VPN and NAT IPv6 - The University of Sydney

1
PRIVATE NETWORK
INTERCONNECTION
(NAT AND VPN)
&
IPv6
NETS3303/3603
Week 7
The University of Sydney
2
Expected outcomes
• Need for VPN
• How NAT also addressed address shortage
• Motivation for IPv6
– What’s wrong with IPv4
– How does IPv6 address this
• What else does IPv6 introduce
• Knowing about issues with transition from
v4 to v6
3
Definitions
• An internet is private if none of the
facilities or traffic is accessible to other
groups
• Involves using leased lines to interconnect
routers at various sites of the group
• The global Internet is public
– facilities shared by all subscribers
4
Hybrid Architecture
• Permits some traffic to go over private
connections
• Allows contact with global Internet
5
The Cost Of Private And
Public Networks
• Private network extremely expensive
• Public Internet access inexpensive
• Goal: combine safety of private network
with low cost of global Internet
• How can an organization that uses the
global Internet to connect its sites keep its
data private?
• Answer: Virtual Private Network (VPN)
6
Virtual Private Network
• Connect all sites to global Internet
• Protect data as it passes from one site to another
– Encryption
– IP-in-IP tunnelling
• A VPN sends traffic across the Internet, but encrypts intersite
transmissions to guarantee privacy
7
Example Of VPN
Addressing And Routing
8
Example VPN With Private
Addresses
• Advantage: only one globally valid IP
address needed per site
9
General Access With
Private Addresses
• Question: how to provide multiple
computers at the site access to Internet
services without assigning each computer a
globally-valid IP address?
• Two answers
– Application gateway (one needed for each
service) through multi-homed host
– Network Address Translation (NAT)
10
Network Address
Translation (NAT)
• Extension to IP addressing
• IP-level access to the Internet through a
single IP address
• Transparent to both ends
• Implementation
– Typically software
– Usually installed in IP router
– Or special-purpose hardware for highest speed
11
Network Address
Translation (NAT) II
• Pioneered in Unix program slirp
• Also known as
– Masquerade (Linux)
– Internet Connection Sharing (Microsoft)
• Inexpensive implementations available for
home use
12
NAT Details
• Organization
– Obtains one globally valid address per Internet
connection
– Assigns nonroutable addresses internally (net 10)
– Runs NAT software in router connecting to Internet
• NAT
– Replaces source address in outgoing datagram
– Replaces destination address in incoming datagram
– Also handles higher layer protocols (e.g., pseudo
header for TCP or UDP)
13
NAT Translation Table
• NAT uses translation table
• Entry in table specifies local (private)
endpoint and global destination
• Typical paradigm
– Entry in table created as side-effect of
datagram leaving site
– Entry in table used to reverse address mapping
for incoming datagram
14
Example NAT Translation
Table
• Variant of NAT that uses protocol port
numbers is known as
– Network Address and Port Translation (NAPT)
15
Higher Layer Protocols And
NAT
• NAT must
– Change IP headers
– Possibly change TCP or UDP source ports
– Recompute TCP or UDP checksums
– Translate ICMP messages
– Translate port numbers in an FTP session
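The translation table and the checksum work from slides 12 to 15, as an added Python example (not the course's code): a NAPT table keyed on the outbound flow, source address and port rewriting with the UDP checksum recomputed over the pseudo header, and inbound datagrams that match no entry being dropped. The addresses 203.0.113.7, 10.0.0.5 and 198.51.100.9 and the port range are constructed sample values.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional

class Udp(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    csum: int = 0

def ones_complement(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (an odd trailing byte is zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(p: Udp, csum_field: int = 0) -> int:
    """The UDP checksum covers a pseudo header holding both IP addresses, so NAT must
    recompute it after rewriting either; a received p verifies iff udp_checksum(p, p.csum) == 0."""
    length = 8 + len(p.payload)
    pseudo = (ipaddress.IPv4Address(p.src).packed + ipaddress.IPv4Address(p.dst).packed
              + struct.pack("!BBH", 0, 17, length))
    return ones_complement(pseudo + struct.pack("!HHHH", p.sport, p.dport, length, csum_field) + p.payload)

class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out_map = {}  # (priv ip, priv port, remote ip, remote port) -> public port
        self.in_map = {}   # (public port, remote ip, remote port) -> (priv ip, priv port)

    def outbound(self, p: Udp) -> Udp:
        """Entry created as a side effect of the outgoing datagram; source address and port rewritten."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        q = Udp(self.public_ip, self.out_map[key], p.dst, p.dport, p.payload)
        return q._replace(csum=udp_checksum(q))

    def inbound(self, p: Udp) -> Optional[Udp]:
        """Reverse the mapping; no entry means no private endpoint to deliver to, so the datagram is dropped."""
        entry = self.in_map.get((p.dport, p.src, p.sport))
        if entry is None:
            return None
        q = Udp(p.src, p.sport, entry[0], entry[1], p.payload)
        return q._replace(csum=udp_checksum(q))
```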
16
Applications And NAT
• NAT handles ICMP, TCP, UDP, and other
higher-layer protocols, but not application-layer
data, except for a few standard applications like FTP
• An application protocol that passes IP
addresses or protocol port numbers as data
will not operate correctly across NAT
– P2P applications are the major sufferers
17
VPN Summary
• Virtual Private Networks (VPNs) combine the
advantages of low cost Internet connections with
the safety of private networks
– VPNs use encryption and tunnelling
• NAT allows a site to multiplex communication
with multiple computers through a single globally
valid IP address
• NAT uses a table to translate addresses in outgoing
and incoming datagrams
18
IPv6 and migration methods
NETS3303/3603
Week 7
19
IPv6 Motivation
• IPv4 address space 2^32
– About half assigned
– Introduction of data access for mobile through
3G/4G and other wireless devices
– By 2020, addresses may be exhausted!
• Clearly, we need a larger address space
20
IPv6, Background
• RFC in 1994
• Defined over 10 years ago!
• 128 bits per address (4 x IPv4)!
• IPv6 address space 2^128
– has 1024 addresses per square meter of the
Earth’s surface!
21
Major Changes From IPv4
• Larger addresses
• Extended address hierarchy
• Variable header format
– Facilities for many options
• Provision for protocol extension
• Support for resource allocation
22
General Form Of IPv6
Datagram
• Base header required
– 40 bytes
• Extension headers optional
23
IPv6 Header (figure; bit offsets 0, 4, 12, 16, 24, 31)
Bits 0-3: Version | 4-11: Traffic class | 12-31: Flow label
Bits 0-15: Payload length | 16-23: Next header | 24-31: Hop limit
Source address (128 bits)
Destination address (128 bits)
• Fragmentation in extension header!
• Flow label intended for resource reservation
24
IPv6 Extension Headers
• Sender chooses zero or more extension
headers
• Only those facilities that are needed should
be included
25
Parsing An IPv6 Datagram
• Each header includes NEXT HEADER field
– NEXT HEADER operates like type field
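Walking the NEXT HEADER chain described above, as an added Python example (not from the slides): the parser steps through the extension header types from slide 33 until it reaches the upper-layer protocol, and refuses chains that are too long or run past the payload length, the two checks a packet filter or IDS needs before it can find the transport header. The sample packet, its addresses and the MAX_EXT_HEADERS bound are constructed assumptions.

```python
import struct

# Next Header values (IANA) for the extension headers listed in the slides
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, NO_NEXT = 0, 43, 44, 50, 51, 60, 59
MAX_EXT_HEADERS = 8  # defensive bound; an unbounded chain is a cheap way to stall a parser

def ipv6_base_header(payload_len: int, next_header: int, src: bytes, dst: bytes, hop_limit: int = 64) -> bytes:
    """The required 40-byte base header: version 6, zero traffic class and flow label."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit, src, dst)

def ext_header(next_header: int, body: bytes) -> bytes:
    """Generic extension header: Next Header, Hdr Ext Len (in 8-octet units, not
    counting the first 8 octets), body padded to an 8-octet boundary."""
    body += b"\x00" * ((-len(body) - 2) % 8)
    return struct.pack("!BB", next_header, (len(body) + 2) // 8 - 1) + body

def parse_ipv6(pkt: bytes):
    """Walk the Next Header chain like a type field. Returns (chain of extension
    header types, upper-layer protocol number, offset of the upper-layer data)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 datagram")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("payload length exceeds the bytes received")
    off, chain = 40, []
    # ESP is deliberately absent: everything after it is encrypted, so the walk stops there
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if len(chain) >= MAX_EXT_HEADERS or off + 8 > end:
            raise ValueError("extension header chain too long or truncated")
        chain.append(nh)
        # AH counts its length in 4-octet units (RFC 4302); the others use 8-octet units.
        # The Fragment header has a reserved zero byte here, which yields its fixed 8 octets.
        size = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        if off + size > end:
            raise ValueError("extension header runs past the payload")
        nh, off = pkt[off], off + size
    return chain, nh, off

# Constructed sample: 2001:db8::1 -> 2001:db8::2 with Hop-by-Hop, Fragment, then UDP
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")

def sample_packet() -> bytes:
    udp = struct.pack("!HHHH", 5353, 53, 8 + 5, 0) + b"query"
    frag = struct.pack("!BBHI", 17, 0, 0, 0xABCD)  # next = UDP, offset 0, M = 0, identification
    hbh = ext_header(FRAGMENT, b"\x01\x04\x00\x00\x00\x00")  # one PadN option fills the 6 octets
    payload = hbh + frag + udp
    return ipv6_base_header(len(payload), HOP_BY_HOP, SRC, DST) + payload
```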
26
IPv6 Fragmentation And
Reassembly
• Like IPv4
– Ultimate destination reassembles
• Unlike IPv4
– Routers avoid fragmentation
– Original source must fragment
– If too large, IPv6 router drops packet & sends
“Packet Too Big” ICMP error
27
How Can Original Source
Fragment?
• Option 1: choose minimum guaranteed
MTU of 1280 B
• Option 2: use path MTU discovery
28
Path MTU Discovery
• Guessing game!
• Source sends datagram without fragmenting
• If router cannot forward, router sends back
ICMP error message
• Source tries smaller MTU
• What are the consequences of the IPv6
design??
29
IPv6 Colon Hexadecimal
Notation
• Replaces dotted decimal
• Example: dotted decimal value
104.230.140.100.255.255.255.255.0.0.17.128.150.10.255.255
• Becomes
68E6:8C64:FFFF:FFFF:0:1180:96A:FFFF
30
Zero Compression
• A run of successive zero groups is written as a pair
of colons
• Example
– FF05:0:0:0:0:0:0:B3
• Becomes
– FF05::B3
31
IPv6 Destination
Addresses
• Three types
– Unicast (single host receives copy)
– Multicast (set of hosts each receive a copy)
– Anycast (set of hosts, one of which receives a
copy)
• Note: no broadcast (but special multicast
addresses exist, e.g., “all hosts on local wire”)
32
Backward Compatibility
• Subset of IPv6 addresses encode IPv4 addresses
• Colon hex notation can end with 4 octets in
dotted decimal
33
IPv6 Extension Headers
• Hop-by-hop Options
– Information for routers, e.g. jumbogram length
• Routing
– Source routing list
• Fragment
– Tells end host how to reassemble packets
• Authentication (for destination host)
• Encapsulating Security Payload
– For destination host, contains keys etc.
• Destination options (extra options for destination)
34
IPv6 Hierarchy
• IPv4 address space completely flat (no geographic
dependency)
• IPv6 semi-hierarchical (compare telephone
numbers)
– Top level routers have address ranges with regional
meaning in routing tables
– Next level routers have knowledge of ranges to
organisations (corporations, ISPs etc.)
– Site level routers have host and network specific
routing tables
35
Address high-level
architecture
• Format prefix at FRONT is variable length
Address type         Binary prefix   Address-space slice
reserved             0000 0000       1/256
unicast              001             1/8
link-local unicast   1111 1110 10    1/1024
site-local unicast   1111 1110 11    1/1024
multicast            1111 1111       1/256
36
IPv4 to v6 Migration
Methods
• Dual stacks (IPv6 and IPv4)
• Tunnelling
• Transition likely to take a very long time
37
Tunnelling
• Tunnels: IPv6 internets can tunnel IPv6
packets over IPv4 networks (a “short-term” measure)
– IPv6 carried as payload in an IPv4 datagram
among IPv4 routers
38
Tunnelling
Logical view:
A (IPv6) -- B (IPv6) ==== IPv6 tunnel over IPv4 ==== E (IPv6) -- F (IPv6)
Physical view:
A (IPv6) -- B (IPv6) -- C (IPv4) -- D (IPv4) -- E (IPv6) -- F (IPv6)
Datagram on each hop:
A-to-B: IPv6                    [Flow: X | Src: A | Dest: F | data]
B-to-E (via C, D): IPv6 inside IPv4   [Src: B | Dest: E | [Flow: X | Src: A | Dest: F | data]]
E-to-F: IPv6                    [Flow: X | Src: A | Dest: F | data]
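The B-to-E tunnel in the figure, as an added Python example (not the course's code): the IPv6 datagram from A is wrapped whole in an IPv4 datagram with protocol number 41 at B, and E strips the outer header only when it arrives from the configured peer, the check RFC 4213 asks of a decapsulator. It also shows the 20 bytes the outer header takes from the path MTU discussed on slides 27 and 28. Tunnel addresses, the sample datagram and the link MTU are constructed assumptions.

```python
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 encapsulation (RFC 4213)

def fold(hdr20: bytes) -> int:
    """Ones-complement sum of the ten 16-bit header words; 0xFFFF when the checksum verifies."""
    s = sum(struct.unpack("!10H", hdr20))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ~fold(hdr) & 0xFFFF) + hdr[12:]

def encapsulate(ipv6_pkt: bytes, tunnel_src: bytes, tunnel_dst: bytes, link_mtu: int) -> bytes:
    """Router B in the figure: the whole IPv6 datagram becomes the payload of an IPv4
    datagram addressed to tunnel endpoint E. The outer header costs 20 bytes, so a
    source that learned a path MTU of link_mtu can in fact only send link_mtu - 20."""
    if len(ipv6_pkt) < 40 or ipv6_pkt[0] >> 4 != 6:
        raise ValueError("only IPv6 datagrams enter the tunnel")
    if 20 + len(ipv6_pkt) > link_mtu:
        raise ValueError("too big for the tunnel: inner datagram must be <= %d" % (link_mtu - 20))
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPV6, len(ipv6_pkt)) + ipv6_pkt

def decapsulate(ipv4_pkt: bytes, expected_peer: bytes) -> bytes:
    """Router E: strip the outer header, but only for protocol 41 from the configured
    peer (RFC 4213 requires the decapsulator to check the outer source), so an outside
    host cannot feed IPv6 datagrams into the site just by addressing protocol 41 to E."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[0] != 0x45 or fold(ipv4_pkt[:20]) != 0xFFFF:
        raise ValueError("malformed outer header or bad header checksum")
    total_len = struct.unpack("!H", ipv4_pkt[2:4])[0]
    if ipv4_pkt[9] != IPPROTO_IPV6 or ipv4_pkt[12:16] != expected_peer or total_len > len(ipv4_pkt):
        raise ValueError("not an IPv6-in-IPv4 datagram from the tunnel peer")
    inner = ipv4_pkt[20:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner datagram is not IPv6")
    return inner

# Constructed sample: tunnel endpoints B and E on documentation addresses (TEST-NET-1 and -2)
B4, E4 = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])

def sample_ipv6(payload: bytes = b"") -> bytes:
    """IPv6 datagram A -> F with Next Header 59 (no next header) and an opaque payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (A)
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2 (F)
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 59, 64, src, dst) + payload
```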
39
Dual Stack Approach
A (IPv6) -- B (IPv6) -- C (IPv4) -- D (IPv4) -- E (IPv6) -- F (IPv6)
Datagram on each hop:
A-to-B: IPv6   [Flow: X | Src: A | Dest: F | data]
B-to-C: IPv4   [Src: A | Dest: F | data]
D-to-E: IPv4   [Src: A | Dest: F | data]
E-to-F: IPv6   [Flow: ?? | Src: A | Dest: F | data]
• IPv4 has no flow label field, so the flow label is lost on the way (Flow: ??)
40
Summary
• IETF has defined next version of IP to be
IPv6
• Addresses are 128 bits long
• Datagram starts with base header followed
by zero or more extension headers
• Sender performs fragmentation