Transcript 18: VPN, IPV6, NAT, MobileIP

12:
IP Multicast, VPN, IPV6, NAT,
MobileIP
Last Modified:
7/20/2015 4:44:02 PM
Adapted from Gordon Chaffee’s slides
http://bmrc.berkeley.edu/people/chaffee/advnet98/
4: Network Layer
4a-1
What is multicast?
 1 to N communication
 Bandwidth-conserving technology that
reduces traffic by simultaneously
delivering a single stream of information to
multiple recipients
 Examples of Multicast

Network hardware efficiently supports
multicast transport
• Example: Ethernet allows one packet to be received
by many hosts

Many different protocols and service models
• Examples: IETF IP Multicast, ATM Multipoint
4: Network Layer
4a-2
Unicast
 Problem
 Sending same data to
many receivers via
unicast is inefficient
 Example
 Popular WWW sites
become serious
bottlenecks
 Especially bad for
audio/video streams
Sender
R
4: Network Layer
4a-3
Multicast
 Efficient one to many
data distribution
Sender
R
4: Network Layer
4a-4
IP Multicast Introduction
 Efficient one to many data distribution
Tree style data distribution
 Packets traverse network links only once

 Location independent addressing
 IP address per multicast group
 Receiver oriented service model
 Applications can join and leave multicast groups
 Senders do not know who is listening
 Similar to television model
 Contrasts with telephone network, ATM
4: Network Layer
4a-5
IP Multicast
 Service
 All senders send at the same time to the same
group
 Receivers subscribe to any group
 Routers find receivers
 Unreliable delivery
 Reserved IP addresses
 224.0.0.0 to 239.255.255.255 reserved for
multicast
 Static addresses for popular services (e.g.
Session Announcement Protocol)
4: Network Layer
4a-6
Internet Group Management Protocol (IGMP)
 Protocol for managing group membership
 IP hosts report multicast group memberships to
neighboring routers
 Messages in IGMPv2 (RFC 2236)
• Membership Query (from routers)
• Membership Report (from hosts)
• Leave Group (from hosts)
 Announce-Listen protocol with Suppression
 Hosts respond only if no other hosts has
responded
 Soft State protocol
4: Network Layer
4a-7
IGMP Example (1)
1
3
Network 1
Network 2
Router
2
4
 Host 1 begins sending packets
 No IGMP messages sent
 Packets remain on Network 1
 Router periodically sends IGMP Membership Query
4: Network Layer
4a-8
IGMP Example (2)
Membership
Leave Report
Group
1
3
Network 1
Network 2
Router
2
4
 Host 3 joins conference
 Sends IGMP Membership Report message
 Router begins forwarding packets onto Network 2
 Host 3 leaves conference
 Sends IGMP Leave Group message
 Only sent if it was the last host to send an IGMP Membership
Report message
4: Network Layer
4a-9
Source Specific Filtering: IGMPv3
 Adds Source Filtering to group selection
Receive packets only from specific source
addresses
 Receive packets from all but specific source
addresses

 Benefits
 Helps prevent denial of service attacks
 Better use of bandwidth
 Status: Internet Draft?
4: Network Layer 4a-10
Multicast Routing Discussion
 What is the problem?
Need to find all receivers in a multicast group
 Need to create spanning tree of receivers

 Design goals
 Minimize unwanted traffic
 Minimize router state
 Scalability
 Reliability
4: Network Layer 4a-11
Data Flooding
 Send data to all nodes in network
 Problem
 Need to prevent cycles
 Need to send only once to all nodes in network
 Could keep track of every packet and check if it had
previously visited node, but means too much state
R2
R1
R3
Sender
4: Network Layer 4a-12
Reverse Path Forwarding (RPF)
 Simple technique for building trees
 Send out all interfaces except the one with
the shortest path to the sender
 In unicast routing, routers send to the
destination via the shortest path
 In multicast routing, routers send away
from the shortest path to the sender
4: Network Layer 4a-13
Reverse Path Forwarding Example
1. Router R1 checks: Did the data
packet arrive on the interface
with the shortest path to the
Sender? Yes, so it accepts the
packet, duplicates it, and
forwards the packet out all other
interfaces except the interface
that is the shortest path to the
sender (i.e the interface the
packet arrived on).
Sender
2. Router R2 accepts packets
sent from Router R1 because
that is the shortest path to the
Sender. The packet gets sent
out all interfaces.
R1
Drop
R2
3. Router R2 drops
packets that arrive from
Router R3 because that is
not the shortest path to
the sender. Avoids cycles.
R3
Drop
R4
R5
R6
R7
4: Network Layer 4a-14
Distance Vector Multicast Routing (DVMRP)
 Steve Deering, 1988
 Source rooted spanning trees
 Shortest path tree
 Minimal hops (latency) from source to receivers
 Extends basic distance vector routing
 Flood and prune algorithm
 Initial data sent to all nodes in network(!) using Reverse
Path Forwarding
 Prunes remove unwanted branches
 State in routers for all unwanted groups
 Periodic flooding since prune state times out (soft state)
4: Network Layer 4a-15
DVMRP Algorithm
 Truncated Reverse Path Multicast
 Optimized version of Reverse Path Forwarding
 Truncating
• No packets sent onto leaf networks with no receivers

Still how “truncated” is this?
 Pruning
 Prune messages sent if no downstream receivers
 State maintained for each unwanted group
 Grafting
 On join or graft, remove prune state and propagate graft
message
4: Network Layer 4a-16
Protocol Independent Multicast (PIM)
 Uses unicast routing table for topology
 Dense mode (PIM-DM)
 For groups with many receivers in local/global
region
 Like DVMRP, a flood and prune algorithm
 Sparse mode (PIM-SM)
 For groups with few widely distributed
receivers
 Builds shared tree per group, but may construct
source rooted tree for efficiency
 Explicit join
4: Network Layer 4a-17
IP Multicast in the Real World
4: Network Layer 4a-18
Commercial Motivation
 Problem
 Traffic on Internet is growing about 100% per year
 Router technology is getting better at 70% per year
 Routers that are fast enough are very expensive
 ISPs need to find ways to reduce traffic
 Multicast could be used to…
 WWW: Distribute data from popular sites to caches
throughout Internet
 Send video/audio streams multicast
 Software distribution
4: Network Layer 4a-19
ISP Concerns
 Multicast causes high network utilization
 One source can produce high total network load
 Experimental multicast applications are relatively high
bandwidth: audio and video
 Flow control non-existent in many multicast apps
 Multicast breaks telco/ISP pricing model
 Currently, both sender and receiver pay for bandwidth
 Multicast allows sender to buy less bandwidth while
reaching same number of receivers
 Load on ISP network not proportional to source data rate
4: Network Layer 4a-20
Economics of Multicast
 One packet sent to multiple receivers
 Sender
+ Benefits by reducing network load compared to
unicast
+ Lower cost of network connectivity
 Network service provider
- One packet sent can cause load greater than
unicast packet load
+ Reduces overall traffic that flows over network
 Receiver
= Same number of packets received as unicast
4: Network Layer 4a-21
Multicast Problems
 Multicast is immature
 Immature protocols and applications
 Tools are poor, difficult to use, debugging is difficult
 Routing protocols leave many issues unresolved
• Interoperability of flood and prune/explicit join
• Routing instability
 Multicast development has focused on academic
problems, not business concerns


Multicast breaks telco/ISP traffic charging and
management models
Routing did not address policy
• PIM, DVMRP, CBT do not address ISP policy concerns
• BGMP addresses some ISP concerns, but it is still under
development
4: Network Layer 4a-22
Current ISP Multicast Solution
 Restrict senders of multicast data
 Charge senders to distribute multicast
traffic

Static agreements
 Do not forward multicast traffic
 Some ISP’s offer multicast service to
customers (e.g. UUNET UUCast)
 ISP beginning to discuss peer agreements
4: Network Layer 4a-23
Multicast Tunneling
 Problem
Not all routers are multicast capable
 Want to connect domains with non-multicast
routers between them

 Solution
 Encapsulate multicast packets in unicast packet
 Tunnel multicast traffic across non-multicast
routers
 We will see more examples of tunneling later
4: Network Layer 4a-24
Multicast Tunneling Example (1)
Multicast Router 1
encapsulates multicast
packets for groups
that have receivers
outside of network 1.
It encapsulates them
as unicast IP-in-IP
packets.
Encapsulated
Data Packet
UR1
Multicast
Router 1
Sender 1
Multicast
Router 2
Multicast Router 2
decapsulates IP-in-IP
packets. It then
forwards them using
Reverse Path
Multicast.
UR2
Unicast Routers
Receiver
Network 2
Network 1
4: Network Layer 4a-25
Multicast Tunneling Example (2)
Virtual Network Topology
MR1
MR2
Virtual
Interfaces
4: Network Layer 4a-26
MBone
 MBONE
 Multicast capable virtual network, subset of Internet
 Native multicast regions connection with tunnels
 In 1992, the MBone was created to further the
development of IP multicast


Experimental, global multicast network
Served as a testbed for multicast applications
development
• vat -- audio tool
• vic -- video tool
• wb -- shared whiteboard
4: Network Layer 4a-27
Virtual Private Networks (VPN)
4: Network Layer 4a-28
Virtual Private Networks
 Definition

A VPN is a private network constructed within
the public Internet
 Goals
 Connect
private networks using shared public
infrastructure
 Examples
Connect two sites of a business
 Allow people working at home to have full
access to company network

4: Network Layer 4a-29
How accomplished?
 IP encapsulation and tunneling
 Same as we saw for Multicast
 Router at one end of tunnel places private
IP packets into the data field of new IP
packets (could be encrypted first for
security) which are unicast to the other
end of the tunnel
4: Network Layer 4a-30
Motivations
 Economic
 Using shared infrastructure lowers cost of networking
 Less of a need for leased line connections
 Communications privacy
 Communications can be encrypted if required
 Ensure that third parties cannot use virtual network
 Virtualized equipment locations
 Hosts on same network do not need to be co-located
 Make one logical network out of separate physical
networks
 Support for private network features
 Multicast, protocols like IPX or Appletalk, etc
4: Network Layer 4a-31
Examples
 Logical Network Creation
 Virtual Dial-Up
4: Network Layer 4a-32
Logical Network Creation
Example
Network 1
Gateway
Tunnel Gateway
Internet
Network 2
 Remote networks 1 and 2 create a logical
network
 Secure communication at lowest level
4: Network Layer 4a-33
Virtual Dial-up Example
Public Switched
Telephone Network
(PSTN)
Internet Service Provider
Gateway
Tunnel
Gateway
Internet
Home Network
Worker
Machine
 Worker dials ISP to get basic IP service
 Worker creates tunnel to Home Network
4: Network Layer 4a-34
IPv6
4: Network Layer 4a-35
History of IPv6
 IETF began thinking about the problem of
running out of IP addresses in 1991
 Requires changing IP packet format HUGE deal!
 While we’re at it, lets change X too
 “NGTrans” (IPv6 Transition) Working
Group of IETF - June 1996
4: Network Layer 4a-36
IPv6 Wish List
 From “The Case for IPv6”
 Scalable Addressing and Routing
 Support for Real Time Services
 Support of Autoconfiguration (get your
own IP address and domain name to
minimize administration
 Security Support
 Enhanced support for routing to mobile
hosts
4: Network Layer 4a-37
IPv4 Datagram
0
4
Version
8
HLen
16
TOS
31
Length
Ident
TTL
19
Flags
Protocol
Offset
Checksum
SourceAddr
DestinationAddr
Options (variable)
Pad
(variable)
Data
4: Network Layer 4a-38
IPv6 Datagram
0
4
Version
12
TrafficClass
PayloadLen
16
24
31
FlowLabel
NextHeader
HopLimit
SourceAddress
DestinationAddress
Next header/data
4: Network Layer 4a-39
IPv6 Base Header Format
 VERS = IPv6
 TRAFFICE CLASS: specifies the routing priority





or QoS requests
FLOW LABEL: to be used by applications
requesting performance guarantees
PAYLOAD LENGTH: like IPv4’s datagram length,
but doesn’t include the header length like IPv4
NEXT HEADER: indicates the type of the next
object in the datagram either type of extension
header or type of data
HOP LIMIT: like IPv4’s TimeToLive field but
named correctly
NO CHECKSUM (processing efficiency)
4: Network Layer 4a-40
Address Space
 32 bits versus 128 bits - implications?
4 billiion vesus 3.4 X1038
 1500 addresses per square foot of the earth
surface

4: Network Layer 4a-41
Addresses
 Still divide address into prefix that
designates network and suffix that
designates host
 But no set classes, boundary between
suffix and prefix can fall anywhere (CIDR
only)
 Prefix length associated with each address
4: Network Layer 4a-42
Addresses Types
 Unicast: delivered to a single computer
 Multicast: delivered to each of a set of
computers (can be anywhere)

Conferencing, subscribing to a broadcast
 Anycast: delivered to one of a set of
computers that share a common prefix

Deliver to one of a set of machines providing a
common servicer
4: Network Layer 4a-43
Address Notation
 Dotted sixteen?

105.67.45.56.23.6.133.211.45.8.0.7.56.45.3.189.
56
 Colon hexadecimal notation (8 groups)
 69DC:8768:9A56:FFFF:0:5634:343
 Or even better with zero compression
(replace run of all 0s with double ::)
 Makes host names look even more
attractive huh?
4: Network Layer 4a-44
Special addresses
 Ipv4 addresses all reserved for
compatibility

96 zeros + IPv4 address = valid IPv6 address
 Local Use Addresses
 Special prefix which means “this needn’t be
globally unique”
 Allow just to be used locally
 Aids in autoconfiguration
4: Network Layer 4a-45
Datagram Format
 Base Header + 0 to N Extension Headers +
Data Area
4: Network Layer 4a-46
Extensible Headers
 Why?
 Saves Space and Processing Time
 Only have to allocate space for and spend time
processing headers implementing features you
need
 Extensibility
 When add new feature just add an extension
header type - no change to existing headers
 For experimental features, only sender and
receiver need to understand new header
4: Network Layer 4a-47
Flow Label
 Virtual circuit like behaviour over a datagram network
 A sender can request the underlying network to establish a
path with certain requirements
• Traffic class specifies the general requirements (ex.
Delay < 100 msec.)
 If the path can be established, the network returns an
identifier that the sender places along with the traffic class
in the flow label
 Routers use this identifier to route the datagram along the
prearranged path
4: Network Layer 4a-48
ICMPv6
 New version of ICMP
 Additional message types, like “Packet Too
Big”
 Multicast group management functions
4: Network Layer 4a-49
Summary like IPv6
Connectionless (each datagram contains
destination address and is routed seperately)
 Best Effort (possibility for virtual circuit
behaviour)
 Maximum hops field so can avoid datagrams
circulating indefinitely

4: Network Layer 4a-50
Summary New Features
 Bigger Address Space (128 bits/address)
 CIDR only
 Any cast addresses
 New Header Format to help speed processing and
forwarding


Checksum: removed entirely to reduce processing time at
each hop
No fragmentation
 Simple Base Header + Extension Headers
 Options: allowed, but outside of header, indicated by
“Next Header” field
 Ability to influence the path a datagram will take
through the network (Quality of service)
4: Network Layer 4a-51
Transition From IPv4 To IPv6
 Not all routers can be upgraded
simultaneous
no “flag days”
 How will the network operate with mixed IPv4
and IPv6 routers?

 Two proposed approaches:
 Dual Stack: some routers with dual stack (v6,
v4) can “translate” between formats
 Tunneling: IPv6 carried as payload n IPv4
datagram among IPv4 routers
4: Network Layer 4a-52
Dual Stack Approach
4: Network Layer 4a-53
Tunneling
IPv6 inside IPv4 where needed
4: Network Layer 4a-54
6Bone
 The 6Bone: an IPv6 testbed
 Started as a virtual network using IPv6
over IPv4 tunneling/encapsulation
 Slowly migrated to native links fo IPv6
transport
 RFC 2471
4: Network Layer 4a-55
Recent History
 First blocks of IPv6 addresses delegated
to regional registries - July 1999
 10 websites in the .com domain that can be
reached via an IPv6 enhanced client via an
IPv6 TCP connection
(http://www.ipv6.org/v6-www.html) - it was
5 a year ago (not a good sign?)
4: Network Layer 4a-56
IPv5?
 New version of IP temporarily named “IP -
The Next Generation” or IPng
 Many competing proposals; name Ipng
became ambiguous
 Once specific protocol designed needed a
name to distinguish it from other proposals
 IPv5 has been assigned to an experimental
protocol ST
4: Network Layer 4a-57
Network Address Translation
(NAT)
4: Network Layer 4a-58
Background
 IP defines private intranet address ranges
 10.0.0.0 - 10.255.255.255 (Class A)
 172.16.0.0 - 172.31.255.255 (Class B)
 192.168.0.0 - 192.168.255.255 (Class C)
 Addresses reused by many organizations
 Addresses cannot be used for
communication on Internet
4: Network Layer 4a-59
Problem Discussion
 Hosts on private IP networks need to
access public Internet
 All traffic travels through a gateway
to/from public Internet
 Traffic needs to use IP address of
gateway
 Conserves IPv4 address space
 Private
IP addresses mapped into fewer public
IP addresses
 Will this beat Ipv6?
4: Network Layer 4a-60
Scenario
128.32.32.68
BMRC
Server
All Private Network hosts
must use the gateway IP
address
24.1.70.210
Gateway
Public Internet
Public network IP address,
globally unique
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
Host A
Private Network
Same private network IP
addresses may be used by
many organizations
4: Network Layer 4a-61
Network Address Translation
Solution
 Special function on gateway
 IP source and destination addresses are
translated
 Internal hosts need no changes
 No changes required to applications
 TCP based protocols work well
 Non-TCP based protocols more difficult
 Provides some security
 Hosts behind gateway difficult to reach
 Possibly vulnerable to IP level attacks
4: Network Layer 4a-62
NAT Example
NAT Gateway
TCP Connection 1
Address
Translator
TCP Connection 1
Server
128.32.32.68
bmrc.berkeley.edu
4: Network Layer 4a-63
TCP Protocol Diagram
SYN flag indicates a
new TCP connection
Client
Server
IP Header
SYN
SYN, ACK
ACK
.....
Checksum
Source IP Address
Destination IP Address
.....
Packet 0:50
ACK 0:50
FIN
FIN, ACK
TCP Header
Source Port Number Dest Port Number
Sequence Number
.....
4: Network Layer 4a-64
TCP NAT Example
PROTO
SADDR
DADDR
SPORT
DPORT
FLAGS
CKSUM
TCP
10.0.0.3
128.32.32.68
1049
80
SYN
0x1636
1. Host tries to connect
to web server at
128.32.32.68. It sends
out a SYN packet using
its internal IP address,
10.0.0.3.
NAT
Gateway
PROTO
SADDR
DADDR
SPORT
DPORT
FLAGS
CKSUM
TCP
128.32.32.68
10.0.0.3
80
1049
SYN, ACK
0x7841
TCP
24.1.70.210
128.32.32.68
40960
80
SYN
0x2436
2. NAT gateway sees SYN flag set,
adds new entry to its translation
table. It then rewrites the packet
using gateway’s external IP address,
24.1.70.210. Updates the packet
checksum.
2
1
10.0.0.3
PROTO
SADDR
DADDR
SPORT
DPORT
FLAGS
CKSUM
Internet
3
4 10.0.0.1 24.1.70.210
NAT Translation Table
Client
IPAddr
Port
10.0.0.3
1049
. . .
..
4. NAT gateway looks in its
translation table, finds a match
for the source and destination
addresses and ports, and
rewrites the packet using the
internal IP address.
Server
IPAddr
Port
128.32.32.68 80
. . .
..
NATPort
40960
. .
PROTO
SADDR
DADDR
SPORT
DPORT
FLAGS
CKSUM
Server
128.32.32.68
TCP
128.32.32.68
24.1.70.210
80
40960
SYN, ACK
0x8041
3. Server responds to SYN
packet with a SYN,ACK packet.
The packet is sent to the NAT
gateway’s IP address.
4: Network Layer 4a-65
Load Balancing Servers with
NAT
Public
Internet
Server
Server
Private
Intranet
Server
Server
 Single IP address for web server
 Redirects workload to multiple internal
servers
4: Network Layer 4a-66
Load Balancing Networks with
NAT
Service Provider 1
Private
Intranet
NAT
Gateway
Network X
Service Provider 2
 Connections from Private Intranet split
across Service Providers 1 and 2
 Load balances at connection level

Load balancing at IP level can cause low TCP
throughput
4: Network Layer 4a-67
NAT Discussion
 NAT works best with TCP connections
 NAT breaks End-to-End Principle by
modifying packets
 Problems
Connectionless UDP (Real Audio)
 ICMP (Ping)
 Multicast
 Applications use IP addresses within data
stream (FTP)

 Need to watch/modify data packets
4: Network Layer 4a-68
MobileIP
4: Network Layer 4a-69
MobileIP
 Goal: Allow machines to roam around and
maintain IP connectivity
 Problem: IP addresses => location

This is important for efficient routing
 Solutions?
 DHCP?
• ok for relocation but not for ongoing connections

Dynamic DNS (mobile nodes update name to IP
address mapping as they move around)?
• ok for relocation but not for ongoing connections
4: Network Layer 4a-70
Mobile IP
 Allows computer to roam and be reachable
 Basic architecture
 Home agent (HA) on home network
 Foreign agent (FA) at remote network location
 Home and foreign agents tunnel traffic
 Non-optimal data flow
4: Network Layer 4a-71
MobileIP
 Mobile nodes have a permanent home
address and a default local router called
the “home agent”
 The router nearest a nodes current
location is called the “foreign agent”
Register with foreign agent when connect to
network
 Located much like the DHCP server

4: Network Layer 4a-72
Forwarding Packets
 Home agent impersonates the mobile host
by changing the mapping from IP address
to hardware address (“proxy ARP”)
 Sends any packets destined for mobile
host on to the foreign agent with IP
encapsulation
 Foreign agent strips off and does a special
translation of the mobile nodes IP address
to its current hardware address
4: Network Layer 4a-73
Mobile IP Example
Foreign
Agent
18.86.0.253
Register Mobile Node
169.229.2.98
1. The Mobile Node registers itself with the Foreign
Agent on the Foreign Subnet. The Foreign Agent
opens an IP-IP tunnel to the Home Agent. The Home
Agent begins listening for packets sent to
169.229.2.98.
2. The Fixed Node initiates a connection to the
Mobile Node. It sends packets to the Mobile Node’s
home IP address, 169.229.2.98. The packets are
routed to the Home Subnet.
Foreign Subnet
Fixed Node
Internet
128.95.4.112
3. The Home Agent receives them, encapsulates
them in IP-IP packets, and it sends them to the
Foreign Agent. Encapsulated packets are addressed
to 18.86.0.253.
4. The Foreign Agent decapsulates the IP-IP packets,
and it sends them out on the Foreign Subnet. These
packets will be addressed to 169.229.2.98.
Home Subnet
Home
169.229.2.97
Agent
5. The Mobile Node receives the packets, and it
sends responses directly to the Fixed Node at
128.95.4.112.
4: Network Layer 4a-74
Avoiding the Foreign Agent
 Mobile host can also obtain a new IP
address on the remote network and inform
the home agent
 The home agent can then resend the
packet to the new IP address
4: Network Layer 4a-75
Optimizations
 What if two remote hosts are temporarily
close together
 If they want to send traffic to each other,
why should it have to go all the way to
their home agents and back again
 Optimizations exist to allow the sending
node to learn and cache the current
location of a recipient to avoid this
problem
4: Network Layer 4a-76
Roadmap
 Finished with the network layer and IP
specifics
 Next on to the link layer
 If two hosts are on the same network how
do they send data directly to one another
4: Network Layer 4a-77