Transcript Chapter 20

Private Network Interconnection
Chapter 20
Introduction
• Privacy in an internet is a major concern
– Contents of datagrams that travel across the Internet
may be viewed as they pass across networks owned by
other organizations
• Internal datagrams are those sent between computers within
an organization
• External datagrams are those sent between computers in
different organizations
– The goal is to keep internal datagrams private, while
allowing external communication
Private and Hybrid Networks
• Private Networks
– Use routers to connect networks at each site, and leased digital
circuits to interconnect the sites
– Can use arbitrary IP addresses
– Are isolated from the Internet
• Hybrid Networks
– Use valid IP addresses, and sites are connected to the Internet
– Assured of privacy when communicating internally
– See the leased circuit and connections to the Internet in Figure 20.1
• Both are expensive, may lease T1 lines
Virtual Private Networks
• A VPN uses the Internet to connect sites
• Communication between computers in the VPN is
concealed from outsiders
– tunneling using IP-in-IP encapsulation
– datagrams are encrypted before they are encapsulated
• outsiders cannot decrypt because they do not have an
encryption key
VPN Addressing and Routing
• A VPN routes data through a tunnel
– See routing table for R1 which handles tunneling in
Figure 20.3
– Example
• A computer on network 128.10.2.0 sends a datagram to a
computer on network 128.210.0.0
• The datagram is forwarded to R2 which forwards it to R1
• R1 encrypts the datagram, encapsulates it in the data portion of
an outer datagram with destination R3, and forwards the outer
datagram through the local ISP and across the Internet
• R3 recognizes the datagram as tunneled from R1
• R3 decrypts the data area and forwards it to R4 for delivery
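The tunnelling steps in the example above, as an added illustration that is not code from the chapter or its figures: a small Python model of R1 and R3. The site prefixes 128.10.0.0/16 and 128.210.0.0/16 come from the slide; the routers' public addresses (192.0.2.1 for R1, 198.51.100.1 for R3), the ISP next hop, the pre-shared key and the cipher are constructed for the example. The encrypt/decrypt pair is a demonstration stand-in (SHA-256 keystream with an HMAC tag), not IPsec; its point is that R3 authenticates the tunnel payload before using it, so an outsider without the key can neither read an inner datagram nor alter one without detection.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed addresses for the tunnel endpoints (the slide names only the site prefixes).
R1_PUBLIC = "192.0.2.1"      # R1's globally valid address (assumed)
R3_PUBLIC = "198.51.100.1"   # R3's globally valid address (assumed)
TUNNEL_KEY = b"shared-secret-between-R1-and-R3"   # assumed pre-shared key

# R1's routing table: destination prefix -> ("direct", interface) or ("tunnel", endpoint)
R1_ROUTES = {
    ipaddress.ip_network("128.10.0.0/16"): ("direct", "eth0"),
    ipaddress.ip_network("128.210.0.0/16"): ("tunnel", R3_PUBLIC),
    ipaddress.ip_network("0.0.0.0/0"): ("direct", "isp"),
}

def lookup_route(table, dst):
    """Longest-prefix match, as a router's forwarding lookup does."""
    dst = ipaddress.ip_address(dst)
    matches = [net for net in table if dst in net]
    return table[max(matches, key=lambda n: n.prefixlen)]

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left zero for the model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ipv4(datagram):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "payload": datagram[ihl:total]}

def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key, plaintext):
    """Stand-in for the VPN cipher: nonce || ciphertext || HMAC tag.  Demo only, not IPsec."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    """Verify the tag before decrypting, so a forged or altered tunnel payload is rejected."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tunnel authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def r1_forward(inner):
    """R1: route the datagram; tunnelled destinations are encrypted and encapsulated."""
    kind, target = lookup_route(R1_ROUTES, parse_ipv4(inner)["dst"])
    if kind == "direct":
        return ("direct", target, inner)
    sealed = encrypt(TUNNEL_KEY, inner)
    outer = ipv4_header(R1_PUBLIC, target, 4, len(sealed)) + sealed   # proto 4 = IP-in-IP
    return ("tunnel", target, outer)

def r3_receive(outer):
    """R3: recognise a datagram tunnelled from R1, decrypt it, recover the inner datagram."""
    hdr = parse_ipv4(outer)
    if hdr["dst"] != R3_PUBLIC or hdr["src"] != R1_PUBLIC or hdr["proto"] != 4:
        raise ValueError("not a tunnelled datagram from R1")
    return parse_ipv4(decrypt(TUNNEL_KEY, hdr["payload"]))

if __name__ == "__main__":
    payload = b"hello from site 1"   # constructed sample payload
    inner = ipv4_header("128.10.2.7", "128.210.5.9", 17, len(payload)) + payload
    kind, hop, wire = r1_forward(inner)
    print(kind, hop, parse_ipv4(wire)["dst"])
    print(r3_receive(wire)["payload"])
```

Running it shows the outer datagram addressed to R3 while the inner addresses and payload are recoverable only after R3's decrypt succeeds; flipping any byte of the tunnel payload makes r3_receive raise instead of delivering.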
A VPN with Private Addresses
• A VPN offers the same addressing options as a
private network
– If Internet connectivity is not used, arbitrary IPs can be
assigned
– If Internet connectivity is used, a hybrid addressing
scheme can be used
– But when private addressing is used, one valid IP
address is needed at each site for tunneling
• In Figure 20.4, site 1 uses subnet 10.1.0.0/16 and site 2 uses
subnet 10.2.0.0/16
• Two valid IP addresses are required for connection to Internet
A VPN with Private Addresses
• How can a site provide access to the Internet
without assigning each host a valid IP address?
– Using an application gateway: each site has a multihomed host connected to the Internet (with a valid IP address) and
to the private network (with a private IP address)
• This host runs a set of application programs that
each handle one service
• Other hosts at the site send requests to the
application gateway which interacts with the
Internet
Network Address Translation
(NAT)
• Requires a site to have a single connection to the
Internet and at least one valid IP address, G
– Address G is assigned to a multi-homed computer that
connects to the Internet and runs NAT software
• called a NAT box
• all datagrams pass through on the way to/from the
Internet
– NAT translates the addresses in the datagrams by
• replacing the outgoing source address with G
• replacing the incoming destination address with its
private address
NAT Translation Table Creation
• How does NAT know the destination for an
incoming datagram?
– NAT maintains a translation table holding the IP
address of a host on the Internet and the internal IP
address of a host at the site
• How is the table initialized?
– Manually
– Outgoing datagrams - set when datagram is sent
– Incoming name lookups - set when domain names are
requested
NAT Translation Table Creation
• Figure 20.5 shows an ISP that serves dial-up
customers
– The ISP assigns an IP address to a customer when the
customer dials in
– NAT allows the ISP to assign private addresses
• 10.0.0.1, then 10.0.0.2, etc.
– When a customer sends a datagram to a destination on
the Internet, NAT uses the outgoing datagram to
initialize its translation table
Multi-Address NAT
• The NAT box can be allowed to hold multiple
Internet addresses
– Previously we only allowed a 1-to-1 address mapping
• At most one computer at the site has access to a
given machine on the Internet at any time
– This variation is multi-address NAT
• A NAT box has a set of K valid addresses G1, G2, … GK
• When the first host accesses a destination, G1 is assigned
• If another host accesses the same destination, G2 is assigned…
• Thus, up to K internal hosts may access a destination at the
same time
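A NAT box with K valid addresses, as an added example that is not code from the chapter: with K = 1 it behaves as the basic NAT of the preceding slides (outgoing source replaced by G, incoming destination restored from the table, table rows created from outgoing datagrams); with K > 1 it hands G1, G2, … to successive internal hosts reaching the same destination and drops a (K+1)-th. The addresses 203.0.113.x and 192.0.2.x, the dial-up pool and the datagram fields are constructed for the example; datagrams are plain dicts standing in for parsed headers.

```python
import ipaddress

class MultiAddressNat:
    """NAT box holding K valid Internet addresses G1..GK.

    Each table row pairs an Internet host with the internal host talking to it,
    under the global address used for that conversation.  K == 1 is plain 1-to-1 NAT."""

    def __init__(self, global_addrs):
        self.globals = [str(ipaddress.ip_address(g)) for g in global_addrs]
        self.table = {}   # (Gi, internet_host) -> internal_host

    def outgoing(self, datagram):
        """Rewrite the source of a datagram leaving the site, creating a row on first
        use.  Returns None (drop) when all K addresses are busy toward this destination."""
        src, dst = datagram["src"], datagram["dst"]
        for (g, remote), internal in self.table.items():
            if remote == dst and internal == src:
                return {**datagram, "src": g}          # existing conversation: reuse Gi
        in_use = {g for (g, remote) in self.table if remote == dst}
        for g in self.globals:                          # first free Gi toward this destination
            if g not in in_use:
                self.table[(g, dst)] = src
                return {**datagram, "src": g}
        return None

    def incoming(self, datagram):
        """Restore the private destination of a datagram arriving from the Internet.
        Without a matching row it is dropped: an outside host cannot reach an internal
        host that has not first sent to it."""
        internal = self.table.get((datagram["dst"], datagram["src"]))
        if internal is None:
            return None
        return {**datagram, "dst": internal}

    def release(self, internal, remote):
        """Remove the row when a conversation ends, freeing Gi for another host."""
        for key, host in list(self.table.items()):
            if host == internal and key[1] == remote:
                del self.table[key]

if __name__ == "__main__":
    # Constructed scenario: an ISP hands dial-up customers 10.0.0.1, 10.0.0.2, ...
    pool = ipaddress.ip_network("10.0.0.0/24").hosts()
    nat = MultiAddressNat(["203.0.113.1", "203.0.113.2"])
    for _ in range(3):
        customer = str(next(pool))
        print(customer, "->", nat.outgoing({"src": customer, "dst": "192.0.2.80"}))
    print(nat.incoming({"src": "192.0.2.80", "dst": "203.0.113.2"}))
```

The third customer reaching 192.0.2.80 gets None (dropped) while both addresses are busy toward that host, but the same customer can still reach a different destination through G1, which is exactly the per-destination limit the slide describes.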
Port-Mapped NAT
• This variation of NAT translates TCP or UDP port
numbers as well as addresses (NAPT)
– The table contains the source and destination IP
addresses and the source and destination protocol ports
– The table also indicates a port number used by the
NAT box, as shown in Figure 20.6
Interaction Between NAT and
ICMP
• NAT must handle ICMP
• Example
– When ping is used, ICMP sends an echo request and an
echo reply
– NAT does not forward all ICMP messages from the
Internet
• NAT determines whether the message is to be handled locally
or sent to an internal host
• Before forwarding, NAT translates the ICMP message
– ICMP’s destination unreachable is an example
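The NAPT table of Figure 20.6 and the ICMP handling just described, in one added Python model that is not code from the chapter. Packets are dicts standing in for parsed headers; the global address 203.0.113.1, the port range starting at 40000 and all hosts are constructed. It shows two internal hosts using the same source port kept apart by the port the NAT box chooses, an ICMP echo translated on its identifier field (which plays the port's role in both directions), and a destination unreachable from the Internet that NAT redirects to the internal host only after rewriting the header copy embedded in it.

```python
class Napt:
    """Port-mapped NAT: one global address G; rows hold source and destination
    addresses and ports plus the port the NAT box substitutes on the way out."""

    def __init__(self, global_addr, first_port=40000):
        self.G = global_addr
        self.next_port = first_port          # constructed port range for the example
        self.out_table = {}   # (src, inside_id, dst, remote_id, proto) -> nat_id
        self.in_table = {}    # (nat_id, dst, remote_id, proto) -> (src, inside_id)

    @staticmethod
    def flow_ids(pkt, incoming):
        """(inside-facing id, Internet-facing id).  TCP/UDP use their two ports; an
        ICMP echo has only its identifier, which takes the port's role both ways."""
        if pkt["proto"] == "icmp":
            return pkt["id"], 0
        return (pkt["dport"], pkt["sport"]) if incoming else (pkt["sport"], pkt["dport"])

    @staticmethod
    def set_inside_id(pkt, value, incoming):
        field = "id" if pkt["proto"] == "icmp" else ("dport" if incoming else "sport")
        return {**pkt, field: value}

    def outgoing(self, pkt):
        """Create (or reuse) a row and rewrite source address and inside id."""
        inside, remote = self.flow_ids(pkt, incoming=False)
        key = (pkt["src"], inside, pkt["dst"], remote, pkt["proto"])
        nat_id = self.out_table.get(key)
        if nat_id is None:
            nat_id = self.next_port
            self.next_port += 1
            self.out_table[key] = nat_id
            self.in_table[(nat_id, pkt["dst"], remote, pkt["proto"])] = (pkt["src"], inside)
        return self.set_inside_id({**pkt, "src": self.G}, nat_id, incoming=False)

    def incoming(self, pkt):
        """Translate a reply back to the private address and original port/id."""
        if pkt["dst"] != self.G:
            return None
        inside, remote = self.flow_ids(pkt, incoming=True)
        binding = self.in_table.get((inside, pkt["src"], remote, pkt["proto"]))
        if binding is None:
            return None            # no row: unsolicited traffic from the Internet is dropped
        src, orig_id = binding
        return self.set_inside_id({**pkt, "dst": src}, orig_id, incoming=True)

    def incoming_icmp_error(self, err):
        """A destination unreachable from the Internet is addressed to G and carries the
        header of the outgoing datagram that triggered it.  NAT finds the row from that
        embedded header, then rewrites both the outer destination and the embedded
        header before handing the error to the internal host.  Returns None when the
        error belongs to the NAT box itself (handled locally) or matches no row."""
        emb = err["embedded"]
        if err["dst"] != self.G or emb["src"] != self.G:
            return None
        inside, remote = self.flow_ids(emb, incoming=False)
        binding = self.in_table.get((inside, emb["dst"], remote, emb["proto"]))
        if binding is None:
            return None
        src, orig_id = binding
        fixed = self.set_inside_id({**emb, "src": src}, orig_id, incoming=False)
        return {**err, "dst": src, "embedded": fixed}

if __name__ == "__main__":
    n = Napt("203.0.113.1")
    print(n.outgoing({"proto": "tcp", "src": "10.0.0.1", "sport": 5000,
                      "dst": "192.0.2.80", "dport": 80}))
    print(n.outgoing({"proto": "tcp", "src": "10.0.0.2", "sport": 5000,
                      "dst": "192.0.2.80", "dport": 80}))
    print(n.incoming({"proto": "tcp", "src": "192.0.2.80", "sport": 80,
                      "dst": "203.0.113.1", "dport": 40001}))
```

Without the embedded-header rewrite the internal host's TCP stack would see an error about a connection from 203.0.113.1:40000 that it never opened and ignore it; translating the copy is what lets the error reach the right socket.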
Interaction Between NAT and
Applications
• NAT does not work with applications that send IP
addresses or protocol ports as data
– unless NAT is programmed to recognize the application
(like FTP) and make changes in the data
– most implementations of NAT only recognize a few
standard services
Slirp and Masquerade
• Two implementations of NAT came from UNIX
– slirp
• A computer with a private address dials in
• The computer starts PPP and gets access to the Internet
– masquerade
• Can be configured to operate like a router between two
networks
Summary
• A VPN allows an organization to use the Internet to
connect to multiple sites
• It uses encryption to guarantee privacy
• A VPN can be isolated or hybrid
• To communicate between hosts in different address
domains
– application gateways
• act like a proxy, receiving requests from a host in one domain and
relaying them to a host in a different domain
– NAT provides access to the Internet from a host with a private
address
For Next Time
• Read Chapter 21