VPN and NAT
• We have been viewing the Internet as a collection of
interconnected networks
• In reality, many organizations have private internets
interconnected by the Internet
[Figure: Organization A’s private network and Organization B’s private network, each connected to the Internet]
A Single-Level Internet
• A collection of interconnected networks:
A Single-Level Internet (cont)
• Problem: privacy
[Figure: Site 1 and Site 2 of Organization A, connected only through the Internet]
Solution #1
• A private network – an isolated TCP/IP
internet separate from the Internet
– Can use arbitrary IP addresses (usually private IPs)
[Figure: Organization A’s private network, isolated from the Internet]
Solution #2
• A hybrid network:
– Use globally valid IP addresses
– Internal hosts can communicate with hosts on the
Internet
– Communications among internal hosts are private
Solution #3
• A Virtual Private Network (VPN):
– Communication between any pair of computers in the
VPN remains private
– Virtual – uses the Internet to carry traffic from one part
of the VPN to another
[Figure: VPN tunnel across the Internet between Site 1 and Site 2 of Organization A]
A Virtual Private Network
• How it works:
– Tunneling: agreement by two routers to exchange
datagrams
• IP-in-IP encapsulation
– Encryption: the encapsulated datagram is scrambled so
that intermediate hosts/routers cannot read it
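The tunneling half of the mechanism above (IP-in-IP encapsulation, protocol number 4) as an added worked example; this is not code from the slides. It builds the inner datagram that the slides describe (here constructed as 128.10.2.1 to 128.210.0.5, host addresses inside the two networks the later routing example names), wraps it in an outer datagram between the two tunnel routers (the tunnel endpoint addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders, since the slides give none), and unwraps it at the far end, refusing outer datagrams that are not IP-in-IP or do not come from the configured peer. The encryption step the slides list as the second ingredient is not shown.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation


def ip_checksum(data: bytes) -> int:
    """16-bit ones-complement checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # checksum field sits at bytes 10-11; it is computed over the header with that field zeroed
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate an IPv4 header and return its addresses, protocol and payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 datagram")
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    # a header with a correct checksum sums to zero when checksummed again
    if (packet[0] >> 4) != 4 or ihl < 20 or ip_checksum(header) != 0:
        raise ValueError("malformed IPv4 header")
    total_len = struct.unpack("!H", header[2:4])[0]
    return {
        "src": socket.inet_ntoa(header[12:16]),
        "dst": socket.inet_ntoa(header[16:20]),
        "proto": header[9],
        "payload": packet[ihl:total_len],
    }


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry router: the whole inner datagram becomes the outer payload."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, expected_peer: str) -> bytes:
    """Tunnel exit router: strip the outer header and hand back the inner datagram."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    if o["src"] != expected_peer:
        # only the configured tunnel peer may inject datagrams into the private network
        raise ValueError("outer datagram is not from the configured tunnel peer")
    inner = o["payload"]
    parse_ipv4(inner)  # validate the inner header before it is forwarded internally
    return inner


if __name__ == "__main__":
    # constructed sample: an internal datagram carried between the two sites
    inner = build_ipv4("128.10.2.1", "128.210.0.5", 17, b"hello")
    outer = encapsulate(inner, "192.0.2.1", "198.51.100.1")
    print(len(inner), "byte inner datagram inside", len(outer), "byte outer datagram")
    print("recovered inner datagram matches:", decapsulate(outer, "192.0.2.1") == inner)
```

The peer check in decapsulate is the part a practitioner should not drop: without it, any host on the Internet that can reach the tunnel endpoint could hand the router an outer datagram with a forged inner source address and have it delivered as if it had come from the other site.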
VPN – Addressing and Routing
• A hybrid network
• The VPN tunnel replaces the leased circuit
VPN – Addressing and Routing (cont)
• Example: a datagram from 128.10.2.0 to 128.210.0.0:
– Sent to R2, then R1, then tunneled to R3, then R4
Distributed Private Network
• VPN can be used to create a distributed private
network:
– Internal hosts are isolated from Internet
– Hosts can be assigned private addresses
– Each site needs one globally valid IP address for
tunneling
Distributed Hybrid Network
• Internal hosts can communicate with hosts on the
Internet
• Communications among internal hosts are private
• How to make it work?
Application Gateways
• An application gateway is a program that acts as
a middleman for a particular service
• Typically run on multi-homed host that is the
gateway between internal hosts and the Internet
– Internal hosts send requests to the application gateway
– Application gateway passes the request to the
destination host
– Destination host sends reply to the application gateway
– Application gateway passes reply to originating internal
host
Application Gateways
• Advantage:
– Does not require changes to:
• The network infrastructure
• The addressing scheme
• Disadvantage:
– Not general:
• Each application gateway handles a specific service
• A different application gateway program is required
for each different service
Network Address Translation
• Network Address Translation (NAT) is software
that translates addresses in incoming and outgoing
datagrams
– P = private address
– G = globally-valid IP address
[Figure: Organization A’s private network (private addresses P) – NAT box – Internet (globally valid address G)]
NAT (cont)
• The NAT box acts as a middleman between
internal and external hosts:
– Outgoing datagrams:
• Source IP address is replaced with G
– Incoming datagrams:
• Destination IP address is replaced with the private IP
address of the correct host
– How does the NAT box know which is the “correct” host
when it receives a reply from an external host?
NAT Translation Table
• The NAT software maintains a translation table that tells it what
internal hosts are communicating with what external hosts
External IP Address    Internal IP Address
134.126.24.210         10.1.0.1
134.126.14.32          10.1.0.3
134.126.8.7            10.2.0.2
134.126.43.111         10.1.0.8
• When a datagram arrives from 134.126.14.32 the destination address
should be translated to 10.1.0.3
Translation Table Initialization
• How (and when) are entries placed in the
translation table?
– Manually
• Good: permanent mappings, connections can
originate either inside or outside
• Bad: difficult to maintain
Translation Table Initialization (cont)
• How (and when) are entries placed in the
translation table?
– During translation of outgoing datagrams
• Good: automatic
• Bad: external hosts cannot initiate connections
Translation Table Initialization (cont)
• How (and when) are entries placed in the
translation table?
– In response to an incoming name lookup
• Good:
– Automatic
– External hosts can initiate connections
• Bad:
– Requires modification to DNS server software
– External hosts must perform a name lookup prior to
sending datagrams to internal hosts
Shortcoming of NAT Translation Table
• What if two different internal hosts want to
communicate with the same external host
(134.126.24.210)?
– Not clear which one to send replies to:
External IP Address    Internal IP Address
134.126.24.210         10.1.0.1
134.126.14.32          10.1.0.3
134.126.24.210         10.2.0.2
134.126.43.111         10.1.0.8
Network Address Port Translation
• Network Address Port Translation (NAPT) expands the
table to include additional fields:
• Note: two internal hosts (10.0.0.5 and 10.0.0.1) are both
accessing port 80 on 128.10.19.20
– NAPT translates both addresses and ports to avoid ambiguity
Network Address Port Translation (cont)
• Note: both the IP address and the port number are translated:
– Datagrams from port 21023 on 10.0.0.5 are sent to 128.10.19.20 as if they
came from port 14003 on the NAT box
– Replies from 128.10.19.20 to port 14003 on the NAT box are forwarded to
10.0.0.5
– Datagrams from port 386 on 10.0.0.1 are sent to 128.10.19.20 as if they
came from port 14010 on the NAT box
– Replies from 128.10.19.20 to port 14010 on the NAT box are forwarded to
10.0.0.1
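The address-only table from the "Shortcoming of NAT Translation Table" slide and the port-extended NAPT table described just above, as an added example that is not part of the slides. AddressOnlyNat reproduces the ambiguity: once 10.1.0.1 and 10.2.0.2 have both talked to 134.126.24.210, a reply from that host matches two internal hosts. Napt keys its table on the external host and port plus the port it assigned on the NAT box, so each reply maps to exactly one internal (address, port) pair, and a datagram with no matching entry is dropped, which is the "external hosts cannot initiate connections" behaviour of automatically populated tables. The NAT box's global address 203.0.113.1 is a constructed placeholder, and translated ports are handed out sequentially from 14003, so the second flow receives 14004 rather than the 14010 shown on the slide.

```python
class AddressOnlyNat:
    """Translation table with only (external IP, internal IP), as on the slides."""

    def __init__(self, global_ip: str):
        self.global_ip = global_ip
        self.table = []  # list of (external_ip, internal_ip) entries

    def outgoing(self, src_ip: str, dst_ip: str):
        """Record the mapping during translation of an outgoing datagram."""
        if (dst_ip, src_ip) not in self.table:
            self.table.append((dst_ip, src_ip))
        return (self.global_ip, dst_ip)  # source rewritten to G

    def incoming_candidates(self, ext_ip: str):
        """Internal hosts a reply from ext_ip could belong to; more than one is ambiguous."""
        return [internal for external, internal in self.table if external == ext_ip]


class Napt:
    """Network Address Port Translation: table extended with port numbers."""

    def __init__(self, global_ip: str, first_port: int = 14003):
        self.global_ip = global_ip
        self.next_port = first_port
        # (internal ip, internal port, external ip, external port) -> port used on the NAT box
        self.outbound = {}
        # (NAT-box port, external ip, external port) -> (internal ip, internal port)
        self.inbound = {}

    def outgoing(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an outgoing datagram's source address and port, creating a mapping if needed."""
        key = (src_ip, src_port, dst_ip, dst_port)
        nat_port = self.outbound.get(key)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.outbound[key] = nat_port
            self.inbound[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.global_ip, nat_port, dst_ip, dst_port)

    def incoming(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Rewrite an incoming datagram's destination, or return None to drop it."""
        if dst_ip != self.global_ip:
            return None
        target = self.inbound.get((dst_port, src_ip, src_port))
        if target is None:
            return None  # no mapping: unsolicited inbound traffic is dropped
        int_ip, int_port = target
        return (src_ip, src_port, int_ip, int_port)


if __name__ == "__main__":
    # constructed sample traffic using the hosts named on the slides
    nat = AddressOnlyNat("203.0.113.1")
    nat.outgoing("10.1.0.1", "134.126.24.210")
    nat.outgoing("10.2.0.2", "134.126.24.210")
    print("address-only NAT candidates for a reply:", nat.incoming_candidates("134.126.24.210"))

    napt = Napt("203.0.113.1")
    print(napt.outgoing("10.0.0.5", 21023, "128.10.19.20", 80))
    print(napt.outgoing("10.0.0.1", 386, "128.10.19.20", 80))
    print(napt.incoming("128.10.19.20", 80, "203.0.113.1", 14003))
    print(napt.incoming("128.10.19.20", 80, "203.0.113.1", 14004))
    print(napt.incoming("128.10.19.20", 80, "203.0.113.1", 15000))  # no mapping -> None
```

Note that the inbound key includes the external host's address and port, not just the NAT-box port: a datagram from a different external host aimed at port 14003 finds no entry and is dropped, so a mapping created by one conversation cannot be reused by an unrelated sender.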
NAT (cont)
• Advantages:
– General: internal hosts can access an arbitrary service
on an external host
– Transparent to internal and external hosts
– Helps conserve IP addresses
– Shields internal host IP addresses
• Disadvantage:
– Interaction with higher-layer protocols
• ICMP
• FTP
Summary
• A Virtual Private Network (VPN) sends data
across the Internet, but encrypts intersite
transmissions to guarantee privacy
• Network Address Translation (NAT) provides
transparent IP-level access to the Internet from a
host with a private address
– There are variants of NAT, including Network Address
Port Translation (NAPT), which translates protocol
port numbers as well as IP addresses