
Lecture powerpoints from the recommended textbook are by Lami Kaya, [email protected].
Lecture powerpoints are © 2009 Pearson Education Inc.
Their content has sometimes been edited by Andy Brooks.
NET0183 Networks and Communications
Lectures 21 and 22
Support Protocols: DHCP and NAT
8/25/2009
NET0183 Networks and Communications
by Dr Andy Brooks
1
The recommended textbook is Computer Networks and Internets by Douglas E. Comer
http://www.coursesmart.com/0136066992/?a=1773944
www.pearson-books.com/student (for additional discounts and offers)
23.10 Protocol Software, Parameters, and Configuration
• When a host or router is powered on, the operating system
(OS) is started and the protocol software is initialized.
• For a router, the configuration manager loads a saved
configuration which specifies initial values for items such as:
– the IP address for each network connection
– the protocol software to run
– the forwarding table
• For a host, the configuration process is known as
bootstrapping.
– A protocol, known as the Bootstrap Protocol (BOOTP), was invented
to allow a host to obtain multiple parameters with a single request.
– Currently, DHCP is used to take care of most of the configuration.
© 2009 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.
3
Cisco IOS
Wikipedia, 6 March 2010
“Cisco IOS (originally Internetwork Operating System) is the
software used on the vast majority of Cisco Systems routers and
current Cisco network switches. (Earlier switches ran CatOS). IOS is
a package of routing, switching, internetworking and
telecommunications functions tightly integrated with a multitasking
operating system. The first IOS was written by William Yeager.
Cisco IOS has a characteristic command line interface (CLI), whose
style has been widely copied by other networking products.”
23.11 Dynamic Host Configuration Protocol (DHCP)
• BOOTP required manual administration.
• DHCP allows a computer to join a new network and obtain
an IP address automatically.
– the concept has been termed plug-and-play networking
“DHCP allows a computer to move to a new network and
obtain configuration information without requiring an
administrator to make manual changes to a database.”
Douglas E. Comer
23.11 Dynamic Host Configuration Protocol (DHCP)
• When a computer boots
– the client computer broadcasts a DHCP Request
– the server sends a DHCP Reply
• DHCP uses the term offer to denote the message a server sends, and we say that
the server is offering an address to the client.
• We can configure a DHCP server to supply two types of
addresses:
– permanently assigned addresses as provided by BOOTP or
– a pool of dynamic addresses to be allocated on demand
• Typically, a permanent address is assigned to a server, and
a dynamic address is assigned to an arbitrary host.
• Addresses assigned on demand are not given out for an
arbitrary length of time.
A network administrator specifies the lease time for a dynamic IP address.
Cisco IOS DHCP Server
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html#wp4363
“Dynamic Host Control Protocol (DHCP) enables you to automatically
assign reusable IP addresses to DHCP clients. The Cisco IOS DHCP Server
feature is a full DHCP server implementation that assigns and manages
IP addresses from specified address pools within the router to DHCP
clients. If the Cisco IOS DHCP Server cannot satisfy a DHCP request from
its own database, it can forward the request to one or more secondary
DHCP servers defined by the network administrator.
Figure 1 shows the basic steps that occur when a DHCP client requests
an IP address from a DHCP server. The client, Host A, sends a
DHCPDISCOVER broadcast message to locate a Cisco IOS DHCP Server. A
DHCP server offers configuration parameters (such as an IP address, a
MAC address, a domain name, and a lease for the IP address) to the
client in a DHCPOFFER unicast message.”
Cisco IOS DHCP Server
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html#wp4363
Figure 1 DHCP Request for an IP Address from a DHCP Server
The DHCPREQUEST is broadcast so that all DHCP servers know which offer the client
has accepted. (A client can receive DHCP offers from multiple DHCP servers.)
acknowledgement/confirmation
Cisco IOS DHCP Server
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html#wp4363
“A DHCP client may receive offers from multiple DHCP servers and
can accept any one of the offers; however, the client usually
accepts the first offer it receives. Additionally, the offer from the
DHCP server is not a guarantee that the IP address will be allocated
to the client; however, the server usually reserves the address until
the client has had a chance to formally request the address.”
“The client returns a formal request for the offered IP address to
the DHCP server in a DHCPREQUEST broadcast message. The DHCP
server confirms that the IP address has been allocated to the client
by returning a DHCPACK unicast message to the client.”
Cisco IOS DHCP Server
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/Easyip2.html#wp4363
“The formal request for the offered IP address (the DHCPREQUEST message)
that is sent by the client is broadcast so that all other DHCP servers that
received the DHCPDISCOVER broadcast message from the client can reclaim
the IP addresses that they offered to the client.”
“If the configuration parameters sent to the client in the DHCPOFFER unicast
message by the DHCP server are invalid (a misconfiguration error exists), the
client returns a DHCPDECLINE broadcast message to the DHCP server.”
“The DHCP server will send to the client a DHCPNAK denial broadcast message,
which means the offered configuration parameters have not been assigned, if
an error has occurred during the negotiation of the parameters or the client
has been slow in responding to the DHCPOFFER message (the DHCP server
assigned the parameters to another client) of the DHCP server.”
A NAK is a negative acknowledgement from the DHCP server.
23.11 Dynamic Host Configuration Protocol (DHCP)
• DHCP issues a lease on the address for a finite period.
• The use of leases allows a DHCP server to reclaim
addresses. When the lease expires the DHCP server places
the address back in the pool of available addresses.
• When a lease expires, a host can choose to relinquish the
address or renegotiate with DHCP to extend the lease.
– Negotiation occurs concurrently with other activity.
• Normally, DHCP approves each lease extension.
– However, a server may be configured to deny lease extension for
administrative or technical reasons.
• For example, if leases were not claimed back each time a student laboratory
finishes, after several consecutive laboratories, addresses might run out.
• DHCP grants absolute control of leasing to a server. If a
server denies an extension request, the host must stop
using the address.
End-users whose computers coordinate with a DHCP server
to obtain an IP address normally do not need to worry about
their IP address expiring.
Note that a client can ask a DHCP server to allocate the
previously allocated IP address.
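The server side of the exchange described on the preceding slides (an OFFER reserved until the client REQUESTs it, reclaiming an address when the client accepted another server's offer, a NAK for an address that was never offered to that client, an administrator-chosen lease time, renewal that a server may be configured to deny, DECLINE of an unusable address, and a client reusing its previous address), as an added example that is not part of the lecture, the textbook or Cisco IOS. The class, the message dictionaries and the MAC/IP values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Lease:
    mac: str
    ip: str
    expires: float                              # absolute time at which the lease runs out


class DhcpServer:
    """Toy DHCP server (constructed example): a pool of dynamic addresses plus
    permanently assigned (BOOTP-style) addresses, offers that stay reserved until
    the client formally REQUESTs them, and finite leases that may be renewed."""

    def __init__(self, pool, lease_time, permanent=None, renewable=True):
        self.free = list(pool)                  # dynamic addresses not currently in use
        self.lease_time = lease_time            # lease time set by the administrator
        self.permanent = dict(permanent or {})  # MAC -> permanently assigned address
        self.renewable = renewable              # policy: may a lease be extended?
        self.offers = {}                        # xid -> (mac, ip) reserved, awaiting REQUEST
        self.leases = {}                        # ip -> Lease currently in force
        self.declined = set()                   # addresses a client reported as unusable

    def _reclaim_expired(self, now):
        """Expired leases go back into the pool (permanent addresses never do)."""
        for ip, lease in list(self.leases.items()):
            if lease.expires <= now:
                del self.leases[ip]
                if lease.mac not in self.permanent:
                    self.free.append(ip)

    def discover(self, mac, xid, now):
        """DHCPDISCOVER -> DHCPOFFER dict, or None when no address is available."""
        self._reclaim_expired(now)
        held = [l.ip for l in self.leases.values() if l.mac == mac]
        if mac in self.permanent:
            ip = self.permanent[mac]
        elif held:
            ip = held[0]                        # client may ask for its previous address
        elif self.free:
            ip = self.free.pop(0)
        else:
            return None
        self.offers[xid] = (mac, ip)            # reserved until the client REQUESTs it
        return {"type": "DHCPOFFER", "xid": xid, "yiaddr": ip, "lease": self.lease_time}

    def request(self, mac, xid, ip, now):
        """DHCPREQUEST -> DHCPACK, DHCPNAK, or None when the client chose another server."""
        self._reclaim_expired(now)
        offer = self.offers.pop(xid, None)
        if offer is not None and offer[1] != ip:
            self.free.append(offer[1])          # client took another offer: reclaim ours
            return None
        current = self.leases.get(ip)
        if current is not None and current.mac == mac:   # renewal of an existing lease
            if not self.renewable:                         # administrative denial
                return {"type": "DHCPNAK", "xid": xid}
            current.expires = now + self.lease_time
            return {"type": "DHCPACK", "xid": xid, "yiaddr": ip, "lease": self.lease_time}
        if offer != (mac, ip) or current is not None or ip in self.declined:
            # never offered to this client, or meanwhile given to another client
            return {"type": "DHCPNAK", "xid": xid}
        self.leases[ip] = Lease(mac, ip, now + self.lease_time)
        return {"type": "DHCPACK", "xid": xid, "yiaddr": ip, "lease": self.lease_time}

    def decline(self, mac, ip):
        """DHCPDECLINE: the client found the address unusable; keep it out of the pool."""
        lease = self.leases.get(ip)
        if lease is not None and lease.mac != mac:
            return                              # not this client's address to decline
        self.leases.pop(ip, None)
        self.declined.add(ip)                   # quarantined until an administrator checks it
```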
23.12 DHCP Protocol Operation and Optimizations
• DHCP includes several optimizing features:
• DHCP is designed to ensure that missing or duplicate
packets do not result in misconfiguration.
– If no response is received a host retransmits its request.
– If a duplicate response arrives, a host ignores the extra copy.
• Once a host finds a DHCP server, the host caches the
server's address, making the process of lease renewal
efficient.
• DHCP takes steps to prevent synchronized requests by
requiring each host to delay a random amount of time
before transmitting a request.
– Otherwise synchronized requests could occur if all the computers on
a network rebooted at the same time after a power failure.
23.13 DHCP Message Format
• DHCP is a modified version of the BOOTP message format.
• Figure 23.8 illustrates the DHCP message format
– OP specifies whether the message is a Request (“1”) or a Response (“2”)
– HTYPE and HLEN fields specify the network hardware type and the length
of a hardware address
• HTYPE = “1” for 10 Mb Ethernet and HLEN = “6” for 10 Mb Ethernet
– HOPS specifies how many servers forwarded the request
– TRANSACTION IDENTIFIER provides a value that a client can use to
determine if an incoming response matches its request
– SECONDS ELAPSED specifies how many seconds have elapsed since the
host began to boot
– FLAGS specifies whether the client can receive broadcast or directed replies
• Except for OPTIONS, each field in a DHCP message has a
fixed size.
23.13 DHCP Message Format
Figure 23.8 The DHCP message format
23.13 DHCP Message Format
• Later fields in the message are used in a response to carry
information back to the host that sent a request.
– If a host does not know its IP address, the server uses field YOUR IP
ADDRESS to supply the value.
– SERVER IP ADDRESS and SERVER HOST NAME give the host
information about the location of a server.
– ROUTER IP ADDRESS contains the IP address of a default router.
• DHCP allows a computer to negotiate to find a boot image.
– To do so, the host fills in field BOOT FILE NAME with a request.
– The DHCP server does not send an image. BOOT FILE NAME is
used to return the name of the file. A host will use a separate
protocol (e.g. TFTP) to download the image.
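A parser for the message format described on the two slides above (the fixed-size fields OP, HTYPE, HLEN, HOPS, TRANSACTION IDENTIFIER, SECONDS ELAPSED, FLAGS, the four IP address fields, CLIENT HARDWARE ADDRESS, SERVER HOST NAME and BOOT FILE NAME, followed by the variable-size OPTIONS), as an added example that is not from the textbook or the lecture. It rejects truncated messages and option lengths that run past the buffer instead of reading beyond it, and a constructed DHCPDISCOVER is built inline so it runs offline; the field names used as dictionary keys are the RFC 2131 names, so the slide's ROUTER IP ADDRESS appears as giaddr.

```python
import struct

# Fixed-size BOOTP/DHCP header (236 bytes): OP, HTYPE, HLEN, HOPS, TRANSACTION ID,
# SECONDS ELAPSED, FLAGS, CLIENT IP, YOUR IP, SERVER IP, ROUTER (relay) IP,
# CLIENT HARDWARE ADDRESS, SERVER HOST NAME, BOOT FILE NAME; OPTIONS follow it.
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks DHCP (not plain BOOTP) options
OP_NAMES = {1: "REQUEST", 2: "RESPONSE"}
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}


def _ip(b):
    return ".".join(str(x) for x in b)


def _cstr(b):                               # NUL-terminated text field
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_dhcp(pkt):
    """Parse one DHCP message into a dict; raises ValueError on anything malformed."""
    if len(pkt) < FIXED.size + len(MAGIC_COOKIE):
        raise ValueError("message shorter than the fixed header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = FIXED.unpack_from(pkt)
    if hlen > 16:
        raise ValueError("HLEN exceeds the 16-byte CLIENT HARDWARE ADDRESS field")
    msg = {"op": OP_NAMES.get(op, op), "htype": htype, "hlen": hlen, "hops": hops,
           "xid": xid, "secs": secs, "broadcast": bool(flags & 0x8000),
           "ciaddr": _ip(ciaddr), "yiaddr": _ip(yiaddr), "siaddr": _ip(siaddr),
           "giaddr": _ip(giaddr), "chaddr": chaddr[:hlen].hex(":"),
           "sname": _cstr(sname), "file": _cstr(file), "options": {}}
    rest = pkt[FIXED.size:]
    if rest[:4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP or garbage")
    i = 4
    while i < len(rest):                    # options are tag, length, value
        tag = rest[i]
        if tag == 255:                      # END
            break
        if tag == 0:                        # PAD
            i += 1
            continue
        if i + 2 > len(rest):
            raise ValueError("option header runs past the end of the message")
        length = rest[i + 1]
        value = rest[i + 2:i + 2 + length]
        if len(value) != length:            # length field points past the buffer
            raise ValueError("option %d truncated" % tag)
        msg["options"][tag] = value
        i += 2 + length
    if 53 in msg["options"] and len(msg["options"][53]) == 1:
        msg["message_type"] = MSG_TYPES.get(msg["options"][53][0], "unknown")
    return msg


def is_well_formed(pkt):
    """True when parse_dhcp accepts the message; a cheap pre-filter for a server."""
    try:
        parse_dhcp(pkt)
        return True
    except ValueError:
        return False


def build_discover(xid, mac, secs=0):
    """Constructed DHCPDISCOVER from a booting client: all IP fields zero, broadcast flag set."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero = b"\0" * 4
    fixed = FIXED.pack(1, 1, 6, 0, xid, secs, 0x8000, zero, zero, zero, zero,
                       chaddr, b"\0" * 64, b"\0" * 128)
    # option 53 = message type DISCOVER, option 55 = parameter request list, then END
    options = bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + b"\xff"
    return fixed + MAGIC_COOKIE + options
```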
23.14 Indirect DHCP Server Access Through a Relay
• DHCP broadcasts on the local network to find a server.
• DHCP does not require each individual network to have a
DHCP server.
– Instead, a DHCP relay agent forwards requests and responses
between a client and the DHCP server.
• At least one relay agent must be present on each network
and the relay agent must be configured with the address of
the appropriate DHCP server.
• When the DHCP server responds the relay agent forwards
the response to the client.
• It may seem that using multiple relay agents is no better
than using multiple DHCP servers.
23.14 Indirect DHCP Server Access Through a Relay
• Network managers prefer to manage multiple relay agents
for two reasons:
• First, in a network with one DHCP server and multiple relay
agents, administration of addresses is centralized into a
single device.
– Thus, a network manager does not need to interact with multiple
devices to change the lease policy or determine the current status.
• Second, many commercial routers contain a mechanism
that provides DHCP relay service on all the networks to
which the router attaches.
• Relay agent facilities in a router are usually easy to
configure and the configuration is unlikely to change.
23.15 Network Address Translation (NAT)
• The Internet expanded and addresses became scarce, so
subnet and classless addressing (CIDR) were introduced to
help conserve addresses.
• Another mechanism was invented that allows multiple
computers at a site to share a single, globally valid IP
address, known as Network Address Translation (NAT).
• NAT provides transparent communication.
– A host in the Internet always appears to receive communication from
a single computer rather than from one of many computers at the site.
• NAT runs as an in-line service.
– It must be placed on the connection between the Internet and the site.
• Most implementations embed NAT in another device such as
a Wi-Fi wireless access point or an Internet router.
23.15 Network Address Translation (NAT)
Figure 23.9 The conceptual architecture used with NAT.
NAT
http://foldoc.org/nat
Network Address Translation
A technique in which a router or firewall rewrites the source and/or
destination Internet addresses in a packet as it passes through,
typically to allow multiple hosts to connect to the Internet via a
single external IP address. NAT keeps track of outbound connections
and distributes incoming packets to the correct machine.
23.16 NAT Operation and Private Addresses
• The goal of NAT is to provide an illusion.
• When viewed from the Internet:
– the site appears to consist of a single host computer that has been
assigned a valid IP address
– all datagrams sent from the site appear to originate from one host
– and all datagrams sent to the site appear to be sent to one host
• When viewed from a host in the site the Internet appears to
accept and route private addresses.
• A single IP address cannot be assigned to multiple
computers.
– If two or more computers use the same address conflicts arise
because multiple computers will respond to an ARP “who has this IP
address” request.
23.16 NAT Operation and Private Addresses
• NAT solves the problem by using two types of addresses.
– The NAT device itself is assigned a single globally-valid IP address
as if the NAT device were a host on the Internet.
– Each computer at the site is assigned a unique private address, also
known as a nonroutable address.
• Figure 23.10 (below) lists address blocks that the IETF has
designated as private.
– /x means x is the number of bits in the routing prefix
http://tools.ietf.org/html/rfc1918
23.16 NAT Operation and Private Addresses
• Private addressing is only used inside a site.
• Before a datagram from the site can be allowed onto the
Internet, NAT must translate the private IP into a globally
valid IP address.
• NAT must translate the globally valid IP address in an
incoming packet to a private address before transferring a
datagram to a host at the site.
• The basic NAT provides a two-way translation.
– the source address translation
• as a datagram passes from the site to the Internet and
– the destination address translation
• as a datagram passes from the Internet to the site
23.16 NAT Operation and Private Addresses
Figure 23.11 Illustration of basic NAT translation that
changes the source address of an outgoing datagram and
the destination address of an incoming datagram.
23.16 NAT Operation and Private Addresses
• Most implementations of NAT use a translation table to
store the information needed to rewrite addresses.
– When a packet is being sent out, NAT automatically updates the
translation table.
• Figure 23.12 (below) shows a translation table that
corresponds to the address mapping in Figure 23.11.
23.17 Transport-Layer NAT (NAPT)
• Basic NAT handles situations in which each host at a site
communicates with a unique server in the Internet.
• However, if two hosts at the site attempt to communicate
with the same remote server X,
– the translation table will contain multiple entries for X
– and NAT will not be able to route incoming datagrams
• Basic NAT also fails when two or more applications running
on a given host at a site attempt simultaneous
communication with different destinations on the Internet.
23.17 Transport-Layer NAT (NAPT)
• A variation of NAT, called Network Address and Port
Translation (NAPT) avoids such problems.
– NAPT allows a site to have arbitrary numbers of applications running
on arbitrary hosts, all communicating simultaneously with arbitrary
destinations throughout the Internet.
– Note that most networking professionals assume the term NAT
means NAPT.
• In addition to a table of source and destination addresses,
NAPT uses port numbers to associate each datagram with a
TCP or UDP flow.
– Applications use protocol port numbers to distinguish between
services.
http://www.fatpipe.org/~mjb/Drawings/
port numbers
• Transport Layer protocols such as TCP and UDP specify a
source and destination port number in their packet headers.
– Port numbers are an abstract set of numbers independent of an
operating system. Operating systems use process identifiers, job
names, or task identifiers to refer to processes.
• A port number is a 16-bit unsigned integer (0 to 65535).
• A process associates with a particular port to send and
receive data.
– The process will listen for incoming packets whose destination
port number and IP destination address match that port.
– The process will send out packets whose source port number is
set to that port.
A packet delivered to an abstract port number is delivered to the correct process.
http://skogberg.eu/ia/img/protocolStack.png
Two important protocols in the transport layer are TCP and UDP.
23.17 Transport-Layer NAT (NAPT)
• Instead of stopping at the IP-layer, NAPT operates on
transport-layer headers.
• NAPT entries contain a 4-tuple of source and destination IP
addresses and protocol port numbers.
• To avoid a conflict when the same port number is used to
connect to the same web server, NAPT must choose an
alternative TCP source port.
– Figure 23.13 (below) shows one possibility.
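The translation table of sections 23.16 and 23.17 in working form, as an added example that is not from the textbook or the lecture: a toy NAPT device that refuses to translate a source address outside the RFC 1918 blocks listed in Figure 23.10, keeps a 4-tuple table so two inside hosts using the same source port to the same server get distinct external ports (the situation of Figure 23.13), maps replies back to the right host, drops unsolicited inbound datagrams for which no entry exists, and accepts a pre-built static entry for an inside server (section 23.18). The class and all addresses are constructed for illustration.

```python
import ipaddress

# The three blocks RFC 1918 designates as private (the content of Figure 23.10).
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True when addr lies in an RFC 1918 block, i.e. must not leave the site untranslated."""
    a = ipaddress.ip_address(addr)
    return any(a in block for block in PRIVATE_BLOCKS)


class Napt:
    """Toy NAPT device (constructed example). Outbound datagrams have their source
    rewritten to (public_ip, external port); inbound datagrams are mapped back via
    the 4-tuple table, or via a static entry pre-configured for an inside server."""

    def __init__(self, public_ip, first_spare_port=40000):
        self.public_ip = public_ip
        self.next_port = first_spare_port
        self.outbound_map = {}   # (proto, in_ip, in_port, dst_ip, dst_port) -> ext_port
        self.inbound_map = {}    # (proto, ext_port, dst_ip, dst_port) -> (in_ip, in_port)
        self.static = {}         # (proto, ext_port) -> (in_ip, in_port) for servers

    def _choose_port(self, proto, preferred, dst_ip, dst_port):
        if (proto, preferred, dst_ip, dst_port) not in self.inbound_map:
            return preferred                     # no clash: keep the host's own source port
        while (proto, self.next_port, dst_ip, dst_port) in self.inbound_map:
            self.next_port += 1                  # clash (Figure 23.13): pick an alternative
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Site -> Internet: returns the rewritten (src_ip, src_port, dst_ip, dst_port)."""
        if not is_private(src_ip):
            raise ValueError("%s is not an RFC 1918 address; refusing to translate" % src_ip)
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        ext_port = self.outbound_map.get(key)
        if ext_port is None:                     # first datagram of a flow: add the mapping
            ext_port = self._choose_port(proto, src_port, dst_ip, dst_port)
            self.outbound_map[key] = ext_port
            self.inbound_map[(proto, ext_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, ext_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Internet -> site, for a datagram addressed to (public_ip, dst_port).
        Returns the rewritten 4-tuple, or None when no mapping exists (dropped)."""
        target = (self.inbound_map.get((proto, dst_port, src_ip, src_port))
                  or self.static.get((proto, dst_port)))
        if target is None:
            return None                          # unsolicited: the table cannot name a host
        in_ip, in_port = target
        return (src_ip, src_port, in_ip, in_port)

    def expose_server(self, proto, ext_port, in_ip, in_port):
        """Pre-build a mapping so connections initiated from the Internet reach a server."""
        self.static[(proto, ext_port)] = (in_ip, in_port)
```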
23.18 NAT and Servers
• A NAT system builds a translation table automatically by
watching outgoing traffic and establishing a new mapping
whenever an application at the site initiates communication.
• Automatic table construction does not work well for
communication initiated from the Internet to the site.
– For example, if multiple computers at a site each run a web server,
the NAT device cannot know which computer should receive an
incoming web connection.
23.18 NAT and Servers
• A variant of NAT called Twice NAT has been created to
allow a site to run multiple servers.
– “When an application on the Internet looks up the domain name of a
computer at the site, the DNS server at the site returns the valid IP
address that has been assigned to the NAT device, and also creates
a new entry in the NAT translation table.”
• The translation table is initialized before the first packet arrives.
• Twice NAT can fail, e.g.:
– when a client application uses the IP address directly without doing a
domain name lookup
– when the client uses a DNS proxy to resolve domain names
proxy server
http://en.wikipedia.org/wiki/Proxy_server 7.3.2010
In computer networks, a proxy server is a server (a computer system
or an application program) that acts as an intermediary for requests
from clients seeking resources from other servers. A client connects to
the proxy server, requesting some service, such as a file, connection,
web page, or other resource, available from a different server. The
proxy server evaluates the request according to its filtering rules. For
example, it may filter traffic by IP address or protocol. If the request is
validated by the filter, the proxy provides the resource by connecting
to the relevant server and requesting the service on behalf of the
client. A proxy server may optionally alter the client's request or the
server's response, and sometimes it may serve the request without
contacting the specified server. In this case, it 'caches' responses from
the remote server, and returns subsequent requests for the same
content directly.
proxy server
http://en.wikipedia.org/wiki/Proxy_server 7.3.2010
A proxy server has many potential purposes, including:
• to keep machines behind it anonymous (mainly for security)
• to speed up access to resources (using caching)
– web proxies are commonly used to cache web pages from a web server
• to apply access policy to network services or content
– e.g. to block undesired sites
• to log usage i.e. to provide company employee Internet usage reporting
23.19 NAT Software and Systems for Use at Home
• NAT is especially useful at a residence or small business
that has a broadband connection
– A set of computers can share the connection without requiring the
customer to purchase additional IP addresses.
• NAT software can make a PC act as a NAT device.
• NAT hardware systems are available at low cost.
– Such systems are usually called wireless routers.
– The terminology is slightly misleading because such routers also
provide wired connections.
• Figure 23.14 illustrates how such a router is connected.
23.19 NAT Software and Systems for Use at Home
Figure 23.14 Illustration of the connections for a “wireless” router.