private network


Private Network Interconnection
• VPN - Virtual Private Networks
• NAT - Network Address Translation
• Describe a 2-level internet architecture
• Private internet connected by public internet/Internet
© MMII JW Ryder
CS 428 Computer Networking
1

Private/Hybrid Networks
• Major drawback to single level architecture -> lack of privacy
• 2 levels distinguish between internal and external datagrams
• Goal is to keep internal datagrams private while still allowing external communications

Private Networks
• Easiest way to guarantee privacy is a completely private network
• Use routers to interconnect networks at each site and leased digital circuits to interconnect sites
• Since there is no outside access, can use own IP addressing scheme

Hybrid Networks
• Gives advantages of both private networks and global Internet connectivity
• Must use globally valid IP addresses
• Connect each site to the Internet
• See hybrid architecture in figure 20.1 on page 390

VPN
• Chief disadvantage of both private and hybrid networks is high cost - leased lines (T1+) are expensive
• Can lower cost by using alternative technologies (frame relay, ATM) or simply connect to the global Internet
• Connecting to global Internet could remove privacy

VPN
• Big Question - How to keep the privacy but keep Internet connectivity?
• Two techniques make VPN possible
  • Tunneling
  • Encryption
• Define a tunnel across the Internet between a router on one side and a router on the other
• Use IP-in-IP encapsulation in tunnel

VPN
• See tunnel figure 20.2 on page 391
• Entire inner datagram including the IP header is encrypted before being placed as the data in the outer datagram
• Describe flow
• “A VPN sends data across the Internet, but encrypts intersite transmissions to guarantee privacy” page 392

VPN Addressing
• Offers an organization same addressing as a private network if hosts do not need Internet connectivity
• If hosts need Internet connectivity then hybrid approach can be used
• In either case the routers that interface with the Internet always need valid IP addresses
• See figure 20.4 on page 393

VPN Addressing
• How can a host provide access to the global Internet without assigning each host a valid IP address?
• 2 general methods
  • Application Gateways
  • Network Address Translation

Application Gateways
• Offers hosts access to Internet services without offering IP level access
• Each site has a multi-homed host (MHH) with a connection to both the Internet and the private network
• MHH runs a set of programs called Application Gateways

Application Gateways
• Each AG handles 1 service
• Hosts send datagrams to AG on MHH
• MHH accesses the service on the Internet
• MHH relays responses back to host on private network
• Example: E-mail gateway

Application Gateways
• Advantage - ability to work without changing underlying structure of private network
• Disadvantage - lack of generality
  • “Each application gateway handles only one specific service; multiple gateways are required for multiple services.”
• AGs do NOT solve problem in a general way

NAT
• Requires a site to have a single connection to the Internet and one valid IP address G
• G assigned to a MHH connected to the Internet that runs NAT software
• A computer running NAT software is known as a NAT Box
• All datagrams flow through NAT box

NAT
• NAT translates both outgoing and incoming addresses
• Outgoing
  • Replace source address with G
• Incoming
  • Replace destination address with private address of host

NAT
• External view - All datagrams come from and go to the NAT box
• Internal view - NAT box appears as a router to the Internet
• Chief advantage - Combination of generality and transparency

NAT
• More general than AGs - Allows arbitrary internal host to access arbitrary service on a host on the Internet
• Transparency - Allows internal host to send and receive datagrams using a private IP address
• “NAT technology provides transparent IP-level access to the Internet from a host with a private address.”

NAT Translation
• Each entry specifies 2 items
  • IP address of host on Internet
  • IP address of host on private network
• Example incoming/outgoing
• Table must be in place before datagram arrives in from Internet
  • Why?

NAT Translation
• How/When is table initialized
  • Manual - network administrator
  • Outgoing Datagrams - side effect of sending datagrams
  • Incoming DNS lookup - side effect of DNS lookup
• When host on Internet does a DNS lookup of internal host, DNS software creates entry in translation table then answers request by sending G

NAT Translation
• Manual
  • Advantage - IP datagrams in either direction any time
• Outgoing
  • Advantage - Automatic
  • Disadvantage - Comm. can’t be initiated by outside
• Incoming DNS lookups
  • Requires modifying DNS software
  • Accommodates initiating communication from outside
  • Only works if DNS used

NAT
• Most implementations use outgoing method
• Example on figure 20.5 on page 396
• NAT permits ISP to assign private addresses

Multi-Address NAT
• NAT described so far allows a single host on private network to access a single Internet site
• What if 2 local hosts want to access single Internet host?
• External Address Concurrency

Multi-Address NAT
• Assign NAT box multiple Gs
• Multiple accesses of same Internet host map to different Gs
• Still finite number of concurrent accesses

Port-Mapped NAT
• Translate TCP or UDP protocol port numbers too
• Sometimes known as Network Address Port Translation (NAPT)
• Additional table fields
  • Pair of source/destination protocol port numbers
  • Protocol port number used by NAT box

Port-Mapped NAT
• See figure 20.6 on page 397
• 10.0.0.5 and 10.0.0.1 have unique source port numbers but this is NOT guaranteed
  • Maybe they choose same number - application can select it
• To avoid - NAT assigns unique port number to each Internet communication

Port-Mapped NAT
• TCP 4-tuple to represent IP address and port number
• Before sending
  • (10.0.0.5,21023,128.10.19.20,80)
  • (10.0.0.1,386,128.10.19.20,80)
• After NAPT translation
  • (G,14003,128.10.19.20,80)
  • (G,14010,128.10.19.20,80)

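The translation table, the "outgoing" initialization method and the NAT-assigned port from the last few slides, as an added example that is not code from the lecture. It is a small NAPT box simulation: an entry is created as a side effect of the first outbound datagram, every flow gets a port chosen by the NAT box (so two internal hosts that pick the same source port still map to distinct (G, port) pairs), and an inbound datagram with no entry is dropped, which is the answer to the slide's "Why?" about the table having to exist first. The address used for G (192.0.2.1) and the starting NAT port 14003 are constructed choices; the lecture's figure shows 14003 and 14010.

```python
"""Port-mapped NAT (NAPT) box as a small simulation (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# (src_ip, src_port, dst_ip, dst_port), the lecture's 4-tuple
Flow = Tuple[str, int, str, int]


@dataclass
class NaptBox:
    g: str                      # the site's single valid address G (constructed)
    next_port: int = 14003      # next NAT-assigned port (constructed start)
    # private 4-tuple -> NAT-assigned port (outbound lookups)
    out_table: Dict[Flow, int] = field(default_factory=dict)
    # (nat_port, remote_ip, remote_port) -> (private_ip, private_port)
    in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outgoing(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Translate a datagram leaving the private network.

        Source address becomes G and the source port becomes a port chosen
        by the NAT box, so (G, nat_port) is unique per flow even when two
        internal hosts chose the same source port. Creating the entry here
        is the 'outgoing' initialization method.
        """
        key: Flow = (src_ip, src_port, dst_ip, dst_port)
        nat_port = self.out_table.get(key)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.out_table[key] = nat_port
            self.in_table[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.g, nat_port, dst_ip, dst_port)

    def incoming(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Translate a datagram arriving from the Internet.

        Returns None (drop) when no entry matches: the table must already
        be in place, because the destination G alone says nothing about
        which internal host should receive the datagram.
        """
        if dst_ip != self.g:
            return None
        entry = self.in_table.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return (src_ip, src_port, priv_ip, priv_port)


def demo() -> Dict[str, Optional[Flow]]:
    """Walk the lecture's two flows plus the same-source-port case."""
    box = NaptBox(g="192.0.2.1")
    a = box.outgoing("10.0.0.5", 21023, "128.10.19.20", 80)
    b = box.outgoing("10.0.0.1", 386, "128.10.19.20", 80)
    # two hosts that happen to choose the same source port
    c = box.outgoing("10.0.0.5", 5000, "128.10.19.20", 80)
    d = box.outgoing("10.0.0.1", 5000, "128.10.19.20", 80)
    return {
        "a": a,
        "b": b,
        "c": c,
        "d": d,
        "reply_a": box.incoming("128.10.19.20", 80, "192.0.2.1", a[1]),
        "reply_d": box.incoming("128.10.19.20", 80, "192.0.2.1", d[1]),
        # unsolicited datagram: no entry, so the NAT box drops it
        "unsolicited": box.incoming("198.51.100.7", 443, "192.0.2.1", 14003),
    }


if __name__ == "__main__":
    for name, flow in demo().items():
        print(name, flow)
```

The reverse table is keyed on the remote endpoint as well as the NAT port, so a reply is only delivered inward when it comes from the host the internal machine actually contacted; a NAT box that keys on the NAT port alone is more permissive and lets any outside host reach the mapping once it exists.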
Port-Mapped NAT
• Advantage - Generality with single valid IP address
• Disadvantage - Restricts use to TCP or UDP
• “Several variants of NAT exist, including the popular NAPT form that translates protocol port numbers as well as IP addresses.”

NAT and ICMP
• “Straight-forward” changes to IP addresses can cause unexpected problems in higher layer protocols
• NAT doesn’t forward all ICMP messages arriving from Internet
• Example - If routes in NAT box are incorrect, an ICMP redirect message must be handled locally not sent internally to some other host
• Before forwarding to internal host NAT translates ICMP message

NAT and ICMP
• So, NAT must decide whether ICMP message to be forwarded in or handled locally
• ICMP destination unreachable message
  • IP header returned containing source address but G is in it not internal source

NAT and ICMP
• NAT box must first translate address and place it into the ICMP message
• ICMP Checksum is now incorrect, and so is the one in the datagram outer header!!!!
• These must now be recomputed

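The forward-or-handle-locally decision and the checksum recompute from the three ICMP slides, as an added example that is not code from the lecture. It constructs an ICMP Destination Unreachable datagram of the kind a router on the Internet would send back to G (quoting the inner IP header plus 8 bytes of the datagram that failed, which is where the NAT port and G appear), then does what the NAT box must do before forwarding inward: look the quoted header up in the table, rewrite G back to the private source, and recompute the ICMP checksum and the outer IP header checksum. It also recomputes the quoted inner header's own checksum, which the slide does not mention but which changes for the same reason. G, the router, the internal host and the table contents are constructed sample values.

```python
"""NAT handling of an inbound ICMP error, with the checksum recompute (added example)."""
import socket
import struct
from typing import Dict, Optional, Tuple

G = "192.0.2.1"     # the NAT box's single valid address (constructed)
# reverse table as the 'outgoing' method would have built it (constructed):
# (nat_port, remote_ip, remote_port) -> (private_ip, private_port)
IN_TABLE: Dict[Tuple[int, str, int], Tuple[str, int]] = {
    (14003, "128.10.19.20", 80): ("10.0.0.5", 21023),
}
ICMP_ERRORS = (3, 11, 12)     # dest unreachable, time exceeded, parameter problem


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when data already contains it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def with_icmp_checksum(icmp: bytes) -> bytes:
    """Return the ICMP message with its checksum field recomputed."""
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    return zeroed[:2] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[4:]


def sample_error(nat_port: int, router: str = "198.51.100.1") -> bytes:
    """Constructed scenario: G:nat_port -> 128.10.19.20:80 bounced with type 3 code 1."""
    failed = ipv4_header(G, "128.10.19.20", 6, 20) + struct.pack("!HHII", nat_port, 80, 1, 0)
    icmp = with_icmp_checksum(struct.pack("!BBHI", 3, 1, 0, 0) + failed[:28])
    return ipv4_header(router, G, 1, len(icmp)) + icmp


def nat_translate_icmp(datagram: bytes) -> Optional[bytes]:
    """Rewrite an inbound ICMP error for the internal host, or return None
    when the NAT box must handle the message locally (no matching flow)."""
    outer, icmp = datagram[:20], datagram[20:]
    if outer[9] != 1 or icmp[0] not in ICMP_ERRORS or len(icmp) < 36:
        return None
    quoted = icmp[8:]                       # inner IP header + first 8 bytes
    q_src = socket.inet_ntoa(quoted[12:16])
    q_dst = socket.inet_ntoa(quoted[16:20])
    q_sport, q_dport = struct.unpack("!HH", quoted[20:24])
    if q_src != G or quoted[9] not in (6, 17):
        return None
    entry = IN_TABLE.get((q_sport, q_dst, q_dport))
    if entry is None:
        return None                         # not something we sent: handle locally
    priv_ip, priv_port = entry
    # 1. quoted inner header: G -> private address, NAT port -> private port,
    #    then its own header checksum (it changed with the address)
    q = quoted[:12] + socket.inet_aton(priv_ip) + quoted[16:20] + struct.pack("!H", priv_port) + quoted[22:]
    q = q[:10] + struct.pack("!H", inet_checksum(q[:10] + b"\x00\x00" + q[12:20])) + q[12:]
    # 2. ICMP checksum covers the quoted bytes, so it must be recomputed
    new_icmp = with_icmp_checksum(icmp[:8] + q)
    # 3. outer header: destination G -> private host, header checksum again
    return ipv4_header(socket.inet_ntoa(outer[12:16]), priv_ip, 1, len(new_icmp)) + new_icmp


def summarize(datagram: bytes) -> dict:
    """Fields to check after translation, including all three checksums."""
    outer, icmp = datagram[:20], datagram[20:]
    quoted = icmp[8:]
    return {
        "src": socket.inet_ntoa(outer[12:16]),
        "dst": socket.inet_ntoa(outer[16:20]),
        "outer_ok": inet_checksum(outer) == 0,
        "icmp_ok": inet_checksum(icmp) == 0,
        "quoted_src": socket.inet_ntoa(quoted[12:16]),
        "quoted_sport": struct.unpack("!H", quoted[20:22])[0],
        "quoted_ok": inet_checksum(quoted[:20]) == 0,
    }


if __name__ == "__main__":
    print(summarize(sample_error(14003)))
    print(summarize(nat_translate_icmp(sample_error(14003))))
```

An error whose quoted header matches no table entry is returned as None and left for the NAT box itself, the same rule the slides give for a redirect: nothing inside the private network sent the datagram that failed, so no internal host should receive the report.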
NAT and Applications
• Pure NAPT doesn’t work with applications that send IP addresses and port numbers as data
• FTP - TCP application
  • One program obtains port number on local machine, converts it to ASCII and sends it to other host to create TCP connection

NAT and Applications
• NAPT would need to inspect all data and translate as needed for every application protocol as it is designed!
• NAT supports main application protocols such as FTP and Telnet but not all
  • Certainly not our home grown applications

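The FTP case from the two slides above, as an added example that is not code from the lecture. Active-mode FTP sends the client's own address and port as ASCII in a PORT command, "PORT h1,h2,h3,h4,p1,p2" with port = p1*256 + p2. NAPT rewrites only the IP and TCP headers, so the server would read a private address it cannot reach. FtpAlg below does what an FTP-aware NAT box has to do: parse the command, pre-create a table entry for the inbound data connection, and rewrite the payload to G and a NAT-assigned port. G, the client, the server and the ports are constructed sample values.

```python
"""FTP PORT through NAPT: the payload problem and an application-aware fix (added example)."""
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(cmd: bytes) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2\\r\\n' into (ip, port)."""
    m = PORT_RE.match(cmd)
    if m is None:
        raise ValueError("not a PORT command")
    v = [int(x) for x in m.groups()]
    if any(x > 255 for x in v):
        raise ValueError("octet out of range")
    return ".".join(str(x) for x in v[:4]), v[4] * 256 + v[5]


def format_port(ip: str, port: int) -> bytes:
    """Inverse of parse_port."""
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)).encode()


class FtpAlg:
    """Minimal FTP application-level gateway bolted onto a NAPT table."""

    def __init__(self, g: str, first_port: int = 14020):
        self.g = g                            # the site's valid address G (constructed)
        self.next_port = first_port           # NAT-assigned ports (constructed start)
        # (nat_port, server_ip) -> (private_ip, private_port) for the data connection
        self.in_table: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def rewrite_port_command(self, client_ip: str, server_ip: str, payload: bytes) -> Tuple[bytes, int]:
        """Rewrite one PORT command seen on the control connection.

        Returns the new payload and the change in its length. A non-zero
        change means the NAT box must also adjust TCP sequence and
        acknowledgement numbers on that connection from now on, which is
        why payload rewriting is so much more work than header rewriting.
        """
        priv_ip, priv_port = parse_port(payload)
        if priv_ip != client_ip:
            # a PORT naming some other host is refused rather than relayed
            raise ValueError("PORT address does not match the sending host")
        nat_port = self.next_port
        self.next_port += 1
        self.in_table[(nat_port, server_ip)] = (priv_ip, priv_port)
        new_payload = format_port(self.g, nat_port)
        return new_payload, len(new_payload) - len(payload)

    def inbound_data_connection(self, server_ip: str, nat_port: int) -> Optional[Tuple[str, int]]:
        """Where the NAT box delivers the server's connection to (G, nat_port)."""
        return self.in_table.get((nat_port, server_ip))


if __name__ == "__main__":
    alg = FtpAlg("192.0.2.1")
    new, delta = alg.rewrite_port_command("10.0.0.5", "128.10.19.20", b"PORT 10,0,0,5,82,55\r\n")
    print(new, delta, alg.inbound_data_connection("128.10.19.20", 14020))
```

Every such gateway is specific to one protocol's message format, which is the slide's point: an in-house protocol that carries addresses in its payload gets no such help unless someone writes the parser for it.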
Summary
• VPNs guarantee privacy but are expensive
• 2 main technologies used to implement VPN
  • Application Gateways
  • NAT