
CHAPTER 1 IP VERSIONS

1.1 INTRODUCTION

The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite (often called TCP/IP, although not all applications use TCP) to serve billions of users worldwide.

It is a network of networks that consists of millions of private, public, academic, business, and government networks, of local to global scope, that are linked by a broad array of electronic, wireless and optical networking technologies.

The Internet carries an extensive range of information resources and services, such as the inter-linked hypertext documents of the World Wide Web (WWW) and the infrastructure to support email. The Internet allows greater flexibility in working hours and location, especially with the spread of unmetered high-speed connections.

The Internet can be accessed almost anywhere by numerous means, including through mobile Internet devices. Mobile phones, data cards, handheld game consoles and cellular routers allow users to connect to the Internet wirelessly.

Within the limitations imposed by small screens and other limited facilities of such pocket-sized devices, the services of the Internet, including email and the web, may be available. Educational material at all levels from pre-school to post-doctoral is available from websites.

Email is an important communications service available on the Internet. The concept of sending electronic text messages between parties in a way analogous to mailing letters or memos predates the creation of the Internet. Pictures, documents and other files are sent as email attachments.

Internet telephony is another common communications service made possible by the creation of the Internet. VoIP stands for Voice-over-Internet Protocol, referring to the protocol that underlies all Internet communication. The idea began in the early 1990s with walkie-talkie-like voice applications for personal computers. File sharing is an example of transferring large amounts of data across the Internet.

The communications infrastructure of the Internet consists of its hardware components and a system of software layers that control various aspects of the architecture. While the hardware can often be used to support other software systems, it is the design and the rigorous standardization process of the software architecture that characterizes the Internet and provides the foundation for its scalability and success.

The Internet standards describe a framework known as the Internet protocol suite. This is a model architecture that divides methods into a layered system of protocols (RFC 1122, RFC 1123). The layers correspond to the environment or scope in which their services operate.

At the top is the application layer, the space for the application-specific networking methods used in software applications, e.g., a web browser program. Below this top layer, the transport layer connects applications on different hosts via the network (e.g., the client-server model) with appropriate data exchange methods. Underlying these layers are the core networking technologies, consisting of two layers.

The internet layer enables computers to identify and locate each other via Internet Protocol (IP) addresses, and allows them to connect to one another via intermediate (transit) networks. Last, at the bottom of the architecture, is a software layer, the link layer, that provides connectivity between hosts on the same local network link, such as a local area network (LAN) or a dial-up connection. The model is also known as TCP/IP.

Other models have been developed, such as the Open Systems Interconnection (OSI) model, but they are not compatible in the details of description or implementation; many similarities exist and the TCP/IP protocols are usually included in the discussion of OSI networking.

The most prominent component of the Internet model is the Internet Protocol (IP), which provides addressing systems (IP addresses) for computers on the Internet. IP enables internetworking and in essence establishes the Internet itself.

1.2 IP ADDRESS

An Internet Protocol address (IP address) is a numerical label assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication.

An IP address serves two principal functions: host or network interface identification and location addressing. Its role has been characterized as follows: "A name indicates what we seek. An address indicates where it is. A route indicates how to get there."

The designers of the Internet Protocol defined an IP address as a 32-bit number and this system, known as Internet Protocol Version 4 (IPv4), is still in use today. However, due to the enormous growth of the Internet and the predicted depletion of available addresses, a new addressing system (IPv6), using 128 bits for the address, was developed in 1995 and its deployment has been ongoing since the mid-2000s.

IP addresses are binary numbers, but they are usually stored in text files and displayed in human-readable notations, such as 172.16.254.1 (for IPv4), and 2001:db8:0:1234:0:567:8:1 (for IPv6).

The Internet Assigned Numbers Authority (IANA) manages the IP address space allocations globally and delegates five regional Internet registries (RIRs) to allocate IP address blocks to local Internet registries (Internet service providers) and other entities.

1.3 IP VERSIONS

Two versions of the Internet Protocol (IP) are in use:
1) IP Version 4
2) IP Version 6

IPv4 (Internet Protocol version 4) is the fourth revision in the development of the Internet Protocol (IP) and the first version of the protocol to be widely deployed. IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best-effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper-layer transport protocol, such as the Transmission Control Protocol (TCP).

IPv5, also called the Internet Stream Protocol, was developed in the 1980s as an experiment. It was created to transmit audio, video, and simulations over the Internet. While it did gain some popularity with large corporations, it was never used as an official protocol. In its original form, IPv5 was never widely distributed. It was, however, adapted and developed into what's now known as ST2.

IPv6 (Internet Protocol version 6) is a revision of the Internet Protocol (IP) developed by the Internet Engineering Task Force (IETF). IPv6 is intended to succeed IPv4, which is the dominant communications protocol for most Internet traffic as of 2012.

1.4 IP Version 4
IPv4 is a connectionless protocol for use on packet-switched Link Layer networks (e.g., Ethernet). It operates on a best-effort delivery model, in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper-layer transport protocol, such as the Transmission Control Protocol (TCP).

1.4.1 IPV4 HEADER FORMAT

An IP datagram consists of a header part and a text part. The header has a 20-byte fixed part and a variable-length optional part. It is transmitted in big-endian order from left to right, with the high-order bit of the version field going first. The fields, one 32-bit word per row, are:

Word 1: Version | IHL | Type of service | Total length
Word 2: Identification | (unused bit) | DF | MF | Fragment offset
Word 3: Time to live | Protocol | Header checksum
Word 4: Source address
Word 5: Destination address
Words 6 and up: Options (0 or more words)

VERSION FIELD keeps track of which version of the protocol the datagram belongs to. By including the version in each datagram, it becomes possible to have the transition between versions take years, with some machines running the old version and others running the new one. Currently a transition between IPv4 and IPv6 is going on.

IHL: since the header length is not constant, a field in the header, IHL, is provided to tell how long the header is, in 32-bit words. The minimum value is 5, which applies when no options are present. The maximum value of this 4-bit field is 15, which limits the header to 60 bytes, and thus the options field to 40 bytes.

Type of service is one of the few fields that has changed its meaning over the years. It was, and still is, intended to distinguish between different classes of service. Various combinations of reliability and speed are possible. Originally, the 6-bit field contained (from left to right) a three-bit precedence field and three flags, D, T, and R. The precedence field was a priority, from 0 (normal) to 7 (network control packet). The three flag bits allowed the host to specify what it cared most about from the set (Delay, Throughput, Reliability).

Total length includes everything in the datagram, both header and data. The maximum length is 65,535 bytes.

Identification is needed to allow the destination host to determine which datagram a newly arrived fragment belongs to. All the fragments of a datagram contain the same identification value.

Next comes an unused bit and then two 1-bit fields. DF (don't fragment) is an order to the routers not to fragment the datagram because the destination is incapable of putting the pieces back together again. MF (more fragments) is set in all fragments except the last one. It is needed to know when all fragments of a datagram have arrived.

Fragment offset tells where in the current datagram this fragment belongs. All fragments except the last one in a datagram must be a multiple of 8 bytes, the elementary fragment unit. Since 13 bits are provided, there is a maximum of 8192 fragments per datagram, giving a maximum datagram length of 65,536 bytes, one more than the total length field.

Time to live is a counter used to limit packet lifetimes. It is supposed to count time in seconds, allowing a maximum lifetime of 255 seconds. It must be decremented on each hop and is supposed to be decremented multiple times when queued for a long time in a router. When it hits zero the packet is discarded and a warning packet is sent back to the source host. This feature prevents datagrams from wandering around forever, something that otherwise might happen if the routing tables ever become corrupted.

Protocol tells the network layer which transport process to give the datagram to. TCP is one possibility, but so are UDP and some others. The numbering of protocols is global across the entire Internet.

Header checksum verifies the header only. Such a checksum is useful for detecting errors generated by bad memory words inside a router. The algorithm is to add up all the 16-bit halfwords as they arrive, using ones' complement arithmetic, and then take the ones' complement of the result. For purposes of this algorithm, the header checksum field is assumed to be zero upon arrival. This algorithm is more robust than using a normal add.

Source and destination address indicate the network number and host number.

Options was designed to provide an escape to allow subsequent versions of the protocol to include information not present in the original design, to permit experimenters to try out new ideas, and to avoid allocating header bits to information that is rarely needed. The options are of variable length. Each begins with a one-byte code identifying the option. The options field is padded out to a multiple of 4 bytes.
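As an added worked example (it is not part of the original chapter), the following Python builds a constructed 20-byte header, computes the header checksum with the ones' complement algorithm described above, decodes the fields word by word, and shows the per-hop TTL decrement that forces a router to recompute the checksum. The addresses, identification value and TTL in the sample header are constructed for the example.

```python
import socket
import struct
from typing import Optional

# Constructed sample: a 20-byte IPv4 header with no options. Version 4, IHL 5,
# type of service 0, total length 40, identification 0x1c46, DF set, MF clear,
# fragment offset 0, TTL 64, protocol 6 (TCP), 172.16.254.1 -> 192.168.0.1.
# The checksum field (bytes 10-11) is zero here; finalize_header() fills it in.
SAMPLE_HEADER_NO_CKSUM = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0x00, 40, 0x1C46, 0x4000, 64, 6, 0,
    socket.inet_aton("172.16.254.1"), socket.inet_aton("192.168.0.1"),
)


def ipv4_checksum(header: bytes) -> int:
    """Add the 16-bit halfwords in ones' complement arithmetic and return the
    ones' complement of the sum. The checksum field is included as-is, so it
    must be zero when computing and is left in place when verifying."""
    if len(header) % 2:
        header += b"\x00"                    # pad an odd-length buffer
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the end-around carry back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def finalize_header(header: bytes) -> bytes:
    """Return the header with the checksum field recomputed over the other fields."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def verify_checksum(header: bytes) -> bool:
    """An undamaged header sums (checksum field included) to 0xFFFF, whose
    ones' complement is zero."""
    return ipv4_checksum(header) == 0


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte part and any options of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_length = ihl * 4                  # IHL is in 32-bit words: 5..15 -> 20..60 bytes
    if version != 4 or ihl < 5 or len(packet) < header_length:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_length": header_length,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "df": bool(flags_frag & 0x4000),              # don't fragment
        "mf": bool(flags_frag & 0x2000),              # more fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # 13 bits, in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "checksum": cksum,
        "checksum_ok": verify_checksum(packet[:header_length]),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": packet[20:header_length],
    }


def forward_hop(header: bytes) -> Optional[bytes]:
    """What a router does to the header on each hop: drop it if the checksum is
    bad, decrement TTL, drop the datagram when TTL reaches zero (the warning
    packet to the source is not modelled), otherwise recompute the checksum."""
    if not verify_checksum(header):
        return None
    ttl = header[8] - 1
    if ttl <= 0:
        return None
    return finalize_header(header[:8] + bytes([ttl]) + header[9:])
```

Because the checksum covers only the header, a router must recompute it after every TTL decrement; changing the TTL byte without doing so makes the next hop's verification fail, which is exactly the kind of in-router damage the field was designed to catch.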

1.4.2 IPV4 ADDRESSES

Figure: Decomposition of an IPv4 address from dot-decimal notation to its binary value.

In IPv4 an address consists of 32 bits, which limits the address space to 4294967296 (2^32) possible unique addresses. IPv4 reserves some addresses for special purposes such as private networks (~18 million addresses) or multicast addresses (~270 million addresses).

IPv4 addresses are canonically represented in dot-decimal notation, which consists of four decimal numbers, each ranging from 0 to 255, separated by dots, e.g., 172.16.254.1. Each part represents a group of 8 bits (octet) of the address. In some cases of technical writing, IPv4 addresses may be presented in various hexadecimal, octal, or binary representations.

1.4.3 IPV4 SUBNETTING

In the early stages of development of the Internet Protocol, network administrators interpreted an IP address in two parts: a network number portion and a host number portion. The highest-order octet (most significant eight bits) in an address was designated as the network number and the remaining bits were called the rest field or host identifier and were used for host numbering within a network.

This early method soon proved inadequate as additional networks developed that were independent of the existing networks already designated by a network number. In 1981, the Internet addressing specification was revised with the introduction of classful network architecture.

Classful network design allowed for a larger number of individual network assignments and fine-grained sub network design. The first three bits of the most significant octet of an IP address were defined as the class of the address. Three classes (A, B, and C) were defined for universal unicast addressing.

Depending on the class derived, the network identification was based on octet boundary segments of the entire address. Each class used successively additional octets in the network identifier, thus reducing the possible number of hosts in the higher order classes (B and C).

1.5 ADDRESS CLASSES

The Internet community originally defined five address classes to accommodate networks of varying sizes. Microsoft TCP/IP supports class A, B, and C addresses assigned to hosts. The class of address defines which bits are used for the network ID and which bits are used for the host ID. It also defines the possible number of networks and the number of hosts per network.

Class A
Class A addresses are assigned to networks with a very large number of hosts. The high-order bit in a class A address is always set to zero. The next seven bits (completing the first octet) complete the network ID. The remaining 24 bits (the last three octets) represent the host ID. This allows for 126 networks and 16,777,214 hosts per network. Figure 1.4 illustrates the structure of class A addresses.

Class B
Class B addresses are assigned to medium-sized to large-sized networks. The two high-order bits in a class B address are always set to binary 1 0. The next 14 bits (completing the first two octets) complete the network ID. The remaining 16 bits (last two octets) represent the host ID. This allows for 16,384 networks and 65,534 hosts per network. Figure 1.5 illustrates the structure of class B addresses.

Class C
Class C addresses are used for small networks. The three high-order bits in a class C address are always set to binary 1 1 0. The next 21 bits (completing the first three octets) complete the network ID. The remaining 8 bits (last octet) represent the host ID. This allows for 2,097,152 networks and 254 hosts per network. Figure 1.6 illustrates the structure of class C addresses.

Class D
Class D addresses are reserved for IP multicast addresses. The four high-order bits in a class D address are always set to binary 1 1 1 0. The remaining bits are for the address that interested hosts recognize. Microsoft supports class D addresses for applications to multicast data to multicast-capable hosts on an internetwork.

Class E
Class E is an experimental address that is reserved for future use. The high-order bits in a class E address are set to 1111.

Table 1.5.1 IP Address Class Summary

Class   Value for w   Network ID Portion   Host ID Portion   Available Networks   Hosts per Network
A       1-126         w                    x.y.z             126                  16,777,214
B       128-191       w.x                  y.z               16,384               65,534
C       192-223       w.x.y                z                 2,097,152            254

1.6 IPV4 PRIVATE ADDRESSES

Early network design, when global end-to-end connectivity was envisioned for communications with all Internet hosts, intended that IP addresses be uniquely assigned to a particular computer or device. However, it was found that this was not always necessary as private networks developed and public address space needed to be conserved.

Computers not connected to the Internet, such as factory machines that communicate only with each other via TCP/IP, need not have globally unique IP addresses. Today, when needed, such private networks typically connect to the Internet through network address translation (NAT).

IANA-reserved private IPv4 network ranges

Block                              Start         End               No. of addresses
24-bit block (/8 prefix, 1 A)      10.0.0.0      10.255.255.255    16777216
20-bit block (/12 prefix, 16 B)    172.16.0.0    172.31.255.255    1048576
16-bit block (/16 prefix, 256 C)   192.168.0.0   192.168.255.255   65536

Any user may use any of the reserved blocks. Typically, a network administrator will divide a block into subnets; for example, many home routers automatically use a default address range of 192.168.0.0 through 192.168.0.255 (192.168.0.0/24).

1.7 IPV4 ADDRESS EXHAUSTION

IPv4 address exhaustion is the decreasing supply of unallocated Internet Protocol Version 4 (IPv4) addresses available at the Internet Assigned Numbers Authority (IANA) and the regional Internet registries (RIRs) for assignment to end users and local Internet registries, such as Internet service providers.

1.8 Subnet Masking

Subnet masking, or subnetting, is used to break one large group into several smaller subnetworks.

Figure 2-3 IP Address Structure After Subnetting

These subnets can then be distributed throughout an enterprise. This results in less IP address waste and better logical organization. Formalized with RFC 950 in 1985, subnetting introduced a third level of hierarchy to the IPv4 addressing structure. The number of bits available to the network, subnet, and host portions of a given address varies depending on the size of the subnet mask. A subnet mask is a 32-bit number that acts as a counterpart to the IP address. Each bit in the mask corresponds to its counterpart bit in the IP address. Logical ANDing is applied to the address and mask. If a bit in the IP address corresponds to a 1 bit in the subnet mask, the IP address bit represents a network number. If a bit in the IP address corresponds to a 0 bit in the subnet mask, the IP address bit represents a host number.

When the subnet mask is known, it overrides the address class in determining whether a bit is a network bit or a host bit. This allows routers to recognize addresses differently than the format dictated by class. The mask can be used to tell hosts that although their addresses are Class B, the first three octets, instead of the first two, are the network number. In this case, the additional octet acts like part of the network number, but only inside the organization where the mask is configured.

The subnet mask applied to an address ultimately determines the network and host portions of an IP address. The network and host portions change when the subnet mask changes. If a 16-bit mask, 255.255.0.0, is applied to an IP address, only the first 16 bits, or two octets, of the IP address 172.24.100.45 represent the network number. Therefore, the network number for this host address is 172.24.0.0.

Because the rules of class dictate that the first two octets of a Class B address are the network number, this 16-bit mask does not create subnets within the 172.24.0.0 network. To create subnets with this Class B address, a mask must be used that identifies bits in the third or fourth octet as part of the network number.

If a 24-bit mask such as 255.255.255.0 is applied, the first 24 bits of the IP address are specified as the network number. The network number for the host in this example is 172.24.100.0. The gray portion of the address shown in Figure 2-5 indicates this. Routers and hosts configured with this mask see all 8 bits in the third octet as part of the network number. These 8 bits are considered to be the subnet field because they represent network bits beyond the two octets prescribed by classful addressing.

Inside this network, devices configured with a 24-bit mask use the 8 bits of the third octet to determine to what subnet a host belongs. Because 8 bits remain in the host field, 254 hosts may populate each network. Just as hosts must have identical network addresses, they also must match subnet fields to communicate with each other directly. Otherwise, the services of a router must be used so that a host on one network or subnet can talk to a host on another.


A Class B network with an 8-bit subnet field creates 2^8, or 256, potential subnets, each one equivalent to one Class C network. Because 8 bits remain in the host field, 254 hosts may populate each network. Two host addresses are reserved as the network number and broadcast address, respectively. By dividing a Class B network into smaller logical groups, the internetwork can be made more manageable, more efficient, and more scalable.

Notice that subnet masks are not sent as part of an IP packet header. This means that routers outside this network will not know what subnet mask is configured inside the network. An outside router, therefore, treats 172.24.100.45 as just one of 65,000 hosts that belong to the 172.24.0.0 network. In effect, subnetting classful IP addresses provides a logical structure that is hidden from the outside world.
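The following Python, added here as an example rather than taken from the text, turns sections 1.5 and 1.8 into code: it derives the class of an address from its high-order bits, reproduces the network and host counts of Table 1.5.1, and then applies an explicit subnet mask (logical AND) which overrides the class, using the 172.24.100.45 example with the 16-bit and 24-bit masks. Calling it without a mask gives the classful view an outside router has; the mask validation rejects masks whose ones are not contiguous. Addresses other than 172.24.100.45 are constructed for the example.

```python
import socket
import struct
from typing import Optional

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # default network-ID length per class


def to_int(dotted: str) -> int:
    """Dotted-decimal text to a 32-bit integer in network byte order."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def to_dotted(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))


def address_class(dotted: str) -> str:
    """Class from the high-order bits of the first octet: 0 -> A, 10 -> B,
    110 -> C, 1110 -> D (multicast), 1111 -> E (experimental)."""
    w = to_int(dotted) >> 24
    if w >> 7 == 0b0:
        return "A"
    if w >> 6 == 0b10:
        return "B"
    if w >> 5 == 0b110:
        return "C"
    if w >> 4 == 0b1110:
        return "D"
    return "E"


def networks_in_class(cls: str) -> int:
    """Available networks per class as in Table 1.5.1: the class bits are fixed,
    and class A additionally loses network 0 and network 127 (loopback)."""
    fixed_bits = {"A": 1, "B": 2, "C": 3}[cls]
    count = 2 ** (CLASSFUL_PREFIX[cls] - fixed_bits)
    return count - 2 if cls == "A" else count


def mask_from_prefix(prefix_len: int) -> int:
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def prefix_from_mask(mask_dotted: str) -> int:
    """A valid mask is a run of ones followed by a run of zeros."""
    mask = to_int(mask_dotted)
    ones = bin(mask).count("1")
    if mask_from_prefix(ones) != mask:
        raise ValueError("non-contiguous subnet mask: %s" % mask_dotted)
    return ones


def subnet_info(dotted: str, mask_dotted: Optional[str] = None) -> dict:
    """Split an address into network and host parts. Without a mask the class
    decides (what a router outside the organisation sees); with a mask, the
    mask overrides the class and any network bits beyond the classful boundary
    form the subnet field."""
    cls = address_class(dotted)
    if cls not in CLASSFUL_PREFIX:
        raise ValueError("class %s addresses are not unicast host addresses" % cls)
    class_bits = CLASSFUL_PREFIX[cls]
    prefix = class_bits if mask_dotted is None else prefix_from_mask(mask_dotted)
    mask = mask_from_prefix(prefix)
    addr = to_int(dotted)
    network = addr & mask                    # logical AND of address and mask
    subnet_bits = max(prefix - class_bits, 0)
    host_bits = 32 - prefix
    return {
        "class": cls,
        "prefix_length": prefix,
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(network | (~mask & 0xFFFFFFFF)),
        "host_id": to_dotted(addr & ~mask),
        "subnet_bits": subnet_bits,
        "subnets": 2 ** subnet_bits,
        "hosts_per_subnet": 2 ** host_bits - 2,   # minus network and broadcast addresses
    }
```

With the 24-bit mask, subnet_info reports 8 subnet bits, 256 subnets and 254 hosts each for 172.24.100.45; with no mask it reports the classful network 172.24.0.0 with 65,534 hosts, which is all an outside router can see because the mask never travels in the packet header.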

1.9 IP Version 6
IPv6 (Internet Protocol version 6) is a revision of the Internet Protocol (IP) developed by the Internet Engineering Task Force (IETF). IPv6 is intended to succeed IPv4, which is the dominant communications protocol for most Internet traffic as of 2012. IPv6 was developed to deal with the long-anticipated problem of IPv4 running out of addresses. IPv6 implements a new addressing system that allows for far more addresses to be assigned than with IPv4.

Each device on the Internet, such as a computer or mobile telephone, must be assigned an IP address in order to communicate with other devices. With the ever-increasing number of new devices being connected to the Internet, there is a need for more addresses than IPv4 can accommodate. IPv6 uses 128-bit addresses, allowing for 2^128, or approximately 3.4 x 10^38 addresses. IPv4 uses 32-bit addresses, allowing for only 4,294,967,296 addresses worldwide.

1.8.1 IPV6 ADDRESSES

Figure: Decomposition of an IPv6 address from hexadecimal representation to its binary value.

The rapid exhaustion of IPv4 address space, despite conservation techniques, prompted the Internet Engineering Task Force (IETF) to explore new technologies to expand the Internet's addressing capability. The permanent solution was deemed to be a redesign of the Internet Protocol itself.

This next generation of the Internet Protocol, intended to replace IPv4 on the Internet, was eventually named Internet Protocol Version 6 (IPv6) in 1995. The address size was increased from 32 to 128 bits or 16 octets. This, even with a generous assignment of network blocks, is deemed sufficient for the foreseeable future. Mathematically, the new address space provides the potential for a maximum of 2^128, or about 3.403 x 10^38 unique addresses.

The new design is not intended to provide a sufficient quantity of addresses on its own, but rather to allow efficient aggregation of subnet routing prefixes to occur at routing nodes. As a result, routing table sizes are smaller, and the smallest possible individual allocation is a subnet for 2^64 hosts, which is the square of the size of the entire IPv4 Internet. At these levels, actual address utilization rates will be small on any IPv6 network segment.

The new design also provides the opportunity to separate the addressing infrastructure of a network segment (that is, the local administration of the segment's available space) from the addressing prefix used to route external traffic for a network. IPv6 has facilities that automatically change the routing prefix of entire networks, should the global connectivity or the routing policy change, without requiring internal redesign or renumbering.

The large number of IPv6 addresses allows large blocks to be assigned for specific purposes and, where appropriate, to be aggregated for efficient routing. With a large address space, there is not the need to have complex address conservation methods as used in Classless Inter-Domain Routing (CIDR).

Many modern desktop and enterprise server operating systems include native support for the IPv6 protocol, but it is not yet widely deployed in other devices, such as home networking routers, voice over IP (VoIP) and multimedia equipment, and network peripherals.

IPv6 ADDRESSING

IPv6 addresses are 128-bit identifiers for interfaces and sets of interfaces. There are three types of addresses:

Unicast: An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address.

Anycast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one, according to the routing protocols' measure of distance).

Multicast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.
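An added example (not part of the original chapter) of the notation and address types described in this section: the Python below expands the shorthand hexadecimal form into all 128 bits, classifies an address by its high-order bits, and isolates the /64 routing prefix that the earlier paragraphs describe as the smallest allocation. The sample addresses use 2001:db8::/32, the prefix reserved for documentation, together with the loopback and link-local values; anycast addresses are taken from the unicast space and cannot be recognised from the bits alone, which the code states rather than guesses.

```python
import re

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(text: str) -> str:
    """Expand the shorthand forms (leading zeros dropped, a single '::' standing
    for a run of zero groups) into eight 4-digit hexadecimal groups."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(_GROUP.match(g) for g in groups):
        raise ValueError("malformed IPv6 address: %r" % text)
    return ":".join("%04x" % int(g, 16) for g in groups)


def ipv6_to_int(text: str) -> int:
    return int(expand_ipv6(text).replace(":", ""), 16)


def ipv6_from_int(value: int) -> str:
    if not 0 <= value < (1 << 128):
        raise ValueError("value does not fit in 128 bits")
    digits = "%032x" % value
    return ":".join(digits[i:i + 4] for i in range(0, 32, 4))


def to_binary(text: str) -> str:
    """The 128-bit value as a string of bits (the decomposition in the figure)."""
    return "{:0128b}".format(ipv6_to_int(text))


def address_type(text: str) -> str:
    """Classify by high-order bits: ff00::/8 is multicast, fe80::/10 is
    link-local unicast, ::1 is loopback, :: is unspecified. Anycast addresses
    are allocated from the unicast space, so syntax alone cannot reveal them."""
    value = ipv6_to_int(text)
    if value == 0:
        return "unspecified"
    if value == 1:
        return "loopback (unicast)"
    if value >> 120 == 0xFF:
        return "multicast"
    if value >> 118 == 0b1111111010:
        return "link-local unicast"
    return "global unicast"


def routing_prefix(text: str, prefix_len: int = 64) -> str:
    """Zero the interface-identifier bits, leaving the subnet routing prefix
    that routers aggregate on."""
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    return ipv6_from_int(ipv6_to_int(text) & mask)


def interface_ids_in_prefix(prefix_len: int = 64) -> int:
    """Number of interface identifiers inside one prefix (2^64 for a /64)."""
    return 1 << (128 - prefix_len)
```

The parser deliberately rejects a second "::" and groups longer than four hex digits, since an address that expands to more or fewer than 128 bits is the usual way malformed input slips past a lenient string match.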


1.9 COMPARISON BETWEEN IPV4 AND IPV6:

1. IPv4: Addresses are 32 bits (4 bytes) in length.
   IPv6: Addresses are 128 bits (16 bytes) in length.

2. IPv4: Address (A) resource records in DNS map host names to IPv4 addresses.
   IPv6: Address (AAAA) resource records in DNS map host names to IPv6 addresses.

3. IPv4: IPSec is optional and should be supported.
   IPv6: IPSec support is not optional.

4. IPv4: Header does not identify packet flow for QoS handling by routers.
   IPv6: Header contains a Flow Label field, which identifies the packet flow for QoS handling by routers.

5. IPv4: Both routers and the sending host fragment packets.
   IPv6: Routers do not support packet fragmentation. The sending host fragments packets.

6. IPv4: Header includes a checksum.
   IPv6: Header does not include a checksum.

7. IPv4: Header includes options.
   IPv6: Optional data is supported as extension headers.

8. IPv4: Must support a 576-byte packet size (possibly fragmented).
   IPv6: Must support a 1280-byte packet size (without fragmentation).

9. IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet.
   IPv6: IPv6 uses a link-local scope all-nodes multicast address.

10. IPv4: Internet Group Management Protocol (IGMP) manages membership in local subnet groups.
    IPv6: Multicast Listener Discovery (MLD) messages manage membership in local subnet groups.

11. IPv4: Configured either manually or through DHCP.
    IPv6: Does not require manual configuration or DHCP.


1.10 ADVANTAGES OF IPV6 OVER IPV4

Larger address space
The main advantage of IPv6 over IPv4 is its larger address space. The length of an IPv6 address is 128 bits, compared to 32 bits in IPv4. The address space therefore has 2^128 or approximately 3.4 x 10^38 addresses.

Multicasting
Multicasting, the transmission of a packet to multiple destinations in a single send operation, is part of the base specification in IPv6. In IPv4 this is an optional although commonly implemented feature. IPv6 multicast addressing shares common features and protocols with IPv4 multicast, but also provides changes and improvements by eliminating the need for certain protocols.

Mandatory network-layer security
Internet Protocol Security (IPsec) was originally developed for IPv6, but found widespread deployment first in IPv4, into which it was back-engineered. Earlier, IPsec was an integral part of the base IPv6 protocol suite but has since been made optional.

Simplified processing by routers
In IPv6, the packet header and the process of packet forwarding have been simplified. Although IPv6 packet headers are at least twice the size of IPv4 packet headers, packet processing by routers is generally more efficient, thereby extending the end-to-end principle of Internet design.

Privacy
The privacy enhancements in IPv6 have been mostly developed in response to a misunderstanding. Interfaces can have addresses based on the MAC address of the machine, but this is not a requirement. Even when an address is not based on the MAC address, though, the interface's address is (contrary to IPv4) usually global instead of local, which makes it much easier to identify a single user through the IP address.


CHAPTER 2

NETWORK ADDRESS TRANSLATION


In computer networking, network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

The Internet has grown larger than anyone ever imagined it could be. Although the exact size is unknown, the current estimate is that there are about 100 million hosts and over 350 million users actively on the Internet. That is more than the entire population of the United States! In fact, the rate of growth has been such that the Internet is effectively doubling in size each year.

When IP addressing first came out, everyone thought that there were plenty of addresses to cover any need. Theoretically, you could have 4,294,967,296 unique addresses (2^32). The actual number of available addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are separated into classes and the need to set aside some of the addresses for multicasting, testing or other specific uses. Network Address Translation (NAT) is a way to map an entire network (or networks) to a single IP address. NAT is necessary when the number of IP addresses assigned to you by your Internet Service Provider is less than the total number of computers that you wish to provide Internet access for. NAT is described in RFC 1631, "The IP Network Address Translator (NAT)."

2.1 NAT WORKING:


When a client on the internal network contacts a machine on the Internet, it sends out IP packets destined for that machine. These packets contain all the addressing information necessary to get them to their destination. NAT is concerned with these pieces of information:

Source IP address (for example, 192.168.1.35)
Source TCP or UDP port (for example, 2132)

When the packets pass through the NAT gateway they will be modified so that they appear to be coming from the NAT gateway itself. The NAT gateway will record the changes it makes in its state table so that it can a) reverse the changes on return packets and b) ensure that return packets are passed through the firewall and are not blocked. For example, the following changes might be made:

Source IP: replaced with the external address of the gateway (for example, 24.5.0.5)
Source port: replaced with a randomly chosen, unused port on the gateway (for example, 53136)

Neither the internal machine nor the Internet host is aware of these translation steps. To the internal machine, the NAT system is simply an Internet gateway. To the Internet host, the packets appear to come directly from the NAT system; it is completely unaware that the internal workstation even exists.

When the Internet host replies to the internal machine's packets, they will be addressed to the NAT gateway's external IP (24.5.0.5) at the translation port (53136). The NAT gateway will then search the state table to determine if the reply packets match an already established connection. A unique match will be found based on the IP/port combination, which tells the NAT gateway (PF) that the packets belong to a connection initiated by the internal machine 192.168.1.35. PF will then make the opposite of the changes it made to the outgoing packets and forward the reply packets on to the internal machine.

Translation of ICMP packets happens in a similar fashion but without the source port modification.
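The exchange described above (192.168.1.35:2132 behind gateway 24.5.0.5, translated to port 53136), as an added Python model of the state table; this is an example written for this page, not PF's code. The remote addresses 203.0.113.10 and 198.51.100.7 are constructed, and the port picker is injectable so the translated port can be fixed at 53136 as in the text instead of chosen at random. The model also shows the two security-relevant behaviours the text mentions: a reply is forwarded only when it matches existing state, and ICMP is translated without a port.

```python
import random
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int    # 0 for ICMP, which carries no port
    dst_ip: str
    dst_port: int


class NatGateway:
    """Port-translating NAT with a state table, as in section 2.1."""

    def __init__(self, external_ip: str,
                 port_picker: Optional[Callable[[Set[int]], int]] = None) -> None:
        self.external_ip = external_ip
        # Default: a random unused port from the dynamic range.
        self._pick = port_picker or (lambda used: random.choice(
            [p for p in range(49152, 65536) if p not in used]))
        self._used_ports: Set[int] = set()
        # outbound: (proto, internal ip, internal port, remote ip, remote port) -> translated port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # inbound: (proto, translated port, remote ip, remote port) -> (internal ip, internal port)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address and port; record the change in the state table."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            if pkt.proto == "icmp":
                nat_port = 0        # ICMP: only the source address changes (a real
                                    # gateway also keys on the ICMP echo identifier)
            else:
                nat_port = self._pick(self._used_ports)
                self._used_ports.add(nat_port)
            self._out[key] = nat_port
            self._in[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=self._out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation for a reply that matches state; anything
        without a matching entry is not forwarded (returns None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None
        internal_ip, internal_port = entry
        return replace(pkt, dst_ip=internal_ip, dst_port=internal_port)

    def state_table(self) -> Dict[Tuple[str, str, int, str, int], int]:
        return dict(self._out)
```

The inbound lookup keys on the remote address and port as well as the translated port, so a packet from a different host aimed at port 53136 finds no entry and is dropped; that is the "not blocked" guarantee the text attributes to the state table, seen from the other side.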


2.2 IMPLEMENTATION OF NAT:

Network address translation can be done:
1) Static
2) Dynamic

In static NAT a certain fixed original IP is always translated to the same NAT IP at all times, and no other IP gets translated to the same NAT IP.

In Dynamic NAT the NAT IP depends on various run time conditions and may be a completely different one for each single connection.

2.2.1 STATIC NAT: The process of static NAT translation is the same on every device that supports it (assuming the manufacturer has followed the RFCs). This means that whether we use a router or a firewall appliance to perform static NAT, both follow the same guidelines. Consider our example network (figure 1):

2.2.1.1 example network of static NAT As the diagram describes we have Workstation No.1, which sends a request to the Internet. Its gateway is the router that connects the LAN to the Internet and also performs Static NAT.


1) The diagram below shows how the workstation's packet is altered as it transits the router, before it is sent to the Internet (outgoing packet):

2.2.1.2 Outgoing packet modification of static NAT

As you can see, the only thing that changes is the source IP, which was 192.168.0.3 and is given the value 203.31.220.135, a real IP address on the Internet. The destination IP address, source port and destination port are not modified. Assuming the packet arrives at its destination, we would expect a reply, and it is logical to assume that the reply (incoming packet) will need some modification of its own in order to reach the originating host on our private network (Workstation 1).

2) Here is how the incoming packet is altered as it transits the router:

2.2.1.3 Incoming packet modification of static NAT

The diagram above shows the part of the incoming packet that is altered by the router. Only the destination IP address is changed, from 203.31.220.135 to 192.168.0.3, so the packet can be routed to the internal workstation. Source IP address, source port and destination port remain the same.

3) The diagram below shows what the outgoing and incoming packets looked like before and after transiting the router:

2.2.1.4 Complete static NAT process

2.2.2 DYNAMIC NAT: Dynamic NAT differs from static NAT in that, where static NAT provides a fixed one-to-one mapping from an internal address to a public address, dynamic NAT provides a one-to-one mapping that is not fixed and is usually drawn from a group of available public IPs.

With dynamic NAT we still map internal IP addresses to real public IP addresses, but the mapping is not static: for the duration of one session an internal host's public address stays the same, but it is likely to be a different one the next time the host talks to the Internet. These addresses are taken from a pool of public IP addresses that our ISP has reserved for our network.

With dynamic NAT, translations don't exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table, making the public address available to other internal hosts.

1) The diagram below illustrates the way dynamic NAT works:

2.2.2.1 Dynamic NAT working

The diagram above is an example network and shows the router, which is configured to perform dynamic NAT for the network. We request four public IPs from our ISP (203.31.218.210 to 203.31.218.213), which will be dynamically mapped by our router to our internal hosts. In this particular session our workstation with IP address 192.168.0.1 sends a request to the Internet and is assigned the public IP address 203.31.218.210. This mapping between the workstation's private and public IP address remains until the session finishes. The router is configured with a NAT timeout; once the timeout is reached (no traffic sent or received during that interval) the router expires the mapping and can reuse the public address for a different internal host.

Suppose the users of the workstations with IP addresses 192.168.0.1 and 192.168.0.3 stop using their PCs: they log off and leave the machines switched on (switching them off would make no difference, unless some program kept generating Internet traffic, in which case the NAT timeout would never be reached). While these users are away, the user on the workstation with IP address 192.168.0.2 stays and does some extra work on the Internet. After an hour the other users return, log back on, launch their web browsers and start searching the net. As expected, the router deleted the old mappings once the NAT timeout had been reached for each of them, and created new ones when the users launched their browsers, because that generated traffic to the Internet which had to transit the router. Here is how the new mappings look:

2.2.2.2 Dynamic NAT mapping

2.3 SECURITY AND ADMINISTRATION

Dynamic NAT is often said to create a firewall between your internal network and outside networks or the Internet, because a translation entry only exists after a host inside the stub domain has sent traffic: a computer on an external network cannot reach your computer unless your computer initiated the contact. You can browse the Internet, connect to a site and download a file, but somebody else cannot simply pick your public IP address and use it to connect to a port on your computer. This protection is a side effect of the translation table rather than a packet filter, and it should not be relied on as one: the gateway does not inspect payloads, it logs little (see 2.6), an address-only dynamic entry accepts any inbound packet to that global address for as long as the entry is alive, and every static entry removes the protection entirely for the mapped host. Static NAT, also called inbound mapping, deliberately allows connections initiated by external devices to reach computers on the stub domain in specific circumstances. For instance, you may map an inside global address to the specific inside local address assigned to your Web server; that server is then Internet-facing and must be hardened and filtered accordingly.
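The static and dynamic (address pool) NAT behaviour of 2.2, together with the inbound policy just described, as an added Python example; it is not code from the original report. The pool 203.31.218.210 to 203.31.218.213 and the workstation addresses are those of the diagrams above; the one-hour timeout, the fourth workstation 192.168.0.4 and the Web server at 192.168.0.10 are assumptions for the walk-through.

```python
"""Static and dynamic address NAT with translation timeouts (added example)."""
from __future__ import annotations

from ipaddress import ip_address


class AddressNat:
    """One-to-one address translation: static entries never expire, dynamic
    entries are taken from a pool and purged after `timeout` idle seconds."""

    def __init__(self, pool: list[str], timeout: int):
        self.pool = [str(ip_address(a)) for a in pool]   # free inside-global addresses
        self.timeout = timeout
        self.static: dict[str, str] = {}                  # inside local -> inside global
        self.dynamic: dict[str, tuple[str, int]] = {}     # inside local -> (global, last seen)
        self.log: list[str] = []

    def add_static(self, local: str, public: str) -> None:
        """Inbound mapping: a fixed global address reserved for one inside host."""
        if public in self.pool:
            self.pool.remove(public)
        self.static[local] = public

    def _expire(self, now: int) -> None:
        for local, (public, last) in list(self.dynamic.items()):
            if now - last >= self.timeout:
                del self.dynamic[local]
                self.pool.append(public)               # available to other hosts again
                self.log.append(f"t={now} expired {local}->{public}")

    def _global_to_local(self) -> dict[str, str]:
        table = {g: l for l, g in self.static.items()}
        table.update({g: l for l, (g, _) in self.dynamic.items()})
        return table

    def outbound(self, local: str, now: int) -> str | None:
        """Inside -> Internet. Returns the inside-global address, or None if the pool is empty."""
        self._expire(now)
        if local in self.static:
            return self.static[local]
        if local in self.dynamic:
            public, _ = self.dynamic[local]
            self.dynamic[local] = (public, now)        # traffic refreshes the timer
            return public
        if not self.pool:
            self.log.append(f"t={now} pool exhausted, {local} dropped")
            return None
        public = self.pool.pop(0)
        self.dynamic[local] = (public, now)
        self.log.append(f"t={now} mapped {local}->{public}")
        return public

    def inbound(self, public: str, now: int) -> str | None:
        """Internet -> inside. Forwarded only while `public` is mapped: a static entry
        always is; a dynamic entry only while the inside host recently sent traffic,
        and then it accepts any sender because address-only NAT keeps no flow state."""
        self._expire(now)
        local = self._global_to_local().get(public)
        if local is None:
            self.log.append(f"t={now} inbound to unmapped {public} dropped")
            return None
        if local in self.dynamic:
            self.dynamic[local] = (public, now)
        return local


def demo() -> dict:
    nat = AddressNat(["203.31.218.210", "203.31.218.211",
                      "203.31.218.212", "203.31.218.213"], timeout=3600)
    nat.add_static("192.168.0.10", "203.31.218.213")      # Web server, inbound mapping
    first = {ws: nat.outbound(ws, 0)
             for ws in ("192.168.0.1", "192.168.0.2", "192.168.0.3", "192.168.0.4")}
    nat.outbound("192.168.0.2", 1800)                      # .2 keeps working
    after = {
        "ws3": nat.outbound("192.168.0.3", 3700),          # .1 and .3 idle > 1 h: remapped
        "in_210": nat.inbound("203.31.218.210", 3701),     # .1's old address now reaches .3
        "in_212": nat.inbound("203.31.218.212", 3701),     # expired, nobody behind it
        "ws1": nat.outbound("192.168.0.1", 3702),
        "in_web": nat.inbound("203.31.218.213", 3703),     # static: always reachable
        "in_ws2": nat.inbound("203.31.218.211", 3703),     # dynamic entry still alive
    }
    return {"first": first, "after": after, "log": nat.log}


if __name__ == "__main__":
    result = demo()
    print(result["first"], result["after"], *result["log"], sep="\n")
```

Note the fourth workstation gets no address at all when the pool is exhausted, and that after the timeout 192.168.0.3 is handed 203.31.218.210, the address 192.168.0.1 had an hour earlier; any outside party still sending to that address now reaches a different inside host, which is why address-only dynamic NAT is a weak access control on its own.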


2.4 MULTI-HOMING As businesses rely more and more on the Internet, having multiple points of connection to the Internet is fast becoming an integral part of their network strategy. Multiple connections, known as multi-homing, reduce the chance of a potentially catastrophic shutdown if one of the connections fails.

In addition to maintaining a reliable connection, multi-homing allows a company to perform load-balancing by lowering the number of computers connecting to the Internet through any single connection. Distributing the load through multiple connections optimizes the performance and can significantly decrease wait times.

Multi-homed networks are often connected to several different ISPs (Internet Service Providers). Each ISP assigns an IP address (or range of IP addresses) to the company. Routers use BGP (Border Gateway Protocol), a part of the TCP/IP protocol suite, to exchange routing information between autonomous systems, here the company's network and each ISP. In a multi-homed network the routers run iBGP (internal BGP) among themselves on the stub domain side and eBGP (external BGP) to communicate with each ISP's routers.

When using NAT with multi-homing, the NAT router is configured with multiple pools of inside global addresses, one allocated by each ISP. The same inside local address is then mapped to a different inside global address from each pool, depending on the provider through which the traffic is routed to its destination, so that return traffic comes back over the same link. This is known as NAT by destination.

Multi-homing really makes a difference when one of the connections to an ISP fails. As soon as the router connected to that ISP determines that the link is down, it reroutes all traffic through one of the other routers. Translations bound to the failed provider's addresses do not survive this: the inside host is now represented by an inside global address from the other provider's pool, so sessions that were in progress over the failed link have to be re-established. NAT can be used to facilitate scalable routing for multi-homed, multi-provider connectivity.
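NAT by destination with failover, as an added Python example (not code from the original report). The egress provider is chosen by longest-prefix match over routes assumed to have been learned from each ISP over eBGP, and the inside global address is taken from that provider's pool, so one inside host holds a different global address per provider. The provider names, the prefixes and the pools (documentation ranges) are constructed for the example.

```python
"""NAT by destination for a multi-homed site with link failover (added example)."""
from __future__ import annotations

from ipaddress import IPv4Network, ip_address, ip_network


class MultiHomedNat:
    def __init__(self):
        # name -> {"free": unused globals, "bound": inside local -> global, "up": link state}
        self.providers: dict[str, dict] = {}
        # prefixes with the provider they are reached through (assumed learned via eBGP)
        self.routes: list[tuple[IPv4Network, str]] = []

    def add_provider(self, name: str, pool: list[str]) -> None:
        self.providers[name] = {"free": list(pool), "bound": {}, "up": True}

    def add_route(self, prefix: str, provider: str) -> None:
        self.routes.append((ip_network(prefix), provider))

    def set_link(self, provider: str, up: bool) -> None:
        p = self.providers[provider]
        p["up"] = up
        if not up:
            # translations tied to a dead link are useless: replies to those
            # addresses can no longer arrive, so purge them and free the pool
            p["free"].extend(p["bound"].values())
            p["bound"].clear()

    def egress(self, dst: str) -> str | None:
        """Longest-prefix match, ignoring routes whose provider link is down."""
        addr = ip_address(dst)
        best = None
        for net, prov in self.routes:
            if addr in net and self.providers[prov]["up"]:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, prov)
        return best[1] if best else None

    def translate(self, local: str, dst: str) -> tuple[str, str] | None:
        """(provider, inside global address) for a packet local -> dst, or None if unroutable."""
        prov = self.egress(dst)
        if prov is None:
            return None
        p = self.providers[prov]
        if local not in p["bound"]:
            if not p["free"]:
                return None                      # this provider's pool is exhausted
            p["bound"][local] = p["free"].pop(0)
        return prov, p["bound"][local]


def demo() -> dict:
    nat = MultiHomedNat()
    nat.add_provider("ISP-A", ["198.51.100.10", "198.51.100.11"])
    nat.add_provider("ISP-B", ["203.0.113.10", "203.0.113.11"])
    nat.add_route("0.0.0.0/0", "ISP-B")           # default route via ISP-B
    nat.add_route("192.0.2.0/24", "ISP-A")        # a prefix best reached through ISP-A
    via_a = nat.translate("10.0.0.5", "192.0.2.80")
    via_a2 = nat.translate("10.0.0.6", "192.0.2.80")
    via_b = nat.translate("10.0.0.5", "172.16.5.5")   # same host, other provider, other address
    nat.set_link("ISP-A", False)                  # ISP-A goes down
    failover = nat.translate("10.0.0.5", "192.0.2.80")
    nat.set_link("ISP-B", False)
    blackhole = nat.translate("10.0.0.5", "192.0.2.80")
    return {"via_a": via_a, "via_a2": via_a2, "via_b": via_b,
            "failover": failover, "blackhole": blackhole}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value}")
```

Before the failure 10.0.0.5 appears as 198.51.100.10 to hosts in 192.0.2.0/24 and as 203.0.113.10 to everyone else; after ISP-A fails, traffic to 192.0.2.80 is sourced from 203.0.113.10 instead, which is exactly the address change that breaks sessions that were established over the failed link.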


2.5 NAT ADVANTAGES

NAT saves public IP addresses. Because a client only needs a public IP address while it is communicating with the Internet, the pool of globally routable IP addresses can be shared with other clients. Therefore, with NAT you need fewer public IP addresses than the number of internal clients that need access to the public network.

NAT hides the internal network's IP addresses from the public network.

It simplifies routing. Since internal hosts are assigned IP addresses from the internal network, other internal systems can access them without special routes or routers. The same hosts are accessed from the public network through globally routable IP addresses translated by NAT.

NAT is transparent to the client and, therefore, allows you to support a wider range of clients.

NAT supports a wide range of services, with a few exceptions. Any application that carries and uses IP addresses inside its payload (active-mode FTP, SIP and some IPsec configurations, for example) does not work through NAT unless the NAT device implements an application-level gateway or the protocol has its own NAT traversal mechanism.

NAT consumes fewer computer resources and is more efficient than using SOCKS and application proxy servers.

The Universal Connection can flow through NAT.

2.6 NAT DISADVANTAGES


NAT provides only minimal logging services, so a NAT gateway on its own is a poor source of audit records.

You must enable IP forwarding before you can use NAT to make an Internet connection.

NAT is not as adept as either the SOCKS or application proxy servers in detecting attacks.

NAT can break certain applications, or make these applications more difficult to run.


2.7 IMPLEMENTATION OF NAT USING A CISCO ROUTER


CONNECTING TO A CISCO ROUTER We can connect to a Cisco router to configure it, verify its configuration and check statistics. There are different ways to do this, but most often the first place we connect to is the console port. The console port is usually an RJ-45 (8-pin modular) connection located at the back of the router. By default there is no password set on it, so anyone with physical access to the console has full control of the device until one is configured.

We can also connect to a Cisco router through the auxiliary port, which is really the same thing as a console port, so it follows that you can use it as one. The auxiliary port additionally lets you configure modem commands so that a modem can be connected to the router.

This is a useful feature: it lets you dial up a remote router and attach to the auxiliary port if the router is down and you need to configure it out-of-band (that is, outside the network). In-band means the opposite: configuring the router through the network. The third way to connect to a Cisco router is in-band, through the program Telnet.

Telnet is a terminal emulation program that acts as though it is a dumb terminal. You can use Telnet to connect to any active interface on a router, such as an Ethernet or serial port. Telnet carries the login and every command in clear text, so on a production router the VTY lines should accept SSH only (transport input ssh) and be restricted with an access-class to the management network.


2.8 GENERAL COMMANDS There are three modes of operation within the Cisco IOS:

1. Disabled mode (user EXEC mode, prompt "Router>"): only a limited number of commands are available; it is used primarily to monitor the router.
2. Enabled mode (privileged EXEC mode, prompt "Router#"): used to show configuration information, enter the configuration mode and make changes to the configuration.
3. Configuration mode (prompt "Router(config)#"): used to enter and update the running configuration.

To get a list of the available commands, type '?' at the prompt. To get further information about any command, type the command followed by a '?'.

EXEC commands:

clear         Reset functions
clock         Manage the system clock
configure     Enter configuration mode
debug         Debugging functions (see also 'undebug')
disable       Turn off privileged commands
enable        Turn on privileged commands
erase         Erase flash or configuration memory
exit          Exit from the EXEC
help          Description of the interactive help system
login         Log in as a particular user
logout        Exit from the EXEC
no            Disable debugging functions
ping          Send echo messages
reload        Halt and perform a cold restart
setup         Run the SETUP command facility
show          Show running system information
telnet        Open a telnet connection
terminal      Set terminal line parameters
test          Test subsystems, memory, and interfaces
traceroute    Trace route to destination
tunnel        Open a tunnel connection
undebug       Disable debugging functions (see also 'debug')
verify        Verify checksum of a Flash file
write         Write running configuration to memory, network, or terminal

show subcommands:

access-lists    List access lists
arp             ARP table
buffers         Buffer pool statistics
configuration   Contents of Non-Volatile memory
controllers     Interface controller status
debugging       State of each debugging option
dialer          Dialer parameters and statistics
extended        Extended Interface Information
flash           System Flash information
flh-log         Flash Load Helper log buffer
history         Display the session command history
hosts           IP domain-name, lookup style, name servers, and host table
interfaces      Interface status and configuration
ip              IP information
isdn            ISDN information
line            TTY line information
logging         Show the contents of logging buffers
memory          Memory statistics
privilege       Show current privilege level
processes       Active process statistics
protocols       Active network routing protocols
queue           Show queue contents
queueing        Show queueing configuration
reload          Scheduled reload information
route-map       route-map information
running-config  Current operating configuration
sessions        Information about Telnet connections
smf             Software MAC filter
stacks          Process stack utilization


2.9 CONFIGURATION CORNER

AUTNET#show running-config
Building configuration...

Current configuration : 1295 bytes
!
! Last configuration change at 06:52:00 UTC Wed Mar 9 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AUTNET
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip name-server 218.248.255.177
ip name-server 218.248.240.180
ip name-server 218.248.240.23
multilink bundle-name authenticated
license udi pid CISCO2911/K9 sn FHK1432F3WY
!
interface GigabitEthernet0/0
 ip address 117.211.86.58 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.34.130.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 117.211.123.193 255.255.255.224
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat pool auniverse 117.211.86.58 117.211.86.62 netmask 255.255.255.0
ip nat inside source list 20 pool auniverse overload
ip route 0.0.0.0 0.0.0.0 117.211.86.57
!
access-list 20 permit 10.34.130.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password Admin123
 login
!
scheduler allocate 20000 1000
end

AUTNET# wr
Building configuration...
[OK]

The configuration above does what the report sets out to do: GigabitEthernet0/1 (10.34.130.0/24) is the NAT inside interface, GigabitEthernet0/0 is the outside interface, access-list 20 selects the inside hosts to translate, and the pool "auniverse" is used with overload so that many inside hosts share the few public addresses (port address translation, as in 2.1). Two points a reviewer would raise. First, the pool spans 117.211.86.58 to 117.211.86.62 with netmask 255.255.255.0, while GigabitEthernet0/0 is a /29 (255.255.255.248) and 117.211.86.58 is the interface's own address; the pool netmask should match the interface mask, and with a single usable public address the simpler form is 'ip nat inside source list 20 interface GigabitEthernet0/0 overload'. Second, management access is weak: the VTY lines accept Telnet with the password Admin123 stored readable because of 'no service password-encryption'. The router should use a local username with a 'secret' password and 'login local', 'transport input ssh' on the VTY lines, and an 'access-class' restricting management to the inside network (access-list 20 already describes it).


CONCLUSION
Many organizations have been reluctant to widely deploy the next generation Internet Protocol (IPv6) up to now. However, sooner or later IPv6 will replace IPv4 with a phase of coexistence of many years.

Enterprises and service providers should carefully plan for the inevitable transition towards IPv6. They should develop IPv6 expertise so that they are able to decide when to move to IPv6. Careful transition planning will reduce costs and distribute them over many years.

Multiple client devices can appear to share IP addresses because an IPv4 network address translator (NAT) acts as an intermediary agent on behalf of its customers, in which case the real originating IP addresses might be hidden from the server receiving a request.

NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion. It has become a common, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.

Most NAT devices today allow the network administrator to configure translation table entries for permanent use. NAT saves public IP addresses because a client only needs a public IP address while it is communicating with the Internet, so the pool of globally routable IP addresses can be shared with other clients. Therefore we need fewer public IP addresses than the actual number of internal clients.

NAT is transparent to the client and therefore allows a wider range of clients to be supported. Finally, NAT supports a wide range of services, with a few exceptions.
