
Private Network Interconnection
- VPN - Virtual Private Networks
- NAT - Network Address Translation
- Describe a 2-level internet architecture
- Private internet connected by public internet/Internet

© MMII JW Ryder CS 428 Computer Networking 1


Private/Hybrid Networks
- Major drawback to single level architecture -> lack of privacy
- 2 levels distinguish between internal and external datagrams
- Goal is to keep internal datagrams private while still allowing external communications


Private Networks
- Easiest way to guarantee privacy is a completely isolated network, aka a private network
- Use routers to interconnect networks at each site and leased digital circuits to interconnect sites
- Since there is no outside access, the site can use its own IP addressing scheme


Hybrid Networks
- Gives advantages of both private and global Internet connectivity
- Must use globally valid IP addresses
- Connect each site to the Internet
- See hybrid architecture in figure 20.1 on page 390


VPN
- Chief disadvantage of both private and hybrid networks is high cost
  - leased lines (T1+) are expensive
- Can lower cost by using alternative technologies (frame relay, ATM) or simply connect to the global Internet
- Connecting to global Internet could remove privacy

VPN
- Big Question - How to keep the privacy but keep Internet connectivity?
- Two techniques make VPN possible
  - Tunneling
  - Encryption
- Define a tunnel across the Internet between a router on one side and a router on the other
- Use IP-in-IP encapsulation in tunnel


VPN
- See tunnel figure 20.2 on page 391
- Entire inner datagram including the IP header is encrypted before being placed as the data in the outer datagram
- Describe flow
- “A VPN sends data across the Internet, but encrypts intersite transmissions to guarantee privacy” page 392

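The tunnel flow on the two VPN slides above, worked as an added example (it is not from the slides or the textbook): an inner datagram between two private hosts is encrypted whole, header included, and carried as the data of an outer datagram that travels from the router at one site to the router at the other using IP-in-IP (protocol 4). The host and router addresses, the shared key, and the HMAC-SHA256 keystream that stands in for the VPN's real cipher are all assumptions made for this example.

```python
"""IP-in-IP tunnel between two VPN routers (constructed example)."""
import hashlib
import hmac
import os
import socket
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data whose checksum is already in place."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def parse_ipv4(datagram: bytes):
    """Return (src, dst, proto, payload); raise if the header checksum does not verify."""
    hdr = datagram[:20]
    if inet_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, datagram[20:total_len]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the VPN's cipher: an HMAC-SHA256 counter-mode keystream XORed over the data.
    It only serves to make the inner datagram opaque here; a real VPN (e.g. IPsec ESP) uses an
    authenticated cipher, which this toy does not provide."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner: bytes, key: bytes, r1: str, r2: str) -> bytes:
    """Router R1: encrypt the entire inner datagram, header included, and carry it as the
    data of an outer datagram addressed from R1 to R2 (protocol 4)."""
    nonce = os.urandom(8)                         # sent in the clear so R2 can decrypt
    body = nonce + keystream_xor(key, nonce, inner)
    return ipv4_header(r1, r2, IPPROTO_IPIP, len(body)) + body


def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Router R2: strip the outer header, decrypt, and hand the inner datagram to the private net."""
    _, _, proto, body = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not a tunnelled datagram")
    return keystream_xor(key, body[:8], body[8:])


def tunnel_flow():
    """Walk a datagram from host 10.0.0.5 (site 1) to host 10.0.1.7 (site 2) across the tunnel
    R1=128.10.2.1 -> R2=192.5.48.3. All addresses and the key are constructed for the example."""
    key = b"constructed shared key"
    payload = b"hello from site 1"
    inner = ipv4_header("10.0.0.5", "10.0.1.7", 17, len(payload)) + payload
    outer = encapsulate(inner, key, "128.10.2.1", "192.5.48.3")

    # What the public Internet sees: router addresses, protocol 4, and opaque data.
    o_src, o_dst, o_proto, o_body = parse_ipv4(outer)
    leaked = socket.inet_aton("10.0.0.5") in o_body or payload in o_body

    # What R2 reconstructs and delivers inside site 2.
    i_src, i_dst, _, i_payload = parse_ipv4(decapsulate(outer, key))
    return {"outer": (o_src, o_dst, o_proto), "leaked": leaked,
            "inner": (i_src, i_dst), "payload": i_payload}


if __name__ == "__main__":
    print(tunnel_flow())
```

Running `tunnel_flow()` shows the two views the slides contrast: on the public Internet only the router addresses and protocol number are visible, and neither the private source address nor the payload appears in the outer data; inside site 2 the inner datagram comes back byte-for-byte, with its own header checksum verifying. Key distribution and message authentication, which a deployable VPN also needs, are outside what the slides cover and outside this example.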
VPN Addressing
- Offers an organization the same addressing as a private network if hosts do not need Internet connectivity
- If hosts need Internet connectivity then the hybrid approach can be used
- In either case the routers that interface with the Internet always need valid IP addresses
- See figure 20.4 on page 393

VPN Addressing
- How can a host provide access to the global Internet without assigning each host a valid IP address?
- 2 general methods
  - Application Gateways
  - Network Address Translation


Application Gateways
- Offers hosts access to Internet services without offering IP level access
- Each site has a multi-homed host (MHH) with a connection to both the Internet and the private network
- MHH runs a set of programs called Application Gateways (AGs)


Application Gateways
- Each AG handles 1 service
- Hosts send datagrams to AG on MHH
- MHH accesses the service on the Internet
- MHH relays responses back to host on private network
- Example: E-mail gateway


Application Gateways
- Advantage - ability to work without changing underlying structure of private network
- Disadvantage - lack of generality
  - “Each application gateway handles only one specific service; multiple gateways are required for multiple services.”
- AGs do NOT solve problem in a general way


NAT
- Requires a site to have a single connection to the Internet and one valid IP address G
- G assigned to a MHH connected to the Internet that runs NAT software
- A computer running NAT software is known as a NAT Box
- All datagrams flow through NAT box


NAT
- NAT translates both outgoing and incoming addresses
  - Outgoing
    - Replace source address with G
  - Incoming
    - Replace destination address with private address of host


NAT
- External view - All datagrams come from and go to the NAT box
- Internal view - NAT box appears as a router to the Internet
- Chief advantage - Combination of generality and transparency


NAT
- More general than AGs - Allows arbitrary internal host to access arbitrary service on a host on the Internet
- Transparency - Allows internal host to send and receive datagrams using a private IP address
- “NAT technology provides transparent IP-level access to the Internet from a host with a private address.”

NAT Translation
- Each entry specifies 2 items
  - IP address of host on Internet
  - IP address of host on private network
- Example incoming/outgoing
- Table must be in place before a datagram arrives from the Internet
  - Why?


NAT Translation
- How/When is table initialized
  - Manual - network administrator
  - Outgoing Datagrams - side effect of sending datagrams
  - Incoming DNS lookup - side effect of DNS lookup
    - When host on Internet does a DNS lookup of internal host, DNS software creates entry in translation table then answers request by sending G


NAT Translation
- Manual
  - Advantage - IP datagrams in either direction any time
- Outgoing
  - Advantage - Automatic
  - Disadvantage - Communication can’t be initiated by outside
- Incoming DNS lookups
  - Requires modifying DNS software
  - Accommodates initiating communication from outside
  - Only works if DNS used


NAT
- Most implementations use outgoing method
- Example on figure 20.5 on page 396
- NAT permits ISP to assign private addresses


Multi-Address NAT
- NAT described so far allows a single host on private network to access a single Internet site
- What if 2 local hosts want to access single Internet host?
  - External Address Concurrency


Multi-Address NAT
- Assign NAT box multiple Gs
- Multiple accesses of same Internet host map to different Gs
- Still finite number of concurrent accesses


Port-Mapped NAT
- Translate TCP or UDP protocol port numbers too
- Sometimes known as Network Address Port Translation (NAPT)
- Additional table fields
  - Pair of source/destination protocol port numbers
  - Protocol port number used by NAT box


Port-Mapped NAT
- See figure 20.6 on page 397
- 10.0.0.5 and 10.0.0.1 have unique source port numbers but this is NOT guaranteed
  - Maybe they choose same number - application can select it
- To avoid - NAT assigns unique port number to each Internet communication


Port-Mapped NAT
- TCP 4-tuple to represent IP address and port number
- Before sending
  - (10.0.0.5,21023,128.10.19.20,80)
  - (10.0.0.1,386,128.10.19.20,80)
- After NAPT translation
  - (G,14003,128.10.19.20,80)
  - (G,14010,128.10.19.20,80)

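The translation tables from the NAT Translation, Multi-Address NAT and Port-Mapped NAT slides, worked as one added example (it is not code from the slides or the textbook). `BasicNat` is the address-only table initialized by outgoing datagrams, which shows why an unsolicited datagram from outside has nowhere to go and why two private hosts reaching the same Internet host collide; `Napt` adds the NAT-chosen port so the 4-tuples on the slide above translate without that conflict. The value of G and the sequential port allocator are assumptions (the slide's second flow gets 14010, this allocator simply hands out the next free port).

```python
"""Outgoing-initialized NAT and NAPT tables (constructed simulation, not a real NAT implementation)."""
from dataclasses import dataclass
from itertools import count

G = "128.10.2.1"   # the site's one globally valid address; the slides just call it G (value constructed)


class BasicNat:
    """Address-only NAT with a single G (slides 13-21). The table maps an Internet host to the
    one private host talking to it, so a second private host reaching the same Internet host
    collides: the 'external address concurrency' problem."""

    def __init__(self, public_addr: str = G):
        self.G = public_addr
        self.table = {}        # internet_host -> private_host

    def outgoing(self, src: str, dst: str):
        owner = self.table.setdefault(dst, src)   # entry created as a side effect of sending
        return (self.G, dst) if owner == src else None


@dataclass(frozen=True)
class Flow:
    """TCP/UDP 4-tuple exactly as the slides write it: (src, sport, dst, dport)."""
    src: str
    sport: int
    dst: str
    dport: int


class Napt:
    """Port-mapped NAT (slides 23-25): the NAT box chooses its own source port per connection,
    so two private hosts may pick the same local port without ambiguity."""

    def __init__(self, public_addr: str = G, first_port: int = 14003):
        self.G = public_addr
        self._next_port = count(first_port)
        self.out = {}          # (src, sport, dst, dport) -> NAT-assigned port
        self.inn = {}          # (nat_port, internet_host, internet_port) -> (src, sport)

    def outgoing(self, f: Flow) -> Flow:
        """Private host -> Internet. The entry is created as a side effect of the first datagram,
        then the source is rewritten to (G, nat_port)."""
        key = (f.src, f.sport, f.dst, f.dport)
        nat_port = self.out.get(key)
        if nat_port is None:
            nat_port = next(self._next_port)
            self.out[key] = nat_port
            self.inn[(nat_port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(self.G, nat_port, f.dst, f.dport)

    def incoming(self, f: Flow):
        """Internet -> private host. Forwarded only if an entry already exists; an unsolicited
        datagram from outside matches nothing and is dropped (hence 'table must be in place first')."""
        entry = self.inn.get((f.dport, f.src, f.sport))
        if entry is None:
            return None
        src, sport = entry
        return Flow(f.src, f.sport, src, sport)


def demo():
    """Replay the slide's two flows plus the collision and unsolicited-inbound cases."""
    basic = BasicNat()
    concurrency = (basic.outgoing("10.0.0.5", "128.10.19.20"),
                   basic.outgoing("10.0.0.1", "128.10.19.20"))   # second one collides -> None

    napt = Napt()
    a = napt.outgoing(Flow("10.0.0.5", 21023, "128.10.19.20", 80))
    b = napt.outgoing(Flow("10.0.0.1", 386, "128.10.19.20", 80))
    # Same local port chosen by two hosts (slide 24): still distinct NAT ports.
    c = napt.outgoing(Flow("10.0.0.5", 5000, "128.10.19.20", 80))
    d = napt.outgoing(Flow("10.0.0.1", 5000, "128.10.19.20", 80))
    reply = napt.incoming(Flow("128.10.19.20", 80, napt.G, a.sport))
    unsolicited = napt.incoming(Flow("128.10.19.20", 80, napt.G, 60000))
    return {"concurrency": concurrency, "a": a, "b": b, "c": c, "d": d,
            "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `incoming` lookup is keyed on the NAT port together with the Internet host and port, so a reply is only delivered to the private host whose outgoing datagram created the entry; that is the whole reason the table must exist before anything arrives from outside, and it is also why, with outgoing initialization alone, nobody on the Internet can open a connection to an internal host.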
Port-Mapped NAT
- Advantage - Generality with single valid IP address
- Disadvantage - Restricts use to TCP or UDP
- “Several variants of NAT exist, including the popular NAPT form that translates protocol port numbers as well as IP addresses.”


NAT and ICMP
- “Straight-forward” changes to IP addresses can cause unexpected problems in higher layer protocols
- NAT doesn’t forward all ICMP messages arriving from Internet
  - Example - If routes in NAT box are incorrect, an ICMP redirect message must be handled locally, not sent internally to some other host
- Before forwarding to internal host NAT translates ICMP message

NAT and ICMP
- So, NAT must decide whether ICMP message is to be forwarded in or handled locally
- ICMP destination unreachable message
  - IP header returned containing source address, but G is in it, not internal source


NAT and ICMP
- NAT box must first translate address and place it into the ICMP message
- ICMP checksum is now incorrect, and so is the one in the outer datagram header!!!!
- Both must now be recomputed
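The three NAT and ICMP slides, worked as an added example (not from the slides or the textbook): a destination-unreachable message arrives at G quoting the header of a datagram that left the NAT box, and the NAT box must decide whether to relay it, rewrite G back to the internal host in both the outer header and the quoted header, and then recompute the quoted header checksum, the ICMP checksum and the outer header checksum. The router, host and G addresses and the port table are constructed; the ICMP layout (type, code, checksum, 4 unused bytes, then the offending IP header plus 8 bytes) is the RFC 792 format.

```python
"""NAT translation of an inbound ICMP error message, with all checksums recomputed (constructed example)."""
import socket
import struct

IPPROTO_ICMP = 1
QUOTING_TYPES = (3, 11, 12)   # Dest. Unreachable, Time Exceeded, Parameter Problem: each quotes the offending IP header + 8 bytes
ICMP_REDIRECT = 5             # handled by the NAT box itself (slide 27), never relayed inward


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 means a checksum already in the data verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_ip_checksum(hdr: bytes) -> bytes:
    """Recompute the IPv4 header checksum (bytes 10-11) after any field changed."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[12:]


def with_icmp_checksum(msg: bytes) -> bytes:
    """Recompute the ICMP checksum (bytes 2-3); it covers the whole ICMP message, quoted header included."""
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return zeroed[:2] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[4:]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    return with_ip_checksum(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                                        socket.inet_aton(src), socket.inet_aton(dst)))


def build_icmp_error(router: str, G: str, internet_host: str, nat_port: int, dport: int,
                     icmp_type: int = 3, code: int = 3) -> bytes:
    """Constructed: an ICMP error from an Internet router to G, quoting the header and first 8 bytes
    (the UDP ports) of a datagram that left the NAT box as (G, nat_port) -> (internet_host, dport)."""
    quoted = ipv4_header(G, internet_host, 17, 8) + struct.pack("!HHHH", nat_port, dport, 8, 0)
    icmp = with_icmp_checksum(struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted)
    return ipv4_header(router, G, IPPROTO_ICMP, len(icmp)) + icmp


def nat_translate_icmp(datagram: bytes, G: str, table: dict):
    """NAT box logic for an inbound ICMP message (slides 27-29).
    table maps nat_port -> (private_host, private_port) as built by outgoing traffic."""
    outer, icmp = datagram[:20], datagram[20:]
    if outer[9] != IPPROTO_ICMP or icmp[0] not in QUOTING_TYPES:
        return None                                   # redirects and other non-error messages stay local
    quoted_hdr, quoted_l4 = icmp[8:28], icmp[28:36]
    quoted_src = socket.inet_ntoa(quoted_hdr[12:16])
    quoted_sport = struct.unpack("!H", quoted_l4[:2])[0]
    if quoted_src != G or quoted_sport not in table:
        return None                                   # no matching flow: nowhere to deliver it
    host, port = table[quoted_sport]
    # 1. Quoted header: source G -> private host, then its own header checksum.
    new_quoted = with_ip_checksum(quoted_hdr[:12] + socket.inet_aton(host) + quoted_hdr[16:])
    new_l4 = struct.pack("!H", port) + quoted_l4[2:]
    # 2. ICMP checksum covers the rewritten quote, so it must be recomputed.
    new_icmp = with_icmp_checksum(icmp[:8] + new_quoted + new_l4 + icmp[36:])
    # 3. Outer header: destination G -> private host, and its checksum too.
    new_outer = with_ip_checksum(outer[:16] + socket.inet_aton(host))
    return new_outer + new_icmp


def checksums_ok(datagram: bytes) -> bool:
    """Verify outer IP, ICMP, and quoted IP checksums of an ICMP error message."""
    outer, icmp = datagram[:20], datagram[20:]
    return inet_checksum(outer) == 0 and inet_checksum(icmp) == 0 and inet_checksum(icmp[8:28]) == 0


def summarize(datagram: bytes) -> dict:
    outer, icmp = datagram[:20], datagram[20:]
    return {"outer_dst": socket.inet_ntoa(outer[16:20]),
            "quoted_src": socket.inet_ntoa(icmp[20:24]),
            "quoted_sport": struct.unpack("!H", icmp[28:30])[0],
            "checksums_ok": checksums_ok(datagram)}


if __name__ == "__main__":
    G = "128.10.2.1"
    table = {14003: ("10.0.0.5", 21023)}
    msg = build_icmp_error("128.211.1.1", G, "128.10.19.20", 14003, 53)
    print(summarize(nat_translate_icmp(msg, G, table)))
```

A NAT box that skipped any of the three recomputations would still forward the message, but the internal host's IP or ICMP layer would discard it as corrupted, so the error would never reach the application that sent the original datagram. Note also that the message is only relayed when the quoted source port matches an existing entry; a redirect, or an error quoting a flow the table does not know, is dropped or handled locally, which is the decision the slides say NAT must make.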


NAT and Applications
- Pure NAPT doesn’t work with applications that send IP addresses and port numbers as data
- FTP - TCP application
  - One program obtains port number on local machine, converts it to ASCII and sends it to other host to create TCP connection


NAT and Applications
- NAPT would need to inspect all data and translate as needed for every application protocol as it is designed!
- NAT supports main application protocols such as FTP and Telnet but not all
  - Certainly not our home-grown applications

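The FTP case from the two NAT and Applications slides, worked as an added example (not from the slides or the textbook): the client announces its own private address and data port as six ASCII decimals in a PORT command (the RFC 959 format), so an application-aware NAPT has to parse that line, substitute G and a NAT-chosen port, and remember the mapping for the server's connection back. The second, home-grown protocol line is constructed to show that any format the NAT box was not designed for passes through with the private address intact. G and the NAT port allocator are assumptions.

```python
"""Why pure NAPT breaks FTP active mode, and what an application-aware NAT must do (constructed example)."""
import re

# RFC 959 PORT command: h1,h2,h3,h4 is the address, p1*256+p2 the port
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(line: str):
    """Return (address, port) from an FTP PORT line, or None if the line is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port_command(addr: str, port: int) -> str:
    return "PORT " + ",".join(addr.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpAwareNapt:
    """A NAPT that understands exactly one application protocol, FTP. It rewrites the private
    address/port inside the PORT command to (G, nat_port) and records the mapping so the
    server's data connection back to G:nat_port can be forwarded to the client."""

    def __init__(self, G: str, first_port: int = 14003):
        self.G = G
        self.next_port = first_port
        self.data_table = {}          # nat_port -> (private_host, private_port)

    def rewrite(self, private_host: str, line: str) -> str:
        parsed = parse_port_command(line)
        if parsed is None:
            return line                   # not an FTP PORT command: data passes through untouched
        addr, port = parsed
        if addr != private_host:
            return line                   # constructed sanity check: ignore a claim for another host
        nat_port = self.next_port
        self.next_port += 1
        self.data_table[nat_port] = (addr, port)
        return format_port_command(self.G, nat_port)


def demo():
    """Run one FTP PORT line and one home-grown line through the same NAT box."""
    nat = FtpAwareNapt("128.10.2.1")
    ftp_in = "PORT 10,0,0,5,82,31\r\n"                    # 10.0.0.5, port 82*256+31 = 21023
    ftp_out = nat.rewrite("10.0.0.5", ftp_in)
    # A home-grown protocol carrying the same information in its own format is not recognized,
    # so the private address leaks through and the peer will try to connect to 10.0.0.5 directly.
    homegrown_in = "CALLBACK 10.0.0.5:21023\n"
    homegrown_out = nat.rewrite("10.0.0.5", homegrown_in)
    return {"ftp_out": ftp_out, "data_table": dict(nat.data_table), "homegrown_out": homegrown_out}


if __name__ == "__main__":
    print(demo())
```

Because the rewritten PORT line is a different length from the original, a real FTP-aware NAT must also adjust the TCP sequence and acknowledgement numbers on that control connection for the rest of its life, which is one more reason the slides call this per-protocol translation impractical to do for every application.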


Summary
- VPNs guarantee privacy but are expensive
- 2 main technologies used to implement VPN
  - Application Gateways
  - NAT
