Private/Hybrid Networks
- Major drawback of a single-level architecture: lack of privacy.
- A two-level architecture distinguishes between internal and external datagrams.
- Goal: keep internal datagrams private while still allowing external communication.

Private Networks
- The easiest way to guarantee privacy is a completely private network (a "private network").
- Use routers to interconnect the networks at each site and leased digital circuits to interconnect sites.
- Since there is no outside access, the site can use its own IP addressing scheme.
VPN
- See the tunnel figure (figure 20.2 on page 391).
- The entire inner datagram, including its IP header, is encrypted before being placed as the data area of the outer datagram.
- Describe the flow: the outer datagram carries only the addresses of the two VPN routers, so routers in the Internet forward it without seeing the inner addresses or data; the receiving VPN router decrypts the data area and forwards the inner datagram onto its private network.
Application Gateways
- Offer hosts access to Internet services without offering IP-level access.
- Each site has a multi-homed host (MHH) with a connection to both the Internet and the private network.
- The MHH runs a set of programs called application gateways.

Application Gateways
- Advantage: they work without changing the underlying structure of the private network.
- Disadvantage: lack of generality. "Each application gateway handles only one specific service; multiple gateways are required for multiple services."
- Application gateways do NOT solve the problem in a general way.
NAT
- Requires a site to have a single connection to the Internet and one globally valid IP address, G.
- G is assigned to a multi-homed host connected to the Internet that runs NAT software.
- A computer running NAT software is known as a NAT box.
- All datagrams flow through the NAT box.

NAT
- NAT translates addresses in both outgoing and incoming datagrams.
- Outgoing: replace the (private) source address with G.
- Incoming: replace the destination address G with the private address of the internal host.

NAT
- External view: all datagrams come from and go to the NAT box.
- Internal view: the NAT box appears to be a router to the Internet.
- Chief advantage: the combination of generality and transparency.
NAT Translation
- How and when is the translation table initialized?
- Manual: by the network administrator.
- Outgoing datagrams: as a side effect of sending datagrams.
- Incoming DNS lookup: as a side effect of a DNS lookup. When a host on the Internet does a DNS lookup of an internal host, the (modified) DNS software creates an entry in the translation table and then answers the request by returning G.

NAT Translation
- Manual. Advantage: IP datagrams can flow in either direction at any time.
- Outgoing. Advantage: automatic. Disadvantage: communication can't be initiated from outside, because no table entry exists until an internal host sends. (Many sites rely on this to block unsolicited inbound traffic, but NAT is not a substitute for a firewall.)
- Incoming DNS lookups. Requires modifying the DNS software. Accommodates initiating communication from outside. Only works if DNS is used.
Multi-Address NAT
- NAT as described so far allows only one host on the private network at a time to communicate with a given Internet site.
- What if two local hosts want to access the same Internet host? This is the external address concurrency problem.

Multi-Address NAT
- Assign the NAT box multiple globally valid addresses (G1, G2, ...).
- Concurrent accesses of the same Internet host are mapped to different Gs.
- Still only a finite number of concurrent accesses (one per G).
Port-Mapped NAT
- Translate TCP or UDP protocol port numbers as well as IP addresses.
- Sometimes known as Network Address Port Translation (NAPT).
- Additional table fields: the pair of source/destination protocol port numbers, and the protocol port number used by the NAT box.

Port-Mapped NAT
- See figure 20.6 on page 397.
- 10.0.0.5 and 10.0.0.1 happen to have unique source port numbers, but this is NOT guaranteed: they may choose the same number, since an application can select its own port.
- To avoid collisions, the NAT box assigns a unique port number to each Internet communication.

Port-Mapped NAT
- A TCP connection is represented by a 4-tuple (source IP, source port, destination IP, destination port).
- Before sending: (10.0.0.5, 21023, 128.10.19.20, 80) and (10.0.0.1, 386, 128.10.19.20, 80).
- After translation the source address of each becomes G and the source port becomes a port chosen by the NAT box, so the two connections remain distinguishable even though both go to 128.10.19.20 port 80.
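The following is an added example, not code from the textbook or the lecture: a minimal port-mapped NAT box in Python that works on 4-tuples rather than real packets. It shows the translation table being created as a side effect of outgoing datagrams, the NAT box assigning its own source port so that two internal hosts that picked the same port do not collide, reply datagrams being mapped back to the right host, and an unsolicited inbound datagram with no table entry being dropped. The address G = 128.210.24.6 and the starting NAT port 14000 are assumptions.

```python
from dataclasses import dataclass

G = "128.210.24.6"       # the site's single globally valid address (assumed)
FIRST_NAT_PORT = 14000   # NAT-assigned ports start here (assumed)


@dataclass(frozen=True)
class Datagram:
    """Just the fields NAPT cares about: the TCP/UDP 4-tuple."""
    src: str
    sport: int
    dst: str
    dport: int


class NAPTBox:
    def __init__(self, g=G, first_port=FIRST_NAT_PORT):
        self.g = g
        self.next_port = first_port
        # outgoing: (private src, sport, dst, dport) -> NAT-assigned port
        self.out_table = {}
        # incoming: (NAT port, external host, external port) -> (private src, sport)
        self.in_table = {}

    def outgoing(self, d: Datagram) -> Datagram:
        """Translate a datagram leaving the private network.

        The table entry is created here, as a side effect of sending: this is
        the 'outgoing datagrams' initialization strategy from the slides."""
        key = (d.src, d.sport, d.dst, d.dport)
        nat_port = self.out_table.get(key)
        if nat_port is None:
            # Always allocate a fresh port instead of reusing d.sport, so two
            # internal hosts that chose the same source port cannot collide.
            nat_port = self.next_port
            self.next_port += 1
            self.out_table[key] = nat_port
            self.in_table[(nat_port, d.dst, d.dport)] = (d.src, d.sport)
        return Datagram(self.g, nat_port, d.dst, d.dport)

    def incoming(self, d: Datagram):
        """Translate a datagram arriving from the Internet, or return None
        (drop) if no internal host has a matching entry."""
        if d.dst != self.g:
            return None
        entry = self.in_table.get((d.dport, d.src, d.sport))
        if entry is None:
            return None  # unsolicited: nobody inside asked for this
        priv_src, priv_sport = entry
        return Datagram(d.src, d.sport, priv_src, priv_sport)


def demo():
    """Two internal hosts pick the same source port toward the same server."""
    box = NAPTBox()
    a = box.outgoing(Datagram("10.0.0.5", 21023, "128.10.19.20", 80))
    b = box.outgoing(Datagram("10.0.0.1", 21023, "128.10.19.20", 80))
    reply_to_b = box.incoming(Datagram("128.10.19.20", 80, G, b.sport))
    unsolicited = box.incoming(Datagram("203.0.113.9", 4444, G, 22))
    return a, b, reply_to_b, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The inbound lookup is keyed on the external host and port as well as the NAT port, so a datagram from a different external host to an in-use NAT port is still dropped; real NAT implementations differ in how strict this matching is.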
NAT and ICMP
- ICMP error messages carry the IP header (and first bytes) of the datagram that caused the error, so the NAT box must first translate the address inside that embedded header and place it back into the ICMP message.
- The ICMP checksum is now incorrect, and so is the checksum in the outer datagram's IP header (whose destination address was also rewritten)! Both must be recomputed.
NAT and Applications
- Some application protocols carry IP addresses or port numbers in their data, so NAPT would need to inspect the data and translate it for every such application protocol, each handled according to its own design!
- In practice NAT software supports the major application protocols, such as FTP and Telnet, but not all of them.
- Certainly not our home-grown applications.
- Rewriting an address inside the data can change its length (e.g. FTP's PORT command), so the NAT box must then also adjust the TCP sequence and acknowledgement numbers for the rest of that connection.
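As an added example of the application-level rewriting just described (not code from the textbook), the following Python models the FTP piece of a NAT box: it rewrites the private address and port carried in an outgoing FTP PORT command (RFC 959 format h1,h2,h3,h4,p1,p2) to G and a NAT-assigned port, records the mapping so the server's inbound data connection can be translated, and reports how many bytes the payload grew by, which is the amount TCP sequence numbers must be adjusted. It also refuses a PORT command that names an address other than the sender's own, which is the classic FTP bounce abuse. G, the NAT port range and the sample commands are assumptions for the example.

```python
import re

G = "128.210.24.6"       # the NAT box's globally valid address (assumed)
FIRST_NAT_PORT = 14000   # NAT-assigned data ports start here (assumed)

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(line: bytes):
    """Return (ip, port) from an FTP PORT command line, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip: str, port: int) -> bytes:
    a, b, c, d = ip.split(".")
    return f"PORT {a},{b},{c},{d},{port // 256},{port % 256}\r\n".encode()


class FtpAlg:
    """Application-level helper a NAT box needs for FTP active mode."""

    def __init__(self, g=G, first_port=FIRST_NAT_PORT):
        self.g = g
        self.next_port = first_port
        self.data_map = {}   # NAT port -> (private ip, private port)

    def outgoing_control(self, private_src: str, line: bytes):
        """Process one control-connection line leaving the private network.

        Returns (line_to_forward, payload_length_delta), or None if the line
        must be dropped. Non-PORT lines pass through untouched."""
        parsed = parse_port(line)
        if parsed is None:
            return line, 0
        ip, port = parsed
        if ip != private_src:
            # Client asked the server to connect to a third host: FTP bounce.
            return None
        nat_port = self.next_port
        self.next_port += 1
        self.data_map[nat_port] = (ip, port)
        new_line = format_port(self.g, nat_port)
        # The rewritten line is usually longer; the NAT box must add this
        # delta to every later TCP sequence number on this connection.
        return new_line, len(new_line) - len(line)

    def incoming_data(self, dst_port: int):
        """Where the server's inbound data connection to G:dst_port really goes."""
        return self.data_map.get(dst_port)


def demo():
    """Constructed session: a client at 10.0.0.5 listens on port 1025 (4*256+1)."""
    alg = FtpAlg()
    passthrough = alg.outgoing_control("10.0.0.5", b"USER anonymous\r\n")
    rewritten = alg.outgoing_control("10.0.0.5", b"PORT 10,0,0,5,4,1\r\n")
    data_target = alg.incoming_data(FIRST_NAT_PORT)
    bounce = alg.outgoing_control("10.0.0.5", b"PORT 10,0,0,9,4,1\r\n")
    return passthrough, rewritten, data_target, bounce


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Every protocol that embeds addresses needs its own helper like this, which is exactly the lack of generality the slides complain about; a home-grown protocol the NAT box has never heard of gets no such help and its embedded private addresses leak out unchanged and unusable.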