Ch 19 Private Network Interconnection - PowerPoint PPT Presentation

Provided by: cslChan

1
Ch 19 Private Network Interconnection
  • 2006.11.15

LIS Lab
2
19.1 Introduction
Definition
Limited Address Space, Keep Privacy to Internal Network
3
19.2 Private And Hybrid Networks
Hybrid Network
[Figure: hybrid network. Site1 and Site2 are joined by a leased circuit; routers R1 to R4; networks 128.10.1.0, 128.10.2.0, 192.5.48.0, 128.210.0.0]

4
19.2 Private And Hybrid Networks
VPN
  • Encryption
  • IP-in-IP tunneling

Connect all sites to the global Internet; protect data as it passes
from one site to another using encryption and IP-in-IP tunneling.
5
19.3 VPN Addressing And Routing
Addressing and Routing
  • Think of each VPN tunnel as a replacement for a leased circuit in
    a private network
  • Router contains explicit routes for destinations within the
    organization
  • Instead of routing data across a leased line, VPN routes data
    through a tunnel

6
19.5 VPN With Private Address
Private Address
  • VPNs that do not need general Internet connectivity can be
    configured to use arbitrary IP addresses
  • If Internet access is needed, a hybrid addressing scheme is used
  • When private addressing is used, a valid IP address is needed at
    each site for tunnelling
  • VPNs use the same addressing structure as a private network
  • Hosts in a completely isolated VPN can use arbitrary addresses
  • A hybrid architecture with valid IP addresses must be employed to
    provide hosts with access to the global Internet
  • How can a site provide access to the global Internet without
    assigning each host a valid IP address?
  • The application gateway approach offers hosts access to Internet
    services without offering IP-level access (each site has a
    multi-homed host connected)

7
19.6 Network Address Translation (NAT)
NAT
[Figure: Internet, NAT box, intranet]
  • Requires a site to have a single connection to the global
    Internet and at least one globally valid IP address
  • Address G is assigned to the multi-homed host that connects to
    the Internet and runs the NAT software (the NAT box)
  • All datagrams pass through the NAT box
  • NAT translates the addresses in both outgoing and incoming
    datagrams by replacing the source address in each outgoing
    datagram with G and replacing the destination address in each
    incoming datagram with the private address of the correct host
  • Chief advantage arises from its combination of generality and
    transparency
  • Provides transparent IP-level access to the Internet from a host
    with a private address

8
19.7 NAT Translation Table Creation
NAT Operation
  • NAT maintains a translation table that it uses to perform the
    mapping.
  • Each entry specifies two items:
    • IP address of a host on the Internet
    • Internal IP address of a host at the site
  • When an incoming datagram arrives:
    • NAT looks up the datagram's destination address in the table
    • Extracts the corresponding address of an internal host
    • Replaces the datagram's destination address with the host's
      address
    • Forwards the datagram across the local network to the host

9
19.7 NAT Translation Table Creation
NAT Table Creation
  • Manual initialization
    • Manager configures the translation table manually before any
      communication occurs
    • Provides permanent mappings and allows IP datagrams to be sent
      in either direction at any time
  • Outgoing datagrams (automatic)
    • Table is built as a side effect of sending datagrams
    • When it receives a datagram from an internal host, NAT creates
      an entry in the translation table to record the address of the
      host and the address of the destination
    • Does not allow communication to be initiated from the outside
  • Incoming name lookups
    • Table is built as a side effect of handling domain name lookups
    • When a host on the Internet looks up the domain name of an
      internal host to find its IP address, the domain name software
      creates an entry in the NAT translation table
    • Then answers the request by sending address G
    • From the outside it appears that all host names at the site map
      to address G
    • Requires modifying the domain name software
    • Accommodates communication initiated from outside the site
    • Only works if the sender performs a domain name lookup before
      sending datagrams.

10
19.8 Multi-Address NAT
  • A variation of NAT permits concurrency by retaining the 1-to-1
    mapping but allowing the NAT box to hold multiple Internet
    addresses.
  • Multi-address NAT assigns the NAT box a set of k globally valid
    addresses (G1, G2, ... Gk)
  • When the first internal host accesses a given destination, the
    NAT box chooses address G1
  • Adds an entry to the translation table and sends the datagram
  • G2 is assigned to the next host, and so on
  • Allows up to k internal hosts to access a given destination
    concurrently
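The translation-table behaviour of 19.6 to 19.8, as an added Python example (it is not code from the presentation or from the textbook it summarizes): a NatBox holding k global addresses, a manual entry, entries created as a side effect of outgoing datagrams, and the drop that results when no entry or no free address exists. The NatBox class, the internal hosts 10.0.0.x and the global addresses 128.210.0.1 and 128.210.0.2 are constructed for the example; a datagram is modelled only by its (source, destination) address pair.

```python
"""One-to-one NAT and multi-address NAT simulation (sections 19.6 to 19.8).

Added example, not code from the presentation. The NatBox class, the
internal hosts and the global addresses 128.210.0.1 / 128.210.0.2 are
constructed; a datagram is modelled only by its (src, dst) addresses.
"""


class NatBox:
    """A NAT box owning k globally valid addresses G1..Gk.

    With k == 1 this is the basic NAT of 19.6: every outgoing datagram gets
    source address G. With k > 1 it is the multi-address NAT of 19.8: the
    1-to-1 mapping is kept, but up to k internal hosts may talk to the same
    external destination at once, each behind its own Gi.
    """

    def __init__(self, global_addrs):
        self.global_addrs = list(global_addrs)
        # translation table: (internal host, external host) -> Gi in use
        self.table = {}

    def add_manual_entry(self, internal, external, global_addr):
        """Manual initialization (19.7): a permanent mapping loaded by the
        manager before any traffic, so datagrams may flow in either
        direction at any time."""
        self.table[(internal, external)] = global_addr

    def _free_global_for(self, external):
        """Lowest-numbered Gi not already mapped to this destination."""
        in_use = {g for (_, ext), g in self.table.items() if ext == external}
        for g in self.global_addrs:
            if g not in in_use:
                return g
        return None

    def outgoing(self, src, dst):
        """Rewrite a datagram leaving the site; returns (new_src, dst).

        Entries are created as a side effect of sending (19.7): the first
        datagram from an internal host to dst claims a free Gi. When all k
        addresses are already busy for dst the datagram is dropped (None).
        """
        key = (src, dst)
        if key not in self.table:
            g = self._free_global_for(dst)
            if g is None:
                return None
            self.table[key] = g
        return (self.table[key], dst)

    def incoming(self, src, dst):
        """Rewrite a datagram arriving from the Internet; returns (src, host).

        NAT looks up the destination Gi together with the sender and
        substitutes the internal host. With no matching entry there is no
        host to deliver to, which is why an outgoing-built table does not
        let outsiders initiate communication.
        """
        for (internal, external), g in self.table.items():
            if external == src and g == dst:
                return (src, internal)
        return None


def demo():
    """Run both configurations and return the observed translations."""
    # Basic NAT: one global address (constructed sample hosts).
    single = NatBox(["128.210.0.1"])
    out1 = single.outgoing("10.0.0.5", "128.10.19.20")
    reply = single.incoming("128.10.19.20", "128.210.0.1")
    second_host = single.outgoing("10.0.0.6", "128.10.19.20")   # G busy
    unsolicited = single.incoming("192.5.48.9", "128.210.0.1")  # no entry
    single.add_manual_entry("10.0.0.9", "192.5.48.9", "128.210.0.1")
    manual = single.incoming("192.5.48.9", "128.210.0.1")       # now known
    # Multi-address NAT with k = 2.
    multi = NatBox(["128.210.0.1", "128.210.0.2"])
    g_first = multi.outgoing("10.0.0.5", "128.10.19.20")[0]
    g_second = multi.outgoing("10.0.0.6", "128.10.19.20")[0]
    g_third = multi.outgoing("10.0.0.7", "128.10.19.20")         # k exceeded
    return {"out1": out1, "reply": reply, "second_host": second_host,
            "unsolicited": unsolicited, "manual": manual,
            "g_first": g_first, "g_second": g_second, "g_third": g_third}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two drop cases are the ones worth watching in a real deployment: a second host behind a single-address NAT cannot reach a destination another host is already using, and an inbound datagram with no table entry is silently discarded rather than delivered to a guessed host.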

11
19.9 Network Address Port Translation (NAPT)
NAPT
  • Provides concurrency by translating TCP or UDP protocol port
    numbers as well as addresses (the table contains a pair of source
    and destination protocol port numbers)
  • Port uniqueness is not guaranteed, so two internal hosts could
    happen to choose the same port number
  • To avoid potential conflicts, NAT assigns a unique port number to
    each communication used on the Internet
  • The 4-tuples (10.0.0.5, 23023, 128.10.19.20, 80) and (10.0.0.5,
    386, 128.10.19.20, 80) become (G, 14003, 128.10.19.20, 80) and
    (G, 14010, 128.10.19.20, 80)
  • Primary advantage of NAPT lies in the generality it achieves with
    a single globally valid IP address
  • The primary disadvantage arises because it restricts
    communication to TCP or UDP
  • As long as all communication uses TCP or UDP, NAPT allows an
    internal computer to access multiple external computers, and
    multiple internal computers to access the same external computer
    without interference.
  • A port space of 16 bits allows up to 2^16 pairs of applications
    to communicate at the same time. (65,025)
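The port rewriting of 19.9, as an added Python example (not the presentation's code): a NaptBox keyed on the protocol and the full 4-tuple, which assigns each new communication a unique port on the G side, maps replies back to the internal host, drops unsolicited inbound traffic, and refuses protocols without port numbers. The NaptBox class and the global address G = 128.210.0.1 are constructed; the two 4-tuples from 10.0.0.5 are the ones on the slide. Ports here come from a counter starting at 14003, so the second connection gets 14004 rather than the 14010 shown on the slide.

```python
"""NAPT simulation (section 19.9): rewrite protocol port numbers as well
as addresses so one global address G serves many internal hosts at once.

Added example, not the presentation's code. The NaptBox class, the
global address G = 128.210.0.1 and the port counter are constructed;
4-tuples are (src_ip, src_port, dst_ip, dst_port).
"""


class NaptBox:
    """Translation table keyed by protocol and the full 4-tuple."""

    def __init__(self, global_addr, first_port=14003, last_port=65535):
        self.g = global_addr
        self.next_port = first_port
        self.last_port = last_port
        # outbound: (proto, src_ip, src_port, dst_ip, dst_port) -> assigned port
        self.out = {}
        # inbound:  (proto, assigned port, ext_ip, ext_port) -> (src_ip, src_port)
        self.back = {}

    def outgoing(self, proto, pkt):
        """Return the rewritten 4-tuple (G, assigned_port, dst_ip, dst_port).

        NAPT assigns a unique port per communication, so two internal hosts
        that happen to pick the same local port never collide on the
        Internet side. Protocols without ports (ICMP here) return None,
        which is the restriction the slide lists as NAPT's disadvantage.
        """
        if proto not in ("tcp", "udp"):
            return None
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            if self.next_port > self.last_port:
                return None                      # 16-bit port space exhausted
            assigned = self.next_port
            self.next_port += 1
            self.out[key] = assigned
            self.back[(proto, assigned, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.g, self.out[key], dst_ip, dst_port)

    def incoming(self, proto, pkt):
        """Return the 4-tuple rewritten for the internal host, or None when
        no entry matches (unsolicited inbound traffic is dropped)."""
        ext_ip, ext_port, dst_ip, dst_port = pkt
        if dst_ip != self.g:
            return None
        internal = self.back.get((proto, dst_port, ext_ip, ext_port))
        if internal is None:
            return None
        return (ext_ip, ext_port) + internal


def demo():
    """Translate the slide's tuples plus a port-collision case."""
    box = NaptBox("128.210.0.1")
    # The slide's two connections from 10.0.0.5 to 128.10.19.20:80.
    first = box.outgoing("tcp", ("10.0.0.5", 23023, "128.10.19.20", 80))
    second = box.outgoing("tcp", ("10.0.0.5", 386, "128.10.19.20", 80))
    # Two hosts choosing the same local port 5000 towards the same server
    # (constructed DNS server 192.5.48.9:53).
    a = box.outgoing("udp", ("10.0.0.5", 5000, "192.5.48.9", 53))
    b = box.outgoing("udp", ("10.0.0.6", 5000, "192.5.48.9", 53))
    # A reply to b's assigned port goes back to 10.0.0.6:5000, not 10.0.0.5.
    reply_b = box.incoming("udp", ("192.5.48.9", 53, "128.210.0.1", b[1]))
    stray = box.incoming("tcp", ("128.10.19.20", 80, "128.210.0.1", 60000))
    icmp = box.outgoing("icmp", ("10.0.0.5", 0, "128.10.19.20", 0))
    return {"first": first, "second": second, "a": a, "b": b,
            "reply_b": reply_b, "stray": stray, "icmp": icmp}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keying on the whole 4-tuple rather than on the internal address alone is what lets one internal host hold several connections to the same server and lets several hosts share a server without interference; the reverse map is what guarantees a reply lands on exactly the host that opened the conversation.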

12
19.10 Interaction Between NAT and Other
Interaction with ICMP and applications
  • ICMP
    • To maintain the illusion of transparency, NAT must handle ICMP
    • If a host uses ping to test reachability, NAT must forward
      incoming echo replies to the correct host
    • NAT does not forward all ICMP messages that arrive from the
      Internet
    • ICMP redirect messages are processed locally
    • NAT must first determine whether an incoming ICMP message should
      be handled locally or sent to the internal host.
    • Before forwarding, NAT translates the ICMP message
  • Applications
    • NAT affects ICMP and higher-layer protocols
    • Except for a few standard applications like FTP, an application
      protocol that passes IP addresses or protocol port numbers as
      data will not operate correctly across NAT.

13
19.13 Conceptual Address Domains
Domain
  • NAT can be used to connect any two address domains
  • Can be used between two corporations (private networks using the
    same network IP address)
  • NAT can be used at two levels:
    • Between a customer's private and an ISP's private address
      domains
    • Between the ISP's address domain and the global Internet
  • NAT can be combined with VPN technology to form a hybrid
    architecture (private addresses are used within the organization
    and NAT provides connectivity to the global Internet)

14
19.14 Slirp and iptables
Slirp and iptables
  • Slirp was designed for use in a dialup architecture.
  • Combines PPP and NAT into a single program
  • Runs on a computer that has:
    • A valid IP address
    • A permanent Internet connection
    • One or more dialup modems
  • Chief advantage is that it can use an ordinary user account on a
    Unix system for general-purpose Internet access
  • A computer that has a private address dials in and runs slirp.
  • Once slirp begins, the dialup line switches from ASCII commands
    to PPP
  • The dialup computer starts PPP and obtains access to the Internet
  • Slirp implements NAPT
    • Uses protocol port numbers to demultiplex connections
    • Can rewrite protocol port numbers as well as IP addresses
  • Possible to have multiple computers accessing the Internet at the
    same time through a single occurrence of slirp running on a Unix
    system.
  • iptables was designed for the Linux operating system
    • Kernel support software (packet rewriting and firewalling)
    • Provides stateful packet inspection via iptables rules

15
Ch 20 Client Server Model of interaction
  • 2006.11.15

LIS Lab
16
20.3 The Client Server Model
  • Client
    • Any application program
    • Contacts a server
    • Forms and sends a request
    • Awaits a response
  • Server
    • Usually a specialized program that offers a service
    • Awaits a request
    • Computes an answer
    • Issues a response

17
20.3 A Simple Example UDP Echo Server
  • A server starts execution before interaction begins and (usually)
    continues to accept requests and send responses without ever
    terminating (Listen)
  • A client is any program that makes a request and awaits a
    response (Wait)
  • A client usually terminates after using a server a finite number
    of times (Time over)
  • A server waits for requests at a well-known port that has been
    reserved for the service it offers
  • A client allocates an arbitrary, unused, nonreserved port for its
    communication

18
20.4 Time And Date Service
  • Even simple client-server interaction can
    provide useful services
  • A time-of-day server sets a computer's time-of-day clock
  • Client-server interaction can be used to set the system clock
    automatically when a machine boots
  • The manager configures one machine, typically the machine with
    the most accurate clock, to run a time-of-day server.
  • When other machines boot, they contact the
    server to obtain the current time

19
20.5 The Complexity of Servers
  • The master is responsible for accepting new requests:
    • Open port: the master opens the well-known port at which it can
      be reached
    • Wait for client: the master waits for a new client to send a
      request
    • Start copy: the master starts an independent, concurrent slave
      to handle the request (in UNIX, forks a copy of the server
      process)
    • Continue: the master returns to the wait step and continues
      accepting new requests while the newly created slave handles
      the previous request concurrently
  • Servers are usually more difficult to build than clients
  • Although they can be implemented with application programs,
    servers must enforce all the access and protection policies of
    the computer system on which they run, and must protect
    themselves against all possible errors.
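The UDP echo interaction of 20.3 together with the master/slave server loop of 20.5, as an added Python example (not code from the presentation): the master opens a port and loops waiting for requests, hands each request to a worker that computes and issues the response, and keeps accepting; the client binds an arbitrary unused port, sends a finite number of requests, waits for each reply and terminates. Two assumptions are built in: it binds the loopback address with port 0, so the kernel picks a free port in place of a well-known reserved one, and the worker is a thread rather than the fork() the slide mentions for UNIX.

```python
"""UDP echo server with a master/worker structure, plus a client
(sections 20.3 and 20.5).

Added example, not code from the presentation. Binds 127.0.0.1 with
port 0 (kernel-chosen free port standing in for a well-known port) so it
runs offline, and starts a worker thread per request instead of fork().
"""
import socket
import threading

MAX_DATAGRAM = 65535


def start_echo_server(host="127.0.0.1"):
    """Master: open the port, wait for requests, hand each to a worker.

    Returns (port, stop_event); set the event to shut the server down.
    """
    master = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    master.bind((host, 0))
    master.settimeout(0.2)          # lets the loop notice the stop flag
    port = master.getsockname()[1]
    stop = threading.Event()

    def worker(request, client):
        # The slave computes the answer (for echo, the request itself) and
        # issues the response. A service that interprets its input would
        # validate it here, since the server must protect itself against
        # every malformed request it receives.
        master.sendto(request, client)

    def loop():
        while not stop.is_set():
            try:
                request, client = master.recvfrom(MAX_DATAGRAM)
            except socket.timeout:
                continue
            # Continue step: start a worker and go straight back to waiting.
            threading.Thread(target=worker, args=(request, client),
                             daemon=True).start()
        master.close()

    threading.Thread(target=loop, daemon=True).start()
    return port, stop


def echo_client(port, messages, host="127.0.0.1", timeout=2.0):
    """Client: the kernel assigns an arbitrary unused port on first send;
    issue a finite number of requests, wait for each reply, then terminate.
    Returns the replies in order."""
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)      # never block forever on a lost datagram
    replies = []
    try:
        for message in messages:
            client.sendto(message, (host, port))
            reply, _ = client.recvfrom(MAX_DATAGRAM)
            replies.append(reply)
    finally:
        client.close()
    return replies


def demo(messages=(b"hello", b"udp echo")):
    """Start a server, run one client against it, then stop the server."""
    port, stop = start_echo_server()
    try:
        return echo_client(port, list(messages))
    finally:
        stop.set()


if __name__ == "__main__":
    print(demo())
```

The asymmetry the slide describes is visible in the two functions: the server never returns on its own and has to be told to stop, while the client runs through its list and exits; the client's receive timeout is the one piece of defensive handling it needs, because UDP gives no guarantee that a reply will ever arrive.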

20
20.7 Alternatives to the Client-Server Model
  • Precollection
    • A background program on each machine uses UDP to broadcast
      information about the machine periodically
    • Each machine has a copy of the latest information on hand
  • Advantages
    • Speed: no need to wait for messages to traverse the network
    • Client can have information about machines no longer running
  • Disadvantage: uses processor time and network bandwidth even when
    no one cares about the data being collected.
    • For networks with few hosts, the precollection cost is
      insignificant; it is essentially innocuous background activity
    • For networks with many hosts, the larger volume of broadcast
      traffic is too expensive; the cost of reading and processing
      broadcast messages becomes high.