Dynamic Host Configuration Protocol (DHCP) and Network Address Translation (NAT)
CS491G: Computer Networking Lab
V. Arun
Slides adapted from Liebeherr and El Zarki, Kurose and Ross, IBM, P. Kermani
Dynamic Host Configuration Protocol (DHCP)
Dynamic Assignment of IP addresses
• Dynamic assignment of IP addresses is desirable for
  – On-demand IP address assignment
  – Avoiding manual IP configuration
  – Supporting mobility, e.g., laptops or smartphones
Dynamic IP addresses assignment solutions
• Reverse Address Resolution Protocol (RARP)
  – Works similar to ARP, but broadcasts a request for the IP address associated with a given MAC address
  – RARP server responds with an IP address
  – Only assigns the IP address (not default router, netmask)
[Figure: ARP maps an Ethernet MAC address (48 bit) to an IP address (32 bit); RARP maps in the reverse direction]
BOOTP
• BOOTstrap Protocol (BOOTP)
  – From 1985
  – Host can configure its IP parameters at boot time
  – 3 main services
    • Assigning IP address
    • Detecting IP address of a serving machine
    • Name of executable boot file
  – Can also assign default router, network mask, etc.
  – Sent as UDP messages (port 67: server and 68: host)
  – Uses limited broadcast address (255.255.255.255)
BOOTP Interaction
• BOOTP can be used for downloading memory image for diskless PCs (network boot)
• Static assignment of IP addresses to hosts
[Figure: (a) Argon (00:a0:24:71:e4:44) sends a BOOTP Request to 255.255.255.255; (b) the BOOTP server responds with IP address 128.143.137.144, server IP address 128.143.137.100 and boot file name "filename"; (c) Argon (128.143.137.144) downloads "filename" from 128.143.137.100 via TFTP]
DHCP
• Dynamic Host Configuration Protocol (DHCP)
  – From 1993
  – Extension of BOOTP, same port numbers, interoperable
  – Extensions:
    • Supports temporary “leases” of IP addresses
    • DHCP client can acquire all IP configuration parameters needed to operate
  – DHCP is the preferred mechanism for dynamic assignment of IP addresses
DHCP Interaction (simplified)
[Figure: Argon (00:a0:24:71:e4:44) broadcasts a DHCP Request to 255.255.255.255; the DHCP Server responds with IP address 128.143.137.144, default gateway 128.143.137.1, netmask 255.255.0.0]
Typical DHCP client-server scenario (DHCP server 223.1.2.5, arriving client):
• DHCP discover: src 0.0.0.0, 68 to dest 255.255.255.255, 67; yiaddr: 0.0.0.0; transaction ID: 654
• DHCP offer: src 223.1.2.5, 67 to dest 255.255.255.255, 68; yiaddr: 223.1.2.4; transaction ID: 654; lifetime: 3600 secs
• DHCP request: src 0.0.0.0, 68 to dest 255.255.255.255, 67; yiaddr: 223.1.2.4; transaction ID: 655; lifetime: 3600 secs
• DHCP ACK: src 223.1.2.5, 67 to dest 255.255.255.255, 68; yiaddr: 223.1.2.4; transaction ID: 655; lifetime: 3600 secs
BOOTP/DHCP Message Format
Fields, in wire order:
• OpCode, Hardware Type, Hardware Address Length, Hop Count
• Transaction ID
• Number of Seconds, Unused (in BOOTP) / Flags (in DHCP)
• Client IP address
• Your IP address
• Server IP address
• Gateway IP address
• Client hardware address (16 bytes)
• Server host name (64 bytes)
• Boot file name (128 bytes)
• Options (there are >100 different options)
DHCP Message Type
• Message type is sent as an option (DHCP option 53):
Value  Message Type
1      DHCPDISCOVER
2      DHCPOFFER
3      DHCPREQUEST
4      DHCPDECLINE
5      DHCPACK
6      DHCPNAK
7      DHCPRELEASE
8      DHCPINFORM
Other options (selection)
• Other DHCP information that can be sent as an option:
Subnet Mask, Name Server, Hostname, Domain Name, Forward On/Off, Default IP TTL, Broadcast Address, Static Route, Ethernet Encapsulation, X Window Manager, X Window Font, DHCP Msg Type, DHCP Renewal Time, DHCP Rebinding Time, SMTP-Server, Client FQDN, Printer Name, …
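As an added illustration of the message format, the message-type option and the offer in the scenario above (example code written for these notes, not from the original slides or any DHCP implementation), the following Python builds the DHCPOFFER of that scenario (transaction ID 654, yiaddr 223.1.2.4, lifetime 3600 s) and parses it back; Argon's MAC address as the client and the router address 223.1.2.1 are assumptions, and the parser rejects messages whose options run past the end of the datagram.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of DHCP options (RFC 2132)
OPT_MSG_TYPE, OPT_ROUTER, OPT_LEASE_TIME, OPT_END = 53, 3, 51, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
# Fixed BOOTP header from the slide: op, htype, hlen, hops, xid, secs, flags, ciaddr,
# yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
HDR = "!BBBBIHH4s4s4s4s16s64s128s"

def build_dhcp(op, xid, mac, yiaddr, options):
    """Serialise header + magic cookie + (code, length, value) options + END."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,   # htype 1 = Ethernet, broadcast flag
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])

def parse_dhcp(pkt):
    """Parse a BOOTP/DHCP message; raises ValueError on short or malformed input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr, _, _ = struct.unpack(HDR, pkt[:236])
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                     # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("option runs past end of message")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    mtype = opts.get(OPT_MSG_TYPE, b"")
    return {"op": op, "xid": xid, "chaddr": chaddr[:hlen].hex(":"),
            "yiaddr": socket.inet_ntoa(yiaddr),
            "msg_type": MSG_TYPES.get(mtype[0]) if mtype else None, "options": opts}

# Constructed sample: the DHCPOFFER from the scenario slide (xid 654, yiaddr 223.1.2.4,
# lease 3600 s). Argon's MAC as client and router 223.1.2.1 are assumed values.
OFFER = build_dhcp(2, 654, bytes.fromhex("00a02471e444"), "223.1.2.4", [
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_ROUTER, socket.inet_aton("223.1.2.1")),
    (OPT_LEASE_TIME, struct.pack("!I", 3600)),
])

if __name__ == "__main__":
    print(parse_dhcp(OFFER))
```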
Network Address Translation (NAT)
Private Network
• Private IP network: not directly connected to the Internet
• IP addresses in a private network can be assigned arbitrarily
  – Not registered and not guaranteed to be globally unique
• Designated private address ranges:
  – 10.0.0.0 – 10.255.255.255
  – 172.16.0.0 – 172.31.255.255
  – 192.168.0.0 – 192.168.255.255
Private Network Example
[Figure: two private networks, each reusing the addresses 10.0.1.1, 10.0.1.2 and 10.0.1.3 (hosts H1–H4, routers R1 and R2), connected through the Internet; public addresses shown: 128.195.4.119, 128.143.71.21 and 213.168.112.3 (H5)]
Network Address Translation (NAT)
• Router function at boundary of private network that rewrites [IP,port] fields in incoming and outgoing packets
NAT: network address translation
• Motivation: local network uses just one IP address as far as the outside world is concerned
  – Range of addresses not needed from ISP: just one IP address for all devices
  – Can change addresses of devices in local network without notifying outside world
  – Can change ISP without changing addresses of devices in local network
  – Can use translation for load balancing
  – Devices inside local net not explicitly addressable, visible by outside world (a security plus)
NAT: network address translation
[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1–10.0.0.4 behind a NAT router whose address towards the rest of the Internet is 138.76.29.7]
• Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers
NAT: network address translation
• Implementation: NAT router must:
  – Outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #); remote clients/servers will respond using (NAT IP address, new port #) as destination addr
  – Remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
  – Incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table
NAT: network address translation
Worked example (hosts 10.0.0.1–10.0.0.4 behind NAT router 138.76.29.7):
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 (S: 10.0.0.1, 3345; D: 128.119.40.186, 80)
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table (S: 138.76.29.7, 5001; D: 128.119.40.186, 80)
3: reply arrives, dest. address: 138.76.29.7, 5001 (S: 128.119.40.186, 80; D: 138.76.29.7, 5001)
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80; D: 10.0.0.1, 3345)

NAT translation table
WAN side addr        LAN side addr
138.76.29.7, 5001    10.0.0.1, 3345
……                   ……
Number of ways of using NAT
• Static NAT: Translate each private IP address to a specific IP address
• Dynamic NAT: Pool of inside global addresses and matching criteria
• Port forwarding: redirecting incoming packets on specific ports to specific internal machine
• Overloading: Using a small number of global addresses for much larger number of local addresses
• Load balancing: Map same source [IP,port] in incoming packets to different internal servers
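The translation-table rules and the four-step example above, together with the private-range check and the port-forwarding and overloading uses just listed, as an added Python model (written for these notes, not code from the slides or from any router): the hypothetical class NatRouter keeps the (source IP, port) to (NAT IP, new port) table, allocates WAN-side ports from 5001 as in the example, refuses to translate sources outside the private ranges, and drops inbound datagrams that match no table entry, which is the "security plus" of the motivation slide.

```python
import ipaddress
from itertools import count

# RFC 1918 ranges from the "Private Network" slide
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in PRIVATE)

class NatRouter:
    """Overloaded NAT: one WAN address, LAN hosts told apart by the translated port."""
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.ports = count(first_port)      # next candidate WAN-side port
        self.lan_to_wan = {}                # (lan_ip, lan_port) -> wan_port
        self.wan_to_lan = {}                # wan_port -> (lan_ip, lan_port)

    def forward(self, wan_port, lan_ip, lan_port):
        """Static port forwarding: pre-install a table entry for inbound connections."""
        self.wan_to_lan[wan_port] = (lan_ip, lan_port)
        self.lan_to_wan[(lan_ip, lan_port)] = wan_port

    def outbound(self, pkt):
        """Step 2: rewrite (source IP, port) of a datagram leaving the LAN, update table."""
        src = (pkt["src_ip"], pkt["src_port"])
        if not is_private(pkt["src_ip"]):
            raise ValueError(f"refusing to translate non-private source {src}")
        if src not in self.lan_to_wan:
            port = next(self.ports)
            while port in self.wan_to_lan:  # skip ports taken by static forwards
                port = next(self.ports)
            if port > 65535:                # 16-bit port field bounds the table
                raise RuntimeError("WAN port space exhausted")
            self.lan_to_wan[src] = port
            self.wan_to_lan[port] = src
        return dict(pkt, src_ip=self.wan_ip, src_port=self.lan_to_wan[src])

    def inbound(self, pkt):
        """Step 4: rewrite (dest IP, port) of a datagram arriving from the Internet."""
        entry = self.wan_to_lan.get(pkt["dst_port"])
        if pkt["dst_ip"] != self.wan_ip or entry is None:
            return None                     # no mapping: inside host is not reachable
        return dict(pkt, dst_ip=entry[0], dst_port=entry[1])

if __name__ == "__main__":
    nat = NatRouter("138.76.29.7")
    out = nat.outbound({"src_ip": "10.0.0.1", "src_port": 3345, "dst_ip": "128.119.40.186", "dst_port": 80})
    print(out)                              # source is now 138.76.29.7, 5001
    print(nat.inbound({"src_ip": "128.119.40.186", "src_port": 80, "dst_ip": "138.76.29.7", "dst_port": 5001}))
```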
Cisco’s static NAT terminology
Term            Meaning
Inside Local    An address in the private network that is not visible in the public network. More descriptive term: inside private.
Inside Global   The address used to represent the inside host in the public network. More descriptive term: inside public.
Outside Global  The actual IP address assigned to a host that resides in the outside network (may not be known in the private network). More descriptive term: outside public.
Outside Local   The IP address of an outside host as it appears to the inside network. Not necessarily a legitimate address; it is allocated from an address space routable on the inside. Not a popular option. More descriptive term: outside private.
Load balancing of servers
[Figure: NAT device between the Internet (public address 128.143.71.21) and an inside network with servers S1 10.0.1.2, S2 10.0.1.3, S3 10.0.1.4; the NAT table maps private addresses 10.0.1.2 and 10.0.1.4 to the same public address 128.143.71.21; packets from 213.168.12.3 and from 128.195.4.120, both with destination 128.143.71.21, are delivered to different internal servers]
Configuring NAT in Linux
• Linux uses the netfilter/iptables package to add filtering and NAT rules to the IP module
[Figure: netfilter hook traversal. An incoming datagram first passes nat PREROUTING (DNAT), then the "Destination is local?" decision: if yes, filter INPUT and on to the application; if no, filter FORWARD. Datagrams from a local application pass nat OUTPUT and filter OUTPUT. Both forwarded and locally generated outgoing datagrams pass nat POSTROUTING (SNAT) before leaving]
Configuring NAT with iptables
• First example:
  iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.143.71.21
• Pooling of IP addresses:
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.128.71.0-128.143.71.30
• ISP migration (-R replaces the rule at a given position in the chain; rule number 1 is assumed here, i.e., the pooling rule above is the first POSTROUTING rule):
  iptables -t nat -R POSTROUTING 1 -s 10.0.1.0/24 -j SNAT --to-source 128.195.4.0-128.195.4.254
• IP masquerading:
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE
• Load balancing:
  iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
NAT multiplexing limits
• 16-bit port-number field: ~65K simultaneous connections with a single LAN-side address!
• Possible to have ~65K connections to each WAN-side destination

NAT drawbacks/controversies
• Routers should only process up to layer 3
• Address shortage ought to be solved by IPv6
• Violates end-to-end argument: NAT possibility must be taken into account by app designers, e.g., P2P applications
• Two private network machines can not communicate directly without third-party support
• Performance: checksums need to be recomputed in transport and IP headers
• IP fragmentation needs careful handling
• Breaks apps that embed IP addresses (FTP)
NAT traversal problem/solutions
• Client wants to connect to server with address 10.0.0.1
  – Server address 10.0.0.1 is local to the LAN (client can’t use it as destination addr)
  – Only one externally visible NATed address: 138.76.29.7
• Solution 1: statically configure NAT to forward incoming connection requests at a given port to the server, e.g., (123.76.29.7, port 2500) always forwarded to 10.0.0.1 port 25000
[Figure: a client on the Internet, the NAT router 138.76.29.7, and hosts 10.0.0.1 and 10.0.0.4 behind it]
NAT traversal problem/solutions
• Solution 2: Universal Plug and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows a NATed host to:
  – learn its public IP address (138.76.29.7)
  – add/remove port mappings (with lease times)
  – i.e., automate static NAT port map configuration
[Figure: host 10.0.0.1 talks to the NAT router using IGD]
NAT traversal problem/solutions
• Solution 3: relaying (used in Skype)
  – NATed client establishes connection to relay
  – External client connects to relay
  – Relay bridges packets between the two connections
[Figure: 1. connection to relay initiated by NATed host 10.0.0.1 (behind NAT router 138.76.29.7); 2. connection to relay initiated by client; 3. relaying established]
Lab 6 review
Lab 6 - Exercise 5C
[Figure: spanning-tree topology with PC1–PC4 and bridges R1–R4, showing bridge MAC addresses, port numbers, root ports (RP), designated ports (DP) and the Root Bridge. Note the path from PC1 to PC4]
Lab 6 - Exercise 6A
[Figure: the same spanning-tree topology (PC1–PC4, bridges R1–R4) with the root ports (RP), designated ports (DP) and Root Bridge for Exercise 6A]
Lab 6 - Exercise 6B
[Figure: the same spanning-tree topology (PC1–PC4, bridges R1–R4) with the root ports (RP), designated ports (DP) and Root Bridge for Exercise 6B]
Lab 6 - Exercise 7B
[Figure: Exercise 7B topology. Networks 10.0.1.0/24, 10.0.3.0/24, 10.0.4.0/24 (and 10.0.0.0/16). Hosts: PC1 10.0.1.11/24, PC2 10.0.3.21/24, PC3 10.0.4.31/24, PC4 10.0.4.41/16. Routers: RT2 (10.0.1.2/24, 10.0.3.2/24) and RT3 (10.0.3.3/24, 10.0.4.3/24); RT1 (Br) and RT4 (Br) are configured as bridges]
Broadcast Domains
[Figure: the Exercise 7B topology above, with its broadcast domains marked]
[Figure: the Exercise 7B topology, ping PC1 to PC3]
Ping succeeds
[Figure: the Exercise 7B topology, ping PC1 to PC4]
Ping fails
[Figure: the Exercise 7B topology, ping PC4 to PC1]
Ping succeeds
[Figure: the Exercise 7B topology, ping PC1 to PC2]
Ping succeeds