© MMII JW Ryder CS 428 Computer Networking 1
Private Network Interconnection
VPN - Virtual Private Networks
NAT - Network Address Translation
Describe a 2-level internet architecture: a private internet connected to the public internet (the global Internet)
Private/Hybrid Networks
Major drawback of a single-level architecture: lack of privacy
Two levels distinguish between internal and external datagrams
Goal: keep internal datagrams private while still allowing external communication
Private Networks
Easiest way to guarantee privacy is a completely isolated private network
Use routers to interconnect networks at each site and leased digital circuits to interconnect sites
Since there is no outside access, the organization can use its own IP addressing scheme
Hybrid Networks
Gives the advantages of both a private network and global Internet connectivity
Must use globally valid IP addresses
Connect each site to the Internet
See hybrid architecture in figure 20.1 on page 390
VPN
Chief disadvantage of both private and hybrid networks is high cost: leased lines (T1 and faster) are expensive
Can lower cost by using alternative technologies (frame relay, ATM) or by simply connecting the sites through the global Internet
Connecting through the global Internet could remove privacy
VPN
Big question - How to keep the privacy but keep Internet connectivity?
Two techniques make VPN possible: tunneling and encryption
Define a tunnel across the Internet between a router on one side and a router on the other
Use IP-in-IP encapsulation in the tunnel
VPN
See tunnel figure 20.2 on page 391
Entire inner datagram, including the IP header, is encrypted before being placed as the data in the outer datagram
Only the outer header, which carries the addresses of the two tunnel routers, is visible to the Internet
Describe the flow: "A VPN sends data across the Internet, but encrypts intersite transmissions to guarantee privacy" (page 392)
VPN Addressing
Offers an organization the same addressing as a private network if hosts do not need Internet connectivity
If hosts need Internet connectivity then the hybrid approach can be used
In either case the routers that interface with the Internet always need valid IP addresses
See figure 20.4 on page 393
VPN Addressing
How can a site provide its hosts access to the global Internet without assigning each host a valid IP address?
Two general methods:
Application Gateways
Network Address Translation
Application Gateways
Offers hosts access to Internet services without offering IP-level access
Each site has a multi-homed host (MHH) with a connection to both the Internet and the private network
The MHH runs a set of programs called application gateways
Application Gateways
Each AG handles one service
Hosts send datagrams to the AG on the MHH
The MHH accesses the service on the Internet
The MHH relays responses back to the host on the private network
Example: E-mail gateway
Application Gateways
Advantage - ability to work without changing the underlying structure of the private network
Disadvantage - lack of generality: "Each application gateway handles only one specific service; multiple gateways are required for multiple services."
AGs do NOT solve the problem in a general way
NAT
Requires a site to have a single connection to the Internet and one valid IP address, G
G is assigned to a MHH connected to the Internet that runs NAT software
A computer running NAT software is known as a NAT box
All datagrams flow through the NAT box
NAT
NAT translates both outgoing and incoming addresses
Outgoing: replace the source address with G
Incoming: replace the destination address with the private address of the host
NAT
External view - All datagrams come from and go to the NAT box
Internal view - NAT box appears as a router to the Internet
Chief advantage - Combination of generality and transparency
NAT
More general than AGs - Allows an arbitrary internal host to access an arbitrary service on a host on the Internet
Transparency - Allows an internal host to send and receive datagrams using a private IP address
"NAT technology provides transparent IP-level access to the Internet from a host with a private address."
NAT Translation
Each table entry specifies 2 items:
IP address of the host on the Internet
IP address of the host on the private network
Example incoming/outgoing
Table entry must be in place before a datagram arrives in from the Internet
Why? The incoming datagram is addressed to G; without an entry the NAT box cannot know which private host should receive it
NAT Translation
How/When is the table initialized?
Manual - by the network administrator
Outgoing datagrams - side effect of sending datagrams
Incoming DNS lookup - side effect of a DNS lookup
When a host on the Internet does a DNS lookup of an internal host, the DNS software creates an entry in the translation table, then answers the request by sending G
NAT Translation
Manual
Advantage - IP datagrams can flow in either direction at any time
Outgoing
Advantage - Automatic
Disadvantage - Communication can't be initiated from outside
Incoming DNS lookups
Requires modifying DNS software
Accommodates initiating communication from outside
Only works if DNS is used
NAT
Most implementations use the outgoing method
Example on figure 20.5 on page 396
NAT permits an ISP to assign private addresses
Multi-Address NAT
NAT described so far allows only a single host on the private network to access a given Internet site at a time
What if 2 local hosts want to access the same Internet host? Both would produce a table entry keyed on the same (Internet host, G) pair, so replies could not be told apart
External address concurrency
Multi-Address NAT
Assign the NAT box multiple Gs
Multiple accesses of the same Internet host map to different Gs
Still only a finite number of concurrent accesses
Port-Mapped NAT
Translate TCP or UDP protocol port numbers too
Sometimes known as Network Address Port Translation (NAPT)
Additional table fields:
Pair of source/destination protocol port numbers
Protocol port number used by the NAT box
Port-Mapped NAT
See figure 20.6 on page 397
10.0.0.5 and 10.0.0.1 have unique source port numbers there, but this is NOT guaranteed
Maybe they choose the same number - an application can select its own source port
To avoid this, the NAT box assigns a unique port number of its own to each Internet communication
Port-Mapped NAT
TCP 4-tuple represents the IP addresses and port numbers
Before sending:
(10.0.0.5, 21023, 128.10.19.20, 80)
(10.0.0.1, 386, 128.10.19.20, 80)
After NAPT translation:
(G, 14003, 128.10.19.20, 80)
(G, 14010, 128.10.19.20, 80)
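The NAPT translation above, together with the table rules from the NAT Translation slides (an entry must exist before an incoming datagram arrives, so unsolicited outside traffic is dropped), as an added example that is not part of these notes or the textbook. G is assumed to be 203.0.113.1 (a documentation address) and the NAT box is assumed to hand out its own external ports sequentially from 14003; the two internal hosts are deliberately given the same source port 21023 (the slide's second host uses 386) to show the collision the slide warns about.

```python
"""Toy NAPT (port-mapped NAT) translation table.

Added example, not from the lecture slides. Assumes the NAT box's one valid
address G is 203.0.113.1 and that NAT-chosen external ports are handed out
sequentially from 14003; both values are assumptions made for the example.
"""
from dataclasses import dataclass

G = "203.0.113.1"            # assumed value of G
FIRST_EXTERNAL_PORT = 14003  # assumed start of the NAT box's port pool


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP 4-tuple as seen in a datagram."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    def __init__(self, public_ip: str = G, first_port: int = FIRST_EXTERNAL_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound: (proto, private ip, private port, remote ip, remote port) -> NAT port
        self.out = {}
        # inbound: (proto, NAT port, remote ip, remote port) -> (private ip, private port)
        self.inb = {}

    def translate_outgoing(self, f: Flow) -> Flow:
        """Side effect of sending: create the entry, rewrite source to (G, NAT port)."""
        key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.out:
            # Never reuse the internal port blindly: two private hosts may have
            # chosen the same source port. The NAT box picks its own unique port.
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.inb[(f.proto, port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(self.public_ip, self.out[key], f.dst_ip, f.dst_port, f.proto)

    def translate_incoming(self, f: Flow):
        """Reply from the Internet addressed to G plus a NAT-chosen port.
        Returns None (drop) when no entry exists: the table must already be in
        place, which is why outside hosts cannot initiate communication."""
        entry = self.inb.get((f.proto, f.dst_port, f.src_ip, f.src_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Flow(f.src_ip, f.src_port, priv_ip, priv_port, f.proto)


def demo():
    nat = Napt()
    # Two internal hosts that happen to pick the same source port 21023 (constructed).
    a = nat.translate_outgoing(Flow("10.0.0.5", 21023, "128.10.19.20", 80))
    b = nat.translate_outgoing(Flow("10.0.0.1", 21023, "128.10.19.20", 80))
    # Replies come back to G:port and are demultiplexed by the NAT-chosen port.
    ra = nat.translate_incoming(Flow("128.10.19.20", 80, G, a.src_port))
    rb = nat.translate_incoming(Flow("128.10.19.20", 80, G, b.src_port))
    # Unsolicited inbound SYN to G:22 with no table entry is dropped.
    unsolicited = nat.translate_incoming(Flow("198.51.100.7", 4444, G, 22))
    return a, b, ra, rb, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the inbound key includes the remote address and port, so two connections from the same private host to different servers cannot be confused even if they share a NAT port; a real NAT box also ages entries out, which this toy omits.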
Port-Mapped NAT
Advantage - Generality with a single valid IP address
Disadvantage - Restricts use to TCP or UDP
"Several variants of NAT exist, including the popular NAPT form that translates protocol port numbers as well as IP addresses."
NAT and ICMP
"Straightforward" changes to IP addresses can cause unexpected problems in higher layer protocols
NAT doesn't forward all ICMP messages arriving from the Internet
Example - If routes in the NAT box are incorrect, an ICMP redirect message must be handled locally, not sent internally to some other host
Before forwarding to an internal host, NAT must translate the ICMP message
NAT and ICMP
So, NAT must decide whether an ICMP message is to be forwarded in or handled locally
ICMP destination unreachable message: the IP header of the datagram that caused the error is returned inside the ICMP message, containing its source address - but G is in it, not the internal source
NAT and ICMP
The NAT box must first translate the address and place it into the ICMP message
The ICMP checksum is now incorrect (and so is the checksum of the embedded IP header), and so is the one in the datagram's outer header whose destination was rewritten!!!!
All of these must now be recomputed
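The ICMP rewrite described on these two slides, as an added example that is not part of these notes or the textbook. A constructed ICMP Destination Unreachable message arrives from an Internet router addressed to G; the NAT box rewrites the quoted copy of the original datagram's IP header and transport ports back to the internal sender, then recomputes the three checksums involved. G = 203.0.113.1, the internal host 10.0.0.5 and the router 128.10.19.1 are assumed values, and the NAPT table entry is constructed.

```python
"""ICMP error translation in a NAT box, with checksum recomputation.

Added example, not from the lecture slides. G = 203.0.113.1, the internal
host 10.0.0.5 and the Internet router 128.10.19.1 are assumed values.
"""
import struct

G = "203.0.113.1"        # assumed address of the NAT box
INTERNAL = "10.0.0.5"    # assumed private host that sent the original datagram
ROUTER = "128.10.19.1"   # assumed Internet router that generated the error


def ip2b(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; over a correct header/message it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(blob: bytes, offset: int) -> bytes:
    """Zero the 16-bit checksum field at offset, recompute it, write it back."""
    zeroed = blob[:offset] + b"\x00\x00" + blob[offset + 2:]
    return zeroed[:offset] + struct.pack("!H", checksum(zeroed)) + zeroed[offset + 2:]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    return set_checksum(hdr, 10)


def icmp_unreachable(inner_src: str, inner_dst: str, inner_sport: int) -> bytes:
    """Type 3 / code 1 (host unreachable) quoting the offending datagram's
    IP header plus the first 8 bytes of its TCP segment (constructed)."""
    quoted = ipv4_header(inner_src, inner_dst, 6, 8) + struct.pack("!HHI", inner_sport, 80, 1)
    return set_checksum(struct.pack("!BBHI", 3, 1, 0, 0) + quoted, 2)


def verify(dgram: bytes) -> bool:
    """All three checksums (outer IP, ICMP, quoted inner IP) must validate."""
    outer, icmp = dgram[:20], dgram[20:]
    return checksum(outer) == 0 and checksum(icmp) == 0 and checksum(icmp[8:28]) == 0


def naive_rewrite(dgram: bytes, priv_ip: str) -> bytes:
    """The 'straightforward' address swap the slides warn about: no checksum update."""
    p = ip2b(priv_ip)
    return dgram[:16] + p + dgram[20:40] + p + dgram[44:]


def nat_translate_icmp(dgram: bytes, public_ip: str, table: dict):
    """dgram = outer IPv4 header + ICMP message as received from the Internet.
    table maps NAT-chosen port -> (private ip, private port), as in NAPT.
    Returns the rewritten datagram, or None when the message must be handled
    locally (e.g. redirects) or has no translation entry."""
    outer, icmp = dgram[:20], dgram[20:]
    if icmp[0] not in (3, 11, 12):      # unreachable, time exceeded, parameter problem
        return None
    inner = icmp[8:28]
    inner_src = ".".join(str(b) for b in inner[12:16])
    inner_sport = struct.unpack("!H", icmp[28:30])[0]
    if inner_src != public_ip or inner_sport not in table:
        return None
    priv_ip, priv_port = table[inner_sport]
    # 1. quoted header: source G -> private host, then its header checksum
    new_inner = set_checksum(inner[:12] + ip2b(priv_ip) + inner[16:], 10)
    # 2. quoted transport bytes: NAT port -> private source port
    new_transport = struct.pack("!H", priv_port) + icmp[30:36]
    # 3. ICMP checksum covers everything that was just changed
    new_icmp = set_checksum(icmp[:8] + new_inner + new_transport, 2)
    # 4. outer header: destination G -> private host, then its checksum
    new_outer = set_checksum(outer[:16] + ip2b(priv_ip), 10)
    return new_outer + new_icmp


def demo():
    icmp = icmp_unreachable(G, "128.10.19.20", 14003)
    arriving = ipv4_header(ROUTER, G, 1, len(icmp)) + icmp
    table = {14003: (INTERNAL, 21023)}   # constructed NAPT entry
    return arriving, nat_translate_icmp(arriving, G, table), naive_rewrite(arriving, INTERNAL)


if __name__ == "__main__":
    arriving, good, bad = demo()
    print("arriving valid:", verify(arriving))
    print("translated valid:", verify(good))
    print("naive rewrite valid:", verify(bad))
```

Running it shows the arriving and properly translated datagrams verifying, while the naive address swap fails all checks, which is exactly what the internal host's IP stack would silently discard.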
NAT and Applications
Pure NAPT doesn't work with applications that send IP addresses and port numbers as data
FTP - TCP application
One program obtains a port number on the local machine, converts it to ASCII and sends it to the other host, which uses it to create a TCP connection
NAT and Applications
NAPT would need to inspect all data and translate it as needed for every application protocol as it is designed!
NAT supports the main application protocols such as FTP and Telnet, but not all - certainly not our home-grown applications
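The FTP case from the two slides above, as an added example that is not part of these notes or the textbook: a small application-level gateway that inspects the FTP control connection, rewrites the client's PORT command (RFC 959 form "PORT h1,h2,h3,h4,p1,p2") to carry G and a NAT-chosen port, and pre-creates the entry so the server's inbound data connection is accepted. G = 203.0.113.1 and the port pool starting at 14020 are assumed values; the command lines are constructed.

```python
"""FTP PORT-command application-level gateway (ALG) for a NAPT box.

Added example, not from the lecture slides. Header-only NAPT leaves the
private 10.x address inside the PORT payload, so the server would try to
connect to 10.0.0.5 directly. G = 203.0.113.1 and the port pool starting
at 14020 are assumed values.
"""
import re

G = "203.0.113.1"   # assumed address of the NAT box

# Exactly the RFC 959 form: four address octets, then the port as p1*256 + p2.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


class FtpAlg:
    def __init__(self, public_ip: str = G, first_port: int = 14020):
        self.public_ip = public_ip
        self.next_port = first_port
        # NAT port -> (private ip, private port), created *before* the server's
        # inbound SYN for the data connection can arrive at G.
        self.expected = {}

    def rewrite_port_command(self, payload: bytes):
        """Rewrite one control-connection line. Returns (new_payload, delta),
        where delta is the change in payload length; a real NAT must add it to
        the TCP sequence numbers of later client segments (and subtract it from
        the server's acknowledgements) on this connection."""
        m = PORT_RE.match(payload)
        if not m:
            return payload, 0      # not a PORT line: header NAPT alone suffices
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return payload, 0      # malformed; pass through, the server will reject it
        priv_ip = f"{h1}.{h2}.{h3}.{h4}"
        priv_port = p1 * 256 + p2
        ext_port = self.next_port
        self.next_port += 1
        self.expected[ext_port] = (priv_ip, priv_port)
        fields = self.public_ip.split(".") + [str(ext_port // 256), str(ext_port % 256)]
        new_payload = ("PORT " + ",".join(fields) + "\r\n").encode()
        return new_payload, len(new_payload) - len(payload)

    def accept_data_connection(self, dst_port: int):
        """Server's SYN arrives for G:dst_port; forward only if the ALG announced it."""
        return self.expected.pop(dst_port, None)


def demo():
    alg = FtpAlg()
    # Client 10.0.0.5 announces data port 4*256 + 210 = 1234 (constructed).
    rewritten, delta = alg.rewrite_port_command(b"PORT 10,0,0,5,4,210\r\n")
    target = alg.accept_data_connection(14020)   # server connects to the announced G port
    stray = alg.accept_data_connection(14021)    # nothing announced: dropped
    # A home-grown protocol carrying the same information is not understood at all.
    homegrown, _ = alg.rewrite_port_command(b"CONNECT-BACK 10.0.0.5 1234\r\n")
    return rewritten, delta, target, stray, homegrown


if __name__ == "__main__":
    print(demo())
```

The home-grown line passes through untouched with its private address still inside, which is the generality problem the slide points out: every such protocol needs its own ALG.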
Summary
VPNs guarantee privacy but are expensive
2 main technologies used to give hosts with private addresses access to the Internet:
Application Gateways
NAT