Private Network Interconnection

Private Network Interconnection
  • VPN - Virtual Private Networks
  • NAT - Network Address Translation
  • Describe a 2-level internet architecture
    • Private internet connected by public internet/Internet

© MMII JW Ryder

CS 428 Computer Networking

1

Private/Hybrid Networks
  • Major drawback to single level architecture -> lack of privacy
  • 2 levels distinguish between internal and external datagrams
  • Goal is to keep internal datagrams private while still allowing external communications

Private Networks
  • Easiest way to guarantee privacy is a completely private network, aka a private network
  • Use routers to interconnect networks at each site and leased digital circuits to interconnect sites
  • Since there is no outside access, can use own IP addressing scheme

Hybrid Networks
  • Gives advantages of both private and global Internet connectivity
  • Must use globally valid IP addresses
  • Connect each site to the Internet
  • See hybrid architecture in figure 20.1 on page 390

VPN
  • Chief disadvantage of both private and hybrid networks is high cost
    • leased lines (T1+) are expensive
  • Can lower cost by using alternative technologies (frame relay, ATM) or simply connect to the global Internet
  • Connecting to global Internet could remove privacy

VPN
  • Big Question - How to keep the privacy but keep Internet connectivity?
  • Two techniques make VPN possible
    • Tunneling
    • Encryption
  • Define a tunnel across the Internet between a router on one side and a router on the other
  • Use IP-in-IP encapsulation in tunnel

VPN
  • See tunnel figure 20.2 on page 391
  • Entire inner datagram including the IP header is encrypted before being placed as the data in the outer datagram
  • Describe flow
  • “A VPN sends data across the Internet, but encrypts intersite transmissions to guarantee privacy” page 392
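
The IP-in-IP tunnel the last three slides describe, as an added example that is not part of the slides or the textbook: the sending VPN router wraps the complete inner datagram (its own IP header included) as the data of an outer datagram addressed router to router, and the receiving router strips the outer header again. All addresses are constructed (private hosts 10.1.0.7 and 10.2.0.9, tunnel endpoints 128.10.2.1 and 192.5.48.3). The encryption step the slides place before encapsulation is deliberately left out so the framing stays visible; only the outer addresses are ever seen by public routers.

```python
import socket
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation
IPPROTO_UDP = 17


def ipv4_checksum(data: bytes) -> int:
    """Ones'-complement sum over 16-bit words, as used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + csum + header[12:] + payload


def parse_ipv4(datagram: bytes) -> dict:
    """Return the header fields; a header with a valid checksum sums to zero."""
    ihl = (datagram[0] & 0x0F) * 4
    header = datagram[:ihl]
    if ipv4_checksum(header) != 0:
        raise ValueError("bad IPv4 header checksum")
    fields = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "src": socket.inet_ntoa(fields[8]),
        "dst": socket.inet_ntoa(fields[9]),
        "proto": fields[6],
        "ttl": fields[5],
        "payload": datagram[ihl:fields[2]],
    }


def tunnel_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Sending-site VPN router: the whole inner datagram, IP header included,
    becomes the data of an outer datagram addressed router to router.
    (The slides encrypt the inner datagram first; omitted here.)"""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def tunnel_decapsulate(outer: bytes) -> bytes:
    """Receiving-site VPN router: strip the outer header and hand the inner
    datagram to the private network untouched."""
    fields = parse_ipv4(outer)
    if fields["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram")
    return fields["payload"]


def demo() -> dict:
    """Constructed addresses: private hosts 10.1.0.7 / 10.2.0.9, tunnel
    endpoints (public router addresses) 128.10.2.1 / 192.5.48.3."""
    inner = build_ipv4("10.1.0.7", "10.2.0.9", IPPROTO_UDP, b"payroll data")
    outer = tunnel_encapsulate(inner, "128.10.2.1", "192.5.48.3")
    seen_by_internet = parse_ipv4(outer)      # all a public router can see
    delivered = parse_ipv4(tunnel_decapsulate(outer))
    return {
        "outer_src": seen_by_internet["src"],
        "outer_dst": seen_by_internet["dst"],
        "outer_proto": seen_by_internet["proto"],
        "inner_src": delivered["src"],
        "inner_dst": delivered["dst"],
        "inner_payload": delivered["payload"],
        "inner_intact": tunnel_decapsulate(outer) == inner,
    }


if __name__ == "__main__":
    print(demo())
```

Because the private addresses and payload travel only inside the outer datagram's data, the inner datagram reaches the other site byte-for-byte intact; in a real VPN that data field would carry the encrypted inner datagram, so a public router learns nothing beyond the two tunnel endpoints.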

VPN Addressing
  • Offers an organization same addressing as private network if hosts do not need Internet connectivity
  • If hosts need Internet connectivity then hybrid approach can be used
  • In either case the routers that interface with the Internet always need valid IP addresses
  • See figure 20.4 on page 393

VPN Addressing
  • How can a site provide access to the global Internet without assigning each host a valid IP address?
  • 2 general methods
    • Application Gateways
    • Network Address Translation

Application Gateways
  • Offers hosts access to Internet services without offering IP level access
  • Each site has a multi-homed host (MHH) with a connection to both the Internet and the private network
  • MHH runs a set of programs called Application Gateways

Application Gateways
  • Each AG handles 1 service
  • Hosts send datagrams to AG on MHH
  • MHH accesses the service on the Internet
  • MHH relays responses back to host on private network
  • Example: E-mail gateway

Application Gateways
  • Advantage - ability to work without changing underlying structure of private network
  • Disadvantage - lack of generality
    • “Each application gateway handles only one specific service; multiple gateways are required for multiple services.”
  • AGs do NOT solve problem in a general way

NAT
  • Requires a site to have a single connection to the Internet and one valid IP address G
  • G assigned to a MHH connected to the Internet that runs NAT software
  • A computer running NAT software is known as a NAT Box
  • All datagrams flow through NAT box

NAT
  • NAT translates both outgoing and incoming addresses
  • Outgoing
    • Replace source address with G
  • Incoming
    • Replace destination address with private address of host

NAT
  • External view - All datagrams come from and go to the NAT box
  • Internal view - NAT box appears as a router to the Internet
  • Chief advantage - Combination of generality and transparency

NAT
  • More general than AGs - Allows arbitrary internal host to access arbitrary service on a host on the Internet
  • Transparency - Allows internal host to send and receive datagrams using a private IP address
  • “NAT technology provides transparent IP-level access to the Internet from a host with a private address.”

NAT Translation
  • Each entry specifies 2 items
    • IP address of host on Internet
    • IP address of host on private network
  • Example incoming/outgoing
  • Table must be in place before datagram arrives in from Internet
    • Why?

NAT Translation
  • How/When is table initialized
    • Manual - network administrator
    • Outgoing Datagrams - side effect of sending datagrams
    • Incoming DNS lookup - side effect of DNS lookup
  • When host on Internet does a DNS lookup of internal host, DNS software creates entry in translation table then answers request by sending G

NAT Translation
  • Manual
    • Advantage - IP datagrams in either direction any time
  • Outgoing
    • Advantage - Automatic
    • Disadvantage - Communication can't be initiated by outside
  • Incoming DNS lookups
    • Requires modifying DNS software
    • Accommodates initiating communication from outside
    • Only works if DNS used

NAT
  • Most implementations use outgoing method
  • Example on figure 20.5 on page 396
  • NAT permits ISP to assign private addresses
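
The basic (address-only) NAT box of the last four slides, with all three ways of initializing the translation table, as an added example that is not from the slides or the textbook. Datagrams are modelled as dicts, and every address is constructed: G = 128.10.19.1, private hosts 10.0.0.x, Internet web server 128.10.19.20 and outside client 192.5.48.3. The demo answers the slide's "Why?": an incoming datagram whose sender has no table entry cannot be delivered, which is exactly the outgoing method's disadvantage, and shows how a manual or DNS-created entry lifts that limit.

```python
class NatBox:
    """Basic NAT box with one valid global address G.

    The translation table has the two fields the slides describe:
    IP address of the host on the Internet -> IP address of the host on
    the private network.
    """

    def __init__(self, g: str):
        self.g = g
        self.table = {}     # internet host address -> private host address
        self.dropped = []   # incoming datagrams that found no table entry

    # Method 1: manual entry made by the network administrator.
    def add_manual(self, internet_host: str, private_host: str) -> None:
        self.table[internet_host] = private_host

    # Method 2: outgoing datagram. Side effect of sending: the entry is
    # created, then the source address is replaced by G.
    def outgoing(self, datagram: dict) -> dict:
        self.table[datagram["dst"]] = datagram["src"]
        return {"src": self.g, "dst": datagram["dst"], "data": datagram["data"]}

    # Method 3: DNS side effect. The site's modified DNS server answers a
    # lookup of an internal name with G and records who asked.
    def dns_lookup(self, querier: str, name: str, internal_names: dict) -> str:
        self.table[querier] = internal_names[name]
        return self.g

    # Incoming datagram: the entry must already exist, otherwise the box has
    # no way to know which private host the datagram is for.
    def incoming(self, datagram: dict):
        if datagram["dst"] != self.g:
            return None                      # not addressed to this site
        private = self.table.get(datagram["src"])
        if private is None:
            self.dropped.append(datagram)
            return None
        return {"src": datagram["src"], "dst": private, "data": datagram["data"]}


def demo() -> dict:
    """Constructed addresses: G = 128.10.19.1, private hosts 10.0.0.x,
    Internet hosts 128.10.19.20 (web server) and 192.5.48.3 (outside client)."""
    nat = NatBox("128.10.19.1")
    # Outside-initiated datagram with no entry: dropped.
    early = nat.incoming({"src": "192.5.48.3", "dst": "128.10.19.1", "data": b"hello?"})
    # Inside-initiated exchange: sending creates the entry, the reply finds it.
    out = nat.outgoing({"src": "10.0.0.5", "dst": "128.10.19.20", "data": b"GET /"})
    reply = nat.incoming({"src": "128.10.19.20", "dst": "128.10.19.1", "data": b"200 OK"})
    # DNS method: the outside client looks up an internal name, receives G,
    # and the entry created as a side effect lets its first datagram through.
    answer = nat.dns_lookup("192.5.48.3", "mail.private.example",
                            {"mail.private.example": "10.0.0.1"})
    later = nat.incoming({"src": "192.5.48.3", "dst": "128.10.19.1", "data": b"hello!"})
    return {"early": early, "out": out, "reply": reply, "answer": answer,
            "later": later, "dropped": len(nat.dropped), "table": dict(nat.table)}


if __name__ == "__main__":
    print(demo())
```

Note that the table is keyed only by the Internet host's address: if a second private host sent to 128.10.19.20, its `outgoing` call would overwrite the first host's entry, which is the concurrency problem the Multi-Address NAT slides take up next.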

Multi-Address NAT
  • NAT described so far allows a single host on private network to access a single Internet site
  • What if 2 local hosts want to access single Internet host?
    • External Address Concurrency

Multi-Address NAT
  • Assign NAT box multiple Gs
  • Multiple accesses of same Internet host map to different Gs
  • Still finite number of concurrent accesses

Port-Mapped NAT
  • Translate TCP or UDP protocol port numbers too
  • Sometimes known as Network Address Port Translation (NAPT)
  • Additional table fields
    • Pair of source/destination protocol port numbers
    • Protocol port number used by NAT box

Port-Mapped NAT
  • See figure 20.6 on page 397
  • 10.0.0.5 and 10.0.0.1 have unique source port numbers but this is NOT guaranteed
    • Maybe they choose same number - application can select it
  • To avoid - NAT assigns unique port number to each Internet communication

Port-Mapped NAT
  • TCP 4-tuple to represent IP address and port number
  • Before sending
    • (10.0.0.5,21023,128.10.19.20,80)
    • (10.0.0.1,386,128.10.19.20,80)
  • After NAPT translation
    • (G,14003,128.10.19.20,80)
    • (G,14010,128.10.19.20,80)

Port-Mapped NAT
  • Advantage - Generality with single valid IP address
  • Disadvantage - Restricts use to TCP or UDP
  • “Several variants of NAT exist, including the popular NAPT form that translates protocol port numbers as well as IP addresses.”
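
NAPT on the 4-tuples from the slides, as an added example not taken from the slides or the textbook. It covers the three Port-Mapped NAT slides together: the box substitutes a port it owns for the private host's port, so two private hosts choosing the same source port (the collision the slides warn about) still get distinct entries; replies are matched on the NAT-assigned port and must come from the flow's peer; and a non-TCP/UDP protocol is refused, which is the stated restriction. G = 128.10.19.1 is constructed, and ports are assigned sequentially from 14003, so the second flow gets 14004 rather than the slides' illustrative 14010.

```python
class NaptBox:
    """Port-mapped NAT with one valid address G. A flow is the TCP/UDP 4-tuple
    (src addr, src port, dst addr, dst port); the box owns the port it
    substitutes, so private hosts may freely pick the same source port."""

    FIRST_NAT_PORT = 14003   # constructed starting point for NAT-assigned ports

    def __init__(self, g: str):
        self.g = g
        self.next_port = self.FIRST_NAT_PORT
        self.by_nat_port = {}   # (proto, nat_port) -> (priv_addr, priv_port, dst_addr, dst_port)
        self.by_flow = {}       # (proto, priv_addr, priv_port, dst_addr, dst_port) -> nat_port

    def outgoing(self, proto: str, src_addr: str, src_port: int,
                 dst_addr: str, dst_port: int) -> tuple:
        """Translate an outbound 4-tuple; first datagram of a flow creates the entry."""
        if proto not in ("tcp", "udp"):
            raise ValueError("NAPT translates only TCP and UDP, not %s" % proto)
        flow = (proto, src_addr, src_port, dst_addr, dst_port)
        nat_port = self.by_flow.get(flow)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = nat_port
            self.by_nat_port[(proto, nat_port)] = (src_addr, src_port, dst_addr, dst_port)
        return (self.g, nat_port, dst_addr, dst_port)

    def incoming(self, proto: str, src_addr: str, src_port: int,
                 dst_addr: str, dst_port: int):
        """Translate an inbound 4-tuple back, or None if nothing maps to it."""
        if dst_addr != self.g:
            return None
        entry = self.by_nat_port.get((proto, dst_port))
        if entry is None:
            return None                    # no flow opened this NAT port
        priv_addr, priv_port, ext_addr, ext_port = entry
        if (src_addr, src_port) != (ext_addr, ext_port):
            return None                    # only the flow's peer may use the port
        return (src_addr, src_port, priv_addr, priv_port)


def demo() -> dict:
    g = "128.10.19.1"   # constructed valid address of the NAT box
    nat = NaptBox(g)
    a = nat.outgoing("tcp", "10.0.0.5", 21023, "128.10.19.20", 80)
    b = nat.outgoing("tcp", "10.0.0.1", 386, "128.10.19.20", 80)
    # Collision: 10.0.0.1 also picks source port 21023 towards the same server.
    c = nat.outgoing("tcp", "10.0.0.1", 21023, "128.10.19.20", 80)
    a_again = nat.outgoing("tcp", "10.0.0.5", 21023, "128.10.19.20", 80)  # same flow, same entry
    reply_c = nat.incoming("tcp", "128.10.19.20", 80, g, c[1])
    stray = nat.incoming("tcp", "192.5.48.3", 80, g, c[1])   # another host, same NAT port
    try:
        nat.outgoing("icmp", "10.0.0.5", 0, "128.10.19.20", 0)
        icmp_ok = True
    except ValueError:
        icmp_ok = False
    return {"a": a, "b": b, "c": c, "a_again": a_again,
            "reply_c": reply_c, "stray": stray, "icmp_ok": icmp_ok}


if __name__ == "__main__":
    print(demo())
```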

NAT and ICMP
  • “Straight-forward” changes to IP addresses can cause unexpected problems in higher layer protocols
  • NAT doesn’t forward all ICMP messages arriving from Internet
  • Example - If routes in NAT box are incorrect, an ICMP redirect message must be handled locally, not sent internally to some other host
  • Before forwarding to internal host NAT translates ICMP message

NAT and ICMP
  • So, NAT must decide whether ICMP message is to be forwarded in or handled locally
  • ICMP destination unreachable message
    • Returned IP header contains the source address, but G is in it, not the internal source

NAT and ICMP
  • NAT box must first translate address and place it into the ICMP message
  • ICMP checksum is now incorrect, and so is the one in the datagram’s outer header!!!!
    • These must now be recomputed
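
The ICMP handling of the last three slides in working form, as an added example that is not from the slides or the textbook. A constructed Internet router (192.5.48.3) returns a destination-unreachable message to G (128.10.19.1) about a datagram the NAT box had already rewritten, so the copy of the IP header inside the ICMP message carries G as source. The NAT box decides forward-versus-handle-locally (a redirect stays local), puts the private address (10.0.0.5, found through the two-field table entry for 128.10.19.20) back into the embedded header, and then recomputes the ICMP checksum and the outer IP header checksum that the rewrite invalidated. The embedded header's own checksum is refreshed as well, which the slides do not mention but which keeps every checksum in the result verifiable.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
ICMP_REDIRECT = 5
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """Ones'-complement sum used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with its checksum filled in."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", inet_checksum(h)) + h[12:]


def icmp_error_from_router(router: str, g: str, icmp_type: int, code: int,
                           offending: bytes) -> bytes:
    """Constructed ICMP error as an Internet router sends it back to G: type,
    code, checksum, 4 unused bytes, then the offending datagram's IP header
    plus its first 8 bytes."""
    body = struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(router, g, IPPROTO_ICMP, len(body)) + body


class NatIcmp:
    """ICMP handling of a basic NAT box: decide forward-in vs handle-locally,
    translate the embedded copy of the original header, recompute checksums."""

    def __init__(self, g: str, table: dict):
        self.g = g
        self.table = table          # internet host address -> private host address
        self.handled_locally = []

    def from_internet(self, datagram: bytes):
        icmp = datagram[20:]
        if icmp[0] == ICMP_REDIRECT:
            self.handled_locally.append(datagram)   # about the NAT box's own routes
            return None
        if icmp[0] != ICMP_DEST_UNREACH:
            return None                            # other types: not forwarded here
        embedded = icmp[8:28]                       # IP header of the datagram that failed
        if socket.inet_ntoa(embedded[12:16]) != self.g:
            return None                            # not one of our translated datagrams
        private = self.table.get(socket.inet_ntoa(embedded[16:20]))
        if private is None:
            return None
        # 1. Restore the private address as source of the embedded header
        #    and refresh that header's checksum.
        emb = embedded[:10] + b"\x00\x00" + socket.inet_aton(private) + embedded[16:]
        emb = emb[:10] + struct.pack("!H", inet_checksum(emb)) + emb[12:]
        # 2. The ICMP checksum covered the old bytes: recompute over the new message.
        new_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + emb + icmp[28:]
        new_icmp = new_icmp[:2] + struct.pack("!H", inet_checksum(new_icmp)) + new_icmp[4:]
        # 3. New outer header addressed to the private host, checksum recomputed.
        router = socket.inet_ntoa(datagram[12:16])
        return ipv4_header(router, private, IPPROTO_ICMP, len(new_icmp)) + new_icmp


def inspect(datagram: bytes) -> dict:
    """Addresses of a datagram plus whether each checksum verifies (sums to zero)."""
    icmp = datagram[20:]
    return {
        "outer_src": socket.inet_ntoa(datagram[12:16]),
        "outer_dst": socket.inet_ntoa(datagram[16:20]),
        "outer_hdr_ok": inet_checksum(datagram[:20]) == 0,
        "icmp_ok": inet_checksum(icmp) == 0,
        "embedded_hdr_ok": inet_checksum(icmp[8:28]) == 0,
        "embedded_src": socket.inet_ntoa(icmp[20:24]),
        "embedded_dst": socket.inet_ntoa(icmp[24:28]),
    }


def demo() -> dict:
    g, router, server, private = "128.10.19.1", "192.5.48.3", "128.10.19.20", "10.0.0.5"  # constructed
    # The datagram as it left the NAT box: source already rewritten to G.
    offending = ipv4_header(g, server, IPPROTO_TCP, 8) + bytes(8)
    nat = NatIcmp(g, {server: private})
    unreachable = icmp_error_from_router(router, g, ICMP_DEST_UNREACH, 1, offending)
    forwarded = nat.from_internet(unreachable)
    redirect = icmp_error_from_router(router, g, ICMP_REDIRECT, 1, offending)
    return {"forwarded": inspect(forwarded),
            "redirect_result": nat.from_internet(redirect),
            "handled_locally": len(nat.handled_locally),
            "untranslated_src": inspect(unreachable)["embedded_src"]}


if __name__ == "__main__":
    print(demo())
```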

NAT and Applications
  • Pure NAPT doesn’t work with applications that send IP addresses and port numbers as data
  • FTP - TCP application
    • One program obtains port number on local machine, converts it to ASCII and sends it to other host to create TCP connection

NAT and Applications
  • NAPT would need to inspect all data and translate as needed for every application protocol as it is designed!
  • NAT supports main application protocols such as FTP and Telnet but not all
    • Certainly not our home-grown applications
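
The FTP case from the last two slides, as an added example that is not from the slides or the textbook. The client converts its private address and listening port to ASCII in a PORT command; `server_connects_to` shows what the server does with that text, so with pure NAPT it would try to open the data connection to 10.0.0.5, a private address it cannot reach. `FtpAlg` is the per-protocol helper a NAT box needs: it rewrites the line to G and a port the box owns and registers a table entry so the server's inbound connection is forwarded to the client. G = 128.10.19.1 and the starting NAT port 14100 are constructed.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def server_connects_to(port_line: str) -> tuple:
    """What the FTP server does with a PORT line: parse address and port out
    of the ASCII text and open a data connection there."""
    m = PORT_RE.match(port_line)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


class FtpAlg:
    """FTP helper on a NAPT box: rewrite the private address and port the
    client put in PORT, and register a table entry so the server's inbound
    data connection to G is forwarded to the client."""

    def __init__(self, g: str, first_port: int = 14100):   # first_port is constructed
        self.g = g
        self.next_port = first_port
        self.table = {}   # ("tcp", nat_port) -> (private_addr, private_port)

    def rewrite(self, line: str) -> str:
        """Rewrite one control-connection line heading to the server.
        Lines other than PORT pass through unchanged."""
        if not PORT_RE.match(line):
            return line
        priv_addr, priv_port = server_connects_to(line)
        nat_port = self.next_port
        self.next_port += 1
        self.table[("tcp", nat_port)] = (priv_addr, priv_port)
        return "PORT %s,%d,%d\r\n" % (self.g.replace(".", ","), nat_port // 256, nat_port % 256)

    def inbound_data_connection(self, dst_port: int):
        """Where the box forwards the server's connection arriving at G:dst_port."""
        return self.table.get(("tcp", dst_port))


def demo() -> dict:
    alg = FtpAlg("128.10.19.1")                       # constructed G
    original = "PORT 10,0,0,5,4,210\r\n"              # client 10.0.0.5 listening on 4*256+210 = 1234
    without_alg = server_connects_to(original)        # pure NAPT: server targets a private address
    rewritten = alg.rewrite(original)
    with_alg = server_connects_to(rewritten)          # with helper: server targets G and a NAT port
    return {"without_alg": without_alg, "rewritten": rewritten, "with_alg": with_alg,
            "forwarded_to": alg.inbound_data_connection(with_alg[1]),
            "passthrough": alg.rewrite("USER anonymous\r\n")}


if __name__ == "__main__":
    print(demo())
```

This helper is specific to FTP's command syntax, which is the slides' point: every protocol that carries addresses as data needs its own rewriting logic, and a home-grown protocol the NAT box has never heard of gets none. Rewriting also changes the length of the TCP stream, so a real helper must adjust TCP sequence and acknowledgement numbers for the rest of the connection, a detail left out here.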

Summary
  • VPNs guarantee privacy but are expensive
  • 2 main technologies used to implement VPN
    • Application Gateways
    • NAT
