18: VPN, IPv6, NAT, Mobile IP
Last Modified: 11/22/2020 4:17:07 PM
4: Network Layer 1
Virtual Private Networks (VPN)
Virtual Private Networks
- Definition
  - A VPN is a private network constructed within the public Internet
- Goals
  - Connect private networks using shared public infrastructure
- Examples
  - Connect two sites of a business
  - Allow people working at home to have full access to the company network
  - Multicast? Not usually called a VPN for that purpose
How accomplished?
- IP encapsulation and tunneling
- Same as we saw for Multicast
- Router at one end of the tunnel places private IP packets into the data field of new IP packets (could be encrypted first for security), which are unicast to the other end of the tunnel
Motivations
- Economic
  - Using shared infrastructure lowers the cost of networking
  - Less need for leased line connections
- Communications privacy
  - Communications can be encrypted if required
  - Ensure that third parties cannot use the virtual network
- Virtualized equipment locations
  - Hosts on the same network do not need to be co-located
  - Make one logical network out of separate physical networks
- Support for private network features
  - Multicast, protocols like IPX or AppleTalk, etc.
Examples
- Logical Network Creation
- Virtual Dial-Up
Logical Network Creation Example
[Figure: Network 1 - Gateway - Tunnel across the Internet - Gateway - Network 2]
- Remote networks 1 and 2 create a logical network
- Secure communication at the lowest level
Virtual Dial-up Example
[Figure: Worker Machine - Public Switched Telephone Network (PSTN) - Internet Service Provider Gateway - Tunnel across the Internet - Gateway - Home Network]
- Worker dials ISP to get basic IP service
- Worker creates tunnel to Home Network
IPv6
History of IPv6
- IETF began thinking about the problem of running out of IP addresses in 1991
- Requires changing the IP packet format - a HUGE deal!
- While we're at it, let's change X too
- "NGTrans" (IPv6 Transition) Working Group of the IETF - June 1996
IPv6 Wish List
- From "The Case for IPv6"
- Scalable Addressing and Routing
- Support for Real Time Services
- Support for Autoconfiguration (get your own IP address and domain name to minimize administration)
- Security Support
- Enhanced support for routing to mobile hosts
IPv4 Datagram
[Figure: IPv4 datagram layout, bit positions 0-31]
  Version (0-3) | HLen (4-7) | TOS (8-15) | Length (16-31)
  Ident (0-15) | Flags (16-18) | Offset (19-31)
  TTL (0-7) | Protocol (8-15) | Checksum (16-31)
  SourceAddr
  DestinationAddr
  Options (variable) | Pad (variable)
  Data
IPv6 Datagram
[Figure: IPv6 datagram layout, bit positions 0-31]
  Version (0-3) | TrafficClass (4-11) | FlowLabel (12-31)
  PayloadLen (0-15) | NextHeader (16-23) | HopLimit (24-31)
  SourceAddress (128 bits)
  DestinationAddress (128 bits)
  Next header / data
IPv6 Base Header Format
- VERS = IPv6
- TRAFFIC CLASS: specifies the routing priority or QoS requests
- FLOW LABEL: to be used by applications requesting performance guarantees
- PAYLOAD LENGTH: like IPv4's datagram length, but doesn't include the header length like IPv4
- NEXT HEADER: indicates the type of the next object in the datagram, either the type of extension header or the type of data
- HOP LIMIT: like IPv4's TimeToLive field but named correctly
- NO CHECKSUM (processing efficiency)
Address Space
- 32 bits versus 128 bits - implications?
  - 4 billion versus 3.4 x 10^38
  - 1500 addresses per square foot of the earth's surface
Addresses
- Still divide the address into a prefix that designates the network and a suffix that designates the host
- But no set classes; the boundary between suffix and prefix can fall anywhere (CIDR only)
- Prefix length associated with each address
Address Types
- Unicast: delivered to a single computer
- Multicast: delivered to each of a set of computers (can be anywhere)
  - Conferencing, subscribing to a broadcast
- Anycast: delivered to one of a set of computers that share a common prefix
  - Deliver to one of a set of machines providing a common service
Address Notation
- Dotted sixteen?
  - 105.67.45.56.23.6.133.211.45.8.0.7.56.45.3.189.56
- Colon hexadecimal notation (8 groups)
  - 69DC:8768:9A56:FFFF:0:5634:343
- Or even better with zero compression (replace a run of all 0s with a double colon ::)
- Makes host names look even more attractive, huh?
Special addresses
- IPv4 addresses all reserved for compatibility
  - 96 zeros + IPv4 address = valid IPv6 address
- Local Use Addresses
  - Special prefix which means "this needn't be globally unique"
  - Allowed just to be used locally
  - Aids in autoconfiguration
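As an added example (not from the slides), a hand-written parser for the colon-hex notation above, implementing zero compression and the 96-zeros-plus-IPv4 compatibility form, cross-checked against Python's standard library:

```python
import ipaddress  # stdlib, used only to cross-check the hand-written code

def expand_ipv6(addr: str) -> list:
    """Parse colon-hex notation, with optional '::' and optional trailing dotted IPv4, into 8 groups."""
    if "." in addr:  # an embedded IPv4 address occupies the last two 16-bit groups
        head, _, v4 = addr.rpartition(":")
        a, b, c, d = (int(x) for x in v4.split("."))
        hi, lo = a << 8 | b, c << 8 | d
        addr = f"{head}:{hi:x}:{lo:x}"
    if "::" in addr:
        if addr.count("::") > 1:
            raise ValueError("only one '::' is allowed")
        left, right = addr.split("::")
        lg = [int(g, 16) for g in left.split(":") if g]
        rg = [int(g, 16) for g in right.split(":") if g]
        groups = lg + [0] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr}")
    return groups

def compress_ipv6(groups: list) -> str:
    """Zero compression: the longest run of two or more all-zero groups becomes '::'."""
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + [-1]):  # -1 sentinel closes a trailing run of zeros
        if g == 0:
            run_start = i if run_start is None else run_start
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def ipv4_compatible(v4: str) -> str:
    """96 zero bits followed by the 32-bit IPv4 address, written in compressed notation."""
    a, b, c, d = (int(x) for x in v4.split("."))
    return compress_ipv6([0] * 6 + [a << 8 | b, c << 8 | d])

def canonical(addr: str) -> str:
    """Expand, recompress, and cross-check the result against the standard library."""
    out = compress_ipv6(expand_ipv6(addr))
    assert out == ipaddress.IPv6Address(addr).compressed, addr
    return out
```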
Datagram Format
- Base Header + 0 to N Extension Headers + Data Area
Extensible Headers
- Why?
- Saves Space and Processing Time
  - Only have to allocate space for and spend time processing the headers implementing the features you need
- Extensibility
  - When adding a new feature, just add an extension header type - no change to existing headers
  - For experimental features, only sender and receiver need to understand the new header
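An added example (not part of the slides) that decodes the base header and then follows the Next Header chain through the extension headers to the upper-layer data. The sample packet is constructed here; the length checks are what a receiver needs because, as the base header slide notes, there is no header checksum to catch a bad length.

```python
import struct

# IANA Next Header values for the extension headers walked here (RFC 8200)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
UDP = 17

def parse_ipv6(pkt: bytes, max_ext: int = 8) -> dict:
    """Decode the 40-byte base header, then follow the Next Header chain to the payload."""
    if len(pkt) < 40:
        raise ValueError("truncated base header")
    vtf, payload_len, nxt, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError(f"not IPv6 (version {vtf >> 28})")
    end = 40 + payload_len  # Payload Length excludes the base header
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    off, chain = 40, []
    while nxt in EXT_HEADERS:  # every extension header starts with Next Header + length byte
        if len(chain) >= max_ext:
            raise ValueError("extension header chain too long")
        if off + 8 > end:
            raise ValueError("truncated extension header")
        chain.append(nxt)
        # Fragment header is fixed at 8 octets; the others give (len + 1) * 8 octets
        hlen = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hlen
    if off > end:
        raise ValueError("extension header runs past payload length")
    return {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
            "hop_limit": hop_limit, "src": pkt[8:24], "dst": pkt[24:40],
            "ext_chain": chain, "upper": nxt, "payload": pkt[off:end]}

def build_sample() -> bytes:
    """Constructed packet: base header -> Hop-by-Hop (PadN option) -> Fragment -> UDP payload."""
    udp = bytes(8) + b"hi"                                # stand-in UDP header plus 2 data bytes
    frag = struct.pack("!BBHI", UDP, 0, 0, 0x1234)        # next=UDP, reserved, offset/M, identification
    hbh = struct.pack("!BB", FRAGMENT, 0) + b"\x01\x04" + bytes(4)  # next=Fragment, len 0, PadN(4)
    payload = hbh + frag + udp
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")      # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")      # 2001:db8::2
    vtf = (6 << 28) | (0x20 << 20) | 0xABCDE              # version 6, traffic class 0x20, flow label
    return struct.pack("!IHBB", vtf, len(payload), HOP_BY_HOP, 64) + src + dst + payload
```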
Flow Label
- Virtual circuit like behaviour over a datagram network
- A sender can request the underlying network to establish a path with certain requirements
  - Traffic class specifies the general requirements (ex. Delay < 100 msec)
- If the path can be established, the network returns an identifier that the sender places along with the traffic class in the flow label
- Routers use this identifier to route the datagram along the prearranged path
ICMPv6
- New version of ICMP
- Additional message types, like "Packet Too Big"
- Multicast group management functions
Summary: like IPv6
- Connectionless (each datagram contains the destination address and is routed separately)
- Best Effort (possibility for virtual circuit behaviour)
- Maximum hops field so can avoid datagrams circulating indefinitely
Summary: New Features
- Bigger Address Space (128 bits/address)
  - CIDR only
  - Anycast addresses
- New Header Format to help speed processing and forwarding
  - Checksum: removed entirely to reduce processing time at each hop
  - No fragmentation
- Simple Base Header + Extension Headers
  - Options: allowed, but outside of the header, indicated by the "Next Header" field
- Ability to influence the path a datagram will take through the network (Quality of service)
Transition From IPv4 To IPv6
- Not all routers can be upgraded simultaneously
  - no "flag days"
  - How will the network operate with mixed IPv4 and IPv6 routers?
- Two proposed approaches:
  - Dual Stack: some routers with dual stack (v6, v4) can "translate" between formats
  - Tunneling: IPv6 carried as payload in an IPv4 datagram among IPv4 routers
Dual Stack Approach
Tunneling: IPv6 inside IPv4 where needed
6Bone
- The 6Bone: an IPv6 testbed
- Started as a virtual network using IPv6 over IPv4 tunneling/encapsulation
- Slowly migrated to native links for IPv6 transport
- RFC 2471
Recent History
- First blocks of IPv6 addresses delegated to regional registries - July 1999
- 10 websites in the .com domain that can be reached via an IPv6 enhanced client via an IPv6 TCP connection (http://www.ipv6.org/v6-www.html) - it was 5 a year ago (not a good sign?)
IPv5?
- New version of IP temporarily named "IP - The Next Generation" or IPng
- Many competing proposals; the name IPng became ambiguous
- Once a specific protocol was designed, it needed a name to distinguish it from the other proposals
- IPv5 has been assigned to an experimental protocol, ST
Network Address Translation (NAT)
Background
- IP defines private intranet address ranges
  - 10.0.0.0 - 10.255.255.255 (Class A)
  - 172.16.0.0 - 172.31.255.255 (Class B)
  - 192.168.0.0 - 192.168.255.255 (Class C)
- Addresses reused by many organizations
- Addresses cannot be used for communication on the Internet
Problem Discussion
- Hosts on private IP networks need to access the public Internet
- All traffic travels through a gateway to/from the public Internet
- Traffic needs to use the IP address of the gateway
- Conserves IPv4 address space
  - Private IP addresses mapped into fewer public IP addresses
  - Will this beat IPv6?
Scenario
[Figure: Private Network (Host A and hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4) - Gateway 24.1.70.210 - Public Internet - BMRC Server 128.32.68]
- All Private Network hosts must use the gateway IP address 24.1.70.210
- Public network IP address, globally unique
- Same private network IP addresses may be used by many organizations
Network Address Translation Solution
- Special function on the gateway
  - IP source and destination addresses are translated
  - Internal hosts need no changes
- No changes required to applications
- TCP based protocols work well
- Non-TCP based protocols more difficult
- Provides some security
  - Hosts behind the gateway are difficult to reach
  - Possibly vulnerable to IP level attacks
NAT Example
[Figure: Host - TCP Connection 1 - NAT Gateway (Address Translator) - TCP Connection 1 - Server 128.32.68 (bmrc.berkeley.edu)]
TCP Protocol Diagram
[Figure: Client/Server exchange: SYN; SYN,ACK; ACK; data Packet 0:50; ACK 0:50; FIN,ACK. IP Header fields shown: ... Checksum, Source IP Address, Destination IP Address ... TCP Header fields shown: Source Port Number, Dest Port Number, Sequence Number ...]
- SYN flag indicates a new TCP connection
TCP NAT Example
[Figure: Host 10.0.0.3 - NAT Gateway (10.0.0.1 inside, 24.1.70.210 outside) - Internet - Server 128.32.68]

1. Host tries to connect to the web server at 128.32.68. It sends out a SYN packet using its internal IP address, 10.0.0.3.
   PROTO  SADDR        DADDR        SPORT  DPORT  FLAGS    CKSUM
   TCP    10.0.0.3     128.32.68    1049   80     SYN      0x1636

2. NAT gateway sees the SYN flag set and adds a new entry to its translation table. It then rewrites the packet using the gateway's external IP address, 24.1.70.210, and updates the packet checksum.
   PROTO  SADDR        DADDR        SPORT  DPORT  FLAGS    CKSUM
   TCP    24.1.70.210  128.32.68    40960  80     SYN      0x2436

3. Server responds to the SYN packet with a SYN,ACK packet. The packet is sent to the NAT gateway's IP address.
   PROTO  SADDR        DADDR        SPORT  DPORT  FLAGS    CKSUM
   TCP    128.32.68    24.1.70.210  80     40960  SYN,ACK  0x8041

4. NAT gateway looks in its translation table, finds a match for the source and destination addresses and ports, and rewrites the packet using the internal IP address.
   PROTO  SADDR        DADDR        SPORT  DPORT  FLAGS    CKSUM
   TCP    128.32.68    10.0.0.3     80     1049   SYN,ACK  0x7841

NAT Translation Table
   Client IPAddr  Port  Server IPAddr  Port  NATPort
   10.0.0.3       1049  128.32.68      80    40960
   ...
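An added example (not from the slides) that models the translation table and the four rewrites above, including the two cases the slide's "difficult to reach" remark rests on: inbound packets with no table entry are dropped, and two internal hosts reusing the same source port get distinct NAT ports. The server address is a parameter because the slide's 128.32.68 is incomplete; the test below uses a constructed 192.0.2.10.

```python
from dataclasses import dataclass, replace
from itertools import count

@dataclass(frozen=True)
class Packet:
    """The header fields a NAT gateway rewrites. Checksums are left out here; a real gateway
    recomputes the IP and TCP checksums after every rewrite, as step 2 on the slide notes."""
    saddr: str
    daddr: str
    sport: int
    dport: int
    flags: str

class NatGateway:
    """Holds the slide's translation table: client addr/port + server addr/port -> NAT port."""
    def __init__(self, public_ip: str, first_port: int = 40960):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.table = {}    # (client addr, client port, server addr, server port) -> NAT port
        self._by_nat = {}  # (server addr, server port, NAT port) -> (client addr, client port)

    def outbound(self, pkt: Packet):
        key = (pkt.saddr, pkt.sport, pkt.daddr, pkt.dport)
        if key not in self.table:
            if "SYN" not in pkt.flags:
                return None  # no connection state and not a connection start: drop
            nat_port = next(self._ports)
            self.table[key] = nat_port
            self._by_nat[(pkt.daddr, pkt.dport, nat_port)] = (pkt.saddr, pkt.sport)
        return replace(pkt, saddr=self.public_ip, sport=self.table[key])

    def inbound(self, pkt: Packet):
        client = self._by_nat.get((pkt.saddr, pkt.sport, pkt.dport))
        if pkt.daddr != self.public_ip or client is None:
            return None  # unsolicited traffic from the Internet: no mapping, drop
        return replace(pkt, daddr=client[0], dport=client[1])

def handshake_through_nat(server: str) -> tuple:
    """Steps 1-4 of the slide with its client, gateway and ports; the server address is a parameter."""
    nat = NatGateway("24.1.70.210")
    step2 = nat.outbound(Packet("10.0.0.3", server, 1049, 80, "SYN"))                 # step 1 -> 2
    step4 = nat.inbound(Packet(server, "24.1.70.210", 80, step2.sport, "SYN,ACK"))    # step 3 -> 4
    return nat, step2, step4
```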
Load Balancing Servers with NAT
[Figure: Public Internet - NAT Gateway (Virtual Server) - Private Intranet with several Servers]
- Single IP address for the web server
- Redirects workload to multiple internal servers
Load Balancing Networks with NAT
[Figure: Private Intranet - NAT Gateway - Service Provider 1 / Service Provider 2 - Network X]
- Connections from the Private Intranet split across Service Providers 1 and 2
- Load balances at the connection level
  - Load balancing at the IP level can cause low TCP throughput
NAT Discussion
- NAT works best with TCP connections
- NAT breaks the End-to-End Principle by modifying packets
- Problems
  - Connectionless UDP (RealAudio)
  - ICMP (Ping)
  - Multicast
  - Applications that use IP addresses within the data stream (FTP)
- Need to watch/modify data packets
Mobile IP
Mobile IP
- Goal: Allow machines to roam around and maintain IP connectivity
- Problem: IP addresses => location
  - This is important for efficient routing
- Solutions?
  - DHCP?
    - ok for relocation but not for ongoing connections
  - Dynamic DNS (mobile nodes update the name to IP address mapping as they move around)?
    - ok for relocation but not for ongoing connections
Mobile IP
- Allows a computer to roam and be reachable
- Basic architecture
  - Home agent (HA) on the home network
  - Foreign agent (FA) at the remote network location
  - Home and foreign agents tunnel traffic
  - Non-optimal data flow
Mobile IP
- Mobile nodes have a permanent home address and a default local router called the "home agent"
- The router nearest a node's current location is called the "foreign agent"
  - Register with the foreign agent when connecting to the network
  - Located much like the DHCP server
Forwarding Packets
- Home agent impersonates the mobile host by changing the mapping from IP address to hardware address ("proxy ARP")
- Sends any packets destined for the mobile host on to the foreign agent with IP encapsulation
- Foreign agent strips off the encapsulation and does a special translation of the mobile node's IP address to its current hardware address
Mobile IP Example
[Figure: Fixed Node 128.95.4.112 - Internet - Home Subnet with Home Agent 169.229.2.97; Foreign Subnet with Foreign Agent 18.86.0.253 and Mobile Node 169.229.2.98 (Register)]
1. The Mobile Node registers itself with the Foreign Agent on the Foreign Subnet. The Foreign Agent opens an IP-IP tunnel to the Home Agent. The Home Agent begins listening for packets sent to 169.229.2.98.
2. The Fixed Node initiates a connection to the Mobile Node. It sends packets to the Mobile Node's home IP address, 169.229.2.98. The packets are routed to the Home Subnet.
3. The Home Agent receives them, encapsulates them in IP-IP packets, and sends them to the Foreign Agent. Encapsulated packets are addressed to 18.86.0.253.
4. The Foreign Agent decapsulates the IP-IP packets and sends them out on the Foreign Subnet. These packets will be addressed to 169.229.2.98.
5. The Mobile Node receives the packets and sends responses directly to the Fixed Node at 128.95.4.112.
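An added example (not from the slides) of the IP-IP tunnel used in steps 3 and 4, with the slide's addresses; it is the same IP encapsulation the VPN slides describe. Protocol number 4 is the IANA value for IP-in-IP; the outer-header checksum, length and protocol checks are assumptions about what a careful foreign agent verifies before forwarding what it unwraps.

```python
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP (goes in the outer header's Protocol field)

def checksum(data: bytes) -> int:
    """RFC 1071 one's complement sum; yields 0 over a header whose checksum field is filled in."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip_bytes(addr: str) -> bytes:
    return bytes(int(x) for x in addr.split("."))

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum computed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, agent_src: str, agent_dst: str) -> bytes:
    """Home agent: the intercepted datagram becomes the payload of a new datagram to the foreign agent."""
    return ipv4_header(agent_src, agent_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer: bytes) -> bytes:
    """Foreign agent: validate the outer header, then strip it and return the original datagram."""
    if len(outer) < 20 or outer[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer[0] & 0x0F) * 4
    if checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    if outer[9] != IPPROTO_IPIP:
        raise ValueError("outer header does not carry IP-in-IP")
    total = struct.unpack("!H", outer[2:4])[0]
    inner = outer[ihl:total]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return inner

def mobile_ip_steps_2_to_4() -> tuple:
    """Fixed node 128.95.4.112 -> home address 169.229.2.98; HA 169.229.2.97 tunnels to FA 18.86.0.253."""
    inner = ipv4_header("128.95.4.112", "169.229.2.98", 17, 4) + b"ping"  # constructed 4-byte payload
    tunneled = encapsulate(inner, "169.229.2.97", "18.86.0.253")           # step 3
    delivered = decapsulate(tunneled)                                       # step 4
    return inner, tunneled, delivered
```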
Avoiding the Foreign Agent
- Mobile host can also obtain a new IP address on the remote network and inform the home agent
- The home agent can then resend the packet to the new IP address
Optimizations
- What if two remote hosts are temporarily close together?
- If they want to send traffic to each other, why should it have to go all the way to their home agents and back again?
- Optimizations exist to allow the sending node to learn and cache the current location of a recipient to avoid this problem
Roadmap
- Finished with the network layer and IP specifics
- Next on to the link layer
- If two hosts are on the same network, how do they send data directly to one another?