CIT 384: Network Administration
NAT
Slides: 29

Topics
  1. IP Address Exhaustion
  2. Solutions: CIDR, Reclamation, NAT, IPv6
  3. Static NAT
  4. Dynamic NAT
  5. PAT
  6. DHCP

Address Classes
  Class A: 0.0.0.0 - 127.255.255.255
    – 8-bit net ID, 24-bit host ID
    – 2^24 – 2 hosts per network; 126 networks
  Class B: 128.0.0.0 - 191.255.255.255
    – 16-bit net ID, 16-bit host ID
    – 2^16 – 2 hosts per network; 16,384 networks
  Class C: 192.0.0.0 - 223.255.255.255
    – 24-bit net ID, 8-bit host ID
    – (2^8 – 2) = 254 hosts per network; 2,097,152 networks
  Class D: 224.0.0.0 - 239.255.255.255
    – 28-bit multicast group ID
  Class E: 240.0.0.0 - 255.255.255.255
    – Reserved for future use

Public IP Addresses
  ICANN assigns network numbers.
    – Internet Corporation for Assigned Network Numbers.
    – ICANN gives authority to regional orgs, e.g. ARIN (American Registry for Internet Numbers).
    – Typically to ISPs, universities, corporations.
  ISP assigns IP addresses within its network.

IPv4 Address Exhaustion
  Classful addressing is wasteful
    – <1% of most class As are in use.
    – Most class Bs aren't fully used either.
    – All IP addresses were projected to be used up by the 1990s.
  Solutions
    – CIDR
    – NAT
    – IPv6

CIDR
  Classless Inter-Domain Routing
    – Classful routing wastes most IP addresses.
    – Allocate addresses on bit boundaries instead of byte boundaries.
    – Allow ISPs/users to decide on boundaries instead of basing them on IP address classes.
  Prefix notation
    – /x indicates that the first x bits are shared.
    – 192.168.0.0/16 = 192.168.0.0 – 192.168.255.255

IPv4 Address Conservation
  Reclaim unused addresses
    – Some address blocks are owned by companies that are out of business.
  Reclaim underused blocks
    – Take class As away from current owners, and subdivide with CIDR.
    – Requires owners to renumber all machines.
  Start using class E addresses
    – Windows TCP/IP stack can't use class E addrs.

NAT
  Network Address Translation
    – Use RFC 1918 private addresses internally.
    – Use public IP addresses externally.
    – Use router to translate between internal + external IP addresses.

  Private IP Networks
    Network                                Class   Count of Networks
    10.0.0.0                               A       1
    172.16.0.0 through 172.31.0.0          B       16
    192.168.0.0 through 192.168.255.0      C       256

IPv4 vs IPv6 Addresses
  Feature                IPv4                 IPv6
  Size of Address        32 bits              128 bits
  Example Address        10.1.1.1             0000:0000:0000:0000:0000:FFFF:0A01:0101
  Abbreviated Address    -                    ::FFFF:0A01:0101
  Localhost              127.0.0.1            ::1/128
  Possible Addresses     2^32 (~4 billion)    2^128 (~3.4 x 10^38)

NAT Concepts
  Uses a public IP addr to represent a private IP.
    – Translates source IP in outgoing packets.
    – Translates dest IP in incoming packets.
    – Router keeps a table of translations.

Static NAT (diagram)

Static NAT
  Maps one internal IP to one external IP
    – Need one public IP for each private IP.
    – Does not reduce # of IPv4 addresses needed.
  Applications
    – Useful if internal addresses overlap another organization's IP addresses.

Cisco NAT Terminology
  inside local: IP addresses used on the internal network.
  inside global: public IP addresses that are used to represent inside local addresses on the outside net.

Cisco NAT Terminology
  Inside local: Actual IP address assigned to a host in the private enterprise network.
  Inside global: A NAT router changes the source IP from inside local to inside global. Inside global addresses can be used for routing on the public network.
  Outside global: Actual IP address assigned to a host that resides in the outside network.
  Outside local: NAT can also translate outside global addresses to outside local addresses.

Dynamic NAT
  Creates one-to-one address mapping
    – Dynamic mapping on an as-needed basis.
    – Mappings expire when not in use.
    – Allows many internal hosts to use a small pool of n external addresses, as long as no more than n internal hosts need to access the Internet at once.
  Applications
    – IP address conservation.
    – Useful if internal addresses overlap another organization's IP addresses and external addresses are limited.

Dynamic NAT (diagram)

Dynamic NAT
  1. Host 10.1.1.1 sends first pkt to 170.1.1.1.
  2. Router adds NAT table entry.
     1. Router checks if NAT is needed or not. Since pkt is from inside local to inside global, NAT is needed.
     2. Router adds entry for inside local 10.1.1.1.
  3. NAT router allocates IP from pool.
     1. Picks first available address (200.1.1.1).
     2. Adds this inside global address to table entry.
  4. NAT router translates source IP + forwards.

Port Address Translation
  Dynamic NAT saves some IP addresses
    – If 10% of machines use the Internet at once, can use a 10:1 ratio of internal to external IP addresses.
    – Dynamic NAT will deny access if there are too few external IPs.
    – What if we could improve that by 2^16?
  Rewrite source ports as well as source IPs.
    – Source port is a random high port for outgoing pkts.
    – Use a different src port for each connection to the outside.
    – NAT table contains connections, not just IPs.

Normal Port Usage (diagram)

PAT NAT Table
  – Maps inside local IP address + port
  – to outside local IP address + port
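The dynamic NAT walkthrough (10.1.1.1 borrowing 200.1.1.1 from the pool, denial when the pool is empty, expiry returning the address) and the PAT table of connections above, as an added simulation that is not part of the original slides; the class and method names are the example's own, and the mapping is kept in plain dictionaries rather than any router's data structures:

```python
class DynamicNAT:
    """One-to-one dynamic NAT: inside local hosts borrow addresses from a small public pool."""

    def __init__(self, pool):
        self.free = list(pool)      # inside global addresses not currently mapped
        self.table = {}             # inside local IP -> inside global IP

    def outgoing(self, src_ip):
        """Translated source IP for an outbound packet; allocates a pool address on first use."""
        if src_ip not in self.table:
            if not self.free:
                return None         # pool exhausted: the host is denied until a mapping expires
            self.table[src_ip] = self.free.pop(0)   # "picks first available address"
        return self.table[src_ip]

    def expire(self, src_ip):
        """Mapping timed out (no traffic): return the public address to the pool."""
        self.free.append(self.table.pop(src_ip))


class PAT:
    """Port Address Translation: the table holds connections (IP + port), not just IPs."""

    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.out_table = {}         # (inside local IP, port) -> inside global port
        self.in_table = {}          # inside global port -> (inside local IP, port)

    def outgoing(self, src_ip, src_port):
        """Translate (inside local IP, port) to (inside global IP, port) for an outbound packet."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            if self.next_port > 65535:
                return None         # all 2^16 ports on the one public address are in use
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return (self.inside_global, self.out_table[key])

    def incoming(self, dst_port):
        """Reverse translation for a reply; None means no matching connection, so the packet is dropped."""
        return self.in_table.get(dst_port)
```

The `incoming` lookup returning None for an unknown port is the mechanism behind the later "limits ability to run servers" point: unsolicited inbound packets have no table entry.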

Bidirectional NAT (diagram)

Bidirectional NAT Applications
  Translating overlapping IP ranges.
    – Useful during mergers or bad numbering.
  Load balancing
    – Translate a single server IP address to the address of one of many identical servers.
  Failover
    – If a server is down, add a NAT entry to redirect to the replacement server.
  Transparent proxying
    – Redirect HTTP connections for caching or security reasons without configuring a proxy in the browser.

NAT Complications
  Checksum recalculation
    – Changing the address field invalidates the CRC.
    – Router recalculates IP + higher layer checksums.
    – Fragments must be reassembled too.
  Layer mixing
    – Some apps (ftp) send network layer data in application layer packets (port + IP for ftp).
    – NAT must sniff packets to get this information, then translate app layer data too.
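The checksum point above, worked as an added example (not from the slides): build an IPv4 header for the 10.1.1.1 to 170.1.1.1 packet, show that simply overwriting the source address leaves a header that fails verification, and then do what the NAT router must do, recompute the RFC 1071 header checksum. Function names are the example's own; the TCP/UDP pseudo-header checksum, which also covers the addresses, is noted but not recomputed here.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: 16-bit one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, ID, flags/frag, TTL, protocol, checksum=0, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def header_checksum_ok(hdr: bytes) -> bool:
    """A receiver sums the whole header including the checksum field; a valid header folds to 0."""
    return ones_complement_sum(hdr) == 0


def nat_rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """What the NAT router does: replace the source address, then recompute the header checksum.
    (The TCP/UDP checksum must be recomputed too, since its pseudo-header includes the addresses.)"""
    new_src_b = bytes(int(o) for o in new_src.split("."))
    zeroed = hdr[:10] + b"\x00\x00" + new_src_b + hdr[16:]   # new source, checksum field cleared
    return zeroed[:10] + struct.pack("!H", ones_complement_sum(zeroed)) + zeroed[12:]
```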

NAT Problems
  NAT breaks some applications
    – Adds complexity to the router to fix important apps.
    – Other apps may remain broken.
  NAT reduces performance
    – Especially due to features for special apps.
  Breaks the end-to-end nature of the Internet
    – All hosts do not have equal access.
    – Limits ability to run servers and certain apps.

DHCP
  Dynamic Host Configuration Protocol
    – Standard introduced in 1993 with RFC 1531.
    – Replaced RARP and BOOTP.
  Configures network params for clients.
    – IP address.
    – Default route.
    – Server addresses (DNS, NIS, tftp, etc.)
    – MTU, TTL, etc.

DHCP Conversation
  1. Client sends broadcast to discover DHCP svrs.
  2. DHCP server broadcasts offer.
  3. DHCP client broadcasts request telling server which IP addr it wants.
  4. DHCP server acks request, notifying that IP addr is reserved.

Address Allocation
  Dynamic
    – Host is given a "lease" on an IP address for a specified period of time.
    – Clients can release leases.
    – Clients can ask for a lease on a specific IP addr.
  Automatic
    – Address permanently assigned to client.
  Manual
    – Address selected by the client.

DHCP Security
  Unauthorized servers
    – Any server can respond to a DHCP broadcast.
    – Client typically uses the first message received.
    – Malicious server can control client DNS, routes.
  Unauthorized clients
    – Masquerade MAC address to pretend to be a legitimate client to learn IP addresses of the router and important servers.
  DHCP authentication in RFC 3118
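The unauthorized-server risk above, from the monitoring side, as an added example that is not part of the slides: parse the option list of a DHCPOFFER (message type 53, server identifier 54, router 3, DNS 6, per RFC 2131/2132) and flag offers whose server is not on the site's authorized list or whose gateway/DNS differ from what the site expects. The sample offers are constructed inline for offline testing; `build_offer`, `parse_options` and `audit_offer` are the example's own names, and the authorized addresses are assumptions.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 6, 53, 54, 255
DHCPOFFER = 2


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b[:4])


def build_offer(server_id: str, yiaddr: str, router: str, dns: str) -> bytes:
    """Constructed DHCPOFFER: 236-byte fixed header, magic cookie, then TLV options (test data only)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, ip_bytes(yiaddr), ip_bytes(server_id), b"\0" * 4)
    header += b"\0" * (236 - len(header))            # chaddr, sname, file left zero
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER]) + bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
            + bytes([OPT_ROUTER, 4]) + ip_bytes(router) + bytes([OPT_DNS, 4]) + ip_bytes(dns)
            + bytes([OPT_END]))
    return header + MAGIC_COOKIE + opts


def parse_options(pkt: bytes) -> dict:
    """Walk the option list that follows the magic cookie; returns {option code: raw value}."""
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                                # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def audit_offer(pkt: bytes, authorized_servers: set, expected_router: str, expected_dns: set) -> list:
    """Findings for an OFFER from a server that is not ours or that pushes a foreign gateway or DNS."""
    o = parse_options(pkt)
    if o.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return []                                      # only OFFERs are audited here
    server = ip_str(o.get(OPT_SERVER_ID, b"\0\0\0\0"))
    router = ip_str(o.get(OPT_ROUTER, b"\0\0\0\0"))
    dns = ip_str(o.get(OPT_DNS, b"\0\0\0\0"))          # first DNS server only
    findings = []
    if server not in authorized_servers:
        findings.append("unauthorized DHCP server " + server)
    if router != expected_router:
        findings.append("unexpected default route " + router)
    if dns not in expected_dns:
        findings.append("unexpected DNS server " + dns)
    return findings
```

Seeing an OFFER with findings on the wire is the signal to act on; DHCP snooping on the switch or RFC 3118 authentication is the fix, not the detector.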
