Recall Chapter 3 :

Transcript of Recall Chapter 3 :

Page 1: Recall Chapter 3 :

1

Recall Chapter 3:

Figure 3.2

We need an addressing system that separately identifies the destination network and the destination host

so that routers can forward on basis of destination network.

Each network needs a distinct network address.

Page 2: Recall Chapter 3 :

2

Recall Chapter 4: every physical network has to have its own unique IPv4 network address (class A, B, or C)

Figure 4.1

The classful system is rigid and wasteful of the IP address space.

Efforts to utilize the IPv4 address space more efficiently and delay exhaustion:

► 1987 subnetting (chapter 9A)

► 1993 supernetting (chapter 9B)

► 2000 network address translation (chapter 19)

With the advent of Local Area Networks and growth of the Internet, it became clear that the IPv4 address space would “soon” become exhausted.

Page 3: Recall Chapter 3 :

3

Chapter 9 – Classless and Subnet Address Extensions (CIDR)

9.3 Minimizing Network Numbers

We have been assuming that every physical network had its own class A, B, or C IP network prefix.

UAB has class B network address 138.26.0.0

But there is clearly more than one physical network on campus!

9.5 Subnet Addressing

This became a required part of IP in 1987.

Individual sites have the freedom to modify addresses and routes as long as the modifications remain invisible to other sites.

A site can choose to use IP addresses in unusual ways internally as long as:

► all hosts and routers at the site agree to honor the site’s addressing scheme;

► other sites on the Internet can treat addresses as a network prefix and a host suffix.

Page 4: Recall Chapter 3 :

4

9.5 Subnet Addressing - continued

Example:

Site with class B address 128.10.0.0 has two physical networks - subnets

Only router R knows that there are multiple physical networks at the site and how to forward traffic among them; all other routers in the Internet forward traffic as if there were a single physical network at the site.

Figure 9.2

Page 5: Recall Chapter 3 :

5

9.5 Subnet Addressing - continued

In this example the local site has chosen to use the third octet of the address to distinguish between the two networks.

“Subnetting on the basis of the 3rd octet”

Page 6: Recall Chapter 3 :

6

9.5 Subnet Addressing – continued

Relationship to original “classful” addressing system

Figure 9.3

Original classful IP addressing

With subnet addressing

Hierarchical routing:

Routers in other autonomous systems use only the Internet part;

Routers within this autonomous system also use the additional octet;

Final delivery to host also uses the remaining octet.


Page 7: Recall Chapter 3 :

7

9.6 Flexibility in Subnet Assignment

Subnetting on the basis of the third octet is not the only possibility. Consider this intranet:

Figure 9.4

Need 5 subnets - How could subnet addressing be performed?

Page 8: Recall Chapter 3 :

8

9.6 Flexibility in Subnet Assignment – continued

The number of bits allocated to the subnet can be chosen to fit the situation.

Slice up the pie for a class-B address:

Page 9: Recall Chapter 3 :

9

In this example, allocating 3 bits would allow 6 subnets (2^3 – 2), each with up to 8190 (2^13 – 2) hosts.

(–2 because we do not assign all-zeros or all-ones to hosts or subnets)

Figure 9.4

Page 10: Recall Chapter 3 :

10

9.8 Implementation of Subnets with Masks

The division of the 32-bit IP address for subnetting is controlled by the

32-bit subnet mask or address mask

<network + subnet part> <host part>

We use dotted decimal notation to represent this as

255 . 255 . 255 . 0

To extract the (network + subnet) part of an IP destination address (as needed for routing within intranet):

<destination IP address> .AND. <subnet mask>

For example, subnetting on the basis of the third octet is represented by

11111111 11111111 11111111 00000000
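The slicing of a class B address on pages 8–10 can be carried out mechanically: pick the number of subnet bits, derive the 32-bit address mask, count usable subnets and hosts with the "–2" rule, and extract the network + subnet part with a bitwise AND. The following is an added example written for this transcript, not code from the course or the textbook; the network 138.26.0.0 is the UAB class B address mentioned on page 3, and the other addresses are constructed.

```python
from ipaddress import IPv4Address


def dotted_and(addr: str, mask: str) -> str:
    """<destination IP address> .AND. <subnet mask>: the network + subnet part
    that routers inside the intranet use to forward."""
    return str(IPv4Address(int(IPv4Address(addr)) & int(IPv4Address(mask))))


def mask_from_prefix(prefix_len: int) -> str:
    """Address mask with prefix_len leading ones, in dotted decimal."""
    ones = ((1 << prefix_len) - 1) << (32 - prefix_len)
    return str(IPv4Address(ones & 0xFFFFFFFF))


def plan_class_b(network: str, subnet_bits: int) -> dict:
    """Slice a class B network (16-bit network prefix) using subnet_bits bits
    of subnet number. Usable counts follow the slide's rule: the all-zeros and
    all-ones values are not assigned to subnets or to hosts."""
    if not 1 <= subnet_bits <= 14:
        raise ValueError("a class B prefix leaves 16 bits; keep at least 2 host bits")
    host_bits = 16 - subnet_bits
    mask = mask_from_prefix(16 + subnet_bits)
    base = int(IPv4Address(network))
    # subnet numbers 1 .. 2^subnet_bits - 2, placed just above the host bits
    subnets = [str(IPv4Address(base | (n << host_bits)))
               for n in range(1, (1 << subnet_bits) - 1)]
    return {
        "mask": mask,
        "mask_bits": format(int(IPv4Address(mask)), "032b"),
        "usable_subnets": (1 << subnet_bits) - 2,
        "hosts_per_subnet": (1 << host_bits) - 2,
        "subnet_addresses": subnets,
    }


if __name__ == "__main__":
    plan = plan_class_b("138.26.0.0", 3)          # the page-9 example: 3 subnet bits
    print(plan["mask"], plan["usable_subnets"], plan["hosts_per_subnet"])
    print(plan["subnet_addresses"])
    print(dotted_and("138.26.70.9", plan["mask"]))  # which subnet a destination is on
```

With 3 subnet bits the mask is 255.255.224.0 and the six usable subnets sit at 138.26.32.0, 138.26.64.0, ... 138.26.192.0; with 8 subnet bits the function reproduces "subnetting on the basis of the third octet" (mask 255.255.255.0, 254 subnets of 254 hosts).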

Page 11: Recall Chapter 3 :

11

Recall from chapter 7 – Forwarding IP Datagrams:

Figure 7.2

Page 12: Recall Chapter 3 :

12

9.11 The Subnet Forwarding Algorithm

Before subnetting, the rows of the routing table contained duples

<destination network address> <next hop>

We extracted the destination network address from the 32-bit datagram destination address by looking at the first 1, 2, or 3 bits, to identify if the destination host was connected to a class A, B, or C network.

With subnetting it is no longer possible for internal routers to deduce the destination network address on the basis of the datagram destination address alone.

We have to expand our routing table rows to triples

<address mask> <destination network address> <next hop>

and revise the forwarding algorithm used in the intranet.

Page 13: Recall Chapter 3 :

13

9.12 A Unified Forwarding Algorithm

Recall the Chapter 7 forwarding algorithm:

Figure 7.3

This algorithm has to be modified to account for subnetting.

Before subnetting we could determine N from destination IP address alone

Page 14: Recall Chapter 3 :

14

9.12 A Unified Forwarding Algorithm – continued

Figure 9.7

Only the internal routers have to be modified, since subnetting is invisible to outsiders.

New step

This also needs to be ANDed with the address mask

Page 15: Recall Chapter 3 :

15

9.12 A Unified Forwarding Algorithm

Recall the Chapter 7 forwarding algorithm:

Figure 7.3

What happened to these special cases?

Page 16: Recall Chapter 3 :

16

9.12 A Unified Forwarding Algorithm – continued

What happened to the special cases in figure 7.3?

Default route: use address mask 0.0.0.0 with destination network address 0.0.0.0

table row will be

<address mask> <destination network address> <next hop>
0.0.0.0        0.0.0.0                       next hop for default route

(because any destination IP address ANDed with 0.0.0.0 gives 0.0.0.0)

Default route must be last row in forwarding table.

Host-specific route: use address mask 255.255.255.255
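The unified forwarding algorithm of figure 9.7, including the two special cases above, can be written as a first-match walk over the (mask, network, next hop) triples. The example below is added for this transcript and is not the textbook's code; the table is constructed for a router on subnet 138.26.1.0 of figure 9.4 (the subnet numbers are the slide's, the next-hop addresses and the host-specific route are assumptions). It also includes a check a practitioner wants when building such tables by hand: which rows are shadowed by an earlier row, which is exactly what goes wrong if the default route is not last.

```python
from ipaddress import IPv4Address


def dotted_and(addr: str, mask: str) -> str:
    """Bitwise AND of a dotted-decimal address with a dotted-decimal mask."""
    return str(IPv4Address(int(IPv4Address(addr)) & int(IPv4Address(mask))))


DIRECT = "deliver direct"

# Constructed table: <address mask> <destination network address> <next hop>, most specific first.
TABLE = [
    ("255.255.255.255", "138.26.3.7", "138.26.1.253"),   # host-specific route (mask all ones)
    ("255.255.255.0",   "138.26.1.0", DIRECT),           # our own subnet
    ("255.255.255.0",   "138.26.2.0", "138.26.1.253"),
    ("255.255.255.0",   "138.26.3.0", "138.26.1.252"),
    ("0.0.0.0",         "0.0.0.0",    "138.26.1.254"),   # default route: matches everything, so last
]


def forward(dest: str, table=TABLE) -> str:
    """Figure 9.7 step: AND the destination with each row's mask and take the first
    row whose result equals that row's destination network address."""
    for mask, net, hop in table:
        if dotted_and(dest, mask) == net:
            return hop
    raise LookupError("no route to %s" % dest)


def shadowed_rows(table) -> list:
    """Return (i, j) pairs where row i can never match because an earlier row j
    already matches every address row i would match: j's mask is a subset of i's
    mask and i's network ANDed with j's mask equals j's network."""
    out = []
    for i, (mask_i, net_i, _) in enumerate(table):
        mi = int(IPv4Address(mask_i))
        for j, (mask_j, net_j, _) in enumerate(table[:i]):
            mj = int(IPv4Address(mask_j))
            if mj & mi == mj and dotted_and(net_i, mask_j) == net_j:
                out.append((i, j))
                break
    return out


if __name__ == "__main__":
    for d in ("138.26.3.7", "138.26.3.9", "138.26.1.1", "10.1.2.3"):
        print(d, "->", forward(d))
    print("shadowed:", shadowed_rows(TABLE))
    misordered = TABLE[-1:] + TABLE[:-1]          # default route moved to the top
    print("misordered, shadowed:", shadowed_rows(misordered))
```

With the default route moved to the first row every other row is reported as shadowed and `forward` returns the default next hop for every destination, which is why the slide insists the default route be the last row.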

Page 17: Recall Chapter 3 :

17

Figure 9.4: class B address 138.26.0.0; all subnet masks 255.255.255.0; subnets 138.26.1.0, 138.26.2.0 and 138.26.3.0 (router interface addresses .254, .253 and .252; one host shown at .1).

Page 18: Recall Chapter 3 :

18

9.13 Maintenance of Subnet Masks

Subnet masks are assigned by the network administrator.

Page 19: Recall Chapter 3 :

19

9.14 Broadcasting to Subnets

Recall special forms of IP address from chapter 4:

Following this, we interpret an IP address

<network part> <subnet part> 111…11

as indicating broadcast to all hosts on <subnet>

Figure 4.4

Page 20: Recall Chapter 3 :

20

9.15 Anonymous Point-to-Point Networks

A typical situation for a router in a wide-area network is that once an exit interface has been chosen, there is only one possible destination.

In this situation we don’t need to waste an IP network prefix

and don’t need to ARP.

Page 21: Recall Chapter 3 :

21

9.15 Anonymous Point-to-Point Networks - continued

Figure 9.8(b) routing table in R1

There is no need for a “next hop” – the exit interface is sufficient.

Page 22: Recall Chapter 3 :

22

Chapter 19 – Private Network Connection (NAT, VPN)

19.6 Network Address Translation

Like subnetting, NAT was motivated by a shortage of IPv4 addresses.

NAT provides IP-level access between hosts at a site and the rest of the Internet, without requiring each host at the site to have a globally-valid IP address (can use private, non-unique addresses, e.g. 192.168.1.1).

Allows an internal host to access service on an external computer.

The site must have a single router, with at least one globally-valid IP address, G, connecting to the Internet. This router runs the NAT software.

All datagrams pass through the “NAT box” on their way to or from the Internet.

Page 23: Recall Chapter 3 :

23

Outgoing datagrams: NAT replaces the (private) source address with G


Page 24: Recall Chapter 3 :

24

Reply datagram will arrive at G - how does router/NAT know which internal host should receive the datagram?

NAT maintains a translation table that it uses to perform the mapping. Entry in table:

IP address of the external server, IP address of internal client


NAT converts destination address G to private address 192.168.1.1 and forwards the datagram.

Page 25: Recall Chapter 3 :

25

19.7 NAT Translation Table Creation

How is the translation table constructed? 3 possibilities:

► Manual Initialization

► Outgoing Datagrams – this is the “classic” method: when a datagram arrives at the internal NAT interface, the router records the (internal) source address and the (external) destination address. This method does not allow contact to be initiated from outside (may not be a bad thing – security).

► Incoming Name Lookups – table is built as a side-effect of handling incoming DNS lookups (possible only if the organization is running a DNS server and is willing to have external access).

Page 26: Recall Chapter 3 :

26

19.7 NAT Translation Table Creation – continued

“Outgoing datagram” method popular among ISPs

Figure 19.4

Page 27: Recall Chapter 3 :

27

19.8 Multi-Address NAT

Problem: What if two internal hosts are accessing the same external server at the same time?

Translation table, with entries

IP address of the external server, IP address of internal client

will be ambiguous.

First idea: NAT box has a set of globally-valid IP addresses,

G1 .. GK

Up to K internal clients can access the same server at the same time.

Page 28: Recall Chapter 3 :

28

19.9 Port-Mapped NAT

Network Address and Port Translation (NAPT) is a better solution.

Outgoing datagrams: NAPT substitutes both source IP address and source port.

Figure 19.5 (reduced): inside client ↔ NAPT box ↔ outside server

Page 29: Recall Chapter 3 :

29

Page 30: Recall Chapter 3 :

30

19.9 Port-Mapped NAT - continued

Since ports are 16-bit quantities, NAPT allows up to 2^16 internal clients to access the same external server at the same time.

In our implementation in the lab, the NAT box does not substitute a source port unless two internal clients accidentally choose the same random client port number.

Page 31: Recall Chapter 3 :

31

NAPT gets router involved in layer 4!

(looking inside “data” in IP datagram, not just header)


Page 32: Recall Chapter 3 :

32

19.10 Interaction between NAPT and ICMP

NAPT uses the port number to identify the client.

ICMP is layer 3, so does not have a port number.

So how can PING, or ICMP error messages, work through a NAT box?

Page 33: Recall Chapter 3 :

33

19.10 Interaction between NAPT and ICMP – continued

PING

What does the NAT box do?

Page 34: Recall Chapter 3 :

34

19.10 Interaction between NAT and ICMP – continued

Format for echo request/ echo reply:

Although there is no port number that can be used, there is the IDENTIFIER field.

This contains a 16-bit number chosen randomly by the requestor.

RFC 2663 states that this is used by NAT, in place of a port number, to route the echo reply back to the requestor over the intranet.
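The translation table of sections 19.9 and 19.10 can be modelled in a few dozen lines: the outside tuple (protocol, external server, server port, substituted port y) maps back to the inside (S, x), the client's own port is kept unless another inside client already uses it (the lab behaviour on page 30), and for PING the 16-bit IDENTIFIER field is handled exactly like a port. The code below is an added example for this transcript, not the lab's NAT implementation; the global address 138.26.1.254, the inside addresses and the port pool starting at 40000 are constructed values.

```python
class Napt:
    """Constructed model of a port-mapped NAT box with a single global address g.
    inbound maps (proto, W, server port, y) -> (S, x); outbound is the reverse view."""

    ECHO = "icmp-echo"   # ICMP echo: the identifier plays the role of the port (RFC 2663)

    def __init__(self, g: str, port_pool=range(40000, 65536)):
        self.g = g
        self.inbound = {}     # (proto, W, dport, y) -> (S, x)
        self.outbound = {}    # (proto, S, x, W, dport) -> y
        self.used = set()     # (proto, y) currently allocated on the outside
        self._pool = iter(port_pool)

    def _choose_port(self, proto: str, x: int) -> int:
        # Page-30 behaviour: keep the client's own port unless another inside client
        # already uses it; only then substitute a port taken from the pool.
        if (proto, x) not in self.used:
            return x
        for y in self._pool:
            if (proto, y) not in self.used:
                return y
        raise RuntimeError("port pool exhausted: at most 2^16 outside ports per protocol")

    def outgoing(self, proto: str, s: str, x: int, w: str, dport: int):
        """Datagram leaving the site: create or reuse the mapping and return the
        rewritten (source address, source port, destination, destination port)."""
        key = (proto, s, x, w, dport)
        y = self.outbound.get(key)
        if y is None:
            y = self._choose_port(proto, x)
            self.outbound[key] = y
            self.inbound[(proto, w, dport, y)] = (s, x)
            self.used.add((proto, y))
        return (self.g, y, w, dport)

    def incoming(self, proto: str, w: str, sport: int, y: int):
        """Datagram arriving at G from W:sport addressed to port y. Returns the inside
        (S, x) to deliver to, or None: with no table entry there is nobody to deliver
        to, so unsolicited traffic from outside is dropped."""
        return self.inbound.get((proto, w, sport, y))

    def outgoing_echo(self, s: str, ident: int, w: str):
        """PING from inside: the IDENTIFIER is mapped like a source port (server port 0 as placeholder)."""
        g, new_ident, w, _ = self.outgoing(self.ECHO, s, ident, w, 0)
        return (g, new_ident, w)

    def incoming_echo_reply(self, w: str, ident: int):
        """Echo reply from W carrying identifier ident: which inside host asked?"""
        return self.incoming(self.ECHO, w, 0, ident)


if __name__ == "__main__":
    nat = Napt("138.26.1.254")
    print(nat.outgoing("tcp", "192.168.1.1", 1388, "203.0.113.10", 80))  # port kept
    print(nat.outgoing("tcp", "192.168.1.2", 1388, "203.0.113.10", 80))  # same port: substituted
    print(nat.incoming("tcp", "203.0.113.10", 80, 40000))                # reply goes to the second client
    print(nat.incoming("tcp", "203.0.113.10", 80, 5555))                 # no entry: dropped
    print(nat.outgoing_echo("192.168.1.1", 0x1234, "203.0.113.10"))
    print(nat.incoming_echo_reply("203.0.113.10", 0x1234))
```

Keying the inbound table on the full outside tuple means a reply is only accepted from the server the mapping was created for, which is the property behind the "may not be a bad thing – security" remark on page 25.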

Page 35: Recall Chapter 3 :

35

19.10 Interaction between NAT and ICMP – continued

What about ICMP error messages, such as “destination unreachable”? Situation with NO NAPT

Outer IP Datagram

Inner IP Datagram

Page 36: Recall Chapter 3 :

36

19.10 Interaction between NAT and ICMP – continued

Figure (slide 36): the datagrams involved when a router R reports “destination unreachable” for a connection from inside host S, through the NAT box G, to web server W.

Original datagram sent by S:

IP: source = S, dest = W
TCP: source port = x, dest = 80

After translation by the NAT box:

IP: source = G, dest = W
TCP: source port = y, dest = 80

Translation table entry:

G,W,y,80 ↔ S,W,x,80

ICMP error as it arrives at G (“Have this!”):

IP: source = R, dest = G
ICMP type 3 (ICMP, not TCP! – the outer datagram carries no port number)
Inner datagram
IP: source = G, dest = W
TCP: source port = y, dest = 80

ICMP error as S must receive it (“Need this!”):

IP: source = R, dest = S
ICMP type 3
Inner datagram
IP: source = S, dest = W
TCP: source port = x, dest = 80

Page 37: Recall Chapter 3 :

37

19.10 Interaction between NAT and ICMP – continued

NAPT has to “drill down” into the inner datagram to retrieve source port y and original destination W, then do a table lookup to find that the ICMP message should be forwarded to S.

Page 38: Recall Chapter 3 :

38

19.10 Interaction between NAT and ICMP – continued

Before forwarding the ICMP “destination unreachable” message to the sender of the original datagram, NAT must translate the addresses in the ICMP message so that they are exactly the same as in the original datagram.

Then recompute the checksum in the ICMP header, then recompute the checksum in the outer IP datagram header.

Page 39: Recall Chapter 3 :

39

19.10 Interaction between NAT and ICMP – continued

To provide a meaningful ICMP “destination unreachable” to the original sender of the datagram, the NAT box must:

► Translate the source address in the “inner” datagram

► Translate the source port in the “inner” datagram

► Recompute the header checksum in the “inner” datagram

► Recompute the ICMP header checksum

► Translate the destination IP address in the “outer” header

► Recompute the header checksum in the “outer” header.
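The six steps above, carried out on real header bytes. This is an added example for this transcript, not the lab's NAT code: it builds the ICMP error of slide 36 from constructed addresses (S = 192.168.1.1, G = 138.26.1.254, W = 203.0.113.10, R = 198.51.100.1, x = 1388, y = 40000), assumes the NAPT table already holds the entry G,W,y,80 ↔ S,W,x,80, and then drills into the quoted inner datagram, rewrites it and recomputes the three checksums. The quoted payload is the first 8 bytes of the TCP header (ports and sequence number), so the inner TCP checksum is not present and, as on the slide, is not recomputed.

```python
import struct
from ipaddress import IPv4Address

ICMP, TCP = 1, 6


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def set_checksum(data: bytes, offset: int) -> bytes:
    """Return data with the 16-bit checksum field at offset recomputed over the whole buffer."""
    zeroed = data[:offset] + b"\x00\x00" + data[offset + 2:]
    return zeroed[:offset] + struct.pack("!H", internet_checksum(zeroed)) + zeroed[offset + 2:]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed ident and TTL) with a valid checksum at offset 10."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return set_checksum(hdr, 10)


def icmp_unreachable(inner_ip: bytes, inner_l4: bytes, code: int = 1) -> bytes:
    """ICMP type 3 message quoting the inner IP header plus the first 8 bytes of its payload."""
    body = struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_l4[:8]
    return set_checksum(body, 2)        # the ICMP checksum covers header and quoted datagram


def translate_icmp_error(pkt: bytes, table: dict):
    """Inbound ICMP error at the NAT box. Drill into the quoted datagram for (G, y, W, dport),
    look up (S, x), rewrite inner source address/port and the outer destination, and recompute
    the inner IP, ICMP and outer IP checksums. Returns None (drop) when nothing applies."""
    outer_ip, icmp = pkt[:20], pkt[20:]
    if outer_ip[9] != ICMP or icmp[0] != 3:
        return None
    inner_ip, inner_l4 = icmp[8:28], icmp[28:]
    if inner_ip[9] != TCP:
        return None                                  # only TCP quoted datagrams handled here
    g, w = str(IPv4Address(inner_ip[12:16])), str(IPv4Address(inner_ip[16:20]))
    y, dport = struct.unpack("!HH", inner_l4[:4])
    entry = table.get((g, y, w, dport))
    if entry is None:
        return None                                  # no mapping: nobody inside to deliver to
    s, x = entry
    new_inner_ip = set_checksum(inner_ip[:12] + IPv4Address(s).packed + inner_ip[16:], 10)
    new_inner_l4 = struct.pack("!H", x) + inner_l4[2:]   # TCP checksum is not in the 8-byte excerpt
    new_icmp = set_checksum(icmp[:8] + new_inner_ip + new_inner_l4, 2)
    new_outer_ip = set_checksum(outer_ip[:16] + IPv4Address(s).packed, 10)
    return new_outer_ip + new_icmp


def summarize(pkt: bytes) -> dict:
    """Addresses, inner source port and whether each of the three checksums verifies."""
    outer_ip, icmp = pkt[:20], pkt[20:]
    inner_ip, inner_l4 = icmp[8:28], icmp[28:]
    return {
        "outer_src": str(IPv4Address(outer_ip[12:16])),
        "outer_dst": str(IPv4Address(outer_ip[16:20])),
        "inner_src": str(IPv4Address(inner_ip[12:16])),
        "inner_dst": str(IPv4Address(inner_ip[16:20])),
        "inner_sport": struct.unpack("!H", inner_l4[:2])[0],
        "outer_ip_ok": internet_checksum(outer_ip) == 0,
        "icmp_ok": internet_checksum(icmp) == 0,
        "inner_ip_ok": internet_checksum(inner_ip) == 0,
    }


# Constructed scenario of slide 36: S behind NAT box G talks to W:80; router R reports unreachable.
S, G, W, R = "192.168.1.1", "138.26.1.254", "203.0.113.10", "198.51.100.1"
X, Y = 1388, 40000
TABLE = {(G, Y, W, 80): (S, X)}                      # G,W,y,80 <-> S,W,x,80


def build_sample_error() -> bytes:
    """The ICMP error as it arrives at G: outer R -> G, quoted inner G:y -> W:80 ("Have this!")."""
    inner = ipv4_header(G, W, TCP, 20)
    tcp8 = struct.pack("!HHI", Y, 80, 1)              # ports + sequence number of the original datagram
    return ipv4_header(R, G, ICMP, 8 + 20 + 8) + icmp_unreachable(inner, tcp8)


if __name__ == "__main__":
    print(summarize(build_sample_error()))
    print(summarize(translate_icmp_error(build_sample_error(), TABLE)))   # "Need this!"
```

After translation the outer destination and the inner source both read S, the inner source port is x again, and all three checksums verify; with an empty table the function returns None, which is the correct fate of an ICMP error that quotes a connection the NAT box never created.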

Page 40: Recall Chapter 3 :

40

19.11 Interaction between NAT and Applications

Applications cause problems if they send IP addresses or protocol ports as data.

e.g. FTP (active mode):

Frame from Ethereal trace captur2a.ftp
Frame 25
Ethernet II
Internet Protocol
    Protocol: TCP (0x06)
    Header checksum: 0xb213 (correct)
    Source: 192.168.1.1 (FTP Client)
    Destination: 192.168.1.2 (FTP Server)
Transmission Control Protocol
    Source port: 1388
    Destination port: ftp (21)
File Transfer Protocol (FTP)
    Request: PORT
    Request Arg: 192,168,1,1,5,109

[Port information transmitted in ASCII]

Page 41: Recall Chapter 3 :

41

19.11 Interaction between NAT and Applications - continued


Active mode FTP does not work with NAT for internal client, external server,

Page 42: Recall Chapter 3 :

42

Fixing FTP in active mode would require the router to “drill down” all the way to the FTP message.


Page 43: Recall Chapter 3 :

43

19.11 Interaction between NAT and Applications - continued


FTP in passive mode does work between internal client and external server

(confirmed by RFC 2663)
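What "drilling down all the way to the FTP message" would involve for the PORT command on page 40 can be shown concretely: decode the ASCII argument 192,168,1,1,5,109 into address and port (p1·256 + p2), substitute the global address and the NAT-mapped port, and notice that the rewritten text can differ in length, so the TCP sequence and acknowledgement numbers of the rest of the stream would have to be adjusted as well. This is an added example for this transcript (not RFC 2663 text or lab code); the global address 138.26.1.254 and the identity port mapping are assumptions.

```python
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(cmd: str):
    """Decode an active-mode 'PORT h1,h2,h3,h4,p1,p2' command into (address, port)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    f = [int(v) for v in m.groups()]
    if any(v > 255 for v in f):
        raise ValueError("field out of range in %r" % cmd)
    return "%d.%d.%d.%d" % tuple(f[:4]), f[4] * 256 + f[5]


def format_port(addr: str, port: int) -> str:
    """Encode (address, port) back into the ASCII form the FTP server expects."""
    return "PORT %s,%d,%d\r\n" % (addr.replace(".", ","), port // 256, port % 256)


def rewrite_port_command(cmd: str, g: str, napt_port):
    """What an FTP-aware NAT box would do with an outgoing PORT command: replace the private
    address and port carried as data with G and the port the NAT will accept the server's data
    connection on. Returns the new command and the change in TCP payload length; a non-zero
    change means later sequence/acknowledgement numbers must be adjusted too."""
    addr, port = parse_port(cmd)
    new_cmd = format_port(g, napt_port(addr, port))
    return new_cmd, len(new_cmd) - len(cmd)


if __name__ == "__main__":
    original = "PORT 192,168,1,1,5,109\r\n"              # the Ethereal frame on page 40
    print(parse_port(original))                           # ('192.168.1.1', 1389)
    print(rewrite_port_command(original, "138.26.1.254", lambda a, p: p))
```

Without this rewrite the external server would try to open its data connection to 192.168.1.1:1389, a private address that is unreachable from the Internet, which is why active mode fails through a plain NAT while passive mode, where the client initiates the data connection, does not.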

Page 44: Recall Chapter 3 :

44

19.12 NAT in the Presence of Fragmentation

NAPT cannot work with fragmented datagrams, since only the first fragment will contain the TCP or UDP header, with the port numbers.

Page 45: Recall Chapter 3 :

45

19.13 Conceptual Address Domains

“We have described NAT as a technology that can be used to connect a private network to the global internet.

In fact, NAT can be used to connect any two address domains.”

This leads to multiple levels of NAT.

Page 46: Recall Chapter 3 :

46

19.13 Conceptual Address Domains - continued

Page 47: Recall Chapter 3 :

47

19.14 Slirp and iptables

iptables supports packet rewriting and firewalling.

We use iptables in lab session #5 to construct packet filters.

NAT or NAPT can be constructed using iptables rules.