1 / 32

IPv4+4 Address extension with NATs

IPv4+4 Address extension with NATs. Zoltán Turányi, András Valkó, Andrew Campbell (Rita). IPv6: there for 6+ years, no deployment, complicated transition, little incentives. NAT: deployed, breaks end-to-end, breaks apps, single point of failure, not scalable. Problem: IPv4 address shortage.


Presentation Transcript


  1. IPv4+4: Address extension with NATs. Zoltán Turányi, András Valkó, Andrew Campbell (Rita)

  2. Problem: IPv4 address shortage
     • IPv6: there for 6+ years; no deployment; complicated transition; little incentives
     • NAT: deployed (and even more deployed); breaks end-to-end; breaks apps; single point of failure; not scalable

  3. Why are NATs so popular?
     • Very easy
     • No need to replace routers
     • No need to get more addresses
     • Provide address isolation
     • Easy address planning independent of outside
     • Provider change does not result in renumbering
     • Some even think it is security

  4. IPv4+4
     • Use existing multiple address realms
     [Figure: host X behind NAT A is addressed as A.X, host X behind NAT B as B.X; the address has a level 1 part (the NAT's public address) and a level 2 part (the host's private address).]

  5. IPv4+4
     • Use existing multiple address realms
     [Figure: host 10.0.0.1 behind NAT 9.8.7.6 is 9.8.7.6.10.0.0.1; host 10.0.0.1 behind NAT 5.4.3.2 is 5.4.3.2.10.0.0.1.]

  6. IPv4+4 packet
     [Figure: an ordinary IPv4 header (version, hdrlen, DS byte, total length, identification, flags, fragment offset, TTL, protocol, header checksum, source address, destination address) whose protocol field carries 233 in the figure, followed by the 4+4 header (source address 2, destination address 2, protocol 2, spos, dpos, header checksum 2), then the transport header + payload.]
     • header checksum 2 covers addresses, len & protocol
     • end-to-end

  7. IPv4+4 routing
     [Figure: host A.X sends to host B.Y via the A RGW and the B RGW; at each hop the outer IPv4 source/destination and the second address pair of the 4+4 header are shown, with pairs A Y, X Y, A B and X B appearing along the path.]
     • packet routable based on IP header
     • private addresses not visible in public realm
     • private realm's addresses not visible in another private realm

  8. IPv4+4 routing
     [Figure: host A.X sends to the public host C.0 (written 4.3.2.1.0.0.0.0) via the A RGW; the address pairs X C, A C, A 0 and X 0 appear along the path.]

  9. IPv4+4 routing
     [Figure: the public host C.0 sends to host B.Y via the B RGW; the address pairs C Y, C B, 0 Y and 0 B appear along the path.]

  10. ICMP translation
     [Figure: a router R in the public realm sends an ICMP message about a packet from A.X to B.Y; the message is addressed to A and is delivered to A.X as coming from R.0 via the A RGW.]

  11. ICMP translation
     [Figure: a router R inside realm B sends an ICMP message about a packet from A.X to B.Y; it is delivered to A.X as coming from B.R via the B RGW and the A RGW.]

  12. ICMP – a problem
     [Figure: the part of the offending packet quoted in an ICMP error: the IPv4 header (version, hdrlen, DS byte, total length, identification, flags, fragment offset, TTL, protocol, header checksum, source address, destination address) followed by the transport fields source port, destination port, sequence number (TCP) / length+checksum (UDP).]

  13.-14. ICMP – a problem
     [Figure, two animation steps: the same quoted packet with the 4+4 header (source address 2, destination address 2, protocol 2, spos, dpos, header checksum 2) now sitting between the IPv4 header and the transport fields source port, destination port, sequence number (TCP) / length+checksum (UDP).]

  15. Summary - RGWs (replacing the legacy NAT)
     • Packet out: swap source
     • Packet in: swap destination
     • Add 4+4 header to ICMP messages
     • Stateless, cheap processing
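The RGW swap rule of the routing slides (7 to 9) and of this summary, as an added C example that is not the authors' kernel module: hosts, realms and the packet are modelled as plain structs with host-order uint32 addresses, and the `deliver` walk along the path is this example's own.

```c
/* Added example (not the authors' kernel module): the stateless address swap an
 * RGW performs, as drawn on the routing slides. Addresses are host-order uint32;
 * a 4+4 address is level1.level2 (public.private), level2 == 0 = public host. */
#include <stdint.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

struct addr44 { uint32_t l1, l2; };
/* Only the fields an RGW touches: outer IPv4 src/dst and the second address
 * pair of the 4+4 header. has44 == 0 means a plain IPv4 packet (same realm). */
struct pkt44 { uint32_t src, dst, src2, dst2; int has44; };
/* Hosts from the slides: 9.8.7.6.10.0.0.1, 5.4.3.2.10.0.0.1, C.0 = 4.3.2.1.0.0.0.0 */
const struct addr44 HOST_X = { IP4(9, 8, 7, 6), IP4(10, 0, 0, 1) };
const struct addr44 HOST_Y = { IP4(5, 4, 3, 2), IP4(10, 0, 0, 1) };
const struct addr44 HOST_C = { IP4(4, 3, 2, 1), 0 };

/* Same realm: both behind the same RGW, so plain IPv4 between level-2 parts. */
static int same_realm(struct addr44 me, struct addr44 peer) { return me.l2 && peer.l2 && me.l1 == peer.l1; }

/* Sending host: the outer header gets the parts routable in my own realm (my
 * level-2 part, the peer's level-1 part); the 4+4 header carries the rest. */
static struct pkt44 host_emit(struct addr44 me, struct addr44 peer)
{
    struct pkt44 p = { 0, 0, 0, 0, 1 };
    if (same_realm(me, peer)) {
        p.src = me.l2; p.dst = peer.l2; p.has44 = 0;
        return p;
    }
    p.src = me.l2 ? me.l2 : me.l1;  p.src2 = me.l2 ? me.l1 : 0;
    p.dst = peer.l1;                p.dst2 = peer.l2;
    return p;
}

/* RGW, packet leaving the realm: swap the source addresses (no state kept). */
static void rgw_outbound(struct pkt44 *p) { uint32_t t = p->src; p->src = p->src2; p->src2 = t; }
/* RGW, packet entering the realm: swap the destination addresses. */
static void rgw_inbound(struct pkt44 *p) { uint32_t t = p->dst; p->dst = p->dst2; p->dst2 = t; }
/* Receiver rebuilds the peer's full 4+4 address from outer src and src2. */
static struct addr44 peer_of(struct pkt44 p) { struct addr44 a = { p.src, p.src2 }; return a; }

/* Carries a packet along its path: my RGW (if I am behind one), the public
 * realm (outer src/dst both public there), the peer's RGW (if it has one). */
static struct pkt44 deliver(struct addr44 me, struct addr44 peer)
{
    struct pkt44 p = host_emit(me, peer);
    if (p.has44 && me.l2)   rgw_outbound(&p);
    if (p.has44 && peer.l2) rgw_inbound(&p);
    return p;
}
```

Because both swaps are pure exchanges, the set of four addresses never changes, which is why the RGW needs no per-flow table and why the receiver can still recover the sender's full 4+4 address.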

  16. Summary – End hosts
     • Generate & understand 4+4 header
     • Decide if peer is in the same realm or not
     • Obtain 4+4 addresses of peers (DNS, configuration)
     • Application support needed

  17. Implementation
     • Linux kernel module
     • Translates IPv4+4 packets and addresses, e.g. 128.59.67.131.192.168.0.2 to 1.0.0.2
     • Mappings are dynamically created: on an incoming packet, on a DNS request, from packet headers inside ICMP errors
     • DNS messages also affected

  18. Implementation
     • Linux kernel module – no kernel patch
     • Load/unload any time
     [Figure: applications in userland, the module inside the kernel (kernel space).]

  19. Implementation
     • Linux kernel module – no kernel patch
     • Uses netfilter hooks: PRE_ROUTING, LOCAL_INPUT, FORWARD, LOCAL_OUTPUT, POST_ROUTING
     • Can examine and modify packet
     • Say a verdict: accept, drop, steal, queue
     [Figure: the five hooks between input device, applications and output device.]

  20. LOCAL_IN / LOCAL_OUT
     LOCAL_IN:
     • If an ICMP error that carries a 4+4 packet => translate
     • If v4+4 and addressed to us => translate
     • If a DNS packet => QUEUE (to the daemon)
     LOCAL_OUT:
     • If an ICMP error that carries a peer id inside => translate
     • If destination is a peer id => translate
     [Figure: the hook diagram with DNS packets queued to a userland daemon (QUEUE) and re-injected (ACCEPT).]

  21. FORWARDING / PRE_ROUTING
     FORWARDING:
     • ICMP error carrying 4+4 packet => add IPv4+4 header
     • 4+4 packet => swap source address
     PRE_ROUTING:
     • ICMP error carrying 4+4 packet => add IPv4+4 header
     • 4+4 packet => swap destination address
     [Figure: the hook diagram (PRE_ROUTING, LOCAL_INPUT, FORWARD, LOCAL_OUTPUT, POST_ROUTING).]

  22. DNS
     • Each 4+4 address is stored as two "A" RRs
     • Name prepending is used as with SRV RRs
     Hostname: pleione.comet.columbia.edu
     Records:  l1.pleione.comet.columbia.edu  128.59.67.131
               l2.pleione.comet.columbia.edu  192.168.0.2
     IPv4+4 address: 128.59.67.131.192.168.0.2

  23. DNS
     [Sequence diagram between App, Daemon and Kernel Module; the messages shown:]
     App: Who is a.b.com?
     Daemon: Who is l1.a.b.com? Who is l2.a.b.com?
     DNS: l1.a.b.com is 2.3.4.5; l2.a.b.com is 6.7.8.9 (the plain name a.b.com doesn't exist)
     Daemon to Kernel Module: Mapping 2.3.4.5.6.7.8.9 -> 1.0.0.2
     Daemon to App: a.b.com is 1.0.0.2
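The name-prepending lookup of slide 22 and the peer-id mapping of slide 23, as an added C example that is not the authors' daemon or module: the zone records, the pool starting at 1.0.0.2, the table size and the fallback to a plain A query when no l1./l2. records exist are this example's assumptions.

```c
/* Added example, not the authors' daemon: the resolver flow of the DNS slides.
 * The daemon queries l1.<name> and l2.<name>; if both exist it maps the 4+4
 * address to a peer id from 1.0.0.0/8 (pool start 1.0.0.2 assumed) and hands
 * that to the app, else it falls back to a plain A query. Zone is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
struct addr44 { uint32_t l1, l2; };
/* Stand-in for the DNS server: the A records of a constructed example zone. */
static const struct { const char *name; uint32_t a; } zone[] = {
    { "l1.a.b.com", IP4(2, 3, 4, 5) }, { "l2.a.b.com", IP4(6, 7, 8, 9) },
    { "legacy.example", IP4(4, 3, 2, 1) },            /* an ordinary IPv4 host */
};
static uint32_t dns_a(const char *name)                /* 0 = NXDOMAIN */
{
    for (size_t i = 0; i < sizeof zone / sizeof zone[0]; i++)
        if (strcmp(zone[i].name, name) == 0) return zone[i].a;
    return 0;
}

/* Daemon state shared with the kernel module: peer id 1.0.0.(2+i) <-> table[i]. */
static struct addr44 table[64];
static int used;
static uint32_t map_peer(struct addr44 a)             /* peer id, 0 if pool exhausted */
{
    for (int i = 0; i < used; i++)
        if (table[i].l1 == a.l1 && table[i].l2 == a.l2) return IP4(1, 0, 0, 2 + i);
    if (used == 64) return 0;
    table[used] = a;
    return IP4(1, 0, 0, 2 + used++);
}
/* Kernel-module side: peer id -> 4+4 address, {0,0} if unknown. */
static struct addr44 peer_addr(uint32_t id)
{
    if (id < IP4(1, 0, 0, 2) || id - IP4(1, 0, 0, 2) >= (uint32_t)used) return (struct addr44){ 0, 0 };
    return table[id - IP4(1, 0, 0, 2)];
}

/* What the app gets for name: peer id (4+4 host), real A record (legacy), or 0. */
static uint32_t resolve(const char *name)
{
    char q1[256], q2[256];                            /* DNS names fit in 255 bytes */
    if (snprintf(q1, sizeof q1, "l1.%s", name) >= (int)sizeof q1) return 0;
    snprintf(q2, sizeof q2, "l2.%s", name);
    uint32_t l1 = dns_a(q1), l2 = dns_a(q2);
    if (l1 && l2) { struct addr44 a = { l1, l2 }; return map_peer(a); }
    return dns_a(name);
}
```

Repeating a lookup returns the same peer id, so the kernel module's table stays consistent with what applications already hold in their sockets.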

  24. Testbed
     [Figure: pc11 (195.228.209.132) in Budapest, Hungary; in the Comet Lab, New York: taygeta and aphrodite (128.59.67.141, 128.59.67.131; DNS server, WEB server), the realm ipv44.comet.columbia.edu behind 192.168.0.1, and pleione (192.168.0.2, WEB server, pleione.ipv44.comet.columbia.edu).]

  25.-29. [Testbed demonstration, five animation steps of the same diagram: taygeta and aphrodite (128.59.67.141, 128.59.67.131), the inside addresses 192.168.0.1 and 192.168.0.2, and pleione.]

  30. Experiments
     • Applications/protocols: icmp, ssh, scp, telnet, ping, http; arp, snmp, dhcp, routing protocols; ftp, irc
     • Network management/configuration: dns, firewall, routing

  31. Performance
     • Pentium III, 1 GHz machine
     • Unloaded
     • Measured the forwarding time
     [Figure: the netfilter hook diagram (PRE_ROUTING, LOCAL_INPUT, FORWARD, LOCAL_OUTPUT, POST_ROUTING) between input device, applications and output device.]

  32. Performance
