
CMPT 471 Networking II


gilon

Presentation Transcript


  1. CMPT 471 Networking II: NAT

  2. Private networks • Recall that several blocks of addresses are reserved for local (private) addresses • 10.0.0.0/8 (10.0.0.0 - 10.255.255.255) • 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) • 192.168.0.0/16 (192.168.0.0 - 192.168.255.255) • Hosts using these addresses reach the internet by means of network address translation (NAT)

  3. IPv4 local addresses • A local network may use local addresses taken from the blocks on the previous slide • These addresses are non-routable on the internet and may only be used within the local network • To communicate with the internet one or more routable (globally valid) addresses are needed • Network address translation must occur on the router connecting the local network to the internet

  4. Types of NAT implementation • Static NAT • Dynamic NAT • Overloaded NAT (NAPT network address port translation) • Overlapping NAT

  5. Static NAT • Some machines on the internal network need internet access • There are several globally valid internet addresses available to the router connected to the local network • Each host that needs internet access is permanently allocated one of the available globally valid internet addresses • All other hosts have no connectivity to the internet

  6. Static NAT (diagram): private network hosts 192.168.3.1 - 192.168.3.7 behind a NAT router holding the globally valid addresses 24.16.33.47 and 24.16.33.49; internet hosts 24.16.47.23 and 24.16.77.12

  7. Static NAT • Some machines on the internal network need internet access (192.168.3.3, 192.168.3.6) • There are several globally valid internet addresses available to the router connected to the local network (24.16.33.47, 24.16.33.49) • Each host that needs internet access is allocated one of the available globally valid internet addresses • 192.168.3.3 ↔ 24.16.33.47 • 192.168.3.6 ↔ 24.16.33.49

  8. Packet transmission through a static NAT (1) • When 192.168.3.3 sends a packet to 24.16.47.23 it is received by the NAT router • The sending host is unaware of the NAT • The NAT replaces the local source address 192.168.3.3 with the corresponding globally valid address 24.16.33.47 (the destination 24.16.47.23 is untouched), recalculates the IP header checksum, recalculates the TCP or UDP checksum if the packet is TCP or UDP (their checksums cover a pseudo-header containing the IP addresses), then forwards the packet toward the destination

  9. Packet transmission through a static NAT (2) • The destination host sees the NAT's replacement address, 24.16.33.47, as the IP of the source and sends its reply to that IP address • The NAT receives the reply • Removes the destination address (one of its own globally valid addresses) from the packet • Replaces the destination address with the corresponding internal address, 192.168.3.3 • Recalculates the IP header checksum, and for UDP or TCP packets the transport checksum • Forwards the packet to the internal source
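The two-slide procedure above, as an added worked example (this is not code from the lecture slides): a static NAT that rewrites real IPv4/UDP packet bytes using the slide 7 mapping table, recomputes the IP header checksum, and recomputes the UDP checksum because its pseudo-header includes both addresses. The packets, mapping table, IP identification and TTL values are constructed for the example; TCP is handled by the same code path (checksum offset 16 instead of 6) but is not exercised here.

```python
import struct

# Static mapping from slide 7 (constructed for this example): private <-> globally valid.
STATIC_MAP = {"192.168.3.3": "24.16.33.47", "192.168.3.6": "24.16.33.49"}
REVERSE_MAP = {pub: priv for priv, pub in STATIC_MAP.items()}


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def ones_complement_sum(data):
    """16-bit one's complement sum used by the IPv4, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data):
    return (~ones_complement_sum(data)) & 0xFFFF


def build_udp_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4 (no options) + UDP packet with valid checksums."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 17, udp_len)
    udp_csum = checksum(pseudo + udp) or 0xFFFF      # UDP sends 0xFFFF instead of 0
    udp = udp[:6] + struct.pack("!H", udp_csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def nat_translate(pkt, outbound):
    """Rewrite one packet through the static NAT (outbound=True: private -> internet)."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20])
    if outbound:
        mapped = STATIC_MAP.get(src)
        if mapped is None:
            return None                  # slide 5: unmapped hosts get no internet connectivity
        pkt = pkt[:12] + ip_to_bytes(mapped) + pkt[16:]
    else:
        mapped = REVERSE_MAP.get(dst)
        if mapped is None:
            return None                  # not one of the NAT's own addresses: drop
        pkt = pkt[:16] + ip_to_bytes(mapped) + pkt[20:]
    # The IP header checksum covers the addresses, so it must be recomputed.
    hdr = pkt[:10] + b"\x00\x00" + pkt[12:ihl]
    pkt = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + pkt[ihl:]
    # TCP (6) and UDP (17) checksums cover a pseudo-header holding both addresses,
    # which is why a NAT has to reach into the transport layer at all.
    proto = pkt[9]
    if proto in (6, 17):
        off = ihl + (16 if proto == 6 else 6)        # offset of the checksum field
        seg = pkt[ihl:off] + b"\x00\x00" + pkt[off + 2:]
        pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(seg))
        csum = checksum(pseudo + seg)
        if proto == 17 and csum == 0:
            csum = 0xFFFF
        pkt = pkt[:off] + struct.pack("!H", csum) + pkt[off + 2:]
    return pkt


def checksums_ok(pkt):
    """True if both the IP header checksum and the TCP/UDP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    if ones_complement_sum(pkt[:ihl]) != 0xFFFF:
        return False
    seg = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(seg))
    return ones_complement_sum(pseudo + seg) == 0xFFFF
```

A translated packet is byte-for-byte what the internal host would have produced had it owned the public address, which is exactly why the far end cannot tell the NAT is there. A real router would additionally decrement the TTL (and may update the checksum incrementally instead of recomputing it); that is left out to keep the address rewrite visible.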

  10. Dynamic NAT • Establishes a one-to-one relationship between non-routable internal addresses and the globally valid IP addresses assigned to the NAT • The non-routable address bound to each globally valid address may change over time as communications are initiated and completed

  11. Dynamic NAT (2) • Similar to static NAT except that the router holds a pool of available globally valid IP addresses • Each time an internal host begins communication with the internet, the first packet destined for the internet reaches the NAT-enabled router • The NAT-enabled router takes the next available globally valid IP address from the pool and assigns it to the internal host • If the pool is empty the host cannot communicate with the internet until an address is freed • When communication is complete the address is returned to the pool

  12. NAPT (network address port translation) • NAT overloading or NAPT • Again, the local network uses locally valid, non-routable IP addresses (not globally valid) • This time the NAT allows more than one local host to share the same globally valid internet address • The NAT has one or more globally valid IP addresses • Communications from different hosts are differentiated by using different port numbers (transport layer) • This use of port numbers is not consistent with the layered design of the protocol stack: port numbers are not part of the network layer address, and ports were designed for end-to-end communication, not to be rewritten at each intermediate station • Using ports in this way also causes other problems (see the following slides)

  13. Overloaded NAT (diagram): private network hosts 192.168.3.1 - 192.168.3.7 behind a NAT router holding the globally valid addresses 24.16.33.47 and 24.16.33.49; internet hosts 24.16.47.23 and 24.16.77.12

  14. Overloaded NAT Example

  15. Overloaded NAT example (1) • A host on the local network, say 192.168.3.5, sends a packet from source port 555 to an external host, 24.16.47.23 • The NAT-enabled router receives the packet from the local host 192.168.3.5 • The NAT-enabled router stores the source IP and port number in its address translation table • The NAT-enabled router replaces the source IP and port number in the packet with the globally valid address and port it has recorded in the address translation table for this connection (for this example 24.16.33.49 and 1201) • The NAT-enabled router recalculates the IP header checksum and the UDP or TCP checksum (for UDP and TCP packets) before forwarding the packet to the destination

  16. Overloaded NAT example (2) • When the destination receives the packet it appears to have come from the NAT (24.16.33.49, port 1201) • Any responses are sent to 24.16.33.49 and are thus received by the NAT router • The NAT router checks the destination port in the response packet • By referring to the address translation table the NAT router finds the local non-routable address and port that correspond to it • The NAT router replaces the destination IP address and port with the local non-routable address and the corresponding port, recalculates the checksums as needed, and forwards the packet to the original source host • A packet arriving for a port with no table entry matches no internal host and is dropped
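The translation tables behind slides 10-11 (dynamic NAT) and slides 15-16 (NAPT) as one added example, written for this page rather than taken from the lecture. It works at the level of addresses and ports, since the checksum rewriting is the same as in the static case; the pool, the public address 24.16.33.49 and the starting port 1201 are taken from the slides, and the port-forward entry for 192.168.3.2 is a constructed assumption used to show the "one machine per public port" rule of the later slides.

```python
class DynamicNat:
    """Dynamic NAT (slides 10-11): a pool of globally valid addresses, one whole
    address lent to each internal host for the life of its communication."""

    def __init__(self, pool):
        self.free = list(pool)          # addresses not currently lent out
        self.table = {}                 # private address -> public address
        self.reverse = {}               # public address -> private address

    def outbound(self, src_ip):
        """Public address to put in the packet, or None if the pool is exhausted."""
        if src_ip not in self.table:
            if not self.free:
                return None             # no address free: this host must wait
            pub = self.free.pop(0)
            self.table[src_ip] = pub
            self.reverse[pub] = src_ip
        return self.table[src_ip]

    def inbound(self, dst_ip):
        """Private address for a packet addressed to one of our public addresses."""
        return self.reverse.get(dst_ip)

    def release(self, src_ip):
        """Communication finished: return the address to the pool."""
        pub = self.table.pop(src_ip)
        del self.reverse[pub]
        self.free.append(pub)


class Napt:
    """NAPT / overloaded NAT (slides 12-16): all internal hosts share one public
    address; flows are told apart by the port the NAPT assigns to each of them."""

    def __init__(self, public_ip, first_port=1201, last_port=65535, forwards=None):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_table = {}             # (proto, priv_ip, priv_port) -> public port
        # (proto, public port) -> (priv_ip, priv_port). Pre-seeded with static port
        # forwards: exactly one internal host can own a given public port.
        self.in_table = dict(forwards or {})

    def _allocate_port(self, proto):
        while self.next_port <= self.last_port:
            port = self.next_port
            self.next_port += 1
            if (proto, port) not in self.in_table:
                return port
        return None                     # port space exhausted

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet; returns the new 4-tuple or None."""
        key = (proto, src_ip, src_port)
        if key not in self.out_table:
            port = self._allocate_port(proto)
            if port is None:
                return None
            self.out_table[key] = port
            self.in_table[(proto, port)] = (src_ip, src_port)
        return (self.public_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination of an incoming packet, or None to drop it."""
        if dst_ip != self.public_ip:
            return None
        target = self.in_table.get((proto, dst_port))
        if target is None:
            return None                 # unsolicited: no internal host to deliver to
        return (src_ip, src_port) + target
```

Two things the tables make concrete: an internal host only becomes reachable from outside once it has sent something (or has a forwarding entry), and a second host asking for the same forwarded port cannot be accommodated because the `in_table` key is already taken. This lookup is keyed on the public port alone; real implementations differ in whether they also check the remote endpoint, which is what distinguishes the NAT types that peer-to-peer traversal has to cope with.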

  17. Problems with NAPT • Although NAPT is the most commonly used form of NAT it causes some serious difficulties • The most common encryption and authentication mechanisms used at the IP layer (IPsec) do not function when NAPT is used: the AH integrity check covers the IP addresses the NAT rewrites, and a transport-layer checksum carried inside ESP is computed over addresses the receiver no longer sees. Patching these problems requires yet more serious violations of design principles, and only some can be patched (ESP can be wrapped in UDP for NAT traversal; AH cannot be made to work)

  18. Problems with NAPT • Servers that must receive connections on a particular well-known port can only be run on one machine, the one that owns that public port in the NAPT mapping (a port-forwarding entry in the translation table)

  19. Problems with NAPT • P2P applications require a server to run on each peer, but unsolicited inbound packets match no NAPT table entry, therefore P2P applications will break unless extraordinary measures are taken (each peer first connects out to a machine outside the local net, the P2P connection is then set up through that machine, which defeats the protection the NAT gave: hole punching)
