Recall Chapter 3: Figure 3.2 We need an addressing system that separately identifies the destination network and the destination host so that routers can forward on basis of destination network. Each network needs a distinct network address. 1 Recall Chapter 4: every physical network has to have its own unique IPv4 network address (class A, B, or C) Figure 4.1 The classful system is rigid and wasteful of the IP address space. With the advent of Local Area Networks and growth of the Internet, it became clear that the IPv4 address space would “soon” become exhausted. Efforts to utilize the IPv4 address space more efficiently and delay exhaustion: ► 1987 subnetting (chapter 9A) ► 1993 supernetting (chapter 9B) ► 2000 network address translation (chapter 19) 2 Chapter 9 – Classless and Subnet Address Extensions (CIDR) 9.3 Minimizing Network Numbers We have been assuming that every physical network had its own class A, B, or C IP network prefix. UAB has class B network address 138.26.0.0 But there is clearly more than one physical network on campus! 9.5 Subnet Addressing This became a required part of IP in 1987. Individual sites have the freedom to modify addresses and routes as long as the modifications remain invisible to other sites. A site can choose to use IP addresses in unusual ways internally as long as: ► all hosts and routers at the site agree to honor the site’s addressing scheme; ► other sites on the Internet can treat addresses as a network prefix and a host suffix. 3 9.5 Subnet Addressing - continued Example: Site with class B address 128.10.0.0 has two physical networks - subnets Figure 9.2 Only router R knows that there are multiple physical networks at the site and how to forward traffic among them; all other routers in the Internet forward traffic as if there were a single physical network at the site. 4 9.5 Subnet Addressing - continued In this example the local site has chosen to use the third octet of the address to distinguish between the two networks. “Subnetting on the basis of the 3rd octet” 5 9.5 Subnet Addressing – continued Relationship to original “classful” addressing system Original classful IP addressing subnet With subnet addressing Figure 9.3 Hierarchical routing: Routers in other autonomous systems use only the Internet part; Routers within this autonomous system also use the additional octet; Final delivery to host also uses the remaining octet. 6 9.6 Flexibility in Subnet Assignment Subnetting on the basis of the third octet is not the only possibility. Consider this intranet: Figure 9.4 Need 5 subnets - How could subnet addressing be performed? 7 9.6 Flexibility in Subnet Assignment – continued The number of bits allocated to the subnet can be chosen to fit the situation. Slice up the pie for a class-B address: 8 Figure 9.4 In this example, allocating 3 bits would allow 6 subnets (23 – 2), each with up to 8190 (213 – 2) hosts. ( -2 because we do not assign all-zeros or all-1s to hosts or subnets) 9 9.8 Implementation of Subnets with Masks The division of the 32-bit IP address for subnetting is controlled by the 32-bit subnet mask or address mask For example, subnetting on the basis of the third octet is represented by 11111111 11111111 11111111 00000000 Network + subnet part Host part We use dotted decimal notation to represent this as 255 . 255 . 255 . 0 To extract the (network + subnet) part of an IP destination address (as needed for routing within intranet): <destination IP address> .AND. <subnet mask> 10 Recall from chapter 7 – Forwarding IP Datagrams: Figure 7.2 11 9.11 The Subnet Forwarding Algorithm Before subnetting, the rows of the routing table contained duples <destination network address> <next hop> We extracted the destination network address from the 32-bit datagram destination address by looking at the first 1, 2, or 3 bits, to identify if the destination host was connected to a class A, B, or C network. With subnetting it is no longer possible for internal routers to deduce the destination network address on the basis of the datagram destination address alone. We have to expand our routing table rows to triples <address mask> <destination network address> <next hop> and revise the forwarding algorithm used in the intranet. 12 9.12 A Unified Forwarding Algorithm Recall the Chapter 7 forwarding algorithm: Before subnetting we could determine N from destination IP address alone Figure 7.3 This algorithm has to be modified to account for subnetting. 13 9.12 A Unified Forwarding Algorithm – continued This also needs to be ANDed with the address mask New step Figure 9.7 Only the internal routers have to be modified, since subnetting is invisible to outsiders. 14 9.12 A Unified Forwarding Algorithm Recall the Chapter 7 forwarding algorithm: Figure 7.3 What happened to these special cases? 15 9.12 A Unified Forwarding Algorithm – continued What happened to the special cases in figure 7.3? Host-specific route: use address mask 255.255.255.255 Default route: use address mask 0 . 0 . 0 . 0 with destination network address 0 . 0 . 0 . 0 table row will be <address mask> <destination network address> <next hop> 0.0.0.0 0.0.0.0 next hop for default route (because any ID ANDed with 0 . 0 . 0 . 0 gives 0 . 0 . 0 . 0) Default route must be last row in forwarding table. 16 Class B address 138.26.0.0 .254 All subnet masks 255.255.255.0 .253 138.26.1.0 .252 .1 .254 138.26.2.0 138.26.3.0 .253 Figure 9.4 .252 17 9.13 Maintenance of Subnet Masks Subnet masks are assigned by the network administrator. 18 9.14 Broadcasting to Subnets Recall special forms of IP address from chapter 4: Figure 4.4 Following this, we interpret an IP address <network part> <subnet part> 111…11 as indicating broadcast to all hosts on <subnet> 19 9.15 Anonymous Point-to-Point Networks A typical situation for a router in a wide-area network is that once an exit interface has been chosen, there is only one possible destination. In this situation we don’t need to waste an IP network prefix and don’t need to ARP. 20 9.15 Anonymous Point-to-Point Networks - continued Figure 9.8(b) routing table in R1 There is no need for a “next hop” – the exit interface is sufficient. 21 Chapter 19 – Private Network Connection (NAT, VPN) 19.6 Network Address Translation Like subnetting, NAT was motivated by a shortage of IPv4 addresses NAT provides IP-level access between hosts at a site and the rest of the Internet, without requiring each host at the site to have a globally-valid IP address (can use private, non-unique addresses eg. 192.168.1.1 ) Allows an internal host to access service on an external computer. The site must have a single router, with at least one globally-valid IP address, G, connecting to the Internet. This router runs the NAT software. All datagrams pass through the “NAT box” on their way to or from the Internet. 22 NAT Outgoing datagrams: NAT replaces the (private) source address with G 23 NAT Reply datagram will arrive at G - how does router/NAT know which internal host should receive the datagram? NAT maintains a translation table that it uses to perform the mapping. Entry in table: IP address of the external server, IP address of internal client NAT converts destination address G to private address 192.168.1.1 24 and forwards the datagram. 19.7 NAT Translation Table Creation How is the translation table constructed? 3 possibilities: ► Manual Initialization ► Outgoing Datagrams this is the “classic” method – when datagram arrives at the internal NAT interface, the router records the (internal) source address and the (external) destination address. This method does not allow contact to be initiated from outside (may not be a bad thing – security) ► Incoming Name Lookups table is built as a side-effect of handling incoming DNS lookups (possible only if organization is running a DNS server and is willing to have external access). 25 19.7 NAT Translation Table Creation – continued “Outgoing datagram” method popular among ISPs Figure 19.4 26 19.8 Multi-Address NAT Problem: What if two internal hosts are accessing the same external server at the same time? Translation table, with entries IP address of the external server, IP address of internal client will be ambiguous. First idea: NAT box has a set of globally-valid IP addresses, G1 .. GK Up to K internal clients can access the same server at the same time. 27 19.9 Port-Mapped NAT Network Address and Port Translation (NAPT) is a better solution. Outgoing datagrams: NAPT substitutes both source IP address and source port. Inside client Outside server Figure 19.5 - reduced 28 29 19.9 Port-Mapped NAT - continued Since ports are 16-bit quantities, NAPT allows up to 216 internal client to access the same external server at the same time. In our implementation in the lab, the NAT box does not substitute a source port unless two internal clients accidentally choose the same random client port number. 30 Transport NAPT gets router involved in layer 4! (looking inside “data” in IP datagram, not just header) 31 19.10 Interaction between NAPT and ICMP NAPT uses the port number to identify the client. ICMP is layer 3, so does not have a port number. So how can PING, or ICMP error messages, work through a NAT box? 32 19.10 Interaction between NAPT and ICMP – continued PING What does the NAT box do? 33 19.10 Interaction between NAT and ICMP – continued Format for echo request/ echo reply: Although there is no port number that can be used, there is the IDENTIFIER field. This contains a 16-bit number chosen randomly by the requestor. RFC 2663 states that this is used by NAT, in place of a port number, to route the echo reply back to the requestor over the intranet. 34 19.10 Interaction between NAT and ICMP – continued What about ICMP error messages, such as “destination unreachable”? Situation with NO NAPT Outer IP Datagram Inner IP Datagram 35 19.10 Interaction between NAT and ICMP – continued IP: source = G, dest = W IP: source = S, dest = W TCP: source port = y, dest = 80 TCP: source port = x, dest =80 G,W,y,80 ↔ S,W,x,80 IP: source = R, dest = G IP: source = R, dest = S ICMP type ICMP, Not TCP! 3 ICMP type 3 Inner datagram Inner datagram IP: source = G, dest = W IP: source = S, dest = W TCP: source port = y, dest = 80 TCP: source port = x, dest = 80 Have this! Need this! 36 19.10 Interaction between NAT and ICMP – continued Inner Datagram NAPT has to “drill down” into inner datagram to retrieve source port y, and original destination W, then do table lookup to find that the ICMP message should be forwarded to S. 37 19.10 Interaction between NAT and ICMP – continued Before forwarding the ICMP “destination unreachable” message to the sender of the original datagram, NAT must translate the addresses in the ICMP message so that they are exactly the same as in the original datagram. Then recompute the checksum in the ICMP header, then recompute the checksum in the outer IP datagram header. 38 19.10 Interaction between NAT and ICMP – continued To provide a meaningful ICMP “destination unreachable” to the original sender of the datagram, the NAT box must: ► Translate the source address in the “inner” datagram ► Translate the source port in the “inner” datagram ► Recompute the header checksum in the “inner” datagram ► Recompute the ICMP header checksum ► translate the destination IP address in the “outer” header ► Recompute the header checksum in the “outer” header. 39 19.11 Interaction between NAT and Applications Applications cause problems if they send IP addresses or protocol ports as data. e.g. FTP (active mode): Frame from Ethereal trace captur2a.ftp Frame 25 Ethernet II Internet Protocol Protocol: TCP (0x06) Header checksum: 0xb213 (correct) Source: 192.168.1.1 (FTP Client) Destination: 192.168.1.2 (FTP Server) Transmission Control Protocol Source port: 1388 Destination port: ftp (21) File Transfer Protocol (FTP) Request: PORT Request Arg: 192,168,1,1,5,109 [Port information transmitted in ASCII] 40 19.11 Interaction between NAT and Applications - continued NAT Active mode FTP does not work with NAT for internal client, external server, 41 FTP message Transport Fixing FTP in active mode would require the router to “drill down” all the way to the FTP message. 42 19.11 Interaction between NAT and Applications - continued NAT FTP in passive does work between internal client and external server (confirmed by RFC 2663) 43 19.12 NAT in the Presence of Fragmentation NAPT cannot work with fragmented datagrams, since only the first fragment will contain the TCP or UDP header, with the port numbers. 44 19.13 Conceptual Address Domains “We have described NAT as a technology that can be used to connect a private network to the global internet. In fact, NAT can be used to connect any two address domains.” This leads to multiple levels of NAT. 45 19.13 Conceptual Address Domains continued 46 19.14 Slirp and iptables iptables supports packet rewriting and firewalling. We use iptables in lab session #5 to construct packet filters. NAT or NAPT can be constructed using iptables rules. 47