COMS/CSEE 4140
Networking Laboratory
Lecture 08
Salman Abdul Baset
Spring 2008
Announcements
Prelab 7 and Lab report 6 due next week before
your lab slot
 Assignment 3 due next week Monday
 Project groups

2
Last time…
Interconnection devices (hub, bridge/switch,
router)
 Bridges/LAN switches vs. routers
 Bridge concepts, PDU
 Spanning tree algorithm
 Linux packet reception

3
Agenda
Private network and addresses
 NAT (Network Address Translator)





Basic operation
Issues (binding, filtering, state maintenance)
Main uses of NAT
Dynamic Host Configuration Protocol (DHCP)
4
Private Network

Private IP network is an IP network with private IP
addresses

IP addresses in a private network can be assigned
arbitrarily but they are usually picked from the reserved
pool (can we use any?)


Not registered and not guaranteed to be globally unique
Generally, private networks use addresses from the
following experimental address ranges (non-routable
addresses):



10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
5
Private Addresses
H1
10.0.1.2
H3
H2
H4
10.0.1.2
10.0.1.3
10.0.1.1
10.0.1.3
10.0.1.1
Private network 1
Private network 1
Internet
R1
128.195.4.119
128.143.71.21
R2
213.168.112.3
H5
6
Network Address Translator

A hack to fix the IP address depletion problem.


Breaks the End-to-End argument.



NAT is a router function where IP addresses (and possibly port
numbers) of IP datagrams are replaced at the boundary of a private
network.
RFC 1631 - The IP Network Address Translator (NAT)
Not an Internet standard (RFC 3700) but…
Provides a form of security by acting as a firewall


Home users
Small companies
Other solutions to the IP address problem are?
7
Basic Operation of NAT
•Private Network
•Source
•Destination
= 10.0.1.2
= 64.236.24.4
•Source
•Destination
•private address: 10.0.1.2
•public address: 128.143.71.21
•Host

128.143.71.21
= 10.0.1.2
= 64.236.24.4
•Source
•Destination
= 128.143.71.21
= 64.236.24.4
NAT
Device
= 64.236.24.4
•Source
•Destination = 128.59.16.21
10.0.0.2
Private
Address
Public
Address
10.0.1.1
128.59.16.21
= 64.236.24.4
•Source
•Destination = 128.59.16.21
Public Host
64.236.24.4
NAT device stores the address and port translation tables
(Binding)


= 64.236.24.4
•Source
•Destination = 10.0.0.2
•Internet
In the this example we mapped only addresses.
NAT devices filters incoming traffic (Filtering)
8
NAT Issues

Private-to-public address mapping




State maintenance


Static NAT
Dynamic NAT
Overloading (NAPT or PAT)
Linux: /proc/net/ip_conntrack
Binding and Filtering Behavior


Binding: endpoint-independent, address dependent,
address and port-dependent
Filtering: endpoint-independent filtering, address
dependent filtering, address and port-dependent
filtering.
9
Static mapping
Dynamic mapping
NAPT/PAT
10
Binding: Endpoint-independent
IPaddr: Y1
IPaddr: X1
X1:x1 Y1:y1
X1:x1 Y1:y2
X1:x1 Z1:z1
X1:x1 Z1:z2
Endpoint-independent
mapping
NAT
N1:n1Y1:y1
N1:n1 Y1:y2
N1:n1 Z1:z1
N1:n1 Z1:z2
IPaddr: Z1
11
Binding: Address-dependent
IPaddr: Y1
IPaddr: X1
X1:x1 Y1:y1
X1:x1 Y1:y2
X1:x1 Z1:z1
X1:x1 Z1:z2
Address-dependent
mapping
NAT
N1:n1 Y1:y1
N1:n1 Y1:y2
N1:n2 Z1:z1
N1:n2 Z1:z2
IPaddr: Z1
12
Binding: Address and port dependent
IPaddr: Y1
IPaddr: X1
X1:x1 Y1:y1
X1:x1 Y1:y2
X1:x1 Z1:z1
X1:x1 Z1:z2
NAT
Address and port
dependent
IPaddr: Z1
N1:n1 Y1:y1
N1:n2 Y1:y2
N1:n3 Z1:z1
N1:n4 Z1:z2
13
Filtering: Endpoint-independent
X1:x1 N1:n1 Y1:y1
IPaddr: X1
IPaddr: Y1
Y1:y2 N1:n1
Z1:z1 N1:n1
NAT
IPaddr: Z1
14
Filtering: Address-dependent
(1) X1:x1 N1:n1 Y1:y1
IPaddr: Y1
IPaddr: X1
Y1:y2 N1:n1
Z1:z1 N1:n1
NAT
IPaddr: Z1
15
Filtering: Address and port dependent
(1) X1:x1 N1:n1 Y1:y1
IPaddr: X1
IPaddr: Y1
Y1:y1 N1:n1
Y1:y2 N1:n1
Z1:z1 N1:n1
NAT
IPaddr: Z1
16
NAT Issues


Port preserving
Hair pinning
IPaddr: X1
IPaddr: X2
NAT

Discovering binding
lifetime
17
Main uses of NAT
 Pooling
of IP addresses
 Supporting
migration between network
service providers
 IP
masquerading and internal firewall
 Load
balancing of servers
18
Pooling of IP addresses

Scenario: Corporate network has many hosts but only a
small number of public IP addresses.

NAT solution:

Corporate network is managed with a private address space.

NAT device, located at the boundary between the corporate
network and the public Internet, manages a pool of public IP
addresses.

When a host from the corporate network sends an IP datagram
to a host in the public Internet, the NAT device picks a public IP
address from the address pool, and binds this address to the
private address of the host.
19
Pooling of IP addresses
•Private Network
•Source
•Destination
= 10.0.1.2
= 64.236.24.4
•Source
•Destination
•private address: 10.0.1.2
•public address: 128.143.71.21
•Internet
128.143.71.21
= 10.0.1.2
= 64.236.24.4
•Source
•Destination
= 128.143.71.21
= 64.236.24.4
NAT
Device
•Host
Private
Address
Public
Address
10.0.1.2
128.59.16.21
Public Host
64.236.24.4
20
Supporting migration between network
service providers

Scenario: In practice (using CIDR), the IP addresses in
a corporate network are obtained from the service
provider. Changing the service provider requires
changing all IP addresses in the network.

NAT solution:



Assign private addresses to the hosts of the corporate network
NAT device has address translation entries which bind the
private address of a host to the public address.
Migration to a new network service provider merely requires an
update of the NAT device. The migration is not noticeable to the
hosts on the network.
21
Supporting migration between network
service providers
Source
= 128.14.71.21
Destination = 213.168.112.3
Source
= 10.0.1.2
Destination = 213.168.112.3
private address:
public address:
10.0.1.2
128.14.71.21
ISP 1
allocates address
block
128.14.71.0/24 to
private network:
128.14.71.21
Host
NAT
device
Private network
Private
Address
10.0.1.2
Public
Address
128.14.71.21
22
Supporting migration between network
service providers
Source
= 10.0.1.2
Destination = 213.168.112.3
private address:
public address:
10.0.1.2
128.14.71.21
150.140.4.120
128.14.71.21
150.140.4.120
X
ISP 1
allocates address
block
128.14.71.0/24 to
private network:
Host
NAT
device
Private network
Source
= 150.140.4.120
Destination = 213.168.112.3
Private
Address
Public
Address
10.0.1.2
128.14.71.21
150.140.4.120
ISP 2
allocates address block
150.140.4.0/24 to
private network:
23
IP masquerading
Also called: Network address and port
translation (NAPT), port address
translation (PAT).
 Scenario: Single public IP address is mapped
to multiple hosts in a private network.


NAT solution:


Assign private addresses to the hosts of the corporate
network
NAT device modifies the port numbers for outgoing
24
traffic
IP masquerading
Source
= 10.0.1.2
Source port = 2001
Source
= 128.59.71.21
Source port = 80
private address: 10.0.1.2
NAT device
Internet
Host 2
10.0.0.1
128.16.71.21
private address: 10.0.1.3
Host 1
Source
= 10.0.1.3
Source port = 3020
Source
= 128.59.71.21
Destination = 4444
Private network
Private
Address
Public
Address
10.0.1.2/2001
128.143.71.21/80
10.0.1.3/3020
128.143.71.21/4444
25
Load balancing of servers
Scenario: Balance the load on a set of identical
servers, which are accessible from a single IP
address
 NAT solution:





Here, the servers are assigned private addresses
NAT device acts as a proxy for requests to the server
from the public network
The NAT device changes the destination IP address of
arriving packets to one of the private addresses for a
server
A sensible strategy for balancing the load of the
servers is to assign the addresses of the servers in a
26
round-robin fashion.
Load balancing of servers
10.0.1.2
S1
Sou
Des rce
tina
tion = 64.
= 10 30.4.1
20
.0.1
.2
Source
= 64.30.4.120
Destination = 128.16.71.21
Source
= 101.248.22.3
Destination = 128.16.71.21
Internet
128.59.71.21
10.0.1.3
S2
10.0.1.4
rce
n
Sou tinatio
s
De
3
22.
48 .
2
.
01
= 1 .0.1.4
0
=1
S3
Private network
When does this work?
When does this fail?
NAT
device
Inside network
Outside network
Private
Address
Public
Address
Public
Address
10.0.1.2
128.59.71.21
64.30.4.120
10.0.1.4
128.59.71.21
101.248.22.3
27
Concerns about NAT

Performance



Modifying the IP header by changing the IP address
requires that NAT boxes recalculate the IP header
checksum.
Modifying port number requires that NAT boxes
recalculate TCP checksum.
Fragmentation

Care must be taken that a datagram that is
fragmented before it reaches the NAT device, is not
assigned a different IP address or different port
numbers for each of the fragments.
28
Concerns about NAT
 End-to-end




connectivity
NAT destroys universal end-to-end reachability of
hosts on the Internet.
A host in the public Internet often cannot initiate
communication to a host in a private network.
The problem is worse, when two hosts that are in a
private network need to communicate with each
other.
NAT and applications

NAT break applications such as file transfer, VoIP
29
NAT and FTP

Normal FTP operation
30
NAT and FTP
Private network
FTP client
private address: 10.0.1.3
public address: 128.143.72.21
Internet
FTP server
NAT
device
H1
H2
PORT 10.0.1.3/1027
PORT 128.143.72.21/1027
200 PORT command successful
200 PORT command successful
RETR myfile
RETR myfile
150 Opening data connection

NAT device without FTP support
31
NAT and FTP
Private network
FTP client
private address: 10.0.1.3
public address: 128.143.72.21
Internet
FTP server
NAT
device
H1

H2
PORT 10.0.1.3/1027
PORT 128.143.72.21/1027
200 PORT command successful
200 PORT command successful
RETR myfile
RETR myfile
150 Opening data connection
150 Opening data connection
establish data connection
establish data connection
NAT device with FTP support
32
Configuring NAT/firewall in Linux
iptables
 Table (queue)



Filter, NAT, Mangle
Chain


Place within the table where firewall/NAT rules are
placed.
Packets pass through chains where tables are looked
up and a decision per packet is made.
33
Configuring NAT/firewall in Linux
Queue Type
Queue
Function
Packet transformation
chain
Chain Function
Filter
Packet filtering
FORWARD
Packets being forwarded
INPUT
Packets destined for firewall
OUTPUT
Packets originating from
firewall
PREROUTING
Address translation occurs
before routing (DNAT)
POSTROUTING
Address translation occurs after
routing (SNAT)
OUTPUT
Address translation for packets
generated by firewall
PREROUTING
POSTROUTING
OUTPUT INPUT
FORWARD
Modification of TCP quality of
service bits before routing
NAT
Mangle
Network
address
translation
TCP header
modification
34
Source: http://www.linuxhomenetworking.com/wiki/index.php/Q
uick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables#What_Is_iptables.3F
35
Configuring NAT in Linux

Linux uses
the Netfilter/iptableFromKernel
package
To application
application
filter
INPUT
nat
OUTPUT
filter
OUTPUT
Yes
Destination
is local?
nat
PREROUTING
(DNAT)
No
filter
FORWARD
nat
POSTROUTING
(SNAT)
36
Incoming
datagram
Outgoing
datagram
Configuring NAT with iptables

First example:
iptables –t nat –A POSTROUTING –s 10.0.1.2
–j SNAT --to-source 128.16.71.21

Pooling of IP addresses:
iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–j SNAT --to-source 128.16.71.0–128.16.71.30

IP masquerading:
iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–o eth1 –j MASQUERADE

Load balancing:
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to37
destination 10.0.1.2-10.0.1.4
Agenda
Private network and addresses
 NAT (Network Address Translator)





Basic operation
Issues (binding, filtering, state maintenance)
Main uses of NAT
Dynamic Host Configuration Protocol (DHCP)
38
Dynamic Assignment of IP
addresses

Dynamic assignment of IP addresses is desirable
for several reasons:



IP addresses are assigned on-demand
Avoid manual IP configuration
Support mobility of laptops / handheld WiFi devices
39
Solutions for dynamic assignment of IP
addresses

Reverse Address Resolution Protocol
(RARP)




Works similar to ARP
Broadcast a request for the IP address associated
with a given MAC address
RARP server responds with an IP address
Only assigns IP address (not the default router
and subnet mask)
IP address
(32 bit)
ARP
RARP
Why not a good solution?
Ethernet MAC
address
(48 bit)
40
BOOTP (RFC 951)

BOOTstrap Protocol (BOOTP)



Predecessor of DHCP
Host can configure its IP parameters at boot time.
Three services






IP address assignment.
Detection of the IP address for a serving machine.
The name of a file to be loaded and executed by the client machine
(boot file name)
Not only assign IP address, but also default router, network
mask, etc.
Sent as UDP messages (UDP Port 67 (server) and 68 (host))
Use limited broadcast address (255.255.255.255):

These addresses are never forwarded
41
DHCP

Dynamic Host Configuration Protocol
(DHCP)




From 1993
An extension of BOOTP, very similar to DHCP
Same port numbers as BOOTP
Extensions:




Supports temporary allocation (“leases”) of IP addresses
DHCP client can acquire all IP configuration parameters
needed to operate
DHCP is the preferred mechanism for dynamic
assignment of IP addresses
DHCP can interoperate with BOOTP clients.
42
DHCP Interaction (simplified)
Argon
128.143.137.144
00:a0:24:71:e4:44
DHCP Server
DHCP Response:
IP address: 128.143.137.144
Default gateway: 128.143.137.1
Netmask: 255.255.0.0
43
BOOTP/DHCP Message Format
OpCode
Hardware Type
Number of Seconds
Hardware Address
Hop Count
Length
Unused (in BOOTP)
Flags (in DHCP)
Transaction ID
Client IP address
Your IP address
Server IP address
Gateway IP address
Client hardware address (16 bytes)
Server host name (64 bytes)
Boot file name (128 bytes)
Options
44
(There are >100 different options !!!)
BOOTP/DHCP

OpCode: 1 (Request), 2(Reply)
Note: DHCP message type is sent in an option






Hardware Type: 1 (for Ethernet)
Hardware address length: 6 (for Ethernet)
Hop count: set to 0 by client
Transaction ID: Integer (used to match reply to response)
Seconds: number of seconds since the client started to boot
Client IP address, Your IP address, server IP address,
Gateway IP address, client hardware address, server host
name, boot file name:
client fills in the information that it has, leaves rest blank
45
DHCP Message Type

Message type is sent as an
option.
Value
Message Type
1
DHCPDISCOVER
2
DHCPOFFER
3
DHCPREQUEST
4
DHCPDECLINE
5
DHCPACK
6
DHCPNAK
7
DHCPRELEASE
8
DHCPINFORM
46
Other options (selection)

Other DHCP information that is sent as an
option:
Subnet Mask, Name Server, Hostname, Domain
Name, Forward On/Off, Default IP TTL,
Broadcast Address, Static Route, Ethernet
Encapsulation, X Window Manager, X Window
Font, DHCP Msg Type, DHCP Renewal Time,
DHCP Rebinding, Time SMTP-Server, SMTPServer, Client FQDN, Printer Name, …
47
DHCP Operation
DHCP Client
00:a0:24:71:e4:44
DHCP Server
DHCPDISCOVER
Sent to 255.255.255.255

DHCP DISCOVER
DHCP Server
DHCP Client
00:a0:24:71:e4:44

DHCP OFFER
DHCPOFFER
DHCP Server
DHCPOFFER
DHCP Server
48
DHCP Operation
DHCP Client
00:a0:24:71:e4:44
DHCP Server
DHCPREQUEST

DHCP DISCOVER
DHCPACK
At this time, the DHCP
client can start to use the
IP address
DHCP Server
DHCP Client
00:a0:24:71:e4:44
DHCP Server
DHCPREQUEST
Renewing a Lease
(sent when 50% of lease
has expired)
If DHCP server sends
DHCPNACK, then
address is released.

DHCPACK
DHCP Server
49
DHCP Operation
DHCP Client
00:a0:24:71:e4:44
DHCP Server
DHCPRELEASE

DCHP RELEASE
At this time, the DHCP
client has released the IP
address
DHCP Server
50