• We have been viewing the Internet as a collection of interconnected networks
• In reality, many organizations have private internets interconnected by the Internet
[Figure: Organization A’s private network and Organization B’s private network, each connected to the Internet]
• A collection of interconnected networks:
• Problem: privacy
[Figure: Site 1 of Organization A and Site 2 of Organization A, connected through the Internet]
• A private network
– an isolated TCP/IP internet separate from the Internet
– Can use arbitrary IP addresses (usually private IPs)
[Figure: Organization A’s private network alongside the Internet]
• A hybrid network:
– Use globally valid IP addresses
– Internal hosts can communicate with hosts on the Internet
– Communications among internal hosts are private
• A Virtual Private Network (VPN):
– Communication between any pair of computers in the VPN remains private
– Virtual – uses the Internet to carry traffic from one part of the VPN to another
[Figure: VPN tunnel across the Internet between Site 1 of Organization A and Site 2 of Organization A]
• How it works:
– Tunneling: agreement by two routers to exchange datagrams
• IP-in-IP encapsulation
– Encryption: the encapsulated datagram is scrambled so that intermediate hosts/routers cannot read it
• A hybrid network
• The VPN tunnel replaces the leased circuit
• Example: a datagram from 128.10.2.0 to 128.210.0.0:
– Sent to R2, then R1, then tunneled to R3, then R4
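The tunneling step above (IP-in-IP encapsulation between R1 and R3) can be made concrete in code. The following Python is an added example, not from the slides: it builds a minimal IPv4 datagram from a constructed host in 128.10.2.0 to a constructed host in 128.210.0.0, wraps it in an outer datagram whose source and destination are the tunnel routers, and unwraps it at the far end. The router addresses 192.0.2.1 and 198.51.100.1 are constructed placeholders for R1 and R3; the encryption step the slide mentions is omitted here, so only the encapsulation is shown.

```python
import struct
import ipaddress

# Protocol numbers carried in the IPv4 header "protocol" field
IPPROTO_IPIP = 4    # IP-in-IP: the outer datagram's payload is another IP datagram
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over a header (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0) -> bytes:
    """Build a minimal IPv4 datagram: 20-byte header without options, then payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, ident, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    # The checksum is computed with its own field zeroed, then patched in at offset 10
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) after verifying the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:ihl]
    if checksum(hdr) != 0:          # a valid header sums to zero including its checksum field
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[ihl:total_len])


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry (R1 in the slide): the whole inner datagram becomes the payload
    of an outer datagram addressed from this router to the far end of the tunnel."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, this_router: str) -> bytes:
    """Tunnel exit (R3 in the slide): strip the outer header and return the original datagram."""
    _, dst, proto, payload = parse_ipv4(outer)
    if dst != this_router or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel datagram addressed to this router")
    return payload


def tunnel_demo():
    """Walk one datagram through the tunnel; returns (outer, recovered_inner, original_inner)."""
    # Constructed hosts inside the two site prefixes named on the slide
    inner = build_ipv4("128.10.2.5", "128.210.0.9", IPPROTO_UDP, b"hello", ident=1)
    # Constructed globally valid addresses standing in for tunnel endpoints R1 and R3
    r1, r3 = "192.0.2.1", "198.51.100.1"
    outer = encapsulate(inner, r1, r3)
    # Routers between R1 and R3 only see the outer header (r1 -> r3, protocol 4)
    recovered = decapsulate(outer, r3)
    return outer, recovered, inner


if __name__ == "__main__":
    outer, recovered, inner = tunnel_demo()
    print("outer header:", parse_ipv4(outer)[:3])
    print("inner header:", parse_ipv4(recovered)[:3])
    print("round trip intact:", recovered == inner)
```

Intermediate routers forward on the outer header alone, which is why the private site addresses never have to be routable on the Internet; in a VPN the inner datagram would be encrypted before encapsulation so that those routers cannot read it either.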
• VPN can be used to create a distributed private network:
– Internal hosts are isolated from Internet
– Hosts can be assigned private addresses
– Each site needs one globally valid IP address for tunneling
• Internal hosts can communicate with hosts on the Internet
• Communications among internal hosts are private
• How to make it work?
• An application gateway is a program that acts as a middleman for a particular service
• Typically runs on a multi-homed host that is the gateway between internal hosts and the Internet
– Internal hosts send requests to the application gateway
– Application gateway passes the request to the destination host
– Destination host sends reply to the application gateway
– Application gateway passes reply to originating internal host
• Advantage:
– Does not require changes to:
• The network infrastructure
• The addressing scheme
• Disadvantage:
– Not general:
• Each application gateway handles a specific service
• A different application gateway program is required for each different service
• Network Address Translation (NAT) is software that translates addresses in incoming and outgoing datagrams
– P = private address
– G = globally-valid IP address
[Figure: Organization A’s private network (private address P) connected through the NAT box (globally valid address G) to the Internet]
• The NAT box acts as a middleman between internal and external hosts:
– Outgoing datagrams:
• Source IP address is replaced with G
– Incoming datagrams:
• Destination IP address is replaced with the private IP address of the correct host
– How does the NAT box know which is the “correct” host when it receives a reply from an external host?
• The NAT software maintains a translation table that tells it what internal hosts are communicating with what external hosts
External IP Address    Internal IP Address
134.126.24.210         10.1.0.1
134.126.14.32          10.1.0.3
134.126.8.7            10.2.0.2
134.126.43.111         10.1.0.8
• When a datagram arrives from 134.126.14.32, the destination address should be translated to 10.1.0.3
• How (and when) are entries placed in the translation table?
– Manually
• Good: permanent mappings, connections can originate either inside or outside
• Bad: difficult to maintain
– During translation of outgoing datagrams
• Good: automatic
• Bad: external hosts cannot initiate connections
– In response to an incoming name lookup
• Good:
– Automatic
– External hosts can initiate connections
• Bad
– Requires modification to DNS server software
– External hosts must perform a name lookup prior to sending datagrams to internal hosts
• What if two different internal hosts want to communicate with the same external host (134.126.24.210)?
– Not clear which one to send replies to:
External IP Address    Internal IP Address
134.126.24.210         10.1.0.1
134.126.14.32          10.1.0.3
134.126.24.210         10.2.0.2
134.126.43.111         10.1.0.8
• Network Address Port Translation (NAPT) expands the table to include additional fields:
• Note: two internal hosts (10.0.0.5 and 10.0.0.1) are both accessing port 80 on 128.10.19.20
– NAPT translates both addresses and ports to avoid ambiguity
• Note: both the IP address and the port number are translated:
– Datagrams from port 21023 on 10.0.0.5 are sent to 128.10.19.20 as if they came from port 14003 on the NAT box
– Replies from 128.10.19.20 to port 14003 on the NAT box are forwarded to 10.0.0.5
– Datagrams from port 386 on 10.0.0.1 are sent to 128.10.19.20 as if they came from port 14010 on the NAT box
– Replies from 128.10.19.20 to port 14010 on the NAT box are forwarded to 10.0.0.1
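The address-only table, the ambiguity that arises when two internal hosts talk to the same external host, and the NAPT fix can all be exercised in a few lines. The Python below is an added example, not from the slides: `BasicNat` keeps the external-to-internal table from the earlier slide and refuses the second mapping to 134.126.24.210, while `Napt` keeps per-flow rows keyed on addresses and ports and hands each flow one of the NAT box's own ports. The global address 203.0.113.1, the external host 198.51.100.7 and the port pool are constructed; ports are allocated sequentially, so the second flow receives 14004 rather than the 14010 shown on the slide.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class BasicNat:
    """Address-only NAT: the table maps an external host to the one internal host
    talking to it, so the NAT box can rewrite the destination of replies."""
    global_ip: str                                          # G, the box's globally valid address
    table: Dict[str, str] = field(default_factory=dict)     # external IP -> internal IP

    def outgoing(self, internal_ip: str, external_ip: str) -> Tuple[str, str]:
        """Row is created during translation of an outgoing datagram; returns the
        rewritten (source, destination) pair as seen on the Internet."""
        current = self.table.get(external_ip)
        if current is not None and current != internal_ip:
            # Two internal hosts talking to the same external host: replies from that
            # host could belong to either, so the address-only table cannot cope.
            raise LookupError(f"{external_ip} already mapped to {current}")
        self.table[external_ip] = internal_ip
        return (self.global_ip, external_ip)

    def incoming(self, external_ip: str) -> Optional[str]:
        """Reply from external_ip: destination G is replaced by the internal host, if known."""
        return self.table.get(external_ip)


@dataclass
class Napt:
    """NAPT: each row also records ports, and the NAT box lends the flow one of its
    own port numbers, so many internal hosts can share G and one external service."""
    global_ip: str
    next_port: int = 14000                                  # constructed start of the NAT port pool
    # (internal IP, internal port, external IP, external port) -> NAT port
    out_table: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # (NAT port, external IP, external port) -> (internal IP, internal port)
    in_table: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outgoing(self, int_ip: str, int_port: int, ext_ip: str, ext_port: int):
        """Rewrite source address and port; reuse the row if this flow already has one."""
        key = (int_ip, int_port, ext_ip, ext_port)
        nat_port = self.out_table.get(key)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.out_table[key] = nat_port
            self.in_table[(nat_port, ext_ip, ext_port)] = (int_ip, int_port)
        return (self.global_ip, nat_port, ext_ip, ext_port)

    def incoming(self, ext_ip: str, ext_port: int, nat_port: int) -> Optional[Tuple[str, int]]:
        """Reply addressed to (G, nat_port): find the internal host and port it belongs to.
        None means no internal host opened this flow, so an external host cannot initiate."""
        return self.in_table.get((nat_port, ext_ip, ext_port))


def nat_ambiguity_demo() -> bool:
    """True if the address-only table refuses a second internal host to 134.126.24.210."""
    nat = BasicNat("203.0.113.1")                           # constructed G
    nat.outgoing("10.1.0.1", "134.126.24.210")
    try:
        nat.outgoing("10.2.0.2", "134.126.24.210")
    except LookupError:
        return True
    return False


def napt_demo():
    """Both slide hosts reach port 80 on 128.10.19.20 through one G without ambiguity."""
    napt = Napt("203.0.113.1", next_port=14003)             # constructed G and pool start
    a = napt.outgoing("10.0.0.5", 21023, "128.10.19.20", 80)
    b = napt.outgoing("10.0.0.1", 386, "128.10.19.20", 80)
    reply_a = napt.incoming("128.10.19.20", 80, a[1])
    reply_b = napt.incoming("128.10.19.20", 80, b[1])
    # Constructed external host trying to initiate to G:14003 - no row exists, so it is dropped
    unsolicited = napt.incoming("198.51.100.7", 80, 14003)
    return a, b, reply_a, reply_b, unsolicited


if __name__ == "__main__":
    print("address-only NAT ambiguous:", nat_ambiguity_demo())
    for item in napt_demo():
        print(item)
```

The `in_table` lookup keys on the external address and port as well as the NAT port, which is what lets the box drop datagrams that no internal host solicited; that is the same property the earlier slide lists as "external hosts cannot initiate connections" when rows are created only during outgoing translation.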
• Advantages:
– General: internal hosts can access an arbitrary service on an external host
– Transparent to internal and external hosts
– Helps conserve IP addresses
– Shields internal host IP addresses
• Disadvantage:
– Interaction with higher-layer protocols
• ICMP
• FTP
• A Virtual Private Network (VPN) sends data across the Internet, but encrypts intersite transmissions to guarantee privacy
• Network Address Translation (NAT) provides transparent IP-level access to the Internet from a host with a private address
– There are variants of NAT, including Network Address Port Translation (NAPT), which translates protocol port numbers as well as IP addresses