COMS W4995-1
Lecture 8
NAT, DHCP & Firewalls
Outline

- Network Address Translation (NAT)
- Dynamic Host Configuration Protocol (DHCP)
- Firewalls
- Typical application domains where we use them
Network Address Translation: a hack

- A hack to fix the IP address depletion problem.
- Breaks the end-to-end argument.
- NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network.
- But it became a standard: RFC 1631 - The IP Network Address Translator (NAT).
- Provides a form of security by acting as a firewall.
- Typical users: home users and small companies.
- Is there any other solution to the IP address problem?
Basic operation of NAT

[Figure: a host in the private network (private address 10.0.1.2) sends a datagram with Source = 10.0.1.2 and Destination = 64.236.24.4 (the public host). The NAT device rewrites the source to its public address 128.143.71.21 before forwarding the datagram to the Internet; the reply arrives with Destination = 128.143.71.21 and is rewritten back to the private address. The NAT device holds a translation table of private address <-> public address.]

- The NAT device stores the address and port translation tables.
- In this example we mapped only addresses.
Private Network

- A private IP network is an IP network with private IP addresses. (Can it be connected directly to the Internet?)
- IP addresses in a private network can be assigned arbitrarily, but they are usually picked from the reserved pool. (Can we use any?)
- Not registered and not guaranteed to be globally unique.
- Question: how is a public IP address assigned?
- Generally, private networks use addresses from the following experimental address ranges (non-routable addresses):
  - 10.0.0.0 – 10.255.255.255
  - 172.16.0.0 – 172.31.255.255
  - 192.168.0.0 – 192.168.255.255
Main uses of NAT

- Pooling of IP addresses
- Supporting migration between network service providers
- IP masquerading and internal firewall
- Load balancing of servers
Pooling of IP addresses

- Scenario: a corporate network has many hosts but only a small number of public IP addresses.
- NAT solution:
  - The corporate network is managed with a private address space.
  - The NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses.
  - When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool and binds this address to the private address of the host.
Pooling of IP addresses

[Figure: the host with private address 10.0.1.2 sends a datagram with Source = 10.0.1.2, Destination = 64.236.24.4. The NAT device takes the public address 128.143.71.21 from its pool, binds it to 10.0.1.2 and forwards the datagram with Source = 128.143.71.21, Destination = 64.236.24.4 to the public host. Translation table: private address 10.0.1.2 <-> public address 128.143.71.21.]
Supporting migration between network service providers

- Scenario: in practice (using CIDR), the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device has address translation entries which bind the private address of a host to the public address.
  - Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network.
Supporting migration between network service providers

[Figure, before migration: ISP 1 allocates the address block 128.14.71.0/24 to the private network. The host sends Source = 10.0.1.2, Destination = 213.168.112.3; the NAT device forwards it as Source = 128.14.71.21, Destination = 213.168.112.3. Translation table: private address 10.0.1.2 <-> public address 128.14.71.21.]

[Figure, after migration: ISP 2 allocates the address block 150.140.4.0/24 to the private network and the ISP 1 block 128.14.71.0/24 is no longer used. The host still sends Source = 10.0.1.2, Destination = 213.168.112.3; the NAT device now forwards it as Source = 150.140.4.120, Destination = 213.168.112.3. Translation table: private address 10.0.1.2 <-> public address 150.140.4.120 (previously 128.14.71.21). Only the NAT device entry changed.]
IP masquerading

- Also called: network address and port translation (NAPT), port address translation (PAT).
- Scenario: a single public IP address is mapped to multiple hosts in a private network.
- NAT solution:
  - Assign private addresses to the hosts of the corporate network.
  - The NAT device modifies the port numbers for outgoing traffic.
IP masquerading

[Figure: Host 1 (private address 10.0.1.2) sends with Source = 10.0.1.2, Source port = 2001; Host 2 (private address 10.0.1.3) sends with Source = 10.0.1.3, Source port = 3020. The NAT device rewrites both to the single public address and assigns new port numbers before forwarding to the Internet. Translation table (private address/port <-> public address/port): 10.0.1.2/2001 <-> 128.143.71.21/80; 10.0.1.3/3020 <-> 128.143.71.21/4444.]
Load balancing of servers

- Scenario: balance the load on a set of identical servers, which are accessible from a single IP address.
- NAT solution:
  - Here, the servers are assigned private addresses.
  - The NAT device acts as a proxy for requests to the server from the public network.
  - The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server.
  - A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion.
Load balancing of servers

[Figure: the private (inside) network holds servers S1 = 10.0.1.2, S2 = 10.0.1.3 and S3 = 10.0.1.4 behind a NAT device whose public address is 128.59.71.21. Requests from the public hosts 64.30.4.120 and 101.248.22.3 arrive at the public address and the NAT device rewrites the destination to one of the servers. Translation table (private address / public address / public host): 10.0.1.2 / 128.59.71.21 / 64.30.4.120; 10.0.1.4 / 128.59.71.21 / 101.248.22.3.]
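As an added example (not code from the lecture), the following Python simulates the two translation tables shown on the IP masquerading and load balancing slides: a masquerading table that rewrites source address and port and drops unsolicited inbound datagrams, and a round-robin DNAT table that binds each client to a server. Packets are plain dicts; the port pool and server order are constructed for the example.

```python
"""Simulator of the two NAT tables on the slides: IP masquerading (NAPT,
source rewrite) and round-robin DNAT load balancing.
Added example, not from the lecture; packets are plain dicts."""
from itertools import count, cycle


class Masquerade:
    """Many private hosts share one public address, told apart by port."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.out_map = {}                # (priv_ip, priv_port) -> public port
        self.in_map = {}                 # public port -> (priv_ip, priv_port)
        self._ports = count(first_port)  # constructed port pool, never reused

    def outbound(self, pkt):
        """Rewrite source address/port of a datagram leaving the private net."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out_map:      # first datagram of a flow: allocate
            port = next(self._ports)
            self.out_map[key] = port
            self.in_map[port] = key
        return dict(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """Translate a reply back, or return None (dropped) when no flow
        matches: this is why a public host cannot initiate contact inward."""
        if pkt["dst"] != self.public_ip:
            return None
        key = self.in_map.get(pkt["dport"])
        if key is None:
            return None
        return dict(pkt, dst=key[0], dport=key[1])


class RoundRobinDnat:
    """One public address in front of identical servers on private addresses."""
    def __init__(self, public_ip, servers):
        self.public_ip = public_ip
        self._next = cycle(servers)
        self.table = {}                  # (client_ip, client_port) -> server

    def inbound(self, pkt):
        """Send each new client to the next server; keep that binding after."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.table:
            self.table[key] = next(self._next)
        return dict(pkt, dst=self.table[key])

    def outbound(self, pkt):
        """Server reply: restore the public address so clients see one server."""
        return dict(pkt, src=self.public_ip)
```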
Concerns about NAT

- Performance:
  - Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum.
  - Modifying the port number requires that NAT boxes recalculate the TCP checksum.
- Fragmentation:
  - Care must be taken that a datagram that is fragmented before it reaches the NAT device is not assigned a different IP address or different port numbers for each of the fragments.
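Added example (not from the lecture) of the checksum work the performance concern refers to: an IPv4 header checksum computed from scratch, and the RFC 1624 incremental update a NAT box can apply instead when it rewrites the source address. The header field values are constructed for the example.

```python
"""IPv4 header checksum handling when a NAT box rewrites the source address.
Added example, not from the lecture; header values are constructed."""
import socket
import struct

IPV4 = "!BBHHHBBH4s4s"   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def fold(total: int) -> int:
    """Fold carries back in so the value fits 16 bits (one's-complement add)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:                      # odd length: pad with a zero byte
        data += b"\x00"
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))


def ip_checksum(header: bytes) -> int:
    """Checksum of a header whose checksum field is currently zero."""
    return (~ones_complement_sum(header)) & 0xFFFF


def checksum_ok(header: bytes) -> bool:
    """A received header verifies when the sum over all its words is 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624: HC' = ~(~HC + ~m + m'); no need to re-read the whole header."""
    total = ((~old_csum) & 0xFFFF) + ((~old_word) & 0xFFFF) + new_word
    return (~fold(total)) & 0xFFFF


def build_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4/TCP header (TTL 64) with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, 6, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IPV4, *fields))
    return struct.pack(IPV4, *fields)


def snat_rewrite(header: bytes, new_src: str) -> bytes:
    """Rewrite the source address and patch the checksum one 16-bit word at a
    time, as a NAT box does on every translated datagram."""
    csum = struct.unpack("!H", header[10:12])[0]
    old, new = header[12:16], socket.inet_aton(new_src)
    for i in (0, 2):
        csum = incremental_checksum(csum, struct.unpack("!H", old[i:i + 2])[0],
                                    struct.unpack("!H", new[i:i + 2])[0])
    return header[:10] + struct.pack("!H", csum) + new + header[16:]
```

The TCP and UDP checksums cover a pseudo-header containing both addresses, so the same incremental update must also be applied to the transport checksum whenever NAT changes an address or port.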
Concerns about NAT

- End-to-end connectivity:
  - NAT destroys universal end-to-end reachability of hosts on the Internet.
  - A host in the public Internet often cannot initiate communication to a host in a private network.
  - The problem is worse when two hosts that are in a private network need to communicate with each other.
NAT and FTP

[Figure: normal FTP operation]

[Figure: NAT device with FTP support]

[Figure: FTP in passive mode and NAT]
Configuring NAT in Linux

- Linux uses the Netfilter/iptables kernel package.

[Figure: Netfilter packet flow. An incoming datagram first passes the nat PREROUTING chain (DNAT). If the destination is local, it passes the filter INPUT chain and goes to the application; if not, it passes the filter FORWARD chain. A datagram from a local application passes the nat OUTPUT chain and then the filter OUTPUT chain. Both forwarded and locally generated datagrams pass the nat POSTROUTING chain (SNAT) before leaving as outgoing datagrams.]
Configuring NAT with iptables

- First example (one private address mapped to one public address):
  iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.16.71.21

- Pooling of IP addresses (source addresses taken from a range):
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.16.71.0-128.16.71.30

- IP masquerading (use the address of the outgoing interface eth1):
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE

- Load balancing (destination rewritten to one of the servers in the range; as written this matches every datagram arriving on eth1, so in practice it is restricted to the service port with -p tcp --dport):
  iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4
Dynamic Host Configuration Protocol (DHCP)

Dynamic assignment of IP addresses

- Dynamic assignment of IP addresses is desirable for several reasons:
  - IP addresses are assigned on demand.
  - Avoids manual IP configuration.
  - Supports mobility of laptops.
  - Wireless networking and home NATs.
- No static IP means that we have to depend on DNS for the packet routing:
  - Use of a DDNS (Dynamic DNS) entry.
  - Free sites on the Internet offer that service.
Dynamic Host Configuration Protocol (DHCP)

- Designed in 1993.
- Requires a server and free IP address space.
- Supports temporary allocation ("leases") of IP addresses.
- A DHCP client can acquire all IP configuration parameters.
- Any potential security risks?
- Can we use something that can prevent unauthorized users?
DHCP Interaction (simplified)

[Figure: the host Argon (MAC address 00:a0:24:71:e4:44) sends a DHCP Request carrying its MAC address to 255.255.255.255. The DHCP server answers with a DHCP Response: IP address 128.16.23.144, Default gateway 128.16.23.1, Netmask 255.255.0.0. Argon is then configured with 128.16.23.144.]
DHCP Message Format

[Figure: fields of the DHCP message, in wire order]
- OpCode
- Hardware Type
- Hardware Address Length
- Hop Count
- Transaction ID
- Number of Seconds
- Unused (in BOOTP) / Flags (in DHCP)
- Client IP address
- Your IP address
- Server IP address
- Gateway IP address
- Client hardware address (16 bytes)
- Server host name (64 bytes)
- Boot file name (128 bytes)
- Options (there are >100 different options)
DHCP

- OpCode: 1 (Request), 2 (Reply). Note: the DHCP message type is sent in an option.
- Hardware Type: 1 (for Ethernet).
- Hardware address length: 6 (for Ethernet).
- Hop count: set to 0 by the client.
- Transaction ID: integer (used to match a reply to its request).
- Seconds: number of seconds since the client started to boot.
- Client IP address, Your IP address, Server IP address, Gateway IP address, Client hardware address, Server host name, Boot file name: the client fills in the information that it has and leaves the rest blank.
DHCP Message Type

- The message type is sent as an option.

Value | Message Type
------|-------------
1     | DHCPDISCOVER
2     | DHCPOFFER
3     | DHCPREQUEST
4     | DHCPDECLINE
5     | DHCPACK
6     | DHCPNAK
7     | DHCPRELEASE
8     | DHCPINFORM
DHCP operations

[Figure: message exchange between client and server]
- Client, Src: 0.0.0.0, 68; Dest: 255.255.255.255, 67
  DHCPDISCOVER, Yiaddr: 0.0.0.0, Transaction ID: 654
- Server, Src: 128.195.31.1, 67; Dest: 255.255.255.255, 68
  DHCPOFFER, Yiaddr: 128.59.20.147, Transaction ID: 654, Server ID: 128.59.18.1, Lifetime: 3600 secs
- Client, Src: 0.0.0.0, 68; Dest: 255.255.255.255, 67
  DHCPREQUEST, Yiaddr: 128.59.20.147, Transaction ID: 655, Server ID: 128.195.31.1, Lifetime: 3600 secs
- Server, Src: 128.59.18.1, 67; Dest: 255.255.255.255, 68
  DHCPACK, Yiaddr: 128.59.20.147, Transaction ID: 655, Server ID: 128.59.18.1, Lifetime: 3600 secs
More on DHCP operations

- A client may receive DHCP offers from multiple servers.
- The DHCPREQUEST message accepts the offer from one server.
- Other servers that receive this message consider it a decline.
- A client can use its address after receiving DHCPACK.
- DHCP replies can be unicast, depending on the implementation.
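Added example (not from the lecture) that builds and parses messages in the format shown on the DHCP Message Format slide, using the DHCPDISCOVER/DHCPOFFER values from the DHCP operations slide. The magic cookie and the option codes 53 (message type), 54 (server identifier) and 51 (lease time) come from RFC 2131, not from the slides.

```python
"""Build and parse DHCP messages in the layout of the slide.
Added example, not from the lecture; layout per RFC 2131."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"            # cookie that precedes the options field
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr (16), sname (64), file (128): 236 bytes in total
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK",
             7: "DHCPRELEASE", 8: "DHCPINFORM"}


def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", siaddr="0.0.0.0",
          giaddr="0.0.0.0", server_id=None, lease=None):
    """Wire bytes of one DHCP message over Ethernet (htype 1, hlen 6)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0,
                        socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
                        socket.inet_aton(siaddr), socket.inet_aton(giaddr),
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([53, 1, msg_type])                          # message type
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)  # server identifier
    if lease:
        opts += bytes([51, 4]) + struct.pack("!I", lease)     # lease time (secs)
    return fixed + MAGIC + opts + b"\xff"                    # 255 ends options


def parse(msg):
    """Decode the fixed fields and the options a client needs from an offer."""
    f = struct.unpack(FIXED, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:                    # walk TLV options
        if msg[i] == 0:                                      # 0 = pad, no length
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    out = {"op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3], "xid": f[4],
           "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
           "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
           "chaddr": ":".join("%02x" % b for b in f[11][:f[2]]),
           "msg_type": MSG_TYPES.get(opts[53][0]) if 53 in opts else None}
    if 54 in opts:
        out["server_id"] = socket.inet_ntoa(opts[54])
    if 51 in opts:
        out["lease"] = struct.unpack("!I", opts[51])[0]
    return out
```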
DHCP relay agent

[Figure: a relay agent with address 128.16.41.1 sits between the client's subnet and the DHCP server 128.16.31.10 (router address 128.16.31.1 shown on the server side).]
- Client broadcast, Src: 0.0.0.0, 68; Dest: 255.255.255.255, 67; Giaddr: 0; DHCPDISCOVER
- Relayed by the agent, Src: 0.0.0.0, 68; Dest: 255.255.255.255, 67; Giaddr: 128.16.41.1; DHCPDISCOVER
- Server to relay agent, Src: 128.16.31.10, 67; Dest: 128.16.41.1, 67; Giaddr: 128.16.41.1; DHCPOFFER
- Relay agent broadcast, Src: 128.16.41.1, 67; Dest: 255.255.255.255, 68; Giaddr: 128.16.41.1; DHCPOFFER
- ……
History of DHCP

- Three protocols:
  - RARP (until 1985, no longer used)
  - BOOTP (1985-1993)
  - DHCP (since 1993)
  - Secure DHCP – not a standard yet…
- Only DHCP is widely used today.
Solutions for dynamic assignment of IP addresses

- Reverse Address Resolution Protocol (RARP)
  - RARP is no longer used.
  - Works similarly to ARP.
  - Broadcast a request for the IP address associated with a given MAC address.
  - The RARP server responds with an IP address.
  - Only assigns the IP address (not the default router and subnet mask).

[Figure: ARP maps an IP address (32 bit) to an Ethernet MAC address (48 bit); RARP maps in the reverse direction, from the MAC address to the IP address.]
BOOTP

- BOOTstrap Protocol (BOOTP)
  - A host can configure its IP parameters at boot time.
  - 3 services:
    - IP address assignment.
    - Detection of the IP address of a serving machine.
    - The name of a file to be loaded and executed by the client machine (boot file name).
  - Not only assigns the IP address, but also the default router, network mask, etc.
  - Sent as UDP messages (UDP port 67 (server) and 68 (host)).
  - Uses the limited broadcast address (255.255.255.255): datagrams to this address are never forwarded by routers.
BOOTP Interaction

[Figure: (a) the host Argon (MAC address 00:a0:24:71:e4:44) sends a BOOTP Request carrying its MAC address to 255.255.255.255. (b) The BOOTP server answers with a BOOTP Response: IP address 128.143.137.144, Server IP address 128.143.137.100, Boot file name: filename. (c) Argon is then configured with 128.143.137.144.]

- BOOTP can be used for downloading a memory image for diskless workstations.
- Assignment of IP addresses to hosts is static.
Lab errata

- In Figure 7.1, the private network interface of Router2 should be labeled with IP address "10.0.1.1/24" (instead of 10.0.0.1/24).
Firewalls (Slides to be added)