Chapter 30 Private Networks, Virtual Private Networks, and Network Address Translation

Outline
- PRIVATE NETWORKS
- VIRTUAL PRIVATE NETWORKS (VPN)
- NETWORK ADDRESS TRANSLATION (NAT)

30.1 PRIVATE NETWORKS
The McGraw-Hill Companies, Inc., 2000

Private Networks
- Designed to be used inside an organization
- Intranet
  - A private network (LAN) that uses the TCP/IP protocol suite
  - However, access to the private network is limited to users inside the organization
- Extranet
  - The same as an intranet, with one major difference
  - Some resources may be accessed by specific groups of users outside the organization, under the control of the network administrators
  - For example, a university can allow distance-learning students access to the computer lab after their passwords have been checked

Addressing
- A private network obtains its IP addresses by one of the following three methods
- The network can apply for a set of addresses from the Internet authorities and use them without being connected to the Internet
  - Advantage: easy when the organization later decides to connect to the global Internet
  - Disadvantage: the address space is wasted
- The network can use any set of addresses without registering with the Internet authorities
  - Because the network is isolated, the addresses do not have to be unique
  - Drawback: users might mistakenly confuse the addresses with part of the global network

Addressing (Cont.)
- The Internet authorities have reserved three sets of addresses to overcome the problems of the previous two strategies
  - Usable without permission from the Internet authorities
  - Everybody knows that these reserved addresses are for private networks
  - Unique inside the organization, but not unique globally
  - No router will forward a packet that has one of these addresses as the destination address

Addresses for Private Networks
  Prefix        Range                            Total
  10/8          10.0.0.0 ~ 10.255.255.255        2^24
  172.16/12     172.16.0.0 ~ 172.31.255.255      2^20
  192.168/16    192.168.0.0 ~ 192.168.255.255    2^16

30.2 VIRTUAL PRIVATE NETWORKS (VPN)

Virtual Private Networks (VPN)
- Use the global Internet for both intra- and inter-organization communication
- But require privacy in their intra-organization communication

How to Achieve Privacy
- Three strategies: private networks, hybrid networks, and virtual private networks

Private Networks
- An organization that needs privacy when routing information inside the organization can use a private network
- Small organization with one single site
  - Can use an isolated LAN
  - Data in the organization remains entirely inside the organization, secure from outsiders
- Large organization with several sites
  - The LANs at different sites can be connected using routers and leased lines
  - Thus, the network is made out of private LANs and private WANs
Figure 30-1 Private Network with Large Organization

Private Networks (Cont.)
- Thus, the organization has created a private internet that is totally isolated from the global Internet
- There is no need for the organization to apply for IP addresses from the Internet authorities
- Because the internet is private, duplication of its addresses by another organization in the global Internet is not a problem

Hybrid Network
- However, the above scenario does not allow the organization to be connected to the global Internet
- Solution: hybrid network
  - Allows an organization to have its own private internet
    - Intra-organization data is routed through the private network
  - And allows access to the global Internet
    - Inter-organization data is routed through the global Internet
Figure 30-2 Hybrid Network

Virtual Private Networks
- Both private and hybrid networks have a major drawback: cost
  - Private wide area networks are expensive
  - To connect several sites, an organization needs several leased lines
- Goal: use the global Internet for both private and public communication
- Solution: virtual private network (VPN)

Virtual Private Networks (Cont.)
- A VPN creates a network that is private but virtual
  - Private: it guarantees privacy inside an organization
  - Virtual: it does not use real private WANs
- The network is physically public but virtually private
Figure 30-3 Virtual Private Network

VPN Technology
- A VPN uses two simultaneous technologies to guarantee privacy for an organization
  - IPSec
  - Tunneling

IPSec
- Discussed in Chapter 29
- A virtual private network can use either AH or ESP for authentication and privacy

Tunneling
- Each IP datagram destined for private use in the organization must be encapsulated in another datagram
- The inner datagram carries the actual source and destination addresses
- The outer datagram header carries the source and destination addresses of the two routers, i.e., R1 and R2
Figure 30-4 Tunneling

Tunneling (Cont.)
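To make the two-header structure concrete, here is an added Python example (not from the slides) that builds the outer datagram the way R1 does and strips it the way R2 does, using the IP-in-IP protocol number 4 and a real IPv4 header checksum so R2 can reject a damaged or misdirected outer header. It leaves out the IPSec encryption of the inner datagram (Chapter 29); the function names are the example's own.

```python
import struct
from ipaddress import ip_address

IPPROTO_IPIP = 4   # "IP in IP": tells R2 that the payload is itself a whole IP datagram

def header_checksum(hdr: bytes) -> int:
    # One's-complement sum of the 16-bit words; a header with a valid checksum sums to zero
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Version 4, IHL 5 (20-byte header, no options), TTL 64; checksum is filled in afterwards
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(dgram: bytes):
    ihl = (dgram[0] & 0x0F) * 4
    if header_checksum(dgram[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    src, dst = str(ip_address(dgram[12:16])), str(ip_address(dgram[16:20]))
    return src, dst, dgram[9], dgram[ihl:]          # (source, destination, protocol, payload)

def r1_encapsulate(inner: bytes, r1: str, r2: str) -> bytes:
    # R1 wraps the private datagram; only R1 and R2 are visible on the outer header
    return build_ipv4(r1, r2, IPPROTO_IPIP, inner)

def r2_decapsulate(outer: bytes, r2: str) -> bytes:
    src, dst, proto, payload = parse_ipv4(outer)
    if dst != r2 or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel datagram addressed to this router")
    return payload    # the inner datagram, with its private addresses intact
```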
- Note that the entire IP datagram must first be encrypted and then encapsulated
  - R1 encrypts the datagram
  - R2 decrypts the datagram
Figure 30-5 Addressing in a VPN

30.3 NETWORK ADDRESS TRANSLATION (NAT)

Network Address Translation (NAT)
- Allows
  - A set of private addresses for internal communication
  - A set of (at least one) global Internet addresses for communication with another site
- From the next slide
  - The private network uses private addresses
  - The NAT router uses one private address and one global address
  - The rest of the Internet sees only the NAT router, with the address 200.24.5.8
Figure 30-6 NAT

Address Translation
- NAT
  - Replaces the source address of all outgoing packets with the global NAT address
  - Replaces the destination address of all incoming packets with the appropriate private address
Figure 30-7 Address Translation

Translation Table
- Used by the NAT router to derive the destination address for a packet coming from the Internet
- Three cases
  - Using one IP address
  - Using a pool of IP addresses
  - Using both IP addresses and port numbers

Using One IP Address
- The translation table has only two columns
  - The private address
  - The external address (destination address of the packet)
- When the router translates the source address of the outgoing packet
  - It also makes a note of the destination address, where the packet is going
Figure 30-8 Translation

Using One IP Address (Cont.)
- Communication must always be initiated by the private network
- Thus, a private network cannot run a server program for clients outside its network if it is using NAT technology

Using a Pool of IP Addresses
- Using only one global address allows only one private-network host to access the same external host
- Solution: use a pool of IP addresses
- For example, if the NAT router can use four addresses
  - Four private-network hosts can communicate with the same external host at the same time

Using a Pool of IP Addresses (Cont.)
- Drawbacks
  - No more than four connections can be made to the same destination
  - No private-network host can access two external server programs (e.g., HTTP and TELNET) at the same time
  - Two private-network hosts cannot access the same external server program at the same time

Using Both IP Addresses and Port Numbers
- To allow a many-to-many relationship between private-network hosts and external server programs
  - We need more information in the translation table
- When the response comes back, the combination of source address (25.8.3.2) and destination port number (1400) defines the private-network host

Five-Column Translation Table
  Private Address   Private Port   External Address   External Port   Transport Protocol
  172.18.3.1        1400           25.8.3.2           80              TCP
  172.15.3.2        1401           25.8.3.2           80              TCP
  …                 …              …                  …               …

Using Both IP Addresses and Port Numbers
- Thus, for this translation to work, the temporary port numbers (1400 and 1401) must be unique

NAT and ISP
- An ISP that serves dial-up customers can use NAT technology to conserve addresses
- For example, an ISP is granted 1000 addresses
  - But has 100,000 customers
- The ISP can divide the customers into 1000 groups
  - Each group is a private network
Figure 30-9 An ISP and NAT
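As an added Python example (not from the slides), here is a small model of the five-column translation table: outbound packets from a reserved private address get the global address 200.24.5.8 as their source, a row is recorded, and a reply is matched on its source address and destination port; a reply with no row is dropped, which is the mechanism behind "communication must always be initiated by the private network". It goes one step beyond the slides by allocating a fresh temporary port when a second host picks a port already in the table, which is how the uniqueness requirement is met in practice; the Packet tuple, class and function names are the example's own.

```python
import ipaddress
from collections import namedtuple

# The three reserved blocks from the "Addresses for Private Networks" table
PRIVATE_BLOCKS = tuple(ipaddress.ip_network(p)
                       for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

# Constructed stand-in for the address/port fields of an IP + TCP/UDP header
Packet = namedtuple("Packet", "src sport dst dport proto", defaults=("TCP",))

class PortNat:
    def __init__(self, global_addr: str, first_temp_port: int = 1400):
        self.global_addr = global_addr
        self.next_temp = first_temp_port
        self.bound = {}  # (private addr, private port, proto) -> temporary port seen outside
        self.rows = {}   # (external addr, temporary port, proto) -> (private addr, private port, external port)

    def outbound(self, pkt):
        if not is_private(pkt.src):
            return None          # only hosts on the private side are translated
        key = (pkt.src, pkt.sport, pkt.proto)
        temp = self.bound.get(key)
        if temp is None:
            in_use = set(self.bound.values())
            # keep the host's own port when free; otherwise allocate a unique temporary port
            temp = pkt.sport if pkt.sport not in in_use else self._fresh_port(in_use)
            self.bound[key] = temp
        self.rows[(pkt.dst, temp, pkt.proto)] = (pkt.src, pkt.sport, pkt.dport)
        return pkt._replace(src=self.global_addr, sport=temp)

    def _fresh_port(self, in_use):
        while self.next_temp in in_use:
            self.next_temp += 1
        self.next_temp += 1
        return self.next_temp - 1

    def inbound(self, pkt):
        # The reply's source address and destination (temporary) port select the table row
        row = self.rows.get((pkt.src, pkt.dport, pkt.proto))
        if row is None or pkt.dst != self.global_addr or pkt.sport != row[2]:
            return None          # no row: traffic not initiated from inside is dropped
        priv_addr, priv_port, _ = row
        return pkt._replace(dst=priv_addr, dport=priv_port)
```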