Announcements. I am not Kurtis. CSE 461 University of Washington 2

Transcription

1 Network Layer

2 Announcements I am not Kurtis CSE 461 University of Washington 2

3 Dividing Up The Tasks Within A Layer Every layer (besides the physical layer) has two types of messages CSE 461 University of Washington 3

4 Dividing Up The Tasks Within A Layer Every layer (besides the physical layer) has two types of messages Control Messages: Setup/maintain the layer Examples: Routing, link sensing, link maintenance Data Messages: Actually do useful work (send data from higher layers) CSE 461 University of Washington 4

5 Revisiting The Spanning Tree Which messages are in the control plane? A,A,0 C,A,1 B,A,2 Which links are used for control plane? Which links are used for data plane? E,A,1 D,A,2 F,A,3 CSE 461 University of Washington 5

6 Revisiting The Spanning Tree Which messages are in the control plane? STP messages (A,A,0) A,A,0 C,A,1 B,A,2 Which links are used for control plane? All of them! Which links are used for data plane? Just the spanning tree E,A,1 D,A,2 F,A,3 CSE 461 University of Washington 6

7 Revisiting The Networking Stack Application Transport Network Link Physical Control Data CSE 461 University of Washington 7

8 Revisiting The Networking Stack Application Transport Network Link Physical Control Spanning Tree RTS/CTS Data Ethernet Frames Electrical Signals Radio Waves CSE 461 University of Washington 8

9 Encapsulation Is Always Data-Plane Network Control Data Link Spanning Tree RTS/CTS Ethernet Frames Physical Electrical Signals Radio Waves CSE 461 University of Washington 9

10 Encapsulation Is Always Data-Plane Network Control Data Link Spanning Tree RTS/CTS Ethernet Frames Physical Electrical Signals Radio Waves CSE 461 University of Washington 10

11 Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 11

12 Network Layer How to connect different link layer networks Routing as the primary concern Application Transport Network Link Physical CSE 461 University of Washington 12

13 Why do we need a Network layer? We can already build networks with links and switches and send frames between hosts CSE 461 University of Washington 13

14 Shortcomings of Switches 1. Don t scale to large networks Blow up of routing table, broadcast Table for all destinations in the world! Broadcast new destinations to the whole world! CSE 461 University of Washington 14

15 Shortcomings of Switches (2) 2. Don t work across more than one link layer technology Hosts on Ethernet + 3G Can we play too? Go away! CSE 461 University of Washington 15

16 Shortcomings of Switches (3) 3. Don t give much traffic control Want to plan routes / bandwidth That was lame. CSE 461 University of Washington 16

17 Network Layer Approach Scaling: Hierarchy, in the form of prefixes Heterogeneity: IP for internetworking Bandwidth Control: Lowest-cost routing Later QOS (Quality of Service) CSE 461 University of Washington 17

18 Topics Network service models Datagrams (packets), virtual circuits IP (Internet Protocol) Internetworking Forwarding (Longest Matching Prefix) Helpers: ARP and DHCP Fragmentation and MTU discovery Errors: ICMP (traceroute!) IPv6, scaling IP to the world NAT, and middleboxes Routing Algorithms CSE 461 University of Washington 18

19 Routing vs. Forwarding Routing is the process of deciding in which direction to send traffic Network wide (global) and expensive Which way? Which way? Which way? CSE 461 University of Washington 19

20 Routing vs. Forwarding (2) Forwarding is the process of sending a packet Node process (local) and fast Forward! packet CSE 461 University of Washington 20

21 Networking Services

22 Service Models What kind of service does the Network layer provide to the Transport layer? How is it implemented at routers? Service? What s he talking about? CSE 461 University of Washington 22

23 Two Network Service Models Datagrams, or connectionless service Like postal letters (IP as an example) Virtual circuits, or connection-oriented service Like a telephone call CSE 461 University of Washington 23

24 Store-and-Forward Packet Switching Both models are implemented with store-andforward packet switching Routers receive a complete packet, storing it temporarily if necessary before forwarding it onwards We use statistical multiplexing to share link bandwidth over time CSE 461 University of Washington 24

25 Store-and-Forward (2) Switching element has internal buffering for contention Input Output Input Buffer Fabric Output Buffer CSE 461 University of Washington 25

26 Store-and-Forward (3) Simplified view with per port output buffering Buffer is typically a FIFO (First In First Out) queue If full, packets are discarded (congestion, later) Router = Router (FIFO) Queue Queued Packets CSE 461 University of Washington 26

27 Datagram Model Packets contain a destination address; each router uses it to forward packets, maybe on different paths ISP s equipment CSE 461 University of Washington 27

28 Datagram Model (2) Each router has a forwarding table called the FIB The FIB is keyed by address and maps to an address Gives next hop for each destination address; may change A s table (initially) A s table (later) C s Table E s Table B B CSE 461 University of Washington 28

29 IP (Internet Protocol) Network layer of the Internet, uses datagrams (next) IPv4 carries 32 bit addresses on each packet (often 1.5 KB) Payload (e.g., TCP segment) 29

30 Virtual Circuit Model Three phases: 1. Connection establishment, circuit is set up Path is chosen, circuit information stored in routers 2. Data transfer, circuit is used Packets are forwarded along the path 3. Connection teardown, circuit is deleted Circuit information is removed from routers Just like a telephone circuit, but virtual in that no bandwidth need be reserved; statistical sharing of links CSE 461 University of Washington 30

31 Virtual Circuits Packets contain a short label to identify the circuit Labels don t have global meaning, only unique for a link ISP s equipment CSE 461 University of Washington 31

32 Virtual Circuits (2) Each router has a FIB keyed by circuit number Gives output line and next label to place on packet Circuit #1 H F A s table C s Table E s Table 5 5 H3 1 Circuit # F CSE 461 University of Washington 32

33 MPLS (Multi-Protocol Label Switching, 5.6.5) A virtual-circuit like technology widely used by ISPs ISP sets up circuits inside their backbone ahead of time ISP adds MPLS label to IP packet at ingress, undo at egress CSE 461 University of Washington 33

34 Datagrams vs Virtual Circuits Complementary strengths Issue Datagrams Virtual Circuits Setup phase Not needed Required Router state Per destination Per connection Routing Per packet Per circuit Addresses Packet carries full address Packet carries short label Failures Easier to mask Difficult to mask Quality of service Difficult to add Easier to add CSE 461 University of Washington 34

35 Internetworking (IP)

36 Topic How do we connect different networks together? This is called internetworking We ll look at how IP does it Hi there! Hi yourself CSE 461 University of Washington 36

37 How Networks May Differ Basically, in a lot of ways: Service model (datagrams, VCs) Addressing (what kind) QOS (priorities, no priorities) Packet sizes Security (whether encrypted) Internetworking hides the differences with a common protocol. (Uh oh.) CSE 461 University of Washington 37

38 Connecting Datagram and VC networks An example to show that it s not so easy Need to map destination address to a VC and vice-versa A bit of a road bump, e.g., might have to set up a VC Bump! Bump! CSE 461 University of Washington 38

39 Internetworking Cerf and Kahn Pioneers: Cerf and Kahn Fathers of the Internet In 1974, later led to TCP/IP Tackled the problems of interconnecting networks Instead of mandating a single network technology Vint Cerf Bob Kahn 2009 IEEE CSE 461 University of Washington 39

40 Internet Reference Model Internet Protocol (IP) is the narrow waist Supports many different links below and apps above 4. Application 3. Transport 2. Internet SMTP HTTP RTP DNS TCP IP UDP 1. Link Ethernet Cable DSL 3G

41 IP as a Lowest Common Denominator Suppose only some networks support QOS or security etc. Difficult for internetwork to support Pushes IP to be a lowest common denominator Asks little of lower-layer networks Gives little as a higher layer service CSE 461 University of Washington 41

42 IPv4 (Internet Protocol) Various fields to meet straightforward needs Version, Header (IHL), Total length, Protocol, and Header Checksum Payload (e.g., TCP segment) 42

43 IPv4 (2) Some fields to handle packet size differences (later) Identification, Fragment offset, Fragment control bits Payload (e.g., TCP segment) 43

44 IPv4 (3) Other fields to meet other needs (later, later) Differentiated Services, Time to live (TTL) Later, with QOS Later, with ICMP Payload (e.g., TCP segment) 44

45 IPv4 (4) Network layer of the Internet, uses datagrams Provides a layer of addressing above link addresses (next) Payload (e.g., TCP segment) 45

46 IP Addresses IPv4 uses 32-bit addresses Later we ll see IPv6, which uses 128-bit addresses Written in dotted quad notation Four 8-bit numbers separated by dots 8 bits 8 bits 8 bits 8 bits aaaaaaaabbbbbbbbccccccccdddddddd A.B.C.D CSE 461 University of Washington 46

47 IP Prefixes Addresses are allocated in blocks called prefixes Addresses in an L-bit prefix have the same top L bits There are 2 32-L addresses aligned on 2 32-L boundary CSE 461 University of Washington 47

48 IP Prefixes (2) Written in IP address/length notation Address is lowest address in the prefix, length is prefix bits E.g., /16 is to So a /24 ( slash 24 ) is 256 addresses, and a /32 is one address xxxxxxxx /??? /16 CSE 461 University of Washington 48

49 Classful IP Addressing Originally, IP addresses came in fixed size blocks with the class/size encoded in the high-order bits 10 They still do, but the classes are now ignored bits 0 Class A, 2 24 addresses 110 Network portion Host portion Class B, 2 16 addresses Class C, 2 8 addresses CSE 461 University of Washington 49

50 Classful IP Addressing This is an ARPANet assignment.

51 IP Forwarding Addresses on one network belong to a unique prefix Node uses a table that lists the next hop for prefixes Prefix Next Hop /19 D /22 B A B C D CSE 461 University of Washington 51

52 Longest Matching Prefix Prefixes in the table might overlap! Combines hierarchy with flexibility Longest matching prefix forwarding rule: For each packet, find the longest prefix that contains the destination address, i.e., the most specific entry Forward the packet to the next hop router for that prefix CSE 461 University of Washington 52

53 Longest Matching Prefix (2) Prefix à à à Next Hop /22 B /18 D / More specific /22 IP address CSE 461 University of Washington 53

54 IP Address Work Slide: Route to B = xx.xxxxxxxx Route to D = xxxxxx.xxxxxxxx = = =

55 Longest Matching Prefix (2) Prefix Next Hop /22 B /18 D à D à B à??? / More specific /22 IP address CSE 461 University of Washington 55

56 Longest Matching Prefix (3) Prefix Next Hop /22 B /18 D * E à D à B à E / More specific /22 IP address CSE 461 University of Washington 56

57 Host/Router Distinction In the Internet: Routers do the routing, know way to all destinations Hosts send remote traffic (out of prefix) to nearest router Not for my network? Send it to the gateway (router) It s my job to know which way to go CSE 461 University of Washington 57

58 Host Networking Consists of 4 pieces of data: IP Address Subnet Mask Defines local addresses Gateway Who (local) to send non-local packets to for routing DNS Server (Later)

59 Host Forwarding Table Give using longest matching prefix /0 is a default (*) route that catches all IP addresses Prefix Next Hop My network prefix Send to that IP /0 Send to my router CSE 461 University of Washington 59

60 Flexibility of Longest Matching Prefix Can provide default behavior, with less specifics Send traffic going outside an organization to a border router (gateway) Can special case behavior, with more specifics For performance, economics, security, CSE 461 University of Washington 60

61 Performance of Longest Matching Prefix Uses hierarchy for a compact table Relies on use of large prefixes Lookup more complex than table Used to be a concern for fast routers Not an issue in practice these days CSE 461 University of Washington 61

62 Issues? Where does this break down?

63 Issues? Where does this break down? Bootstrapping (DHCP) Finding Link nodes (ARP) Really big packets (Fragmentation) Errors in the network (ICMP) Running out of addresses (IPv6, NAT)

64 Dynamic Host Configuration Protocol (DHCP)

65 Bootstrapping Problem: A node wakes up for the first time What is its IP address? What s the IP address of its router? At least Ethernet address is on NIC What s my IP? CSE 461 University of Washington 65

66 Bootstrapping (2) 1. Manual configuration (old days) Can t be factory set, depends on use 2. DHCP: Automatically configure addresses Shifts burden from users to IT folk What s my IP? Use A.B.C.D CSE 461 University of Washington 66

67 DHCP DHCP (Dynamic Host Configuration Protocol), from 1993, widely used It leases IP address to nodes Provides other parameters too Network prefix Address of local router DNS server, time server, etc. CSE 461 University of Washington 67

68 DHCP Protocol Stack DHCP is a client-server application Uses UDP ports 67, 68 DHCP UDP IP Ethernet CSE 461 University of Washington 68

69 DHCP Addressing Bootstrap issue: How does node send a message to DHCP server before it is configured? Answer: Node sends broadcast messages that delivered to all nodes on the network Broadcast address is all 1s IP (32 bit): Ethernet (48 bit): ff:ff:ff:ff:ff:ff CSE 461 University of Washington 69

70 DHCP Messages Client Server One link CSE 461 University of Washington 70

71 DHCP Messages (2) Client Server DISCOVER All Broadcast ( ) OFFER REQUEST ACK CSE 461 University of Washington 71

72 DHCP Messages (3) To renew an existing lease, an abbreviated sequence is used: REQUEST, followed by ACK Protocol also supports replicated servers for reliability CSE 461 University of Washington 72

73 Address Resolution Protocol (ARP)

74 Sending an IP Packet Problem: A node needs Link layer addresses to send a frame over the local link How does it get the destination link address from a destination IP address? Uh oh My IP is CSE 461 University of Washington 74

75 ARP (Address Resolution Protocol) Node uses to map a local IP address to its Link layer addresses Link layer Source Ethernet Dest. Ethernet Source IP Dest. IP Payload From NIC From DHCP From ARP CSE 461 University of Washington 75

76 ARP Protocol Stack ARP sits right on top of link layer No servers, just asks node with target IP to identify itself Uses broadcast to reach all nodes ARP Ethernet CSE 461 University of Washington 76

77 ARP Messages Node Target One link CSE 461 University of Washington 77

78 ARP Messages (2) Node REQUEST Who has IP ? Target Broadcast ~]# tcpdump -lni any arp & ( sleep 1; arp -d ; ping -c1 -n ) listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes 17:58: arp who-has tell REPLY I do at 1:2:3:4:5:6 17:58: arp who-has tell :58: arp who-has tell CSE 461 University of Washington 78

79 ARP Table # arp -an grep 10? ( ) at 00:25:90:3e:dc:fc [ether] on vlan241? ( ) at 00:c0:b7:76:ac:19 [ether] on vlan244? ( ) at 00:c0:b7:76:ae:56 [ether] on vlan244? ( ) at 00:30:48:f2:23:fd [ether] on vlan241? ( ) at 00:c0:b7:74:fb:9a [ether] on vlan244? ( ) at 00:25:90:2c:d4:f7 [ether] on vlan241 [...]

80 Discovery Protocols Help nodes find each other There are more of them! E.g., Zeroconf/Bonjour for DNS Often involve broadcast Since nodes aren t introduced Very handy glue CSE 461 University of Washington 80

81 Fragmentation

82 Fragmentation Problem: How do we connect networks with different maximum packet sizes? Need to split up packets, or discover the largest size to use Take that It s too big! Big packet CSE 461 University of Washington 82

83 Packet Size Problem Different networks have different max packet sizes Or MTU (Maximum Transmission Unit) E.g., Ethernet 1.5K, WiFi 2.3K Prefer large packets for efficiency But what size is too large? Difficult as node doesn t know complete network path CSE 461 University of Washington 83

84 Packet Size Solutions Fragmentation (now) Split up large packets in if they are too big to send Classic method, dated Discovery (next) Find the largest packet that fits on the network path This is what IP does today instead of fragmentation CSE 461 University of Washington 84

85 IPv4 Fragmentation Routers fragment packets too large to forward Receiving host reassembles to reduce load on routers Fragment! Reassemble! Fits on first link CSE 461 University of Washington 85

86 IPv4 Fragmentation Fields Header fields used to handle packet size differences Identification, Fragment offset, MF/DF control bits Payload CSE 461 (e.g., University TCP of Washington segment) 86

87 IPv4 Fragmentation Procedure Routers split a packet that is too large: Typically break into large pieces Copy IP header to pieces Adjust length on pieces Set offset to indicate position Set MF (More Fragments) on all pieces except last Receiving hosts reassembles the pieces: Identification field links pieces together, MF tells receiver when complete CSE 461 University of Washington 87

88 IPv4 Fragmentation (2) Before MTU = 2300 ID = 0x12ef Data Len = 2300 Offset = 0 MF = 0 (Ignore length of headers) After MTU = 1500 ID = Data Len = Offset = MF = ID = Data Len = Offset = MF = CSE 461 University of Washington 88

89 IPv4 Fragmentation (3) Before MTU = 2300 ID = 0x12ef Data Len = 2300 Offset = 0 MF = 0 After MTU = 1500 ID = 0x12ef Data Len = 1500 Offset = 0 MF = 1 ID = 0x12ef Data Len = 800 Offset = 1500 MF = 0 CSE 461 University of Washington 89

90 IPv4 Fragmentation (4) It works! Allows repeated fragmentation But fragmentation is undesirable More work for routers, hosts Tends to magnify loss rate Security vulnerabilities too CSE 461 University of Washington 90

91 Path MTU Discovery Discover the MTU that will fit So we can avoid fragmentation The method in use today Host tests path with large packet Routers provide feedback if too large; they tell host what size would have fit CSE 461 University of Washington 91

92 Path MTU Discovery (2) MTU=1400 MTU=1200 bytes MTU=900 Try 1200 Try 900 CSE 461 University of Washington 92

93 Path MTU Discovery (3) Test #1 Test #2 Test #3 MTU=1400 MTU=1200 bytes MTU=900 Try 1200 Try 900 CSE 461 University of Washington 93

94 Path MTU Discovery (4) Process may seem involved But usually quick to find right size MTUs smaller on edges of network Path MTU depends on the path and can change Search is ongoing Implemented with ICMP (next) Set DF (Don t Fragment) bit in IP header to get feedback CSE 461 University of Washington 94

95 Internet Control Message Protocol (ICMP)

96 Topic Problem: What happens when something goes wrong during forwarding? Need to be able to find the problem What happened? XXXXXXX Yikes! CSE 461 University of Washington 96

97 Internet Control Message Protocol ICMP is a companion protocol to IP They are implemented together Sits on top of IP (IP Protocol=1) Provides error report and testing Error is at router while forwarding Also testing that hosts can use CSE 461 University of Washington 97

98 ICMP Errors When router encounters an error while forwarding: It sends an ICMP error report back to the IP source It discards the problematic packet; host needs to rectify Oh, now I see XXXXXXX Report then toss it! ICMP report CSE 461 University of Washington 98

99 ICMP Message Format (2) Each ICMP message has a Type, Code, and Checksum Often carry the start of the offending packet as payload Each message is carried in an IP packet Src=router, Dst=A Protocol = 1 Type=X, Code=Y Portion of offending packet, starting with its IP header Src=A, Dst=B XXXXXXXXXXXXXXX IP header ICMP header ICMP data CSE 461 University of Washington 99

100 Example ICMP Messages Name Type / Code Usage Dest. Unreachable (Net or Host) 3 / 0 or 1 Lack of connectivity Dest. Unreachable (Fragment) 3 / 4 Path MTU Discovery Time Exceeded (Transit) 11 / 0 Traceroute Echo Request or Reply 8 or 0 / 0 Ping Testing, not a forwarding error: Host sends Echo Request, and destination responds with an Echo Reply CSE 461 University of Washington 100

101 Traceroute IP header contains TTL (Time to live) field Decremented every router hop, with ICMP error at zero Protects against forwarding loops CSE 461 University of Washington 101

102 Traceroute (2) Traceroute repurposes TTL and ICMP functionality Sends probe packets increasing TTL starting from 1 ICMP errors identify routers on the path Local Host 1 hop 2 hops... 3 hops N-1 hops N hops Remote Host CSE 461 University of Washington 102

103 IPv6

104 Problem: Internet Growth Many billions of hosts And we re using 32-bit addresses! CSE 461 University of Washington 104

105 IP Version 6 to the Rescue Effort started by the IETF in 1994 Much larger addresses (128 bits) Many sundry improvements Became an IETF standard in 1998 Nothing much happened for a decade Hampered by deployment issues, and a lack of adoption incentives Big push ~2011 as exhaustion looms CSE 461 University of Washington 105

106 IPv6 Features large addresses 128 bits, most of header New notation 8 groups of 4 hex digits (16 bits) Omit leading zeros, groups of zeros 32 bits Ex: 2001:0db8:0000:0000:0000:ff00:0042:8329 à 2001:db8::ff00:42:8329 CSE 461 University of Washington 106

107 IPv6 (2) 32 bits Lots of other changes Only public addresses No more NAT! Streamlined header processing No checksum (why s that faster?) Flow label to group of packets IPSec by default Better fit with advanced features (mobility, multicasting, security) CSE 461 University of Washington 107

108 IPv6 Stateless Autoconfiguration (SLAAC) Replaces DHCP (sorta ) Uses ICMPv6 Process: Send broadcast message Get prefix from router Attach MAC to router Prefix 32 bits CSE 461 University of Washington 108

109 IPv6 Transition The Big Problem: How to deploy IPv6? Fundamentally incompatible with IPv4 Dozens of approaches proposed Dual stack (speak IPv4 and IPv6) Translators (convert packets) Tunnels (carry IPv6 over IPv4) CSE 461 University of Washington 109

110 Tunneling Native IPv6 islands connected via IPv4 Tunnel carries IPv6 packets across IPv4 network CSE 461 University of Washington 110

111 Tunneling (2) Tunnel acts as a single link across IPv4 network User Tunnel User CSE 461 University of Washington 111

112 Tunneling (3) Tunnel acts as a single link across IPv4 network Difficulty is to set up tunnel endpoints and routing User Tunnel User IPv6 Link IPv6 Link IPv6 IPv4 Link IPv6 IPv4 Link IPv6 Link IPv6 Link Native IPv6 Native IPv4 Native IPv6 CSE 461 University of Washington 112

113 Network Address Translation (NAT)

114 Problem: Internet Growth Many billions of hosts And we re using 32- bit addresses! CSE 461 University of Washington 114

115 The End of New IPv4 Addresses Now running on leftover blocks held by the regional registries; much tighter allocation policies Exhausted on 4/11 and 9/12! IANA (All IPs) Exhausted ARIN (US, Canada) APNIC (Asia Pacific) RIPE (Europe) LACNIC (Latin Amer.) AfriNIC (Africa) ISPs Companies on 2/11! End of the world? 12/21/12? CSE 461 University of Washington 115

116 Solution 1: Network Address Translation (NAT) Basic idea: Map many Private IP addresses to one Public IP. Allocate IPs for private use ( x, 10.x) I m a NAT box too! Internet CSE 461 University of Washington 116

117 Layering Review Remember how layering is meant to work? Routers don t look beyond the IP header. Well App Router App TCP IP IP IP Ethernet IP IP Ethernet TCP IP CSE 461 University of Washington 117

118 Middleboxes Sit inside the network but perform more than IP processing on packets to add new functionality NAT box, Firewall / Intrusion Detection System App Middlebox App TCP IP App / TCP IP IP Ethernet IP IP Ethernet TCP IP CSE 461 University of Washington 118

119 Middleboxes (2) Advantages A possible rapid deployment path when no other option Control over many hosts (IT) Disadvantages Breaking layering interferes with connectivity strange side effects Poor vantage point for many tasks CSE 461 University of Washington 119

120 NAT (Network Address Translation) Box NAT box maps an internal IP to an external IP Many internal hosts connected using few external addresses Middlebox that translates addresses Motivated by IP address scarcity Controversial at first, now accepted CSE 461 University of Washington 120

121 NAT (2) Common scenario: Home computers use private IP addresses NAT (in AP/firewall) connects home to ISP using a single external IP address Unmodified computers at home Looks like one computer outside ISP NAT box 121

122 How NAT Works Keeps an internal/external translation table Typically uses IP address + TCP port This is address and port translation What host thinks Internal IP:port What ISP thinks External IP : port : : : : : : 1502 Need ports to make mapping 1-1 since there are fewer external IPs 122

123 How NAT Works (2) Internal à External: Look up and rewrite Source IP/port Internal source Internal IP:port External IP : port : : 1500 External destination IP=X, port=y Src = Dst = NAT box Src = Dst = CSE 461 University of Washington 123

124 How NAT Works (3) External à Internal Look up and rewrite Destination IP/port Internal destination Internal IP:port External IP : port : : 1500 External source IP=X, port=y Src = Dst = NAT box Src = Dst = CSE 461 University of Washington 124

125 How NAT Works (4) Need to enter translations in the table for it to work Create external name when host makes a TCP connection Internal External Internal IP:port External IP : port source destination : 5523 IP=X, port=y Src = Dst = NAT box Src = Dst = CSE 461 University of Washington 125

126 NAT Downsides Connectivity has been broken! Can only send incoming packets after an outgoing connection is set up Difficult to run servers or peer-to-peer apps (Skype) Doesn t work when there are no connections (UDP) Breaks apps that expose their IP addresses (FTP) CSE 461 University of Washington 126

127 NAT Upsides Relieves much IP address pressure Many home hosts behind NATs Easy to deploy Rapidly, and by you alone Useful functionality Firewall, helps with privacy Many kinks have been worked out NAT Hole-Punching for incoming traffic CSE 461 University of Washington 127