Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione. 09 Intranetting. Fundamentals of Communication Networks

Size: px

Start display at page:

Download "Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione. 09 Intranetting. Fundamentals of Communication Networks"

Benjamin Sanders
5 years ago
Views:

1 Politecnico di Milano Scuola di Ingegneria Industriale e dell Informazione 09 Intranetting Fundamentals of Communication Networks 1

2 Private networks and Intranets EG subnet IG IG Private network IG o Private networks have evolved based on IP technology. o Private networks are usually partitioned using layer-2 switches, VLAN and IP routers. o A intranet is just a private network using IP technology for LAN (or VLAN) interconnection, and providing some services on the INTERNET (web server, mail server, etc.). 2

3 Characteristics of Intranets o The evolution of services and protocols made Intranets quite different from public IP networks n Security n Address management n Differentiation of services offered to Intranet users and INTERNET users. n Etc. 3

4 Addresses o The exponential increase of the number of hosts of the Internet makes the availability of IPv4 addresses a real problem o This problem has pushed the standardization of IPv6 o In the meanwhile another solution has been found by means of private addresses o If an IP network is not connected to the Internet it can use any arbitrary addressing plan... 4

5 Private addressing (1) o o o Different intranets can reuse the same set of IP addresses (RFC 1597, Address Allocation for Private Internets). n class A: net 10.xx.xx.xx (16 millions addresses) n class B: from to (16 nets with addresses) n class C: nets xx.xx (256 nets with 254 addresses) It s not allowed that packets with private addresses (source or destination addresses) travel in the public Internet The development of some technologies like Proxy and NAT allowed the use of private addressing even to intranets connected to the Internet 5

6 Private addressing (2) o A private network has usually some services that can be accessed from the public Internet o Servers of these services need a public address while internal hosts can use a private address web R ISP Public addr R Private addr. 6

7 Private addressing (3) o Whitout an interconnection mechanism between private and public world, private hosts cannot access to Internet services o Commonly adopted methods for interconnection are NAT and Proxy web R NAT ISP Public addr. R Private addr. 7

8 Connection Intranet/Internet o Intranet using public addresses n Application Proxy n Simple Router o Intranet using private addresses n NAT n Application Proxy 8

9 Connection with a simple Router o The intranet uses public IP addresses o The intranet is actually a part of the big Internet o Communications are always possible o Low security 9

Connection through an application Proxy o This solution works either with public or private addresses o Intranet and INTERNET are not connected at the IP layer o

10 Connection through an application Proxy o This solution works either with public or private addresses o Intranet and INTERNET are not connected at the IP layer o Any request (application layer) is forwarded to the proxy that forwards it to the Internet using its public IP address o A proxy for each application is required 10

11 Application Proxy http proxy ftp proxy R Internet R ind. pubblici Private addr. remote web server Routing tables with public and private addresse 11

12 Network Address Translation (NAT) o NATs (Network Address Translation) routers have all classical functionalities of IP routers o and in addition they can map a (private) addressing space in another (public) addressing space. 12

13 Network Address Translator (NAT) o NAT allows to associate (usually temporarily) a private address to a public address. The set of private addresses is usually much larger than that of public addresses. Packets to the Internet are filtered and forwarded to the NAT Source Destination NAT Available addresses: subnet Private IP Public IP Source Destination

14 NAT Table NAT Available addresses: subnet NAT Table Source Destination Private IP Public IP Source Destination o To allow bidirectional connections a mapping table is required: n Static mapping n Dynamic mapping 14

15 NAT methods o Traditional NAT n Basic NAT n Network Address Port Translation (NAPT) o Bi-directional NAT n Twice NAT 15

16 Common features o Transparent Address Translation n Association (binding/unbinding) trasparent to hosts n Two association modes: o Static (easy but inefficient) o Dynamic (efficient but complex) o Transparent Routing n Routing must be managed according to the address type (private addressing plans must not be redistributed to the public network) o ICMP Packet Translation n Portions of ICMP messages include IP addresses, therefore they have to be translated 16

17 NAT Dynamic association (1) o Dynamic assignment is based on the concept of session o When NAT receives the first packet of a session it creates the association between public and private addresses o At the end of the session the public address is released o What s a session? n Its definition is protocol dependent n For TCP and UDP a session is based on socket n For ICMP a set of three addresses (source IP, destination IP, Protocol Identifier) n The direction of a session is the the direction of the first packet 17

18 NAT Dynamic association (2) o Once defined the session we have to assess when it starts and ends o Session start: n TCP: SYN packet n UDP, ICMP: connectionless, there is not a unique method o Session end: n TCP: FIN packets or RESET n Other protocol: there is not a unique method n Timers are always required to recover from error states. 18

19 NAT Application Level Gateway o Several applications includes IP addresses in the messages (ASCII or binary formats) and port numbers o Application Level Gateways (ALG) add some functionalities to NATs for a correct operation with such applications o Based on the application and messages type, not only IP headers but also message contents are translated, and if needed TCP segments are modified accordingly o ALG are similar to proxy, but they are transparent to hosts 19

20 Traditional NAT (1) o Also named Outbound NAT o It allows only sessions initiated from the private network (from the intranet to the internet) o Routing information is ridistributed from the Internet to the Intranet but not in the opposite direction o 2 sub-types n Basic NAT n NAPT (Network Address and Port Translator) 20

21 Traditional NAT (2) o Basic NAT n Only the IP address is translated n There is a one-to-one mapping during a session and two hosts cannot use the same public address at the same time n Requests can be blocked due to the limited number of available public addresses o NAPT n The couple (IP, port) is translated n Many private addresses can be mapped on the same public address at the same time n Some problems arise with flows not using UDP or TCP (with ICMP it is possible to use the protocol identifier field) n With fragments it does not work 21

Bi-Directional NAT o A session can start in any direction o Problem: n How can a public host start a session with a private host without a public address?

22 Bi-Directional NAT o A session can start in any direction o Problem: n How can a public host start a session with a private host without a public address? n Symbolic names must be used and the DNS service must support the NAT DNS Intranet server.azienda.com DNS resp: DNS query: server.azienda.com? DNS ALG R NAT table DNS resp: Internet 22

23 NAT Some comments o Address mapping is not an easy task o It requires n To recalculate the Header Checksum n To replace address into ICMP message and to recalculate the header checksum n To recalculate the checksum of TCP or UDP with the new pseudo-header o ALG are required with application including addresses or ports into application messages o IPsec and all security protocols are difficult to manage 23

24 NAT The case of FTP (1) o The case of FTP: n On control connection PORT and PASV methods are adopted n PORT n1,n2,n3,n4,n5,n6 (n1, n2, n3,n4, n5, n6 are coded with ASCI) o n1.n2.n3.n4 is the client IP Address o N5x256+n6 = port number for data connection n The PORT command must be translated by the ALG, but that s not the end of the story... 24

25 NAT- The case of FTP (2) n Suppose that you have to map (private) with (public) n FTP uses ASCI o During translation private-> public the command PORT becomes longer o During translation public-> private the command PORT becomes shorter n -> TCP payload changes size -> byte numbering in SN and AN fields must be modified n The ALG for FTP needs a mapping table for SN and AN for each active TCP connection 25

26 WAN connection of remote intranets (1) o Different Intranets (of the same organization/company) can be connected together o Problems: n n n cost use of private addresses security Intranet Intranet Intranet 26

27 WAN connection of remote intranets (2) o Dedicated channels o Problem: n Very high cost Intranet Intranet Intranet 27

28 WAN connection of remote intranets (3) o Public packet networks (e.g. Frame Relay) o Problems: n Quite high cost Intranet Intranet Rete pubblica FR Intranet 28

29 WAN connection of remote intranets (4) o INTERNET (Virtual Private Network - VPN) Problems: n n n Private addresses security performance ISP ISP Intranet Intranet 29

30 Virtual Private Networks o Tunnels ISP tunnel ISP Intranet Intranet 30

31 IP tunneling o o o Tunnel can be created through encapsulation of IP packets into IP packets The payload traveling in the public network can be encrypted (IPsec) Addresses in the remote intranets are usually private Destination Source IP Router/gateway Tunneling IP Tunnel destination/source Destination Source Destination Source Payload Payload Tunnel payload 31

Network Interconnection

Network Interconnection Covers different approaches for ensuring border or perimeter security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Lecture