VPN and NAT
• We have been viewing the Internet as a collection of interconnected networks
• In reality, many organizations have private internets interconnected by the Internet
[Figure: Organization A’s private network and Organization B’s private network, each connected to the Internet]
A Single-Level Internet
• A collection of interconnected networks:
A Single-Level Internet (cont)
• Problem: privacy
[Figure: Site 1 of Organization A and Site 2 of Organization A, connected through the Internet]
Solution #1
• A private network – an isolated TCP/IP internet separate from the Internet
  – Can use arbitrary IP addresses (usually private IPs)
[Figure: Organization A’s private network, isolated from the Internet]
Solution #2
• A hybrid network:
  – Use globally valid IP addresses
  – Internal hosts can communicate with hosts on the Internet
  – Communications among internal hosts are private
Solution #3
• A Virtual Private Network (VPN):
  – Communication between any pair of computers in the VPN remains private
  – Virtual – uses the Internet to carry traffic from one part of the VPN to another
[Figure: Site 1 of Organization A and Site 2 of Organization A joined by a VPN tunnel across the Internet]
A Virtual Private Network
• How it works:
  – Tunneling: agreement by two routers to exchange datagrams
    • IP-in-IP encapsulation
  – Encryption: the encapsulated datagram is scrambled so that intermediate hosts/routers cannot read it
VPN – Addressing and Routing
• A hybrid network
• The VPN tunnel replaces the leased circuit
VPN – Addressing and Routing (cont)
• Example: a datagram from 128.10.2.0 to 128.210.0.0:
  – Sent to R2, then R1, then tunneled to R3, then R4
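The tunneling step on the two slides above (IP-in-IP encapsulation between the two tunnel routers, and the R1-to-R3 hop of the example datagram) can be made concrete with a small simulation. The code below is an added example, not part of the original slides: it builds real IPv4 headers, wraps an inner datagram in an outer header carrying protocol number 4 (IP-in-IP), and has the far tunnel endpoint strip the outer header again. The tunnel endpoint addresses (192.0.2.1 for R1, 198.51.100.1 for R3), the host addresses inside the two prefixes and the payload are all constructed for the example; encryption of the inner datagram is not shown, so here intermediate routers would still be able to read it.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 datagram: 20-byte header (no options) followed by payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # fill in header checksum
    return hdr + payload


def parse_ipv4(dgram: bytes) -> dict:
    """Parse the fixed IPv4 header; reject anything that is not a well-formed IPv4 datagram."""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (dgram[0] & 0x0F) * 4
    if checksum(dgram[:ihl]) != 0:
        raise ValueError("bad header checksum")
    _, _, tlen, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", dgram[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": dgram[ihl:tlen]}


class TunnelRouter:
    """A router whose routing table maps some destination prefixes to a VPN tunnel peer.

    Datagrams for such a prefix are encapsulated (IP-in-IP) and addressed to the peer's
    globally valid address; everything else is forwarded unchanged.
    """

    def __init__(self, own_addr: str, tunnels: dict):
        self.own_addr = own_addr  # this router's tunnel endpoint address
        self.tunnels = {ipaddress.ip_network(p): peer for p, peer in tunnels.items()}

    def forward(self, dgram: bytes) -> bytes:
        inner = parse_ipv4(dgram)
        dst = ipaddress.IPv4Address(inner["dst"])
        for prefix, peer in self.tunnels.items():
            if dst in prefix:
                # Outer header: from this router to the far tunnel endpoint, protocol 4.
                return build_ipv4(self.own_addr, peer, IPPROTO_IPIP, dgram)
        return dgram

    def receive(self, dgram: bytes) -> bytes:
        """Strip the outer header when this router is the tunnel endpoint the datagram is for."""
        outer = parse_ipv4(dgram)
        if outer["proto"] == IPPROTO_IPIP and outer["dst"] == self.own_addr:
            return outer["payload"]  # the original inner datagram, forwarded on toward R4
        return dgram


if __name__ == "__main__":
    # Constructed example: R1 at site 1 tunnels 128.210.0.0/16 traffic to R3 at site 2.
    r1 = TunnelRouter("192.0.2.1", {"128.210.0.0/16": "198.51.100.1"})
    r3 = TunnelRouter("198.51.100.1", {"128.10.0.0/16": "192.0.2.1"})
    inner = build_ipv4("128.10.2.5", "128.210.0.7", 17, b"constructed payload")
    outer = r1.forward(inner)
    print("outer header:", {k: v for k, v in parse_ipv4(outer).items() if k != "payload"})
    print("decapsulated matches original:", r3.receive(outer) == inner)
```

On the Internet between R1 and R3 only the outer header is routed on, so intermediate routers see a datagram from 192.0.2.1 to 198.51.100.1 with protocol 4 and never consult the inner addresses; a real VPN would additionally encrypt the inner datagram before it becomes the outer payload.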
Distributed Private Network
• A VPN can be used to create a distributed private network:
  – Internal hosts are isolated from the Internet
  – Hosts can be assigned private addresses
  – Each site needs one globally valid IP address for tunneling
Distributed Hybrid Network
• Internal hosts can communicate with hosts on the Internet
• Communications among internal hosts are private
• How to make it work?
Application Gateways
• An application gateway is a program that acts as a middleman for a particular service
• Typically runs on a multi-homed host that is the gateway between internal hosts and the Internet
  – Internal hosts send requests to the application gateway
  – The application gateway passes the request to the destination host
  – The destination host sends the reply to the application gateway
  – The application gateway passes the reply to the originating internal host
Application Gateways
• Advantage:
  – Does not require changes to:
    • The network infrastructure
    • The addressing scheme
• Disadvantage:
  – Not general:
    • Each application gateway handles a specific service
    • A different application gateway program is required for each different service
Network Address Translation
• Network Address Translation (NAT) is software that translates addresses in incoming and outgoing datagrams
  – P = private address
  – G = globally valid IP address
[Figure: Organization A’s private network (addresses P) behind a NAT box with global address G, connected to the Internet]
NAT (cont)
• The NAT box acts as a middleman between internal and external hosts:
  – Outgoing datagrams:
    • Source IP address is replaced with G
  – Incoming datagrams:
    • Destination IP address is replaced with the private IP address of the correct host
  – How does the NAT box know which is the “correct” host when it receives a reply from an external host?
NAT Translation Table
• The NAT software maintains a translation table that tells it what internal hosts are communicating with what external hosts
• When a datagram arrives from 134.126.14.32, the destination address should be translated to 10.1.0.3

External IP Address   Internal IP Address
134.126.24.210        10.1.0.1
134.126.14.32         10.1.0.3
134.126.8.7           10.2.0.2
134.126.43.111        10.1.0.8
Translation Table Initialization
• How (and when) are entries placed in the translation table?
  – Manually
    • Good: permanent mappings, connections can originate either inside or outside
    • Bad: difficult to maintain
Translation Table Initialization (cont)
• How (and when) are entries placed in the translation table?
  – During translation of outgoing datagrams
    • Good: automatic
    • Bad: external hosts cannot initiate connections
Translation Table Initialization (cont)
• How (and when) are entries placed in the translation table?
  – In response to an incoming name lookup
    • Good:
      – Automatic
      – External hosts can initiate connections
    • Bad:
      – Requires modification to DNS server software
      – External hosts must perform a name lookup prior to sending datagrams to internal hosts
Shortcoming of NAT Translation Table
• What if two different internal hosts want to communicate with the same external host (134.126.24.210)?
  – Not clear which one to send replies to:

External IP Address   Internal IP Address
134.126.24.210        10.1.0.1
134.126.14.32         10.1.0.3
134.126.24.210        10.2.0.2
134.126.43.111        10.1.0.8
Network Address Port Translation
• Network Address Port Translation (NAPT) expands the table to include additional fields:
• Note: two internal hosts (10.0.0.5 and 10.0.0.1) are both accessing port 80 on 128.10.19.20
  – NAPT translates both addresses and ports to avoid ambiguity
Network Address Port Translation (cont)
• Note: both the IP address and the port number are translated:
  – Datagrams from port 21023 on 10.0.0.5 are sent to 128.10.19.20 as if they came from port 14003 on the NAT box
  – Replies from 128.10.19.20 to port 14003 on the NAT box are forwarded to 10.0.0.5
  – Datagrams from port 386 on 10.0.0.1 are sent to 128.10.19.20 as if they came from port 14010 on the NAT box
  – Replies from 128.10.19.20 to port 14010 on the NAT box are forwarded to 10.0.0.1
NAT (cont)
• Advantages:
  – General: internal hosts can access an arbitrary service on an external host
  – Transparent to internal and external hosts
  – Helps conserve IP addresses
  – Shields internal host IP addresses
• Disadvantage:
  – Interaction with higher-layer protocols
    • ICMP
    • FTP
Summary
• A Virtual Private Network (VPN) sends data across the Internet, but encrypts intersite transmissions to guarantee privacy
• Network Address Translation (NAT) provides transparent IP-level access to the Internet from a host with a private address
  – There are variants of NAT, including Network Address Port Translation (NAPT), which translates protocol port numbers as well as IP addresses