andreas m ller overview q introduction to network address
play

Andreas Mller Overview q Introduction to Network Address Translation - PowerPoint PPT Presentation

Sep 05, 2023 •569 likes •1k views

Chair for Network Architectures and Services Prof. Carle Department for Computer Science TU Mnchen ilab 2 Advanced NAT Andreas Mller Overview q Introduction to Network Address Translation q Behavior of NAT q The NAT Traversal

  1. Chair for Network Architectures and Services – Prof. Carle Department for Computer Science TU München ilab 2 Advanced NAT Andreas Müller

  2. Overview q Introduction to Network Address Translation q Behavior of NAT q The NAT Traversal problem q Solutions to the problem q Future of NAT ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 2 2

  3. Problem q More and more devices connect to the Internet § PCs § Cell phones § Internet radios § TVs § Home appliances § Future: sensors, cars... q IP addresses need to be globally unique § IPv4 provides a 32bit field § Many addresses not usable because of classful allocation à We are running out of IP addresses ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 3 3

  4. Address Space q IP addresses are assigned by the Internet Assigned Numbers Authority (IANA) q RFC 1918 (published in in 1996) directs IANA to reserve the following IPv4 address ranges for private networks § 10.0.0.0 – 10.255.255.255 § 172.16.0.0 – 172.31.255.255 § 192.168.0.0 – 192.168.255.255 q The addresses may be used and reused by everyone § Not routed in the public Internet § Therefore a mechanism for translating addresses is needed ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 4 4

  5. First approach – Network Address Translation q Idea: only hosts communicating with the public Internet need a public address § Once a host connects to the Internet we need to allocate one § Communication inside the local network is not affected q A small number of public addresses may be enough for a large number of private clients q Only a subset of the private hosts can connect at the same time § not realistic anymore (always on) § we still need more than one public IP address ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 5 5

  6. NAPT: Network Address and Port Translation rest of local network Internet (e.g., home network) 10.0.0.1 10.0.0/24 10.0.0.4 10.0.0.2 138.76.29.7 10.0.0.3 Datagrams with source or All datagrams leaving local destination in this network network have same single source have 10.0.0/24 address for NAT IP address: 138.76.29.7, source, destination as usual different source port numbers ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 6 6

  7. NAT: Network Address Translation Implementation: NAT router must: § outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #) . . . remote clients/servers will respond using (NAT IP address, new port #) as destination addr. § remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair -> we have to maintain a state in the NAT § incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 7 7

  8. NAT: Network Address Translation NAT translation table 1: host 10.0.0.1 2: NAT router WAN side addr LAN side addr sends datagram to changes datagram 138.76.29.7, 5001 10.0.0.1, 3345 128.119.40.186, 80 source addr from …… …… 10.0.0.1, 3345 to 138.76.29.7, 5001, S: 10.0.0.1, 3345 updates table D: 128.119.40.186, 80 1 10.0.0.1 S: 138.76.29.7, 5001 2 10.0.0.4 D: 128.119.40.186, 80 138.76.29.7 S: 128.119.40.186, 80 10.0.0.2 4 D: 10.0.0.1, 3345 S: 128.119.40.186, 80 3 D: 138.76.29.7, 5001 4: NAT router 3: Reply arrives 10.0.0.3 changes datagram dest. address: dest addr from 138.76.29.7, 5001 138.76.29.7, 5001 to 10.0.0.1, 3345 ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 8 8

  9. NAT: Network Address Translation q NAPT: § ~65000 simultaneous connections with a single LAN-side address! § helps against the IP shortage § we can change addresses of devices in local network without notifying outside world § we can change ISP without changing local addresses § devices inside local net not explicitly addressable/visible by the outside world (a security plus) q NAT is controversal: § routers should only process up to layer 3 § violates end-to-end argument ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 9 9

  10. NAT Implementation q Implementation not standardized § thought as a temporary solution q implementation differs from model to model § if an application works with one NAT does not imply that is always works in a NATed environment q NAT behavior § Binding (which external mapping is allocated) • NAT binding • Port binding § Endpoint filtering (who is allowed to access the mapping) ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 10 10

  11. Binding q When creating a new state, the NAT has to assign a new source port and IP address to the connection q Port binding describes the strategy a NAT uses for the assignment of a new external source port § source port can only be preserved if not already taken q NAT binding describes the behavior of the NAT regarding the reuse of an existing binding § two consecutive connections from the same transport address (combination of IP address and port) § 2 different bindings? § If the binding is the same à Port prediction possible ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 11 11

  12. NAT binding q Endpoint Independent § the external port is only dependent on the source transport address § both connections have the same IP address and port q Address (Port) Dependent § dependent on the source and destination address § 2 different destinations result in two different bindings § 2 connections to the same destination: same binding q Endpoint Dependent § a new port is assigned for every connection § strategy could be random, but also something more predictable § Port prediction is hard ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 12 12

  13. NAT binding q Endpoint Independent § the external port is only dependent on the source transport address § both connections have the same IP address and port q Address (Port) Dependent § dependent on the source and destination address § 2 different destinations result in two different bindings § 2 connections to the same destination: same binding q Endpoint Dependent § a new port is assigned for every connection § strategy could be random, but also something more predictable § Port prediction is hard ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 13 13

  14. Endpoint filtering q Filtering describes § how existing mappings can be used by external hosts § How a NAT handles incoming connections q Independent-Filtering: § All inbound connections are allowed § As long as a packet matches a state it is forwarded § No security q Address Restricted Filtering: § packets coming from the same host (matching IP-Address) the initial packet was sent to are forwarded q Address and Port Restricted Filtering: § IP address and port must match ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 14 14

  15. NAT Types q With Binding and Filtering 4 NAT types can be defined (RFC 3489) q Full Cone NAT § Endpoint independent § Independent filtering q Address Restricted NAT § Endpoint independent binding § Address restricted filtering q Port Address Restricted NAT § Endpoint independent binding § Port address restricted filtering q Symmetric NAT § Endpoint dependent binding § Port address restricted filtering ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 15 15

  16. NAT Types q With Binding and Filtering 4 NAT types can be defined (RFC 3489) q Full Cone NAT § Endpoint independent § Independent filtering q Address Restricted NAT § Endpoint independent binding § Address restricted filtering q Port Address Restricted NAT § Endpoint independent binding § Port address restricted filtering q Symmetric NAT § Endpoint dependent binding § Port address restricted filtering ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 16 16

  17. Full Cone NAT ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 17 17

  18. NAT Types q With Binding and Filtering 4 NAT types can be defined (RFC 3489) q Full Cone NAT § Endpoint independent § Independent filtering q Address Restricted NAT § Endpoint independent binding § Address restricted filtering q Port Address Restricted NAT § Endpoint independent binding § Port address restricted filtering q Symmetric NAT § Endpoint dependent binding § Port address restricted filtering ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 18 18

  19. Address Restricted Cone NAT ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 19 19

  20. NAT Types q With Binding and Filtering 4 NAT types can be defined (RFC 3489) q Full Cone NAT § Endpoint independent § Independent filtering q Address Restricted NAT § Endpoint independent binding § Address restricted filtering q Port Address Restricted NAT § Endpoint independent binding § Port address restricted filtering q Symmetric NAT § Endpoint dependent binding § Port address restricted filtering ilab2 – Advanced NAT Network Security, WS 2008/09, Chapter 9 20 20

Recommend

Preprocessing data SU P E R VISE D L E AR N IN G W ITH SC IK IT - L E AR N Andreas M ller

Preprocessing data SU P E R VISE D L E AR N IN G W ITH SC IK IT - L E AR N Andreas M ller

Preprocessing data SU P E R VISE D L E AR N IN G W ITH SC IK IT - L E AR N Andreas M ller Core de v eloper , scikit - learn Dealing w ith categorical feat u res Scikit - learn w ill not accept categorical feat u res b y defa u lt Need to

578 views • 34 slides
Data Link Layer MAC address Protocol Network Layer address must identify the network

Data Link Layer MAC address Protocol Network Layer address must identify the network

Overview What is a computer network? CSCE 515: What is the Internet? Computer Network What are the popular network reference Programming model? -- Midterm Review OSI, TCP/IP Wenyuan Xu What is the main responsibilities and

339 views • 12 slides
Data Link Layer MAC address Protocol Network Layer address must identify the network

Data Link Layer MAC address Protocol Network Layer address must identify the network

Overview What is a computer network? CSCE 515: What is the Internet? Computer Network What are the popular network reference Programming model? -- Review (partial) OSI, TCP/IP Wenyuan Xu What is the main responsibilities

299 views • 13 slides
The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach

The Pointer Assertion Logic Engine [PLDI 01] Anders M ller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach Model

371 views • 34 slides
Subnetting Used to subdivide a single IP network, to more efficiently utilize the address

Subnetting Used to subdivide a single IP network, to more efficiently utilize the address

Subnetting Used to subdivide a single IP network, to more efficiently utilize the address space (create subnets ) Also allows introduction of additional hierarchy of address space, so routers throughout internet dont need to know

472 views • 10 slides
Network Adequacy Advisory Council Introduction & Overview 2 Network Adequacy Overview

Network Adequacy Advisory Council Introduction & Overview 2 Network Adequacy Overview

1 Network Adequacy Advisory Council Introduction & Overview 2 Network Adequacy Overview & Plan Year 2020 Standards Network Adequacy CMS ECP/Network CMS Adequacy Silver State ECP/Network Template Health Adequacy Exchange Standards

2.11k views • 19 slides
Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL

Introduction Zynq Lecture 1 Andreas Habegger Introduction Zynq Introduction Zynq Introduction Zynq PS vs. PL Processing System Processor Peripherals Data Buses AXI Bus Conclusion BTE5380 - Embedded Systems Octobre 2014 Andreas Habegger

1.81k views • 30 slides
Virtual Private Network 1 Introduction Private network - physically disconnected from the

Virtual Private Network 1 Introduction Private network - physically disconnected from the

Virtual Private Network 1 Introduction Private network - physically disconnected from the outside Internet Users Authenticated Still vulnerable if the internal resources use IP address as the basis for authentication Content

598 views • 39 slides
1 Connection-oriented service Connectionless service Goal: data transfer between end systems

1 Connection-oriented service Connectionless service Goal: data transfer between end systems

A closer look at network structure: network edge: applications and hosts network core: Network Overview routers network of networks access networks, physical media: communication links Introduction Introduction 1-1 1-2

543 views • 8 slides
An Overview Introduction GMEX is an innovative new exchange developed to address problems

An Overview Introduction GMEX is an innovative new exchange developed to address problems

An overview An Overview Introduction GMEX is an innovative new exchange developed to address problems arising from recent regulatory change First product is GMEX IRS Constant Maturity Futures which provides an effective solution to

212 views • 19 slides
MAC Addresses and ARP 32-bit IP address: network-layer address Mac Addressing, Ethernet,

MAC Addresses and ARP 32-bit IP address: network-layer address Mac Addressing, Ethernet,

MAC Addresses and ARP 32-bit IP address: network-layer address Mac Addressing, Ethernet, and used to get datagram to destination IP subnet MAC (or LAN or physical or Ethernet) Interconnections address: used to get datagram

424 views • 6 slides
Graph Entropy Measures in Publication Network Data Andreas Holzinger Bernhard Ofner Christof

Graph Entropy Measures in Publication Network Data Andreas Holzinger Bernhard Ofner Christof

Graph Entropy Measures in Publication Network Data Andreas Holzinger Bernhard Ofner Christof Stocker Andr Calero Valdez Anne Kathrin Schaar Martina Ziefle Matthias Dehmer page 1 Agenda 1 Overview CSP1 - Interdisciplinary Innovation

661 views • 17 slides
Network analysis and visualization for social media Andreas Kaltenbrunner Social Media Research

Network analysis and visualization for social media Andreas Kaltenbrunner Social Media Research

Network analysis and visualization for social media Andreas Kaltenbrunner Social Media Research Group, Barcelona Media, Barcelona, Spain School of advanced sciences of Luchon, July 3rd, 2014 Andreas Kaltenbrunner @akalten_bcn Network

917 views • 63 slides
Introduction cont. Network Core: Circuit Switching Lecture goal: Overview: network resources

Introduction cont. Network Core: Circuit Switching Lecture goal: Overview: network resources

Introduction cont. Network Core: Circuit Switching Lecture goal: Overview: network resources (e.g., bandwidth) divided into get context, overview, access net, physical media pieces feel of networking performance: loss,

803 views • 6 slides
2 Haungs haungs@kit.edu Andreas Haungs Content: 1. Introduction in HEAP

2 Haungs haungs@kit.edu Andreas Haungs Content: 1. Introduction in HEAP

KIT University of the State of Baden-Wrttemberg and National Research Center of the Helmholtz Association Experimental High-Energy Astroparticle Physics Andreas 2 Haungs haungs@kit.edu Andreas Haungs Content: 1. Introduction in

791 views • 62 slides
Stata Center Network Infrastructure Outline Introduction Physical topology overview Network

Stata Center Network Infrastructure Outline Introduction Physical topology overview Network

Stata Center Network Infrastructure Outline Introduction Physical topology overview Network design strategy Summary of specific requirements Proposal expectations/timeline Q&A Stata Center Network Infrastructure Introduction The Ray

604 views • 24 slides
20 16 CEO Address to Shareholders B USINESS OVERVIEW Leading >1 million scans per

20 16 CEO Address to Shareholders B USINESS OVERVIEW Leading >1 million scans per

Integral Diagnostics Limited A NNUAL G ENERAL M EETING 20 16 CEO Address to Shareholders B USINESS OVERVIEW Leading >1 million scans per annum diagnostic Network of 45 sites including 13 hospital sites imaging 3 brands:

354 views • 23 slides
7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

Network Layer Network Layer Network Layer Network Layer IP Fragmentation & Reassembly IP Fragmentation and Reassembly network links have MTU length ID fragflag offset (max.transfer size) - largest possible link-level frame.

948 views • 5 slides
Prepare red b by Mille ller & & Newberg ( (MN) C ) Consult ltin ing Actuarie ries

Prepare red b by Mille ller & & Newberg ( (MN) C ) Consult ltin ing Actuarie ries

Prepare red b by Mille ller & & Newberg ( (MN) C ) Consult ltin ing Actuarie ries Project Manager: Michael Brown, FSA, MAAA, Managing Director Gene Blobaum, FSA, MAAA, Senior Actuary Spencer Loudon, Actuarial Analyst

810 views • 63 slides
Loukas Dimitriou and Andreas Savvides University of Cyprus Introduction Urban Morphologies

Loukas Dimitriou and Andreas Savvides University of Cyprus Introduction Urban Morphologies

Mobility Analysis and Morphologies: The case of Cypriot Major Cities Loukas Dimitriou and Andreas Savvides University of Cyprus Introduction Urban Morphologies Types of urban structures, based on the road network morphology

561 views • 39 slides
Setting IP Address You can set IP address on an interface to any value you like ifconfig

Setting IP Address You can set IP address on an interface to any value you like ifconfig

Setting IP Address You can set IP address on an interface to any value you like ifconfig interface ipaddress netmask subnet up You must make sure address is valid for the network Correct subnet, not a duplicate Turning interface

313 views • 13 slides
Procera: A Language for High-Level Reactive Network Control Andreas Voellmy Hyojoon Kim Nick

Procera: A Language for High-Level Reactive Network Control Andreas Voellmy Hyojoon Kim Nick

Procera: A Language for High-Level Reactive Network Control Andreas Voellmy Hyojoon Kim Nick Feamster Yale University, Georgia Tech, University of Maryland August 13, 2012 Static & Dynamic Network Policies Network operators want to

416 views • 20 slides
Fluid id-Stru ructure re I Intera raction on i in STAR-CC CCM+ Alan M Muelle ller CD

Fluid id-Stru ructure re I Intera raction on i in STAR-CC CCM+ Alan M Muelle ller CD

Fluid id-Stru ructure re I Intera raction on i in STAR-CC CCM+ Alan M Muelle ller CD CD-ada adapc pco What at is F is FSI SI? Air Interac action wit ith a a Flexible Struc uctur ture What at is F is FSI SI? Water/Air I

407 views • 39 slides
A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile

A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile

A Whirlwind Introduction to the Internet Internet Structure: Network of Networks Overview mobile network Whats the Internet Roughly Hierarchical At center: tier-1 ISPs (e.g., UUNet, Level 3, Sprint, AT&T), Network

953 views • 25 slides

More recommend