ilab
play

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr - PowerPoint PPT Presentation

Jan 07, 2023 •229 likes •784 views

iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 6 16ss 1 / 34 Motivation: IPv4 Address Scarcity source:

  1. iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München Lab 6 – 16ss 1 / 34

  2. Motivation: IPv4 Address Scarcity source: http://www.heise.de/newsticker/meldung/RIPE-72-Streit-um-letzte-IPv4-Adressen-3221309.html 2 / 34

  3. Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 3 / 34

  4. Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 4 / 34

  5. Yearly Address Allocations source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015) 5 / 34

  6. Allocated Address Blocks source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015) 6 / 34

  7. IPv4 Address Allocation in 2012 source: A. Dainotti et al., Estimating Internet address space usage through passive measurements, ACM Computer Communication Review (2014) 7 / 34

  8. IPv4 Address Scarcity: Mitigation Strategies ◮ a) more efficient use of the address space → e.g. use unrouted addresses, address trading 8 / 34

  9. IPv4 Address Scarcity: Mitigation Strategies ◮ a) more efficient use of the address space → e.g. use unrouted addresses, address trading ◮ b) create more addresses → IPv6 8 / 34

  10. IPv4 Address Scarcity: Mitigation Strategies ◮ a) more efficient use of the address space → e.g. use unrouted addresses, address trading ◮ b) create more addresses → IPv6 ◮ c) address sharing → NAT 8 / 34

  11. a) IPv4 Address Market Address trading / company mergers ◮ in 2011 Microsoft bought 667K IPv4 addresses for 7.5M, that makes USD 11.25 per address source: http://www.theregister.co.uk/2011/03/24/microsoft_ip_spend ◮ in 2011 the bankrupt bookseller Borders offered 65K IPv4 addresses for USD 12 per address source: http://www.theregister.co.uk/2011/12/05/borders_flogs_ipv4_addys ◮ IPv4 Address Trading Portals e.g. http://addrex.net, http://www.iptrading.com, http://ipv4marketgroup.com Address pricing ◮ opaque, transactions not public ◮ further reading: Lee Howard, Internet Access Pricing in a Post-IPv4 Runout World, http://www.asgard.org/images/pricing_v1.3.docx 9 / 34

  12. b) IPv6 Deployment ◮ IPv6 still accounts for < 1% of the Internet traffic, but IPv6 traffic grows by 400% each year source: J. Czyz et al., Measuring IPv6 Adoption, SIGCOMM’14 http://www.icir.org/mallman/pubs/CAZ+14/CAZ+14- talk.pdf https://www.google.com/intl/en/ipv6/statistics.html ◮ many ISPs already offer native IPv6: e.g. Deutsche Telekom, Kabel Deutschland, M-Net in Germany see: https://en.wikipedia.org/wiki/IPv6_deployment 10 / 34

  13. b) IPv6 Deployment (cont.) source: https://blogs.akamai.com/2015/06/three-years-since-world-ipv6-launch-strong-ipv6-growth-continues.html 11 / 34

  14. c) Address Sharing: Private IPv4 Address Ranges Properties ◮ anyone can use these IP address ranges in their own network ◮ addresses are not routed in the public Internet ◮ Internet access through address translation → NAT Address Ranges ◮ RFC 1918 reserves the following IPv4 address ranges ◮ 10.0.0.0/8 ◮ 172.16.0.0/12 ◮ 192.168.0.0/16 ◮ RFC 6598 reserves an additional range for ISP networks ◮ 100.64.0.0/10 ◮ RFC 4193 specifies Unique Local IPv6 addresses ◮ fc00::/7 12 / 34

  15. Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 13 / 34

  16. Concept: Providing Internet Access for Private IPs Private Host Internet e.g. 192.168.1.42 ◮ outgoing packet: replace packet source with public endpoint 14 / 34

  17. Concept: Providing Internet Access for Private IPs Private Host Internet e.g. 192.168.1.42 ◮ outgoing packet: replace packet source with public endpoint Private Host Internet e.g. 192.168.1.42 ◮ incoming packet: replace packet destination with local host 14 / 34

  18. Network Address (and Port) Translation (NAT) Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 15 / 34

  19. Network Address (and Port) Translation (NAT) Packet src: 192.168.1.43:3345 dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 15 / 34

  20. Network Address (and Port) Translation (NAT) Packet src: dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets 15 / 34

  21. Network Address (and Port) Translation (NAT) Packet src: 1.2.3.4 dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets 15 / 34

  22. Network Address (and Port) Translation (NAT) Packet src: 1.2.3.4:4444 dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets 15 / 34

  23. Network Address (and Port) Translation (NAT) NAT translation table Packet L4 global endpoint local endpoint src: 1.2.3.4:4444 dst: 131.159.15.49:80 TCP 1.2.3.4:4444 192.168.1.43:3345 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets ◮ remember mapping of private and public endpoint 15 / 34

  24. Network Address (and Port) Translation (NAT) NAT translation table Packet L4 global endpoint local endpoint src: 131.159.15.49:80 dst: 1.2.3.4:4444 TCP 1.2.3.4:4444 192.168.1.43:3345 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets ◮ remember mapping of private and public endpoint ◮ lookup mapping of private and public endpoint 15 / 34

  25. Network Address (and Port) Translation (NAT) NAT translation table Packet Packet L4 global endpoint local endpoint src: 131.159.15.49:80 src: 131.159.15.49:80 dst: 192.168.1.43:3345 dst: TCP 1.2.3.4:4444 192.168.1.43:3345 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets ◮ remember mapping of private and public endpoint ◮ lookup mapping of private and public endpoint ◮ replace dst IP (and port) in incoming packets 15 / 34

  26. NAT in Practice Deployment ◮ today the majority of end users are located behind NAT (+ other middleboxes) ◮ no standardization of NAT → many different implementations ◮ transparent to the public Internet 16 / 34

  27. NAT in Practice (contd.) Benefits ◮ effectively saves IP addresses: allows ∼ 65,000 simultaneous flows with a single public IP address ◮ address independence: public/private IP addresses can be changed independently ◮ topology hiding: devices inside local network are not explicitly addressable/visible from outside Problems ◮ connections can only be established from the local network ◮ ports should not be used to address hosts ◮ routers should not manipulate packets above layer 2 (end-to-end principle) 17 / 34

  28. Protocols Affected by NAT characteristics of protocols that are affected by NAT (RFC 3027): ◮ server located in the local network ◮ any service behind NAT, peer-to-peer applications ◮ realm-specific IP address information in payload ◮ e.g. SIP, FTP ◮ bundled session applications ◮ protocols using multiple connections, e.g. active FTP ◮ unsupported protocols ◮ e.g. SCTP, IPsec 18 / 34

  29. Example: Session Initiation Protocol (SIP) INVITE message: establish a session (e.g. VoIP call) between peers INVITE s i p : Callee@200 . 3 . 4 . 5 SIP /2.0 Via : SIP /2.0/UDP 192.168.1.5:5060 s r c : < s i p : Caller@192.168.1.5 > dst : <s i p : Callee@200 .3.4.5 > CSeq : 1 INVITE Contact : <s i p : Caller@192 .168.1.5:5060 > Content − Type : a p p l i c a t i o n /sdp v=0 o=A l i c e 214365879 214365879 IN IP4 192.168.1.5 c=IN IP4 192.168.1.5 t= 0 0 m =audio 5200 RTP/AVP 0 9 7 3 a=rtpmap :8 PCMU/8000 a=rtpmap :3 GSM/8000 19 / 34

  30. Example: File Transfer Protocol (FTP) control connection FTP Server FTP Client FTP uses ◮ a persistent control connection 20 / 34

  31. Example: File Transfer Protocol (FTP) data connection control connection FTP Server FTP Client FTP uses ◮ a persistent control connection ◮ an on-demand data connection e.g. PORT command for 10.0.0.1:1025 PORT 10 , 0 , 0 , 1 , 4 , 1 20 / 34

  32. Problem mitigation ◮ port forwarding ◮ static entry in the NAT state table (manually or via protocol) ◮ requires support in the NAT and end hosts 21 / 34

  33. Problem mitigation ◮ port forwarding ◮ static entry in the NAT state table (manually or via protocol) ◮ requires support in the NAT and end hosts ◮ application layer gateway (ALG) ◮ NAT analyzes and rewrites application layer protocols, e.g. FTP ◮ requires support for every protocol in the NAT device 21 / 34

Recommend

your exercise iLab 1+2 info event online Tell your friends!

your exercise iLab 1+2 info event online Tell your friends!

The iLab Experience a blended learning hands-on course concept you set the focus Final Lecture Marc-Oliver Pahl, Jul 25, 2017 your exercise iLab 1+2 info event online Tell your friends!

1.81k views • 96 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Countersurveillance Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Surveillance and operational security 14ws 1 lecture evaluation oral

916 views • 30 slides
ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 5 DNS and DNSSec History and Motivation of DNS Problem: The Internet needs IP addresses. Human beings do not memorize IP

779 views • 23 slides
ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to

ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 4 TCP/UDP Purpose of the Transport Layer Provides an end to end connectivity to applications application application 4

647 views • 26 slides
iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TLS and packet filters Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 7 17ws 1 / 41 Outline Trust Transport Layer Security Packet filter

1.19k views • 43 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 18ss 1 / 36 Outline Introduction Trust architecture Protocols Attacks

663 views • 45 slides
iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Onion Routing Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 9 16ss 1 / 38 Outline Introduction Trust architecture Protocols Attacks

879 views • 47 slides
course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance,

course evaluation room for attestations: 03.05.051 iLab Threat modelling, surveillance, operational security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt

986 views • 47 slides
iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab TCP / UDP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 4 14ws 1 Outline Transport Layer UDP TCP MTCP / SCTP 2 Outline

720 views • 32 slides
ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one

Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen ilab Lab 8 - SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL (Secure Socket Layer) /

812 views • 25 slides
iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen October 18, 2017 Based on slides of Lukas Schwaighofer 1

678 views • 46 slides
iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr

iLab 2 Internet Protocol version 6 Stefan Liebald liebald@net.in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen April 25, 2017 Based on slides of Lukas Schwaighofer 1

471 views • 10 slides
iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de

iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de

iLab Static routing Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 2 17ws 1 / 21 Outline Meta

540 views • 27 slides
The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself - Hardware YE - Topic Outline May 29, 2018 10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP

1.64k views • 125 slides
iLab Wireless Networks Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Wireless Networks Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und

iLab Wireless Networks Florian Wohlfart wohlfart@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 10 16ss 1 / 32 Oral attestations available dates Friday,

521 views • 33 slides
iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de

iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de

iLab TCP / UDP Minoo Rouhi rouhi@net.in.tum.de Slides by Florian Wohlfart wohlfart@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 4 17ws 1 / 43 Outline Meta

1.55k views • 57 slides
iLab Basics Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Basics Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste

iLab Basics Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Lab 1 15ss 1 Outline Internet protocol architecture MAC addresses Internet protocol

241 views • 21 slides
iL iLab ab Lab 1+2 The Basics / Static Routing Consultation hours We will introduce

iL iLab ab Lab 1+2 The Basics / Static Routing Consultation hours We will introduce

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen iL iLab ab Lab 1+2 The Basics / Static Routing Consultation hours We will introduce consultation hours Starting next week

632 views • 41 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 14ss 1 Outline Cryptography

780 views • 54 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 15ws 1 / 72 Outline Cryptography

903 views • 88 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 16ss 1 / 38 Outline

504 views • 46 slides
ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is

ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen ilab Lab 7 Basics of Cryptography / Security I Testate 2 nd Half of Term This lecture is divided into two halves: Basics of

935 views • 51 slides

More recommend