iLab NAT / DHCP Florian Wohlfart wohlfart@in.tum.de Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München Lab 6 – 16ss 1 / 34
Motivation: IPv4 Address Scarcity source: http://www.heise.de/newsticker/meldung/RIPE-72-Streit-um-letzte-IPv4-Adressen-3221309.html 2 / 34
Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 3 / 34
Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 4 / 34
Yearly Address Allocations source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015) 5 / 34
Allocated Address Blocks source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015) 6 / 34
IPv4 Address Allocation in 2012 source: A. Dainotti et al., Estimating Internet address space usage through passive measurements, ACM Computer Communication Review (2014) 7 / 34
IPv4 Address Scarcity: Mitigation Strategies ◮ a) more efficient use of the address space → e.g. use unrouted addresses, address trading 8 / 34
IPv4 Address Scarcity: Mitigation Strategies ◮ a) more efficient use of the address space → e.g. use unrouted addresses, address trading ◮ b) create more addresses → IPv6 8 / 34
IPv4 Address Scarcity: Mitigation Strategies ◮ a) more efficient use of the address space → e.g. use unrouted addresses, address trading ◮ b) create more addresses → IPv6 ◮ c) address sharing → NAT 8 / 34
a) IPv4 Address Market Address trading / company mergers ◮ in 2011 Microsoft bought 667K IPv4 addresses for 7.5M, that makes USD 11.25 per address source: http://www.theregister.co.uk/2011/03/24/microsoft_ip_spend ◮ in 2011 the bankrupt bookseller Borders offered 65K IPv4 addresses for USD 12 per address source: http://www.theregister.co.uk/2011/12/05/borders_flogs_ipv4_addys ◮ IPv4 Address Trading Portals e.g. http://addrex.net, http://www.iptrading.com, http://ipv4marketgroup.com Address pricing ◮ opaque, transactions not public ◮ further reading: Lee Howard, Internet Access Pricing in a Post-IPv4 Runout World, http://www.asgard.org/images/pricing_v1.3.docx 9 / 34
b) IPv6 Deployment ◮ IPv6 still accounts for < 1% of the Internet traffic, but IPv6 traffic grows by 400% each year source: J. Czyz et al., Measuring IPv6 Adoption, SIGCOMM’14 http://www.icir.org/mallman/pubs/CAZ+14/CAZ+14- talk.pdf https://www.google.com/intl/en/ipv6/statistics.html ◮ many ISPs already offer native IPv6: e.g. Deutsche Telekom, Kabel Deutschland, M-Net in Germany see: https://en.wikipedia.org/wiki/IPv6_deployment 10 / 34
b) IPv6 Deployment (cont.) source: https://blogs.akamai.com/2015/06/three-years-since-world-ipv6-launch-strong-ipv6-growth-continues.html 11 / 34
c) Address Sharing: Private IPv4 Address Ranges Properties ◮ anyone can use these IP address ranges in their own network ◮ addresses are not routed in the public Internet ◮ Internet access through address translation → NAT Address Ranges ◮ RFC 1918 reserves the following IPv4 address ranges ◮ 10.0.0.0/8 ◮ 172.16.0.0/12 ◮ 192.168.0.0/16 ◮ RFC 6598 reserves an additional range for ISP networks ◮ 100.64.0.0/10 ◮ RFC 4193 specifies Unique Local IPv6 addresses ◮ fc00::/7 12 / 34
Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 13 / 34
Concept: Providing Internet Access for Private IPs Private Host Internet e.g. 192.168.1.42 ◮ outgoing packet: replace packet source with public endpoint 14 / 34
Concept: Providing Internet Access for Private IPs Private Host Internet e.g. 192.168.1.42 ◮ outgoing packet: replace packet source with public endpoint Private Host Internet e.g. 192.168.1.42 ◮ incoming packet: replace packet destination with local host 14 / 34
Network Address (and Port) Translation (NAT) Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 15 / 34
Network Address (and Port) Translation (NAT) Packet src: 192.168.1.43:3345 dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 15 / 34
Network Address (and Port) Translation (NAT) Packet src: dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets 15 / 34
Network Address (and Port) Translation (NAT) Packet src: 1.2.3.4 dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets 15 / 34
Network Address (and Port) Translation (NAT) Packet src: 1.2.3.4:4444 dst: 131.159.15.49:80 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets 15 / 34
Network Address (and Port) Translation (NAT) NAT translation table Packet L4 global endpoint local endpoint src: 1.2.3.4:4444 dst: 131.159.15.49:80 TCP 1.2.3.4:4444 192.168.1.43:3345 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets ◮ remember mapping of private and public endpoint 15 / 34
Network Address (and Port) Translation (NAT) NAT translation table Packet L4 global endpoint local endpoint src: 131.159.15.49:80 dst: 1.2.3.4:4444 TCP 1.2.3.4:4444 192.168.1.43:3345 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets ◮ remember mapping of private and public endpoint ◮ lookup mapping of private and public endpoint 15 / 34
Network Address (and Port) Translation (NAT) NAT translation table Packet Packet L4 global endpoint local endpoint src: 131.159.15.49:80 src: 131.159.15.49:80 dst: 192.168.1.43:3345 dst: TCP 1.2.3.4:4444 192.168.1.43:3345 Private Host 192.168.1.42 Server NAT 131.159.15.49 Internet pub: 1.2.3.4 Private Host priv: 192.168.1.1 192.168.1.43 ◮ replace src IP (and port) in outgoing packets ◮ remember mapping of private and public endpoint ◮ lookup mapping of private and public endpoint ◮ replace dst IP (and port) in incoming packets 15 / 34
NAT in Practice Deployment ◮ today the majority of end users are located behind NAT (+ other middleboxes) ◮ no standardization of NAT → many different implementations ◮ transparent to the public Internet 16 / 34
NAT in Practice (contd.) Benefits ◮ effectively saves IP addresses: allows ∼ 65,000 simultaneous flows with a single public IP address ◮ address independence: public/private IP addresses can be changed independently ◮ topology hiding: devices inside local network are not explicitly addressable/visible from outside Problems ◮ connections can only be established from the local network ◮ ports should not be used to address hosts ◮ routers should not manipulate packets above layer 2 (end-to-end principle) 17 / 34
Protocols Affected by NAT characteristics of protocols that are affected by NAT (RFC 3027): ◮ server located in the local network ◮ any service behind NAT, peer-to-peer applications ◮ realm-specific IP address information in payload ◮ e.g. SIP, FTP ◮ bundled session applications ◮ protocols using multiple connections, e.g. active FTP ◮ unsupported protocols ◮ e.g. SCTP, IPsec 18 / 34
Example: Session Initiation Protocol (SIP) INVITE message: establish a session (e.g. VoIP call) between peers INVITE s i p : Callee@200 . 3 . 4 . 5 SIP /2.0 Via : SIP /2.0/UDP 192.168.1.5:5060 s r c : < s i p : Caller@192.168.1.5 > dst : <s i p : Callee@200 .3.4.5 > CSeq : 1 INVITE Contact : <s i p : Caller@192 .168.1.5:5060 > Content − Type : a p p l i c a t i o n /sdp v=0 o=A l i c e 214365879 214365879 IN IP4 192.168.1.5 c=IN IP4 192.168.1.5 t= 0 0 m =audio 5200 RTP/AVP 0 9 7 3 a=rtpmap :8 PCMU/8000 a=rtpmap :3 GSM/8000 19 / 34
Example: File Transfer Protocol (FTP) control connection FTP Server FTP Client FTP uses ◮ a persistent control connection 20 / 34
Example: File Transfer Protocol (FTP) data connection control connection FTP Server FTP Client FTP uses ◮ a persistent control connection ◮ an on-demand data connection e.g. PORT command for 10.0.0.1:1025 PORT 10 , 0 , 0 , 1 , 4 , 1 20 / 34
Problem mitigation ◮ port forwarding ◮ static entry in the NAT state table (manually or via protocol) ◮ requires support in the NAT and end hosts 21 / 34
Problem mitigation ◮ port forwarding ◮ static entry in the NAT state table (manually or via protocol) ◮ requires support in the NAT and end hosts ◮ application layer gateway (ALG) ◮ NAT analyzes and rewrites application layer protocols, e.g. FTP ◮ requires support for every protocol in the NAT device 21 / 34
Recommend
More recommend