iLab NAT / DHCP
Florian Wohlfart, wohlfart@in.tum.de
Lehrstuhl für Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München
Lab 6 – 14ws
Outline
◮ IPv4 Address Allocation
◮ NAT
◮ DHCP
Internet Growth: IPv4 Address Allocation (figure; source: www.potaroo.net/tools/ipv4)
IPv4 Address Allocation in 1996 (figure; source: xkcd.com/195)
IPv4 Address Depletion since 1996 (figure; source: Mro, CC-BY-SA, commons.wikimedia.org/wiki/File:Ipv4-exhaust.svg)
Private IPv4 Address Space
RFC 1918 reserves "private" IPv4 address ranges.
Implications
◮ anyone can use these IP address ranges in their own network
◮ addresses are not routed in the public Internet
◮ Internet access through address translation
Address Ranges
◮ RFC 1918 reserves the following IPv4 address ranges
  ◮ 10.0.0.0/8
  ◮ 172.16.0.0/12
  ◮ 192.168.0.0/16
◮ RFC 6598 reserves an additional range for ISP networks
  ◮ 100.64.0.0/10
◮ RFC 4193 reserves an IPv6 address range
  ◮ fc00::/7
Providing Internet Access for Private IPs
(figure: Private Host 192.168.1.42 – Server 131.159.15.49)
◮ outgoing packet: replace source with public endpoint
◮ incoming packet: replace destination with local host
Network Address (and Port) Translation (NAT)
(figure: Private Hosts 192.168.1.42 and 192.168.1.43 – NAT with priv: 192.168.1.1, pub: 1.2.3.4 – Server 131.159.15.49)
◮ replace src IP (and port) in outgoing packets
◮ remember mapping of private and public endpoint
◮ lookup mapping of private and public endpoint
◮ replace dst IP (and port) in incoming packets
NAT Implications
Advantages
◮ effectively saves IP addresses: allows ∼ 65,000 simultaneous connections with a single public IP address
◮ address independence: public/private IP addresses can be changed independently
◮ topology hiding: devices inside the local network are not explicitly addressable/visible from outside
Problems
◮ connections can only be established from the local network
◮ routers should not manipulate packets above layer 2 (end-to-end principle)
◮ ports should not be used to address hosts
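The four NAT steps above (rewrite source, remember mapping, look up mapping, rewrite destination) as an added example that is not part of the slides. It models a NAPT with one public IP and an endpoint-independent mapping; the public IP 1.2.3.4 and the port pool are assumptions, and an inbound packet without state is dropped, which is the "connections can only be established from inside" property.

```python
# Added example (not from the slides): a minimal NAPT state table.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class Napt:
    """Endpoint-independent mapping: one public port per private (ip, port)."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._next_port, self._last_port = first_port, last_port
        self._out: Dict[Endpoint, int] = {}  # private endpoint -> public port
        self._in: Dict[int, Endpoint] = {}   # public port -> private endpoint

    def _map(self, private: Endpoint) -> int:
        """Return the public port for a private endpoint, allocating one if new."""
        port = self._out.get(private)
        if port is None:
            if self._next_port > self._last_port:
                raise RuntimeError("port pool exhausted")  # ~64k mappings per public IP
            port, self._next_port = self._next_port, self._next_port + 1
            self._out[private] = port
            self._in[port] = private
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Private -> public: rewrite the source endpoint and remember the mapping."""
        return Packet(src=(self.public_ip, self._map(pkt.src)), dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: look up the mapping; unsolicited packets are dropped."""
        private = self._in.get(pkt.dst[1]) if pkt.dst[0] == self.public_ip else None
        if private is None:
            return None  # no state: a connection can only be opened from the inside
        return Packet(src=pkt.src, dst=private)
```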
Protocols Affected by NAT
Characteristics of protocols that are affected by NAT (RFC 3027):
◮ realm-specific IP address information in payload
  ◮ e.g. SIP, FTP
◮ bundled session applications
  ◮ protocols using multiple connections, e.g. active FTP
◮ peer-to-peer applications / server located in local network
  ◮ any service behind NAT
◮ unsupported protocols
  ◮ e.g. SCTP, IPsec
Session Initiation Protocol (SIP)
INVITE message: establish a session (e.g. VoIP call) between peers

    INVITE sip:Callee@200.3.4.5 SIP/2.0
    Via: SIP/2.0/UDP 192.168.1.5:5060
    From: <sip:Caller@192.168.1.5>
    To: <sip:Callee@200.3.4.5>
    CSeq: 1 INVITE
    Contact: <sip:Caller@192.168.1.5:5060>
    Content-Type: application/sdp

    v=0
    o=Alice 214365879 214365879 IN IP4 192.168.1.5
    c=IN IP4 192.168.1.5
    t=0 0
    m=audio 5200 RTP/AVP 0 9 7 3
    a=rtpmap:8 PCMU/8000
    a=rtpmap:3 GSM/8000
File Transfer Protocol (FTP)
FTP uses
◮ a persistent control connection
◮ an on-demand data connection
(figure: FTP Client – control connection / data connection – FTP Server)
Solutions
◮ port forwarding
  ◮ static entry in the NAT state table (manually or via protocol)
◮ application layer gateway (ALG)
  ◮ NAT analyzes and rewrites application layer protocols, e.g. FTP
◮ hole punching
  ◮ private hosts try to establish a direct connection to each other
◮ relay
  ◮ public relay server forwards connections
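What an application layer gateway has to do for the SIP INVITE shown earlier, as an added example that is not part of the slides: plain header translation leaves the private address 192.168.1.5 in the Via, From and Contact headers and in the SDP o= and c= lines, so the ALG must find those realm-specific addresses and rewrite them, and it must read the RTP port from the m= line to install the matching static NAT entry. The message is a shortened copy of the slide's INVITE, and the public IP 1.2.3.4 is an assumption.

```python
# Added example (not from the slides): address rewriting an SIP ALG performs.
import ipaddress
import re

# Constructed sample: the slide's INVITE, shortened to the lines that matter.
SIP_MSG = """INVITE sip:Callee@200.3.4.5 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.5:5060
From: <sip:Caller@192.168.1.5>
To: <sip:Callee@200.3.4.5>
Contact: <sip:Caller@192.168.1.5:5060>
Content-Type: application/sdp

v=0
o=Alice 214365879 214365879 IN IP4 192.168.1.5
c=IN IP4 192.168.1.5
m=audio 5200 RTP/AVP 0
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def private_addresses(msg: str) -> list:
    """Distinct RFC 1918 addresses carried in headers and SDP body, in order."""
    found = []
    for m in IPV4_RE.finditer(msg):
        if ipaddress.ip_address(m.group(1)).is_private and m.group(1) not in found:
            found.append(m.group(1))
    return found


def media_ports(msg: str) -> list:
    """Ports announced in SDP m= lines; the NAT needs a static entry for each."""
    return [int(m.group(1)) for m in re.finditer(r"^m=\w+ (\d+) ", msg, re.M)]


def sip_alg_rewrite(msg: str, public_ip: str) -> str:
    """Replace every private address in the message with the NAT's public IP.

    Public addresses (the callee's 200.3.4.5) are left untouched.
    """
    def sub(m):
        return public_ip if ipaddress.ip_address(m.group(1)).is_private else m.group(1)
    return IPV4_RE.sub(sub, msg)
```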
Test your own Connection
◮ NAT Analyzer
  ◮ web-based test to understand NAT behavior
  ◮ nattest.net.in.tum.de
◮ Netalyzr
  ◮ web-based test or Android application
  ◮ more than 100 tests including NAT behavior
  ◮ netalyzr.icsi.berkeley.edu
The Situation Today
Full IPv6 deployment is going to take a while
◮ Google currently serves 4% of its users via IPv6 (source: www.google.com/intl/en/ipv6/statistics.html)
◮ 13.9% of the "Alexa Top 1000" websites are reachable via IPv6 (source: www.worldipv6launch.org/measurements/)
ISPs are running out of IPv4 addresses
◮ IANA address pool depleted on 03-Feb-2011 (source: www.potaroo.net/tools/ipv4)
◮ growing number of subscribers
Dual stack for every device is not feasible anymore
⇒ deployment of Large Scale NAT / Carrier Grade NAT
NAT 444 (figure)
Dual Stack Lite (figure)
464XLAT / SIIT
Stateless IP/ICMP Translation (SIIT)
◮ reserved IPv6 address range for IPv4-translated addresses
  ◮ ::ffff:0:0:0/96
Customer-side translation (CLAT)
◮ private IPv4 is translated into IPv6 using SIIT
Provider-side translation (PLAT)
◮ translate IPv4-translated addresses back to IPv4 and perform NAT
Dynamic Host Configuration Protocol (DHCP)
Design
◮ automated distribution of network configuration, e.g. IP addresses, subnets, gateway, DNS server, etc.
◮ UDP based client-server protocol
◮ clients request an IP address
◮ servers lease IP addresses to clients for a certain amount of time
Standardization
◮ first specified in RFC 1541 (1993)
◮ DHCPv6 (RFC 3315) is a stateful counterpart to SLAAC
◮ RFC 3633 adds prefix delegation
DHCP Process
◮ discover/solicit message: client announces its presence in the network (L2 broadcast)
◮ offer/advertise message: server(s) make a lease offer to the client
◮ request message: client accepts an offer and requests the offered configuration (L2 broadcast)
  ◮ implicitly denies offers of other servers
  ◮ is also used to extend the lease of a currently used configuration
◮ acknowledge/reply message: server leases a configuration to the client
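The four-message exchange above, as an added example that is not part of the slides: two servers answer the broadcast discover, the client's broadcast request names one of them (the other drops its offer), and the same request path later extends the lease. Server names, address pools, MAC addresses and the integer clock are constructed for the example.

```python
# Added example (not from the slides): the discover/offer/request/acknowledge
# exchange as plain Python objects with a simulated integer clock.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Lease:
    ip: str
    server: str
    expires: int  # simulated clock value


class DhcpServer:
    def __init__(self, name: str, pool: List[str], lease_time: int):
        self.name, self.pool, self.lease_time = name, list(pool), lease_time
        self.leases: Dict[str, Lease] = {}  # client MAC -> lease

    def offer(self, mac: str) -> Optional[dict]:
        """Answer a broadcast DISCOVER with a tentative OFFER (nothing committed)."""
        if mac in self.leases:
            return {"server": self.name, "ip": self.leases[mac].ip}
        return {"server": self.name, "ip": self.pool[0]} if self.pool else None

    def request(self, mac: str, offer: dict, now: int) -> Optional[Lease]:
        """REQUEST names the chosen server; every other server drops its offer."""
        if offer["server"] != self.name:
            return None  # implicitly declined
        lease = self.leases.get(mac)
        if lease is None:
            self.pool.remove(offer["ip"])
            lease = self.leases[mac] = Lease(offer["ip"], self.name, 0)
        lease.expires = now + self.lease_time  # fresh lease or renewal
        return lease  # the ACK


def dhcp_exchange(mac: str, servers: List[DhcpServer], now: int) -> Optional[Lease]:
    """Full exchange: broadcast DISCOVER, take the first OFFER, broadcast REQUEST."""
    offers = [o for o in (s.offer(mac) for s in servers) if o]
    if not offers:
        return None
    acks = [a for a in (s.request(mac, offers[0], now) for s in servers) if a]
    return acks[0] if acks else None


def dhcp_renew(mac: str, lease: Lease, servers: List[DhcpServer], now: int) -> Lease:
    """Renewal: REQUEST the current configuration again from the leasing server."""
    server = next(s for s in servers if s.name == lease.server)
    return server.request(mac, {"server": lease.server, "ip": lease.ip}, now)
```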
DHCPv6 Prefix Delegation
◮ extension enables the DHCPv6 server to assign prefixes
◮ RFC 3177 recommends that ISPs assign a /48 subnet to their customers (/64 in mobile networks)
◮ requesting router at the customer acts as DHCP client and requests to be assigned prefix(es)
◮ delegating router at the ISP acts as a DHCP server and assigns prefix(es) to the requesting router
(figure: delegating router – requesting router; prefixes shown: 2001:DB8::/48, 2001:0DB8::/64, 2001:0DB8:0000:0001::/64)