9/16/2019
15-441/641: Computer Networks
The Internet Protocol
Fall 2019
Profs Peter Steenkiste & Justine Sherry
https://computer-networks.github.io/fa19/

Outline
• The IP protocol
  • IPv4
  • IPv6
• IP in practice
  • Network address translation
  • Tunnels
  • ARP

How have we made it so far with IPv4?
• Original IP Model: Every host has unique IP address
• This has very attractive properties …
  • Any host can communicate with any other host
  • Any host can act as a server: just advertise IP and port number
• … but the system is open – complicates security
  • Any host can attack any other host
  • It is easy to forge packets: just use invalid source address
• … and it places pressure on the address space
  • Every host requires “public” IP address
  • There are at most 4.2 billion IPv4 addresses!

How about a Magic Box?
[Figure: clients (C) inside Corporation X, a box marked “???” between the corporation and the Internet, and a server (S) out on the Internet]
• Not enough IP addresses for every host in organization
  • Increasingly hard to get large address blocks
• Security
  • Don’t want every machine in organization known to outside world
  • Want to control or monitor traffic in / out of organization
Reducing Address Use: Not All Hosts are Equal!
• Most machines within organization are used by individuals
  • They always act as clients
• Only a small number of machines act as servers for the organization
  • E.g., mail server, web, ..
• All traffic to outside passes through firewall
(Most) machines within organization do not need public IP addresses!

Network Address Translation
[Figure: clients 10.1.1.1, 10.2.2.2 and 10.3.3.3 inside Corporation X, a NAT box at the edge, the Internet and a server (S) beyond it]
• Within organization: assign each host a private IP address
  • IP address blocks 10/8 & 192.168/16 are private
  • Used for routing within the organization by IP protocol
  • Can do subnetting, ..
• The NAT translates between public and private IP addresses as packets travel to/from the Internet
  • It does not let any packets from internal nodes “escape”
  • Outside world does not need to know about internal addresses

NAT: Client Request
[Figure: NAT has public IP address 243.4.4.4; client C 10.2.2.2:1000 (and another client 10.5.5.5) inside Corporation X; server S 198.2.4.5:80 on the Internet]
  Packet from client: source 10.2.2.2, dest 198.2.4.5, src port 1000, dest port 80
• Client 10.2.2.2 wants to connect to server 198.2.4.5:80
  • OS assigns ephemeral port (1000)
  • Connection request intercepted by firewall
  • Maps client to port of firewall (5000)
  • Creates NAT table entry
  NAT table:
  Int Addr   Int Port   NAT Port
  10.2.2.2   1000       5000

NAT: Opening Client Connection
  Packet after the NAT: source 243.4.4.4, dest 198.2.4.5, src port 5000, dest port 80
• NAT acts as proxy for client
  • Intercepts message from client and marks itself as sender
  NAT table:
  Int Addr   Int Port   NAT Port
  10.2.2.2   1000       5000
NAT: Server Response
  Packet from server: source 198.2.4.5, dest 243.4.4.4, src port 80, dest port 5000
  Packet after the NAT: source 198.2.4.5, dest 10.2.2.2, src port 80, dest port 1000
• NAT acts as proxy for client
  • Acts as destination for server messages
  • Relabels destination to local addresses
  NAT table:
  Int Addr   Int Port   NAT Port
  10.2.2.2   1000       5000

Client Request Mapping
  Private network:  source 10.2.2.2,  src port 1000, dest 198.2.4.5, dest port 80
  Public Internet:  source 243.4.4.4, src port 5000, dest 198.2.4.5, dest port 80
• NAT manages mapping between two four-tuples
• Mapping must be unique: one to one
• Must respect practical constraints
  • Cannot modify server IP address or port number
  • Client NAT has limited number of IP addresses, often 1
  • Mapping client port numbers is important!
• Mapping must be consistent: the same for all packets in the session

NAT: Enabling Servers
[Figure: server S 10.3.3.3 inside Corporation X behind NAT 243.4.4.4; client C on the Internet]
• Use port mapping to make servers available
  • Manually configure NAT table to include entry for well-known port
  • External users give address 243.4.4.4:80
  • Requests forwarded to server
  NAT table:
  Int Addr   Int Port   NAT Port
  10.3.3.3   80         80

NAT Benefits
• They significantly reduce the need for public IP addresses
• NATs directly help with security
  • Hides IP addresses used in internal network
  • Basic protection against external attack
  • Does not expose internal structure to outside world
  • Can easily control what packets come in and out of system
  • Can reliably determine whether packet from inside or outside
• And NATs have many additional benefits
  • Easy to change ISP: only NAT box needs to have a public IP address
  • NAT boxes make home networking simple
  • Can be used to map between addresses from different address families, e.g., IPv4 and IPv6
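The translation described on the slides above (client request, opening the connection, server response, and the manually configured entry for an internal server) as a small Python model. This is an added example, not code from the lecture; the addresses and ports are the slides' sample values, and allocating NAT ports sequentially from 5000 is an assumption made here.

```python
from __future__ import annotations
from dataclasses import dataclass

# Addresses and ports below are the ones the slides use (constructed sample data).
NAT_PUBLIC_IP = "243.4.4.4"
FIRST_NAT_PORT = 5000

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

class Nat:
    """Port-translating NAT with one public address and per-session hard state."""

    def __init__(self, public_ip: str = NAT_PUBLIC_IP):
        self.public_ip = public_ip
        self.next_port = FIRST_NAT_PORT
        self.out_map = {}   # (int_addr, int_port) -> nat_port
        self.in_map = {}    # nat_port -> (int_addr, int_port)

    def add_static(self, int_addr: str, int_port: int, nat_port: int) -> None:
        """Manually configured entry that exposes an internal server (NAT: Enabling Servers)."""
        self.out_map[(int_addr, int_port)] = nat_port
        self.in_map[nat_port] = (int_addr, int_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: source becomes the NAT's public address plus a NAT port."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:         # first packet of a session: create the table entry
            while self.next_port in self.in_map:   # never hand out a port that is still mapped
                self.next_port += 1
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        # Same mapping for every packet of the session; server address and port are untouched.
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Internet -> inside: relabel the destination to the internal host, or drop the packet."""
        if pkt.dst != self.public_ip or pkt.dport not in self.in_map:
            return None                     # no table entry: an unsolicited packet does not get in
        int_addr, int_port = self.in_map[pkt.dport]
        return Packet(pkt.src, pkt.sport, int_addr, int_port, pkt.payload)
```

The `inbound` drop is the mechanism behind the "can reliably determine whether packet from inside or outside" and "need to punch a hole" points: without a table entry, nothing reaches an internal host.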
Principle: Fate Sharing
[Figure labels: Connection, State, No State]
• Recall Goal 1 of Internet: Continue despite loss of networks or gateways
• “You can lose state information relevant to an entity’s connections if and only if the entity itself is lost”
  • Example: OK to lose TCP state if either endpoint crashes
    • The TCP connection is no longer useful anyway!
  • It is NOT okay to lose the connection if an unrelated entity goes down
    • Example: if an intermediate router reboots
• NATs violate this principle: if it goes down, all communication sessions are lost!
  • Unless you add redundancy and put state in persistent storage
• Bad news: many stateful “middleboxes” violate this rule
  • Firewalls, mobility services, … - more on this later
• Good news: today’s hardware is very reliable

NAT Challenges
• NAT has to be consistent during a session.
  • Mapping (hard state) must be maintained during the session
  • Recycle the mapping after the end of the session
  • May be hard to detect when a session is really over
• NATs only work for certain applications.
  • Some applications (e.g. ftp) pass IP information in payload - oops
  • Need application level gateways to do a matching translation
• NATs are a problem for peer-peer applications
  • File sharing, multi-player games, … Everyone is a server!
  • Need to “punch” hole through NAT

Outline
• The IP protocol
  • IPv4
  • IPv6
• IP in practice
  • Network address translation
  • Tunnels
  • ARP (next lecture)

Motivation Tunneling
• There are cases where not all routers have the same features
• An experimental IP feature is only selectively deployed – how do we use this feature end-to-end?
  • E.g., IP multicast
• A few are using a protocol other than IPv4 – how can they communicate?
  • E.g., incremental deployment of IPv6
• I am traveling with a CMU laptop - how can I keep my CMU IP address?
  • E.g., must have CMU address to use some internal services
Tunneling - Concept
[Figure: packet IP1 | Data leaves an upgraded router, enters the tunnel at the Tunnel Entry IP as IP2 | IP1 | Data, crosses legacy routers, and leaves the tunnel at the Tunnel Exit IP as IP1 | Data again]
• Force a packet to go to a specific point in the network.
  • Cannot rely on routers on the regular path
• Achieved by adding an extra IP header to the packet with a new destination address.
  • Similar to putting a letter in another envelope
  • preferable to IP source routing
• Used increasingly to deal with special routing requirements or new features.
  • Mobile IP, ..
  • Multicast, IPv6, research, ..

IP-in-IP Tunneling
[Figure: outer IPv4 header (V/HL, TOS, Length, ID, Flags/Offset, TTL, Protocol, H. Checksum, Source IP address, Destination IP address) wrapped around the inner IP header and payload]
• Described in RFC 1993.
• IP source and destination address identify tunnel endpoints.
• Protocol id = 4.
  • Just an example: IPv4
  • Could be “6” for IPv6
• Several fields are copies of the inner-IP header.
  • TOS, some flags, ..
• Inner header is not modified, except for decrementing TTL.

Tunneling Example
[Figure: nodes A through L along a path; a tunnel between C and H; the packet A → L | Payload is carried as C → H | A → L | Payload inside the tunnel and continues as A → L | Payload afterwards]
• Routing is based on outer-header

Tunneling Applications
• Virtual private networks.
  • Connect subnets of a corporation using IP tunnels
  • Often combined with IP Sec (later)
• Support for new or unusual protocols.
  • Routers that support the protocols use tunnels to “bypass” routers that do not support it
  • E.g. multicast, IPv6 (!)
• Force packets to follow non-standard routes.
  • E.g. mobile IP (later)
Extending Private Network: VPNs
[Figure: Corporation X (10.X.X.X, internal host 10.1.2.3) behind gateway 243.4.4.4; remote employee C with local address 198.3.3.3 and internal address 10.6.6.6; server S 197.2.2.2 on the Internet. Packet: outer header with Protocol 4, source 198.3.3.3, destination 243.4.4.4; inner header source 10.6.6.6, destination 197.2.2.2; payload]
• Employee works remotely with local address 198.3.3.3
• Wants to appear as if working internally
• Establishes Virtual Private Network (VPN) – “tunnel”
• Receives internal address 10.6.6.6 through tunnel
• Encapsulation forces packets through corporate network
• Provides access to internal/external services
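The encapsulation on the IP-in-IP Tunneling slide and the VPN packet on the slide above, worked through in Python: the tunnel entry decrements the inner TTL, then wraps the packet in an outer header with protocol id 4 whose source and destination are the tunnel endpoints and whose TOS and DF flag are copied from the inner header. This is an added example, not code from the lecture; the addresses are the slides' sample values, the packet contents are constructed, and headers without IP options are assumed.

```python
import socket
import struct

IPPROTO_IPIP = 4   # outer-header protocol id for IP-in-IP (slide: "Protocol id = 4")

def checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload, tos=0, ttl=64, ident=0, flags=0):
    """20-byte IPv4 header (no options) plus payload; flags is the 3-bit field (0b010 = DF)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, flags << 13,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    """Header fields this example cares about, plus the payload that follows the header."""
    v_ihl, tos, _, ident, fo, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return dict(tos=tos, ttl=ttl, proto=proto, flags=fo >> 13, ident=ident,
                src=socket.inet_ntoa(s), dst=socket.inet_ntoa(d), payload=pkt[(v_ihl & 0xF) * 4:])

def decrement_ttl(pkt):
    """The only change the tunnel makes to the inner header: TTL - 1 and a fresh checksum."""
    ihl = (pkt[0] & 0xF) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def encapsulate(inner, entry_ip, exit_ip):
    """Tunnel entry: outer src/dst are the tunnel endpoints; TOS and the DF flag are copied."""
    inner = decrement_ttl(inner)
    f = parse_ipv4(inner)
    return build_ipv4(entry_ip, exit_ip, IPPROTO_IPIP, inner, tos=f["tos"], flags=f["flags"] & 0b010)

def decapsulate(pkt):
    """Tunnel exit: strip the outer header; None if the packet is not valid IP-in-IP."""
    f = parse_ipv4(pkt)
    if f["proto"] != IPPROTO_IPIP or checksum(pkt[:(pkt[0] & 0xF) * 4]) != 0:
        return None
    return f["payload"]
```

Routers between 198.3.3.3 and 243.4.4.4 forward on the outer header only, which is why the private inner addresses never need to be routable on the Internet.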