CIT 384: Network Administration Slide #1
CIT 384: Network Administration
NAT
CIT 384: Network Administration Slide #2
Topics
1. IP Address Exhaustion
2. Solutions: CIDR, Reclamation, NAT, IPv6
3. Static NAT
4. Dynamic NAT
5. PAT
6. DHCP
CIT 384: Network Administration Slide #3
Address Classes
Class A: 0.0.0.0-127.255.255.255
– 8-bit net ID, 24-bit host ID
– 2^24 – 2 hosts per network; 126 networks
Class B: 128.0.0.0-191.255.255.255
– 16-bit net ID, 16-bit host ID
– 2^16 – 2 hosts per network; 16,384 networks
Class C: 192.0.0.0-223.255.255.255
– 24-bit net ID, 8-bit host ID
– (2^8 – 2) = 254 hosts per network; 2,097,152 networks
Class D: 224.0.0.0-239.255.255.255
– 28-bit multicast group ID
Class E: 240.0.0.0-255.255.255.255
– Reserved for future use
CIT 384: Network Administration Slide #4
Public IP Addresses
ICANN assigns network numbers.
– Internet Corporation for Assigned Network Numbers.
– ICANN gives authority to regional orgs, e.g. ARIN (American Registry for Internet Numbers)
– Typically to ISPs, universities, corporations.
ISP assigns IP addresses within network
CIT 384: Network Administration Slide #5
IPv4 Address Exhaustion
Classful addressing is wasteful
– <1% of most class As are in use
– Most class Bs aren’t fully used either.
– All IP addresses were going to be used by 1990s.
Solutions
– CIDR
– NAT
– IPv6
CIT 384: Network Administration Slide #6
CIDR
Classless Inter-Domain Routing
– Classful routing wastes most IP addresses.
– Allocate addresses on bit boundaries instead of byte boundaries.
– Allow ISPs/users to decide on boundaries instead of basing on IP addresses.
Prefix notation
– /x indicates that first x bits are shared.
– 192.168.0.0/16 = 192.168.0.0 – 192.168.255.255
CIT 384: Network Administration Slide #7
IPv4 Address Conservation
Reclaim unused addresses
– Some address blocks owned by companies that are out of business.
Reclaim underused blocks
– Take class As away from current owners, and subdivide with CIDR.
– Requires owners to renumber all machines.
Start using class E addresses
– Windows TCP/IP stack can’t use class E addrs.
CIT 384: Network Administration Slide #8
NAT
Network Address Translation
– Use RFC1918 private addresses internally.
– Use public IP addresses externally.
– Use router to translate between int + ext IP addresses.
Private IP Networks
Network                            Class   Count of Networks
10.0.0.0                           A       1
172.16.0.0 through 172.31.0.0      B       16
192.168.0.0 through 192.168.255.0  C       256
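Added example (not from the slides): the CIDR prefix arithmetic from slide #6 and the RFC 1918 private-block check a NAT router needs, done with plain bit operations rather than a library, so the "first x bits are shared" rule is visible. The functions and names are my own.

```python
import socket
import struct

def ip_to_int(ip):
    """Dotted-quad string -> 32-bit integer (raises on malformed input)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]

def int_to_ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def cidr_range(cidr):
    """Return (first, last, usable_hosts) for 'a.b.c.d/x'.

    /x means the first x bits are shared (the prefix) and the remaining
    32-x bits identify hosts; the network and broadcast addresses are
    not usable, matching the '2^n - 2' figures in the class table."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = ip_to_int(ip) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    # /31 and /32 have no separate network/broadcast address to subtract.
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return int_to_ip(net), int_to_ip(bcast), usable

# The three RFC 1918 blocks from the slide table, written as prefixes.
PRIVATE_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def is_private(ip):
    """True if ip is RFC 1918 space, i.e. it cannot be routed on the
    public Internet and must be translated by the NAT router."""
    n = ip_to_int(ip)
    for block in PRIVATE_BLOCKS:
        first, last, _ = cidr_range(block)
        if ip_to_int(first) <= n <= ip_to_int(last):
            return True
    return False

if __name__ == "__main__":
    print(cidr_range("192.168.0.0/16"))   # ('192.168.0.0', '192.168.255.255', 65534)
    print(is_private("172.31.200.1"), is_private("172.32.0.1"))   # True False
```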
CIT 384: Network Administration Slide #9
IPv4 vs IPv6 Addresses
Feature               IPv4               IPv6
Size of Address       32 bits            128 bits
Example Address       10.1.1.1           0000:0000:0000:0000:FFFF:FFFF:0A01:0101
Abbreviated Address   -                  ::FFFF:FFFF:0A01:0101
Localhost             127.0.0.1          ::1/128
Possible Addresses    2^32 (~4 billion)  2^128 (~3.4 x 10^38)
CIT 384: Network Administration Slide #10
NAT Concepts
Uses public IP addr to represent private IP.
– Translates source IP in outgoing packets.
– Translates dest IP in incoming packets.
– Router keeps table of translations.
CIT 384: Network Administration Slide #11
Static NAT
CIT 384: Network Administration Slide #12
Static NAT
Maps one internal IP to one external IP
– Need one public IP for each private IP
– Does not reduce # of IPv4 addresses needed
Applications
– Useful if internal addresses overlap another organization’s IP addresses.
CIT 384: Network Administration Slide #13
Cisco NAT Terminology
inside local: IP addresses used on internal network.
inside global: public IP addresses that are used to represent inside local addresses on the outside net.
CIT 384: Network Administration Slide #14
Cisco NAT Terminology
Inside local: Actual IP address assigned to a host in the private enterprise network.
Inside global: A NAT router changes source IP from inside local to inside global. Inside global addresses can be used for routing on the public network.
Outside global: Actual IP address assigned to a host that resides in the outside network.
Outside local: NAT can also translate outside global addresses to outside local addresses.
CIT 384: Network Administration Slide #15
Dynamic NAT
Creates one-to-one address mapping
– Dynamic mapping on an as-needed basis.
– Mappings expire when not in use.
– Allows many internal hosts to use a small pool of n external addresses, as long as no more than n internal hosts need to access Internet at once.
Applications
– IP address conservation.
– Useful if internal addresses overlap another organization’s IP addresses and external addresses are limited.
CIT 384: Network Administration Slide #16
Dynamic NAT
CIT 384: Network Administration Slide #17
Dynamic NAT
1. Host 10.1.1.1 sends first pkt to 170.1.1.1.
2. Router adds NAT table entry.
   1. Router checks if NAT is needed or not. Since pkt is from inside local to inside global, NAT is needed.
   2. Router adds entry for inside local 10.1.1.1.
3. NAT router allocates IP from pool.
   1. Picks first available address (200.1.1.1)
   2. Adds this inside global address to table entry.
4. NAT router translates source IP + forwards.
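Added example (not from the slides, not Cisco code): a toy dynamic-NAT router that follows the four steps above, with the slide's addresses (10.1.1.1 to 170.1.1.1 via 200.1.1.1), and also shows the two behaviours the slides mention but the walk-through does not: entries expire when idle, and a new host is refused when the pool is empty. The class, the idle timeout and the explicit `now` clock are my own.

```python
import ipaddress

class DynamicNat:
    """Toy dynamic NAT: one-to-one inside-local -> inside-global mappings,
    allocated on demand from a pool and expired when idle."""

    def __init__(self, inside_net, pool, idle_timeout=60.0):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.free = list(pool)          # inside-global addresses still available
        self.table = {}                 # inside local -> [inside global, last-used time]
        self.idle_timeout = idle_timeout

    def _expire(self, now):
        """Mappings expire when not in use; their addresses return to the pool."""
        for local, (glob, last) in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[local]
                self.free.append(glob)

    def outbound(self, src, dst, now):
        """Inside->outside packet: returns (new_src, dst), or None when the
        pool is exhausted (dynamic NAT denies access if there are too few
        external addresses)."""
        self._expire(now)
        # Step 1: NAT is needed only for packets from an inside-local address.
        if ipaddress.ip_address(src) not in self.inside_net:
            return src, dst
        if src not in self.table:
            # Steps 2-3: add a table entry and allocate the first free address.
            if not self.free:
                return None
            self.table[src] = [self.free.pop(0), now]
        entry = self.table[src]
        entry[1] = now
        # Step 4: rewrite the source IP and forward.
        return entry[0], dst

    def inbound(self, src, dst, now):
        """Outside->inside reply: map the inside-global destination back."""
        for local, entry in self.table.items():
            if entry[0] == dst:
                entry[1] = now
                return src, local
        return None                     # no mapping in the table: drop

if __name__ == "__main__":
    nat = DynamicNat("10.0.0.0/8", ["200.1.1.1", "200.1.1.2"])
    print(nat.outbound("10.1.1.1", "170.1.1.1", now=0))   # ('200.1.1.1', '170.1.1.1')
    print(nat.inbound("170.1.1.1", "200.1.1.1", now=1))   # ('170.1.1.1', '10.1.1.1')
```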
CIT 384: Network Administration Slide #18
Port Address Translation
Dynamic NAT saves some IP addresses
– If 10% of machines use Internet at once, can use a 10:1 ratio of internal to external IP addresses.
– Dynamic NAT will deny access if too few ext IPs.
– What if we could improve that by 2^16?
Rewrite source ports as well as source IPs.
– Source port is random high port for outgoing pkts
– Use diff src port for each connection to outside.
– NAT table contains connections, not just IPs.
CIT 384: Network Administration Slide #19
Normal Port Usage
CIT 384: Network Administration Slide #20
PAT
NAT Table
– Maps inside local IP address + port
– to outside local IP address + port
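Added example (not from the slides, not Cisco code): a toy PAT table keyed by connection rather than by address, so many inside hosts share one inside-global IP and are told apart by the translated source port. It also shows the inbound direction: a packet from outside is forwarded only if its destination port has an outbound entry. The class, port range and protocol tag are my own.

```python
import ipaddress

class Pat:
    """Toy PAT: many inside-local (IP, port) pairs share one inside-global IP,
    distinguished by the translated source port. The table holds connections,
    not just addresses."""

    def __init__(self, inside_net, global_ip, port_range=(1024, 65535)):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.global_ip = global_ip
        self.next_port, self.last_port = port_range
        self.out = {}    # (local_ip, local_port, proto) -> translated port
        self.back = {}   # (translated port, proto) -> (local_ip, local_port)

    def _alloc_port(self, proto):
        """Use a different translated source port for each connection."""
        while self.next_port <= self.last_port:
            p = self.next_port
            self.next_port += 1
            if (p, proto) not in self.back:
                return p
        return None                              # 2^16 ports used up

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside->outside: rewrite source IP and port; None if no port left."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return (src_ip, src_port, dst_ip, dst_port)
        key = (src_ip, src_port, proto)
        if key not in self.out:
            p = self._alloc_port(proto)
            if p is None:
                return None
            self.out[key] = p
            self.back[(p, proto)] = (src_ip, src_port)
        return (self.global_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside->inside: only a port with an outbound entry is forwarded;
        anything else has no mapping and is dropped."""
        if dst_ip != self.global_ip:
            return None
        mapped = self.back.get((dst_port, proto))
        if mapped is None:
            return None
        return (src_ip, src_port, mapped[0], mapped[1])
```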
CIT 384: Network Administration Slide #21
Bidirectional NAT
CIT 384: Network Administration Slide #22
Bidirectional NAT Applications
Translating overlapping IP ranges.
– Useful during mergers or bad numbering.
Load balancing
– Translate single server IP address to address of one of many identical servers.
Failover
– If server is down, add NAT entry to redirect to replacement server.
Transparent proxying
– Redirect HTTP connections for caching or security reasons without configuring proxy in browser.
CIT 384: Network Administration Slide #23
NAT Complications
Checksum recalculation
– Changing address field invalidates CRC.
– Router recalculates IP + higher layer checksums.
– Fragments must be reassembled too.
Layer mixing
– Some apps (ftp) send network layer data in application layer packets (port + IP for ftp.)
– NAT must sniff packets to get this information, then translate app layer data too.
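Added example (not from the slides): the checksum complication made concrete. It builds a minimal IPv4 header with the slide's addresses, shows that rewriting the source address alone leaves a checksum that no longer verifies, recomputes it the way a NAT router must, and checks that RFC 1624's incremental update gives the same result as a full recompute. The header layout is constructed for this example; the helper names are my own.

```python
import struct

def internet_checksum(data):
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, payload_len=20, proto=6, ttl=64):
    """20-byte IPv4 header (no options) with a correct header checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]

def checksum_ok(hdr):
    """A header verifies when the sum over all of it folds to zero."""
    return internet_checksum(hdr) == 0

def rewrite_source(hdr, new_src, fix_checksum=True):
    """What NAT does to the IP header: replace the source address, then
    recompute the checksum. With fix_checksum=False the stale checksum is
    left in place, which is the broken packet a careless rewrite produces.
    (TCP/UDP checksums cover the addresses too and need the same fix.)"""
    new_src_b = bytes(int(x) for x in new_src.split("."))
    patched = hdr[:12] + new_src_b + hdr[16:]
    if not fix_checksum:
        return patched
    zeroed = patched[:10] + b"\x00\x00" + patched[12:]
    return zeroed[:10] + struct.pack("!H", internet_checksum(zeroed)) + zeroed[12:]

def incremental_checksum(old_csum, old_bytes, new_bytes):
    """RFC 1624 update HC' = ~(~HC + ~m + m') per changed 16-bit word, so a
    router need not re-sum the whole header; must equal a full recompute."""
    hc = (~old_csum) & 0xFFFF
    for i in range(0, len(old_bytes), 2):
        m = (old_bytes[i] << 8) | old_bytes[i + 1]
        m2 = (new_bytes[i] << 8) | new_bytes[i + 1]
        hc += ((~m) & 0xFFFF) + m2
    while hc >> 16:
        hc = (hc & 0xFFFF) + (hc >> 16)
    return (~hc) & 0xFFFF
```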
CIT 384: Network Administration Slide #24
NAT Problems
NAT breaks some applications
– Add complexity to router to fix important apps.
– Other apps may remain broken.
NAT reduces performance
– Especially due to features for special apps.
Breaks end-to-end nature of Internet
– All hosts do not have equal access.
– Limits ability to run servers and certain apps.
CIT 384: Network Administration Slide #25
DHCP
Dynamic Host Configuration Protocol
– Standard introduced in 1993 with RFC 1531.
– Replaced RARP and BOOTP.
Configures network params for clients.
– IP address.
– Default route.
– Server addresses (DNS, NIS, tftp, etc.)
– MTU, TTL, etc.
CIT 384: Network Administration Slide #26
DHCP Conversation
1. Client sends broadcast to discover DHCP svrs.
2. DHCP server broadcasts offer.
3. DHCP client broadcasts request telling server which IP addr it wants.
4. DHCP server acks request, notifying that IP addr reserved.
CIT 384: Network Administration Slide #27
Address Allocation
Dynamic
– Host given “lease” on IP address for a specified period of time.
– Clients can release leases.
– Clients can ask for lease to a specific IP addr.
Automatic
– Address permanently assigned to client.
Manual
– Address selected by the client.
CIT 384: Network Administration Slide #28
DHCP Security
Unauthorized servers
– Any server can respond to DHCP broadcast.
– Client typically uses first message received.
– Malicious server can control client DNS, routes.
Unauthorized clients
– Masquerade MAC address to pretend to be a legitimate client to learn IP addresses of router and important servers.
DHCP authentication in RFC 3118
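Added example (not from the slides): a toy version of the four-message DHCP conversation from slide #26 with two servers answering the same broadcast, to make the unauthorized-server point above concrete. The client keeps the first offer it receives, the request names that server, and the legitimate server sees a request carrying another server's identifier, which is the signal a defender can log and alert on. Server class, addresses and MACs are constructed for this example.

```python
class Server:
    """Minimal DHCP server: one pool, one router/DNS to hand out."""

    def __init__(self, ip, pool, router, dns):
        self.ip, self.pool, self.router, self.dns = ip, list(pool), router, dns
        self.leases = {}                 # mac -> ip
        self.foreign_requests = []       # REQUESTs that chose a different server

    def offer(self, discover):
        """Step 2: answer a DISCOVER broadcast with an OFFER."""
        if not self.pool:
            return None
        return {"type": "OFFER", "server_id": self.ip, "mac": discover["mac"],
                "yiaddr": self.pool[0], "router": self.router, "dns": self.dns}

    def ack(self, request):
        """Step 4: ACK only if the client chose this server's offer. A request
        naming another server id is recorded: on a network with one legitimate
        server that is evidence of a rogue server answering first."""
        if request["server_id"] != self.ip:
            self.foreign_requests.append(request)
            return None
        ip = request["yiaddr"]
        self.pool.remove(ip)
        self.leases[request["mac"]] = ip
        return {"type": "ACK", "server_id": self.ip, "yiaddr": ip,
                "router": self.router, "dns": self.dns}

def client_exchange(mac, servers):
    """Steps 1-4 for one client. `servers` is in the order their replies
    arrive on the wire; the client keeps the first OFFER it receives."""
    discover = {"type": "DISCOVER", "mac": mac}             # step 1: broadcast
    offers = [o for o in (s.offer(discover) for s in servers) if o]
    if not offers:
        return None
    chosen = offers[0]
    request = {"type": "REQUEST", "mac": mac,               # step 3: broadcast
               "server_id": chosen["server_id"], "yiaddr": chosen["yiaddr"]}
    acks = [a for a in (s.ack(request) for s in servers) if a]
    return acks[0] if acks else None

if __name__ == "__main__":
    real = Server("10.1.1.254", ["10.1.1.50"], "10.1.1.254", "10.1.1.53")
    rogue = Server("10.1.1.77", ["10.1.1.200"], "10.1.1.77", "10.1.1.77")
    print(client_exchange("aa:bb:cc:00:00:01", [rogue, real]))  # rogue's ACK, rogue DNS
    print(real.foreign_requests)                                 # the request to alert on
```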