Recall Chapter 3

cursefarmΔίκτυα και Επικοινωνίες

24 Οκτ 2013 (πριν από 4 χρόνια και 16 μέρες)

85 εμφανίσεις

1

Recall Chapter 3
:

Figure 3.2

We need an addressing system that separately identifies the
destination network and the destination host

so that routers can forward on basis of destination network.

Each network needs a distinct network address.

2

Recall Chapter 4: every physical network has to have its own unique




IPv4 network address (class A, B, or C)

Figure 4.1

The classful system is rigid and wasteful of the IP address space.

Efforts to utilize the IPv4 address space more efficiently and delay
exhaustion:




1987 subnetting (chapter 9A)




1993 supernetting (chapter 9B)




2000 network address translation (chapter 19)

With the advent of Local Area Networks and growth of the Internet, it
became clear that the IPv4 address space would “soon” become
exhausted.

3

Chapter 9


Classless and Subnet Address Extensions

(CIDR)

9.3
Minimizing Network Numbers

We have been assuming that every
physical

network had its own class A, B, or C
IP network prefix.

UAB has class B network address 138.26.0.0

But there is clearly more than one
physical

network on campus!

9.5
Subnet Addressing


This became a required part of IP in 1987.


Individual sites have the freedom to modify addresses and routes as long as the
modifications remain invisible to other sites.

A site can choose to use IP addresses in unusual ways internally as long as:





all hosts and routers at the site agree to honor the site’s









addressing scheme;




other sites on the Internet can treat addresses as a network








prefix and a host suffix.

4

9.5
Subnet Addressing

-

continued

Example
:

Site with class B address 128.10.0.0 has two physical networks
-

subnets

Only router R knows that there are multiple physical
networks at the site and how to forward traffic among
them; all other routers in the Internet forward traffic as if
there were a single physical network at the site.

Figure 9.2








5

9.5
Subnet Addressing

-

continued


In this example the local site has chosen to use the third octet of
the address to distinguish between the two networks.

“Subnetting on the basis of the 3rd octet”

6

9.5
Subnet Addressing



continued

Relationship to original “classful” addressing system

Figure 9.3

Original classful
IP addressing

With subnet
addressing

Hierarchical routing
:

Routers in other autonomous systems use only the Internet part;

Routers within this autonomous system also use the additional octet;

Final delivery to host also uses the remaining octet.

subnet

7

9.6
Flexibility in Subnet Assignment

Subnetting on the basis of the third octet is not the only possibility.
Consider this
intra
net:

Figure 9.4

Need 5 subnets
-

How could subnet addressing be performed?








8

9.6
Flexibility in Subnet Assignment



continued

The number of bits allocated to the subnet can be chosen to fit the situation.

Slice up the pie for a class
-
B address:

9

In this example, allocating 3 bits would allow 6 subnets (2
3



2), each
with up to 8190 (2
13



2) hosts.

(
-
2 because we do not assign all
-
zeros or all
-
1s to hosts or subnets)

Figure 9.4








10

9.8
Implementation of Subnets with Masks

The division of the 32
-
bit IP address for subnetting is controlled by the







32
-
bit
subnet mask
or

address mask

Network + subnet part

Host part

We use dotted decimal notation to represent this as



255 . 255 . 255 . 0

To extract the (network + subnet) part of an IP destination
address (as needed for routing within intranet):



<destination IP address> .AND. <subnet mask>

For example, subnetting on the basis of the third octet is represented by



11111111 11111111 11111111 00000000

11

Recall from chapter 7


Forwarding IP Datagrams
:

Figure 7.2

12

9.11
The Subnet Forwarding Algorithm

Before subnetting, the rows of the routing table contained duples



<destination network address> <next hop>

We extracted the destination network address from the 32
-
bit datagram
destination address by looking at the first 1, 2, or 3 bits, to identify if the
destination host was connected to a class A, B, or C network.

With subnetting it is no longer possible for internal routers to deduce
the destination network address on the basis of the datagram
destination address alone.


We have to expand our routing table rows to triples



<address mask>

<destination network address> <next hop>


and revise the forwarding algorithm used in the intranet.

13

9.12
A Unified Forwarding Algorithm

Recall the Chapter 7 forwarding algorithm:

Figure 7.3

This algorithm has to be modified to account for subnetting.

Before subnetting
we could
determine N from
destination IP
address alone

14

9.12
A Unified Forwarding Algorithm



continued

Figure 9.7

Only the internal routers have to be modified, since
subnetting is invisible to outsiders.

New step

This also needs
to be ANDed
with the
address mask

15

9.12
A Unified Forwarding Algorithm

Recall the Chapter 7 forwarding algorithm:

Figure 7.3

What happened to these special cases?

16

9.12
A Unified Forwarding Algorithm



continued

What happened to the special cases in figure 7.3?


Default route: use address mask 0 . 0 . 0 . 0


with destination network address 0 . 0 . 0 . 0



table row will be



<address mask> <destination network address> <next hop>



0 . 0 . 0 . 0


0 . 0 . 0 . 0


next hop for









default route



(because any I
D

ANDed with 0 . 0 . 0 . 0 gives 0 . 0 . 0 . 0)



Default route must be last row in forwarding table.

Host
-
specific route: use address mask 255.255.255.255

17

Figure 9.4

.254

.253

.252

.254

.253

.252

Class B address
138.26.0.0

All subnet masks
255.255.255.0

138.26.1.0

138.26.2.0

.1

138.26.3.0



18

9.13
Maintenance of Subnet Masks

Subnet masks are assigned by the network administrator.


19

9.14
Broadcasting to Subnets


Recall special forms of IP address from chapter 4:

Following this, we interpret an IP address


<network part> <subnet part> 111…11

as indicating broadcast to all hosts on <subnet>

Figure 4.4

20

9.15
Anonymous Point
-
to
-
Point Networks

A typical situation for a router in a wide
-
area network is that once an exit
interface has been chosen, there is only one possible destination.

In this situation we don’t need to waste an IP network prefix

and don’t need to ARP.

21

9.15
Anonymous Point
-
to
-
Point Networks

-

continued


Figure 9.8(b) routing table in R1

There is no need for a “next hop”


the exit interface is sufficient.





22

NAT provides IP
-
level access between hosts at a site and the rest of the
Internet, without requiring each host at the site to have a globally
-
valid IP
address (can use private, non
-
unique addresses eg. 192.168.1.1 )

Allows an internal host to access service on an external computer.

The site must have a single router, with at least one globally
-
valid IP
address, G, connecting to the Internet. This router runs the NAT software.

Chapter 19


Private Network Connection

(NAT, VPN)

All datagrams pass through the “NAT box” on their way
to or from the Internet.

19.6
Network Address Translation

Like subnetting, NAT was motivated by a shortage of IPv4 addresses

23

Outgoing datagrams: NAT replaces the (private) source address with G

NAT

24

Reply datagram will arrive at G
-

how does router/NAT know which internal
host should receive the datagram?

NAT maintains a translation table that it uses to perform the mapping.

Entry in table:


IP address of the external server, IP address of internal client

NAT

NAT converts destination address G to private address 192.168.1.1
and forwards the datagram.

25


19.7
NAT Translation Table Creation


How is the translation table constructed? 3 possibilities:





Manual Initialization




Outgoing Datagrams




this is the “classic” method


when datagram arrives at the



internal NAT interface, the router records the (internal)




source address and the (external) destination address.



This method does not allow contact to be initiated from outside







(may not be a bad thing


security)




Incoming Name Lookups



table is built as a side
-
effect of handling incoming DNS lookups



(possible only if organization is running a DNS server and is






willing to have external access).







26

19.7
NAT Translation Table Creation



continued

“Outgoing datagram” method popular among ISPs

Figure 19.4

27

19.8
Multi
-
Address NAT

Problem: What if two internal hosts are accessing the same
external server at the same time?

Translation table, with entries



IP address of the external server, IP address of internal client

will be ambiguous.

First idea: NAT box has a set of globally
-
valid IP addresses,




G
1

.. G
K


Up to K internal clients can access the same server at the
same time.

28

19.9
Port
-
Mapped NAT

Network Address and Port Translation (NAPT) is a better solution.

Outgoing datagrams: NAPT substitutes both source IP address and
source port.

Inside client

Outside server

Figure 19.5
-

reduced

29

30

19.9
Port
-
Mapped NAT

-

continued

Since ports are 16
-
bit quantities, NAPT allows up to 2
16
internal client to access the same external server at the
same time.

In our implementation in the lab, the NAT box does not
substitute a source port unless two internal clients
accidentally choose the same random client port number.

31

NAPT gets router involved in layer 4!

(looking inside “data” in IP datagram, not just header)

Transport

32

19.10
Interaction between NAPT and ICMP

NAPT uses the port number to identify the client.

ICMP is layer 3, so does not have a port number.

So how can PING, or ICMP error messages, work through a NAT box?

33

19.10
Interaction
between NAPT and
ICMP



continued

PING

What does the NAT box do?

34

19.10
Interaction between NAT and ICMP



continued

Format for echo request/ echo reply:

Although there is no port number that can be used, there is the
IDENTIFIER field.

This contains a 16
-
bit number chosen randomly by the requestor.

RFC 2663 states that this is used by NAT, in place of a port number, to
route the echo reply back to the requestor over the intranet.


35

19.10
Interaction between NAT and ICMP



continued

What about ICMP error messages, such as “destination unreachable”?
Situation with NO NAPT

Outer IP Datagram






Inner IP Datagram

36

IP: source = R, dest = G

ICMP type 3

Inner datagram

IP: source = G, dest = W

TCP: source port = y, dest = 80

19.10
Interaction between NAT and ICMP



continued

IP: source = S, dest = W

TCP: source port = x, dest =80

IP: source = G, dest = W

TCP: source port = y, dest = 80

IP: source = R, dest = G

ICMP, Not TCP!

G,W,y,80



S,W,x,80

IP: source = R, dest = S

ICMP type 3

Inner datagram

IP: source = S, dest = W

TCP: source port = x, dest = 80

Need this!

Have this!

37

19.10
Interaction
between NAT
and ICMP



continued

NAPT has to “drill down” into inner datagram to retrieve source port y,

and original destination W, then do table lookup to find that the ICMP
message should be forwarded to S.







Inner Datagram



38

19.10
Interaction between NAT and ICMP



continued

Before forwarding the ICMP “destination unreachable” message to the
sender of the original datagram, NAT must translate the addresses in
the ICMP message so that they are exactly the same as in the original
datagram.

Then recompute the checksum in the ICMP header, then recompute the
checksum in the outer IP datagram header.

39

To provide a meaningful ICMP “destination unreachable” to the original
sender of the datagram, the NAT box must:




Translate the source address in the “inner” datagram




Translate the source port in the “inner” datagram




Recompute the header checksum in the “inner” datagram




Recompute the ICMP header checksum



19.10
Interaction between NAT and ICMP



continued




translate the destination IP address in the “outer” header





Recompute the header checksum in the “outer” header.

40

19.11
Interaction between NAT and Applications


Applications cause problems if they send IP addresses or protocol ports
as data.

e.g. FTP (active mode):

Frame from Ethereal trace captur2a.ftp

Frame 25

Ethernet II

Internet Protocol


Protocol: TCP (0x06)


Header checksum: 0xb213 (correct)


Source: 192.168.1.1 (FTP Client)


Destination: 192.168.1.2 (FTP Server)

Transmission Control Protocol


Source port: 1388


Destination port: ftp (21)

File Transfer Protocol (FTP)


Request: PORT


Request Arg: 192,168,1,1,5,109




[Port information transmitted in ASCII]



41

19.11
Interaction between NAT and Applications

-

continued

NAT

Active mode FTP does not work with NAT for
internal client, external server,

42

Fixing FTP in active mode would require the router to
“drill down” all the way to the FTP message.

Transport

FTP message

43

19.11
Interaction between NAT and Applications

-

continued

NAT

FTP in passive does work between internal client and external server

(confirmed by RFC 2663)

44

19.12
NAT in the Presence of Fragmentation

NAPT cannot work with fragmented datagrams, since
only the first fragment will contain the TCP or UDP
header, with the port numbers.

45

19.13
Conceptual Address Domains

“We have described NAT as a technology that can be used to
connect a private network to the global internet.

In fact, NAT can be used to connect any two
address domains
.”

This leads to multiple levels of NAT.

46

19.13
Conceptual
Address
Domains

-

continued

47

19.14
Slirp and iptables

iptables supports packet rewriting and firewalling.

We use iptables in lab session #5 to construct packet filters.

NAT or NAPT can be constructed using iptables rules.