VPN and NAT
• We have been viewing the Internet as a collection of interconnected networks
• In reality, many organizations have private internets interconnected by the Internet
[Figure: Organization A’s private network – Internet – Organization B’s private network]

A Single-Level Internet
• A collection of interconnected networks
[Figure: a single-level internet]

A Single-Level Internet (cont)
• Problem: privacy
[Figure: Site 1 of Organization A – Internet – Site 2 of Organization A]

Solution #1
• A private network
  – An isolated TCP/IP internet separate from the Internet
  – Can use arbitrary IP addresses (usually private IPs)
[Figure: Organization A’s private network, separate from the Internet]

Solution #2
• A hybrid network:
  – Use globally valid IP addresses
  – Internal hosts can communicate with hosts on the Internet
  – Communications among internal hosts are private

Solution #3
• A Virtual Private Network (VPN):
  – Communication between any pair of computers in the VPN remains private
  – Virtual – uses the Internet to carry traffic from one part of the VPN to another
[Figure: VPN tunnel across the Internet between Site 1 and Site 2 of Organization A]

A Virtual Private Network
• How it works:
  – Tunneling: agreement by two routers to exchange datagrams
    • IP-in-IP encapsulation
  – Encryption: the encapsulated datagram is scrambled so that intermediate hosts/routers cannot read it

VPN – Addressing and Routing
• A hybrid network
• The VPN tunnel replaces the leased circuit

VPN – Addressing and Routing (cont)
• Example: a datagram from 128.10.2.0 to 128.210.0.0:
  – Sent to R2, then R1, then tunneled to R3, then R4

Distributed Private Network
• VPN can be used to create a distributed private network:
  – Internal hosts are isolated from the Internet
  – Hosts can be assigned private addresses
  – Each site needs one globally valid IP address for tunneling

Distributed Hybrid Network
• Internal hosts can communicate with hosts on the Internet
• Communications among internal hosts are private
• How to make it work?
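The tunneling step on the slides above (IP-in-IP encapsulation between the two tunnel routers), as an added Python example that is not part of the original lecture material. It builds a genuine IPv4 header with a valid Internet checksum, wraps the slide's example datagram (a host on the 128.10.2.0 network sending to a host on the 128.210.0.0 network) inside an outer datagram addressed between the two tunnel endpoints, and decapsulates it at the far end; the host addresses, the tunnel endpoint addresses for R1 and R3, the UDP protocol number in the inner header and the payload are assumed values. The encryption step the slide mentions is deliberately omitted, so this shows only the encapsulation: an intermediate router parses the outer header and sees the two endpoints and protocol 4, while the inner datagram travels as payload.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation


def checksum(data: bytes) -> int:
    """Internet checksum: ones'-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ttl: int = 64, ident: int = 0) -> bytes:
    """Build a minimal IPv4 datagram: 20-byte header, no options, valid checksum."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # bytes 10-11 hold the checksum
    return hdr + payload


def parse_ipv4(dgram: bytes) -> dict:
    """Decode header fields and verify the checksum; raises ValueError if the header is damaged."""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (dgram[0] & 0x0F) * 4
    hdr = dgram[:ihl]
    if checksum(hdr) != 0:  # a valid header (checksum included) sums to zero
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": dgram[ihl:total_len]}


def tunnel_encapsulate(inner: bytes, local_end: str, remote_end: str) -> bytes:
    """Entry router (R1 on the slide): the whole inner datagram becomes the payload of an
    outer datagram addressed from this tunnel endpoint to the remote one."""
    return build_ipv4(local_end, remote_end, IPPROTO_IPIP, inner)


def tunnel_decapsulate(outer: bytes, local_end: str) -> bytes:
    """Exit router (R3): accept only datagrams addressed to this endpoint that carry IP-in-IP,
    validate the inner header, and return the inner datagram for ordinary forwarding."""
    o = parse_ipv4(outer)
    if o["dst"] != local_end:
        raise ValueError("outer datagram is not addressed to this tunnel endpoint")
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer datagram does not carry IP-in-IP")
    inner = o["payload"]
    parse_ipv4(inner)  # reject a damaged inner datagram before forwarding it into the site
    return inner


def tunnel_accepts(outer: bytes, local_end: str) -> bool:
    """True if the exit router would forward the inner datagram, False if it drops it."""
    try:
        tunnel_decapsulate(outer, local_end)
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Inner datagram: a host on the slide's 128.10.2.0 network to a host on 128.210.0.0.
    # The host addresses, protocol 17 (UDP) and the payload are constructed for this example.
    inner = build_ipv4("128.10.2.7", "128.210.0.9", 17, b"site-1 to site-2")
    # Tunnel endpoints R1 and R3: assumed globally valid addresses, not given on the slides.
    r1, r3 = "203.0.113.1", "198.51.100.1"
    outer = tunnel_encapsulate(inner, r1, r3)
    in_transit = parse_ipv4(outer)  # what a router inside the Internet parses
    recovered = tunnel_decapsulate(outer, r3)
    # Simulated transit damage: one byte of the outer destination address flipped.
    damaged = outer[:16] + bytes([outer[16] ^ 0xFF]) + outer[17:]
    return {"inner": inner, "outer": outer,
            "transit_src": in_transit["src"], "transit_dst": in_transit["dst"],
            "transit_proto": in_transit["proto"], "recovered": recovered,
            "damaged_accepted": tunnel_accepts(damaged, r3),
            "wrong_endpoint_accepted": tunnel_accepts(outer, r1)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The outer datagram is exactly 20 bytes longer than the inner one, and the only addresses a transit router decodes are the two endpoints. Without the encryption step the inner header is still present in clear inside the payload; the slide's encryption requirement is what turns this encapsulation into a private tunnel.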
Application Gateways
• An application gateway is a program that acts as a middleman for a particular service
• Typically run on a multi-homed host that is the gateway between internal hosts and the Internet
  – Internal hosts send requests to the application gateway
  – Application gateway passes the request to the destination host
  – Destination host sends reply to the application gateway
  – Application gateway passes reply to originating internal host

Application Gateways
• Advantage:
  – Does not require changes to:
    • The network infrastructure
    • The addressing scheme
• Disadvantage:
  – Not general:
    • Each application gateway handles a specific service
    • A different application gateway program is required for each different service

Network Address Translation
• Network Address Translation (NAT) is software that translates addresses in incoming and outgoing datagrams
  – P = private address
  – G = globally-valid IP address
[Figure: Organization A’s private network (P) – NAT box (G) – Internet]

NAT (cont)
• The NAT box acts as a middleman between internal and external hosts:
  – Outgoing datagrams:
    • Source IP address is replaced with G
  – Incoming datagrams:
    • Destination IP address is replaced with the private IP address of the correct host
  – How does the NAT box know which is the “correct” host when it receives a reply from an external host?

NAT Translation Table
• The NAT software maintains a translation table that tells it what internal hosts are communicating with what external hosts

  External IP Address    Internal IP Address
  134.126.24.210         10.1.0.1
  134.126.14.32          10.1.0.3
  134.126.8.7            10.2.0.2
  134.126.43.111         10.1.0.8

• When a datagram arrives from 134.126.14.32 the destination address should be translated to 10.1.0.3

Translation Table Initialization
• How (and when) are entries placed in the translation table?
  – Manually
    • Good: permanent mappings, connections can originate either inside or outside
    • Bad: difficult to maintain

Translation Table Initialization (cont)
• How (and when) are entries placed in the translation table?
  – During translation of outgoing datagrams
    • Good: automatic
    • Bad: external hosts cannot initiate connections

Translation Table Initialization (cont)
• How (and when) are entries placed in the translation table?
  – In response to an incoming name lookup
    • Good:
      – Automatic
      – External hosts can initiate connections
    • Bad:
      – Requires modification to DNS server software
      – External hosts must perform a name lookup prior to sending datagrams to internal hosts

Shortcoming of NAT Translation Table
• What if two different internal hosts want to communicate with the same external host (134.126.24.210)?
  – Not clear which one to send replies to:

  External IP Address    Internal IP Address
  134.126.24.210         10.1.0.1
  134.126.14.32          10.1.0.3
  134.126.24.210         10.2.0.2
  134.126.43.111         10.1.0.8

Network Address Port Translation
• Network Address Port Translation (NAPT) expands the table to include additional fields:
• Note: two internal hosts (10.0.0.5 and 10.0.0.1) are both accessing port 80 on 128.10.19.20
  – NAPT translates both addresses and ports to avoid ambiguity

Network Address Port Translation (cont)
• Note: both the IP address and the port number are translated:
  – Datagrams from port 21023 on 10.0.0.5 are sent to 128.10.19.20 as if they came from port 14003 on the NAT box
  – Replies from 128.10.19.20 to port 14003 on the NAT box are forwarded to 10.0.0.5
  – Datagrams from port 386 on 10.0.0.1 are sent to 128.10.19.20 as if they came from port 14010 on the NAT box
  – Replies from 128.10.19.20 to port 14010 on the NAT box are forwarded to 10.0.0.1

NAT (cont)
• Advantages:
  – General: internal hosts can access an arbitrary service on an external host
  – Transparent to internal and external hosts
  – Helps conserve IP addresses
  – Shields internal host IP addresses
• Disadvantage:
  – Interaction with higher-layer protocols
    • ICMP
    • FTP

Summary
• A Virtual Private Network (VPN) sends data across the Internet, but encrypts intersite transmissions to guarantee privacy
• Network Address Translation (NAT) provides transparent IP-level access to the Internet from a host with a private address
  – There are variants of NAT, including Network Address Port Translation (NAPT), which translates protocol port numbers as well as IP addresses
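To make the translation-table slides concrete (the address-only table, its ambiguity for 134.126.24.210, the "manual" versus "during outgoing translation" initialization choices, and the NAPT fix), here is an added Python simulation that is not code from the lecture. It replays the slides' second table to show that an address-only entry for 134.126.24.210 leaves two candidate internal hosts, then replays the NAPT example with the slides' own addresses and port numbers (14003 and 14010). The NAT box's global address G (192.0.2.1), the external host 198.51.100.7 and the manually mapped internal server 10.0.0.9:80 are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterator, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT box rewrites; payload omitted."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class AddressOnlyNAT:
    """The slides' first table: external IP -> internal IP, with no port information."""

    def __init__(self, global_ip: str):
        self.g = global_ip
        self.table: Dict[str, Set[str]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        # Entry created during translation of an outgoing datagram.
        self.table.setdefault(pkt.dst_ip, set()).add(pkt.src_ip)
        return replace(pkt, src_ip=self.g)

    def candidates(self, external_ip: str) -> Set[str]:
        # Every internal host that has talked to external_ip; more than one means
        # the box cannot tell which host a reply belongs to.
        return set(self.table.get(external_ip, set()))


class NAPT:
    """Translates (address, port) pairs, so flows to the same external host stay distinct."""

    def __init__(self, global_ip: str, port_pool: Iterator[int]):
        self.g = global_ip
        self.port_pool = port_pool
        self.dynamic: Dict[Tuple[str, int, str, int], int] = {}    # (int_ip, int_port, ext_ip, ext_port) -> NAT port
        self.reverse: Dict[Tuple[int, str, int], Tuple[str, int]] = {}  # (NAT port, ext_ip, ext_port) -> (int_ip, int_port)
        self.static: Dict[int, Tuple[str, int]] = {}               # manual entries: NAT port -> (int_ip, int_port)

    def add_static(self, nat_port: int, internal_ip: str, internal_port: int) -> None:
        """Manual entry: permanent, and any external host may initiate a connection through it."""
        self.static[nat_port] = (internal_ip, internal_port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self.dynamic.get(key)
        if nat_port is None:
            for p, sock in self.static.items():  # internal server with a manual mapping
                if sock == (pkt.src_ip, pkt.src_port):
                    nat_port = p
        if nat_port is None:  # first datagram of a new outbound flow: allocate a NAT-box port
            nat_port = next(self.port_pool)
            self.dynamic[key] = nat_port
            self.reverse[(nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.g, src_port=nat_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.g:
            return None
        target = (self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
                  or self.static.get(pkt.dst_port))
        if target is None:
            return None  # no table entry: an unsolicited datagram is dropped
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


def address_only_ambiguity() -> Set[str]:
    """Replay the slides' second table: two internal hosts talk to 134.126.24.210."""
    nat = AddressOnlyNAT("192.0.2.1")  # G is assumed; the slides do not give the box's address
    for ext, internal in [("134.126.24.210", "10.1.0.1"), ("134.126.14.32", "10.1.0.3"),
                          ("134.126.24.210", "10.2.0.2"), ("134.126.43.111", "10.1.0.8")]:
        nat.outbound(Packet(internal, 0, ext, 0))
    return nat.candidates("134.126.24.210")


def napt_walkthrough() -> dict:
    """Replay the slides' NAPT example; the port values 14003 and 14010 come from the slide."""
    g = "192.0.2.1"
    nat = NAPT(g, iter([14003, 14010]))
    a_out = nat.outbound(Packet("10.0.0.5", 21023, "128.10.19.20", 80))
    b_out = nat.outbound(Packet("10.0.0.1", 386, "128.10.19.20", 80))
    reply_a = nat.inbound(Packet("128.10.19.20", 80, g, 14003))
    reply_b = nat.inbound(Packet("128.10.19.20", 80, g, 14010))
    stray = nat.inbound(Packet("198.51.100.7", 4444, g, 14003))  # other host, no flow: dropped
    # Constructed manual entry: expose internal server 10.0.0.9:80 as G:8080.
    nat.add_static(8080, "10.0.0.9", 80)
    initiated = nat.inbound(Packet("198.51.100.7", 4444, g, 8080))
    server_reply = nat.outbound(Packet("10.0.0.9", 80, "198.51.100.7", 4444))
    return {"a_out": a_out, "b_out": b_out, "reply_a": reply_a, "reply_b": reply_b,
            "stray": stray, "initiated": initiated, "server_reply": server_reply}
```

The dynamic entries are keyed on the full flow (internal address and port, external address and port), which is why a datagram from a different external host aimed at port 14003 matches nothing and is dropped; that is the "external hosts cannot initiate connections" drawback of initializing the table from outgoing traffic. The manual entry is the slides' first option: it lets an outside host open the connection, at the cost of someone maintaining the mapping.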