Network Address Translation
EETS 8312 Internet and Intranet Engineering – Fall 2003
Southern Methodist University
Dr Bernard Ku
EETS 8312 -- Internet and Intranet Engineering

Introduction
Network Address Translation (NAT) is a method of connecting multiple computers with unregistered IP addresses to the Internet (or any other IP network) using one or a group of registered IP addresses.
NAT is defined in RFC 1631. It was called "network address translator" in that RFC but is also commonly known as "network address translation".
Address allocation for private networks is defined in RFC 1918.

Topics of Discussion
- Why NAT? What problems does it solve?
- What are NAT's advantages?
- What are NAT's disadvantages?
- A subnet example without NAT.
- A subnet example using NAT.
- Other forms of NAT.
- Multi-homing.

Why NAT? What problems does it solve?
NAT is a method of allowing multiple computers (or appliances) with unregistered IP addresses to access the Internet using one or a group of registered IP addresses.
NAT's increasing use is driven by:
- A world shortage of IP addresses.
- Security needs.
- Ease and flexibility of network administration.

World shortage of IP addresses
The major cause of the IP address shortage was that too many addresses were passed out early on:
- MIT has 16,843,008 registered IP addresses.
- USC has 16,911,360.
- GE has 17,206,528.
- IBM has 17,542,656.
- AT&T has 19,800,320.
- …
Had those in charge foreseen the present situation, they would have been more frugal.

What can be done?
- Redesign IP with a bigger address field. IPv6 is being worked on, but it doesn't help now.
- Take back vast quantities of addresses given out long ago. (This CAN'T happen.)
- Figure out a way to stretch what we have as long as we can:
  - CIDR (we already covered this in class)
  - NAT

Security
Most view the Internet as one way; they forget that not only is their computer connected to the Internet, the Internet is also connected to their computer.
Important data residing on computers is at risk (credit card numbers, proprietary information, etc.).
NAT automatically provides firewall-type protection without any special set-up. Hackers can ping the NAT-enabled router, but the subnets behind it are "hidden from view."
Some NAT routers provide extensive filtering and traffic logging:
- Filtering is used to restrict traffic (which sites can be viewed).
- Logging creates log files of sites visited.

Network Administration
- Computers can be added or exchanged without affecting external networks.
- Modern NAT gateways support DHCP. When a computer is switched on, the NAT router assigns its private IP address automatically.
- Modern NAT gateways allow packet filtering.
- Modern NAT gateways have built-in inter-network capability: the internetwork can be divided into several separate subnets.
- NAT can be installed incrementally, without changes to hosts or routers.

What are NAT's advantages?
In summary, a NAT gateway can provide the following benefits:
- Firewall protection for the internal network.
- Protocol-level protection.
- Automatic client computer configuration control.
- Packet-level filtering and routing.
- Facilitates scalable routing in a multi-homed network.

What are NAT's disadvantages?
- NAT takes away the end-to-end significance of the IP address (but this can be a security advantage).
- End-to-end IP address significance is made up for with increased state in the network; forwarding packets will take a little longer.
Forms of NAT
There are two forms of NAT: Dynamic NAT and Static NAT.
- Static NAT maps unregistered IP addresses to registered addresses on a one-to-one basis.
- Dynamic NAT maps unregistered IP addresses to a group of registered IP addresses dynamically.
- Overloading is a form of Dynamic NAT that maps multiple unregistered IP addresses to ONE registered IP address.
The following example shows overloading.

A subnet example without NAT

Without NAT
- Computers and appliances are connected to the modem using a hub.
- The ISP must provide a separate IP address for each device on the network.
- The Internet is connected to each of the devices, exposing each device to attack.
- Some ISPs used to provide separate IP addresses for free, but now many charge extra for each additional address.

RFC 1918
While any addresses can be used for private networks, RFC 1918 strongly recommends that the following addresses be used:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
These addresses should never appear on the Internet.

A subnet example using dynamic NAT with overloading

With NAT (overloading)
- The NAT-enabled router (gateway) is connected to the modem.
- The ISP assigns IP address 198.76.29.17 to the NAT-enabled router.
- Using DHCP, the NAT-enabled router assigns an IP address in the 192.168.0.0 – 192.168.255.255 range to each device as it is switched on.
- A computer on the network can run software to configure the router if packet filtering or other configuration is required. Otherwise, the components can just be connected and they work.
- This is Dynamic NAT with overloading.
Address Translation
Packet as sent by the internal computer:
  Source Address      192.16.11.17
  Source Port         234
  Destination Address 230.58.27.9
  Destination Port    349
The above fields of the IP header completely define a single TCP/IP connection. This is what the NAT-enabled router sees when the computer with address 192.16.11.17, port 234, sends a packet to 230.58.27.9, port 349, through it.
Packet after translation:
  Source Address      198.76.29.17
  Source Port         3
  Destination Address 230.58.27.9
  Destination Port    349
NAT inserts its own IP address in the source address field and a unique port number in the source port field, and the packet is sent. The IP address and port of the sending computer are saved in an address translation table.

Address Translation (continued)
Packet as it returns from the Internet:
  Source Address      230.58.27.9
  Source Port         349
  Destination Address 198.76.29.17
  Destination Port    3
When the above packet returns from the Internet, NAT looks up the IP address and port of the computer that sent the original packet (saved in its address translation table) and replaces them in the destination address and port fields:
  Source Address      230.58.27.9
  Source Port         349
  Destination Address 192.16.11.17
  Destination Port    234
The packet is then forwarded to the computer having IP address 192.16.11.17 (port 234).
One can see how the internal computers are hidden. Pinging 198.76.29.17 pings the router. Internal IP addresses are never seen outside of the private network. Of course, many packets are sent and received independently.

Other NAT Forms
- If static NAT were being used, the router would do the same substitution but would always substitute the same registered IP address for the computer on the private network.
- If dynamic NAT were being used without overloading, the router would dynamically substitute an IP address from a pool of registered addresses.
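The translation steps on the two Address Translation slides, worked as an added Python example (not from the lecture), using the lecture's addresses and ports; the table layout, port allocator and class names are my own assumptions. It also shows why an inbound packet with no table entry never reaches the private network.

```python
"""Added example (not from the lecture): a minimal model of NAT overloading.
Addresses follow the slides: inside host 192.16.11.17:234, router 198.76.29.17,
remote host 230.58.27.9:349. The table and port allocator are constructed here."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OverloadNat:
    """Rewrites the source of outbound packets to the router's public address
    plus a unique port; inbound packets are forwarded only if a table entry
    exists for the destination port."""

    def __init__(self, public_ip: str, first_port: int = 3):
        self.public_ip = public_ip
        self.next_port = first_port
        # translation table: public port -> (private ip, private port)
        self.table: Dict[int, Tuple[str, int]] = {}
        # reverse index so one inside flow keeps the same public port
        self.by_inside: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        port = self.by_inside.get(key)
        if port is None:
            port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.table[port] = key         # remember who sent it
            self.by_inside[key] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Re-address a returning packet to the inside host, or return None
        when no mapping exists (unsolicited traffic is dropped at the router)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
```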
Multi-homing
Multi-homing is providing multiple points of access to the Internet through (possibly) multiple ISPs, each assigning an IP address or range of addresses to the network.
- Multi-homing reduces the chance of shutdown if one connection fails.
- Multi-homing allows load-balancing by lowering the number of computers connecting to the Internet through any one connection.

Multi-homing (continued)
- In a multi-homed network, routers use Border Gateway Protocol (BGP) to route between networks using different protocols.
- The router uses Internal BGP on the stub domain (private network) side.
- The router uses External BGP to communicate with other routers.
- NAT can be used to facilitate scalable routing for multi-homed, multi-provider connectivity.

Conclusion
- NAT offers a fast and effective way to expand secure Internet access into existing and new private networks (both home and business) without having to wait for IPv6.
- NAT offers security and greater network administrative flexibility than alternatives.
- NAT can be used to facilitate scalable routing for multi-homed, multi-provider connectivity.
- NAT is becoming the de facto standard for shared access.

References
- Network Safety, "Network Address Translation", www.safety.net/indnat.html, 1996.
- RFC 1631, "The IP Network Address Translator", www.faqs.org/rfcs/rfc1631.html, May 1994.
- RFC 1918, "Address Allocation for Private Networks", www.faqs.org/rfcs/rfc1918.html, February 1996.
- Vicomsoft white paper, www.vicomsoft.com/knowledge/reference/nat.html, no date given.
- "How Network Address Translation Works", www.computer.howstuffworks.com/nat.htm, no date given.