
The University of Sydney 1 PRIVATE NETWORK INTERCONNECTION (NAT AND VPN) & IPv6 NETS3303/3603 Week 7.




Slide 1: PRIVATE NETWORK INTERCONNECTION (NAT AND VPN) & IPv6 (NETS3303/3603 Week 7)

Slide 2: Expected outcomes
Need for VPN
How NAT also addressed address shortage
Motivation for IPv6
  – What's wrong with IPv4
  – How does IPv6 address this
What else does IPv6 introduce
Knowing about issues with transition from v4 to v6

Slide 3: Definitions
An internet is private if none of the facilities or traffic is accessible to other groups
Involves using leased lines to interconnect routers at various sites of the group
The global Internet is public
  – facilities shared by all subscribers

Slide 4: Hybrid Architecture
Permits some traffic to go over private connections
Allows contact with global Internet

Slide 5: The Cost Of Private And Public Networks
Private network extremely expensive
Public Internet access inexpensive
Goal: combine safety of private network with low cost of global Internet
How can an organization that uses the global Internet to connect its sites keep its data private?
Answer: Virtual Private Network (VPN)

Slide 6: Virtual Private Network
Connect all sites to global Internet
Protect data as it passes from one site to another
  – Encryption
  – IP-in-IP tunnelling
A VPN sends across the Internet, but encrypts intersite transmissions to guarantee privacy

Slide 7: Example Of VPN Addressing And Routing

Slide 8: Example VPN With Private Addresses
Advantage: only one globally valid IP address needed per site

Slide 9: General Access With Private Addresses
Question: how to provide multiple computers at the site access to Internet services without assigning each computer a globally valid IP address?
Two answers
  – Application gateway (one needed for each service) through multi-homed host
  – Network Address Translation (NAT)

Slide 10: Network Address Translation (NAT)
Extension to IP addressing
IP-level access to the Internet through a single IP address
Transparent to both ends
Implementation
  – Typically software
  – Usually installed in IP router
  – Or special-purpose hardware for highest speed

Slide 11: Network Address Translation (NAT) II
Pioneered in Unix program slirp
Also known as
  – Masquerade (Linux)
  – Internet Connection Sharing (Microsoft)
Inexpensive implementations available for home use

Slide 12: NAT Details
Organization
  – Obtains one globally valid address per Internet connection
  – Assigns nonroutable addresses internally (net 10)
  – Runs NAT software in router connecting to Internet
NAT
  – Replaces source address in outgoing datagram
  – Replaces destination address in incoming datagram
  – Also handles higher layer protocols (e.g., pseudo header for TCP or UDP)

Slide 13: NAT Translation Table
NAT uses translation table
Entry in table specifies local (private) endpoint and global destination
Typical paradigm
  – Entry in table created as side-effect of datagram leaving site
  – Entry in table used to reverse address mapping for incoming datagram

Slide 14: Example NAT Translation Table
Variant of NAT that uses protocol port numbers is known as
  – Network Address and Port Translation (NAPT)

Slide 15: Higher Layer Protocols And NAT
NAT must
  – Change IP headers
  – Possibly change TCP or UDP source ports
  – Recompute TCP or UDP checksums
  – Translate ICMP messages
  – Translate port numbers in an FTP session
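Slides 12 to 15 describe NAPT as a table built as a side effect of outgoing datagrams, reversed for incoming ones, with the transport checksum recomputed because the pseudo header changes. The following simulation is an added example, not code from the lecture: it models the router with one global address, two private hosts that happen to use the same source port, and an unsolicited inbound datagram that finds no table entry. Datagrams are modelled as a 5-tuple plus payload rather than raw bytes, and all addresses are constructed documentation or private values.

```python
"""NAPT (Network Address and Port Translation) simulation.

Added example for the NAT slides; not code from the lecture. A router
owning one globally valid address rewrites outgoing source (address, port)
pairs, creates the table entry as a side effect of the outgoing datagram,
and reverses the mapping for incoming datagrams. The TCP/UDP checksum is
recomputed over the pseudo header (RFC 1071 ones' complement arithmetic),
which is why a NAT cannot leave the transport header untouched.
Datagrams are a 5-tuple plus payload, not wire bytes; addresses are
constructed values (10.0.0.0/8 inside, documentation prefixes outside).
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def ones_complement_sum(words):
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def transport_checksum(d: Datagram) -> int:
    """Checksum over pseudo header + (simplified) transport header + payload."""
    proto_num = {"tcp": 6, "udp": 17}[d.proto]
    src = int(ipaddress.IPv4Address(d.src_ip)).to_bytes(4, "big")
    dst = int(ipaddress.IPv4Address(d.dst_ip)).to_bytes(4, "big")
    seg_len = 4 + len(d.payload)               # two ports + payload
    data = src + dst + bytes([0, proto_num]) + seg_len.to_bytes(2, "big")
    data += d.src_port.to_bytes(2, "big") + d.dst_port.to_bytes(2, "big") + d.payload
    if len(data) % 2:
        data += b"\x00"                        # pad to 16-bit words
    words = [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]
    return (~ones_complement_sum(words)) & 0xFFFF


class NAPT:
    def __init__(self, global_ip: str, first_port: int = 40000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.out_table = {}   # (proto, priv_ip, priv_port, dst_ip, dst_port) -> global port
        self.in_table = {}    # (proto, global_port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, d: Datagram):
        """Translate a datagram leaving the site; create a mapping if none exists."""
        key = (d.proto, d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        if key not in self.out_table:
            gport = self.next_port
            self.next_port += 1
            self.out_table[key] = gport
            self.in_table[(d.proto, gport, d.dst_ip, d.dst_port)] = (d.src_ip, d.src_port)
        translated = replace(d, src_ip=self.global_ip, src_port=self.out_table[key])
        return translated, transport_checksum(translated)

    def inbound(self, d: Datagram):
        """Reverse the mapping for a datagram arriving from the Internet; None means drop."""
        key = (d.proto, d.dst_port, d.src_ip, d.src_port)
        if key not in self.in_table:
            return None                        # no entry: unsolicited, dropped
        priv_ip, priv_port = self.in_table[key]
        translated = replace(d, dst_ip=priv_ip, dst_port=priv_port)
        return translated, transport_checksum(translated)
```

Because the table key includes the remote endpoint, a datagram from an unknown source to a mapped port is not forwarded; that side effect of the slide 13 paradigm is what makes a NAPT box act as a crude stateful filter, and it is also why protocols that carry addresses or ports in their payload (slide 16) break unless the NAT rewrites them.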

Slide 16: Applications And NAT
NAT affects ICMP, TCP, UDP, and other higher-layer protocols; except for a few standard applications like FTP, an application protocol that passes IP addresses or protocol port numbers as data will not operate correctly across NAT
  – p2p applications are major sufferers

Slide 17: VPN Summary
Virtual Private Networks (VPNs) combine the advantages of low cost Internet connections with the safety of private networks
  – VPNs use encryption and tunnelling
NAT allows a site to multiplex communication with multiple computers through a single globally valid IP address
NAT uses a table to translate addresses in outgoing and incoming datagrams

Slide 18: IPv6 and migration methods (NETS3303/3603 Week 7)

Slide 19: IPv6 Motivation
IPv4 address space 2^32
  – About half assigned
  – Introduction of data access for mobile through 3G/4G and other wireless devices
  – By 2020, addresses may be exhausted!
Clearly, we need a larger address space

Slide 20: IPv6, Background
RFC in 1994
Defined over 10 years ago!
128 bits per address (4 x IPv4)!
IPv6 address space
  – has 1024 addresses per square meter of the Earth's surface!

Slide 21: Major Changes From IPv4
Larger addresses
Extended address hierarchy
Variable header format
  – Facilities for many options
Provision for protocol extension
Support for resource allocation

Slide 22: General Form Of IPv6 Datagram
Base header required
  – 40 bytes
Extension headers optional

Slide 23: IPv6 Header
Fragmentation in extension header!
Flow label intended for resource reservation
Base header fields, in order:
  Version | Traffic class | Flow label
  Payload length | Next header | Hop limit
  Source address
  Destination address

Slide 24: IPv6 Extension Headers
Sender chooses zero or more extension headers
Only those facilities that are needed should be included

Slide 25: Parsing An IPv6 Datagram
Each header includes NEXT HEADER field
  – NEXT HEADER operates like type field

Slide 26: IPv6 Fragmentation And Reassembly
Like IPv4
  – Ultimate destination reassembles
Unlike IPv4
  – Routers avoid fragmentation
  – Original source must fragment
  – If too large, IPv6 router drops packet & sends "Packet Too Big" ICMP error

Slide 27: How Can Original Source Fragment?
Option 1: choose minimum guaranteed MTU of 1280 B
Option 2: use path MTU discovery

Slide 28: Path MTU Discovery
Guessing game!
Source sends datagram without fragmenting
If router cannot forward, router sends back ICMP error message
Source tries smaller MTU
What are the consequences of the IPv6 design?
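Slides 26 to 28 give the source two choices: fragment to the guaranteed 1280-byte minimum, or play the "guessing game" of path MTU discovery driven by Packet Too Big errors. The simulation below is an added example, not lecture code; the path is a constructed list of link MTUs, and the `PacketTooBig` exception stands in for the ICMPv6 message. It also shows what a robust source does when the reported MTU makes no progress (a bogus report, or a link below the IPv6 minimum), which is the failure mode the slide's closing question points at.

```python
"""Path MTU discovery and source fragmentation for IPv6.

Added example, not lecture code. The path is modelled as a constructed
list of link MTUs; a router that cannot forward a datagram drops it and
returns "Packet Too Big" carrying its link MTU. The source retries with
the reported size, never going below the guaranteed IPv6 minimum of
1280 bytes. Fragment sizes are computed for the source-fragmentation
case, since IPv6 routers never fragment.
"""
IPV6_MIN_MTU = 1280
BASE_HDR = 40       # IPv6 base header length
FRAG_HDR = 8        # Fragment extension header length


class PacketTooBig(Exception):
    """Stands in for the ICMPv6 'Packet Too Big' error from the dropping router."""
    def __init__(self, mtu):
        super().__init__(f"Packet Too Big: link MTU {mtu}")
        self.mtu = mtu


def forward(path_mtus, size):
    """Walk the path; the first link that cannot carry `size` drops and reports."""
    for mtu in path_mtus:
        if size > mtu:
            raise PacketTooBig(mtu)
    return True


def discover_path_mtu(path_mtus, initial=1500):
    """Return (path MTU the source settles on, list of sizes tried in order)."""
    size = initial
    tried = []
    while True:
        tried.append(size)
        try:
            forward(path_mtus, size)
            return size, tried
        except PacketTooBig as e:
            new_size = max(e.mtu, IPV6_MIN_MTU)
            if new_size >= size:
                # No progress: either a bogus report or a link below 1280,
                # which a conforming IPv6 link cannot be. Fall back to the
                # guaranteed minimum instead of looping forever.
                return IPV6_MIN_MTU, tried
            size = new_size


def fragment_sizes(payload_len, path_mtu):
    """Payload bytes per fragment when the source fragments to `path_mtu`.

    Every fragment but the last carries a multiple of 8 bytes, because the
    Fragment header expresses offsets in 8-byte units.
    """
    per_frag = (path_mtu - BASE_HDR - FRAG_HDR) // 8 * 8
    sizes = []
    remaining = payload_len
    while remaining > per_frag:
        sizes.append(per_frag)
        remaining -= per_frag
    sizes.append(remaining)
    return sizes
```

The `new_size >= size` guard matters in practice: a host that trusts every Packet Too Big value unconditionally can be driven into needless fragmentation or a retry loop, so the minimum MTU doubles as a sanity bound as well as a fallback.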

Slide 29: IPv6 Colon Hexadecimal Notation
Replaces dotted decimal
Example: a dotted decimal value becomes 68E6:8C64:FFFF:FFFF:0:1180:96A:FFFF

Slide 30: Zero Compression
Successive zeroes are indicated by a pair of colons
Example
  – FF05:0:0:0:0:0:0:B3
Becomes
  – FF05::B3

Slide 31: IPv6 Destination Addresses
Three types
  – Unicast (single host receives copy)
  – Multicast (set of hosts each receive a copy)
  – Anycast (set of hosts, one of which receives a copy)
Note: no broadcast (but special multicast addresses exist, e.g. "all hosts on local wire")

Slide 32: Backward Compatibility
Subset of IPv6 addresses encode IPv4 addresses
Dotted hex notation can end with 4 octets in dotted decimal
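Slides 29 to 32 define colon hexadecimal notation, zero compression and the dotted-decimal IPv4 tail. The formatter and parser below are an added example, not lecture code, written by hand rather than with Python's `ipaddress` module so that the rules are visible: one `::` replaces only the longest run of two or more zero groups (the RFC 5952 rule, which also explains why the single zero in the slide 29 address is not compressed), and a dotted tail is rewritten into two hex groups before parsing. The addresses in the usage are the slides' own plus constructed values.

```python
"""IPv6 text notation: colon hexadecimal, zero compression and the
dotted-decimal IPv4 tail. Added example, not lecture code, implemented
without the ipaddress module so the rules are visible. Groups are 16-bit
hex values; one pair of colons replaces the longest run of two or more
zero groups (RFC 5952); the last 32 bits may be written as four
dotted-decimal octets.
"""


def groups_from_bytes(addr: bytes):
    if len(addr) != 16:
        raise ValueError("IPv6 address must be 16 bytes")
    return [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]


def longest_zero_run(groups):
    """(start, length) of the longest run of zero groups; length 0 if none."""
    best_start, best_len = -1, 0
    i = 0
    while i < len(groups):
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def to_colon_hex(addr: bytes, compress=True, ipv4_tail=False) -> str:
    """Format 16 bytes as colon hex; ipv4_tail writes the last 4 octets dotted decimal."""
    groups = groups_from_bytes(addr)
    hex_groups = groups[:6] if ipv4_tail else groups
    start, length = longest_zero_run(hex_groups)
    if compress and length >= 2:
        left = ":".join(f"{g:X}" for g in hex_groups[:start])
        right = ":".join(f"{g:X}" for g in hex_groups[start + length:])
        text = f"{left}::{right}"
    else:
        text = ":".join(f"{g:X}" for g in hex_groups)
    if ipv4_tail:
        dotted = ".".join(str(b) for b in addr[12:])
        text += dotted if text.endswith("::") else ":" + dotted
    return text


def from_colon_hex(text: str) -> bytes:
    """Parse colon hex (with optional '::' and dotted tail) into 16 bytes."""
    if "." in text:
        # rewrite the dotted tail as two hex groups, then parse normally
        cut = text.rindex(":")
        octets = [int(x) for x in text[cut + 1:].split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError("bad dotted-decimal tail")
        hi = (octets[0] << 8) | octets[1]
        lo = (octets[2] << 8) | octets[3]
        text = f"{text[:cut]}:{hi:X}:{lo:X}"
    if text.count("::") > 1:
        raise ValueError("only one '::' allowed")
    if "::" in text:
        left, right = text.split("::")
        lg = [int(x, 16) for x in left.split(":") if x]
        rg = [int(x, 16) for x in right.split(":") if x]
        fill = 8 - len(lg) - len(rg)
        if fill < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = lg + [0] * fill + rg
    else:
        groups = [int(x, 16) for x in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("address must have 8 16-bit groups")
    return b"".join(g.to_bytes(2, "big") for g in groups)
```

The parser rejects a second `::` and an address that does not reduce to exactly eight groups; text-form addresses reach logging, access-control lists and certificate checks, so normalising to the 16-byte form before comparison avoids the classic mismatch between `FF05::B3` and `FF05:0:0:0:0:0:0:B3`.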

Slide 33: IPv6 Extension Headers
Hop-by-hop Options
  – Information for routers, e.g. jumbogram length
Routing
  – Source routing list
Fragment
  – Tells end host how to reassemble packets
Authentication (for destination host)
Encapsulating Security Payload
  – For destination host, contains keys etc.
Destination options (extra options for destination)

Slide 34: IPv6 Hierarchy
IPv4 address space completely flat (no geographic dependency)
IPv6 semi-hierarchical (compare telephone numbers)
  – Top level routers have address ranges with regional meaning in routing tables
  – Next level routers have knowledge of ranges to organisations (corporations, ISPs etc.)
  – Site level routers have host and network specific routing tables

Slide 35: Address high-level architecture
Format prefix at FRONT is variable length
Allocation           Binary prefix   Address-space slice
reserved             (missing)       1/256
unicast              001             1/8
link-local unicast   (missing)       1/1024
site-local unicast   (missing)       1/1024
multicast            (missing)       1/256

Slide 36: IPv4 to v6 Migration Methods
dual-stacks, IPv6 and IPv4
Tunnelling
transition likely to take a very long time

Slide 37: Tunnelling
tunnels: IPv6 internets can tunnel IPv6 packets over IPv4 networks, "short-term"
  – IPv6 carried as payload in IPv4 datagram among IPv4 routers

Slide 38: Tunnelling (figure)
[Figure: logical view, A – B – E – F with an IPv6 tunnel between B and E; physical view, A, B and E, F on IPv6, C and D on IPv4. The IPv6 datagram (Flow: X, Src: A, Dest: F, data) is unchanged end to end; between B and E it is carried inside an IPv4 datagram with Src: B, Dest: E. A-to-B: IPv6; B-to-E: IPv6 inside IPv4; E-to-F: IPv6.]
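Slides 22 to 25 describe the base header followed by a Next Header chain, and slides 37 and 38 describe carrying the whole IPv6 datagram as the payload of an IPv4 datagram between B and E. One block serves both: it is an added example, not lecture code, that packs the 40-byte base header and an 8-byte Fragment header to the wire layout, walks the Next Header chain like a receiver, and encapsulates and decapsulates the datagram using IPv4 protocol number 41 (the IANA value for IPv6 in IPv4). Addresses A, F, B and E are constructed documentation values.

```python
"""IPv6 datagram construction, Next Header chain parsing, and
IPv6-in-IPv4 tunnelling. Added example, not lecture code. Headers are
packed with struct to the wire layout: 40-byte base header, 8-byte
Fragment extension header, 20-byte IPv4 outer header whose protocol
field is 41 (IANA: IPv6 encapsulated in IPv4). Addresses are constructed.
"""
import struct

# Next Header / IPv4 protocol numbers (IANA assigned)
NH_HOPBYHOP = 0
NH_TCP = 6
NH_UDP = 17
NH_IPV6 = 41        # "IPv6 inside" when seen in an IPv4 protocol field
NH_FRAGMENT = 44
NH_NONE = 59

# Length in bytes of each extension header we understand, from its first bytes
EXT_LEN = {
    NH_HOPBYHOP: lambda h: (h[1] + 1) * 8,   # Hdr Ext Len: 8-byte units, first 8 excluded
    NH_FRAGMENT: lambda h: 8,                # fixed size
}


def ipv6_base_header(src, dst, payload_len, next_header, flow_label=0,
                     traffic_class=0, hop_limit=64):
    vtf = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", vtf, payload_len, next_header, hop_limit, src, dst)


def fragment_header(next_header, offset_units, more, ident):
    """Fragment header: offset in 8-byte units (13 bits), M flag in bit 0, identification."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def build_ipv6(src, dst, payload, upper=NH_UDP, frag=None, flow_label=0):
    """Base header, optional Fragment header, then payload; frag = (offset, more, ident)."""
    ext, first = b"", upper
    if frag is not None:
        ext, first = fragment_header(upper, *frag), NH_FRAGMENT
    return ipv6_base_header(src, dst, len(ext) + len(payload), first, flow_label) + ext + payload


def flow_label(pkt):
    """Flow label from the first 32-bit word of an IPv6 datagram."""
    return struct.unpack("!I", pkt[:4])[0] & 0xFFFFF


def walk_headers(pkt):
    """Follow the Next Header chain; return (header types in order, payload offset)."""
    vtf, _plen, nh, _hl = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    chain, offset = [], 40
    while nh in EXT_LEN:
        chain.append(nh)
        hdr = pkt[offset:]
        nh, offset = hdr[0], offset + EXT_LEN[nh](hdr)   # first byte is the next type
    chain.append(nh)                 # upper-layer protocol (or NH_NONE)
    return chain, offset


def ipv4_checksum(hdr):
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(outer_src, outer_dst, ipv6_pkt, ident=0, ttl=64):
    """Tunnel entry (router B): wrap the whole IPv6 datagram in an IPv4 header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_pkt), ident,
                      0, ttl, NH_IPV6, 0, outer_src, outer_dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_pkt


def decapsulate(pkt):
    """Tunnel exit (router E): check the outer header and return the inner IPv6 datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != NH_IPV6:
        raise ValueError("not an IPv6-in-IPv4 datagram")
    if ipv4_checksum(pkt[:ihl]) != 0:       # a correct header sums to zero
        raise ValueError("bad outer header checksum")
    return pkt[ihl:]
```

Because the inner datagram is carried intact, the flow label that the slide 39 dual-stack figure marks as lost (Flow: ??) survives the tunnel, which is the practical difference between the two migration methods. A tunnel endpoint that accepts protocol-41 datagrams should also check that the outer source is a configured tunnel peer, since the inner source address is otherwise unconstrained.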

Slide 39: Dual Stack Approach (figure)
[Figure: A, B and E, F on IPv6, C and D on IPv4. A-to-B: IPv6 datagram (Flow: X, Src: A, Dest: F, data). B-to-C: IPv4 datagram (Src: A, Dest: F, data). When the datagram is later carried as IPv6 again its flow label is unknown (Flow: ??), since IPv4 has no field to carry it.]

Slide 40: Summary
IETF has defined next version of IP to be IPv6
Addresses are 128 bits long
Datagram starts with base header followed by zero or more extension headers
Sender performs fragmentation




