
NET0183 Networks and Communications, Lectures 21 and 22: Support Protocols: DHCP and NAT (8/25/2009), by Dr Andy Brooks.


Lecture powerpoints from the recommended textbook are by Lami Kaya. Lecture powerpoints are © 2009 Pearson Education Inc. Their content has sometimes been edited by Andy Brooks.

The recommended textbook is Computer Networks and Internets by Douglas E. Comer.

© 2009 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved.

Protocol Software, Parameters, and Configuration
When a host or router is powered on, the operating system (OS) is started and the protocol software is initialized. For a router, the configuration manager loads a saved configuration which specifies initial values for items such as:
– the IP address for each network connection
– the protocol software to run
– the forwarding table
For a host, the configuration process is known as bootstrapping.
– A protocol known as the Bootstrap Protocol (BOOTP) was invented to allow a host to obtain multiple parameters with a single request.
– Currently, DHCP is used to take care of most of the configuration.

Cisco IOS (Wikipedia, 6 March)
“Cisco IOS (originally Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers and current Cisco network switches. (Earlier switches ran CatOS). IOS is a package of routing, switching, internetworking and telecommunications functions tightly integrated with a multitasking operating system. The first IOS was written by William Yeager. Cisco IOS has a characteristic command line interface (CLI), whose style has been widely copied by other networking products.”

Dynamic Host Configuration Protocol (DHCP)
BOOTP required manual administration. DHCP allows a computer to join a new network and obtain an IP address automatically.
– the concept has been termed plug-and-play networking
“DHCP allows a computer to move to a new network and obtain configuration information without requiring an administrator to make manual changes to a database.” Douglas E. Comer

Dynamic Host Configuration Protocol (DHCP)
When a computer boots:
– the client computer broadcasts a DHCP Request
– the server sends a DHCP Reply
DHCP uses the term offer to denote the message a server sends, and we say that the server is offering an address to the client.
We can configure a DHCP server to supply two types of addresses:
– permanently assigned addresses as provided by BOOTP, or
– a pool of dynamic addresses to be allocated on demand
Typically, a permanent address is assigned to a server, and a dynamic address is assigned to an arbitrary host. Addresses assigned on demand are not given out for an arbitrary length of time. A network administrator specifies the lease time for a dynamic IP address.

Cisco IOS DHCP Server
“Dynamic Host Control Protocol (DHCP) enables you to automatically assign reusable IP addresses to DHCP clients. The Cisco IOS DHCP Server feature is a full DHCP server implementation that assigns and manages IP addresses from specified address pools within the router to DHCP clients. If the Cisco IOS DHCP Server cannot satisfy a DHCP request from its own database, it can forward the request to one or more secondary DHCP servers defined by the network administrator. Figure 1 shows the basic steps that occur when a DHCP client requests an IP address from a DHCP server. The client, Host A, sends a DHCPDISCOVER broadcast message to locate a Cisco IOS DHCP Server. A DHCP server offers configuration parameters (such as an IP address, a MAC address, a domain name, and a lease for the IP address) to the client in a DHCPOFFER unicast message.”

Cisco IOS DHCP Server
Figure 1: DHCP Request for an IP Address from a DHCP Server
The DHCPREQUEST is broadcast so that all DHCP servers know which offer the client has accepted. (A client can receive DHCP offers from multiple DHCP servers.)

Cisco IOS DHCP Server
“A DHCP client may receive offers from multiple DHCP servers and can accept any one of the offers; however, the client usually accepts the first offer it receives. Additionally, the offer from the DHCP server is not a guarantee that the IP address will be allocated to the client; however, the server usually reserves the address until the client has had a chance to formally request the address.”
“The client returns a formal request for the offered IP address to the DHCP server in a DHCPREQUEST broadcast message. The DHCP server confirms that the IP address has been allocated to the client by returning a DHCPACK unicast message to the client.”
ACK = acknowledgement (confirmation).

Cisco IOS DHCP Server
“The formal request for the offered IP address (the DHCPREQUEST message) that is sent by the client is broadcast so that all other DHCP servers that received the DHCPDISCOVER broadcast message from the client can reclaim the IP addresses that they offered to the client.”
“If the configuration parameters sent to the client in the DHCPOFFER unicast message by the DHCP server are invalid (a misconfiguration error exists), the client returns a DHCPDECLINE broadcast message to the DHCP server.”
“The DHCP server will send to the client a DHCPNAK denial broadcast message, which means the offered configuration parameters have not been assigned, if an error has occurred during the negotiation of the parameters or the client has been slow in responding to the DHCPOFFER message (the DHCP server assigned the parameters to another client) of the DHCP server.”
A NAK is a negative acknowledgment from DHCP.

Dynamic Host Configuration Protocol (DHCP)
DHCP issues a lease on the address for a finite period. The use of leases allows a DHCP server to reclaim addresses. When the lease expires, the DHCP server places the address back in the pool of available addresses.
When a lease expires, a host can choose to relinquish the address or renegotiate with DHCP to extend the lease.
– Negotiation occurs concurrently with other activity.
Normally, DHCP approves each lease extension.
– However, a server may be configured to deny lease extension for administrative or technical reasons. For example, if leases were not claimed back each time a student laboratory finishes, after several consecutive laboratories addresses might run out.
DHCP grants absolute control of leasing to a server. If a server denies an extension request, the host must stop using the address.

End-users whose computers coordinate with a DHCP server to obtain an IP address normally do not need to worry about their IP address expiring. Note that a client can ask a DHCP server to allocate the previously allocated IP address.
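The DISCOVER/OFFER/REQUEST/ACK exchange and the lease rules described in the slides above, as an added example in Python (not code from the lecture, the textbook, or Cisco IOS). The servers, their address pools, the lease times and the client MAC addresses are constructed; time is passed in as a number so the lease expiry can be driven explicitly. It covers the behaviour the slides describe: a client takes the first offer, the REQUEST is broadcast so the other servers reclaim what they offered, a NAK goes back when the requested address is not (or no longer) reserved for that client, a client can ask for the address it held before, and a server configured to deny extensions forces the host to give the address up.

```python
"""Toy model of DHCP address allocation with leases (added example, not the lecture's code).

Constructed assumptions: addresses come from an RFC 1918 block, lease_time is the
administrator's lease length in seconds, and 'now' is supplied by the caller.
"""
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    server_id: str                      # the server's own IP; carried in OFFER and REQUEST
    free: list                          # pool of dynamic addresses not currently in use
    lease_time: float = 3600.0          # administrator-chosen lease length (seconds)
    allow_extension: bool = True        # a server may be configured to deny renewals
    offers: dict = field(default_factory=dict)   # address -> MAC it has been offered to
    leases: dict = field(default_factory=dict)   # address -> (MAC, expiry time)

    def expire(self, now):
        """Reclaim every lease whose time has run out and return it to the pool."""
        for addr, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[addr]
                self.free.append(addr)

    def discover(self, mac, now):
        """Handle a DHCPDISCOVER broadcast: reserve an address and offer it."""
        self.expire(now)
        for addr, (holder, _) in self.leases.items():
            if holder == mac:                     # client asks for its previous address
                return ("DHCPOFFER", addr, self.server_id)
        for addr, holder in self.offers.items():
            if holder == mac:                     # retransmitted DISCOVER: repeat the offer
                return ("DHCPOFFER", addr, self.server_id)
        if not self.free:
            return None                           # nothing to offer; the client retransmits
        addr = self.free.pop(0)
        self.offers[addr] = mac                   # reserved until the client requests it
        return ("DHCPOFFER", addr, self.server_id)

    def request(self, mac, addr, chosen_server, now):
        """Handle a DHCPREQUEST. It is broadcast, so every server sees it: only the
        chosen one answers, the others reclaim whatever they offered this client."""
        if chosen_server != self.server_id:
            for offered, holder in list(self.offers.items()):
                if holder == mac:
                    del self.offers[offered]
                    self.free.append(offered)
            return None
        if self.offers.get(addr) == mac:
            del self.offers[addr]                 # offer becomes a lease
        elif self.leases.get(addr, (None,))[0] == mac:
            if not self.allow_extension:
                return ("DHCPNAK",)               # extension denied: host must stop using addr
        else:
            return ("DHCPNAK",)                   # never offered, or given to another client
        expiry = now + self.lease_time
        self.leases[addr] = (mac, expiry)
        return ("DHCPACK", addr, expiry)


def obtain_address(mac, servers, now):
    """Client side: broadcast DISCOVER to every server, take the first OFFER, then
    broadcast the REQUEST so the other servers can reclaim what they offered."""
    offers = []
    for server in servers:
        offer = server.discover(mac, now)
        if offer is not None:
            offers.append(offer)
    if not offers:
        return None                               # no server answered; retransmit later
    _, addr, chosen = offers[0]                   # clients usually accept the first offer
    replies = [server.request(mac, addr, chosen, now) for server in servers]
    return next((r for r in replies if r is not None), None)
```

Renewal reuses `request`: the client already knows which server leased the address (the cached server address the later optimization slide mentions), so it sends the REQUEST to that server with its own address and the server extends the expiry or answers with a NAK.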

DHCP Protocol Operation and Optimizations
DHCP includes several optimizing features:
DHCP is designed to ensure that missing or duplicate packets do not result in misconfiguration.
– If no response is received, a host retransmits its request.
– If a duplicate response arrives, a host ignores the extra copy.
Once a host finds a DHCP server, the host caches the server's address, making the process of lease renewal efficient.
DHCP takes steps to prevent synchronized requests by requiring each host to delay a random amount of time before transmitting a request.
– Otherwise, synchronized requests could occur if all the computers on a network rebooted at the same time after a power failure.

DHCP Message Format
DHCP is a modified version of the BOOTP message format. Figure 23.8 illustrates the DHCP message format.
– OP specifies whether the message is a Request (“1”) or a Response (“2”)
– HTYPE and HLEN fields specify the network hardware type and the length of a hardware address: HTYPE = “1” for 10Mb Ethernet and HLEN = “6” for 10 Mb Ethernet
– HOPS specifies how many servers forwarded the request
– TRANSACTION IDENTIFIER provides a value that a client can use to determine if an incoming response matches its request
– SECONDS ELAPSED specifies how many seconds have elapsed since the host began to boot
– FLAGS specifies whether it can receive broadcast or directed replies
Except for OPTIONS, each field in a DHCP message has a fixed size.

DHCP Message Format
Figure 23.8: The DHCP message format.

DHCP Message Format
Later fields in the message are used in a response to carry information back to the host that sent a request.
– If a host does not know its IP address, the server uses field YOUR IP ADDRESS to supply the value.
– SERVER IP ADDRESS and SERVER HOST NAME give the host information about the location of a server.
– ROUTER IP ADDRESS contains the IP address of a default router.
DHCP allows a computer to negotiate to find a boot image.
– To do so, the host fills in field BOOT FILE NAME with a request.
– The DHCP server does not send an image. BOOT FILE NAME is used to return the name of the file. A host will use a separate protocol to download the image (e.g. TFTP).

Indirect DHCP Server Access Through a Relay
DHCP broadcasts on the local network to find a server. DHCP does not require each individual network to have a DHCP server.
– Instead, a DHCP relay agent forwards requests and responses between a client and the DHCP server.
At least one relay agent must be present on each network, and the relay agent must be configured with the address of the appropriate DHCP server. When the DHCP server responds, the relay agent forwards the response to the client.
It may seem that using multiple relay agents is no better than using multiple DHCP servers.

Indirect DHCP Server Access Through a Relay
Network managers prefer to manage multiple relay agents for two reasons:
First, in a network with one DHCP server and multiple relay agents, administration of addresses is centralized into a single device.
– Thus, a network manager does not need to interact with multiple devices to change the lease policy or determine the current status.
Second, many commercial routers contain a mechanism that provides DHCP relay service on all the networks to which the router attaches. Relay agent facilities in a router are usually easy to configure, and the configuration is unlikely to change.
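The fixed-size message layout from the DHCP Message Format slides, and the HOPS handling a relay agent performs, as an added Python example (not code from the lecture or the textbook). The field order and sizes are those of RFC 2131, which is the BOOTP-derived layout the slides describe as Figure 23.8; the DISCOVER packet, the MAC address and the relay agent address are constructed. One naming caveat a practitioner should know: the field the slides call ROUTER IP ADDRESS is named giaddr in RFC 2131, and it is the relay agent's own address (the agent fills it in before forwarding), which is how the server learns which network, and therefore which pool, a relayed request came from. The parser also checks the packet length and the option lengths before indexing, since a malformed packet on a broadcast segment must not crash the receiver.

```python
"""Parse/build the fixed part of a DHCP message and model a relay agent (added example).

Constructed assumptions: the sample DISCOVER, MAC and relay addresses below are made up.
"""
import ipaddress
import struct
from collections import namedtuple

# op htype hlen hops | xid | secs flags | ciaddr yiaddr siaddr giaddr | chaddr | sname | file
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236 bytes; every field fixed size
MAGIC_COOKIE = bytes([99, 130, 83, 99])                 # marks the start of OPTIONS
BOOTREQUEST, BOOTREPLY = 1, 2                           # the two OP values
FLAG_BROADCAST = 0x8000                                 # FLAGS: client needs a broadcast reply
GIADDR_OFFSET = 24                                      # 4 + 4 + 2 + 2 + 3 * 4

DhcpMessage = namedtuple(
    "DhcpMessage",
    "op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file options",
)


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_options(data):
    """OPTIONS is the only variable-length part: tag, length, value triples ended by tag 255."""
    options, i = {}, 0
    while i < len(data):
        tag = data[i]
        if tag == 255:                                  # END
            break
        if tag == 0:                                    # PAD
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % tag)
        options[tag] = value
        i += 2 + length
    return options


def parse(packet):
    """Decode a DHCP packet; the length check comes first so a short packet cannot misparse."""
    if len(packet) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("packet shorter than the fixed DHCP header")
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr, sname, file = \
        HEADER.unpack_from(packet)
    if packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP, not DHCP")
    return DhcpMessage(
        op, htype, hlen, hops, xid, secs, flags,
        _ip(ci), _ip(yi), _ip(si), _ip(gi),
        chaddr[:hlen].hex(":"),                         # only HLEN bytes of CHADDR are meaningful
        sname.rstrip(b"\0").decode(errors="replace"),
        file.rstrip(b"\0").decode(errors="replace"),
        parse_options(packet[HEADER.size + 4:]),
    )


def build_discover(xid, mac, secs=0):
    """Construct a DHCPDISCOVER: a BOOTREQUEST carrying option 53 (message type) = 1."""
    zero = b"\0" * 4                                    # the client knows no addresses yet
    header = HEADER.pack(BOOTREQUEST, 1, 6, 0, xid, secs, FLAG_BROADCAST,
                         zero, zero, zero, zero, mac, b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay(packet, agent_ip):
    """What a relay agent does before forwarding a client broadcast to the DHCP server:
    add one to HOPS and, if giaddr is still 0.0.0.0, write its own address there."""
    out = bytearray(packet)
    out[3] = (out[3] + 1) & 0xFF                        # HOPS is the fourth byte
    if out[GIADDR_OFFSET:GIADDR_OFFSET + 4] == b"\0\0\0\0":
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(agent_ip).packed
    return bytes(out)


def reply_matches(reply, xid):
    """A client keeps only replies whose TRANSACTION IDENTIFIER equals its own request's,
    which is how duplicate or unrelated responses get ignored."""
    return parse(reply).xid == xid
```

Calling `build_discover(0x3903F326, bytes.fromhex("001122334455"))` gives a 244-byte packet (236-byte header, 4-byte cookie, 4 bytes of options); passing it through `relay` twice leaves giaddr at the first agent's address while HOPS counts both.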

Network Address Translation (NAT)
The Internet expanded and addresses became scarce, so subnet and classless addressing (CIDR) were introduced to help conserve addresses. Another mechanism was invented that allows multiple computers at a site to share a single, globally valid IP address, known as Network Address Translation (NAT).
NAT provides transparent communication.
– A host in the Internet always appears to receive communication from a single computer rather than from one of many computers at the site.
NAT runs as an in-line service.
– It must be placed on the connection between the Internet and the site. Most implementations embed NAT in another device such as a Wi-Fi wireless access point or an Internet router.

Network Address Translation (NAT)
Figure 23.9: The conceptual architecture used with NAT.

NAT
Network Address Translation: a technique in which a router or firewall rewrites the source and/or destination Internet addresses in a packet as it passes through, typically to allow multiple hosts to connect to the Internet via a single external IP address. NAT keeps track of outbound connections and distributes incoming packets to the correct machine.

NAT Operation and Private Addresses
The goal of NAT is to provide an illusion. When viewed from the Internet:
– the site appears to consist of a single host computer that has been assigned a valid IP address
– all datagrams sent from the site appear to originate from one host
– and all datagrams sent to the site appear to be sent to one host
When viewed from a host in the site, the Internet appears to accept and route private addresses.
A single IP address cannot be assigned to multiple computers.
– If two or more computers use the same address, conflicts arise because multiple computers will respond to an ARP “who has this IP address” request.

NAT Operation and Private Addresses
NAT solves the problem by using two types of addresses.
– The NAT device itself is assigned a single globally-valid IP address, as if the NAT device were a host on the Internet.
– Each computer at the site is assigned a unique private address, also known as a nonroutable address.
Figure (below) lists address blocks that the IETF has designated as private.
– /x means x is the number of bits in the routing prefix


NAT Operation and Private Addresses
Private addressing is only used inside a site. Before a datagram from the site can be allowed onto the Internet, NAT must translate the private IP into a globally valid IP address. NAT must translate the globally valid IP address in an incoming packet to a private address before transferring a datagram to a host at the site.
The basic NAT provides a two-way translation:
– the source address translation as a datagram passes from the site to the Internet, and
– the destination address translation as a datagram passes from the Internet to the site

NAT Operation and Private Addresses
Figure: Illustration of basic NAT translation that changes the source address of an outgoing datagram and the destination address of an incoming datagram.

NAT Operation and Private Addresses
Most implementations of NAT use a translation table to store the information needed to rewrite addresses.
– When a packet is being sent out, NAT automatically updates the translation table.
Figure (below) shows a translation table that corresponds to the address mapping in Figure

Transport-Layer NAT (NAPT)
Basic NAT handles situations in which each host at a site communicates with a unique server in the Internet. However, if two hosts at the site attempt to communicate with the same remote server X:
– the translation table will contain multiple entries for X
– and NAT will not be able to route incoming datagrams
Basic NAT also fails when two or more applications running on a given host at a site attempt simultaneous communication with different destinations on the Internet.

Transport-Layer NAT (NAPT)
A variation of NAT, called Network Address and Port Translation (NAPT), avoids such problems.
– NAPT allows a site to have arbitrary numbers of applications running on arbitrary hosts, all communicating simultaneously with arbitrary destinations throughout the Internet.
– Note that most networking professionals assume the term NAT means NAPT.
In addition to a table of source and destination addresses, NAPT uses port numbers to associate each datagram with a TCP or UDP flow.
– Applications use protocol port numbers to distinguish between services.


Port numbers
Transport Layer protocols such as TCP and UDP specify a source and destination port number in their packet headers.
– Port numbers are an abstract set of numbers independent of an operating system. Operating systems use process identifiers, job names, or task identifiers to refer to processes.
A port number is a 16-bit unsigned integer (0 to 65535). A process associates with a particular port to send and receive data.
– The process will listen for incoming packets whose destination port number and IP destination address match that port.
– The process will send out packets whose source port number is set to that port.

A packet delivered to an abstract port number is delivered to the correct process.

Two important protocols in the transport layer are TCP and UDP.

Transport-Layer NAT (NAPT)
Instead of stopping at the IP layer, NAPT operates on transport-layer headers. NAPT entries contain a 4-tuple of source and destination IP addresses and protocol port numbers. To avoid a conflict when the same port number is used to connect to the same web server, NAPT must choose an alternative TCP source port.
– Figure (below) shows one possibility.

NAT and Servers
A NAT system builds a translation table automatically by watching outgoing traffic and establishing a new mapping whenever an application at the site initiates communication. Automatic table construction does not work well for communication initiated from the Internet to the site.
– For example, if multiple computers at a site each run a web server, the NAT device cannot know which computer should receive an incoming web connection.
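A NAPT translation table covering the three slides above (the 4-tuple entries, the alternative source port chosen when two site hosts use the same port toward the same server, and the table being built only from outgoing traffic), as an added Python example that is not the textbook's or the lecture's code. The public address, the private hosts, the ports and the packets are constructed. The private blocks used to decide which sources are site addresses are the three RFC 1918 blocks (10/8, 172.16/12, 192.168/16), which is the IETF list the earlier private-address slide refers to. The inbound side shows the point of the NAT and Servers slide: a packet from the Internet that matches no outbound entry has no internal host to go to and is dropped.

```python
"""Toy NAPT translation table (added example, not the textbook's code).

Constructed assumptions: one public address on the NAT device, RFC 1918 private
addresses inside the site, and external ports allocated from 40000 upward.
"""
import ipaddress
from collections import namedtuple

# A transport-layer view of a packet: protocol plus the 4-tuple NAPT keys on.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")

PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918


def is_private(ip):
    """True when ip lies in one of the IETF private (nonroutable) blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_BLOCKS)


class Napt:
    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip                 # the one globally valid address
        self.port_range = range(first_port, last_port + 1)
        self.next_port = first_port
        # outbound: (proto, private ip, private port, dst ip, dst port) -> external port
        self.out = {}
        # inbound: (proto, external port, remote ip, remote port) -> (private ip, private port)
        self.back = {}

    def _allocate_port(self, proto, dst_ip, dst_port):
        """Pick an external port not already in use toward this remote endpoint."""
        for _ in self.port_range:
            port = self.next_port
            self.next_port = port + 1 if port < self.port_range[-1] else self.port_range[0]
            if (proto, port, dst_ip, dst_port) not in self.back:
                return port
        raise RuntimeError("no free external port toward %s:%d" % (dst_ip, dst_port))

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the site. The first packet of a flow
        creates the table entry; later packets of the same flow reuse it."""
        if not is_private(pkt.src_ip):
            raise ValueError("only site (private) source addresses are translated")
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out.get(key)
        if port is None:
            # Keep the host's own port when no other flow uses it toward this destination;
            # otherwise the two flows would be indistinguishable on the way back, so
            # choose an alternative external port for the second one.
            if (pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port) not in self.back:
                port = pkt.src_port
            else:
                port = self._allocate_port(pkt.proto, pkt.dst_ip, pkt.dst_port)
            self.out[key] = port
            self.back[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return pkt._replace(src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        """Rewrite the destination of a packet arriving from the Internet, or return None
        (drop) when no host at the site initiated the flow it belongs to."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.back.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None                            # unsolicited: no way to pick an internal host
        return pkt._replace(dst_ip=target[0], dst_port=target[1])
```

With basic NAT, the two hosts below would produce two table entries for the same server and the reply could not be routed; here the second host's flow is given external port 40000 while the first keeps port 3000, and each reply maps back to exactly one internal host.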

NAT and Servers
A variant of NAT called Twice NAT has been created to allow a site to run multiple servers.
– “When an application on the Internet looks up the domain name of a computer at the site, the DNS server at the site returns the valid IP address that has been assigned to the NAT device, and also creates a new entry in the NAT translation table.”
The translation table is initialized before the first packet arrives.
Twice NAT can fail, e.g.:
– when a client application uses the IP address directly without doing a domain name lookup
– when the client uses a DNS proxy to resolve domain names

Proxy server
In computer networks, a proxy server is a server (a computer system or an application program) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it 'caches' responses from the remote server, and returns subsequent requests for the same content directly.

Proxy server
A proxy server has many potential purposes, including:
– to keep machines behind it anonymous (mainly for security)
– to speed up access to resources (using caching); web proxies are commonly used to cache web pages from a web server
– to apply access policy to network services or content, e.g. to block undesired sites
– to log usage, i.e. to provide company employee Internet usage reporting

NAT Software and Systems for Use at Home
NAT is especially useful at a residence or small business that has a broadband connection.
– A set of computers can share the connection without requiring the customer to purchase additional IP addresses.
NAT software can make a PC act as a NAT device. NAT hardware systems are available at low cost.
– Such systems are usually called wireless routers.
– The terminology is slightly misleading because such routers also provide wired connections.
Figure illustrates how such a router is connected.

NAT Software and Systems for Use at Home
Figure: Illustration of the connections for a “wireless” router.

