PRIVATE NETWORK INTERCONNECTION (NAT AND VPN) & IPv6


Slide 1: PRIVATE NETWORK INTERCONNECTION (NAT AND VPN) & IPv6
NETS3303/3603 Week 7

Slide 2: Expected outcomes
- Need for VPN
- How NAT also addressed the address shortage
- Motivation for IPv6
  - What's wrong with IPv4
  - How IPv6 addresses this
  - What else IPv6 introduces
- Knowing about the issues with the transition from v4 to v6

Slide 3: Definitions
- An internet is private if none of its facilities or traffic is accessible to other groups
  - Involves using leased lines to interconnect routers at the various sites of the group
- The global Internet is public: facilities shared by all subscribers

Slide 4: Hybrid Architecture
- Permits some traffic to go over private connections
- Allows contact with the global Internet

Slide 5: The Cost Of Private And Public Networks
- Private network: extremely expensive
- Public Internet access: inexpensive
- Goal: combine the safety of a private network with the low cost of the global Internet
- How can an organization that uses the global Internet to connect its sites keep its data private?
- Answer: Virtual Private Network (VPN)

Slide 6: Virtual Private Network
- Connect all sites to the global Internet
- Protect data as it passes from one site to another
  - Encryption
  - IP-in-IP tunnelling
- A VPN sends across the Internet, but encrypts intersite transmissions to guarantee privacy

Slide 7: Example Of VPN Addressing And Routing (figure only)

Slide 8: Example VPN With Private Addresses
- Advantage: only one globally valid IP address needed per site

Slide 9: General Access With Private Addresses
- Question: how to provide multiple computers at the site with access to Internet services without assigning each computer a globally valid IP address?
- Two answers
  - Application gateway (one needed for each service) through a multi-homed host
  - Network Address Translation (NAT)

Slide 10: Network Address Translation (NAT)
- Extension to IP addressing
- IP-level access to the Internet through a single IP address
- Transparent to both ends
- Implementation
  - Typically software
  - Usually installed in the IP router
  - Or special-purpose hardware for the highest speed

Slide 11: Network Address Translation (NAT) II
- Pioneered in the Unix program slirp
- Also known as
  - Masquerade (Linux)
  - Internet Connection Sharing (Microsoft)
- Inexpensive implementations available for home use

Slide 12: NAT Details
- Organization
  - Obtains one globally valid address per Internet connection
  - Assigns nonroutable addresses internally (net 10)
  - Runs NAT software in the router connecting to the Internet
- NAT
  - Replaces the source address in each outgoing datagram
  - Replaces the destination address in each incoming datagram
  - Also handles higher-layer protocols (e.g., the pseudo header for TCP or UDP)

Slide 13: NAT Translation Table
- NAT uses a translation table
- An entry in the table specifies the local (private) endpoint and the global destination
- Typical paradigm
  - An entry is created as a side-effect of a datagram leaving the site
  - The entry is used to reverse the address mapping for an incoming datagram

Slide 14: Example NAT Translation Table (table figure)
- The variant of NAT that also uses protocol port numbers is known as Network Address and Port Translation (NAPT)

Slide 15: Higher Layer Protocols And NAT
- NAT must
  - Change IP headers
  - Possibly change TCP or UDP source ports
  - Recompute TCP or UDP checksums
  - Translate ICMP messages
  - Translate port numbers in an FTP session
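The following is an added example (not code from the slides or the course) that plays out slides 12 to 15 in Python: a NAPT whose table entries are created as a side-effect of outgoing datagrams, reversed for incoming ones, and used to drop anything that no inside host asked for. It also serialises the UDP header with its pseudo-header checksum to show why rewriting an address or port forces the checksum to be recomputed. The class and function names, the port range starting at 40000 and the addresses (private 10.0.0.0/8 and documentation ranges) are all assumptions chosen for this example.

```python
"""NAPT walk-through: an added example, not the course's own code.

Models the translation table from slides 12-15: an outgoing datagram creates
an entry mapping (private address, private port, remote endpoint) to a public
port; an incoming datagram is delivered only if it reverses an existing entry.
Addresses are documentation/private ranges chosen for this example."""
import struct
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(d: Datagram, udp_length: int) -> bytes:
    # Source and destination addresses are part of the checksum input, which is
    # why a NAT that rewrites either address (or a port) must recompute it.
    return _ip_bytes(d.src_ip) + _ip_bytes(d.dst_ip) + struct.pack("!BBH", 0, 17, udp_length)


def udp_segment(d: Datagram) -> bytes:
    """Serialise the UDP header with a correct checksum for d's addresses and ports."""
    length = 8 + len(d.payload)
    header = struct.pack("!HHHH", d.src_port, d.dst_port, length, 0)
    csum = _internet_checksum(_pseudo_header(d, length) + header + d.payload) or 0xFFFF
    return struct.pack("!HHHH", d.src_port, d.dst_port, length, csum) + d.payload


def udp_checksum_ok(d: Datagram, segment: bytes) -> bool:
    """Verify a segment against the addresses it was actually carried with."""
    return _internet_checksum(_pseudo_header(d, len(segment)) + segment) == 0


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound_table = {}  # (src ip, src port, dst ip, dst port) -> public port
        self.inbound_table = {}   # (public port, remote ip, remote port) -> (src ip, src port)

    def outbound(self, d: Datagram) -> Datagram:
        """Rewrite the source of a datagram leaving the site; the entry is a side effect."""
        key = (d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        port = self.outbound_table.get(key)
        if port is None:
            port = next(self._ports)
            self.outbound_table[key] = port
            self.inbound_table[(port, d.dst_ip, d.dst_port)] = (d.src_ip, d.src_port)
        return replace(d, src_ip=self.public_ip, src_port=port)

    def inbound(self, d: Datagram):
        """Reverse the mapping for a datagram arriving from the Internet; None means dropped."""
        if d.dst_ip != self.public_ip:
            return None
        local = self.inbound_table.get((d.dst_port, d.src_ip, d.src_port))
        if local is None:
            return None  # no entry: nothing inside asked for this, so it is dropped
        return replace(d, dst_ip=local[0], dst_port=local[1])


def demo():
    """One DNS-style exchange through the NAT plus an unsolicited packet (constructed)."""
    nat = Napt("203.0.113.7")
    query = Datagram("10.0.0.5", 5353, "198.51.100.2", 53, b"query")
    on_wire = nat.outbound(query)
    reply = Datagram("198.51.100.2", 53, on_wire.src_ip, on_wire.src_port, b"answer")
    delivered = nat.inbound(reply)
    stray = nat.inbound(Datagram("198.51.100.9", 53, on_wire.src_ip, on_wire.src_port))
    return query, on_wire, delivered, stray
```

Run `demo()` to see the three cases: the query leaves with the public address and port 40000, the reply is mapped back to 10.0.0.5:5353, and the packet from 198.51.100.9 is dropped because no entry matches its source. The inbound lookup keys on the remote endpoint as well as the public port, which is what the slide means by an entry specifying both the local endpoint and the global destination.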

Slide 16: Applications And NAT
- NAT affects ICMP, TCP, UDP, and other higher-layer protocols; it makes special provision only for a few standard applications like FTP
- An application protocol that passes IP addresses or protocol port numbers as data will not operate correctly across NAT
- p2p applications are major sufferers

Slide 17: VPN Summary
- Virtual Private Networks (VPNs) combine the advantages of low-cost Internet connections with the safety of private networks
- VPNs use encryption and tunnelling
- NAT allows a site to multiplex communication with multiple computers through a single globally valid IP address
- NAT uses a table to translate addresses in outgoing and incoming datagrams

Slide 18: IPv6 and migration methods
NETS3303/3603 Week 7

Slide 19: IPv6 Motivation
- IPv4 address space: 2^32
- About half assigned
- Introduction of data access for mobile through 3G/4G and other wireless devices
- By 2020, addresses may be exhausted!
- Clearly, we need a larger address space

Slide 20: IPv6, Background
- RFC in 1994
- Defined over 10 years ago!
- 128 bits per address (4 x IPv4)!
- IPv6 address space 2^128 has 10^24 addresses per square meter of the Earth's surface!

Slide 21: Major Changes From IPv4
- Larger addresses
- Extended address hierarchy
- Variable header format
- Facilities for many options
- Provision for protocol extension
- Support for resource allocation

Slide 22: General Form Of IPv6 Datagram
- Base header: required, 40 bytes
- Extension headers: optional

Slide 23: IPv6 Header
Base header layout (the bit positions 4, 12, 16, 24 and 31 on the slide mark the field boundaries):
  Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits)
  Payload length (16 bits) | Next header (8 bits) | Hop limit (8 bits)
  Source address (128 bits)
  Destination address (128 bits)
- Fragmentation is in an extension header!
- Flow label intended for resource reservation

Slide 24: IPv6 Extension Headers
- Sender chooses zero or more extension headers
- Only those facilities that are needed should be included

Slide 25: Parsing An IPv6 Datagram
- Each header includes a NEXT HEADER field
- NEXT HEADER operates like a type field
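Slides 22 to 25 describe the base header and the NEXT HEADER chain; the code below is an added example (not from the slides) that builds a constructed packet with `struct` and parses it back the way a receiver does, following NEXT HEADER from the base header through a Hop-by-hop header and a Fragment header to UDP. The protocol numbers (0, 43, 44, 60 for the extension headers, 17 for UDP) are the real IANA values; the cap on chain length, the packet contents and the function names are choices made for this example.

```python
"""IPv6 base header and extension-header chain (added example, not slide code).

Builds a constructed packet with struct and parses it back by following NEXT
HEADER from header to header until an upper-layer protocol is reached."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTIONS = 0, 43, 44, 60
EXTENSION_NAMES = {HOP_BY_HOP: "Hop-by-hop", ROUTING: "Routing",
                   FRAGMENT: "Fragment", DEST_OPTIONS: "Destination options"}
MAX_EXTENSIONS = 8  # a parser should bound the chain it is willing to walk


def parse_base_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte base header."""
    if len(pkt) < 40:
        raise ValueError("truncated base header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"version": 6,
            "traffic_class": (first_word >> 20) & 0xFF,
            "flow_label": first_word & 0xFFFFF,
            "payload_length": payload_len,
            "next_header": next_hdr,
            "hop_limit": hop_limit,
            "src": pkt[8:24],
            "dst": pkt[24:40]}


def walk_headers(pkt: bytes):
    """Return (base header, extension headers, upper-layer protocol, upper-layer bytes)."""
    base = parse_base_header(pkt)
    if len(pkt) != 40 + base["payload_length"]:
        raise ValueError("payload length does not match packet size")
    offset, nxt, chain = 40, base["next_header"], []
    while nxt in EXTENSION_NAMES:
        if len(chain) >= MAX_EXTENSIONS:
            raise ValueError("extension header chain too long")
        if nxt == FRAGMENT:  # fixed 8 bytes: next, reserved, offset/M flag, identification
            if offset + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            nxt_after, _, frag_word, ident = struct.unpack("!BBHI", pkt[offset:offset + 8])
            chain.append({"type": "Fragment", "offset": frag_word >> 3,
                          "more": frag_word & 1, "id": ident})
            nxt, offset = nxt_after, offset + 8
        else:  # next, then length in 8-byte units not counting the first 8 bytes
            if offset + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nxt_after, hdr_ext_len = struct.unpack("!BB", pkt[offset:offset + 2])
            size = (hdr_ext_len + 1) * 8
            if offset + size > len(pkt):
                raise ValueError("extension header runs past end of packet")
            chain.append({"type": EXTENSION_NAMES[nxt], "size": size})
            nxt, offset = nxt_after, offset + size
    return base, chain, nxt, pkt[offset:]


def sample_packet() -> bytes:
    """Constructed packet: base header -> Hop-by-hop -> Fragment -> UDP."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    udp = struct.pack("!HHHH", 1234, 53, 10, 0) + b"hi"       # UDP checksum left 0 for brevity
    fragment = struct.pack("!BBHI", 17, 0, (0 << 3) | 1, 0xABCD1234)  # first piece, more follow
    hop_by_hop = struct.pack("!BB", FRAGMENT, 0) + bytes([1, 4, 0, 0, 0, 0])  # PadN fills 6 bytes
    payload = hop_by_hop + fragment + udp
    first_word = (6 << 28) | (0 << 20) | 0x12345               # version, traffic class, flow label
    return struct.pack("!IHBB", first_word, len(payload), HOP_BY_HOP, 64) + src + dst + payload
```

`walk_headers(sample_packet())` yields the base header fields, the list `[Hop-by-hop, Fragment]`, protocol 17 and the UDP bytes. Two defensive points are built in: the payload length in the base header must agree with the bytes actually received, and the chain is capped, so a malformed or deliberately long header chain cannot drive the parser past the end of the buffer or into an unbounded loop.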

Slide 26: IPv6 Fragmentation And Reassembly
- Like IPv4
  - Ultimate destination reassembles
- Unlike IPv4
  - Routers avoid fragmentation
  - Original source must fragment
  - If too large, the IPv6 router drops the packet and sends a "Packet Too Big" ICMP error

Slide 27: How Can Original Source Fragment?
- Option 1: choose the minimum guaranteed MTU of 1280 B
- Option 2: use path MTU discovery

Slide 28: Path MTU Discovery
- Guessing game!
- Source sends datagram without fragmenting
- If a router cannot forward, the router sends back an ICMP error message
- Source tries a smaller MTU
- What are the consequences of the IPv6 design??
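To make slides 26 to 28 concrete, here is an added example (not from the slides) that simulates the guessing game and then fragments at the source and reassembles at the destination. Routers and packets are plain Python values, not sockets; the link MTUs, the identification value and the function names are constructed for the example, while 1280 is the real IPv6 minimum link MTU.

```python
"""Path MTU discovery and source fragmentation as slides 26-28 describe
(added example; routers and packets are plain Python values, not sockets)."""

IPV6_MIN_MTU = 1280      # every IPv6 link must carry at least this much
BASE_HEADER = 40
FRAGMENT_HEADER = 8


class PacketTooBig(Exception):
    """Stand-in for the ICMPv6 'Packet Too Big' error; carries the link MTU."""
    def __init__(self, mtu):
        super().__init__(mtu)
        self.mtu = mtu


def send_over_path(size, link_mtus):
    """IPv6 routers never fragment: the first link too small for the packet
    rejects it and reports that link's MTU back to the source."""
    for mtu in link_mtus:
        if size > mtu:
            raise PacketTooBig(mtu)
    return True


def discover_path_mtu(link_mtus, first_hop_mtu):
    """The guessing game: send at the current size, shrink on each error.
    Returns the usable MTU and the sequence of sizes tried."""
    mtu, tries = first_hop_mtu, []
    while True:
        tries.append(mtu)
        try:
            send_over_path(mtu, link_mtus)
            return mtu, tries
        except PacketTooBig as err:
            if mtu == IPV6_MIN_MTU:
                return mtu, tries   # cannot go lower; 1280 is the guaranteed floor
            # Accept the reported MTU only if it makes progress, and never go below the
            # floor, so a bogus error message cannot stall the search or shrink us forever.
            mtu = max(min(err.mtu, mtu - 1), IPV6_MIN_MTU)


def fragment(payload, path_mtu, ident):
    """Source-side fragmentation: every piece but the last is a multiple of 8 bytes,
    because the Fragment header stores offsets in 8-byte units."""
    chunk = (path_mtu - BASE_HEADER - FRAGMENT_HEADER) // 8 * 8
    pieces = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        pieces.append({"id": ident, "offset": start // 8,
                       "more": start + chunk < len(payload), "data": data})
    return pieces


def reassemble(pieces):
    """Ultimate destination reassembles; gaps, overlaps and a missing tail are errors."""
    pieces = sorted(pieces, key=lambda p: p["offset"])
    out, expected = bytearray(), 0
    for p in pieces:
        if p["offset"] * 8 != expected:
            raise ValueError("gap or overlap at offset %d" % p["offset"])
        out += p["data"]
        expected += len(p["data"])
    if not pieces or pieces[-1]["more"]:
        raise ValueError("final fragment missing")
    return bytes(out)


def demo():
    """Constructed path of 1500, 1400, 1280 and 1500 byte links; 3072 bytes to send."""
    path = [1500, 1400, 1280, 1500]
    mtu, tries = discover_path_mtu(path, 1500)
    payload = bytes(range(256)) * 12
    pieces = fragment(payload, mtu, ident=0x1234)
    largest = max(BASE_HEADER + FRAGMENT_HEADER + len(p["data"]) for p in pieces)
    return mtu, tries, len(pieces), largest, reassemble(pieces) == payload
```

`demo()` tries 1500, then 1400, then 1280 before succeeding, and the 3072-byte payload becomes three fragments of at most 1280 bytes on the wire. One consequence of the design that the slide's closing question points at: the source only learns the path MTU if the "Packet Too Big" errors actually reach it, so a firewall that filters all ICMPv6 silently breaks large transfers; the clamp to 1280 and the progress check in `discover_path_mtu` are the other half of the story, keeping a forged or nonsensical error from driving the sender below the floor.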

Slide 29: IPv6 Colon Hexadecimal Notation
- Replaces dotted decimal
- Example: the dotted decimal value 104.230.140.100.255.255.255.255.0.0.17.128.150.10.255.255 becomes 68E6:8C64:FFFF:FFFF:0:1180:96A:FFFF

Slide 30: Zero Compression
- Successive zeroes are indicated by a pair of colons
- Example: FF05:0:0:0:0:0:0:B3 becomes FF05::B3

Slide 31: IPv6 Destination Addresses
- Three types
  - Unicast (a single host receives a copy)
  - Multicast (a set of hosts each receive a copy)
  - Anycast (a set of hosts, one of which receives a copy)
- Note: no broadcast (but special multicast addresses, e.g., "all hosts on local wire")

Slide 32: Backward Compatibility
- A subset of IPv6 addresses encode IPv4 addresses
- Dotted hex notation can end with 4 octets in dotted decimal

Slide 33: IPv6 Extension Headers
- Hop-by-hop Options: information for routers, e.g. jumbogram length
- Routing: source routing list
- Fragment: tells the end host how to reassemble packets
- Authentication (for the destination host)
- Encapsulating Security Payload: for the destination host, contains keys etc.
- Destination options: extra options for the destination

Slide 34: IPv6 Hierarchy
- IPv4 address space is completely flat (no geographic dependency)
- IPv6 is semi-hierarchical (compare telephone numbers)
  - Top-level routers have address ranges with regional meaning in routing tables
  - Next-level routers have knowledge of ranges to organisations (corporations, ISPs etc.)
  - Site-level routers have host- and network-specific routing tables

Slide 35: Address high-level architecture
- The format prefix at the FRONT is variable length
  Use                   Binary prefix    Address-space slice
  reserved              00000000         1/256
  unicast               001              1/8
  link-local unicast    1111 1110 10     1/1024
  site-local unicast    1111 1110 11     1/1024
  multicast             1111 1111        1/256
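Slides 29 to 32 and 35 together describe the text form of an address, zero compression, the dotted-decimal tail for IPv4-embedding addresses and the leading-bit prefix table. The block below is an added example (not from the slides) that implements all four in Python: 16 raw bytes to colon hex with zero compression, the reverse parser, and a classifier driven by the slide's prefix table. It applies the usual compression rules (the longest run of zero groups, only when it is at least two groups long, the leftmost run on a tie) and drops leading zeros within a group, so for the slide's dotted-decimal example the seventh group comes out as 960A, since 150 is 0x96 and 10 is 0x0A. The function names and the test addresses are choices made for this example.

```python
"""IPv6 text notation and format prefixes (added example, not slide code):
raw 16 bytes to colon hexadecimal with zero compression, the reverse parser,
an optional dotted-decimal tail, and a classifier for the slide's prefix table."""
import re

GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")

# (binary prefix, meaning) as listed on slide 35; checked in order
FORMAT_PREFIXES = [("00000000", "reserved"),
                   ("001", "unicast"),
                   ("1111111010", "link-local unicast"),
                   ("1111111011", "site-local unicast"),
                   ("11111111", "multicast")]


def to_colon_hex(addr: bytes, ipv4_tail: bool = False) -> str:
    """Render 16 bytes as colon hex; with ipv4_tail the last 4 octets are dotted decimal."""
    if len(addr) != 16:
        raise ValueError("IPv6 address must be 16 bytes")
    groups = [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]
    n = 6 if ipv4_tail else 8
    best_start, best_len, i = -1, 1, 0
    while i < n:                      # find the longest run of zero groups
        if groups[i] == 0:
            j = i
            while j < n and groups[j] == 0:
                j += 1
            if j - i > best_len:      # strictly longer: a single 0 is never compressed
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    text = ["%X" % g for g in groups[:n]]   # leading zeros within a group are dropped
    if best_start >= 0:
        text = text[:best_start] + [""] + text[best_start + best_len:]
        if best_start == 0:
            text.insert(0, "")
        if best_start + best_len == n and not ipv4_tail:
            text.append("")
    if ipv4_tail:
        text.append(".".join(str(b) for b in addr[12:]))
    return ":".join(text)


def from_colon_hex(s: str) -> bytes:
    """Parse colon hex, with at most one '::' and an optional dotted-decimal tail."""
    s = s.strip()
    if "." in s:                      # fold the dotted tail into two ordinary groups
        head, _, dotted = s.rpartition(":")
        octets = [int(x) for x in dotted.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad dotted-decimal tail")
        s = "%s:%X:%X" % (head, octets[0] << 8 | octets[1], octets[2] << 8 | octets[3])
    if s.count("::") > 1:
        raise ValueError("at most one '::' allowed")
    if "::" in s:
        left, right = s.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = lg + ["0"] * missing + rg
    else:
        groups = s.split(":")
    if len(groups) != 8 or not all(GROUP.fullmatch(g) for g in groups):
        raise ValueError("malformed address: %r" % s)
    return b"".join(int(g, 16).to_bytes(2, "big") for g in groups)


def classify(addr: bytes) -> str:
    """Name the address class by its leading bits, per the slide's prefix table."""
    bits = format(int.from_bytes(addr, "big"), "0128b")
    for prefix, name in FORMAT_PREFIXES:
        if bits.startswith(prefix):
            return name
    return "other/unassigned"
```

Two details matter when this is used for matching addresses in logs or access lists: the parser rejects a second `::` and any group longer than four hex digits, and the renderer never writes a single zero group as `::`, so every address has exactly one canonical text form and two spellings of the same address cannot slip past a string comparison.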

Slide 36: IPv4 to v6 Migration Methods
- Dual stacks, IPv6 and IPv4
- Tunnelling
- Transition likely to take a very long time

Slide 37: Tunnelling
- Tunnels: IPv6 internets can tunnel IPv6 packets over IPv4 networks ("short-term")
- IPv6 carried as payload in an IPv4 datagram among IPv4 routers

Slide 38: Tunnelling
Logical view: A - B ===tunnel=== E - F, all IPv6
Physical view: A (IPv6), B (IPv6), C (IPv4), D (IPv4), E (IPv6), F (IPv6)
- A-to-B: IPv6 [Flow: X, Src: A, Dest: F, data]
- B-to-E: IPv6 inside IPv4 [Src: B, Dest: E | Flow: X, Src: A, Dest: F, data]
- E-to-F: IPv6 [Flow: X, Src: A, Dest: F, data]

Slide 39: Dual Stack Approach
Nodes: A (IPv6), B (IPv6), C (IPv4), D (IPv4), E (IPv6), F (IPv6)
- A-to-B: IPv6 [Flow: X, Src: A, Dest: F, data]
- B-to-C: IPv4 [Src: A, Dest: F, data]
- C-to-D: IPv4 [Src: A, Dest: F, data]
- D-to-E: IPv6 [Flow: ??, Src: A, Dest: F, data]
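The two figures on slides 38 and 39 differ in one detail worth seeing in code: the tunnel carries the IPv6 header intact (flow label X survives), while dual-stack translation rebuilds the header in the other version and the flow label is lost. The following is an added example (not from the slides) that replays both paths with plain Python values. Protocol number 41 is the real IPv4 protocol value for IPv6-in-IPv4; the per-node stack table, the hop function and the node names as addresses are assumptions made for this example. The tunnel exit also checks that the outer source is the configured peer, which is the check a site needs so that an outsider cannot inject IPv6 packets into it through the tunnel.

```python
"""Tunnelling versus dual-stack translation on the A..F path of slides 38-39
(added example; nodes and packets are plain Python values, not a real stack)."""

IPPROTO_IPV6 = 41   # IPv4 protocol number for an encapsulated IPv6 datagram

# Assumed for this example: which IP versions each node runs. A and F are IPv6-only,
# C is IPv4-only, and B, D and E are dual-stack so that both figures can be played out.
STACKS = {"A": {6}, "B": {4, 6}, "C": {4}, "D": {4, 6}, "E": {4, 6}, "F": {6}}


def v6(src, dst, flow, proto, data):
    return {"ver": 6, "src": src, "dst": dst, "flow": flow, "proto": proto, "data": data}


def v4(src, dst, proto, data):
    return {"ver": 4, "src": src, "dst": dst, "proto": proto, "data": data}


def hop(pkt, a, b, log):
    """One link of the physical view; the receiving node must run the packet's version."""
    if pkt["ver"] not in STACKS[b]:
        raise RuntimeError("%s cannot forward IPv%d" % (b, pkt["ver"]))
    inside = " (IPv6 inside IPv4)" if pkt["ver"] == 4 and pkt["proto"] == IPPROTO_IPV6 else ""
    log.append("%s-to-%s: IPv%d%s" % (a, b, pkt["ver"], inside))


def encapsulate(inner, tunnel_src, tunnel_dst):
    """Tunnel entry: the whole IPv6 datagram, header included, becomes IPv4 payload."""
    return v4(tunnel_src, tunnel_dst, IPPROTO_IPV6, inner)


def decapsulate(outer, expected_peer):
    """Tunnel exit. Checking the outer source against the configured peer stops a
    third party from injecting IPv6 packets into the site through the tunnel."""
    if outer["ver"] != 4 or outer["proto"] != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if outer["src"] != expected_peer:
        raise ValueError("tunnel packet from %s, expected %s" % (outer["src"], expected_peer))
    inner = outer["data"]
    if not isinstance(inner, dict) or inner["ver"] != 6:
        raise ValueError("tunnel payload is not an IPv6 datagram")
    return inner


def translate(pkt, to_version):
    """Dual-stack translation rebuilds the header in the other version. IPv4 has
    no flow label field, so after 6 -> 4 -> 6 the label is gone ('Flow: ??')."""
    if to_version == 4:
        return v4(pkt["src"], pkt["dst"], pkt["proto"], pkt["data"])
    return v6(pkt["src"], pkt["dst"], None, pkt["proto"], pkt["data"])


def send_native(pkt):
    """No tunnel, no translation: the IPv6 datagram dies at the first IPv4-only router."""
    log = []
    for a, b in zip("ABCDE", "BCDEF"):
        hop(pkt, a, b, log)
    return pkt, log


def send_via_tunnel(pkt):
    log = []
    hop(pkt, "A", "B", log)
    outer = encapsulate(pkt, "B", "E")          # B is the tunnel entry, E the exit
    for a, b in (("B", "C"), ("C", "D"), ("D", "E")):
        hop(outer, a, b, log)                   # C and D see only an IPv4 datagram
    inner = decapsulate(outer, "B")
    hop(inner, "E", "F", log)
    return inner, log


def send_via_dual_stack(pkt):
    log = []
    hop(pkt, "A", "B", log)
    p4 = translate(pkt, 4)                      # B rebuilds the header as IPv4
    hop(p4, "B", "C", log)
    hop(p4, "C", "D", log)
    p6 = translate(p4, 6)                       # D rebuilds it as IPv6; flow label unknown
    hop(p6, "D", "E", log)
    hop(p6, "E", "F", log)
    return p6, log
```

`send_via_tunnel` returns the original datagram object with `flow == "X"`, `send_via_dual_stack` returns a rebuilt one with `flow is None`, and `send_native` raises at C, which is why one of the two migration methods is needed in the first place.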

Slide 40: Summary
- IETF has defined the next version of IP to be IPv6
- Addresses are 128 bits long
- A datagram starts with a base header followed by zero or more extension headers
- The sender performs fragmentation