Private Network Interconnection Chapter 20

Introduction
– Privacy in an internet is a major concern
  – Contents of datagrams that travel across the Internet may be viewed as they pass across networks owned by other organizations
– Internal datagrams are those sent between computers within an organization
– External datagrams are those sent between computers in different organizations
  – The goal is to keep internal datagrams private, while allowing external communication

Private and Hybrid Networks
– Private Networks
  – Use routers to connect networks at each site, and leased digital circuits to interconnect the sites
  – Can use arbitrary IP addresses
  – Are isolated from the Internet
– Hybrid Networks
  – Use valid IP addresses, and sites are connected to the Internet
  – Assured of privacy when communicating internally
  – See the leased circuit and connections to the Internet in Figure 20.1
– Both are expensive (each may lease T1 lines)

Virtual Private Networks
– A VPN uses the Internet to connect sites
– Communication between computers in the VPN is concealed from outsiders
  – tunneling using IP-in-IP encapsulation
  – datagrams are encrypted before they are encapsulated
    – outsiders cannot decrypt them because they do not have the encryption key

VPN Addressing and Routing
– A VPN routes data through a tunnel
  – See the routing table for R1, which handles tunneling, in Figure 20.3
  – Example
    – A computer on network sends a datagram to a computer on network
    – The datagram is forwarded to R2, which forwards it to R1
    – R1 encrypts the datagram, encapsulates it in the data portion of an outer datagram with destination R3, and forwards the outer datagram through the local ISP and across the Internet
    – R3 recognizes the datagram as tunneled from R1
    – R3 decrypts the data area and forwards it to R4 for delivery
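The tunnel walk-through above, as an added example that is not part of the chapter or its figures: R1 consults a routing table, encrypts the inner datagram, wraps it in an outer IPv4 datagram addressed to R3, and R3 recognizes the outer datagram as tunneled from R1, verifies and decrypts it, and hands back the inner datagram for R4. The site prefixes, the endpoint addresses, the shared key and the hash-based counter-mode cipher with an HMAC tag are all assumptions standing in for whatever a real VPN product uses.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed addresses for the example (assumed; not the chapter's figures)
R1_PUBLIC = "203.0.113.1"    # site 1 tunnel endpoint, a valid Internet address
R3_PUBLIC = "198.51.100.1"   # site 2 tunnel endpoint, a valid Internet address
TUNNEL_KEY = b"placeholder-shared-key"  # stands in for the key only R1 and R3 hold

# R1's routing table: (prefix, action). Site 1 is delivered directly; site 2 goes via the tunnel.
ROUTES_R1 = [
    (ipaddress.ip_network("10.1.0.0/16"), ("direct", None)),
    (ipaddress.ip_network("10.2.0.0/16"), ("tunnel", R3_PUBLIC)),
]

def lookup_route(routes, dst):
    """Longest-prefix match; returns the action tuple or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, action in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None

def checksum(data):
    """One's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.ip_address(f[8])), "dst": str(ipaddress.ip_address(f[9])),
            "proto": f[6], "payload": pkt[20:f[2]]}

def _keystream(key, nonce, n):
    # Hash-based counter-mode keystream: a stand-in for the VPN's real cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag. Without the key an outsider can neither read nor forge."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: not produced by a tunnel peer holding the key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def r1_forward(inner_pkt):
    """R1: if the destination is behind the tunnel, encrypt the inner datagram and carry it as the data of an outer datagram addressed to R3."""
    action = lookup_route(ROUTES_R1, parse_header(inner_pkt)["dst"])
    if action is None or action[0] != "tunnel":
        return inner_pkt                     # local delivery: no encapsulation
    body = encrypt(TUNNEL_KEY, inner_pkt)
    # protocol 4 = IP-in-IP, matching the chapter's description of the tunnel
    return ipv4_header(R1_PUBLIC, action[1], 4, len(body)) + body

def r3_receive(outer_pkt):
    """R3: recognize the datagram as tunneled from R1, decrypt the data area, return the inner datagram for R4."""
    hdr = parse_header(outer_pkt)
    if hdr["proto"] != 4 or hdr["src"] != R1_PUBLIC:
        raise ValueError("not a tunneled datagram from R1")
    return decrypt(TUNNEL_KEY, hdr["payload"])
```

The outer source-address check at R3 only selects which tunnel a datagram belongs to; it is the tag verification in decrypt() that establishes the outer datagram really came from a peer holding the key, since the outer header itself can be forged by anyone on the path.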

A VPN with Private Addresses
– A VPN offers the same addressing options as a private network
  – If Internet connectivity is not used, arbitrary IPs can be assigned
  – If Internet connectivity is used, a hybrid addressing scheme can be used
  – But when private addressing is used, one valid IP address is needed at each site for tunneling
    – In Figure 20.4, site 1 uses subnet /16 and site 2 uses subnet /16
    – Two valid IP addresses are required for connection to the Internet

A VPN with Private Addresses
– How can a site provide access to the Internet without assigning each host a valid IP address?
  – Using an application gateway: each site has a multi-homed host connected to the Internet (valid IP address) and to the private network (private IP address)
    – This host runs a set of application programs, each of which handles one service
    – Other hosts at the site send requests to the application gateway, which interacts with the Internet on their behalf

Network Address Translation (NAT)
– Requires a site to have a single connection to the Internet and at least one valid IP address, G
  – Address G is assigned to a multi-homed computer that connects to the Internet and runs NAT software, called a NAT box
    – all datagrams pass through it on the way to/from the Internet
  – NAT translates the addresses in the datagrams by
    – replacing the outgoing source address with G
    – replacing the incoming destination address with the private address of the internal host

NAT Translation Table Creation
– How does NAT know the destination for an incoming datagram?
  – NAT maintains a translation table holding the IP address of a host on the Internet and the internal IP address of a host at the site
– How is the table initialized?
  – Manually
  – Outgoing datagrams: an entry is set when a datagram is sent
  – Incoming name lookups: an entry is set when a domain name is requested

NAT Translation Table Creation
– Figure 20.5 shows an ISP that serves dial-up customers
  – The ISP assigns an IP address to a customer when the customer dials in
  – NAT allows the ISP to assign private addresses , then , etc.
  – When a customer sends a datagram to a destination on the Internet, NAT uses the outgoing datagram to initialize its translation table

Multi-Address NAT
– The NAT box can be allowed to hold multiple Internet addresses
  – Previously we only allowed a 1-to-1 address mapping
    – At most one computer at the site has access to a given machine on the Internet at any time
  – This variation is multi-address NAT
    – A NAT box has a set of k valid addresses G1, G2, …, Gk
    – When the first host accesses a destination, G1 is assigned
    – If another host accesses the same destination, G2 is assigned, and so on
    – Thus, up to k internal hosts may access a destination at the same time

Port-Mapped NAT
– This variation of NAT translates TCP or UDP port numbers as well as addresses (NAPT)
  – The table contains the source and destination IP addresses and the source and destination protocol ports
  – The table also indicates a port number used by the NAT box, as shown in Figure 20.6

Interaction Between NAT and ICMP
– NAT must handle ICMP
– Example
  – When ping is used, ICMP sends an echo request and an echo reply
  – NAT does not forward all ICMP messages from the Internet
    – NAT determines whether the message is to be handled locally or sent to an internal host
    – Before forwarding, NAT translates the ICMP message
  – ICMP's destination unreachable is an example: the message carries the header of the datagram that caused it, so NAT must translate that embedded header as well as the outer destination
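The NAT box, translation-table creation from outgoing datagrams, port-mapped NAT and the ICMP cases from the preceding slides, as an added simulation that is not code from the chapter. Datagrams are modelled by the fields NAT acts on rather than raw bytes, the public address G and the NAT port range are constructed values, and ICMP is reduced to two assumed kinds: an echo (identifier in the port slot) and an error message carrying the offending datagram's header. Unsolicited inbound datagrams with no table entry are returned as None, meaning the NAT box handles them itself or discards them.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass
class Datagram:
    """The fields NAT looks at. For tcp/udp, sport/dport are protocol ports; for "icmp-echo" sport
    holds the identifier and dport is 0; for "icmp-error" the offending datagram's header is in `inner`."""
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    inner: Optional["Datagram"] = None

class Napt:
    """Port-mapped NAT with a single valid address G; entries are created from outgoing datagrams."""
    def __init__(self, public_addr, first_port=40000):
        self.public = public_addr          # G, the one valid address (constructed in the test)
        self.next_port = first_port        # next port the NAT box hands out
        self.out = {}    # (proto, priv_ip, priv_port, remote_ip, remote_port) -> nat_port
        self.back = {}   # (proto, nat_port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, d):
        """Rewrite the source to G and a NAT-chosen port, creating the table entry on first use."""
        key = (d.proto, d.src, d.sport, d.dst, d.dport)
        nat_port = self.out.get(key)
        if nat_port is None:               # first datagram of this flow
            nat_port = self.next_port
            self.next_port += 1
            self.out[key] = nat_port
            self.back[(d.proto, nat_port, d.dst, d.dport)] = (d.src, d.sport)
        return replace(d, src=self.public, sport=nat_port)

    def inbound(self, d):
        """Translate a datagram arriving from the Internet; None when no entry matches
        (handled locally at the NAT box or dropped, never guessed into an internal host)."""
        if d.proto == "icmp-error":
            return self._inbound_icmp_error(d)
        if d.proto == "icmp-echo":         # the reply carries the identifier NAT assigned
            entry = self.back.get((d.proto, d.sport, d.src, d.dport))
            return None if entry is None else replace(d, dst=entry[0], sport=entry[1])
        entry = self.back.get((d.proto, d.dport, d.src, d.sport))
        return None if entry is None else replace(d, dst=entry[0], dport=entry[1])

    def _inbound_icmp_error(self, d):
        # The embedded header is our own outgoing datagram as the Internet saw it (src=G,
        # sport=nat_port): look it up by those fields and translate it back along with the outer dst.
        i = d.inner
        entry = self.back.get((i.proto, i.sport, i.dst, i.dport))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return replace(d, dst=priv_ip, inner=replace(i, src=priv_ip, sport=priv_port))
```

Two internal hosts that contact the same server from the same local port get distinct NAT ports, which is exactly the limitation of 1-to-1 address mapping that port mapping removes; and an inbound datagram that matches no entry cannot be delivered inside, which is why a NAT box incidentally blocks unsolicited traffic from the Internet.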

Interaction Between NAT and Applications
– NAT does not work with applications that send IP addresses or protocol ports as data
  – unless NAT is programmed to recognize the application (like FTP) and make changes in the data
  – most implementations of NAT only recognize a few standard services
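The FTP case named above, as an added example that is not from the chapter: an active-mode FTP client sends its own address and a listening port inside the control connection as a PORT command, so a NAT box that forwards the bytes untouched leaks a private address the server cannot reach. The code parses the PORT line, hands the private endpoint to an `allocate` callback (assumed to be the NAT's table, which in the test is a stub returning a constructed public endpoint) and rewrites the command with the valid address and NAT port.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2\r\n": four address octets then the port as high byte, low byte
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(line):
    """Return (ip, port) carried in a PORT command, or None if the line is not a valid one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):        # reject malformed octets rather than guess
        return None
    return "%d.%d.%d.%d" % tuple(vals[:4]), vals[4] * 256 + vals[5]

def format_port(ip, port):
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()

def rewrite_port_command(line, allocate):
    """Application-aware NAT step for FTP: replace the private endpoint inside the data.
    `allocate(private_ip, private_port)` must reserve a NAT entry and return (public_ip, nat_port)."""
    parsed = parse_port(line)
    if parsed is None:
        return line                        # not a PORT command: pass through unchanged
    priv_ip, priv_port = parsed
    pub_ip, pub_port = allocate(priv_ip, priv_port)
    return format_port(pub_ip, pub_port)
```

Because the rewritten line is usually a different length, the NAT box must also adjust TCP sequence and acknowledgement numbers on every later segment of that control connection, and it must keep the reserved entry until the server's data connection arrives; that per-protocol bookkeeping is why most NAT implementations only handle a few standard services.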

Slirp and Masquerade
– Two implementations of NAT came from UNIX
  – slirp
    – A computer with a private address dials in
    – The computer starts PPP and gets access to the Internet
  – masquerade
    – Can be configured to operate like a router between two networks

Summary
– A VPN allows an organization to use the Internet to connect multiple sites
– It uses encryption to guarantee privacy
– A VPN can be isolated or hybrid
– To communicate between hosts in different address domains
  – application gateways act like a proxy, receiving requests from a host in one domain and relaying them to a host in a different domain
  – NAT provides access to the Internet from a host with a private address

For Next Time Read Chapter 21