Presentation is loading. Please wait.

Presentation is loading. Please wait.

Middleboxes & Network Appliances EE122 TAs Past and Present.

Published byBarbara Carter Modified over 8 years ago

Similar presentations

Presentation on theme: "Middleboxes & Network Appliances EE122 TAs Past and Present."— Presentation transcript:

1 Middleboxes & Network Appliances EE122 TAs Past and Present

2 What is a middlebox? “A middlebox is defined as any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and destination host.” [RFC 3234]

3 Is it on the data path? No Why are you even asking this. Yes Is it a router or a switch? Yes No It’s a Middlebox It’s a router or a switch (duh).

4 You are building one of these in Project 3! - Blocks traffic determined to be malicious. -Often based on an “Access Control List” of filters for what is acceptable/unacceptable. -Example: DROP src.port != 80 Example: Firewalls

5 Intermediates connections between multiple clients and external web servers. -Key benefit: Caching -One user accesses New York Times in the morning, after which 100 more access it as well. With a proxy, pay for 1/100 the bandwidth. Example: Proxy

6 Example: Network Address Translator Allows multiple clients using private IP addresses to share a public IP address. -Invented to solve IPv4 Address Exhaustion -Your home network almost certainly uses a NAT.

7 Example: Network Address Translator Private IP Address Ranges: -10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 Not publicly routable – reserved for use within a private network only.

8 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal Mr. NAT: 169.229.49.103

9 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal Mr. NAT: 169.229.49.103 Dst: 7.6.5.4 p80 From: 10.0.0.5 p 5678 Dst: 7.6.5.4 p80 From: 10.0.0.5 p 5678

10 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 Mr. NAT: 169.229.49.103 Dst: 7.6.5.4 p80 From: 10.0.0.5 p 5678 Dst: 7.6.5.4 p80 From: 10.0.0.5 p 5678

11 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 Mr. NAT: 169.229.49.103 Dst: 7.6.5.4 p80 From: 169.229.49.103 p 5678 Dst: 7.6.5.4 p80 From: 169.229.49.103 p 5678

12 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 Mr. NAT: 169.229.49.103 Dst: 7.6.5.4 p80 From: 169.229.49.103 p 5678 Dst: 7.6.5.4 p80 From: 169.229.49.103 p 5678 Dst: 169.229.49.103 p 5678 From: 7.6.5.4 p80 Dst: 169.229.49.103 p 5678 From: 7.6.5.4 p80

13 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 Mr. NAT: 169.229.49.103 Dst: 10.0.0.5 p 5678 From: 7.6.5.4 p80 Dst: 10.0.0.5 p 5678 From: 7.6.5.4 p80

14 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 Mr. NAT: 169.229.49.103 Dst: 10.0.0.5 p 5678 From: 7.6.5.4 p80 Dst: 10.0.0.5 p 5678 From: 7.6.5.4 p80

15 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 Mr. NAT: 169.229.49.103 Dst: 7.6.4.2 p80 Src: 10.0.0.4 p 5678 Dst: 7.6.4.2 p80 Src: 10.0.0.4 p 5678

16 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 10.0.0.4, 56789943 Mr. NAT: 169.229.49.103 Dst: 7.6.4.2 p80 Src: 10.0.0.4 p 5678 Dst: 7.6.4.2 p80 Src: 10.0.0.4 p 5678

17 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 10.0.0.4, 56789943 Mr. NAT: 169.229.49.103 Dst: 7.6.4.2 p80 Src: 169.229.49.103 P 9943 Dst: 7.6.4.2 p80 Src: 169.229.49.103 P 9943

18 Example: Network Address Translator Mr. NAT Mr. Scott: 10.0.0.5 Mr. Panda: 10.0.0.4 Ms. Mittal: 10.0.0.3 InternalExternal 10.0.0.5, 56785678 10.0.0.4, 56789943 Mr. NAT: 169.229.49.103 Dst: 7.6.4.2 p80 Src: 169.229.49.103 P 9943 Dst: 7.6.4.2 p80 Src: 169.229.49.103 P 9943

19 Problems & Answers

20 (1) (a) L7 (b) L3 (Block this IP address), L4 (Block this port), L7 (Block this DNS address) (c) L3 and L4 (IP addresses and Ports)

21 (2) There is no correct answer! People have argued about this for years. Pro: -Some are performance optimizations -Many cannot be implemented at app layer Con: -Unexpected impact at application layer -Often implement redundant behaviors

22 (2) There is no correct answer! People have argued about this for years. Pro: -Some are performance optimizations -Many cannot be implemented at app layer Con: -Unexpected impact at application layer -Often implement redundant behaviors

23 (3) (a) dest addr/port rewritten, checksum recalc'd, delivered to 10.0.0.6:4113 (Mr. Scott) (b) src addr/port rewritten, checksum recalc'd, delivered to 8.5.3.2 (some Internet person)

24 (4) There are only 65336 unique TCP port numbers. If Mr. Scott has 65336 TCP connections open, Ms. Mittal will not be able to open another, and her connection will either reset or time out because the NAT has run out of port numbers to allocate.

25 (5) Mr. Panda’s server is behind a NAT. Because NATs only establish mappings for outgoing connections, Mr. Pandas incoming requests are dropped at the NAT. Mr. Panda could set up his server to send out fake “SYN” packets on port 252. This technique is called “hole-punching.”

26 (6) (a) 100 MB / 5min is 2.7 Mbps (b) 1% of that -> 27Kbps

Download ppt "Middleboxes & Network Appliances EE122 TAs Past and Present."

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.

CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013.

CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
NAT: Network Address Translation 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 138.76.29.7 local network (e.g., home network) 10.0.0/24 rest of Internet Datagrams.

NAT: Network Address Translation local network (e.g., home network) /24 rest of Internet Datagrams.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
Chapter 6 Network Address Translation (NAT). Network Address Translation  Modification of source or destination IP address  Needed by networks using.

Chapter 6 Network Address Translation (NAT). Network Address Translation  Modification of source or destination IP address  Needed by networks using.
Firewalls Screen packets coming into the Privet Networks from external, Untrusted Networks (Internet) Ingress Packet Filtering  Firewall examine incoming.

Firewalls Screen packets coming into the Privet Networks from external, Untrusted Networks (Internet) Ingress Packet Filtering  Firewall examine incoming.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.

Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Network Address Translation (NAT)

Network Address Translation (NAT)
CS 5565 Network Architecture and Protocols

CS 5565 Network Architecture and Protocols
Middleboxes and Tunneling Mike Freedman COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101

Middleboxes and Tunneling Mike Freedman COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.

Similar presentations

Ads by Google