Presentation transcript: Private Network Interconnection (CS 428 Computer Networking)

Slide 1: Private Network Interconnection (© MMII JW Ryder, CS 428 Computer Networking)
- VPN - Virtual Private Networks
- NAT - Network Address Translation
- Describe a 2-level internet architecture
  - A private internet connected by the public internet/Internet

Slide 2: Private/Hybrid Networks
- Major drawback of the single-level architecture: lack of privacy
- Two levels distinguish between internal and external datagrams
- Goal: keep internal datagrams private while still allowing external communication

Slide 3: Private Networks
- The easiest way to guarantee privacy is a completely private network (aka a private network)
- Use routers to interconnect networks at each site and leased digital circuits to interconnect sites
- Since there is no outside access, the site can use its own IP addressing scheme

Slide 4: Hybrid Networks
- Gives the advantages of both a private network and global Internet connectivity
- Must use globally valid IP addresses
- Connect each site to the Internet
- See the hybrid architecture in figure 20.1 on page 390

Slide 5: VPN
- Chief disadvantage of both private and hybrid networks is high cost
  - Leased lines (T1+) are expensive
- Can lower cost by using alternative technologies (frame relay, ATM) or by simply connecting to the global Internet
- Connecting to the global Internet could remove privacy

Slide 6: VPN
- Big question: how to keep the privacy but also keep Internet connectivity?
- Two techniques make VPN possible
  - Tunneling
  - Encryption
- Define a tunnel across the Internet between a router on one side and a router on the other
- Use IP-in-IP encapsulation in the tunnel

Slide 7: VPN
- See the tunnel figure 20.2 on page 391
- The entire inner datagram, including the IP header, is encrypted before being placed as the data in the outer datagram
- Describe flow
- "A VPN sends data across the Internet, but encrypts intersite transmissions to guarantee privacy" (page 392)

Slide 8: VPN Addressing
- Offers an organization the same addressing as a private network if hosts do not need Internet connectivity
- If hosts need Internet connectivity, the hybrid approach can be used
- In either case the routers that interface with the Internet always need valid IP addresses
- See figure 20.4 on page 393

Slide 9: VPN Addressing
- How can a site provide access to the global Internet without assigning each host a valid IP address?
- Two general methods
  - Application Gateways
  - Network Address Translation

Slide 10: Application Gateways
- Offers hosts access to Internet services without offering IP-level access
- Each site has a multi-homed host (MHH) with a connection to both the Internet and the private network
- The MHH runs a set of programs called Application Gateways

Slide 11: Application Gateways
- Each AG handles one service
- Hosts send datagrams to the AG on the MHH
- The MHH accesses the service on the Internet
- The MHH relays responses back to the host on the private network
- Example: e-mail gateway

Slide 12: Application Gateways
- Advantage: works without changing the underlying structure of the private network
- Disadvantage: lack of generality
- "Each application gateway handles only one specific service; multiple gateways are required for multiple services."
- AGs do NOT solve the problem in a general way

Slide 13: NAT
- Requires a site to have a single connection to the Internet and one valid IP address, G
- G is assigned to a MHH connected to the Internet that runs NAT software
- A computer running NAT software is known as a NAT box
- All datagrams flow through the NAT box

Slide 14: NAT
- NAT translates both outgoing and incoming addresses
- Outgoing
  - Replace the source address with G
- Incoming
  - Replace the destination address with the private address of the host

Slide 15: NAT
- External view: all datagrams come from and go to the NAT box
- Internal view: the NAT box appears as a router to the Internet
- Chief advantage: combination of generality and transparency

Slide 16: NAT
- More general than AGs: allows an arbitrary internal host to access an arbitrary service on a host on the Internet
- Transparency: allows an internal host to send and receive datagrams using a private IP address
- "NAT technology provides transparent IP-level access to the Internet from a host with a private address."

Slide 17: NAT Translation
- Each entry specifies two items
  - IP address of the host on the Internet
  - IP address of the host on the private network
- Example incoming/outgoing
- The table must be in place before a datagram arrives in from the Internet
- Why?

Slide 18: NAT Translation
- How/when is the table initialized?
  - Manual: by the network administrator
  - Outgoing datagrams: side effect of sending datagrams
  - Incoming DNS lookup: side effect of a DNS lookup
- When a host on the Internet does a DNS lookup of an internal host, the DNS software creates an entry in the translation table, then answers the request by sending G

Slide 19: NAT Translation
- Manual
  - Advantage: IP datagrams in either direction at any time
- Outgoing
  - Advantage: automatic
  - Disadvantage: communication can't be initiated from outside
- Incoming DNS lookups
  - Requires modifying DNS software
  - Accommodates initiating communication from outside
  - Only works if DNS is used

Slide 20: NAT
- Most implementations use the outgoing method
- Example in figure 20.5 on page 396
- NAT permits an ISP to assign private addresses

Slide 21: Multi-Address NAT
- NAT as described so far allows a single host on the private network to access a single Internet site
- What if two local hosts want to access a single Internet host?
- External address concurrency

Slide 22: Multi-Address NAT
- Assign the NAT box multiple Gs
- Multiple accesses of the same Internet host map to different Gs
- Still only a finite number of concurrent accesses

Slide 23: Port-Mapped NAT
- Translate TCP or UDP protocol port numbers too
- Sometimes known as Network Address Port Translation (NAPT)
- Additional table fields
  - Pair of source/destination protocol port numbers
  - Protocol port number used by the NAT box

Slide 24: Port-Mapped NAT
- See figure 20.6 on page 397
- 10.0.0.5 and 10.0.0.1 have unique source port numbers, but this is NOT guaranteed
- Maybe they choose the same number: the application can select it
- To avoid this, NAT assigns a unique port number to each Internet communication

Slide 25: Port-Mapped NAT
- TCP 4-tuple to represent IP addresses and port numbers
- Before sending
  - (10.0.0.5, 21023, 128.10.19.20, 80)
  - (10.0.0.1, 386, 128.10.19.20, 80)
- After NAPT translation
  - (G, 14003, 128.10.19.20, 80)
  - (G, 14010, 128.10.19.20, 80)
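The translation table behaviour of slides 17 through 25 as an added, runnable example (this is not code from the lecture or the textbook). It models a NAPT box with a single valid address G: entries are created as a side effect of outgoing datagrams, an incoming datagram that matches no entry cannot be delivered (which is why outside hosts cannot initiate communication with the outgoing method alone), a manually configured entry does allow outside-initiated traffic, and two internal hosts that happen to pick the same source port still receive distinct NAT-assigned ports because the box, not the application, chooses them. The value of G (192.0.2.1) and the manual-entry host are constructed; the NAT box hands out ports sequentially from 14003, so the second port differs from the slide's 14010.

```python
from typing import Dict, Optional, Tuple

# (source ip, source port, destination ip, destination port)
Tuple4 = Tuple[str, int, str, int]

G = "192.0.2.1"  # the NAT box's single globally valid address; constructed value


class NaptBox:
    """Port-mapped NAT (NAPT) translation table behind one valid address G."""

    def __init__(self, first_port: int = 14003) -> None:
        # outgoing lookup: private 4-tuple -> port the NAT box assigned
        self._out: Dict[Tuple4, int] = {}
        # incoming lookup: (NAT port, remote ip, remote port) -> (private ip, private port)
        # a manual entry is stored as (NAT port, None, None) and matches any remote host
        self._in: Dict[Tuple[int, Optional[str], Optional[int]], Tuple[str, int]] = {}
        self._next_port = first_port

    def add_manual(self, private_ip: str, private_port: int, nat_port: int) -> None:
        """Administrator-configured entry (the 'manual' method of slide 19):
        outside hosts may reach private_ip:private_port via G:nat_port at any time."""
        self._in[(nat_port, None, None)] = (private_ip, private_port)

    def translate_out(self, dgram: Tuple4) -> Tuple4:
        """Outgoing datagram: replace (private ip, port) with (G, NAT-assigned port).
        The entry is created as a side effect of the first datagram of a flow."""
        src_ip, src_port, dst_ip, dst_port = dgram
        nat_port = self._out.get(dgram)
        if nat_port is None:
            nat_port = self._next_port  # the box picks the port, so no two flows collide
            self._next_port += 1
            self._out[dgram] = nat_port
            self._in[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (G, nat_port, dst_ip, dst_port)

    def translate_in(self, dgram: Tuple4) -> Optional[Tuple4]:
        """Incoming datagram addressed to G: restore the private destination.
        Returns None when no entry exists, i.e. the datagram is dropped."""
        src_ip, src_port, dst_ip, nat_port = dgram
        if dst_ip != G:
            return None
        entry = (self._in.get((nat_port, src_ip, src_port))
                 or self._in.get((nat_port, None, None)))
        if entry is None:
            return None
        private_ip, private_port = entry
        return (src_ip, src_port, private_ip, private_port)


def demo() -> Optional[Tuple4]:
    """Send the slide's two connections out, then return the translated reply
    to the first one."""
    box = NaptBox()
    box.translate_out(("10.0.0.5", 21023, "128.10.19.20", 80))
    box.translate_out(("10.0.0.1", 386, "128.10.19.20", 80))
    return box.translate_in(("128.10.19.20", 80, G, 14003))


if __name__ == "__main__":
    print(demo())
```

A reply from 128.10.19.20:80 to G:14003 is delivered to 10.0.0.5:21023; the same reply to a port that no outgoing datagram created (or with no manual entry) is dropped, which is the slide's "table must be in place before the datagram arrives" point in code.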

Slide 26: Port-Mapped NAT
- Advantage: generality with a single valid IP address
- Disadvantage: restricts use to TCP or UDP
- "Several variants of NAT exist, including the popular NAPT form that translates protocol port numbers as well as IP addresses."

Slide 27: NAT and ICMP
- "Straightforward" changes to IP addresses can cause unexpected problems in higher-layer protocols
- NAT doesn't forward all ICMP messages arriving from the Internet
- Example: if routes in the NAT box are incorrect, an ICMP redirect message must be handled locally, not sent internally to some other host
- Before forwarding to an internal host, NAT translates the ICMP message

Slide 28: NAT and ICMP
- So NAT must decide whether an ICMP message is to be forwarded in or handled locally
- ICMP destination unreachable message
  - The returned IP header contains the source address, but G is in it, not the internal source

Slide 29: NAT and ICMP
- The NAT box must first translate the address and place it into the ICMP message
- The ICMP checksum is now incorrect, and so is the one in the datagram's outer header!!!!
- These must now be recomputed
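An added example (not from the lecture or the textbook) of the ICMP translation described on slides 28 and 29, done on real packet bytes. It builds an incoming ICMP Destination Unreachable whose quoted IP header carries G as source, rewrites that quoted source (address and TCP port) back to the private host, rewrites the outer destination, and recomputes the checksums; `recompute=False` shows the state the slide warns about, where both the ICMP checksum and the outer header checksum are stale. The quoted header's own checksum is recomputed as well, which the slide does not mention but which keeps the quoted header self-consistent. The address G (192.0.2.1), the choice of 128.10.19.20 as the host sending the ICMP message, and the translation table contents are constructed; the private address and ports are the ones on slide 25.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

G = "192.0.2.1"           # NAT box's valid address (constructed value)
PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_UNREACHABLE = 3
EMB = 8                   # offset of the quoted IP header inside the ICMP message


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when the
    data already carries a correct checksum field."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_unreachable(code: int, offending: bytes) -> bytes:
    """ICMP Destination Unreachable quoting the offending IP header + 8 data bytes."""
    msg = struct.pack("!BBHI", ICMP_UNREACHABLE, code, 0, 0) + offending[:28]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def translate_icmp_in(dgram: bytes, table: Dict[int, Tuple[str, int]],
                      recompute: bool = True) -> Optional[bytes]:
    """NAT-translate an ICMP unreachable arriving from the Internet for G.
    `table` maps NAT-assigned port -> (private ip, private port), the entry
    created when the private host's datagram went out."""
    outer, icmp = bytearray(dgram[:20]), bytearray(dgram[20:])
    if outer[9] != PROTO_ICMP or icmp[0] != ICMP_UNREACHABLE:
        return None                                    # not handled by this routine
    quoted_src = socket.inet_ntoa(bytes(icmp[EMB + 12:EMB + 16]))
    nat_port = struct.unpack("!H", icmp[EMB + 20:EMB + 22])[0]   # quoted TCP/UDP source port
    if quoted_src != G or nat_port not in table:
        return None                                    # no entry: drop the message
    private_ip, private_port = table[nat_port]
    # 1. quoted header: source G:nat_port -> private host:private port
    icmp[EMB + 12:EMB + 16] = socket.inet_aton(private_ip)
    icmp[EMB + 20:EMB + 22] = struct.pack("!H", private_port)
    # 2. outer header: destination G -> private host
    outer[16:20] = socket.inet_aton(private_ip)
    if recompute:
        # quoted header checksum, ICMP checksum (covers the quoted header) and
        # outer header checksum are all stale after the rewrites above
        icmp[EMB + 10:EMB + 12] = b"\x00\x00"
        icmp[EMB + 10:EMB + 12] = struct.pack("!H", inet_checksum(icmp[EMB:EMB + 20]))
        icmp[2:4] = b"\x00\x00"
        icmp[2:4] = struct.pack("!H", inet_checksum(icmp))
        outer[10:12] = b"\x00\x00"
        outer[10:12] = struct.pack("!H", inet_checksum(outer))
    return bytes(outer + icmp)


def checksums_ok(dgram: bytes) -> bool:
    """Both the outer IP header and the ICMP message verify."""
    return inet_checksum(dgram[:20]) == 0 and inet_checksum(dgram[20:]) == 0


def quoted_source(dgram: bytes) -> Tuple[str, int]:
    icmp = dgram[20:]
    return (socket.inet_ntoa(icmp[EMB + 12:EMB + 16]),
            struct.unpack("!H", icmp[EMB + 20:EMB + 22])[0])


def outer_destination(dgram: bytes) -> str:
    return socket.inet_ntoa(dgram[16:20])


def build_scenario() -> Tuple[bytes, Dict[int, Tuple[str, int]]]:
    """Constructed input: 10.0.0.5:21023 sent a TCP segment to 128.10.19.20:80,
    the NAT box rewrote it to G:14003, and 128.10.19.20 answered with an
    ICMP port unreachable (code 3) addressed to G."""
    tcp_first8 = struct.pack("!HHI", 14003, 80, 0)
    translated = ipv4_header(G, "128.10.19.20", PROTO_TCP, 20) + tcp_first8
    icmp = icmp_unreachable(3, translated)
    outer = ipv4_header("128.10.19.20", G, PROTO_ICMP, len(icmp))
    return outer + icmp, {14003: ("10.0.0.5", 21023)}
```

Note that the NAT box finds the right internal host from the quoted header's transport port, not from the outer header, which is why only ICMP messages that quote a datagram with a matching table entry can be forwarded inward.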

Slide 30: NAT and Applications
- Pure NAPT doesn't work with applications that send IP addresses and port numbers as data
- FTP: a TCP application
  - One program obtains a port number on the local machine, converts it to ASCII and sends it to the other host to create a TCP connection

Slide 31: NAT and Applications
- NAPT would need to inspect all data and translate as needed for every application protocol as it is designed!
- NAT supports the main application protocols such as FTP and Telnet, but not all
- Certainly not our home-grown applications
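The FTP problem of slides 30 and 31, as an added example that is not part of the lecture: active-mode FTP sends the client's IP address and listening port as ASCII in a PORT command ("PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2). `leaks_private_address` detects a PORT command that still carries an RFC 1918 address, which is what an address-only NAPT would let out, and `FtpAwareNat` performs the application-specific rewrite a NAT box must add for FTP. The address G (192.0.2.1) and the sample command line are constructed.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

G = "192.0.2.1"  # NAT box's valid address (constructed value)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a valid PORT command."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def format_port_command(ip: str, port: int) -> str:
    """Encode (ip, port) back into the ASCII form FTP sends on the control connection."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def leaks_private_address(line: str) -> bool:
    """True when a PORT command carries an RFC 1918 address in its data: an
    address-only NAPT would forward it unchanged and the server's data
    connection would be aimed at an unroutable private address."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False
    addr = ipaddress.ip_address(parsed[0])
    return any(addr in net for net in RFC1918)


class FtpAwareNat:
    """The FTP-specific translation the slides say a NAT box must add."""

    def __init__(self, first_port: int = 14003) -> None:
        # NAT-assigned port -> (private ip, private port) awaiting the server's data connection
        self.table: Dict[int, Tuple[str, int]] = {}
        self._next_port = first_port

    def rewrite_control_line(self, private_ip: str, line: str) -> str:
        """Rewrite a PORT command from private_ip so it advertises G and a NAT
        port, and record the entry that maps that port back to the client."""
        parsed = parse_port_command(line)
        if parsed is None or parsed[0] != private_ip:
            return line  # not a PORT command (or not this host's address): untouched
        nat_port = self._next_port
        self._next_port += 1
        self.table[nat_port] = parsed
        return format_port_command(G, nat_port)


if __name__ == "__main__":
    nat = FtpAwareNat()
    print(nat.rewrite_control_line("10.0.0.5", "PORT 10,0,0,5,82,39\r\n"))
```

Because the rewritten line can differ in length from the original, a real FTP-aware NAT also has to adjust TCP sequence and acknowledgement numbers on the control connection for every later segment, which is part of why the slide calls per-application inspection impractical in general.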

Slide 32: Summary
- VPNs guarantee privacy but are expensive
- Two main technologies used to implement VPN
  - Application Gateways
  - NAT
