Published by Linette Butler, modified over 9 years ago
1
Private Network Interconnection Chapter 20
2
Introduction
- Privacy in an internet is a major concern
  - Contents of datagrams that travel across the Internet may be viewed as they pass across networks owned by other organizations
- Internal datagrams are those sent between computers within an organization
- External datagrams are those sent between computers in different organizations
  - The goal is to keep internal datagrams private, while allowing external communication
3
Private and Hybrid Networks
- Private Networks
  - Use routers to connect networks at each site, and leased digital circuits to interconnect the sites
  - Can use arbitrary IP addresses
  - Are isolated from the Internet
- Hybrid Networks
  - Use valid IP addresses, and sites are connected to the Internet
  - Assured of privacy when communicating internally
  - See the leased circuit and connections to the Internet in Figure 20.1
- Both are expensive; either may lease T1 lines
4
Virtual Private Networks
- A VPN uses the Internet to connect sites
- Communication between computers in the VPN is concealed from outsiders
  - tunneling using IP-in-IP encapsulation
  - datagrams are encrypted before they are encapsulated
    - outsiders cannot decrypt because they do not have the encryption key
5
VPN Addressing and Routing
- A VPN routes data through a tunnel
  - See the routing table for R1, which handles tunneling, in Figure 20.3
  - Example
    - A computer on network 128.10.2.0 sends a datagram to a computer on network 128.210.0.0
    - The datagram is forwarded to R2, which forwards it to R1
    - R1 encrypts the datagram, encapsulates it in the data portion of an outer datagram with destination R3, and forwards the outer datagram through the local ISP and across the Internet
    - R3 recognizes the datagram as tunneled from R1
    - R3 decrypts the data area and forwards it to R4 for delivery
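The tunnel walk-through above (R1 encrypts, encapsulates and forwards; R3 recognises, decrypts and forwards) as an added, runnable model. This is example code written for this page, not code from the slides or the textbook. The two site networks come from the slide text; the routers' valid Internet addresses (R1_PUBLIC, R3_PUBLIC), the routing table R1_ROUTES, the pre-shared key, and the use of protocol number 4 for the outer datagram are assumptions. The encryption is a stand-in built from HMAC-SHA256 so the example runs on the Python standard library; a real VPN would use IPsec ESP with a cipher such as AES.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

IPPROTO_IPIP = 4   # assumed: outer datagram's protocol field for the tunnel
IPPROTO_TCP = 6

# Site networks are from the slide text; the routers' valid Internet addresses
# are constructed placeholders (documentation ranges), not taken from the page.
R1_PUBLIC = "203.0.113.1"    # assumed valid address of R1 (tunnel entry)
R3_PUBLIC = "198.51.100.1"   # assumed valid address of R3 (tunnel exit)

# Hypothetical routing table for R1: (destination network, action, next hop).
R1_ROUTES = [
    (ipaddress.ip_network("128.10.0.0/16"), "local", None),
    (ipaddress.ip_network("128.210.0.0/16"), "tunnel", R3_PUBLIC),
]


def ip_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words, as used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the header, verify its checksum, and return the fields and payload."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: a stdlib stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || 16-byte tag."""
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a forged or corrupted tunnel payload is rejected."""
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel payload failed authentication")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def r1_forward(datagram: bytes, key: bytes) -> bytes:
    """R1's forwarding decision: tunnel to R3 when the destination is the remote site."""
    dst = ipaddress.ip_address(parse_ipv4(datagram)["dst"])
    for network, action, next_hop in R1_ROUTES:
        if dst in network:
            if action == "tunnel":
                # Encrypt the whole inner datagram, then carry it as the data
                # portion of an outer datagram addressed R1 -> R3.
                return build_ipv4(R1_PUBLIC, next_hop, IPPROTO_IPIP, seal(key, datagram))
            return datagram  # local site: forward unchanged
    raise ValueError("no route for %s" % dst)


def r3_receive(outer: bytes, key: bytes) -> bytes:
    """R3 recognises a tunnel datagram from R1, decrypts it, and returns the inner datagram."""
    hdr = parse_ipv4(outer)
    if hdr["proto"] != IPPROTO_IPIP or hdr["src"] != R1_PUBLIC:
        raise ValueError("not a tunnel datagram from R1")
    inner = unseal(key, hdr["payload"])
    parse_ipv4(inner)  # validate the inner header before forwarding toward R4
    return inner


if __name__ == "__main__":
    shared_key = os.urandom(32)  # assumed pre-shared key between R1 and R3
    inner = build_ipv4("128.10.2.5", "128.210.0.7", IPPROTO_TCP, b"payload bytes")
    outer = r1_forward(inner, shared_key)
    print("outer header:", parse_ipv4(outer)["src"], "->", parse_ipv4(outer)["dst"])
    print("inner recovered at R3:", r3_receive(outer, shared_key) == inner)
```

The outer datagram exposes only R1's and R3's addresses; the inner addresses, ports and data are inside the sealed payload, which is why an observer on an intermediate network learns nothing beyond the fact that the two sites are talking. The tag check in `unseal` is what stops a modified or replayed-from-elsewhere payload being decrypted and forwarded into the site.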
6
A VPN with Private Addresses
- A VPN offers the same addressing options as a private network
  - If Internet connectivity is not used, arbitrary IP addresses can be assigned
  - If Internet connectivity is used, a hybrid addressing scheme can be used
  - But when private addressing is used, one valid IP address is needed at each site for tunneling
    - In Figure 20.4, site 1 uses subnet 10.1.0.0/16 and site 2 uses subnet 10.2.0.0/16
    - Two valid IP addresses are required for connection to the Internet
7
A VPN with Private Addresses
- How can a site provide access to the Internet without assigning each host a valid IP address?
  - Using an application gateway: each site has a multi-homed host connected to the Internet (valid IP address) and to the private network (private IP address)
    - This host runs a set of application programs that each handle one service
    - Other hosts at the site send requests to the application gateway, which interacts with the Internet on their behalf
8
Network Address Translation (NAT)
- Requires a site to have a single connection to the Internet and at least one valid IP address, G
  - Address G is assigned to a multi-homed computer that connects to the Internet and runs NAT software, called a NAT box
    - All datagrams pass through it on the way to/from the Internet
  - NAT translates the addresses in the datagrams by
    - replacing the outgoing source address with G
    - replacing the incoming destination address with its private address
9
NAT Translation Table Creation
- How does NAT know the destination for an incoming datagram?
  - NAT maintains a translation table holding the IP address of a host on the Internet and the internal IP address of a host at the site
- How is the table initialized?
  - Manually
  - Outgoing datagrams: an entry is set when a datagram is sent
  - Incoming name lookups: an entry is set when domain names are requested
10
NAT Translation Table Creation
- Figure 20.5 shows an ISP that serves dial-up customers
  - The ISP assigns an IP address to a customer when the customer dials in
  - NAT allows the ISP to assign private addresses 10.0.0.1, then 10.0.0.2, etc.
  - When a customer sends a datagram to a destination on the Internet, NAT uses the outgoing datagram to initialize its translation table
11
Multi-Address NAT
- The NAT box can be allowed to hold multiple Internet addresses
  - Previously we only allowed a 1-to-1 address mapping
    - At most one computer at the site has access to a given machine on the Internet at any time
  - This variation is multi-address NAT
    - A NAT box has a set of K valid addresses G1, G2, … Gk
    - When the first host accesses a destination, G1 is assigned
    - If another host accesses the same destination, G2 is assigned, and so on
    - Thus, up to K internal hosts may access a destination at the same time
12
Port-Mapped NAT
- This variation of NAT translates TCP or UDP port numbers as well as addresses (NAPT)
  - The table contains the source and destination IP addresses and the source and destination protocol ports
  - The table also indicates a port number used by the NAT box, as shown in Figure 20.6
13
Interaction Between NAT and ICMP
- NAT must handle ICMP
- Example
  - When ping is used, ICMP sends an echo request and an echo reply
  - NAT does not forward all ICMP messages from the Internet
    - NAT determines whether the message is to be handled locally or sent to an internal host
    - Before forwarding, NAT translates the ICMP message
  - ICMP's destination unreachable is an example
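An added simulation, written for this page and not taken from the slides or the textbook, of the NAT variants described above: address-only NAT with K valid addresses (multi-address NAT, K = 1 being the basic case), port-mapped NAT whose table is initialised from outgoing datagrams or manually, and the translation of an inbound ICMP destination unreachable. Datagrams are modelled as dicts of header fields rather than bytes; every address, port and host is constructed for the example, with the NAT box's public addresses taken from documentation ranges.

```python
"""NAT variants from the slides, simulated on datagrams modelled as dicts of
header fields. All addresses, ports and hosts are constructed for the example."""

TCP, UDP, ICMP = 6, 17, 1
ICMP_DEST_UNREACHABLE = 3


class MultiAddressNat:
    """Address-only NAT holding K valid addresses G1..Gk (K = 1 is plain NAT).
    The table maps (Gi, Internet host) -> internal host, so at most K internal
    hosts can reach the same Internet host at one time."""

    def __init__(self, public_addrs):
        self.public_addrs = list(public_addrs)
        self.table = {}  # (Gi, Internet host) -> private address

    def outbound(self, pkt):
        for g in self.public_addrs:  # first Gi that is free (or already ours) for this destination
            owner = self.table.get((g, pkt["dst"]))
            if owner is None or owner == pkt["src"]:
                self.table[(g, pkt["dst"])] = pkt["src"]
                return {**pkt, "src": g}
        return None  # all K addresses busy for this destination: cannot translate

    def inbound(self, pkt):
        priv = self.table.get((pkt["dst"], pkt["src"]))
        return None if priv is None else {**pkt, "dst": priv}


class Napt:
    """Port-mapped NAT: one valid address G; entries are keyed on the source and
    destination addresses and ports plus the port the NAT box substitutes."""

    def __init__(self, public_addr, first_port=40000):
        self.public = public_addr
        self.next_port = first_port
        self.forward = {}  # (src, sport, dst, dport, proto) -> NAT port
        self.back = {}     # (NAT port, dst, dport, proto) -> (src, sport)
        self.static = {}   # (NAT port, proto) -> (src, sport), entered manually

    def add_static(self, priv_ip, priv_port, nat_port, proto):
        """Manual entry: exposes an internal server on G:nat_port to any sender."""
        self.static[(nat_port, proto)] = (priv_ip, priv_port)

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        port = self.forward.get(key)
        if port is None:  # first datagram of a flow initialises the table entry
            port, self.next_port = self.next_port, self.next_port + 1
            self.forward[key] = port
            self.back[(port, pkt["dst"], pkt["dport"], pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public, "sport": port}

    def inbound(self, pkt):
        if pkt["proto"] == ICMP:
            return self._inbound_icmp(pkt)
        entry = (self.back.get((pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]))
                 or self.static.get((pkt["dport"], pkt["proto"])))
        if entry is None:
            return None  # no table entry: unsolicited datagram, dropped
        src, sport = entry
        return {**pkt, "dst": src, "dport": sport}

    def _inbound_icmp(self, pkt):
        """Only destination unreachable is modelled. It quotes the header of the
        datagram that triggered it, and that quoted header carries G and the NAT
        port, so both the outer destination and the quoted header are mapped back."""
        if pkt.get("icmp_type") != ICMP_DEST_UNREACHABLE:
            return None  # other ICMP (e.g. echo) is handled locally in this model
        q = pkt["quoted"]
        entry = self.back.get((q["sport"], q["dst"], q["dport"], q["proto"]))
        if entry is None:
            return None
        src, sport = entry
        return {**pkt, "dst": src, "quoted": {**q, "src": src, "sport": sport}}


if __name__ == "__main__":
    nat = Napt("203.0.113.9")
    a = {"src": "10.0.0.1", "sport": 5000, "dst": "198.51.100.80", "dport": 80, "proto": TCP}
    b = {"src": "10.0.0.2", "sport": 5000, "dst": "198.51.100.80", "dport": 80, "proto": TCP}
    print(nat.outbound(a))  # same private port on two hosts, distinct NAT ports
    print(nat.outbound(b))
    reply = {"src": "198.51.100.80", "sport": 80, "dst": "203.0.113.9", "dport": 40001, "proto": TCP}
    print(nat.inbound(reply))  # delivered to 10.0.0.2:5000
```

Two points the model makes visible: port mapping is what lets two internal hosts that happen to use the same source port reach the same server at once, which address-only NAT cannot do without a second valid address; and an inbound datagram that matches no entry is simply dropped, so the table doubles as a coarse filter, while a manual entry deliberately opens one internal port to everyone and should be treated as an exposed service.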
14
Interaction Between NAT and Applications
- NAT does not work with applications that send IP addresses or protocol ports as data
  - unless NAT is programmed to recognize the application (like FTP) and make changes in the data
  - most implementations of NAT only recognize a few standard services
15
Slirp and Masquerade
- Two implementations of NAT came from UNIX
  - slirp
    - A computer with a private address dials in
    - The computer starts PPP and gets access to the Internet
  - masquerade
    - Can be configured to operate like a router between two networks
16
Summary
- A VPN allows an organization to use the Internet to connect multiple sites
- It uses encryption to guarantee privacy
- A VPN can be isolated or hybrid
- To communicate between hosts in different address domains
  - application gateways act like a proxy, receiving requests from a host in one domain and relaying them to another host in a different domain
  - NAT provides access to the Internet from a host with a private address
17
For Next Time
- Read Chapter 21