Компјутерски Мрежи NAT & ICMP

Transcription

1 Компјутерски Мрежи NAT & ICMP Riste Stojanov, M.Sc., Aleksandra Bogojeska, M.Sc., Vladimir Zdraveski, B.Sc

2 Internet AS Hierarchy Inter-AS border (exterior gateway) routers Intra-AS interior (gateway) routers 2

3 Private Network Private IP network is an IP network that is not directly connected to the Internet IP addresses in a private network can be assigned arbitrarily. Not registered and not guaranteed to be globally unique Generally, private networks use addresses from the following experimental address ranges (non-routable addresses):

4 Private Addresses H1 H2 H3 H Private network Private network 1 R1 Internet R H5 4

5 NATs Network address translation = local, LAN-specific address space translated to small number of globally routable IP addresses Motivation: scarce address space cost: about $9k/year for up to 262,000 addresses prevent home broadband users from running servers at home security: prevent unsolicited inbound requests avoid renumbering if provider changes most small/mid-sized LANs inherit address space from ISP 5

6 Prevalence of NATs Claim: 50% of broadband users are behind NATs All Linksys/D-Link/Netgear home routers are NATs Measurement: for Quake III users, about 17-25% using NAT (May/June 2001) 6

7 NAT types All use net-10/8 (10.*.*.*) or /16 (172.16/12 also available) Address translation Address-and-port translation (NAPT) most common form today, still called NAT one external (global) IP address 7

8 Network Address Translation: Motivation A local network uses just one public IP address as far as outside world is concerned Each device on the local network is assigned a private IP address rest of Internet local network (e.g., home network) / All datagrams leaving local network have same single source NAT IP address: , different source port numbers 8 Datagrams with source or destination in this network have /24 address for source, destination (as usual)

9 Network Address Translation (NAT) NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network NAT is a method that enables hosts on private networks to communicate with hosts on the Internet NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair. 9

10 Network Address Translation: Advantages No need to be allocated range of addresses from ISP: - just one public IP address is used for all devices need a small number of IP addresses can change ISP without changing addresses of devices in local network can change addresses of devices in local network without notifying outside world Devices inside local net not explicitly addressable, visible by outside world (a security plus) 10

11 NAT: Network Address Translation Implementation: NAT router must: outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #)... remote clients/servers will respond using (NAT IP address, new port #) as destination addr. remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table 11

12 NAT: Network Address Translation 2: NAT router changes datagram source addr from , 3345 to , 5001, updates table 12 2 NAT translation table WAN side addr LAN side addr , , 3345 S: , 5001 D: , S: , 80 D: , : Reply arrives dest. address: , S: , 3345 D: , 80 1 S: , 80 D: , : host sends datagram to , 80 4: NAT router changes datagram dest addr from , 5001 to , 3345 Riste Stojanov, M.Sc., Aleksandra Bogojeska, M.Sc., Vladimir Zdraveski, B.Sc

13 NAT: Network Address Translation 16-bit port-number field: 60,000 simultaneous connections with a single LAN-side address! NAT is controversial: routers should process up to only layer 3 violates end-to-end argument NAT possibility must be taken into account by app designers, e.g., P2P applications address shortage should instead be solved by having more addresses --- IPv6! 13

14 IPv4 vs. IPv6 ver head. len 16-bit identifier time to live type of service protocol flgs total length fragment offset Internet checksum 32 bit source IP address 32 bit destination IP address Options (if any) data (variable length, typically a TCP or UDP segment) 14

15 Translation Modes Dynamic Translation (IP Masquerading) large number of internal users share a single external address Static Translation a block external addresses are translated to a same size block of internal addresses Load Balancing Translation a single incoming IP address is distributed across a number of internal servers Network Redundancy Translation multiple internet connections are attached to a NAT Firewall that it chooses and uses based on bandwidth, congestion and availability. 15

16 Dynamic Translation (IP Masquerading ) Also called Network Address and Port Translation (NAPT) Individual hosts inside the Firewall are identified based on each connection flowing through the firewall. Since a connection doesn t exist until an internal host requests a connection through the firewall to an external host, and most Firewalls only open ports only for the addressed host only that host can route back into the internal network IP Source routing could route back in; but, most Firewalls block incoming source routed packets NAT only prevents external hosts from making connections to internal hosts. Some protocols won t work; protocols that rely on separate connections back into the local network Theoretical max of 2 16 connections, actual is much less 16

17 IP masquerading 17

18 Static Translation Map a range of external address to the same size block of internal addresses Firewall just does a simple translation of each address Port forwarding - map a specific port to come through the Firewall rather than all ports; useful to expose a specific service on the internal network to the public network 18

19 Load Balancing A firewall that will dynamically map a request to a pool of identical clone machines often done for really busy web sites each clone must have a way to notify the Firewall of its current load so the Firewall can choose a target machine or the firewall just uses a dispatching algorithm like round robin Only works for stateless protocols (like HTTP) 19

20 Load balancing of servers 20

21 Network Redundancy Can be used to provide automatic fail-over of servers or load balancing Firewall is connected to multiple ISP with a masquerade for each ISP and chooses which ISP to use based on client load kind of like reverse load balancing a dead ISP will be treated as a fully loaded one and the client will be routed through another ISP 21

22 Problems with NAT NAT causes problems with: protocols that require a separate back-channel protocols that encrypt TCP headers embed TCP address info specifically use original IP for some security reason 22

23 Services that NAT has problems with H.323, CUSeeMe, VDO Live video teleconferencing applications Xing Requires a back channel Rshell used to execute command on remote Unix machine back channel IRC Internet Relay Chat requires a back channel PPTP Peer-to-Peer Tunneling Protocol SQLNet2 Oracle Database Networking Services FTP Must be RFC-1631 compliant to work ICMP sometimes embeds the packed address info in the ICMP message IPSec used for many VPNs IKE Internet Key Exchange Protocol ESP IP Encapsulating Security Payload 23

24 Hacking through NAT Static Translation offers no protection of internal hosts Internal Host Seduction internals go to the hacker attachments Trojan Horse virus peer-to-peer connections hacker run porn and gambling sites solution = application level proxies State Table Timeout Problem hacker could hijack a stale connection before it is timed out very low probability but smart hacker could do it Source Routing through NAT if the hacker knows an internal address they can source route a packet to that host solution is to not allow source routed packets through the firewall 24

25 Concerns about NAT Performance: Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum Modifying port number requires that NAT boxes recalculate TCP checksum Fragmentation Care must be taken that a datagram that is fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments. 25

26 Concerns about NAT End-to-end connectivity: NAT destroys universal end-to-end reachability of hosts on the Internet. A host in the public Internet often cannot initiate communication to a host in a private network. The problem is worse, when two hosts that are in two different private networks need to communicate with each other. 26

27 Concerns about NAT IP address in application data: Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary. Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table. 27

28 NAT and FTP Normal FTP operation 28

29 NAT and FTP NAT device with FTP support 29

30 NAT and FTP FTP in passive mode and NAT. 30

31 Dealing with dual NATs 31

32 ICMP Internet Control Message Protocol Handles special Internet control functions Responsibilities: Reporting unreachable destinations Reporting IP packet header problems Reporting routing problems Reporting echoes (pings) 32

33 ICMP Protocol for error detection and reporting tightly coupled with IP, unreliable ICMP messages delivered in IP packets ICMP functions: Announce network errors Announce network congestion Assist troubleshooting Announce timeouts 33

34 ICMP MSG IP header Source, Destination Address, TTL,... Message type examples: ICMP MSG Message type, Code, Checksum, Data 0 (8) echo request (reply) 3 destination unreachable 4 source quench 11 time exceeded 34 Riste Stojanov, M.Sc., Aleksandra Bogojeska, M.Sc., Vladimir Zdraveski, B.Sc.

35 35 Riste Stojanov, M.Sc., Aleksandra Bogojeska, M.Sc., Vladimir Zdraveski, B.Sc.

36 Specific uses of ICMP Echo request/reply Can be used to check if a host is alive Address mask request/reply Learn the subnet mask Destination unreachable Invalid address and/or port Source quench choke packet TTL expired Routing loops, or too far away 36

37 Ping Uses ICMP echo request/reply Source sends ICMP echo request message to the destination address Echo request packet contains sequence number and timestamp Destination replies with an ICMP echo reply message containing the data in the original echo request message Source can calculate round trip time (RTT) of packets If no echo reply comes back then the destination is unreachable 37

38 Ping (cont d) A R1 R2 R3 B Echo request Time Echo reply 38 Riste Stojanov, M.Sc., Aleksandra Bogojeska, M.Sc., Vladimir Zdraveski, B.Sc.

39 Traceroute Traceroute records the route that packets take A clever use of the TTL field When a router receives a packet, it decrements TTL If TTL=0, it sends an ICMP time exceeded message back to the sender To determine the route, progressively increase TTL Every time an ICMP time exceeded message is received, record the sender s (router s) address Repeat until the destination host is reached or an error message occurs 39

40 Traceroute (cont d) A TTL=1, Dest = B, port = invalid R1 R2 R3 Te = Time exceeded Pu = Port unreachable B Te (R1) TTL=2, Dest = B Time TTL=3, Dest = B Te (R2) Te (R3) TTL=4, Dest = B Pu (B) 40 Riste Stojanov, M.Sc., Aleksandra Bogojeska, M.Sc., Vladimir Zdraveski, B.Sc.