CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013.

Slides:



Advertisements
Similar presentations
SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
Advertisements

1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Firewalls and Network Address Translation (NAT) Chapter 7.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
FIREWALLS Chapter 11.
CSE 222a Final Project - UCSD Spring 2007 p2p DNS addressing Presented By- Anup Tapadia Alexander Loukissas Justin Wu.
Security Firewall Firewall design principle. Firewall Characteristics.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.
1 Comnet 2010 Communication Networks Recitation 7 Lookups & NAT.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
NAT: Network Address Translation local network (e.g., home network) /24 rest of Internet Datagrams.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
Wi-Fi Structures.
Computer Networks IGCSE ICT Section 4.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
(part 3).  Switches, also known as switching hubs, have become an increasingly important part of our networking today, because when working with hubs,
Networking Components Chad Benedict – LTEC
Section 461.  ARP  Ghostbusters  Grew up in Lexington, KY  Enjoy stargazing, cycling, and mushroom hunting  Met Mario once (long time ago)
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Middleboxes & Network Appliances EE122 TAs Past and Present.
A Brief Taxonomy of Firewalls
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
COMS W COMS W Lecture 8. NAT, DHCP & Firewalls.
CS 5565 Network Architecture and Protocols
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.
CS 3214 Computer Systems Godmar Back Lecture 24 Supplementary Material.
Network Components: Assignment Three
1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.
Firewall and Internet Access Mechanism that control (1)Internet access, (2)Handle the problem of screening a particular network or an organization from.
CS 540 Computer Networks II Sandy Wang
CIS 3360: Internet: Network Layer Introduction Cliff Zou Spring 2012.
Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
1 Network Layer Lecture 15 Imran Ahmed University of Management & Technology.
Private Network Addresses IP addresses in a private network can be assigned arbitrarily. – Not registered and not guaranteed to be globally unique Generally,
1 Network Address Translation (NAT) and Dynamic Host Configuration Protocol (DHCP) Relates to Lab 7. Module about private networks and NAT.
CS 5565 Network Architecture and Protocols Godmar Back Lecture 14.
Data Communications and Computer Networks Chapter 4 CS 3830 Lecture 19 Omar Meqdadi Department of Computer Science and Software Engineering University.
Also known as hardware/physi cal address Customer Computer (Client) Internet Service Provider (ISP) MAC Address Each Computer has: Given by NIC card.
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.
Defining Network Infrastructure and Network Security Lesson 8.
CS 3700 Networks and Distributed Systems
CS 4700 / CS 5700 Network Fundamentals
NAT (Network Address Translation)
Supplementary Material
NAT : Network Address Translation
Network Address Translation
Supplementary Material
Network Address Translation (NAT)
Network Address Translation
CS 4700 / CS 5700 Network Fundamentals
Computer Data Security & Privacy
CS 3700 Networks and Distributed Systems
Network Address Translation (NAT)
Introducing To Networking
* Essential Network Security Book Slides.
CS 3700 Networks and Distributed Systems
Network Address Translation (NAT)
Presentation transcript:

CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013

Middleboxes 2  Devices in the network that interact with network traffic from the IP layer and up  Common functions  NAT  Firewall and other security  Proxy  Shaping  Filtering  Caching  … Internet

 NAT  Other middleboxes Outline 3

The IPv4 Shortage 4  Problem: consumer ISPs typically only give one IP address per-household  Additional IPs cost extra  More IPs may not be available  Today’s households have more networked devices than ever  Laptops and desktops  TV, bluray players, game consoles  Tablets, smartphones, eReaders  How to get all these devices online?

Private IP Networks 5  Idea: create a range of private IPs that are separate from the rest of the network  Use the private IPs for internal routing  Use a special router to bridge the LAN and the WAN  Properties of private IPs  Not globally unique  Usually taken from non-routable IP ranges (why?)  Typical private IP ranges  –  –  –

Private Networks 6 Private Network NAT Private Network Internet

Network Address Translation (NAT) 7  NAT allows hosts on a private network to communicate with the Internet  Warning: connectivity is not seamless  Special router at the boundary of a private network  Replaces internal IPs with external IP This is “Network Address Translation”  May also replace TCP/UDP port numbers  Maintains a table of active flows  Outgoing packets initialize a table entry  Incoming packets are rewritten based on the table

Basic NAT Operation 8 Private Network Internet Source: Dest: Source: Dest: Source: Dest: Source: Dest: Private AddressPublic Address : :80

Advantages of NATs 9  Allow multiple hosts to share a single public IP  Allow migration between ISPs  Even if the public IP address changes, you don’t need to reconfigure the machines on the LAN  Load balancing  Forward traffic from a single public IP to multiple private hosts

Natural Firewall 10 Private Network Internet Source: Dest: Private AddressPublic Address Source: Dest:

Concerns About NAT 11  Performance/scalability issues  Per flow state!  Modifying IP and Port numbers means NAT must recompute IP and TCP checksums  Breaks the layered network abstraction  Breaks end-to-end Internet connectivity  *.* addresses are private  Cannot be routed to on the Internet  Problem is worse when both hosts are behind NATs  What about IPs embedded in data payloads?

Port Forwarding 12 Private Network Internet Source: :8679 Dest: : Source: :8679 Dest: :7000 Private AddressPublic Address :7000*.*.*.*:*

Hole Punching 13  Problem: How to enable connectivity through NATs? NAT NAT  Two application-level protocols for hole punching  STUN  TURN

STUN 14  Session Traversal Utilities for NAT  Use a third-party to echo your global IP address  Also used to probe for symmetric NATs/firewalls i.e. are external ports open or closed? STUN Server What is my global IP address? Please echo my IP address Your IP is

Problems With STUN 15  Only useful in certain situations  One peer is behind a symmetric NAT  Both peers are behind partial NATs  Not useful when both peers are fully behind full NATs NAT NAT

TURN 16  Traversal Using Relays around NAT NAT NAT TURN Server : :7000 Please connect to me on :7000

 NAT  Other middleboxes Outline 17

Firewall 18  A device that blocks traffic according to a set of rules  Why?  Services with vulnerabilities turned on by default  ISP policy forbidding certain traffic due to ToS  Typically specified using a 5-tuple  E.g., block outbound SMTP; block inbound SQL server reqs  GFC (Great Firewall of China)  Known to block based on IP, filter DNS requests, etc

Web caching 19  ISP installs cache near network edge that caches copies of Web pages  Why?  Performance: Content is closer to clients, TCP will perform better with lower RTTs  Cost: “free” for the ISP to serve from inside the network  Limitations  Much of today’s content is not static (why does this matter?)  Content ownership  Potential privacy issues  Long tail of content popularity

Web caching 20  ISP installs cache near network edge that caches copies of Web pages  Why?  Performance: Content is closer to clients, TCP will perform better with lower RTTs  Cost: “free” for the ISP to serve from inside the network Interne t foo.htm Not cached foo.htm

Proxying 21  Non-split connections  Like NAT, but IP address is no longer the one assigned to you  Split connections  Middlebox maintains two flows: C-M and M-S  Can be done transparently How? CSM Syn Ack SynAck

Proxying 22  Advantages  RTT is lower on each end  Can use different MTUs  Particularly useful in cell ntwks  Disadvantages  Extra delay can be bad for small flows  Buffering/state makes it potentially costly CSM Syn Ack SynAck

Shaping 23  ISPs are often charged according to 95% model  Internet usage is very “peaky”, e.g., at 5pm, or when House of Cards season 2 is released  To control costs, ISPs such as Rogers shape client traffic  Time-of day  Traffic type  Common implementations  Token Bucket (see next deck)  RSTs Throughput samples 95% Savings over peak

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.