Middleboxes & Network Appliances EE122 TAs Past and Present.

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
CSC458 Programming Assignment II: NAT Nov 7, 2014.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
CS 4700 / CS 5700 Network Fundamentals Lecture 15: NAT (You Better Forward Those Ports) Revised 3/9/2013.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CS 4700 / CS 5700 Network Fundamentals Lecture 13: Middleboxes and NAT (Duct tape for IPv4) Revised 3/9/2013.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
1 Network Address Translation (NAT) Relates to Lab 7. Module about private networks and NAT.
NAT: Network Address Translation local network (e.g., home network) /24 rest of Internet Datagrams.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
Chapter 6 Network Address Translation (NAT). Network Address Translation  Modification of source or destination IP address  Needed by networks using.
Firewalls Screen packets coming into the Privet Networks from external, Untrusted Networks (Internet) Ingress Packet Filtering  Firewall examine incoming.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Network Address Translation (NAT)
CS 5565 Network Architecture and Protocols
Middleboxes and Tunneling Mike Freedman COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101
9/11/2015Home Networking1 Bob.test Have Road Runner Unhappy about reports of constant probes of machines Policy decision –I want to prevent unauthorized.
CS 3214 Computer Systems Godmar Back Lecture 24 Supplementary Material.
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
1 NAT Network Address Translation Motivation for NAT To solve the insufficient problem of IP addresses IPv6 –All software and hardware need to be updated.
Introduction to Network Address Translation
CS 540 Computer Networks II Sandy Wang
Network Layer4-1 DHCP: Dynamic Host Configuration Protocol Goal: allow host to dynamically obtain its IP address from network server when it joins network.
CIS 3360: Internet: Network Layer Introduction Cliff Zou Spring 2012.
Network Layer4-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Private Network Addresses IP addresses in a private network can be assigned arbitrarily. – Not registered and not guaranteed to be globally unique Generally,
Module 10: How Middleboxes Impact Performance
NAT Network Address Translation. Reading CNI – pp Port Mapping LA – pp NAT.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.
CS 5565 Network Architecture and Protocols Godmar Back Lecture 14.
NAT/PAT by S K SATAPATHY
1 Network Address Translation. 2 Network Address Translation (NAT) Extension of original addressing scheme Motivated by exhaustion of IP address space.
Networking Components Quick Guide. Hubs Device that splits a network connection into multiple computers Data is transmitted to all devices attached Computers.
K. Salah1 Security Protocols in the Internet IPSec.
© 2001, Cisco Systems, Inc. CSPFA 2.0—5-1 Chapter 5 Cisco PIX Firewall Translations.
Kittiphan Techakittiroj (25/06/59 19:10 น. 25/06/59 19:10 น. 25/06/59 19:10 น.) Network Address Translation Kittiphan Techakittiroj
HIP-Based NAT Traversal in P2P-Environments
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Firewalls Definition: Device that interconnects two or more networks and manages the network traffic between those interfaces. Maybe used to: Protect a.
CS 3700 Networks and Distributed Systems
CS 4700 / CS 5700 Network Fundamentals
CSC458 Programming Assignment II: NAT
Supplementary Material
NAT : Network Address Translation
Network Address Translation
Supplementary Material
Network Address Translation (NAT)
Middleboxes Jennifer Rexford COS 461: Computer Networks
CONNECTING TO THE INTERNET
Network Address Translation
CS 4700 / CS 5700 Network Fundamentals
CS 3700 Networks and Distributed Systems
Network Address Translation (NAT)
Introducing To Networking
NET323 D: Network Protocols
New Solutions For Scaling The Internet Address Space
I. Basic Network Concepts
CS 3700 Networks and Distributed Systems
NET323 D: Network Protocols
Firewalls Routers, Switches, Hubs VPNs
DHCP and NAT.
CS4470 Computer Networking Protocols
Chapter 11: Network Address Translation for IPv4
Request for Comments(RFC) 3489
Network Address Translation (NAT)
DHCP: Dynamic Host Configuration Protocol
Presentation transcript:

Middleboxes & Network Appliances EE122 TAs Past and Present

What is a middlebox? “A middlebox is defined as any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and destination host.” [RFC 3234]

Is it on the data path? No Why are you even asking this. Yes Is it a router or a switch? Yes No It’s a Middlebox It’s a router or a switch (duh).

You are building one of these in Project 3! - Blocks traffic determined to be malicious. -Often based on an “Access Control List” of filters for what is acceptable/unacceptable. -Example: DROP src.port != 80 Example: Firewalls

Intermediates connections between multiple clients and external web servers. -Key benefit: Caching -One user accesses New York Times in the morning, after which 100 more access it as well. With a proxy, pay for 1/100 the bandwidth. Example: Proxy

Example: Network Address Translator Allows multiple clients using private IP addresses to share a public IP address. -Invented to solve IPv4 Address Exhaustion -Your home network almost certainly uses a NAT.

Example: Network Address Translator Private IP Address Ranges: /8, /12, /16 Not publicly routable – reserved for use within a private network only.

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal Mr. NAT:

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal Mr. NAT: Dst: p80 From: p 5678 Dst: p80 From: p 5678

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , Mr. NAT: Dst: p80 From: p 5678 Dst: p80 From: p 5678

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , Mr. NAT: Dst: p80 From: p 5678 Dst: p80 From: p 5678

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , Mr. NAT: Dst: p80 From: p 5678 Dst: p80 From: p 5678 Dst: p 5678 From: p80 Dst: p 5678 From: p80

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , Mr. NAT: Dst: p 5678 From: p80 Dst: p 5678 From: p80

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , Mr. NAT: Dst: p 5678 From: p80 Dst: p 5678 From: p80

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , Mr. NAT: Dst: p80 Src: p 5678 Dst: p80 Src: p 5678

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , , Mr. NAT: Dst: p80 Src: p 5678 Dst: p80 Src: p 5678

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , , Mr. NAT: Dst: p80 Src: P 9943 Dst: p80 Src: P 9943

Example: Network Address Translator Mr. NAT Mr. Scott: Mr. Panda: Ms. Mittal: InternalExternal , , Mr. NAT: Dst: p80 Src: P 9943 Dst: p80 Src: P 9943

Problems & Answers

(1) (a) L7 (b) L3 (Block this IP address), L4 (Block this port), L7 (Block this DNS address) (c) L3 and L4 (IP addresses and Ports)

(2) There is no correct answer! People have argued about this for years. Pro: -Some are performance optimizations -Many cannot be implemented at app layer Con: -Unexpected impact at application layer -Often implement redundant behaviors

(2) There is no correct answer! People have argued about this for years. Pro: -Some are performance optimizations -Many cannot be implemented at app layer Con: -Unexpected impact at application layer -Often implement redundant behaviors

(3) (a) dest addr/port rewritten, checksum recalc'd, delivered to :4113 (Mr. Scott) (b) src addr/port rewritten, checksum recalc'd, delivered to (some Internet person)

(4) There are only unique TCP port numbers. If Mr. Scott has TCP connections open, Ms. Mittal will not be able to open another, and her connection will either reset or time out because the NAT has run out of port numbers to allocate.

(5) Mr. Panda’s server is behind a NAT. Because NATs only establish mappings for outgoing connections, Mr. Pandas incoming requests are dropped at the NAT. Mr. Panda could set up his server to send out fake “SYN” packets on port 252. This technique is called “hole-punching.”

(6) (a) 100 MB / 5min is 2.7 Mbps (b) 1% of that -> 27Kbps

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.