Chapter 4, slide: 1 Chapter 4: Network Layer r Introduction r IP: Internet Protocol IPv4 addressing NAT IPv6 r Routing algorithms Link state Distance Vector r Routing in the Internet RIP OSPF BGP
Sharing an IP address r Home networks, other small LANs r Expensive to have unique IP address for each host r Want to share internet access through just one IP address r Want to maintain security/privacy r Install router … but how does it work? Chapter 4, slide: 2
Network Address Translation r NAT is an extension of the original IP addressing scheme r Motivated by exhaustion of IP address space r Allows multiple computers at one site to share a single global IP address r Requires a device to perform packet translation r In-line configuration All traffic entering or leaving the network must go through the NAT device Should be transparent to all users Virtual private connection Chapter 4, slide: 3
NAT: Network Address Translation r local network uses just one IP address as far as outside world is concerned (external address) r range of addresses not needed from ISP: just one IP address for all devices r can change addresses of devices in local network without notifying outside world r can change ISP / external address without changing addresses of devices in local network r devices inside local net not explicitly addressable by outside world (a security plus). Chapter 4, slide: 4
NAT: Network Address Translation local network (e.g., home network) /24 rest of Internet Datagrams with source or destination in this network have /24 address for source, destination (as usual) All datagrams leaving local network have same single source NAT IP address: , different source port numbers Chapter 4, slide: 5
Implementation r To send datagram out to the internet from a computer in the private network: Computer constructs datagram with source address and destination address, sends to NAT box NAT box translates the source address in the datagram to the site's IP address NAT keeps source and destination addresses in its translation table Note: checksum must be recalculated and datagram must be reconstructed Chapter 4, slide: 6
Implementation r To forward an incoming datagram from the internet to a computer in the private network: Datagrams arrive addressed to the site's IP address NAT finds source and destination addresses in its translation table NAT changes the destination address in the datagram to the internal address for the target computer NAT reconstructs the datagram (with new checksum, etc.) and forwards it to the computer in the private network Chapter 4, slide: 7
Implementation r Software solutions Standard PC with NAT software, e.g.: –Linux masquerade –Windows RRAS (Routing and Remote Access Server) extra NIC required OK for slower speed networks (e.g., 10 Mbps) NAT box must translate addresses in time for the usual network functions to work detecting congestion, etc. r Hardware solutions Special-purpose hardware for high-speed networks (e.g., gigabit Ethernet) r Hybrid solutions Routers can incorporate software for NAT Used in medium-speed networks (e.g., 100 Mbps) Chapter 4, slide: 8
Virtual connection r The effect of NAT is to form a virtual private connection between a computer in a private network and a remote host (internet site). r Of course, the connection may be to a computer in a separate private network (through another NAT box) r Internal communications do not use the NAT box Chapter 4, slide: 9
Problems with basic NAT r If two computers inside the private network both want to communicate with the same external site, the basic translation table is not sufficient r If one computer inside the private network is running applications with two remote hosts, the basic translation table is not sufficient r If a remote site wants to make the first contact with a computer inside the private network, there will be no translation table entry. Chapter 4, slide: 10
NAPT r Network Address and Port Translation Most popular implementation of NAT Usually just called NAT Keeps track of local addresses and IP addresses Also can keep track of (and change) TCP and UDP protocol port numbers Allows multiple computers in the private network to communicate with a single destination multiple applications on a single computer in the private network to communicate with multiple destinations Chapter 4, slide: 11
Example NAPT table r Entry in table records protocol port number as well as IP address r Port numbers are re-assigned to avoid conflicts r Note: this requires the NAT box (router) to have some transport-layer functionality DirectionInitial valueTranslatedUnchanged out IP SRC:TCP SRC :30000 IP SRC:TCP SRC :40001 IP DST:TCP DST :80 out IP SRC:TCP SRC :30000 IP SRC:TCP SRC :40002 IP DST:TCP DST :80 in IP DST:TCP DST :40001 IP DST:TCP DST :30000 IP SRC:TCP SRC :80 in IP DST:TCP DST :40002 IP DST:TCP DST :30000 IP SRC:TCP SRC :80 Chapter 4, slide: 12
NAT table r For an out-going datagram: Source address is changed to the site address. Source port number is re-assigned and recorded Checksum is recalculated Datagram is reconstructed Destination address / port number are not changed Translation table records Internal source address / original port number Destination address / re-assigned source port number Chapter 4, slide: 13
NAT table r For an in-coming datagram: Destination address is changed to the internal address recorded in the translation table. Destination port number is changed to the port number recorded in the translation table. Checksum is recalculated Datagram is reconstructed Source address / port number are not changed Chapter 4, slide: 14
NAT: Network Address Translation S: , 3345 D: , : host sends datagram to , 80 NAT translation table WAN side addr LAN side addr , , 3345 …… S: , 80 D: , S: , 5001 D: , : NAT router changes datagram source addr from , 3345 to , 5001, updates table S: , 80 D: , : Reply arrives dest. address: , : NAT router changes datagram dest addr from , 5001 to , 3345 Chapter 4, slide: 15
First contact r When initial contact is attempted from outside the site, there is no translation table entry E.G., a private network might be running multiple servers through a NAT system Chapter 4, slide: 16
NAT traversal problem r client wants to connect to server with address server address local to LAN (client can’t use it as destination addr) only one externally visible NAT’ed address: NAT router Client ? Chapter 4, slide: 17
NAT traversal problem Solution 1: statically configure NAT to forward incoming connection requests at given port to server e.g., ( , port 2500) always forwarded to port NAT router Client ? Chapter 4, slide: 18
NAT traversal problem Solution 2: Universal PnP Internet Gateway Device (IGD) Protocol. Allows NAT’ed host to: r map (private IP, private port #) with (public IP, public port #) r advertise (public IP, public port #) So DNS can work r add/remove port mappings NAT router IGD Chapter 4, slide: 19
Summary: Network Address Translation r 16-bit port-number field: ~65,000 simultaneous connections with a single LAN-side address! r NAT is controversial. Objections include: routers should only process up to layer 3 address shortage should instead be solved by IPv6 Chapter 4, slide: 20
Chapter 4, slide: 21 Chapter 4: Network Layer r Introduction r Virtual circuit and datagram networks r IP: Internet Protocol IPv4 addressing NAT IPv6 r Routing algorithms Link state Distance Vector r Routing in the Internet RIP OSPF BGP
Chapter 4, slide: 22 IPv6 r Initial motivation: 32-bit address space soon to be completely allocated. r Additional motivation: header changes to facilitate QoS r Major changes from IPv4: Fragmentation: no longer allowed; drop packet if too big Checksum: removed to reduce processing time; already done at transport and link layers Options: allowed, but outside of header, indicated by “Next Header” field
New features of IPv6 r Support for audio and video “flow labels” and “quality of service” allow audio and video applications to establish appropriate connections r Extensible new features can be added more easily Chapter 4, slide: 23
IPv6 datagram format Chapter 4, slide: 24
IPv6 base header format Chapter 4, slide: 25
IPv6 base header r Contains less information than IPv4 header VERSION (4 bits) TRAFFIC CLASS (8 bits) specifies the traffic class (used to choose a route) FLOW LABEL (20 bits) used to associate datagrams belonging to a flow or communication between two applications PAYLOAD LENGTH (16 bits) indicates the length of data (i.e. payload) excluding header NEXT HEADER (8 bits) points to first extension header HOP LIMIT (8 bits)(old TTL) specifies the maximum number of hops a packet can travel through before being discarded SOURCE ADDRESS (128 bits) DESTINATION ADDRESS (128 bits) Chapter 4, slide: 26
NEXT header Chapter 4, slide: 27
Parsing IPv6 headers r Base header is fixed size - 40 octets r NEXT HEADER field in base header defines type of next header Next header appears at end of fixed-size base header r Some extensions headers are variable sized NEXT HEADER field in extension header defines type HEADER LEN field gives size of extension header Chapter 4, slide: 28
Multiple headers r Efficiency header only as large as necessary r Flexibility can add new headers for new features r Incremental development can add processing for new features Chapter 4, slide: 29
Fragmentation and Path MTU r Fragmentation information is in fragmentation extension header r IPv6 source (not intermediate routers) is responsible for fragmentation Source must find path MTU r Routers simply drop datagrams larger than path MTU No more fragmenting by routers ICMP message sent to source r Must be dynamic - path may change during transmission of datagrams r Source determines path MTU Uses path MTU discovery Source sends probe message of various sizes Gets ICMP messages until destination reached Constructs datagrams to fit within that MTU Chapter 4, slide: 30
IPv6 addressing r 128-bit addresses r Includes network prefix and host suffix r No address classes prefix/suffix boundary can fall anywhere Longest matching prefix Chapter 4, slide: 31
Address notation in IPv6 r 128-bit addresses unwieldy in dotted decimal requires 16 numbers example: r IPv6 uses groups of 16-bit numbers in hex separated by colons colon hexadecimal (colon hex) example: 69DC:8864:FFFF:FFFF:0:1280:8C0A:FFFF r Add /bits to specify netmask example: 69DC:8864:FFFF:FFFF:0:1280:8C0A:FFFF/64 Chapter 4, slide: 32
Address shorthand in IPv6 r Zero-compression series of zeroes indicated by two colons example: FF0C:0:0:0:0:0:0:B1 becomes FF0C::B1 r An IPv6 address with 96 leading zeros is interpreted to hold an IPv4 address Chapter 4, slide: 33
Chapter 4, slide: 34 Transition From IPv4 To IPv6 r Can all routers be upgraded simultaneously ?? Answer: it can’t; no “flag days” Analogy: (IP for Internet) ~ (foundation for House) To change the foundation, you need to tear down the house!! r Solution gradually incorporate IPv6 (may take few years) How will the network operate with mixed IPv4 and IPv6 routers? Tunneling??
Chapter 4, slide: 35 Tunneling A B E F IPv6 tunnel Logical view: Physical view: A B E F IPv6 IPv4 What is the problem here? D C Why can’t B just send an IPv4 packet to C ? Flow: X Src: A Dest: F data A-to-B: IPv6 Problem: D won’t be able to send an IPv6 packet to E? Why? Be aware that: IPv6 nodes have both IPv4 & IPv6 addresses Nodes know which nodes are IPv4 and which one are IPv6 (use for e.g. DNS)
Chapter 4, slide: 36 Tunneling A B E F IPv6 tunnel Logical view: Physical view: A B E F IPv6 C D IPv4 Flow: X Src: A Dest: F data A-to-B: IPv6 Flow: X Src: A Dest: F data E-to-F: IPv6 Flow: X Src: A Dest: F data Src:B Dest: E B-to-C: IPv6 inside IPv4 Flow: X Src: A Dest: F data Src:B Dest: E B-to-C: IPv6 inside IPv4 Be aware that: IPv6 nodes have both IPv4 & IPv6 addresses Nodes know which nodes are IPv4 and which one are IPv6 (use for e.g. DNS)