CIT 384: Network Administration
Slide #1: NAT

Slide #2: Topics
1. IP Address Exhaustion
2. Solutions: CIDR, Reclamation, NAT, IPv6
3. Static NAT
4. Dynamic NAT
5. PAT
6. DHCP

Slide #3: Address Classes
Class A: 8-bit net ID, 24-bit host ID; 2^24 – 2 hosts per network; 126 networks
Class B: 16-bit net ID, 16-bit host ID; 2^16 – 2 hosts per network; 16,384 networks
Class C: 24-bit net ID, 8-bit host ID; (2^8 – 2) = 254 hosts per network; 2,097,152 networks
Class D: 28-bit multicast group ID
Class E: Reserved for future use

Slide #4: Public IP Addresses
ICANN assigns network numbers.
  – Internet Corporation for Assigned Names and Numbers.
  – ICANN delegates authority to regional organizations, e.g. ARIN (American Registry for Internet Numbers).
  – Blocks typically go to ISPs, universities, and corporations.
The ISP assigns IP addresses within its network.

Slide #5: IPv4 Address Exhaustion
Classful addressing is wasteful
  – <1% of most class As are in use.
  – Most class Bs aren't fully used either.
  – At that rate, all IP addresses were going to be used up by the 1990s.
Solutions
  – CIDR
  – NAT
  – IPv6

Slide #6: CIDR
Classless Inter-Domain Routing
  – Classful routing wastes most IP addresses.
  – Allocate addresses on bit boundaries instead of byte boundaries.
  – Let ISPs/users decide on the boundaries instead of deriving them from the address class.
Prefix notation
  – /x indicates that the first x bits are shared (the network part).
  – /16 = –

Slide #7: IPv4 Address Conservation
Reclaim unused addresses
  – Some address blocks are owned by companies that are out of business.
Reclaim underused blocks
  – Take class As away from their current owners and subdivide them with CIDR.
  – Requires owners to renumber all of their machines.
Start using class E addresses
  – The Windows TCP/IP stack can't use class E addresses.

Slide #8: NAT
Network Address Translation
  – Use RFC 1918 private addresses internally.
  – Use public IP addresses externally.
  – Use a router to translate between internal and external IP addresses.

Private IP Networks                 | Network Class | Count of Networks
10.0.0.0 through 10.255.255.255     | A             | 1
172.16.0.0 through 172.31.255.255   | B             | 16
192.168.0.0 through 192.168.255.255 | C             | 256
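The classful host counts, CIDR prefix arithmetic and the RFC 1918 check from slides 3, 6 and 8, worked in code. This is an added example, not part of the CIT 384 deck; it uses Python's standard ipaddress module and all sample addresses are constructed.

```python
# Added example for these slides (not part of the CIT 384 deck): classful
# address arithmetic, CIDR prefix arithmetic, and the RFC 1918 private-range
# check, built on Python's standard ipaddress module. All sample addresses
# below are constructed for the demonstration.
import ipaddress

# RFC 1918 private blocks: one class A, sixteen class B, 256 class C networks.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Network-prefix length implied by each classful address class.
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Classful class of an IPv4 address, decided by its leading bits."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return "A"      # 0xxxxxxx
    if first_octet < 192:
        return "B"      # 10xxxxxx
    if first_octet < 224:
        return "C"      # 110xxxxx
    if first_octet < 240:
        return "D"      # 1110xxxx multicast
    return "E"          # 1111xxxx reserved


def classful_hosts(cls: str) -> int:
    """Usable hosts per network for classes A-C: 2^host_bits minus network and broadcast."""
    host_bits = 32 - CLASSFUL_PREFIX[cls]
    return 2 ** host_bits - 2


def cidr_info(prefix: str) -> dict:
    """Network address, broadcast address and usable host count for a /x prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    # /31 and /32 have no separate network/broadcast addresses to subtract.
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
    }


def classful_waste(prefix: str) -> int:
    """Addresses a classful grant would burn beyond what the CIDR prefix actually needs.

    Returns 0 when the prefix is at or above its classful boundary (nothing to measure).
    """
    net = ipaddress.ip_network(prefix, strict=False)
    cls = address_class(str(net.network_address))
    classful_len = CLASSFUL_PREFIX.get(cls)
    if classful_len is None or classful_len > net.prefixlen:
        return 0
    return 2 ** (32 - classful_len) - net.num_addresses


def is_rfc1918(addr: str) -> bool:
    """True if the address falls in one of the three RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


if __name__ == "__main__":
    for a in ("10.5.6.7", "172.20.1.1", "172.32.0.1", "192.168.1.10", "203.0.113.9"):
        print(f"{a:14} class {address_class(a)}  rfc1918={is_rfc1918(a)}")
    print(cidr_info("192.168.1.0/24"))
    # A site needing ~60,000 hosts gets a /16 under CIDR; a classful grant of the
    # whole class A block would hand it 2^24 addresses and waste the rest.
    print("classful waste for 10.20.0.0/16:", classful_waste("10.20.0.0/16"))
    print("class B usable hosts:", classful_hosts("B"))
```

Note that 172.32.0.1 is class B by its leading bits but outside the RFC 1918 172.16/12 block, which is the kind of off-by-one that a hand-written "private address" filter gets wrong; checking membership in the actual prefixes avoids it.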

Slide #9: IPv4 vs IPv6 Addresses
Feature             | IPv4              | IPv6
Size of Address     | 32 bits           | 128 bits
Example Address     |                   | 0000:0000:0000:0000:FFFF:FFFF:0A01:0101
Abbreviated Address | -                 | ::FFFF:FFFF:0A01:0101
Localhost           | 127.0.0.1         | ::1/128
Possible Addresses  | 2^32 (~4 billion) | 2^128 (~3.4 x 10^38)

Slide #10: NAT Concepts
Uses a public IP address to represent a private IP address.
  – Translates the source IP in outgoing packets.
  – Translates the destination IP in incoming packets.
  – The router keeps a table of translations.

Slide #11: Static NAT

Slide #12: Static NAT
Maps one internal IP to one external IP
  – Needs one public IP for each private IP.
  – Does not reduce the number of IPv4 addresses needed.
Applications
  – Useful if internal addresses overlap another organization's IP addresses.

Slide #13: Cisco NAT Terminology
inside local: IP addresses used on the internal network.
inside global: public IP addresses used to represent inside local addresses on the outside network.

Slide #14: Cisco NAT Terminology
Inside local: Actual IP address assigned to a host in the private enterprise network.
Inside global: A NAT router changes the source IP from inside local to inside global. Inside global addresses can be used for routing on the public network.
Outside global: Actual IP address assigned to a host that resides in the outside network.
Outside local: NAT can also translate outside global addresses to outside local addresses.

Slide #15: Dynamic NAT
Creates a one-to-one address mapping
  – The mapping is made dynamically, on an as-needed basis.
  – Mappings expire when not in use.
  – Allows many internal hosts to share a small pool of n external addresses, as long as no more than n internal hosts need to access the Internet at once.
Applications
  – IP address conservation.
  – Useful if internal addresses overlap another organization's IP addresses and external addresses are limited.

Slide #16: Dynamic NAT

Slide #17: Dynamic NAT
1. Host sends its first packet to the outside destination.
2. Router adds a NAT table entry.
   1. Router checks whether NAT is needed. Since the packet is going from inside local to inside global, NAT is needed.
   2. Router adds an entry for the inside local address.
3. NAT router allocates an IP from the pool.
   1. Picks the first available address.
   2. Adds this inside global address to the table entry.
4. NAT router translates the source IP and forwards the packet.

Slide #18: Port Address Translation
Dynamic NAT saves some IP addresses
  – If 10% of machines use the Internet at once, you can use a 10:1 ratio of internal to external IP addresses.
  – Dynamic NAT will deny access if there are too few external IPs.
  – What if we could improve that by a factor of 2^16?
Rewrite source ports as well as source IPs.
  – The source port is a random high port for outgoing packets.
  – Use a different source port for each connection to the outside.
  – The NAT table contains connections, not just IPs.

Slide #19: Normal Port Usage

Slide #20: PAT NAT Table
  – Maps inside local IP address + port to outside local IP address + port
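The three translation tables from slides 12 through 20 (static one-to-one, dynamic from a pool, and PAT keyed on address plus port) as an in-memory model. This is an added example, not code from the CIT 384 deck; packets are plain dicts, every address is a constructed sample, and nothing touches a real socket. It shows the failure mode the PAT slide mentions (dynamic NAT denying the third host when the pool holds two addresses) and why PAT's reverse lookup must be keyed on the public port.

```python
# Added example for the static/dynamic NAT and PAT slides (not part of the
# CIT 384 deck): a toy translator that keeps the three kinds of NAT table in
# memory. Packets are plain dicts and every address is a constructed sample.
# It does not touch real sockets; it only shows what the router's table holds.


class StaticNat:
    """One fixed inside-local -> inside-global mapping per host (slide 12)."""

    def __init__(self, mapping):
        self.out = dict(mapping)                              # inside local -> inside global
        self.back = {glob: loc for loc, glob in mapping.items()}  # inside global -> inside local

    def translate_out(self, pkt):
        glob = self.out.get(pkt["src"])
        return None if glob is None else {**pkt, "src": glob}

    def translate_in(self, pkt):
        loc = self.back.get(pkt["dst"])
        return None if loc is None else {**pkt, "dst": loc}


class DynamicNat:
    """One-to-one mappings handed out from a pool on first use (slides 15-17).

    When the pool is empty the packet is denied, the failure mode slide 18 calls out.
    """

    def __init__(self, pool):
        self.free = list(pool)     # inside global addresses not yet allocated
        self.table = {}            # inside local -> inside global

    def translate_out(self, pkt):
        src = pkt["src"]
        if src not in self.table:
            if not self.free:
                return None        # pool exhausted: access denied
            self.table[src] = self.free.pop(0)   # first available address
        return {**pkt, "src": self.table[src]}

    def expire(self, inside_local):
        """Mapping timed out: return the global address to the pool."""
        glob = self.table.pop(inside_local, None)
        if glob is not None:
            self.free.append(glob)


class Pat:
    """Port Address Translation (slides 18-20): one public IP, many hosts.

    The table is keyed by (inside local IP, source port) and allocates a distinct
    public-side port per connection, so two hosts that happen to pick the same
    source port do not collide.
    """

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out = {}    # (inside local IP, port) -> public port
        self.back = {}   # public port -> (inside local IP, port)

    def _alloc_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port range exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_out(self, pkt):
        key = (pkt["src"], pkt["sport"])
        if key not in self.out:
            port = self._alloc_port()
            self.out[key] = port
            self.back[port] = key
        return {**pkt, "src": self.public_ip, "sport": self.out[key]}

    def translate_in(self, pkt):
        """Reverse lookup for a reply; unsolicited inbound traffic has no entry and is dropped."""
        key = self.back.get(pkt["dport"])
        if key is None or pkt["dst"] != self.public_ip:
            return None
        return {**pkt, "dst": key[0], "dport": key[1]}


def demo():
    """Three hosts against a two-address dynamic pool, then PAT on a single public IP."""
    hosts = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]          # constructed inside locals
    dyn = DynamicNat(["203.0.113.1", "203.0.113.2"])          # constructed pool
    dyn_results = [dyn.translate_out({"src": h, "sport": 40000, "dst": "198.51.100.80", "dport": 80})
                   for h in hosts]
    pat = Pat("203.0.113.1")
    pat_results = [pat.translate_out({"src": h, "sport": 40000, "dst": "198.51.100.80", "dport": 80})
                   for h in hosts]
    reply = {"src": "198.51.100.80", "sport": 80, "dst": "203.0.113.1", "dport": pat_results[2]["sport"]}
    return dyn_results, pat_results, pat.translate_in(reply)


if __name__ == "__main__":
    d, p, r = demo()
    print("dynamic NAT:", [None if x is None else x["src"] for x in d])
    print("PAT:", [(x["src"], x["sport"]) for x in p])
    print("reply delivered to:", (r["dst"], r["dport"]))
```

All three hosts use source port 40000, which is exactly the collision PAT's per-connection port allocation exists to resolve; the reply addressed to the third allocated public port is handed back to 10.0.0.13:40000 and an inbound packet with no table entry is dropped.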

Slide #21: Bidirectional NAT

Slide #22: Bidirectional NAT Applications
Translating overlapping IP ranges
  – Useful during mergers or after bad numbering.
Load balancing
  – Translate a single server IP address to the address of one of many identical servers.
Failover
  – If a server is down, add a NAT entry to redirect to the replacement server.
Transparent proxying
  – Redirect HTTP connections for caching or security reasons without configuring a proxy in the browser.

Slide #23: NAT Complications
Checksum recalculation
  – Changing the address field invalidates the CRC.
  – The router recalculates the IP and higher-layer checksums.
  – Fragments must be reassembled too.
Layer mixing
  – Some apps (e.g. FTP) send network-layer data in application-layer packets (port + IP for FTP).
  – NAT must inspect the packets to get this information, then translate the application-layer data too.
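The checksum point worked through in code, as an added example that is not part of the CIT 384 deck: build a minimal IPv4/TCP packet, rewrite its source address the way a NAT router does, and verify that both the IP header checksum and the TCP checksum (whose pseudo-header covers the IP addresses) have to be recomputed. Addresses and payload are constructed samples; only the standard struct and socket modules are used.

```python
# Added example for the "checksum recalculation" point (not part of the CIT 384
# deck): build a minimal IPv4/TCP packet, rewrite its source address the way a
# NAT router does, and show that both the IP header checksum and the TCP
# checksum (whose pseudo-header covers the IP addresses) must be recomputed.
# Addresses and payload are constructed samples.
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """20-byte IPv4 header + 20-byte TCP header + payload, both checksums filled in."""
    segment_len = 20 + len(payload)
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=TCP, checksum, src, dst
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + segment_len, 1, 0, 64, 6, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    # sport, dport, seq, ack, data offset 5 words + PSH/ACK, window, checksum, urgent
    tcp = bytearray(struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x18, 65535, 0, 0))
    tcp += payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip) + bytes(tcp)


def verify(packet: bytes):
    """(ip_ok, tcp_ok): with a valid checksum field in place the whole sum folds to zero."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0, checksum(pseudo + tcp) == 0


def naive_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a translator would do if it only patched the address bytes (wrong)."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """Rewrite the source address and recompute both checksums, as a NAT router must."""
    ip, tcp = bytearray(packet[:20]), bytearray(packet[20:])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"                       # zero the field before summing
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:16]) + bytes(ip[16:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip) + bytes(tcp)


def source_ip(packet: bytes) -> str:
    return socket.inet_ntoa(packet[12:16])


if __name__ == "__main__":
    pkt = build_packet("192.168.1.10", "203.0.113.5", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    bad = naive_rewrite_source(pkt, "198.51.100.1")
    good = nat_rewrite_source(pkt, "198.51.100.1")
    print("original     ", source_ip(pkt), verify(pkt))
    print("naive rewrite", source_ip(bad), verify(bad))
    print("NAT rewrite  ", source_ip(good), verify(good))
```

The TCP checksum is the one people forget: the IP header checksum only covers the header, but TCP and UDP fold the source and destination addresses into a pseudo-header, so a translator that only fixes the IP checksum still emits segments every receiving stack will discard. The same reasoning is why the slide says fragments must be reassembled first, since only the first fragment carries the transport header.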

Slide #24: NAT Problems
NAT breaks some applications
  – Adds complexity to the router to fix important apps.
  – Other apps may remain broken.
NAT reduces performance
  – Especially due to the features for special apps.
Breaks the end-to-end nature of the Internet
  – All hosts do not have equal access.
  – Limits the ability to run servers and certain apps.

Slide #25: DHCP
Dynamic Host Configuration Protocol
  – Standard introduced in 1993 with an RFC.
  – Replaced RARP and BOOTP.
Configures network parameters for clients.
  – IP address.
  – Default route.
  – Server addresses (DNS, NIS, TFTP, etc.)
  – MTU, TTL, etc.

Slide #26: DHCP Conversation
1. Client sends a broadcast to discover DHCP servers.
2. DHCP server broadcasts an offer.
3. DHCP client broadcasts a request telling the server which IP address it wants.
4. DHCP server acks the request, notifying the client that the IP address is reserved.

Slide #27: Address Allocation
Dynamic
  – Host is given a "lease" on an IP address for a specified period of time.
  – Clients can release leases.
  – Clients can ask for a lease on a specific IP address.
Automatic
  – Address is permanently assigned to the client.
Manual
  – Address is selected by the client.

Slide #28: DHCP Security
Unauthorized servers
  – Any server can respond to a DHCP broadcast.
  – The client typically uses the first message received.
  – A malicious server can control the client's DNS and routes.
Unauthorized clients
  – Masquerade the MAC address to pretend to be a legitimate client and learn the IP addresses of the router and important servers.
DHCP authentication is specified in RFC 3118.
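The four-step conversation from slide 26, the leases from slide 27 and the "first offer wins" problem from slide 28, as one in-memory model. This is an added example, not code from the CIT 384 deck: servers and the client are plain Python objects, there is no network I/O, and all addresses and MACs are constructed. The `trusted_servers` allow-list is an assumption added for illustration; it stands in for the switch-side control (DHCP snooping, which only lets offers through on trusted ports) that the slides do not describe.

```python
# Added example for the DHCP conversation, address allocation and DHCP security
# slides (not part of the CIT 384 deck): a toy in-memory model of the
# discover/offer/request/ack exchange with leases, plus a filter that accepts
# offers only from an allow-list of known server identifiers (an assumption
# standing in for DHCP snooping on a switch). No network I/O; all addresses
# and MACs below are constructed.
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    server_id: str                  # the server's own IP, sent as the DHCP server identifier
    pool: list                      # addresses this server may lease (constructed)
    router: str                     # default route it hands out
    dns: str                        # DNS server it hands out
    lease_seconds: int = 3600
    leases: dict = field(default_factory=dict)   # client MAC -> (ip, expiry time)

    def _in_use(self, now):
        return {ip for ip, expiry in self.leases.values() if expiry > now}

    def offer(self, discover, now):
        """Step 2: answer a DHCPDISCOVER with an address, or None if the pool is empty."""
        mac = discover["chaddr"]
        lease = self.leases.get(mac)
        if lease and lease[1] > now:
            ip = lease[0]                                  # returning client keeps its address
        else:
            free = [ip for ip in self.pool if ip not in self._in_use(now)]
            if not free:
                return None
            ip = free[0]
        return {"op": "DHCPOFFER", "chaddr": mac, "yiaddr": ip, "server_id": self.server_id,
                "router": self.router, "dns": self.dns, "lease": self.lease_seconds}

    def ack(self, request, now):
        """Step 4: only the server named in the DHCPREQUEST commits the lease and acks."""
        if request["server_id"] != self.server_id:
            return None
        mac, ip = request["chaddr"], request["requested_ip"]
        self.leases[mac] = (ip, now + self.lease_seconds)
        return {"op": "DHCPACK", "chaddr": mac, "yiaddr": ip, "server_id": self.server_id,
                "router": self.router, "dns": self.dns, "lease": self.lease_seconds}

    def release(self, mac):
        """Client gives its lease back before it expires."""
        self.leases.pop(mac, None)


def run_dora(mac, servers, now, trusted_servers=None):
    """Steps 1-4 for one client. Every server hears the broadcast; the client takes the
    first offer it sees, exactly as the security slide warns, unless an allow-list of
    trusted server identifiers is enforced in front of it."""
    discover = {"op": "DHCPDISCOVER", "chaddr": mac}
    offers = [o for o in (s.offer(discover, now) for s in servers) if o is not None]
    if trusted_servers is not None:
        offers = [o for o in offers if o["server_id"] in trusted_servers]
    if not offers:
        return None                                        # no usable offer: client stays unconfigured
    chosen = offers[0]
    request = {"op": "DHCPREQUEST", "chaddr": mac,
               "requested_ip": chosen["yiaddr"], "server_id": chosen["server_id"]}
    acks = [a for a in (s.ack(request, now) for s in servers) if a is not None]
    if len(acks) != 1:
        raise RuntimeError("exactly one server should answer a request that names it")
    return {"ip": acks[0]["yiaddr"], "router": acks[0]["router"],
            "dns": acks[0]["dns"], "server_id": acks[0]["server_id"]}


def demo(trusted_servers=None):
    """Legitimate server plus an unauthorized one whose offer arrives first."""
    legit = DhcpServer("192.168.1.1", ["192.168.1.100", "192.168.1.101"], "192.168.1.1", "192.168.1.1")
    rogue = DhcpServer("192.168.1.250", ["192.168.1.200"], "192.168.1.250", "192.168.1.250")
    # The unauthorized server is listed first to model its offer reaching the client first.
    return run_dora("aa:bb:cc:00:00:01", [rogue, legit], now=0, trusted_servers=trusted_servers)


if __name__ == "__main__":
    print("no protection :", demo())
    print("allow-list    :", demo(trusted_servers={"192.168.1.1"}))
```

Run without the allow-list, the client ends up with the unauthorized server's address as its default route and DNS, which is the "control client DNS, routes" outcome on the slide; with the allow-list only the legitimate offer survives. The `DhcpServer` object also shows the lease mechanics from slide 27: a returning client is offered its existing address, an exhausted pool yields no offer, and a released or expired lease frees the address for the next client.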
