Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lab 5: NAT CS144 Review Session 7 November 13 th, 2009 Roger Liao.

Published byMatthew Cunningham Modified over 9 years ago

Similar presentations

Presentation on theme: "Lab 5: NAT CS144 Review Session 7 November 13 th, 2009 Roger Liao."— Presentation transcript:

1 Lab 5: NAT CS144 Review Session 7 November 13 th, 2009 Roger Liao

2 Announcements Lab 5 is out –Due Thursday, December 3 rd Layered on top of Lab 3 (sr) –Pass a command flag (-nat) to turn on NAT behavior Lab 3 grade = max(lab 3 grade, lab 5 grade)

3 Overview Basic NAT functionality ICMP Requirements TCP Requirements General NAT processing logic Suggestions

4 NAT Network Address Translation Translates private IP addresses to facilitate Internet communication –10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 Single device with single IP address –Hides details of internal network –But interferes with many applications

5 “Reverse” NAT myth (you) is behind NAT Distinguish internal (eth0) and external (eth1) by interface name Translate packets from myth (VNS firewall) so that it appears the NAT sent them

6 myth ICMP echo src IP: 171.64.15.11 dst IP: 171.67.236.21 NAT App Server 171.67.236.21171.67.236.23 eth1: 171.67.236.20 eth0: 171.67.236.16 ICMP echo src IP: 171.67.236.20 dst IP: 171.67.236.21 ICMP echo src IP: 171.67.236.20 dst IP: 171.67.236.21

7 myth NAT App Server 171.67.236.21171.67.236.23 eth1: 171.67.236.20 eth0: 171.67.236.16 ICMP echo reply src IP: 171.67.236.21 dst IP: 171.67.236.20 ICMP echo reply src IP: 171.67.236.21 dst IP: 171.64.15.11 ICMP echo reply src IP: 171.67.236.21 dst IP: 171.64.15.11

8 ICMP Requirements Support echo requests/replies Echo requests are external host independent –Using the same query identifier to two different hosts will preserve mapping –If A sends an ICMP request with id q1  q1’ to B and another request with id q1  q2’ to C, then q1’==q2’. Do not timeout ICMP query mappings for at least 60 seconds

9 TCP Requirements 1. Endpoint-Independent Mapping behavior for TCP –Same translation (X1:x1)  (X1’:x1’) for packets destined to any external host –UNSAF: Unilateral Self-Address Fixing mechanism 2. Support all valid sequences of TCP packets - TCP implementations should work 3. Endpoint-Independent Filtering behavior for TCP - Like Endpoint-Independent Mapping, just for accepting inbound packets from external hosts

10 TCP Requirements 4. Don’t respond to inbound SYN for at least 6 seconds. Drop if outbound SYN received, send Port Unreachable otherwise - Used for supporting simultaneous open - Compromise to have this support and signal error for invalid SYN 5. Abandon idle TCP connections after 2 hours 4 minutes - Rationale: Default keep-alive of 2 hours and transitory period (open/close) of 4 minutes - Can drop or send RST packets for non-SYN pkts with no mapping

11 TCP Requirements 6. No port assignment behavior of port overloading for TCP - Disallow different internal endpoints from using the same mapping - This means for (X1:x1)  (X1’:x1’) and (X2:x2)  (X2’:x2’), (X1’:x1’) != (X2’:x2’) 7. Support hairpinning for TCP of type “External source IP address and port” - Rewrite source IP and port when receiving packet from internal host with a mapping

12 Hairpinning NAT myth X:x Y:y eth1: 171.67.236.20 eth0: 171.67.236.16 src IP, port - X:x dst IP, port – Y’:y’ Mapping Y:y  Y’:y’ X:x  X’:x’ src IP, port – X’:x’ dst IP, port – Y:y

13 General Logic Check whether packet is inbound or outbound Determine if it is ICMP or TCP If outbound, add a globally unique mapping If inbound, check for existing mapping. –If none, discard (unless TCP SYN or hairpinning)

14 General Logic Rewrite IP src/dst –Don’t forget to recompute checksum Rewrite ICMP identifier/TCP port –Recompute checksum again –TCP checksum covers pseudoheader and payload Reuse router logic to determine how to forward packet Don’t worry about UDP

15 Threads Spawn a thread to handle timing out NAT entries –Similar to ARP cache Synchronize access to shared data –NAT mappings –Locks Create thread in sr_router.c –Takes a pointer to a C routine. This is where you implement timeout logic. Can rely on main program exit to terminate thread

16 Data Structures Need to store NAT mappings –Linked list is fine, O(n) traversal –Keep a time field to remember when a mapping was last used Need to remember used ICMP identifiers and used port numbers –Separate structures for identifier and port number

17 Implementation Suggestions Implement NAT code in separate files (e.g. sr_nat.h, sr_nat.c) –Don’t forget to update the Makefile Handle command line flags in sr_main.c –http://www.gnu.org/software/hello/manual/libc/ Getopt.html#Getopthttp://www.gnu.org/software/hello/manual/libc/ Getopt.html#Getopt Create necessary NAT data structures in sr_instance (sr_router.h) –Initialize in sr_router.c

18 Other Suggestions Work on ICMP first and then TCP –Note that ARP is unchanged Save logfile (-l logfile to./sr) and examine packet flow in Wireshark/tcpdump Start early – report VNS issues to staff list and VNS admin (dgu@cs.stanford.edu)

19 Upcoming Updates Reference binary for comparison –Will be released next week, accessible from /usr/class/cs144/bin New topology for testing –Most likely will be nested NATs Web server will likely be updated to show observed IP address/port on home page

20 Questions?

Download ppt "Lab 5: NAT CS144 Review Session 7 November 13 th, 2009 Roger Liao."

Similar presentations

Using HIP to solve MULTI-HOMING IN IPv6 networks YUAN Zhangyi Beijing University of Posts and Telecommunications.

Using HIP to solve MULTI-HOMING IN IPv6 networks YUAN Zhangyi Beijing University of Posts and Telecommunications.
Firewalls and Network Address Translation (NAT) Chapter 7.

Firewalls and Network Address Translation (NAT) Chapter 7.
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
Router Implementation Project-2

Router Implementation Project-2
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.

Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.
Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
Lab 4: Simple Router CS144 Lab 4 Screencast May 2, 2008 Ben Nham Based on slides by Clay Collier and Martin Casado.

Lab 4: Simple Router CS144 Lab 4 Screencast May 2, 2008 Ben Nham Based on slides by Clay Collier and Martin Casado.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.

Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
Subnetting.

Subnetting.
Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.

Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.

1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.
CS 356 Systems Security Spring 2015 Dr. Indrajit Ray

CS 356 Systems Security Spring Dr. Indrajit Ray

Similar presentations

Ads by Google