Home Networking (9/11/2015)
04/21/23 Home Networking 1
Bob.test
• Has Road Runner (cable ISP) Internet service
• Unhappy about reports of constant probes of machines
• Policy decision
  – I want to prevent unauthorized probes/connection attempts on my machines
• Mechanism
  – Purchase some sort of firewall for my home network
Configuration
Diagram: Internet ↔ Cable Modem ↔ Router ↔ Desktops (Grumpy, Reiker)
Private IP Addresses
• The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (RFC 1597, since superseded by RFC 1918):
  – 10.0.0.0 - 10.255.255.255 (class A)
  – 172.16.0.0 - 172.31.255.255 (class B)
  – 192.168.0.0 - 192.168.255.255 (class C)
• These addresses are not routable on the public Internet
  – Meaning that an ISP will not forward packets to or from them; they are routable only inside the private network that uses them
Address Management
Diagram: Internet ↔ Cable Modem ↔ Router ↔ Desktops (Grumpy, Reiker)
• Router, Internet side: 66.67.3.170, assigned via DHCP by Road Runner (RR)
• Router, LAN side: 192.168.1.254
• Grumpy: 192.168.1.1
• Reiker: 192.168.1.2
• Desktop addresses assigned via DHCP (pool 192.168.0.100 – 192.168.0.200, as drawn on the slide)
How Does This Help?
Same diagram: Internet ↔ Cable Modem ↔ Router ↔ Desktops (Grumpy 192.168.1.1, Reiker 192.168.1.2; desktop addresses assigned via DHCP from 192.168.0.100 – 192.168.0.200, as drawn on the slide)
• Because the desktops use private addresses, packets carrying those addresses cannot travel beyond the router
• Can't get in or out!!! Nothing on the Internet can address Grumpy or Reiker directly, and nothing they send could be routed back to them
Mystery
• Mouse opens a TCP connection to the CS department's web server
  – Grumpy's address is 192.168.1.1
  – Destination is 129.21.30.29
  – The packet arrives at RIT
  – RIT responds, but 192.168.1.1 is a private address and will not be routed through the Internet
  – So how does Grumpy communicate with the outside world?
Network Address Translation
• Network Address Translation (NAT) makes this all possible (RFC 2663 defines the terminology; traditional NAT is specified in RFC 3022)
  – Private traffic bound for the Internet arrives at the router (sometimes called a NAT box)
  – The router changes the source IP address to the "real" (public) IP address
  – The packet is sent on as usual
  – The reply arrives at the router
  – Now what? How does the router know which private address to route it to?
A Little TCP
Client endpoint 192.168.1.1:2024, server endpoint 129.21.30.29:1024
• Both endpoints, together, uniquely define a TCP connection: (192.168.1.1, 2024, 129.21.30.29, 1024)
• Client → server: Src 192.168.1.1:2024, Dest 129.21.30.29:1024
• Server → client: Src 129.21.30.29:1024, Dest 192.168.1.1:2024
Address Translation
Client 192.168.1.1:2024 ↔ NAT box (external address 66.67.3.170) ↔ server 129.21.30.29:80
• Client → NAT box: Src 192.168.1.1:2024, Dest 129.21.30.29:80
• NAT box → server: Src 66.67.3.170:2024, Dest 129.21.30.29:80 (source address rewritten, source port kept)
• Server → NAT box: Src 129.21.30.29:80, Dest 66.67.3.170:2024
• NAT box → client: Src 129.21.30.29:80, Dest 192.168.1.1:2024 (destination mapped back to the private address)
How to Route?
• If a NAT box is managing several TCP connections, how does it know which inside host an incoming packet belongs to?
  – Key is port numbers
  – A connection is identified by (IPsrc, Portsrc, IPdest, Portdest)
  – Create a map
    • Key: (Portsrc, IPdest, Portdest)
    • Value: IPsrc
  – Why have Portsrc in the key?
Problem
Grumpy 192.168.1.1:2024 and Reiker 192.168.1.2:2024 both connect to 129.21.30.29:80 through the NAT box (external address 66.67.3.170)
• Grumpy → NAT box: Src 192.168.1.1:2024, Dest 129.21.30.29:80
• Reiker → NAT box: Src 192.168.1.2:2024, Dest 129.21.30.29:80
• NAT box → server, for both: Src 66.67.3.170:1024, Dest 129.21.30.29:80
• The two translated flows are identical, so a map keyed on (Portsrc, IPdest, Portdest) holds one entry for two hosts: when the server replies to 66.67.3.170:1024 the NAT box cannot tell which desktop the reply belongs to
NAPT
• Network Address Port Translation includes port numbers in the translation
  – The client actually opens its connection with the NAT box (so that leg has unique endpoints)
  – The NAT box in turn opens a connection with the real server from a port it assigns (again unique endpoints)
  – Conceptually, that is; the box rewrites addresses and ports in flight rather than terminating TCP itself
  – Now when a packet arrives from the server it carries the NAT-assigned port as destination, which identifies the inside host and port
• The term NAT is often used in place of NAPT
NAPT Translation Table

Private Address   Private Port   External Address   External Port   NAT Port   Protocol Used
192.168.1.1       2024           129.21.30.29       80              14003      TCP
192.168.1.2       2024           129.21.30.29       80              14004      TCP
NAPT Translation
Grumpy 192.168.1.1:2024 and Reiker 192.168.1.2:2024 ↔ NAT box (external address 66.67.3.170) ↔ server 129.21.30.29:80
• Grumpy → NAT box: Src 192.168.1.1:2024, Dest 129.21.30.29:80
• NAT box → server: Src 66.67.3.170:14003, Dest 129.21.30.29:80
• Reiker → NAT box: Src 192.168.1.2:2024, Dest 129.21.30.29:80
• NAT box → server: Src 66.67.3.170:14004, Dest 129.21.30.29:80
• The two flows now differ in the NAT-assigned source port, so replies to 14003 and 14004 are mapped back to Grumpy and Reiker respectively
Common Characteristics
• All flavors of NAT devices should share the following characteristics (RFC 2663)
  – Transparent address assignment
  – Transparent routing through address translation (routing here refers to forwarding packets, not exchanging routing information)
  – ICMP error packet payload translation
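The NAPT mechanism from the slides above (translation table keyed on the NAT-assigned port, two desktops sharing source port 2024) and the ICMP error payload translation listed under Common Characteristics, as an added example that is not part of the original slides. It is a small Python simulator: packets are plain dicts rather than real headers, the addresses are the slides' own (Grumpy 192.168.1.1, Reiker 192.168.1.2, RIT 129.21.30.29, external 66.67.3.170), and the port pool starting at 14003, the table layout, and the outside hosts 198.51.100.7 and 203.0.113.1 are assumptions made here for the demonstration.

```python
"""Minimal NAPT (port-translating NAT) simulator.

Added example, not code from the slides. Packets are dicts, so the whole
exchange runs offline. Addresses are the slides'; the NAT port pool start
(14003), the table layout and the outside hosts are assumptions made here.
"""
from dataclasses import dataclass, field


def packet(proto, src, sport, dst, dport, **extra):
    """Build a packet as a dict (constructed test data, not a real header)."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, **extra}


@dataclass
class Napt:
    external_ip: str = "66.67.3.170"
    next_port: int = 14003                 # assumed start of the NAT port pool
    # Translation table, keyed the way the slide shows it: (protocol, NAT port)
    # is unique, so a reply's destination port alone picks the private endpoint.
    # Value: (private ip, private port, remote ip, remote port).
    table: dict = field(default_factory=dict)
    by_flow: dict = field(default_factory=dict)   # reverse map for outbound lookups
    dropped: list = field(default_factory=list)

    def outbound(self, pkt):
        """Private -> Internet: rewrite the source to external_ip:nat_port."""
        flow = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        nat_port = self.by_flow.get(flow)
        if nat_port is None:
            nat_port = self.next_port          # new flow: allocate a fresh NAT port
            self.next_port += 1
            self.by_flow[flow] = nat_port
            self.table[(pkt["proto"], nat_port)] = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return {**pkt, "src": self.external_ip, "sport": nat_port}

    def inbound(self, pkt):
        """Internet -> private: translate a reply, or drop anything unsolicited."""
        if pkt["proto"] == "ICMP" and "inner" in pkt:
            return self._inbound_icmp_error(pkt)
        entry = self.table.get((pkt["proto"], pkt["dport"]))
        # No table entry, or the sender is not the peer this mapping was created for:
        # this is the "can't get in" property -- probes and spoofed replies are dropped.
        if entry is None or (entry[2], entry[3]) != (pkt["src"], pkt["sport"]):
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port, _, _ = entry
        return {**pkt, "dst": priv_ip, "dport": priv_port}

    def _inbound_icmp_error(self, pkt):
        """ICMP errors (e.g. TTL exceeded) quote the header of the packet that
        caused them. That quoted header carries the *translated* source, so the
        outer destination and the quoted source must both be mapped back."""
        inner = pkt["inner"]
        entry = self.table.get((inner["proto"], inner["sport"]))
        if entry is None or inner["src"] != self.external_ip:
            self.dropped.append(pkt)
            return None
        priv_ip, priv_port, _, _ = entry
        fixed_inner = {**inner, "src": priv_ip, "sport": priv_port}
        return {**pkt, "dst": priv_ip, "inner": fixed_inner}


def demo():
    """Replay the slides' scenario: two hosts using the same source port."""
    nat = Napt()
    server = ("129.21.30.29", 80)
    out1 = nat.outbound(packet("TCP", "192.168.1.1", 2024, *server))   # Grumpy
    out2 = nat.outbound(packet("TCP", "192.168.1.2", 2024, *server))   # Reiker
    # The server replies to each translated source; the NAT port tells them apart.
    rep1 = nat.inbound(packet("TCP", server[0], server[1], nat.external_ip, out1["sport"]))
    rep2 = nat.inbound(packet("TCP", server[0], server[1], nat.external_ip, out2["sport"]))
    # An unsolicited probe at the external address has no mapping and is dropped.
    probe = nat.inbound(packet("TCP", "198.51.100.7", 40000, nat.external_ip, 22))
    # A router on the path (assumed address) reports TTL exceeded for Grumpy's packet.
    icmp = nat.inbound(packet("ICMP", "203.0.113.1", 0, nat.external_ip, 0, inner=out1))
    return {"out1": out1, "out2": out2, "rep1": rep1, "rep2": rep2,
            "probe": probe, "icmp": icmp, "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points worth noticing: the table is keyed on the NAT-assigned port, not on the client's port, which is exactly what resolves the Problem slide; and `inbound` checks that the packet's source matches the peer the mapping was created for, so a probe or a spoofed reply aimed at a live NAT port is dropped rather than forwarded inside. Real devices differ in how strictly they apply that second check.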