
Page 1: Private Network Interconnection

© MMII JW Ryder CS 428 Computer Networking 1

Private Network Interconnection

VPN - Virtual Private Networks

NAT - Network Address Translation

Describe a 2-level internet architecture

Private internet connected by public internet/Internet

Page 2: Private Network Interconnection


Private/Hybrid Networks

Major drawback to single-level architecture -> lack of privacy

2 levels distinguish between internal and external datagrams

Goal is to keep internal datagrams private while still allowing external communications

Page 3: Private Network Interconnection


Private Networks

Easiest way to guarantee privacy is a completely private network, aka a private network

Use routers to interconnect networks at each site and leased digital circuits to interconnect sites

Since there is no outside access, can use own IP addressing scheme

Page 4: Private Network Interconnection


Hybrid Networks

Gives advantages of both private and global Internet connectivity

Must use globally valid IP addresses

Connect each site to the Internet

See hybrid architecture in figure 20.1 on page 390

Page 5: Private Network Interconnection


VPN

Chief disadvantage of both private and hybrid networks is high cost: leased lines (T1+) are expensive

Can lower cost by using alternative technologies (frame relay, ATM) or simply connect to the global Internet

Connecting to global Internet could remove privacy

Page 6: Private Network Interconnection


VPN

Big Question - How to keep the privacy but keep Internet connectivity?

Two techniques make VPN possible: Tunneling, Encryption

Define a tunnel across the Internet between a router on one side and a router on the other

Use IP-in-IP encapsulation in tunnel

Page 7: Private Network Interconnection


VPN

See tunnel figure 20.2 on page 391

Entire inner datagram including the IP header is encrypted before being placed as the data in the outer datagram

Describe flow

“A VPN sends data across the Internet, but encrypts intersite transmissions to guarantee privacy” page 392

Page 8: Private Network Interconnection


VPN Addressing

Offers an organization same addressing as private network if hosts do not need Internet connectivity

If hosts need Internet connectivity then hybrid approach can be used

In either case the routers that interface with the Internet always need valid IP addresses

See figure 20.4 on page 393

Page 9: Private Network Interconnection


VPN Addressing

How can a host provide access to the global Internet without assigning each host a valid IP address?

2 general methods: Application Gateways, Network Address Translation

Page 10: Private Network Interconnection


Application Gateways

Offers hosts access to Internet services without offering IP-level access

Each site has a multi-homed host (MHH) with a connection to both the Internet and the private network

MHH runs a set of programs called Application Gateways

Page 11: Private Network Interconnection


Application Gateways

Each AG handles 1 service

Hosts send datagrams to AG on MHH

MHH accesses the service on the Internet

MHH relays responses back to host on private network

Example: E-mail gateway

Page 12: Private Network Interconnection


Application Gateways

Advantage - ability to work without changing underlying structure of private network

Disadvantage - lack of generality: “Each application gateway handles only one specific service; multiple gateways are required for multiple services.”

AGs do NOT solve problem in a general way

Page 13: Private Network Interconnection


NAT

Requires a site to have a single connection to the Internet and one valid IP address G

G assigned to a MHH connected to the Internet that runs NAT software

A computer running NAT software is known as a NAT Box

All datagrams flow through NAT box

Page 14: Private Network Interconnection


NAT

NAT translates both outgoing and incoming addresses

Outgoing - Replace source address with G

Incoming - Replace destination address with private address of host

Page 15: Private Network Interconnection


NAT

External view - All datagrams come from and go to the NAT box

Internal view - NAT box appears as a router to the Internet

Chief advantage - Combination of generality and transparency

Page 16: Private Network Interconnection


NAT

More general than AGs - Allows arbitrary internal host to access arbitrary service on a host on the Internet

Transparency - Allows internal host to send and receive datagrams using a private IP address

“NAT technology provides transparent IP-level access to the Internet from a host with a private address.”

Page 17: Private Network Interconnection


NAT Translation

Each entry specifies 2 items: IP address of host on Internet, IP address of host on private network

Example incoming/outgoing

Table must be in place before datagram arrives in from Internet. Why?

Page 18: Private Network Interconnection


NAT Translation

How/When is table initialized?

Manual - network administrator

Outgoing Datagrams - side effect of sending datagrams

Incoming DNS lookup - side effect of DNS lookup

When host on Internet does a DNS lookup of internal host, DNS software creates entry in translation table, then answers request by sending G

Page 19: Private Network Interconnection


NAT Translation

Manual - Advantage: IP datagrams in either direction any time

Outgoing - Advantage: Automatic; Disadvantage: Comm. can’t be initiated from outside

Incoming DNS lookups - Requires modifying DNS software; Accommodates initiating communication from outside; Only works if DNS used

Page 20: Private Network Interconnection


NAT

Most implementations use outgoing method

Example on figure 20.5 on page 396

NAT permits ISP to assign private addresses

Page 21: Private Network Interconnection


Multi-Address NAT

NAT described so far allows a single host on private network to access a single Internet site

What if 2 local hosts want to access single Internet host?

External Address Concurrency

Page 22: Private Network Interconnection


Multi-Address NAT

Assign NAT box multiple Gs

Multiple accesses of same Internet host map to different Gs

Still finite number of concurrent accesses

Page 23: Private Network Interconnection


Port-Mapped NAT

Translate TCP or UDP protocol port numbers too

Sometimes known as Network Address Port Translation (NAPT)

Additional table fields: Pair of source/destination protocol port numbers; Protocol port number used by NAT box

Page 24: Private Network Interconnection


Port-Mapped NAT

See figure 20.6 on page 397

10.0.0.5 and 10.0.0.1 have unique source port numbers, but this is NOT guaranteed

Maybe they choose same number - application can select it

To avoid - NAT assigns unique port number to each Internet communication

Page 25: Private Network Interconnection


Port-Mapped NAT

TCP 4-tuple represents IP addresses and port numbers

Before sending: (10.0.0.5,21023,128.10.19.20,80) (10.0.0.1,386,128.10.19.20,80)

After NAPT translation: (G,14003,128.10.19.20,80) (G,14010,128.10.19.20,80)

Page 26: Private Network Interconnection


Port-Mapped NAT

Advantage - Generality with single valid IP address

Disadvantage - Restricts use to TCP or UDP

“Several variants of NAT exist, including the popular NAPT form that translates protocol port numbers as well as IP addresses.”

Page 27: Private Network Interconnection


NAT and ICMP

“Straight-forward” changes to IP addresses can cause unexpected problems in higher layer protocols

NAT doesn’t forward all ICMP messages arriving from Internet

Example - If routes in NAT box are incorrect, an ICMP redirect message must be handled locally, not sent internally to some other host

Before forwarding to internal host, NAT translates ICMP message

Page 28: Private Network Interconnection


NAT and ICMP

So, NAT must decide whether ICMP message is to be forwarded in or handled locally

ICMP destination unreachable message - IP header returned containing source address, but G is in it, not internal source

Page 29: Private Network Interconnection


NAT and ICMP

NAT box must first translate address and place it into the ICMP message

ICMP checksum is now incorrect, and so is the one in the datagram's outer header!!!! Both must now be recomputed
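An added example, not part of the lecture or Comer's text: a NAT box rewriting an ICMP destination unreachable message on its way into the private network, then recomputing the checksums the rewrite invalidated. It assumes G = 128.210.24.6 and a constructed Internet router 128.10.2.1, and goes one step past the slide by also fixing the checksum of the IP header quoted inside the ICMP body.

```python
import struct
from ipaddress import IPv4Address

G = "128.210.24.6"       # the NAT box's one valid address (assumed value)
ROUTER = "128.10.2.1"    # Internet router that sends the ICMP error (constructed)


def checksum(data) -> int:
    """RFC 1071 Internet checksum; a correct header or message sums to 0."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64) -> bytes:
    """Minimal 20-byte IPv4 header with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_unreachable(quoted: bytes) -> bytes:
    """ICMP type 3 (destination unreachable), code 1, quoting the failed datagram."""
    msg = struct.pack("!BBHI", 3, 1, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def nat_translate_icmp_in(datagram: bytes, public_ip: str, private_ip: str) -> bytes:
    """Rewrite G -> private host in the outer header and in the IP header quoted
    inside the ICMP body, then recompute every checksum that was invalidated."""
    outer, icmp = bytearray(datagram[:20]), bytearray(datagram[20:])
    if outer[16:20] != IPv4Address(public_ip).packed:
        raise ValueError("datagram is not addressed to the NAT box")
    outer[16:20] = IPv4Address(private_ip).packed        # outer destination
    outer[10:12] = b"\0\0"
    outer[10:12] = struct.pack("!H", checksum(outer))    # outer IP checksum
    # the quoted IP header starts 8 bytes into the ICMP message; its source is G
    if icmp[20:24] == IPv4Address(public_ip).packed:
        icmp[20:24] = IPv4Address(private_ip).packed      # quoted source
        icmp[18:20] = b"\0\0"
        icmp[18:20] = struct.pack("!H", checksum(icmp[8:28]))  # quoted checksum
    icmp[2:4] = b"\0\0"
    icmp[2:4] = struct.pack("!H", checksum(icmp))        # ICMP checksum
    return bytes(outer) + bytes(icmp)
```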

Page 30: Private Network Interconnection


NAT and Applications

Pure NAPT doesn’t work with applications that send IP addresses and port numbers as data

FTP - TCP application: One program obtains port number on local machine, converts it to ASCII and sends it to other host to create TCP connection

Page 31: Private Network Interconnection


NAT and Applications

NAPT would need to inspect all data and translate as needed for every application protocol as it is designed!

NAT supports main application protocols such as FTP and Telnet, but not all - certainly not our home-grown applications
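An added example (not the lecture's or Comer's code) that serves two slides at once: the port-mapped NAT table of pages 23-25 and the FTP PORT problem of pages 30-31. It assumes G = 128.210.24.6 and NAT-box ports handed out sequentially from 14003 (both constructed), with the same 10.0.0.5 and 10.0.0.1 hosts and 128.10.19.20:80 server as the slides; the FTP fix-up is the application-aware step a pure NAPT lacks.

```python
import re

G = "128.210.24.6"   # the NAT box's one valid address (assumed value)


class Napt:
    """Port-mapped NAT table: every conversation gets its own NAT-box port."""

    def __init__(self, public_ip, first_port=14003):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}    # (priv_ip, priv_port, rem_ip, rem_port) -> NAT port
        self.back = {}   # (NAT port, rem_ip, rem_port) -> (priv_ip, priv_port)

    def outgoing(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source to (G, NAT port); the entry is a side effect of
        sending, so two hosts that chose the same source port still differ."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, dst_ip, dst_port)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def incoming(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the destination back to the private host; None means no
        entry exists yet, so the datagram is dropped."""
        hit = self.back.get((dst_port, src_ip, src_port))
        if dst_ip != self.public_ip or hit is None:
            return None
        return (src_ip, src_port) + hit

    def fix_ftp_port(self, src_ip, dst_ip, line):
        """FTP carries the client's address and data port as ASCII text
        ('PORT h1,h2,h3,h4,p1,p2').  Pure NAPT would leave the private address
        inside; this application-aware step pre-creates the mapping the server's
        connection (from port 20) will need and rewrites the command with G."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
        if not m:
            return line                       # not a PORT command: pass through
        p1, p2 = int(m.group(5)), int(m.group(6))
        _, nat_port, _, _ = self.outgoing(src_ip, p1 * 256 + p2, dst_ip, 20)
        return "PORT %s,%d,%d\r\n" % (self.public_ip.replace(".", ","),
                                      nat_port // 256, nat_port % 256)
```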

Page 32: Private Network Interconnection


Summary

VPNs guarantee privacy but are expensive

2 main technologies used to implement VPN: Application Gateways, NAT