CIT 384: Network Administration: NAT


Slide #1

CIT 384: Network Administration

NAT

Slide #2

Topics

1. IP Address Exhaustion

2. Solutions: CIDR, Reclamation, NAT, IPv6

3. Static NAT

4. Dynamic NAT

5. PAT

6. DHCP

Slide #3

Address Classes

Class A: 0.0.0.0-127.255.255.255
– 8-bit net ID, 24-bit host ID
– 2^24 – 2 hosts per network; 126 networks

Class B: 128.0.0.0-191.255.255.255
– 16-bit net ID, 16-bit host ID
– 2^16 – 2 hosts per network; 16,384 networks

Class C: 192.0.0.0-223.255.255.255
– 24-bit net ID, 8-bit host ID
– (2^8 – 2) = 254 hosts per network; 2,097,152 networks

Class D: 224.0.0.0-239.255.255.255
– 28-bit multicast group ID

Class E: 240.0.0.0-255.255.255.255
– Reserved for future use

Slide #4

Public IP Addresses

ICANN assigns network numbers.
– Internet Corporation for Assigned Network Numbers.
– ICANN gives authority to regional orgs, e.g. ARIN (American Registry for Internet Numbers)
– Typically to ISPs, universities, corporations.

ISP assigns IP addresses within network

Slide #5

IPv4 Address Exhaustion

Classful addressing is wasteful
– <1% of most class As are in use
– Most class Bs aren’t fully used either.
– All IP addresses were going to be used by 1990s.

Solutions
– CIDR
– NAT
– IPv6

Slide #6

CIDR

Classless Inter-Domain Routing
– Classful routing wastes most IP addresses.
– Allocate addresses on bit boundaries instead of byte boundaries.
– Allow ISPs/users to decide on boundaries instead of basing on IP addresses.

Prefix notation
– /x indicates that first x bits are shared.
– 192.168.0.0/16 = 192.168.0.0 – 192.168.255.255

Slide #7

IPv4 Address Conservation

Reclaim unused addresses
– Some address blocks owned by companies that are out of business.

Reclaim underused blocks
– Take class As away from current owners, and subdivide with CIDR.
– Requires owners to renumber all machines.

Start using class E addresses
– Windows TCP/IP stack can’t use class E addrs.

Slide #8

NAT

Network Address Translation
– Use RFC1918 private addresses internally.
– Use public IP addresses externally.
– Use router to translate between int + ext IP addresses.

Private IP Networks                 Network Class   Count of Networks
10.0.0.0                            A               1
172.16.0.0 through 172.31.0.0       B               16
192.168.0.0 through 192.168.255.0   C               256
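The classful ranges of slide 3, the /x prefix notation of slide 6 and the RFC 1918 table above, worked through with plain bit arithmetic. This is an added example, not code from the slides; the three private blocks are written as CIDR prefixes (10/8, 172.16/12 for the 16 class Bs, 192.168/16 for the 256 class Cs).

```python
# Added example, not from the slides: classful ranges (slide 3), /x prefix
# arithmetic (slide 6) and the RFC 1918 table (slide 8) done with plain bit ops.

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def address_class(ip: str) -> str:
    """Classful lookup by first octet, using the ranges on slide 3."""
    first = ip_to_int(ip) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"

def cidr_range(prefix: str):
    """/x means the first x bits are shared: return (first, last, usable hosts)."""
    net, bits = prefix.split("/")
    bits = int(bits)
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    first = ip_to_int(net) & mask
    last = first | (~mask & 0xFFFFFFFF)
    hosts = max(last - first - 1, 0)  # minus the network and broadcast addresses
    return int_to_ip(first), int_to_ip(last), hosts

# The slide's three private ranges written as prefixes: 10/8 is the one class A,
# 172.16/12 covers the 16 class Bs, 192.168/16 covers the 256 class Cs.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def is_private(ip: str) -> bool:
    """True if ip is in an RFC 1918 block, i.e. it needs NAT to reach the Internet."""
    n = ip_to_int(ip)
    for block in RFC1918:
        first, last, _ = cidr_range(block)
        if ip_to_int(first) <= n <= ip_to_int(last):
            return True
    return False
```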

Slide #9

IPv4 vs IPv6 Addresses

Feature               IPv4                 IPv6
Size of Address       32 bits              128 bits
Example Address       10.1.1.1             0000:0000:0000:0000:FFFF:FFFF:0A01:0101
Abbreviated Address   -                    ::FFFF:FFFF:0A01:0101
Localhost             127.0.0.1            ::1/128
Possible Addresses    2^32 (~4 billion)    2^128 (~3.4 x 10^38)

Slide #10

NAT Concepts

Uses public IP addr to represent private IP.
– Translates source IP in outgoing packets.
– Translates dest IP in incoming packets.
– Router keeps table of translations.

Slide #11

Static NAT

Slide #12

Static NAT

Maps one internal IP to one external IP
– Need one public IP for each private IP
– Does not reduce # of IPv4 addresses needed

Applications
– Useful if internal addresses overlap another organization’s IP addresses.

Slide #13

Cisco NAT Terminology

inside local: IP addresses used on internal network.
inside global: public IP addresses that are used to represent inside local addresses on the outside net.

Slide #14

Cisco NAT Terminology

Inside local: Actual IP address assigned to a host in the private enterprise network.

Inside global: A NAT router changes source IP from inside local to inside global. Inside global addresses can be used for routing on the public network.

Outside global: Actual IP address assigned to a host that resides in the outside network.

Outside local: NAT can also translate outside global addresses to outside local addresses.

Slide #15

Dynamic NAT

Creates one-to-one address mapping
– Dynamic mapping on an as-needed basis.
– Mappings expire when not in use.
– Allows many internal hosts to use a small pool of n external addresses, as long as no more than n internal hosts need to access Internet at once.

Applications
– IP address conservation.
– Useful if internal addresses overlap another organization’s IP addresses and limited external addresses.

Slide #16

Dynamic NAT

Slide #17

Dynamic NAT

1. Host 10.1.1.1 sends first pkt to 170.1.1.1.
2. Router adds NAT table entry.
   1. Router checks if NAT is needed or not. Since pkt is from inside local to inside global, NAT is needed.
   2. Router adds entry for inside local 10.1.1.1.
3. NAT router allocates IP from pool.
   1. Picks first available address (200.1.1.1)
   2. Adds this inside global address to table entry.
4. NAT router translates source IP + forwards.

Slide #18

Port Address Translation

Dynamic NAT saves some IP addresses
– If 10% of machines use Internet at once, can use a 10:1 ratio of internal to external IP addresses.
– Dynamic NAT will deny access if too few ext IPs.
– What if we could improve that by 2^16?

Rewrite source ports as well as source IPs.
– Source port is random high port for outgoing pkts
– Use diff src port for each connection to outside.
– NAT table contains connections, not just IPs.

Slide #19

Normal Port Usage

Slide #20

PAT

NAT Table
– Maps inside local IP address + port to outside local IP address + port
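The dynamic NAT walk-through of slide 17 and the PAT table above, modelled side by side as an added example (not code from the slides or from Cisco IOS). Pool addresses, ports and host IPs are the slides' sample values; the port allocator starting at 1024 and the expiry call are assumptions of this toy.

```python
# Added example, not from the slides: a toy dynamic NAT table (slides 15-17)
# next to a toy PAT table (slides 18-20) so the pool-exhaustion difference is visible.
import itertools

class DynamicNAT:
    """One-to-one mappings handed out from a pool of inside global addresses."""
    def __init__(self, pool):
        self.free = list(pool)   # inside global addresses not yet allocated
        self.table = {}          # inside local -> inside global

    def outbound(self, src_ip):
        """Translate the source of an outgoing packet; None means access denied."""
        if src_ip not in self.table:
            if not self.free:
                return None      # too few external IPs for the hosts online right now
            self.table[src_ip] = self.free.pop(0)   # first available address
        return self.table[src_ip]

    def inbound(self, dst_ip):
        """Translate the destination of an incoming packet back to the inside local IP."""
        for local, glob in self.table.items():
            if glob == dst_ip:
                return local
        return None

    def expire(self, src_ip):
        """Mapping idle: drop it and return the global address to the pool."""
        glob = self.table.pop(src_ip, None)
        if glob is not None:
            self.free.append(glob)

class PAT:
    """Many (inside IP, port) pairs share one global IP, told apart by translated port."""
    def __init__(self, global_ip, first_port=1024):
        self.global_ip = global_ip
        self.ports = itertools.count(first_port)   # next unused translated port
        self.table = {}      # (local ip, local port) -> (global ip, global port)
        self.reverse = {}    # the same entries keyed the other way for inbound packets

    def outbound(self, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.table:      # new connection: allocate a fresh port
            entry = (self.global_ip, next(self.ports))
            self.table[key] = entry
            self.reverse[entry] = key
        return self.table[key]

    def inbound(self, dst_ip, dst_port):
        return self.reverse.get((dst_ip, dst_port))
```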

Slide #21

Bidirectional NAT

Slide #22

Bidirectional NAT Applications

Translating overlapping IP ranges.
– Useful during mergers or bad numbering.

Load balancing
– Translate single server IP address to address of one of many identical servers.

Failover
– If server is down, add NAT entry to redirect to replacement server.

Transparent proxying
– Redirect HTTP connections for caching or security reasons without configuring proxy in browser.

Slide #23

NAT Complications

Checksum recalculation
– Changing address field invalidates CRC.
– Router recalculates IP + higher layer checksums.
– Fragments must be reassembled too.

Layer mixing
– Some apps (ftp) send network layer data in application layer packets (port + IP for ftp.)
– NAT must sniff packets to get this information, then translate app layer data too.
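The checksum-recalculation point, shown on a real IPv4 header as an added example (not code from the slides): rewriting the source address alone leaves a stale header checksum, so a NAT must zero the field and recompute it. Addresses are the slides' sample values; the header layout is the standard 20-byte IPv4 header without options.

```python
# Added example, not from the slides: the "checksum recalculation" complication.
# Builds a minimal IPv4 header, rewrites its source as a NAT would, and shows that
# the header checksum only verifies again after it is recomputed.
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _octets(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6) -> bytes:
    """20-byte IPv4 header (no options) with the checksum field filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, _octets(src), _octets(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]

def header_checksum_ok(hdr: bytes) -> bool:
    return internet_checksum(hdr) == 0

def naive_rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """Change the source address only: the old checksum is now wrong and the
    next hop will discard the packet."""
    return hdr[:12] + _octets(new_src) + hdr[16:]

def nat_rewrite_source(hdr: bytes, new_src: str) -> bytes:
    """What the NAT router must do: rewrite, zero the checksum, recompute it.
    TCP/UDP checksums cover the addresses too (pseudo-header) and need the same."""
    patched = naive_rewrite_source(hdr, new_src)
    patched = patched[:10] + b"\x00\x00" + patched[12:]
    return patched[:10] + struct.pack("!H", internet_checksum(patched)) + patched[12:]
```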

Slide #24

NAT Problems

NAT breaks some applications
– Add complexity to router to fix important apps.
– Other apps may remain broken.

NAT reduces performance
– Especially due to features for special apps.

Breaks end-to-end nature of Internet
– All hosts do not have equal access.
– Limits ability to run servers and certain apps.

Slide #25

DHCP

Dynamic Host Configuration Protocol
– Standard introduced in 1993 with RFC 1531.
– Replaced RARP and BOOTP.

Configures network params for clients.
– IP address.
– Default route.
– Server addresses (DNS, NIS, tftp, etc.)
– MTU, TTL, etc.

Slide #26

DHCP Conversation

1. Client sends broadcast to discover DHCP svrs.

2. DHCP server broadcasts offer.

3. DHCP client broadcasts request telling server which IP addr it wants.

4. DHCP server acks request, notifying that IP addr reserved.

Slide #27

Address Allocation

Dynamic
– Host given “lease” on IP address for a specified period of time.
– Clients can release leases.
– Clients can ask for lease to a specific IP addr.

Automatic
– Address permanently assigned to client.

Manual
– Address selected by the client.

Slide #28

DHCP Security

Unauthorized servers
– Any server can respond to DHCP broadcast.
– Client typically uses first message received.
– Malicious server can control client DNS, routes.

Unauthorized clients
– Masquerade MAC address to pretend to be a legitimate client to learn IP addresses of router and important servers.

DHCP authentication in RFC 3118
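The unauthorized-server problem above, seen from the defender's side as an added example (not code from the slides): given switch-side observations of the slide 26 conversation, flag any OFFER that did not come from the known server on the port that leads to it, and check whether the client's REQUEST shows it took the rogue offer first. The log lines are constructed, their key=value format and the trusted server/port values are assumptions.

```python
# Added example, not from the slides: spotting an unauthorized DHCP server from
# switch-side observations. The log lines are constructed and their key=value
# format is assumed; the idea is the one behind DHCP snooping, where an OFFER is
# only legitimate from a trusted port leading to the real server.
TRUSTED_SERVERS = {"10.1.1.2"}   # the organisation's real DHCP server (assumed)
TRUSTED_PORTS = {"Gi0/24"}       # switch uplink that leads to it (assumed)

SAMPLE_LOG = """\
2024-03-01T10:00:01 port=Gi0/5 msg=DISCOVER client=00:11:22:33:44:55
2024-03-01T10:00:01 port=Gi0/24 msg=OFFER server=10.1.1.2 client=00:11:22:33:44:55 yiaddr=10.1.1.50 router=10.1.1.1 dns=10.1.1.2
2024-03-01T10:00:01 port=Gi0/7 msg=OFFER server=10.1.1.99 client=00:11:22:33:44:55 yiaddr=10.1.1.51 router=10.1.1.99 dns=10.1.1.99
2024-03-01T10:00:02 port=Gi0/5 msg=REQUEST client=00:11:22:33:44:55 server=10.1.1.99
"""

def parse(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def find_rogue_offers(log_text: str) -> list:
    """(server, port, router, dns, reasons) for every OFFER that should not have happened."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("msg") != "OFFER":
            continue
        reasons = []
        if rec.get("server") not in TRUSTED_SERVERS:
            reasons.append("offer from unknown server")
        if rec.get("port") not in TRUSTED_PORTS:
            reasons.append("offer arrived on an untrusted port")
        if reasons:
            # the offered router/dns show where the client would have been steered
            alerts.append((rec["server"], rec["port"], rec.get("router"), rec.get("dns"), reasons))
    return alerts

def client_accepted_rogue(log_text: str) -> bool:
    """The client takes the first OFFER it sees (slide 28); a REQUEST naming an
    untrusted server confirms the rogue offer won the race."""
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("msg") == "REQUEST" and rec.get("server") not in TRUSTED_SERVERS:
            return True
    return False
```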
