Problem: IPv4 address shortage
IPv6
• There for 6+ years
• No deployment
• Complicated transition
• Little incentives

NAT
• Deployed
• Breaks end-to-end
• Breaks apps
• Single point of failure
• Not scalable
• Even more deployed
Why are NATs so popular?
• Very easy
– No need to replace routers
– No need to get more addresses
• Provide address isolation
– Easy address planning independent of outside
– Provider change does not result in renumbering
– Some even think it is security
IPv4+4
• Use existing multiple address realms
Figure: two private realms, each with a host at 10.0.0.1, behind NATs whose public addresses are 9.8.7.6 and 5.4.3.2; the resulting IPv4+4 addresses are 9.8.7.6.10.0.0.1 and 5.4.3.2.10.0.0.1.
IPv4+4 packet
version | hdrlen | DS byte | total length
identification | flags | fragment offset
TTL | protocol | header checksum
source address
destination address
source address 2
destination address 2
protocol 2 | spos | dpos | header checksum 2
transport header + payload
• covers addresses, len & protocol
• end-to-end
IPv4+4 routing
Figure: host A in private realm X and host B in private realm Y, each realm behind a realm gateway (RGW); the figure shows the four address fields (source, destination, source 2, destination 2) of a packet between A.X and B.Y as it is rewritten at each RGW.
• packet routable based on IP header
• private addresses not visible in public realm
• private realm’s addresses not visible in another private realm
ICMP – a problem
Plain IPv4 packet:
version | hdrlen | DS byte | total length
identification | flags | fragment offset
TTL | protocol | header checksum
source address
destination address
source port | destination port
sequence number (TCP) / length+checksum (UDP)

IPv4+4 packet:
version | hdrlen | DS byte | total length
identification | flags | fragment offset
TTL | protocol | header checksum
source address
destination address
source address 2
destination address 2
protocol 2 | spos | dpos | header checksum 2
source port | destination port
sequence number (TCP) / length+checksum (UDP)
Summary – RGWs
Legacy NAT
• Packet out: swap source
• Packet in: swap destination
• Add 4+4 header to ICMP messages
Stateless, cheap processing
Summary – End hosts
• Generate & understand 4+4 header
• Decide if peer is in the same realm or not
• Obtain 4+4 addresses of peers
– DNS
– Configuration
• Application support needed
Implementation
• Linux kernel module
• Translates IPv4+4 packets and addresses
– 128.59.67.131.192.168.0.2 ↔ 1.0.0.2
• Mappings are dynamically created
– Incoming packet
– DNS request
• Packet headers inside ICMP errors
• DNS messages also affected
Implementation
• Linux kernel module – no kernel patch
• Load/unload any time
Figure: applications in userland; the kernel module sits in kernel space below them.
Implementation
• Linux kernel module – no kernel patch
• Uses netfilter hooks
– Can examine and modify packet
– Say a verdict: accept, drop, steal, queue
Figure: netfilter hook points on the path from input device to output device: PRE_ROUTING, LOCAL_IN, LOCAL_OUT, FORWARD, POST_ROUTING, with applications above; packets given the QUEUE verdict go to a user-space daemon and come back with ACCEPT.

Rules at the end-host hooks:
LOCAL_OUT
– If an ICMP error that carries a peer id inside => translate
– If destination is a peer id => translate
LOCAL_IN
– If an ICMP error that carries a 4+4 packet => translate
– If v4+4 and addressed to us => translate
– If a DNS packet => QUEUE

Rules at the gateway hooks:
FORWARD
– ICMP error carrying 4+4 packet => add IPv4+4 header
– 4+4 packet => swap source address
PRE_ROUTING
– ICMP error carrying 4+4 packet => add IPv4+4 header
– 4+4 packet => swap destination address
DNS
• Each 4+4 address is stored as two “A” RRs
• Name prepending is used as with SRV RRs
Hostname: pleione.comet.columbia.edu.
Records:
l1.pleione.comet.columbia.edu  128.59.67.131
l2.pleione.comet.columbia.edu  192.168.0.2
IPv4+4 address: 128.59.67.131.192.168.0.2
DNS resolution (App, Kernel module, Daemon, DNS server)
• App: Who is a.b.com?
• DNS server: a.b.com doesn’t exist.
• Daemon: Who is l1.a.b.com? Who is l2.a.b.com?
• DNS server: l1.a.b.com is 2.3.4.5; l2.a.b.com is 6.7.8.9
• Module: Mapping: 2.3.4.5.6.7.8.9 ↔ 1.0.0.2
• App receives: a.b.com is 1.0.0.2
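As an added example (not code from the slides or the project), a small Python model of the end-host side described above: the l1./l2. DNS lookup, splitting a 4+4 address, the same-realm decision, and the module's dynamically created address-to-peer-id mapping. The zone data is constructed from the page's pleione records; the same-realm rule (matching public halves) and the peer-id range starting at 1.0.0.2 are assumptions taken from the page's examples.

```python
from __future__ import annotations
import ipaddress

ZONE = {  # constructed zone data in the page's l1./l2. name-prepending scheme
    "l1.pleione.comet.columbia.edu": "128.59.67.131",
    "l2.pleione.comet.columbia.edu": "192.168.0.2",
}

def parse_44(addr: str) -> tuple[str, str]:
    """Split 'a.b.c.d.e.f.g.h' into (public realm-gateway address, private address)."""
    parts = addr.split(".")
    if len(parts) != 8:
        raise ValueError("a 4+4 address has exactly eight octets")
    outer, inner = ".".join(parts[:4]), ".".join(parts[4:])
    return str(ipaddress.IPv4Address(outer)), str(ipaddress.IPv4Address(inner))

def resolve_44(name: str, zone: dict[str, str] = ZONE) -> str | None:
    """Daemon step after 'a.b.com doesn't exist': fetch l1.<name> and l2.<name>, join them."""
    name = name.rstrip(".")
    l1, l2 = zone.get(f"l1.{name}"), zone.get(f"l2.{name}")
    return None if l1 is None or l2 is None else f"{l1}.{l2}"

def same_realm(local44: str, peer44: str) -> bool:
    return parse_44(local44)[0] == parse_44(peer44)[0]  # assumed rule: same public half

class PeerMap:
    """Module-side table: 4+4 address <-> local peer id, handed out from 1.0.0.2 (assumed)."""
    def __init__(self, first_id: str = "1.0.0.2") -> None:
        self._next = int(ipaddress.IPv4Address(first_id))
        self._by_addr: dict[str, str] = {}
        self._by_id: dict[str, str] = {}

    def peer_id(self, addr44: str) -> str:
        parse_44(addr44)  # reject malformed input before creating a mapping
        if addr44 not in self._by_addr:
            pid = str(ipaddress.IPv4Address(self._next))
            self._next += 1
            self._by_addr[addr44] = pid
            self._by_id[pid] = addr44
        return self._by_addr[addr44]

    def lookup(self, pid: str) -> str | None:
        return self._by_id.get(pid)  # reverse mapping for packets sent to a peer id

def address_for_app(local44: str, name: str, pmap: PeerMap) -> str | None:
    """What an unmodified app gets: the private address in-realm, else a local peer id."""
    peer44 = resolve_44(name)
    if peer44 is None:
        return None
    return parse_44(peer44)[1] if same_realm(local44, peer44) else pmap.peer_id(peer44)
```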
Testbed
Figure: aphrodite (128.59.67.141) and taygeta (128.59.67.131) on the public side at Comet Lab, New York; pleione (192.168.0.2) in a private realm reached through taygeta's private-side address 192.168.0.1; pc11 (195.228.209.132) in Budapest, Hungary. Services: DNS server and WEB server ipv44.comet.columbia.edu; WEB server pleione.ipv44.comet.columbia.edu.
Experiments
• Applications/protocols
– icmp, ssh, scp, telnet, ping, http
– arp, snmp, dhcp, routing protocols
– ftp, irc
• Network management/configuration
– dns, firewall, routing

Performance
• Pentium III, 1 GHz machine
• Unloaded
• Measured the forwarding time