Page 1: NATs, VPNs, etc

Lecture 14: Translation, tunneling, filtering
NATs, VPNs, firewalls

Olof Hagsand, KTH CSC
DD2393/EP2120 p1 2011

Page 2: NATs, VPNs, etc

Literature

• Forouzan Chapter 5.5 - NAT. Note that NAT figure 5.41 and Table 5.3 can be confusing. Use the figures in the lecture slides instead.
• Forouzan Chapter 30.1 – Fig 30.14 - VPNs. Very limited coverage of VPNs, and only in the context of IPSEC.
• Forouzan Chapter 30.4 - Firewalls. Read a computer security course!

Page 3: NATs, VPNs, etc

Address translation

• How do you translate from one address space to another?
• Network Address Translation (NAT)
  – Private IP <-> Global IP. The original reason for address translation with NAT was lack of IPv4 address space.
  – IPv6 NAT: IPv4 <-> IPv6. Mapping between IPv6-only and IPv4 networks.
  – 'Carrier-grade' NAT – NAT in operator networks
• How is the mapping established?
  – Statically configured
  – On demand - established from one side, which makes duplex communication difficult
• Sequences of address translations (eg two NATs) are difficult; NAT traversal techniques are required

[Figure: address domain A <-> mapping <-> address domain B]

Page 4: NATs, VPNs, etc

Network Address Translation (NAT)

• Internally many hosts with private addresses
  – RFC1918 addresses (10/8, 192.168/16, ...)
• One or a small set of global addresses
• A NAT router or switch translates between local/private and global addresses
• NAT binding most often established dynamically from the inside
  – But static mapping is also used
• You also need (UDP/TCP) ports to extend the mapping
  – Sometimes called network address port translation (NAPT/PAT)

[Figure: private hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a NAT with global address 200.24.5.8; external host 25.8.2.10]

Page 5: NATs, VPNs, etc

NAT UDP/TCP example

[Figure: a TCP/UDP flow through the NAT, private side to the left, global side to the right]
  NAT binding: 10.0.0.2:1400 <--> 200.24.5.8:2100
  Private side, outgoing:  src: 10.0.0.2:1400    dst: 25.8.2.10:80
  Global side, outgoing:   src: 200.24.5.8:2100  dst: 25.8.2.10:80
  Global side, reply:      src: 25.8.2.10:80     dst: 200.24.5.8:2100
  Private side, reply:     src: 25.8.2.10:80     dst: 10.0.0.2:1400

• The NAT binding is dynamically established by a connection from the inside, eg a TCP SYN.

Page 6: NATs, VPNs, etc

NAT exercise

• Assume two hosts behind a NAT:
  – 10.1.1.1 and 10.1.1.2
• They both start a communication at the same time with TCP to an external web server 2.2.2.2 using port 80.
• The NAT has an internal address 10.2.2.2 and a (single) global address 3.3.3.3.
• Show the address/port of the two TCP SYN segments inside and outside the NAT.
• What is the NAT binding?
• The server replies with SYN/ACK to both requests.
• Show the address/port of the two TCP SYN/ACK segments inside and outside the NAT.
• What would be different if the two SYNs were sent from the same host (eg 10.1.1.1)?

Page 7: NATs, VPNs, etc

NAT and ICMP

• ICMP does not have ports
  – So how can you map ICMP flows from/to different internal hosts?
• You need to make 'tricks' to map the reply to the original request
• ICMP queries (e.g. Echo) have an identity field (and sequence)
  – Some OSs use the same identity field for all hosts → you can only ping one external host from one internal host
  – You need to have different identity fields for different hosts to make this work.
• ICMP error messages: the payload of the ICMP message carries the header from the datagram that could not be delivered.

Page 8: NATs, VPNs, etc

NAT ICMP query example

[Figure: an ICMP echo exchange through the NAT, private side to the left, Internet to the right]
  NAT binding: 10.0.0.2:4567 <--> 200.24.5.8:4567
  Private side, request:   src: 10.0.0.2    ident: 4567  dst: 25.8.2.10
  Internet side, request:  src: 200.24.5.8  ident: 4567  dst: 25.8.2.10
  Internet side, reply:    src: 25.8.2.10   ident: 4567  dst: 200.24.5.8
  Private side, reply:     src: 25.8.2.10   ident: 4567  dst: 10.0.0.2

• The NAT binding uses the ICMP query identifier and the source address
• Only unique if every host uses different identifiers for different external hosts
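The following is an added example, not code from the lecture: a small NAPT simulator for the binding tables on pages 5-8. It allocates global ports for outbound TCP/UDP flows, keeps an ICMP query identifier when no other internal host is using it and rewrites it otherwise (the 'trick' from page 7), and translates replies back. It also works through the page 6 exercise; the source ports 5000/5001 used there are constructed, since the exercise does not state them, as are all other addresses and identifiers (chosen to mirror the slides).

```python
"""Added example (not from the lecture slides): a small NAPT simulator.

It models the NAT binding table on pages 5-8: outbound TCP/UDP flows get a
(global address, global port) binding, ICMP echo queries get a
(global address, identifier) binding, and replies are translated back.
All addresses, ports and identifiers are constructed sample values that
mirror the slides (10/8 private side, 200.24.5.8 or 3.3.3.3 global side).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int   # TCP/UDP source port, or the ICMP query identifier
    dport: int   # TCP/UDP destination port (0 for ICMP)


class NAPT:
    """Network address *port* translation with a single global address."""

    def __init__(self, global_addr, first_port=2100):
        self.global_addr = global_addr
        self.next_port = first_port
        self.out_bindings = {}   # (proto, private addr, private port/ident) -> global port/ident
        self.in_bindings = {}    # (proto, global port/ident) -> (private addr, private port/ident)

    def _fresh(self, proto):
        # Allocate the next unused global port (or ICMP identifier) for this protocol.
        while (proto, self.next_port) in self.in_bindings:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Translate a packet leaving the private side; creates the binding on first use."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_bindings:
            if pkt.proto == "icmp" and (pkt.proto, pkt.sport) not in self.in_bindings:
                gport = pkt.sport               # keep the identifier while no other host uses it
            else:
                gport = self._fresh(pkt.proto)  # the 'trick': rewrite to a unique value
            self.out_bindings[key] = gport
            self.in_bindings[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.global_addr, pkt.dst, self.out_bindings[key], pkt.dport)

    def inbound(self, pkt):
        """Translate a packet arriving from the global side, or return None if no binding exists."""
        # TCP/UDP: the binding is found via the destination port; ICMP: via the identifier.
        slot = pkt.sport if pkt.proto == "icmp" else pkt.dport
        entry = self.in_bindings.get((pkt.proto, slot))
        if entry is None:
            return None                         # unsolicited: no hole in the NAT for it
        priv_addr, priv_slot = entry
        if pkt.proto == "icmp":
            return Packet(pkt.proto, pkt.src, priv_addr, priv_slot, 0)
        return Packet(pkt.proto, pkt.src, priv_addr, pkt.sport, priv_slot)


def tcp_exercise():
    """Page 6: two hosts SYN to 2.2.2.2:80 through a NAT with global address 3.3.3.3.
    The source ports 5000/5001 are constructed; the exercise does not state them."""
    nat = NAPT("3.3.3.3")
    syn1 = nat.outbound(Packet("tcp", "10.1.1.1", "2.2.2.2", 5000, 80))
    syn2 = nat.outbound(Packet("tcp", "10.1.1.2", "2.2.2.2", 5000, 80))  # same port, other host
    synack1 = nat.inbound(Packet("tcp", "2.2.2.2", "3.3.3.3", 80, syn1.sport))
    synack2 = nat.inbound(Packet("tcp", "2.2.2.2", "3.3.3.3", 80, syn2.sport))
    same_host = nat.outbound(Packet("tcp", "10.1.1.1", "2.2.2.2", 5001, 80))  # second SYN from 10.1.1.1
    return syn1, syn2, synack1, synack2, same_host


def icmp_example():
    """Pages 7-8: two hosts ping 25.8.2.10 with the same identifier 4567."""
    nat = NAPT("200.24.5.8", first_port=5000)
    req_a = nat.outbound(Packet("icmp", "10.0.0.2", "25.8.2.10", 4567, 0))
    req_b = nat.outbound(Packet("icmp", "10.0.0.3", "25.8.2.10", 4567, 0))
    rep_a = nat.inbound(Packet("icmp", "25.8.2.10", "200.24.5.8", req_a.sport, 0))
    rep_b = nat.inbound(Packet("icmp", "25.8.2.10", "200.24.5.8", req_b.sport, 0))
    return req_a, req_b, rep_a, rep_b


if __name__ == "__main__":
    for p in tcp_exercise() + icmp_example():
        print(p)
```

Two things the slides state show up directly in the output: both SYNs leave with the same global address but different global ports (and a second SYN from the same host gets yet another port), and the second host's echo request has its identifier rewritten, so both replies find their way back even though both hosts used 4567.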

Page 9: NATs, VPNs, etc

NAT Header rewrite

• Example: TCP/IP SYN packet sent from inside
• The following colored fields are rewritten:

[Figure: IP header (version, hlen, tos, total length, identification, fragment fields, ttl, protocol, header checksum, src addr, dst addr) followed by the TCP header (source port number, destination port number, sequence number, acknowledgement number, header length, reserved, flags, window size, TCP checksum, urgent pointer); the rewritten fields are colored in the original slide]
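As an added example (not code from the lecture), the rewrite below builds the SYN from the earlier slides as real IPv4/TCP header bytes and performs the NAPT rewrite on it. Changing the source address invalidates the IP header checksum, and because the TCP checksum covers a pseudo-header containing the addresses, that checksum changes as well, on top of the source port change. Both checksums are updated incrementally (RFC 1624) and the result is compared with a full recomputation. Packet contents (identification, TTL, window) and the address pairs are constructed to match the slides.

```python
"""Added example (not from the lecture slides): the header rewrite a NAPT performs
on an outbound TCP SYN, together with the checksum updates it forces.

Rewriting the source address changes the IP header checksum, and because the
TCP checksum covers a pseudo-header with the addresses, it changes too, as
does the source port. Packets and addresses below are constructed to match
the slides (10.0.0.2:1400 -> 25.8.2.10:80, translated to 200.24.5.8:2100).
"""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def verify(data: bytes) -> bool:
    # Summing a block that contains its own correct checksum yields all ones.
    return ones_complement_sum(data) == 0xFFFF


def build_ipv4_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a 40-byte IPv4 + TCP SYN (no options) with valid checksums."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0, s, d))
    ip[10:12] = struct.pack("!H", checksum(ip))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0))
    pseudo = struct.pack("!4s4sBBH", s, d, 0, 6, len(tcp))   # TCP pseudo-header
    tcp[16:18] = struct.pack("!H", checksum(pseudo + tcp))
    return bytes(ip + tcp)


def verify_packet(pkt: bytes) -> bool:
    """Are both checksums valid? (IP header alone; TCP together with its pseudo-header.)"""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    return verify(ip) and verify(pseudo + tcp)


def incremental_update(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied per changed 16-bit word."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nat_rewrite(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Rewrite source address and source port the way a NAPT does on the way out."""
    ip, tcp = bytearray(pkt[:20]), bytearray(pkt[20:40])
    old_words = struct.unpack("!HH", ip[12:16])
    new_addr = socket.inet_aton(new_src)
    new_words = struct.unpack("!HH", new_addr)
    # IP header checksum: only the two address words changed
    ip_csum = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = struct.pack("!H", incremental_update(ip_csum, old_words, new_words))
    ip[12:16] = new_addr
    # TCP checksum: the address words (via the pseudo-header) and the source port changed
    old_sport = struct.unpack("!H", tcp[0:2])[0]
    tcp_csum = struct.unpack("!H", tcp[16:18])[0]
    tcp[16:18] = struct.pack("!H", incremental_update(
        tcp_csum, old_words + (old_sport,), new_words + (new_sport,)))
    tcp[0:2] = struct.pack("!H", new_sport)
    return bytes(ip + tcp)


def translate_demo() -> dict:
    inside = build_ipv4_tcp_syn("10.0.0.2", "25.8.2.10", 1400, 80)
    outside = nat_rewrite(inside, "200.24.5.8", 2100)
    # What a NAT would produce if it forgot the checksums: address swapped, sums stale
    stale = inside[:12] + socket.inet_aton("200.24.5.8") + inside[16:]
    return {
        "inside_valid": verify_packet(inside),
        "outside_valid": verify_packet(outside),
        "stale_valid": verify_packet(stale),
        "outside_src": socket.inet_ntoa(outside[12:16]),
        "outside_sport": struct.unpack("!H", outside[20:22])[0],
        # incremental update agrees with a full recomputation of the translated packet
        "matches_full_recompute": outside == build_ipv4_tcp_syn("200.24.5.8", "25.8.2.10", 2100, 80),
    }


if __name__ == "__main__":
    for name, value in translate_demo().items():
        print(name, value)
```

The `stale` packet is the instructive case: the address is translated but neither checksum was touched, so the next router drops it on the IP checksum and, had it got through, the receiver would have dropped the segment on the TCP checksum.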

Page 10: NATs, VPNs, etc

NAT address filtering

• With just a binding, other peers can use the "hole" in the NAT opened by an initial communication
  – 'Hole punching'
• A NAT may also filter – to restrict which external peers can communicate with the internal host
• The idea is that only the destination used for the binding is allowed to use the hole
  – This is typically the destination of a connection initiated from the inside
• NAT filtering is not standardized, it varies between NAT boxes – this makes NAT traversal difficult
  – Some variants are shown in the next slides
• Why is there filtering?
  – Mainly for 'security' reasons, although NATs should not really be used for security.

Page 11: NATs, VPNs, etc

Example filtering: 'Full cone'

• Full cone NAT – no filtering
  – 32.4.5.6 can use the hole opened by the access to 25.8.2.10

[Figure: full cone filtering; external hosts 25.8.2.10 and 32.4.5.6]
  NAT binding:   10.0.0.2:1400 <--> 200.24.5.8:2100
  NAT filtering: *:*
  Private side:  src: 10.0.0.2:1400  dst: 32.4.5.6:80
  Private side:  src: 32.4.5.6:80    dst: 10.0.0.2:1400

Page 12: NATs, VPNs, etc

Example filtering: 'Symmetric'

• Symmetric NAT
  – 32.4.5.6 can not use the entry
  – Only 25.8.2.10:80 is accepted as source address
• Other filterings: restricted port / restricted cone

[Figure: symmetric filtering; external hosts 25.8.2.10 and 32.4.5.6 (blocked!)]
  NAT binding:   10.0.0.2:1400 <--> 200.24.5.8:2100
  NAT filtering: 25.8.2.10:80
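The following is an added example, not code from the lecture, covering the filtering variants of pages 10-12 on the slides' own binding (10.0.0.2:1400 bound to 200.24.5.8:2100, opened towards 25.8.2.10:80, with 32.4.5.6 as the third party). It models four behaviours: full cone (no filtering), address-restricted and port-restricted cone (the two 'restricted' variants the slide names), and symmetric, which in this model also allocates a separate external port per destination. The ports and probe addresses are constructed.

```python
"""Added example (not from the lecture slides): the inbound filtering behaviours
sketched on pages 10-12, applied to the slides' own binding.

Four behaviours are modelled: full cone (no filtering), address-restricted and
port-restricted cone (the two 'restricted' variants), and symmetric, where the
NAT additionally allocates a separate mapping per destination. Addresses are
the slides': 10.0.0.2:1400 bound to 200.24.5.8:2100, opened towards
25.8.2.10:80; 32.4.5.6 is the third party trying to use the hole.
"""
from enum import Enum


class Filtering(Enum):
    FULL_CONE = "full cone"
    ADDRESS_RESTRICTED = "restricted cone"
    PORT_RESTRICTED = "port restricted cone"
    SYMMETRIC = "symmetric"


class FilteringNAT:
    def __init__(self, global_addr, mode, first_port=2100):
        self.global_addr = global_addr
        self.mode = mode
        self.next_port = first_port
        self.by_internal = {}   # internal key -> global port
        self.bindings = {}      # global port -> {"internal": (addr, port), "peers": {(addr, port)}}

    def outbound(self, src, sport, dst, dport):
        """Packet from inside: create/reuse the binding and remember the peer it was used with."""
        key = (src, sport)
        if self.mode is Filtering.SYMMETRIC:
            key = (src, sport, dst, dport)     # one external port per destination
        gport = self.by_internal.get(key)
        if gport is None:
            gport = self.next_port
            self.next_port += 1
            self.by_internal[key] = gport
            self.bindings[gport] = {"internal": (src, sport), "peers": set()}
        self.bindings[gport]["peers"].add((dst, dport))
        return self.global_addr, gport

    def inbound(self, src, sport, gport):
        """Packet from outside to global port gport: the internal (addr, port) if accepted, else None."""
        binding = self.bindings.get(gport)
        if binding is None:
            return None                               # no hole at all
        peers = binding["peers"]
        if self.mode is Filtering.FULL_CONE:
            accepted = True                           # anyone may use the hole
        elif self.mode is Filtering.ADDRESS_RESTRICTED:
            accepted = any(addr == src for addr, _ in peers)
        else:                                         # port-restricted and symmetric
            accepted = (src, sport) in peers
        return binding["internal"] if accepted else None


def slide_scenario(mode):
    """Who can reach 10.0.0.2:1400 through the hole opened towards 25.8.2.10:80?"""
    nat = FilteringNAT("200.24.5.8", mode)
    _, gport = nat.outbound("10.0.0.2", 1400, "25.8.2.10", 80)
    probes = {
        "25.8.2.10:80": ("25.8.2.10", 80),   # the peer the binding was opened for
        "25.8.2.10:81": ("25.8.2.10", 81),   # same host, other port
        "32.4.5.6:80": ("32.4.5.6", 80),     # third party
    }
    return {name: nat.inbound(addr, port, gport) is not None for name, (addr, port) in probes.items()}


def second_destination_port(mode):
    """Global port used when the same internal socket then talks to 32.4.5.6:80."""
    nat = FilteringNAT("200.24.5.8", mode)
    nat.outbound("10.0.0.2", 1400, "25.8.2.10", 80)
    return nat.outbound("10.0.0.2", 1400, "32.4.5.6", 80)[1]


if __name__ == "__main__":
    for mode in Filtering:
        print(mode.value, slide_scenario(mode), second_destination_port(mode))
```

The second function shows why symmetric NATs are the hard case for traversal: a cone NAT reuses 200.24.5.8:2100 for every destination, so a peer can learn that address from a third party and use it, whereas the symmetric NAT hands out a new port for 32.4.5.6 that nobody else has seen.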

Page 13: NATs, VPNs, etc

NAT and other applications

• Problem: addresses and port numbers may also be present in the payload
  – FTP and SIP print the port numbers converted into ASCII in the payload during connection setup
  – IPSEC encrypts datagrams including ports
  – Etc, etc
• The figure shows an application protocol sending a private address in the payload.
• In the global address space, the private address in the payload is not translated (just the IP/TCP header).
• So NAT needs to be made application-specific.

[Figure: NAT binding 10.0.0.2:1400 <--> 200.24.5.8:2100; the private address 10.0.0.100 referenced in the payload is still 10.0.0.100 on the global side]
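As an added example (not from the lecture), the FTP case mentioned above: in active mode the client sends its own address and port in ASCII in a `PORT h1,h2,h3,h4,p1,p2` command (port = p1*256 + p2), so a NAT without an application-level gateway would let a private address like 10.0.0.100 leak to the server, which then cannot connect back. The minimal ALG below rewrites the command with the global address and a port it binds for the expected data connection; the class, its bindings and the sample lines are constructed, not any real NAT's code.

```python
"""Added example (not from the lecture slides): an application-level gateway
(ALG) for the FTP PORT command, the case page 13 refers to.

Active-mode FTP sends the client's private address and port in ASCII inside the
control connection ("PORT h1,h2,h3,h4,p1,p2", port = p1*256 + p2). The NAT must
rewrite that text with the global address and a port it has bound, or the
server's data connection goes to an unreachable private address. Sample
values are constructed to match the slides (10.0.0.100 behind 200.24.5.8).
"""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(line: str):
    """Return (addr, port) for a PORT command, or None for any other line."""
    m = PORT_RE.match(line)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def format_port(addr: str, port: int) -> str:
    return "PORT " + ",".join(addr.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpAlg:
    """Rewrites PORT commands on an outbound FTP control connection and records the
    binding the data connection will need (constructed, minimal model)."""

    def __init__(self, global_addr, first_port=2100):
        self.global_addr = global_addr
        self.next_port = first_port
        self.data_bindings = {}   # global port -> (private addr, private port)

    def rewrite(self, line: str):
        """Return (new line, change in payload length). The length delta is what a
        real ALG must add to TCP sequence/acknowledgement numbers from now on."""
        parsed = parse_port(line)
        if parsed is None:
            return line, 0
        priv_addr, priv_port = parsed
        gport = self.next_port
        self.next_port += 1
        # Pre-open the hole: the server will connect *in* to this port for the data transfer.
        self.data_bindings[gport] = (priv_addr, priv_port)
        new_line = format_port(self.global_addr, gport)
        return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    alg = FtpAlg("200.24.5.8")
    for line in ["USER anonymous\r\n", "PORT 10,0,0,100,19,137\r\n"]:
        print(repr(line), "->", alg.rewrite(line))
```

The returned length delta is the part people forget: once the ALG changes the payload length, every later TCP sequence and acknowledgement number on that connection has to be adjusted, which is why payload rewriting is much more intrusive than the header rewrite on page 9.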

Page 14: NATs, VPNs, etc

NAT Traversal techniques

• In order to communicate over NATs in other ways than client/server, the protocols affected need to perform NAT traversal
• Why would applications need to do that?
  – The telephone is peer-to-peer, ...
  – Especially low-latency applications (eg Voice over IP)
  – But to some extent also bandwidth-intense applications
• There are several NAT-traversal protocols
  – 'STUN' – client/server NAT detection and traversal
  – 'TURN'
  – NAT-T for IPSEC
  – Teredo for IPv6
• Many peer-to-peer applications use special (ad-hoc) techniques to bypass NAT:
  – UDP/TCP 'hole punching'
  – Sending 'speculative' packets in both directions
  – A global third party not behind NAT
  – Overloading of well-known ports, eg port 80

Page 15: NATs, VPNs, etc

Exercise: NAT traversal - UDP hole punching

• The goal is to establish a direct UDP flow between 10.1.1.1 and 10.2.2.2 by first establishing a binding to 3.3.3.3
• Which UDP packets are sent to set up the NAT binding table?
• What are the states of the NAT binding table?
• Follow a UDP packet from 10.1.1.1 to 10.2.2.2: how do the addresses and ports change as the packet traverses the networks?

[Figure: two private networks, with hosts 10.1.1.1 and 10.2.2.2, each behind its own NAT (global addresses 1.1.1.1 and 2.2.2.2), connected over the Internet; third party 3.3.3.3]

Page 16: NATs, VPNs, etc

Classification and packet filtering

Page 17: NATs, VPNs, etc

Firewalls

• You want to access the global network
• But you want protection from the outside
• Packet filter firewalls are the simplest form of firewalls
• Also called ACL - Access Lists in routers
• Many use NAT for security - but this is not its intended use.
• More advanced firewalls must be aware of application-level semantics
  – This is also referred to as deep inspection (inspect application-layer data)

[Figure: firewall router with packet filtering between the untrusted Internet and the trusted intranet]

Page 18: NATs, VPNs, etc

Classification and filtering

• Based on packet header (or even payload), classify packets into classes
  – Eg, all TCP traffic with dst port 80 and source IP address in 193.12.3.4/24
• Classes may then be handled in different ways
  – Drop, count, measure, priority, shape, ...
• Stateful inspection
  – Keep state of every TCP/UDP flow and allow reverse traffic
  – Traffic from inside "opens" the firewall for incoming traffic dynamically (cf dynamic NAT binding)
• Example:
  – permit out on eth0 from 77.2.3.0/24 to any proto tcp keep state
  – permit input on eth0 proto icmp
  – deny default

[Figure: network 77.2.3.0/24 behind interface eth0, facing the untrusted Internet]
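The following is an added example, not code from the lecture: a stateful packet filter that parses the three rules above in the slide's own syntax and runs constructed sample traffic through them. The flow-state table is consulted first, so the reply to a connection opened from 77.2.3.0/24 is let back in even though no rule permits inbound TCP, while an unsolicited inbound connection and outbound UDP both fall through to `deny default`. The rule grammar, the packet record and the sample addresses (documentation ranges) are assumptions of this example.

```python
"""Added example (not from the lecture slides): a stateful packet filter that
evaluates the three-rule example on this slide.

Rules are parsed from the slide's own syntax. Packets are matched against the
flow-state table first, then top-down against the rules; the first match wins
and "deny default" ends the list. Sample traffic below is constructed.
"""
import ipaddress
from dataclasses import dataclass

RULES = [
    "permit out on eth0 from 77.2.3.0/24 to any proto tcp keep state",
    "permit input on eth0 proto icmp",
    "deny default",
]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the interface
    iface: str
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def parse_rule(text: str) -> dict:
    toks = text.split()
    rule = {"action": toks[0], "direction": "any", "iface": None,
            "src": None, "dst": None, "proto": None, "keep_state": False}
    if toks[1:] == ["default"]:
        return rule                                  # matches everything
    rule["direction"] = {"in": "in", "input": "in", "out": "out", "output": "out"}[toks[1]]
    i = 2
    while i < len(toks):
        key = toks[i]
        if key == "keep" and toks[i + 1] == "state":
            rule["keep_state"] = True
        elif key == "on":
            rule["iface"] = toks[i + 1]
        elif key in ("from", "to"):
            net = None if toks[i + 1] == "any" else ipaddress.ip_network(toks[i + 1])
            rule["src" if key == "from" else "dst"] = net
        elif key == "proto":
            rule["proto"] = toks[i + 1]
        else:
            raise ValueError(f"unknown keyword {key!r} in rule: {text}")
        i += 2
    return rule


class Firewall:
    def __init__(self, rule_texts):
        self.rules = [parse_rule(r) for r in rule_texts]
        self.flows = set()   # 5-tuples permitted by a "keep state" rule

    @staticmethod
    def _matches(rule, pkt):
        return (rule["direction"] in ("any", pkt.direction)
                and (rule["iface"] is None or rule["iface"] == pkt.iface)
                and (rule["proto"] is None or rule["proto"] == pkt.proto)
                and (rule["src"] is None or ipaddress.ip_address(pkt.src) in rule["src"])
                and (rule["dst"] is None or ipaddress.ip_address(pkt.dst) in rule["dst"]))

    def filter(self, pkt):
        """Return (verdict, reason): "state" when the reverse of a recorded flow
        is let back in, otherwise the number of the first matching rule."""
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "permit", "state"
        for n, rule in enumerate(self.rules, 1):
            if self._matches(rule, pkt):
                if rule["action"] == "permit" and rule["keep_state"]:
                    self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule["action"], f"rule {n}"
        return "deny", "implicit"   # only reached if the list lacks "deny default"


def run_demo():
    fw = Firewall(RULES)
    traffic = [   # constructed sample packets on eth0
        Packet("out", "eth0", "tcp", "77.2.3.10", "93.184.216.34", 40000, 80),  # inside host opens HTTP
        Packet("in", "eth0", "tcp", "93.184.216.34", "77.2.3.10", 80, 40000),   # the server's reply
        Packet("in", "eth0", "tcp", "198.51.100.7", "77.2.3.10", 55555, 22),   # unsolicited SSH from outside
        Packet("in", "eth0", "icmp", "198.51.100.7", "77.2.3.10"),             # ping from outside
        Packet("out", "eth0", "udp", "77.2.3.10", "198.51.100.53", 53000, 53), # outbound DNS: no rule permits UDP
        Packet("out", "eth0", "tcp", "10.9.9.9", "93.184.216.34", 40001, 80),  # source outside 77.2.3.0/24
    ]
    return [fw.filter(p) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Note that the second rule admits any ICMP from the outside unconditionally, which is what the slide's example says; a stricter ruleset would limit it to the message types the inside actually needs.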

Page 19: NATs, VPNs, etc

Tunneling

Page 20: NATs, VPNs, etc

Tunneling

• Extended encapsulation: 'break' the layering model by iterating over the same (or higher) layer
• One IP network then acts as a link in another IP network
• Tunneling is used in many places
  – IPv6 deployment
  – VPNs
  – Mobile IP
• There are many different encapsulations
  – IP-in-IP, IPv6 in IPv4, IPv4 in IPv6
  – GRE - Generic tunneling protocol
  – Eth-in-IP (VPLS, pseudowire)

[Figure: inner datagram (IP header + payload) carried as the payload of an outer datagram with its own IP header]

Page 21: NATs, VPNs, etc

Issues with tunneling

• TTL – decrement the TTL once or for the complete path?
  – This influences debugging and tracerouting
  – A failure in the tunnel may not be able to send ICMP back to the original source (only to the tunnel entry)
• MTU (Maximum transmission unit)
  – May cause heavy fragmentation
  – Many backbones therefore have high MTU ('jumbo-frames')

[Figure: an IP datagram (hdr + payload) encapsulated as the payload of an outer datagram (hdr + payload)]
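As an added example (not from the lecture), the model below walks an IP-in-IP datagram through a tunnel and makes both issues on this slide concrete. For TTL it contrasts the two policies in common use, usually called "uniform" (the inner TTL is copied into the outer header and every router in the tunnel counts) and "pipe" (the tunnel looks like one hop to the inner datagram); for MTU it computes how many fragments the outer datagram needs on a link of a given MTU. Datagrams are small records rather than real headers, and the hop counts, sizes and addresses are constructed.

```python
"""Added example (not from the lecture slides): IP-in-IP encapsulation and the
two issues this slide raises, TTL handling and MTU.

Datagrams are modelled as small records rather than real headers. The two TTL
policies are the ones usually called "uniform" (the inner TTL is copied to the
outer header and every tunnel hop counts) and "pipe" (the tunnel looks like a
single hop to the inner datagram); hop counts, sizes and MTUs are constructed.
"""
import math
from dataclasses import dataclass, replace

IP_HEADER_LEN = 20


@dataclass
class Datagram:
    src: str
    dst: str
    ttl: int
    length: int                      # total length in bytes, header included
    inner: "Datagram | None" = None  # set when this is an outer (tunnel) datagram


def encapsulate(inner: Datagram, entry: str, exit_: str, policy: str, outer_ttl: int = 64) -> Datagram:
    """Tunnel entry: wrap `inner` in an outer datagram from `entry` to `exit_`."""
    inner = replace(inner, ttl=inner.ttl - 1)       # the tunnel entry is a router hop in any case
    if policy == "uniform":
        outer_ttl = inner.ttl                        # tunnel hops become visible to the inner datagram
    return Datagram(entry, exit_, outer_ttl, inner.length + IP_HEADER_LEN, inner)


def forward_hop(outer: Datagram) -> Datagram:
    """One router inside the tunnel: only the outer header is touched."""
    if outer.ttl <= 1:
        # The ICMP time-exceeded goes to the outer source, i.e. the tunnel entry, not the original sender.
        raise ValueError("TTL expired inside the tunnel")
    return replace(outer, ttl=outer.ttl - 1)


def decapsulate(outer: Datagram, policy: str) -> Datagram:
    """Tunnel exit: unwrap; under the uniform policy the hops consumed are copied back."""
    inner = outer.inner
    if policy == "uniform":
        inner = replace(inner, ttl=min(inner.ttl, outer.ttl))
    return inner


def ttl_seen_by_inner(policy: str, tunnel_hops: int, start_ttl: int = 64) -> int:
    """TTL of the inner datagram after crossing a tunnel with `tunnel_hops` routers."""
    pkt = Datagram("10.1.1.1", "10.2.2.2", start_ttl, 1000)
    outer = encapsulate(pkt, "1.1.1.1", "2.2.2.2", policy)
    for _ in range(tunnel_hops):
        outer = forward_hop(outer)
    return decapsulate(outer, policy).ttl


def fragments_needed(inner_length: int, link_mtu: int) -> int:
    """How many IPv4 fragments the outer datagram needs on a link with `link_mtu`."""
    outer_length = inner_length + IP_HEADER_LEN
    if outer_length <= link_mtu:
        return 1
    per_fragment = (link_mtu - IP_HEADER_LEN) // 8 * 8   # fragment payload is a multiple of 8 bytes
    return math.ceil((outer_length - IP_HEADER_LEN) / per_fragment)


if __name__ == "__main__":
    for policy in ("pipe", "uniform"):
        print(policy, "inner TTL after a 3-hop tunnel:", ttl_seen_by_inner(policy, 3))
    print("1500-byte datagram over a 1500-byte link:", fragments_needed(1500, 1500), "fragments")
    print("1500-byte datagram over a 9000-byte link:", fragments_needed(1500, 9000), "fragment")
```

The fragmentation figure is the everyday case: a full-size 1500-byte datagram entering an IP-in-IP tunnel over ordinary Ethernet always becomes two fragments, one of them tiny, which is why the slide points at jumbo frames in the backbone.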

Page 22: NATs, VPNs, etc

Virtual Private Networks

Page 23: NATs, VPNs, etc

Virtual Private networks

• You want to use a global network to communicate between private sub-networks
• The reason is primarily economic (leased lines are expensive)
• You tunnel traffic between the subnetworks
• You may also need to ensure privacy and integrity

[Figure: three private networks connected over a global network]

Page 24: NATs, VPNs, etc

Addressing and security

• Public IP networks are public and have only one address domain.
• You may want to separate your private traffic from the global traffic (addressing)
• You may want to secure your traffic (encryption, authentication)
• Provider-based VPNs (peer)
  – You trust your provider (no encryption or authentication)
  – Guaranteed resources
  – Provider adds service – more costly
  – One provider / set of providers only
• Customer-based VPNs (overlay)
  – Do it yourself using IPSEC tunneling
  – Cheap solution
  – Best effort – no guarantees
  – You can run over the Internet
  – Encryption / authentication important

Page 25: NATs, VPNs, etc

Tunneling in VPNs

• Your private datagrams are encapsulated within a global datagram
• Privacy: Encrypt the inner datagram
• Integrity: Ensure data is not changed
• Authentication: You can trust that it came from the right sender
• Tunneling is again used: encrypt/authenticate the inner datagram

[Figure: inner datagram (private addressing, IP header + payload) encrypted/authenticated and carried inside an outer datagram (global addressing)]

Page 26: NATs, VPNs, etc

VPN simple architecture

• The simplest VPNs are point-to-point tunnels to a central site
• Tunneling with encryption/authentication is used
• Available in several variants on all modern operating systems

[Figure: point-to-point tunnels over an IP network to a main LAN]

Page 27: NATs, VPNs, etc

More advanced VPNs

• More complex VPNs interconnect several network 'islands'
• In a static solution, tunnels need to be set up manually
  – Full mesh: set up tunnels between all pairs of peers
  – Hub-and-spoke: set up tunnels to a (set of) central site(s)
• In a dynamic solution, tunnels are set up automatically. Sometimes BGP is used for signaling: setting up the tunnels on demand.

[Figure: three LANs interconnected over the Internet]

Page 28: NATs, VPNs, etc

VPN on different layers

• L3VPN: Interconnects a routed network
• L2VPN: Interconnects a switched network
• Pseudo-wires: static variant of L2VPN
• Virtual Private LAN Services (VPLS): dynamic variant of L2VPN

The figure shows an example of 'full-mesh' L2VPN pseudo-wires. That is, 'virtual' links have been set up between all customer sites. L2 frames (eg Ethernet) are tunneled in IP through the public network.

Page 29: NATs, VPNs, etc

IPSEC VPN

• IPSEC can be used for VPNs
• A sender and receiver agree on a set of security schemes
  – Security Association (SA) – a cleartext index (SPI)
  – The SA includes: encryption algorithm, keys, lifetime, addresses
• IPsec is implemented in the IP header
  – Part of the IP stack, network layer
• IPsec consists of two protocols
  – Privacy: Encapsulating Security Payload (ESP)
  – Authentication, etc: Authentication Header (AH)

[Figure: hosts H1 and H2 behind routers R1 and R2, with a Security Association between R1 and R2 across the Internet]

Page 30: NATs, VPNs, etc

Encapsulating Security Payload - ESP

• ESP encrypts the payload of an IP datagram
  – But ESP also has authentication
  – ESP addresses privacy, but also authentication, etc.
• In tunnel mode, the whole datagram is encrypted
• Some ESP header fields:
  – SA index (SPI), sequence number (may not re-occur), padding

[Figure: ESP packet layouts]
  Original datagram:  IP hdr | TCP hdr | Payload
  Transport mode:     IP hdr (proto: 50) | ESP hdr | TCP hdr | Payload | ESP trailer | ESP auth
                      encrypted: TCP hdr through ESP trailer; authenticated: ESP hdr through ESP trailer
  Tunnel mode:        New IP hdr (proto: 50) | ESP hdr | IP hdr | TCP hdr | Payload | ESP trailer | ESP auth
                      encrypted: IP hdr through ESP trailer; authenticated: ESP hdr through ESP trailer
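The following is an added example, not code from the lecture, covering the SA/SPI lookup of page 29 and the ESP framing and sequence-number check of page 30. It builds ESP packets in tunnel and transport mode (header, payload, trailer with padding and next-header byte, authentication value) and processes them at the receiver in the order RFC 4303 prescribes: SPI lookup, anti-replay pre-check, integrity check, and only then the window update, so that a forged packet cannot move the window. Encryption itself is not performed (the standard library has no AES); the code marks the span a cipher would cover, and the authentication value is HMAC-SHA256 truncated to 12 bytes. Keys, SPIs, the inner datagram and the window size are constructed.

```python
"""Added example (not from the lecture slides): ESP framing, the SPI lookup and
the sequence-number anti-replay check, as on pages 29-30.

Encryption is not performed (the standard library has no AES); the code marks
the span a cipher would cover and computes the ESP authentication value over
the span ESP authenticates (header, payload and trailer) with HMAC-SHA256
truncated to 12 bytes. The anti-replay window follows RFC 4303 Appendix A.
Keys, SPIs and the inner datagram are constructed sample values.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_PROTO = 50        # IP protocol number carried in the outer header
IPIP_NEXT_HEADER = 4  # tunnel mode: the ESP payload is a complete IP datagram
ICV_LEN = 12


@dataclass
class SecurityAssociation:
    spi: int
    auth_key: bytes
    seq: int = 0           # sender: last sequence number used (must never repeat)
    window: int = 64       # receiver: anti-replay window size
    top: int = 0           # receiver: highest sequence number accepted so far
    bitmap: int = 0        # receiver: bit i set => sequence number top - i was received


def build_esp(sa: SecurityAssociation, payload: bytes, next_header: int, block_size: int = 4) -> bytes:
    """ESP header + payload + trailer (padding, pad length, next header) + ICV."""
    sa.seq += 1
    pad_len = (-(len(payload) + 2)) % block_size           # align the encrypted span to the cipher block
    padding = bytes(range(1, pad_len + 1))                 # RFC 4303 default padding 1, 2, 3, ...
    header = struct.pack("!II", sa.spi, sa.seq)
    to_encrypt = payload + padding + bytes([pad_len, next_header])   # the span a cipher would cover
    icv = hmac.new(sa.auth_key, header + to_encrypt, hashlib.sha256).digest()[:ICV_LEN]
    return header + to_encrypt + icv


def tunnel_mode(sa, inner_datagram: bytes) -> bytes:
    """The whole inner datagram goes inside ESP; a new outer IP header (proto 50) goes in front."""
    return build_esp(sa, inner_datagram, IPIP_NEXT_HEADER)


def transport_mode(sa, transport_segment: bytes, proto: int) -> bytes:
    """Only the transport segment goes inside ESP; the original IP header stays outside (proto 50)."""
    return build_esp(sa, transport_segment, proto)


def replay_check(sa, seq: int) -> bool:
    if seq == 0:
        return False
    if seq > sa.top:
        return True
    diff = sa.top - seq
    return diff < sa.window and not (sa.bitmap >> diff) & 1


def replay_update(sa, seq: int) -> None:
    if seq > sa.top:
        sa.bitmap = ((sa.bitmap << (seq - sa.top)) | 1) & ((1 << sa.window) - 1)
        sa.top = seq
    else:
        sa.bitmap |= 1 << (sa.top - seq)


def receive_esp(sa_table: dict, packet: bytes):
    """Receiver processing in RFC 4303 order: SPI lookup, replay pre-check, ICV, then window update."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)
    if sa is None:
        return ("drop: unknown SPI",)
    if not replay_check(sa, seq):
        return ("drop: replayed or stale sequence number",)
    body, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return ("drop: bad ICV",)
    replay_update(sa, seq)             # only an authenticated packet may move the window
    pad_len, next_header = body[-2], body[-1]
    return ("ok", next_header, body[:len(body) - 2 - pad_len])


def demo():
    key = b"constructed-sample-key"
    sender = SecurityAssociation(spi=0x1001, auth_key=key)
    receiver = SecurityAssociation(spi=0x1001, auth_key=key)
    table = {receiver.spi: receiver}
    inner = b"\x45\x00" + b"constructed inner datagram bytes"
    p1, p2, p3 = (tunnel_mode(sender, inner) for _ in range(3))
    tampered = p3[:12] + bytes([p3[12] ^ 0xFF]) + p3[13:]     # flip one byte of the inner datagram
    results = [receive_esp(table, p1), receive_esp(table, p1),    # second delivery is a replay
               receive_esp(table, p2), receive_esp(table, tampered),
               receive_esp(table, p3)]                            # genuine p3 still accepted afterwards
    return [r[0] for r in results], results[0][1], results[0][2]


if __name__ == "__main__":
    print(demo())
```

The order of checks is the point: the tampered copy of packet 3 is rejected on the ICV and leaves the window untouched, so the genuine packet 3 is still accepted afterwards, whereas the honest duplicate of packet 1 is caught by the sequence-number check before any cryptography is done.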