NATs, VPNs, etc

  • 1

    Lecture 14: Translation, tunneling, filtering

    NATs, VPNs, firewalls

    Olof Hagsand KTH CSC

    DD2393/EP2120 p1 2011

  • 2

    Literature

    Forouzan Chapter 5.5 - NAT. Note that NAT figure 5.41 and Table 5.3 can be confusing; use the figures in the lecture slides instead.

    Forouzan Chapter 30.1, Fig 30.14 - VPNs. Very limited coverage of VPNs, and only in the context of IPSEC.

    Forouzan Chapter 30.4 - Firewalls. Read a computer security course!

  • 3

    Address translation

    How do you translate from one address space to another?

    Network Address Translation (NAT): private IP <-> global IP. The original reason for address translation with NAT was the lack of IPv4 address space.

    IPv6 NAT: IPv4 <-> IPv6. Mapping between IPv6-only and IPv4 networks.

    'Carrier-grade' NAT: NAT in operator networks.

    How is the mapping established? Either statically configured, or on demand, established from one side, which makes duplex communication difficult.

    Sequences of address translations (e.g. two NATs) are difficult; NAT traversal techniques are required.

    [Figure: address domain A <-> mapping <-> address domain B]

  • 4

    Network Address Translation (NAT)

    Internally many hosts with private addresses: RFC1918 addresses (10/8, 192.168/16, ...). One or a small set of global addresses. A NAT router or switch translates between local/private and global addresses.

    The NAT binding is most often established dynamically from the inside, but static mapping is also used. You also need (UDP/TCP) ports to extend the mapping; this is sometimes called network address port translation (NAPT/PAT).

    [Figure: private hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a NAT with global address 200.24.5.8, talking to the global host 25.8.2.10]

  • 5

    NAT UDP/TCP example

    NAT binding: 10.0.0.2:1400 <-> 200.24.5.8:2100

    Request, private side:  src 10.0.0.2:1400, dst 25.8.2.10:80
    Request, global side:   src 200.24.5.8:2100, dst 25.8.2.10:80
    Reply, global side:     src 25.8.2.10:80, dst 200.24.5.8:2100
    Reply, private side:    src 25.8.2.10:80, dst 10.0.0.2:1400

    The NAT binding is dynamically established by a connection from the inside, e.g. a TCP SYN.

  • 6

    NAT exercise

    Assume two hosts behind a NAT: 10.1.1.1 and 10.1.1.2. They both start a communication at the same time with TCP to an external web server 2.2.2.2 using port 80. The NAT has an internal address 10.2.2.2 and a (single) global address 3.3.3.3.

    Show the address/port of the two TCP SYN segments inside and outside the NAT. What is the NAT binding?

    The server replies with SYN/ACK to both requests. Show the address/port of the two TCP SYN/ACK segments inside and outside the NAT.

    What would be different if the two SYNs were sent from the same host (e.g. 10.1.1.1)?

  • 7

    NAT and ICMP

    ICMP does not have ports, so how can you map ICMP flows from/to different internal hosts? You need 'tricks' to map the reply to the original request.

    ICMP queries (e.g. Echo) have an identifier field (and a sequence number). Some OSes use the same identifier for all hosts, so you can only ping one external host from one internal host; you need different identifiers for different hosts to make this work.

    ICMP error messages: the payload of the ICMP message carries the header of the datagram that could not be delivered.

  • 8

    NAT ICMP query example

    NAT binding: 10.0.0.2:4567 <-> 200.24.5.8:4567 (address plus ICMP identifier)

    Request, private side:  src 10.0.0.2, ident 4567, dst 25.8.2.10
    Request, global side:   src 200.24.5.8, ident 4567, dst 25.8.2.10
    Reply, global side:     src 25.8.2.10, ident 4567, dst 200.24.5.8
    Reply, private side:    src 25.8.2.10, ident 4567, dst 10.0.0.2

    The NAT binding uses the ICMP query identifier and the source address. It is only unique if every host uses different identifiers for different external hosts.

  • 9

    NAT header rewrite

    Example: TCP/IP SYN packet sent from the inside. The following coloured fields are rewritten:

    [Figure: IPv4 header (version, hlen, tos, total length, identification, fragment fields, ttl, protocol, header checksum, src addr, dst addr) and TCP header (source port, destination port, sequence number, acknowledgement number, header length, reserved, flags, window size, TCP checksum, urgent pointer); the fields rewritten by the NAT are coloured in the original slide]
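To make the header rewrite concrete, here is an added Python example (not the lecture's code) that builds a constructed SYN with the addresses from the UDP/TCP example slide, applies the NAPT rewrite of an outgoing packet, and recomputes both checksums. It assumes 20-byte IP and TCP headers without options, so the byte offsets in NAT_FIELDS are fixed.

```python
import struct

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def build_syn(src_ip, src_port, dst_ip, dst_port, seq=1000) -> bytes:
    """Constructed IPv4 + TCP SYN (20-byte headers, no options, no payload)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = ip4(src_ip) + ip4(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:] + tcp

def nat_rewrite_outbound(pkt: bytes, new_ip: str, new_port: int) -> bytes:
    """SYN leaving the private side: rewrite IP source address and TCP source port, then
    recompute both checksums (the TCP pseudo-header covers the addresses, so it changes too)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:16] = ip4(new_ip)
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[0:2] = struct.pack("!H", new_port)
    tcp[16:18] = b"\0\0"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)

def checksums_ok(pkt: bytes) -> bool:
    """Receiver's check: summing a header together with its checksum field gives zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0

# Byte ranges of the fields a NAPT touches on the outbound path (20-byte IP header assumed).
NAT_FIELDS = {(10, 12): "ip.checksum", (12, 16): "ip.src", (20, 22): "tcp.sport", (36, 38): "tcp.checksum"}

def changed_fields(before: bytes, after: bytes) -> list:
    """Names of the header fields whose bytes differ between the two packets."""
    diff = {i for i, (x, y) in enumerate(zip(before, after)) if x != y}
    return sorted(name for (lo, hi), name in NAT_FIELDS.items() if diff & set(range(lo, hi)))
```

Comparing the packet before and after the rewrite shows exactly four fields changed, and a rewrite that forgets the checksums produces a packet the receiver discards.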

  • 10

    NAT address filtering

    With just a binding, other peers can use the hole in the NAT opened by an initial communication ('hole punching'). A NAT may also filter to restrict which external peers can communicate with the internal host. The idea is that only the destination used for the binding is allowed to use the hole; this is typically the destination of a connection initiated from the inside.

    NAT filtering is not standardized; it varies between NAT boxes, which makes NAT traversal difficult. Some variants are shown in the next slides.

    Why is there filtering? Mainly for 'security' reasons, although NATs should not really be used for security.

  • 11

    Example filtering: 'Full cone'

    Full cone NAT: no filtering. 32.4.5.6 can use the hole opened by the access to 25.8.2.10.

    NAT binding: 10.0.0.2:1400 <-> 200.24.5.8:2100
    NAT filtering: *:* (any external source accepted)

    Private side, traffic with the second peer:  src 10.0.0.2:1400, dst 32.4.5.6:80 and src 32.4.5.6:80, dst 10.0.0.2:1400

    [Figure: both 25.8.2.10 and 32.4.5.6 reach 10.0.0.2 through the same binding]

  • 12

    Example filtering: 'Symmetric'

    Symmetric NAT: 32.4.5.6 can not use the entry; only 25.8.2.10:80 is accepted as source address.

    NAT binding: 10.0.0.2:1400 <-> 200.24.5.8:2100
    NAT filtering: 25.8.2.10:80 (packets from 32.4.5.6 are blocked)

    Other filterings: restricted port / restricted cone.

  • 13

    NAT and other applications

    Problem: addresses and port numbers may also be present in the payload. FTP and SIP print the port numbers converted into ASCII in the payload during connection set-up; IPSEC encrypts datagrams including the ports; etc, etc.

    The figure shows an application protocol sending a private address in the payload. In the global address space, the private address 10.0.0.100 in the payload is not translated (only the IP/TCP header is). So NAT needs to be made application-specific.

    [Figure: NAT binding 10.0.0.2:1400 <-> 200.24.5.8:2100; the private address 10.0.0.100 referenced in the payload appears unchanged on the global side]

  • 14

    NAT traversal techniques

    In order to communicate over NATs in other ways than client/server, the protocols affected need to perform NAT traversal. Why would applications need to do that? The telephone is peer-to-peer, ... Especially low-latency applications (e.g. Voice over IP), but to some extent also bandwidth-intense applications.

    There are several NAT-traversal protocols: 'STUN' (client/server NAT detection and traversal), 'TURN', NAT-T for IPSEC, Teredo for IPv6.

    Many peer-to-peer applications use special (ad-hoc) techniques to bypass NAT: UDP/TCP 'hole punching', sending 'speculative' packets in both directions, a global third party not behind NAT, overloading of well-known ports (e.g. port 80).

  • 15

    Exercise: NAT traversal - UDP hole punching

    The goal is to establish a direct UDP flow between 10.1.1.1 and 10.2.2.2 by first establishing a binding to 3.3.3.3. Which UDP packets are sent to set up the NAT binding tables? What are the states of the NAT binding tables? Follow a UDP packet from 10.1.1.1 to 10.2.2.2: how do the addresses and ports change as the packet traverses the networks?

    [Figure: two private networks, hosts 10.1.1.1 and 10.2.2.2, each behind its own NAT (global addresses 1.1.1.1 and 2.2.2.2), connected through the Internet to 3.3.3.3]
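To work through the NAT exercises above (two hosts behind one global address, full cone versus symmetric filtering, and this UDP hole-punching exercise) in one place, here is an added Python model of a NAPT box. It is not the lecture's code: the addresses are the slides' constructed values, the first translated port 2100 is borrowed from the UDP/TCP example slide, mode 'symmetric' means the filtering shown on the 'Symmetric' slide (only the exact address:port the host sent to is let back in), and for the hole-punching run it assumes 1.1.1.1 fronts 10.1.1.1 and 2.2.2.2 fronts 10.2.2.2.

```python
class Nat:
    """Added model of a NAPT box (not the lecture's code): one global address,
    bindings created by outbound traffic, optional inbound filtering."""

    def __init__(self, global_ip, mode="full_cone", first_port=2100):
        self.global_ip, self.mode, self.next_port = global_ip, mode, first_port
        self.out = {}   # (priv_ip, port) -> [ext_port, {destinations contacted}]
        self.back = {}  # ext_port -> (priv_ip, port)

    def outbound(self, src, dst):
        """Packet leaving the private side; the binding is created on first use."""
        if src not in self.out:              # hosts share one global IP: tell them apart by port
            self.out[src] = [self.next_port, set()]
            self.back[self.next_port] = src
            self.next_port += 1
        ext_port, peers = self.out[src]
        peers.add(dst)                       # remembered for the inbound filter
        return (self.global_ip, ext_port), dst

    def inbound(self, src, dst):
        """Packet arriving from the global side: translated (src, priv), or None if dropped."""
        priv = self.back.get(dst[1]) if dst[0] == self.global_ip else None
        if priv is None:
            return None                      # no binding, so no hole to use
        peers = self.out[priv][1]
        if self.mode == "restricted_cone" and src[0] not in {p[0] for p in peers}:
            return None                      # only addresses this host has sent to
        if self.mode == "symmetric" and src not in peers:
            return None                      # only the exact address:port the host sent to
        return src, priv


def hole_punch(nat_a, a, nat_b, b, server):
    """UDP hole punching: A and B each contact the rendezvous server (creating
    bindings), learn each other's mapped address from it (out of band here), then
    send directly. Returns whether A->B, B->A and a second A->B got through."""
    a_ext, _ = nat_a.outbound(a, server)
    b_ext, _ = nat_b.outbound(b, server)
    a_to_b = nat_b.inbound(*nat_a.outbound(a, b_ext))   # also widens A's own filter to B
    b_to_a = nat_a.inbound(*nat_b.outbound(b, a_ext))   # B's NAT now knows A as a peer
    a_to_b_again = nat_b.inbound(*nat_a.outbound(a, b_ext))
    return a_to_b is not None, b_to_a is not None, a_to_b_again is not None
```

With filtering NATs the first packet from A is dropped at B's NAT, but it has widened A's filter so B's packet gets through, after which A's retry also arrives.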

  • 16

    Classification and packet filtering

  • 17

    Firewalls

    You want to access the global network, but you want protection from the outside. Packet filter firewalls are the simplest form of firewalls, also called ACLs (access lists) in routers. Many use NAT for security, but this is not its intended use. More advanced firewalls must be aware of application-level semantics; this is also referred to as deep inspection (inspecting application-layer data).

    [Figure: untrusted Internet - firewall router with packet filtering - trusted Intranet]

  • 18

    Classification and filtering

    Based on the packet header (or even payload), classify packets into classes, e.g. all TCP traffic with dst port 80 and source IP address in 193.12.3.4/24. Classes may then be handled in different ways: drop, count, measure, priority, shape, ...

    Stateful inspection: keep state of every TCP/UDP flow and allow reverse traffic. Traffic from the inside opens the firewall for incoming traffic dynamically (cf. dynamic NAT binding).

    Example:
        permit out on eth0 from 77.2.3.0/24 to any proto tcp keep state
        permit input on eth0 proto icmp
        deny default

    [Figure: untrusted Internet reached over eth0; inside network 77.2.3.0/24]
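The three rules above as a small stateful packet filter, added here as a Python example (not the lecture's code): first matching rule wins, 'deny default' applies otherwise, and a rule with keep state records the flow so its reverse direction is admitted dynamically. The packet and rule dicts are a constructed representation; 198.51.100.7 is a constructed external host.

```python
import ipaddress

# The rules from the slide as dicts; a field left out of a rule matches anything.
RULES = [
    {"action": "permit", "dir": "out", "iface": "eth0", "src": "77.2.3.0/24",
     "proto": "tcp", "keep_state": True},
    {"action": "permit", "dir": "in", "iface": "eth0", "proto": "icmp"},
]


class StatefulFilter:
    """Ordered rule list with a default action and a table of flows opened from inside."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = rules, default
        self.flows = set()   # (proto, src, sport, dst, dport) of permitted keep-state flows

    @staticmethod
    def _matches(rule, pkt):
        if rule["dir"] != pkt["dir"] or rule["iface"] != pkt["iface"]:
            return False
        if "proto" in rule and rule["proto"] != pkt["proto"]:
            return False
        if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
            return False
        return True

    def decide(self, pkt):
        """Return 'permit', 'permit (state)' or 'deny' for one packet given as a dict."""
        reverse = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
        if pkt["dir"] == "in" and reverse in self.flows:
            return "permit (state)"           # reply to a flow opened from the inside
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule.get("keep_state"):
                    self.flows.add((pkt["proto"], pkt["src"], pkt.get("sport"),
                                    pkt["dst"], pkt.get("dport")))
                return rule["action"]
        return self.default                   # 'deny default'
```

An unsolicited inbound TCP segment is denied even though the reply to an inside-initiated connection to the same host is admitted; only the flow table tells the two apart.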

  • 19

    Tunneling

  • 20

    Tunneling

    Extended encapsulation: 'break' the layering model by iterating over the same (or a higher) layer. One IP network then acts as a link in another IP network. Tunneling is used in many places: IPv6 deployment, VPNs, Mobile IP.

    There are many different encapsulations: IP-in-IP, IPv6 in IPv4, IPv4 in IPv6; GRE - generic tunneling protocol; Eth-in-IP (VPLS, pseudowire).

    [Figure: inner datagram (IP header + payload) carried as the payload of an outer datagram with its own IP header]

  • 21

    Issues with tunneling

    TTL: decrement the TTL once, or for the complete path? This influences debugging and tracerouting. A failure in the tunnel may not be able to send ICMP back to the original source (only to the tunnel entry).

    MTU (maximum transmission unit): tunneling may cause heavy fragmentation. Many backbones therefore have a high MTU ('jumbo frames').

    [Figure: a header plus payload encapsulated as the payload of an outer IP header]

  • 22

    Virtual Private Networks

  • 23

    Virtual Private Networks

    You want to use a global network to communicate between private sub-networks. The cause is primarily economic (leased lines are exp