Private Network Interconnection Chapter 20


Page 1

Private Network Interconnection

Chapter 20

Page 2

Introduction

• Privacy in an internet is a major concern
  – Contents of datagrams that travel across the Internet may be viewed as they pass across networks owned by other organizations

• Internal datagrams are those sent between computers within an organization

• External datagrams are those sent between computers in different organizations
  – The goal is to keep internal datagrams private, while allowing external communication

Page 3

Private and Hybrid Networks

• Private Networks
  – Use routers to connect networks at each site, and leased digital circuits to interconnect the sites
  – Can use arbitrary IP addresses
  – Are isolated from the Internet

• Hybrid Networks
  – Use valid IP addresses, and sites are connected to the Internet
  – Assured of privacy when communicating internally
  – See the leased circuit and connections to the Internet in Figure 20.1

• Both are expensive; either may require leasing T1 lines

Page 4

Virtual Private Networks

• A VPN uses the Internet to connect sites

• Communication between computers in the VPN is concealed from outsiders
  – tunneling using IP-in-IP encapsulation
  – datagrams are encrypted before they are encapsulated
    • outsiders cannot decrypt because they do not have an encryption key

Page 5

VPN Addressing and Routing

• A VPN routes data through a tunnel
  – See the routing table for R1, which handles tunneling, in Figure 20.3
  – Example
    • A computer on network 128.10.2.0 sends a datagram to a computer on network 128.210.0.0
    • The datagram is forwarded to R2, which forwards it to R1
    • R1 encrypts the datagram, encapsulates it in the data portion of an outer datagram with destination R3, and forwards the outer datagram through the local ISP and across the Internet
    • R3 recognizes the datagram as tunneled from R1
    • R3 decrypts the data area and forwards it to R4 for delivery
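An added example, not from the lecture, that models the exchange of Figure 20.3 and the encapsulation described on the previous slide in Python: R1 matches the inner destination against a tunnel table, encrypts the whole inner datagram, places it in the data area of an outer IPv4 datagram addressed to R3, and R3 recognizes the tunneled datagram and unwraps it. The endpoint addresses, key and tunnel entries are constructed; the XOR keystream cipher is only a placeholder for what IPsec ESP would do, and an integrity tag is included because encryption alone gives R3 no way to detect a forged or altered tunnel datagram.

```python
import hashlib, hmac, struct, ipaddress

PROTO_IPIP = 4                         # protocol number for IP-in-IP encapsulation
R1, R3 = "192.0.2.1", "198.51.100.3"   # constructed addresses of the tunnel endpoints
KEY = b"constructed-shared-key-for-R1-R3"
# Constructed stand-in for the tunnel entries of R1's routing table (Figure 20.3):
# inner destination network -> remote tunnel endpoint
TUNNELS = {ipaddress.ip_network("128.210.0.0/16"): R3}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    words = [0x4500, 20 + payload_len, 0, 0, (64 << 8) | proto, 0]
    words += struct.unpack("!4H", ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed)
    total = sum(words)
    while total >> 16:                                   # fold carries into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    words[5] = (~total) & 0xFFFF                         # ones' complement of the sum
    return struct.pack("!10H", *words)

def keystream_xor(key, nonce, data):
    """Placeholder cipher (XOR with an HMAC keystream); a real VPN uses IPsec ESP."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack("!I", off), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def r1_encapsulate(inner, seq):
    """R1: encrypt the inner datagram and place it in the data area of an outer datagram
    to the far endpoint; None means the destination is not tunneled (forward normally)."""
    dst = ipaddress.IPv4Address(inner[16:20])
    for net, endpoint in TUNNELS.items():
        if dst in net:
            nonce = struct.pack("!Q", seq)               # per-datagram sequence number
            body = nonce + keystream_xor(KEY, nonce, inner)
            tag = hmac.new(KEY, body, hashlib.sha256).digest()[:16]   # integrity tag
            return ipv4_header(R1, endpoint, PROTO_IPIP, len(body) + 16) + body + tag
    return None

def r3_decapsulate(outer):
    """R3: accept only IP-in-IP datagrams from R1 whose tag verifies, then decrypt and
    return the inner datagram for ordinary forwarding (to R4 in the slide's example)."""
    if outer[9] != PROTO_IPIP or outer[12:16] != ipaddress.IPv4Address(R1).packed:
        return None                                      # not a tunnel datagram from R1
    body, tag = outer[20:-16], outer[-16:]
    expect = hmac.new(KEY, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None                                      # forged or altered: drop it
    return keystream_xor(KEY, body[:8], body[8:])
```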

Page 6

A VPN with Private Addresses

• A VPN offers the same addressing options as a private network
  – If Internet connectivity is not used, arbitrary IPs can be assigned
  – If Internet connectivity is used, a hybrid addressing scheme can be used
  – But when private addressing is used, one valid IP address is needed at each site for tunneling

• In Figure 20.4, site 1 uses subnet 10.1.0.0/16 and site 2 uses subnet 10.2.0.0/16

• Two valid IP addresses are required for connection to the Internet

Page 7

A VPN with Private Addresses

• How can a site provide access to the Internet without assigning each host a valid IP address?
  – Using an application gateway: each site has a multi-homed host connected to the Internet (valid IP address) and to the private network (private IP address)
    • This host runs a set of application programs that each handle one service
    • Other hosts at the site send requests to the application gateway, which interacts with the Internet

Page 8

Network Address Translation (NAT)

• Requires a site to have a single connection to the Internet and at least one valid IP address, G
  – Address G is assigned to a multi-homed computer that connects to the Internet and runs NAT software
    • called a NAT box
    • all datagrams pass through it on the way to/from the Internet
  – NAT translates the addresses in the datagrams by
    • replacing the outgoing source address with G
    • replacing the incoming destination address with its private address

Page 9

NAT Translation Table Creation

• How does NAT know the destination for an incoming datagram?
  – NAT maintains a translation table holding the IP address of a host on the Internet and the internal IP address of a host at the site

• How is the table initialized?
  – Manually
  – Outgoing datagrams: set when a datagram is sent
  – Incoming name lookups: set when domain names are requested

Page 10

NAT Translation Table Creation

• Figure 20.5 shows an ISP that serves dial-up customers
  – The ISP assigns an IP address to a customer when the customer dials in
  – NAT allows the ISP to assign private addresses
    • 10.0.0.1, then 10.0.0.2, etc.
  – When a customer sends a datagram to a destination on the Internet, NAT uses the outgoing datagram to initialize its translation table

Page 11

Multi-Address NAT

• The NAT box can be allowed to hold multiple Internet addresses
  – Previously we only allowed a 1-to-1 address mapping
    • At most one computer at the site has access to a given machine on the Internet at any time
  – This variation is multi-address NAT
    • A NAT box has a set of K valid addresses G1, G2, … GK
    • When the first host accesses a destination, G1 is assigned
    • If another host accesses the same destination, G2 is assigned, and so on
    • Thus, up to K internal hosts may access a destination at the same time

Page 12

Port-Mapped NAT

• This variation of NAT translates TCP or UDP port numbers as well as addresses (NAPT)
  – The table contains the source and destination IP addresses and the source and destination protocol ports
  – The table also indicates a port number used by the NAT box, as shown in Figure 20.6

Page 13

Interaction Between NAT and ICMP

• NAT must handle ICMP

• Example
  – When ping is used, ICMP sends an echo request and an echo reply
  – NAT does not forward all ICMP messages from the Internet
    • NAT determines whether the message is to be handled locally or sent to an internal host
    • Before forwarding, NAT translates the ICMP message
  – ICMP's destination unreachable message is an example (it carries the header of the datagram that caused it, so that copy must be translated too)

Page 14

Interaction Between NAT and Applications

• NAT does not work with applications that send IP addresses or protocol ports as data
  – unless NAT is programmed to recognize the application (like FTP) and make changes in the data
  – most implementations of NAT only recognize a few standard services
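An added example, not part of the lecture, that models in Python the port-mapped NAT table of Figure 20.6 together with the rule from slide 9 that outgoing datagrams create table entries, and the FTP case from this slide, where the NAT box must rewrite an address and port that travel as data. Address G, the NAT port range and the minimal Datagram model are constructed; unsolicited inbound datagrams with no matching row are dropped, which is the side effect a defender relies on from NAT.

```python
from dataclasses import dataclass

G = "203.0.113.1"          # constructed: the site's single valid address, held by the NAT box
FTP_CTRL, FTP_DATA = 21, 20

@dataclass
class Datagram:            # constructed minimal packet model: addresses, ports, payload
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

class NAPT:
    """Port-mapped NAT (Figure 20.6): each table row holds (internal addr, internal port,
    remote addr, remote port) and is keyed by the port the NAT box uses on the Internet side."""
    def __init__(self, first_port=40000):
        self.table, self.by_flow, self.next_port = {}, {}, first_port

    def _map(self, flow):
        """Return the NAT port for a flow, creating a table row on first use."""
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.table[self.next_port] = flow
            self.next_port += 1
        return self.by_flow[flow]

    def outgoing(self, pkt):
        """Site -> Internet: the outgoing datagram sets the table; source is rewritten to G."""
        nport = self._map((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        payload = pkt.payload
        if pkt.dport == FTP_CTRL and payload.startswith(b"PORT "):
            payload = self._rewrite_ftp_port(pkt.src, pkt.dst, payload)
        return Datagram(G, nport, pkt.dst, pkt.dport, payload)

    def _rewrite_ftp_port(self, host, server, payload):
        """FTP sends the client's address and data port as data, so the NAT box must rewrite
        them and pre-create the row for the server's data connection from port 20."""
        fields = [int(x) for x in payload[5:].strip().split(b",")]
        nport = self._map((host, fields[4] * 256 + fields[5], server, FTP_DATA))
        return b"PORT %s,%d,%d\r\n" % (G.replace(".", ",").encode(), nport // 256, nport % 256)

    def incoming(self, pkt):
        """Internet -> site: forward only datagrams that match a table row, else drop."""
        row = self.table.get(pkt.dport)
        if pkt.dst != G or row is None or row[2:] != (pkt.src, pkt.sport):
            return None            # no row: the NAT box cannot know an internal destination
        return Datagram(pkt.src, pkt.sport, row[0], row[1], pkt.payload)
```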

Page 15

Slirp and Masquerade

• Two implementations of NAT came from UNIX
  – slirp
    • A computer with a private address dials in
    • The computer starts PPP and gets access to the Internet
  – masquerade
    • Can be configured to operate like a router between two networks

Page 16

Summary

• A VPN allows an organization to use the Internet to connect multiple sites

• It uses encryption to guarantee privacy

• A VPN can be isolated or hybrid

• To communicate between hosts in different address domains
  – application gateways
    • act like a proxy, receiving requests from a host in one domain and relaying them to a host in a different domain
  – NAT provides access to the Internet from a host with a private address

Page 17

For Next Time

• Read Chapter 21