bob.test


Upload: keiji

Post on 04-Jan-2016

TRANSCRIPT

Page 1: Bob.test

04/20/23 Home Networking 1

Bob.test

• Have Road Runner
• Unhappy about reports of constant probes of machines
• Policy decision
  – I want to prevent unauthorized probes/connection attempts on my machines
• Mechanism
  – Purchase some sort of firewall for my home network

Page 2: Bob.test

Configuration

[Diagram: Internet – Cable Modem – Router – home machines (Grumpy, Reiker, Desktops)]

Page 3: Bob.test

Private IP Addresses

• The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (RFC1597):
  – 10.0.0.0 - 10.255.255.255 (class A)
  – 172.16.0.0 - 172.31.255.255 (class B)
  – 192.168.0.0 - 192.168.255.255 (class C)
• These addresses are not routable
  – Meaning that they will not be routed by an ISP

Page 4: Bob.test

Address Management

[Diagram: Internet – Cable Modem – Router – Grumpy, Reiker, Desktops, with the address labels below]
  – Outside address: 66.67.3.170, assigned via DHCP (RR)
  – Router: 192.168.1.254
  – Grumpy: 192.168.1.1
  – Reiker: 192.168.1.2
  – Desktops: assigned via DHCP (grumpy) (192.168.0.100 – 192.168.0.200)

Page 5: Bob.test

How Does This Help?

[Diagram: Internet – Cable Modem – Router – Grumpy 192.168.1.1, Reiker 192.168.1.2, Desktops assigned via DHCP (grumpy) (192.168.0.100 – 192.168.0.200)]

• Because these use private addresses, they cannot be used beyond the router
• Can’t get in or out!!!

Page 6: Bob.test

Mystery

• Mouse opens a TCP connection to the CS department’s web server
  – Grumpy’s address is 192.168.1.1
  – Destination is 129.21.30.29
  – The packet arrives at RIT
  – RIT responds – but 192.168.1.1 is a private address and will not be routed through the Internet
  – How does Grumpy communicate with the outside world?

Page 7: Bob.test

Network Address Translation

• Network Address Translation (NAT) makes this all possible (RFC2663 & RFC2766)
  – Private traffic for the Internet arrives at the router (sometimes called a NAT box)
  – The router changes the source IP address to the “real” IP address
  – Packet is sent as usual
  – Reply arrives at router
  – Now what? How do we know what private address to route it to?

Page 8: Bob.test

A Little TCP

[Diagram: 192.168.1.1:2004 <-> 129.21.30.29:1024]

Both endpoints, together, uniquely define a TCP connection (192.168.1.1,2024, 129.21.30.29,1024)

Outbound packet:   Dest: 129.21.30.29:1024   Src: 192.168.1.1:2024
Reply packet:      Dest: 192.168.1.1:2024    Src: 129.21.30.29:1024

Page 9: Bob.test

Address Translation

[Diagram: 192.168.1.1:2004 – NAT Box – 129.21.30.29:1024]

Grumpy -> NAT box:    Dest: 129.21.30.29:80    Src: 192.168.1.1:2024
NAT box -> server:    Dest: 129.21.30.29:80    Src: 66.67.3.170:2024
Server -> NAT box:    Dest: 66.67.3.170:2024   Src: 129.21.30.29:80
NAT box -> Grumpy:    Dest: 192.168.1.1:2024   Src: 129.21.30.29:80

Page 10: Bob.test

How to Route?

• If a NAT box is managing several TCP connections, how does it know who to route incoming packets to?
  – Key is port numbers
    • (IPsrc, Portsrc, IPdest, Portdest)
  – Create map
    • Key (Portsrc, IPdest, Portdest)
    • Value (IPsrc)
  – Why have Portsrc in the key?

Page 11: Bob.test

Problem

[Diagram: 192.168.1.1:2004 and 192.168.1.2:2004 – NAT Box – 129.21.30.29:80]

Grumpy -> NAT box:    Dest: 129.21.30.29:80   Src: 192.168.1.1:2024
Reiker -> NAT box:    Dest: 129.21.30.29:80   Src: 192.168.1.2:2024
NAT box -> server:    Dest: 129.21.30.29:80   Src: 66.67.3.170:1024
NAT box -> server:    Dest: 129.21.30.29:80   Src: 66.67.3.170:1024

Both private hosts chose source port 2024 to the same server and port, so the map key (Portsrc, IPdest, Portdest) is identical for both connections and the NAT box cannot tell which host a reply belongs to.

Page 12: Bob.test

NAPT

• Includes port numbers in the translation
  – Client actually opens connection with NAT box (thus has unique end points)
  – NAT box in turn opens connection with real server (again unique end points)
  – Now when packet arrives from server it has NAT assigned port as destination
• The term NAT is often used in place of NAPT

Page 13: Bob.test

NAPT Translation Table

Private Address   Private Port   External Address   External Port   NAT Port   Protocol Used
192.168.1.1       2024           129.21.30.29       80              14003      TCP
192.168.1.2       2024           129.21.30.29       80              14004      TCP
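The NAPT table of pages 10 through 13 in working form, as an added example that is not part of the slides: the box keys inbound packets on (external address, external port, NAT port, protocol), so the two hosts that both picked source port 2024 (the page 11 collision) get distinct NAT ports, and a packet that matches no entry, such as an unsolicited probe, is dropped. The class name, the starting NAT port 14003 and the `is_private` check are assumptions taken from the slide values.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# The three private blocks named on page 3 (RFC1597, today RFC1918).
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True if addr falls in one of the three reserved private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

Endpoint = Tuple[str, int]

class NaptBox:
    """Minimal NAPT table: (ext addr, ext port, NAT port, proto) -> (private addr, private port)."""

    def __init__(self, public_ip: str, first_nat_port: int = 14003):
        self.public_ip = public_ip
        self.next_nat_port = first_nat_port  # assumption: allocate upward from 14003 as on page 13
        self.inbound_map: Dict[Tuple[str, int, int, str], Endpoint] = {}
        self.outbound_map: Dict[Tuple[str, int, str, int, str], int] = {}

    def outbound(self, src: str, sport: int, dst: str, dport: int,
                 proto: str = "TCP") -> Endpoint:
        """Rewrite the source of a private -> Internet packet; returns the new (src, sport)."""
        if not is_private(src):
            raise ValueError(f"{src} is not a private address; refusing to translate")
        flow = (src, sport, dst, dport, proto)
        nat_port = self.outbound_map.get(flow)
        if nat_port is None:  # first packet of this flow: allocate a fresh NAT port
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.outbound_map[flow] = nat_port
            self.inbound_map[(dst, dport, nat_port, proto)] = (src, sport)
        return self.public_ip, nat_port

    def inbound(self, src: str, sport: int, dport: int,
                proto: str = "TCP") -> Optional[Endpoint]:
        """Look up an Internet -> router packet by its NAT-port key. None means no inside
        host opened this connection, so the packet is dropped (page 5: can't get in)."""
        return self.inbound_map.get((src, sport, dport, proto))

if __name__ == "__main__":
    box = NaptBox("66.67.3.170")
    # Grumpy and Reiker both use source port 2024 to the same server (page 11).
    print(box.outbound("192.168.1.1", 2024, "129.21.30.29", 80))  # ('66.67.3.170', 14003)
    print(box.outbound("192.168.1.2", 2024, "129.21.30.29", 80))  # ('66.67.3.170', 14004)
    print(box.inbound("129.21.30.29", 80, 14004))  # ('192.168.1.2', 2024)
    print(box.inbound("129.21.30.29", 80, 2024))   # None: no matching entry, dropped
```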

Page 14: Bob.test

NAPT Translation

[Diagram: 192.168.1.1:2004 and 192.168.1.2:2004 – NAT Box – 129.21.30.29:80; packet labels as on the slide:]

Dest: 129.21.30.29:80   Src: 192.168.1.1:2024
Dest: 129.21.30.29:80   Src: 66.67.3.170:14004
NAT Box
Dest: 129.21.30.29:80   Src: 66.67.3.170:14003
Dest: 129.21.30.29:80   Src: 192.168.1.1:2024

Page 15: Bob.test

Common Characteristics

• All flavors of NAT devices should share the following characteristics.
  – Transparent address assignment.
  – Transparent routing through address translation. (Routing here refers to forwarding packets, and not exchanging routing information.)
  – ICMP error packet payload translation.