Recall: Lec-6
• Sybil attacks and defenses:
- What is a sybil attack
- How to defend against sybil attacks
- Case study: DSybil
- Case study: SybilGuard
P2P vs Global Companies
• In P2P years:
- Any node can message other nodes out of the blue
- Early Internet applications were P2P topology
- All the peers were individual machines on the public Internet
• The Internet succeeded and evolved:
- PC networking revolution
- More and more nontechnical users accessed the Internet
- IP address pressure from the 32-bit IP address space
- Security, protection and management issues
The Internet Evolved
• What happened?
- Big companies offer global services
- Firewalls and NATs were proposed to fix the above issues
- Originally separate; now bundled into the same box
- Back to the “client/server” model from the peer-to-peer model
The Internet Evolved
• Timeline:
- 1999: P2P Time (Napster and BitTorrent; unstructured P2P; DHTs)
- GFS [2003], MapReduce [2004]
- 2005-2007: Cloud Time (cloud computing; cloud storage; cloud middle-box; ...)
- Smart devices
- Firewalls & NATs became popular
• Cloud companies need to do access control to manage enterprise networks!
Firewalls
• Firewalls were proposed to fix security problems:
- Public networks and private networks
- Inside: internal hosts assumed to be “friendly by default”
- Outside: public, external hosts assumed to be “unfriendly by default”
[Figure: Internal Network behind the firewall]
• Administrators define access policies:
- Allow certain applications, disallow others
- Write rules or policies to manage internal networks
Firewalls
• How does a typical firewall work:
- Look at the first packet on a connection
- Make a decision based on the policies
- For allowed connections, the first packet causes the firewall to create an entry in a flow table
- Subsequent packets in either direction are allowed if there is a flow table entry
- A flow is usually identified by its 5-tuple (source IP and port, dest IP and port, type of protocol)
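The following is an added worked example, not code from the lecture: a toy stateful firewall in Python that does exactly what the bullets above describe. The first packet of a connection is checked against an ordered policy (first match wins, default drop, as in an iptables INPUT chain); an accepted first packet creates a flow-table entry keyed by the 5-tuple, and later packets in either direction are passed on a flow-table hit without consulting the policy. The Packet and Rule records, the addresses 203.0.113.9 and 10.0.0.5 and the sample traffic are constructed; the rule set mirrors the lecture's iptables example.

```python
"""Toy stateful firewall: policy decides the first packet of a connection,
a flow table keyed by the 5-tuple decides every later packet.
Added example for these notes, not lecture code; all records and sample
packets below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow_key(self):
        """5-tuple identifying the flow, normalised so that both directions
        of one connection map to the same flow-table entry."""
        a = (self.src_ip, self.src_port)
        b = (self.dst_ip, self.dst_port)
        return (self.proto,) + tuple(sorted((a, b)))


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    proto: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port
    src_ip: Optional[str] = None    # None matches any source address

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src_ip is None or self.src_ip == pkt.src_ip))


class StatefulFirewall:
    def __init__(self, rules, default="drop"):
        self.rules = list(rules)
        self.default = default
        self.flows = set()  # established flows, keyed by normalised 5-tuple

    def decide(self, pkt: Packet) -> str:
        """Return "accept" or "drop" for one packet.  Packets of an established
        flow are accepted in either direction without consulting the policy;
        anything else is the first packet of a connection and is matched
        against the rules in order, first match wins, like iptables."""
        key = pkt.flow_key()
        if key in self.flows:
            return "accept"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.flows.add(key)  # open the flow for both directions
                return rule.action
        return self.default


def demo() -> dict:
    # Policy in the same order as the lecture's iptables example.  Because the
    # chain is first-match, the DROP for 172.168.14.6 is reached only by
    # packets that did not already match an ACCEPT above it.
    fw = StatefulFirewall([
        Rule("accept", proto="udp", dst_port=80),
        Rule("accept", proto="tcp", dst_port=22),
        Rule("accept", proto="tcp", dst_port=80),
        Rule("drop", proto="tcp", src_ip="172.168.14.6"),
    ])
    # Constructed sample traffic: client 203.0.113.9 talks to server 10.0.0.5.
    syn = Packet("tcp", "203.0.113.9", 50000, "10.0.0.5", 22)
    reply = Packet("tcp", "10.0.0.5", 22, "203.0.113.9", 50000)
    other = Packet("tcp", "203.0.113.9", 50001, "10.0.0.5", 443)
    bad_ssh = Packet("tcp", "172.168.14.6", 40000, "10.0.0.5", 22)
    bad_other = Packet("tcp", "172.168.14.6", 40001, "10.0.0.5", 8080)
    return {
        "syn": fw.decide(syn),              # first packet, matches tcp/22 ACCEPT
        "reply": fw.decide(reply),          # reverse direction, flow-table hit
        "other": fw.decide(other),          # no rule for 443 -> default drop
        "bad_ssh": fw.decide(bad_ssh),      # tcp/22 ACCEPT precedes the DROP
        "bad_other": fw.decide(bad_other),  # falls through to the host DROP
        "flows": len(fw.flows),             # two connections were opened
    }
```

The `bad_ssh` result is the point to notice: a per-host DROP placed below per-port ACCEPT rules does not block that host on those ports, which is one reason the lecture later says a complex firewall is hard to reason about.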
Firewall Example (in iptables)
....
iptables -A INPUT -p udp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 172.168.14.6 -j DROP
iptables -A INPUT -m limit --limit 6/second -p tcp -j ACCEPT
....
Rules in a chain are evaluated top to bottom and the first terminating match wins, so with this ordering TCP packets from 172.168.14.6 to ports 22 or 80 are accepted by the earlier rules before the DROP is ever reached.
[Figure: iptables (user-space tool) configures Netfilter hooks inside the Linux Kernel]
Firewalls
• Pros and Cons:
- Pros: They do filter out a huge amount of harmful traffic
- Cons: Bad guys can still bypass the firewall via other ways
- Cons: It is hard to reason about a complex firewall
A Simple NAT Example
[Figure: internal host 192.168.2.2 behind a NAT with public address 1.1.1.8 sends to external host 1.1.1.4]
- Packet from the internal host: S=192.168.2.2:4445 D=1.1.1.4:7777
- NAT translation table entry: 192.168.2.2:4445 -> 1.1.1.8:10100
- Packet after the NAT: S=1.1.1.8:10100 D=1.1.1.4:7777
NAT (Network Address Translation)
• NATs were proposed to fix IP address pressure:
- Internal hosts are assigned private IP addresses
- Internal host initiates a flow from internal to external
- NAT intercepts the first packet and allocates a public source port using the NAT’s own public IP address
- NAT maintains a translation table: internal IPs and ports -> external IPs and ports
- Uses the table to perform the same mapping in reverse on subsequent incoming packets of the flow
IPv4 Private IP Addresses
• According to Internet Engineering Task Force (IETF) document RFC-1918:
- 10.0.0.0/8: 10.0.0.0 -- 10.255.255.255
- 172.16.0.0/12: 172.16.0.0 -- 172.31.255.255
- 192.168.0.0/16: 192.168.0.0 -- 192.168.255.255
NAT (Network Address Translation)
• NATs also address ease of use:
- NAT only needs to buy one public IP address from the ISP
- Internal hosts only need to know their internal IP addresses
- Users in the companies just plug in the cables without knowing their IP addresses
UDP Hole Punching
To write applications for today’s global Internet, we need to work around the ubiquity of firewalls and NATs.
• How can we make downstream traffic talk with specific hosts in the internal network?
• How can we make two hosts behind two NATs communicate with each other?
Four Different Categories of NATs
• NATs have four different categories:
- Full cone NAT
- Restricted cone NAT
- Port restricted cone NAT
- Symmetric NAT
Full Cone NAT
• A full cone NAT is a NAT where all the requests from the same internal IP address and port are mapped to the same public IP and port.
• Once a mapping is created, all incoming traffic to the public address is routed to the internal host without checking the address of the remote host.
Full Cone
[Figure: full cone NAT 1.1.1.4; Host A 192.168.2.2 inside; Host B 1.1.1.5 and Host C 1.1.1.6 outside]
1. A -> B: S=192.168.2.2:4445 D=1.1.1.5:7777, leaves the NAT as S=1.1.1.4:10100 D=1.1.1.5:7777
   Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100; Policy: Allow ALL to 1.1.1.4:10100
2. B -> A: S=1.1.1.5:4321 D=1.1.1.4:10100, delivered as S=1.1.1.5:4321 D=192.168.2.2:4445
3. C -> A: S=1.1.1.6:1234 D=1.1.1.4:10100, delivered as S=1.1.1.6:1234 D=192.168.2.2:4445 (no prior contact with C was needed)
Restricted Cone NAT
• A restricted cone NAT: like a full cone NAT, all requests from the same internal IP address and port are mapped to the same public IP and port.
• Unlike a full cone NAT, a remote host with IP x can send a packet to the internal host only if the internal host had previously sent a packet to IP x.
Restricted Cone
[Figure: restricted cone NAT 1.1.1.4; Host A 192.168.2.2 inside; Host B 1.1.1.5 and Host C 1.1.1.6 outside]
1. A -> B: S=192.168.2.2:4445 D=1.1.1.5:7777, leaves the NAT as S=1.1.1.4:10100 D=1.1.1.5:7777
   Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100; Policy: Allow 1.1.1.5 to 1.1.1.4:10100
2. B -> A: S=1.1.1.5:4321 D=1.1.1.4:10100, delivered as S=1.1.1.5:4321 D=192.168.2.2:4445
3. C -> A: S=1.1.1.6:1234 D=1.1.1.4:10100 ✘ dropped (A has not sent anything to 1.1.1.6)
4. A -> C: S=192.168.2.2:4445 D=1.1.1.6:7777, leaves the NAT as S=1.1.1.4:10100 D=1.1.1.6:7777
   Policy now: Allow 1.1.1.5 to 1.1.1.4:10100; Allow 1.1.1.6 to 1.1.1.4:10100
5. C -> A: S=1.1.1.6:4321 D=1.1.1.4:10100, delivered as S=1.1.1.6:4321 D=192.168.2.2:4445
Port Restricted Cone NAT
• A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.
• An external host can send a packet, with source IP x and source port P, to the internal host only if the internal host had previously sent a packet to IP x and port P.
Port Restricted Cone
[Figure: port restricted cone NAT 1.1.1.4; Host A 192.168.2.2 inside; Host B 1.1.1.5 and Host C 1.1.1.6 outside]
1. A -> B: S=192.168.2.2:4445 D=1.1.1.5:7777, leaves the NAT as S=1.1.1.4:10100 D=1.1.1.5:7777
   Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100; Policy: Allow 1.1.1.5:7777 to 1.1.1.4:10100
2. B -> A: S=1.1.1.5:4321 D=1.1.1.4:10100 ✘ dropped (right host, wrong source port)
3. B -> A: S=1.1.1.5:7777 D=1.1.1.4:10100, delivered as S=1.1.1.5:7777 D=192.168.2.2:4445
Symmetric NAT
• A symmetric NAT is a NAT where all requests from the same internal IP and port to a specific destination IP and port are mapped to the same public IP and port.
• If the same internal host sends a packet with the same source IP and port to a different destination, a different mapping is used.
• Only the external host that receives a packet can send a UDP packet back to the internal host.
Symmetric Cone
[Figure: symmetric NAT 1.1.1.4; Host A 192.168.2.2 inside; Host B 1.1.1.5 and Host C 1.1.1.6 outside]
1. A -> B: S=192.168.2.2:4445 D=1.1.1.5:7777, leaves the NAT as S=1.1.1.4:10100 D=1.1.1.5:7777
   Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100 (for destination 1.1.1.5:7777); Policy: Allow 1.1.1.5:7777 to 1.1.1.4:10100
2. B -> A: S=1.1.1.5:7777 D=1.1.1.4:10100, delivered as S=1.1.1.5:7777 D=192.168.2.2:4445
3. A -> C: S=192.168.2.2:4445 D=1.1.1.6:7777, leaves the NAT as S=1.1.1.4:10179 D=1.1.1.6:7777
   Second mapping: 192.168.2.2:4445 <-> 1.1.1.4:10179 (for destination 1.1.1.6:7777); Policy: Allow 1.1.1.6:7777 to 1.1.1.4:10179
4. C -> A: S=1.1.1.6:7777 D=1.1.1.4:10179, delivered as S=1.1.1.6:7777 D=192.168.2.2:4445
5. C -> A: S=1.1.1.6:7777 D=1.1.1.4:10100 ✘ dropped (that mapping belongs to the flow with B)
How to make two hosts behind different NATs communicate with each other?
Two Hosts Behind NATs
[Figure: Host A 192.168.2.2 behind NAT 155.9.3.1 (restricted NAT); Host B 192.168.2.1 behind NAT 132.76.29.7; public Server 18.181.3.3]
1. Host A sends to the server. Its NAT maps 192.168.2.2:4321 to 155.9.3.1:1900 and records “Allow 18.181.3.3 to me”; the server learns Host A: Public (155.9.3.1:1900), Private (192.168.2.2:4321).
2. Host B sends to the server. Its NAT maps 192.168.2.1:9999 to 132.76.29.7:7777 and records “Allow 18.181.3.3 to me”; the server learns Host B: Public (132.76.29.7:7777), Private (192.168.2.1:9999).
3. The server now knows both public endpoints and gives each host the other’s.
4. Host A sends to 132.76.29.7:7777. NAT A adds “Allow 132.76.29.7 to me”, but NAT B still allows only 18.181.3.3, so the packet is dropped ✘.
5. Host B sends to 155.9.3.1:1900. NAT B adds “Allow 155.9.3.1 to me”, and NAT A already allows 132.76.29.7, so the packet is delivered ✔.
6. Both NATs now hold an entry for the other side, so later packets pass in both directions.
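The Python model below is an added example, not code from the lecture. It serves two passages at once: the four NAT categories (full cone, restricted cone, port restricted cone, symmetric) and the two-hosts-behind-NATs exchange just shown. A small `Nat` class keeps the translation table and the per-mapping set of destinations the internal host has sent to, and applies each category's inbound filter to that set; `cone_scenario` replays the Host A / Host B / Host C slides against each category, and `hole_punch` replays the rendezvous through the server for a chosen NAT type. The slides cover only the restricted NAT case; running the same steps through two symmetric NATs, where the server-learned mapping is not the one used toward the peer, is an added generalization and fails as expected. The `Nat` class itself, the server port 3478 and the sequential port allocation are constructed assumptions; all addresses and ports are the ones on the slides.

```python
"""Toy model of the four NAT behaviours and of UDP hole punching between two
hosts behind different NATs.  Added example for these notes, not lecture code:
the Nat class, server port 3478 and sequential port allocation are constructed
assumptions; the addresses and ports are the ones used on the slides."""
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED = "restricted cone"
    PORT_RESTRICTED = "port restricted cone"
    SYMMETRIC = "symmetric"


class Nat:
    def __init__(self, public_ip: str, kind: NatType, first_port: int):
        self.public_ip, self.kind, self.next_port = public_ip, kind, first_port
        # outbound key -> public port.  Cone NATs key on the internal endpoint
        # only; a symmetric NAT keys on (internal endpoint, destination).
        self.table: Dict[tuple, int] = {}
        # public port -> (internal endpoint, destinations it has sent to)
        self.bindings: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; return its public source endpoint."""
        key = (src, dst) if self.kind is NatType.SYMMETRIC else src
        if key not in self.table:
            self.table[key] = self.next_port
            self.bindings[self.next_port] = (src, set())
            self.next_port += 1
        port = self.table[key]
        self.bindings[port][1].add(dst)  # remembered for the inbound filter
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Filter an incoming packet; return the internal endpoint or None."""
        if dst_port not in self.bindings:
            return None
        internal, seen = self.bindings[dst_port]
        if self.kind is NatType.FULL_CONE:
            allowed = True                                 # anyone may send
        elif self.kind is NatType.RESTRICTED:
            allowed = any(ip == src[0] for ip, _ in seen)  # source IP seen
        else:  # port restricted and symmetric: exact IP and port must match
            allowed = src in seen
        return internal if allowed else None


# Slide scenario: Host A behind NAT 1.1.1.4 talks to B and C on the outside.
A, B, C = ("192.168.2.2", 4445), ("1.1.1.5", 7777), ("1.1.1.6", 7777)


def cone_scenario(kind: NatType) -> dict:
    """A -> B first; B and C then try to reach A; A -> C; C tries again."""
    nat = Nat("1.1.1.4", kind, 10100)
    pub = nat.outbound(A, B)
    result = {
        "mapping": pub,
        "b_same_port": nat.inbound(B, pub[1]) == A,
        "b_other_port": nat.inbound(("1.1.1.5", 4321), pub[1]) == A,
        "c_unsolicited": nat.inbound(("1.1.1.6", 1234), pub[1]) == A,
    }
    to_c = nat.outbound(A, C)
    result["second_mapping"] = to_c != pub  # only a symmetric NAT does this
    result["c_after_a_sent"] = nat.inbound(C, pub[1]) == A
    return result


# Slide scenario: two hosts behind different NATs meet via a public server.
SERVER = ("18.181.3.3", 3478)  # the server port is a constructed assumption
HOST_A, HOST_B = ("192.168.2.2", 4321), ("192.168.2.1", 9999)


def hole_punch(kind: NatType) -> List[Tuple[str, bool]]:
    """Replay the rendezvous; each entry records whether a packet arrived."""
    nat_a = Nat("155.9.3.1", kind, 1900)
    nat_b = Nat("132.76.29.7", kind, 7777)
    # 1-2. Both hosts register with the server, which learns their public
    #      endpoints; each NAT now admits packets from the server.
    pub_a = nat_a.outbound(HOST_A, SERVER)
    pub_b = nat_b.outbound(HOST_B, SERVER)
    log = [("server->A", nat_a.inbound(SERVER, pub_a[1]) == HOST_A),
           ("server->B", nat_b.inbound(SERVER, pub_b[1]) == HOST_B)]
    # 3. A sends to B's public endpoint: this opens A's NAT for B, but B's NAT
    #    has not yet seen B talk to A and drops it.
    from_a = nat_a.outbound(HOST_A, pub_b)
    log.append(("A->B", nat_b.inbound(from_a, pub_b[1]) == HOST_B))
    # 4. B sends to A's public endpoint: A's NAT already admits B.
    from_b = nat_b.outbound(HOST_B, pub_a)
    log.append(("B->A", nat_a.inbound(from_b, pub_a[1]) == HOST_A))
    # 5. A's retry reaches B now that B's NAT has seen B send to A.
    log.append(("A->B retry", nat_b.inbound(from_a, pub_b[1]) == HOST_B))
    return log


def punch_succeeded(kind: NatType) -> bool:
    """True when the last two steps were delivered: both directions are open."""
    log = hole_punch(kind)
    return log[-1][1] and log[-2][1]
```

`cone_scenario(NatType.RESTRICTED)` reproduces the ✘ for C's unsolicited packet and the later success once A has sent to C; `cone_scenario(NatType.SYMMETRIC)` shows the second mapping and the ✘ for C's packet to the port that belongs to B. `hole_punch(NatType.RESTRICTED)` reproduces the dropped first A -> B packet followed by the delivered B -> A packet, while `punch_succeeded(NatType.SYMMETRIC)` is false because each NAT allocates a fresh mapping toward the peer that the server never saw.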
Software Defined Networks
• We need an approach to easily manage the control plane for entire enterprise networks
• Decouple control and data planes by providing open standard APIs
[Figure: a Controller Platform hosting Controller Application 1 and Controller Application 2; the platform pushes Rules down to the data-plane devices]