
Andreas Müller: Overview / Introduction to Network Address Translation - PowerPoint PPT Presentation



  1. Chair for Network Architectures and Services – Prof. Carle, Department for Computer Science, TU München
     ilab 2 – Advanced NAT
     Andreas Müller

  2. Overview
     - Introduction to Network Address Translation
     - Behavior of NAT
     - The NAT Traversal problem
     - Solutions to the problem
     - Future of NAT
     ilab2 – Advanced NAT, Network Security, WS 2008/09, Chapter 9

  3. Problem
     - More and more devices connect to the Internet
       - PCs
       - Cell phones
       - Internet radios
       - TVs
       - Home appliances
       - Future: sensors, cars...
     - IP addresses need to be globally unique
       - IPv4 provides a 32-bit field
       - Many addresses are not usable because of classful allocation
     -> We are running out of IP addresses

  4. Address Space
     - IP addresses are assigned by the Internet Assigned Numbers Authority (IANA)
     - RFC 1918 (published in 1996) directs IANA to reserve the following IPv4 address ranges for private networks
       - 10.0.0.0 – 10.255.255.255
       - 172.16.0.0 – 172.31.255.255
       - 192.168.0.0 – 192.168.255.255
     - The addresses may be used and reused by everyone
       - Not routed in the public Internet
       - Therefore a mechanism for translating addresses is needed

  5. First approach – Network Address Translation
     - Idea: only hosts communicating with the public Internet need a public address
       - Once a host connects to the Internet we need to allocate one
       - Communication inside the local network is not affected
     - A small number of public addresses may be enough for a large number of private clients
     - Only a subset of the private hosts can connect at the same time
       - not realistic anymore (always on)
       - we still need more than one public IP address

  6. NAPT: Network Address and Port Translation
     [Figure: local network (e.g., home network) 10.0.0/24 with the addresses 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4; the NAT router reaches the rest of the Internet with the public address 138.76.29.7]
     - Datagrams with source or destination in this network have 10.0.0/24 address for source, destination as usual
     - All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

  7. NAT: Network Address Translation
     Implementation: NAT router must:
     - outgoing datagrams: replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #); remote clients/servers will respond using (NAT IP address, new port #) as destination addr.
     - remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair -> we have to maintain a state in the NAT
     - incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with the corresponding (source IP address, port #) stored in NAT table

  8. NAT: Network Address Translation
     NAT translation table
       WAN side addr         LAN side addr
       138.76.29.7, 5001     10.0.0.1, 3345
       ……                    ……
     1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
        S: 10.0.0.1, 3345       D: 128.119.40.186, 80
     2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
        S: 138.76.29.7, 5001    D: 128.119.40.186, 80
     3: Reply arrives, dest. address: 138.76.29.7, 5001
        S: 128.119.40.186, 80   D: 138.76.29.7, 5001
     4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
        S: 128.119.40.186, 80   D: 10.0.0.1, 3345
     [Figure: the local network of slide 6 (10.0.0.1 – 10.0.0.4) behind the NAT address 138.76.29.7]

  9. NAT: Network Address Translation
     - NAPT:
       - ~65000 simultaneous connections with a single LAN-side address!
       - helps against the IP shortage
       - we can change addresses of devices in local network without notifying outside world
       - we can change ISP without changing local addresses
       - devices inside local net not explicitly addressable/visible by the outside world (a security plus)
     - NAT is controversial:
       - routers should only process up to layer 3
       - violates end-to-end argument

  10. NAT Implementation
     - Implementation not standardized
       - intended as a temporary solution
     - implementation differs from model to model
       - that an application works with one NAT does not imply that it always works in a NATed environment
     - NAT behavior
       - Binding (which external mapping is allocated)
         - NAT binding
         - Port binding
       - Endpoint filtering (who is allowed to access the mapping)

  11. Binding
     - When creating a new state, the NAT has to assign a new source port and IP address to the connection
     - Port binding describes the strategy a NAT uses for the assignment of a new external source port
       - source port can only be preserved if not already taken
     - NAT binding describes the behavior of the NAT regarding the reuse of an existing binding
       - two consecutive connections from the same transport address (combination of IP address and port)
       - 2 different bindings?
       - If the binding is the same -> Port prediction possible

  12. NAT binding
     - Endpoint Independent
       - the external port is only dependent on the source transport address
       - both connections have the same IP address and port
     - Address (Port) Dependent
       - dependent on the source and destination address
       - 2 different destinations result in two different bindings
       - 2 connections to the same destination: same binding
     - Endpoint Dependent
       - a new port is assigned for every connection
       - strategy could be random, but also something more predictable
       - Port prediction is hard


  14. Endpoint filtering
     - Filtering describes
       - how existing mappings can be used by external hosts
       - how a NAT handles incoming connections
     - Independent Filtering:
       - All inbound connections are allowed
       - As long as a packet matches a state it is forwarded
       - No security
     - Address Restricted Filtering:
       - packets coming from the same host (matching IP address) the initial packet was sent to are forwarded
     - Address and Port Restricted Filtering:
       - IP address and port must match

  15. NAT Types
     - With Binding and Filtering 4 NAT types can be defined (RFC 3489)
     - Full Cone NAT
       - Endpoint independent binding
       - Independent filtering
     - Address Restricted NAT
       - Endpoint independent binding
       - Address restricted filtering
     - Port Address Restricted NAT
       - Endpoint independent binding
       - Port address restricted filtering
     - Symmetric NAT
       - Endpoint dependent binding
       - Port address restricted filtering
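Added example (not code from the slides): a small Python model of the NAPT translation table of slides 7 and 8 whose binding and endpoint-filtering behaviour can be switched between the modes of slides 12 and 14, plus an RFC 3489-style probe that sorts such a model into one of the four NAT types above. The addresses 10.0.0.1:3345, 138.76.29.7:5001 and 128.119.40.186:80 are the ones on slide 8; the second destination 128.119.40.187, the probe host 203.0.113.9 and the mode names are constructed assumptions.

```python
from dataclasses import dataclass, field
NAT_IP = "138.76.29.7"  # public NAT address from slides 6 and 8

@dataclass
class Nat:
    binding: str           # "independent", "address_dependent" or "endpoint_dependent"
    filtering: str         # "independent", "address" or "address_port"
    next_port: int = 5001  # next free external port (slide 8 starts at 5001)
    table: dict = field(default_factory=dict)  # external port -> state entry

    def _binding_key(self, src, dst):
        """Fields that decide whether an existing external port is reused (slide 12)."""
        keys = {"independent": (src,), "address_dependent": (src, dst[0])}
        return keys.get(self.binding, (src, dst))

    def outbound(self, src, dst):
        """Rewrite (LAN ip, port) -> (NAT_IP, ext port), creating state if needed."""
        key = self._binding_key(src, dst)
        port = next((p for p, e in self.table.items() if e["key"] == key), None)
        if port is None:  # new binding: allocate the next external port
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = {"key": key, "src": src, "peers": set()}
        self.table[port]["peers"].add(dst)  # remember the destination for filtering
        return (NAT_IP, port)

    def inbound(self, remote, port):
        """LAN address a packet from remote to (NAT_IP, port) is delivered to, or None."""
        entry = self.table.get(port)
        if entry is None:  # no matching state at all: every NAT drops it
            return None
        if self.filtering == "independent":  # any external host may use the mapping
            return entry["src"]
        if self.filtering == "address":  # a matching IP address is enough
            allowed = any(peer[0] == remote[0] for peer in entry["peers"])
        else:  # address and port must both match
            allowed = remote in entry["peers"]
        return entry["src"] if allowed else None

def classify(nat):
    """Probe like RFC 3489: compare two bindings, then try three inbound senders."""
    src = ("10.0.0.1", 3345)
    a = nat.outbound(src, ("128.119.40.186", 80))
    b = nat.outbound(src, ("128.119.40.187", 80))  # constructed second destination
    if a != b:  # destination-dependent binding (RFC 3489 calls both variants symmetric)
        return "Symmetric NAT"
    port = a[1]
    if nat.inbound(("203.0.113.9", 9), port):  # unrelated host (constructed)
        return "Full Cone NAT"
    if nat.inbound(("128.119.40.186", 81), port):  # known host, different port
        return "Address Restricted NAT"
    return "Port Address Restricted NAT"
```

An address-dependent binding (slide 12) is reported as symmetric too, because the RFC 3489 probe only checks whether two destinations yield the same external port.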


  17. Full Cone NAT
     [Figure: Full Cone NAT]


  19. Address Restricted Cone NAT
     [Figure: Address Restricted Cone NAT]

