  1. iLab NAT / DHCP
     Florian Wohlfart, wohlfart@in.tum.de
     Lehrstuhl für Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München
     Lab 6 – 16ss
     1 / 34

  2. Motivation: IPv4 Address Scarcity source: http://www.heise.de/newsticker/meldung/RIPE-72-Streit-um-letzte-IPv4-Adressen-3221309.html 2 / 34

  3. Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 3 / 34


  5. Yearly Address Allocations source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015) 5 / 34

  6. Allocated Address Blocks source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015) 6 / 34

  7. IPv4 Address Allocation in 2012 source: A. Dainotti et al., Estimating Internet address space usage through passive measurements, ACM Computer Communication Review (2014) 7 / 34

  8. IPv4 Address Scarcity: Mitigation Strategies
     ◮ a) more efficient use of the address space → e.g. use unrouted addresses, address trading
     ◮ b) create more addresses → IPv6
     ◮ c) address sharing → NAT
     8 / 34

  11. a) IPv4 Address Market
      Address trading / company mergers
      ◮ in 2011 Microsoft bought 667K IPv4 addresses for USD 7.5M, that makes USD 11.25 per address
        source: http://www.theregister.co.uk/2011/03/24/microsoft_ip_spend
      ◮ in 2011 the bankrupt bookseller Borders offered 65K IPv4 addresses for USD 12 per address
        source: http://www.theregister.co.uk/2011/12/05/borders_flogs_ipv4_addys
      ◮ IPv4 address trading portals, e.g. http://addrex.net, http://www.iptrading.com, http://ipv4marketgroup.com
      Address pricing
      ◮ opaque, transactions not public
      ◮ further reading: Lee Howard, Internet Access Pricing in a Post-IPv4 Runout World, http://www.asgard.org/images/pricing_v1.3.docx
      9 / 34

  12. b) IPv6 Deployment
      ◮ IPv6 still accounts for < 1% of the Internet traffic, but IPv6 traffic grows by 400% each year
        source: J. Czyz et al., Measuring IPv6 Adoption, SIGCOMM'14, http://www.icir.org/mallman/pubs/CAZ+14/CAZ+14-talk.pdf, https://www.google.com/intl/en/ipv6/statistics.html
      ◮ many ISPs already offer native IPv6, e.g. Deutsche Telekom, Kabel Deutschland, M-Net in Germany
        see: https://en.wikipedia.org/wiki/IPv6_deployment
      10 / 34

  13. b) IPv6 Deployment (cont.) source: https://blogs.akamai.com/2015/06/three-years-since-world-ipv6-launch-strong-ipv6-growth-continues.html 11 / 34

  14. c) Address Sharing: Private IPv4 Address Ranges
      Properties
      ◮ anyone can use these IP address ranges in their own network
      ◮ addresses are not routed in the public Internet
      ◮ Internet access through address translation → NAT
      Address Ranges
      ◮ RFC 1918 reserves the following IPv4 address ranges
        ◮ 10.0.0.0/8
        ◮ 172.16.0.0/12
        ◮ 192.168.0.0/16
      ◮ RFC 6598 reserves an additional range for ISP networks
        ◮ 100.64.0.0/10
      ◮ RFC 4193 specifies Unique Local IPv6 addresses
        ◮ fc00::/7
      12 / 34

  15. Outline IPv4 Address Scarcity NAT IPv6 Transition Techniques DHCP 13 / 34

  16. Concept: Providing Internet Access for Private IPs
      (figure: Private Host, e.g. 192.168.1.42, connected to the Internet)
      ◮ outgoing packet: replace packet source with public endpoint
      ◮ incoming packet: replace packet destination with local host
      14 / 34

  18. Network Address (and Port) Translation (NAT)
      (figure: Private Hosts 192.168.1.42 and 192.168.1.43 behind a NAT with priv: 192.168.1.1 and pub: 1.2.3.4; Server 131.159.15.49 in the Internet)
      Outgoing packet, before NAT:  src: 192.168.1.43:3345  dst: 131.159.15.49:80
      Outgoing packet, after NAT:   src: 1.2.3.4:4444       dst: 131.159.15.49:80
      Incoming packet, before NAT:  src: 131.159.15.49:80   dst: 1.2.3.4:4444
      Incoming packet, after NAT:   src: 131.159.15.49:80   dst: 192.168.1.43:3345
      NAT translation table
        L4   global endpoint   local endpoint
        TCP  1.2.3.4:4444      192.168.1.43:3345
      ◮ replace src IP (and port) in outgoing packets
      ◮ remember mapping of private and public endpoint
      ◮ lookup mapping of private and public endpoint
      ◮ replace dst IP (and port) in incoming packets
      15 / 34
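The translation steps on the NAT slide, as an added example that is not part of the original slides: a minimal NAPT state table that rewrites outgoing and incoming packets and drops inbound packets with no matching entry. Addresses are the slide's own constructed values; the starting public port 4444 is taken from the slide.

```python
# Added example, not from the slides: a minimal NAPT simulation of the
# translation table on the NAT slide (private 192.168.1.0/24 behind 1.2.3.4).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Napt:
    def __init__(self, public_ip: str, first_port: int = 4444):
        self.public_ip = public_ip
        self.next_port = first_port
        # (L4 proto, global ip, global port) -> (local ip, local port)
        self.table: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        # reverse index so an existing flow keeps its public port
        self._by_local: Dict[Tuple[str, str, int], int] = {}

    def outbound(self, p: Packet) -> Packet:
        """Replace src IP (and port) and remember the mapping."""
        local = (p.proto, p.src_ip, p.src_port)
        port = self._by_local.get(local)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self._by_local[local] = port
            self.table[(p.proto, self.public_ip, port)] = (p.src_ip, p.src_port)
        return Packet(p.proto, self.public_ip, port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Look up the mapping and replace dst IP (and port); None means no
        state exists, so an unsolicited inbound packet is dropped (hence
        connections can only be established from the local network)."""
        local = self.table.get((p.proto, p.dst_ip, p.dst_port))
        if local is None:
            return None
        return Packet(p.proto, p.src_ip, p.src_port, local[0], local[1])

if __name__ == "__main__":
    nat = Napt("1.2.3.4")
    print(nat.outbound(Packet("TCP", "192.168.1.43", 3345, "131.159.15.49", 80)))
    print(nat.inbound(Packet("TCP", "131.159.15.49", 80, "1.2.3.4", 4444)))
    print(nat.inbound(Packet("TCP", "131.159.15.49", 80, "1.2.3.4", 5555)))
```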

  26. NAT in Practice
      Deployment
      ◮ today the majority of end users are located behind NAT (+ other middleboxes)
      ◮ no standardization of NAT → many different implementations
      ◮ transparent to the public Internet
      16 / 34

  27. NAT in Practice (contd.)
      Benefits
      ◮ effectively saves IP addresses: allows ∼ 65,000 simultaneous flows with a single public IP address
      ◮ address independence: public/private IP addresses can be changed independently
      ◮ topology hiding: devices inside local network are not explicitly addressable/visible from outside
      Problems
      ◮ connections can only be established from the local network
      ◮ ports should not be used to address hosts
      ◮ routers should not manipulate packets above layer 2 (end-to-end principle)
      17 / 34

  28. Protocols Affected by NAT
      characteristics of protocols that are affected by NAT (RFC 3027):
      ◮ server located in the local network
        ◮ any service behind NAT, peer-to-peer applications
      ◮ realm-specific IP address information in payload
        ◮ e.g. SIP, FTP
      ◮ bundled session applications
        ◮ protocols using multiple connections, e.g. active FTP
      ◮ unsupported protocols
        ◮ e.g. SCTP, IPsec
      18 / 34

  29. Example: Session Initiation Protocol (SIP)
      INVITE message: establish a session (e.g. VoIP call) between peers

          INVITE sip:Callee@200.3.4.5 SIP/2.0
          Via: SIP/2.0/UDP 192.168.1.5:5060
          src: <sip:Caller@192.168.1.5>
          dst: <sip:Callee@200.3.4.5>
          CSeq: 1 INVITE
          Contact: <sip:Caller@192.168.1.5:5060>
          Content-Type: application/sdp

          v=0
          o=Alice 214365879 214365879 IN IP4 192.168.1.5
          c=IN IP4 192.168.1.5
          t=0 0
          m=audio 5200 RTP/AVP 0 9 7 3
          a=rtpmap:8 PCMU/8000
          a=rtpmap:3 GSM/8000

      19 / 34
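Why this INVITE breaks behind a NAT, as an added example that is not part of the original slides: a scanner that flags every realm-specific address in the SIP headers and SDP body, using the unrouted ranges from the private-address slide (RFC 1918, RFC 6598, RFC 4193). The header names checked (Via, Contact, From, plus the slide's "src" label) are my choice of the fields that carry the caller's own endpoint.

```python
# Added example, not from the slides: flag realm-specific addresses in the
# INVITE above that a NAT leaves untouched because they sit in the payload.
import ipaddress
import re

UNROUTED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
             "100.64.0.0/10",                                   # RFC 6598
             "fc00::/7")]                                       # RFC 4193

def is_unrouted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTED)

# SIP headers that carry the sender's own endpoint (the slide labels the
# From header "src") and the SDP lines that carry the media endpoint.
SELF_HEADERS = ("Via", "Contact", "From", "src")
SDP_LINES = ("o=", "c=")
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def find_realm_specific(message: str):
    """Return [(label, ip)] for every unrouted IPv4 literal in the message."""
    hits = []
    for line in message.splitlines():
        head = line.split(":", 1)[0]
        if head in SELF_HEADERS:
            label = head
        elif line.startswith(SDP_LINES):
            label = line[:2]
        else:
            continue
        for ip in _IPV4.findall(line):
            try:
                if is_unrouted(ip):
                    hits.append((label, ip))
            except ValueError:   # an octet above 255 is not an address
                pass
    return hits

# The relevant lines of the INVITE from the slide, as constructed test input.
INVITE = "\n".join([
    "INVITE sip:Callee@200.3.4.5 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.5:5060",
    "src: <sip:Caller@192.168.1.5>",
    "dst: <sip:Callee@200.3.4.5>",
    "Contact: <sip:Caller@192.168.1.5:5060>",
    "o=Alice 214365879 214365879 IN IP4 192.168.1.5",
    "c=IN IP4 192.168.1.5",
])
```

Every hit is a place the NAT would have to rewrite (or an ALG handle) before the callee could reach the caller.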

  30. Example: File Transfer Protocol (FTP)
      (figure: FTP Client and FTP Server, connected by a control connection and a data connection)
      FTP uses
      ◮ a persistent control connection
      ◮ an on-demand data connection, e.g. PORT command for 10.0.0.1:1025:
          PORT 10,0,0,1,4,1
      20 / 34

  32. Problem mitigation
      ◮ port forwarding
        ◮ static entry in the NAT state table (manually or via protocol)
        ◮ requires support in the NAT and end hosts
      ◮ application layer gateway (ALG)
        ◮ NAT analyzes and rewrites application layer protocols, e.g. FTP
        ◮ requires support for every protocol in the NAT device
      21 / 34
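The FTP application layer gateway from the mitigation slide applied to the PORT command from the FTP slide, as an added example that is not part of the original slides: the gateway parses the client's PORT, rewrites it to the NAT's public endpoint and returns the state-table entry the NAT must install for the server's data connection. Constructed values: client 10.0.0.1, public IP 1.2.3.4, public port 4444; the check that the PORT address matches the control connection's source is an assumption about how a careful gateway behaves.

```python
# Added example, not from the slides: an FTP ALG rewriting the PORT command.
# Constructed values: client 10.0.0.1 behind a NAT with public IP 1.2.3.4,
# which allocates public port 4444 for the data connection.
import re

_PORT_CMD = re.compile(r"^PORT ((?:\d{1,3},){5}\d{1,3})\r?\n?$")

def parse_port(command: str):
    """PORT h1,h2,h3,h4,p1,p2 -> (ip, port), with port = p1*256 + p2."""
    m = _PORT_CMD.match(command)
    if not m:
        raise ValueError("not a PORT command")
    f = [int(x) for x in m.group(1).split(",")]
    if any(x > 255 for x in f):
        raise ValueError("PORT field out of range")
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

def format_port(ip: str, port: int) -> str:
    return "PORT " + ip.replace(".", ",") + f",{port // 256},{port % 256}\r\n"

def ftp_alg(command: str, control_src_ip: str, public_ip: str, public_port: int):
    """Rewrite the client's PORT to the NAT's public endpoint and return the
    state-table entry the NAT installs so that the server's data connection
    to public_ip:public_port is forwarded to the client's listening socket.

    Assumption (not from the slides): the gateway only translates a PORT
    that names the client which sent it, so it never installs a forwarding
    to some other host on the client's behalf."""
    local_ip, local_port = parse_port(command)
    if local_ip != control_src_ip:
        raise ValueError("PORT address does not match control connection source")
    entry = {("TCP", public_ip, public_port): (local_ip, local_port)}
    return format_port(public_ip, public_port), entry
```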
