iLab NAT / DHCP
Florian Wohlfart, wohlfart@in.tum.de
Lehrstuhl für Netzarchitekturen und Netzdienste, Fakultät für Informatik, Technische Universität München
Lab 6, 16ss
1 / 34
Motivation: IPv4 Address Scarcity
source: http://www.heise.de/newsticker/meldung/RIPE-72-Streit-um-letzte-IPv4-Adressen-3221309.html
Outline
◮ IPv4 Address Scarcity
◮ NAT
◮ IPv6 Transition Techniques
◮ DHCP
Yearly Address Allocations
source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015)
Allocated Address Blocks
source: P. Richter et al., A Primer on IPv4 Scarcity, ACM Computer Communication Review (2015)
IPv4 Address Allocation in 2012
source: A. Dainotti et al., Estimating Internet address space usage through passive measurements, ACM Computer Communication Review (2014)
IPv4 Address Scarcity: Mitigation Strategies
◮ a) more efficient use of the address space
→ e.g. use unrouted addresses, address trading
◮ b) create more addresses
→ IPv6
◮ c) address sharing
→ NAT
a) IPv4 Address Market
Address trading / company mergers
◮ in 2011 Microsoft bought 667K IPv4 addresses for USD 7.5M, which makes USD 11.25 per address
source: http://www.theregister.co.uk/2011/03/24/microsoft_ip_spend
◮ in 2011 the bankrupt bookseller Borders offered 65K IPv4 addresses for USD 12 per address
source: http://www.theregister.co.uk/2011/12/05/borders_flogs_ipv4_addys
◮ IPv4 address trading portals, e.g. http://addrex.net, http://www.iptrading.com, http://ipv4marketgroup.com
Address pricing
◮ opaque, transactions not public
◮ further reading: Lee Howard, Internet Access Pricing in a Post-IPv4 Runout World, http://www.asgard.org/images/pricing_v1.3.docx
b) IPv6 Deployment
◮ IPv6 still accounts for < 1% of the Internet traffic, but IPv6 traffic grows by 400% each year
source: J. Czyz et al., Measuring IPv6 Adoption, SIGCOMM'14, http://www.icir.org/mallman/pubs/CAZ+14/CAZ+14-talk.pdf, https://www.google.com/intl/en/ipv6/statistics.html
◮ many ISPs already offer native IPv6: e.g. Deutsche Telekom, Kabel Deutschland, M-Net in Germany
see: https://en.wikipedia.org/wiki/IPv6_deployment
b) IPv6 Deployment (cont.)
source: https://blogs.akamai.com/2015/06/three-years-since-world-ipv6-launch-strong-ipv6-growth-continues.html
c) Address Sharing: Private IPv4 Address Ranges
Properties
◮ anyone can use these IP address ranges in their own network
◮ addresses are not routed in the public Internet
◮ Internet access through address translation → NAT
Address Ranges
◮ RFC 1918 reserves the following IPv4 address ranges
  ◮ 10.0.0.0/8
  ◮ 172.16.0.0/12
  ◮ 192.168.0.0/16
◮ RFC 6598 reserves an additional range for ISP networks
  ◮ 100.64.0.0/10
◮ RFC 4193 specifies Unique Local IPv6 addresses
  ◮ fc00::/7
Outline: NAT
Concept: Providing Internet Access for Private IPs
Figure: Internet on one side, Private Host (e.g. 192.168.1.42) on the other
◮ outgoing packet: replace packet source with public endpoint
◮ incoming packet: replace packet destination with local host
Network Address (and Port) Translation (NAT)
Figure: Server 131.159.15.49 | Internet | NAT (pub: 1.2.3.4, priv: 192.168.1.1) | Private Host 192.168.1.42, Private Host 192.168.1.43
NAT translation table
L4 | global endpoint | local endpoint
TCP | 1.2.3.4:4444 | 192.168.1.43:3345
Outgoing packet, before translation: src: 192.168.1.43:3345 dst: 131.159.15.49:80
Outgoing packet, after translation: src: 1.2.3.4:4444 dst: 131.159.15.49:80
Incoming packet, before translation: src: 131.159.15.49:80 dst: 1.2.3.4:4444
Incoming packet, after translation: src: 131.159.15.49:80 dst: 192.168.1.43:3345
◮ replace src IP (and port) in outgoing packets
◮ remember mapping of private and public endpoint
◮ lookup mapping of private and public endpoint
◮ replace dst IP (and port) in incoming packets
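The four steps on this slide, as an added worked example in Python (this is not code from the iLab slides). The translation table is a pair of dicts keyed by L4 protocol and endpoint; outbound packets get a fresh public port and a table entry, inbound packets are translated only if an entry exists and are dropped otherwise, which is exactly why sessions can only be opened from the local network. The addresses and ports are the slide's; the class name NAPT, the Packet type, the starting port 4444 (chosen so the first mapping matches the slide's table row) and the private-range check are assumptions of this example.

```python
"""Minimal NAPT model: translation table + the four rewrite/lookup steps.

Added example, not from the iLab slides. Addresses/ports are taken from the
slide; NAPT, Packet and the starting public port 4444 are constructed here.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, L4 port)
Key = Tuple[str, Endpoint]   # (L4 protocol, endpoint)

# Ranges that are never routed in the public Internet (RFC 1918 and RFC 6598).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_private(ip: str) -> bool:
    """True if ip lies in one of the RFC 1918 / RFC 6598 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class Packet:
    def __init__(self, proto: str, src: Endpoint, dst: Endpoint):
        self.proto, self.src, self.dst = proto, src, dst

    def __repr__(self) -> str:
        return f"{self.proto} {self.src[0]}:{self.src[1]} -> {self.dst[0]}:{self.dst[1]}"


class NAPT:
    # one public address has at most ~65,000 usable ports per protocol,
    # which is where the slide's "~65,000 simultaneous flows" comes from
    FIRST_PORT, LAST_PORT = 4444, 65535

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.out_table: Dict[Key, Endpoint] = {}  # (proto, local endpoint)  -> global endpoint
        self.in_table: Dict[Key, Endpoint] = {}   # (proto, global endpoint) -> local endpoint
        self.next_port = self.FIRST_PORT

    def _allocate(self, proto: str, local: Endpoint) -> Endpoint:
        """Step 2: remember a new mapping; fail when the port space is exhausted."""
        while (self.next_port <= self.LAST_PORT
               and (proto, (self.public_ip, self.next_port)) in self.in_table):
            self.next_port += 1
        if self.next_port > self.LAST_PORT:
            raise RuntimeError("no free public ports: port space exhausted")
        glob = (self.public_ip, self.next_port)
        self.next_port += 1
        self.out_table[(proto, local)] = glob
        self.in_table[(proto, glob)] = local
        return glob

    def outbound(self, pkt: Packet) -> Packet:
        """Step 1: private -> Internet, replace the source endpoint (mapping created on first use)."""
        if not is_private(pkt.src[0]):
            raise ValueError(f"refusing to translate non-private source {pkt.src[0]}")
        glob = self.out_table.get((pkt.proto, pkt.src)) or self._allocate(pkt.proto, pkt.src)
        return Packet(pkt.proto, glob, pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Steps 3 and 4: Internet -> private, look up the mapping and replace the destination.
        Returns None (packet dropped) when no mapping exists: unsolicited inbound
        connections cannot reach a host behind the NAT."""
        local = self.in_table.get((pkt.proto, pkt.dst))
        if local is None:
            return None
        return Packet(pkt.proto, pkt.src, local)


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Replay the slide: request from 192.168.1.43:3345, reply, and an unsolicited packet."""
    nat = NAPT("1.2.3.4")
    out = nat.outbound(Packet("TCP", ("192.168.1.43", 3345), ("131.159.15.49", 80)))
    reply = nat.inbound(Packet("TCP", ("131.159.15.49", 80), out.src))
    unsolicited = nat.inbound(Packet("TCP", ("131.159.15.49", 80), ("1.2.3.4", 5555)))
    return out, reply, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running demo() shows the translated request leaving as 1.2.3.4:4444, the reply arriving back at 192.168.1.43:3345, and None for the packet that matched no table entry. Real NATs additionally age out idle entries and differ in how they allocate ports (the "many different implementations" on the next slide); both are left out here.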
NAT in Practice
Deployment
◮ today the majority of end users are located behind NAT (+ other middleboxes)
◮ no standardization of NAT → many different implementations
◮ transparent to the public Internet
NAT in Practice (contd.)
Benefits
◮ effectively saves IP addresses: allows ∼65,000 simultaneous flows with a single public IP address
◮ address independence: public/private IP addresses can be changed independently
◮ topology hiding: devices inside local network are not explicitly addressable/visible from outside
Problems
◮ connections can only be established from the local network
◮ ports should not be used to address hosts
◮ routers should not manipulate packets above layer 2 (end-to-end principle)
Protocols Affected by NAT
characteristics of protocols that are affected by NAT (RFC 3027):
◮ server located in the local network
  ◮ any service behind NAT, peer-to-peer applications
◮ realm-specific IP address information in payload
  ◮ e.g. SIP, FTP
◮ bundled session applications
  ◮ protocols using multiple connections, e.g. active FTP
◮ unsupported protocols
  ◮ e.g. SCTP, IPsec
Example: Session Initiation Protocol (SIP)
INVITE message: establish a session (e.g. VoIP call) between peers

INVITE sip:Callee@200.3.4.5 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.5:5060
src: <sip:Caller@192.168.1.5>
dst: <sip:Callee@200.3.4.5>
CSeq: 1 INVITE
Contact: <sip:Caller@192.168.1.5:5060>
Content-Type: application/sdp

v=0
o=Alice 214365879 214365879 IN IP4 192.168.1.5
c=IN IP4 192.168.1.5
t=0 0
m=audio 5200 RTP/AVP 0 9 7 3
a=rtpmap:8 PCMU/8000
a=rtpmap:3 GSM/8000

The private address 192.168.1.5 (and the RTP port 5200) appears in the Via and Contact headers and in the SDP o=, c= and m= lines, i.e. in the payload, which a plain NAT does not rewrite; the callee would try to send media to an unrouted address.
Example: File Transfer Protocol (FTP)
Figure: FTP Client and FTP Server, connected by a control connection and a data connection
FTP uses
◮ a persistent control connection
◮ an on-demand data connection
  e.g. PORT command for 10.0.0.1:1025: PORT 10,0,0,1,4,1
  (the first four numbers are the client's IPv4 address, the last two encode the port as 4 · 256 + 1 = 1025)
Problem mitigation
◮ port forwarding
  ◮ static entry in the NAT state table (manually or via protocol)
  ◮ requires support in the NAT and end hosts
◮ application layer gateway (ALG)
  ◮ NAT analyzes and rewrites application layer protocols, e.g. FTP
  ◮ requires support for every protocol in the NAT device
◮ hole punching
  ◮ end hosts try to establish a direct connection to each other
  ◮ requires support in the end hosts, dependent on NAT implementation, UDP works better than TCP
◮ relay server
  ◮ public relay server forwards data
  ◮ affects bandwidth and latency
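The FTP PORT example and the ALG bullet above, worked through in Python as an added example (not code from the slides or from any FTP implementation): the PORT argument carries the client's IPv4 address and port as six decimal bytes h1,h2,h3,h4,p1,p2 with port = p1 · 256 + p2, so the slide's "PORT 10,0,0,1,4,1" means 10.0.0.1:1025. An FTP ALG inspects the control connection and replaces that private endpoint with the NAT's public endpoint, otherwise the server would open the data connection towards an unrouted address. The public endpoint 1.2.3.4:4444 is a constructed value; installing the matching entry in the NAT table is assumed to happen separately and is not modelled here.

```python
"""FTP PORT command parsing and ALG rewrite.

Added example, not from the iLab slides. The PORT command format follows RFC 959;
the public endpoint used in the rewrite is a constructed value.
"""
import re
from typing import Tuple

# 'PORT h1,h2,h3,h4,p1,p2': six decimal byte values separated by commas
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); reject malformed commands."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):          # each field is one byte
        raise ValueError(f"byte value out of range in {line!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_port_command(ip: str, port: int) -> str:
    """Inverse of parse_port_command: build the PORT line for ip:port."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def alg_rewrite(line: str, public_ip: str, public_port: int) -> str:
    """What an FTP ALG does on the control connection: replace the private
    endpoint announced by the client with the NAT's public endpoint for it.
    Lines other than PORT commands pass through unchanged."""
    try:
        parse_port_command(line)
    except ValueError:
        return line
    return encode_port_command(public_ip, public_port)


if __name__ == "__main__":
    print(parse_port_command("PORT 10,0,0,1,4,1"))           # ('10.0.0.1', 1025)
    print(alg_rewrite("PORT 10,0,0,1,4,1", "1.2.3.4", 4444))  # PORT 1,2,3,4,17,92
```

The same idea applies to SIP, where the ALG would have to rewrite the Via and Contact headers and the SDP c= and m= lines shown on the SIP slide; that is considerably more work than the fixed six-number PORT format, which is the "requires support for every protocol" cost listed above.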
Outline: IPv6 Transition Techniques
IPv4 and IPv6 Coexistence
Transition Phase
◮ IPv4 and IPv6 coexist during the transition phase
◮ ISPs need to provide access to IPv4-only services
◮ ISPs with a growing customer base face a tradeoff: buying IPv4 addresses vs. Large Scale NAT (LSN)
Extend the lifetime of IPv4
◮ Carrier Grade NAT (NAT444)
Transition to IPv6
◮ Native IPv6, tunneled/translated IPv4: e.g. Dual-Stack Lite, 464XLAT
◮ many more (usually require CGN)
see: N. Škoberne et al., IPv4 address sharing mechanism classification and tradeoff analysis, IEEE/ACM Transactions on Networking (2014)
Carrier Grade NAT (NAT444)
Figure: CGN deployment in cellular networks and in fixed-line networks
◮ widespread deployment in mobile networks
◮ growing deployment (esp. new customers) in fixed-line networks
◮ further reading: P. Richter et al., A Multi-perspective Analysis of Carrier-Grade NAT Deployment, in submission, http://arxiv.org/abs/1605.05606
IPv6 Transition Techniques: Dual-Stack Lite
E.g. Comcast (US), Unitymedia (DE), Kabel Deutschland (DE)
http://corporate.comcast.com/comcast-voices/comcast-reaches-key-milestone-in-launch-of-ipv6-broadband-network http://www.heise.de/netze/meldung/Kabel-Deutschland-stellt-Internetzugaenge-auf-IPv6-um-2069367.html
IPv6 Transition Techniques: 464XLAT
E.g. T-Mobile US
http://www.internetsociety.org/deploy360/resources/case-study-t-mobile-us-goes-ipv6-only-using-464xlat
Customer-side translation (CLAT)
◮ private IPv4 is translated into IPv6 using Stateless IP/ICMP Translation (SIIT)
◮ stateless translation between reserved IPv6 address range (::ffff:0:0:0/96) and IPv4 addresses
Provider-side translation (PLAT)
◮ translate IPv4-translated addresses to IPv4 using NAT64 and DNS64
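The CLAT address step, as an added Python example (not code from the slides or from any CLAT implementation): an IPv4 address is placed in the low 32 bits of the ::ffff:0:0:0/96 range named on the slide and recovered from it again. No table is consulted in either direction, which is what makes SIIT stateless; contrast this with the NAT table earlier in the deck and with the PLAT's NAT64, which does keep state. The function names are assumptions of this example.

```python
"""Stateless IPv4 <-> IPv6 address mapping into the IPv4-translated range.

Added example, not from the iLab slides. Only the address embedding is shown;
header translation (TTL/hop limit, checksums, ICMP) is out of scope.
"""
import ipaddress

# IPv4-translated range from the slide: the IPv4 address occupies the low 32 bits.
TRANSLATED = ipaddress.IPv6Network("::ffff:0:0:0/96")


def v4_to_translated(ip4: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address: prefix bits OR the 32-bit IPv4 value (no state needed)."""
    v4 = ipaddress.IPv4Address(ip4)
    return ipaddress.IPv6Address(int(TRANSLATED.network_address) | int(v4))


def translated_to_v4(ip6: str) -> ipaddress.IPv4Address:
    """Inverse mapping; addresses outside the prefix carry no IPv4 address and are rejected."""
    v6 = ipaddress.IPv6Address(ip6)
    if v6 not in TRANSLATED:
        raise ValueError(f"{ip6} is not an IPv4-translated address")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def roundtrip_ok(ip4: str) -> bool:
    """Check that embedding followed by extraction returns the original address."""
    return str(translated_to_v4(str(v4_to_translated(ip4)))) == ip4


if __name__ == "__main__":
    print(v4_to_translated("192.168.1.42"))      # ::ffff:0:c0a8:12a
    print(translated_to_v4("::ffff:0:c0a8:12a"))  # 192.168.1.42
```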
Conclusion
NAT deployment
◮ widespread NAT deployment is one reason for the slow adoption of IPv6
source: L. Zhang, A Retrospective View of Network Address Translation, IEEE Network Sep/Oct 2008
◮ NAT will be around until nobody uses IPv4 any more
Carrier Grade NAT
◮ limited control over the NAT function (e.g. no port forwarding)
◮ multiple customers share the same public IP address
  → hampers criminal prosecution based on IP address
◮ customers can interfere with each other
  → number of concurrent connections
◮ logging each mapping is expensive
  → bulk port allocation
Test your own Connection
◮ NAT Analyzer
  ◮ web-based test to understand NAT behavior
  ◮ nattest.net.in.tum.de
◮ Netalyzr
  ◮ web-based test or Android application
  ◮ more than 100 tests including NAT behavior
  ◮ netalyzr.icsi.berkeley.edu
Outline: DHCP
Dynamic Host Configuration Protocol (DHCP)
Motivation
◮ manual network configuration of hosts not scalable
General Concepts
◮ automated configuration of network parameters, e.g. IP addresses, subnets, gateway, DNS server, etc.
◮ UDP-based client-server protocol
◮ servers lease IP addresses to clients for a certain amount of time
◮ stateful server, can make decisions based on client history
◮ extensible through DHCP options
DHCPv4 Protocol
◮ UDP protocol on top of IPv4 (server port 67, client port 68)
◮ uses IPv4 broadcast packets
Figure: message sequence between Client and DHCP Server: discover, offer, request, acknowledge
◮ discover message: client announces its presence in the network (L2 broadcast)
◮ offer message: server(s) make a lease offer to the client
◮ request message: client accepts an offer and requests the offered configuration (L2 broadcast)
  ◮ implicitly denies offers of other servers
  ◮ is also used to extend the lease of a currently used configuration
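The discover/offer/request/acknowledge exchange from this slide, modelled in memory as an added Python example (not code from the slides or from any DHCP implementation). Two constructed servers each hold an address pool; the client broadcasts DISCOVER, every server answers with an OFFER, the client broadcasts a REQUEST that names the chosen server (the "server identifier" of RFC 2131), the chosen server answers with an ACK and binds the lease, and the other server sees the REQUEST too and returns its offered address to the pool. A later REQUEST for the same address renews the lease, as the last bullet says. Nothing is sent on the wire; ports 67/68 are kept only as labels. The Msg/Server types, the pools and the MAC address are constructed sample data.

```python
"""DHCPv4 DORA exchange modelled in memory.

Added example, not from the iLab slides. Servers, pools and the client MAC
address are constructed sample data; field names follow RFC 2131.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SERVER_PORT, CLIENT_PORT = 67, 68   # from the slide; labels only, nothing is sent here


@dataclass
class Msg:
    kind: str             # DISCOVER, OFFER, REQUEST, ACK or NAK
    chaddr: str           # client hardware (MAC) address
    yiaddr: str = ""      # "your" IP address: offered / assigned address
    server_id: str = ""   # server that answers, or server the client picked
    lease: int = 0        # lease time in seconds


@dataclass
class Server:
    ip: str
    pool: List[str]
    lease_time: int = 3600
    offered: Dict[str, str] = field(default_factory=dict)  # chaddr -> tentatively reserved
    leased: Dict[str, str] = field(default_factory=dict)   # chaddr -> bound lease

    def handle(self, m: Msg) -> Optional[Msg]:
        """Reply to a broadcast message, or None if this server stays silent."""
        if m.kind == "DISCOVER":
            if m.chaddr in self.leased:        # returning client: offer the address it had
                addr = self.leased[m.chaddr]
            elif m.chaddr in self.offered:     # repeated DISCOVER: same tentative address
                addr = self.offered[m.chaddr]
            elif self.pool:
                addr = self.pool.pop(0)
                self.offered[m.chaddr] = addr
            else:
                return None                    # pool exhausted: no offer
            return Msg("OFFER", m.chaddr, addr, self.ip, self.lease_time)
        if m.kind == "REQUEST":
            if m.server_id != self.ip:         # client chose another server: free our offer
                if m.chaddr in self.offered:
                    self.pool.append(self.offered.pop(m.chaddr))
                return None
            addr = self.offered.pop(m.chaddr, None) or self.leased.get(m.chaddr)
            if addr is None or addr != m.yiaddr:
                return Msg("NAK", m.chaddr, server_id=self.ip)
            self.leased[m.chaddr] = addr       # bind the lease (or renew it)
            return Msg("ACK", m.chaddr, addr, self.ip, self.lease_time)
        return None


def broadcast(servers: List[Server], m: Msg) -> List[Msg]:
    """L2 broadcast: every server sees the message; collect the non-empty replies."""
    return [r for r in (s.handle(m) for s in servers) if r is not None]


def dora(client_mac: str, servers: List[Server]) -> Optional[Msg]:
    """One discover/offer/request/acknowledge cycle; returns the ACK or None."""
    offers = broadcast(servers, Msg("DISCOVER", client_mac))
    if not offers:
        return None
    chosen = offers[0]                                   # simplest policy: first offer wins
    request = Msg("REQUEST", client_mac, chosen.yiaddr, chosen.server_id)
    acks = [r for r in broadcast(servers, request) if r.kind == "ACK"]
    return acks[0] if acks else None


if __name__ == "__main__":
    srv = [Server("192.168.1.1", ["192.168.1.100", "192.168.1.101"]),
           Server("192.168.1.2", ["192.168.1.200"])]
    print(dora("aa:bb:cc:dd:ee:01", srv))
    print("pools after exchange:", [s.pool for s in srv])
```

Because every message is a broadcast, any host on the segment can answer a DISCOVER; the client here simply trusts the first OFFER, which is why a rogue server on the same L2 network is a classic DHCP problem and why switches offer DHCP snooping to pin server traffic to known ports.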