CS 422: Lecture Notes (12/07/04 - 12/09/04)

- By Gaurav Ganesh

Date: 12/07/04

Network Address Translation (NAT)

• It is used in firewalls to protect a local network from outside attacks.
• It is used by some home devices that allow using a single IP address by multiple computers in the home network. These devices are called NAT boxes, although some manufacturers wrongly call them internet routers.

• The NAT box allows multiple computers to connect to the Internet and share the same IP address.
• As a side effect, a NAT box also serves as a firewall since it will only accept packets from connections that started from a computer in the home network.
• NAT boxes also provide DHCP to dynamically assign IP addresses to the computers in the home network. For example, 192.168.1.101, 102, 103, ..., will be assigned by the NAT box.
• The NAT box will also be the default router and DNS server for the home computers.
• When a home computer boots and makes a DHCP request, the NAT box will answer with a new IP address, and the NAT box address for the default router and DNS server.

• How NAT works:

1. L₁ tries to connect to I₁ which is a web server. L₁ sends a SYN packet to start a connection. The connection params will be <L₁, Q₁, I₁, P₁>.
2. The NAT box receives the packet and substitutes the IP source (L₁) by its own IP address (N₁). It also generates a new port number (Q₁') and substitutes Q₁ by Q₁'. Then it sends the packet to I₁. The new params in the packet will be <N₁, Q₁', I₁, P₁>.
3. The NAT box will also record in a table, a new mapping that relates Q₁' to <L₁, Q₁>. This mapping will be used when a reply comes back from I₁, to replace the destination and destination port back to <L₁, Q₁>.

4. When a reply is sent from I₁, it will go to the NAT box and the params in the packet will be <I₁, P₁, N₁, Q₁'>.
5. The NAT box receives the packet and looks up Q₁' in the NAT table. It finds the pair <L₁, Q₁> that corresponds to Q₁'. The NAT box substitutes the destination N₁ by L₁ and destination port Q₁' by Q₁. The new params of the packet are now <I₁, P₁, L₁, Q₁>.
6. L₁ receives the packet transparently i.e. L₁ never knows that the NAT box performed a translation.
7. The NAT box will now use the translation Q₁' ↔ <L₁, Q₁> for all packets of the same connection.
8. The mapping Q₁' ↔ <L₁, Q₁> will be removed a few minutes after the connection is closed.
9. When a packet comes from the Internet to the NAT box, and no mapping exists for that destination port, the packet will be dropped.

10. Let's assume that a hacker in H₂ tries to connect to port Q₂ in N₁. N₁ will not have a mapping Q₂' in the NAT table so it silently drops the packet. H₂ will not get any feedback. This is how firewalls work.
11. The drawback is that no application that starts a connection from the outside will get through. For ex. you will not be able to telnet/ssh to a computer in your home network or run a web server, internet phone, remote desktop, VNC, having the client in the Internet.
12. To get around this problem you can add a static mapping in the NAT table so the NAT box will translate incoming packets to a machine and port in the home network. For ex. add a static mapping 80→<I₅, 8080>. This will tell the NAT box to translate packets directed to NAT box port 80 to be sent to computer I₅, port 8080, in your home network.

Date: 12/09/04

Virtual Private Networks (VPN)

• They allow a computer to connect to a remote network using a secure channel.
• The computer will be virtually attached to the remote network.
• The Internet is used as a channel.

• You setup a VPN by connecting to the remote network's VPN router using a login and password.
• Once the VPN connection is active, it will appear to computer C as another interface with a second IP address that will have a network part corresponding to the remote network.

• Any packet that is directed from C to a host in the remote network will be passed on to the VPN interface.

1. C wants to send a packet IP_A to N₁ in the remote network. C uses the VPN interface to send the packet IP_A.
2. The drivers for the VPN interface encrypt IP_A and put it on top of another packet IP_B. The destination of IP_B is the VPN router R.

3. When R receives the packet, it decrypts IP_A and sends it to its original destination N₁.
4. Everything will be transparent to both C and N₁.
5. If N₁ sends a reply back to C, it will also be encapsulated in the same way.

    VPN is now widely used to:

• connect employees at home to the company network.
• connect students to the campus network.

Using SSH to provide a Secure Channel

• SSH provides a secure channel by performing "secure port forwarding". This feature is an option on SSH.
• It is used to make unsafe applications that send plaintext to be safe using the Internet. Examples of such applications are: most XLL applications and VNC.

Review for the Final

Routing

• Routers and how they work
• Next hop forwarding - Destination address
• Routing table
• Shortest path routing (router knows the entire network) vs. Distance vector routing (router only knows its neighboring routers)

Protocols and Layering

• ISO 7 layer model
• Layering used in TCP/IP

Internet Protocol (IP)

• IP addresses (prefix: network no., suffix: host no.)
• Classes of IP addresses (A, B, C, D, E)
• CIDR (Classless IP addresses): Network / No. of bits in the prefix
• Special IP addresses: all 0s, all 1s, loop back etc.
• IP packet format and the different fields: TTL, IP flags etc.
• IP routing and default routers
• IP semantics (requirements): IP is connectionless i.e. no state is left in router; Packets may be delayed, duplicated, out-of-order, or lost; Best effort delivery protocol

Address Resolution Protocol (ARP)

• Translates IP addresses (4 bytes) to Ethernet hardware addresses (6 bytes)
• Size of IP header: 20 bytes, minimum TCP header: 20 bytes
• ARP request/reply protocol: broadcast, unicast; ARP cache: mappings expire after 20 mins.

IP Fragmentation & Reassembly

• Why fragmentation is necessary
• Maximum transferred unit (MTU)
• How fragmentation (performed by the router) and reassembly (performed by the destination) work: Packets < MTU may follow different routes.
• IP packet fields used for reassembly: (src ip, id, offset, more fragments bit)
• Time to live (TTL) = 255 secs. or hops

ICMP

• ICMP message types: source quench, time exceeded, destination reachable, echo/reply
• Traceroute/Path MTU discovery

Transport Protocols

• TCP
• UDP

TCP

• Characteristics: Reliable, Full-duplex etc.
• How is reliability achieved: Acknowledgements, Retransmission
• TCP features: Adaptive retransmission (based on roundtrip time), Flow control (transmission window), Cumulative acknowledgements, Congestion control (slow start), Reliable connection startup and shutdown
• TCP header and fields

NAT & VPN

• How they work

Final Distribution

    70% Notes

    30% Projects