Lecture 9
Private Network Interconnection (NAT, VPN)
Source: Chapter 19, E. Comer
4/11/2011

Hybrid Architecture
• Permits some traffic to go over private connections
• Allows contact with global Internet

Example of Hybrid Architecture
(figure)

The Cost Of Private And Public Networks
• Private network extremely expensive
• Public Internet access inexpensive
• Goal: combine safety of private network with low cost of global Internet.

Question
How can an organization that uses the global Internet to connect its sites keep its data private?

Answer: Virtual Private Network (VPN)

Virtual Private Network
• Connect all sites to global Internet
• Protect data as it passes from one site to another
– Encryption
– IP-in-IP tunneling

Illustration Of Encapsulation Used With VPN
(figure)

The Point!!
A Virtual Private Network sends data across the Internet, but encrypts intersite transmissions to guarantee privacy.

Example Of VPN Addressing And Routing
(figure)

Example Of VPN Addressing And Routing
• Consider a datagram sent from a computer on network 128.10.2.0 to a computer on network 128.210.0.0.
• The sending host forwards the datagram to R2, which forwards it to R1.
• According to the routing table in R1 the datagram must be sent across the tunnel to R3. Therefore, R1 encrypts the datagram, encapsulates it in the data area of an outer datagram with destination R3. R1 then forwards the outer datagram through the local ISP and across the Internet.
• The datagram arrives at R3, which recognizes it as tunneled from R1. R3 decrypts the data area to produce the original datagram, looks up the destination in its routing table, and forwards the datagram to R4 for delivery.

Example VPN With Private Addresses
(figure)
Advantage: Only one globally valid IP address needed per site
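The four steps above (R1's routing lookup, encryption, IP-in-IP encapsulation, and R3's decapsulation and onward lookup) as an added example that is not part of the lecture or of Comer's text. Router addresses, both routing tables, the key and the nonce are constructed for the example; the "encrypt" step is a stand-in built from an HMAC-SHA256 keystream plus an authentication tag, standing in for what a deployed VPN would get from IPsec ESP or an equivalent. The IPv4 header builder and parser are minimal (no options) but produce and verify real header checksums, so the outer datagram is a genuine protocol-4 datagram.

```python
"""Added example: an IP-in-IP VPN tunnel between R1 and R3 as the slide describes it.
Addresses, routes, key and nonce are constructed; the cipher is a stand-in, not IPsec."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4          # IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17
R1_ADDR, R3_ADDR = "203.0.113.1", "203.0.113.3"   # Internet-facing addresses (constructed)
R1_ROUTES = {"128.10.0.0/16": "local", "128.210.0.0/16": "tunnel:" + R3_ADDR, "0.0.0.0/0": "isp"}
R3_ROUTES = {"128.210.0.0/16": "R4", "128.10.0.0/16": "tunnel:" + R1_ADDR, "0.0.0.0/0": "isp"}
KEY = b"constructed-demo-key"
NONCE = b"\x00" * 7 + b"\x01"

def ip_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; returns 0 for a header whose checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(dgram: bytes) -> dict:
    """Header fields plus payload; rejects a non-IPv4 or corrupted header."""
    if len(dgram) < 20 or dgram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (dgram[0] & 0x0F) * 4
    if ip_checksum(dgram[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", dgram[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": dgram[ihl:total_len]}

def lookup(routes: dict, dst: str) -> str:
    """Longest-prefix match over a prefix -> next-hop table."""
    addr = ipaddress.IPv4Address(dst)
    matches = [(ipaddress.IPv4Network(p), nh) for p, nh in routes.items()
               if addr in ipaddress.IPv4Network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    blocks = [hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in encrypt-then-MAC: returns nonce || ciphertext || 16-byte tag."""
    assert len(nonce) == 8
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expect = hmac.new(hashlib.sha256(b"mac" + key).digest(), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tunnel payload failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def r1_forward(inner: bytes, key: bytes, nonce: bytes) -> bytes:
    """R1: consult the routing table; encrypt and encapsulate only for tunnel routes."""
    next_hop = lookup(R1_ROUTES, parse_ipv4(inner)["dst"])
    if not next_hop.startswith("tunnel:"):
        return inner                       # plain forwarding, no encapsulation
    remote = next_hop.split(":", 1)[1]
    return build_ipv4(R1_ADDR, remote, IPPROTO_IPIP, encrypt(key, nonce, inner))

def r3_receive(outer: bytes, key: bytes) -> dict:
    """R3: accept only IP-in-IP from R1, decrypt the data area, then route the inner datagram."""
    f = parse_ipv4(outer)
    if f["dst"] != R3_ADDR or f["proto"] != IPPROTO_IPIP or f["src"] != R1_ADDR:
        raise ValueError("not a tunneled datagram from R1")
    inner = parse_ipv4(decrypt(key, f["payload"]))
    inner["next_hop"] = lookup(R3_ROUTES, inner["dst"])
    return inner

def demo():
    """Host on 128.10.2.0 -> R1 -> tunnel -> R3 -> R4, returning the outer and inner views."""
    inner = build_ipv4("128.10.2.7", "128.210.5.9", IPPROTO_UDP, b"hello from site 1")
    outer = r1_forward(inner, KEY, NONCE)
    return parse_ipv4(outer), r3_receive(outer, KEY)

def tampered_is_rejected() -> bool:
    """Flip one byte of the encrypted data area: the IP header checksum still passes, the tag does not."""
    outer = bytearray(r1_forward(build_ipv4("128.10.2.7", "128.210.5.9", IPPROTO_UDP, b"x"), KEY, NONCE))
    outer[30] ^= 0x01
    try:
        r3_receive(bytes(outer), KEY)
    except ValueError:
        return True
    return False
```

Two points worth checking against the slide: R1 only encapsulates when the longest-prefix match names a tunnel, so traffic to the local site or to the open Internet is forwarded untouched; and R3 recognises the tunnel by the outer header (destination, protocol 4, source R1) before it touches the data area, while the authentication tag, not the IP checksum, is what catches a modified payload.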

Example VPN With Private Addresses
• Site 1 uses subnet 10.1.0.0/16, while site 2 uses subnet 10.2.0.0/16. Only two globally valid IP addresses are needed.
• One is assigned to the connection from router R1 to the Internet, and the other is assigned to the connection from R2 to the Internet. Routing tables at the sites specify routes for private addresses;
• only the VPN tunneling software needs to know about or use the globally valid IP addresses.
• VPNs use the same addressing structure as a private network. Hosts in a completely isolated VPN can use arbitrary addresses, but a hybrid architecture with valid IP addresses must be employed to provide hosts with access to the global Internet.

General Access With Private Addresses
Question: how can a site provide multiple computers at the site access to Internet services without assigning each computer a globally-valid IP address?
• Two answers
– Application gateway (one needed for each service)
– Network Address Translation (NAT)

Network Address Translation (NAT)
• Extension to IP addressing
• IP-level access to the Internet through a single IP address
• Transparent to both ends
• Implementation
– Typically software
– Usually installed in IP router
– Special-purpose hardware for highest speed

Network Address Translation (NAT) (continued)
• Pioneered in Unix program
• Also known as
– Masquerade (Linux)
– Internet Connection Sharing (Microsoft)
• Inexpensive implementations available for home use

NAT Details
• Organization
– Obtains one globally valid address per Internet connection
– Assigns nonroutable addresses internally (net 10)
– Runs NAT software in router connecting to Internet
• NAT
– Replaces source address in outgoing datagram
– Replaces destination address in incoming datagram
– Also handles higher layer protocols (e.g., pseudo header for TCP or UDP)

NAT Translation Table
• NAT uses translation table
• Entry in table specifies local (private) endpoint and global destination.
• Typical paradigm
– Entry in table created as side-effect of datagram leaving site
– Entry in table used to reverse address mapping for incoming datagram

Example NAT Translation Table
(figure)
• Variant of NAT that uses protocol port numbers is known as Network Address and Port Translation (NAPT)

Use Of NAT By An ISP
(figure)
The use of NAT by a small ISP that serves dialup customers. NAT translation allows the ISP to assign a private address to each dialup customer.

Higher Layer Protocols And NAT
• NAT must
– Change IP headers
– Possibly change TCP or UDP source ports
– Recompute TCP or UDP checksums
– Translate ICMP messages
– Translate port numbers in an FTP session

Applications And NAT
NAT affects ICMP, TCP, UDP, and other higher-layer protocols; except for a few standard applications like FTP, an application protocol that passes IP addresses or protocol port numbers as data will not operate correctly across NAT.
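One translator that ties together the NAT Details and NAT Translation Table slides (entry created as a side-effect of the first outgoing datagram, reversed for the reply, nothing for an unsolicited arrival) with the two points just made: transport checksums cover a pseudo header and so must be recomputed, and an address carried as application data is not rewritten. This is an added example, not code from the lecture or from Comer; datagrams are plain dicts rather than raw packets, only the UDP checksum is computed over real bytes (pseudo header, UDP header and data as in RFC 768), and the site's global address, the port pool and all traffic are constructed.

```python
"""Added example: a minimal NAPT translator for UDP. Addresses, ports and traffic are constructed."""
import ipaddress
import struct

GLOBAL_ADDR = "203.0.113.10"   # the site's single globally valid address (constructed)
IPPROTO_UDP = 17

def _ones_complement(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """Checksum over the IPv4 pseudo header, so it depends on the addresses NAT rewrites."""
    length = 8 + len(payload)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, IPPROTO_UDP, length))
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return _ones_complement(pseudo + udp) or 0xFFFF   # UDP sends a computed zero as all-ones

def make_dgram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "proto": IPPROTO_UDP, "sport": sport, "dport": dport,
            "payload": payload, "csum": udp_checksum(src, dst, sport, dport, payload)}

def checksum_ok(d: dict) -> bool:
    return udp_checksum(d["src"], d["dst"], d["sport"], d["dport"], d["payload"]) == d["csum"]

class Napt:
    """Translation table keyed by the private endpoint and the global destination."""

    def __init__(self, global_addr: str = GLOBAL_ADDR, first_port: int = 40000):
        self.global_addr = global_addr
        self.next_port = first_port
        self.out = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> global port
        self.back = {}   # (global port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outgoing(self, d: dict) -> dict:
        """Rewrite source address and port; the entry is created as a side-effect of the first datagram."""
        key = (d["src"], d["sport"], d["dst"], d["dport"])
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, d["dst"], d["dport"])] = (d["src"], d["sport"])
            self.next_port += 1
        # make_dgram recomputes the UDP checksum for the rewritten source endpoint
        return make_dgram(self.global_addr, d["dst"], self.out[key], d["dport"], d["payload"])

    def incoming(self, d: dict):
        """Reverse the mapping; a datagram with no matching entry is dropped (returns None)."""
        entry = self.back.get((d["dport"], d["src"], d["sport"]))
        if entry is None or d["dst"] != self.global_addr:
            return None
        priv_ip, priv_port = entry
        return make_dgram(d["src"], priv_ip, d["sport"], priv_port, d["payload"])

def address_in_payload(d: dict, addr: str) -> bool:
    """NAT rewrites headers only: an address carried as application data is left untouched."""
    return addr.encode() in d["payload"]

def demo() -> dict:
    nat = Napt()
    # Two inside hosts that happen to use the same private source port (constructed traffic)
    host_a = make_dgram("10.0.0.5", "198.51.100.7", 5000, 53, b"query")
    host_b = make_dgram("10.0.0.6", "198.51.100.7", 5000, 53, b"query")
    out_a, out_b = nat.outgoing(host_a), nat.outgoing(host_b)
    reply = make_dgram("198.51.100.7", GLOBAL_ADDR, 53, out_a["sport"], b"answer")
    stray = make_dgram("192.0.2.9", GLOBAL_ADDR, 4444, 40000, b"unsolicited")
    # A constructed application message that names the sender's private address in its data
    chatty = nat.outgoing(make_dgram("10.0.0.5", "198.51.100.7", 6000, 2121, b"reach me at 10.0.0.5"))
    return {"out_a": out_a, "out_b": out_b, "back": nat.incoming(reply),
            "stray": nat.incoming(stray), "chatty": chatty}
```

The reverse table is keyed on the remote endpoint as well as the allocated port, so a datagram from some other remote host aimed at a port in use is dropped rather than delivered inside; the last case in demo() shows the limitation the slide names, since the translated datagram leaves the site with the private address still sitting in its data.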

Summary
• Virtual Private Networks (VPNs) combine the advantages of low cost Internet connections with the safety of private networks
• VPNs use encryption and tunneling
• Network Address Translation allows a site to multiplex communication with multiple computers through a single, globally valid IP address.
• NAT uses a table to translate addresses in outgoing and incoming datagrams