
Unit 9

Private Virtual Interconnection

Topics to be covered
• Private networks
– Intranet
– Extranet
– Addressing
• VPN
– VPN-addressing and routing
• NAT
– table creation
– Multi-address NAT
– Port-address NAT
Private networks
• A private network is designed to be used only inside an
organization.
• It allows access to shared resources and, at the same time,
provides privacy.
• Intranet:
– An intranet is a private network (LAN) that uses the TCP/IP
protocol suite.
– Access to the network is limited to users inside the
organization.
– The network uses application programs defined for the global
Internet, such as HTTP, and may have a Web server, print server,
file server and so on.

• Extranet:
– An extranet is the same as an intranet with one major
difference.
– Some resources may be accessed by specific groups of
users outside the organization under the control of the
network administrator.
– For example, an organization may allow authorized
customers access to product specifications, availability,
and on-line ordering.
– A university or a college can allow distance-learning
students access to the computer lab after their passwords
have been checked.

• Addressing: A private network that uses the TCP/IP protocol
suite must use IP addresses.
• Three choices are available:
– The network can apply for a set of addresses from
the Internet authorities and use them without being
connected to the Internet. This strategy has an
advantage: if in the future the organization desires an
Internet connection, it can do so with relative ease.
However, there is also a disadvantage: the address
space is wasted.
– The network can use any set of addresses without
registering with the Internet authorities. Because the
network is isolated, the addresses do not have to be
unique. However, this strategy has a serious
drawback: users might mistakenly confuse the
addresses with addresses that are part of the global Internet.
– To overcome the problems associated with the first
and second strategies, the Internet authorities have
reserved three sets of addresses.

Addresses for private networks

Range                              Total
10.0.0.0 to 10.255.255.255         2^24
172.16.0.0 to 172.31.255.255       2^20
192.168.0.0 to 192.168.255.255     2^16

• Any organization can use an address out of this set
without permission from the Internet authorities.
Everybody knows that these reserved addresses are for
private networks. They are unique inside the
organization, but they are not unique globally. No router
will forward a packet that has one of these addresses as
its destination address.

• Achieving privacy:
• To achieve privacy, organizations can use one of three
strategies:
1. Private networks
2. Hybrid networks
3. Virtual private networks

Private networks
• An organization that needs privacy when routing
information inside the organization can use a private
network.
• A small organization with one single site can use an
isolated LAN.
• People inside the organization can send data to one
another that remains totally inside the organization,
secure from outsiders.
• A large organization with several sites can create a
private internet.
• The LANs at different sites can be connected to each
other using routers and leased lines.
• An internet can be made out of private LANs and private
WANs.
• In the figure, the LANs are connected to each other using routers and one
leased line.
• The organization has created a private internet that is totally isolated
from the global Internet.
• For end-to-end communication between stations at different sites,
the organization can use the TCP/IP protocol suite.
• However, there is no need for the organization to apply for IP
addresses with the Internet authorities.
• It can use private IP addresses.
• The organization can use any IP class and assign network and host
addresses internally. Because the internet is private, duplication of
addresses by another organization in the global Internet is not a
problem.

Hybrid networks
• Today, most organizations need to have privacy in intra-
organization data exchange, but at the same time, they need
to be connected to the global Internet for data exchange with
other organizations. One solution is the use of a hybrid
network.
• A hybrid network allows an organization to have its own
private internet and at the same time access to the global
Internet.
• Intra-organization data is routed through the private internet;
inter-organization data is routed through the global Internet.
• The figure shows that the organization uses routers R3 and R4 to
connect the two sites to the rest of the world.

Hybrid networks
• An organization with two sites uses routers R1 and R2 to connect the two sites privately
through a leased line; it uses routers R3 and R4 to connect the two sites to the rest of the
world.
• The organization uses global IP addresses for both types of communication.
• However, packets destined for internal recipients are routed only through routers R1 and
R2. Routers R3 and R4 route the packets destined for outsiders.

Virtual private networks
• Both private and hybrid networks have a major drawback:
cost. Private wide area networks are expensive.
• To connect several sites, an organization needs several leased lines,
which can lead to a high monthly cost.
• One solution is to use the global Internet for both private and public
communication.
• A technology called virtual private network (VPN) allows
organizations to use the global Internet for both purposes.
• A VPN is a network that is private but virtual.
• It is private because it guarantees privacy inside the organization. It is
virtual because it does not use real private WANs; the network is
physically public but virtually private.

Virtual private networks
• The following figure shows the idea of a virtual private network. Routers
R1 and R2 use VPN technology to guarantee privacy for the
organization.

VPN technology
• VPN technology uses two simultaneous
techniques to guarantee privacy for an
organization:
1. IPSec
2. Tunneling

IPSec
• IP Security (IPSec) is a collection of protocols designed by the IETF
(Internet Engineering Task Force) to provide security for a packet at
the IP level.
• IPSec does not define the use of any specific encryption or
authentication method.
• Instead, it provides a framework and a mechanism; it leaves the
selection of the encryption, authentication, and hashing methods to
the entity.

Security association
• IPSec requires a logical connection between two hosts using a
signaling protocol, called a Security Association (SA).
• In other words, IPSec needs the connectionless IP protocol changed
to a connection-oriented protocol before security can be applied.
• An SA is a simplex (unidirectional) connection between a
source and a destination.
• If a duplex (bidirectional) connection is needed, two SAs are required.
An SA connection is uniquely defined by three elements:
– A 32-bit security parameters index (SPI), which acts as a virtual
circuit identifier in connection-oriented protocols such as Frame
Relay or ATM.
– The type of protocol used for security: AH or ESP.
– The source IP address.

Two modes
• IPSec operates in two different modes: transport mode
and tunnel mode. The mode defines where the IPSec
header is added to the IP packet.
• Transport mode:
– In this mode, the IPSec header is added between the IP header and
the rest of the packet.
• Tunnel mode:
– In this mode, the IPSec header is placed in front of the original IP
header.
– A new IP header is added in front. The IPSec header, the preserved
IP header, and the rest of the packet are treated as a payload.

• Transport mode

• Tunnel mode

Two security protocols
• IPSec defines two protocols: the Authentication Header (AH) protocol
and the Encapsulating Security Payload (ESP) protocol.
• Authentication Header (AH) protocol: the authentication header
(AH) protocol is designed to authenticate the source host and to
ensure the integrity of the payload carried by the IP packet.
• The protocol calculates a message digest, using a hashing function
and a symmetric key, and inserts the digest in the authentication
header.
• The AH is put in the appropriate location based on the mode
(transport or tunnel).

• The figure shows the fields and the position of the authentication header
in transport mode.

• When an IP datagram carries an authentication header, the original
value in the protocol field of the IP header is replaced by the value
51. A field inside the authentication header (the next header field)
holds the original value of the protocol field (the type of payload
being carried by the IP datagram).
• Addition of an authentication header follows these steps:
1. An authentication header is added to the payload with the
authentication data field set to zero.
2. Padding may be added to make the total length even for a
particular hashing algorithm.
3. Hashing is based on the total packet. However, only those fields of
the IP header that do not change during transmission are
included in the calculation of the message digest (authentication
data).
4. The authentication data are included in the authentication header.
5. The IP header is added after changing the value of the protocol
field to 51.

• Next header:
• The 8-bit next header field defines the type of payload carried by the
IP datagram (TCP, UDP, ICMP, OSPF, and so on). It has the same
function as the protocol field in the IP header before encapsulation.
• In other words, the process copies the value of the protocol field in
the IP datagram to this field. The value of the protocol field in the IP
datagram is changed to 51 to show that the packet carries an
authentication header.
• Payload length:
• The name of this 8-bit payload-length field is misleading. It does not
define the length of the payload; it defines the length of the
authentication header in 4-byte multiples, but it does not include
the first 8 bytes.

• Security parameters index:
• The 32-bit security parameters index (SPI) field plays the important
role of a virtual circuit identifier and is constant for all packets sent
during a security association connection.
• Sequence number:
• A 32-bit sequence number provides ordering information for a
sequence of datagrams.
• The sequence number prevents playback (replay).
• The sequence number is not repeated even if a packet is
retransmitted. A sequence number does not wrap around after it
reaches 2^32; a new connection must be established.
• Authentication data:
• Finally, the authentication data field is the result of applying a hash
function to the entire IP datagram except for the fields that are
changed during transit.

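The AH steps and the field definitions above, worked through in code. This is an added example and not code from the slides: it builds a transport-mode authentication header in Python with HMAC-SHA1-96 as the assumed hashing method (IPSec itself leaves the choice open), zeroes the mutable IP header fields before hashing, and shows why a TTL decrement in transit does not break verification while a one-byte payload change does. The `AntiReplay` class is a simplified stand-in for the sliding window that real receivers keep; the addresses, key and payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTOCOL = 51   # value written into the IP protocol field when an AH follows
PROTO_TCP = 6
ICV_LEN = 12       # HMAC-SHA1-96: authentication data is the first 96 bits of the HMAC


def ipv4_header(src, dst, protocol, total_length, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header, no options; checksum left at 0 (it is mutable anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0, ttl,
                       protocol, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_header):
    """Copy of the IP header with the fields that change in transit set to zero:
    TOS (byte 1), flags/fragment offset (bytes 6-7), TTL (byte 8), checksum (10-11).
    Version/IHL, total length, identification, protocol and both addresses stay."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_transport_encapsulate(ip_header, payload, spi, seq, key):
    """The slides' steps: AH with zeroed authentication data, digest over the packet
    with mutable IP fields zeroed, digest filled in, protocol field changed to 51."""
    next_header = ip_header[9]                  # original protocol value, e.g. 6 (TCP)
    ah_words = (12 + ICV_LEN) // 4              # the AH is 24 bytes = 6 32-bit words
    payload_len = ah_words - 2                  # "payload length" field: 6 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    ah_zeroed = ah_fixed + bytes(ICV_LEN)
    new_header = bytearray(ip_header)
    new_header[9] = AH_PROTOCOL
    new_header[2:4] = struct.pack("!H", 20 + len(ah_zeroed) + len(payload))
    new_header = bytes(new_header)
    digest = hmac.new(key, zero_mutable_fields(new_header) + ah_zeroed + payload,
                      hashlib.sha1).digest()
    return new_header + ah_fixed + digest[:ICV_LEN] + payload


def ah_transport_verify(packet, key):
    """Receiver side: recompute the digest the same way and compare in constant time.
    Returns the parsed fields on success, None when the authentication data mismatch."""
    ip_header = packet[:20]
    if ip_header[9] != AH_PROTOCOL:
        return None
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    icv = packet[32:20 + ah_len]
    payload = packet[20 + ah_len:]
    ah_zeroed = packet[20:32] + bytes(len(icv))
    digest = hmac.new(key, zero_mutable_fields(ip_header) + ah_zeroed + payload,
                      hashlib.sha1).digest()
    if not hmac.compare_digest(digest[:ICV_LEN], icv):
        return None
    return {"next_header": next_header, "spi": spi, "seq": seq, "payload": payload}


class AntiReplay:
    """Simplified replay check: a sequence number must exceed every one already
    accepted on this SA (real implementations use a sliding window)."""
    def __init__(self):
        self.highest = 0

    def accept(self, seq):
        if seq <= self.highest:
            return False
        self.highest = seq
        return True


def demo(key=b"constructed-demo-key"):
    """Constructed packet 10.0.0.1 -> 10.0.0.2: survives a TTL decrement in transit,
    fails when one payload byte changes, and a replayed sequence number is refused."""
    payload = b"GET / HTTP/1.0\r\n\r\n"
    header = ipv4_header("10.0.0.1", "10.0.0.2", PROTO_TCP, 20 + len(payload))
    packet = ah_transport_encapsulate(header, payload, spi=0x1000, seq=1, key=key)
    in_transit = bytearray(packet)
    in_transit[8] -= 1                          # a router on the path decremented the TTL
    tampered = bytearray(packet)
    tampered[-1] ^= 0x01
    replay = AntiReplay()
    return {
        "protocol_field": packet[9],
        "next_header": packet[20],
        "payload_length_field": packet[21],
        "valid_after_ttl_change": ah_transport_verify(bytes(in_transit), key) is not None,
        "valid_after_tamper": ah_transport_verify(bytes(tampered), key) is not None,
        "first_seq_accepted": replay.accept(1),
        "replayed_seq_accepted": replay.accept(1),
    }
```

Note the payload length field: the header is 24 bytes (12 fixed plus a 12-byte digest), i.e. 6 words, so the field carries 4, which is what the "does not include the first 8 bytes" remark above amounts to.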
• Encapsulating Security Payload:
• The AH protocol does not provide privacy, only message
authentication and integrity.
• IPSec later defined an alternative protocol that provides
message authentication, integrity, and privacy, called
Encapsulating Security Payload (ESP).
• ESP adds a header and a trailer.
• Note that ESP's authentication data are added at the end of
the packet, which makes their calculation easier.
• When an IP datagram carries an ESP header and trailer, the
value of the protocol field in the IP header changes to 50.
• A field inside the ESP trailer (the next-header field) holds the
original value of the protocol field (the type of payload being
carried by the IP datagram, such as TCP or UDP).

• The ESP procedure follows these steps:
1. An ESP trailer is added to the payload.
2. The payload and the trailer are encrypted.
3. The ESP header is added.
4. The ESP header, payload and ESP trailer are used to create the
authentication data.
5. The authentication data are added at the end of the ESP trailer.
6. The IP header is added after changing the protocol value to 50.

• The fields of the ESP header and trailer are as follows:
• Security parameter index: The 32-bit security parameter index field
is similar to that defined for the AH protocol.
• Sequence number: The 32-bit sequence number field is similar to that
defined for the AH protocol.
• Padding: This variable-length field (0 to 255 bytes) of 0s serves as padding.
• Pad length: The 8-bit pad length field defines the number of
padding bytes. The value is between 0 and 255; the maximum value is rare.

• Next header: The 8-bit next header field is similar to that defined in
the AH protocol. It serves the same purpose as the protocol field in
the IP header before encapsulation.
• Authentication data: Finally, the authentication data field is the
result of applying an authentication scheme to part of the datagram.
Note the difference between the authentication data in AH and ESP:
in AH, part of the IP header is included in the calculation of the
authentication data; in ESP, it is not.
• IPv4 and IPv6: IPSec supports both IPv4 and IPv6. In IPv6, however,
AH and ESP are part of the extension headers.

Tunneling
• To guarantee privacy for an organization, VPN specifies that each IP
datagram destined for private use in the organization must be
encapsulated in another datagram.

Tunneling
• This is called tunneling because the original datagram is hidden
inside the outer datagram after exiting R1 in the figure and is invisible until
it reaches R2. It appears that the original datagram has gone through
a tunnel spanning R1 and R2.

Tunneling
• The entire IP datagram (including the header) is first encrypted and then
encapsulated in another datagram with a new header.
• The inner datagram carries the actual source and destination
addresses of the packet (two stations inside the organization).
• The outer datagram header carries the source and destination addresses of the two
routers at the boundary of the private and public networks.
• The public network (Internet) is responsible for carrying the packets
from R1 to R2.
• Outsiders cannot decipher the contents of the packets or the source and
destination addresses.
• Deciphering takes place at R2, which finds the destination address of the
packet and delivers it.

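The six ESP steps from the earlier slide and the tunneling description above, combined in one added example that is not code from the slides. A whole inner IPv4 datagram is encapsulated in tunnel mode between two boundary routers R1 and R2, so the only addresses an outsider sees are the routers'. Assumptions: HMAC-SHA256 run in counter mode stands in for whatever cipher the SA negotiated, HMAC-SHA256 truncated to 128 bits produces the authentication data, R1 and R2 use the documentation addresses 198.51.100.1 and 203.0.113.1, and the inner datagram runs between 172.18.3.1 and 172.18.3.2; all of these values and keys are constructed.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTOCOL = 50       # protocol value of the outer IP header when ESP follows
IPV4_IN_IPV4 = 4        # next-header value: the payload is a whole IPv4 datagram
PROTO_TCP = 6
ICV_LEN = 16            # authentication data truncated to 128 bits (assumption)


def ipv4_header(src, dst, protocol, total_length, ttl=64):
    """Minimal 20-byte IPv4 header without options (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, ttl, protocol,
                       0, socket.inet_aton(src), socket.inet_aton(dst))


def addresses(ip_header):
    return socket.inet_ntoa(ip_header[12:16]), socket.inet_ntoa(ip_header[16:20])


def keystream(enc_key, iv, length):
    """Stand-in cipher: HMAC-SHA256 as a PRF in counter mode (a real SA would use e.g. AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_tunnel_encapsulate(inner_datagram, r1, r2, spi, seq, enc_key, auth_key):
    """The six ESP steps, in tunnel mode: the whole inner datagram is the payload."""
    # 1. Trailer: zero padding so (payload + padding + 2) is a multiple of 4, then
    #    pad length and next header (4: an IPv4 datagram follows).
    pad_len = (-(len(inner_datagram) + 2)) % 4
    trailer = bytes(pad_len) + bytes([pad_len, IPV4_IN_IPV4])
    # 2. Encrypt payload + trailer; the IV travels in clear right after the header.
    iv = struct.pack("!Q", seq)                  # unique per packet within this SA
    plaintext = inner_datagram + trailer
    ciphertext = xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))
    # 3. Header: SPI and sequence number.
    header = struct.pack("!II", spi, seq)
    # 4/5. Authentication data over header, encrypted payload and trailer, appended last.
    body = header + iv + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    # 6. Outer IP header between the boundary routers, protocol field = 50.
    outer = ipv4_header(r1, r2, ESP_PROTOCOL, 20 + len(body) + ICV_LEN)
    return outer + body + icv


def esp_tunnel_decapsulate(packet, enc_key, auth_key):
    """R2 side: verify the authentication data first, then decrypt, strip the trailer
    and recover the inner datagram. None if the check fails or the next header is wrong."""
    outer = packet[:20]
    if outer[9] != ESP_PROTOCOL:
        return None
    body, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:16], body[16:]
    plaintext = xor_bytes(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header != IPV4_IN_IPV4:
        return None
    inner = plaintext[:len(plaintext) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "inner": inner, "outer_addresses": addresses(outer)}


def demo(enc_key=b"constructed-enc-key", auth_key=b"constructed-auth-key"):
    """Constructed: 172.18.3.1 sends to 172.18.3.2; R1 = 198.51.100.1 and R2 = 203.0.113.1."""
    data = b"hello"
    inner = ipv4_header("172.18.3.1", "172.18.3.2", PROTO_TCP, 20 + len(data)) + data
    packet = esp_tunnel_encapsulate(inner, "198.51.100.1", "203.0.113.1",
                                    spi=0x2000, seq=7, enc_key=enc_key, auth_key=auth_key)
    result = esp_tunnel_decapsulate(packet, enc_key, auth_key)
    return {
        "outer_protocol": packet[9],
        "outer_addresses": addresses(packet[:20]),       # all an outsider can read
        "inner_visible_in_transit": inner in packet,     # False: stations' addresses hidden
        "recovered_inner": result["inner"] == inner,
        "inner_addresses": addresses(result["inner"][:20]),
        "wrong_auth_key_rejected": esp_tunnel_decapsulate(packet, enc_key, b"x") is None,
    }
```

The receiver checks the authentication data before it decrypts anything, which is the order the step list implies (the digest covers the ciphertext) and the one that keeps bad packets away from the decryption code.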
Network address translation (NAT)
• A technology that is related to private networks and
virtual private networks is Network Address Translation
(NAT).
• The technology allows a site to use a set of private
addresses for internal communication
and a set of global Internet addresses (at least one) for
communication with another site.
• The site must have only one single connection to the
global Internet through a router that runs NAT software.

Implementation of NAT
• As the figure shows, the private network uses private addresses.
• The router that connects the network to the global Internet uses one
private address and one global address.
• The private network is transparent to the rest of the Internet; the
rest of the Internet sees only the NAT router with the address
200.24.5.8.

Translation table
• Translating the source address of an outgoing packet is
straightforward.
• But how does the NAT router know the destination
address of a packet coming from the Internet?
• There may be tens or hundreds of private addresses, each
belonging to one specific host.
• The problem is solved if the NAT router has a translation
table.

Address translation
• All of the outgoing packets go through the NAT router, which
replaces the source address in the packets with the global NAT
address.
• All incoming packets also pass through the NAT router, which replaces
the destination address in the packets (the NAT router's global
address) with the appropriate private address.

Using one IP address
• In its simplest form, a translation table has only two
columns: the private address and the external address
(destination address of the packet).
• When the router translates the source address of an
outgoing packet, it also makes a note of the destination
address, where the packet is going.
• When the response comes back from the destination, the
router uses the source address of the packet (as the
external address) to find the private address of the
packet.

Translation

Using one IP address
• In this strategy, communication must always be initiated by the
private network.
• The NAT mechanism described requires that the private network start
the communication.
• NAT is used mostly by ISPs, which assign one single address to
many private addresses.
• In this case communication with the Internet is always initiated
from the customer site, using a client program such as
HTTP, TELNET or FTP to access the corresponding server program.
• For example:
• When email that originates from a noncustomer site is received
by the ISP email server, it is stored in the mailbox of the customer
until retrieved with a protocol such as POP.
• A private network cannot run a server program for clients outside
of its network if it is using NAT technology.

Using a pool of IP addresses
• Using only one global address by the NAT router allows
only one private-network host to access the same
external host.
• To remove this restriction, the NAT router can use a pool
of global addresses.
• For example, instead of using only one global address
(200.24.5.8), the NAT router can use four addresses
(200.24.5.8, 200.24.5.9, 200.24.5.10, and 200.24.5.11). In
this case four private-network hosts can communicate with the same external
host at the same time because each
pair of addresses defines a connection. However, there
are still some drawbacks.
• No more than four connections can be made to the same
destination. No private-network host can access two
external server programs (e.g. HTTP and TELNET) at the
same time,
• and likewise, two private-network hosts cannot access
the same external server program (e.g. HTTP or TELNET)
at the same time.

Using both IP addresses and port addresses
• To allow a many-to-many relationship between private-
network hosts and external server programs, we need
more information in the translation table.
• For example, suppose two hosts inside a private
network with addresses 172.18.3.1 and 172.18.3.2 need to
access the HTTP server on external host 25.8.3.2.
• If the translation table has five columns instead of two,
including the source and destination port addresses and
the transport-layer protocol, the ambiguity is eliminated.

Using both IP addresses and port addresses

Private address   Private port   External address   External port   Transport protocol
172.18.3.1        1400           25.8.3.2           80              TCP
172.18.3.2        1401           25.8.3.2           80              TCP
...               ...            ...                ...             ...

• When the response from HTTP comes back, the combination of source
address (25.8.3.2) and destination port address (1400) defines the private-network
host to which the response should be directed.
• For this translation to work, the ephemeral port addresses (1400 and 1401)
must be unique.

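The two-column table from "Using one IP address" and the five-column table above, as an added example that is not code from the slides. `SimpleNat` implements the one-global-address table and refuses a second private host whose reply could not be told apart; `PortNat` implements the five-column table and goes one step beyond the slides by substituting a fresh port when two private hosts happen to pick the same ephemeral port for the same server, which is the case the "must be unique" requirement rules out. The addresses 172.18.3.1, 172.18.3.2, 25.8.3.2 and 200.24.5.8 are the slides' own; the third host 172.18.3.3, the external host 198.51.100.9 and the fresh-port range starting at 50000 are constructed.

```python
import ipaddress
from dataclasses import dataclass

# The three reserved ranges from the "Addresses for private networks" table.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class SimpleNat:
    """Two-column table (private address, external address) and one global address.
    A second private host talking to an external host already in the table would
    make the reply ambiguous, so outbound() refuses it."""
    def __init__(self, global_addr):
        self.global_addr = global_addr
        self.table = {}                          # external address -> private address

    def outbound(self, pkt):
        if not is_private(pkt.src):
            return None                          # only private sources are translated
        if self.table.get(pkt.dst, pkt.src) != pkt.src:
            return None                          # ambiguity: external host already mapped
        self.table[pkt.dst] = pkt.src
        return Packet(self.global_addr, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        private = self.table.get(pkt.src)
        if private is None or pkt.dst != self.global_addr:
            return None
        return Packet(pkt.src, pkt.sport, private, pkt.dport, pkt.proto)


class PortNat:
    """Five-column table: private address, private port, external address, external
    port, transport protocol. The translated port equals the private port unless
    another host already uses it for the same server, then a fresh one is taken."""
    def __init__(self, global_addr, first_free_port=50000):
        self.global_addr = global_addr
        self.next_free = first_free_port
        self.by_flow = {}    # (priv addr, priv port, ext addr, ext port, proto) -> translated port
        self.by_reply = {}   # (ext addr, ext port, translated port, proto) -> (priv addr, priv port)

    def outbound(self, pkt):
        if not is_private(pkt.src):
            return None
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        port = self.by_flow.get(flow)
        if port is None:
            port = pkt.sport
            if (pkt.dst, pkt.dport, port, pkt.proto) in self.by_reply:
                port, self.next_free = self.next_free, self.next_free + 1
            self.by_flow[flow] = port
            self.by_reply[(pkt.dst, pkt.dport, port, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(self.global_addr, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        entry = self.by_reply.get((pkt.src, pkt.sport, pkt.dport, pkt.proto))
        if entry is None or pkt.dst != self.global_addr:
            return None                          # no outbound flow created this entry
        private, pport = entry
        return Packet(pkt.src, pkt.sport, private, pport, pkt.proto)

    def rows(self):
        """Table in the slides' column order, plus the translated port as a sixth column."""
        return sorted((p, pp, e, ep, proto, tp)
                      for (e, ep, tp, proto), (p, pp) in self.by_reply.items())


def demo():
    """The slides' scenario plus a constructed third host that reuses port 1400."""
    basic = SimpleNat("200.24.5.8")
    first = basic.outbound(Packet("172.18.3.1", 1400, "25.8.3.2", 80))
    second = basic.outbound(Packet("172.18.3.2", 1401, "25.8.3.2", 80))
    napt = PortNat("200.24.5.8")
    out1 = napt.outbound(Packet("172.18.3.1", 1400, "25.8.3.2", 80))
    out2 = napt.outbound(Packet("172.18.3.2", 1401, "25.8.3.2", 80))
    out3 = napt.outbound(Packet("172.18.3.3", 1400, "25.8.3.2", 80))
    reply = lambda port: napt.inbound(Packet("25.8.3.2", 80, "200.24.5.8", port))
    return {
        "basic_first": first,
        "basic_second_refused": second is None,
        "napt_ports": (out1.sport, out2.sport, out3.sport),
        "reply_to_1400": reply(1400),
        "reply_to_1401": reply(1401),
        "reply_to_host3": reply(out3.sport),
        "unsolicited_dropped": reply(2222) is None,
        "non_private_source_refused": napt.outbound(Packet("198.51.100.9", 1400, "25.8.3.2", 80)) is None,
        "table": napt.rows(),
    }
```

The inbound path drops any packet for which no outbound flow created a table entry, which is exactly why a server inside the private network cannot be reached from outside under this scheme.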
NAT and ISP
• An ISP that serves dial-up customers can use NAT
technology to conserve addresses.
• For example, imagine an ISP is granted 100 addresses,
but has 100,000 customers.
• Each of the customers is assigned a private network
address. The ISP translates each of the 100,000 source
addresses in outgoing packets to one of the 1000 global
addresses;
• it translates the global destination addresses in the incoming
packets to the corresponding private addresses.

An ISP and NAT
