Unit 9: Private Virtual Interconnection
Topics to be covered
• Private networks
– Intranet
– Extranet
– Addressing
• VPN
– VPN-addressing and routing
• NAT
– table creation
– Multi-address NAT
– Port-address NAT
Private networks
• A private network is designed to be used only inside an
organization.
• It allows access to shared resources and, at the same time,
provides privacy.
• Intranet:
– An intranet is a private network (LAN) that uses the TCP/IP
protocol suite.
– Access to the network is limited to users inside the
organization.
– The network uses application programs defined for the global
Internet, such as HTTP, and may have Web servers, print servers,
file servers and so on.
• Extranet:
– An extranet is the same as an intranet with one major
difference.
– Some resources may be accessed by a specific group of
users outside the organization, under the control of the
network administrator.
– For example: an organization may allow authorized
customers access to product specifications, availability,
and on-line ordering.
– A university or a college can allow distance-learning
students access to the computer lab after their passwords
have been checked.
• Addressing: A private network that uses the TCP/IP protocol
suite must use IP addresses.
• Three choices are available:
– The network can apply for a set of addresses from the
Internet authorities and use them without being connected
to the Internet. This strategy has an advantage: if in the
future the organization wants an Internet connection, it can
obtain one with relative ease. However, there is also a
disadvantage: the address space is wasted.
Addresses for private networks (the RFC 1918 ranges)
Range                              Block            Total addresses
10.0.0.0 to 10.255.255.255         10.0.0.0/8       2^24
172.16.0.0 to 172.31.255.255       172.16.0.0/12    2^20
192.168.0.0 to 192.168.255.255     192.168.0.0/16   2^16
• These addresses are not routed on the global Internet, so any
organization can use them internally without applying to the
Internet authorities.
Achieving privacy
• To achieve privacy, organizations can use one of three
strategies:
1. Private networks
2. Hybrid networks
3. Virtual private networks
Private networks
• An organization that needs privacy when routing
information inside the organization can use a private
network.
• A small organization with a single site can use an
isolated LAN.
• People inside the organization can send data to one
another that remains entirely inside the organization,
secure from outsiders.
• A large organization with several sites can create a
private internet.
• The LANs at different sites can be connected to each
other using routers and leased lines.
• An internet can be made out of private LANs and private
WANs.
• In the figure the LANs are connected to each other using routers and one
leased line.
• The organization has created a private internet that is totally isolated
from the global Internet.
• For end-to-end communication between stations at different sites,
the organization can use the TCP/IP protocol suite.
• However, there is no need for the organization to apply for IP
addresses from the Internet authorities.
• It can use private IP addresses.
• The organization can use any IP class and assign network and host
addresses internally. Because the internet is private, duplication of
addresses by another organization in the global Internet is not a
problem.
Hybrid networks
• Today, most organizations need privacy in intra-organization
data exchange, but at the same time they need to be connected
to the global Internet for data exchange with other organizations.
One solution is the use of a hybrid network.
Hybrid networks
• An organization with two sites uses routers R1 and R2 to connect the two sites privately
through a leased line; it uses routers R3 and R4 to connect the two sites to the rest of the
world.
• The organization uses global IP addresses for both types of communication.
• However, packets destined for internal recipients are routed only through routers R1 and
R2. Routers R3 and R4 route the packets destined for outsiders.
Virtual private networks
• Both private and hybrid networks have a major drawback:
cost. Private wide area networks are expensive.
• One solution is to use the global Internet for both private and public
communication.
Virtual private networks
• The following figure shows the idea of a virtual private network. Routers
R1 and R2 use VPN technology to guarantee privacy for the
organization's traffic while it crosses the public Internet.
VPN technology
• VPN technology uses two techniques simultaneously to
guarantee privacy for an organization:
1. IPSec
2. Tunneling
IPsec
• IP Security (IPSec) is a collection of protocols designed by the IETF
(Internet Engineering Task Force) to provide security for a packet at
the IP level.
• IPSec does not mandate any specific encryption or
authentication method.
• Instead, it provides a framework and a mechanism; it leaves the
selection of the encryption, authentication, and hashing methods to
the communicating entities, which agree on them per security
association.
Security association
• IPSec requires a logical connection between the two hosts, called a
Security Association (SA), which is set up by a signaling protocol
(in practice IKE) or configured manually.
• In other words, IPSec needs the connectionless IP protocol changed
to a connection-oriented protocol before security can be applied.
• An SA is a simplex (unidirectional) connection between a
source and a destination.
• If a duplex (bidirectional) connection is needed, two SAs are
required, one in each direction.
• An SA is uniquely defined by three elements: the security
parameters index (SPI), the destination IP address, and the
security protocol in use (AH or ESP).
Two modes
• IPSec operates in two different modes: transport mode
and tunnel mode. The mode defines where the IPSec
header is added to the IP packet.
Transport mode:
– In this mode, the IPSec header is added between the IP header and
the rest of the packet. It protects the payload only and is normally
used between two end hosts.
Tunnel mode:
– In this mode, the IPSec header is placed in front of the original IP
header.
– A new IP header is added in front. The IPSec header, the preserved
IP header, and the rest of the packet are treated as a payload, so the
original addresses are protected too. This is the mode used between
the VPN routers R1 and R2.
(Figure: packet layout in transport mode and in tunnel mode.)
Two security protocols
• IPSec defines two protocols: the Authentication Header (AH) protocol
and the Encapsulating Security Payload (ESP) protocol.
• The figure shows the fields and the position of the authentication header
in transport mode.
• When an IP datagram carries an authentication header, the original
value in the protocol field of the IP header is replaced by the value
51. A field inside the authentication header (the next header field)
holds the original value of the protocol field (the type of payload
being carried by the IP datagram).
• Addition of an authentication header follows these steps:
1. An authentication header is added to the payload with the
authentication data field set to zero.
2. Padding may be added so that the total length suits the particular
hashing algorithm and the header stays 32-bit aligned.
3. Hashing is applied to the whole packet. However, only those fields of
the IP header that do not change during transmission are included
in the calculation of the message digest (authentication data); TTL,
header checksum and flags/fragment offset, for example, are zeroed
before hashing. The "hash" is a keyed one (an HMAC under the SA's
key): an unkeyed digest would give no authentication, since anyone
on the path could recompute it.
4. The authentication data are placed in the authentication header.
5. The IP header is added after changing the value of the protocol
field to 51.
• Next header:
• The 8-bit next header field defines the type of payload carried by the
IP datagram (TCP, UDP, ICMP, OSPF, and so on). It has the same
function as the protocol field in the IP header before encapsulation.
• In other words, the process copies the value of the protocol field in
the IP datagram to this field. The value of the protocol field in the IP
datagram is then changed to 51 to show that the packet carries an
authentication header.
• Payload length:
• The name of this 8-bit payload length field is misleading. It does not
define the length of the payload; it defines the length of the
authentication header in 4-byte units minus 2, i.e. it does not count
the first 8 bytes (for HMAC-SHA1-96, whose header is 24 bytes, the
value is 4).
• Security parameters index:
• The 32-bit security parameters index (SPI) field plays the important
role of a virtual circuit identifier and is constant for all packets sent
during a security association; the receiver uses it (together with the
destination address and the protocol) to find the SA, and so the key.
• Sequence number:
• A 32-bit sequence number provides ordering information for a
sequence of datagrams.
• The sequence number prevents replay: the receiver keeps a sliding
window of recently seen numbers and discards a datagram whose
number is duplicated or too old.
• The sequence number is not repeated even if a packet is
retransmitted. A sequence number does not wrap around after it
reaches 2^32; a new SA must be established.
• Authentication data:
• Finally, the authentication data field is the result of applying a keyed
hash function to the entire IP datagram except for the fields that
change in transit.
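The AH construction described above (the five steps, the exclusion of mutable IP header fields, the next header / payload length / SPI / sequence number / authentication data fields, and the receiver's replay window), carried through as an added example; this is not code from the original slides. It builds a transport-mode AH datagram with HMAC-SHA1-96 and checks it at the receiver. The SA key, the SPI, the two 10.x.x.x host addresses and the TCP segment are all constructed for the example, and the IP header checksum is left at zero because AH excludes it anyway.

```python
import hashlib
import hmac
import struct

# Hypothetical SA parameters, constructed for this example (not from the slides).
AH_PROTO = 51                     # IP protocol number that marks an AH datagram
TCP_PROTO = 6
ICV_LEN = 12                      # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
SPI = 0x00001234
AH_KEY = bytes.fromhex("0b" * 20)


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, checksum=0):
    """Minimal 20-byte IPv4 header (no options); checksum is mutable and not covered by AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1ABC, 0x4000,
                       ttl, proto, checksum, src, dst)


def zero_mutable_fields(ip_hdr):
    """Copy of the IPv4 header with the fields that change in transit zeroed
    (TOS, flags/fragment offset, TTL, header checksum); only the rest is covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def compute_icv(ip_hdr, ah_fixed, payload, key, icv_len=ICV_LEN):
    """Keyed hash over immutable IP header + AH (ICV field zeroed) + payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * icv_len + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:icv_len]


def build_ah_packet(src, dst, next_header, payload, seq):
    """Transport-mode AH: IP header (protocol 51) | AH | original payload."""
    ah_len = 12 + ICV_LEN
    payload_len_field = ah_len // 4 - 2          # AH length in 32-bit words minus 2
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, SPI, seq)
    icv = compute_icv(ip_hdr, ah_fixed, payload, AH_KEY)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah_packet(pkt, key):
    """Receiver side: recompute the ICV and compare in constant time.
    Returns (ok, next_header, seq, payload)."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    if ip_hdr[9] != AH_PROTO:
        return False, None, None, None
    next_header, payload_len_field, _res, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (payload_len_field + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    if spi != SPI:
        return False, None, None, None
    expected = compute_icv(ip_hdr, rest[:12], payload, key, len(icv))
    return hmac.compare_digest(icv, expected), next_header, seq, payload


class ReplayWindow:
    """Receiver-side anti-replay check: sliding window of 64 sequence numbers."""
    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                                   # 0 is never sent on an SA
        if seq > self.highest:                             # advance the window
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
            return True
        back = self.highest - seq
        if back >= self.size or self.bitmap & (1 << back):
            return False                                   # too old, or already seen
        self.bitmap |= 1 << back
        return True


def demo():
    src, dst = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 7])        # constructed private hosts
    tcp_segment = b"\x04\xd2\x00\x50" + b"\x00" * 16 + b"GET / HTTP/1.0\r\n"
    pkt = build_ah_packet(src, dst, TCP_PROTO, tcp_segment, seq=1)

    forwarded = bytearray(pkt); forwarded[8] -= 1                 # a router decrements TTL
    ok_forwarded, nh, seq, _ = verify_ah_packet(bytes(forwarded), AH_KEY)

    tampered = bytearray(pkt); tampered[-1] ^= 0x01              # one payload byte changed
    ok_tampered, *_ = verify_ah_packet(bytes(tampered), AH_KEY)

    window = ReplayWindow()
    first, replayed = window.accept(seq), window.accept(seq)     # same datagram twice
    return ok_forwarded, ok_tampered, nh, first, replayed


if __name__ == "__main__":
    print(demo())
```

The TTL change survives verification because the field is zeroed on both sides before hashing; the payload change does not. The replay window is what gives the sequence number its value: without it the receiver would accept the captured datagram again.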
• Encapsulating Security Payload:
• The AH protocol does not provide privacy, only message
authentication and integrity.
• IPSec later defined an alternative protocol that provides
message authentication, integrity, and privacy, called
Encapsulating Security Payload (ESP).
• ESP adds a header and a trailer.
• Note that ESP's authentication data are added at the end of the
packet, which makes their calculation easier: the receiver can check
them before decrypting anything.
• When an IP datagram carries an ESP header and trailer, the
value of the protocol field in the IP header changes to 50.
• A field inside the ESP trailer (the next header field) holds the
original value of the protocol field (the type of payload being
carried by the IP datagram, such as TCP or UDP).
• The ESP procedure follows these steps:
• The ESP trailer is added to the payload, and the payload and trailer
are encrypted (the ESP header is not).
• The ESP header, the encrypted payload and the encrypted ESP trailer
are used to create the authentication data.
• The authentication data are added at the end of the ESP trailer.
• The fields of the trailer are as follows:
• Pad length: The 8-bit pad length field defines the number of
padding bytes. Padding is added so that the encrypted part is a
multiple of the cipher's block size and the pad length and next
header fields end on a 4-byte boundary.
• The value is between 0 and 255; the maximum value is rare.
• Next header: The 8-bit next header field is similar to that defined in
the AH protocol. It serves the same purpose as the protocol field in
the IP header before encapsulation.
• IPv4 and IPv6: IPSec supports both IPv4 and IPv6. In IPv6, however,
AH and ESP are carried as extension headers.
Tunneling
• To guarantee privacy for an organization, VPN specifies that each IP
datagram destined for private use in the organization must be
encapsulated in another datagram.
• This is called tunneling because the original datagram is hidden
inside the outer datagram after leaving R1 in the figure and is not
visible again until it reaches R2. It appears that the original datagram
has gone through a tunnel spanning R1 and R2.
Tunneling
• The entire IP datagram (including the header) is first encrypted and then
encapsulated in another datagram with a new header.
• The inner datagram carries the actual source and destination
addresses of the packet (two stations inside the organization).
• The outer datagram header carries the source and destination addresses
of the two routers at the boundary between the private and public networks.
• The public network (Internet) is responsible for carrying the packets
from R1 to R2.
• Outsiders cannot read the contents of the packets or the inner source and
destination addresses; they see only that R1 is talking to R2.
• Decryption takes place at R2, which reads the destination address of the
inner packet and delivers it.
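The ESP procedure (trailer, padding, encrypt-then-authenticate, the trailing ICV) and the tunnel between R1 and R2 described in the last two sections, combined in one added example; it is not code from the original slides. R1 wraps a whole inner datagram between two private hosts into an ESP datagram in tunnel mode, and R2 verifies the ICV before decrypting, checks the padding, and recovers the inner datagram. The SPI, keys, the two private host addresses and the routers' public addresses (documentation ranges) are constructed for the example. The cipher is a stand-in: a counter-mode keystream derived with HMAC-SHA256 so that the block runs with the standard library alone; a real SA would negotiate a cipher such as AES, and the ESP framing around it is the same.

```python
import hashlib
import hmac
import struct

# Hypothetical SA parameters, constructed for this example (not from the slides).
ESP_PROTO = 50            # IP protocol number that marks an ESP datagram
IPV4_IN_IP = 4            # next-header value for an encapsulated IPv4 datagram (tunnel mode)
TCP_PROTO = 6
SPI = 0x00005678
ICV_LEN = 12              # HMAC-SHA1-96
IV_LEN = 8
ENC_KEY = bytes.fromhex("a1" * 32)
AUTH_KEY = bytes.fromhex("b2" * 20)

# Hypothetical public addresses of the two VPN routers (documentation ranges).
R1_PUBLIC = bytes([203, 0, 113, 1])
R2_PUBLIC = bytes([198, 51, 100, 1])


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; header checksum left at 0 for this example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1ABC, 0x4000, ttl, proto, 0, src, dst)


def keystream(key, iv, n):
    """Stand-in for the SA's block cipher: HMAC-SHA256 in counter mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner_datagram, seq, iv):
    """R1 side, tunnel mode: encrypt the whole inner datagram (with its private
    addresses), authenticate header + IV + ciphertext, prepend the outer header."""
    pad_len = (-(len(inner_datagram) + 2)) % 4          # pad length + next header end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))              # default self-describing padding 1, 2, 3, ...
    plaintext = inner_datagram + padding + bytes([pad_len, IPV4_IN_IP])   # payload + ESP trailer
    ciphertext = xor(plaintext, keystream(ENC_KEY, iv, len(plaintext)))
    authenticated = struct.pack("!II", SPI, seq) + iv + ciphertext       # ESP header is not encrypted
    icv = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    esp = authenticated + icv                                             # ICV goes last
    return ipv4_header(R1_PUBLIC, R2_PUBLIC, ESP_PROTO, 20 + len(esp)) + esp


def esp_decapsulate(pkt):
    """R2 side: verify the ICV first, then decrypt, check padding, and return
    (next_header, inner_datagram); None for anything that fails."""
    outer, esp = pkt[:20], pkt[20:]
    if outer[9] != ESP_PROTO or len(esp) < 8 + IV_LEN + ICV_LEN:
        return None
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                       # unauthenticated data is never decrypted
    spi, _seq = struct.unpack("!II", authenticated[:8])
    if spi != SPI:
        return None
    iv, ciphertext = authenticated[8:8 + IV_LEN], authenticated[8 + IV_LEN:]
    plaintext = xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    body, padding = plaintext[:-2 - pad_len], plaintext[-2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        return None
    return next_header, body


def demo():
    # Constructed inner datagram between two private hosts, one at each site.
    inner_src, inner_dst = bytes([10, 1, 1, 5]), bytes([10, 2, 2, 7])
    tcp_segment = b"\x04\xd2\x00\x50" + b"\x00" * 16 + b"hello"
    inner = ipv4_header(inner_src, inner_dst, TCP_PROTO, 20 + len(tcp_segment)) + tcp_segment
    iv = bytes.fromhex("0001020304050607")          # fixed for reproducibility; use os.urandom(IV_LEN) per packet
    pkt = esp_encapsulate(inner, seq=1, iv=iv)

    outer_src, outer_dst = pkt[12:16], pkt[16:20]   # all the public Internet sees
    inner_visible = inner_src in pkt                # the private addresses are not in the clear
    result = esp_decapsulate(pkt)                   # R2 recovers the original datagram

    tampered = bytearray(pkt); tampered[40] ^= 0x01 # flip one ciphertext byte
    rejected = esp_decapsulate(bytes(tampered)) is None
    return outer_src, outer_dst, inner_visible, result, rejected


if __name__ == "__main__":
    print(demo())
```

The order in esp_decapsulate is the point of the trailing authentication data: the ICV is checked over the ciphertext before any decryption or padding check, so a modified packet is dropped without touching the cipher or leaking anything through padding errors.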
Network address translation (NAT)
• A technology that is related to private networks and
virtual private networks is network address translation
(NAT).
Implementation of NAT
• As the figure shows, the private network uses private addresses.
• The router that connects the network to the global Internet uses one
private address and one global address.
• The private network is transparent to the rest of the Internet; the
rest of the Internet sees only the NAT router with the address
200.24.5.8.
Translation table
• Translating the source address of an outgoing packet is
straightforward.
• But how does the NAT router know the destination
address of a packet coming from the Internet?
• There may be tens or hundreds of private addresses, each
belonging to one specific host.
• The problem is solved if the NAT router keeps a translation
table.
Address translation
• All outgoing packets go through the NAT router, which
replaces the source address in the packet with the global NAT
address.
• All incoming packets also pass through the NAT router, which replaces
the destination address in the packet (the NAT router's global
address) with the appropriate private address.
Using one IP address
In its simplest form, a translation table has only two
columns: the private address and the external address
(the destination address of the packet).
(Figure: Translation.)
Using one IP address
• In this strategy, communication must always be initiated by the
private network.
• The NAT mechanism described requires that the private network start
the communication.
• NAT is used mostly by ISPs, which assign one single address to
many private addresses.
• In this case communication with the Internet is always initiated
from the customer site, using a client program such as an
HTTP, TELNET or FTP client to access the corresponding server program.
• For example:
• When email that originates from a non-customer site is received
by the ISP email server, it is stored in the mailbox of the customer
until retrieved with a protocol such as POP.
• A private network cannot run a server program for clients outside
its network if it is using this NAT technology: an unsolicited
incoming packet matches no table entry and is dropped (unless the
administrator adds a static entry for the server by hand).
Using a pool of IP addresses
• Using only one global address at the NAT router allows
only one private-network host at a time to access the same
external host.
• If the NAT router has a pool of global addresses instead, several
private-network hosts can communicate with the same external
host at the same time, because each pair of addresses defines a
connection. However, there are still some drawbacks: the number of
simultaneous connections to one external host is limited by the size
of the pool.
Using both IP addresses and port addresses
• When the response from the HTTP server comes back, the combination of source
address (25.8.3.2) and destination port address (1400) defines the private-network
host to which the response should be directed.
• For this translation to work the ephemeral port addresses (1400 and 1401)
must be unique on the NAT side; if two private hosts happen to choose the same
ephemeral port, the NAT router must also rewrite the port, and it keeps both
the original and the translated port in the table.
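The translation table of the last three sections (one global address shared by many private hosts, entries keyed on the port so that responses find their host, unsolicited inbound packets dropped), worked through as an added example in Python; it is not code from the original slides. The NAT router's global address 200.24.5.8 and the external server 25.8.3.2 are the ones on the slides; the private addresses 172.18.3.x and the packet model are constructed for the example, and the translated ports start at 1400 so that the two hosts get 1400 and 1401 as in the slides. It also goes one step beyond the slides with an administrator-configured static entry, the usual way a server behind NAT is reached.

```python
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Only the fields a port-address NAT rewrites (constructed model, not a real parser)."""
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NaptRouter:
    """Port-address NAT: many private hosts share one global address. The
    table is keyed on (protocol, translated port), so responses are mapped back
    even when two private hosts chose the same ephemeral port."""

    def __init__(self, global_ip, first_port=1400):
        self.global_ip = global_ip
        self._next_port = itertools.count(first_port)
        self.table = {}      # (proto, translated port) -> (priv ip, priv port, ext ip, ext port)
        self.reverse = {}    # (proto, priv ip, priv port, ext ip, ext port) -> translated port

    def outbound(self, pkt):
        """Private -> Internet: create a table entry if new, rewrite source address and port."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.reverse:
            port = next(self._next_port)
            while (pkt.proto, port) in self.table:      # skip ports taken by static entries
                port = next(self._next_port)
            self.reverse[key] = port
            self.table[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=self.global_ip, sport=self.reverse[key])

    def inbound(self, pkt):
        """Internet -> private: look up (proto, destination port). A packet with no
        entry, or from an external endpoint other than the one the private host
        talked to, is dropped (None); that is why no server can sit behind plain NAT."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        priv_ip, priv_port, ext_ip, ext_port = entry
        if ext_ip is not None and (pkt.src, pkt.sport) != (ext_ip, ext_port):
            return None
        return replace(pkt, dst=priv_ip, dport=priv_port)

    def add_static_mapping(self, proto, public_port, priv_ip, priv_port):
        """Administrator-configured entry (port forwarding): any outside host may
        reach priv_ip:priv_port through global_ip:public_port."""
        self.table[(proto, public_port)] = (priv_ip, priv_port, None, None)


def demo():
    nat = NaptRouter("200.24.5.8")                       # the NAT router address on the slides
    # Two private hosts (constructed addresses) both connect to the web server
    # 25.8.3.2:80 and both happen to pick ephemeral port 1400.
    a = Packet("tcp", "172.18.3.1", 1400, "25.8.3.2", 80)
    b = Packet("tcp", "172.18.3.2", 1400, "25.8.3.2", 80)
    out_a, out_b = nat.outbound(a), nat.outbound(b)
    # The two responses differ only in destination port, which selects the host.
    resp_a = nat.inbound(Packet("tcp", "25.8.3.2", 80, "200.24.5.8", out_a.sport))
    resp_b = nat.inbound(Packet("tcp", "25.8.3.2", 80, "200.24.5.8", out_b.sport))
    # An outsider probing SSH on the NAT address finds no entry and is dropped.
    probe = nat.inbound(Packet("tcp", "198.51.100.9", 40000, "200.24.5.8", 22))
    return out_a, out_b, resp_a, resp_b, probe


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Real routers also expire entries after a period of silence (and track TCP state) so that translated ports can be reused; the counter here only guarantees uniqueness for the life of the router object.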
NAT and ISP
• An ISP that serves dial-up customers can use NAT
technology to conserve addresses.
(Figure: An ISP and NAT.)