Lecture 6 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs

Slide 1: Wireless Networks and Mobile Systems, Lecture 6: Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs

Slide 2: Lecture Objectives
● Describe the role of nomadic services in mobile networking
● Describe the objectives and operation of IP virtual private networks (VPNs)
● Describe the objectives and operation of the Dynamic Host Configuration Protocol (DHCP)
● Describe the objectives and operation of network address translation (NAT)
● Describe firewall and packet filter functions, especially as related to NAT
● Provide some high-level background in web services, especially for a wireless “hot spot” service

Slide 3: Agenda
● Nomadic services
● Virtual private networks (VPNs)
● Dynamic Host Configuration Protocol (DHCP)
● Network address translation (NAT)
● Firewalls and packet filtering
● HTML and web programming
● Brief comments on a wireless “hot spot” service

Slide 4: Nomadic Services
● Nomadic services support hosts that attach to different networks, but where host reconfiguration is acceptable
■ Compare to mobile services, where hosts can move to a different network without reconfiguring
● Functions
■ Changing the host’s IP address to that of the current network to which it is attached ⇒ DHCP
■ Limited number of public Internet addresses available in the current network (or any network) ⇒ NAT
■ Lack of trust of the current network (or any network) ⇒ VPN
● A wireless “hot spot” usually combines DHCP, NAT, and firewall functions

Slide 5: Agenda (repeated; same items as slide 3, next topic: virtual private networks)

Slide 6: Nomadic Services Functions
Figure: a Nomadic Node on a visited Private Network (address via DHCP; that network provides DHCP, NAT, and a VPN endpoint) sends Secure Data with a Public Address across the Public Network to the VPN endpoint of the home Private Network, where it travels as Secure Data with a Private Address.
Slide 7: Virtual Private Networks (1)
● Virtual private networks (VPNs)
■ Enable end-to-end security (authentication and, optionally, privacy) for a single (mobile) host connecting to a private network over untrusted (public) intermediate networks
■ Enable security for private network-to-network communication over untrusted intermediate networks
■ Support quality-of-service and other attributes of a service level agreement over a shared network for network-to-network connectivity
● Tunneling protocols
■ Point-to-Point Tunneling Protocol (PPTP)
■ Layer 2 Tunneling Protocol (L2TP)
■ IP Security (IPSec)

Slide 8: Virtual Private Networks (2)
Figure (General VPN): a Host (VPN Client) on the Public Network reaches the VPN Server at the edge of the Private Network through a Secure Tunnel.

Slide 9: Point-to-Point Tunneling Protocol
● PPTP is an extension of the Point-to-Point Protocol (PPP) to support tunneling
● Can carry IP and non-IP packets
Figure (PPTP encapsulation): IP Header | GRE Header | PPP Header | PPP Packet

Slide 10: Layer 2 Tunneling Protocol
● Resulted from the IETF’s merger of PPTP and the Layer 2 Forwarding Protocol (L2FP)
● Can carry IP and non-IP packets over IP and other networks
Figure (L2TP structure): Layer 2 Frames are carried as L2TP Data Messages over the L2TP Data Channel (unreliable); L2TP Control Messages travel over the L2TP Control Channel (unreliable); both run over a Packet Transport (UDP, FR, ATM, etc.)

Slide 11: IP Security
● IPSec has two main components
■ Authentication Header (AH)
■ Encapsulating Security Payload (ESP)
● Two modes
■ Transport mode
■ Tunnel mode
Figure (Tunnel Mode): Tunnel IP Header | AH (or ESP) Header | Inner IP Header | IP Payload, where Inner IP Header + IP Payload is the Original IP Datagram

Slide 12: VPN References
W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter, “Layer Two Tunneling Protocol ‘L2TP’,” RFC 2661, Aug. 1999.
D. Fowler, Virtual Private Networks, Morgan-Kaufmann Publishers, 1999.
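The tunnel-mode layout on slide 11 (and its transport-mode counterpart) worked through in code, as an added example that is not part of the lecture: it builds IPv4 datagrams with a correct header checksum, wraps them in ESP framing (SPI, sequence number, trailer with pad length and next header) in both modes, and strips the framing again. ESP-NULL is assumed (no encryption, no integrity tag) so only the header arrangement is shown; the addresses, SPI and sequence values are constructed.

```python
# Added example (not from the lecture): ESP tunnel vs. transport mode framing.
# ESP-NULL is used (no encryption, no integrity tag); all addresses, SPI and
# sequence numbers are constructed sample values.
import struct
import ipaddress

PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50   # IANA protocol numbers
HDR = struct.Struct("!BBHHHBBH4s4s")           # fixed 20-byte IPv4 header

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_datagram(src, dst, proto, payload, ttl=64):
    """IPv4 header with a correct checksum, followed by the payload."""
    hdr = HDR.pack(0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, ip4(src), ip4(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(data):
    ver_ihl, _, total, _, _, ttl, proto, _, src, dst = HDR.unpack(data[:20])
    assert ver_ihl == 0x45 and checksum(data[:20]) == 0, "bad IPv4 header"
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": data[20:total]}

def esp_wrap(spi, seq, inner, next_header):
    """ESP header (SPI, sequence) + inner data + trailer (padding, pad length, next header)."""
    pad_len = (-(len(inner) + 2)) % 4              # right-align the trailer in a 32-bit word
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer

def esp_unwrap(esp):
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    return spi, seq, next_header, esp[8:len(esp) - 2 - pad_len]

def tunnel_mode(gw_src, gw_dst, spi, seq, original):
    """Tunnel mode: a new outer IP header, then ESP carrying the whole original datagram."""
    return ipv4_datagram(gw_src, gw_dst, PROTO_ESP, esp_wrap(spi, seq, original, PROTO_IPIP))

def transport_mode(spi, seq, original):
    """Transport mode: the original IP header stays (protocol becomes ESP); only the payload is wrapped."""
    ip = parse_ipv4(original)
    return ipv4_datagram(ip["src"], ip["dst"], PROTO_ESP, esp_wrap(spi, seq, ip["payload"], ip["proto"]))

def decapsulate(packet):
    """Recover the original datagram from either mode; ESP's next-header field tells them apart."""
    outer = parse_ipv4(packet)
    assert outer["proto"] == PROTO_ESP, "not an ESP packet"
    _, _, next_header, inner = esp_unwrap(outer["payload"])
    if next_header == PROTO_IPIP:                  # tunnel mode: inner is a complete IP datagram
        return inner
    return ipv4_datagram(outer["src"], outer["dst"], next_header, inner)   # transport mode

def demo():
    original = ipv4_datagram("10.1.0.5", "10.2.0.9", PROTO_TCP, b"TCP segment (constructed)")
    tunnel = tunnel_mode("203.0.113.1", "198.51.100.7", spi=0x1001, seq=1, original=original)
    transport = transport_mode(spi=0x1002, seq=1, original=original)
    return {"tunnel_outer": (parse_ipv4(tunnel)["src"], parse_ipv4(tunnel)["dst"]),
            "transport_outer": (parse_ipv4(transport)["src"], parse_ipv4(transport)["dst"]),
            "tunnel_roundtrip": decapsulate(tunnel) == original,
            "transport_roundtrip": decapsulate(transport) == original}
```

The point visible in `demo()` is the addressing difference the figure implies: in tunnel mode the outer header carries only the two gateway addresses, so the private 10.x endpoints are not exposed on the public network, whereas transport mode keeps the original endpoint addresses in the clear.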
Slide 13: Agenda (repeated; same items as slide 3, next topic: Dynamic Host Configuration Protocol)

Slide 14: DHCP
● DHCP provides all necessary configuration information to allow a stationary node to become a viable Internet host
● Applications
■ To simplify system administration in traditional networks
■ To improve utilization of IP address space
■ To allow mobile hosts to obtain collocated care-of addresses on foreign networks
R. Droms, “Dynamic Host Configuration Protocol,” RFC 2131, March 1997.
C. E. Perkins, Mobile IP: Design Principles and Practices, Addison-Wesley, Reading, MA, 1998 (Chapter 9).

Slide 15: DHCP: Client-Server Model (1)
● DHCP adheres to a client-server model
■ Client requests service
■ Server provides response
● Request and reply must be sent without the benefit of the client being an Internet host
Figure: a DHCP Server exchanging request/reply with DHCP Client 1 and DHCP Client 2.

Slide 16: DHCP: Client-Server Model (2)
● Client broadcasts request to network
■ Broadcast received by server or relay
■ If a relay is used, it forwards the request with other information to the server
● Server responds with configuration information
● Client acknowledges receipt
● Server reserves IP address (for some lease time) and notifies client that address is reserved
● Client must renew the lease

Slide 17: DHCP Initialization (1)
● Client broadcasts a discover message (DHCPDISCOVER)
■ Sent via UDP to port 67
■ Received by one or more DHCP servers (or relays)
● Responding servers …
■ Determine configuration
■ Send an offer message (DHCPOFFER) to the client
● Client selects a configuration that it wants
■ Sends a request message (DHCPREQUEST) to the selected server
■ Sends the same request message to servers not selected so they can release the reserved IP address

Slide 18: DHCP Initialization (2)
● Selected server …
■ Commits configuration
■ Replies with an acknowledge message (DHCPACK) to complete initialization
Slide 19: DHCP Initialization (3)
Figure (message sequence): Client broadcasts DHCPDISCOVER, received by Server 1 (selected) and Server 2 (not selected); both reply with DHCPOFFER; Client sends DHCPREQUEST to both; Server 1 answers with DHCPACK.

Slide 20: Lease and Renewals (1)
● Server grants use of the IP address for a limited time, the lease time
● Client should renew the lease after about two-thirds of the lease time has expired
● Lease renewal …
■ Client sends DHCPREQUEST message to the original selected server via unicast
■ Server responds with DHCPACK message
■ If no response from the server, client must start again with DHCP initialization

Slide 21: Lease and Renewals (2)
Figure (message sequence): Client sends DHCPREQUEST to Server; Server replies with DHCPACK.

Slide 22: Graceful Shutdown
● Client can perform a graceful shutdown by sending a DHCP release message (DHCPRELEASE) to the server
■ Allows server to release the reserved IP address
● Often, clients just shut down and the IP address is released after the lease time expires
Figure (message sequence): Client sends DHCPRELEASE to Server.

Slide 23: DHCP Options
● DHCP servers can provide optional information beyond the assigned IP address
■ Default router
■ Subnet mask
■ Network Time Protocol (NTP) servers
■ Service Location Protocol (SLP) servers
■ Domain Name System (DNS) servers
■ Local domain name
■ Host name
● Request in discover or request message
● Response in offer or acknowledge message
■ Type, Length, Value (TLV) option

Slide 24: Agenda (repeated; same items as slide 3, next topic: network address translation)
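The initialization exchange of slides 17 to 19, the release of slide 22 and the TLV option encoding of slide 23, worked through as an added example that is not part of the lecture. It encodes and decodes messages in the RFC 2131 wire format (236-byte fixed header, magic cookie, RFC 2132 Type-Length-Value options) and drives a toy server through DISCOVER/OFFER/REQUEST/ACK with two servers, so the non-selected server can be seen releasing its reservation. The addresses, client MAC and lease length are constructed sample values, and the `Server` class is this example's own, not a real DHCP implementation.

```python
# Added example (not from the lecture): RFC 2131 message format with RFC 2132
# TLV options and a toy two-server initialization. Addresses, the client MAC
# and the 3600 s lease are constructed sample values.
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"                     # separates the fixed header from the options
BOOTREQUEST, BOOTREPLY = 1, 2
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # op, htype, hlen, hops, xid, secs, flags,
                                                       # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 7: "DHCPRELEASE"}
MSG_CODES = {name: code for code, name in MSG_TYPES.items()}

def ip4(addr):
    return ipaddress.IPv4Address(addr).packed

def encode_options(options):
    """Serialise (code, value) pairs as Type, Length, Value and terminate with the End option."""
    out = bytearray()
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def decode_options(blob):
    """Parse TLV options; Pad (0) has no length byte and End (255) stops the scan."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_message(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", extra=()):
    """Fixed header (flags = broadcast) + magic cookie + message-type option + further options."""
    options = [(OPT_MSG_TYPE, bytes([MSG_CODES[msg_type]]))] + list(extra)
    header = HEADER.pack(op, 1, len(chaddr), 0, xid, 0, 0x8000, ip4("0.0.0.0"), ip4(yiaddr),
                         ip4("0.0.0.0"), ip4("0.0.0.0"), chaddr, b"", b"")
    return header + MAGIC_COOKIE + encode_options(options)

def parse_message(data):
    f = HEADER.unpack(data[:HEADER.size])
    assert data[HEADER.size:HEADER.size + 4] == MAGIC_COOKIE, "not a DHCP message"
    opts = decode_options(data[HEADER.size + 4:])
    return {"op": f[0], "xid": f[4], "chaddr": f[11][:f[2]],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "type": MSG_TYPES[opts[OPT_MSG_TYPE][0]], "options": opts}

class Server:
    """Toy DHCP server: offers from a pool, commits on REQUEST, frees on RELEASE (not a real daemon)."""
    def __init__(self, server_ip, pool):
        self.server_ip, self.pool, self.offered, self.leases = server_ip, list(pool), {}, {}

    def config(self):   # the optional information of slide 23, as TLV options
        return [(OPT_SUBNET_MASK, ip4("255.255.255.0")), (OPT_ROUTER, ip4("192.168.1.254")),
                (OPT_DNS, ip4("192.168.1.254")), (OPT_LEASE_TIME, struct.pack("!I", 3600)),
                (OPT_SERVER_ID, ip4(self.server_ip))]

    def handle(self, data):
        msg = parse_message(data)
        mac, kind = msg["chaddr"], msg["type"]
        if kind == "DHCPDISCOVER":
            if mac not in self.offered:
                self.offered[mac] = self.pool.pop(0)                  # reserved, not yet committed
            return build_message(BOOTREPLY, "DHCPOFFER", msg["xid"], mac, self.offered[mac], self.config())
        if kind == "DHCPREQUEST":
            if msg["options"].get(OPT_SERVER_ID) != ip4(self.server_ip):
                if mac in self.offered:                                # client chose another server:
                    self.pool.append(self.offered.pop(mac))           # release our reservation
                return None
            self.leases[mac] = self.offered.pop(mac)                  # commit the configuration
            return build_message(BOOTREPLY, "DHCPACK", msg["xid"], mac, self.leases[mac], self.config())
        if kind == "DHCPRELEASE" and mac in self.leases:              # graceful shutdown
            self.pool.append(self.leases.pop(mac))
        return None

def run_exchange():
    """Client's view of initialization against two servers; returns the committed configuration."""
    s1 = Server("192.168.1.254", ["192.168.1.2", "192.168.1.3"])
    s2 = Server("192.168.1.253", ["192.168.1.100"])
    mac = bytes.fromhex("0011223344aa")                                # constructed hardware address
    discover = build_message(BOOTREQUEST, "DHCPDISCOVER", 0x1234, mac)  # broadcast to both servers
    offers = [parse_message(s.handle(discover)) for s in (s1, s2)]
    chosen = offers[0]                                                 # client selects the first offer
    request = build_message(BOOTREQUEST, "DHCPREQUEST", 0x1234, mac,
                            extra=[(OPT_SERVER_ID, chosen["options"][OPT_SERVER_ID])])
    replies = [s.handle(request) for s in (s1, s2)]                    # broadcast: s2 frees its reservation
    ack, opts = parse_message(replies[0]), parse_message(replies[0])["options"]
    return {"type": ack["type"], "ip": ack["yiaddr"], "s2_reply": replies[1], "s2_pool": s2.pool,
            "mask": str(ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])),
            "router": str(ipaddress.IPv4Address(opts[OPT_ROUTER])),
            "lease_seconds": struct.unpack("!I", opts[OPT_LEASE_TIME])[0]}
```

Nothing in this exchange authenticates either side: any host on the broadcast domain can answer a DHCPDISCOVER, which is why a hot spot operator should expect to control the DHCP server on the access network rather than trust whatever answers first.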
Slide 25: Network Address Translation
● NAT “mangles” a packet’s addressing headers as it passes through a router to change either the source or destination address
● Most common form of NAT: network and port address translation
■ A.k.a. IP Masquerading – Linux
■ A.k.a. Port Address Translation (PAT) – Cisco

Slide 26: What is Masquerading?
● One-to-many translation
● The process of routing Internet-bound traffic from a private network through a gateway router that modifies the traffic to look like its own
● On the return, the router demultiplexes the traffic back to the appropriate hosts by source/destination port/address pairs (remembered from transmission)

Slide 27: Example Configuration
Figure: Internal Network 192.168.1.xxx with Host1 (.2), Host2 (.3) and Host3 (.4); Router with eth0 – 192.168.1.254 on the internal side and eth1 – 12.34.56.78 on the External Network.
● Trace a packet from Host1 to google.com
■ IP address: 216.239.39.101

Slide 28: Packet Trace
● Packet sent to HTTP server at google.com

Interface     Src IP          Dest IP          Src Prt   Dest Prt
Host1:eth0    192.168.1.2     216.239.39.101   4356      80
Router:eth0   192.168.1.2     216.239.39.101   4356      80
  … routing, NAT
Router:eth1   12.34.56.78     216.239.39.101   65013*    80
Google.com    12.34.56.78     216.239.39.101   65013*    80

*Note: Masquerading changes the source port as well as the source address for assured demultiplexing. Value depends on implementation.

Slide 29: Packet Trace (2)
● Returning packet

Interface     Src IP          Dest IP          Src Prt   Dest Prt
Google.com    216.239.39.101  12.34.56.78      80        65013
  … routing
Router:eth1   216.239.39.101  12.34.56.78      80        65013
  NAT
Router:eth0   216.239.39.101  192.168.1.2      80        4356
Host1:eth0    216.239.39.101  192.168.1.2      80        4356

Slide 30: Implementation of Masquerading
● Linux – built into kernel firewall
■ Resident for years
■ ipfwadm, ipchains, iptables
● Windows – Internet Connection Sharing
■ Partially with Microsoft Windows 98SE and Windows ME (only share certain interfaces)
■ Full implementation in Microsoft Windows 2000 and Windows XP (share any interface)
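The two packet traces of slides 28 and 29 replayed by a minimal masquerading router, as an added example that is not part of the lecture. The router's addresses, Host1's connection and the translated port 65013 are the slide's values; the second host (reusing Host1's source port, to show why the port must be rewritten) and the unsolicited inbound packet are constructed. The `Masquerader` class is this example's own model, not the Linux or Windows implementation.

```python
# Added example (not from the lecture): one-to-many network-and-port address
# translation replaying the packet trace. 192.168.1.3 and port 65099 are constructed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

class Masquerader:
    """Many private (ip, port) pairs share one public address; the port distinguishes them."""
    def __init__(self, public_ip, first_port=65013):
        self.public_ip = public_ip
        self.next_port = first_port      # port choice depends on implementation (slide 28)
        self.out_map = {}                # (proto, private ip, private port) -> public port
        self.in_map = {}                 # (proto, public port) -> (private ip, private port)

    def outbound(self, pkt):
        """Rewrite source address and port on the way out and remember the mapping."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1          # no wrap-around or idle timeout in this toy model
            self.out_map[key] = port
            self.in_map[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Demultiplex a returning packet to the host that opened the mapping, else drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.in_map.get((pkt.proto, pkt.dst_port))
        if target is None:
            return None                  # nothing inside ever sent from this port: drop
        private_ip, private_port = target
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)

def trace():
    nat = Masquerader("12.34.56.78")
    host1 = Packet("192.168.1.2", "216.239.39.101", 4356, 80)
    host2 = Packet("192.168.1.3", "216.239.39.101", 4356, 80)     # same source port as Host1
    wire1, wire2 = nat.outbound(host1), nat.outbound(host2)
    reply = Packet(wire1.dst_ip, wire1.src_ip, wire1.dst_port, wire1.src_port)   # from google.com
    return {
        "host1_on_wire": wire1,
        "host2_on_wire": wire2,
        "reply_delivered_to": nat.inbound(reply),
        "unsolicited": nat.inbound(Packet("216.239.39.101", "12.34.56.78", 80, 65099)),
    }
```

The last entry shows the side effect that makes masquerading act as a crude packet filter: an inbound packet with no matching entry in the translation table has nowhere to go and is dropped, so internal hosts are not reachable from outside unless a mapping (or an explicit port forward) exists.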
Slide 31: Agenda (repeated; same items as slide 3, next topic: firewalls and packet filtering)

Slide 32: Firewalls
● Routers with “attitude”
● Process packets based on rules
● Rules based on any packet characteristics or attributes
■ Source and destination addresses and ports (e.g., source port 1234 from host 10.0.3.23)
■ Protocol flags (e.g., TCP SYN, TCP ACK)
■ Protocol types (e.g., ICMP, UDP)
■ Connection status (e.g., new or established)

Slide 33: Firewall Services

Layer          Firewall services
Application    Application-specific proxy, Application-specific filter
Presentation   (none)
Session        Gateway, User Filter
Transport      Port map, Port filter, Address map, Address filter
Network        Address map, Address filter, Protocol filter
Data Link      Address filter, Protocol filter
Physical       (none)

Slide 34: Types of Firewalls (1)
● Two types
■ Stateful
■ Stateless
● Stateless
■ Simple, less secure than stateful
■ Makes decisions based on individual packet information
■ Does not maintain any connection status
■ Example:
○ Allow all traffic inbound with destination port 80
○ Deny all traffic from 192.168.1.0/24 on the external interface

Slide 35: Types of Firewalls (2)
● Stateful
■ All the attributes of a stateless firewall plus …
■ Connection status (context for decisions)
○ Watches traffic for SYN, ACK, and FIN packets
○ Knows connection status (established, initiating)
■ More complex, better security
■ Example:
○ Deny all ICMP Echo Reply packets not associated with an Echo Request
○ Deny all TCP sessions not initiated from the inside network

Slide 36: Firewall Implementations
● Implementations
■ Hardware and software
● Hardware (network devices)
■ Cisco PIX, Sonicwall, Watchguard Firebox
● Software (applications)
■ Windows – ZoneAlarm, Norton Personal Firewall, BlackICE
■ Unix and variants – ipfw, ipchains, iptables, ipf
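The stateless rules of slide 34 beside the stateful ones of slide 35, implemented as an added example that is not part of the lecture. The stateless filter looks at one packet at a time; the stateful filter keeps a small connection table fed by TCP SYN/ACK/FIN flags and by ICMP echo requests, which is what lets it drop a reply that no inside host asked for. Interface names (`int`, `ext`), addresses and ports are constructed, and the connection tracker is a simplified model (the flow is forgotten on the first FIN, with no TIME_WAIT handling).

```python
# Added example (not from the lecture): stateless vs. stateful packet filtering.
# Interfaces, addresses, ports and the sample packet sequence are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    iface: str                    # "int" (inside) or "ext" (external) interface
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags among {"SYN", "ACK", "FIN"}
    icmp_type: str = ""           # "echo-request" or "echo-reply"
    icmp_id: int = 0

def stateless(pkt, rules):
    """First matching (predicate, verdict) pair wins; the packet alone is all a rule can see."""
    for pred, verdict in rules:
        if pred(pkt):
            return verdict
    return "DROP"

STATELESS_RULES = [  # slide 34's two example rules
    (lambda p: p.iface == "ext" and p.src.startswith("192.168.1."), "DROP"),   # private source outside
    (lambda p: p.proto == "tcp" and p.dport == 80, "ACCEPT"),                  # inbound web traffic
]

class StatefulFilter:
    """Adds connection context: TCP sessions must start inside, ICMP replies must match a request."""
    def __init__(self):
        self.tcp = {}                 # flow key -> "NEW" | "ESTABLISHED"
        self.pending_echo = set()     # (requester, target, icmp id)

    @staticmethod
    def flow(p):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))   # same key in both directions

    def decide(self, p):
        if p.proto == "tcp":
            return self._tcp(p)
        if p.proto == "icmp":
            return self._icmp(p)
        return "DROP"

    def _tcp(self, p):
        key = self.flow(p)
        if "SYN" in p.flags and "ACK" not in p.flags:         # session initiation
            if p.iface != "int":
                return "DROP"                                  # not initiated from the inside network
            self.tcp[key] = "NEW"
            return "ACCEPT"
        if key not in self.tcp:
            return "DROP"                                      # mid-stream packet, no handshake seen
        if {"SYN", "ACK"} <= p.flags:
            self.tcp[key] = "ESTABLISHED"
        if "FIN" in p.flags:
            del self.tcp[key]                                  # simplification: forget the flow on FIN
        return "ACCEPT"

    def _icmp(self, p):
        if p.icmp_type == "echo-request" and p.iface == "int":
            self.pending_echo.add((p.src, p.dst, p.icmp_id))
            return "ACCEPT"
        if p.icmp_type == "echo-reply":
            want = (p.dst, p.src, p.icmp_id)
            if want in self.pending_echo:
                self.pending_echo.discard(want)                # one reply per request
                return "ACCEPT"
        return "DROP"                                          # reply not associated with a request

def scenario():
    """Verdicts for a constructed packet sequence crossing the stateful filter."""
    fw, inside, outside = StatefulFilter(), "192.168.1.2", "216.239.39.101"
    events = [
        Pkt("int", "tcp", inside, outside, 4356, 80, frozenset({"SYN"})),           # inside opens
        Pkt("ext", "tcp", outside, inside, 80, 4356, frozenset({"SYN", "ACK"})),    # reply to it
        Pkt("int", "tcp", inside, outside, 4356, 80, frozenset({"ACK"})),
        Pkt("ext", "tcp", outside, inside, 80, 4357, frozenset({"ACK"})),           # unknown flow
        Pkt("ext", "tcp", outside, inside, 443, 5000, frozenset({"SYN"})),          # opened from outside
        Pkt("int", "icmp", inside, outside, icmp_type="echo-request", icmp_id=7),
        Pkt("ext", "icmp", outside, inside, icmp_type="echo-reply", icmp_id=7),
        Pkt("ext", "icmp", outside, inside, icmp_type="echo-reply", icmp_id=7),     # second, unsolicited
    ]
    return [fw.decide(p) for p in events]
```

Compare the fourth packet under both filters: the stateless rule set accepts any inbound packet to port 80 whatever its flags, while the stateful filter drops it because no handshake for that flow was ever seen. That gap is the "less secure" of slide 34 made concrete.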
Slide 37: iptables (1)
● Linux firewall (and more)
● Present with the 2.4 series kernel
● Part of the netfilter project
■ http://www.netfilter.org/
● Consists of two parts
■ Firewall code in the kernel
■ User space “iptables” executable to manipulate kernel code
Oskar Andreasson, Iptables Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/.

Slide 38: iptables (2)
● Three parts
■ Rules
■ Chains
■ Tables

Slide 39: iptables (3)
● Rule
■ Lowest-level (most basic) entity in firewalling
■ A single tuple of what to do (action) and packets to which to apply the action (filter)
■ Filter – identifies packets to which the rule applies
○ Addresses, ports, status
■ Action – what to do with the packet (stream)
○ Accept, reject (drop, but reply with ICMP error message), drop, redirect, masquerade, go to another chain, and more

Slide 40: iptables (4)
● Chains
■ An ordered list of rules
■ Traversed in order
■ The first matching rule in the chain is selected
■ Important predefined chains in FILTER table
○ INPUT – all incoming packets go here
○ FORWARD – packets to be routed
○ OUTPUT – all outgoing packets go here

Slide 41: iptables (5)
● Tables
■ Separate different types of operations
■ Three built-in tables
○ FILTER – general filtering
○ NAT – dealing with network address translation
○ MANGLE – other packet changes
■ Each contains multiple chains

Slide 42: iptables (6)
Figure (incoming packet traversal): Network → Mangle PREROUTING (example: setting DSCP) → Nat PREROUTING (example: redirecting) → Routing Decision. Local packets: Mangle INPUT → Filter INPUT (example: typical firewall functions) → Application. Non-local packets: Mangle FORWARD → Filter FORWARD (example: typical firewall functions) → *to output*.
Slide 43: iptables (7)
Figure (outgoing packet traversal): Application → Routing Decision → Mangle OUTPUT → Nat OUTPUT → Filter OUTPUT (example: typical firewall functions); joined by *from non-local input* → Mangle POSTROUTING → Nat POSTROUTING (example: IP masquerading) → Network.

Slide 44: iptables (8)
● Rule placement
■ Rule type specifies table
○ Address translation and IP masquerading map to the NAT table
○ Simple packet filtering maps to the filter table
■ Rule stage specifies chain
○ Prerouting versus postrouting
○ Traffic from local application versus forwarded traffic

Slide 45: Firewall Comments
● “Good” firewall rules are difficult to write
■ Must consider all possible traffic
■ Only allow what should pass
● Stateful firewalls are more secure (and more complex) than stateless firewalls
● Stepping forward
■ Intrusion Detection System (IDS) – “smarter” stateful firewall

Slide 46: Agenda (repeated; same items as slide 3, next topic: HTML and web programming)

Slide 47: Web-Based Authentication
● Consider a wireless LAN “hot spot” service
● This will require consideration and use of…
■ DHCP
■ Firewalling
■ Authentication
■ IP masquerading (NAT)
● Authentication is commonly done using a web-based scheme; here is one approach…
■ The first attempt to access any web page is redirected to an authentication page for the service
■ A script or program must perform authentication and update the configuration to allow access, if appropriate

Slide 48: HTML
● HyperText Markup Language (HTML)
■ Web page “language” (content)
■ Currently in version 4.01
■ Maintained by the World Wide Web Consortium (W3C)
○ http://www.w3c.org
■ Uses “tags”: <begin_tag>text</end_tag>
■ Formatting language
○ Take data and add formatting, pictures, input, and/or links
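The table and chain traversal of slides 42 to 44, configured as the hot-spot service of slide 47, as an added example that is not part of the lecture. A small model of iptables walks a packet through mangle/nat PREROUTING, the routing decision, the INPUT or FORWARD chains and POSTROUTING with first-match semantics and per-chain policies; the rule set sends an unauthenticated client's first web request to a local portal (REDIRECT in nat PREROUTING), forwards only authenticated clients (filter FORWARD, policy DROP) and masquerades whatever leaves the public interface (nat POSTROUTING). The router addresses follow slide 27; the interface names, the portal port 8080 and the `authenticated` set that the authentication script would update are constructed, and the `Tables` class is this example's own model rather than netfilter itself.

```python
# Added example (not from the lecture): iptables-style table/chain traversal
# configured as a captive hot spot. Interface names, the portal port 8080 and
# the authenticated set are constructed.
from dataclasses import dataclass

ROUTER_IPS = {"192.168.1.254", "12.34.56.78"}   # eth0 (private) and eth1 (public), as on slide 27

@dataclass
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: int
    out_if: str = ""           # filled in by the routing decision

@dataclass
class Rule:
    match: object              # callable Packet -> bool: the "filter" part of slide 39
    target: str                # ACCEPT, DROP, REDIRECT or MASQUERADE: the "action" part
    arg: object = None         # REDIRECT's local port

class Tables:
    """Rules live in (table, chain) lists; the first matching rule decides, else the chain policy."""
    def __init__(self, policy=None):
        self.chains, self.policy = {}, policy or {}

    def append(self, table, chain, rule):
        self.chains.setdefault((table, chain), []).append(rule)

    def walk(self, table, chain, pkt, log):
        for rule in self.chains.get((table, chain), []):
            if not rule.match(pkt):
                continue
            log.append(f"{table}/{chain} -> {rule.target}")
            if rule.target == "REDIRECT":                # nat PREROUTING: deliver to the router itself
                pkt.dst, pkt.dport = "192.168.1.254", rule.arg
                return "ACCEPT"
            if rule.target == "MASQUERADE":              # nat POSTROUTING: rewrite the source address
                pkt.src = "12.34.56.78"
                return "ACCEPT"
            return rule.target
        return self.policy.get((table, chain), "ACCEPT")

def route(pkt):
    """Routing decision: local delivery if addressed to the router, else choose the egress interface."""
    if pkt.dst in ROUTER_IPS:
        return "local"
    pkt.out_if = "eth0" if pkt.dst.startswith("192.168.1.") else "eth1"
    return "forward"

def traverse(fw, pkt):
    """Incoming path of slide 42; forwarded packets continue into POSTROUTING as on slide 43."""
    log = []
    for table in ("mangle", "nat"):
        if fw.walk(table, "PREROUTING", pkt, log) == "DROP":
            return "DROP", pkt, log
    if route(pkt) == "local":
        rest, outcome = [("mangle", "INPUT"), ("filter", "INPUT")], "LOCAL"
    else:
        rest = [("mangle", "FORWARD"), ("filter", "FORWARD"), ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
        outcome = "FORWARD"
    for table, chain in rest:
        if fw.walk(table, chain, pkt, log) == "DROP":
            return "DROP", pkt, log
    return outcome, pkt, log

def hot_spot(authenticated):
    """Rule placement per slide 44: translation rules in the nat table, filtering in the filter table."""
    fw = Tables(policy={("filter", "FORWARD"): "DROP"})      # forward nothing unless explicitly allowed
    fw.append("nat", "PREROUTING", Rule(
        lambda p: p.in_if == "eth0" and p.proto == "tcp" and p.dport == 80 and p.src not in authenticated,
        "REDIRECT", 8080))                                    # first web request goes to the portal
    fw.append("filter", "FORWARD", Rule(
        lambda p: p.in_if == "eth0" and p.out_if == "eth1" and p.src in authenticated, "ACCEPT"))
    fw.append("nat", "POSTROUTING", Rule(lambda p: p.out_if == "eth1", "MASQUERADE"))
    return fw

def demo():
    authenticated = set()                                     # the portal script adds clients here
    fw = hot_spot(authenticated)
    web = lambda: Packet("eth0", "192.168.1.2", "216.239.39.101", "tcp", 80)
    before = traverse(fw, web())
    https = traverse(fw, Packet("eth0", "192.168.1.2", "216.239.39.101", "tcp", 443))
    authenticated.add("192.168.1.2")                          # authentication succeeded
    after = traverse(fw, web())
    return {"before": before, "https_before": https, "after": after}
```

With real iptables the same placement reads `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080`, `iptables -P FORWARD DROP` with per-client `iptables -A FORWARD -i eth0 -o eth1 -s <client> -j ACCEPT` rules inserted by the authentication script, and `iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE`; a deployable rule set also needs an `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule in FORWARD so that replies to authenticated clients come back through the DROP policy.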
Slide 49: HTML (2)
● Many extensions and add-ons
■ Responsible for rich web content
● Tags interpreted by web browser; no server processing involved
● May be edited by hand or with a WYSIWYG editor
■ By hand: notepad, emacs, vi
■ WYSIWYG: MS Frontpage, Dreamweaver

Slide 50: Web Programming
● Common Gateway Interface (CGI)
■ A way for web servers to interact with standard programs to generate dynamic web content
■ Input typically HTML form data
■ Output dynamic content (web pages)
■ Can be written using C++, Perl, Fortran, or PHP
■ Can do many functions with the appropriate library
Figure (CGI flow): (1) Web Browser sends URL and parameters to the HTTP Server; (2) the server invokes the CGI Gateway Program; (3) the program processes the request; (4) it returns HTML, text, … to the server; (5) the server returns HTML, text, … to the browser.

Slide 51: Web Programming (2)
● Model
■ Client request
■ Server reference
■ Server processing (CGI, SSI, PHP)
■ Request sent to client
■ Browser processing (JavaScript, HTML, CSS)

Slide 52: No Experience?
● PHP suggested for those with no experience with web programming
● PHP code is embedded in HTML code
■ No compilation
■ Quick editing
● Familiar syntax
■ Borrows syntax “look and feel” from Java, Perl, and C++

Slide 53: Agenda (repeated; same items as slide 3, next topic: brief comments on a wireless “hot spot” service)

Slide 54: A Test Network Configuration
Figure: a router between the “Public” Internet (public side) and the Private Network (private side) providing ● DHCP server ● Firewall ● IP masquerading ● Web-based authentication.
Slide 55: Summary
● Nomadic services enable Internet access
■ Security, addressing, filtering
● VPNs provide authentication and privacy for nomadic users and protect private networks
● DHCP allows nomadic users to obtain an IP address and other configuration information
● NAT conserves addresses in private networks, allowing support for nomadic hosts
● Firewalls and packet filtering provide security and enable access control
● HTML and web programming can be used to authenticate nomadic users for a hot spot service