Outline

15-441 Computer Networking • IP Packet Format

Lecture 9 – IP Addressing & Packets • IPv6

• NAT

2

IP Service Model IPv4 Header Fields

• Low-level communication model provided by Internet 3 • Version: IP Version 0 4 8 12 16 19 24 28 1 ver- HLe TOS Length • Datagram sion n Fl • 4 for IPv4 Identifier ag Offset s • Each packet self-contained TTL Protocol Checksum • All information needed to get to destination Source Address • HLen: Header Length Destination Address • No advance setup or connection maintenance Options (if any) • 32-bit words (typically 5) Data • Analogous to letter or telegram • TOS: Type of Service 0 4 8 12 16 19 24 28 31 • Priority information version HLen TOS Length • Length: Packet Length IPv4 Identifier Flag Offset • Bytes (including header) Packet! TTL Protocol Checksum Header! Format! • Header format can change with versions Source Address • First byte identifies version Destination Address • Length field limits packets to 65,535 bytes Options (if any) • In practice, break into much smaller packets for network performance considerations Data

3 4

1 IPv4 Header Fields IPv4 Header Fields

• Identifier, flags, fragment offset à used primarily for fragmentation 0 4 8 12 16 19 24 28 31 ver- HLen! TOS Length sion Identifier Fla Offset • Source Address gs! • Time to live 3 0 4 8 12 16 19 24 28 1 TTL Protocol Checksum ver- HLe • Must be decremented at each router TOS Length sion n Source Address Fl • 32-bit IP address of sender ag Identifier Offset Destination Address • Packets with TTL=0 are thrown away s TTL Protocol Checksum Options (if any) • Ensure packets exit the network Source Address Data • Destination Address • Protocol Destination Address Options (if any) • 32-bit IP address of destination • Demultiplexing to higher layer protocols Data • TCP = 6, ICMP = 1, UDP = 17… • Header checksum • Ensures some degree of header integrity • Like the addresses on an envelope • Relatively weak – 16 bit • Options • Globally unique identification of sender & • E.g. Source routing, record route, etc. receiver • Performance issues • Poorly supported

5 6

IP Fragmentation…jokes... IP Delivery Model …are always…told in parts…

• Best effort service MTU = • Network will do its best to get packet to destination 2000! host! router! router! MTU = 1500! • Does NOT guarantee: host! • Any maximum latency or even ultimate success MTU = 4000! • Sender will be informed if packet doesn’t make it • Every network has own Maximum Transmission Unit • Packets will arrive in same order sent (MTU) • Just one copy of packet will arrive • Largest IP datagram it can carry within its own packet frame • Implications • E.g., Ethernet is 1500 bytes • Scales very well • Don’t know MTUs of all intermediate networks in advance • Higher level protocols must make up for shortcomings • IP Solution • Reliably delivering ordered sequence of bytes à TCP • When hit network with small MTU, fragment packets • Some services not feasible • Latency or bandwidth guarantees

7 8

2 Reassembly Fragmentation Related Fields

• Where to do reassembly? • Length • End nodes or at routers? • Length of IP fragment • End nodes • Identification • Avoids unnecessary work where large packets are • To match up with other fragments fragmented multiple times • Flags • If any fragment missing, delete entire packet • Don’t fragment flag • Dangerous to do at intermediate nodes • More fragments flag • How much buffer space required at routers? • Fragment offset • What if routes in network change? • Where this fragment lies in entire IP datagram • Multiple paths through network • All fragments only required to go through destination • Measured in 8 octet units (13 bit field)

9 10

IP Fragmentation Example #1 IP Fragmentation Example #2

MTU = 2000! router! host! router! router! MTU = 4000! Length = 2000, M=1, Offset = 0! Length = 3820, M=0! IP IP IP IP Header Data Length = 3820, M=0! Header Data

IP IP 1980 bytes! Header Data 3800 bytes! Length = 1840, M=0, Offset = 1980!

IP IP Header Data

1820 bytes!

11 12

3 IP Fragmentation Example #3 IP Reassembly

Length = 1500, M=1, Offset = 0! Length = 1500, M=1, Offset = 0! host! • Fragments might arrive out-of- router! IP IP IP IP MTU = 1500! Header Data Header Data order • Don’t know how much memory Length = 520, M=1, Offset = 1480! Length = 2000, M=1, Offset = 0! 1480 bytes! required until receive final fragment IP IP Length = 520, M=1, Offset = 1480! • Some fragments may be IP IP Header Data Header Data duplicated IP IP Length = 1500, M=1, Offset = 1980! Header Data • Keep only one copy IP IP 1980 bytes! Length = 1500, M=1, Offset = 1980! • Some fragments may never arrive Header Data 500 bytes! IP IP • After a while, give up entire process Length = 1840, M=0, Offset = 1980! Length = 360, M=0, Offset = 3460! Header Data Length = 360, M=0, Offset = 3460!

IP IP IP IP IP IP Header Data Header Data Header Data 1480 bytes! IP IP IP IP Data Data Data Data

1820 bytes! 340 bytes! 13 14

Fragmentation and Reassembly Concepts Fragmentation is Harmful

• Demonstrates many Internet concepts • Uses resources poorly • Decentralized • Forwarding costs per packet • Every network can choose MTU • Best if we can send large chunks of data • Connectionless • Worst case: packet just bigger than MTU • Each (fragment of) packet contains full routing information • Poor end-to-end performance • Fragments can proceed independently and along different routes • Loss of a fragment • Best effort • Fail by dropping packet • Path MTU discovery protocol à determines minimum MTU • Destination can give up on reassembly along route • No need to signal sender that failure occurred • Uses ICMP error messages • Complex endpoints and simple routers • Common theme in system design • Reassembly at endpoints • Assure correctness by implementing complete protocol • Optimize common cases to avoid full complexity

15 16

4 Internet Control Message Protocol (ICMP) IP MTU Discovery with ICMP

• Short messages used to send error & other control MTU = information 2000! host! router! • Examples router! MTU = 1500! host! • Ping request / response MTU = 4000! • Can use to check whether remote host reachable • Typically send series of packets from one host to another • Destination unreachable • Indicates how packet got & why couldn’t go further • Typically, all will follow same route • Flow control • Routes remain stable for minutes at a time • Slow down packet delivery rate • Makes sense to determine path MTU before sending real packets • Redirect • Operation • Suggest alternate routing path for future messages • Send max-sized packet with “do not fragment” flag set • Router solicitation / advertisement • If encounters problem, ICMP message will be returned • Helps newly connected host discover local router • “Destination unreachable: Fragmentation needed” • Timeout • Usually indicates MTU encountered • Packet exceeded maximum hop limit 17 18

IP MTU Discovery with ICMP IP MTU Discovery with ICMP

ICMP ICMP Frag. Needed Frag. Needed MTU = 2000 MTU = MTU = 1500 MTU = 2000! host! 2000! host! router! router! router! MTU = 1500! router! MTU = 1500! host! host! MTU = 4000! MTU = 4000!

’ Length = 4000, Don’t Fragment! Length = 2000, Don t Fragment!

IP IP Packet Packet

19 20

5 IP MTU Discovery with ICMP Outline

MTU = 2000! host! router! router! MTU = 1500! • IP Packet Format host! MTU = 4000! Length = 1500, Don’t Fragment! • IPv6 IP Packet • NAT • When successful, no reply at IP level • “No news is good news” • Higher level protocol might have some form of acknowledgement

21 22

IPv6 IPv6 Addressing

• “Next generation” IP. • Do we need more addresses? Probably, long term • Most urgent issue: increasing • Big panic in 90s: “We’re running out of addresses!” address space. • Big worry: Devices. Small devices. Cell phones, toasters, • 128 bit addresses V/Pr Flow label everything. • Simplified header for faster Length Next Hop L • 128 bit addresses provide space for structure (good!) processing: • Hierarchical addressing is much easier • No checksum (why not?) • Assign an entire 48-bit sized chunk per LAN – use Ethernet • No fragmentation (?) addresses Source IP address • Support for guaranteed • Different chunks for geographical addressing, the IPv4 address services: priority and flow id space, • Perhaps help clean up the routing tables - just use one huge chunk • Options handled as “next per ISP and one huge chunk per customer. header” Sub • reduces overhead of handling Destination IP address 010 Registry Provider Subscriber Host options Net

23 24

6 IPv6 Autoconfiguration IPv6 Cleanup - Router-friendly

• Common case: Switched in silicon (“fast path”) • Serverless (“Stateless”). No manual config at all. • Weird cases: Handed to CPU (“slow path”, or “process • Only configures addressing items, NOT other host things switched”) • If you want that, use DHCP. • Typical division: • Fast path: Almost everything • Link-local address • Slow path: • 1111 1110 10 :: 64 bit interface ID (usually from Ethernet addr) • Fragmentation • (fe80::/64 prefix) • TTL expiration (traceroute) • Uniqueness test (“anyone using this address?”) • IP option handling • Slow path is evil in today’s environment • Router contact (solicit, or wait for announcement) • “Christmas Tree” attack sets weird IP options, bits, and overloads • Contains globally unique prefix router. • Usually: Concatenate this prefix with local ID à globally unique IPv6 ID • Developers can’t (really) use things on the slow path for data flow. • DHCP took some of the wind out of this, but nice for “zero- • If it became popular, they’d be in the soup! conf” (many OSes now do this for both v4 and v6) • Other speed issue: Touching data is expensive. Designers would like to minimize accesses to packet during forwarding.

25 26

IPv6 Header Cleanup IPv6 Header Cleanup

• Different options handling • No checksum • IPv4 options: Variable length header field. 32 different options. • Why checksum just the IP header? • Rarely used • No development / many hosts/routers do not support • Efficiency: If packet corrupted at hop 1, don’t • Worse than useless: Packets w/options often even get dropped! • Processed in “slow path”. waste b/w transmitting on hops 2..N. • IPv6 options: “Next header” pointer • Useful when corruption frequent, b/w expensive • Combines “protocol” and “options” handling • Next header: “TCP”, “UDP”, etc. • Today: Corruption rare, b/w cheap • Extensions header: Chained together • Makes it easy to implement host-based options • One value “hop-by-hop” examined by intermediate routers • Things like “source route” implemented only at intermediate hops

27 28

7 IPv6 Fragmentation Cleanup Migration from IPv4 to IPv6

• IPv4: Large Small • Interoperability with IP v4 is necessary for MTU MTU gradual deployment. • IPv6: Router must fragment • Discard packets, send ICMP “Packet Too Big” • Similar to IPv4 “Don’t Fragment” bit handling • Alternative mechanisms: • Sender must support Path MTU discovery • Dual stack operation: IP v6 nodes support both • Receive “Packet too Big” messages and send smaller packets • Increased minimum packet size address types • Link must support 1280 bytes; • Translation: • 1500 bytes if link supports variable sizes • Use form of NAT to connect to the outside world • Reduced packet processing and network complexity. • NAT must not only translate addresses but also translate between IPv4 and IPv6 protocols • Increased MTU a boon to application writers • Hosts can still fragment - using fragmentation header. Routers don’t • Tunneling: tunnel IP v6 packets through IP v4 deal with it any more. clouds

29 30

Outline Altering the Addressing Model

• Original IP Model • Every host has a unique IP address • IP Packet Format • Implications • Any host can find any other host • Any host can communicate with any other host • IPv6 • Any host can act as a server • Just need to know host ID and port number • No Secrecy or Authentication • NAT • Packet traffic observable by routers and by LAN- connected hosts • Possible to forge packets • Use invalid source address

31 32

8 Private Network Accessing Public Internet Reducing IP Addresses

W: Workstation! W: Workstation! S: Server Machine! S: Server Machine! W S W S Corporation X! NAT! Internet! Corporation X! NAT! Internet!

W W W W

• Most machines within organization are used by individuals • Don’t have enough IP addresses for every host in • “Workstations” organization • For most applications, act as clients • Security • Small number of machines act as servers for entire organization • Don’t want every machine in organization known to outside • E.g., mail server world • All traffic to outside passes through firewall • Want to control or monitor traffic in / out of organization (Most) machines within organization don’t need actual IP addresses!!

33 34

Network Address Translation (NAT) NAT: Opening Client Connection

Firewall has valid IP address! W: Workstation! W: Workstation! 10.1.1.1 S: Server Machine! W 243.4.4.4 NAT! Corporation X! NAT! Internet! 198.2.4.5:80 Corporation X! 10.2.2.2:1000 W S! W 10.3.3.3

10.2.2.2 W

• Within Organization • Client 10.2.2.2 wants to connect to server 198.2.4.5:80 • Assign every host an unregistered IP address • OS assigns ephemeral port (1000) • IP addresses 10/8 & 192.168/16 unassigned • Connection request intercepted by Int Addr Int Port NAT Port • Route within organization by IP protocol firewall 10.2.2.2 1000 5000 • Firewall • Maps client to port of firewall (5000) • Doesn’t let any packets from internal node escape • Creates NAT table entry • Outside world doesn’t need to know about internal addresses

35 36

9 NAT: Client Request NAT: Server Response

W: Workstation! W: Workstation! S: Server Machine! S: Server Machine! 10.5.5.5 243.4.4.4 10.5.5.5 243.4.4.4 Internet! 198.2.4.5:80 Corporation X! NAT! Internet! 198.2.4.5:80 Corporation X! NAT! 10.2.2.2:1000 10.2.2.2:1000 S! W S! W

source: !10.2.2.2 source: !243.4.4.4 source: !198.2.4.5 source: !198.2.4.5 dest: !198.2.4.5 dest: !198.2.4.5 dest: !10.2.2.2 dest: !243.4.4.4 src port: 1000 src port: 5000 src port: 80 src port: 80 dest port: 80 dest port: 80 dest port: 1000 dest port: 5000

Int Addr Int Port NAT Port Int Addr Int Port NAT Port • Firewall acts as proxy for client 10.2.2.2 1000 5000 • Firewall acts as proxy for client 10.2.2.2 1000 5000 • Intercepts message from client and marks itself as sender • Acts as destination for server messages • Relabels destination to local addresses 37 38

NAT: Enabling Servers Properties of Firewalls with NAT

C: Remote Client! Firewall has valid IP address! S: Server! • Advantages 10.3.3.3 • Hides IP addresses used in internal network S! 243.4.4.4 • Easy to change ISP: only NAT box needs to have IP address Corporation X! NAT! Internet! 198.2.4.5 • Fewer registered IP addresses required C • Basic protection against remote attack • Does not expose internal structure to outside world • Can control what packets come in and out of system • Can reliably determine whether packet from inside or outside • Use port mapping to make servers available Int Addr Int Port NAT Port • Disadvantages 10.3.3.3 80 80 • Contrary to the “open addressing” scheme envisioned for IP addressing • Manually configure NAT table to include entry for well-known port • External users give address 243.4.4.4:80 • Hard to support peer-to-peer applications • Requests forwarded to server • Why do so many machines want to serve port 1214?

39 40

10 NAT Considerations Important Concepts

• NAT has to be consistent during a session. • Base-level protocol (IP) provides minimal service level • Set up mapping at the beginning of a session and maintain it during the session • Allows highly decentralized implementation • Recall 2nd level goal 1 of Internet: Continue despite loss of networks or gateways • Each step involves determining next hop • What happens if your NAT reboots? • Most of the work at the endpoints • Recycle the mapping that the end of the session • May be hard to detect • ICMP provides low-level error reporting • NAT only works for certain applications. • Some applications (e.g. ftp) pass IP information in payload • Need application level gateways to do a matching translation • IP forwarding à global addressing, alternatives, lookup • Breaks a lot of applications. tables • Example: Let’s look at FTP • NAT is loved and hated • IP addressing à hierarchical, CIDR - Breaks many apps (FTP) • IP service à best effort, simplicity of routers - Inhibits deployment of new applications like p2p (but so do firewalls!) + Little NAT boxes make home networking simple. • IP packets à header fields, fragmentation, ICMP + Saves addresses. Makes allocation simple.

41 42

Next Lecture

• How do forwarding tables get built? • Routing protocols • Distance vector routing • Link state routing

43

11