Middleboxes
Jennifer Rexford
COS 461: Computer Networks
Lectures: MW 10-10:50am in Architecture N101
http://www.cs.princeton.edu/courses/archive/spr12/cos461/

Internet Ideal: Simple Network Model
• Globally unique identifiers
  – Each node has a unique, fixed IP address
  – … reachable from everyone and everywhere
• Simple packet forwarding
  – Network nodes simply forward packets
  – … rather than modifying or filtering them
[Figure: source -> IP network -> destination]

Internet Reality
• Host mobility
  – Host changing address as it moves
• IP address depletion
  – Multiple hosts using the same address
• Security concerns
  – Detecting and blocking unwanted traffic
• Replicated services
  – Load balancing over server replicas
• Performance concerns
  – Allocating bandwidth, caching content, …
• Incremental deployment
  – New technology deployed in stages

Middleboxes
• Middleboxes are intermediaries
  – Interposed between communicating hosts
  – Often without knowledge of one or both parties
• Myriad uses
  – Address translators
  – Firewalls
  – Traffic shapers
  – Intrusion detection
  – Transparent proxies
  – Application accelerators
“An abomination!”
  – Violation of layering
  – Hard to reason about
  – Responsible for subtle bugs
“A practical necessity!”
  – Solve real/pressing problems
  – Needs not likely to go away

Firewalls

Firewalls
• Should arriving packet be allowed in? Departing packet let out?
[Figure: administered network, firewall, public Internet]
• Firewall filters packet-by-packet, based on:
  – Source and destination IP addresses and port numbers
  – TCP SYN and ACK bits; ICMP message type
  – Deep packet inspection on packet contents (DPI)

Firewall Configuration
• Firewall applies a set of rules to each packet
  – To decide whether to permit or deny the packet
• Each rule is a test on the packet
  – Comparing IP and TCP/UDP header fields
  – … and deciding whether to permit or deny
• Order matters
  – Once packet matches a rule, the decision is done

Packet Filtering Examples
• Block all packets with IP protocol field = 17 and with either source or dest port = 23.
  – All incoming and outgoing UDP flows blocked
  – All Telnet connections are blocked
• Block inbound TCP packets with SYN but no ACK
  – Prevents external clients from making TCP connections with internal clients
  – But allows internal clients to connect to outside
• Block all packets with TCP port of Quake

Firewall Configuration Example
• Alice runs a network in 222.22.0.0/16
• Wants to let Bob’s school access certain hosts
  – Bob is on 111.11.0.0/16
  – Alice’s special hosts on 222.22.22.0/24
• Alice doesn’t trust Trudy, inside Bob’s network
  – Trudy is on 111.11.11.0/24
• Alice doesn’t want any other Internet traffic

Firewall Configuration Rules
• #1: Don’t let Trudy’s machines in
  – Deny (src = 111.11.11.0/24, dst = 222.22.0.0/16)
• #2: Let rest of Bob’s network in to special dsts
  – Permit (src = 111.11.0.0/16, dst = 222.22.22.0/24)
• #3: Block the rest of the world
  – Deny (src = 0.0.0.0/0, dst = 0.0.0.0/0)
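Alice's three rules evaluated in order with first-match semantics, as an added Python example (not from the lecture). Only the prefixes come from the slides; the rule-list encoding, the evaluate helper and the sample packets are constructed, and the second, mis-ordered list shows why rule order matters.

```python
import ipaddress

# Alice's rule set from the slides, in order: (action, source prefix, destination prefix).
ALICE_RULES = [
    ("deny",   "111.11.11.0/24", "222.22.0.0/16"),    # #1: keep Trudy's machines out
    ("permit", "111.11.0.0/16",  "222.22.22.0/24"),   # #2: rest of Bob's network to special hosts
    ("deny",   "0.0.0.0/0",      "0.0.0.0/0"),        # #3: block the rest of the world
]


def evaluate(rules, src_ip, dst_ip, default="deny"):
    """First-match evaluation: the first rule whose prefixes cover the packet
    decides, and no later rule is consulted (constructed helper, not lecture code)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return default   # nothing matched: fail closed


# Swapping #1 and #2 shows why order matters: Trudy's /24 lies inside Bob's /16,
# so the permit now shadows the deny and Trudy gets through.
MISORDERED_RULES = [ALICE_RULES[1], ALICE_RULES[0], ALICE_RULES[2]]

if __name__ == "__main__":
    samples = [   # constructed packets (src, dst)
        ("111.11.11.7",  "222.22.22.5"),   # Trudy to a special host
        ("111.11.3.9",   "222.22.22.5"),   # elsewhere in Bob's network to a special host
        ("111.11.3.9",   "222.22.1.1"),    # Bob's network to a non-special host
        ("198.51.100.4", "222.22.22.5"),   # rest of the world
    ]
    for s, d in samples:
        print(f"{s} -> {d}: {evaluate(ALICE_RULES, s, d)} "
              f"(misordered: {evaluate(MISORDERED_RULES, s, d)})")
```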

Stateful Firewall
• Stateless firewall:
  – Treats each packet independently
• Stateful firewall
  – Remembers connection-level information
  – E.g., client initiating connection with a server
  – … allows the server to send return traffic
[Figure: the client's SYN passes out through the firewall; the server's SYN-ACK is let back in]

A Variation: Traffic Management
• Permit vs. deny is too binary a decision
  – Classify the traffic based on rules
  – … and handle each class differently
• Traffic shaping (rate limiting)
  – Limit the amount of bandwidth for certain traffic
• Separate queues
  – Use rules to group related packets
  – And then do weighted fair scheduling across groups
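A minimal connection-tracking firewall illustrating the stateful behaviour above, added here as an example rather than lecture code. The inside prefix, the packet representation and the addresses are constructed; the point is that a server's reply is admitted only because an inside client's SYN was seen first.

```python
import ipaddress


def tcp(src, sport, dst, dport, syn=False, ack=False):
    """Constructed packet representation: just the header fields the firewall tests."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn, "ack": ack}


class StatefulFirewall:
    """Remembers connections initiated from inside; inbound packets are permitted
    only when they belong to one of those connections (constructed, not lecture code)."""

    def __init__(self, inside_prefix):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.connections = set()   # (client_ip, client_port, server_ip, server_port)

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.inside

    def filter(self, pkt):
        outbound = self._inside(pkt["src"]) and not self._inside(pkt["dst"])
        inbound = self._inside(pkt["dst"]) and not self._inside(pkt["src"])
        if outbound:
            if pkt["syn"] and not pkt["ack"]:   # client initiating a connection
                self.connections.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return "permit"
        if inbound:
            # Reverse the tuple: the server's reply names the inside client as destination.
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            return "permit" if key in self.connections else "deny"
        return "deny"   # traffic that does not cross the inside/outside boundary


if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.0/8")
    print(fw.filter(tcp("128.119.40.186", 80, "10.0.0.1", 3345, syn=True, ack=True)))  # deny: no SYN seen yet
    print(fw.filter(tcp("10.0.0.1", 3345, "128.119.40.186", 80, syn=True)))            # permit, state created
    print(fw.filter(tcp("128.119.40.186", 80, "10.0.0.1", 3345, syn=True, ack=True)))  # permit: matches state
    print(fw.filter(tcp("203.0.113.9", 4444, "10.0.0.1", 22, syn=True)))               # deny: unsolicited SYN
```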

Clever Users Subvert Firewalls
• Example: filtering dorm access to a server
  – Firewall rule based on IP addresses of dorms
  – … and the server IP address and port number
  – Problem: users may log in to another machine
• Example: filtering P2P based on port #s
  – Firewall rule based on TCP/UDP port numbers
    • E.g., allow only port 80 (e.g., Web) traffic
  – Problem: software using non-traditional ports
    • E.g., write P2P client to use port 80 instead

Network Address Translation

History of NATs
• IP address space depletion
  – Clear in early 90s that 2^32 addresses not enough
  – Work began on a successor to IPv4
• In the meantime…
  – Share addresses among numerous devices
  – … without requiring changes to existing hosts
• Meant as a short-term remedy
  – Now: NAT is widely deployed, much more than IPv6

Network Address Translation
[Figure: inside hosts 10.0.0.1 and 10.0.0.2 behind a NAT whose outside address is 138.76.29.7]
Problem: Local address not globally addressable outside
NAT rewrites the IP addresses
• Outbound: Rewrite the src IP addr
• Inbound: Rewrite the dest IP addr
• Make “inside” look like single IP addr
• Change header checksums accordingly

Port-Translating NAT
• Two hosts communicate with same destination
  – Destination needs to differentiate the two
• Map outgoing packets
  – Change source address and source port
  – Maintain a translation table
  – Map of (src addr, port #) to (NAT addr, new port #)
• Map incoming packets
  – Map the destination address/port to the local host

Network Address Translation Example
[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind a NAT whose outside address is 138.76.29.7]
NAT translation table:
  WAN side addr        LAN side addr
  138.76.29.7, 5001    10.0.0.1, 3345
  ……                   ……
1. Outgoing packet from the host:      S: 10.0.0.1, 3345      D: 128.119.40.186, 80
2. After NAT rewrites the source:      S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arriving at the NAT:          S: 128.119.40.186, 80  D: 138.76.29.7, 5001
4. After NAT rewrites the destination: S: 128.119.40.186, 80  D: 10.0.0.1, 3345

Maintaining the Mapping Table
• Create an entry upon seeing an outgoing packet
  – Packet with new (source addr, source port) pair
• Eventually, need to delete entries to free up #’s
  – When? If no packets arrive before a timeout
  – (At risk of disrupting a temporarily idle connection)
• Yet another example of “soft state”
  – I.e., removing state if not refreshed for a while

Where is NAT Implemented?
• Home router (e.g., Linksys box)
  – Integrates router, DHCP server, NAT, etc.
  – Use single IP address from the service provider
• Campus or corporate network
  – NAT at the connection to the Internet
  – Share a collection of public IP addresses
  – Avoid complexity of renumbering hosts/routers when changing ISP (w/ provider-allocated IP prefix)
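The port-translating NAT of the previous two slides together with the mapping-table maintenance just described (entry created on the first outgoing packet, soft-state expiry after an idle timeout), as one added Python example that is not the lecture's code. Addresses and ports follow the NAT example figure; the 300-second idle timeout, the port allocation starting at 5001 and the explicit clock argument are assumptions.

```python
class PortTranslatingNAT:
    """Constructed model of a port-translating NAT with soft-state mappings.
    Time is passed in explicitly so the idle timeout can be exercised without sleeping."""

    def __init__(self, public_ip, idle_timeout=300, first_port=5001):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout   # assumed value; real NATs vary
        self.next_port = first_port        # assumed: allocate NAT ports sequentially
        self.out_table = {}   # (lan_ip, lan_port) -> nat_port
        self.in_table = {}    # nat_port -> (lan_ip, lan_port)
        self.last_seen = {}   # nat_port -> time the mapping was last refreshed

    def _expire(self, now):
        """Soft state: drop every mapping idle for longer than the timeout."""
        for port, seen in list(self.last_seen.items()):
            if now - seen > self.idle_timeout:
                lan = self.in_table.pop(port)
                del self.out_table[lan]
                del self.last_seen[port]

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        """Rewrite the source of an outgoing packet; returns the new 4-tuple."""
        self._expire(now)
        key = (src_ip, src_port)
        if key not in self.out_table:          # new (addr, port) pair: create an entry
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        port = self.out_table[key]
        self.last_seen[port] = now             # any packet refreshes the soft state
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port, now):
        """Map (NAT addr, NAT port) back to the local host; None if no entry exists,
        which is what happens to an unsolicited packet or one arriving after expiry."""
        self._expire(now)
        if dst_port not in self.in_table:
            return None
        lan_ip, lan_port = self.in_table[dst_port]
        self.last_seen[dst_port] = now
        return (src_ip, src_port, lan_ip, lan_port)
```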

Practical Objections Against NAT
• Port #s are meant to identify sockets
  – Yet, NAT uses them to identify end hosts
  – Makes it hard to run a server behind a NAT
[Figure: requests to 138.76.29.7 on port 80 arrive at the NAT; hosts 10.0.0.1 and 10.0.0.2 sit behind it. Which host should get the request???]
• Explicit config at NAT for incoming conn’s

Principled Objections Against NAT
• Routers are not supposed to look at port #s
  – Network layer should care only about IP header
  – … and not be looking at the port numbers at all
• NAT violates the end-to-end argument
  – Network nodes should not modify the packets
• IPv6 is a cleaner solution
  – Better to migrate than to limp along with a hack
“That’s what happens when network puts power in hands of end users!”

Load Balancers

Replicated Servers
• One site, many servers
  – www.youtube.com

Load Balancer
[Figure: clients reach the virtual IP address 12.1.11.3; the load balancer hands connections to replicas with dedicated IP addresses 10.0.0.1, 10.0.0.2, 10.0.0.3]
• Splits load over server replicas
  – At the connection level
• Apply load balancing policies

Wide-Area Accelerators

At Connection Point to the Internet
[Figure: Appliance, Internet, Appliance]
• Improve end-to-end performance
  – Through buffering, compression, caching, …
• Incrementally deployable
  – No changes to end hosts or the rest of the Internet

Example: Improve TCP Throughput
[Figure: Appliance, Internet, Appliance; the near appliance returns the ACK to the sender]
• Appliance with a lot of local memory
• Sends ACK packets quickly to the sender
• Overwrites receive window with a large value
• Or, even run a new and improved version of TCP

Example: Compression
[Figure: Appliance, Internet, Appliance]
• Compress the packet
• Send the compressed packet
• Uncompress at the other end
• Maybe compress across successive packets

Example: Caching
[Figure: Appliance, Internet, Appliance]
• Cache copies of the outgoing packets
• Check for sequences of bytes that match past data
• Just send a pointer to the past data
• And have the receiving appliance reconstruct
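The caching technique above, as an added Python example that is not the lecture's code: the sending appliance replaces any 64-byte chunk it has already sent with a pointer (the chunk's SHA-256 digest), and the receiving appliance reconstructs the original bytes from the copies it kept. The chunk size, the hash, the message encoding and the sample payload are all constructed; the receiver refuses a pointer it cannot resolve, since the two caches would then have diverged.

```python
import hashlib

CHUNK = 64   # constructed chunk size in bytes


class SendingAppliance:
    """Remembers the hash of every chunk it has sent; a chunk seen before
    is replaced on the wire by a 32-byte pointer (its SHA-256 digest)."""

    def __init__(self):
        self.sent = set()

    def encode(self, payload):
        msgs = []
        for i in range(0, len(payload), CHUNK):
            chunk = payload[i:i + CHUNK]
            digest = hashlib.sha256(chunk).digest()
            if digest in self.sent:
                msgs.append(("ref", digest))      # pointer to past data
            else:
                self.sent.add(digest)
                msgs.append(("raw", chunk))       # first sighting: send the bytes
        return msgs


class ReceivingAppliance:
    """Keeps a copy of every raw chunk so it can resolve later pointers."""

    def __init__(self):
        self.store = {}

    def decode(self, msgs):
        out = []
        for kind, value in msgs:
            if kind == "raw":
                self.store[hashlib.sha256(value).digest()] = value
                out.append(value)
            else:
                # A pointer the receiver never saw means the caches have diverged;
                # the message cannot be reconstructed, so fail loudly.
                if value not in self.store:
                    raise KeyError("pointer to data the receiver never received")
                out.append(self.store[value])
        return b"".join(out)


def wire_bytes(msgs):
    """Bytes actually carried across the Internet for this encoding."""
    return sum(len(value) for _, value in msgs)
```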

Example: Encryption
[Figure: Appliance, Internet, Appliance]
• Two sites share keys for encrypting traffic
• Sending appliance encrypts the data
• Receiving appliance decrypts the data
• Protects the sites from snoopers on the Internet

Tunneling

IP Tunneling
• IP tunnel is a virtual point-to-point link
  – Illusion of a direct link between two nodes
• Encapsulation of the packet inside IP datagram
  – Node B sends a packet to node E
  – … containing another packet as the payload
Logical view:  A -- B ===tunnel=== E -- F
Physical view: A -- B -- … -- E -- F
  A-to-B:              [Src: A, Dest: F, data]
  B-to-E (tunneled):   [Src: B, Dest: E, [Src: A, Dest: F, data]]
  E-to-F:              [Src: A, Dest: F, data]

6Bone: Deploying IPv6 over IPv4
Logical view:  A (IPv6) -- B (IPv6) ===tunnel=== E (IPv6) -- F (IPv6)
Physical view: A (IPv6) -- B (IPv6) -- C (IPv4) -- D (IPv4) -- E (IPv6) -- F (IPv6)
  A-to-B, IPv6:               [Flow: X, Src: A, Dest: F, data]
  B-to-C, IPv6 inside IPv4:   [Src: B, Dest: E, [Flow: X, Src: A, Dest: F, data]]
  B-to-C, IPv6 inside IPv4:   [Src: B, Dest: E, [Flow: X, Src: A, Dest: F, data]]
  E-to-F, IPv6:               [Flow: X, Src: A, Dest: F, data]
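Encapsulation at B and decapsulation at E, as an added Python example that is not the lecture's code. It builds a real IPv4 outer header carrying protocol number 41 (the IANA value for IPv6 inside IPv4, as on the 6Bone) and fills in its checksum, and the decapsulating end drops any datagram whose outer checksum no longer verifies. The outer addresses are documentation addresses standing in for B and E, and the inner packet bytes are a constructed placeholder for the IPv6 packet A->F.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41   # IANA protocol number for IPv6 carried inside IPv4


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(outer_src, outer_dst, inner_packet, proto=IPPROTO_IPV6, ttl=64):
    """Node B wraps the inner packet (an IPv6 packet A->F) in an IPv4 datagram
    addressed B->E. The inner packet rides untouched as the payload."""
    total_len = 20 + len(inner_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(outer_src).packed,
                      ipaddress.ip_address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill checksum field
    return hdr + inner_packet


def decapsulate(datagram):
    """Node E strips the outer header and hands the inner packet onward.
    Returns (outer_src, outer_dst, proto, inner), or None when the outer header
    fails its checksum, in which case the datagram is dropped."""
    ihl = (datagram[0] & 0x0F) * 4
    header = datagram[:ihl]
    if len(header) < 20 or ipv4_checksum(header) != 0:
        return None
    total_len = struct.unpack("!H", header[2:4])[0]
    src = str(ipaddress.ip_address(header[12:16]))
    dst = str(ipaddress.ip_address(header[16:20]))
    return src, dst, header[9], datagram[ihl:total_len]
```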

Remote Access Virtual Private Network
[Figure: user machine with public address 1.2.3.4 reaches the VPN server at 12.1.1.1 across the Internet; the local network is 12.1.1.0/24 and the user is assigned 12.1.1.73]
• Tunnel from user machine to VPN server
  – A “link” across the Internet to the local network
• Encapsulates packets to/from the user
  – Packet from 12.1.1.73 to 12.1.1.100
  – Inside a packet from 1.2.3.4 to 12.1.1.1

Conclusions
• Middleboxes address important problems
  – Getting by with fewer IP addresses
  – Blocking unwanted traffic
  – Making fair use of network resources
  – Improving end-to-end performance
• Middleboxes cause problems of their own
  – No longer globally unique IP addresses
  – Cannot assume network simply delivers packets

Midterm Exam
• 10:00-10:50am Wednesday March 14
  – In Frist 302 (not the lecture room!)
• Open books, notes, slides, etc.
  – E-readers okay, but tablets/laptops are not
• Covers first five weeks of the course
  – Lectures, precepts, readings, and assignments
• No precept on Friday
  – Enjoy your spring break!