Middleboxes Firewalls

Middleboxes
Jennifer Rexford
COS 461: Computer Networks
Lectures: MW 10-10:50am in Architecture N101
http://www.cs.princeton.edu/courses/archive/spr12/cos461/

Internet Ideal: Simple Network Model
• Globally unique identifiers
  – Each node has a unique, fixed IP address
  – … reachable from everyone and everywhere
• Simple packet forwarding
  – Network nodes simply forward packets
  – … rather than modifying or filtering them
[Figure: source → IP network → destination]

Internet Reality
• Host mobility
  – Host changing address as it moves
• IP address depletion
  – Multiple hosts using the same address
• Security concerns
  – Detecting and blocking unwanted traffic
• Replicated services
  – Load balancing over server replicas
• Performance concerns
  – Allocating bandwidth, caching content, …
• Incremental deployment
  – New technology deployed in stages

Middleboxes
• Middleboxes are intermediaries
  – Interposed between communicating hosts
  – Often without knowledge of one or both parties
• Myriad uses
  – Address translators
  – Firewalls
  – Traffic shapers
  – Intrusion detection
  – Transparent proxies
  – Application accelerators
• “An abomination!”
  – Violation of layering
  – Hard to reason about
  – Responsible for subtle bugs
• “A practical necessity!”
  – Solve real/pressing problems
  – Needs not likely to go away

Firewalls

Firewalls
• Should arriving packet be allowed in? Departing packet let out?
[Figure: administered network → firewall → public Internet]
• Firewall filters packet-by-packet, based on:
  – Source and destination IP addresses and port numbers
  – TCP SYN and ACK bits; ICMP message type
  – Deep packet inspection on packet contents (DPI)

Firewall Configuration
• Firewall applies a set of rules to each packet
  – To decide whether to permit or deny the packet
• Each rule is a test on the packet
  – Comparing IP and TCP/UDP header fields
  – … and deciding whether to permit or deny
• Order matters
  – Once packet matches a rule, the decision is done

Packet Filtering Examples
• block all packets with IP protocol field = 17 and with either source or dest port = 23.
  – All incoming and outgoing UDP flows blocked
  – All Telnet connections are blocked
• block inbound TCP packets with SYN but no ACK
  – Prevents external clients from making TCP connections with internal clients
  – but allows internal clients to connect to outside
• block all packets with TCP port of Quake

Firewall Configuration Example
• Alice runs a network in 222.22.0.0/16
• Wants to let Bob’s school access certain hosts
  – Bob is on 111.11.0.0/16
  – Alice’s special hosts on 222.22.22.0/24
• Alice doesn’t trust Trudy, inside Bob’s network
  – Trudy is on 111.11.11.0/24
• Alice doesn’t want any other Internet traffic

Firewall Configuration Rules
• #1: Don’t let Trudy’s machines in
  – Deny (src = 111.11.11.0/24, dst = 222.22.0.0/16)
• #2: Let rest of Bob’s network in to special dsts
  – Permit (src = 111.11.0.0/16, dst = 222.22.22.0/24)
• #3: Block the rest of the world
  – Deny (src = 0.0.0.0/0, dst = 0.0.0.0/0)

Stateful Firewall
• Stateless firewall:
  – Treats each packet independently
• Stateful firewall
  – Remembers connection-level information
  – E.g., client initiating connection with a server
  – … allows the server to send return traffic
[Figure: client sends SYN through the firewall; server’s SYN-ACK is allowed back]

A Variation: Traffic Management
• Permit vs. deny is too binary a decision
  – Classify the traffic based on rules
  – … and handle each class differently
• Traffic shaping (rate limiting)
  – Limit the amount of bandwidth for certain traffic
• Separate queues
  – Use rules to group related packets
  – And then do weighted fair scheduling across groups

Clever Users Subvert Firewalls
• Example: filtering dorm access to a server
  – Firewall rule based on IP addresses of dorms
  – … and the server IP address and port number
  – Problem: users may log in to another machine
• Example: filtering P2P based on port #s
  – Firewall rule based on TCP/UDP port numbers
    • E.g., allow only port 80 (e.g., Web) traffic
  – Problem: software using non-traditional ports
    • E.g., write P2P client to use port 80 instead

Network Address Translation

History of NATs
• IP address space depletion
  – Clear in early 90s that 2^32 addresses not enough
  – Work began on a successor to IPv4
• In the meantime…
  – Share addresses among numerous devices
  – … without requiring changes to existing hosts
• Meant as a short-term remedy
  – Now: NAT is widely deployed, much more than IPv6

Network Address Translation
[Figure: inside hosts 10.0.0.1 and 10.0.0.2 behind a NAT with public address 138.76.29.7; outside is the Internet]
• Outbound: Rewrite the src IP addr
• Inbound: Rewrite the dest IP addr
• Problem: Local address not globally addressable
• NAT rewrites the IP addresses
  – Make “inside” look like single IP addr
  – Change header checksums accordingly

Port-Translating NAT
• Two hosts communicate with same destination
  – Destination needs to differentiate the two
• Map outgoing packets
  – Change source address and source port
• Maintain a translation table
  – Map of (src addr, port #) to (NAT addr, new port #)
• Map incoming packets
  – Map the destination address/port to the local host

Network Address Translation Example
[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind NAT 138.76.29.7]
NAT translation table:
  WAN side addr: 138.76.29.7, 5001   LAN side addr: 10.0.0.1, 3345
  ……
1: S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: S: 128.119.40.186, 80   D: 10.0.0.1, 3345

Maintaining the Mapping Table
• Create an entry upon seeing an outgoing packet
  – Packet with new (source addr, source port) pair
• Eventually, need to delete entries to free up #’s
  – When? If no packets arrive before a timeout
  – (At risk of disrupting a temporarily idle connection)
• Yet another example of “soft state”
  – I.e., removing state if not refreshed for a while

Where is NAT Implemented?
• Home router (e.g., Linksys box)
  – Integrates router, DHCP server, NAT, etc.
  – Use single IP address from the service provider
• Campus or corporate network
  – NAT at the connection to the Internet
  – Share a collection of public IP addresses
  – Avoid complexity of renumbering hosts/routers when changing ISP (w/ provider-allocated IP prefix)

Practical Objections Against NAT
• Port #s are meant to identify sockets
  – Yet, NAT uses them to identify end hosts
  – Makes it hard to run a server behind a NAT
[Figure: requests to 138.76.29.7 on port 80 arrive at NAT 138.76.29.7, with 10.0.0.1 and 10.0.0.2 behind it. Which host should get the request???]
• Explicit config at NAT for incoming conn’s

Principled Objections Against NAT
• Routers are not supposed to look at port #s
  – Network layer should care only about IP header
  – … and not be looking at the port numbers at all
• NAT violates the end-to-end argument
  – Network nodes should not modify the packets
• IPv6 is a cleaner solution
  – Better to migrate than to limp along with a hack
“That’s what happens when network puts power in hands of end users!”

Load balancers

Replicated Servers
• One site, many servers
  – www.youtube.com

Load balancer
• Splits load over server replicas
  – At the connection level
• Apply load balancing policies
[Figure: Virtual IP address 12.1.11.3 at the load balancer; dedicated IP addresses 10.0.0.1, 10.0.0.2, 10.0.0.3 at the replicas]

Wide-Area Accelerators

At Connection Point to the Internet
[Figure: Appliance — Internet — Appliance]
• Improve end-to-end performance
  – Through buffering, compression, caching, …
• Incrementally deployable
  – No changes to end hosts or the rest of the Internet

Example: Improve TCP Throughput
[Figure: Appliance — Internet — Appliance; the near appliance returns ACKs to the sender]
• Appliance with a lot of local memory
• Sends ACK packets quickly to the sender
• Overwrites receive window with a large value
• Or, even run a new and improved version of TCP

Example: Compression
[Figure: Appliance — Internet — Appliance]
• Compress the packet
• Send the compressed packet
• Uncompress at the other end
• Maybe compress across successive packets

Example: Caching
[Figure: Appliance — Internet — Appliance]
• Cache copies of the outgoing packets
• Check for sequences of bytes that match past data
• Just send a pointer to the past data
• And have the receiving appliance reconstruct

Example: Encryption
[Figure: Appliance — Internet — Appliance]
• Two sites share keys for encrypting traffic
• Sending appliance encrypts the data
• Receiving appliance decrypts the data
• Protects the sites from snoopers on the Internet

Tunneling

IP Tunneling
• IP tunnel is a virtual point-to-point link
  – Illusion of a direct link between two nodes
• Encapsulation of the packet inside IP datagram
  – Node B sends a packet to node E
  – … containing another packet as the payload
[Figure: Logical view: A — B ==tunnel== E — F. Physical view: A — B — C — D — E — F]

6bone: Deploying IPv6 over IPv4
[Figure: Logical view: IPv6 A — IPv6 B ==tunnel== IPv6 E — IPv6 F. Physical view: IPv6 A — IPv6 B — IPv4 C — IPv4 D — IPv6 E — IPv6 F. On link A-to-B the packet is IPv6 (Flow: X, Src: A, Dest: F, data); on links B-to-C through D-to-E it is that IPv6 packet inside an IPv4 datagram (Src: B, Dest: E); on link E-to-F it is IPv6 again (Flow: X, Src: A, Dest: F, data)]

Remote Access Virtual Private Network
[Figure: user machine with public address 1.2.3.4 and VPN address 12.1.1.73; Internet; VPN server 12.1.1.1 in front of the 12.1.1.0/24 local network]
• Tunnel from user machine to VPN server
  – A “link” across the Internet to the local network
• Encapsulates packets to/from the user
  – Packet from 12.1.1.73 to 12.1.1.100
  – Inside a packet from 1.2.3.4 to 12.1.1.1

Conclusions
• Middleboxes address important problems
  – Getting by with fewer IP addresses
  – Blocking unwanted traffic
  – Making fair use of network resources
  – Improving end-to-end performance
• Middleboxes cause problems of their own
  – No longer globally unique IP addresses
  – Cannot assume network simply delivers packets

Midterm Exam
• 10:00-10:50am Wednesday March 14
  – In Frist 302 (not the lecture room!)
• Open books, notes, slides, etc.
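The firewall slides above (ordered rules with first-match semantics, the two packet-filtering examples, Alice's three rules, and the stateful extension that admits a server's return traffic) can be exercised with a small packet filter. This is an added example, not code from the COS 461 slides: the `Packet` and `Rule` field names are my own, the "deny if nothing matches" default is an assumption the slides do not state, and the addresses inside `demo()` other than Alice's, Bob's and Trudy's prefixes are constructed.

```python
# Added example (not from the slides): first-match packet filter plus a
# stateful firewall that remembers connections opened from the inside.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source prefix; 0.0.0.0/0 matches anything
    dst: str = "0.0.0.0/0"        # destination prefix
    proto: Optional[int] = None   # IP protocol field; None = any protocol
    port: Optional[int] = None    # matches if source OR destination port equals it
    syn_no_ack: bool = False      # match only TCP packets with SYN set and ACK clear

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.port is not None and self.port not in (p.sport, p.dport):
            return False
        if self.syn_no_ack and not (p.proto == TCP and p.syn and not p.ack):
            return False
        return True


def first_match(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """Order matters: the first matching rule decides and later rules are never
    consulted. `default` is used when nothing matches (assumed deny here)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Alice's three rules from the slides, in the order given there.
ALICE_RULES = [
    Rule("deny", src="111.11.11.0/24", dst="222.22.0.0/16"),    # #1: Trudy's machines
    Rule("permit", src="111.11.0.0/16", dst="222.22.22.0/24"),  # #2: rest of Bob's network
    Rule("deny"),                                               # #3: rest of the world
]

# The slides' "Packet Filtering Examples": block UDP (protocol 17) and Telnet (port 23).
EXAMPLE_RULES = [Rule("deny", proto=UDP), Rule("deny", port=23)]


class StatefulFirewall:
    """Inbound TCP is denied by rule, yet the server's reply to a connection the
    inside client opened is admitted because the firewall remembered the SYN."""

    def __init__(self, inside: str, rules: List[Rule]):
        self.inside = ip_network(inside)
        self.rules = rules
        self.conns = set()  # (inside addr, inside port, outside addr, outside port)

    def check(self, p: Packet) -> str:
        outbound = ip_address(p.src) in self.inside
        if not outbound and (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "permit"                       # return traffic of a known connection
        verdict = first_match(self.rules, p, default="permit")
        if verdict == "permit" and outbound and p.proto == TCP and p.syn and not p.ack:
            self.conns.add((p.src, p.sport, p.dst, p.dport))  # client opened a connection
        return verdict


def demo() -> dict:
    """Worked checks on constructed packets; returns the verdicts for assertion."""
    fw = StatefulFirewall("222.22.0.0/16", [Rule("deny", dst="222.22.0.0/16", proto=TCP)])
    return {
        "trudy": first_match(ALICE_RULES, Packet("111.11.11.7", "222.22.22.9", TCP, 4000, 80)),
        "bob_special": first_match(ALICE_RULES, Packet("111.11.5.4", "222.22.22.9", TCP, 4000, 80)),
        "bob_other": first_match(ALICE_RULES, Packet("111.11.5.4", "222.22.33.9", TCP, 4000, 80)),
        "world": first_match(ALICE_RULES, Packet("8.8.8.8", "222.22.22.9", TCP, 4000, 80)),
        "udp": first_match(EXAMPLE_RULES, Packet("1.2.3.4", "222.22.22.9", UDP, 5353, 53), "permit"),
        "telnet": first_match(EXAMPLE_RULES, Packet("222.22.1.1", "5.6.7.8", TCP, 4000, 23), "permit"),
        "web": first_match(EXAMPLE_RULES, Packet("222.22.1.1", "5.6.7.8", TCP, 4000, 80), "permit"),
        "client_syn": fw.check(Packet("222.22.22.5", "128.119.40.186", TCP, 4000, 80, syn=True)),
        "server_synack": fw.check(Packet("128.119.40.186", "222.22.22.5", TCP, 80, 4000, syn=True, ack=True)),
        "unsolicited": fw.check(Packet("9.9.9.9", "222.22.22.5", TCP, 5555, 22, syn=True)),
    }
```

Swapping rule #1 and rule #2 in `ALICE_RULES` lets Trudy's hosts reach the special subnet, which is the "order matters" point from the slides made concrete; the stateful part shows why a plain "deny inbound TCP" rule is not enough on its own once inside clients are allowed to connect out.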
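The port-translating NAT slides (the four-step example with 10.0.0.1:3345 rewritten to 138.76.29.7:5001, the translation table keyed on (src addr, port), and the soft-state timeout in "Maintaining the Mapping Table") can be traced with a small simulator. This is an added example and not the slides' own code: the addresses are the slides' example values, but the 300-second timeout, the port-allocation order, the explicit `now` clock argument and the second host's packet are my assumptions. Checksum recomputation, which a real NAT must also do, is not modelled.

```python
# Added example (not from the slides): port-translating NAT with a soft-state
# mapping table that is created on outbound traffic and expires on a timeout.
from dataclasses import dataclass, replace, astuple
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortTranslatingNAT:
    def __init__(self, public_ip: str, first_port: int = 5001, timeout: float = 300.0):
        self.public_ip = public_ip
        self.next_port = first_port
        self.timeout = timeout               # assumed idle timeout in seconds
        # LAN (addr, port) -> (WAN port, last time a packet refreshed this entry)
        self.out_table: Dict[Endpoint, Tuple[int, float]] = {}
        # WAN port -> LAN (addr, port), for the inbound direction
        self.in_table: Dict[int, Endpoint] = {}

    def _allocate(self) -> int:
        """Pick the next unused WAN port, wrapping around above 65535."""
        for _ in range(65535 - 1024):
            port = self.next_port
            self.next_port = port + 1 if port < 65535 else 1024
            if port not in self.in_table:
                return port
        raise RuntimeError("no free ports")

    def _expire(self, now: float) -> int:
        """Soft state: drop entries that saw no packet within the timeout."""
        stale = [k for k, (_, seen) in self.out_table.items() if now - seen > self.timeout]
        for k in stale:
            port, _ = self.out_table.pop(k)
            del self.in_table[port]
        return len(stale)

    def outbound(self, p: Packet, now: float) -> Packet:
        """Rewrite src addr/port; create the mapping on a new (addr, port) pair."""
        self._expire(now)
        key = (p.src, p.sport)
        if key not in self.out_table:
            wan_port = self._allocate()
            self.in_table[wan_port] = key
        else:
            wan_port = self.out_table[key][0]
        self.out_table[key] = (wan_port, now)   # refresh the entry
        return replace(p, src=self.public_ip, sport=wan_port)

    def inbound(self, p: Packet, now: float) -> Optional[Packet]:
        """Rewrite dst addr/port from the table; drop if there is no mapping
        (the slides' "which host should get the request???" situation)."""
        self._expire(now)
        if p.dst != self.public_ip or p.dport not in self.in_table:
            return None
        lan_addr, lan_port = self.in_table[p.dport]
        self.out_table[(lan_addr, lan_port)] = (p.dport, now)
        return replace(p, dst=lan_addr, dport=lan_port)


def demo() -> dict:
    """Replays the slides' four steps, then shows a second host, an unsolicited
    inbound packet, and the mapping expiring while the connection sits idle."""
    nat = PortTranslatingNAT("138.76.29.7")
    step1 = Packet("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1, now=0.0)
    step3 = Packet("128.119.40.186", 80, "138.76.29.7", 5001)
    step4 = nat.inbound(step3, now=1.0)
    other = nat.outbound(Packet("10.0.0.2", 3345, "128.119.40.186", 80), now=2.0)
    unsolicited = nat.inbound(Packet("1.2.3.4", 40000, "138.76.29.7", 80), now=3.0)
    late = nat.inbound(step3, now=400.0)          # idle past the timeout: entry gone
    renewed = nat.outbound(step1, now=401.0)      # same flow now gets a fresh WAN port
    to_tuple = lambda p: None if p is None else astuple(p)
    return {k: to_tuple(v) for k, v in dict(step2=step2, step4=step4, other=other,
            unsolicited=unsolicited, late=late, renewed=renewed).items()}
```

The `late`/`renewed` pair is the slides' "at risk of disrupting a temporarily idle connection": once the entry has been reaped, the server's next packet to port 5001 is dropped, and the client's next packet is mapped to a new port the server has never seen.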
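The tunneling slides (IP-in-IP encapsulation, the 6bone path A, B, C, D, E, F with a tunnel from B to E, and the remote-access VPN that carries a 12.1.1.73 to 12.1.1.100 packet inside a 1.2.3.4 to 12.1.1.1 packet) are shown below as a hop-by-hop trace of which headers each link carries. This is an added example, not code from the slides: node names and addresses are the slides' own, while the `IPPacket` structure, the `walk_path` helper and the use of plain strings for application data are my assumptions.

```python
# Added example (not from the slides): IP tunnel entry/exit and a per-link
# trace of the outer and inner headers for the 6bone and VPN figures.
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class IPPacket:
    version: int                       # 4 or 6
    src: str
    dst: str
    payload: Union["IPPacket", str]    # application data, or an encapsulated packet


def encapsulate(inner: IPPacket, outer_src: str, outer_dst: str, version: int = 4) -> IPPacket:
    """Tunnel entry: the whole inner packet becomes the payload of a new datagram."""
    return IPPacket(version, outer_src, outer_dst, inner)


def decapsulate(outer: IPPacket) -> IPPacket:
    """Tunnel exit: strip the outer header and hand on the inner packet unchanged."""
    if not isinstance(outer.payload, IPPacket):
        raise ValueError("not an encapsulated packet")
    return outer.payload


Header = Tuple[int, str, str]


def describe(p: IPPacket) -> Tuple[int, str, str, Optional[Header]]:
    """(outer version, outer src, outer dst, inner header if one is carried)."""
    inner = p.payload if isinstance(p.payload, IPPacket) else None
    return (p.version, p.src, p.dst, (inner.version, inner.src, inner.dst) if inner else None)


def walk_path(path: List[str], pkt: IPPacket, tunnel: Tuple[str, str]):
    """Carry `pkt` along `path` link by link. The tunnel entry encapsulates,
    the exit decapsulates, and the nodes in between forward on the outer
    header alone; they never need to understand the inner packet."""
    entry, exit_ = tunnel
    trace = []
    for node, nxt in zip(path, path[1:]):
        if node == entry:
            pkt = encapsulate(pkt, entry, exit_)
        elif node == exit_:
            pkt = decapsulate(pkt)
        trace.append((f"{node}-to-{nxt}", describe(pkt)))
    return trace


def demo_6bone():
    """The slides' 6bone figure: IPv6 A to F across the IPv4-only nodes C and D."""
    ipv6 = IPPacket(6, "A", "F", "data")
    return walk_path(["A", "B", "C", "D", "E", "F"], ipv6, tunnel=("B", "E"))


def demo_vpn():
    """The remote-access VPN figure: the user's VPN address 12.1.1.73 talks to
    12.1.1.100 inside a packet from the user's real address to the VPN server."""
    inner = IPPacket(4, "12.1.1.73", "12.1.1.100", "data")
    on_wire = encapsulate(inner, "1.2.3.4", "12.1.1.1")
    delivered = decapsulate(on_wire)        # VPN server strips the outer header
    return describe(on_wire), describe(delivered)
```

Reading the 6bone trace, the A-to-B and E-to-F links carry the bare IPv6 packet, while B-to-C, C-to-D and D-to-E carry an IPv4 datagram from B to E whose payload is that IPv6 packet, exactly the header stack the slide's figure draws.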

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 7
