Lecture 10 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs

Wireless Networks and Mobile Systems. Lecture 10, Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs. Lecture objectives: describe the role of nomadic services in mobile networking; describe the objectives and operation of IP virtual private networks (VPNs).

Presentation Transcript


  1. Wireless Networks and Mobile Systems
     Lecture 10: Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs

  2. Lecture Objectives
     • Describe the role of nomadic services in mobile networking
     • Describe the objectives and operation of IP virtual private networks (VPNs)
     • Describe the objectives and operation of the Dynamic Host Configuration Protocol (DHCP)
     • Describe the objectives and operation of network address translation (NAT)
     • Describe firewall and packet filter functions, especially as related to NAT
     • Provide some high-level background in web services, especially for a wireless “hot spot” service
     Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs 2

  3. Agenda
     • Nomadic services
     • Virtual private networks (VPNs)
     • Dynamic Host Configuration Protocol (DHCP)
     • Network address translation (NAT)
     • Firewalls and packet filtering
     • HTML and web programming
     • Brief comments on a wireless “hot spot” service

  4. Nomadic Services
     • Nomadic services support hosts that attach to different networks, but where host reconfiguration is acceptable
     • Compare to mobile services, where hosts can move to a different network without reconfiguring
     • Functions
       • Changing the host’s IP address to that of the current network to which it is attached → DHCP
       • Limited number of public Internet addresses available in the current network (or any network) → NAT
       • Lack of trust of the current network (or any network) → VPN
     • A wireless “hot spot” usually combines DHCP, NAT, and firewall functions

  5. Nomadic Services Functions
     (figure: the nomadic node on a private network obtains its address via DHCP; the gateway to the public network provides DHCP, NAT and a VPN endpoint; data crosses the public network secured and with a public address, and enters the remote private network, which holds the other VPN endpoint, secured and with a private address)

  7. Virtual Private Networks (1)
     • Virtual private networks (VPNs)
       • Enable end-to-end security (authentication and, optionally, privacy) for a single (mobile) host connecting to a private network over untrusted (public) intermediate networks
       • Enable security for private network-to-network communication over untrusted intermediate networks
       • Support quality-of-service and other attributes of a service level agreement over a shared network for network-to-network connectivity

  8. Virtual Private Networks (2)
     • Tunneling protocols
       • Point-to-Point Tunneling Protocol (PPTP)
       • Layer 2 Tunneling Protocol (L2TP)
       • IP Security (IPSec)
     (figure: a VPN client on a general host in the public network runs a secure tunnel to the VPN server at the edge of the private network)

  9. Point-to-Point Tunneling Protocol
     • PPTP is an extension of the Point-to-Point Protocol (PPP) to support tunneling
     • Can carry IP and non-IP packets
     Encapsulation: Layer 2 Header | IP Header | GRE Header | PPP Packet

  10. Layer 2 Tunneling Protocol
     • Resulted from the IETF’s merger of PPTP and the Layer 2 Forwarding Protocol (L2FP)
     • Can carry IP and non-IP packets over IP and other networks
     (figure: PPP frames are carried as L2TP data messages over the L2TP data channel (unreliable); L2TP control messages use the L2TP control channel (unreliable); both run over a packet transport such as UDP, FR or ATM)

  11. IP Security
     • IPSec has two main components
       • Authentication Header (AH)
       • Encapsulating Security Payload (ESP)
     • Two modes
       • Transport mode
       • Tunnel mode
     Tunnel mode: IP Header | AH (or ESP) | Inner IP Header | IP Payload, where the inner IP header and the IP payload together are the original IP datagram

  12. VPN References
     K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little, G. Zorn, “Point-to-Point Tunneling Protocol,” RFC 2637, July 1999.
     W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter, “Layer Two Tunneling Protocol ‘L2TP’,” RFC 2661, Aug. 1999.
     S. Kent, R. Atkinson, “Security Architecture for the Internet Protocol,” RFC 2401, Nov. 1998.
     D. Fowler, Virtual Private Networks, Morgan-Kaufmann Publishers, 1999.

  14. DHCP
     • DHCP provides all necessary configuration information to allow a stationary node to become a viable Internet host
     • Applications
       • To simplify system administration in traditional networks
       • To improve utilization of IP address space
       • To allow mobile hosts to obtain collocated care-of addresses on foreign networks
     R. Droms, “Dynamic Host Configuration Protocol,” RFC 2131, March 1997.
     C. E. Perkins, Mobile IP: Design Principles and Practices, Addison-Wesley, Reading, MA, 1998 (Chapter 9).

  15. DHCP: Client-Server Model (1)
     • DHCP adheres to a client-server model
       • Client requests service
       • Server provides response
     • Request and reply must be sent without the benefit of the client being an Internet host
     (figure: DHCP Client 1 and DHCP Client 2 each send a request to the DHCP Server, which returns a reply)

  16. DHCP: Client-Server Model (2)
     • Client broadcasts request to network
     • Broadcast received by server or relay
       • If a relay is used, it forwards the request with other information to the server
     • Server responds with configuration information
     • Client acknowledges receipt
     • Server reserves IP address (for some lease time) and notifies client that address is reserved
     • Client must renew the lease

  17. DHCP Initialization (1)
     • Client broadcasts a discover message (DHCPDISCOVER)
       • Sent via UDP to port 67
       • Received by one or more DHCP servers (or relays)
     • Responding servers …
       • Determine configuration
       • Send an offer message (DHCPOFFER) to the client
     • Client selects a configuration that it wants
       • Sends a request message (DHCPREQUEST) to the selected server
       • Sends the same request message to servers not selected so they can release the reserved IP address

  18. DHCP Initialization (2)
     • Selected server …
       • Commits configuration
       • Replies with an acknowledge message (DHCPACK) to complete initialization

  19. DHCP Initialization (3)
     (message sequence between the client, Server 1 (selected) and Server 2 (not selected))
     Client → Server 1, Server 2: DHCPDISCOVER
     Server 1 → Client: DHCPOFFER
     Server 2 → Client: DHCPOFFER
     Client → Server 1, Server 2: DHCPREQUEST
     Server 1 → Client: DHCPACK

  20. Lease and Renewals (1)
     • Server grants use of the IP address for a limited time, the lease time
     • Client should renew the lease after about two-thirds of the lease time has expired
     • Lease renewal …
       • Client sends DHCPREQUEST message to the original selected server via unicast
       • Server responds with DHCPACK message
       • If no response from the server, client must start again with DHCP initialization

  21. Lease and Renewals (2)
     Client → Server: DHCPREQUEST
     Server → Client: DHCPACK

  22. Graceful Shutdown
     • Client can perform a graceful shutdown by sending a DHCP release message (DHCPRELEASE) to the server
       • Allows server to release reserved IP address
     • Often, clients just shut down and the IP address is released after the lease time expires
     Client → Server: DHCPRELEASE

  23. DHCP Options
     • DHCP servers can provide optional information beyond the assigned IP address
       • Default router
       • Subnet mask
       • Network Time Protocol (NTP) servers
       • Service Location Protocol (SLP) servers
       • Domain Name System (DNS) servers
       • Local domain name
       • Host name
     • Request in discover or request message
     • Response in offer or acknowledge message
     • Type, Length, Value (TLV) option
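As an added example (not from the lecture), the option encoding of slide 23 and the DISCOVER/OFFER/REQUEST/ACK steps of slides 17 to 19 in Python: options are TLV-encoded and decoded, two servers offer, the client requests one of them, and the other sees from the server-identifier option in that request that it was not selected and releases its reservation. The selected server reuses the slide 27 router address 192.168.1.254; the second server, the offered addresses and the lease values are constructed.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # cookie that starts the DHCP options field
# RFC 2132 option codes for the options the slides mention, and message-type values
SUBNET_MASK, ROUTER, DNS, REQUESTED_IP, LEASE, MSG_TYPE, SERVER_ID, END = 1, 3, 6, 50, 51, 53, 54, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5

def ip(s):                                   # dotted quad -> 4 bytes
    return bytes(int(x) for x in s.split("."))

def encode(opts):                            # [(code, bytes)] -> TLV block ending in END
    out = bytearray(MAGIC)
    for code, value in opts:
        out += struct.pack("BB", code, len(value)) + value
    return bytes(out + bytes([END]))

def decode(buf):                             # TLV block -> {code: bytes}; rejects truncation
    if buf[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(buf):
        code = buf[i]
        if code == END:
            return opts
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option %d" % code)
        n = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + n]
        i += 2 + n
    raise ValueError("options not terminated by END")

def server_reply(msg_type, server, yiaddr, lease):
    """OFFER or ACK: the offered address plus the slide 23 options as TLVs."""
    return {"yiaddr": yiaddr, "options": encode([
        (MSG_TYPE, bytes([msg_type])), (SERVER_ID, ip(server)),
        (SUBNET_MASK, ip("255.255.255.0")), (ROUTER, ip(server)),
        (DNS, ip(server)), (LEASE, struct.pack("!I", lease))])}

def client_request(offers):
    """Select the first valid OFFER; SERVER_ID in the REQUEST tells the other servers to release."""
    for o in offers:
        p = decode(o["options"])
        if p.get(MSG_TYPE) == bytes([OFFER]) and SERVER_ID in p:
            return encode([(MSG_TYPE, bytes([REQUEST])), (SERVER_ID, p[SERVER_ID]),
                           (REQUESTED_IP, ip(o["yiaddr"]))])
    raise ValueError("no usable offer")

def server_on_request(server, req, lease=3600):
    p = decode(req)
    if p.get(SERVER_ID) != ip(server):
        return None                          # not selected: release the reserved address
    return server_reply(ACK, server, ".".join(map(str, p[REQUESTED_IP])), lease)  # commit + ACK

def renew_after(ack):                        # slide 20: renew after about two-thirds of the lease
    return struct.unpack("!I", decode(ack["options"])[LEASE])[0] * 2 // 3
```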

  25. Network Address Translation
     • NAT “mangles” a packet’s addressing headers as it passes through a router to change either the source or destination address
     • Most common form of NAT: network and port address translation
       • A.k.a. IP Masquerading – Linux
       • A.k.a. Port Address Translation (PAT) – Cisco

  26. What is Masquerading?
     • One-to-many translation
     • The process of routing Internet-bound traffic from a private network through a gateway router that modifies the traffic to look like its own
     • On the return, the router demultiplexes the traffic back to the appropriate hosts by source/destination port/address pairs (remembered from transmission)

  27. Example Configuration
     • Trace a packet from Host1 to google.com
       • IP address: 216.239.39.101
     (figure) Internal Network – 192.168.1.xxx: Host1 .2, Host2 .3, Host3 .4; Router: eth0 – 192.168.1.254 (internal side), eth1 – 12.34.56.78 (External Network)

  28. Packet Trace
     • Packet sent to HTTP server at google.com
     *Note: Masquerading changes the source port as well as the source address for assured demultiplexing. The value depends on the implementation.

  29. Packet Trace (2)
     • Returning packet
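An added example, not part of the deck, that plays the slide 27 to 29 packet trace through a masquerading table in Python: Host1 (192.168.1.2) reaches google.com (216.239.39.101) port 80 via the router's external address 12.34.56.78, and the reply is demultiplexed back only when it comes from the remembered peer. The client port 3456 and the external port range starting at 1024 are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Masquerade:
    """One-to-many NAT on the router: the outbound source address and port are rewritten
    to the external address and a fresh port; the mapping is remembered so the reply can
    be demultiplexed back to the originating host (slide 26)."""
    def __init__(self, external_ip, first_port=1024):
        self.external_ip, self.next_port = external_ip, first_port
        self.flows = {}   # (proto, src, sport, dst, dport) -> external port
        self.table = {}   # (proto, external port) -> original 5-tuple

    def outbound(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        port = self.flows.get(flow)
        if port is None:                      # first packet of the flow: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.flows[flow] = port
            self.table[(p.proto, port)] = flow
        return replace(p, src=self.external_ip, sport=port)

    def inbound(self, p):
        flow = self.table.get((p.proto, p.dport))
        if p.dst != self.external_ip or flow is None:
            return None                       # no remembered mapping: drop
        _, src, sport, dst, dport = flow
        if (p.src, p.sport) != (dst, dport):
            return None                       # not the peer this port was mapped to: drop
        return replace(p, dst=src, dport=sport)

def trace(nat, p):
    """Round trip of one packet through the router as (stage, packet) pairs."""
    out = nat.outbound(p)
    reply = Packet(p.proto, out.dst, out.dport, out.src, out.sport)  # server answers the masqueraded address
    return [("host -> router", p), ("router -> internet", out),
            ("internet -> router", reply), ("router -> host", nat.inbound(reply))]

if __name__ == "__main__":
    nat = Masquerade("12.34.56.78")           # router eth1 from slide 27
    for stage, pkt in trace(nat, Packet("tcp", "192.168.1.2", 3456, "216.239.39.101", 80)):
        print(f"{stage:20} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```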

  30. Implementation of Masquerading
     • Linux – built into kernel firewall
       • Resident for years
       • ipfwadm, ipchains, iptables
     • Windows – Internet Connection Sharing
       • Partially with Microsoft Windows 98SE and Windows ME (only share certain interfaces)
       • Full implementation in Microsoft Windows 2000 and Windows XP (share any interface)

  32. Firewalls
     • Routers with “attitude”
     • Process packets based on rules
     • Rules based on any packet characteristics or attributes
       • Source and destination addresses and ports (e.g., source port 1234 from host 10.0.3.23)
       • Protocol flags (e.g., TCP SYN, TCP ACK)
       • Protocol types (e.g., ICMP, UDP)
       • Connection status (e.g., new or established)

  33. Firewall Services
     (table: firewall services by OSI layer, as recovered from the slide layout)
     Application  – Application-specific proxy, Application-specific filter
     Presentation –
     Session      – Gateway, User filter
     Transport    – Port map, Port filter, Address map, Address filter
     Network      – Address map, Address filter, Protocol filter
     Data Link    – Address filter, Protocol filter
     Physical     –

  34. Types of Firewalls (1)
     • Two types
       • Stateful
       • Stateless
     • Stateless
       • Simple, less secure than stateful
       • Makes decisions based on individual packet information
       • Does not maintain any connection status
       • Example:
         • Allow all traffic inbound with destination port 80
         • Deny all traffic from 192.168.1.0/24 on the external interface

  35. Types of Firewalls (2)
     • Stateful
       • All the attributes of a stateless firewall plus …
       • Connection status (context for decisions)
         • Watches traffic for SYN, ACK, and FIN packets
         • Knows connection status (established, initiating)
       • More complex, better security
       • Example:
         • Deny all ICMP Echo Reply packets not associated with an Echo Request
         • Deny all TCP sessions not initiated from the inside network
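Added example (not the lecture's code) of the two stateful rules on slide 35 as a small connection tracker in Python: a TCP session must begin with a SYN from the inside, and an ICMP Echo Reply is accepted only when a matching Echo Request went out. The packet fields and the sample addresses are constructed, and teardown is simplified to forgetting the session at the first FIN.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    direction: str      # "in" arrives on the external interface, "out" leaves through it
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # TCP ports; for ICMP, sport carries the echo identifier
    dport: int = 0
    flags: frozenset = frozenset()   # tcp: SYN, ACK, FIN; icmp: ECHO_REQUEST, ECHO_REPLY

class StatefulFilter:
    """Keeps connection context (slide 35) so a packet is judged by what preceded it."""
    def __init__(self):
        self.tcp = {}     # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.echo = set() # (inside_ip, outside_ip, identifier) of unanswered echo requests

    @staticmethod
    def key(p):           # normalise to inside -> outside whatever the direction
        return (p.src, p.sport, p.dst, p.dport) if p.direction == "out" else (p.dst, p.dport, p.src, p.sport)

    def decide(self, p):  # returns "ACCEPT" or "DROP" and updates the tracked state
        return {"tcp": self._tcp, "icmp": self._icmp}.get(p.proto, lambda _: "DROP")(p)

    def _tcp(self, p):
        k = self.key(p)
        state = self.tcp.get(k)
        if "SYN" in p.flags and "ACK" not in p.flags:          # a new session
            if p.direction == "in":
                return "DROP"                                   # not initiated from inside
            self.tcp[k] = "initiating"
            return "ACCEPT"
        if state is None:
            return "DROP"                                       # ACK/FIN/data with no session
        if "ACK" in p.flags and p.direction == "out" and state == "initiating":
            self.tcp[k] = "established"                         # third packet of the handshake
        if "FIN" in p.flags:                                    # simplified teardown: forget it
            del self.tcp[k]
        return "ACCEPT"

    def _icmp(self, p):
        k = (p.src, p.dst, p.sport) if p.direction == "out" else (p.dst, p.src, p.sport)
        if "ECHO_REQUEST" in p.flags and p.direction == "out":
            self.echo.add(k)
            return "ACCEPT"
        if "ECHO_REPLY" in p.flags and p.direction == "in" and k in self.echo:
            self.echo.discard(k)                                # one reply per request
            return "ACCEPT"
        return "DROP"                                           # reply with no request, or inbound request

def run(packets):     # feed a packet sequence through one filter instance; return the verdicts
    fw = StatefulFilter()
    return [fw.decide(p) for p in packets]
```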

  36. Firewall Implementations
     • Implementations
       • Hardware and software
     • Hardware (network devices)
       • Cisco PIX, Sonicwall, Watchguard Firebox
     • Software (applications)
       • Windows – ZoneAlarm, Norton Personal Firewall, BlackICE
       • Unix and variants – ipfw, ipchains, iptables, ipf

  37. iptables (1)
     • Linux firewall (and more)
     • Present with the 2.4 series kernel
     • Part of the netfilter project
       • http://www.netfilter.org/
     • Consists of two parts
       • Firewall code in the kernel
       • User space “iptables” executable to manipulate kernel code
     Oskar Andreasson, Iptables Tutorial 1.1.19, http://iptables-tutorial.frozentux.net/.

  38. iptables (2)
     • Three parts
       • Rules
       • Chains
       • Tables

  39. iptables (3)
     • Rule
       • Lowest-level (most basic) entity in firewalling
       • A single tuple of what to do (action) and packets to which to apply the action (filter)
     • Filter – identifies packets to which the rule applies
       • Addresses, ports, status
     • Action – what to do with the packet (stream)
       • Accept, reject (drop, but reply with ICMP error message), drop, redirect, masquerade, go to another chain, and more

  40. iptables (4)
     • Chains
       • An ordered list of rules
       • Traversed in order
       • The first matching rule in the chain is selected
     • Important predefined chains in FILTER table
       • INPUT – all incoming packets go here
       • FORWARD – packets to be routed
       • OUTPUT – all outgoing packets go here

  41. iptables (5)
     • Tables
       • Separate different types of operations
     • Three built-in tables
       • FILTER – general filtering
       • NAT – dealing with network address translation
       • MANGLE – other packet changes
     • Each contains multiple chains

  42. iptables (6)
     • Incoming packet traversal
     (figure: traversal diagram annotated with the examples Setting DSCP, Redirecting, and Typical Firewall Functions)

  43. iptables (7)
     • Outgoing packet traversal
     (figure: traversal diagram annotated with the examples IP Masquerading and Typical Firewall Functions)

  44. iptables (8)
     • Rule placement
       • Rule type specifies table
         • Address translation and IP masquerading map to the NAT table
         • Simple packet filtering maps to the filter table
       • Rule stage specifies chain
         • Prerouting versus postrouting
         • Traffic from local application versus forwarded traffic

  45. Firewall Comments
     • “Good” firewall rules are difficult to write
       • Must consider all possible traffic
       • Only allow what should pass
     • Stateful firewalls are more secure (and more complex) than stateless firewalls
     • Stepping forward
       • Intrusion Detection System (IDS) – “smarter” stateful firewall

  47. Web-Based Authentication
     • Consider a wireless LAN “hot spot” service
     • This will require consideration and use of…
       • DHCP
       • Firewalling
       • Authentication
       • IP masquerading (NAT)
     • Authentication is commonly done using a web-based scheme − here is one approach…
       • The first attempt to access any web page is redirected to an authentication page for the service
       • A script or program must perform authentication and update the configuration to allow access, if appropriate
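The following added example (not from the deck or from netfilter) models in Python the rule, chain and table structure of slides 39 to 44 together with the slide 47 redirect-to-login approach: ordered chains with first-match semantics, a jump to a user chain that falls back to the caller when nothing matches, a default policy, and the path of a forwarded packet through nat PREROUTING, filter FORWARD and nat POSTROUTING. The interface names eth0/eth1 and the router's external address come from slide 27; the authentication port 8080, the `clients` chain and the `authenticated` set that the login script would update are assumptions, and the reverse translation of masqueraded return traffic is not modelled here.

```python
from collections import namedtuple

# A rule is one tuple: the filter (attribute -> value or predicate, all of which must match)
# and the action (ACCEPT, DROP, REDIRECT, MASQUERADE or the name of a user chain to jump to).
Rule = namedtuple("Rule", "match action arg", defaults=(0,))   # arg: REDIRECT target port

def matches(rule, pkt):
    return all(v(pkt.get(k)) if callable(v) else pkt.get(k) == v for k, v in rule.match.items())

class Tables:
    def __init__(self, ext_ip):
        self.ext_ip, self.policy = ext_ip, {"FORWARD": "DROP"}   # slide 45: only allow what should pass
        self.chains = {"nat": {"PREROUTING": [], "POSTROUTING": []}, "filter": {"FORWARD": []}}

    def add(self, table, chain, rule):            # like `iptables -t <table> -A <chain> ...`
        self.chains[table].setdefault(chain, []).append(rule)

    def walk(self, table, chain, pkt):            # ordered traversal; the first match decides
        for r in self.chains[table][chain]:
            if not matches(r, pkt):
                continue
            if r.action in self.chains[table]:    # jump; a user chain with no match returns here
                hit = self.walk(table, r.action, pkt)
                if hit is not None:
                    return hit
                continue
            return r
        return None                               # nothing matched: the caller applies the policy

    def forward(self, pkt):   # routed packet: nat PREROUTING, routing, filter FORWARD, nat POSTROUTING
        pkt = dict(pkt)
        hit = self.walk("nat", "PREROUTING", pkt)
        if hit and hit.action == "REDIRECT":      # now addressed to this box: goes to INPUT
            pkt["dst"], pkt["dport"] = "local", hit.arg
            return "REDIRECT", pkt
        hit = self.walk("filter", "FORWARD", pkt)
        verdict = hit.action if hit else self.policy["FORWARD"]
        if verdict != "ACCEPT":
            return verdict, None
        hit = self.walk("nat", "POSTROUTING", pkt)
        if hit and hit.action == "MASQUERADE":    # leaves with the router's public address
            pkt["src"] = self.ext_ip
        return "ACCEPT", pkt

def hotspot(authenticated, ext_ip="12.34.56.78", auth_port=8080):
    """Slide 47 hot spot; `authenticated` is the set the authentication script updates (assumed)."""
    t = Tables(ext_ip)
    t.add("nat", "PREROUTING", Rule({"in": "eth0", "proto": "tcp", "dport": 80,
                                     "src": lambda ip: ip not in authenticated}, "REDIRECT", auth_port))
    t.add("filter", "FORWARD", Rule({"in": "eth1", "state": "ESTABLISHED"}, "ACCEPT"))
    t.add("filter", "FORWARD", Rule({"in": "eth0"}, "clients"))       # jump to the user chain
    t.add("filter", "clients", Rule({"src": lambda ip: ip in authenticated}, "ACCEPT"))
    t.add("nat", "POSTROUTING", Rule({"out": "eth1"}, "MASQUERADE"))
    return t
```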

  48. HTML
     • HyperText Markup Language (HTML)
       • Web page “language” (content)
       • Currently in version 4.01
       • Maintained by the World Wide Web Consortium (W3C)
         • http://www.w3c.org
     • Uses “tags”: <begin_tag>text</end_tag>
     • Formatting language
       • Take data and add formatting, pictures, input, and/or links

  49. HTML (2)
     • Many extensions and add-ons
       • Responsible for rich web content
     • Tags interpreted by web browser; no server processing involved
     • May be edited by hand or with a WYSIWYG editor
       • By hand: notepad, emacs, vi
       • WYSIWYG: MS Frontpage, Dreamweaver

  50. Web Programming
     • Common Gateway Interface (CGI)
       • A way for web servers to interact with standard programs to generate dynamic web content
       • Input typically HTML form data
       • Output dynamic content (web pages)
       • Can be written using C++, Perl, Fortran, or PHP
       • Can do many functions with the appropriate library
     (figure: (1) the web browser sends a URL and parameters to the HTTP server; (2) the server invokes the gateway program via CGI; (3) the program processes the request; (4) it returns HTML, text, … to the server; (5) the server returns HTML, text, … to the browser)
