Lecture Objectives. Lecture 6 Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs. Agenda. Nomadic Services. Agenda. Nomadic Services Functions

(1)

Lecture 6

Mobile Networks: Nomadic

Services, DHCP, NAT, and VPNs

Wireless Networks and Mobile Systems

Mobile Networks: Nomadic Services, DHCP, NAT, and VPNs 2

Lecture Objectives

●

Describe the role of nomadic services in mobile

networking

●

Describe the objectives and operation of IP virtual

private networks (VPNs)

●

Describe the objectives and operation of the Dynamic

Host Configuration Protocol (DHCP)

●

Describe the objectives and operation of network

address translation (NAT)

●

Describe firewall and packet filter functions,

especially as related to NAT

●

Provide some high-level background in web services,

especially for a wireless “hot spot” service

Agenda

● Nomadic services

●

Virtual private networks (VPNs)

●

Dynamic Host Configuration Protocol (DHCP)

●

Network address translation (NAT)

●

Firewalls and packet filtering

●

HTML and web programming

●

Brief comments on a wireless “hot spot” service

Nomadic Services

●

Nomadic services support hosts that attach to

different networks, but where host reconfiguration is

acceptable

■ Compare to mobile services where hosts can move to a different network without reconfiguring

●

Functions

■ Changing the host’s IP address to that of the current network to which it is attached ⇒DHCP

■ Limited number of public Internet addresses available in the current network (or any network)⇒NAT

■ Lack of trust of the current network (or any network)⇒VPN

●

A wireless “hot spot” usually combines DHCP, NAT,

and firewall functions

Nomadic Services Functions

Address via DHCP

Secure Data, Private Address Secure Data,

Public Address

•VPN endpoint

•VPN endpoint •DHCP •NAT

Public Network

Private Network

Nomadic Node

Agenda

●

Nomadic services

● Virtual private networks (VPNs)

●

Dynamic Host Configuration Protocol (DHCP)

●

Network address translation (NAT)

●

Firewalls and packet filtering

●

HTML and web programming

(2)

Virtual Private Networks (1)

●

Virtual private networks (VPNs)

■Enable end-to-end security (authentication and, optionally, privacy) for a single (mobile) host connecting to a private network over untrusted (public) intermediate networks ■Enable security for private network-to-network

communication over untrusted intermediate networks ■Support quality-of-service and other attributes of a service

level agreement over a shared network for network-to-network connectivity

Virtual Private Networks (2)

●

Tunneling protocols

■ Point-to-Point Tunneling Protocol (PPTP) ■ Layer 2 Tuneling Protocol (L2TP) ■ IP Security (IPSec)

VPN Client

VPN Server General

Host

Public Network Private

Network

Secure Tunnel

Point-to-Point Tunneling Protocol

●

PPTP is an extension of the Point-to-Point Protocol

(PPP) to support tunneling

●

Can carry IP and non-IP packets

Layer 2

Header

IP

Header

PPP

Packet

GRE

Header

Layer 2 Tunneling Protocol

●

Resulted from the IETF’s merger of PPTP and the

Layer 2 Forwarding Protocol (L2FP)

●

Can carry IP and non-IP packets over IP and other

networks

Packet Transport (UDP, FR, ATM, etc.) L2TP Data Channel

(unreliable)

L2TP Control Channel (unreliable) L2TP Data Messages

(unreliable) PPP Frames

L2TP Control Messages

IP Security

●

IPSec has two main components

■Authentication Header (AH) ■Encapsulating Security Payload (ESP)

●

Two modes

■Transport mode ■Tunnel mode

IP

Header

AH

(or ESP)

IP

Payload

Inner IP

Header

Original IP Datagram

Tunnel

Mode

VPN References

K. Hamzeh, G. Pall, W. Verthein, J. Taarud, W. Little, G. Zorn, “ Point-to-Point Tunneling Protocol,”RFC 2637, July 1999.

W. Townsley, A. Valencia, A. Rubens, G. Pall, G. Zorn, B. Palter, “Layer Two Tunneling Protocol ‘L2TP’,” RFC 2661, Aug. 1999. S. Kent, R. Atkinson, “Security Architecture for the Internet Protocol,” RFC 2401, Nov. 1998.

D. Fowler, Virtual Private Networks, Morgan-Kaufmann Publishers, 1999.

(3)

Agenda

●

Nomadic services

●

Virtual private networks (VPNs)

● Dynamic Host Configuration Protocol (DHCP)

●

Network address translation (NAT)

●

Firewalls and packet filtering

●

HTML and web programming

●

Brief comments on a wireless “hot spot” service

DHCP

●

DHCP provides all necessary configuration

information to allow a stationary node to become a

viable Internet host

●

Applications

■ To simplify system administration in traditional networks ■ To improve utilization of IP address space

■ To allow mobile hosts to obtain collocated care-of addresses on foreign networks

R. Droms, “Dynamic Host Configuration Protocol,” RFC 2131, March 1997.

C. E. Perkins, Mobile IP: Design Principles and Practices, Addison-Wesley, Reading, MA, 1998 (Chapter 9).

DHCP: Client-Server Model (1)

●

DHCP adheres to a client-server model

■Client requests service

■Server provides response

●

Request and reply must be sent without the benefit of

the client being an Internet host

DHCP

Server

DHCP

Client 1

DHCP

Client 2

request

reply

DHCP: Client-Server Model (2)

●

Client broadcasts request to network

■ Broadcast received by server or relay

■ If a relay is used, it forwards request with other information to the server

●

Server responds with configuration information

●

Client acknowledges receipt

●

Server reserves IP address (for some lease time) and

notifies client that address is reserved

●

Client must renew the lease

DHCP Initialization (1)

●

Client broadcasts a discover message

(DHCPDISCOVER)

■Sent via UDP to port 67

■Received by one or more DHCP servers (or relays)

●

Responding servers …

■Determine configuration

■Send an offer message (DHCPOFFER) to the client

●

Client selects a configuration that it wants

■Sends a request message (DHCPREQUEST) to the selected server

■Sends the same request message to servers not selected so they can release reserved IP address

DHCP Initialization (2)

●

Selected server …

■ Commits configuration

■ Replies with an acknowledge message (DHCPACK) to complete initialization

(4)

DHCP Initialization (3)

Server 1

(selected)

Client

Server 2

(not selected)

DHCPDISCOVER DHCPDISCOVER

DHCPOFFER DHCPOFFER

DHCPREQUEST DHCPREQUEST

DHCPACK

Lease and Renewals (1)

●

Server grants use of the IP address for a limited time,

the lease time

●

Client should renew the lease about after about

two-thirds of the lease time has expired

●

Lease renewal …

■ Client sends DHCPREQUEST message to the original selected server via unicast

■ Server responds with DHCPACK message

■ If no response from the server, client must start again with DHCP initialization

Lease and Renewals (2)

Server

Client

DHCPREQUEST

DHCPACK

Graceful Shutdown

●

Client can perform a graceful shutdown by sending a

DHCP release message (DHCPRELEASE) to the

server

■ Allows server to release reserved IP address

●

Often, clients just shutdown and IP address is

released after the lease time expires

Server

Client

DHCPRELEASE

DHCP Options

●

DHCP servers can provide optional information

beyond the assigned IP address

■Default router ■Subnet mask

■Network Time Protocol (NTP) servers ■Service Location Protocol (SLP) servers ■Domain Name System (DNS) servers ■Local domain name

■Host name

●

Request in discover or request message

●

Response in offer or acknowledge message

■Type, Length, Value (TLV) option

Agenda

●

Nomadic services

●

Virtual private networks (VPNs)

●

Dynamic Host Configuration Protocol (DHCP)

● Network address translation (NAT)

●

Firewalls and packet filtering

●

HTML and web programming

(5)

Network Address Translation

●

NAT “mangles” a packet’s addressing headers as it

passes through a router to change either the source

or destination address

●

Most common form of NAT: Network and port

address translation

■A.k.a. IP Masquerading – Linux

■A.k.a. Port Address Translation (PAT) – Cisco

What is Masquerading?

●

One-to-many translation

●

The process of routing Internet-bound traffic from a

private network through a gateway router that

modifies the traffic to look like its own

●

On the return, the router, demultiplexes the traffic

back to the appropriate hosts by source/destination

port/address pairs (remembered from transmission)

Example Configuration

●

Trace a packet from Host1 to google.com

■IP address: 216.239.39.101

Host1

Host2

Host3

Router

eth1 – 12.34.56.78 Internal Network – 192.168.1.xxx

External Network

.4 .3 .2

eth0 – 192.168.1.254

Packet Trace

●

Packet sent to HTTP server at google.com

80 65013* 216.239.39.101 12.34.56.78 Google.com … routing 80 65013* 216.239.39.101 12.34.56.78 Router:eth1 NAT 80 4356 216.239.39.101 192.168.1.2 Router:eth0 80 4356 216.239.39.101 192.168.1.2 Host1:eth0 Dest Prt Src Prt Dest IP Src IP Interface

*Note: Masquerading changes the source port as well as source address for assured demultiplexing. Value depends on implementation.

Packet Trace (2)

●

Returning packet

4356 80 192.168.1.2 216.239.39.101 Host1:eth0 4356 80 192.168.1.2 216.239.39.101 Router:eth0 NAT 65013 80 12.34.56.78 216.239.39.101 Router:eth1 …routing 65013 80 12.34.56.78 216.239.39.101 Google.com Dest Prt Src Prt Dest IP Src IP Interface

Implementation of Masquerading

●

Linux – built into kernel firewall

■ Resident for years

■ ipfwadm, ipchains, iptables

●

Windows – Internet Connection Sharing

■ Partially with Microsoft Windows 98SE and Windows ME (only share certain interfaces)

■ Full implementation in Microsoft Windows 2000 and Windows XP (share any interface)

(6)

Agenda

●

Nomadic services

●

Virtual private networks (VPNs)

●

Dynamic Host Configuration Protocol (DHCP)

●

Network address translation (NAT)

● Firewalls and packet filtering

●

HTML and web programming

●

Brief comments on a wireless “hot spot” service

Firewalls

●

Routers with “attitude”

●

Process packets based on rules

●

Rules based on any packet characteristics or

attributes

■ Source and destination addresses and ports (e.g., source port 1234 from host 10.0.3.23)

■ Protocol flags (e.g., TCP SYN, TCP ACK) ■ Protocol types (e.g., ICMP, UDP)

■ Connection status (e.g., new or established)

Firewall Services

Data Link

Physical

Transport

Network

Presentation

Session

Application

Application-specific proxy,

Application-specific filter

Gateway, User Filter

Port map, Port filter,

Address map, Address filter

Address map, Address filter,

Protocol filter

Address filter, Protocol filter

Types of Firewalls (1)

●

Two types

■ Stateful ■ Stateless

●

Stateless

■ Simple, less secure than stateful

■ Makes decisions based on individual packet information ■ Does not maintain any connection status

■ Example:

○Allow all traffic inbound with destination port 80 ○Deny all traffic from 192.168.1.0/24 on the external

interface

Types of Firewalls (2)

●

Stateful

■All the attributes of a stateless firewall plus … ■Connection status (context for decisions)

○Watches traffic for SYN, ACK, and FIN packets ○Knows connection status (established, initiating) ■More complex, better security

■Example:

○Deny all ICMP Echo Reply packets not associated with an Echo Request

○Deny all TCP sessions not initiated from the inside network

Firewall Implementations

●

Implementations

■ Hardware and software

●

Hardware (network devices)

■ Cisco PIX, Sonicwall, Watchguard Firebox

●

Software (applications)

■ Windows – ZoneAlarm, Norton Personal Firewall, BlackICE ■ Unix and variants – ipfw, ipchains, iptables, ipf

(7)

iptables (1)

●

Linux firewall (and more)

●

Present with the 2.4 series kernel

●

Part of the netfilter project

■http://www.netfilter.org/

●

Consists of two parts

■Firewall code in the kernel

■User space “iptables” executable to manipulate kernel code

Oskar Andreasson, Iptables Tutorial 1.1.19,

http://iptables-tutorial.frozentux.net/.

iptables (2)

●

Three parts

■ Rules ■ Chains ■ Tables

iptables (3)

●

Rule

■Lowest-level (most basic) entity in firewalling

■A single tuple of what to do (action) and packets to which to apply the action (filter)

■Filter – identifies packets to which the rule applies ○Addresses, ports, status

■Action – what to do with the packet (stream)

○Accept, reject (drop, but reply with ICMP error message), drop, redirect, masquerade, go to another chain, and more

iptables (4)

●

Chains

■ An ordered list of rules ■ Traversed in order

■ The first matching rule in the chain is selected ■ Important predefined chains in FILTER table

○INPUT – all incoming packets go here ○FORWARD – packets to be routed ○OUTPUT – all outgoing packets go here

iptables (5)

●

Tables

■Separate different types of operations ■Three built-in tables

○FILTER – general filtering

○NAT – dealing with network address translation ○MANGLE – other packet changes

■Each contain multiple chains

iptables (6)

●

Incoming

packet

traversal

Network _PREROUTINGMangle _PREROUTINGNat

Routing Decision

Mangle FORWARD Mangle

INPUT Filter INPUT

Filter FORWARD

Application _{*to output*}

Local Non-Local

Example: Setting DSCP

Example: Redirecting

Example: Typical Firewall

Functions

Example: Typical Firewall Functions

(8)

iptables (7)

●

Outgoing

packet

traversal

Application

Mangle OUTPUT

Routing Decision

Nat OUTPUT

Filter OUTPUT

Mangle POSTROUTING

Nat POSTROUTING

Network

*from non-local input*

Example: IP Masquerading

Example: Typical Firewall

Functions

iptables (8)

●

Rule placement

■ Rule type specifies table

○Address translation and IP masquerading map to the NAT table

○Simple packet filtering maps to the filter table ■ Rule stage specifies chain

○Prerouting versus postrouting

○Traffic from local application versus forwarded traffic

Firewall Comments

●

“Good” firewall rules are difficult to write

■Must consider all possible traffic

■Only allow what should pass

●

Stateful firewalls are more secure (and more

complex) than stateless firewalls

●

Stepping forward

■Intrusion Detection System (IDS) – “smarter” stateful firewall

Agenda

●

Nomadic services

●

Virtual private networks (VPNs)

●

Dynamic Host Configuration Protocol (DHCP)

●

Network address translation (NAT)

●

Firewalls and packet filtering

● HTML and web programming

●

Brief comments on a wireless “hot spot” service

Web-Based Authentication

●

Consider a wireless LAN “hot spot” service

●

This will require consideration and use of…

■DHCP

■Firewalling ■Authentication ■IP masquerading (NAT)

●

Authentication is commonly done using a web-based

scheme

−

here is one approach…

■The first attempt to access any web page is redirected to an authentication page for the service

■A script or program must perform authentication and updates the configuration to allow access, if appropriate

HTML

●

HyperText Markup Language (HTML)

■ Web page “language” (content) ■ Currently in version 4.01

■ Maintained by the World Wide Web Consortium (W3C) ○http://www.w3c.org

■ Uses “tags”: <begin_tag>text</end_tag> ■ Formatting language

○Take data and add formatting, pictures, input, and/or links

(9)

HTML (2)

●

Many extensions and add-ons

■Responsible for rich web content

●

Tags interpreted by web browser; no server

processing involved

●

May be edited by hand or with a WYSWYG editor

■By hand: notepad, emacs, vi

■WYSWYG: MS Frontpage, Dreamweaver

Web Programming

●

Common Gateway Interface (CGI)

■ A way for web servers to interact with standard programs to generate dynamic web content

■ Input typically HTML form data ■ Output dynamic content (web pages) ■ Can be written using C++, Perl, Fortran, or PHP ■ Can do many functions with the appropriate library

(1) URL, param

(5) HTML, text, …

(2) CGI

(4) HTML, text, … Web

Browser

HTTP Server

Gateway Program

(3) P

ro

cess

Web Programming (2)

●

Model

■Client request ■Server reference

■Server processing (CGI, SSI, PHP) ■Request sent to client

■Browser processing (JavaScript, HTML, CSS)

No Experience?

●

PHP suggested for those with no experience with

web programming

●

PHP code is embedded in HTML code

■ No compilation

■ Quick editing

●

Familiar syntax

■ Borrows syntax “look and feel” from Java, Perl, and C++

Agenda

●

Nomadic services

●

Virtual private networks (VPNs)

●

Dynamic Host Configuration Protocol (DHCP)

●

Network address translation (NAT)

●

Firewalls and packet filtering

●

HTML and web programming

● Brief comments on a wireless “hot spot”

service

A Test Network Configuration

● DHCP server ● Firewall ● IP masquerading ● Web-based authentication

Private Network “Public” Internet

Private Public

(10)

Summary

●

Nomadic services enable Internet access

■Security, addressing, filtering

●

VPNs provide authentication and privacy for nomadic

users and protect private networks

●

DHCP allows nomadic users to obtain an IP address

and other configuration information

●

NAT conserves addresses in private networks,

allowing support for nomadic hosts

●

Firewalls and packet filtering provide security and

enable access control

●