Network Address Translation (NAT)

Uploader: ldj****22 | Document ID: 48634829 | Uploaded: 2018-07-18 | Format: PPT | Pages: 10 | Size: 223KB

Network Address Translation (NAT)
CS-480b, Dick Steflik

Network Address Translation
- RFC-1631
- A short term solution to the problem of the depletion of IP addresses
- Long term solution is IPv6 (or whatever is finally agreed on)
- CIDR (Classless InterDomain Routing) is a possible short term solution
- NAT is another
- NAT is a way to conserve IP addresses
- Hide a number of hosts behind a single IP address
- Use 10.0.0.0-10.255.255.255, 172.16.0.0-172.32.255.255 or 192.168.0.0-192.168.255.255 for local networks

Translation Modes
- Dynamic Translation (IP Masquerading): a large number of internal users share a single external address
- Static Translation: a block of external addresses is translated to a same-size block of internal addresses
- Load Balancing Translation: a single incoming IP address is distributed across a number of internal servers
- Network Redundancy Translation: multiple internet connections are attached to a NAT Firewall, which chooses and uses them based on bandwidth, congestion and availability

Dynamic Translation (IP Masquerading)
- Also called Network Address and Port Translation (NAPT)
- Individual hosts inside the Firewall are identified based on the port of each connection flowing through the firewall
- Since a connection doesn't exist until an internal host requests a connection through the firewall to an external host, and most Firewalls open ports only for the addressed host, only that host can route back into the internal network
- IP Source routing could route back in; but most Firewalls block incoming source routed packets
- NAT only prevents external hosts from making connections to internal hosts
- Some protocols won't work: protocols that rely on separate connections back into the local network
- Theoretical max of 2^16 connections; actual is much less

Static Translation
- Map a range of external addresses to the same size block of internal addresses
- Firewall just does a simple translation of each address
- Port forwarding: map a specific port to come through the Firewall rather than all ports; useful to expose a specific service on the internal network to the public network

Load Balancing
- A firewall that will dynamically map a request to a pool of identical clone machines
- Often done for really busy web sites
- Each clone must have a way to notify the Firewall of its current load so the Firewall can choose a target machine, or the firewall just uses a dispatching algorithm like round robin
- Only works for stateless protocols (like HTTP)

Network Redundancy
- Can be used to provide automatic fail-over of servers or load balancing
- Firewall is connected to multiple ISPs, with a masquerade for each ISP, and chooses which ISP to use based on client load
- Kind of like reverse load balancing
- A dead ISP will be treated as a fully loaded one and the client will be routed through another ISP

Problems with NAT
Can't be used with:
- protocols that require a separate back-channel
- protocols that encrypt TCP headers
- protocols that embed TCP address info
- protocols that specifically use the original IP for some security reason

Services that NAT has problems with
- H.323, CUSeeMe, VDO Live: video teleconferencing applications
- Xing: requires a back channel
- Rshell: used to execute commands on a remote Unix machine; back channel
- IRC (Internet Relay Chat): requires a back channel
- PPTP (Point-to-Point Tunneling Protocol)
- SQLNet2: Oracle Database Networking Services
- FTP: must be RFC-1631 compliant to work
- ICMP: sometimes embeds the packet address info in the ICMP message
- IPSec: used for many VPNs
- IKE (Internet Key Exchange Protocol)
- ESP (IP Encapsulating Security Payload)

Hacking through NAT
- Static Translation offers no protection of internal hosts
- Internal Host Seduction: internals go to the hacker (e-mail attachments, Trojan Horse virus, peer-to-peer connections, hacker-run porn and gambling sites); solution = application level proxies
- State Table Timeout Problem: hacker could hijack a stale connection before it is timed out; very low probability, but a smart hacker could do it
- Source Routing through NAT: if the hacker knows an internal address they can source route a packet to that host; solution is to not allow source routed packets through the firewall
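As an added example (not from the slides), a toy model of the NAPT state table the Dynamic Translation, Port forwarding and State Table Timeout points describe: internal hosts share one external address and are told apart by external port, unsolicited inbound packets are dropped unless a static port forward exists, and idle mappings expire. The external address 203.0.113.7, the 300 s timeout and the port range starting at 1024 are constructed assumptions.

```python
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.7"   # constructed public address of the NAT firewall
IDLE_TIMEOUT = 300            # seconds an unused mapping lives in the state table (assumed)


@dataclass
class Napt:
    """Dynamic translation (IP masquerading): many internal hosts share one
    external address and are told apart by the external port of each connection."""
    now: int = 0                  # simulated clock, seconds
    next_port: int = 1024         # next free external port (2^16 port space total)
    # ext_port -> (internal_ip, internal_port, last_seen)
    table: dict = field(default_factory=dict)
    # static port forwarding: ext_port -> (internal_ip, internal_port)
    forwards: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port):
        """Translate an internal host's outgoing connection; returns the
        (ip, port) the external peer sees. Reuses a live mapping if one exists."""
        for ext_port, (ip, port, _) in self.table.items():
            if (ip, port) == (src_ip, src_port):
                self.table[ext_port] = (ip, port, self.now)
                return EXTERNAL_IP, ext_port
        if self.next_port > 65535:            # 2^16 theoretical maximum reached
            raise RuntimeError("no free external ports")
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (src_ip, src_port, self.now)
        return EXTERNAL_IP, ext_port

    def inbound(self, dst_port):
        """Deliver an incoming packet to an internal host, or return None to drop
        it: without a live connection or a port forward, external hosts cannot
        initiate connections into the internal network."""
        self.expire()
        if dst_port in self.table:
            ip, port, _ = self.table[dst_port]
            self.table[dst_port] = (ip, port, self.now)
            return ip, port
        return self.forwards.get(dst_port)

    def expire(self):
        """Drop mappings idle longer than IDLE_TIMEOUT (the state table timeout)."""
        stale = [p for p, (_, _, seen) in self.table.items()
                 if self.now - seen > IDLE_TIMEOUT]
        for p in stale:
            del self.table[p]
```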
