
COMP30023 – Computer Systems 2018 – Semester 1 – Week 7 – Lecture 1
Internet (Network) Layer –
NAT, Fragmentation and Subnets
Dr Lachlan Andrew
© University of Melbourne 2021

Recap
• Network layer services
• Connectionless and connection-oriented
• Forwarding tables
• QoS
• IP addresses

Summary
• Network Address Translation (NAT)
• Fragmentation
– IPv4
– IPv6
• Subnets

IPv4 address scarcity
• As IP addresses became scarce, methods for handling many more clients were developed
• Whilst IPv6 would solve the problem, a stop-gap was needed
• Private addresses
– Many hosts in a company only need internal access
– “Private” subnets 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
– Can be reused: the address is unique within the organisation, not globally
• Intention: “Application layer proxies” to access outside services
– Instead…

Network Address Translation (NAT)
• Each customer/home is assigned one public IP address
– Businesses might be issued a few
• Internally, hosts/interfaces are issued private IP addresses
– Recall 10.0.0.0/8, i.e. 10.0.0.0 - 10.255.255.255 (as an example)
• Internal IP addresses are used for communicating among hosts in the Local Area Network (LAN)
• They must never be used on the public internet
• When a packet is heading out of the network (to the ISP) the internal address is translated to the public IP address

Network Address Translation (NAT)
(Figure: translation of source address and port at the NAT box.) Port number also changes: NAPT (Network Address and Port Translation)

Network Address Translation (NAT)
• How NAT works:
– Assumes TCP/UDP (some exceptions), in particular the locations of the source and destination port fields
– NAT box replaces the IP source address (10.x.y.z) with the public IP address
– TCP source port replaced with the index of the entry in the NAT translation table
• One of 65,536 entries (16 bits – same as the TCP port field)
• Each entry contains the original IP address (private IP) and the original source port number
– IP and TCP checksums are recalculated
– When a packet arrives from the internet at the NAT box, it looks up the destination port from the TCP header in the translation table
• Retrieves the original source port and source IP address, updates headers and checksums, and sends the packet to the internal host

Network Address Translation (NAT)
• Criticisms of NAT
– Breaks end-to-end connectivity: an interface in the private network can only receive packets once it has sent packets out and created a mapping (some exceptions)
– “Layering violation” by assuming the nature of the payload contents – initially only worked for TCP and UDP. Must snoop on FTP messages: https://enterprisedt.com/products/edtftpjssl/doc/manual/html/howtoftpthroughafilewall.html
– Violates the IP architectural model, which states that every interface on the internet has a unique IP address (millions of interfaces connecting to the internet have 10.0.0.1)
– Changes the internet from connectionless to pseudo-connection-oriented
• NAT maintains connection state; if it crashes, all connections are lost
– Limits the number of outgoing connections, since port numbers are 16 bits

Network Address Translation (NAT)
• Despite criticisms, it is widely deployed, particularly in homes and small businesses
– Carrier-grade NAT: the ISP only gives customers private addresses
• Significant security advantage
– Since packets can only be received once an outgoing connection has been created, the internal network is greatly shielded from attacks from incoming unsolicited packets
– NAT should not replace firewalls
• Likely to remain in use even after IPv6 is widely deployed and there is no longer a scarcity of IP addresses
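The translation procedure above, as an added example that is not part of the lecture slides: a minimal NAPT box that rewrites outbound packets, looks up inbound ones by destination port, drops unsolicited inbound packets (no table entry), and fails once the 16-bit port space is used up. Public IP 203.0.113.5 and the server 198.51.100.1 are constructed documentation addresses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAPT:
    """Port-translating NAT box: one public address shared by a private network."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port   # next free table index (public port)
        self.last_port = last_port    # 16-bit port field bounds the table
        self.table = {}               # public port -> (private ip, private port)
        self.reverse = {}             # (private ip, private port) -> public port

    def outbound(self, pkt):
        """Rewrite a packet leaving the LAN: private source -> public IP + table index."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table full: port space exhausted")
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        # A real NAT box would also recompute the IP and TCP/UDP checksums here.
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Look up the destination port; None means no mapping, so the packet is dropped."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """Constructed example: host 10.0.0.7 behind the NAT box talks to a web server."""
    nat = NAPT("203.0.113.5")
    out = nat.outbound(Packet("10.0.0.7", 40000, "198.51.100.1", 80))
    reply = nat.inbound(Packet("198.51.100.1", 80, "203.0.113.5", out.src_port))
    stray = nat.inbound(Packet("198.51.100.1", 80, "203.0.113.5", 50000))
    return out, reply, stray
```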

Fragmentation

Fragmentation
• Recall that IP packets have a maximum size of 65,535 bytes – determined by the Total Length header field being 16 bits
• However, most network links cannot handle such large sizes
• All networks have a maximum size for packets, due to:
• hardware
• OS
• protocols
• standards compliance
• desire to reduce transmissions due to errors
• desire for efficiency in communication channel

Fragmentation
• Nature of layered protocol stack means lower layer potentially needs to be able to fragment larger packets
• More important: the most restrictive link on a packet’s path may be on a link the sender is not connected to
• Can’t just pass info up the protocol stack in the sender
• Fragmentation (division of packets into fragments) allows network gateways to meet size constraints

Fragmentation
• Hosts want to transmit large packets, since it reduces workload for them
• Creates a problem when that packet transits other networks that may not support such a large packet size
• Common maximum sizes for different network technology
• 1500 bytes for Ethernet (non-standard extension to 9000)
• 2304 bytes for 802.11.
• For example, sending packets between two devices on the same WiFi network could use larger packets than sending between WiFi and Ethernet device

Fragmentation
• MTU – Maximum Transmission Unit
• Maximum size for that network or protocol
• Path MTU
• Maximum size for the path through the network
• Why not just set the Path MTU at the sender?
• Connectionless network, with dynamic routing – both route and link MTU can change after the packet has been sent
• In keeping with design goals of TCP/IP (keep it simple) the easiest solution seemed to be to allow routers to break large packets into fragments to be sent individually along the network

Fragmentation
• Problem: breaking a large packet into smaller fragments is easy, putting them back together again is a much harder task
• Two approaches:
• Transparent Fragmentation – reassembly is performed at next router; subsequent routers are unaware fragmentation has taken place
• Nontransparent Fragmentation – reassembly is performed at the destination host

Fragmentation
(Figure: a) Transparent fragmentation; b) Nontransparent fragmentation (used by IP))

Fragmentation and IP Headers
• Recall the following IP header fields
– Identification – used to identify a packet
– Flags (DF = Don’t Fragment and MF = More Fragments)
– Fragment offset – offset in 8 byte blocks
• 13 bits – max offset (2^13 – 1) * 8 = 65,528
• If a packet is fragmented:
– Identification stays the same for all fragments
– MF = 1 for all fragments, except the last
– Fragment offset – appropriately set for each fragment
• Fragment offset allows the receiving host to reconstruct out-of-order fragments in a buffer – similar to TCP segments

Fragmentation and IP Headers
• Fragment offset, and therefore fragment size, must be on an 8 byte boundary
– Cannot send single byte fragments (except the last)
• If we have a payload of 1700 bytes, MTU = 1500 bytes, ID = 1:
– 1st Fragment: ID = 1, DF = 0, MF = 1, FO = 0
– 2nd Fragment: ID = 1, DF = 0, MF = 0, FO = 185
• (185 * 8 = 1480 = 1500 – 20 byte header)
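The fragmentation rules above carried into code, as an added example that is not part of the lecture slides: `fragment` splits a payload for a given MTU (data per fragment rounded down to a multiple of 8, MF set on all but the last, FO in 8-byte units), and `reassemble` rebuilds it from fragments in any order, returning None when a fragment is missing or the IDs do not all match. The `slide_example` function reproduces the 1700-byte / MTU 1500 / ID 1 case.

```python
def fragment(payload: bytes, mtu: int, ident: int, header_len: int = 20) -> list:
    """Split a payload into IPv4-style fragments for a link with the given MTU.

    Each fragment carries header_len bytes of IP header, so at most
    mtu - header_len bytes of data, rounded down to a multiple of 8 because
    the fragment offset (FO) is expressed in 8-byte blocks.
    """
    max_data = (mtu - header_len) // 8 * 8
    if max_data <= 0:
        raise ValueError("MTU too small to carry any data")
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)   # MF = 1 on all but the last
        frags.append({"ID": ident, "DF": 0, "MF": int(more),
                      "FO": offset // 8, "data": chunk})
        offset += len(chunk)
    return frags


def reassemble(frags: list):
    """Rebuild the payload from fragments received in any order.

    Returns None when a fragment is missing (gap in the offsets, or no
    MF = 0 tail seen) or when the fragments belong to different packets.
    Losing a single fragment therefore costs the whole packet.
    """
    if len({f["ID"] for f in frags}) != 1:
        return None
    out, saw_last = bytearray(), False
    for f in sorted(frags, key=lambda f: f["FO"]):
        if f["FO"] * 8 != len(out):               # gap or overlap: not contiguous
            return None
        out += f["data"]
        saw_last = f["MF"] == 0
    return bytes(out) if saw_last else None


def slide_example():
    """The 1700-byte payload, MTU 1500, ID 1 case: (ID, DF, MF, FO, data length)."""
    frags = fragment(b"\x00" * 1700, 1500, ident=1)   # constructed payload
    return [(f["ID"], f["DF"], f["MF"], f["FO"], len(f["data"])) for f in frags]
```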

Fragmentation
• Simple approach, but some downsides:
– Overhead from fragmentation (20 byte header for each fragment) is incurred from the point of fragmentation all the way to the host
– If a single fragment is lost, the entire packet has to be resent
– Overhead on hosts in performing reassembly is higher than expected
• Alternative approach is Path MTU discovery
– Each packet is sent with the DF bit set – don’t fragment
– If a router cannot handle the packet size, it sends an ICMP (Internet Control Message Protocol) message to the sender host telling it to fragment its packets to a smaller size

Path MTU Discovery
• May cause initial packets to be dropped, but host can learn optimal size quickly and reduce subsequent fragmentation
• Fragmentation may still have to occur between hosts, unless upper layers can be informed of the size restriction
– This is one reason why TCP/IP are typically implemented together, so they can share such information
– UDP relies on PMTUs discovered by TCP

IPv4 vs. IPv6 Fragmentation
• IPv4 allows for either nontransparent fragmentation, or path MTU discovery
– IPv4 minimum accept size 576 bytes
• IPv6 expects hosts to discover the optimal path MTU
– Routers will not perform fragmentation in IPv6
– IPv6 minimum accept size 1280 bytes
• Caution:
– ICMP messages are sometimes dropped by networks, causing Path MTU discovery to fail
– In such circumstances a connection will work for low volume but fails at high volume – if in doubt, send at the minimum accept size
• https://labs.ripe.net/Members/gih/evaluating-ipv4-and-ipv6-packet-fragmentation/document_view_resolve

Subnets

Subnets
• Recall: prefixes in IP addressing indicate different destination networks
• The same approach can be used internally within an organisation to maximise the use of its assigned IP prefix
• Subnetting allows networks to be split into several parts for internal use whilst acting like a single network for external use
• Subnet masks are written the same way as network masks:
– “dotted decimal” (e.g. 255.255.255.128) or
– “slash” notation (e.g. /25)

Subnets
• Example: A university with a /16 prefix could subnet its network as follows:
– Computer Science /17 (half of allocation)
– Electrical Engineering /18 (quarter of allocation)
– Arts /19 (1/8 of allocation)
• Splits don’t need to be even, but bits must be aligned to allow the host portion to be used

Subnets
• When a packet arrives from the internet, the router can use the subnet masks (bitwise AND) to find which subnet it should send the packet to, without knowing all hosts on the subnet

Subnets
Network   Prefix             Network Address (binary)
EE        128.208.0.0/18     10000000.11010000.00000000.00000000
CS        128.208.128.0/17   10000000.11010000.10000000.00000000
Arts      128.208.96.0/19    10000000.11010000.01100000.00000000

Network   Prefix             Subnet Mask      Binary Subnet Mask
EE        128.208.0.0/18     255.255.192.0    11111111.11111111.11000000.00000000
CS        128.208.128.0/17   255.255.128.0    11111111.11111111.10000000.00000000
Arts      128.208.96.0/19    255.255.224.0    11111111.11111111.11100000.00000000

• Example: a packet comes in for 128.208.2.151 (10000000.11010000.00000010.10010111)

Subnets
• Try the CS subnet (table as above):
Incoming (128.208.2.151)   10000000.11010000.00000010.10010111
AND CS subnet mask         11111111.11111111.10000000.00000000
Result                     10000000.11010000.00000000.00000000
CS network                 10000000.11010000.10000000.00000000   (no match)

Subnets
• Try the Arts subnet:
Incoming (128.208.2.151)   10000000.11010000.00000010.10010111
AND Arts subnet mask       11111111.11111111.11100000.00000000
Result                     10000000.11010000.00000000.00000000
Arts network               10000000.11010000.01100000.00000000   (no match)

Subnets
• Try the EE subnet:
Incoming (128.208.2.151)   10000000.11010000.00000010.10010111
AND EE subnet mask         11111111.11111111.11000000.00000000
Result                     10000000.11010000.00000000.00000000
EE network                 10000000.11010000.00000000.00000000   Match!
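The bitwise-AND subnet lookup from the slides, as an added example that is not part of the lecture material: it converts dotted addresses to integers, builds the mask from the prefix length, and tests each subnet of the university table (EE /18, CS /17, Arts /19). It goes slightly beyond the slides by preferring the longest matching prefix, which is what a real forwarding table does when subnets nest.

```python
def to_int(dotted: str) -> int:
    """'128.208.2.151' -> 32-bit integer, rejecting malformed input."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_bin(n: int) -> str:
    """32-bit integer -> dotted binary, the form printed on the slides."""
    return ".".join(f"{(n >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def to_dotted(n: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_mask(length: int) -> int:
    """/length -> subnet mask as an integer, e.g. 17 -> 255.255.128.0."""
    if not 0 <= length <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def route(dst: str, subnets):
    """Name of the subnet whose (dst AND mask) equals its network address.

    subnets is a list of (name, 'a.b.c.d/len'). The router needs no knowledge
    of individual hosts; if several subnets match, the longest prefix wins.
    """
    d = to_int(dst)
    best = None
    for name, cidr in subnets:
        net_str, plen = cidr.split("/")
        plen = int(plen)
        mask = prefix_mask(plen)
        if d & mask == to_int(net_str) & mask and (best is None or plen > best[1]):
            best = (name, plen)
    return best[0] if best else None


# The university's subnets from the lecture table.
UNI = [("EE", "128.208.0.0/18"), ("CS", "128.208.128.0/17"), ("Arts", "128.208.96.0/19")]
```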

Subnets
• Future changes can be made without any external impact
– No need to request additional IP address allocation
– Routing on the internet does not change, only internally

And finally…
• Attempts have been made to overcome the weaknesses of NAT
• Notably, Universal Plug and Play (UPnP)
• As internet use grew, the need for home machines to act as servers grew
– Gaming, chat, media players, etc.
• UPnP implements the Internet Gateway Device Protocol, which allows port mappings to be created in the NAT translation table so that servers can be run on the internal network
• Bad implementations of UPnP have allowed attackers to alter translation tables from external IP addresses

Acknowledgement
• The slides were adapted by Lachlan Andrew from those prepared by Chris Culnane based on material developed previously by: Michael Kirley, Zoltan Somogyi, Rao Kotagiri, James Bailey and Chris Leckie.
• Some of the images included in the notes were supplied as part of the teaching resources accompanying the text books listed in lecture 1.