DHCP & NAT Flashcards
Communicating with IP
Three essential configuration elements, one really important
- IP address
- Subnet mask
- Gateway router
- A DNS server (useful to use the web but not necessary)
Problem:
- How do we get these values when we connect to a network (e.g. eduroam)?
IP addresses: how to get one?
That’s actually two questions:
1. Q: How does a host get an IP address within its network (host part of address)?
2. Q: How does a network get an IP address for itself (network part of address)?
How does a host get an IP address?
- hard-coded by sysadmin in config file (e.g., /etc/rc.config in UNIX)
- DHCP: Dynamic Host Configuration Protocol: dynamically get address from a server
* “plug-and-play”
Option 1: How to assign an IP address to a host?
Option 2: Dynamic assignment
DHCP: Dynamic Host Configuration Protocol
Goal: allow hosts to dynamically obtain their IP addresses from a network server when they join the network
¤ A host can renew its lease on the address in use
¤ Allows reuse of addresses (only holds address while connected/ “on”)
¤ Support for mobile users who want to join the network (more shortly)
¤ Plug-and-play
¤ Defined in RFC 2131
DHCP background
- Allows a computer to join an IP network without having a pre-configured IP address
¤ Runs over UDP/IP
¤ Temporarily binds IP address and other parameters to DHCP client
¤ Provides framework for passing further configuration information to hosts
- DHCP assigns a locally unique IP address
¤ Simplifies installation and configuration of end systems
¤ Allows for manual and automatic IP address assignment
¤ May provide additional configuration information
* DNS server, subnet mask, default router, etc.
- Used by
¤ Home networks, wifi hotspots, enterprise networks
DHCP components
- DHCP Server
- Assigned to specific network
- Configuration parameters
- Pool of available IP addresses
- Correct subnet masks
- Network gateway
- Name server addresses
- DHCP Databases
- 1st database for manual IP acquisition
- Permanently bound to hardware address
- 2nd database for pool of addresses
- Dynamically assigned on request (FCFS)
- DHCP Clients
- Automatically retrieve DHCP settings
- Have to “speak” DHCP protocol
DHCP procedure
- Client broadcasts DHCP DISCOVER packet
¤ Server answers
- DHCP servers lease addresses to clients
¤ Client sends request
¤ Server allocates address from an address pool
¤ Server adds client to (lease) database with timeout
¤ Server replies to client with address, servers, …
- Client sends subsequent request to renew address lease
¤ After ½ the lease time client can renew the lease
¤ Provided not timed-out, server sends same address
DHCP client-server scenario
DHCP: more than IP addresses
- DHCP can return more than just allocated IP address on subnet:
¤ Address of first-hop router for client
¤ Name and IP address of DNS server
¤ Network mask (indicating network versus host portion of address)
¤ Other configuration such as web proxy, network time server, network allocated hostname
DHCP leases
- Address Usage
¤ After an address has expired, the client must stop using it and acquire a new address
¤ If there is more than one DHCP server, the client can select the best “offer”
- Address Leases
¤ Manual Lease: Network manager explicitly assigns all IP addresses
¤ Automatic Lease: DHCP server permanently assigns some addresses and dynamically others
¤ Dynamic Lease: DHCP server dynamically assigns IP addresses for a specific period of time when permanent address is not required
DHCP Request (from home LAN)
DHCP Response (from home LAN)
DHCP message format
Message types
- DHCPDISCOVER: Broadcast by a client to find available DHCP servers
- DHCPOFFER: Response from a server to a DHCPDISCOVER and offering IP address and other parameters
- DHCPREQUEST: Message from a client to servers that does one of the following:
– Requests the parameters offered by one of the servers and declines all other offers
* Broadcast message
– Verifies a previously allocated address after a system or network change (a reboot for example)
– Requests the extension of a lease on a particular address
- DHCPACK: Acknowledgement from server to client with parameters, including IP address
- DHCPNACK: Negative acknowledgement from server to client, indicating that the client’s lease has expired or that a requested IP address is incorrect
- DHCPDECLINE: Message from client to server indicating that the offered address is already in use
- DHCPRELEASE: Message from client to server canceling remainder of a lease and relinquishing network address
- DHCPINFORM: Message from a client that already has an IP address (manually configured for example), requesting further configuration parameters from the DHCP server
DHCP: protocol in use
DHCP pros
- Relieves the network administrator of manual configuration
- Device can be moved from network to network and automatically obtain valid configuration parameters for the current network
- IP addresses are only allocated when needed
¤ It is possible to re-use IP addresses after lease
* Especially considering mobile clients, public wifi
¤ Conserve /reduce total number of addresses in use
DHCP limitations
- Server Issues
¤ A machine to run the DHCP server continually is required
¤ When DHCP server is unavailable, client is unable to access the enterprise’s network
- Security Problems
¤ Uses UDP, an unreliable and insecure protocol
¤ DHCP is an unauthenticated protocol
* When connecting to a network, the user is not required to provide credentials in order to obtain a lease
* Malicious users with physical access to the DHCP-enabled network can instigate a denial-of-service attack on DHCP servers by requesting many leases from the server, thereby depleting the number of leases that are available to other DHCP clients
- DNS cannot be used for DHCP configured hosts
IP addresses: how to get one?
Q: how does network get subnet part of IP address?
A: gets allocated portion of its provider ISP’s address space
Hierarchical addressing: route aggregation
Hierarchical addressing allows efficient advertisement of routing information:
Hierarchical addressing: more specific routes
- Organization 1 moves from Fly-By-Night-ISP to ISPs-R-Us
- ISPs-R-Us now advertises a more specific route to Organization 1
NAT: Network Address Translation
What is the issue
- IPv4 address scarcity
¤ Hierarchical allocation (waste)
¤ IANA / RIPE have allocated all main blocks
- Solutions include
¤ Network Address Translation (NAT)
¤ IP version 6 (IPv6) – bigger addresses!
NAT: network address translation
NAT Basic Idea
- Local network uses just one IP address as far as outside world is concerned:
¤ Range of addresses not needed from ISP
* Just one IP address for all devices
¤ Can change addresses of devices in local network without notifying outside world
¤ Can change ISP without changing addresses of devices in local network
¤ Devices inside local net are not explicitly addressable or visible to the outside world (a security plus)
NAT Implementation
- NAT router functionality
¤ Outgoing datagrams:
* replace (source IP address, port #) of every outgoing datagram with (NAT IP address, new port #)
* remote clients/servers will respond using (NAT IP address, new port #) as destination address
¤ Remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair
¤ Incoming datagrams:
* replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table
NAT Example
NAT Implications
- 16-bit port-number field:
¤ 60,000 simultaneous connections with a single LAN-side address!
- NAT is controversial:
¤ routers should only process up to layer 3
¤ address shortage should be solved by IPv6
¤ violates end-to-end argument
- NAT possibility must be taken into account by app designers, e.g., P2P applications
¤ NAT traversal: what if client wants to connect to server behind NAT?
- Performance/scalability issues
– Per flow state!
– Modifying IP and port numbers means NAT must re-compute IP and TCP checksums
- Breaks the layered network abstraction
- Breaks end-to-end Internet connectivity
– Problem is worse when both communicating hosts are behind NATs!
NAT Implications (Natural firewall)
- A NAT only allows incoming packets from IP addresses where there is an entry in the NAT translation table (i.e., the connection must be originally initiated from within the LAN).
Connecting two hosts behind a NAT
- NAT hole punching
- Uses a relay to communicate
- Much simpler with UDP