1/28/2009

The Translator

Progress. I started off with NAT from Jeff Doyle's Vol-II. I like long distance running and it's been my experience that the first mile is always the hardest. In that sense, I'm still within the first 100 meters of the race, but I'm just happy to see my feet move. I started with NAT mainly because the technology is relatively independent. The plan is to master each technology as I go and try and know every aspect.
Over the last 2 days, I got to reading up the introductory parts of NAT. Some things I thought that were worth recording on the blog were:
The NAT address types
  1. Inside Local (IL): Internal private addresses, as they appears LOCALLY within the Enterprise
  2. Inside Global (IG): Public IP addresses of translated Internal addresses, that appear GLOBALLY
  3. Outside Local (OL): Public IP addresses - translated inside; as it appear LOCALLY within the Enterprise
  4. Outside Global (OG): Public internet IP addresses as they appear GLOBALLY.

Commands:
sh ip nat translations
They show the dynamic and static translation table. Dynamic translations are caused by the many-to-1 and 1-to-many NAT translations. They typically timeout in 24 hours. This time can be specified by:
ip nat translation timeout <>

It's interesting that Doyle points out two CIDR issues alleviated by NAT.

1. ISP dependence - Kinda obvious
2. Multihomed ISP, address advertisement issues.
This is interesting because if you were an Enterprise and were multihomed to two ISPs and were given a more specific subnet from the ISP's IP address space, how would you possibly advertise it through the other ISP?
Even if you got ISP2 advertise ISP1's (more specific)subnet, ISP1 can no longer advertise the less specific subnet (because ISP2 is also broadcasting the Enterprise's subnet). This can cause the route to be lost, as some national ISPs filter out subnets that are higher than /19. Doyle suggests having the enterprise use RFC1918 addresses and NAT then to both ISPs at the edge.

The other interesting uses of NAT were:
Port address translation. Overloading a single IP to represent more than 1 address by translating the source port and not just the IP
TCP load balancing: NAT based server load balancing by translating one IG address to a farm of IL addresses (NAT supports only Round-Robin and has no way to determine server health)
Service based Translation: NAT can route traffic into the Enterprise based on the destination port. Therefore the same IG address can be mapped to different IL addresses based on the destination port.

As awesome as NAT is, it is not without limits. Some more interesting facts about how NAT works with certain types of traffic:

Checksum: When the IP is translated, the IP header get messed up. When the port is translated, the TCP header gets messed up. Cisco's implementation of NAT recalculates the headers and all is well

Fragmentation: For the instance of using virtual servers that are NATted to different IL's based on the destination port, what happens if say, a packet destined to the SMTP (port 25) arrives fragmented? The first fragment is the only one that has the details of the port. Thankfully, Cisco's implementation of NAT maintains state. But what if - given the nature of IP- the fragments arrive out of sequence? Well, then, there is no other option but to buffer the fragments until the first one arrives.

Encryption: NAT should always be done before encryption

Some protocols carry IP addresses in the data field. Cisco's implementation of NAT works as follows for :

(i) ICMP: Some ICMP messages include the IP Header of the packet that caused the message to be generated (3,4,5,11 & 12).
(ii) DNS: Rule of thumb is that the Master and slave must reside on the same side of the NAT (Zone transfer across a NAT is not supported). However, an IP address in a DNS query or response is NATted.
(iii) FTP: Everyone's favourite! In short, Cisco's NAT translates the IP address within the PORT or PASV command. (PORT is the command the host sends the server informing the server of the port to which it should connect for Active FTP and PASV is the command the host sends the server requesting it to open up a passive Data port to connect to). The most interesting fact for me was that during FTP, the IP could be transmitted as ASCII data rather than the binary. This implies, an IP address NAT within the data could result in a size change ( if 10.1.1.1 gets translated to 235.123.178.222!!). Cisco's NAT handles it pretty artfully. If the translated IP address is smaller than the original, NAT pads 0's. But if the size is higher, it gets a little more complex. This is because, the SEQ & ACK numbers are directly related to size of the data field. Cisco's NAT handles it by recalculatin these numbers.
(iv) SMTP: No problems here. Cisco's NAT makes the appropriate translations. Worth noting here is that IMAP and POP are strictly client-server protocols (unlike SMTP) and hence always use a hostname (never IP addresses).
(v) SNMP: There can be many IPs in the data fields for the different MIBS in different formats. NAT does not translate these. (this does not imply that an SNMP request cannot traverse a NAT, only the IPs within the SNMP data field are not translated)
(vi) Routing Protocols: No routing protocol packets should traverse a NAT boundary in which the advertised IPs change. Routing protocols are rich and complex just like SNMP fields.
(vii) Traceroute: Uses ICMP type 11 (Time Exceeded) which NAT handles as seen in the ICMP section or UDP, which also NAT handles.

I'll leave you with this:
Many critics, no defenders,
translators have but two regrets:
when we hit, no one remembers,
when we miss, no one forgets.
-Anonymous

- A.C

1/27/2009

Do not go gentle into that good night

I am going to get my CCIE number. This blog is part of my study-tool. I passed the written late August 2008. Since then, I haven't done ANY studying. This first post is the first step. Here is my initial study plan for the lab. Broadly:
  • Jeff Doyle - Volume II, Until end of February
  • Purchase Narbik Kocharian's Advanced Tech Workbook - End of Feb
  • Work through it using Dynamips
  • Start IE's self-paced course sometime in May/June
I plan to devote around 20 minutes a day to this blog - during lunch, at work to record the previous day's progress/lack-off. I want to be realistic about my goals and will post a study routine, once I get into a groove. For now, I'm bracing myself and plunging in.
............. Welcome to my journey.
-Aspiring Candidate