Network Address Translation, Network Partitioning and Virtual Private Network

I – Virtual Private Network

A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. The VPN uses “virtual” connections routed through the Internet from the business’s private network to the remote site or employee. By using a VPN, businesses ensure security – anyone intercepting the encrypted data can’t read it.

There are two types of VPNs:
- Remote access VPN, it enables users working at home or on the road to access a server on a private network using the infrastructure provided by a public network, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization’s server.

Diagram from Microsoft Article on VPN

- Site-to-site VPN, it enables organizations to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. When networks are connected over the Internet, as shown in the following figure, a router forwards packets to another router across a VPN connection. To the routers, the VPN connection operates as a data-link layer link.

Diagram from Microsoft Article on VPN

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Tunneling is the process of placing an entire packet within another packet before it’s transported over the Internet. That outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel. Tunneling requires three types of protocols:
- Passenger protocol : the original data (IPX, NetBeui, IP) that is carried over
- Encapsulating protocol : the protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data
- Carrier protocol : the protocol over which the information (in passenger protocol) is traveling


II – Network Address Translation

NAT is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device. It’s widely used for two purposes:
- Security Firewall, hide private network and outside host can’t access internal host directly
- Alleviating IP v4 address exhaustion, share the same public IP address among many internal hosts

How NAT works from Cisco

Types of NAT
- Static NAT: one to one mapping, IP is changed, but port not changed
- Dynamic NAT: M to N mapping, IP is changed, but port not changed
- Overloading: M to one mapping, IP and port is changed, but IP is always changed to the same one

Communicating between hosts both behind NAT
- Port Forward: translate the target ip/port of a IP packet to a new destination when NAT router processing incoming packets
- Nat Traversal: it enables any two nodes behind NAT device to communicate with each other

NAT traversal is a broad area where many technology and protocols are invented to solve the same problem. Traditional methods require the help of a third party host with public address, some recent technology requires the two communicating parties only.

One example is UDP hole punching: each host behind NAT communicate with a public server first to establish an address translation entry in their corresponding NAT router, the server then tell them about the remote peer’s ip/port information and now these two hosts can talk using UDP directly. This assumes that NAT router will not change the ip/port mapping when its established.

1. Anatomy: A Look Inside Network Address Translators (PDF version)
2. How NAT works @ HowStuffWorks3. RFC 1631 – The IP Network Address Translator (NAT)4. Autonomous NAT Traversal5. RFC5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)6. Skype Communication Protocol Internals7. UDP hole punching

III – Network Partitioning

A network partitioning failure splits the network into two or more disjoint parts. Processes of a network based application within the same part can communicate with each other, but they can’t communicate with processes located in other parts. It may caused by a failure of a cross boundary router device. Due to the tree structure network infrastructure, such failure only causes network partitioning, not whole network communication failure.

Strategies to handle network partitioning
- Replication, replicate data/process to several locations to tolerant network partitioning failure. To implement replication and keep consistency among replicas, typical required technologies are: multicast group communicating, message order ensuring and group membership management.
- Replicated data/process is good at serving immutable operations. To support mutable operations among replica while consistency is maintained (or making reconciliation easy to implement) when network partition happens, some other technologies are invented, such as: disjointed transaction, commutative transaction and time stamped transaction.
- Stop/Join policy, if partial unavailability is acceptable, we can design a system where disconnected (to primary process) non-primary process should stop serving when partitioning happen. These stopped process will join the serving group when connection is restored and then go through the new process joining group to catch up the updates happened during network partitioning.
- Fulfill transaction, in this technology, non-primary process will not stop serving, it will accept mutation request and put them into a queue. These non-primary process will catch up with primary and then apply queued requests after connection is restored.


1. Surviving Network Partitioning IEEE, 1998

No comments: