Leftovers: MPLS, Multicast, Gateways and Firewalls, VPNs · Firewall = one dual homed gateway...

Jean-Yves Le Boudec, Fall 2009
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

Page 2: Part 1: Firewalls

The TCP/IP architecture separates hosts and routers: the network does packet transportation only. Private networks may want more protection ("access control"); one component of access control is a firewall.

Definition: a firewall is a system that separates the Internet from an intranet such that
- all traffic must go through the firewall,
- only authorized traffic may go through,
- the firewall itself cannot be penetrated.

Components of a firewall:
- filtering router
- application or transport gateway

Page 3: Filtering Routers

A router sees all packets and may do more than packet forwarding as defined by IP. Filtering rules are based on port numbers, protocol type and control bits in the TCP header (e.g. the SYN bit).

Example: a filtering router placed between the intranet and the Internet, with the following rule table (srce = source, dest = destination):

  rule  prot  srce addr      dest addr    srce port  dest port  action
  1     tcp   *              198.87.9.2   >1023      23         permit
  2     tcp   *              198.87.9.3   >1023      25         permit
  3     tcp   129.132.100.7  198.87.9.2   >1023      119        permit
  4     *     *              *            *          *          deny

Page 4: Filtering Routers (notes)

The example shows 4 rules applied to the ports shown:

- rule 1 allows telnet connections from the outside to the machine 198.87.9.2
- rule 2 allows email (SMTP) to be sent to machine 198.87.9.3
- rule 3 allows news (NNTP) to be sent to machine 198.87.9.2, but only from machine 129.132.100.7
- rule 4 forbids all other packets.

Rules are evaluated in order and the first match decides, which is why the final "deny everything" rule turns the list into a default-deny policy. Note that these rules only describe packets entering from the Internet; a real configuration also needs the reverse direction (replies from port 23, 25 or 119 back to the outside), and the "source port > 1023" test is satisfied by any client, including an attacker, so by itself it is no protection.

Designing the set of rules employed in a firewall is a complex task; the set shown on the picture is much simpler than a real configuration.

Packet filtering alone offers little protection because it is difficult to design a safe set of rules and at the same time offer full service to the intranet users.
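The rule table above, evaluated the way a filtering router evaluates it, as an added example (not code from the lecture). The rule syntax (a prefix or `*` for addresses, `>1023` for a port range, a `syn_only` flag for the "control bits" test the slide mentions) is an assumption made for this illustration, as are the sample packets and the intranet prefix 198.87.0.0/16 used in the second rule set.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # 'tcp' or 'udp'
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = True  # TCP: SYN bit set (first segment of a connection)


@dataclass(frozen=True)
class Rule:
    proto: str        # 'tcp', 'udp' or '*'
    src: str          # address, CIDR prefix or '*'
    dst: str
    sport: str        # '*', 'N' or '>N'
    dport: str
    action: str       # 'permit' or 'deny'
    syn_only: bool = False  # match only TCP segments that carry the SYN bit


def _addr_match(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def matches(rule, pkt):
    if rule.proto != "*" and rule.proto != pkt.proto:
        return False
    if rule.syn_only and not (pkt.proto == "tcp" and pkt.syn):
        return False
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and _port_match(rule.sport, pkt.sport) and _port_match(rule.dport, pkt.dport))


def filter_packet(rules, pkt):
    """First-match evaluation: return (action, 1-based index of the deciding rule)."""
    for i, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None  # implicit default deny when no rule matches


# The slide's table, applied to packets entering from the Internet.
LECTURE_RULES = [
    Rule("tcp", "*",             "198.87.9.2", ">1023", "23",  "permit"),
    Rule("tcp", "*",             "198.87.9.3", ">1023", "25",  "permit"),
    Rule("tcp", "129.132.100.7", "198.87.9.2", ">1023", "119", "permit"),
    Rule("*",   "*",             "*",          "*",     "*",   "deny"),
]

# The same servers plus the slide's "control bits" idea: a segment with the SYN bit
# is a connection opening, so denying SYNs towards the rest of the intranet (assumed
# to be 198.87.0.0/16) blocks new inbound connections, while rule 5 still lets replies
# to connections opened from the inside come back to ephemeral ports.
REPLY_AWARE_RULES = LECTURE_RULES[:3] + [
    Rule("tcp", "*", "198.87.0.0/16", "*", "*",     "deny",   syn_only=True),
    Rule("tcp", "*", "198.87.0.0/16", "*", ">1023", "permit"),
    Rule("*",   "*", "*",             "*", "*",     "deny"),
]

if __name__ == "__main__":
    outside, web = "203.0.113.9", "198.87.9.50"   # constructed addresses
    for pkt in (Packet("tcp", outside, "198.87.9.2", 40000, 23),
                Packet("tcp", outside, "198.87.9.2", 40000, 119),
                Packet("tcp", outside, web, 80, 45000, syn=False)):
        print(pkt, filter_packet(LECTURE_RULES, pkt), filter_packet(REPLY_AWARE_RULES, pkt))
```

The second rule set is still stateless: it trusts the SYN bit as written by the sender, so an attacker can send segments without SYN (ACK scans) through rule 5 to probe the intranet. Only a stateful filter that remembers which connections were opened from inside can close that gap, which is the "little protection" point of the slide.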

Page 5: Application Layer Gateways

An application layer gateway is a layer 7 intermediate system:
- normally not used according to the TCP/IP architecture,
- but mainly used for access control,
- also used for interworking issues.

Principle: the proxy principle, viewed by the client as a server and by the server as a client; supports access control restrictions, authentication, encryption, etc.

[Figure: HTTP gateway between intranet and Internet. Host A (HTTP client) talks over TCP/IP to the gateway, which runs an HTTP server, the gateway logic and an HTTP client; the gateway talks over TCP/IP to host B (HTTP server). Messages: 1 GET xxx.. (A to gateway), 2 GET xxx.. (gateway to B), 3 data (B to gateway), 4 data (gateway to A).]

Page 6: Application Layer Gateways (notes)

1. The user at A sends an HTTP request. It is not sent to the final destination but to the application layer gateway; this results from the configuration at the client.

2. The gateway checks whether the transaction is authorized. Encryption may be performed. Then the HTTP request is issued again from the gateway to B, as though it originated from A.

3. A response comes from B, probably in the form of a MIME header and data. The gateway may also check the data, possibly decrypt it, or reject it.

4. If the gateway accepts to pass the data further, it is sent to A as though it came from B.

Application layer gateways can be made for all application level protocols. They can be used for access control, but also for interworking, for example between IPv4 and IPv6.

Page 7: Transport Gateway

Similar to application gateways but at the level of TCP connections:
- independent of application code,
- requires client software to be aware of the gateway.

[Figure: host A, a transport gateway (SOCKS server) and host B. Step 1: A opens a TCP connection to the gateway on port 1080 (SYN, SYN ACK, ACK). Step 2: A sends a connection relay request for B, port 80. Step 3: the gateway opens a TCP connection to B on port 80 (SYN, SYN ACK, ACK) and answers OK to A. Step 4: A sends "GET xxx.."; the gateway relays the data between the two connections.]

Page 8: Transport Gateway (notes)

The transport gateway is a layer 4 intermediate system. The example shows a SOCKS gateway. SOCKS is an IETF standard (SOCKS version 5 is specified in RFC 1928).

1. A opens a TCP connection to the gateway. The destination port is the well known SOCKS server port, 1080.

2. A requests from the SOCKS server the opening of a TCP connection to B. A indicates the destination port number (here, 80). The SOCKS server does various checks and accepts or rejects the connection request.

3. The SOCKS server opens a new TCP connection to B, port 80. A is informed that the connection was opened successfully.

4. Data between A and B is relayed at the SOCKS server transparently. However, there are two distinct TCP connections, with their own, distinct acknowledgement and sequence numbers.

Compared to an application layer gateway, the SOCKS server is simpler because it is not involved in application layer data units; after the connection setup phase, it acts at the level of individual segments. Its performance is thus higher, but it also cannot inspect what the application sends once the connection is accepted: the access control decision is taken on the destination address and port (and, optionally, the user's credentials), not on the content.

However, it requires the client side to be aware of the gateway: it is not transparent. Web browsers (Netscape and Microsoft browsers at the time of these slides) support SOCKS gateways.
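Steps 2 and 3 of the exchange above, written out as SOCKS5 messages (RFC 1928) with both the client and the gateway side, as an added example that is not code from the lecture. Both sides are pure functions over byte strings, so the exchange runs in memory; the gateway policy (relay only to one web server), the bound address it reports and the addresses used are assumptions for this illustration. Only the "no authentication" method and IPv4 destinations are handled.

```python
import ipaddress
import struct

VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
METHOD_NOAUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
REP_SUCCESS = 0x00
REP_NOT_ALLOWED = 0x02   # "connection not allowed by ruleset"


# --- client side (host A) -------------------------------------------------

def client_greeting():
    # VER | NMETHODS | METHODS...
    return bytes([VER, 1, METHOD_NOAUTH])


def client_connect_request(host, port):
    # VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT
    return (bytes([VER, CMD_CONNECT, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(host).packed + struct.pack("!H", port))


def parse_reply(data):
    """Return (rep, bound_host, bound_port) from the gateway's reply."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != VER or atyp != ATYP_IPV4 or len(data) != 10:
        raise ValueError("malformed SOCKS5 reply")
    (port,) = struct.unpack("!H", data[8:10])
    return rep, str(ipaddress.IPv4Address(data[4:8])), port


# --- gateway side (SOCKS server) ---------------------------------------------

def server_method_selection(greeting):
    ver, nmethods = greeting[0], greeting[1]
    methods = greeting[2:2 + nmethods]
    if ver != VER or len(methods) != nmethods:
        raise ValueError("malformed greeting")
    chosen = METHOD_NOAUTH if METHOD_NOAUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])


def server_handle_connect(request, policy, bound_addr=("198.51.100.1", 40001)):
    """Apply the gateway's checks to a CONNECT request and build the reply.

    policy: callable (host, port) -> bool; this is the lecture's "various
    checks" step, i.e. the access control list of the gateway.
    Returns (reply_bytes, (host, port) to relay to, or None if rejected).
    """
    ver, cmd, _rsv, atyp = request[:4]
    if ver != VER or cmd != CMD_CONNECT or atyp != ATYP_IPV4 or len(request) != 10:
        raise ValueError("unsupported request")
    host = str(ipaddress.IPv4Address(request[4:8]))
    (port,) = struct.unpack("!H", request[8:10])
    rep = REP_SUCCESS if policy(host, port) else REP_NOT_ALLOWED
    bnd = ipaddress.IPv4Address(bound_addr[0]).packed + struct.pack("!H", bound_addr[1])
    reply = bytes([VER, rep, 0x00, ATYP_IPV4]) + bnd
    return reply, ((host, port) if rep == REP_SUCCESS else None)


def run_exchange(dst_host, dst_port, policy):
    """Drive the client/gateway exchange in memory; return (rep, relay target)."""
    if server_method_selection(client_greeting())[1] != METHOD_NOAUTH:
        raise RuntimeError("no common authentication method")
    reply, target = server_handle_connect(client_connect_request(dst_host, dst_port), policy)
    rep, _bnd_host, _bnd_port = parse_reply(reply)
    return rep, target


def example_policy(host, port):
    # constructed ruleset: relay HTTP to one web server (host B) and nothing else
    return host == "203.0.113.80" and port == 80


if __name__ == "__main__":
    print(run_exchange("203.0.113.80", 80, example_policy))   # accepted: (0, ('203.0.113.80', 80))
    print(run_exchange("203.0.113.80", 23, example_policy))   # rejected: (2, None)
```

After a successful reply the real gateway opens the second TCP connection to the target and copies bytes in both directions; nothing in the protocol lets it see that the relayed bytes are HTTP, which is exactly why the policy can only be expressed on addresses and ports.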

Page 9: Typical Firewall Designs

An application / transport gateway alone can be used as a firewall if it is the only border between two networks.

A more general design is one or more gateways isolated by filtering routers.

[Figure, two designs between intranet and Internet. Left: Firewall = one dual homed gateway. Right: Firewall = gateways + sacrificial subnet, with two filtering routers R1 and R2 on either side of the subnet hosting the gateways.]

Page 10: Part 2: Connection Oriented Networking, MPLS and ATM

Page 11: Contents

1. Connection oriented network layer, ATM
2. MPLS (Multi Protocol Label Switching)

Page 12: 1. Frame Relay, ATM

There exists a family of data networks which is very different from IP: carrier data networks (Frame Relay, ATM, X.25).
- They use the connection oriented network layer.
- They were designed to be an alternative to IP, and failed in this goal.
- Used today as "super Ethernet" in IP backbones or at interconnection points.
- Being replaced by MPLS.

Page 13: Connection Oriented Network Layer: Frame Relay, ATM, X.25

[Figure: hosts A, B and C connected through switches S1, S2, S3 and S4. Each switch holds a table with the columns "input port, input conn Id, output port, output conn Id": a packet arriving on a port with a given connection identifier is forwarded to the output port with the identifier replaced by the table's output value, so the identifier changes from link to link along one connection.]

Page 14: Connection Oriented Network Layer (notes)

Connection oriented = similar to telephone. Connections are also called virtual circuits. The connection oriented network layer uses connections that are known and controlled in all intermediate systems. Every packet carries a connection identifier which is either global (SNA) or local to a link (X.25, Frame Relay, ATM).

The packet forwarding function is simple, based on table lookup. The control method involves:
- connection setup and release (building tables),
- connection routing.

Connection oriented networks usually implement some mechanisms to control the amount of data sent on one connection, thus limiting losses due to statistical multiplexing. Methods for that are: a sliding window protocol, similar to that of TCP (X.25, SNA), and rate control (Frame Relay, ATM).

Connection oriented networks give better control over individual traffic flows and are thus used in public networks where tariffing is a key issue (X.25, Frame Relay). IBM network architectures are also connection oriented (SNA, APPN). ATM is a connection oriented network where emphasis is put on supporting both statistical and non-statistical multiplexing. ATM packets have a small, fixed size and are called cells.

Page 15: ATM

ATM is a connection oriented network architecture. ATM packets (called cells) are small and of fixed size (48 bytes of data + 5 bytes of header):
- high performance at low cost,
- designed for very low delay,
- and for hardware implementation of the switching functions.

The ATM connection identifier is called VPI/VCI (Virtual Path Identifier / Virtual Channel Identifier). Frame Relay is the same but with packets of variable size (up to 1500 B payload).

Page 16: ATM VPI/VCI switching

[Figure: an ATM switch with input port 1 and output ports 2 and 16. ATM cells arrive on port 1 with VPI/VCI 27 or 19 (the cell header contains the VPI/VCI) and leave with VPI/VCI 44 on port 2 or 38 on port 16.]

Switching table:

  in port  in VPI/VCI  out port  out VPI/VCI
  1        27          2         44
  1        19          16        38

Page 17: ATM Adaptation Layer

ATM can transport packets of size up to 64 KB. The ATM Adaptation Layer segments and re-assembles, in ATM end points only.

[Figure: a variable length packet enters AAL5 in the ATM adapter of the sending end point, is segmented into cells that cross the ATM switches, and is re-assembled by AAL5 in the ATM adapter of the receiving end point.]

Page 18: IP over ATM: Classical IP

Classical IP uses ATM as a fast Ethernet.
- ATMARP finds the ATM address. Like a telephone number, similar to an IPv6 address; it is not a VPI/VCI.
- InARP finds the VPI/VCI.

[Figure: hosts H1 and H2 and two routers on an ATM network, with an ATMARP server S (address resolution). Step 1: address resolution with S. Step 2: a VCC (virtual channel connection) between H1 and H2.]

An ATMARP server is used:
- H1 connects to S at boot time, by calling the ATM address of the ATMARP server.
- With InARP, S and H1 identify their IP addresses.
- When H1 has to send an IP packet to H2, it must find the ATM address of H2. H1 sends an ATMARP request to S. S responds with the ATM address of H2. H1 calls H2. When the ATM connection is established, InARP is used to confirm the IP addresses.

Page 19: Why ATM?

Simplifies routing in large networks:
- IP needs very large routing tables in the core network: for every packet, look up more than 100 000 entries. Forwarding from the ISP point of view: just find the egress router.
- IP routing may ignore the real physical topology. An ISP can put routers on the edge and use ATM / Frame Relay virtual paths, with switches in the middle; the edge router selects the path based on the destination address, so the route lookup is done only once in the ISP network. There are still scalability problems.

Quality of Service:
- ATM can natively provide guaranteed service (allocate different rates to different ATM connections).
- Used to share infrastructure (several operators on one network: virtual providers).
- Also used to multiplex many users on an access network (cable, wireless).

Page 20: 2. MPLS

IP over MPLS, "Multi-Protocol Label Switching". Goal: integrate IP and the connection oriented (CO) layer in the same concept:
- "peer model" of integration, unlike ATM or Frame Relay (used as layer 2 by IP),
- saves one network.

MPLS packets have a label added before the IP header. An MPLS node acts as a combined router / CO intermediate system (CO switch + IP router); the MPLS table combines routing and label swapping.

Page 21: MPLS example

[Figure: MPLS nodes A, B (both ingress), C, D, E and F (egress), with ports a, b, c, d; the prefixes 129.88/16 and 128.178/15 lie beyond F. Two packets are traced: src 122.1.2.3 to 129.88.38.1 carries label 28, then 25, then 77, then none; src 18.1.2.3 to 129.88.3.3 carries label 30, then 33, then 37, then none. Steps 1 to 9 are numbered on the figure and explained on the next page. "FEC skipped in LIB": the tables omit the FEC column.]

Ingress tables (src prefix, dst prefix, out port / label to push):

  node A:   src *      dst 128.178/15   out b/70
            src *      dst 129.88/16    out b/70

  node B:   src *      dst 129.88/16    out b/28
            src *      dst 128.178/15   out b/28
            src 18/8   dst 129.88/16    out b/30

Label switching tables (in port / label, out port / label):

  node C:   a/70 -> b/25    d/28 -> b/25    d/30 -> c/33
  node D:   a/33 -> b/37
  node E:   a/25 -> b/77
  node F:   a/77 -> b/pop   c/37 -> b/pop

(Which of the two intermediate nodes between C and F is D and which is E cannot be recovered from the extracted figure; the assignment above follows the packet traces and is an editorial assumption.)

Page 22: MPLS example (notes)

1. An IP packet arrives at MPLS node B, with source IP address 18.1.2.3 and destination IP address 129.88.3.3. It arrives from outside the MPLS cloud, as an ordinary IP packet. The combined routing/MPLS table at B says that, for this combination of source and destination address (the entry "18/8, 129.88/16" is more specific than "*, 129.88/16" and wins), B should push the label 30 in front of the IP packet and forward the packet to port b.

2. The packet arrives at node C. Since the packet has a label, the node looks it up in the table and finds that the label should be swapped to 33 and the packet forwarded to port c.

3. Similar at the next node: label 33 is swapped to 37.

4. The packet arrives at node F. The table says that a packet arriving on port c with label 37 should be sent to port b and the label should be popped (removed).

5. The packet exits as an ordinary IP packet, without MPLS label.

6. An IP packet arrives at MPLS node B, with source IP address 122.1.2.3 and destination IP address 129.88.38.1. It arrives from outside the MPLS cloud, as an ordinary IP packet. The combined routing/MPLS table at B says that, for this combination of source and destination address, B should push the label 28 in front of the IP packet and forward the packet to port b.

7. The packet arrives at node C. Since the packet has a label, the node looks it up in the table and finds that the label should be swapped to 25 and the packet forwarded to port b; at the next node it is swapped again, to 77.

8. The packet's label was removed by node F.

9. Observe how, after node C, this packet follows the same path as packets arriving from A with label 70: C maps both a/70 and d/28 to b/25 (label merging), so from C onwards they share one label switched path. The packet from 18.1.2.3 to the same prefix 129.88/16, on the other hand, took a different path, because its FEC is defined by source and destination together.
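The forwarding walk of the two packets above, as an added example (not the lecture's code); the same push / swap / pop logic is what an ATM switch does with VPI/VCI values on page 16. The per-node tables are transcribed from the slide; the port adjacencies (which port of one node connects to which port of the next) and the D/E naming are inferred from the packet traces and are therefore assumptions. Ingress classification picks the most specific matching (src, dst) entry, which is how the slide resolves the "18/8" versus "*" entries for 129.88/16.

```python
import ipaddress

ANY = "*"


def _prefix_len(prefix):
    return -1 if prefix == ANY else ipaddress.ip_network(prefix).prefixlen


def _in_prefix(addr, prefix):
    return prefix == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


# Ingress LER tables: (src prefix, dst prefix, (out port, label to push))
FEC_TABLES = {
    "A": [(ANY, "128.178.0.0/15", ("b", 70)), (ANY, "129.88.0.0/16", ("b", 70))],
    "B": [(ANY, "129.88.0.0/16", ("b", 28)), (ANY, "128.178.0.0/15", ("b", 28)),
          ("18.0.0.0/8", "129.88.0.0/16", ("b", 30))],
}

# LSR tables (LIB): (in port, in label) -> (out port, out label or "pop")
LIBS = {
    "C": {("a", 70): ("b", 25), ("d", 28): ("b", 25), ("d", 30): ("c", 33)},
    "D": {("a", 33): ("b", 37)},
    "E": {("a", 25): ("b", 77)},
    "F": {("a", 77): ("b", "pop"), ("c", 37): ("b", "pop")},
}

# Links: (node, out port) -> (next node, in port). Inferred from the traces (assumption).
LINKS = {
    ("A", "b"): ("C", "a"), ("B", "b"): ("C", "d"),
    ("C", "b"): ("E", "a"), ("C", "c"): ("D", "a"),
    ("D", "b"): ("F", "c"), ("E", "b"): ("F", "a"),
}


def classify(node, src, dst):
    """Ingress: return (out port, label) of the most specific matching FEC entry."""
    best = None
    for src_p, dst_p, action in FEC_TABLES[node]:
        if _in_prefix(src, src_p) and _in_prefix(dst, dst_p):
            key = (_prefix_len(src_p), _prefix_len(dst_p))
            if best is None or key > best[0]:
                best = (key, action)
    if best is None:
        raise LookupError(f"{node}: no FEC for {src} -> {dst}")
    return best[1]


def forward(ingress, src, dst):
    """Walk the LSP; return (labels carried on successive hops, node where the label is popped)."""
    port, label = classify(ingress, src, dst)   # push at the ingress LER
    node, labels = ingress, [label]
    while True:
        nxt = LINKS.get((node, port))
        if nxt is None:
            return labels, node                 # left the cloud still labelled: a configuration error
        node, in_port = nxt
        port, new_label = LIBS[node][(in_port, label)]
        if new_label == "pop":
            return labels, node                 # egress LER: packet leaves on `port` as plain IP
        labels.append(new_label)                # swap
        label = new_label


if __name__ == "__main__":
    print(forward("B", "18.1.2.3", "129.88.3.3"))       # ([30, 33, 37], 'F')
    print(forward("B", "122.1.2.3", "129.88.38.1"))     # ([28, 25, 77], 'F')
    print(forward("A", "128.178.1.1", "128.178.1.1"))   # ([70, 25, 77], 'F')
```

The third call shows the label merging of step 9: a packet entering at A with label 70 is carried on the same labels as the packet from B after node C. Labels are only meaningful per link, which is why a missing LIB entry raises a KeyError here and would be a dropped packet on a real LSR.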

Page 23: MPLS Terminology

- LSR (Label Switch Router)
- Ingress LER (Label Edge Router), Egress LER (Label Edge Router)
- LIB (Label Information Base)
- FEC (Forwarding Equivalence Class)
- LSP (Label Switched Path)
- FEC - Label Mapping

[Figure: an ingress LER with ports a, b, c, d and an LSP towards the prefixes 129.88/16 and 128.178/15. Its FEC - label mapping reads "src *, dst 128.178/15, out b/70" and "src 18/8, dst 129.88/16, out b/28"; an LSR's LIB reads "FEC xxx: in a/70, out b/25" and "FEC yyy: in c/28, out d/33".]

Page 24: Operation of MPLS

The ingress LER classifies packets to identify the FEC, which determines a label; it inserts the label (a 32-bit shim header, of which 20 bits are the label value). Labels may be stacked on top of labels.

An LSR switches based on the label if present, else uses IP routing.

Forwarding Equivalence Class (FEC): a group of IP packets forwarded in the same manner, over the same path, and with the same forwarding treatment (priority). A FEC may correspond to:
- a destination IP subnet,
- a source and destination IP subnet,
- a traffic class that the LER considers significant.

Label switching tables can be built using a label distribution protocol, which can be implemented as an addition to a routing protocol (e.g. OSPF, BGP) or as a separate protocol (LDP).

Page 25: Avoid Redistribution with MPLS

Alternative to redistribution, or to running I-BGP in all backbone routers: associate MPLS labels to exit points.

Example:
- R2 creates a label switched path to 2.2.2.2, the BGP next hop for 18.1/16.
- At R2, packets to 18.1/16 are associated with this label.
- R1 runs only the IGP and MPLS, no BGP: only very small routing tables.
- Can be used to provide quality of service.

[Figure: three autonomous systems AS x, AS y and AS z. AS y contains routers R1, R2, R4, R5 and R6; E-BGP runs at the borders with AS x and AS z, I-BGP between the border routers of AS y, IGP and MPLS inside. Prefix 18.1/16 is reached through the exit router with address 2.2.2.2 (2.2.20.1 also appears on the figure). RIB and LIB at R2: To 18.1/16, NEXT-HOP 2.2.2.2, layer-2 address = MPLS label 23.]

Page 26: Facts to remember

- There are other, non IP network layers that are connection oriented.
- With a CO network, there are connections and labels. Labels have only local significance and may be changed at every hop.
- They are used to carry IP traffic or telephony, or to separate services.
- ATM is used as a "super layer 2"; MPLS is similar but is combined with the network layer.

Page 27: Part 3: IP Multicast

Notice displayed by the Radio France web radio player (quoted on the slide in French; translated here):

"Listening time is now limited: without an action on your part (a simple click), the broadcast stops after a period that depends on the station. The reason is that, for us broadcasters, current technologies impose a cost that depends on the duration and on the number of listeners. Several indications show us that Internet users with unlimited Internet access do not stop listening when they leave their computer switched on. Radio France cannot keep paying for someone who is not listening. This is why we have set up this confirmation system, somewhat constraining, but which allows us to better control broadcasting costs."

http://viphttp.yacast.net/V4/radiofrance/fip_bd.m3u

Page 28: Contents

1. Multicast IP
2. Multicast routing protocols
3. Deployment

Page 29: 1. Internet (initial) group model

Multicast / group communication: 1 → n as well as n → m.

Multicast addresses, IPv4: 224.0.0.0 to 239.255.255.255 (224/4); 232/8 is reserved for SSM (see later).
Multicast addresses, IPv6: FF00::/8.

A multicast address is the logical identifier of a group. It carries no topological information: it does not give any information about where the destinations (listeners) are. Routers have to keep state information for each multicast address.

[Figure: host 1 (194.199.25.100) is the source; host 2 (194.199.25.101) and host 3 (133.121.11.22) are receivers of the multicast group 225.1.2.3.]

Page 30: Internet (initial) group model

Open model:
- any host may belong to a multicast group; no authorization required,
- a host may belong to many different groups; no restriction,
- a source may send a packet to a group whether it belongs to the group or not: membership is not required,
- the group is dynamic: a host may subscribe or leave at any time,
- a host (source or receiver) does not know the identity of the group members.

Groups may have different scope: use of the TTL for LAN (local) scope, campus / administrative scoping.

Page 31: IP Multicast Principles

- hosts subscribe via IGMP join messages sent to the router,
- routers build the distribution tree via multicast routing,
- sources do not know who the destinations are,
- packet multiplication is done by routers.

[Figure: source S attached to router R5; routers R1, R2, R4; receivers A (at R1) and B (at R4). Steps 1 to 5 are numbered on the figure: "IGMP: join m" from the hosts, "Multicast routing" between the routers.]

1. S sends packets to multicast address m; there is no member, the data is simply lost at router R5.
2. A joins the multicast address m.
3. R1 informs the rest of the network that m has a member at R1; the multicast routing protocol builds a tree. Data sent by S now reach A.
4. B joins the multicast address m.
5. R4 informs the rest of the network that m has a member at R4; the multicast routing protocol adds branches to the tree. Data sent by S now reach both A and B.

Page 32: Using Multicast with IPv4 Sockets

- Can only use UDP; does not work with TCP.
- Set the TTL carefully: it is what bounds the scope of what you send.
- Sending to a multicast address: nothing special to do, same as sending a packet to a unicast address.
- The destination has to join explicitly; this is supported by a socket option.

In <netinet/in.h>:

  struct ip_mreq {
      struct in_addr imr_multiaddr;   /* IP multicast address of group */
      struct in_addr imr_interface;   /* local IP address of interface */
  };

Joining a group on an already created UDP socket sd (the two assignments complete the fragment shown on the slide; headers needed: <sys/socket.h>, <netinet/in.h>, <arpa/inet.h>):

  struct ip_mreq mreq;
  mreq.imr_multiaddr.s_addr = inet_addr("225.1.2.3");   /* group to join, network byte order */
  mreq.imr_interface.s_addr = htonl(INADDR_ANY);        /* let the kernel choose the interface */
  rc = setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *) &mreq, sizeof(mreq));
  if (rc < 0)
      perror("setsockopt(IP_ADD_MEMBERSHIP)");          /* e.g. no multicast capable interface */

IN_MULTICAST(a) tests whether a (an IPv4 address as a 32-bit integer in host byte order) is a multicast address.

Page 33: Source Specific Multicast (SSM)

The IP multicast model supports many to many: the network (multicast routing) must find all sources and route from them.

A proposed alternative called SSM (Source Specific Multicast): a multicast group becomes a channel identified by {@source, @multicast}, a single-source model.
- {S, M} and {S', M} are disjoint.
- Only S can send traffic to {S, M}.
- Destinations have to find who the sources are, not the network: the host must learn the source address out of band (e.g. from a Web page).
- n → m is still possible with many 1 → n channels.
- Requires source selection (host-to-router source and group request): the Include-Source list of IGMPv3, and MLD (Multicast Listener Discovery for IPv6), the replacement of IGMP for IPv6.

IANA assigned 232/8 and FF3X::/96 to SSM.

Page 34: 2. Multicast Routing

There are many multicast routing protocols to choose from. What is the job? For every multicast address, build a shared distribution tree. This is (too) complex; a much simpler situation arises if we support only SSM.

Page 35: PIM-SSM

[Figure: source A and routers B, C, D, E, F. The receiver announces JOIN (A, G) with IGMP to its router; PIM JOIN (A, G) messages travel from router to router towards A; a channel (A, G) is built between the source and the receiver.]

Page 36: PIM-SSM (notes)

PIM-SSM = "Protocol Independent Multicast - Source Specific Multicast", the routing protocol proposed for SSM.
- A router keeps (S, G) state for each source S and each multicast group address G.
- The tree is built by using the unicast routing tables towards the source: PIM-JOIN messages are sent from one router to its upstream neighbour.
- There is no path computation algorithm; it relies on the routing tables built by unicast routing protocols.
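How the (S, G) channel of pages 35 and 36 is built from nothing but the unicast routing tables, as an added example that is not code from the lecture. The topology, the per-router "next hop towards S" entries (stand-ins for the unicast RIB) and the receiver names are constructed for the illustration. The point it shows: a router that receives JOIN(S, G) records the interface it came from in its (S, G) state and, only if that state is new, forwards the JOIN to its unicast next hop towards S; a second receiver's JOIN therefore stops at the first router that already has the state.

```python
# Constructed topology: source S attached to router A; receivers at routers E and F.
#   A --- B --- C --- E
#               \
#                D --- F
# "Unicast routing table" of each router: next hop towards S (None = S directly attached).
UNICAST_NEXT_HOP_TO_S = {
    "A": None,
    "B": "A",
    "C": "B",
    "D": "C",
    "E": "C",
    "F": "D",
}


class Router:
    def __init__(self, name):
        self.name = name
        # (S, G) -> set of downstream neighbours (the outgoing interface list)
        self.sg_state = {}


def pim_join(routers, at, source, group, downstream):
    """Process JOIN(S, G) received at router `at` from `downstream`.

    Returns the routers that created or extended (S, G) state, in the
    order the JOIN travelled (receiver side first).
    """
    rtr = routers[at]
    first_time = (source, group) not in rtr.sg_state
    rtr.sg_state.setdefault((source, group), set()).add(downstream)
    touched = [at]
    # No path computation: the JOIN simply follows the unicast route to S,
    # and only the first JOIN for this (S, G) needs to go further upstream.
    if first_time:
        upstream = UNICAST_NEXT_HOP_TO_S[at]
        if upstream is not None:
            touched.extend(pim_join(routers, upstream, source, group, at))
    return touched


def delivery_path(routers, source, group, first_hop):
    """Follow (S, G) state downstream from the source's router; return the routers with receivers."""
    seen, stack, leaves = set(), [first_hop], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for nxt in routers[node].sg_state.get((source, group), ()):
            if nxt.startswith("host:"):
                leaves.add(node)
            else:
                stack.append(nxt)
    return leaves


def build_example():
    routers = {name: Router(name) for name in UNICAST_NEXT_HOP_TO_S}
    S, G = "10.0.0.5", "232.1.2.3"   # constructed source; group in the SSM range 232/8
    # receiver behind E asks for channel (S, G), learned via IGMPv3 with an INCLUDE source list
    first = pim_join(routers, "E", S, G, "host:e1")
    # a receiver behind F joins later: its JOIN stops at C, where the tree already exists
    second = pim_join(routers, "F", S, G, "host:f1")
    return routers, first, second, delivery_path(routers, S, G, "A")


if __name__ == "__main__":
    _, first, second, leaves = build_example()
    print(first)           # ['E', 'C', 'B', 'A']
    print(second)          # ['F', 'D', 'C']
    print(sorted(leaves))  # ['E', 'F']
```

Because the JOIN is keyed on (S, G) and follows the route to S, a router never needs to discover sources, which is what makes the SSM case simpler than the shared-tree problem of page 34. Note that nothing here verifies that the host naming S is entitled to receive from it: as in the open model, joins are not authenticated.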

Page 37: 3. Deployment

- IP multicast is implemented on research networks (Switch, Geant, etc).
- Also used by specific environments (e.g. financial).
- Not generally available (yet) to the general public in its general form.
- SSM multicast deployments are starting.

Tunneling can be used to connect a non multicast capable network to a multicast capable one (MBONE):
- within a multicast area: native multicast,
- in a tunnel: multicast packets are encapsulated in unicast IP packets.

[Figure: source, multicast routers, tunnel end point R1, unicast only routers, tunnel end point R2, multicast routers, receiver. R1 encapsulates (dst = unicast address of R2): on the tunnel the packet is "IP dest = adr_R2 | IP dest = mcast | payload", where "IP dest = mcast | payload" is the original packet; R2 decapsulates.]
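The encapsulation and decapsulation of the figure above, as an added example that is not code from the lecture. R1 wraps the original multicast packet in an outer IPv4 header addressed to R2 with protocol number 4 (IP-in-IP); R2 checks the outer header, strips it and forwards the inner packet natively. The header builder, checksum and parser follow the IPv4 header format; the addresses, payload and the "inner packet must be multicast" policy at R2 are constructed for the illustration.

```python
import ipaddress
import struct

PROTO_IPIP = 4    # IANA protocol number for IP-in-IP encapsulation
PROTO_UDP = 17


def checksum(data):
    """Internet checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid header checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); raise ValueError on a bad version or checksum."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto,
            packet[ihl:total_len])


def encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """R1: put the whole multicast packet behind an outer unicast header to R2."""
    return ipv4_header(tunnel_src, tunnel_dst, PROTO_IPIP, len(inner_packet)) + inner_packet


def decapsulate(packet, my_addr):
    """R2: accept only IP-in-IP packets addressed to us whose inner packet is multicast."""
    _src, dst, proto, payload = parse_ipv4(packet)
    if dst != my_addr or proto != PROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    _inner_src, inner_dst, _p, _data = parse_ipv4(payload)   # validates the inner header too
    if not ipaddress.IPv4Address(inner_dst).is_multicast:
        raise ValueError("inner packet is not multicast")     # tunnel policy (assumed)
    return payload


def demo():
    # constructed: source 194.199.25.100 sends to group 225.1.2.3; R1 = 198.51.100.1, R2 = 203.0.113.2
    original = ipv4_header("194.199.25.100", "225.1.2.3", PROTO_UDP, 12) + b"hello-mcast!"
    on_the_wire = encapsulate(original, "198.51.100.1", "203.0.113.2")
    outer = parse_ipv4(on_the_wire)[:3]
    restored = decapsulate(on_the_wire, "203.0.113.2")
    return outer, restored == original, parse_ipv4(restored)[:2]


if __name__ == "__main__":
    print(demo())   # (('198.51.100.1', '203.0.113.2', 4), True, ('194.199.25.100', '225.1.2.3'))
```

The policy check in decapsulate is the part a practitioner should not skip: a tunnel end point that forwards whatever it finds inside the outer header lets anyone who can reach R2's address inject arbitrary packets into the multicast area with a source address of their choosing.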

Page 38: There is not only IP Multicast ...

Multicast can be performed at the application layer, on a network offering no IP multicast support (today's Internet). Examples: content distribution networks.

[Figure: a source and CDN nodes 1 to 4 replicating the content among themselves in a tree.]

Page 39: Facts to remember

- IP multicast allows to reduce traffic by controlled packet replication.
- Multicast routers are "stateful".
- Initial multicast allows any source to send to a multicast address; routing is complex.
- Source specific multicast is simpler to deploy.
- Application layer multicast can be used even without IP multicast.
- Multicast IP does not work with TCP; ad-hoc "reliable multicast" protocols were developed.

Page 40: Part 4: Protocol Aspects of Security

Page 41: Protocol Aspects of Security

Security is a global issue, not covered in this lecture. We discuss here how security impacts the architecture, and the relation between layers. We review two examples: ssh, and IPSEC and VPNs.

Page 42: Anatomy of an SSH example

[Figure, configuration without SSH: on host A, the email user agent uses TCP port 9876 over TCP/IP; on host S, the POP server listens on TCP port 110; the two communicate across the IP network, on which observation point 1 is marked.]

First look at the configuration without SSH: the email user agent connects to the POP server. 110 is the TCP port reserved for POP; 9876 is an ephemeral port allocated to the email user agent by the operating system.

Page 43: Anatomy of an SSH example (2)

[Figure, configuration with SSH: on host A, the email user agent (port 9876) now connects to the local ssh client, which listens on port 1234; the ssh client uses port 3456 for its TCP connection to sshd on host S, port 22; on S, sshd connects to the POP server on port 110. Observation point 1 is on the IP network between A and S.]

Page 44: Anatomy of an SSH example (2), questions

Assume A wants to use SSH to connect to the mail server S, using POP.

Q1: Why would A want this?
A1: To make sure that email between A and S is encrypted. Or because S is behind a firewall that does not accept TCP connections to ports other than ssh.

Q2: Describe the content of a packet from A to S visible at point 1.
A2: It contains an encrypted block of data (the ssh payload, here carrying POP traffic) inside a TCP segment with source port = 3456, destination port = 22, IP source = A, IP destination = S. A packet in the other direction, from S to A, has source port 22, destination port 3456, IP source S, IP destination A. The POP port numbers (9876, 1234, 110) never appear on the network: they are only visible inside the encrypted channel, on A and on S.

Page 45: Anatomy of an SSH example (notes)

sshd is the ssh "daemon", i.e. the ssh server. It runs on S in this example. sshd listens on the well known port 22, reserved for ssh.

The user at A starts an ssh connection to S by launching the ssh client. The ssh client obtains a port number from the operating system (here: 3456). A opens a TCP connection from port 3456 to S, destination port 22. A can talk to S over this TCP connection (for example, the user at A can issue commands on S).

Port redirection: ssh at A opens a server port 1234. All packets received by ssh at A on port 1234 from localhost (green line) are sent to S, received by sshd at S, and sent again locally on S to the POP port, 110. The user must decide which port on A is redirected to which port on S. The mapping so constructed is called an "SSH tunnel".

The email user agent at A must be instructed to connect to a POP server at IP address = localhost and server port number = 1234.

The traffic on the red TCP connection between A and S is encrypted. Different connections (called "channels") can be multiplexed on one single TCP connection between A and S. ssh implements a sliding window protocol on top of TCP, with fixed window size, one window per channel.

This is only one specific example; there are many other possibilities. This example is redirection of a local port (ssh on A redirects the port 1234 on A to 110 on S). It is possible to redirect a remote port as well. UDP traffic can also be carried, though not natively: ssh forwards TCP connections only, so UDP needs a helper at each end that converts it to and from a TCP stream.

Page 46

ssh-connect

Multiple channels are multiplexed into a single connection at the ssh-trans level. Channels are identified by numbers on each end. Channels are flow-controlled: the window size is the amount of data that may be sent.

Messages exchanged between ssh and sshd (from the slide figure):
CHANNEL_OPEN (id, w)
CHANNEL_CONFIRM (id, w)
CHANNEL_DATA (id)
CHANNEL_WINDOW (id, w1)
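The channel mechanism of the two preceding slides (several channels, for example a forwarded POP session and an interactive session, multiplexed on one TCP connection, each with its own window) is modelled below. This is an added illustration written for these notes; it is not course code and not OpenSSH. It assumes one shared channel number per channel (real SSH keeps a sender-side and a recipient-side number), models the single TCP connection as an in-memory message list, and uses the message names of the slide rather than the exact RFC 4254 names. The scenario shows a sender that must stop after filling the 8-byte window and resumes only when CHANNEL_WINDOW returns credit, and a receiver that rejects a peer overrunning its window.

```python
"""Toy model of the SSH connection layer (ssh-connect): channels multiplexed
on one transport connection, each identified by a number and flow-controlled
by its own window.  Illustrative model for these notes, not OpenSSH code.
Assumptions: one shared channel number per channel, the transport connection
is an in-memory list, message names follow the slide."""
from dataclasses import dataclass, field


@dataclass
class Channel:
    cid: int
    send_window: int = 0          # bytes we may still send to the peer
    recv_window: int = 0          # bytes the peer may still send to us
    received: bytearray = field(default_factory=bytearray)


class Endpoint:
    def __init__(self, name, wire, log, initial_window):
        self.name = name
        self.wire = wire              # the single TCP connection (shared list)
        self.log = log                # every message that crossed the wire
        self.initial_window = initial_window
        self.channels = {}
        self.next_cid = 0

    def _emit(self, mtype, cid, arg):
        msg = (self.name, mtype, cid, arg)
        self.wire.append(msg)
        self.log.append(msg)

    def open_channel(self):
        cid = self.next_cid
        self.next_cid += 1
        self.channels[cid] = Channel(cid, recv_window=self.initial_window)
        self._emit("CHANNEL_OPEN", cid, self.initial_window)
        return cid

    def send(self, cid, data):
        """Send at most send_window bytes; return what must wait for credit."""
        ch = self.channels[cid]
        n = min(len(data), ch.send_window)
        if n:
            self._emit("CHANNEL_DATA", cid, bytes(data[:n]))
            ch.send_window -= n
        return data[n:]

    def consume(self, cid, nbytes):
        """The application read nbytes; hand that credit back to the peer."""
        ch = self.channels[cid]
        taken = bytes(ch.received[:nbytes])
        del ch.received[:nbytes]
        ch.recv_window += len(taken)
        self._emit("CHANNEL_WINDOW", cid, len(taken))
        return taken

    def receive(self, msg):
        _, mtype, cid, arg = msg
        if mtype == "CHANNEL_OPEN":
            self.channels[cid] = Channel(cid, send_window=arg, recv_window=self.initial_window)
            self._emit("CHANNEL_CONFIRM", cid, self.initial_window)
        elif mtype == "CHANNEL_CONFIRM":
            self.channels[cid].send_window = arg
        elif mtype == "CHANNEL_DATA":
            ch = self.channels[cid]
            if len(arg) > ch.recv_window:         # peer ignored our window: protocol error
                raise ValueError(f"peer overran window on channel {cid}")
            ch.recv_window -= len(arg)
            ch.received += arg
        elif mtype == "CHANNEL_WINDOW":
            self.channels[cid].send_window += arg
        else:
            raise ValueError(f"unknown message {mtype}")


def pump(wire, a, b):
    """Deliver every queued message to the other endpoint, in order."""
    while wire:
        msg = wire.pop(0)
        (b if msg[0] == a.name else a).receive(msg)


def run_scenario():
    wire, log = [], []
    ssh = Endpoint("ssh", wire, log, initial_window=8)
    sshd = Endpoint("sshd", wire, log, initial_window=8)
    pop = ssh.open_channel()        # forwarded localhost:1234 session
    shell = ssh.open_channel()      # interactive session on the same connection
    pump(wire, ssh, sshd)
    pending = ssh.send(pop, b"USER alice\r\n")   # 12 bytes, window is 8
    ssh.send(shell, b"ls\n")
    pump(wire, ssh, sshd)
    stalled = len(pending)          # 4 bytes wait for a CHANNEL_WINDOW
    first_read = sshd.consume(pop, 8)   # server application reads: credit returns
    pump(wire, ssh, sshd)
    pending = ssh.send(pop, pending)
    pump(wire, ssh, sshd)
    return {
        "stalled_bytes": stalled,
        "leftover": len(pending),
        "first_read": first_read,
        "pop_received": bytes(sshd.channels[pop].received),
        "shell_received": bytes(sshd.channels[shell].received),
        "message_types": [m[1] for m in log],
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The message log produced by run_scenario is the sequence drawn on the slide: two CHANNEL_OPEN, two CHANNEL_CONFIRM, CHANNEL_DATA on both channels, then CHANNEL_WINDOW on the POP channel followed by the remaining CHANNEL_DATA.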

Page 47

IPSEC and VPNs

Offers protection transparent to applications. Used to run applications designed for a secure environment over an insecure one.
Example: WLAN access to the EPFL network. Example: video player to screen.

Provides authentication (AH header) or authentication and confidentiality (ESP header).

Used primarily today in tunnel mode; host-to-host mode also exists. Basic building block for VPNs.

Page 48

IPSEC Tunnel Mode: find out how it works

Figure: host A on the wireless LAN, VPN router (IPSec server), EPFL network, host B. Packet format on the wireless LAN: IP hdr | ESP hdr | IP hdr | IP data, where the inner IP hdr and IP data are encrypted. Packet format on the EPFL network: IP hdr | IP data.

Output of ipconfig at host A:

Ethernet adapter Wireless Network Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.33
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . : epfl.ch
        IP Address. . . . . . . . . . . . : 128.178.83.22
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 128.178.83.22



Page 49

IPSEC Tunnel Mode: find out how it works -- Hints

What subnet does the secondary IP address 128.178.83.22 belong to?
Host A has now two IP addresses. Why? How are they used?
What IP source address does an application on A use?
Explain how packets from host B to host A find their way.


Page 50

IPSEC Tunnel Mode: find out how it works -- Solutions

What subnet does the secondary IP address 128.178.83.22 belong to?
It is an EPFL subnet. The VPN router belongs to it.

Host A has now two IP addresses. Why? How are they used?
IP packets are generated by applications at A with source address 128.178.83.22, encrypted and encapsulated in IP packets with source address 192.168.1.33. This is a tunnel (i.e. there is encapsulation). At the end of the tunnel, the VPN router decrypts the packets and places them on the EPFL network.

What IP source address does an application on A use?
The EPFL address 128.178.83.22.

Explain how packets from host B to host A find their way.
The VPN router must perform proxy ARP; otherwise, same as access over a modem (see slide « Proxy ARP »).
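The encapsulation described in the solution above (inner packet with source 128.178.83.22, encrypted, carried in an outer packet with source 192.168.1.33, and the packet format IP hdr | ESP hdr | IP hdr | IP data of the figure slide) is worked through below as an added example written for these notes; it is not course code and not a real IPsec implementation. Assumptions: the VPN router address 128.178.83.1, host B's address 128.178.50.10, the SPI and the keys are constructed placeholders (the slides give only the subnet); the cipher is a toy keystream derived from HMAC-SHA256 in counter mode and the ICV a truncated HMAC, standing in for a real ESP transform; only the header fields needed to follow the encapsulation are modelled. The VPN router side verifies the ICV before decrypting, rejects a replayed sequence number, and checks that the decapsulated inner source really belongs to the EPFL subnet before placing the packet on the EPFL network.

```python
"""Model of IPsec ESP in tunnel mode for the slide scenario.  Added
illustration for these notes, not real IPsec code.  Constructed values:
VPN router 128.178.83.1, host B 128.178.50.10, SPI, keys; toy cipher."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP = 50
PROTO_IPIP = 4                  # ESP "next header": the payload is an IP packet
EPFL_SUBNET = ipaddress.ip_network("128.178.83.0/24")


def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (20 bytes, no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ip_header(pkt):
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr = {"proto": proto, "src": str(ipaddress.ip_address(src)),
           "dst": str(ipaddress.ip_address(dst)), "total_len": total}
    return hdr, pkt[20:total]


def keystream(key, spi, seq, n):
    """Toy counter-mode keystream (HMAC-SHA256), unique per (SPI, sequence number)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner_pkt, outer_src, outer_dst, spi, seq, enc_key, auth_key):
    """Host A side: outer IP hdr | ESP hdr | encrypted(inner IP hdr | data | trailer) | ICV."""
    pad_len = (-(len(inner_pkt) + 2)) % 4                       # ESP trailer alignment
    plaintext = inner_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, PROTO_IPIP])
    esp_hdr = struct.pack("!II", spi, seq)
    ciphertext = xor(plaintext, keystream(enc_key, spi, seq, len(plaintext)))
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:12]
    esp = esp_hdr + ciphertext + icv
    return ip_header(outer_src, outer_dst, PROTO_ESP, len(esp)) + esp


def esp_decapsulate(pkt, spi, enc_key, auth_key, seen_seqs):
    """VPN router side: authenticate, anti-replay, decrypt, then policy-check the inner packet."""
    outer, esp = parse_ip_header(pkt)
    if outer["proto"] != PROTO_ESP:
        raise ValueError("not an ESP packet")
    esp_hdr, body, icv = esp[:8], esp[8:-12], esp[-12:]
    expected = hmac.new(auth_key, esp_hdr + body, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):                   # verify before decrypting
        raise ValueError("ICV mismatch")
    got_spi, seq = struct.unpack("!II", esp_hdr)
    if got_spi != spi:
        raise ValueError("unknown SPI")
    if seq in seen_seqs:
        raise ValueError("replayed sequence number")
    seen_seqs.add(seq)
    plaintext = xor(body, keystream(enc_key, spi, seq, len(body)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != PROTO_IPIP:
        raise ValueError("unexpected next header")
    inner_pkt = plaintext[:len(plaintext) - pad_len - 2]
    inner, _ = parse_ip_header(inner_pkt)
    if ipaddress.ip_address(inner["src"]) not in EPFL_SUBNET:    # A must use its EPFL address
        raise ValueError("inner source is not an EPFL address")
    return inner, inner_pkt


def run_scenario():
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"   # placeholders
    spi = 0x1000                                                          # constructed SPI
    inner = ip_header("128.178.83.22", "128.178.50.10", 6, 5) + b"hello"  # B: constructed address
    wire = esp_encapsulate(inner, "192.168.1.33", "128.178.83.1", spi, 1, enc_key, auth_key)
    outer, _ = parse_ip_header(wire)
    seen = set()
    inner_hdr, inner_pkt = esp_decapsulate(wire, spi, enc_key, auth_key, seen)

    def rejected(pkt, window):
        try:
            esp_decapsulate(pkt, spi, enc_key, auth_key, window)
            return False
        except ValueError:
            return True

    tampered = bytearray(wire)
    tampered[30] ^= 0x01                                          # flip a ciphertext bit
    return {
        "outer_src": outer["src"], "outer_dst": outer["dst"], "outer_proto": outer["proto"],
        "inner_src": inner_hdr["src"], "inner_dst": inner_hdr["dst"],
        "inner_restored": inner_pkt == inner,
        "inner_src_visible_on_wlan": ipaddress.ip_address("128.178.83.22").packed in wire,
        "replay_rejected": rejected(wire, seen),
        "tamper_rejected": rejected(bytes(tampered), set()),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

What an observer on the wireless LAN sees is the outer header only (192.168.1.33 to the VPN router, protocol 50): the EPFL source address and the data are inside the encrypted part, which is the answer to the second and third hints.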
