Solutions for the Internet
In previous notes we have seen how the Internet was conceived as a routed network, with packets travelling from end-to-end.

We have also seen how, due to IP address exhaustion, techniques such as NAT have broken this model. But with certain caveats, it all still works!
Modern business has different requirements from the idealised model above. Most Enterprise LANs operate using RFC 1918 addresses, using NAT to access public sites on the Internet. The device performing the NAT keeps a lookup table of source and destination addresses and ports. By default, packets with RFC 1918 addresses will be dropped by Internet routers; they should never be seen on the Internet.

But how can we provide for end-to-end connectivity between RFC 1918 based LANs? If we had direct connectivity, this would be simple. One way we can get direct connectivity is to create a tunnel across the Internet. We can also use this approach to mitigate the security challenges of running business traffic across a public network.

Typically, an IPsec tunnel is provisioned from site to site. From each site, it appears that the networks are connected via a router. There is no visibility to or from the Internet unless it is separately provisioned.
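The following is an added example, not part of the original notes, that models the two behaviours described above on one site edge device: the NAT lookup table of source and destination addresses and ports (with reverse translation of replies and dropping of unsolicited traffic), and the site-to-site tunnel, under which traffic for the peer site's RFC 1918 LAN is encapsulated between the two public endpoints while the inner packet is carried unchanged. It also models an Internet router that drops any packet carrying an RFC 1918 address. The `SiteEdge` and `Packet` classes, the `demo` function and all addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for this illustration; real IPsec also encrypts and authenticates the inner packet, which is not modelled here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The three RFC 1918 private blocks; Internet routers drop packets that carry them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def internet_router_forwards(pkt: Packet) -> bool:
    """Model of a public Internet router: forward only if neither address is private."""
    return not (is_rfc1918(pkt.src) or is_rfc1918(pkt.dst))


@dataclass
class SiteEdge:
    """Hypothetical edge device for one site (constructed for this example).

    Traffic for the peer site's LAN goes into the tunnel, so the two LANs look
    directly routed; traffic for public addresses is NATed; other private
    destinations have no route across the Internet and are dropped.
    """
    public_ip: str
    peer_public_ip: str
    peer_lan: ipaddress.IPv4Network
    next_port: int = 40000
    # NAT state: public source port -> (inside src, inside sport, dst, dport)
    nat_table: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> dict:
        if ipaddress.ip_address(pkt.dst) in self.peer_lan:
            # Encapsulate: the outer header carries the two public tunnel endpoints
            # and the inner RFC 1918 packet rides inside unchanged.
            return {"action": "tunnel", "outer_src": self.public_ip,
                    "outer_dst": self.peer_public_ip, "inner": pkt}
        if is_rfc1918(pkt.dst):
            return {"action": "drop", "reason": "RFC 1918 destination without a tunnel"}
        port = self.next_port
        self.next_port += 1
        self.nat_table[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return {"action": "nat",
                "packet": Packet(self.public_ip, port, pkt.dst, pkt.dport)}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply from the Internet. Anything without matching
        table state is dropped, which is why the LAN is invisible from outside."""
        entry = self.nat_table.get(pkt.dport)
        if entry is None or pkt.dst != self.public_ip:
            return None
        inside_src, inside_sport, dst, dport = entry
        if (pkt.src, pkt.sport) != (dst, dport):
            return None  # unsolicited packet aimed at a mapped port
        return Packet(pkt.src, pkt.sport, inside_src, inside_sport)


def demo() -> dict:
    """Run the cases from the notes on one constructed site edge and return the results."""
    edge = SiteEdge(public_ip="203.0.113.10", peer_public_ip="198.51.100.20",
                    peer_lan=ipaddress.ip_network("10.20.0.0/16"))
    web = edge.outbound(Packet("192.168.1.5", 51000, "192.0.2.80", 443))   # public site
    peer = edge.outbound(Packet("192.168.1.5", 51001, "10.20.3.7", 22))    # other site's LAN
    stray = edge.outbound(Packet("192.168.1.5", 51002, "172.16.9.9", 80))  # no tunnel
    mapped_port = web["packet"].sport
    reply = edge.inbound(Packet("192.0.2.80", 443, "203.0.113.10", mapped_port))
    unsolicited = edge.inbound(Packet("203.0.113.99", 1234, "203.0.113.10", mapped_port))
    return {"web": web, "peer": peer, "stray": stray,
            "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Running the block shows the three outbound outcomes (NAT, tunnel, drop) and that only a reply matching an existing table entry is translated back to the inside host. The tunnelled packet keeps its RFC 1918 addresses in the inner header, which is exactly what an Internet router would refuse to forward if it were sent bare.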