
(1)

Network virtualization

Martin Černý, Jan Fürman

(Martin.Cerny@cesnet.cz, Jan.Furman@cesnet.cz)

Department of Computer Systems, Faculty of Information Technology, Czech Technical University in Prague
© Martin Černý, Jan Fürman, 2010-2011

MI-MTI

(2)

Lecture content:

1) Virtualization basics

2) Virtual LAN

3) MPLS

4) Private networks and NAT

5) IP tunnels

(3)

Virtualization basics

● One physical infrastructure – several independent logical networks
● We have powerful hardware but need several "less powerful" separate networks
● Historical evolution: first the ability to physically separate switch ports, later trunks carrying several VLANs over one physical link

(4)

Virtual LAN

● Separation of physical ports into several VLANs

(5)

● VLAN standard IEEE 802.1Q
● Saves physical port connections (one link carries many VLANs)
● There are also other (proprietary) VLAN tagging schemes, e.g. Cisco ISL

(6)
(7)

802.1Q frame structure

● TPID (Tag Protocol Identifier) – 16 bits ... set to 0x8100; it sits where the EtherType would be and identifies the frame as 802.1Q tagged (0x88A8 is the outer tag of 802.1ad "QinQ" double tagging)
● PCP (Priority Code Point) – 3 bits ... used by QoS
● CFI (Canonical Format Indicator) – 1 bit ... originally the byte order of MAC addresses carried in the payload (0 ethernet/canonical, 1 token-ring); redefined as DEI (Drop Eligible Indicator) in 802.1Q-2011
● VID (VLAN identifier) – 12 bits ... numerical id of the VLAN the frame belongs to

(8)
(9)

802.1Q - features

● A tagged frame has a maximum size of 1522 bytes – a "baby giant" (a basic untagged ethernet frame has only 1518)
● This can be a problem with some old Linux drivers and when a trunk crosses switches with no 802.1Q support (the oversized frames are dropped or counted as errors)
● Up to 4094 VLANs can be defined (VLAN IDs 0 and 4095 are reserved; VID 0 means "priority tagged only", i.e. no VLAN membership)
● The native VLAN is carried untagged on trunks; since an untagged frame and a frame tagged with the native VLAN ID are treated the same, the native VLAN should be an otherwise unused VLAN (as in the configuration example below, native vlan 999), so that a double-tagged frame cannot hop into a user VLAN
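The following script is an added example and not part of the original lecture: it parses the 802.1Q tag stack described above (TPID, PCP, CFI/DEI, VID), applies the VID 0/4095 rules, flags "baby giants", and models what a trunk port does with the native VLAN, so the double-tagging consequence of an untagged native VLAN becomes visible. The MAC addresses, payload and VLAN numbers are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100    # customer tag (C-TAG), plain 802.1Q
TPID_8021AD = 0x88A8   # service tag (S-TAG), outer tag of 802.1ad "QinQ"
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
MAX_UNTAGGED = 1514    # 1518 on the wire; the 4-byte FCS is not part of our byte strings


def build_frame(dst, src, ethertype, payload, tags=()):
    """Build a frame; tags = [(tpid, pcp, dei, vid), ...] outermost first."""
    hdr = dst + src
    for tpid, pcp, dei, vid in tags:
        hdr += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=1):
    """Return the tag stack (outermost first), the VLAN the frame is forwarded in
    and the payload EtherType. An untagged frame on a trunk belongs to the native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_TPIDS:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype,
                     "pcp": tci >> 13,          # 3 bits, QoS priority
                     "dei": (tci >> 12) & 1,    # 1 bit, CFI in 802.1Q-1998, DEI today
                     "vid": tci & 0x0FFF})      # 12 bits
        offset += 4
    vlan = native_vlan
    if tags:
        vid = tags[0]["vid"]
        if vid == 4095:
            raise ValueError("VID 4095 is reserved")
        if vid != 0:                # VID 0 = priority tagged only, no VLAN membership
            vlan = vid
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "vlan": vlan, "ethertype": ethertype,
            "payload": frame[offset + 2:],
            # a switch or NIC that only understands untagged frames sees a "baby giant"
            "baby_giant": len(frame) > MAX_UNTAGGED}


def egress_trunk(frame, native_vlan=1):
    """Model a trunk port sending a frame: the native VLAN goes out untagged, so a
    frame whose outer VID equals the native VLAN loses that one tag (inner tags stay)."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype in TAG_TPIDS:
        (tci,) = struct.unpack_from("!H", frame, 14)
        if (tci & 0x0FFF) == native_vlan:
            return frame[:12] + frame[16:]
    return frame


def vlan_after_hop(frame, native_vlan):
    """VLAN the next switch assigns after the first one forwarded the frame over a
    trunk with the given native VLAN."""
    return parse_frame(egress_trunk(frame, native_vlan), native_vlan)["vlan"]


# Constructed sample frames (locally administered MACs, dummy IPv4 payload)
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
PAYLOAD = b"\x45" + b"\x00" * 45
UNTAGGED = build_frame(MAC_B, MAC_A, 0x0800, PAYLOAD)
TAGGED_101 = build_frame(MAC_B, MAC_A, 0x0800, PAYLOAD, [(TPID_8021Q, 5, 0, 101)])
# Double-tagged frame: outer tag = native VLAN 1, inner tag = "victim" VLAN 101
DOUBLE_TAGGED = build_frame(MAC_B, MAC_A, 0x0800, PAYLOAD,
                            [(TPID_8021Q, 0, 0, 1), (TPID_8021Q, 0, 0, 101)])

if __name__ == "__main__":
    print("untagged on trunk      ->", parse_frame(UNTAGGED)["vlan"])
    print("tagged 101             ->", parse_frame(TAGGED_101)["vlan"])
    print("double tag, native 1   ->", vlan_after_hop(DOUBLE_TAGGED, 1))
    print("double tag, native 999 ->", vlan_after_hop(DOUBLE_TAGGED, 999))
```

With native VLAN 1 the first switch strips the outer tag and the second switch reads the inner tag, so the frame lands in VLAN 101; with an unused native VLAN (999, as in the Cisco example on this page) the outer tag survives and the frame stays in VLAN 1.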

(10)

Configuration example of 802.1Q - CISCO

Router:
  interface FastEthernet0/0
   no ip address
   duplex auto
   speed auto
  !
  interface FastEthernet0/0.101
   encapsulation dot1Q 101
   ip address 192.168.1.2 255.255.255.0

Switch:
  interface FastEthernet0/1
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 999
   switchport trunk allowed vlan 1,101,102,1002-1005
   switchport mode trunk
  !
  interface FastEthernet0/10
   switchport access vlan 101
   switchport mode access

● The trunk's native VLAN is set to an otherwise unused VLAN (999) and the allowed VLAN list is explicit, so untagged frames arriving on the trunk cannot reach a user VLAN

(11)

Configuration example of 802.1Q - Linux

● A virtual interface is created (you can use it like any other physical interface)
● The Linux kernel must support 802.1Q (built in, or the loadable module 8021q)

# modprobe 8021q
# vconfig add eth0 101

(vconfig is obsolete on current distributions; the iproute2 equivalent of the last line is "ip link add link eth0 name eth0.101 type vlan id 101")

(12)

MPLS – Multi Protocol Label Switching
(RFC 3031)

● Used mainly by ISPs, originally for its forwarding speed
● Basic idea: the IP routing lookup (expensive in system resources) is done only once, on entry to the MPLS network; after that the packet is "routed" through the network using a simple tag (label), which is much quicker and more efficient
● Even in an MPLS network an IP routing protocol must be running; it is used to exchange IP prefixes among the PE (Provider Edge) routers

(13)

MPLS

● CE (Customer Edge) ... router on the client side that connects the client to the MPLS network
● PE (Provider Edge) ... border router of the MPLS network – used for packet labeling
● P (Provider) ... core MPLS router (forwards packets according to labels)

(14)

MPLS

(15)

LDP – Label Distribution Protocol
(RFC 5036)

● Used to build the MPLS forwarding tables and to create LSPs (Label Switched Paths) – paths through the MPLS network
● In case of a link failure packets can be switched to a precomputed backup path (MPLS fast reroute) – quicker convergence than with common IP routing protocols

(16)

Placement of the MPLS header (tag)

● MPLS is usually called ISO OSI layer 2.5 (the label stack sits between the L2 header and the IP header)
● There can be more than one MPLS header (they form a stack; an example use is MPLS VPNs, where a transport label carries a VPN label)

(17)

MPLS tag structure

● Label – 20 bits, Exp – 3 bits, S – 1 bit, TTL – 8 bits (32 bits per stack entry, RFC 3032)
● Exp. bits can carry QoS information (renamed Traffic Class, TC, in RFC 5462)
● S bit = 1 ... means that this label is the last one (bottom of stack) and is followed by the L3 header
● TTL ... safety precaution against packet looping; decremented at every label switch
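Added example (not from the lecture): a Python model of the MPLS stack entry (20-bit label, 3-bit EXP/TC, S bit, 8-bit TTL) and of a P router's LFIB lookup. It shows how the S bit terminates the stack, how penultimate hop popping exposes the inner VPN label to the egress PE, and how the TTL stops a packet on a looping LSP. The labels, LFIB entries and payload are invented for the example.

```python
import struct

# Reserved labels 0-15 (RFC 3032); only the two used below are named here
IPV4_EXPLICIT_NULL = 0
IMPLICIT_NULL = 3   # advertised by the egress PE: "pop, do not swap" (penultimate hop popping)


def build_stack(entries):
    """entries = [(label, tc, ttl), ...], top of stack first. Each entry is 32 bits:
    20-bit label, 3-bit EXP/TC, 1-bit S (set on the last entry only), 8-bit TTL."""
    words = []
    for i, (label, tc, ttl) in enumerate(entries):
        s = 1 if i == len(entries) - 1 else 0
        words.append(struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl))
    return b"".join(words)


def parse_stack(data):
    """Return (entries top first, offset of the L3 header that follows the S=1 entry)."""
    entries, off = [], 0
    while True:
        if off + 4 > len(data):
            raise ValueError("label stack truncated: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, off)
        off += 4
        entries.append({"label": word >> 12, "tc": (word >> 9) & 0x7,
                        "s": (word >> 8) & 0x1, "ttl": word & 0xFF})
        if entries[-1]["s"]:
            return entries, off


def lsr_forward(packet, lfib):
    """One label-switching step on a P router. lfib maps an incoming label to
    (action, outgoing label, next hop). Returns (new packet, next hop) or None for drop."""
    entries, l3_off = parse_stack(packet)
    top, rest = entries[0], entries[1:]
    if top["ttl"] <= 1:
        return None                              # TTL exhausted: the loop guard
    if top["label"] not in lfib:
        return None                              # unknown label: drop
    action, out_label, next_hop = lfib[top["label"]]
    inner = [(e["label"], e["tc"], e["ttl"]) for e in rest]
    if action == "swap":
        new = [(out_label, top["tc"], top["ttl"] - 1)] + inner
    elif action == "pop":                        # pipe model: inner TTLs are left untouched
        new = inner
    else:
        raise ValueError("unknown action %r" % action)
    return build_stack(new) + packet[l3_off:], next_hop


def hops_until_drop(packet, lfib):
    """Count how many times a packet is forwarded before the TTL guard drops it."""
    hops = 0
    while (step := lsr_forward(packet, lfib)) is not None:
        packet, _ = step
        hops += 1
    return hops


# Constructed L3 VPN packet: transport label 1001 on top, VPN label 5000 at the bottom,
# followed by a dummy IPv4 header. LFIB contents are invented for the example.
IP_PAYLOAD = b"\x45" + b"\x00" * 19
PACKET = build_stack([(1001, 0, 64), (5000, 0, 64)]) + IP_PAYLOAD
P1_LFIB = {1001: ("swap", 2001, "10.0.12.2")}
P2_LFIB = {2001: ("pop", None, "10.0.23.3")}    # penultimate hop: egress PE advertised implicit null
LOOP_LFIB = {1001: ("swap", 1001, "10.0.0.1")}  # misconfiguration: label swapped to itself

if __name__ == "__main__":
    after_p1, nh = lsr_forward(PACKET, P1_LFIB)
    print(parse_stack(after_p1)[0], "->", nh)
    after_p2, nh = lsr_forward(after_p1, P2_LFIB)
    print(parse_stack(after_p2)[0], "->", nh)    # only the VPN label remains for the PE
    print("loop dropped after", hops_until_drop(PACKET, LOOP_LFIB), "hops")
```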

(18)

MPLS forwarding table

● show mpls forwarding-table ... shows the LFIB (Label Forwarding Information Base) on a Cisco device

(19)

MPLS services - VPN

● L3 VPN – routing of IP packets from a defined source to a defined destination over the MPLS network
● There is no encryption, just traffic separation from other customers: confidentiality depends entirely on the provider's configuration, so data that must stay private should additionally be encrypted (e.g. IPsec over the MPLS VPN)

(20)

MPLS services – TE (Traffic Engineering) tunnels

● They allow tunnels with defined attributes (throughput, latency) to be established over the MPLS network
● RSVP (Resource Reservation Protocol, in its RSVP-TE extension) is used to establish and control an MPLS path with the requested attributes

(21)

MPLS services – VPLS (Virtual Private LAN Service)

● Interconnection of ethernet segments over MPLS at layer 2 of the ISO OSI model (pseudo-wire)
● RFC 4761, 4762
● From the point of view of the connected ethernet segments the MPLS backbone looks like one switch
● 2 MPLS tags – one for forwarding, one for membership of the given VPLS instance
● Generally higher reliability compared to a traditional WAN link

(22)

MPLS – features

● An MPLS network is able to carry different kinds of traffic (IPv4, IPv6, ATM, SONET, FR, ...)
● In practice MPLS usually carries just IP, or ethernet (EoMPLS)
● MPLS can be implemented over many different common L2 technologies (ethernet, E1, ATM, DSL, FR, ...)

(23)

Private networks and NAT

● The Internet is growing unstoppably (more than 300,000 IP prefixes in the global routing table at the time of this lecture, 2010-2011)
● IPv4 addresses will be exhausted within a few years (the IANA pool has now been fully allocated to the RIRs)
● Solutions:
  ● IPv6
  ● More efficient use of the existing IPv4 address space (return of unused addresses, address transfers, ...)

(24)

Private IP networks

● Defined in RFC 1918
● These addresses are not routable on the Internet (Internet routers should not carry routes for them and should drop packets destined to these ranges)
● 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
● 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
● 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
● Only for local IP addressing of the inside network

(25)

NAT – Network Address Translation

● In general means M:N address translation (M inside addresses mapped to N outside addresses)
● Translation 1:N (one outside address shared by N inside addresses) is usually called masquerading
● If M != N, it is also necessary to alter (translate) the UDP/TCP port numbers (NAPT, PAT), otherwise two inside hosts using the same source port could not be told apart
● Enhanced security (in cooperation with a firewall) – inside computers are not directly accessible from the global Internet. This is a side effect of the translation state, not a security policy: unsolicited inbound packets are dropped only because no mapping exists for them, so an explicit stateful filter is still needed
● This is the opposite of the basic concept of the Internet, where mutual direct accessibility of all devices should be the standard (end-to-end principle)
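The following Python model is an added example, not part of the original lecture. It implements the RFC 1918 check and an N:1 NAT with port translation of the kind the Cisco "overload" and Linux MASQUERADE examples on this page configure: inside sources in the private ranges are translated, the inside port is kept when it is free and replaced when two inside hosts collide on it, and an inbound packet is accepted only when a mapping for it exists. All addresses and ports are constructed for the example (TEST-NET ranges for the outside).

```python
import ipaddress

# RFC 1918 ranges: only these sources are translated, like "access-list 1" in the Cisco example
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)


class Napt:
    """1:N NAT with port translation (masquerading / PAT), endpoint-dependent: an inbound
    packet is accepted only from the remote endpoint the inside host actually talked to."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_table = {}   # (proto, in_ip, in_port, dst_ip, dst_port) -> out_port
        self.in_table = {}    # (proto, out_port, dst_ip, dst_port) -> (in_ip, in_port)

    def _alloc_port(self, proto, in_port, dst_ip, dst_port):
        # Keep the inside port while it is still free towards this remote endpoint,
        # otherwise pick a fresh one: this is the "M != N needs port translation" case.
        if (proto, in_port, dst_ip, dst_port) not in self.in_table:
            return in_port
        port = self.next_port
        while (proto, port, dst_ip, dst_port) in self.in_table:
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet from the inside interface; returns the rewritten 4-tuple."""
        if not is_private(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)   # not matched by the NAT ACL: untouched
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_table:
            port = self._alloc_port(proto, src_port, dst_ip, dst_port)
            self.out_table[key] = port
            self.in_table[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.outside_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Packet from the outside interface addressed to outside_ip:dst_port. Returns the
        rewritten 4-tuple, or None when there is no mapping: that drop is the only
        "protection" NAT gives, and it comes from state, not from a policy."""
        entry = self.in_table.get((proto, dst_port, src_ip, src_port))
        if entry is None:
            return None
        in_ip, in_port = entry
        return (src_ip, src_port, in_ip, in_port)


if __name__ == "__main__":
    nat = Napt("192.0.2.1")   # constructed outside address
    print(nat.outbound("tcp", "10.10.10.5", 40000, "203.0.113.10", 443))   # port 40000 kept
    print(nat.outbound("tcp", "10.10.20.7", 40000, "203.0.113.10", 443))   # collision: port 1024
    print(nat.inbound("tcp", "203.0.113.10", 443, 1024))                   # reply reaches 10.10.20.7
    print(nat.inbound("tcp", "198.51.100.9", 22, 22))                      # unsolicited: None
```

The table is keyed on the full 5-tuple, which is what "show ip nat translations" prints on the Cisco router; a less strict (endpoint-independent) NAT would key only on the outside port and accept inbound packets from any remote host, which matters for peer-to-peer traversal but widens what reaches the inside.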

(26)
(27)

NAT example configuration - CISCO

interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface serial0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255

● Useful troubleshooting commands:
  ● show ip nat translations
  ● show ip nat statistics

(28)

NAT example configuration - Linux

● eth1 ... interface of the internal network
● eth0 ... interface of the external network (Internet)

# echo 1 > /proc/sys/net/ipv4/ip_forward
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

(The state list must not contain a space; "RELATED, ESTABLISHED" is rejected by iptables. The inside-to-outside FORWARD rule is needed when the FORWARD chain's default policy is DROP; with these rules only replies to connections opened from the inside are let back in.)

(29)

Interconnection of private networks over the global Internet (IP tunnels)

(30)

Tunneling protocols – examples

● GRE tunnel
● IPsec tunnel
● Other tunnels using transport over UDP/TCP/ICMP

(31)

GRE (Generic Routing Encapsulation) protocol
(RFC 1701/1702; the current specification is RFC 2784, with the key and sequence number fields in RFC 2890)

● point-to-point tunnel
● IP protocol number 47
● A GRE tunnel is able to carry various kinds of packets (IPv4, IPv6, IPX, ...)
● Provides no confidentiality, integrity or authentication of its own – run it inside IPsec when the payload must be protected

(32)

GRE protocol – packet structure

● C ... checksum present, R ... routing present, K ... key present, S ... sequence number present, s ... strict source route
● Recur ... recursion control
● Flags ... reserved, must be set to 0
● Version ... version of the GRE protocol – 0
● Protocol type ... type of the payload – like the EtherType field in ethernet frames
● Offset ... header size when using source routing – not used
● Key ... data flow identification – it has no security meaning: it is sent in cleartext, so anyone who can see the tunnel traffic can read it and put it into forged packets
● Sequence number ... can be used for packet reordering
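Added example, not from the lecture: a Python builder and parser for the GRE header described above (flag word, protocol type, optional checksum, key and sequence number) wrapped in an IPv4 header with protocol 47, plus the receiver-side checks a tunnel endpoint can perform (peer address and key). It then shows why the key has no security meaning: an on-path observer copies the key and outer addresses from a captured packet and injects a packet the receiver cannot tell apart. The addresses match the configuration examples on this page; the payloads are constructed.

```python
import ipaddress
import struct

GRE_PROTO = 47
FLAG_C, FLAG_R, FLAG_K, FLAG_S = 0x8000, 0x4000, 0x2000, 0x1000   # bits of the first 16-bit word


def inet_checksum(data):
    """Ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_gre(protocol_type, payload, key=None, seq=None, checksum=False):
    """GRE header (version 0): flags/version word, protocol type, then the optional
    checksum+offset, key and sequence number fields, in that order."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0) | (FLAG_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, protocol_type)
    opt = b""
    if key is not None:
        opt += struct.pack("!I", key)
    if seq is not None:
        opt += struct.pack("!I", seq)
    if checksum:   # computed over the whole GRE packet with the checksum field zeroed
        csum = inet_checksum(hdr + b"\x00\x00\x00\x00" + opt + payload)
        opt = struct.pack("!HH", csum, 0) + opt
    return hdr + opt + payload


def parse_gre(data):
    (flags, proto) = struct.unpack_from("!HH", data, 0)
    if flags & 0x7:
        raise ValueError("only GRE version 0 is handled here")
    if flags & FLAG_R:
        raise ValueError("source routing (R bit) is not supported")
    off, h = 4, {"protocol_type": proto, "checksum_ok": None, "key": None, "seq": None}
    if flags & FLAG_C:
        off += 4                                     # checksum + offset/reserved1 fields
        h["checksum_ok"] = inet_checksum(data) == 0  # valid iff the sum over everything is zero
    if flags & FLAG_K:
        (h["key"],) = struct.unpack_from("!I", data, off)
        off += 4
    if flags & FLAG_S:
        (h["seq"],) = struct.unpack_from("!I", data, off)
        off += 4
    h["payload"] = data[off:]
    return h


def decapsulate(ip_packet, tunnel_remote, expected_key=None):
    """Receiver side of "tunnel destination <tunnel_remote>": accept GRE only from the
    configured peer and, if configured, only with the matching key. Both values are
    readable and forgeable by anyone on the path; GRE has no authentication."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != GRE_PROTO or str(ipaddress.ip_address(ip_packet[12:16])) != tunnel_remote:
        return None
    gre = parse_gre(ip_packet[ihl:])
    if expected_key is not None and gre["key"] != expected_key:
        return None
    return gre


def forge_from_capture(captured, attacker_inner):
    """What an on-path attacker does: copy the cleartext key and outer addresses from a
    captured packet and inject a packet of their own choosing into the tunnel."""
    key = parse_gre(captured[(captured[0] & 0x0F) * 4:])["key"]
    src = str(ipaddress.ip_address(captured[12:16]))
    dst = str(ipaddress.ip_address(captured[16:20]))
    return build_ipv4(src, dst, GRE_PROTO, build_gre(0x0800, attacker_inner, key=key))


# Constructed packets using the addresses of the Cisco and Linux examples on this page
INNER = build_ipv4("10.0.0.1", "10.0.0.2", 1, b"\x08\x00" + b"\x00" * 6)   # dummy ICMP-like payload
TUNNEL_PKT = build_ipv4("192.168.2.1", "192.168.1.1", GRE_PROTO,
                        build_gre(0x0800, INNER, key=0x2A, seq=7, checksum=True))

if __name__ == "__main__":
    print(decapsulate(TUNNEL_PKT, "192.168.2.1", expected_key=0x2A))
    forged = forge_from_capture(TUNNEL_PKT, b"attacker-chosen inner packet")
    print("forged packet accepted:", decapsulate(forged, "192.168.2.1", expected_key=0x2A) is not None)
```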

(33)

Example configuration of a GRE tunnel - CISCO

Router A:
  interface Tunnel0
   ip address 10.0.0.1 255.255.255.0
   tunnel source 192.168.1.1
   tunnel destination 192.168.2.1
   tunnel mode gre ip

Router B:
  interface Tunnel0
   ip address 10.0.0.2 255.255.255.0
   tunnel source 192.168.2.1
   tunnel destination 192.168.1.1
   tunnel mode gre ip

(34)

Example configuration of a GRE tunnel - Linux

# modprobe ip_gre
# ip tunnel add gretun mode gre local 192.168.1.1 remote 192.168.2.1 ttl 64 dev eth0
# ip address add dev gretun 10.0.0.1 peer 10.0.0.2/32
# ip link set dev gretun up

(35)

IPsec

● Standardized VPN protocol suite (RFC 4301 architecture; AH in RFC 4302, ESP in RFC 4303; RFC 4309 describes AES-CCM for ESP)
● Enables authentication of the source and integrity protection (AH) and encryption of the transmitted data (ESP) – they can be used individually or chained; in practice ESP with an authentication algorithm is used for both, because AH cannot pass through NAT (it authenticates the outer IP header that NAT rewrites)
● Security framework – various encryption and hash algorithms can be used
● Mutual authentication using a pre-shared key or X.509 certificates

(36)
(37)

AH (Authentication Header)

● Provides data integrity and source authentication (no encryption)
● Next hdr ... next header type
● AH len ... AH header length
● Reserved ... set to 0
● SPI ... number identifying the SA (security association)
● Sequence number ... monotonically increasing counter – protection against replayed packets (the receiver keeps an anti-replay window)
● Auth. data ... the integrity check value (ICV) computed over the packet – variable length

(38)

ESP (Encapsulating Security Payload)

● ESP provides data integrity, authentication and encryption
● Does not cover the outer packet header (unlike AH) – but in tunnel mode the whole original packet including its header is encrypted and thus protected
● SPI ... number identifying the SA (security association)
● Sequence number ... increasing counter – protection against replayed packets
● Encrypted payload ... encrypted data (the original packet in tunnel mode) including the necessary cryptographic material (e.g. the IV)
● Padding, pad len ... padding, length of the padding
● Next header ... header type of the encrypted packet
● Authentication data ... the integrity check value (ICV) – it is verified before decryption, and a packet that fails this check is dropped without updating the replay window
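Added example (not part of the lecture): a Python model of the receiver-side sequence number handling that the AH and ESP slides above describe, i.e. the RFC 4303 anti-replay sliding window together with ICV verification in the order the RFC requires: window pre-check, ICV check, and only then the window update. It shows a replayed packet, a late packet still inside the window, a packet that has fallen below the window, and a forged packet with a huge sequence number that must not move the window. Encryption is left out and the payload is treated as opaque ciphertext; the key, SPI and payloads are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256-128: HMAC-SHA-256 truncated to 128 bits (RFC 4868)


class AntiReplayWindow:
    """RFC 4303 section 3.4.3 anti-replay: a window of `size` sequence numbers ending at
    the highest one accepted so far; bit i of the bitmap marks top-i as already seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """Would this sequence number be accepted? (does not modify the window)"""
        if seq == 0:
            return False                        # the first valid sequence number on an SA is 1
        if seq > self.top:
            return True                         # newer than anything seen: right of the window
        diff = self.top - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Record seq; call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def esp_build(spi, seq, ciphertext, key):
    """SPI | sequence number | (already encrypted) payload | ICV over everything before it."""
    hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(key, hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + ciphertext + icv


def esp_receive(packet, key, window):
    """Receiver processing in the RFC order: cheap window pre-check, then ICV, and only
    then the window update, so a forged sequence number cannot move the window.
    (SA lookup by SPI is omitted: one SA, one key, one window.)"""
    spi, seq = struct.unpack_from("!II", packet, 0)
    if not window.check(seq):
        return "replay_or_old"
    expected = hmac.new(key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(packet[-ICV_LEN:], expected):
        return "bad_icv"
    window.update(seq)
    return "ok"


if __name__ == "__main__":
    key = b"constructed demo key, 32 bytes!!"
    w = AntiReplayWindow()
    for seq in (1, 1, 3, 2, 2):
        print(seq, esp_receive(esp_build(0x1001, seq, b"ct", key), key, w))
    forged = esp_build(0x1001, 10**6, b"ct", b"wrong key")
    print("forged:", esp_receive(forged, key, w), "window top still", w.top)
```

Checking the ICV before updating the window is what keeps an attacker from sending one bogus packet with sequence number 2^32-1 and thereby pushing every genuine packet below the window. The 32-bit counter must never wrap on one SA: the sender has to rekey (new SA) before it reaches 2^32, or use extended sequence numbers.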

(39)

SA (Security Association) and IKE (Internet Key Exchange)

● An SA is a group of attributes that uniquely identifies an IPsec data flow (IP addresses, encryption and hash algorithms, SPI and others)
● An SA is "one-way" – to secure encrypted communication between two parties (nodes) it is necessary to establish two SAs (one for each direction)
● The IKE protocol is used to establish SAs – it exchanges and sets up the attributes of the encrypted connection (each node usually supports more than one encryption mechanism, and choosing the best one supported by both parties is the job of IKE)
● IKE communicates using UDP port 500 (usually it is an
● When a NAT is on the path, IKE and ESP are carried in UDP port 4500 instead (NAT traversal, RFC 3947/3948)

(40)
(41)
(42)
(43)
(44)

Example IPsec configuration - CISCO

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key XXXXX address 10.201.0.2
!
crypto ipsec transform-set IPSec_transform ah-sha-hmac esp-aes
!
crypto map CMap 10 ipsec-isakmp
 set peer 10.201.0.2
 set transform-set IPSec_transform
 match address 101
!
interface Ethernet0/0
 ip address 10.201.0.1 255.255.255.0
 crypto map CMap
!

● "match address 101" refers to an extended access list 101 that selects the traffic to be protected; it is not shown on the slide

!

(45)

Other tunnels using transport over UDP/TCP/ICMP

● Usually proprietary, non-standardized solutions
● Highly flexible, broadly configurable

(46)

Examples of other tunnel systems

● VTUN (http://vtun.sourceforge.net/)
  ● Transport over UDP or TCP
  ● Optional data encryption and compression
  ● Allows EoIP (ethernet over UDP or TCP) tunnel establishment
● ICMPTX (http://thomer.com/icmptx/)
  ● Transport over ICMP
● TINC (http://www.tinc-vpn.org/)

(47)

Coexistence of IPv6 with IPv4

● Slow deployment of IPv6 – global operators do not support it very much
● Isolated IPv6 islands appear that need

(48)

IPv6 over IPv4 tunneling protocols

● Manually configured ipv6ip tunnel
● Automatic IPv6-over-IPv4 tunnel – routers tunnel IPv6

(49)

Example configuration of an IPv6 over IPv4 tunnel - CISCO

interface Tunnel0
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
 tunnel mode ipv6ip

(50)
