Network virtualization
Martin Černý, Jan Fürman
(Martin.Cerny@cesnet.cz, Jan.Furman@cesnet.cz)
Department of Computer Systems, Faculty of Information Technology, Czech Technical University in Prague. © Martin Černý, Jan Fürman, 2010-2011
MI-MTI
Lecture content:
1) Virtualization basics
2) Virtual LAN
3) MPLS
4) Private networks and NAT
5) IP tunnels
Virtualization basics
● One physical infrastructure – several independent logical networks
● We have powerful HW, but we need several "less powerful" separate networks
● Historical evolution – first the ability to physically separate switch ports, then trunks carrying several VLANs over one physical link
Virtual LAN
● Separation of physical ports into several VLANs
● VLAN standard: IEEE 802.1Q
● Saves physical port connections
● Other (proprietary) VLAN schemes also exist
802.1Q frame structure
● TPID (Tag Protocol Identifier) – 16 bits ... set to 0x8100, which identifies the frame as 802.1Q
● PCP (Priority Code Point) – 3 bits ... used by QoS
● CFI (Canonical Format Indicator) – 1 bit ... determines the byte order (big/little endian) of the MAC addresses (Ethernet 0, Token Ring 1)
● VID (VLAN Identifier) – 12 bits ... numerical ID of the VLAN the frame belongs to
802.1Q - features
● A tagged frame has a max. size of 1522 bytes – "baby giant" (a basic untagged Ethernet frame has only 1518)
● This can be a problem with some old Linux drivers and when transmitting over trunks across switches without 802.1Q support
● Up to 4094 VLANs can be defined (VLAN IDs 0 and 4095 are reserved)
● The native VLAN is carried untagged on trunks
Configuration example of 802.1Q - CISCO
Router:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.101
 encapsulation dot1Q 101
 ip address 192.168.1.2 255.255.255.0

Switch:
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,101,102,1002-1005
 switchport mode trunk
!
interface FastEthernet0/10
 switchport access vlan 101
 switchport mode access
Configuration example of 802.1Q - Linux
● A virtual interface is created (you can use it like any other physical interface)
● The Linux kernel must support 802.1Q (or you can use the loadable module 8021q)
#vconfig add eth0 101
MPLS – Multi Protocol Label Switching
(RFC 3031)
● Used mainly by ISPs for its data transfer speed
● Basic idea: IP routing (hungry for system resources) is done only once, on entry to the MPLS network; after that the packet is "routed" through the network using a simple tag (label), which is much quicker and more efficient
● Even in an MPLS network an IP routing protocol must be running; it is used to exchange IP prefixes among the PE (Provider Edge) routers
MPLS
● CE (Customer Edge) ... router at the client side that connects the client to the MPLS network
● PE (Provider Edge) ... border router of the MPLS network – performs packet labeling
● P (Provider) ... core MPLS router (routes packets according to labels)
LDP – Label Distribution Protocol
(RFC 5036)
● Used to build MPLS forwarding tables and to create LSPs (Label Switched Paths) – paths through the MPLS network
● In case of a link failure, packets are routed over a backup path (quicker convergence compared to common IP routing protocols)
Placement of MPLS header (tag)
● MPLS is usually said to sit at ISO OSI layer 2.5
● There can be more than one MPLS header (they form a stack; one example use is MPLS VPN services)
MPLS tag structure
● Exp. bits can carry QoS information
● S bit = 1 ... means that this label is the last one and is followed by the L3 header
● TTL ... safety precaution against packet looping
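The two header layouts described above (the 802.1Q tag and the MPLS label stack) in working form, as an added example that is not part of the original slides: `build_frame` assembles an Ethernet frame with an optional tag and label stack, and `parse_frame` walks it back, honouring the S bit, rejecting the reserved VIDs 0 and 4095, and applying the 1518/1522-byte limit from the 802.1Q features slide. The constants and the function names are this example's own (standard values, assumed rather than taken from the slides); the label field is taken to be 20 bits wide, followed by 3 Exp bits, the S bit and an 8-bit TTL, as in RFC 3032.

```python
import struct

# Assumed constants (standard values, not taken from the slides).
ETHERTYPE_8021Q = 0x8100        # TPID of an 802.1Q tagged frame
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847
MAX_UNTAGGED = 1518             # on-wire size including the 4-byte FCS
MAX_TAGGED = 1522               # "baby giant" with one 802.1Q tag


def build_frame(dst, src, payload, vid=None, pcp=0, labels=(), ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame with an optional 802.1Q tag and MPLS label stack.

    labels: sequence of (label, exp, ttl), outermost first; the S bit is set on
    the last entry automatically.  The FCS is not appended.
    """
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN IDs 0 and 4095 are reserved")
        tci = (pcp << 13) | vid                 # PCP(3) | CFI(1)=0 | VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    if labels:
        hdr += struct.pack("!H", ETHERTYPE_MPLS_UNICAST)
        for i, (label, exp, ttl) in enumerate(labels):
            s = 1 if i == len(labels) - 1 else 0
            hdr += struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Walk dst/src, an optional 802.1Q tag and an MPLS label stack; return the fields."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "labels": []}
    off = 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        info["vlan"] = {"pcp": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        off += 4
    if ethertype == ETHERTYPE_MPLS_UNICAST:
        while True:
            if off + 4 > len(frame):
                raise ValueError("label stack runs past end of frame (no S bit set)")
            (entry,) = struct.unpack("!I", frame[off:off + 4])
            off += 4
            label = {"label": entry >> 12, "exp": (entry >> 9) & 0x7,
                     "s": (entry >> 8) & 1, "ttl": entry & 0xFF}
            info["labels"].append(label)
            if label["s"]:
                break
    info["ethertype"] = ethertype
    info["payload_offset"] = off
    # Size check from the slides: these bytes carry no FCS, so add 4 before comparing.
    limit = MAX_TAGGED if info["vlan"] else MAX_UNTAGGED
    info["oversized"] = len(frame) + 4 > limit
    return info
```

A frame built with `vid=101` and two labels parses back to the same fields; a full-size 1500-byte payload fits a tagged frame only because the 1522-byte "baby giant" limit applies, while the same bytes in an untagged frame would be rejected as oversized by equipment that enforces 1518.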
MPLS forwarding table
● show mpls forwarding-table ... shows the LFIB (Label Forwarding Information Base) on a Cisco device
MPLS services - VPN
● L3 VPN – routing of IP packets from a defined source to a defined destination over the MPLS network
● There is no encryption, just separation of the traffic from other users
MPLS services – TE (Traffic Engineering) tunnels
● They allow tunnels with defined attributes (throughput, latency) to be established over the MPLS network
● RSVP (Resource Reservation Protocol) is used to establish and control an MPLS path with the requested attributes
MPLS services – VPLS (Virtual Private LAN Service)
● Interconnection of Ethernet segments over MPLS at layer 2 of the ISO OSI model (pseudo-wire)
● RFC 4761, 4762
● The MPLS backbone looks like a switch from the point of view of the connected Ethernet segments
● 2 MPLS tags – forwarding, and membership of the given VPLS network
● Generally higher reliability compared to WAN
MPLS – features
● An MPLS network is able to carry different kinds of traffic (IPv4, IPv6, ATM, SONET, FR, ...)
● MPLS usually carries just IP or Ethernet (EoMPLS)
● MPLS can be implemented over many different common L2 technologies (Ethernet, E1, ATM, DSL, FR, ...)
Private networks and NAT
● The Internet is growing unstoppably (there are more than 300000 IP prefixes in the global routing tables)
● IPv4 addresses are going to be depleted within several years (now they are all allocated to RIRs)
● Solution:
● IPv6
● More efficient use of the current IP address range (return of IP addresses that are not used, IP address deals, ...)
Private IP networks
● Defined in RFC 1918
● These addresses are not Internet routable (core routers should drop any packets whose destination is in these address ranges)
● 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
● 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
● 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
● Only for local IP addressing of the inside network
NAT – Network Address Translation
● Generally means address translation M:N
● 1:N translation is usually called masquerading
● If M != N, it is necessary to also alter (translate) UDP/TCP port numbers (NAPT, PAT)
● Enhanced security (in cooperation with a FW) – inside computers are not directly accessible from the global Internet
● Opposite of the basic concept of the Internet, where mutual direct accessibility of all devices should be the standard
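The RFC 1918 check and the M:N / NAPT behaviour above as a runnable model, added here and not part of the original slides. `is_private` classifies an address against the three RFC 1918 ranges; the `Napt` class masquerades many inside hosts behind one outside address, allocates a new outside port per inside flow (which is why two inside hosts using the same source port still get distinct outside ports), and drops inbound packets that match no existing mapping, which is the "not directly accessible" property the slide refers to. The addresses 198.51.100.64 and 203.0.113.x are constructed sample values from the documentation ranges; the class and method names are this example's own.

```python
import ipaddress

# RFC 1918 ranges as listed on the slide
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip lies in one of the RFC 1918 ranges (not Internet routable)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class Napt:
    """Toy NAPT/PAT box: many inside addresses masqueraded behind one outside address."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> outside_port
        self.out_map = {}
        # (proto, outside_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map = {}

    def outbound(self, pkt):
        """Translate an inside->outside packet, allocating a mapping on first use."""
        if not is_private(pkt["src"]):
            raise ValueError("only RFC 1918 sources are translated here")
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_map:
            port = self.next_port          # fresh outside port: the "PAT" part of NAPT
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(pkt["proto"], port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.outside_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """Translate an outside->inside packet; None means 'no mapping, drop'."""
        key = (pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"])
        if pkt["dst"] != self.outside_ip or key not in self.in_map:
            return None                    # unsolicited: inside hosts stay unreachable
        inside_ip, inside_port = self.in_map[key]
        return dict(pkt, dst=inside_ip, dport=inside_port)

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': (proto, inside, outside, remote)."""
        return sorted((proto, f"{ip}:{port}", f"{self.outside_ip}:{oport}", f"{rip}:{rport}")
                      for (proto, ip, port, rip, rport), oport in self.out_map.items())
```

Mappings here are keyed on the full 5-tuple, so a reply is accepted only from the remote host and port the inside host actually contacted; a packet from anyone else to the same outside port is dropped.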
NAT example configuration - CISCO
● Useful troubleshooting commands:
● show ip nat translations
● show ip nat statistics

interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
ip nat inside source list 1 interface serial0 overload
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
NAT example configuration - Linux
● eth1 ... interface of the internal network
● eth0 ... interface of the external network (Internet)
#echo 1 > /proc/sys/net/ipv4/ip_forward
#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Interconnection of private networks over the global Internet (IP tunnels)
Tunneling protocols example
● GRE tunnel
● IPSec tunnel
● Other tunnels using transport over UDP/TCP/ICMP
GRE (Generic Routing Encapsulation) protocol (RFC 1702)
● point-to-point tunnel
● IP protocol type 47
● A GRE tunnel is able to carry various kinds of packets (IPv4, IPv6, IPX, ...)
GRE protocol – packet structure
● C ... checksum present, R ... routing present, K ... key present, S ... sequence number present, s ... strict source route
● Recur ... recursion control
● Flags ... reserved, must be set to 0
● Version ... version of the GRE protocol – 0
● Protocol type ... type of the payload – like the similar field in Ethernet frames
● Offset ... header size when using source routing – not used
● Key ... data flow identification – it has no security meaning!!!
● Sequence number ... can be used for packet reordering
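The GRE header fields above in code, as an added example that is not part of the original slides: `build_gre` sets the C, K and S flag bits and appends the optional Checksum, Key and Sequence Number words, and `parse_gre` reads them back, rejects a non-zero Version, and verifies the checksum (the RFC 1071 Internet checksum over the GRE header and payload) so that a corrupted packet is detected. The Key is carried as a plain 32-bit identifier, exactly as the slide says: it selects a flow, it does not authenticate anything. Function and constant names are this example's own; the bit positions follow RFC 1701/2784.

```python
import struct

IP_PROTO_GRE = 47
GRE_C, GRE_R, GRE_K, GRE_S = 0x8000, 0x4000, 0x2000, 0x1000   # flag bits in the first word
GRE_VERSION_MASK = 0x0007


def ones_complement_checksum(data):
    """Internet checksum (RFC 1071) as used by the GRE Checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload, protocol_type, key=None, seq=None, checksum=False):
    """GRE version 0 header: flags/version, protocol type, then optional words."""
    flags = 0
    optional = b""
    if key is not None:
        flags |= GRE_K
        optional += struct.pack("!I", key)          # flow identifier only, no security meaning
    if seq is not None:
        flags |= GRE_S
        optional += struct.pack("!I", seq)
    if not checksum:
        return struct.pack("!HH", flags, protocol_type) + optional + payload
    flags |= GRE_C
    head = struct.pack("!HH", flags, protocol_type)
    body = optional + payload
    # Checksum word (checksum + offset/reserved1) is computed with itself zeroed.
    csum = ones_complement_checksum(head + b"\x00\x00\x00\x00" + body)
    return head + struct.pack("!HH", csum, 0) + body


def parse_gre(packet):
    """Return protocol type, key, sequence number and payload; raise on a bad packet."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    if flags & GRE_R:
        raise ValueError("source routing is not handled by this parser")
    off = 4
    info = {"protocol_type": protocol_type, "key": None, "seq": None}
    if flags & GRE_C:
        # With the checksum word included, the sum over the whole packet folds to zero.
        if ones_complement_checksum(packet) != 0:
            raise ValueError("GRE checksum mismatch")
        off += 4
    if flags & GRE_K:
        (info["key"],) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    if flags & GRE_S:
        (info["seq"],) = struct.unpack("!I", packet[off:off + 4])
        off += 4
    info["payload"] = packet[off:]
    return info
```

In a real tunnel the result is carried inside an IP packet with protocol number 47 (`IP_PROTO_GRE`); the receiver matches it to a tunnel interface by outer addresses and, if used, the key.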
Example configuration of GRE tunnel - CISCO
Router A:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
 tunnel mode gre ip

Router B:
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source 192.168.2.1
 tunnel destination 192.168.1.1
 tunnel mode gre ip
Example configuration of GRE tunnel - Linux
# modprobe ip_gre
# ip tunnel add gretun mode gre local 192.168.1.1 remote 192.168.2.1 ttl 64 dev eth0
# ip address add dev gretun 10.0.0.1 peer 10.0.0.2/32
# ip link set dev gretun up
IPSec
● Standardized VPN protocol (RFC 4301, 4309)
● Enables authentication of the source and destination (AH) and encryption of the transmitted data (ESP) – they can be used individually, headers can be chained, ...
● Security framework – various encryption and hash algorithms can be used
● Mutual authentication possible using a shared key or an X.509 certificate
AH (Authentication Header)
● Secures data integrity and source authentication
● Next hdr ... next header type
● AH len ... AH header length
● Reserved ... set to 0
● SPI ... number identifying the SA (security association)
● Sequence number ... incrementing sequence numbers – protection against packet spoofing
● Auth. Data ... cryptographic material for authentication purposes – variable length
ESP (Encapsulating Security Payload)
● ESP secures data integrity, authentication and encryption
● Does not affect the packet header (unlike AH) – but in tunnel mode the whole packet including the header is encrypted and thus protected
● SPI ... number identifying the SA (security association)
● Sequence number ... increasing sequence numbers – protection against packet spoofing
● Encrypted payload ... encrypted data (original packet) including the necessary cryptographic material
● Padding, pad len ... padding, length of padding
● Next header ... header type of the encrypted packet
● Authentication data ... cryptographic material for authentication purposes
SA (Security Association) and IKE (Internet Key Exchange)
● An SA is a group of attributes that unambiguously identifies an IPSec data flow (IP addresses, encryption and hash algorithms, SPI and others)
● An SA is "one-way" – to secure encrypted communication between two parties (nodes) it is necessary to establish two SAs (one for each direction)
● The IKE protocol is used to establish SAs – it is used to exchange and set up the attributes of the encrypted connection (each node usually supports more than one encryption mechanism, and IKE is in charge of choosing the best one supported by both parties)
● IKE communicates using UDP port 500 (usually it is an
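What the SPI, sequence number and authentication data fields of AH/ESP do at the receiver, as an added example that is not part of the original slides: each `SecurityAssociation` is one-way (the sender holds one, the receiver a separate one under the same SPI), the authentication data is an HMAC-SHA-256 truncated to 128 bits over SPI, sequence number and payload, and the sequence number is checked against a 64-entry sliding window in the style of RFC 4303, so a replayed or too-old packet is dropped while out-of-order delivery inside the window is still accepted. Encryption, padding and the IKE negotiation are left out; the class and function names, the window size and the key are this example's own assumptions.

```python
import hmac
import hashlib
import struct

ICV_LEN = 16  # HMAC-SHA-256 truncated to 128 bits, as HMAC-SHA-256-128 does in IPsec


class SecurityAssociation:
    """One-way SA: SPI, authentication key, and the state for one direction."""

    def __init__(self, spi, auth_key, window=64):
        self.spi = spi
        self.auth_key = auth_key
        self.window = window
        self.seq_out = 0      # last sequence number sent (sender side)
        self.highest = 0      # highest sequence number accepted (receiver side)
        self.bitmap = 0       # bit i set -> sequence number (highest - i) already seen

    def next_seq(self):
        self.seq_out += 1
        return self.seq_out

    def replay_check(self, seq):
        """Sliding-window check as in RFC 4303; read-only."""
        if seq == 0:
            return False              # the first packet on an SA carries seq 1
        if seq > self.highest:
            return True               # newer than anything seen: window will advance
        diff = self.highest - seq
        if diff >= self.window:
            return False              # older than the window: reject
        return not (self.bitmap >> diff) & 1

    def replay_update(self, seq):
        """Record an accepted sequence number; called only after the ICV verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def icv(sa, data):
    return hmac.new(sa.auth_key, data, hashlib.sha256).digest()[:ICV_LEN]


def protect(sa, payload):
    """Sender: SPI | sequence number | payload | authentication data."""
    header = struct.pack("!II", sa.spi, sa.next_seq())
    return header + payload + icv(sa, header + payload)


def verify(sa_table, packet):
    """Receiver: SA lookup by SPI, replay check, ICV check, then window update.

    Returns the payload, or None when the packet must be dropped.
    """
    if len(packet) < 8 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)
    if sa is None or not sa.replay_check(seq):
        return None
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa, body)):
        return None                   # forged or corrupted: window is left untouched
    sa.replay_update(seq)
    return body[8:]
```

The order matters: the window is updated only after the ICV verifies, otherwise a forged packet with a high sequence number could push genuine in-flight packets out of the window and cause the receiver to drop them.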
Example IPSec configuration - CISCO
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key XXXXX address 10.201.0.2
!
crypto ipsec transform-set IPSec_transform ah-sha-hmac esp-aes
!
crypto map CMap 10 ipsec-isakmp
 set peer 10.201.0.2
 set transform-set IPSec_transform
 match address 101
!
interface Ethernet0/0
 ip address 10.201.0.1 255.255.255.0
 crypto map CMap
!
Other tunnels using transport over UDP/TCP/ICMP
● Usually proprietary, non-standardized solutions
● Highly flexible, broadly configurable
Examples of other tunnel systems
● VTUN (http://vtun.sourceforge.net/)
● Transport over UDP or TCP
● Data encryption and compression possible
● Allows EoIP (EoUDP and EoTCP) tunnel establishment
● ICMPTX (http://thomer.com/icmptx/)
● Transport over ICMP
● TINC (http://www.tinc-vpn.org/)
Coexistence of IPv6 with IPv4
● Slow deployment of IPv6 – global operators do not support it very much
● Separate IPv6 islands appear that need IPv6 over IPv4 tunneling protocols
● Manually configured ipv6ip tunnel
● Automatic IPv6oIPv4 tunnel – routers tunnel IPv6