LECTURE 4 NETWORK INFRASTRUCTURE

Academic year: 2021


(1)

LECTURE 4: NETWORK INFRASTRUCTURE

SYSTEM ADMINISTRATION

MTAT.08.021

Prepared By:

Amnir Hadachi and Artjom Lind

University of Tartu, Institute of Computer Science [email protected] / [email protected]

(2)

OUTLINE

LECTURE 4: NETWORK INFRASTRUCTURE

1. Gateway
2. Virtual Private Network
3. Firewalls
4. Dynamic routing
5. IPv6
6. Domain name servers (DNS)
7. Dynamic host configuration protocol (DHCP)

(3)

1. GATEWAY

[Figure: section title slide naming the Internet Protocol (IP), the Transmission Control Protocol (TCP) / User Datagram Protocol (UDP), and the Internet.]

(4)

GATEWAY

DEFINITION 4.1

A gateway is a system linking several networks. It is connected to each of the networks, links them together and acts as a router to convert IP packets between its various interfaces.

DEFINITION 4.2

IP packets are the limited-size pieces into which transmitted data is segmented; this segmentation is a characteristic of the IP protocol.

(5)

GATEWAY

CASE 5.1:

Let's suppose we are in a local network which uses a private address range. The gateway therefore needs to implement address masquerading in order to allow the machines on the network to communicate with the outside world.

DEFINITION 5.1

Masquerading is a kind of proxy operating at the network level: each outgoing connection from an internal machine is replaced by a connection from the gateway itself, and the data coming back is sent through the masqueraded connection to the internal machine. (For this purpose TCP is used.)

[Figure: a TCP connection from an internal machine passes through the Gateway, which masquerades it, to a Server on the Internet.]

(6)

GATEWAY

DEFINITION 6.1

TCP (Transmission Control Protocol) is a layer over IP allowing the establishment of connections dedicated to data streams between two points.

HOW DOES IT WORK (TCP/IP DATA FLOW):

[Figure, three stages: Stage 1, the TCP protocol splits the data into packets carrying To/From addresses; Stage 2, the packets travel from router to router; Stage 3, they reach the recipient.]

(7)

GATEWAY

Another protocol relying on IP is UDP.

DEFINITION 7.1

UDP (User Datagram Protocol) is also packet oriented; however, it only transmits one packet from an application to another, with no compensation for packet loss and no confirmation that the packet has been received.

[Figure: sender and recipient, each packet carrying To/From addresses.] UDP does not establish a connection before sending the data.

(8)

GATEWAY

A gateway can perform two types of network address translation (NAT):

• Destination NAT (DNAT)
• Source NAT (SNAT)

DEFINITION 8.1

DNAT is a technique to alter the destination IP address of an incoming connection.

DEFINITION 8.2

SNAT is a technique to alter the source IP address of an outgoing connection.

REMARK 8.1

Note that NAT is only relevant for IPv4 and its limited address space; in IPv6, the wide availability of addresses reduces the use of NAT by allowing internal addresses to be directly

(9)

GATEWAY

Example NAT:

[Figure: inside the local network, the hosts 10.0.0.2, 10.0.0.3 and 10.0.0.5 sit behind a NAT router whose Internet-facing address is 178.201.112.12; the NAT table maps the internal IP 10.0.0.3 to the Internet IP 178.201.112.12.] DNAT is literally an example of port forwarding.
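The masquerading of Definition 5.1 (SNAT, Definition 8.2) and the port forwarding of this slide (DNAT, Definition 8.1) simulated as a small gateway, as an added example that is not part of the lecture. The private network 10.0.0.0/24 and the public address 178.201.112.12 are taken from the figure; every other address, and every port number, is constructed for the demonstration.

```python
"""Source NAT (masquerading) and destination NAT (port forwarding) simulated.

Added example, not code from the lecture. The LAN 10.0.0.0/24 and the
gateway's public address 178.201.112.12 come from the slide's figure; the
outside hosts (203.0.113.10, 198.51.100.7) and all ports are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PRIVATE_NET = ipaddress.ip_network("10.0.0.0/24")  # the LAN behind the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Rewrites addresses the way a masquerading gateway does."""

    def __init__(self, public_ip: str, port_forwards: Dict[int, Tuple[str, int]],
                 first_port: int = 1024):
        self.public_ip = public_ip
        self.port_forwards = port_forwards  # DNAT: public port -> (host, port)
        self.next_port = first_port
        # SNAT state, one entry per outgoing connection, kept in both directions
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        self._back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: the private source becomes the gateway's own address."""
        if ipaddress.ip_address(pkt.src) not in PRIVATE_NET:
            return pkt  # not from the LAN: forwarded unchanged
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._out:
            port = self.next_port  # a fresh public port identifies this connection
            self.next_port += 1
            self._out[key] = port
            self._back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self._out[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: undo the masquerade, or apply a DNAT rule; else drop."""
        if pkt.dst != self.public_ip:
            return None
        back = self._back.get((pkt.dport, pkt.src, pkt.sport))
        if back is not None:  # reply to a masqueraded connection
            host, port = back
            return Packet(pkt.src, pkt.sport, host, port)
        fwd = self.port_forwards.get(pkt.dport)
        if fwd is not None:  # unsolicited, but a port forward exists
            host, port = fwd
            return Packet(pkt.src, pkt.sport, host, port)
        return None  # no state and no forward: the gateway drops it


def demo() -> Dict[str, Optional[Packet]]:
    """The three cases that matter: outgoing, its reply, and unsolicited inbound."""
    gw = NatGateway("178.201.112.12", port_forwards={8080: ("10.0.0.3", 80)})
    # 1. An internal host opens a TCP connection to an outside web server.
    out = gw.outbound(Packet("10.0.0.3", 40000, "203.0.113.10", 80))
    # 2. The server's reply is addressed to the gateway's public port.
    reply = gw.inbound(Packet("203.0.113.10", 80, "178.201.112.12", out.sport))
    # 3. A new connection to port 8080 is forwarded by the DNAT rule ...
    forwarded = gw.inbound(Packet("198.51.100.7", 51000, "178.201.112.12", 8080))
    # ... while one to an unmapped port is dropped.
    dropped = gw.inbound(Packet("198.51.100.7", 51001, "178.201.112.12", 22))
    return {"out": out, "reply": reply, "forwarded": forwarded, "dropped": dropped}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:>9}: {pkt}")
```

The dropped case is the point of the model: with masquerading, a host inside the private range is reachable from outside only through state it created itself or through a DNAT rule the administrator wrote explicitly.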

(10)

2. VIRTUAL PRIVATE NETWORK

[Figure: VPN technologies named on the slide: OpenVPN, VPN with SSH, IPsec, PPTP; Internet VPN.]

(11)

VPN

DEFINITION 11.1

A VPN (Virtual Private Network) is a way to link two different local networks via the Internet by means of a tunnel. (The tunnel is usually encrypted for confidentiality.)

EXAMPLE 11.1:

OpenVPN is a piece of software that allows one to create a virtual private network. To secure the communication, OpenVPN relies on OpenSSL for all the SSL/TLS cryptography and association features.

The SSL (Secure Socket Layer) protocol was invented by Netscape to secure connections to web services; later it was standardized by the IETF under the acronym TLS (Transport Layer Security).

(12)

VPN

Security in VPN

easy-rsa: the use of the RSA algorithm for public-key cryptography.

Problem: anyone can pretend to have the identity of their choice.

Solution: the concept of a Certification Authority (CA), formalised by the X.509 standard.

This term covers an entity that holds a trusted key pair known as a root certificate. Thus, this certificate is the only one used to sign other certificates.

(13)

VPN

VPN concept:

A tunnel is created through the LANs and WANs that are being used.

(14)

VPN

Most popular VPN protocols:

• Point to Point Tunneling Protocol (PPTP)
• Layer Two Tunneling Protocol with Internet Protocol Security (L2TP / IPsec)

(15)

VPN

PPTP

Characteristics:

• Allows multi-protocol traffic to be encrypted, encapsulated in an IP header and then sent across an IP network or public IP network.
• Uses a TCP connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames.

DEFINITION 15.1

PPTP encapsulates point-to-point frames into IP datagrams for transmission over an IP-based network. (Data is not encrypted by default.)

[Figure, PPTP packet layout:]

    IP header | GRE header | PPP header | PPP payload (IP datagram)

The PPP header and PPP payload together form the encrypted PPP frame.

(16)

VPN

DEFINITION 16.1

An IP header is a prefix to an IP packet which contains information about the IP version, source IP, destination IP, time-to-live, etc.

DEFINITION 16.2

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

DEFINITION 16.3

Point-to-Point Protocol (PPP) is a data link protocol used to establish a direct connection between two nodes.

DEFINITION 16.4

An IP datagram can be considered the basic unit of information passed across the Internet. An IP datagram contains a source and destination address along with data. (For more information check http://www.daemon.org/ip.html#total)

(17)

VPN

[Figure: IP datagram layout. More details: http://www.daemon.org/ip.html#total]

(18)

VPN

L2TP with IPsec

Characteristics:

• Allows multi-protocol traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery.
• Relies on IPsec in transport mode for encryption services.
• Encapsulation of L2TP/IPsec consists of two layers: L2TP encapsulation and IPsec encapsulation.

DEFINITION 18.1

L2TP with IPsec is a combination of PPTP and Layer Two Forwarding (L2F), a technology from Cisco Systems, Inc.; IPsec is used to encrypt the messages.

IPsec is a security protocol that uses authentication and encryption for each IP packet.

(19)

VPN

Encapsulation:

• L2TP: the PPP frame is wrapped with an L2TP header and a UDP header.
• IPsec: the L2TP message is wrapped with an IPsec Encapsulating Security Payload (ESP) header and trailer, and an IPsec Authentication Trailer.

(20)

3. FIREWALLS

[Figure: firewall / Netfilter.]

(21)

FIREWALLS

DEFINITION 21.1

A firewall is a piece of computer equipment with hardware and/or software that sorts the incoming or outgoing network packets (coming to or from a local network) and only lets through those matching certain predefined conditions.

REMARK 21.1:

The firewall is a filtering network gateway and is only effective when the only route by which packets can reach the network is through the firewall.

e.g. the Netfilter firewall in Debian.

(22)

FIREWALL

Netfilter uses four distinct tables that regulate the filtering of packets using specific rules and operations:

Table name   Description
filter       concerns filtering rules: accepting, refusing, ignoring
nat          concerns translation of source or destination addresses and ports of packets
mangle       concerns other changes to the IP packets
raw          the fourth table; its chain is listed on slide 28

(23)

FIREWALLS

Each of the previous tables has a list of rules, called "chains"; the admin can modify the chains.

(24)

FIREWALLS

The chains of each table (detailed on the following slides):

• filter table chains
• nat table chains
• mangle table chains
• raw table chains

(25)

FIREWALLS

filter table chains

Chain     Description
INPUT     concerns packets whose destination is the firewall itself
OUTPUT    concerns packets emitted by the firewall
FORWARD   concerns packets transiting through the firewall (which is neither their source nor their destination)

(26)

FIREWALLS

nat table chains

Chain         Description
PREROUTING    to modify packets as soon as they arrive
POSTROUTING   to modify packets when they are ready to go on their way

(27)

FIREWALLS

mangle table chains

Chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD

(28)

FIREWALLS

raw table chains

Chain: PREROUTING

(29)

FIREWALLS

Each chain mentioned before is a list of rules, and the chains are called in a specific order:

[Figure: a packet arriving from the network first passes through PREROUTING; if it is addressed to the firewall it goes through INPUT to the local application, otherwise through FORWARD; packets emitted by the local application pass through OUTPUT; both FORWARD and OUTPUT traffic then passes through POSTROUTING before leaving for the network.]
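The filter-table chains of slide 25 and the chain selection of this slide, modelled in Python as an added example (not code from the lecture and not Netfilter's own logic): the chain is chosen the way the kernel chooses it (locally generated traffic goes to OUTPUT, traffic addressed to the firewall to INPUT, everything else to FORWARD), rules are evaluated first-match, and a chain's policy decides when nothing matches. The firewall addresses 10.0.0.1 and the rule set are constructed; 178.201.112.12 is the public address from the NAT slide.

```python
"""Netfilter filter-table traversal modelled in Python.

Added example, not code from the lecture. Chain selection follows the
figure: OUTPUT for packets the firewall itself emits, INPUT for packets
addressed to it, FORWARD for packets transiting through it. Rules are
first-match; the chain policy applies when no rule matches.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str                          # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:          # first matching rule wins
            if rule.matches(pkt):
                return rule.target
        return self.policy


class FilterTable:
    def __init__(self, local_addresses: List[str]):
        self.local = set(local_addresses)  # addresses that belong to the firewall
        self.chains = {"INPUT": Chain("DROP"), "OUTPUT": Chain("ACCEPT"),
                       "FORWARD": Chain("DROP")}

    def select_chain(self, pkt: Packet, locally_generated: bool) -> str:
        if locally_generated:
            return "OUTPUT"
        if pkt.dst in self.local:
            return "INPUT"
        return "FORWARD"

    def filter(self, pkt: Packet, locally_generated: bool = False) -> Tuple[str, str]:
        """Return (chain consulted, verdict)."""
        chain = self.select_chain(pkt, locally_generated)
        return chain, self.chains[chain].verdict(pkt)


def build_example_firewall() -> FilterTable:
    """A constructed rule set: default-deny INPUT and FORWARD, permissive OUTPUT."""
    fw = FilterTable(["10.0.0.1", "178.201.112.12"])
    fw.chains["INPUT"].rules += [
        Rule("ACCEPT", proto="tcp", src="10.0.0.0/24", dport=22),  # SSH from the LAN only
        Rule("ACCEPT", proto="tcp", dport=80),                     # web server open to all
    ]
    fw.chains["FORWARD"].rules += [
        Rule("ACCEPT", src="10.0.0.0/24"),                         # LAN may go out
    ]
    return fw


if __name__ == "__main__":
    fw = build_example_firewall()
    for pkt in (Packet("203.0.113.7", "178.201.112.12", "tcp", 22),
                Packet("10.0.0.3", "203.0.113.7", "tcp", 443),
                Packet("203.0.113.7", "10.0.0.3", "tcp", 443)):
        print(pkt, "->", fw.filter(pkt))
```

Because the FORWARD policy is DROP and only the LAN source is accepted, an outside host cannot open a connection to 10.0.0.3 through the firewall, while SSH to the firewall itself is reachable only from the LAN; both follow from the chain selection plus the policy, not from any single rule.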

(30)

4. DYNAMIC ROUTING

(31)

DYNAMIC ROUTING

DEFINITION 31.1

Dynamic routing allows routers to adjust, in real time, the path used for transmitting IP packets. Each protocol involves its own method of defining routes (e.g. using the shortest path, using routes advertised by peers, etc.).

REMARK 31.1:

The reference tool for this task is "quagga". It is a set of daemons cooperating to define the routing tables that should be used by the Linux kernel.

(32)

DYNAMIC ROUTING

Functions of dynamic routing:

• Dynamically share information between routers
• Automatically update the routing table when the topology changes
• Determine the best path to a destination
• Ability to find a new best path if the current path is no longer available
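The last three functions above, carried out on a toy network, as an added example that is not part of the lecture (the lecture's tool is quagga; this is a stand-alone illustration). Routes are computed with the shortest-path method mentioned in Definition 31.1 and recomputed when a link is removed; the five-router topology and its link costs are constructed.

```python
"""Shortest-path route computation, redone when a link disappears.

Added example, not code from the lecture. The topology (routers A-E) and
the link costs are constructed for the demonstration.
"""
import heapq
import itertools
from typing import Dict, Tuple

# router -> {neighbouring router: link cost}; every link is listed from both ends
Topology = Dict[str, Dict[str, int]]


def example_topology() -> Topology:
    return {
        "A": {"B": 1, "C": 4},
        "B": {"A": 1, "C": 2, "D": 5},
        "C": {"A": 4, "B": 2, "D": 1},
        "D": {"B": 5, "C": 1, "E": 1},
        "E": {"D": 1},
    }


def routing_table(topology: Topology, source: str) -> Dict[str, Tuple[str, int]]:
    """Dijkstra from `source`: returns {destination: (next hop, total cost)}.

    Routers that can no longer be reached simply do not appear in the table.
    """
    tie = itertools.count()  # keeps heap entries comparable when costs are equal
    best: Dict[str, int] = {source: 0}
    # heap entries: (cost so far, tie-breaker, router, first hop taken from source)
    heap = [(0, next(tie), source, None)]
    table: Dict[str, Tuple[str, int]] = {}
    done = set()
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue  # a cheaper path to this router was already settled
        done.add(node)
        if node != source:
            table[node] = (first_hop, cost)
        for nbr, link_cost in topology.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr]:
                best[nbr] = new_cost
                # leaving the source, the neighbour itself is the next hop;
                # further out, the next hop is inherited from the path so far
                heapq.heappush(heap, (new_cost, next(tie), nbr,
                                      nbr if node == source else first_hop))
    return table


def remove_link(topology: Topology, a: str, b: str) -> Topology:
    """Return a copy of the topology without the a-b link (a link failure)."""
    new = {router: dict(neighbours) for router, neighbours in topology.items()}
    new[a].pop(b, None)
    new[b].pop(a, None)
    return new


def demo() -> Dict[str, Dict[str, Tuple[str, int]]]:
    """Router A's table before and after two different link failures."""
    topo = example_topology()
    return {
        "before": routing_table(topo, "A"),
        "B-C down": routing_table(remove_link(topo, "B", "C"), "A"),
        "D-E down": routing_table(remove_link(topo, "D", "E"), "A"),
    }


if __name__ == "__main__":
    for label, table in demo().items():
        print(label)
        for dest, (hop, cost) in sorted(table.items()):
            print(f"  {dest}: via {hop}, cost {cost}")
```

With the B-C link up, A reaches everything through B; once it fails, the table for D and E switches to C without any change to A's own links, and when D-E fails E drops out of the table altogether rather than being left with a stale route.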

(34)

5. IPV6

(35)

IPV6

DEFINITION 35.1

IPv6, the successor of IPv4, is a new version of the IP protocol designed to fix its flaws and handle the network layer.

Purpose:

• Provide a new way to address machines
• Convey data to their intended destination
• Handle data fragmentation if needed (split packets into chunks)

(37)

IPV6

Larger address space:

IPv4: 32 bits = 4,294,967,296 possible addressable devices

IPv6: 128 bits (4 times the size in bits) = 3.4 x 10^38 possible addressable devices = 340,282,366,920,938,463,463,374,607,431,768,211,456, i.e. ∼ 5 x 10^28 addresses per person on the planet

(38)

IPV6

Configuration - enabling IPv6:

Put "ipv6" in "/etc/modules".

Edit "/etc/network/interfaces":

    iface eth0 inet6 static
        address 2001:XXXX:YYYY:ZZZZ::1
        netmask 64

(39)

IPV6

Configuration - tunnel:

Edit "/etc/network/interfaces":

    iface tun0 inet6 v4tunnel
        endpoint A.B.C.D
        address 2001:XXXX:YYYY:ZZZZ::2
        netmask 64
        gateway 2001:XXXX:YYYY:ZZZZ::1

(40)

IPV6

Router Advertisement (RA) autoconfiguration:

Add to "/etc/radvd.conf":

    interface eth0 {
        AdvSendAdvert on;
        AdvLinkMTU 1472;
        prefix 2001:XXXX:YYYY:ZZZZ::/64 {
            AdvOnLink on;
            AdvPreferredLifetime 3600;
            AdvValidLifetime 7200;
        };
    };
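A consistency check over the three fragments of slides 38 to 40 (static address, v4tunnel stanza, radvd prefix), as an added example that is not part of the lecture and not a radvd or ifupdown feature. It uses the documentation prefix 2001:db8::/32 in place of the slide's 2001:XXXX:YYYY:ZZZZ placeholders and a constructed tunnel endpoint 198.51.100.1; the checks themselves (a /64 for autoconfiguration, the advertised prefix equal to the interface's subnet, the preferred lifetime not exceeding the valid one, the tunnel gateway on-link, the endpoint an IPv4 address) are the ones a reviewer of these files would apply.

```python
"""Sanity checks for the IPv6 configuration fragments above.

Added example, not part of the lecture. Values use the documentation prefix
2001:db8::/32 instead of the slide's 2001:XXXX:YYYY:ZZZZ placeholders, and
the tunnel endpoint 198.51.100.1 is constructed.
"""
import ipaddress
from typing import List


def check_lan(address: str, netmask: int, radvd_prefix: str,
              preferred_lifetime: int, valid_lifetime: int) -> List[str]:
    """Check the static address on eth0 against what radvd advertises there."""
    problems = []
    link = ipaddress.IPv6Network(f"{address}/{netmask}", strict=False)
    prefix = ipaddress.IPv6Network(radvd_prefix)
    if netmask != 64:
        problems.append(f"netmask {netmask}: stateless autoconfiguration needs a /64")
    if prefix != link:
        problems.append(f"radvd advertises {prefix} but the interface is on {link}")
    if preferred_lifetime > valid_lifetime:
        problems.append("AdvPreferredLifetime exceeds AdvValidLifetime")
    return problems


def check_tunnel(address: str, netmask: int, gateway: str, endpoint: str) -> List[str]:
    """Check the v4tunnel stanza: gateway on-link, endpoint a plain IPv4 address."""
    problems = []
    link = ipaddress.IPv6Network(f"{address}/{netmask}", strict=False)
    if ipaddress.IPv6Address(gateway) not in link:
        problems.append(f"gateway {gateway} is not inside {link}")
    try:
        ep = ipaddress.ip_address(endpoint)
    except ValueError:
        return problems + [f"endpoint {endpoint!r} is not an IP address"]
    if ep.version != 4:
        problems.append("the endpoint of a v4tunnel must be an IPv4 address")
    return problems


if __name__ == "__main__":
    # constructed values standing in for the slide's placeholders
    print(check_lan("2001:db8:1:5::1", 64, "2001:db8:1:5::/64", 3600, 7200))
    print(check_lan("2001:db8:1:5::1", 64, "2001:db8:1:6::/64", 7200, 3600))
    print(check_tunnel("2001:db8:1:1::2", 64, "2001:db8:1:1::1", "198.51.100.1"))
    print(check_tunnel("2001:db8:1:1::2", 64, "2001:db8:1:2::1", "A.B.C.D"))
```

The last call shows the untouched placeholder "A.B.C.D" from slide 39 being rejected, which is the failure to expect if the stanza is copied into a real system without filling in the remote endpoint.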

(41)

6. DOMAIN NAME SERVERS

(42)

DNS

DEFINITION 42.1

The Domain Name Service (DNS) is a fundamental component of the Internet: it maps host names to IP addresses (and vice versa), which allows the use of www.debian.org instead of 5.153.231.4 or 2001:41c8:1000:21::21:4.

DNS provides:

• Mapping from names to addresses and vice versa
• A mechanism to store and retrieve information in a global data store
• Where to send mail for a domain
• Geographical information
• etc.

(43)

DNS

Basic DNS tools:

Using the host command:

    AHs-Mac-mini:~ AH$ host ut.ee
    ut.ee has address 193.40.5.73
    ut.ee mail is handled by 20 frida.it.da.ut.ee.
    ut.ee mail is handled by 20 berta.it.da.ut.ee.

    AHs-Mac-mini:~ AH$ host www.ut.ee
    www.ut.ee has address 193.40.5.73
    www.ut.ee has IPv6 address 2001:bb8:2002:500::42

Using host with an IPv6 address (reverse lookup):

    AHs-Mac-mini:~ AH$ host 2001:bb8:2002:500::42
    2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.2.0.0.2.8.b.b.0.1.0.0.2.ip6.arpa domain name pointer www.ut.ee.
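How host arrives at the long ip6.arpa name in the last output above, and what a reverse lookup does and does not prove, as an added example that is not part of the lecture. The name is built by hand (all 32 hex nibbles of the expanded address, reversed, one label each) and cross-checked against Python's own reverse_pointer. FORWARD and PTR are constructed lookup tables holding only the records visible in the host output; nothing is queried live. The forward-confirmed check uses them to accept an address only when the name its PTR record gives resolves back to that address.

```python
"""Reverse-lookup names (in-addr.arpa / ip6.arpa) built by hand, plus a
forward-confirmed reverse DNS check over the records shown above.

Added example, not from the lecture. FORWARD and PTR are constructed
tables holding the records from the host output; nothing is queried live.
"""
import ipaddress
from typing import Dict, List


def reverse_name(address: str) -> str:
    """Name to query for a PTR record, built the way the resolver does it."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # IPv6: all 32 hex nibbles, zeros included, one label each, reversed
    nibbles = ip.packed.hex()
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def matches_stdlib(address: str) -> bool:
    """Cross-check against the standard library's own construction."""
    return reverse_name(address) == ipaddress.ip_address(address).reverse_pointer


# Forward records (name -> addresses) copied from the host output above.
FORWARD: Dict[str, List[str]] = {
    "ut.ee.": ["193.40.5.73"],
    "www.ut.ee.": ["193.40.5.73", "2001:bb8:2002:500::42"],
}
# Reverse records (arpa name -> host name); only the IPv6 PTR was shown on
# the slide, so it is the only entry.
PTR: Dict[str, str] = {
    reverse_name("2001:bb8:2002:500::42"): "www.ut.ee.",
}


def forward_confirmed(address: str, forward: Dict[str, List[str]] = FORWARD,
                      ptr: Dict[str, str] = PTR) -> bool:
    """True only if the PTR name maps back to the address (FCrDNS).

    A PTR record alone proves nothing: whoever controls the reverse zone can
    put any name in it. The forward zone for that name must agree.
    """
    name = ptr.get(reverse_name(address))
    if name is None:
        return False
    target = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(a) == target for a in forward.get(name, []))


if __name__ == "__main__":
    print(reverse_name("2001:bb8:2002:500::42"))
    print(reverse_name("193.40.5.73"))
    print(forward_confirmed("2001:bb8:2002:500::42"))
```

The spoofed case in the test (a constructed address whose PTR claims to be www.ut.ee.) is rejected because www.ut.ee. has no A record for it; that is the reason log analysis and mail filtering rely on the forward confirmation rather than on the PTR name alone.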

(44)

DNS

How DNS is built:

Components:

• Name space
• Servers making that name space available
• DNS database

The name space forms a tree structure:

[Figure: DNS tree. Root (.) at the top; below it com, edu and ee; below those google, berkeley and ut; then cs, ds and www, with www leaves at the bottom.]

(45)

DNS

How DNS is built:

• DNS is hierarchical
• DNS administration is shared
• This distribution of administration is called "delegation"

[Figure: the same DNS tree, with the path root → ee → ut → cs → www highlighted as www.cs.ut.ee.]

(46)

DNS

How DNS works

[Figure: a client asking for www.ut.ee, with two DNS servers; the speech bubbles read, in order of the exchange:]

• The client asks its DNS server for www.ut.ee.
• First DNS server: "I cannot find the domain www.ut.ee in my cache", and it forwards the query to the second DNS server.
• Second DNS server: "Yes, I have it in my cache; it is mapped to this IP address: 172.167.36.44".
• First DNS server: "Awesome, I will cache it too for a while in case someone asks for it again".
• Client: "Thanks, I got it, I can access it now".

(47)

DNS

Query detail with tcpdump

    AHs-Mac-mini:~ AH$ sudo tcpdump -s1500 -n port 53
    tcpdump: data link type PKTAP
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pktap, link-type PKTAP (Packet Tap), capture size 1500 bytes
    09:02:43.982601 IP 172.17.164.117.58374 > 193.40.5.39.53: 15716+ A? dr-eu.skype-cr.akadns.net. (43)
    09:02:43.982719 IP 172.17.164.117.51108 > 193.40.5.39.53: 3184+ AAAA? dr-eu.skype-cr.akadns.net. (43)
    09:02:43.983816 IP 193.40.5.39.53 > 172.17.164.117.58374: 15716 8/10/7 A 40.127.143.123, A 40.127.180.92, A 104.41.212.225, A 137.135.247.208, A 138.91.55.206, A 23.102.43.250, A 40.113.91.50, A 40.127.103.135 (507)
    09:02:43.996398 IP 193.40.5.39.53 > 172.17.164.117.51108: 3184 0/1/0 (109)

Or, as root:

    $ sudo -s
    passwd:
    # tcpdump -s1500 -n port 53
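The capture above read programmatically, as an added example that is not part of the lecture: each tcpdump line is parsed, queries are paired with their responses by transaction ID and client port (the "15716+" / "15716" pairing visible above), and the answer count and round-trip time are recorded, so that a query the server never answered stands out. SAMPLE is a constructed input made of the four lines from the slide plus one made-up query (for example.invalid.) that gets no reply; the regular expressions assume tcpdump's default one-line DNS summary format shown on the slide.

```python
"""Pair DNS queries with responses in tcpdump's one-line summary output.

Added example, not from the lecture. SAMPLE holds the four lines of the
capture above plus one constructed query that never receives an answer.
"""
import re
from datetime import datetime
from typing import Dict, List

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)(?P<rd>\+?) (?P<body>.*) \((?P<len>\d+)\)$"
)
QUERY = re.compile(r"^(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")     # e.g. "A? name."
RESPONSE = re.compile(r"^(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")   # answer/authority/additional

SAMPLE = """\
09:02:43.982601 IP 172.17.164.117.58374 > 193.40.5.39.53: 15716+ A? dr-eu.skype-cr.akadns.net. (43)
09:02:43.982719 IP 172.17.164.117.51108 > 193.40.5.39.53: 3184+ AAAA? dr-eu.skype-cr.akadns.net. (43)
09:02:43.983816 IP 193.40.5.39.53 > 172.17.164.117.58374: 15716 8/10/7 A 40.127.143.123, A 40.127.180.92, A 104.41.212.225, A 137.135.247.208, A 138.91.55.206, A 23.102.43.250, A 40.113.91.50, A 40.127.103.135 (507)
09:02:43.996398 IP 193.40.5.39.53 > 172.17.164.117.51108: 3184 0/1/0 (109)
09:02:44.100000 IP 172.17.164.117.60001 > 193.40.5.39.53: 4242+ A? example.invalid. (33)
"""


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%H:%M:%S.%f")


def pair_queries(text: str) -> List[Dict]:
    """One record per query; answers/latency stay None if no response was seen."""
    pending: Dict[tuple, Dict] = {}  # (txid, client ip, client port) -> record
    results: List[Dict] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner lines and anything that is not a DNS summary
        f = m.groupdict()
        ts = _parse_ts(f["ts"])
        query = QUERY.match(f["body"])
        response = RESPONSE.match(f["body"])
        if query:  # client -> server; "+" means recursion desired
            rec = {"txid": int(f["txid"]), "client": f["src"],
                   "qname": query["qname"], "qtype": query["qtype"],
                   "recursion_desired": f["rd"] == "+",
                   "sent": ts, "answers": None, "latency_ms": None}
            pending[(int(f["txid"]), f["src"], int(f["sport"]))] = rec
            results.append(rec)
        elif response:  # server -> client; match on the client's side of the flow
            rec = pending.pop((int(f["txid"]), f["dst"], int(f["dport"])), None)
            if rec is None:
                continue  # response without a matching query in this capture
            rec["answers"] = int(response["an"])
            rec["latency_ms"] = round((ts - rec["sent"]).total_seconds() * 1000, 3)
    return results


def unanswered(results: List[Dict]) -> List[Dict]:
    """Queries for which no response was seen in the capture."""
    return [r for r in results if r["answers"] is None]


if __name__ == "__main__":
    for r in pair_queries(SAMPLE):
        print(r["qtype"], r["qname"], "answers:", r["answers"], "latency ms:", r["latency_ms"])
```

In the slide's own data the A query gets eight answers in about 1.2 ms while the AAAA query gets none (0/1/0: no answer, one authority record), which is a normal outcome for a name with no IPv6 address and not an error; the constructed example.invalid. query, by contrast, is still pending at the end of the capture and is what the unanswered list is for.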


(49)

DNS

Resolver configuration:

How does your computer know which DNS server to send the query to in order to get information?

Location: "/etc/resolv.conf". If you check it you will find:

    nameserver a.b.c.d

or

    nameserver ip:v6:ad:dr:es:ss

where a.b.c.d (or ip:v6:ad:dr:es:ss) is the IP/IPv6 address of a functioning DNS server.

(50)

7. DYNAMIC HOST CONFIGURATION PROTOCOL

(51)

DHCP

DHCP provides network-related parameters:

• IP address
• Network where the machine belongs
• Dynamic assignment of IP addresses
• DNS servers
• etc.

DEFINITION 51.1

DHCP is a protocol by which a machine can automatically get its network configuration when it boots.

(52)

DHCP

DHCP configuration:

Configuration file location: "/etc/dhcp/dhcpd.conf"

[Figure: sample configuration file showing the domain name and other options.]

(53)

DHCP

DHCP interactions

[Figure: exchange between the DHCP client and the DHCP server:]

• Client → Server: IP lease Discover
• Server → Client: IP lease Offer
• Client → Server: IP lease Request
• Server → Client: IP lease Acknowledge

(54)

DHCP

DHCP message format

[Figure: layout of the DHCP message; its fields are listed on the following slides.]

(55)

DHCP

DHCP message fields:

Field     Description
Code      indicates a request or a reply: 1 request, 2 reply
HWtype    the type of hardware (e.g. 1 Ethernet, 6 IEEE 802 networks)
Length    hardware address length in bytes
Hops      the client sets this to 0; it is incremented by each router that relays the request to another server, and is used to identify loops

(56)

DHCP

DHCP message fields:

Field            Description
Transaction ID   a random number used to match this boot request with the response it generates
Seconds          set by the client; the elapsed time in seconds since the client started its boot process
Flags            the flags field is used as a broadcast flag

(57)

DHCP

DHCP message fields:

Field                     Description
Your IP address           set by the server if the client IP address field was 0.0.0.0
Server IP address         set by the server
Router IP address         the address of a BOOTP relay agent
Client hardware address   set by the client: its MAC address

(58)

DHCP

DHCP message fields:

Field              Description
Server host name   optional server host name, terminated by X'00'
Boot file name     the client either leaves this null or specifies a generic name like "router" (the type of boot)

(59)

DHCP

DHCP message type:

• 1 = DHCP Discover message (DHCPDiscover)
• 2 = DHCP Offer message (DHCPOffer)
• 3 = DHCP Request message (DHCPRequest)
• 4 = DHCP Decline message (DHCPDecline)
• 5 = DHCP Acknowledgment message (DHCPAck)
• 6 = DHCP Negative Acknowledgment message (DHCPNak)
• 7 = DHCP Release message (DHCPRelease)
• 8 = DHCP Informational message (DHCPInform)
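The message format of slides 54 to 58 and the message-type codes of this slide put to work: a builder and a parser for the fixed BOOTP-style header followed by the option list, exercised with a client's Discover and the server's Offer (the first two steps of the interaction on slide 53), as an added example that is not part of the lecture. The MAC address, transaction ID and the addresses 10.0.0.50 / 10.0.0.1 are constructed; the magic cookie and option code 53 are the standard DHCP values. The option parser refuses a length that runs past the end of the buffer instead of reading whatever follows, which is the check a practitioner wants in anything that decodes packets off the wire.

```python
"""Build and parse DHCP messages (BOOTP format) with the fields listed on
slides 55-58 and the message-type codes on slide 59.

Added example, not code from the lecture. The MAC address, transaction ID
and the addresses 10.0.0.50 / 10.0.0.1 are constructed.
"""
import ipaddress
import struct
from typing import Dict, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255
MESSAGE_TYPES = {1: "DHCPDiscover", 2: "DHCPOffer", 3: "DHCPRequest", 4: "DHCPDecline",
                 5: "DHCPAck", 6: "DHCPNak", 7: "DHCPRelease", 8: "DHCPInform"}
# Fixed part, network byte order: op (the slide's Code), htype, hlen, hops,
# xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64),
# file(128) = 236 bytes
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_message(op: int, xid: int, chaddr: str, msg_type: int, *,
                  ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0",
                  giaddr="0.0.0.0", broadcast=False, hops=0, secs=0) -> bytes:
    """Assemble a message; op=1 request, op=2 reply."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    flags = 0x8000 if broadcast else 0  # only the broadcast bit is defined
    header = HEADER.pack(op, 1, len(mac), hops, xid, secs, flags,
                         _ip(ciaddr), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])
    return header + MAGIC_COOKIE + options


def _parse_options(raw: bytes) -> Dict[int, bytes]:
    """TLV options; a length that runs past the buffer is an error, not a guess."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(value)} present")
        opts[code] = value
        i += 2 + length
    return opts


def parse_message(data: bytes) -> Dict:
    if len(data) < HEADER.size + len(MAGIC_COOKIE):
        raise ValueError("message shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, bootfile) = HEADER.unpack_from(data)
    if data[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie (plain BOOTP?)")
    options = _parse_options(data[HEADER.size + 4:])
    mtype = options.get(OPT_MESSAGE_TYPE, b"")
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),  # "Your IP address"
        "siaddr": str(ipaddress.IPv4Address(siaddr)),  # server IP address
        "giaddr": str(ipaddress.IPv4Address(giaddr)),  # relay agent address
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "sname": sname.split(b"\0", 1)[0].decode("ascii", "replace"),
        "file": bootfile.split(b"\0", 1)[0].decode("ascii", "replace"),
        "message_type": MESSAGE_TYPES.get(mtype[0], "unknown") if len(mtype) == 1 else "unknown",
        "options": options,
    }


def demo() -> Tuple[Dict, Dict]:
    """A client's DHCPDISCOVER and the server's DHCPOFFER answering it."""
    xid = 0x3903F326  # constructed transaction ID, shared by both messages
    discover = build_message(1, xid, "00:11:22:33:44:55", 1, broadcast=True)
    offer = build_message(2, xid, "00:11:22:33:44:55", 2,
                          yiaddr="10.0.0.50", siaddr="10.0.0.1")
    return parse_message(discover), parse_message(offer)


if __name__ == "__main__":
    for msg in demo():
        print(msg["message_type"], "op", msg["op"], "xid", hex(msg["xid"]),
              "yiaddr", msg["yiaddr"], "broadcast", msg["broadcast"])
```

The two parsed messages show the fields from the slides doing their job: the Discover carries op 1, an all-zero "Your IP address" and the broadcast flag, while the Offer carries op 2, the same transaction ID (which is how the client matches it to its request) and the address the server proposes in yiaddr.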

(60)

EXTRA TECHNICAL DETAILS

(61)

EXTRA TECHNICAL DETAILS

DNS, more details:

• http://www.ietf.org/proceedings/70/slides/dnstut-0.pdf
• https://courses.cs.ut.ee/2015/ds/fall/uploads/Main/slides-14.pdf (slides 14, 26-37)
• https://courses.cs.ut.ee/MTAT.08.021/2013_fall/uploads/Main/2013SA-L004-5.pdf (slides 20-end)
• Slides (Numbers): 1-13, 17-23
• http://www.ics.uci.edu/~magda/cs620/ch6.pdf (slides 40-60)

(62)

EXTRA TECHNICAL DETAILS

DHCP, more details:

• http://www.ics.uci.edu/~magda/cs620/ch6.pdf (slides 2-17)

(63)

EXTRA TECHNICAL DETAILS

Firewalls, more details:

• http://www.ics.uci.edu/~magda/cs620/ch6.pdf (slides 2-17)
