TRANSCRIPT
LECTURE 4: NETWORK INFRASTRUCTURE
SYSTEM ADMINISTRATION MTAT.08.021
Prepared By: Amnir Hadachi and Artjom Lind
University of Tartu, Institute of Computer Science [email protected] / [email protected]
OUTLINE
LECTURE 4: NETWORK INFRASTRUCTURE
1. Gateway
2. Virtual Private Network
3. Firewalls
4. Dynamic routing
5. IPv6
6. Domain name servers (DNS)
7. Dynamic host configuration protocol (DHCP)
8. Extra technical details
1. GATEWAY
Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
GATEWAY
DEFINITION 4.1
A gateway is a system linking several networks. It is connected to each of them and acts as a router, forwarding IP packets between its various interfaces.
DEFINITION 4.2
IP transmits data as limited-size packets (datagrams). Splitting a data stream into such packets, and fragmenting them further when a link cannot carry them whole, is a characteristic of the IP layer.
GATEWAY
CASE 5.1:
Let's suppose we are in a local network which uses a private address range. The gateway then needs to implement address masquerading in order to allow the machines on the network to communicate with the outside world.
DEFINITION 5.1
Masquerading is a kind of proxy operating at the network level: each outgoing connection from an internal machine is replaced by a connection from the gateway itself, and the data coming back is sent through the masqueraded connection back to the internal machine. The gateway keeps a table of these connections (connection tracking), so the mechanism works for TCP, UDP and ICMP alike, not only for TCP.
(Figure: internal machine -> gateway -> server on the Internet; the masqueraded connection is drawn as a TCP connection.)
GATEWAY
DEFINITION 6.1
TCP (Transmission Control Protocol) is a layer over IP allowing the establishment of connections dedicated to data streams between two points.
HOW DOES IT WORK (TCP/IP DATA FLOW):
(Figure: sender -> routers -> recipient; every packet carries a To: and a From: address.)
STAGE 1: TCP establishes a connection and splits the data into packets (segments).
STAGE 2: The packets travel from router to router over the Internet according to the IP protocol.
STAGE 3: TCP reassembles the packets into the original message, retransmitting any that were lost.
GATEWAY
Another protocol relying on IP is UDP.
DEFINITION 7.1
UDP (User Datagram Protocol) is also packet oriented, but it only transmits single packets (datagrams) from one application to another, with no compensation for packet loss and no confirmation that a packet has been received.
(Figure: sender -> recipient; a UDP datagram carries a To: and a From: address. UDP does not establish a connection before sending the data.)
GATEWAY
A gateway can perform two types of network address translation (NAT):
• Destination NAT (DNAT)
• Source NAT (SNAT)
DEFINITION 8.1
DNAT is a technique to alter the destination IP address (and optionally the port) of an incoming connection.
DEFINITION 8.2
SNAT is a technique to alter the source IP address (and optionally the port) of an outgoing connection. Masquerading is the special case of SNAT in which the new source address is whatever address the outgoing interface currently has.
REMARK 8.1
Note that NAT is only relevant for IPv4 and its limited address space. In IPv6 the wide availability of addresses reduces the need for NAT by letting internal addresses be routable on the Internet directly; reachability of internal hosts is then decided by the firewall rules, not by the absence of a translation.
GATEWAY
Example NAT:
(Figure: inside hosts 10.0.0.2, 10.0.0.3 and 10.0.0.5 behind a NAT router whose Internet address is 178.201.112.12.)
NAT table (excerpt):
Internal IP    Internet IP
10.0.0.3       178.201.112.12
....           ....
PORT FORWARDING IS THE TYPICAL USE OF DNAT: A PORT ON THE ROUTER'S PUBLIC ADDRESS IS MAPPED TO A PORT ON AN INSIDE HOST.
2. VIRTUAL PRIVATE NETWORK
OpenVPN, VPN with SSH, IPsec, PPTP
VPN
DEFINITION 11.1
VPN (Virtual Private Network) is a way to link two different local networks via the Internet by means of a tunnel. (The tunnel is usually encrypted for confidentiality and authenticated so that only the intended peers can join it.)
EXAMPLE 11.1:
OpenVPN is a piece of software that allows one to create a virtual private network. To secure the communication, OpenVPN relies on OpenSSL for all the SSL/TLS cryptography and session-establishment features.
SSL (SECURE SOCKETS LAYER) WAS INVENTED BY NETSCAPE TO SECURE CONNECTIONS TO WEB SERVICES; IT WAS LATER STANDARDIZED BY THE IETF UNDER THE NAME TLS (TRANSPORT LAYER SECURITY). SSL ITSELF IS NOW DEPRECATED, AND CURRENT OPENVPN RELEASES NEGOTIATE TLS.
VPN
Security in VPN
• easy-rsa: OpenVPN's helper scripts for generating RSA key pairs and certificates (public-key cryptography)
• Problem: with bare key pairs, anyone can claim the identity of their choice, since nothing ties a public key to a name.
• Solution: the concept of a Certification Authority (CA), formalised by the X.509 standard.
A CA IS AN ENTITY THAT HOLDS A TRUSTED KEY PAIR, WHOSE PUBLIC HALF IS DISTRIBUTED AS THE ROOT CERTIFICATE. ONLY THIS KEY IS USED TO SIGN THE OTHER CERTIFICATES, SO EVERY PEER CAN VERIFY ANY CERTIFICATE AGAINST THE ONE ROOT IT TRUSTS. THE CA'S PRIVATE KEY SHOULD BE KEPT OFF THE VPN SERVER ITSELF.
All this is done using data encapsulation and encryption in order to ensure that only authorised users get access and that data sessions crossing the VPN devices stay protected.
VPN
VPN concept: a tunnel is created through the LANs and WANs that are being used.
VPN
Most popular VPN protocols:
• Point-to-Point Tunneling Protocol (PPTP)
• Layer Two Tunneling Protocol with Internet Protocol Security (L2TP/IPsec)
VPN
PPTP
Characteristics:
• Allows multi-protocol traffic to be encrypted, encapsulated in an IP header and then sent across a private or public IP network.
• Uses a TCP connection (port 1723) for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames.
DEFINITION 15.1
PPTP encapsulates point-to-point (PPP) frames into IP datagrams for transmission over an IP-based network.
(Data is not encrypted by default. When encryption is enabled it is MPPE keyed from MS-CHAPv2 authentication, and both are considered broken today, so PPTP should not be relied on for confidentiality.)
Packet layout: IP HEADER | GRE HEADER | PPP HEADER | PPP PAYLOAD (IP DATAGRAM); only the PPP frame is the encrypted part.
VPN
DEFINITION 16.1
An IP header is a prefix to an IP packet which contains information about the IP version, source IP, destination IP, time-to-live, etc.
DEFINITION 16.2
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.
DEFINITION 16.3
Point-to-Point Protocol (PPP) is a data link protocol used to establish a direct connection between two nodes.
DEFINITION 16.4
An IP datagram can be considered the basic unit of information passed across the Internet. It contains a source and a destination address along with the data. (For more information see http://www.daemon.org/ip.html#total)
VPN
IP datagram (more details: http://www.daemon.org/ip.html#total)
VPN
L2TP with IPsec
Characteristics:
• Allows multi-protocol traffic to be encrypted and then sent over any medium that supports point-to-point datagram delivery.
• Relies on IPsec in transport mode for encryption services.
• Encapsulation of L2TP/IPsec consists of two layers:
  • L2TP encapsulation
  • IPsec encapsulation
DEFINITION 18.1
L2TP is a combination of PPTP and Layer Two Forwarding (L2F), a technology from Cisco Systems, Inc. L2TP itself provides no confidentiality, so IPsec is used to encrypt and authenticate the messages.
IPSEC IS A SECURITY PROTOCOL THAT AUTHENTICATES AND (WITH ESP) ENCRYPTS EACH IP PACKET.
VPN
Encapsulation:
• L2TP: the PPP frame is wrapped with an L2TP header and a UDP header (port 1701).
• IPsec: the L2TP/UDP message is wrapped with an IPsec Encapsulating Security Payload (ESP) header and ESP trailer, followed by the ESP authentication data (ICV). In transport mode the original IP header stays outermost; only the payload is protected.
3. FIREWALLS
Firewall: Netfilter
FIREWALLS
DEFINITION 21.1
A firewall is a piece of computer equipment, hardware and/or software, that sorts the incoming or outgoing network packets (coming to or from a local network) and only lets through those matching certain predefined conditions.
REMARK 21.1:
The firewall is a filtering network gateway and is only effective when the only route for packets to enter or leave the network is through the firewall.
e.g. the Netfilter firewall in Debian (configured with the iptables tools, or with nft on current releases)
FIREWALL
Netfilter uses four distinct tables that regulate the treatment of packets using specific rules and operations:
Table     Description
filter    filtering rules: accepting, refusing, ignoring packets
nat       translation of source or destination addresses and ports of packets
mangle    other changes to the IP packets (e.g. marks, TTL, TOS)
raw       manual modifications on packets before they reach the connection tracking system (e.g. marking them NOTRACK)
FIREWALLS
Each of the previous tables has:
• lists of rules, called "chains"
• the admin can modify the chains (add rules to the built-in chains, or create custom chains and jump to them)
filter table chains
nat table chains
mangle table chains
raw table chains
FIREWALLS
filter table chains
Chain      Description
INPUT      packets whose destination is the firewall itself
OUTPUT     packets emitted by the firewall itself
FORWARD    packets transiting through the firewall (which is neither their source nor their destination)
FIREWALLS
nat table chains
Chain         Description
PREROUTING    to modify packets as soon as they arrive, before the routing decision (where DNAT is done)
POSTROUTING   to modify packets when they are ready to go on their way, after the routing decision (where SNAT and MASQUERADE are done)
OUTPUT        to modify packets generated by the firewall itself
FIREWALLS
mangle table chains
Chain
PREROUTING
POSTROUTING
INPUT
OUTPUT
FORWARD
FIREWALLS
raw table chains
Chain
PREROUTING
OUTPUT
FIREWALLS
Each chain mentioned before is a list of rules, and the chains are consulted in a specific order:
(Figure: packet flow through the chains)
NETWORK -> PREROUTING -> routing decision -> INPUT -> local APPLICATION
                                          -> FORWARD -> POSTROUTING -> NETWORK
local APPLICATION -> OUTPUT -> POSTROUTING -> NETWORK
A consequence worth remembering: the routing decision (INPUT or FORWARD?) is taken on the destination address as it is after PREROUTING, so a DNAT rule changes which chain, and which filter rules, a packet meets.
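The chain order above, traced in code. This is an added example, not part of the lecture and not Netfilter's own code: a toy Python model of a Debian gateway using the slides' addresses (LAN 10.0.0.0/24 behind 178.201.112.12). The interface names eth0 (Internet) and eth1 (LAN), 10.0.0.5 as the port-forward target, and all port numbers are assumptions made for the example; the iptables rule each step stands in for is given as a comment.

```python
"""Toy model of the path a packet takes through the Netfilter chains.

Added example, not from the lecture and not Netfilter's own code. It follows
the chain order PREROUTING -> routing decision -> INPUT or FORWARD ->
POSTROUTING and keeps a connection-tracking table, so the slides' two NAT
cases can be traced end to end: masquerading of the 10.0.0.0/24 LAN behind
178.201.112.12, and a DNAT port forward of public port 80 to an internal
web server. Assumptions: eth0 = Internet side, eth1 = LAN side, 10.0.0.5 is
the web server, and the port numbers are made up for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")
PUBLIC_IP = "178.201.112.12"      # slide: the gateway's Internet address
GATEWAY_LAN_IP = "10.0.0.1"       # assumption: the gateway's LAN address
WEB_SERVER = ("10.0.0.5", 80)     # assumption: target of the port forward


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Connection tracking: reply-direction 4-tuple -> rewrite to apply to replies.
# Replies are translated from this table alone, without matching any NAT
# rule; the filter rules rely on the same table via --ctstate ESTABLISHED.
conntrack = {}
_next_masq_port = 40000           # the kernel picks a free port; we count up


def traverse(pkt, in_iface):
    """Push one packet through the gateway; return (verdict, packet, trace)."""
    global _next_masq_port
    trace = []
    reply_fix = conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    established = reply_fix is not None

    # nat PREROUTING: destination rewrites happen BEFORE the routing decision.
    if established and "dst" in reply_fix:
        pkt = replace(pkt, dst=reply_fix["dst"][0], dport=reply_fix["dst"][1])
        trace.append("PREROUTING: conntrack undid SNAT on reply")
    elif in_iface == "eth0" and (pkt.dst, pkt.dport) == (PUBLIC_IP, 80):
        # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
        #   -j DNAT --to-destination 10.0.0.5:80
        conntrack[(WEB_SERVER[0], WEB_SERVER[1], pkt.src, pkt.sport)] = {
            "src": (PUBLIC_IP, 80)}
        pkt = replace(pkt, dst=WEB_SERVER[0], dport=WEB_SERVER[1])
        trace.append("PREROUTING: DNAT to %s:%d" % WEB_SERVER)

    # Routing decision: is the (possibly rewritten) destination the gateway?
    if pkt.dst in (PUBLIC_IP, GATEWAY_LAN_IP):
        # filter INPUT: services on the gateway itself are reachable from the
        # LAN only (iptables -A INPUT -i eth1 -j ACCEPT; policy DROP).
        verdict = "ACCEPT" if (established or in_iface == "eth1") else "DROP"
        trace.append("INPUT: " + verdict)
        return verdict, pkt, trace

    # filter FORWARD: the port-forward rule must match the post-DNAT address
    # 10.0.0.5, not the public address, because DNAT has already happened.
    ok = (established
          or (in_iface == "eth1" and ip_address(pkt.src) in LAN)
          or (in_iface == "eth0" and (pkt.dst, pkt.dport) == WEB_SERVER))
    if not ok:
        trace.append("FORWARD: DROP (policy)")
        return "DROP", pkt, trace
    trace.append("FORWARD: ACCEPT")
    out_iface = "eth1" if ip_address(pkt.dst) in LAN else "eth0"

    # nat POSTROUTING: source rewrites happen AFTER routing, on the way out.
    if established and "src" in reply_fix:
        pkt = replace(pkt, src=reply_fix["src"][0], sport=reply_fix["src"][1])
        trace.append("POSTROUTING: conntrack undid DNAT on reply")
    elif out_iface == "eth0" and ip_address(pkt.src) in LAN:
        # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
        conntrack[(pkt.dst, pkt.dport, PUBLIC_IP, _next_masq_port)] = {
            "dst": (pkt.src, pkt.sport)}
        pkt = replace(pkt, src=PUBLIC_IP, sport=_next_masq_port)
        _next_masq_port += 1
        trace.append("POSTROUTING: MASQUERADE as %s:%d" % (pkt.src, pkt.sport))
    return "ACCEPT", pkt, trace


if __name__ == "__main__":
    flows = [(Packet("10.0.0.3", 51000, "8.8.8.8", 53), "eth1"),     # LAN -> out
             (Packet("8.8.8.8", 53, PUBLIC_IP, 40000), "eth0"),       # its reply
             (Packet("203.0.113.9", 4444, PUBLIC_IP, 80), "eth0"),   # port forward
             (Packet("10.0.0.5", 80, "203.0.113.9", 4444), "eth1"),  # its reply
             (Packet("203.0.113.9", 4444, PUBLIC_IP, 22), "eth0")]   # ssh from outside
    for pkt, iface in flows:
        verdict, out, trace = traverse(pkt, iface)
        print("%s %s -> %s %s  %s" % (iface, pkt, verdict, out, "; ".join(trace)))
```

Running it shows the two things that trip people up in practice: the reply to a masqueraded connection is accepted and de-translated without any rule naming it (conntrack does it), and the FORWARD rule for the port forward has to name the inside address 10.0.0.5 because the destination was already rewritten in PREROUTING.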
4. DYNAMIC ROUTING
DYNAMIC ROUTING
DEFINITION 31.1
Dynamic routing allows routers to adjust, in real time, the path used for transmitting IP packets. Each protocol has its own method of defining routes (e.g. shortest path, routes advertised by peers, etc.).
REMARK 31.1:
The reference tool for this task is "quagga": a set of daemons cooperating to define the routing tables that should be used by the Linux kernel. (Current Debian releases ship its fork FRRouting, package "frr", which keeps the same architecture and configuration style.) Because a routing daemon believes what its peers advertise, enable the protocol's neighbour authentication; otherwise any host on the segment can inject routes.
DYNAMIC ROUTING
Functions of dynamic routing:
• Dynamically share information between routers
• Automatically update the routing table when the topology changes
• Determine the best path to a destination
• Ability to find a new best path if the current path is no longer available
DYNAMIC ROUTING
Extra info: http://www.nongnu.org/quagga/docs/docs-info.html
5. IPV6
IPV6
DEFINITION 35.1
IPv6, the successor of IPv4, is a new version of the IP protocol designed to fix IPv4's flaws (above all address exhaustion) while still handling the network layer.
Purpose:
• Provide a new way to address machines
• Convey data to its intended destination
• Handle data fragmentation if needed (split packets into chunks; in IPv6 only the sender fragments, routers never do)
IPV6
Header comparison IPv4 vs IPv6: (figure; source: cisconet.com)
IPV6
Larger address space:
IPv4: 32 bits = 4,294,967,296 possible addresses
IPv6: 128 bits (4 times as many bits) = 2^128 ≈ 3.4 x 10^38 possible addresses = 340,282,366,920,938,463,463,374,607,431,768,211,456, roughly 5 x 10^28 addresses per person on the planet
IPV4 = 32 BITS
IPV6 = 128 BITS
IPV6
Configuration - enabling IPv6:
• put "ipv6" in "/etc/modules" (only needed on old kernels where IPv6 was built as a module; on current Debian kernels it is built in and enabled by default)
• Edit "/etc/network/interfaces":
iface eth0 inet6 static
    address 2001:XXXX:YYYY:ZZZZ::1
    netmask 64
IPV6
Configuration - tunnel (6in4, IP protocol 41, carrying IPv6 across an IPv4-only network):
• Edit "/etc/network/interfaces":
iface tun0 inet6 v4tunnel
    endpoint A.B.C.D
    address 2001:XXXX:YYYY:ZZZZ::2
    gateway 2001:XXXX:YYYY:ZZZZ::1
    netmask 64
A 6in4 tunnel is neither encrypted nor authenticated: anyone able to send packets that appear to come from A.B.C.D can inject traffic into it, so filter on the endpoint address and treat the tunnel interface as untrusted in the firewall.
IPV6
Router Advertisement (RA) autoconfiguration:
• Add in "/etc/radvd.conf":
interface eth0 {
    AdvSendAdvert on;
    AdvLinkMTU 1472;
    prefix 2001:XXXX:YYYY:ZZZZ::/64 {
        AdvOnLink on;
        AdvPreferredLifetime 3600;
        AdvValidLifetime 7200;
    };
};
Hosts accept RAs from any device on the link, so a rogue router on the LAN can take over the default route; enable RA Guard on managed switches, and on servers that do not need autoconfiguration set net.ipv6.conf.eth0.accept_ra=0.
6. DOMAIN NAME SERVERS
DNS
DEFINITION 42.1
The Domain Name System (DNS) is a fundamental component of the Internet: it maps host names to IP addresses (and vice-versa), which allows the use of www.debian.org instead of 5.153.231.4 or 2001:41c8:1000:21::21:4.
DNS provides:
• Mapping from names to addresses and vice versa
• A mechanism to store and retrieve information in a global data store
• Where to send mail for a domain (MX records)
• Geographical information (LOC records)
• etc.
DNS
Basic DNS tools:
• Using the host command:
$ host ut.ee
ut.ee has address 193.40.5.73
ut.ee mail is handled by 20 frida.it.da.ut.ee.
ut.ee mail is handled by 20 berta.it.da.ut.ee.
$ host www.ut.ee
www.ut.ee has address 193.40.5.73
www.ut.ee has IPv6 address 2001:bb8:2002:500::42
• Using host with an IPv6 address (a reverse lookup, answered from the ip6.arpa tree, one nibble per label):
$ host 2001:bb8:2002:500::42
2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.5.0.2.0.0.2.8.b.b.0.1.0.0.2.ip6.arpa domain name pointer www.ut.ee.
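How the reverse name in that last lookup is derived, as an added example that is not part of the lecture: the in-addr.arpa and ip6.arpa owner names are built by hand and checked against Python's standard library, and a forward-confirmed reverse DNS (FCrDNS) check follows, because the owner of a reverse zone can write any name into a PTR record. The resolver answers are a constructed table seeded with the slide's records (plus one assumed PTR for 193.40.5.73 and one deliberately bogus one), so the code runs offline.

```python
"""Reverse-DNS owner names for the addresses in the `host` output above.

Added example, not from the lecture. It builds the in-addr.arpa and
ip6.arpa names by hand, so the 32-nibble name returned for
2001:bb8:2002:500::42 is no longer magic, checks each against the standard
library, and then shows the forward-confirmed reverse DNS (FCrDNS) check
that should follow any PTR lookup. The resolver answers are a constructed
table seeded with the slide's records, so the code runs offline.
"""
import ipaddress


def reverse_name(addr: str) -> str:
    """Owner name at which a PTR record for `addr` lives."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")    # 32 hex digits, zeros restored
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def forward_confirmed(addr: str, ptr_records: dict, addr_records: dict) -> bool:
    """FCrDNS: the name in the PTR must resolve back to the address.

    Whoever controls a reverse zone can put any name in a PTR record, so a
    PTR on its own proves nothing; only the round trip through the forward
    zone, which a different party controls, does.
    """
    name = ptr_records.get(reverse_name(addr))
    return name is not None and addr in addr_records.get(name, set())


# Constructed stand-in for the resolver: the slide's records for www.ut.ee
# plus one assumed PTR and one deliberately bogus PTR claiming that name.
ADDR_RECORDS = {"www.ut.ee": {"193.40.5.73", "2001:bb8:2002:500::42"}}
PTR_RECORDS = {
    reverse_name("2001:bb8:2002:500::42"): "www.ut.ee",   # from the slide
    reverse_name("193.40.5.73"): "www.ut.ee",            # assumed PTR
    reverse_name("203.0.113.7"): "www.ut.ee",            # bogus claim
}


if __name__ == "__main__":
    for addr in ("193.40.5.73", "2001:bb8:2002:500::42"):
        name = reverse_name(addr)
        assert name == ipaddress.ip_address(addr).reverse_pointer
        print(addr, "->", name)
    for addr in ("2001:bb8:2002:500::42", "203.0.113.7"):
        ok = forward_confirmed(addr, PTR_RECORDS, ADDR_RECORDS)
        print(addr, "forward-confirmed:", ok)
```

In practice the two dictionaries are replaced by PTR and A/AAAA queries; the point stands: log or display a PTR name, but never grant anything on its strength until the forward lookup agrees.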
DNS
DNS built:
Components:
• Name space
• Servers making that name space available
• DNS database
The name space forms a tree structure:
.(root)
  com  -> google
  edu  -> berkeley -> cs
  ee   -> ut -> cs -> www    (www.cs.ut.ee)
             -> ds -> www    (www.ds.ut.ee)
             -> www          (www.ut.ee)
DNS
DNS built:
• DNS is hierarchical
• DNS administration is shared
• This distribution of administration is called "delegation"
(Same tree as above: a full name such as www.cs.ut.ee is read from the leaf up to the root, and each level of the tree can be delegated to a different administrator.)
DNS
How DNS works (resolving WWW.UT.EE):
1. Client to its DNS server (the resolver): "I need directions to WWW.UT.EE."
2. Resolver: "I cannot find the domain WWW.UT.EE in my database; I'll check another DNS server."
3. Other DNS server: "Yes, I have it in my cache; it is mapped to this IP address: 172.167.36.44."
4. Resolver: "Awesome, I will cache it too for a while in case someone asks for it again."
5. Client: "Thanks, I got it; I can access it now."
(Figure: resolver/query flow between the client and the two DNS servers.)
Every cache along the way is a place where a forged answer can be planted (cache poisoning), which is why resolvers randomise transaction IDs and source ports and, increasingly, validate DNSSEC signatures before caching.
DNS
Query detail with tcpdump:
$ sudo tcpdump -s1500 -n port 53
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pktap, link-type PKTAP (Packet Tap), capture size 1500 bytes
09:02:43.982601 IP 172.17.164.117.58374 > 193.40.5.39.53: 15716+ A? dr-eu.skype-cr.akadns.net. (43)
09:02:43.982719 IP 172.17.164.117.51108 > 193.40.5.39.53: 3184+ AAAA? dr-eu.skype-cr.akadns.net. (43)
09:02:43.983816 IP 193.40.5.39.53 > 172.17.164.117.58374: 15716 8/10/7 A 40.127.143.123, A 40.127.180.92, A 104.41.212.225, A 137.135.247.208, A 138.91.55.206, A 23.102.43.250, A 40.113.91.50, A 40.127.103.135 (507)
09:02:43.996398 IP 193.40.5.39.53 > 172.17.164.117.51108: 3184 0/1/0 (109)
Reading the summary: "15716+" is the transaction ID, with "+" meaning recursion desired; "A?" is the question; "(43)" is the UDP payload length; in the reply, "8/10/7" counts the answer, authority and additional records. Note that each query used a fresh random source port (58374, 51108) and transaction ID: that unpredictability is what makes it hard for an attacker to slip a forged reply past the resolver.
(On a Linux host the same capture is taken as root: sudo -s, then tcpdump -s1500 -n port 53.)
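The wire format behind that summary, as an added example that is not part of the lecture: the first query of the capture, "15716+ A? dr-eu.skype-cr.akadns.net. (43)", is rebuilt byte for byte (header, label-encoded name, type and class add up to the 43 bytes tcpdump reports), and a reply is decoded in the same notation. The reply used here is constructed with two of the slide's addresses, not the 507-byte answer that was actually captured.

```python
"""Build and decode DNS messages the way tcpdump summarises them.

Added example, not from the lecture. It reproduces the first query in the
capture above, "15716+ A? dr-eu.skype-cr.akadns.net. (43)", byte for byte,
and decodes a constructed reply so the "+" (recursion desired) and the
"8/10/7" (answer/authority/additional counts) notation become readable.
"""
import ipaddress
import secrets
import struct

QTYPE = {"A": 1, "NS": 2, "PTR": 12, "AAAA": 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """dr-eu.skype-cr.akadns.net. -> 05 dr-eu 08 skype-cr 06 akadns 03 net 00"""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                        # bounded: no pointer loops
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                   # 11xxxxxx = compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    raise ValueError("name too long or pointer loop")


def build_query(name: str, qtype: str = "A", txid=None, rd=True) -> bytes:
    if txid is None:
        txid = secrets.randbelow(1 << 16)       # unpredictable ID: poisoning defence
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def build_reply(query: bytes, addrs, ttl=60) -> bytes:
    """Constructed reply: copies the question and answers with A records."""
    txid = struct.unpack("!H", query[:2])[0]
    q_end = query.index(b"\x00", 12) + 5        # name terminator + qtype + qclass
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)   # name = pointer to 12
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, len(addrs), 0, 0)
    return header + query[12:q_end] + rrs


def summarize(msg: bytes) -> str:
    """tcpdump-style one-liner for a query or a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4
    if not flags & FLAG_QR:
        plus = "+" if flags & FLAG_RD else ""
        return "%d%s %s? %s (%d)" % (txid, plus, QTYPE_NAME.get(qtype, qtype), name, len(msg))
    answers = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1:
            answers.append("A " + str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28:
            answers.append("AAAA " + str(ipaddress.IPv6Address(rdata)))
        else:
            answers.append("%s %r" % (QTYPE_NAME.get(rtype, rtype), rdata))
    tail = (" " + ", ".join(answers)) if answers else ""
    return "%d %d/%d/%d%s" % (txid, an, ns, ar, tail)


if __name__ == "__main__":
    q = build_query("dr-eu.skype-cr.akadns.net.", "A", txid=15716)
    print(summarize(q))        # 15716+ A? dr-eu.skype-cr.akadns.net. (43)
    r = build_reply(q, ["40.127.143.123", "40.127.180.92"])
    print(summarize(r))        # 15716 2/0/0 A 40.127.143.123, A 40.127.180.92
```

The fixed transaction ID is passed in only to match the capture; left at its default the query gets a random ID, which together with a random source port is the resolver-side defence the capture above hints at.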
DNS
Query detail and analysis: you can use Wireshark (www.wireshark.org)
DNS
Resolver configuration:
• How does your computer know which DNS server to send the query to?
• Location: "/etc/resolv.conf"
• If you check it you will find lines such as:
nameserver a.b.c.d
nameserver ip:v6:ad:dr:es:s
where each entry is the IPv4/IPv6 address of a functioning DNS server. (On systems using resolvconf, NetworkManager or systemd-resolved the file is generated; edit the generator's configuration rather than the file itself.)
7. DYNAMIC HOST CONFIGURATION PROTOCOL
DHCP
DHCP provides:
• Network related parameters:
  • IP address
  • the network the machine belongs to (subnet mask, default router)
  • dynamic assignment of IP addresses (leases)
  • DNS servers
  • etc.
DEFINITION 51.1
DHCP is a protocol by which a machine can automatically get its network configuration when it boots.
DHCP
DHCP server configuration (ISC dhcpd on Debian):
• Configuration file location: "/etc/dhcp/dhcpd.conf" (the client side is "/etc/dhcp/dhclient.conf")
• domain name (option domain-name)
• DNS servers (option domain-name-servers)
DHCP
DHCP interactions (DHCP client <-> DHCP server):
1. IP lease Discover (DHCPDISCOVER, broadcast by the client)
2. IP lease Offer (DHCPOFFER, from each server that hears it)
3. IP lease Request (DHCPREQUEST, broadcast by the client, naming the server it chose)
4. IP lease Acknowledge (DHCPACK, from the chosen server)
None of these messages is authenticated: any host on the segment can answer a Discover first and hand out its own router and DNS server addresses (a rogue DHCP server). Managed switches counter this with "DHCP snooping", which only lets server replies in on trusted ports.
DHCP
DHCP message format (figure; source: http://www.isoc.org/pubs/int/cisco-1-3.html)
DHCP
DHCP message fields (the BOOTP fixed header, followed by the options area):
Field                              Description
op                                 Indicates a request or a reply: 1 = BOOTREQUEST (client to server), 2 = BOOTREPLY (server to client)
htype                              The type of hardware, e.g. 1 = Ethernet, 6 = IEEE 802 networks
hlen                               Hardware address length in bytes (6 for Ethernet)
hops                               The client sets this to 0; each relay agent that forwards the request to a server on another network increments it, and it is used to detect loops
xid (transaction ID)               A random number chosen by the client to match this request with the response it generates; it should be unpredictable, since a guessable xid makes forged replies easier
secs                               Set by the client: the elapsed time in seconds since the client started its boot process
flags                              Only the broadcast flag (bit 15) is defined; the client sets it when it cannot yet receive unicast replies
ciaddr (client IP address)         Set by the client: its current address if it already knows one (e.g. when renewing), otherwise 0.0.0.0
yiaddr (your IP address)           Set by the server: the address offered or assigned to the client
siaddr (server IP address)         Set by the server: the address of the next server to use in the boot process
giaddr (gateway IP address)        The address of the BOOTP/DHCP relay agent that forwarded the message, 0.0.0.0 if none
chaddr (client hardware address)   Set by the client: its MAC address
sname (server host name)           Optional server host name, terminated by a NUL byte (X'00')
file (boot file name)              The client either leaves this empty or specifies a generic name such as "router" to request a particular type of boot image
options                            Preceded by the magic cookie 99.130.83.99; carries the DHCP message type (option 53), name servers, domain name, lease time, etc. (There are more than 100 options; see http://www.networksorcery.com/enp/protocol/bootp/options.htm)
DHCP
DHCP message types (the value of option 53):
• 1 = DHCP Discover message (DHCPDiscover)
• 2 = DHCP Offer message (DHCPOffer)
• 3 = DHCP Request message (DHCPRequest)
• 4 = DHCP Decline message (DHCPDecline)
• 5 = DHCP Acknowledgment message (DHCPAck)
• 6 = DHCP Negative Acknowledgment message (DHCPNak)
• 7 = DHCP Release message (DHCPRelease)
• 8 = DHCP Informational message (DHCPInform)
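The fields and message types above assembled into real messages, as an added example that is not part of the lecture: the BOOTP fixed header is packed and parsed field by field, a DHCPDISCOVER / DHCPOFFER exchange is simulated, and the checks a client can make on an OFFER follow, since the protocol itself authenticates nothing. The MAC address, the addresses, the lease length and the "trusted server" list are constructed values for the example.

```python
"""Build and decode DHCP messages field by field.

Added example, not from the lecture. It packs the BOOTP fixed fields (op,
htype, hlen, hops, xid, secs, flags, 4 addresses, chaddr, sname, file),
then the magic cookie and the options area where option 53 carries the
DHCP message type, and simulates a DISCOVER/OFFER exchange. All values
used below are constructed.
"""
import secrets
import struct

MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000
MAGIC_COOKIE = b"\x63\x82\x53\x63"        # 99.130.83.99 precedes the options
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"      # the 236-byte BOOTP fixed header


def ip2b(s):
    return bytes(int(x) for x in s.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def build_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", siaddr="0.0.0.0",
               flags=0, options=()):
    """Pack one message; `options` is an iterable of (code, bytes)."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    fixed = struct.pack(FIXED, op, 1, len(chaddr), 0, xid, 0, flags,
                        ip2b("0.0.0.0"), ip2b(yiaddr), ip2b(siaddr), ip2b("0.0.0.0"),
                        chaddr, b"", b"")                   # struct pads with NULs
    opts = bytes([53, 1, msg_type])                         # message type first
    for code, data in options:
        opts += bytes([code, len(data)]) + data
    return fixed + MAGIC_COOKIE + opts + b"\xff"            # 255 = end option


def parse_dhcp(buf):
    if len(buf) < 240 or buf[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    f = struct.unpack(FIXED, buf[:236])
    msg = {"op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3], "xid": f[4],
           "secs": f[5], "flags": f[6], "ciaddr": b2ip(f[7]), "yiaddr": b2ip(f[8]),
           "siaddr": b2ip(f[9]), "giaddr": b2ip(f[10]),
           "chaddr": ":".join("%02x" % x for x in f[11][:f[2]]),
           "sname": f[12].split(b"\x00", 1)[0].decode(),
           "file": f[13].split(b"\x00", 1)[0].decode(), "options": {}}
    off = 240
    while off < len(buf):
        code = buf[off]
        if code == 255:                                     # end option
            break
        if code == 0:                                       # pad option
            off += 1
            continue
        ln = buf[off + 1]
        data = buf[off + 2:off + 2 + ln]
        if len(data) != ln:
            raise ValueError("truncated option %d" % code)
        msg["options"][code] = data
        off += 2 + ln
    else:
        raise ValueError("end option missing")
    msg["type"] = MSG_TYPES.get(msg["options"].get(53, b"\x00")[0], "unknown")
    return msg


def client_discover(mac, xid=None):
    """DHCPDISCOVER: no address yet, so ask for the reply to be broadcast."""
    xid = secrets.randbelow(1 << 32) if xid is None else xid   # unpredictable
    return build_dhcp(BOOTREQUEST, xid, mac, 1, flags=BROADCAST_FLAG,
                      options=[(55, bytes([1, 3, 6]))])        # wants mask, router, DNS


def server_offer(discover, server_ip, offered_ip, dns_ip, lease=3600):
    """DHCPOFFER echoing the client's xid and MAC, with the usual options."""
    d = parse_dhcp(discover)
    opts = [(54, ip2b(server_ip)), (51, struct.pack("!I", lease)),
            (1, ip2b("255.255.255.0")), (3, ip2b(server_ip)), (6, ip2b(dns_ip))]
    return build_dhcp(BOOTREPLY, d["xid"], d["chaddr"], 2, yiaddr=offered_ip,
                      siaddr=server_ip, flags=d["flags"], options=opts)


def offer_acceptable(discover, offer, trusted_servers):
    """Client-side checks: a reply to our transaction, for our MAC, from a
    server we expect. A rogue server on the LAN can otherwise hand us its
    own router and DNS (options 3 and 6) and see all of our traffic."""
    d, o = parse_dhcp(discover), parse_dhcp(offer)
    return (o["op"] == BOOTREPLY and o["type"] == "DHCPOFFER"
            and o["xid"] == d["xid"] and o["chaddr"] == d["chaddr"]
            and b2ip(o["options"].get(54, b"")) in trusted_servers)


if __name__ == "__main__":
    disc = client_discover("00:11:22:33:44:55")
    offer = server_offer(disc, "10.0.0.1", "10.0.0.50", "10.0.0.1")
    rogue = server_offer(disc, "10.0.0.66", "10.0.0.50", "10.0.0.66")
    for label, m in (("DISCOVER", disc), ("OFFER", offer)):
        print(label, {k: v for k, v in parse_dhcp(m).items() if k != "options"})
    print("legit offer ok:", offer_acceptable(disc, offer, {"10.0.0.1"}))
    print("rogue offer ok:", offer_acceptable(disc, rogue, {"10.0.0.1"}))
```

Real clients do not carry a list of trusted servers (dhclient accepts the first OFFER it sees), which is exactly why the server-identifier check here cannot replace DHCP snooping on the switch; it does show what a forensic parser should compare when a capture is suspected to contain a rogue OFFER.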
8. EXTRA TECHNICAL DETAILS
EXTRA TECHNICAL DETAILS
DNS more details:
http://www.ietf.org/proceedings/70/slides/dnstut-0.pdf
https://courses.cs.ut.ee/2015/ds/fall/uploads/Main/slides-14.pdf  Slides (numbers): 14, 26-37
https://courses.cs.ut.ee/MTAT.08.021/2013_fall/uploads/Main/2013SA-L004-5.pdf  Slides (numbers): 20-end
Slides (numbers): 1-13, 17-23
http://www.ics.uci.edu/~magda/cs620/ch6.pdf  Slides (numbers): 40-60
EXTRA TECHNICAL DETAILS
DHCP more details:
http://www.ics.uci.edu/~magda/cs620/ch6.pdf  Slides: 2-17
http://www.ics.uci.edu/~magda/cs620/ch6.pdf  Slides: 17-40
EXTRA TECHNICAL DETAILS
Firewalls more details:
http://www.ics.uci.edu/~magda/cs620/ch6.pdf  Slides: 2-17