Mar 14, 2020


LAB 3: NETWORK LAYER CHECKPOINT 2

Lab 3: Network Layer Checkpoint 2

Checkpoint 2 consists of some experiments to see the results of Network Address Translation as well as examining another malicious network action. Many of the questions ask for speculation on material that has not been covered in class or in the textbook -- you should experiment with Wireshark as much as you can, put together a coherent hypothesis / explanation of what you observe, and clearly report your ideas. Make sure to use appropriate networking terminology in your descriptions. Checkpoint 2 is worth 40 points. For full credit, make sure to thoroughly document your experiments (yep, that means some screenshots!).

Procedures

1. Verify that power switch 9 (on the power rail behind the rack) is turned on. If not, turn it on and wait about 5 minutes before proceeding with the next step.

Version 1.2, page 1 of 8

2. Verify that the Netgear switches inside the rack display the numbers 1, 2, 3 and 4. Note that we have two new switches for you to observe this time.

3. Turn on (restart if it is already on) the PC by powering on switch 8.

4. Make sure the keyboard is on (the switch is located on the right side of the keyboard).

5. If power switch 3 is ON, turn it OFF and wait for 5 seconds (static charge can keep the device on for a second or two).

6. Turn on power switch 3 and wait up to 5 minutes for the hosts to boot and spread routing information. You should be able to tell from Wireshark whether the routing information has spread (you did learn something from Checkpoint 1, didn't you?).

7. Connect the blue Ethernet cable to your laptop and start Wireshark.

8. When you are done with the lab, shut down the computer and turn off all the power switches EXCEPT 9!

Network Mapping

In Checkpoint 1, you explored the network and discovered the connections between routers and networks. Hopefully, you understand this information already. But, just in case, this table and figures describe the actual network and may help you for Checkpoint 2.

Router ID  AS  Protocol          Interface  IP address
1          2   RIP               eth0       2.128.13.1/24
                                 lo1        2.0.0.1/10
2          2   RIP               eth0       2.128.23.1/24
                                 lo1        2.64.0.1/10
3          2   RIP               eth0       2.128.13.2/24
                                 eth1       2.128.23.2/24
                                 eth2       2.128.34.1/24
                                 eth3       2.128.35.1/24
4          2   RIP, iBGP, eBGP   eth0       2.128.34.2/24
                                 eth1       12.0.0.2/8
5          2   RIP, iBGP, eBGP   eth0       2.128.35.2/24
                                 eth1       24.0.0.1/8
6          1   BGP               eth0       12.0.0.1/8
                                 eth1       13.0.0.1/8
                                 lo1        1.0.0.1/8
7          3   BGP               eth0       13.0.0.2/8
                                 eth1       34.0.0.1/8
                                 eth2       3.0.0.1/8
8          4   BGP               eth0       24.0.0.2/8
                                 eth1       34.0.0.2/8
                                 eth2       45.0.0.1/8
                                 lo1        4.0.0.1/8
9          5   BGP               eth0       45.0.0.2/8
                                 lo1        5.0.0.1/8
10*        3   NAT               eth0       3.0.0.2/8
                                 eth1       192.168.3.1/16

Note: NAT Device is not required for Checkpoint 1.

[Figure: inter-AS network diagram showing AS1 (R6, 1.0.0.0/8), AS2 (2.0.0.0/10 and 2.64.0.0/10, iBGP between R4 and R5), AS3 (R7, 3.0.0.0/8, with NAT device 10* in front of 192.168.0.0/16), AS4 (R8, 4.0.0.0/8) and AS5 (R9, 5.0.0.0/8), connected by the inter-AS links 12.0.0.0/8, 13.0.0.0/8, 24.0.0.0/8, 34.0.0.0/8 and 45.0.0.0/8, with the eth0/eth1/eth2/lo1 interface labels from the table above.]

[Figure: AS2 internal diagram showing R1 (lo1, 2.0.0.0/10), R2 (lo1, 2.64.0.0/10), R3, R4 and R5 and the links 2.128.13.0/24, 2.128.23.0/24, 2.128.34.0/24 and 2.128.35.0/24, with R4 eth1 on 12.0.0.0/8 and R5 eth1 on 24.0.0.0/8.]

Network Address Translation (NAT)

You should understand how a NAT device makes all the traffic from an entire "private" network appear to originate at a single IP address. Most of the NAT complexity is related to matching reply packets and sending them to the proper private host. Let's explore some of that with respect to the 192.168.x.x network. Do the following:

• Use a browser from the PC Desktop to open the most "popular" video streaming site on the network rack. The URL is http://videosite.com. BTW, you can use the cool browser from Lab 1 if you like.

• Examine the traffic on either side of the NAT device using Wireshark.

Answer the following question:

9. (5 points) What is the NAT device doing to the packets in order to allow you to access the website? Be sure to describe the outbound and inbound traffic and to speculate on how the NAT device gathers enough information to perform the translation.

In order to understand and explore the limitations of the NAT device, let's do some SSH hopping. Do the following:

• Using the Lab 1 app on the PC, open 2 ssh connections. One connection is to the raspberry pi at 192.168.1.100 and the other connection to 192.168.1.101 (these pis have been configured to use the NAT as a gateway).

• From each of these ssh sessions, execute another ssh connection to 2.64.0.1, using this command:

ssh -o 'ProxyCommand nc -p 1234 %h %p' [email protected]

This command will create a local proxy so the SSH connection can be forced to use the source port 1234.

• Keep those ssh connections open. Type a few commands to make sure they are live.

• At this point, you should have two ssh connections going through the NAT to the same destination with the same source port number.

• Examine the traffic on either side of the NAT device using Wireshark.

Use your observations to answer this question:

10. (5 points) What translations are made by the NAT device to achieve both connections? How does it distinguish inbound traffic and determine which device to send the traffic to?

It looks like port numbers are pretty handy. But not all traffic has port numbers. What will the NAT device do if there are no port numbers? Do the following to find out:

• Use ping to send ICMP packets from both 192.168.1.100 and 192.168.1.101 to 2.0.0.1. You do recall how to control how many pings get sent? Can you ensure pings coming from both sources, at about the same time, overlapped temporally, through the NAT device?

• Use Wireshark to examine the traffic.

Answer this:

11. (5 points) What translations are made to the ICMP packets? Speculate or determine how responses are sent to the correct internal address.

One more fun NAT query. What happens if the inbound traffic has even less association to the outbound traffic? Do this:

• Close up the ssh connections.

• On the PC, open a CMD window (not powershell).

• Use the dig command to send a DNS request to the DNS server at 2.0.0.1 (you do remember how to choose a DNS destination server, don't you?). Ooops. It looks like there isn't a DNS server at 2.0.0.1. Therefore, ICMP error messages will be returned.

Take a look with Wireshark and answer this question:

12. (5 points) How in the world can the NAT device match the ICMP reply, which doesn't have a port number, to a UDP segment sent from behind the private network?

In class, we mentioned one drawback to NAT: the NAT table only gets updated when a packet is sent from inside the private network. I mentioned the idea of "port forwarding" as a way to pre-populate the NAT table so that external sources can initiate the connection. There is a raspberry pi that is eagerly trying to send you an image. You should be able to see a TCP SYN segment sent every 5 seconds. Let's start up a server to receive that image. Do the following:

• On the PC, locate a small python script in the folder C:\Users\Public\Public Documents\Lab 3\ named recv_img.py. If you view the folder and hold shift while right clicking, you can open a powershell in that folder. Use the powershell to run

python recv_img.py

Now, the PC is listening for a tcp connection on port 5555 and the raspberry pi is trying to create a connection to 5555, but they can't seem to find each other (the reason should be obvious by now).

You need to perform one last action to set up the port forwarding before the connection can be established.

• Use this command to enable the port forwarding. It adds a rule in the NAT to translate packets coming in on an INTERFACE with a PORT NUMBER to a PRIVATE IP.

sudo iptables -t nat -A PREROUTING -i <Interface> -p tcp --dport <Port Number> -j DNAT --to-destination <Private IP Address>

13. (10 points) On what host and with what values should you run this command to establish a connection and allow the image to be received? Attach a screenshot of the translated connection. (Hint: Only one host in the entire network will let you run this command)
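As an added example (not code from the lab), here is a small Python model of the stateful NAT behaviour this section asks you to observe: source-port preservation and remapping for the two ssh connections, ICMP echo identifiers standing in for ports, the quoted inner header that lets an ICMP error be matched to a UDP segment, and a PREROUTING DNAT rule for port 5555. It imitates Linux conntrack in simplified form; the public address 3.0.0.2 comes from the table above, while the 0x2A1B identifier, the 40000 source port, the external sender 3.0.0.77 and the DNAT target 192.168.1.100 are constructed values.

```python
PUBLIC_IP = "3.0.0.2"  # NAT device (10*) eth0 address, from the network-mapping table

class Napt:
    # Simplified stateful NAPT, Linux-conntrack-like; not the lab's actual device.
    def __init__(self):
        self.out = {}   # (proto, int_ip, int_port, dst_ip, dst_port) -> external port
        self.back = {}  # (proto, external port, dst_ip, dst_port) -> (int_ip, int_port)
        self.dnat = {}  # (proto, dport) -> private ip: the PREROUTING DNAT rules

    def outbound(self, proto, src, sport, dst, dport):
        # Rewrite a packet leaving the private side; for ICMP echo, sport is the Identifier.
        key = (proto, src, sport, dst, dport)
        if key not in self.out:
            ext = sport
            # keep the original port/identifier when free; remap only on a collision,
            # which is how two hosts can both use source port 1234 towards 2.64.0.1:22
            while (proto, ext, dst, dport) in self.back:
                ext = (ext + 1) % 65536
            self.out[key] = ext
            self.back[(proto, ext, dst, dport)] = (src, sport)
        return (PUBLIC_IP, self.out[key], dst, dport)

    def inbound(self, proto, src, sport, dport):
        # Public-side packet -> (private ip, port). Replies match outbound() state; unsolicited
        # packets pass only via a DNAT rule, otherwise None: no table entry, packet dropped.
        hit = self.back.get((proto, dport, src, sport))
        if hit:
            return hit
        if (proto, dport) in self.dnat:
            return (self.dnat[(proto, dport)], dport)
        return None

    def inbound_icmp_error(self, quoted):
        # ICMP errors quote the header of the offending packet as the public side saw it:
        # quoted = (proto, src_ip, src_port, dst_ip, dst_port), src_port being the translated port.
        proto, _, ext_port, dst, dport = quoted
        return self.back.get((proto, ext_port, dst, dport))

def demo():
    nat = Napt()
    a = nat.outbound("tcp", "192.168.1.100", 1234, "2.64.0.1", 22)   # first ssh hop
    b = nat.outbound("tcp", "192.168.1.101", 1234, "2.64.0.1", 22)   # same source port
    reply_b = nat.inbound("tcp", "2.64.0.1", 22, b[1])
    ping = nat.outbound("icmp", "192.168.1.101", 0x2A1B, "2.0.0.1", 0)  # constructed id
    echo_reply = nat.inbound("icmp", "2.0.0.1", 0, ping[1])
    dns = nat.outbound("udp", "192.168.1.100", 40000, "2.0.0.1", 53)   # constructed port
    unreach = nat.inbound_icmp_error(("udp",) + dns)
    nat.dnat[("tcp", 5555)] = "192.168.1.100"  # constructed DNAT target for recv_img.py
    syn = nat.inbound("tcp", "3.0.0.77", 40001, 5555)  # constructed external sender
    return a, b, reply_b, echo_reply, unreach, syn
```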

BGP Black Holes

Let's turn our attention to one last concept: BGP misconfigurations.

Imagine you are a careless network administrator who accidentally takes down a popular video site. If this ever happens to you in real life, don't tell anyone that you took my class.

The video site you loaded earlier (videosite.com) is located at 5.0.0.1. From the network diagram we can see that the 5.0.0.0 network is quite a few hops away. Do the following:

• ssh into the [email protected]

• Open a telnet session with the BGP daemon (telnet localhost 2605)

• After entering the password (zebra), type en and enter the same password again.

• Type configure terminal to set the router to configuration mode

• Type router bgp 1 to open the AS1 BGP session on the router (Entering dangerous territory)

• Now all we need to do to change everyone’s routing table is type network 5.0.0.0/8

That’s it! Now AS1 will advertise a route to the 5.0.0.0 network with 1 hop. Use the browser (or the Lab1 app) to open http://videosite.com from the PC.

14. (10 points) How far do you think the fake routing announcement spread? What is the extent of the damage? List all routers whose forwarding table got changed by the fake message, with a short description of why and how you know.
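As an added example (not part of the lab handout), a shortest-AS-path model of the five-AS topology in the network diagram that estimates how far the bogus 5.0.0.0/8 announcement from AS1 travels. It assumes plain AS-path-length selection with a lexicographic tie-break and ignores local-pref, MED, iBGP and RIP redistribution, so it works at AS granularity only and what Wireshark shows on the rack may differ; establishing the router-level damage is what question 14 asks of you.

```python
LINKS = [(1, 2), (1, 3), (2, 4), (3, 4), (4, 5)]  # inter-AS links read off the diagram

def neighbours(asn):
    return sorted({b for a, b in LINKS if a == asn} | {a for a, b in LINKS if b == asn})

def converge(origins):
    # Shortest-AS-path BGP for one prefix. best[asn] is the AS path from asn to an origin,
    # starting with asn itself. Paths that already contain the receiver are rejected
    # (AS-path loop detection); ties are broken by the lexicographically smaller path,
    # a stand-in for the router-id tie-break since the model has no local-pref or MED.
    best = {asn: (asn,) for asn in origins}
    changed = True
    while changed:
        changed = False
        for asn, path in list(best.items()):
            for n in neighbours(asn):
                if n in path:
                    continue
                cand = (n,) + path
                cur = best.get(n)
                if cur is None or (len(cand), cand) < (len(cur), cur):
                    best[n] = cand
                    changed = True
    return best

def hijack_impact(legit_origin, bogus_origin):
    # Compare converged routes for the prefix before and after a second AS originates it.
    # Returns the ASes whose best path changed, mapped to (old path, new path).
    before = converge({legit_origin})
    after = converge({legit_origin, bogus_origin})
    return {asn: (before.get(asn), after[asn]) for asn in after if after[asn] != before.get(asn)}

def demo():
    # 5.0.0.0/8 legitimately belongs to AS5 (R9); the procedure has AS1 (R6) announce it too.
    return hijack_impact(5, 1)
```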

Turn-in

Write a report of your interactions and answer the questions. Make sure to include enough details to ensure we understand that you understand what is going on. For instance, screenshots should probably be annotated to show where a number came from -- don't assume that because you know how to read a Wireshark screen that we know that you know it. Our graders will not make that assumption. So, prove it to us by describing/annotating every value you find.

Turn in your answers in a single PDF file and submit it to the Lab3 Checkpoint 2 “Assignment” on Gradescope. Mark the pages according to the question. Students who fail to mark a question correctly will lose all the points for that question.