Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS
Network Administration
Grégory Mounié
SCCI - Master-2
<2013-09-17 mar.>
1 / 75
Outline
Introduction
IP addresses
Toward IPv6
Host name
Routing
Services
Integration between different OS
Challenge
For people with sufficient background:
• easy: chat on Google Talk (or Facebook) with XMPP on the wifi-campus/eduroam network of the campus
• hard: surf on ipv6.google.com on the wifi-campus/eduroam network of the campus
Networks
Definition (network): group of interconnected machines
Definition (Internet)
• network of networks
• based on the TCP (Transmission Control Protocol) and IP (Internet Protocol) protocols
Networks of networks
Figure: Interconnection of networks
TCP/IP
Internet Protocol
• identifies network interfaces
• handles routing
• fragmentation of data into packets
Transmission Control Protocol
• transmissions in connected mode
• error correction, packets arriving in order
IP address
• unique number identifying a network interface
• e.g. IPv6: 2a00:1450:4009:804::1007
• fe80::2677:3ff:fe2e:22c0/64 : 64-bit network ID
• 255.255.255.0 : mask for an IPv4 class C network
• 255.0.0.0 : mask for an IPv4 class A network
• 255.128.0.0 : IPv4 mask: 9 bits for the network, 23 bits for hosts
Special IPv4 addresses
• 0.0.0.0 : this host, or default
• 0.host : a host of the local network
• 255.255.255.255 : local broadcast
• PrefixNet.[1]+ : local broadcast
• PrefixNet.PrefixSubnet.[1]+ : same
• 127.x.x.x : loopback
• 10/8, 172.16/12, 192.168/16 : private networks
• 169.254.x.y : zeroconf (bonjour) autoconf (for local usage only)
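An added example (my own code, not from the slides) covering the netmask arithmetic of the IP address slide and the special IPv4 ranges listed above: it splits a dotted mask into network and host bits, derives the network ID and directed broadcast, and names the role of an address. The helper names are assumptions.

```python
import ipaddress


def mask_bits(mask: str) -> tuple:
    """Split a dotted IPv4 netmask into (network bits, host bits).

    A valid mask is a run of 1 bits followed by 0 bits; 255.128.0.0 is
    9 ones + 23 zeros. Anything else (e.g. 255.0.255.0) is rejected.
    """
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return ones, 32 - ones


def network_id(addr_with_prefix: str) -> str:
    """Network part of address/prefix, IPv4 or IPv6 (host bits cleared)."""
    return str(ipaddress.ip_interface(addr_with_prefix).network)


def broadcast_of(cidr: str) -> str:
    """Directed broadcast of an IPv4 network: all host bits set to 1
    (the slide's PrefixNet.[1]+)."""
    return str(ipaddress.IPv4Network(cidr).broadcast_address)


def classify_v4(addr: str) -> str:
    """Name the special role of an IPv4 address, following the slide.

    The specific cases come first on purpose: the ipaddress module also
    reports 0.0.0.0/8, 127/8, 169.254/16 and 255.255.255.255 as private.
    """
    a = ipaddress.IPv4Address(addr)
    if a == ipaddress.IPv4Address("0.0.0.0"):
        return "this host / default"
    if a == ipaddress.IPv4Address("255.255.255.255"):
        return "local broadcast"
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "zeroconf"
    if a.is_private:
        return "private"
    return "public"


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.0.0.0", "255.128.0.0"):
        print(mask, "->", mask_bits(mask))
    print(network_id("fe80::2677:3ff:fe2e:22c0/64"))
    print(broadcast_of("192.168.0.0/24"))
    # 194.254.0.1 is a constructed address from the "Europe" range
    for ip in ("0.0.0.0", "127.0.0.1", "10.6.8.254", "169.254.1.2", "194.254.0.1"):
        print(ip, classify_v4(ip))
```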
Basic configuration
• ifconfig command
• ifconfig -a : list all available interfaces
• ip command
• ip link; ip addr
ifconfig eth0 add 2a00:1450:4007:803::1017/64
ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up
From IPv4 to IPv6
• The IPv4 address space is too small.
• A transition path was planned with the IPv6 standard (RFC 2460, 1998):
• Dual-stack public IP addresses during the transition
Planned transition failure
• Nobody has done the transition.
• All plans used dual-stack strategies.
• No public IPv4 addresses anymore (IANA: 3 Feb 2011!)
IPv4 is a zombie
IPv4 was dead a long time ago!
• In 1993, IPv4 became classless: the remaining class C networks were grouped into (21 bits, 2048 hosts) networks and distributed geographically:
• Europe : 194-195.x.x.x
• America : 198-199.x.x.x
• Asia : 202-203.x.x.x
Large usage of private networks (NAT)
• Major architecture change.
• One-way Internet connection for personal use: 1 public IP address per DSL box (your CPE: customer premises equipment)
• New services and protocols become undeployable!
• Mobile phone routing (how to route efficiently through multiple private networks?)
IPv4 is a zombie II
Early adopters have a lot of remaining addresses
• people with competences have plenty of IPv4 addresses:
• e.g. recent wifi-campus and eduroam give one IPv4 address per connected student
• people without enough IPv4 addresses do not have the competence to manage an IPv6 network
IPv4 is a zombie III
NAT Zoo
• NAT44 : your home, your phone network
• NAT444 : Asia and Africa: not a single public IP anymore!
• NAT64 : early adopters
• NAT66 : NAT lovers
• NAT464 or 646 ??
Is IPv6 ready?
Big software is ready. (Chicken-and-egg problem for small software)
http://www.google.com/ipv6/statistics.html
• 2% of Google accesses (France 5%, Germany 4.5%, Romania 7.5%)
Host names
• needed for human-readable names
• an IP address may change ⇒ the name does not change
• association between names and addresses
• several names can be associated with the same address
• several addresses can be associated with the same name
Host name versus authentication
A host name and its associated IP are not sufficient as authentication!
URL
• Uniform Resource Locator
• heavy use of caching
• slow propagation of changes (up to several days)
• different addresses may be seen for a name if requests originate from different places
Address resolving
Different mechanisms
• configuration in /etc/nsswitch.conf
• DNS server IPs : /etc/resolv.conf
• /etc/hosts : list of known hosts
• may be the cause of process stalls (a lookup that hangs blocks the calling process)
DNSSEC
• No security in the original design ⇒ forged addresses by man-in-the-middle attack
• Digitally sign the records with public-key cryptography and a chain of trust (a subdomain key is recursively authenticated by its domain; the root is trusted)
Private Network is not a protection
• private IP ⇒ no direct connection from the Internet
• still, indirect connections are possible
Browser + DNS attack
1. Browsers download web pages including JavaScript code
2. JavaScript code can connect only to the server
3. the server IP is given by the DNS of the server
4. the DNS of the server may choose a small timeout for the caching of the resolution
5. the DNS may answer a different address at the second resolution
6. the DNS answer may include a private IP address
7. JavaScript may connect to any local computer with a private IP (e.g. your DSL box and its configuration)
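An added example (my own code, not from the slides) of two defences against the browser + DNS attack above: a resolver-side filter that refuses answers placing a public name inside the private, loopback or zeroconf ranges from the earlier slide (the idea behind the "stop DNS rebind" option of some resolvers; the code is not theirs), and a Host header check on the local device. MIN_TTL, the IPv6 ranges and the sample answers are my assumptions; the answers are constructed, not captured.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Answer:
    name: str      # queried host name
    address: str   # address returned by the authoritative server
    ttl: int       # seconds the answer may be cached

MIN_TTL = 60  # assumed policy: refuse TTLs that allow a re-resolution mid-page

# Ranges that must never appear in an answer for a public name: the slide's
# private, loopback and zeroconf ranges plus IPv6 counterparts (assumed list).
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def rebinding_risk(ans: Answer) -> Optional[str]:
    """Return why the answer must be dropped, or None if it is acceptable."""
    ip = ipaddress.ip_address(ans.address)
    if ip.version == 6 and ip.ipv4_mapped:   # ::ffff:192.168.1.254 is still 192.168.1.254
        ip = ip.ipv4_mapped
    for net in LOCAL_ONLY:
        if ip.version == net.version and ip in net:
            return f"{ans.name} -> {ans.address} lies in local-only range {net}"
    return None


def filter_answers(answers: List[Answer], internal_names=()) -> Tuple[list, list]:
    """Drop rebinding answers and clamp the TTL of the rest. Names listed in
    internal_names (the site's own intranet zone) may resolve to private space."""
    kept, dropped = [], []
    for a in answers:
        reason = None if a.name in internal_names else rebinding_risk(a)
        if reason:
            dropped.append((a, reason))
        else:
            kept.append(Answer(a.name, a.address, max(a.ttl, MIN_TTL)))
    return kept, dropped


def host_header_ok(host_header: str, expected_names) -> bool:
    """Device-side defence: after a rebind the browser still sends the attacker's
    name in Host:, so a box that only serves its own names refuses the request."""
    host = host_header.lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [fe80::1]:631
        host = host[1:host.index("]")]
    else:
        host = host.split(":")[0]
    return host in {n.lower() for n in expected_names}


# Constructed sample: attacker.example first answers with its own server (TTL 1 s),
# then re-answers with the DSL box, loopback, and an IPv4-mapped variant.
SAMPLE = [
    Answer("www.example.net", "198.51.100.10", 300),
    Answer("attacker.example", "203.0.113.7", 1),
    Answer("attacker.example", "192.168.1.254", 1),
    Answer("attacker.example", "127.0.0.1", 1),
    Answer("attacker.example", "::ffff:192.168.1.254", 1),
    Answer("intranet.corp.example", "10.0.0.5", 3600),
]
```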
Routing
• routing handled by the IP protocol
• routes are found from neighbors to neighbors
• possibility of several routes from source to target
• routes could be asymmetric
• bugs: cycles, sinks, half-broken routes, . . .
• mechanisms to destroy packets (TTL)
• mechanisms to inform the sender of the troubles (ICMP)
Example of bad routing (real case I)
• Not enough ethernet plugs in an office ⇒ add a 10 euro switch in the office
• Wait some time ⇒ the switch gets connected with two of its ports to two wall plugs
• enjoy your slow network due to a packet loop of every broadcast packet
Cables are the problem
Cables are always the problem.
Example of bad routing (real case II)
• Security is important, thus ICMP is filtered.
• Somebody needs a large bandwidth between two cities ⇒ multi-path connection with automatic load-balancing
• somebody checks the performance: it is working!
• One of the paths becomes broken (somebody changes routing somewhere in the path, or unplugs a cable)
• High loss rate of TCP packets ⇒ slow but working TCP connections.
• End-point observation of the traffic looks quite normal (no ICMP error packet reported)
• Wait months, or years, before somebody really checks the performance again and spots the problem.
ICMP filtering
Networks are complex! ICMP packets are important! Filtering ICMP increases the difficulty of debugging any problem.
IP headers
IPv4 headers
Routing tables
• on each host : a table indicating to which network interface a packet should be routed
• many possible destinations ⇒ the table generally contains network addresses rather than host addresses
• table displayed and configured by the ip or the route commands
ip ≠ route
• man ip
• ip route add 2a00:1450:4007:803::/64 dev eth0
• man route : good for common tasks (examples)
• route : displays the routing table
• route add -net 2a00:1450:4007:803::/64 dev eth0
• route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0
• route add default gw univ-gw
Traceroute6
~> $ traceroute6 ucla.edu
traceroute to ucla.edu (2607:f010:3fe:101:0:ff:fe01:32), 30 hops max, 80 byte packets
 1 2a01:e35:2433:1510::1 (2a01:e35:2433:1510::1) 3.444 ms 3.396 ms 3.377 ms
 2 * * *
 3 th2-crs16-1.intf.routers.proxad.net (2a01:e00:2:d::1) 47.402 ms 47.418 ms 47.402 ms
 4 bzn-crs16-1-be2000.intf.routers.proxad.net (2a01:e00:1:6::1) 47.415 ms 47.398 ms 47.381 ms
 5 londres-6k-1-po101.intf.routers.proxad.net (2a01:e00:1:a::2) 68.444 ms 70.827 ms *
 6 2a01:5d8:e000:0:401:402:0:2 (2a01:5d8:e000:0:401:402:0:2) 65.581 ms 48.089 ms *
 7 20gigabitethernet1-3.core1.ams1.ipv6.he.net (2001:7f8:1::a500:6939:1) 53.755 ms 53.701 ms 53.684 ms
 8 10gigabitethernet1-4.core1.lon1.he.net (2001:470:0:3f::1) 53.668 ms 53.653 ms 64.754 ms
 9 10gigabitethernet7-4.core1.nyc4.he.net (2001:470:0:128::1) 127.037 ms 116.096 ms 113.389 ms
10 10gigabitethernet5-3.core1.lax1.he.net (2001:470:0:10e::1) 199.101 ms 192.953 ms 187.097 ms
11 lax-hpr--he-peer.cenic.net (2001:468:e00:801::1) 187.047 ms * *
12 dc-lax-core2--lax-px1-10ge-2.cenic.net (2607:f380::118:9a42:e981) 191.549 ms 191.456 ms 197.117 ms
13 2607:f380::118:9a42:e871 (2607:f380::118:9a42:e871) 190.425 ms * *
14 * * *
15 2607:f010:bff:f012:0:ff:fe00:1 (2607:f010:bff:f012:0:ff:fe00:1) 235.370 ms 224.552 ms 193.341 ms
16 core-2--csb1-1.backbone.ucla.net (2607:f010:bff:e007:2d0:3ff:fed3:7800) 188.900 ms 192.547 ms 192.536 ms
17 core-2--csb1-1.backbone.ucla.net (2607:f010:bff:e007:2d0:3ff:fed3:7800) 3194.885 ms !H * *
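An added example (my own code, not from the slides) that parses traceroute6 output such as the one above and reports what ICMP, or its absence, tells the administrator: hops that never answer (what the ICMP filtering case earlier produces) and hops that return an ICMP error code such as !H. SAMPLE is an excerpt of the slide's own output; the function names are assumptions.

```python
import re

# Excerpt of the traceroute6 output shown on the slide (hops 1, 2, 5, 11, 17).
SAMPLE = """\
traceroute to ucla.edu (2607:f010:3fe:101:0:ff:fe01:32), 30 hops max, 80 byte packets
 1  2a01:e35:2433:1510::1 (2a01:e35:2433:1510::1)  3.444 ms  3.396 ms  3.377 ms
 2  * * *
 5  londres-6k-1-po101.intf.routers.proxad.net (2a01:e00:1:a::2)  68.444 ms  70.827 ms *
11  lax-hpr--he-peer.cenic.net (2001:468:e00:801::1)  187.047 ms * *
17  core-2--csb1-1.backbone.ucla.net (2607:f010:bff:e007:2d0:3ff:fed3:7800)  3194.885 ms !H * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
NAME_RE = re.compile(r"^(\S+) \((\S+)\)")
# One probe result: "12.345 ms" optionally followed by an ICMP code (!H, !N, ...),
# or a lone "*" when no ICMP time-exceeded came back before the timeout.
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?) ms(?: (![A-Z0-9!]+))?|\*")


def parse_traceroute(text: str) -> list:
    """Return one dict per hop: number, host, address, RTTs, timeouts, ICMP flags."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # the "traceroute to ..." header line
        num, rest = int(m.group(1)), m.group(2)
        nm = NAME_RE.match(rest)
        host, addr = (nm.group(1), nm.group(2)) if nm else (None, None)
        rtts, flags, timeouts = [], set(), 0
        for pm in PROBE_RE.finditer(rest):
            if pm.group(0) == "*":
                timeouts += 1
            else:
                rtts.append(float(pm.group(1)))
                if pm.group(2):
                    flags.add(pm.group(2))
        hops.append({"hop": num, "host": host, "addr": addr,
                     "rtts": rtts, "timeouts": timeouts, "flags": flags})
    return hops


def diagnose(hops: list) -> list:
    """(hop, note) pairs: silent hops (ICMP time-exceeded filtered or rate-limited
    on the way back), partial loss, and ICMP errors such as !H (host unreachable)."""
    notes = []
    for h in hops:
        if h["timeouts"] and not h["rtts"]:
            notes.append((h["hop"], "no reply at all: ICMP filtered or rate-limited"))
        elif h["timeouts"]:
            notes.append((h["hop"], f"{h['timeouts']}/3 probes lost at {h['addr']}"))
        for f in sorted(h["flags"]):
            notes.append((h["hop"], f"ICMP error {f} from {h['addr']}"))
    return notes


if __name__ == "__main__":
    for hop, note in diagnose(parse_traceroute(SAMPLE)):
        print(f"hop {hop:2d}: {note}")
```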
BGP
• Border Gateway Protocol (RFC 1771)
• communication of routing tables between ISPs
• autonomous systems
• dampening
• OpenBSD implementation : openbgpd
ARP protocol
• IP : high-level protocol
• network card : mainly the ethernet protocol
• correspondence between MAC addresses and IP addresses:
• Very useful ⇒ Address Resolution Protocol, part of IPv6 (ARPv6)
ARP table
# ip neigh
fe80::207:cbff:fec3:6fd dev wlan0 lladdr 00:07:cb:c3:06:fd router STALE
192.168.1.254 dev wlan0 lladdr 00:07:cb:c3:06:fd STALE
# arp
Address HWtype HWaddress Flags Mask Iface
10.6.8.254 ether 00:07:EC:CD:18:CA C eth2
External connections
• use of a gateway
• a gateway binds two different networks
Two network cards
• eth0 and eth1 in two different networks
• host acting as a gateway
• other hosts modify their routing tables
• activate forwarding:
• echo 1 > /proc/sys/net/ipv4/ip_forward
Masquerading/NAT
• we lie about the origin of all outgoing packets
• packets will be tagged as coming from the gateway
• goal : connecting a subnet by using only 1 IP address
• gateway in charge of the correspondences
• note: the connected subnet should be a local network (192.168.X.X)
• similar usage: 4-to-6, 6-to-4, 4-to-4-to-4, 6-to-6-to-6
Masquerading
• Masquerading-Simple-HOWTO
• iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
• iptables will be presented in detail in following courses
Useful commands
• netstat : lists active sockets
• lsof : lists processes using sockets
• telnet : sending data interactively
• netcat : like cat for the network
Several ways to select the IPv6 address
1. static address (by hand or configuration file)
2. Router Advertisement and automatic selection of the machine ID (SLAAC)
3. DHCPv6
Several ways to select the IPv4 address
1. static address (by hand or configuration file)
2. DHCP
3. Zeroconf/autoconf (IPv6 link-local for the poor IPv4 guy)
Zeroconf/autoconf
1. choose randomly an IP in the 169.254.x.y range
2. Ask using ARP (broadcast) if somebody uses it
3. If no answer comes, use it and defend it against following ARP requests.
Services
Servers are executed as daemons
Examples of services
• print server
• web server
• ftp server
• game servers
• . . .
Port number
• different services on one host
• how to differentiate them?
• port number
• one service = one port + one protocol
• standard numbers (web=80, . . . )
• entry points on a host
Port numbers are not part of IP
Working on port numbers ⇒ understand the transport protocol
TCP communications
Client side
1. create a socket
2. connect to the remote host on the given port
3. connection accepted or refused
4. communications following the protocol
Server side
1. create a socket
2. bind the socket to the given port
3. accept or refuse incoming communications
Common services
Services commonly use well-known port numbers (/etc/services)
Other protocols than TCP
• UDP : IP + port number
• SCTP : TCP with messages, multiple streams, multi-homing, 4-way handshake
• DCCP : UDP with a TCP-like connection for congestion control (no resending of lost packets)
DHCP server
• centralizes network configuration
• configures IP addresses, routing tables, DNS servers
• server : dhcpd
• client : dhcpcd, pump, dhclient
• communication by broadcast
Fully integrated in IPv6 (DHCPv6)
Web server
• usually Apache (51%; Netcraft survey)
• many other servers (30+; 11%)
• IIS (20%), nginx (15%), caudium, yaws, araneida, boa
• installation from packages
• configuration files in /etc/apache2
• many different modules
Proxy server
Some web proxies
• squid
  • caching proxy
• junkbuster
  • removes advertising from web pages
TOR
Heterogeneous networks
Lots of different OSes in the same network:
• Linux (300 versions) + FreeBSD + macOS X (2-3 versions) + various Unixes + Windows NT + Windows XP + Windows 2000 Server + Windows Vista + Windows 7 + Windows 8
• . . .
Goals
• network ⇒ sharing of resources
  • printers
  • files
  • zip drive, backup services
  • . . .
• sharing access to the internet
  • gateway + masquerading
Structure
IP network
• easy to put in place
• standard protocol
• available on all systems
• immediate interconnection
• resource sharing?
• unix standards
• efficient
• not (easily) compatible with Windows
File sharing
• NFS (Network File System)
• server exports file systems
• client mounts remote file systems
• completely transparent
• kernel or user-space driver
• simple configuration compared to other solutions (NFSv4+Kerberos vs AFS?)
Printers
• cups, one daemon per host, implementing a three-step system:
1. scheduler/spooler for collecting and routing documents
2. filter for converting the document into the language of the printer
3. backends (ipp, http, ftp, usb)
• /etc/cups/cupsd.conf
• all daemons are communicating
• Web interface (http://localhost:631)
In case of problem, add a level of indirection
• To avoid setting up the list of printers on all computers, the daemons exchange their known lists of printers.
• To avoid setting up the printer driver on all computers, translate the document format to the printer language if different.
Other devices
• often NFS is sufficient (e.g. for ZIP drive)
• special services for some devices:
LDAP
• LDAP is similar to NIS
• TLS connection
• storing an X.500 tree of attributes/values
• ldap/ldaps port 389/636
• e.g. dn: uid=toto,ou=people,dc=example,dc=org