Networking II

Computer Networks II
By: Ing. Hector M Lugo-Cordero, MS
What is a network?
• Collection of computers interconnected to
share resources
• A network does not mean Internet access
• Exposes security issues
OSI Model Layers
• Physical (repeaters/hubs): signals
• Data Link (bridges/switches): frame
• Network (routers/L3 switches): packet
• Transport: segment
• Session
• Presentation
• Application: data
Network Layer
• Is responsible for two tasks:
– Pre-routing: creates optimal routes from one end node to another, storing them in a routing table
– Post-routing: communicates data through the network using IP addresses (like a postal service)
• Communication patterns
– Unicast: one source, one destination
– Multicast: one source, multiple destinations
– Broadcast: one source, all destinations
IP Addresses
• Identify nodes in a network in combination with the subnet mask
• Divided into classes, each of which has some private ranges
– A (1 – 127)
• Private: 10.x.x.x and 127.x.x.x (localhost)
• Default subnet mask: 255.0.0.0
• 24.0.0.0/8 Cable Television Networks
– B (128 – 191)
• Private: 172.16.x.x – 172.31.x.x
• Default subnet mask: 255.255.0.0
– C (192 – 223)
• Private: 192.168.x.x
• Default subnet mask: 255.255.255.0
– E (240 )
• Reserved for future use
Multicast IP Addresses
• Class D (224 – 239)
– 224.0.0.0 – 224.0.0.255 (Reserved)
• 224.0.0.5 (OSPF Routers)
• 224.0.0.6 (OSPF Designated Routers)
• 224.0.0.9 (RIP Routers)
– 224.0.1.0 – 238.255.255.255 (global)
– 239.0.0.0 – 239.255.255.255 (local)
• A widely used multicast protocol is
– Protocol Independent Multicast (PIM)
– Uses multicast address 224.0.0.13
Sub-netting
• Sub-netting is using host bits to create
subnets
• Increases the number of networks that can
exist
• Good if we want a lot of networks and
fewer hosts
Super-netting
• Super-netting is using network bits to
increase the number of hosts
• Good if we have a single network and
need to increase its size to support more
hosts
• Good in combination with vlans
• Used in our department
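The class, private-range, sub-netting and super-netting rules above, worked through in code. This is an added example (not part of the slides) built on Python's standard `ipaddress` module; the addresses and prefix lengths used are constructed sample values. `supernet()` also shows the check a practitioner wants before widening a mask: every existing network must actually fit inside the new block.

```python
import ipaddress
from typing import List, Optional, Tuple

# Classful default prefix lengths as given in the slides (classes D and E have none).
CLASS_DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Classful letter A-E of an IPv4 address, decided by the first octet."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"   # multicast
    return "E"       # reserved


def default_mask(addr: str) -> Optional[str]:
    """Default subnet mask for the address's class, or None for D/E."""
    prefix = CLASS_DEFAULT_PREFIX.get(address_class(addr))
    if prefix is None:
        return None
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def is_private(addr: str) -> bool:
    """True for RFC 1918 space; the stdlib also counts loopback (127/8) and
    link-local here, which matches the slides' listing of 127.x.x.x."""
    return ipaddress.IPv4Address(addr).is_private


def subnet(network: str, new_prefix: int) -> List[Tuple[str, int]]:
    """Sub-netting: borrow host bits. Returns (subnet, usable hosts) pairs."""
    net = ipaddress.IPv4Network(network)
    return [(str(s), s.num_addresses - 2) for s in net.subnets(new_prefix=new_prefix)]


def supernet(networks: List[str], new_prefix: int) -> Tuple[str, int]:
    """Super-netting: give back network bits so one block covers every input.
    Raises ValueError if some input does not fit; do this check before widening
    a mask, or hosts outside the block silently become unreachable."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    block = nets[0].supernet(new_prefix=new_prefix)
    for n in nets:
        if not n.subnet_of(block):
            raise ValueError(f"{n} does not fit in {block}")
    return str(block), block.num_addresses - 2


if __name__ == "__main__":
    print(address_class("10.1.2.3"), default_mask("10.1.2.3"), is_private("10.1.2.3"))
    print(subnet("192.168.1.0/24", 26))
    print(supernet(["192.168.0.0/24", "192.168.1.0/24"], 23))
```

Splitting a /24 into /26 subnets gives four networks of 62 usable hosts each (two addresses per subnet go to the network and broadcast addresses); merging two adjacent /24s into a /23 yields 510 usable hosts.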
Interface Configuration (Cisco)
• Router (config)# interface <interface_name> <interface_number>
• Router (config-if)# duplex full
• Router (config-if)# speed 100
• Router (config-if)# ip address <address> <netmask>
• Router (config-if)# no shutdown
• Router (config-if)# no keepalive
NAT/PAT
• Network Address Translation
• Enables address translation from one interface
to another
– Typically this translation is from private to public for
local computers accessing the Internet
• When overloaded, uses a single IP for many computers by changing the source port
– Known as Port Address Translation
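A small model of the PAT translation table described above, added here as an example (it is not from the slides and does not model any particular router). Many inside hosts share one outside address; each new outbound flow is given its own outside source port, and inbound packets are translated back only when they answer an existing mapping from the same remote endpoint. That last rule is why unsolicited inbound traffic simply has nowhere to go. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
FlowKey = Tuple[Endpoint, Endpoint]   # (inside endpoint, remote endpoint)


@dataclass
class PatTranslator:
    """PAT (NAT overload) state for a single outside address."""
    outside_ip: str
    next_port: int = 1024                                  # first outside port to hand out
    _out: Dict[FlowKey, int] = field(default_factory=dict)  # flow -> outside port
    _in: Dict[int, FlowKey] = field(default_factory=dict)   # outside port -> flow

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Endpoint:
        """Rewrite an inside->outside packet's source; allocate a mapping on first use."""
        key = ((src_ip, src_port), (dst_ip, dst_port))
        if key not in self._out:
            port = self.next_port
            self.next_port += 1
            self._out[key] = port
            self._in[port] = key
        return (self.outside_ip, self._out[key])

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Endpoint]:
        """Rewrite an outside->inside packet's destination, or None (drop) if unsolicited."""
        mapping = self._in.get(dst_port)
        if mapping is None:
            return None                          # nobody inside opened this port
        inside, remote = mapping
        if remote != (src_ip, src_port):
            return None                          # mapped port, but a different peer
        return inside

    def table(self) -> List[Tuple[Endpoint, Endpoint, Endpoint]]:
        """(inside, outside, remote) rows, as a 'show ip nat translations' would list."""
        return [(inside, (self.outside_ip, port), remote)
                for (inside, remote), port in self._out.items()]


if __name__ == "__main__":
    pat = PatTranslator("203.0.113.1")
    pat.outbound("192.168.1.10", 50000, "198.51.100.5", 80)
    pat.outbound("192.168.1.11", 50000, "198.51.100.5", 80)
    for row in pat.table():
        print(row)
    print(pat.inbound("198.51.100.5", 80, 1025))   # answer to the second host
    print(pat.inbound("198.51.100.5", 80, 4000))   # unsolicited: None
```

Note that two inside hosts using the same source port (50000) get distinct outside ports, which is exactly what the "overload" keyword buys over plain one-to-one NAT.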
NAT/PAT Configuration (Cisco)
• Static:
– ip nat inside source static <local_addr> <global_addr>
– ip nat inside source static network <local_net> <global_net> <mask>
• Dynamic:
– ip nat pool <NAME> <start_addr> <end_addr> netmask <mask>
– ip nat inside source list <acl_num> pool <NAME> [overload]
• The overload keyword is what configures PAT
• Then go to each interface and mark it as inside or outside
– Router (config-if)# ip nat inside | ip nat outside
Routing Protocols
• Routing Information Protocol (RIP)
– 224.0.0.9
• Open Shortest Path First (OSPF)
– 224.0.0.5 and 224.0.0.6
• Optimized Link State Routing (OLSR)
– Port 698, sent to 255.255.255.255 (limited broadcast)
• Ad hoc On-Demand Distance Vector (AODV)
– Used on ZigBee modules (IEEE 802.15.4)
Routing Configuration (Cisco)
• Router (config)# router rip
• Router (config-router)# network <base_address>
• Router (config-router)# version 2
• Router (config-router)# end
• Router # show ip route
• FOR A STATIC ROUTE USE:
– Router (config)# ip route <dest_address> <dest_mask> <next_hop> | <if_name>
Sub-Interfaces
• Enable having multiple interfaces on one
single router port
• Useful for interconnecting vlans
• Physical properties of the interface must
be configured in the main interface (e.g.
speed, duplex, no shutdown)
Sub-Interfaces Configuration (Cisco)
• Router (config)# interface fa 0/0.1
• Router (config-subif)# encapsulation dot1Q <vlan_id>
• Router (config-subif)# ip address <addr> <mask>
• Router (config-subif)# no shutdown
• The encapsulation must be set before the IP address: IOS refuses an IP address on a LAN sub-interface that is not yet tagged to a VLAN
Router Security
• Remote login
– Set password on all vty interfaces
– Some routers allow TELNET as well as SSH remote
sessions
• Firewalls
– Control what kind of traffic passes through your network
– Access Control Lists (Cisco)
• 1 – 99 and 1300 – 1999 (standard ACL)
• 100 – 199 and 2000 – 2699 (extended ACL)
• 700 – 799 and 1100 – 1199 (MAC ACL)
– iptables (Linksys with OpenWrt)
ACL Configuration (Cisco)
• Standard (can only evaluate the source address)
– Apply it as close to the destination as possible
– For a specific host
• Router (config)# access-list <num> [deny | permit] host [address | hostname]
– For a network
• Router (config)# access-list <num> [deny | permit] [address | hostname] [wildcard]
• Can also be used for a specific host (wildcard 0.0.0.0)
– In general
• Router (config)# access-list <num> [deny | permit] any
• There is an implicit deny any at the end of all ACLs
ACL Configuration (Cisco)
• Extended (source and destination)
– Apply it as close to the source as possible
– For a specific host
• Router (config)# access-list <num> [deny | permit] [proto] host [address | hostname] [destination info, optional] [lt | gt | eq | neq]
– For a network
• Router (config)# access-list <num> [deny | permit] [proto] [address | hostname] [wildcard] [destination info, optional] [lt | gt | eq | neq]
• Can also be used for a specific host (wildcard 0.0.0.0)
– In general
• Router (config)# access-list <num> [deny | permit] [proto] any [destination info, optional] [lt | gt | eq | neq]
• There is an implicit deny any at the end of all ACLs
ACL Configuration (Cisco)
• MAC (evaluates the MAC address)
– Apply it in the same network where the node is connected, since MAC addresses are only meaningful on the local segment
– Router (config)# access-list <num> [deny | permit] <mac_addr>
ACL Configuration (Cisco)
• Applying ACLs
• Go to the interface and type
– Router (config-if)# ip access-group <num> [in | out]
• If the interface is a vty line (TELNET)
– Router (config-line)# access-class <num> [in | out]
• Important to know
– Applying an ACL that has not been created does nothing: all traffic is accepted
– Applying an empty ACL blocks everything; remember the implicit deny any
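The ACL semantics from the last three slides (wildcard masks, standard versus extended entries, first-match ordering, the implicit deny, and the "ACL never created means everything passes" rule), modelled in code. This is an added example, not from the slides and not Cisco code; the sample ACLs 10 and 101 and every address in them are constructed. The `Ace` fields mirror the slide's syntax positions; `op` and `port` stand for the `[lt | gt | eq | neq] <port>` clause on the destination.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY_WILDCARD = "255.255.255.255"   # 'any'  is shorthand for 0.0.0.0 255.255.255.255
HOST_WILDCARD = "0.0.0.0"          # 'host' is shorthand for <addr> 0.0.0.0


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care', a 0 bit must match.
    It is the inverse of a subnet mask: a /24 network uses 0.0.0.255."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" | "deny"
    src: str
    src_wild: str
    proto: Optional[str] = None     # extended ACLs only: "ip", "tcp", "udp", "icmp"
    dst: Optional[str] = None
    dst_wild: Optional[str] = None
    op: Optional[str] = None        # "eq" | "neq" | "lt" | "gt" on the destination port
    port: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if ace.proto is None:                    # standard ACL: the source is all it sees
        return True
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    if ace.op is None:
        return True
    return {"eq": pkt.dport == ace.port, "neq": pkt.dport != ace.port,
            "lt": pkt.dport < ace.port, "gt": pkt.dport > ace.port}[ace.op]


def evaluate(acls: Dict[int, List[Ace]], acl_num: int, pkt: Packet) -> str:
    """Decision for a packet crossing an interface where ACL acl_num is applied."""
    if acl_num not in acls:
        return "permit"                      # ACL referenced but never created: all traffic passes
    for ace in acls[acl_num]:                # first matching entry wins, order matters
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                            # the implicit deny any at the end


# Constructed sample configuration (hypothetical addresses), equivalent to:
#   access-list 10 deny host 10.0.0.5
#   access-list 10 permit 10.0.0.0 0.255.255.255
#   access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
#   access-list 101 deny tcp any any eq 23
#   access-list 101 permit ip any any
ACLS: Dict[int, List[Ace]] = {
    10: [Ace("deny", "10.0.0.5", HOST_WILDCARD),
         Ace("permit", "10.0.0.0", "0.255.255.255")],
    101: [Ace("permit", "192.168.1.0", "0.0.0.255", "tcp", "0.0.0.0", ANY_WILDCARD, "eq", 22),
          Ace("deny", "0.0.0.0", ANY_WILDCARD, "tcp", "0.0.0.0", ANY_WILDCARD, "eq", 23),
          Ace("permit", "0.0.0.0", ANY_WILDCARD, "ip", "0.0.0.0", ANY_WILDCARD)],
}

if __name__ == "__main__":
    print(evaluate(ACLS, 10, Packet("10.0.0.5", "10.9.9.9", "tcp", 80)))      # deny (host entry)
    print(evaluate(ACLS, 10, Packet("172.16.0.1", "10.9.9.9", "tcp", 80)))    # deny (implicit)
    print(evaluate(ACLS, 101, Packet("192.168.1.7", "10.0.0.1", "tcp", 23)))  # deny (telnet)
    print(evaluate(ACLS, 99, Packet("1.2.3.4", "5.6.7.8", "tcp", 23)))        # permit (no such ACL)
```

Swapping the two entries of ACL 10 would let 10.0.0.5 through, since the broader permit would match first; the same ordering rule is what makes the trailing `permit ip any any` in ACL 101 safe to place last and dangerous anywhere else.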
iptables Configuration (Linksys)
• iptables [-t table] command [match] [target/jump]
– -t table specifies the table to be configured; if omitted, the filter table is used
• iptables -P FORWARD DROP
– -P sets the default policy, applied when no rule matches
iptables Configuration (Linksys)
• Commands
– -A appends a new rule to a chain
– -D deletes a rule from a chain
– -L lists all rules on a chain
– -F flushes a specific chain
– -N creates a new chain in the specified table
– -X removes a chain from a table
– -E renames a chain
– -P sets the default action (policy) for a chain
• Built-in chains
– INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
iptables Configuration (Linksys)
• Matches
– -p protocol (e.g. tcp, udp, icmp)
– -s source IP
– -d destination IP
– -i input interface
– -o output interface
– --sport source port (requires -p tcp or -p udp)
– --dport destination port (requires -p tcp or -p udp)
– --mac-source source MAC (requires -m mac)
iptables Configuration (Linksys)
• Jumps/targets
– -j ACCEPT
– -j DROP (it is better to use REJECT)
– -j REJECT
• --reject-with
– icmp-net-unreachable
– icmp-host-unreachable
– icmp-port-unreachable
– icmp-proto-unreachable
– icmp-net-prohibited
– icmp-host-prohibited
– tcp-reset
iptables Configuration (Linksys)
• Examples
– iptables -F INPUT
– iptables -P INPUT ACCEPT
– iptables -A INPUT -p tcp --dport 23 -j REJECT
• Blocks all incoming telnet traffic
– iptables -A INPUT -p tcp -s 10.0.0.1 --dport 23 -j ACCEPT
• Accepts all incoming telnet traffic from 10.0.0.1; we should put this rule first, since rules are matched in order and the REJECT above would otherwise catch it
• For more on protocols and services
– /etc/protocols
– /etc/services
Wireless Mesh Networking
• Configure mesh router in ad-hoc mode
• Install routing protocol such as OLSR on
router
• Terminal nodes should be in ad-hoc mode
as well
Wireless Mesh Networking
[Figure: Router and PC, both in ad-hoc mode]
In Linux one may also use:
sudo iwconfig eth1 mode ad-hoc
IPv6
• New IP family with more IP addresses
– 128 bits instead of 32
– Hex notation instead of decimal notation
– Travels using IP tunnels
– Router (config-if)# ipv6 …
• Does not require a MAC layer header
– IPv6 link-local address is derived from the MAC address
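How a link-local address is derived from the MAC address, as an added example (not from the slides): the modified EUI-64 procedure splits the 48-bit MAC, inserts `ff:fe` in the middle, flips the universal/local bit of the first octet and places the result under `fe80::/64`. The reverse function is the defender's point: an EUI-64 address reveals the hardware address (and so the vendor OUI) of the host to anyone who sees the packet, which is why privacy (randomized) interface identifiers exist. The MAC used is a constructed sample value.

```python
import ipaddress
from typing import Optional


def mac_to_eui64_link_local(mac: str) -> str:
    """fe80::/64 address with a modified EUI-64 interface identifier built from mac.
    Accepts 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e notation."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = octets[0] ^ 0x02                          # flip the universal/local bit
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def eui64_link_local_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 shaped address, or None when the
    interface identifier is not EUI-64 (no ff:fe marker), e.g. a privacy address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the bit flip, drop ff:fe
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    ll = mac_to_eui64_link_local("00:1a:2b:3c:4d:5e")
    print(ll)                                   # fe80::21a:2bff:fe3c:4d5e
    print(eui64_link_local_to_mac(ll))          # 00:1a:2b:3c:4d:5e
    print(eui64_link_local_to_mac("fe80::1"))   # None: not derived from a MAC
```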
OSPFv3
• OSPF version for the IPv6 family
• Is configured on the interface
– Router (config-if)# ipv6 ospf <process_id> area <area_number>
• Need to configure another IP routing protocol (e.g. OSPF, RIP)
• Need to activate IPv6 routing in global configuration mode
– Router (config)# ipv6 unicast-routing
Transport Layer
• Ensures connectivity between two end
nodes independent of their route
• Uses ports (doors) to keep connectivity
• Two protocols are widely used
– User Datagram Protocol (UDP)
– Transmission Control Protocol (TCP)
Transport Protocols
• UDP uses a datagram connection to send information faster, but does not guarantee delivery and the end node has to put segments in order
• TCP uses a virtual circuit ensuring that all segments arrive at the destination and in order; however, it takes more time. Uses a three-way handshake
Protocols Implementation
• Stop and wait protocol
– Wait for an ACK before sending the next packet
– Slow procedure
• Window protocol
– Send a sequence of frames; if a retransmission is needed, retransmit from the ACK number forward
– Does not retransmit frames with an id less than the ACK number
– The more common type of transport protocol (e.g. TCP)
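A simulation of the two schemes on this slide, added as an example (it is not from the slides). Both senders run over a constructed channel that loses the frames listed in `drop_first` on their first transmission. Stop-and-wait waits for every ACK, so it costs one round trip per frame; the Go-Back-N window sends a burst, reads the receiver's cumulative ACK number, and resends from that number forward, never resending frames below it. The window size and loss set are constructed sample values.

```python
from typing import Iterable, List, Tuple

Result = Tuple[List[int], List[int], int]   # (frames put on the wire, frames delivered, round trips)


def stop_and_wait(n_frames: int, drop_first: Iterable[int]) -> Result:
    """One frame in flight at a time; a lost frame times out and is resent."""
    drop, dropped_once = set(drop_first), set()
    transmissions: List[int] = []
    delivered: List[int] = []
    round_trips = 0
    for f in range(n_frames):
        while True:
            transmissions.append(f)
            round_trips += 1                  # one frame sent, one wait for its ACK
            if f in drop and f not in dropped_once:
                dropped_once.add(f)
                continue                      # timeout: resend the same frame
            delivered.append(f)
            break
    return transmissions, delivered, round_trips


def go_back_n(n_frames: int, window: int, drop_first: Iterable[int]) -> Result:
    """Sliding window with cumulative ACKs (Go-Back-N).
    The receiver's ACK number is the next frame it expects; the sender resends
    from that number forward and never resends anything below it."""
    drop, dropped_once = set(drop_first), set()
    expected = 0          # receiver: next in-order frame id (the ACK number)
    base = 0              # sender: oldest frame not yet acknowledged
    transmissions: List[int] = []
    delivered: List[int] = []
    round_trips = 0
    while base < n_frames:
        round_trips += 1                      # one burst out, one ACK back
        for f in range(base, min(base + window, n_frames)):
            transmissions.append(f)
            if f in drop and f not in dropped_once:
                dropped_once.add(f)
                continue                      # lost in the channel
            if f == expected:                 # in order: accept and advance the ACK number
                delivered.append(f)
                expected += 1
            # otherwise a gap precedes it and the receiver discards it
        base = expected                       # cumulative ACK slides the window
    return transmissions, delivered, round_trips


if __name__ == "__main__":
    print(stop_and_wait(6, drop_first=[1]))      # 7 frames on the wire, 7 round trips
    print(go_back_n(6, window=3, drop_first=[1]))  # 8 frames on the wire, 3 round trips
```

With six frames and frame 1 lost once, Go-Back-N puts more frames on the wire (frame 2 is sent twice because the receiver discarded the out-of-order copy) but finishes in three round trips instead of seven; frame 0, already below the ACK number, is never resent.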
Port Forwarding
• Transport layer technique that involves
transferring segments from one port to
another so that the other port deals with it
– Ex. Pass from port 80 (http) to 21 (ftp)
Port Numbers
• FTP: TCP 20, 21
• SSH: TCP 22
• TELNET: TCP 23
• SMTP: TCP 25
• DNS: UDP 53
• DHCP: UDP 67, 68
• TFTP: UDP 69
• HTTP: TCP 80
• MYSQL: TCP 3306
• RTP: UDP 5004
• RTCP: UDP 5005
• VoIP: UDP ≥ 1024
• IPTV: UDP ≥ 1024
• Online Games: UDP ≥ 1024
Applications
• Session Layer is in charge of scheduling which user of a multi-user computer utilizes the network
• Presentation Layer is in charge of formatting the data depending on the application (JPG, MP3, DOC, etc.)
• Application Layer is in charge of providing interaction with users
Dynamic Host Configuration Protocol (DHCP)
• Is able to pass multiple parameters to nodes
– IP Address
– Subnet Mask
– Default Gateway
– DNS Servers, etc.
File Transfer Protocol (FTP)
• Application protocol for downloading files
• Uses two TCP ports
– 20 for establishing connection
– 21 for downloading the file itself
• It has a faster but less reliable UDP version called TFTP (Trivial FTP)
– Uses port 69
Domain Name Service (DNS)
• Translates computer names to IP addresses
• Makes networks, websites and
servers/hosts easier to remember
• Uses UDP port 53
Telecommunications Network (Telnet) vs Secure Shell (SSH)
• Both enable remote control of a machine
• Telnet is not secure
– telnet rumad.uprm.edu
– TCP port 23
• Secure Shell uses encryption to send data
– ssh rumad.uprm.edu
– TCP port 22
Packet Sniffer
• A network tool that allows a network
administrator to monitor what kind of traffic
is passing through the network
• Can sniff through different interfaces and
log the results
• Can apply filters to the packets
• Can analyze packets by layers
Ping
• A network tool to test connectivity with a
remote host (all the way up to the
application layer)
• Should be the first thing to be checked
(after the power and cable of course)
• Can be used for a denial of service attack
• Some routers have extended ping
Traceroute
• A network tool that allows the
administrator to see hop by hop how to
reach a destination and know where the
connectivity is being lost