Open Source Routing, Firewalls and Traffic Shaping
Open Source Routing, Firewalls
and Traffic Shaping
Russell Sutherland
Computing and Networking Services
University of Toronto
[email protected]
Reference URLs for Tree Huggers
This presentation
– http://madhaus.cns.utoronto.ca/~russ/canheit2004/
Routing
– http://www.quagga.net/
– http://www.xorp.net/
– http://latrc.org/
Traffic Shaping
– Linux
http://tcng.sourceforge.net/
– FreeBSD http://info.iet.unipi.it/~luigi/ip_dummynet/
Packet Filtering
– Linux (iptables) http://www.netfilter.org/
– FreeBSD (ipfw) http://www.freebsd.org/
– OpenBSD (pf)
http://www.benzedrine.cx/pf.html
Routing Chronology
1984
BSD 4.2 ships with routed (RIPv1)
1986
Fuzz Ball PDP-11 NSFNet Routers
1988
Age of dedicated routing machines
– Cisco, Proteon, Wellfleet, ACC
1992
Gated Consortium Formed
1996
GNU Zebra
2002
Quagga, XORP
Quagga Routing Architecture
Modular Design
One process per protocol
– bgpd, ospfd, ripd
One main controlling process
– zebra
Extensible
Quagga Architecture Diagram: ospfd, ripd and bgpd each talk to zebra, and zebra alone writes to the Unix kernel routing table.
Quagga Routing Protocols
RIPv1, RIPv2, RIPng
OSPFv2, OSPFv3
BGP-4, BGP+
BGP route server and reflector
IPv6
Supported RFCs
– RIP: 1058 (RIPv1), 2453 (RIPv2), 2080 (RIPng)
– OSPF: 2328 (OSPFv2), 2740 (OSPF for IPv6)
– BGP: 1771 (BGP-4), 1965 (AS confederations), 1997 (communities), 2545 (BGP-4 multiprotocol extensions for IPv6), 2796 (route reflection), 2858 (multiprotocol extensions), 2842 (capabilities advertisement)
Quagga Supported Platforms
GNU Linux
– Debian, RedHat, SuSE, Slackware
– Kernels 2.2.x - 2.4.x
FreeBSD
– versions 4.x and 5.x
OpenBSD
– version 3.x
NetBSD
– version 1.4
Solaris
– 2.6 and version 7
Hardware Requirements
CPU
Intel 2.0 – 3.0 Ghz
Memory
512MB
Disks
18GB
– RAID-1 (optional)
– SCSI or IDE
Ethernet Interfaces
– 2 x 10/100 Intel, 2 x 10/100/1000 Broadcom
Redundancy
– hot spare serves as backup to N production units
Scottish Economics
Router Prices
– Cisco Mid-size
7204VxR, Catalyst 3550
$15k – $32k
– Extreme
Alpine 3800
$31k - $38k
– Foundry
BigIron 4000
$16k
– Intel 2.x Ghz server
Dell 2650, IBM x335
$2.5k - $3.5k
Network Topology (diagram labels): Traffic Shaper; Cogent A [100Mbps]; McL; Skye; Cogent B [100Mbps]; Mull; Internal; Jura; 1. UofT A, 2. UofT B, 3. ResNet; C4 [1000Mbps]; Bute; Touchdown Network 1000 Mbps; External
Network Routing Policy
Three classes of traffic (based on src IP)
– ResNet
– UofT A
– UofT B
ResNet
– to (via TS) Skye to Cogent A
– No C4 transit !!!
UofT A
– to C4 if dst IP == C4 otherwise via Skye to Cog A
UofT B
– to C4 if dst IP == C4 otherwise via Mull to CogB
Network Packet Filtering Policies
Drop all packets with
– spoofed (non UofT) source IP addresses
– non-routable destination addresses
0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, etc.
– tcp/udp ports used by Windows worms (Blaster, Welchia, etc.)
67, 68, 69, 135, 137, 139, 161, 162, 445, 593, 707, 1433, 1434, 3127, 4444
– non-assigned UofT subnets
Allow everything else
Network Traffic Shaping Policies
All traffic from a local Red Hat ftp site to the outside world gets a 50 kbps pipe
Peer to peer traffic to and from UofT A&B gets a 256 kbps full duplex pipe
– KaZaa (1214)
– eDonkey (4661, 4662)
– BitTorrent (6881-6889)
ResNet traffic gets conditioned by a
dedicated Traffic Shaper (Packeteer)
Everything else flows freely
Routing Protocols and
Configuration
Jura
– runs OSPF on int. intf. with other UofT routers
– runs BGP on external interface with C4 peer
– contains all UofT and C4 specific routes
Mull
– runs OSPF on int. intf. with other UofT routers
– runs BGP on external interface with Cogent B peer
– advertises UofTB routes
– default points to Cogent B
Skye
– same setup as Mull but with Cogent A
– advertises UofTA and ResNet routes
Quagga Routing Configuration
Command line interface similar to Cisco IOS
C4# conf t
C4(config)# interface eth2
C4(config-if)# description dummy interface
C4(config-if)# ip address 10.1.2.3/24
C4(config-if)# exit
C4(config)# exit
C4#
C4# conf t
C4(config)# router bgp 328
C4(config-router)# bgp router-id 10.1.1.10
C4(config-router)# network 10.1.1.0/24
C4(config-router)# redistribute static
C4(config-router)# neighbor 10.1.1.1 remote-as 999
C4(config-router)# exit
C4(config)# exit
C4#
Quagga Operation
# show ip route
Codes: K - kernel route, C - connected, S - static, O - OSPF,
B - BGP, > - selected route, * - FIB route
S>* 0.0.0.0/0 [10/0] via 128.100.96.194, disc0
B>* 6.1.0.0/16 [20/0] via 205.211.94.97, yk0, 01w4d03h
B>* 6.2.0.0/22 [20/0] via 205.211.94.97, yk0, 01w4d03h
B>* 6.3.0.0/18 [20/0] via 205.211.94.97, yk0, 01w4d03h
# show bgp neighbors
BGP neighbor is 205.211.94.97, remote AS 549, local AS 239, external link
BGP version 4, remote router ID 205.211.94.253
BGP state = Established, up for 01w4d22h
FreeBSD ipfw Packet Filtering
Native packet filtering interface
Implemented as a multifunction user command
The packet passed to the firewall is compared against each rule in the ruleset, in rule-number order.
When a match is found, the action of the matching rule is performed and the search terminates (count is the one exception; see the actions below).
General syntax
– ipfw [rule number] action [log] body
ipfw examples
Drop all www traffic from a network
– ipfw add deny tcp from 12.12.12.0/24 to www.ubc.ca 80
Drop all telnet traffic from a bad host
– ipfw add deny tcp from bad.host.com to my.host.com 23
Throw away RFC 1918 networks
– ipfw add deny all from 10.0.0.0/8 to any in via fxp0
– ipfw add deny all from 172.16.0.0/12 to any in via fxp0
– ipfw add deny all from 192.168.0.0/16 to any in via fxp0
Allow ssh
– ipfw add allow tcp from any to any 22 in via fxp0 setup keep-state
ipfw actions
allow | accept | pass | permit
– Allow packets that match rule. The search ends.
deny | drop
– Discard packets that match rule. The search ends.
fwd | forward ipaddr[,port]
– Change the next-hop on matching packets to ipaddr. The search ends.
pipe N
– Pass the packet to a dummynet(4) pipe for bandwidth limitation. The search ends unless the sysctl net.inet.ip.fw.one_pass is set to 0, in which case the packet re-enters the ruleset after the pipe.
count
– Update counters for all packets that match the rule. The search continues with the next rule.
Traffic Control Concepts I
Set of mechanisms to condition net traffic
Examples
– raise priority of some kinds of traffic
– limit the rate at which traffic is sent
– block undesirable traffic (same as packet filtering)
TC is done at the network interface
– ingress (traffic entering an interface)
limited set of functions (classifying, dropping)
– egress (traffic leaving an interface)
full range of functions available
queueing
Traffic Control Concepts II
Classification
Queueing
Scheduling
Traffic Control Concepts III
Classification
– looks at packet content and assigns each to one
or more classes.
Queueing
– stuffs incoming packets into storage silos based
on class
Scheduling
– transmitting packets in queues based upon
priority
Queueing and Scheduling are often
combined into queuing disciplines
Traffic Control Concepts IV
Common Queueing Disciplines
– simple drop tail (FIFO)
stores and emits packets in order which they arrive
– Random Early Detection (RED)
starts dropping packets probabilistically before the queue reaches its maximum size
– Token Bucket Filter (TBF)
a shaper that emits packets at a fixed rate, allowing a bounded burst
– Priority Scheduler (PQ)
emits packets in higher priority classes before
packets in lower priority classes
– Weighted Fair Queueing (WFQ)
assigns an independent queue for each flow
a weight can be defined for each queue
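The Token Bucket Filter from the list above, as an added example (not code from the slides, from Linux tc or from dummynet): a small Python simulation of a token bucket that admits traffic up to a fixed rate, absorbs a burst no larger than the bucket, and drops the rest. The rate, bucket size and packet traces are constructed for the example; times are integer milliseconds so the refill arithmetic stays exact.

```python
"""Token bucket filter (TBF) simulation.

Added example, not code from the original slides or from any tool they
describe. Models the shaping behaviour the slides attribute to a TBF:
traffic up to a fixed rate passes, a short burst above the rate is
absorbed by the bucket, and anything beyond that is dropped.
"""


class TokenBucket:
    """Bucket holding up to `burst_bytes`, refilled at `rate_bps` bits/s."""

    def __init__(self, rate_bps, burst_bytes):
        self.bytes_per_sec = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = float(burst_bytes)  # a fresh bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size):
        """Return True if a `size`-byte packet arriving at `now_ms` may pass."""
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + elapsed * self.bytes_per_sec / 1000)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False  # policing variant: no queue, the packet is dropped


def shape(packets, rate_bps, burst_bytes):
    """Run a (time_ms, size_bytes) trace through a TBF; one verdict per packet."""
    bucket = TokenBucket(rate_bps, burst_bytes)
    return [bucket.offer(t, size) for t, size in packets]


def admitted_bytes(packets, rate_bps, burst_bytes):
    """Total bytes the shaper let through for the trace."""
    verdicts = shape(packets, rate_bps, burst_bytes)
    return sum(size for (_, size), ok in zip(packets, verdicts) if ok)


# Constructed trace against an 8 kbit/s (1000 B/s) shaper with a 1500-byte bucket.
BURSTY = [(0, 1500), (100, 500), (1000, 500), (1200, 1000), (2000, 1000)]

# Constructed steady overload: a 200-byte packet every 100 ms (2000 B/s)
# offered to the 1000 B/s shaper for 10 seconds.
STEADY = [(k * 100, 200) for k in range(100)]

if __name__ == "__main__":
    print(shape(BURSTY, 8000, 1500))           # [True, False, True, False, True]
    print(admitted_bytes(STEADY, 8000, 1500))  # 11400: about 1000 B/s plus the initial burst
```

Under sustained overload the admitted volume settles at the configured rate (10,000 bytes over 10 s) plus one bucket's worth of initial burst; a packet larger than the bucket can never pass, which is why the burst size must be at least one MTU.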
FreeBSD Dummynet Features
Integrated with ipfw to classify packets
Can be used equally well on egress/ingress
Abstractions/features
– pipes
fixed bandwidth channels
variable queue size, delays, random packet loss
– queues
queues of packets
weighted
share bandwidth of pipe they are associated with
proportionally to their weight
WF2Q+ used for queuing discipline
Dummynet Examples
Limit WWW traffic to 100Mbps
ipfw pipe 1 config bw 100Mbit/s
ipfw add pipe 1 ip from any to any dst-port 80
Prefer ssh to telnet traffic
ipfw pipe 2 config bw 256kbit/s
ipfw queue 1 config pipe 2 weight 7
ipfw queue 2 config pipe 2 weight 3
ipfw add queue 1 ip from any to any dst-port 22
ipfw add queue 2 ip from any to any dst-port 23
Rate limit each network host's upload rate
ipfw pipe 3 config mask src-ip 0x000000ff bw 16kbit/s queue 8Kbytes
ipfw add pipe 3 ip from 12.18.123.0/24 to any out via xl0
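The weighted sharing behind the ssh/telnet example above, as an added Python example (not from the slides and not dummynet's own WF2Q+ scheduler): a deficit round-robin scheduler, which yields the same proportional split as WF2Q+ whenever both queues stay backlogged, showing that queues share the pipe in proportion to their weights and that an idle queue gives its share to the busy one. The weights 7 and 3 come from the slide; packet sizes and the pipe budget are constructed.

```python
"""Weighted sharing of one pipe between queues (deficit round robin).

Added example, not from the slides or from dummynet. Each round a queue
earns weight * quantum bytes of credit and spends it on whole packets;
an empty queue forfeits its credit, so the pipe is work-conserving.
"""

from collections import deque


def schedule(queues, weights, budget_bytes, quantum=1000):
    """Serve `queues` (lists of packet sizes) from a pipe with `budget_bytes`
    to spend; returns the bytes sent from each queue."""
    pending = [deque(q) for q in queues]
    deficit = [0] * len(pending)
    sent = [0] * len(pending)
    while budget_bytes > 0 and any(pending):
        progressed = False
        for i, q in enumerate(pending):
            if not q:
                deficit[i] = 0  # idle queues do not bank credit
                continue
            deficit[i] += weights[i] * quantum
            while q and q[0] <= deficit[i] and q[0] <= budget_bytes:
                size = q.popleft()
                deficit[i] -= size
                budget_bytes -= size
                sent[i] += size
                progressed = True
        if not progressed:  # nothing left fits in the remaining budget
            break
    return sent


SSH = [1000] * 20     # constructed: 20 full-size packets waiting in queue 1 (weight 7)
TELNET = [1000] * 20  # constructed: 20 packets waiting in queue 2 (weight 3)

if __name__ == "__main__":
    print(schedule([SSH, TELNET], [7, 3], 10000))  # [7000, 3000]: 7:3 split while both are busy
    print(schedule([SSH, []], [7, 3], 10000))      # [10000, 0]: the idle queue holds nothing back
```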
Routing Policy Using ipfw
All ResNet traffic forwarded directly to Skye
– ipfw add fwd $skye all from $resnet to any in recv $uoft_if
Block spoofed packets (first match wins, so the allow must precede the deny)
– ipfw add allow all from $uoftnet to any in recv $uoft_if
– ipfw add deny all from any to any in recv $uoft_if
Block bad packets (Windows worms etc.)
– for i in 67-69 135-139 161 162 445 593 707 4444
do
ipfw add deny udp from any to any $i
ipfw add deny tcp from any to any $i
done
C4 traffic follows specific routes from BGP
Routing Policy Using ipfw Cont.
Block all traffic to non-defined UofT addrs
– ipfw add deny all from any to $uoftnet out xmit $def_if
Partition UofT A/B traffic to Skye/Mull
– ipfw add fwd $skye all from $uoftA to any out xmit $def_if
– ipfw add fwd $mull all from $uoftB to any out xmit $def_if
Traffic Shaping
– limit RH ftp server
ipfw pipe 1 config bw 50Kbit/s
ipfw add pipe 1 ip from $rhftp to any in recv $uoft_if
– limit peer to peer
ipfw pipe 2 config bw 256Kbit/s
ipfw add pipe 2 ip from $uoftA to any dst-port 1214,4661,4662
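The first-match semantics from the ipfw slides, applied to the border policy above, as an added Python example (not code from the slides or from ipfw itself). It walks a ruleset in number order, stops at the first match except for count, and runs the policy's packets through it; $uoftnet, $resnet and $uoft_if, which the slides never expand, are replaced by constructed prefixes and an interface name, and the packets are constructed too.

```python
"""First-match evaluation of an ipfw-style ruleset.

Added example, not code from the slides or from ipfw. Models the matching
semantics the slides describe (rules tried in number order, first match
decides, `count` alone continues) over the border policy: forward ResNet
to Skye, drop spoofed sources on the campus interface, drop worm ports,
allow the rest. Prefixes, interface and packets are constructed.
"""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

UOFT_NET = [ip_network("128.100.0.0/16"), ip_network("142.150.0.0/15")]  # constructed $uoftnet
RESNET = [ip_network("142.151.0.0/16")]                                   # constructed $resnet
UOFT_IF = "em0"                                                           # constructed $uoft_if
WORM_PORTS = {67, 68, 69, 135, 136, 137, 138, 139, 161, 162, 445, 593, 707, 4444}


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    recv: str = ""      # interface the packet arrived on


@dataclass
class Rule:
    number: int
    action: str                                 # allow | deny | fwd | count
    proto: str = "all"
    src: List = field(default_factory=list)     # networks; empty means any
    dst: List = field(default_factory=list)
    dports: Set = field(default_factory=set)    # empty means any port
    recv: Optional[str] = None                  # "in recv <if>" condition
    fwd_to: Optional[str] = None


def matches(rule, pkt):
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    return (
        rule.proto in ("all", pkt.proto)
        and (not rule.src or any(s in n for n in rule.src))
        and (not rule.dst or any(d in n for n in rule.dst))
        and (not rule.dports or pkt.dport in rule.dports)
        and (rule.recv is None or rule.recv == pkt.recv)
    )


def evaluate(rules, pkt, counters=None):
    """Return (verdict, next_hop); verdict is 'allow', 'deny' or 'fwd'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        if rule.action == "count":
            if counters is not None:
                counters[rule.number] = counters.get(rule.number, 0) + 1
            continue                      # the one non-terminating action
        if rule.action == "fwd":
            return "fwd", rule.fwd_to
        return rule.action, None
    return "deny", None                   # ipfw's default rule 65535 denies unless built otherwise


def border_policy(spoof_rules_swapped=False):
    """The slides' ruleset. With spoof_rules_swapped=True the deny is numbered
    ahead of the allow, and first-match then drops every campus packet on
    the inbound interface."""
    allow_no, deny_no = (300, 200) if spoof_rules_swapped else (200, 300)
    rules = [
        Rule(50, "count", proto="udp", dports={53}),
        Rule(100, "fwd", src=RESNET, recv=UOFT_IF, fwd_to="skye"),
        Rule(allow_no, "allow", src=UOFT_NET, recv=UOFT_IF),
        Rule(deny_no, "deny", recv=UOFT_IF),
    ]
    for i, port in enumerate(sorted(WORM_PORTS)):
        rules.append(Rule(400 + i, "deny", proto="udp", dports={port}))
        rules.append(Rule(400 + i, "deny", proto="tcp", dports={port}))
    rules.append(Rule(65000, "allow"))    # "Allow everything else"
    return rules


if __name__ == "__main__":
    policy = border_policy()
    print(evaluate(policy, Packet("tcp", "142.151.9.9", "203.0.113.1", 80, UOFT_IF)))   # ('fwd', 'skye')
    print(evaluate(policy, Packet("tcp", "198.51.100.7", "203.0.113.1", 80, UOFT_IF)))  # ('deny', None): spoofed
    print(evaluate(policy, Packet("tcp", "203.0.113.1", "128.100.1.1", 445, "em1")))    # ('deny', None): worm port
    print(evaluate(policy, Packet("tcp", "128.100.1.1", "203.0.113.1", 445, UOFT_IF)))  # ('allow', None): rule 200
```

The last case is the caveat rule order imposes: because fwd and allow both end the search, packets matching the ResNet forward or the anti-spoof allow never reach the worm-port rules, so as numbered on the slide those rules only catch traffic arriving from the upstream side. To drop the worm ports in both directions, number them ahead of the anti-spoof allow.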
Linux Packet Filtering: iptables
Similar to ipfw in functionality and use
User based command line interface
Syntax
– iptables [-t table] command chain conditions -j target
Very rich set of conditions and actions
Extensible modular actions
More complicated in concept than ipfw or pf
hierarchy: tables -> chains -> rules
three default tables with default policies
– filter, nat, mangle
Linux iptables Anatomy (diagrams)
Ingress: Network Interface -> conntrack -> PREROUTING (mangle, nat; IMQ / QoS ingress hook) -> input routing decision and RPDB -> either INPUT (mangle, filter) -> LOCAL PROCESSES, or FORWARD (mangle, filter) -> REMOTE IP ADDR
Egress: LOCAL PROCESSES -> OUTPUT ROUTING -> conntrack -> OUTPUT (mangle, nat, filter) -> POSTROUTING (mangle, nat; IMQ / QoS egress) -> Network Interface -> REMOTE IP ADDR
iptables examples
Drop all www traffic from a network
iptables -A FORWARD -p tcp --dport 80 -s 12.12.12.0/24 -d www.ubc.ca -j DROP
Drop all telnet traffic from a bad host
iptables -A INPUT -p tcp -s bad.host.com -d my.host.com --dport 23 -j DROP
(host names in a rule are resolved once, when the rule is inserted)
Throw away RFC 1918 networks from inside
iptables -A FORWARD -s 10.0.0.0/8 -i eth0 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
Allow ssh and keep state
iptables -A FORWARD -p tcp --dport 22 -i eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
Linux Routing – Multiple Tables
Multiple routing/forwarding tables
Three fixed predefined tables
– local
– main
– default
Each table is assigned a priority number (the lower the number, the earlier it is consulted)
– 0: local
– 32766: main
– 32767: default
A match is sought starting with the highest priority table (local -> main -> default)
Linux Routing Policy Database
Traditional Routing selects on
– Destination IP Address
– Type of Service
Routing Policy Database (RPDB) selects on
– Destination IP Address
– Type of Service
– Source IP Address
– iptables FW mark
Linux Traffic Control: tc
Uses queueing disciplines for managing
bandwidth
Largely concerned with data being sent
rather than received.
Classless queueing disciplines
– reschedule, drop or delay
– applied to the bulk interface
– pfifo_fast
default, can't be changed
– TBF (Token Bucket Filter)
passes traffic up to a fixed rate
drops the rest
allows short burst in excess of fixed rate
tc: Classless qdiscs
SFQ (Stochastic Fair Queueing)
– Traffic split into a large number of FIFO queues, one per flow
– Traffic gets sent/serviced in a round robin fashion, giving each flow a chance to send its data.
– Leads to fair behaviour
– prevents one flow from hogging all the bandwidth
– only really useful when the link is full
RED (Random Early Detection)
– drops packets statistically before queues are full
– lets a congested link slow down more gracefully
tc: Classful qdiscs
Used when different types of traffic need different treatment.
CBQ (Class Based Queueing)
– very complicated to set up and tune
PRIO
– classifies traffic into a number of bands, each with its own priority.
u32 (a filter, not a qdisc)
– used as the tool to classify traffic into sub-queues
– matches on actual byte offsets in the IP header
Linux: tcng
tc syntax is very complicated, both in setting up the qdiscs and in the classification, e.g.
tc qdisc add dev eth0 root handle 1:0 prio
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport 80 0xffff flowid 1:1
tc qdisc add dev eth0 parent 1:3 handle 30: sfq
tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip sport 80 0xffff flowid 1:3
tcng was created as a higher level tool
– simple to configure
– more natural language to set up classes and qdiscs
– compiles to tc or “C”
– comes with a simulator
tcng: Example Input
dev "eth0" {
    egress {
        class ( <$high> ) if tcp_dport == 80;
        class ( <$low> ) if 1;
        prio {
            $high = class { tbf(limit 10kB, rate 20kbps, burst 2kB, mtu 1500B); }
            $low = class { fifo(limit 30kB); }
        }
    }
}
tcng: Example Output
tc qdisc add dev eth0 handle 1:0 root dsmark indices 4 default_index 0
tc qdisc add dev eth0 handle 2:0 parent 1:0 prio
tc qdisc add dev eth0 handle 3:0 parent 2:1 tbf burst 2048 limit 10240 mtu 1500 rate 2500bps
tc qdisc add dev eth0 handle 4:0 parent 2:2 bfifo limit 30720
tc filter add dev eth0 parent 2:0 protocol all prio 1 tcindex mask 0x3 shift 0
tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 2 tcindex classid 2:2
tc filter add dev eth0 parent 2:0 protocol all prio 1 handle 1 tcindex classid 2:1
tc filter add dev eth0 parent 1:0 protocol all prio 1 handle 1:0:0 u32 divisor 1
tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u8 0x6 0xff at 9 offset at 0 mask 0f00 shift 6 eat link 1:0:0
tc filter add dev eth0 parent 1:0 protocol all prio 1 handle 1:0:1 u32 ht 1:0:0 match u16 0x50 0xffff at 2 classid 1:1
tc filter add dev eth0 parent 1:0 protocol all prio 1 u32 match u32 0x0 0x0 at 0 classid 1:2
Routing Policy Using Linux
Routing Tables (ip rule priorities)
– 0: from all lookup local
– 100: from 142.151.0.0/16 lookup resnet
– 1000: from all lookup main
– 2000: from 142.150.0.0/16 lookup uoftA
– 32767: from all lookup default
resnet contains a single default to skye
uoftA contains a default to skye
default contains a default to mull
main contains all the C4 routes (and no default, so a lookup that misses falls through to the next rule)
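The rule walk above, as an added Python example (not code from the slides or from iproute2): rules are tried in priority order, a rule with a "from" selector applies only to matching sources, and a table with no route for the destination falls through to the next rule. The five tables and the two source prefixes are the slide's; the C4 prefixes and the next-hop names are constructed.

```python
"""Policy routing lookup the way the Linux RPDB does it.

Added example, not from the slides or from iproute2. Walks the slide's
rules in priority order, consulting a table only when the packet's source
matches the rule's selector, and falling through when the table has no
route. C4 prefixes and next-hop names are constructed.
"""

from ipaddress import ip_address, ip_network

SKYE, MULL, C4 = "skye", "mull", "c4"  # next hops, by router name

TABLES = {
    "local": [],  # the host's own addresses; empty in this example
    "resnet": [(ip_network("0.0.0.0/0"), SKYE)],
    "main": [(ip_network("192.0.2.0/24"), C4),        # constructed C4 routes,
             (ip_network("198.51.100.0/24"), C4)],    # deliberately no default
    "uoftA": [(ip_network("0.0.0.0/0"), SKYE)],
    "default": [(ip_network("0.0.0.0/0"), MULL)],
}

# (priority, from-selector or None for "from all", table), as on the slide
RULES = [
    (0, None, "local"),
    (100, ip_network("142.151.0.0/16"), "resnet"),
    (1000, None, "main"),
    (2000, ip_network("142.150.0.0/16"), "uoftA"),
    (32767, None, "default"),
]


def lookup_table(table, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def route(src, dst, rules=RULES, tables=TABLES):
    """Return (table_name, next_hop) from the first rule whose table has a route."""
    s, d = ip_address(src), ip_address(dst)
    for _prio, selector, name in sorted(rules, key=lambda r: r[0]):
        if selector is not None and s not in selector:
            continue
        hit = lookup_table(tables[name], d)
        if hit is not None:
            return name, hit[1]
    return None, None  # no rule produced a route: unreachable


def with_resnet_after_main(rules=RULES):
    """The same rules with the resnet rule demoted below main (priority 1500)."""
    return [(1500 if name == "resnet" else p, sel, name) for p, sel, name in rules]


if __name__ == "__main__":
    print(route("142.151.1.1", "192.0.2.5"))   # ('resnet', 'skye'): ResNet never sees C4 routes
    print(route("142.150.1.1", "192.0.2.5"))   # ('main', 'c4'):     UofT A reaches C4 via main
    print(route("142.150.1.1", "8.8.8.8"))     # ('uoftA', 'skye'):  main misses, falls through
    print(route("128.100.1.1", "8.8.8.8"))     # ('default', 'mull'): UofT B
    print(route("142.151.1.1", "192.0.2.5", rules=with_resnet_after_main()))  # ('main', 'c4')
```

The "No C4 transit" policy for ResNet rests on rule order alone: the resnet rule at priority 100 is consulted before main, so a ResNet source never sees the C4 routes. The last call shows what happens if someone re-adds that rule at a priority above 1000 (in iproute2 terms, `ip rule add from 142.151.0.0/16 lookup resnet priority 1500` instead of 100): ResNet silently gains C4 transit, with no error from any tool.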
Linux Traffic Shaping Policy
dev eth1 {
egress {
class ( <$rhftp> ) if ip_src == 128.100.17.10;
class ( <$p2p> ) if ( (tcp_dport == 1214 ||
tcp_dport == 4661 || tcp_dport == 4662) &&
ip_src:16 == 128.100.0.0 );
class ( <$high> ) if 1 ;
htb () {
class ( rate 100Mbps , ceil 100Mbps ) {
$rhftp = class ( rate 50kbps, ceil 75kbps );
$p2p = class ( rate 256kbps, ceil 325kbps );
$high = class ( rate 90Mbps, ceil 100Mbps );
}
}
}
}
OpenBSD packet filtering
pf runs as the native packet filtering engine
similar in syntax to ipfw
traffic shaping (ALTQ) integrated with pf
BSD only supports one main routing table
pf (like ipfw) supports a forwarding action
to explicitly forward a packet
URLs
– www.openbsd.org
– www.csl.sony.co.jp/person/kjc/software.html
– www.benzedrine.cx/pf.html
Results and Conclusions
OSS Routers in service for > 18 months
Scaled easily from 1 to 3 machines
Currently running
– FreeBSD 4.x, 5.x, dummynet, ipfw
Will be moving to Linux in next 3 months
Standard network monitoring via SNMP
CPU running < 40%
OSS is a viable option for policy based
routing and shaping at the edge