@MarcioJales
Last active November 15, 2021 01:22
Notes - Chapter 13, TCP/IP Networking - UNIX and Linux System Administration Handbook, 5th Edition

TCP/IP Networking

Brief overview of the topics discussed in chapter 13.

I do not include most of the FreeBSD parts.

TCP/IP and its relationship to the Internet

The major players on Internet governance:

  • ICANN (Internet Corporation for Assigned Names and Numbers): controls the allocation of Internet addresses and domain names, along with various other snippets such as protocol port numbers;
  • ISOC (The Internet Society): best known as the umbrella organization for the technical development of the Internet;
  • IGF (Internet Governance Forum): home for international and policy-oriented discussions.

The technical activities of the Internet community are summarized in documents known as Requests for Comments or RFCs;

"rfc-editor.org" will always have the most up-to-date information;

Networking basics

TCP/IP is a protocol “suite,” a set of network protocols designed to work smoothly together;

TCP/IP layering model:

[image omitted: TCP/IP layering model diagram]

IPv4 and IPv6

"IP" stands for "Internet Protocol", which routes data packets from one machine to another;

Version 4 uses 4-byte IP addresses;

Version 6 expands the IP address space to 16 bytes and incorporates several other lessons learned from the use of IPv4;

The development and deployment of IPv6 were to a large extent motivated by the concern that the world was running out of 4-byte IPv4 address space;

For the most part, we’ve learned to make more efficient use of IPv4 addresses; examples are Network Address Translation (NAT) and Classless Inter-Domain Routing (CIDR);

Packets and encapsulation

Data travels on a network in the form of packets;

Each packet consists of a header and a payload;

Each protocol’s finished packet becomes the payload part of the packet generated by the next protocol on the stack. This nesting is known as encapsulation.

Maximum transfer unit

The size limit for a packet is associated with the link-layer protocol and is called the maximum transfer unit or MTU;

IPv4 splits packets to conform to the MTU of a particular network link;

An IPv4 router that forwards the packet onto the small-MTU network further subdivides the packet in a process called fragmentation;

Senders can discover the lowest-MTU link through which a packet must pass by setting the packet’s “do not fragment” flag;

Consult the ifconfig or ip-link man page to see how to set an interface’s MTU.

Packet Addressing

Addressing schemes are used in combination:

  • MAC (Media Access Control) addresses;
  • IPv4 and IPv6 network addresses;
  • Hostnames.

Hardware (MAC) addressing

Each of a host’s network interfaces usually has one link-layer MAC address;

These addresses are traditionally written as a series of 2-digit hex bytes separated by colons (e.g. 00:50:8d:9a:3b:df);

In theory, they are immutable. However, many network interfaces let you override the hardware address.

IP addressing

IP addresses identify network interfaces, not machines;

The mapping from IP addresses to hardware addresses is implemented at the link layer of the TCP/IP model.

Hostname “addressing”

One or more hostnames can be associated with an IP address so that users do not have to type numbers.

Ports

TCP and UDP extend IP addresses with a concept known as a port, to specify a particular communication channel;

Valid ports are in the range 1–65,535;

“Well known” ports are defined in /etc/services;

Binding to port numbers under 1,024 is restricted unless the program runs as root or has an appropriate Linux capability.

Address types

  • Unicast: addresses that refer to a single network interface;
  • Multicast: addresses that simultaneously target a group of hosts;
  • Broadcast: addresses that include all hosts on the local subnet;
  • Anycast: addresses that resolve to any one of a group of hosts.

IP addresses: the gory details

With the exception of multicast addresses, Internet addresses consist of a network portion and a host portion;

In IPv4, the boundary between the network and host portions is set administratively;

IPv4 addresses are written as decimal numbers, one for each byte, separated by periods (e.g. 209.85.171.147);

Use "loopback network" to refer to the current host:

  • 127.0.0.1 (localhost) in IPv4;
  • ::1 in IPv6.

IPv4 subnetting

A “subnet mask” or “netmask” is a bit mask in which the 1s correspond to the desired network portion and the 0s correspond to the host portion;

Netmasks are assigned with the ip or ifconfig utilities.

CIDR: Classless Inter-Domain Routing

CIDR uses an explicit netmask to define the boundary between the network and host parts of an address;

It is a direct extension of subnetting;

Written as "/XX", where "XX" is the number of bits in the network portion of the address.

Private addresses and network address translation (NAT)

IP addresses reserved for private use:

[image omitted: book page 486]

Border routers run a system called NAT (Network Address Translation) to allow hosts that use these private addresses to talk to the Internet;

NAT intercepts packets and rewrites their source addresses, using a valid external IP address;

An incorrect NAT configuration can let private-address-space packets escape onto the Internet;

Many NATs perform Port Address Translation: they use a single external IP address and multiplex the connections of many internal clients onto the port space of that single address.

IPv6 addressing

IPv6 addresses are 128 bits long and the boundary between the network portion and the host portion is fixed at /64;

Example of the standard notation: 2607:f8b0:000a:0806:0000:0000:0000:200e. Each 16-bit group is represented by 4 hexadecimal digits;

A couple of notational simplifications help limit the amount of typing needed;

IPv6 prefixes represent geographically clustered locations;

Address prefix adopts CIDR notation to represent its length;

Automatic host numbering is achieved by using the 48-bit MAC (hardware) address;

The "StateLess Address AutoConfiguration (SLAAC)" feature and automatic host numbering enable automatic network configuration for IPv6 interfaces;
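
As an added example (not code from the book or from this gist), the notational simplifications and the MAC-derived host numbering described above, worked out in Python: the function names, the MAC 00:50:8d:9a:3b:df borrowed from the hardware-addressing section and the 2001:db8:1:2::/64 prefix are this example's own choices.

```python
def expand_ipv6(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 address, undoing a '::'."""
    if "::" in addr:
        head, tail = addr.split("::", 1)
        left = [int(g, 16) for g in head.split(":") if g]
        right = [int(g, 16) for g in tail.split(":") if g]
        groups = left + [0] * (8 - len(left) - len(right)) + right
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return groups

def compress_ipv6(addr: str) -> str:
    """Canonical text form (RFC 5952): leading zeros dropped from every group,
    and the longest run of two or more all-zero groups replaced by '::'
    (the first such run wins a tie; a single zero group is never shortened)."""
    groups = expand_ipv6(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def eui64_from_mac(mac: str) -> str:
    """Interface identifier SLAAC derives from a 48-bit MAC (modified EUI-64):
    split the MAC in half, insert ff:fe, and flip the universal/local bit
    (bit 1 of the first octet). Returned as four hex groups."""
    octets = [int(b, 16) for b in mac.split(":")]
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    octets[0] ^= 0x02
    iid = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(format((iid[k] << 8) | iid[k + 1], "x") for k in range(0, 8, 2))

def slaac_address(prefix: str, mac: str) -> str:
    """Join a /64 prefix (the first four groups of `prefix`) with the EUI-64
    host part; the boundary is fixed at /64, as the notes say."""
    net = ":".join(format(g, "x") for g in expand_ipv6(prefix)[:4])
    return compress_ipv6(f"{net}:{eui64_from_mac(mac)}")

if __name__ == "__main__":
    # Constructed inputs: the address quoted in the notes, an assumed prefix and MAC.
    print(compress_ipv6("2607:f8b0:000a:0806:0000:0000:0000:200e"))
    print(slaac_address("2001:db8:1:2::", "00:50:8d:9a:3b:df"))
```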

Routing

Routing is the process of directing a packet through a network from source to destination;

Takes the form of rules (“routes”), such as “To reach network A, send packets through machine C.”;

Routing information is stored in a table in the kernel;

Each listed network has a mask; when more than one route matches a destination, the most specific one (the longest mask) is used;

Routing tables

The main fields displayed are:

  • Destination;
  • Genmask (Generation mask);
  • Gateway;
  • Iface (Interface);

[image omitted: book page 487]

For example, the fourth route in the table above says that, to reach the network 132.236.220.64/26, packets must be sent to the gateway 132.236.212.6 through interface eth1.

Routing tables can be configured statically and/or dynamically;

A static route is one that you enter explicitly with the ip route or route command.

ICMP redirects

When a router forwards a packet to a machine on the same network from which the packet was originally received, it can notify the sender of its problem with an ICMP redirect packet;

The recipient of a redirect can adjust its routing table to fix the problem;

Under Linux, the variable accept_redirects in the /proc hierarchy controls the acceptance of ICMP redirects.

IPv4 ARP and IPv6 neighbor discovery

ARP stands for Address Resolution Protocol;

If host A wants to send a packet to host B on the same Ethernet, it uses ARP or ND to discover B’s hardware address;

If B is not on the same network as A, host A uses the routing system to determine the next-hop router along the route to B and then uses ARP or ND to find that router’s hardware address;

The ip neigh command examines and manipulates the caches created by ARP and ND.

DHCP: the Dynamic Host Configuration Protocol

The protocol lets a client “lease” a variety of network and administrative parameters from a central server, which includes (not exhaustive):

  • IP addresses and netmasks;
  • Gateways (default routes);
  • DNS name servers;
  • Syslog hosts.

When the client’s lease time is half over, it attempts to renew its lease;

Clients are supposed to keep their lease state across reboots too, although many do not;

The server daemon is called dhcpd and its configuration file is dhcpd.conf, usually found in /etc or /etc/dhcp3. When setting up a new server, make sure that an empty lease database file has been created, usually somewhere underneath /var.

The dhcpd man page outlines the configuration process, and the dhcpd.conf man page covers the exact syntax of the config file.

Security issues

IP forwarding:

  • Enables a system to act as a router;
  • Can sometimes be coerced into compromising security by making external packets appear to have come from inside your network.

ICMP redirects:

  • Attackers can use them to maliciously reroute traffic and tamper with your routing tables;
  • Routers should ignore and perhaps log ICMP redirect attempts.

Source routing:

  • Source routing bypasses the next-hop routing algorithm that’s normally run at each gateway;
  • If someone routes a packet so that it appears to have originated within your network, it might slip through your firewall.

Broadcast pings and other directed broadcasts:

  • Such packets have been used in denial-of-service attacks.

IP spoofing:

  • If the software creating the packet uses a raw socket, it can fill in any source address it likes;
  • Deny IP spoofing at your border router by blocking outgoing packets whose source address is not within your address space;
  • In addition, use “unicast reverse path forwarding” (uRPF): discard packets that arrive on an interface different from the one on which they would be transmitted.
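
Added example (not the book's or the gist's code) tying the routing section's longest-prefix rule to the two anti-spoofing controls listed above: a small routing table containing the 132.236.220.64/26 route quoted earlier, the egress filter that drops outbound packets whose source is outside our address space, and a strict uRPF check. The site address space 132.236.0.0/16, the other routes and the interface names are assumptions.

```python
def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"malformed IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def parse_cidr(cidr: str) -> tuple:
    """'132.236.220.64/26' -> (network, netmask, prefix length) as integers;
    the /XX is the number of 1 bits in the netmask, as the CIDR section says."""
    addr, _, plen_txt = cidr.partition("/")
    plen = int(plen_txt) if plen_txt else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask, plen

class RoutingTable:
    """Routes are (destination/prefix, gateway or None for on-link, interface)."""

    def __init__(self, routes):
        self.routes = [(parse_cidr(dst), gw, iface) for dst, gw, iface in routes]

    def lookup(self, addr: str):
        """Longest-prefix match: among routes whose network contains addr, the
        one with the longest mask wins. Returns (gateway, interface) or None."""
        a = ip_to_int(addr)
        best = None
        for (net, mask, plen), gw, iface in self.routes:
            if a & mask == net and (best is None or plen > best[0]):
                best = (plen, gw, iface)
        return None if best is None else (best[1], best[2])

# Constructed table; the /26 route is the one quoted in the routing section.
TABLE = RoutingTable([
    ("132.236.227.0/24",  None,            "eth0"),  # assumed on-link network
    ("132.236.212.0/24",  None,            "eth1"),  # assumed on-link network
    ("132.236.220.64/26", "132.236.212.6", "eth1"),
    ("10.0.0.0/8",        None,            "eth2"),  # assumed internal networks
    ("0.0.0.0/0",         "132.236.227.1", "eth0"),  # assumed default route
])

# Assumed address space of our own site, used by the egress filter.
OUR_SPACE = [parse_cidr("132.236.0.0/16"), parse_cidr("10.0.0.0/8")]

def egress_ok(src: str) -> bool:
    """Border-router rule from the notes: let an outbound packet through only
    if its source address lies within our own address space."""
    s = ip_to_int(src)
    return any(s & mask == net for net, mask, _ in OUR_SPACE)

def urpf_ok(table: RoutingTable, src: str, arrived_on: str) -> bool:
    """Strict unicast reverse path forwarding: route the *source* address and
    accept the packet only if a reply would leave via the arrival interface."""
    route = table.lookup(src)
    return route is not None and route[1] == arrived_on

if __name__ == "__main__":
    print(TABLE.lookup("132.236.220.70"))      # ('132.236.212.6', 'eth1')
    print(urpf_ok(TABLE, "10.1.2.3", "eth0"))   # False: internal source on the outside interface
```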

Host-based firewalls:

  • It is not recommended to use a workstation as a firewall. Use a dedicated device instead.

Virtual private networks:

  • VPNs let an organization use the Internet as if it were a private network by establishing a series of secure, encrypted “tunnels” among its various locations;
  • Some VPN systems use the IPsec protocol. Others implement security on top of TCP by using TLS.

Basic network configuration

Adding a new machine to a local network goes like this:

  1. Assign a unique IP address and hostname;
  2. Configure network interfaces and IP addresses;
  3. Set up a default route and perhaps fancier routing;
  4. Point to a DNS name server to allow access to the rest of the Internet.

If you rely on DHCP for basic provisioning, most of the configuration chores for a new machine are performed on the DHCP server.

Hostname and IP address assignment

Options: through the hosts file, LDAP, the DNS system, or perhaps some combination of those options.

The /etc/hosts file is the oldest and simplest way to map names to IP addresses.

  • Best reserved for mappings that are needed at boot time.
  • Typical example: [image omitted: book page 491]

The hostname command assigns a hostname to a machine.

Network interface and IP configuration

A network interface is a piece of hardware that can potentially be connected to a network.

Every system has at least two network interfaces: a virtual loopback interface and at least one real network card or port;

You can see all the network interfaces with ip link show;

IP configuration is largely a matter of setting an IP address for the interface;

You can assign more than one IP address to an interface, although the main use case for doing so is now superseded by the HTTP Host header.

Routing configuration

Routing is performed at the IP layer.

Each ip route or route command adds or removes one route.

The commands below add a route to the 192.168.45.128/25 network through the gateway router "zulu-gw.atrust.net": [image omitted: book page 493]

You can examine a machine’s routing table with ip route show or netstat -nr (flag -n avoids DNS lookups);

Use ip route del or route del to remove entries from the routing table;

Run ip route flush or route flush to initialize the routing table and start over;

/etc/networks maps names to network numbers.

DNS configuration

To configure a machine as a DNS client, you need only set up the /etc/resolv.conf file;

It lists the name servers to query and the DNS domains that should be searched to resolve names that are incomplete: [image omitted: book page 494]

The DHCP client stuffs these addresses into the resolv.conf file for you.

Linux networking

NetworkManager

NetworkManager is a service that runs continuously, along with a system tray app for configuring individual network interfaces;

It’s usually made available as a sort of “parallel universe” of network configuration;

It is primarily of use on laptops.

ip: manually configure a network

ip comes from the iproute2 package, which also provides ss, for inspecting socket state;

ip takes a second argument for you to specify what kind of object you want to configure or examine:

  • ip link for configuring network interfaces;
  • ip address to bind network addresses to interfaces;
  • ip route for changing or printing the routing table.

Debian and Ubuntu network configuration

The hostname is set in /etc/hostname. The name in this file should be fully qualified;

The IP address, netmask, and default gateway are set in /etc/network/interfaces:

  • The ifup and ifdown commands read this file and bring the interfaces up or down;
  • Main clauses are: iface, auto.

Red Hat and CentOS network configuration

Network configuration revolves around the /etc/sysconfig directory.

The network file holds interface-independent network settings (hostname and default gateway);

Interface-specific data is stored in network-scripts/ifcfg-$IFNAME;

After changing configuration in /etc/sysconfig, run ifdown ifname followed by ifup ifname for the appropriate interface;

systemctl restart network resets networking;

Lines in network-scripts/route-$IFNAME are passed as arguments to ip route.

Linux network hardware options

The ethtool command queries and sets a network interface’s media-specific parameters such as link speed and duplex;

Useful options:

  • -r forces the parameters of the link to be renegotiated immediately;
  • -k shows which protocol-related tasks are assigned to the network interface;
  • -K sets the configuration shown by -k.

In Debian and Ubuntu, you can run ethtool commands directly from /etc/network/interfaces;

On Red Hat and CentOS systems, you can include an ETHTOOL_OPTS= line in /etc/sysconfig/network-scripts files.

Linux TCP/IP options

Tunable networking variables are under /proc/sys/net/ipv4 and /proc/sys/net/ipv6;

The conf and neigh subdirectories contain parameters that are set per interface:

  • conf/all changes parameters for all interfaces, but each variable has its own rules for how a change made via all is applied;
  • conf/default propagates new values to any interfaces that are later configured;
  • the neigh subdirectories hold the ARP and IPv6 neighbor discovery configuration.

Use the sysctl command to modify parameters;

To change parameters permanently, add the appropriate variables to /etc/sysctl.conf.

Security-related kernel variables

Default security-related network behaviors in Linux:

[image omitted: book page 513]
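
Added example (not from the book or the gist): a Python audit of the security-related behaviors discussed in the security section (IP forwarding, ICMP redirects, source routing, broadcast pings, reverse-path filtering), read from the /proc/sys/net tree that sysctl manipulates. The baseline values are this example's assumed hardened settings for a host that does not route, not the book's table; the fake tree is constructed so the audit can be exercised offline.

```python
import os
import tempfile
from typing import Optional

# Path under /proc/sys/net -> value assumed for a hardened host that does not route
BASELINE = {
    "ipv4/ip_forward":                    "0",  # not a router: no forwarding
    "ipv4/conf/all/accept_redirects":     "0",  # ignore ICMP redirects
    "ipv4/conf/default/accept_redirects": "0",  # also for interfaces added later
    "ipv4/conf/all/accept_source_route":  "0",  # drop source-routed packets
    "ipv4/icmp_echo_ignore_broadcasts":   "1",  # do not answer broadcast pings
    "ipv4/conf/all/rp_filter":            "1",  # strict reverse-path filtering (uRPF)
    "ipv6/conf/all/accept_redirects":     "0",
}

def read_sysctl(name: str, base: str = "/proc/sys/net") -> Optional[str]:
    """Read one kernel variable; None if this kernel does not provide it."""
    try:
        with open(os.path.join(base, name)) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None

def audit(base: str = "/proc/sys/net", baseline=BASELINE) -> dict:
    """Return {variable: (expected, actual)} for every variable that is
    missing or deviates from the baseline."""
    findings = {}
    for name, expected in baseline.items():
        actual = read_sysctl(name, base)
        if actual != expected:
            findings[name] = (expected, actual)
    return findings

def sysctl_fix_commands(findings: dict) -> list:
    """The sysctl -w lines (dotted names, as used in /etc/sysctl.conf) that
    would bring the deviating variables back to the baseline."""
    return [f"sysctl -w net.{name.replace('/', '.')}={expected}"
            for name, (expected, _) in sorted(findings.items())]

def write_fake_tree(base: str, values: dict) -> None:
    """Create a /proc/sys-like directory tree (for offline testing)."""
    for name, value in values.items():
        path = os.path.join(base, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(value + "\n")

def demo_audit() -> dict:
    """Audit a constructed tree with two weak settings and one missing file."""
    base = tempfile.mkdtemp(prefix="fake-proc-sys-")
    values = dict(BASELINE)
    values["ipv4/ip_forward"] = "1"                 # constructed: forwarding on
    values["ipv4/conf/all/accept_redirects"] = "1"  # constructed: redirects accepted
    del values["ipv6/conf/all/accept_redirects"]    # constructed: no IPv6 support
    write_fake_tree(base, values)
    return audit(base)

if __name__ == "__main__":
    for name, (expected, actual) in audit().items():
        print(f"{name}: expected {expected}, found {actual}")
```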

Network troubleshooting

Ask yourself questions like these as you work up or down the stack:

  • Do you have physical connectivity and a link light?
  • Is your interface configured properly?
  • Do your ARP tables show other hosts?
  • Is there a firewall on your local machine?
  • Is there a firewall anywhere between you and the destination?
  • If firewalls are involved, do they pass ICMP ping packets and responses?
  • Can you ping the localhost address (127.0.0.1)?
  • Can you ping other local hosts by IP address?
  • Is DNS working properly?
  • Can you ping other local hosts by hostname?
  • Can you ping hosts on another network?
  • Do high-level services such as web and SSH servers work?
  • Did you really check the firewalls?

ping: check to see if a host is alive

Send an ICMP ECHO_REQUEST packet to a target host and wait to see if the host answers back:

  • Syntax: ping $HOSTNAME/$IP

Routing tables, physical networks, and gateways are all involved in processing a ping;

Use ping’s -n option to prevent ping from attempting to do reverse lookups on IP addresses, when DNS is not working;

Each line shows the ICMP sequence number of one response packet. Discontinuities in the sequence indicate dropped packets;

The ping program can send echo request packets of any size with option -s. Using a packet larger than the MTU can force fragmentation;

ping doesn't distinguish the failure of a network from the failure of a server.

traceroute: trace IP packets

traceroute uncovers the sequence of gateways through which an IP packet travels to reach its destination:

  • Syntax: traceroute $HOSTNAME/$IP.

It works by setting the time-to-live field (TTL, actually “hop count to live”) of an outbound packet to a low number. As packets arrive at a gateway, their TTL is decreased.

Example from a host in Switzerland to caida.org at the San Diego Supercomputer Center:

[image omitted: book page 526]

At hop 8, we see a star in place of one of the round trip times. This notation means that no response (error packet) was received in response to the probe;

ICMP-blocking firewalls are a problem for traceroute;

If you see stars in all the time fields for a given gateway, no “time exceeded” messages came back from that machine;

traceroute needs root privileges to operate.

Use -n option to avoid DNS resolutions.

Packet sniffers

Packet sniffers listen to network traffic and record or print packets that meet criteria of your choice;

The underlying network hardware must allow access to every packet;

Sniffers read data from a raw network device, so they must run as root.

tcpdump: command-line packet sniffer

Use the -i flag to choose the interface and -n to avoid name lookups;

Store captured packets with the -w flag and read them back with the -r flag. Use the -s option with a value on the order of 1560 to capture whole packets;

[image omitted: book page 527]

The first packet shows bull sending a DNS lookup request about atrust.com to nubark. The response is the IP address of the machine associated with that name, which is 66.77.122.161.

Wireshark and TShark: tcpdump on steroids

Wireshark includes a GUI, wireshark, and a command-line tool, tshark;

Both Wireshark and tcpdump use an underlying library called libpcap for filters;

Network monitoring

SmokePing:

  • It sends several ping packets to a target host at regular intervals;
  • Useful for reachability verification.

iPerf:

  • Tool to open a TCP/UDP connection between two servers, pass data between them, and record how long the process took;
  • One machine runs the server and the other the client.

Cacti:

  • Visualization tool to store monitoring data in the form of zero-maintenance, statically sized databases;
  • RRDTool as backend.

Firewalls and NAT

It is not recommended to use a general-purpose system as the sole solution for firewalling. It can lead to no end of inconsistent behavior and mysterious network problems;

Linux iptables: rules, chains, and tables

iptables applies ordered “chains” of rules to network packets. Sets of chains make up “tables” and are used for handling specific kinds of traffic.

ufw is a frontend for iptables;

The default iptables table is named “filter”, which contains the default chains: FORWARD, INPUT, and OUTPUT;

Each packet handled by the kernel is passed through exactly one chain;

You can define a custom configuration to support more complex accounting or routing scenarios;

Another important table is “nat”, for NAT;

Rule targets:

  • Each rule that makes up a chain has a “target” clause;
  • The targets available are ACCEPT, DROP, REJECT, LOG, ULOG, REDIRECT, RETURN, MIRROR, and QUEUE.

Setup:

  • IP forwarding must be enabled;
  • Various iptables modules must have been loaded into the kernel;

A Linux firewall is usually implemented as a series of iptables commands contained in an "rc" startup script, each of which takes one of the following forms:

iptables -F chain-name
iptables -P chain-name target
iptables -A chain-name -i interface -j target

Cloud networking

In the cloud, you get to define the networking environment in which your virtual servers live.

AWS’s virtual private cloud (VPC)

The central features of VPC include:

  • Subnets to segment the VPC address space into smaller subnetworks;
  • Routing tables that determine where to send traffic;
  • Security groups that act as firewalls for EC2 instances;
  • Network Access Control Lists (NACLs) to isolate subnets from each other.

Subnets and routing tables

VPCs are regional and divided into zonal subnets, which can be public or private;

Every VPC subnet has an associated VPC routing table;

Public subnets must have a route to an Internet Gateway, managed by AWS;

For outbound access, private subnets must hop through a NAT gateway on a public subnet;

AWS’s implementation of IPv6 does not have NAT, and all instances set up for IPv6 receive “public” (i.e., routable) addresses.

Security groups and NACLs
