outline - ensimag ·...

Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS

Network Administration

Grégory Mounié

SCCI - Master-2

<2013-09-17 mar.>

1 / 75


Outline

Introduction

IP addresses

Toward IPv6

Host name

Routing

Services

Integration between different OS

2 / 75


Introduction

IP addresses

Toward IPv6

Host name

Routing

Services

Integration between different OS

3 / 75


Challenge

For people with sufficient background:easy Chat on google talk (or facebook) with XMPP on

wifi-campus/eduroam of the campushard Surf on ipv6.google.com on wifi-campus/eduroam of

the campus

3 / 75


Networks

Definition (network)group of interconnected machines

Definition (Internet)

• network of networks• based on TCP (Transmission Control Protocol) and IP(Internet Protocol) protocols

4 / 75


Networks of networks

Figure : Interconnection of networks

5 / 75


TCP/IP

Internet Protocol

• identifies network interfaces• handles routing• fragmentation of data into packets

Transmission Control Protocol

• transmissions in connected mode• error corrections, packets arriving in order

6 / 75


IP address

• unique number identifying a Network interface• eg. IPv6: 2a00:1450:4009:804::1007;

• IPv4: 74.125.230.130• eg. IPv6: fe80::2677:3ff:fe2e:22c0/64;

• IPv4: 192.168.0.1• eg. IPv6: ::1;

• IPv4: 127.0.0.1

Two parts in a single number

• fixed size number• parts of variable length• beginning part : network ID• ending part : host ID

7 / 75


IP address notation

IPv6 16 bytes, 128 bits, hexadecimal notation• aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh• :: replace a single 0 sequence

IPv4 4 bytes, 32 bits, decimal notation• aaa.bbb.ccc.ddd

8 / 75


Network IPv4 classes

3 classes of networks : the problem of the 3 bears

class A • few networks• lots of hosts• NNN.mmm.mmm.mmm

class B • not enough of middle size networks• NNN.NNN.mmm.mmm

class C • lots of networks• few hosts• NNN.NNN.NNN.mmm

9 / 75


Network mask• flexible network/machine ID size

Which bits are used for network ID and which bits are used forhost ID ?

• notation: =ip address=/X ; the X first bits are the networkaddress

• IPv4 address mask denoted 255.255.255.0(0b1111111111111111111111100000000)

Various masks

• fe80::2677:3ff:fe2e:22c0/64 : 64 bits network ID• 255.255.255.0 : mask for IPv4 class C network• 255.0.0.0 : mask for IPv4 class A network• 255.128.0.0 : IPv4 mask: 9 bits for network, 23 bits for hosts

10 / 75


Special IPv6 addresses

• 0:0:0:0:0:0:0:0, :: : host not specified• FE80::/10 (truly /64) : link-local address (autoconf)• FEC0::/10 : site-local address, non routed on Internet• FF00::/8 : address multicast• ::1/128 : loopback• ::FFFF:(IPv4 address) : double stack for IPv4 mapping• ::(IPv4 address) : IPv4 compatibility address

11 / 75


Special IPv4 addresses

• 0.0.0.0 : this host, or default• 0.host : un host of the local network• 255.255.255.255 : local broadcast• PrefixNet.[1]+ : local broadcast• PrefixNet.PrefixSubnet.[1]+ : idem• 127.x.x.x : loopback• 10/8, 172.16/12, 192.168/16 : private network• 169.254.x.y : zeroconf (bonjour) autoconf (for local usageonly)

12 / 75


Basic configuration

• ifconfig command• ifconfig -a : list all available interfaces• ip command• ip link; ip addr

ifconfig eth0 add 2a00:1450:4007:803::1017/64ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up

13 / 75


From IPv4 to IPv6

• IPv4 name adress space is too small.• Transition path was planned with the IPv6 standard (RFC2460, 1998):

• Dual stack public IP address during the transition

Planned transition failure

• Nobody has done the transition.• All plan used double stack strategies.• No public IPv4 address anymore (IANA: 3 fev 2011 !) !

14 / 75


IPv4 is a zombieIPv4 was dead long time ago !

• In 1993, IPv4 become classless : remaining C networks weregrouped in (21 bits, 2048 hosts) networks and distributedgeographically :

• Europe : 194-195.x.x.x• America : 198-199.x.x.x• Asia : 202-203.x.x.x

Large usage of private networks (NAT)

• Major architecture change.• One-way Internet connection for personal use: 1 public IPaddress per your DSL box (your CPE: customer premisesequipment)

• New services and protocols become undeployable !• Mobile phone routing (how to route efficiently multiple privatenetwork ?)

15 / 75


IPv4 is a zombie II

Early adopters have a lot of remaining addresses

• people with competences have plenty of IPv4 adresses:• eg: recent wifi-campus and eduroam give one IPv4 address

per connected student

• people without enough IPv4 address have not the competenceto manage IPv6 network

16 / 75


IPv4 is a zombi III

NAT Zoo

• NAT44 : your home, your phone network• NAT 444 : asia and africa : not a single public IP anymore !• NAT 64 : early adopters• NAT 66 : NAT lovers• NAT 464 ou 646 ??

17 / 75


Is IPv6 ready ?Big software are ready. (Chicken and eggs problem for smallsoftware)

http://www.google.com/ipv6/statistics.html

• 2% of google access (France 5%, Germany 4.5 %, Romania7.5%)

http://6lab.cisco.com/stats/

• France: 48% of prefix; 71.4% Transit AS; 50% Content; 5%users;

Grenoble academic science

• IPv6 address space mapping of Grenoble universities andlaboratories exists since 2001

• working at the main routers level• not deployed yet to end-user save exception 18 / 75


IPv6 Transition

5 main strategies:1. full dual stack: not for everybody2. tunnel: IPv6 over IPv4 to connect IPv6 islands

• trouble with MTU3. 6rd : CPE (your box) encapsulate IPv6 to the boundaries of

the FAI• Free

4. DS-Lite: the opposite of 6rd: encapsulate IPv4 packets in aIPv6 FAI network to the boundaries of the FAI.

5. NAT64: to connect to the remaining Internet from IPv6 onlycomputer

• very useful without IPv4 address (Mobile carrier soon ?)

19 / 75

http://www.google.com/ipv6/statistics.html

http://6lab.cisco.com/stats/


Host names

• needed for human readable names• IP address may change ⇒ name does not change• association between names and addresses• several names can be associated to the same address• several address can be associated to the same name

Host name versus authenticationA host name and its associated IP, are not sufficient asauthentication !

20 / 75


URL

• Uniform Resource Locator

21 / 75


Domain name

Domain Name System (DNS)

• hierarchy• subdomains : en.wikipedia.org• recursive address resolution

• heavy use of caching• slow propagation of changes (up to several days)• different addresses may be seen for a name if requests originate

from different places

Host name versus authenticationA host name and its associated IP, are not sufficient asauthentication !

22 / 75


Address resolving

different mechanisms

• configuration in /etc/nsswitch.conf• DNS servers IP : /etc/resolv.conf• /etc/hosts : list of known hosts• may be the cause of process stall

23 / 75


DNSSEC

• No security in the original design ⇒ forged address byman-in-the-middle attack

• Digitally sign the record with public key cryptography and achain of trust (subdomain key is recursively authenticated byits domain, the root are trusted)

24 / 75


Private Network is not a protection• private IP ⇒ no direct connection from Internet

• still indirect connection are possible

Browser + DNS attack

1. Browsers download web pages including javascript code2. Javascript code can connect only with the server3. the server IP is given by the DNS of the server4. the DNS of the server may choose a small timeout for the

caching of the resolution5. the DNS may answer a different address at the second

resolution6. the DNS answer may include a private IP adress7. Javascript may connect to any local computer with private IP

(eg. your DSL box and its configuration)

25 / 75


Routing

• routing handled by the IP protocol• routes are found from neighbors to neighbors• possibility of several routes from source to target• routes could be asymmetric• bugs: cycle, sink, half-broken routes, . . .

• mechanisms to destroy packets (TTL)• mechanisms to inform sender of the troubles (ICMP)

26 / 75


Example of bad routing (real case I)

• Not enough ethernet plug in an office ⇒ add a 10 eurosswitch in the office

• Wait some time ⇒ the switch is connected with two of itsports to two plugs

• enjoy your slow network due to packet loop of every broadcastpacket

Cables are the problemCables are always the problem.

27 / 75


Example of bad routing (real case II)• Security is important, thus ICMP is filtered.• Somebody needs of a large bandwidth between two cities ⇒multiway connection with automatic load-balancing

• somebody check the performance: it is working !• One of the way become broken (somebody change routingsomewhere in the path, or unplug a cable)

• High loss rate of TCP packets ⇒ slow but working TCPconnections.

• End point observation of the traffic is quite normal (no ICMPerror packet reported)

• Wait months, or years, before somebody really check again theperformance and spot the problem.

ICMP filteringNetwork are complex ! ICMP packets are important ! FilteringICMP increase the difficulty to debug any problem.

28 / 75


IP headers

29 / 75


IPv4 headers

30 / 75


Routing tables

• on each host : a table indicating to what network interface apacket should be routed

• many possible destinations ⇒ table contains generally networkaddresses rather than hosts addresses

• table displayed and configured by the ip or the routecommands

31 / 75


ip=/=route

• man ip• ip route add 2a00:1450:4007:803::/64 dev eth0• man route : good for common tasks (examples)• route : displays routing table• route add -net 2a00:1450:4007:803::/64 dev eth0• route add -net 192.56.76.0 netmask 255.255.255.0dev eth0

• route add default gw univ-gw

32 / 75


Traceroute6~> $ traceroute6 ucla.edutraceroute to ucla.edu (2607:f010:3fe:101:0:ff:fe01:32), 30 hops max, 80 byte packets1 2a01:e35:2433:1510::1 (2a01:e35:2433:1510::1) 3.444 ms 3.396 ms 3.377 ms2 * * *3 th2-crs16-1.intf.routers.proxad.net (2a01:e00:2:d::1) 47.402 ms 47.418 ms 47.402 ms4 bzn-crs16-1-be2000.intf.routers.proxad.net (2a01:e00:1:6::1) 47.415 ms 47.398 ms 47.381 ms5 londres-6k-1-po101.intf.routers.proxad.net (2a01:e00:1:a::2) 68.444 ms 70.827 ms *6 2a01:5d8:e000:0:401:402:0:2 (2a01:5d8:e000:0:401:402:0:2) 65.581 ms 48.089 ms *7 20gigabitethernet1-3.core1.ams1.ipv6.he.net (2001:7f8:1::a500:6939:1) 53.755 ms 53.701 ms 53.684 ms8 10gigabitethernet1-4.core1.lon1.he.net (2001:470:0:3f::1) 53.668 ms 53.653 ms 64.754 ms9 10gigabitethernet7-4.core1.nyc4.he.net (2001:470:0:128::1) 127.037 ms 116.096 ms 113.389 ms

10 10gigabitethernet5-3.core1.lax1.he.net (2001:470:0:10e::1) 199.101 ms 192.953 ms 187.097 ms11 lax-hpr--he-peer.cenic.net (2001:468:e00:801::1) 187.047 ms * *12 dc-lax-core2--lax-px1-10ge-2.cenic.net (2607:f380::118:9a42:e981) 191.549 ms 191.456 ms 197.117 ms13 2607:f380::118:9a42:e871 (2607:f380::118:9a42:e871) 190.425 ms * *14 * * *15 2607:f010:bff:f012:0:ff:fe00:1 (2607:f010:bff:f012:0:ff:fe00:1) 235.370 ms 224.552 ms 193.341 ms16 core-2--csb1-1.backbone.ucla.net (2607:f010:bff:e007:2d0:3ff:fed3:7800) 188.900 ms 192.547 ms 192.536 ms17 core-2--csb1-1.backbone.ucla.net (2607:f010:bff:e007:2d0:3ff:fed3:7800) 3194.885 ms !H * *

33 / 75


BGP

• Border Gateway Protocol (RFC 1771)• communication of routing tables between ISP• autonomous systems• dampening• openbsd implementation : openbgpd

34 / 75


ARP protocol

• IP : high level protocol• network card : mainly ethernet protocol• correspondence between MAC addresses and IP addresses:

• Very usefull ⇒ Address Resolution Protocol, part of IPv6(ARPv6)

35 / 75


ARP table

# ip neighfe80::207:cbff:fec3:6fd dev wlan0 lladdr 00:07:cb:c3:06:fd router STALE192.168.1.254 dev wlan0 lladdr 00:07:cb:c3:06:fd STALE# arpAddress HWtype HWaddress Flags Mask Iface10.6.8.254 ether 00:07:EC:CD:18:CA C eth2

36 / 75


External connections

• use of a gateway• a gateway binds two different networks

37 / 75


Two network cards

• eth0 and eth1 in two different networks• host acting as a gateway• other hosts modify their routing tables• activate forwarding• echo 1 > /proc/sys/net/ipv4/ip_forward

38 / 75


Masquerading/NAT

• we lie on origin of all outgoing packets• packets will be tagged as coming from gateway• goal : connecting a subnet by using only 1 IP address• gateway in charge of correspondences

• note: the connected subnet should be a local network(192.168.X.X)

• similar usage: 4-to-6, 6-to-4, 4-to-4-to-4, 6-to-6-to-6

39 / 75


Masquerading

• Masquerading-Simple-HOWTO• iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE• iptables will be presented in details in following courses

40 / 75


Useful commands

• netstat : lists active sockets• lsof : lists processes using sockets• telnet : sending data interactively• netcat : like cat for network

41 / 75


Several ways to select the IPv6 address

1. static address (by hand or configuration file)2. Router Advertisement and automatic selection of the machine

ID (SLAAC)3. DHCPv6

42 / 75


Several ways to select the IPv4 address

1. static address (by hand or configuration file)2. DHCP3. Zeroconf/autoconf (IPv6 link-local for the poor IPv4 guy)

Zeroconf/autoconf

1. choose randomly a IP in 169.254.x.y range2. Ask using ARP (broadcast) if somebody use it3. If no answer comes, use it and defend it against following ARP

request.

43 / 75


Services

Servers are executed as daemons

Examples of services

• print server• web server• ftp server• game servers• . . .

44 / 75


Port number

• different services on one host• how to differentiate them ?

• port number• one service = one port + one protocol• standard numbers (web=80, . . . )• entry points on a host

Port number are not part of IPWorking on port number ⇒ understand the transport protocol

45 / 75


TCP communications

Client side 1. create a socket2. connect to remote host on given port3. connection accepted or refused4. communications following protocol

Server side 1. create a socket2. bind socket to given port3. accept or refuse incoming communications

46 / 75


Common services

Services are commonly using well-known port numbers(/etc/services)

• ftp : 21• ssh : 22• telnet : 23• www : 80• pop3 : 110• imaps : 993• . . .

47 / 75


Others protocols than TCP

• UDP : IP + port number• SCTP : TCP with messages, multiple streams, multi-homing,4 ways handshake

• DCCP : UDP with TCP-like connection for congestion control(no resend of lost packet)

48 / 75


DHCP server

• centralize network configuration• configures IP addresses, routing tables, DNS servers• server : dhcpd• client : dhchcd, pump, dh_client

• communication by broadcast

Fully integrated in IPv6 (DHCPv6)

49 / 75


Web server

• usually apache (51%; Netcraft Survey)• many other servers (30+; 11%)• IIS (20%), nginx (15%), caudium, yaws, araneida, boa• installation from packages• configuration files in /etc/apache2• many different modules

50 / 75


Mail server

• sending :• routing from servers to servers

• smtp protocol• servers : exim (46%; http://securityspace.com 2012

survey), sendmail (25%), postfix (11%), exchange (9%)

• receiving :

• receiving mail in the spool• /var/mail/wagnerf• through network : POP3, IMAP

2 actors

• MTA (mail server) : send, exchange, store email• MUA (thunderbird, webmail) : allow a user to read his email.

51 / 75

http://securityspace.com


News server

Old school forum/data exchange.

• messages exchanged in newsgroups• port 119• NNTP protocol : transfer between servers replicatingnewsgroups

• NNRP protocol : to read news• servers : INN, Dnews, . . .

52 / 75


DNS server

• name resolver• symbolic name ⇒ IP address• port 53 udp or tcp• server : Bind

53 / 75


Distant connections

• ssh (http://www.openssh.org)• telnet• rlogin

54 / 75


Proxy

• proxy : intermediate element between client and server• handle the flow of data• goals :

• filter : forbid or remove• cache : accelerate• anonymity : hide end users• authenticate : simple access to protected resources

55 / 75

http://www.openssh.org


Proxy server

56 / 75


Some web proxies

• squid• caching proxy

• junkbuster• removes advertising from web pages

57 / 75


TOR

58 / 75


Heterogeneous networks

Lots of different OS in the same network:

• Linux (300 versions) + freebsd +macOS X (2-3 versions) + VariousUnixes + Windows NT + WindowsXP + Windows 2000 Server +Windows Vista + Windows 7 +Windows 8

• . . .

59 / 75


Goals

• network ⇒ sharing of resources• printers• files• zip drive, backup services• . . .

• sharing access to internet• gateway + masquerading

60 / 75


Structure

61 / 75


IP network

• easy to put in place• standard protocol• available on all systems• immediate interconnection

• resources sharing ?• unix standards• efficient• not (easily) compatible with windows

62 / 75


File sharing

• NFS (Network File Sharing)• server exports file systems• client mounts remote file systems• completely transparent• kernel or user-space driver• simple configuration compare to other solution

(NFSv4+Kerberos vs AFS ?)

63 / 75


Printers• cups, one daemon per host, implementing a three stepssystems:1. scheduler/spooler for collecting and routing documents2. filter for converting the document into the language of the

printer3. backends (ipp, http, ftp, usb)

• /etc/cups/cupsd.conf• all daemons are communicating• Web interface (http://localhost:631)

In case of problem, add a level of indirection

• To avoid to set up the list of printer on all computer, thedaemons exchange theirs known list of printers.

• To avoid to set up the printer driver on all computer, translatethe document format to the printer language if different.

64 / 75


Other devices

• often NFS is sufficient (e.g. for ZIP drive)• special services for some devices:

• scanner : sane• sound : nas, . . .• applications : X

• but how to authenticate users ?

65 / 75


Yellow pages

• NIS: Network Information Service• centralize network configuration

table of administrative informations on one server

• user informations (uid, gid)• domain names• host names in one domain• NFS

66 / 75


NIS

• clients broadcast requests• one map for each service• ypcat map to see one

• only one manipulation to add a user on the whole network (ordisk, . . . )

• problems• important network use• may not scale very well ⇒ NIS caches

67 / 75

http://localhost:631


LDAP

• LDAP is similar to NIS• TLS connection• storing X.500 tree of attributes/values• ldap/ldaps port 389/636• eg. dn:uid=toto,ou=people,dc=example,dc=org

68 / 75


Standards

Several organizations develop standards

• ISOC (internet society)• IETF (internet engineering task force)• IAB (internet architecture board)• RIPE (Réseaux IP Européens)

69 / 75


Standards development

• at first : RFC (Request For Comments)• proposals for new standards• informative notes

• in the old times. . .• if RFC was OK ⇒ implemented ⇒ standard• decision from developers and community

70 / 75


Standards development

modification in 1993/1994:

• development of the web• internet gains in users• development from trade• netscape and microsoft add extensions to html

• format wars (javascript/active X)• no respect for standard procedure ⇒ loss of compatibilities for

the internet

HTML5HTML5 is, hopefully, more "old school" from this point of view(save <video>)

71 / 75


netbios / netbui

• proprietary protocol• development with NT (beginning 90)• developed by microsoft, no RFC• allows

• sharing of files• sharing of printers• a little remote administration

• initially undocumented

72 / 75


SAMBA

• implementation of netbui for unix• client• server

• set of tools• administration of windows domains• mount windows disks• mount unix disks under windows• user accounts handling

73 / 75


Configuration

• often installed by default• /etc/samba/smb.conf

• network configuration [global]• disks :• accounts (homes) [homes]• public disks (applications) [public]• printers [printers]

74 / 75


Samba programs

smbclient • ftp-like• access to all windows resources

smbmount • mount windows directories• careful with rights !

75 / 75

outline - ensimag ·...

Documents