Martin Černý, Jan Fürman (Martin.Cerny@cesnet.cz, Jan.Furman@cesnet.cz)
Department of Computer Systems, Faculty of Information Technologies, Czech Technical University in Prague, 2010-2011
European Social Fund Prague & EU: Investing in your future
Lecture content:
1) Virtualization basics
2) Virtual LAN
3) MPLS
4) Private networks and NAT
5) IP tunnels
6) Coexistence of IPv6 with IPv4
Virtualization basics
- One physical infrastructure, several independent logical networks: we have powerful hardware, but we need several less powerful, separate networks
- Historical evolution of switch ports: physical separation at first, then trunks carrying several VLANs over one physical link
Virtual LAN
- Physical ports are separated into several VLANs
- Using the same VLANs on different switches requires a separate connection for each VLAN
VLAN standard: IEEE 802.1Q
- Saves physical port connections
- There are also other (proprietary) VLAN technologies, such as Cisco ISL
802.1Q frame structure (Source: Wikipedia.org)
- TPID (Tag Protocol Identifier), 16 bits... set to 0x8100, which identifies the frame type as 802.1Q
- PCP (Priority Code Point), 3 bits... used by QoS
- CFI (Canonical Format Indicator), 1 bit... determines the byte order (big/little endian) of the MAC addresses (Ethernet 0, Token Ring 1)
- VID (VLAN identifier), 12 bits... numerical ID of the VLAN the frame belongs to
Figure: an 802.1Q tagged frame as shown in Wireshark (www.wireshark.org)
802.1Q - features
- A tagged frame has a maximum size of 1522 bytes ("baby giant"; a basic untagged Ethernet frame has only 1518)
- This can be a problem with some old Linux drivers and when transmitting over trunks across switches with no 802.1Q support
- Up to 4094 VLANs can be defined (VLAN IDs 0 and 4095 are reserved)
- The native VLAN is carried untagged on trunks
- QinQ: recursive tagging, useful mainly for ISPs
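The tag layout and the QinQ chain described on the two slides above, as an added Python example (not code from the lecture). It decodes TPID, PCP, CFI and VID from constructed frames, walks a double-tagged QinQ frame, flags the reserved VLAN IDs 0 and 4095, and computes the size limit per tag count. The 0x88A8 outer TPID is the IEEE 802.1ad value and is an assumption of the example, not something the slides state; all frames are constructed sample data.

```python
"""Decode the VLAN tag chain of an Ethernet frame (802.1Q, QinQ).

Added example for these lecture slides, not code from the lecture.
All frames below are constructed sample data.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100         # customer tag (the 802.1Q TPID from the slides)
TPID_8021AD = 0x88A8        # service (outer) tag used by QinQ; IEEE 802.1ad value (assumption)
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1518   # bytes, FCS included
RESERVED_VIDS = (0, 4095)   # 0 = priority tag only, 4095 = reserved


@dataclass
class VlanTag:
    tpid: int
    pcp: int   # 3 bits, priority code point (QoS)
    cfi: int   # 1 bit, canonical format indicator
    vid: int   # 12 bits, VLAN identifier


def parse_vlan_tags(frame: bytes):
    """Return (dst, src, [tags outer..inner], ethertype, payload).

    Each 802.1Q tag is 4 bytes: a 16-bit TPID followed by a 16-bit TCI holding
    PCP (3), CFI (1) and VID (12). The loop continues while the EtherType
    position holds a TPID, so a QinQ frame yields two tags.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return dst, src, tags, ethertype, frame[offset + 2:]


def max_frame_size(tag_count: int) -> int:
    """Each tag adds 4 bytes: one tag gives the 1522-byte 'baby giant'."""
    return MAX_UNTAGGED_FRAME + 4 * tag_count


def frame_problems(frame: bytes) -> list:
    """Report reserved VLAN IDs and frames larger than their tag count allows."""
    _, _, tags, _, _ = parse_vlan_tags(frame)
    problems = [f"reserved VID {t.vid}" for t in tags if t.vid in RESERVED_VIDS]
    if len(frame) > max_frame_size(len(tags)):
        problems.append(f"{len(frame)}-byte frame exceeds {max_frame_size(len(tags))}")
    return problems


def build_frame(dst: bytes, src: bytes, tags, ethertype: int, payload: bytes) -> bytes:
    """Build a frame; `tags` is a list of (tpid, pcp, cfi, vid) outer..inner."""
    out = dst + src
    for tpid, pcp, cfi, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (cfi << 12) | vid)
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (no FCS appended)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = bytes(46)
UNTAGGED = build_frame(DST, SRC, [], ETHERTYPE_IPV4, PAYLOAD)
TAGGED_101 = build_frame(DST, SRC, [(TPID_8021Q, 5, 0, 101)], ETHERTYPE_IPV4, PAYLOAD)
QINQ = build_frame(DST, SRC, [(TPID_8021AD, 0, 0, 2000), (TPID_8021Q, 0, 0, 101)],
                   ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("802.1Q", TAGGED_101), ("QinQ", QINQ)):
        _, _, tags, etype, _ = parse_vlan_tags(frame)
        print(name, [(hex(t.tpid), t.pcp, t.vid) for t in tags], hex(etype))
```

A switch that does not understand the outer TPID treats the QinQ frame's first tag as an unknown EtherType, which is the same situation the slide describes for trunks across switches without 802.1Q support.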
Configuration example of 802.1Q - CISCO

Router:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.101
 encapsulation dot1q 101
 ip address 192.168.1.2 255.255.255.0

Switch:
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,101,102,1002-1005
 switchport mode trunk
!
interface FastEthernet0/10
 switchport access vlan 101
 switchport mode access
Configuration example of 802.1Q - Linux

# vconfig add eth0 101
# ifconfig eth0.101 192.168.0.1 netmask 255.255.255.0

- A virtual interface is created (you can use it like any other physical interface)
- The Linux kernel must support 802.1Q (or you can use the loadable module 8021q)
MPLS - Multi Protocol Label Switching (RFC 3031)
- Used mainly by ISPs for its data transfer speed
- Basic idea: IP routing (hungry for system resources) is performed only once, at the entrance to the MPLS network; after that the packet is forwarded through the network using a simple tag (label), which is much quicker and more efficient
- Even in an MPLS network an IP routing protocol must be running; it is used to exchange IP prefixes among the PE (Provider Edge) routers
MPLS (Source: enskay.com)
- CE (Customer Edge)... router at the client side that connects the client to the MPLS network
- PE (Provider Edge)... border router of the MPLS network, used for packet labeling
- P (Provider)... core MPLS router (routes packets according to labels)
Figure: MPLS network (Source: cisco.com)
LDP - Label Distribution Protocol (RFC 5036)
- Used to build MPLS forwarding tables and to create LSPs (Label Switched Paths): paths through the MPLS network
- In case of a link failure, packets are routed over a backup path (quicker convergence compared to common IP routing protocols)
- Depends on IP routing information from the IGP
Placement of the MPLS header (tag) (Source: polaris.umuc.edu)
- MPLS is usually called ISO OSI layer 2.5
- There can be more than one MPLS header (they form a chain; an example use is MPLS VLANs)
MPLS tag structure (Source: hep.ucl.ac.uk)
- Exp. bits can carry QoS information
- S bit = 1... means that this label is the last one and is followed by the L3 header
- TTL... safety precaution against packet looping
MPLS forwarding table (Source: waset.org)
- show mpls forwarding-table... shows the LFIB (Label Forwarding Information Base) on a Cisco device
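The label stack, S bit, TTL and LFIB lookup from the preceding slides, as an added Python example (not code from the lecture). It parses a chain of 32-bit MPLS shim headers, then forwards a constructed packet through a P router that swaps the label and an egress PE that pops it, dropping packets whose TTL has expired or that have no LFIB entry. The LFIB contents, router names and packet bytes are constructed for the demonstration.

```python
"""MPLS label stack parsing and LFIB-style forwarding (swap / pop).

Added example for these lecture slides, not code from the lecture.
The LFIB entries and packets below are constructed sample data.
"""
import struct


def parse_label_stack(data: bytes):
    """Return (labels outer..inner, bytes after the last label).

    Each shim header is 32 bits: label (20), exp (3), S (1), TTL (8).
    The chain ends at the entry whose S bit is 1.
    """
    labels, offset = [], 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack (no entry with S=1)")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "s": (word >> 8) & 1, "ttl": word & 0xFF}
        labels.append(entry)
        offset += 4
        if entry["s"]:
            return labels, data[offset:]


def build_label_stack(entries) -> bytes:
    """`entries` is a list of (label, exp, ttl) outer..inner; S is set on the last."""
    out = b""
    for i, (label, exp, ttl) in enumerate(entries):
        s = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)
    return out


def forward(lfib: dict, packet: bytes):
    """Forward one labelled packet according to a router's LFIB.

    lfib maps incoming label -> (action, outgoing label, next hop), where the
    action is "swap" (P router) or "pop" (egress PE / penultimate hop).
    Returns (new packet, next hop), or (None, reason) when the packet is dropped.
    """
    labels, payload = parse_label_stack(packet)
    top = labels[0]
    if top["label"] not in lfib:
        return None, "no LFIB entry"
    if top["ttl"] <= 1:
        return None, "TTL expired"        # the loop protection mentioned on the slides
    action, out_label, next_hop = lfib[top["label"]]
    top["ttl"] -= 1
    if action == "swap":
        top["label"] = out_label
        new_stack = labels
    elif action == "pop":
        new_stack = labels[1:]            # exposes the inner label or the L3 packet
    else:
        raise ValueError(f"unknown action {action}")
    # Real routers copy the label TTL into the IP header on the final pop;
    # this example leaves the payload untouched.
    rebuilt = build_label_stack([(l["label"], l["exp"], l["ttl"]) for l in new_stack])
    return rebuilt + payload, next_hop


# Constructed LFIBs: P1 swaps 16 -> 17 toward P2; PE2 pops 17 toward its CE
LFIB_P1 = {16: ("swap", 17, "P2")}
LFIB_PE2 = {17: ("pop", None, "CE2")}
IP_PACKET = b"\x45\x00\x00\x14" + bytes(16)   # constructed IPv4 header bytes


def walk(packet: bytes):
    """Push the packet through P1 and then PE2; return (final packet, next hops)."""
    hops = []
    pkt, nh = forward(LFIB_P1, packet)
    hops.append(nh)
    if pkt is None:
        return None, hops
    pkt, nh = forward(LFIB_PE2, pkt)
    hops.append(nh)
    return pkt, hops


if __name__ == "__main__":
    print(walk(build_label_stack([(16, 0, 64)]) + IP_PACKET))
```

A two-entry stack (an outer transport label and an inner VPN label) passes through the P router unchanged apart from the outer label and TTL, which is what makes the L3 VPN service described later possible without the core routers knowing the customer prefixes.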
MPLS services - VPN (Source: ixiacom.com)
- L3 VPN: routing of IP packets from a defined source to a defined destination over the MPLS network
- There is no encryption, just traffic separation from other users
MPLS services - TE (Traffic Engineering) tunnels
- Allow tunnels with defined attributes (throughput, latency) to be established over the MPLS network
- RSVP (Resource Reservation Protocol) is used to establish and control an MPLS path with the requested attributes
- TE tunnels are one-way only
MPLS services - VPLS (Virtual Private LAN Service)
- Interconnection of Ethernet segments over MPLS at layer 2 of the ISO OSI model (pseudo-wire), RFC 4761, 4762
- From the point of view of the connected Ethernet segments, the MPLS backbone looks like a switch
- Two MPLS tags: forwarding and membership of the given VPLS network
- Generally higher reliability compared to a WAN connection (the MPLS core usually has a redundant topology)
MPLS features
- An MPLS network is able to carry different kinds of traffic (IPv4, IPv6, ATM, SONET, FR, ...)
- In practice MPLS usually carries just IP or Ethernet (EoMPLS)
- MPLS can be implemented over many common L2 technologies (Ethernet, E1, ATM, DSL, FR, ...)
Private networks and NAT
- The Internet is growing unstoppably (there are more than 300000 IP prefixes in the global routing tables)
- IPv4 addresses will be depleted within several years (all of them are now allocated to the RIRs)
- Solutions:
  - IPv6
  - More efficient use of the current IP address range (return of unused IP addresses, IP address deals, ...)
  - Lower consumption of public IP addresses (NAT)
Private IP networks
- Defined in RFC 1918
- These addresses are not routable on the Internet (core routers should drop any packet whose destination is in these address ranges)
  - 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
  - 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
  - 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
- Only for local IP addressing of the inside network behind NAT (no collision with global IP addresses)
NAT - Network Address Translation
- Generally means M:N address translation
- 1:N translation is usually called masquerading
- If M != N, UDP/TCP port numbers must also be translated (NAPT, PAT)
- Enhanced security (in cooperation with a firewall): inside computers are not directly accessible from the global Internet
- This is the opposite of the basic concept of the Internet, where mutual direct accessibility of all devices should be the standard
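The RFC 1918 ranges and the NAPT behaviour of the two slides above, as an added Python example (not code from the lecture). It checks membership in the three private ranges and simulates a masquerading translation table: outbound packets from the inside prefixes get the single outside address and a fresh port, while inbound packets are only translated back when a mapping exists and the sender was previously contacted from inside, which is the "not directly accessible" property. The inside prefixes, outside address and 5-tuples are constructed sample values.

```python
"""RFC 1918 check and a 1:N NAPT (masquerading) translation table.

Added example for these lecture slides, not code from the lecture.
Addresses and ports below are constructed sample values.
"""
import ipaddress

RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for addresses in the three private ranges of RFC 1918."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETWORKS)


class Napt:
    """Translate many inside (ip, port) pairs to one outside IP with distinct ports.

    `inside_networks` plays the role of the access-list on the Cisco NAT slide:
    only sources inside those prefixes are translated.
    """

    def __init__(self, outside_ip, inside_networks, first_port=1024, last_port=65535):
        self.outside_ip = outside_ip
        self.inside_networks = [ipaddress.ip_network(n) for n in inside_networks]
        self.next_port = first_port
        self.last_port = last_port
        self.mappings = {}   # (proto, inside_ip, inside_port) -> {"port": .., "peers": set()}
        self.by_port = {}    # (proto, outside_port) -> (inside_ip, inside_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate the source of an inside->outside packet; returns the new 5-tuple."""
        if not any(ipaddress.ip_address(src_ip) in n for n in self.inside_networks):
            return proto, src_ip, src_port, dst_ip, dst_port   # not ours: untranslated
        key = (proto, src_ip, src_port)
        entry = self.mappings.get(key)
        if entry is None:
            if self.next_port > self.last_port:
                raise RuntimeError("outside port pool exhausted")
            entry = {"port": self.next_port, "peers": set()}
            self.by_port[(proto, self.next_port)] = (src_ip, src_port)
            self.mappings[key] = entry
            self.next_port += 1
        entry["peers"].add((dst_ip, dst_port))   # remember who was contacted
        return proto, self.outside_ip, entry["port"], dst_ip, dst_port

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate the destination of an outside->inside packet.

        Returns None (drop) when no mapping exists or when the sender was never
        contacted from inside: unsolicited traffic cannot reach inside hosts.
        """
        if dst_ip != self.outside_ip:
            return None
        inside = self.by_port.get((proto, dst_port))
        if inside is None:
            return None
        entry = self.mappings[(proto,) + inside]
        if (src_ip, src_port) not in entry["peers"]:
            return None
        return proto, src_ip, src_port, inside[0], inside[1]


if __name__ == "__main__":
    nat = Napt("203.0.113.5", ["10.10.10.0/24", "10.10.20.0/24"])
    print(nat.outbound("tcp", "10.10.10.7", 40000, "198.51.100.9", 80))
    print(nat.inbound("tcp", "198.51.100.9", 80, "203.0.113.5", 1024))
    print(nat.inbound("tcp", "192.0.2.1", 4444, "203.0.113.5", 1024))
```

Two inside hosts using the same source port get different outside ports, which is the port translation (NAPT/PAT) the slide says becomes necessary once M != N. The peer check is what a stateful firewall adds on top of plain translation; a translator that accepted any packet to a mapped port would expose the inside host to anyone who guessed the port.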
Figure: NAT translation table (Source: cisco.com)
NAT example configuration - CISCO (Source: cisco.com)

interface ethernet 0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface ethernet 1
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface serial 0
 ip address 172.16.10.64 255.255.255.0
 ip nat outside
ip nat inside source list 1 interface serial0 overload
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255

Useful troubleshooting commands:
- show ip nat translations
- show ip nat statistics
- debug ip nat
NAT example configuration - Linux

# echo 1 > /proc/sys/net/ipv4/ip_forward
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

- eth1... interface of the internal network
- eth0... interface of the external network (Internet)
Interconnection of private networks over the global Internet (IP tunnels)
Tunneling protocol examples
- GRE tunnel
- IPSec tunnel
- Other tunnels using transport over UDP/TCP/ICMP
GRE (Generic Routing Encapsulation) protocol (RFC 1702) (Source: pygor.org)
- Point-to-point tunnel
- IP protocol type 47
- A GRE tunnel is able to carry various kinds of packets (IPv4, IPv6, IPX, ...)
GRE protocol packet structure
- C... checksum present, R... routing present, K... key present, S... sequence number present, s... strict source route
- Recur... recursion control
- Flags... reserved, must be set to 0
- Version... version of the GRE protocol, 0
- Protocol type... type of the payload, like the similar field in Ethernet frames
- Offset... header size when using source routing (not used)
- Key... data flow identification; it does not have any security meaning!!!
- Sequence number... can be used for packet reordering
- Routing... source route records (not used)
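The header fields listed on the slide, as an added Python example (not code from the lecture). It builds and parses GRE headers with the optional checksum, key and sequence number fields in the order the flag bits dictate, and verifies the checksum with the standard ones' complement sum. The key is carried and returned as a plain 32-bit number, which illustrates the slide's point that it is a flow identifier with no security meaning. Packets are constructed sample data; source-routed headers (R bit) are rejected rather than parsed, since the slide notes routing is unused.

```python
"""Build and parse GRE headers (RFC 1701/1702 layout) with checksum verification.

Added example for these lecture slides, not code from the lecture.
Packets below are constructed sample data.
"""
import struct

GRE_VERSION = 0


def internet_checksum(data: bytes) -> int:
    """Standard 16-bit ones' complement checksum (the same algorithm as IP/UDP use)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(protocol: int, payload: bytes, key=None, seq=None, checksum=False) -> bytes:
    """2 bytes of flags/version, 2 bytes protocol type, then the optional fields
    in the order checksum+offset, key, sequence number."""
    flags = (int(checksum) << 15) | (int(key is not None) << 13) | (int(seq is not None) << 12)
    header = struct.pack("!HH", flags | GRE_VERSION, protocol)
    if checksum:
        header += struct.pack("!HH", 0, 0)           # checksum placeholder, offset 0
    if key is not None:
        header += struct.pack("!I", key)             # plain 32-bit flow id, no secrecy
    if seq is not None:
        header += struct.pack("!I", seq)
    if checksum:
        csum = internet_checksum(header + payload)   # covers GRE header and payload
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(data: bytes) -> dict:
    """Decode flag bits, protocol type, optional fields and payload into a dict."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, protocol = struct.unpack_from("!HH", data, 0)
    h = {"C": (flags_ver >> 15) & 1, "R": (flags_ver >> 14) & 1, "K": (flags_ver >> 13) & 1,
         "S": (flags_ver >> 12) & 1, "s": (flags_ver >> 11) & 1,
         "recur": (flags_ver >> 8) & 0x7, "flags": (flags_ver >> 3) & 0x1F,
         "version": flags_ver & 0x7, "protocol": protocol}
    if h["R"]:
        raise ValueError("source routing (R bit) is not supported here")
    offset = 4
    if h["C"]:
        h["checksum"], h["offset"] = struct.unpack_from("!HH", data, offset)
        offset += 4
        # With a correct checksum the ones' complement sum of the whole packet is zero
        h["checksum_ok"] = internet_checksum(data) == 0
    if h["K"]:
        (h["key"],) = struct.unpack_from("!I", data, offset)
        offset += 4
    if h["S"]:
        (h["sequence"],) = struct.unpack_from("!I", data, offset)
        offset += 4
    h["payload"] = data[offset:]
    return h


if __name__ == "__main__":
    pkt = build_gre(0x0800, b"\x45\x00\x00\x14" + bytes(16), key=0x1234, seq=7, checksum=True)
    print(parse_gre(pkt))
```

The checksum only detects accidental corruption: anyone who can inject into the tunnel can compute it, just as they can read and reuse the key, which is why GRE on its own provides no authentication and is combined with IPSec when that is needed.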
Example configuration of a GRE tunnel - CISCO

Router A:
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
 tunnel mode gre ip

Router B:
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source 192.168.2.1
 tunnel destination 192.168.1.1
 tunnel mode gre ip
Example configuration of a GRE tunnel - Linux

# modprobe ip_gre
# ip tunnel add gretun mode gre local 192.168.1.1 remote 192.168.2.1 ttl 64 dev eth0
# ip address add dev gretun 10.0.0.1 peer 10.0.0.2/32
# ip link set dev gretun up
# ip route add 10.10.10.0/24 via 10.0.0.2
IPSec
- Standardized VPN protocol (RFC 4301, 4309)
- Enables authentication of the source and destination (AH) and encryption of the transmitted data (ESP); they can be used individually, with header chaining, ...
- Security framework: various encryption and hash algorithms can be used
- Mutual authentication using a shared key or an X.509 certificate
- Tunnel mode or transport mode
Figure: IPSec overview (Source: unixwiz.net)
AH (Authentication Header) (Source: unixwiz.net)
- Secures data integrity and source authentication
- Next hdr... next header type
- AH len... AH header length
- Reserved... set to 0
- SPI... number identifying the SA (security association)
- Sequence number... incrementing sequence numbers, protection against packet spoofing
- Auth. Data... cryptographic material for authentication purposes, variable length
ESP (Encapsulating Security Payload) (Source: unixwiz.net)
- Does not affect the packet header (unlike AH), but in tunnel mode the whole packet including its header is encrypted and thus protected
- SPI... number identifying the SA (security association)
- Sequence number... increasing sequence numbers, protection against packet spoofing
- Encrypted payload... encrypted data (the original packet) including the necessary cryptographic material
- Padding, pad len... padding and its length
- Next header... header type of the encrypted packet
- Authentication data... cryptographic material for authentication purposes
- ESP secures data integrity, authentication and encryption
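The SPI, sequence number and authentication data fields of the AH and ESP slides, as an added Python example (not code from the lecture) of what a receiver does with them: look up the security association by SPI, pre-check the sequence number against a sliding anti-replay window, verify the integrity check value, and only then advance the window. To keep the cipher out of the way it uses ESP with NULL encryption and an HMAC-SHA256 integrity value truncated to 16 bytes; the SA, key and packets are constructed, and the window algorithm follows the RFC 4303 description rather than any particular implementation.

```python
"""ESP-style receive processing: SA lookup by SPI, anti-replay window, ICV check.

Added example for these lecture slides, not code from the lecture. ESP with
NULL encryption and an HMAC-SHA256 ICV is used so the integrity and
anti-replay logic can be shown without a cipher; keys and data are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 16   # truncated HMAC-SHA256 output (HMAC-SHA-256-128)


class AntiReplayWindow:
    """Sliding window over received sequence numbers (RFC 4303 style).

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    records whether top - i has been seen. Sequence number 0 is never valid.
    """

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        """Would this sequence number be accepted? (does not modify state)"""
        if seq == 0:
            return False
        if seq > self.top:
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                        # too old to track: treated as replay
        return not (self.bitmap >> diff) & 1    # already seen -> replay

    def update(self, seq: int) -> None:
        """Record an accepted sequence number; call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


@dataclass
class SecurityAssociation:
    """One direction of traffic: SPI, integrity key and the receive window."""
    spi: int
    auth_key: bytes
    window: AntiReplayWindow = field(default_factory=AntiReplayWindow)


def build_esp(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    """SPI (4) | sequence number (4) | payload | ICV over everything before it."""
    body = struct.pack("!II", sa.spi, seq) + payload
    icv = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def receive_esp(sa_db: dict, packet: bytes):
    """Return (payload, "ok") or (None, reason). Order follows RFC 4303:
    SA lookup, replay pre-check, ICV verification, then window update."""
    if len(packet) < 8 + ICV_LEN:
        return None, "truncated"
    spi, seq = struct.unpack_from("!II", packet, 0)
    sa = sa_db.get(spi)
    if sa is None:
        return None, "unknown SPI"
    if not sa.window.check(seq):
        return None, "replayed or stale sequence number"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None, "bad ICV"                  # window untouched: forgeries cannot advance it
    sa.window.update(seq)
    return body[8:], "ok"


# Constructed inbound SA; the peer holds a separate SA for the other direction
INBOUND_SA = SecurityAssociation(spi=0x1001, auth_key=b"constructed-demo-key-not-for-use")
SA_DB = {INBOUND_SA.spi: INBOUND_SA}

if __name__ == "__main__":
    p = build_esp(INBOUND_SA, 1, b"hello")
    print(receive_esp(SA_DB, p))   # accepted
    print(receive_esp(SA_DB, p))   # same packet again: rejected as a replay
```

Doing the replay check before the HMAC keeps a flood of replayed packets cheap to discard, and updating the window only after a successful ICV check means a forged packet with a large sequence number cannot push genuine traffic out of the window.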
SA (Security Association) and IKE (Internet Key Exchange)
- An SA is a group of attributes that uniquely identifies an IPSec data flow (IP addresses, encryption and hash algorithms, SPI and others)
- An SA is one-way: to secure encrypted communication between two parties (nodes) it is necessary to establish two SAs (one for each direction)
- The IKE protocol is used to establish SAs; it exchanges and sets up the attributes of the encrypted connection (each node usually supports more than one encryption mechanism, and choosing the best one supported by both parties is IKE's job)
- IKE communicates over UDP port 500 (usually it is a userspace daemon)
Figures (4 slides): IPSec AH and ESP packet layouts (Source: unixwiz.net)
Example IPSec configuration - CISCO

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key XXXXX address 10.201.0.2
!
crypto ipsec transform-set IPSec_transform ah-sha-hmac esp-aes
!
crypto map CMap 10 ipsec-isakmp
 set peer 10.201.0.2
 set transform-set IPSec_transform
 match address 101
!
interface Ethernet0/0
 ip address 10.201.0.1 255.255.255.0
 crypto map CMap
!
access-list 101 permit ip host 10.201.0.1 host 10.201.0.2
Other tunnels using transport over UDP/TCP/ICMP
- Usually proprietary, non-standardized solutions
- Highly flexible, broadly configurable
- Mainly used for tunneling traffic through a firewall
Examples of other tunnel systems
- VTUN (http://vtun.sourceforge.net/)
  - Transport over UDP or TCP
  - Data encryption and compression possible
  - Allows EoIP (EoUDP and EoTCP) tunnel establishment
- ICMPTX (http://thomer.com/icmptx/)
  - Transport over ICMP
- TINC (http://www.tinc-vpn.org/)
  - Transport over UDP
Coexistence of IPv6 with IPv4 (Source: wiki.nil.com)
- Slow deployment of IPv6: global operators do not support it very much
- Separate IPv6 islands appear that need to be interconnected over the global IPv4 Internet
IPv6 over IPv4 tunneling protocols (Source: Amit's CISCO zone)
- Manually configured ipv6ip tunnel
- Automatic IPv6oIPv4 tunnel: routers tunnel IPv6 addresses in the format 2002:IPV4ADDR::/48
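The automatic 2002:IPV4ADDR::/48 scheme from the slide (the 2002::/16 block is the 6to4 range), as an added Python example (not code from the lecture). It derives the /48 a public IPv4 endpoint owns, recovers the IPv4 tunnel destination from any address inside 2002::/16, and shows how a router picks the outer IPv4 endpoints for a constructed IPv6 packet. Endpoints in the RFC 1918 ranges are refused, since the tunnel destination must be reachable over the IPv4 Internet; all addresses are constructed sample values.

```python
"""Automatic IPv6-over-IPv4 tunnel addressing: the 2002:IPV4ADDR::/48 scheme.

Added example for these lecture slides, not code from the lecture; the
addresses below are constructed sample values.
"""
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prefix_for(ipv4: str):
    """Return the /48 an IPv4 endpoint owns, or None for a non-public endpoint.

    Bits 16..47 of the prefix are the IPv4 address itself, so the prefix for
    192.0.2.4 (c0 00 02 04) is 2002:c000:204::/48.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_loopback or any(v4 in n for n in RFC1918):
        return None   # a private tunnel endpoint is not reachable across the IPv4 Internet
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (int(v4) << 80), 48))


def tunnel_destination(ipv6_dst: str):
    """IPv4 address to encapsulate toward for a 2002:: destination, else None."""
    v6 = ipaddress.IPv6Address(ipv6_dst)
    if v6 not in SIX_TO_FOUR:
        return None   # not an automatic-tunnel address: needs a configured tunnel or relay
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def ipv6_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv6 packet: 40-byte header (next header 59 = none) + payload."""
    header = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return header + payload


def tunnel_endpoints(packet: bytes, local_ipv4: str):
    """Outer (source, destination) IPv4 pair an automatic tunnel router would use,
    or None when the packet's destination is not a 2002:: address."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    dst = ipaddress.IPv6Address(packet[24:40])
    v4 = tunnel_destination(str(dst))
    return None if v4 is None else (local_ipv4, str(v4))


if __name__ == "__main__":
    print(prefix_for("192.0.2.4"))
    pkt = ipv6_packet("2002:c633:6409::1", "2002:c000:204:1::2")
    print(tunnel_endpoints(pkt, "198.51.100.9"))
```

Because the IPv4 endpoint is embedded in the address, no per-peer configuration is needed, unlike the manual ipv6ip tunnel on the next slide where both tunnel source and tunnel destination are typed in by hand.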
Example configuration of an IPv6 over IPv4 tunnel - CISCO

interface Tunnel0
 no ip address
 ipv6 address 2001:db8:5678:1::2/64
 ipv6 enable
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
 tunnel mode ipv6ip
Any questions?