21c3 NOC Overview

Concepts, Implementation and Hardware

Christian Carstensen, Sebastian Werner & The 21c3 NOC Crew

The 21c3 NOC Crew, January 9, 2005

Contents

  • Overview
  • Networking terms
  • Recall 20c3 - Situation
  • Recall 20c3 - Consequences
  • Recall 20c3 - Reasons
  • Solution strategy
  • Special demands
  • Network Services
  • BCC Network Layout - Logical
  • BCC Network Layout - OSPF
  • Hardware
  • Implementation
  • Internet uplink
  • IP Uplink Topology
  • IPSEC Realisation
  • Using and abusing the network
  • Sponsors

Overview

What will we cover:

■ Routing terms explained
■ Recall 20c3
■ Solving the problems
■ Networking requirements
■ BCC network layout as it should be
■ Network layout in reality


Networking terms

■ Layer 2: OSI Data Link Layer, e.g. Ethernet or 802.11a
■ Switch: Layer 2 interconnection device between physical networks
■ Layer 3: OSI Network Layer, e.g. IP or IPX
■ Router: Layer 3 device that connects Layer 2 segments logically
■ Layer 4: OSI Transport Layer, e.g. UDP or TCP
■ LAN: provides physical network connectivity
■ VLAN: divides a LAN into several logical/virtual LANs that share the same physical link
■ Flow based routing: a route lookup is done only for the first packet of a flow; the remaining packets of that flow are switched on Layer 2 by MAC address instead of being routed by IP
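The layer terms above are easiest to see on the wire. The following is an added example, not code from the 21c3 slides or the NOC crew: it builds an 802.1Q-tagged Ethernet/IPv4/UDP frame by hand and decodes it layer by layer, so the VLAN tag (Layer 2), the IP header with its checksum (Layer 3) and the UDP ports (Layer 4) show up as separate fields. The MAC addresses, the VLAN ID 57 and the client address 82.130.1.50 are constructed for the example; only the resolver address 82.130.23.35 comes from the "Network Services" slide.

```python
import struct

# Added example, not code from the 21c3 NOC. The sample frames below are constructed by hand.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(frame: bytes) -> dict:
    """Split a frame into its OSI layers: Ethernet (+ optional 802.1Q tag), IPv4, TCP/UDP."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    layers = {"l2": {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12])}}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        # 802.1Q tag: 16-bit TCI (PCP:3 bits, DEI:1 bit, VID:12 bits) followed by the real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        layers["l2"]["vlan"] = tci & 0x0FFF
        layers["l2"]["pcp"] = tci >> 13
        offset = 18
    layers["l2"]["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IPV4:
        return layers
    ihl = (frame[offset] & 0x0F) * 4
    ip_hdr = frame[offset:offset + ihl]
    layers["l3"] = {
        "src": ip_str(ip_hdr[12:16]),
        "dst": ip_str(ip_hdr[16:20]),
        "ttl": ip_hdr[8],
        "proto": ip_hdr[9],
        "checksum_ok": ipv4_checksum(ip_hdr) == 0,
    }
    offset += ihl
    if ip_hdr[9] in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", frame[offset:offset + 4])
        layers["l4"] = {"proto": "tcp" if ip_hdr[9] == IPPROTO_TCP else "udp",
                        "sport": sport, "dport": dport}
    return layers


def build_udp_frame(vlan, src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Construct an Ethernet/IPv4/UDP frame for the example; vlan=None produces an untagged frame."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src4 = bytes(int(x) for x in src_ip.split("."))
    dst4 = bytes(int(x) for x in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                         IPPROTO_UDP, 0, src4, dst4)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is None:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF, ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


# Constructed sample: a tagged DNS query to the congress resolver 82.130.23.35 (the only real address here).
SAMPLE_TAGGED = build_udp_frame(57, "00:11:22:33:44:55", "00:0a:0b:0c:0d:0e",
                                "82.130.1.50", "82.130.23.35", 40000, 53, b"\x00" * 12)
SAMPLE_UNTAGGED = build_udp_frame(None, "00:11:22:33:44:55", "00:0a:0b:0c:0d:0e",
                                  "82.130.1.50", "82.130.23.35", 40000, 53, b"\x00" * 12)

if __name__ == "__main__":
    for name, frame in (("tagged", SAMPLE_TAGGED), ("untagged", SAMPLE_UNTAGGED)):
        print(name, decode_frame(frame))
```

The tagged frame is exactly four bytes longer than the untagged one; that tag is all a trunk port adds, and it is also all that separates two "logical LANs" on the same cable, which is why the later slides prefer separate physical segments to trunked VLANs.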


Recall 20c3 - Situation

■ New building with unknown problems...
■ About 20 different rooms with specific access profiles
■ 4 floors interconnected through floor D
■ Different network hardware arrived
■ Lack of facility documentation
■ Rogue services (DHCP) and hardware (access points!!)


Recall 20c3 - Consequences

■ Layer 3 networks connected via a Layer 2 backbone
■ 2 routers did all the routing work
■ Initial cabling insufficient
■ WLAN got flaky
■ DHCP became unreliable
■ A lot of extra work


Recall 20c3 - Reasons

■ Many VLANs that got "trunked"
■ Attacks on flow based routing equipment (TCAM full!)
■ Hardware (HP, Foundry) got overloaded
■ Patching cables on undocumented panels is hard
■ Too many nodes in the WLAN and too powerful transceivers
■ Lack of network monitoring
■ Lack of (available) user documentation
■ Finally: fatigued NOC people...


Solution strategy

Keep it simple!

■ Smaller Layer 2 segments (broadcast domains)
■ Avoiding tagged (dot1q) / trunked (ISL) VLANs
■ Routing not on L3 switches but on real full-featured routers
■ Reduced trust in 802.11b (do NOT expect it to work!)
■ Focus on 802.11a
■ Explicit effort to ensure documentation
■ NOC Help Desk


Special demands

■ Entrance needs to be exclusively linked to the Orga area
■ Network jacks for speakers need a highly available uplink
■ WLAN (Soekris) needs dedicated cabling (PoE!)
■ Helpdesk and public terminals should have a highly available uplink
■ Video streams should be privileged
■ Projects need "dynamic VLANing"
■ Wireless mesh needs WLAN channel 10 exclusively
■ Server storage/housing for projects


Network Services

■ Domain Name Service (recursive & authoritative): 82.130.23.35
■ User DNS registration: https://yourname.congress.ccc.de
■ DHCP service: https://yourname.congress.ccc.de
■ IPSEC frontend: https://illuminatheros.congress.ccc.de


BCC Network Layout - Logical

(Network diagram; only its labels survive in this transcript.)

■ Uplinks: Uplink Lützowstr and Uplink BCC (bcc.gate) via a Juniper router; 1000BASE-SX/LX links and one 2 Mbit link are shown
■ Distribution points: C91, A85, B90.01, C57, A87, D57
■ Core switches: d57.core, c57.core, b90.core, a85.core, a87.core, c91.core, trust.core; l2.core for the Layer 2 backbone; a PoE switch for the Soekris WLAN nodes (Soekris A, B, C); an IPSec gateway
■ Server, Video and NOC segments
■ Room and project networks: Blinken, Haecksen, Engel, Lockpick, Workshop, Wikipedia, Art&Beauty, POC, Wireless, Helpdesk, Saal 1, Saal 2, Saal 3, Public B, Public C, CERT, Kasse, INFO, Hackcenter 1, Hackcenter 2, Funk, Orga
■ Legend: uplink network, backbone (Gbit SX trunk), BCC house network, Gbit network, WLAN network, ticket-desk (Kassen) network, patch cabling


BCC Network Layout - OSPF

(OSPF diagram; not preserved in this transcript.)

Hardware

■ Inhouse Internet uplink: Juniper M7i
■ D57 (Core): Cisco Catalyst 6509
■ C57 (Level C): Cisco Catalyst 4507
■ B90 (Level B): Cisco Catalyst 4506
■ A85 (HackCenter 1): Cisco Catalyst 6513
■ A87 (HackCenter 2): Cisco Catalyst 4006
■ Access layer: HP ProCurve 5308xl, Cisco 3750, Cisco 3550, Cisco 4908


Implementation

■ OSPF between core layer devices
■ Multiple gigabit (EtherChannel) interconnects
■ VLAN trunking for access layer devices
■ DHCP forwarding from every VLAN to the DHCP server via 'ip helper-address' (DHCP relay)
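Relaying every VLAN's DHCP through the router gives a simple way to spot the rogue DHCP servers that plagued 20c3 ("Recall 20c3 - Situation"): a reply that came through the relay carries the relay's address in giaddr, while a rogue server on the same VLAN answers directly with giaddr empty, and its server identifier (option 54) is not the congress server. The following is an added example, not code from the 21c3 slides or the NOC crew. It decodes BOOTP/DHCP replies (RFC 2131/2132) and flags replies from untrusted servers, unrelayed replies, or replies that hand out a different default gateway. The DHCP server address 82.130.0.10, the VLAN gateway 82.130.1.1 and both sample replies are constructed for the example; the page gives none of them.

```python
import struct

# Added example, not code from the 21c3 NOC. All addresses and replies below are constructed.
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREPLY = 2
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the DHCP option TLVs that follow the magic cookie."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {"op": op, "xid": xid,
           "yiaddr": ip_str(payload[16:20]), "siaddr": ip_str(payload[20:24]),
           "giaddr": ip_str(payload[24:28]), "chaddr": payload[28:28 + hlen], "options": {}}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def build_reply(xid: int, yiaddr: str, giaddr: str, chaddr: bytes, options: dict) -> bytes:
    """Build a BOOTREPLY (the server side of the exchange) for the constructed test data."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    hdr += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes("0.0.0.0") + ip_bytes(giaddr)
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128) + DHCP_MAGIC
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options.items())
    return hdr + opts + bytes([OPT_END])


def find_rogue_replies(payloads, trusted_servers, expected_router):
    """Flag OFFER/ACK replies that do not match the relayed-DHCP design of the network."""
    alerts = []
    for raw in payloads:
        m = parse_dhcp(raw)
        mtype = m["options"].get(OPT_MSG_TYPE, b"\x00")[0]
        if m["op"] != BOOTREPLY or mtype not in (DHCPOFFER, DHCPACK):
            continue
        server_id = ip_str(m["options"].get(OPT_SERVER_ID, ip_bytes(m["siaddr"])))
        reasons = []
        if server_id not in trusted_servers:
            reasons.append(f"server identifier {server_id} not in trusted list")
        if m["giaddr"] == "0.0.0.0":
            # Assumption from the slide: every VLAN is relayed, so a genuine reply always has giaddr set.
            reasons.append("reply not relayed (giaddr empty) although all DHCP is relayed by design")
        router = m["options"].get(OPT_ROUTER)
        if router is not None and ip_str(router) != expected_router:
            reasons.append(f"offered default gateway {ip_str(router)} differs from {expected_router}")
        if reasons:
            alerts.append({"xid": m["xid"], "client": m["chaddr"].hex(":"),
                           "server": server_id, "reasons": reasons})
    return alerts


CLIENT = bytes.fromhex("001122334455")
TRUSTED = {"82.130.0.10"}   # assumed address of the congress DHCP server (not given on the slides)
GATEWAY = "82.130.1.1"      # assumed router address of this example VLAN
SAMPLES = [
    # legitimate offer: relayed by the VLAN's router (giaddr set), trusted server, correct gateway
    build_reply(0xAB01, "82.130.1.50", GATEWAY, CLIENT,
                {OPT_MSG_TYPE: bytes([DHCPOFFER]), OPT_SERVER_ID: ip_bytes("82.130.0.10"),
                 OPT_ROUTER: ip_bytes(GATEWAY)}),
    # rogue offer from a laptop on the same VLAN: not relayed, unknown server, points clients at itself
    build_reply(0xAB01, "192.168.0.77", "0.0.0.0", CLIENT,
                {OPT_MSG_TYPE: bytes([DHCPOFFER]), OPT_SERVER_ID: ip_bytes("192.168.0.1"),
                 OPT_ROUTER: ip_bytes("192.168.0.1")}),
]


def demo():
    return find_rogue_replies(SAMPLES, TRUSTED, GATEWAY)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Run against a capture of UDP port 68 traffic on a client VLAN, the giaddr check alone separates the two cases; the server-identifier and router checks catch a rogue that has learned to forge giaddr.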


Internet uplink

■ 1000BASE-LX uplink (thanks to Versatel!)
■ Own Autonomous System Number (temp. AS34254)
■ Everyone gets a world-reachable IP (temp. 82.130.0.0/18)
■ 3 Juniper Networks M7i routers
■ Internal BGP (iBGP) between those
■ External BGP sessions from 2 of the routers
■ Native peerings with Interroute21, Cogentco


IP Uplink Topology

(Topology diagram; only its labels survive in this transcript.)

■ Three Juniper M7i gateways: berlin.gate, istanbul.gate, bern.gate (bern.gate attaches to CORE_D)
■ Peers and exchanges shown: DECIX, BCIX, DHOSTING, NETSIGN, IN-Berlin, DFN, Cogentco, Interroute21, Versatel
■ Link types shown: 1000BASE-TX, 1000BASE-SX, 1000BASE-LX, STM-1


IPSEC Realisation

■ IPv4 and IPv6
■ Based on OpenBSD isakmpd
■ X.509 certificate / SSH key based authentication
■ Anonymised users
■ Not platform specific
■ Work in progress


Using and abusing the network

■ Statically add the MAC address of your gateway
■ Have you ever thought about ICMP route redirects?
■ Contact the NOC Helpdesk for network problems: Phone 1234-NONET
■ Spanning tree HAS a purpose - YOU destroy YOUR network!
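The first two points describe the same threat from two angles: on a shared segment any neighbour can answer ARP for the gateway address, and any neighbour can send an ICMP redirect claiming to be the gateway, so a host that accepts either now routes through a stranger. The following is an added example, not code from the 21c3 slides or the NOC crew: it audits untagged Ethernet frames and reports ARP replies that claim the gateway IP with a MAC other than the one you pinned (the address a static ARP entry would hold), plus every ICMP redirect seen. The gateway 82.130.1.1, all MAC addresses and the three sample frames are constructed; ICMP checksums are left zero in the constructed data because the audit does not verify them.

```python
import struct

# Added example, not code from the 21c3 NOC. Addresses and frames below are constructed.
ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
ARP_REPLY = 2
IPPROTO_ICMP, ICMP_REDIRECT = 1, 5


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return b.hex(":")


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet + ARP reply (RFC 826): 'sender_ip is at sender_mac', addressed to the target."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def icmp_redirect(src_mac, src_ip, dst_mac, dst_ip, new_gateway) -> bytes:
    """Ethernet + IPv4 + ICMP redirect-for-host (type 5, code 1) naming new_gateway; checksums left 0."""
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, ip_bytes(new_gateway)) + bytes(28)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4)
    return eth + ip + icmp


def audit_frames(frames, gateway_ip: str, gateway_mac: str):
    """Return (kind, detail) alerts: ARP replies claiming the gateway with a foreign MAC, and ICMP redirects."""
    alerts = []
    for f in frames:
        ethertype = struct.unpack("!H", f[12:14])[0]
        if ethertype == ETH_ARP:
            oper = struct.unpack("!H", f[20:22])[0]
            sha, spa = mac_str(f[22:28]), ip_str(f[28:32])
            if oper == ARP_REPLY and spa == gateway_ip and sha != gateway_mac.lower():
                alerts.append(("arp-spoof", f"{sha} claims gateway {gateway_ip} (pinned {gateway_mac})"))
        elif ethertype == ETH_IPV4:
            ihl = (f[14] & 0x0F) * 4
            if f[23] == IPPROTO_ICMP:
                icmp = f[14 + ihl:]
                if icmp[0] == ICMP_REDIRECT:
                    alerts.append(("icmp-redirect",
                                   f"{ip_str(f[26:30])} asks us to route via {ip_str(icmp[4:8])}"))
    return alerts


GATEWAY_IP, GATEWAY_MAC = "82.130.1.1", "00:0a:0b:0c:0d:0e"   # assumed gateway of this example VLAN
ME_MAC, ME_IP = "00:11:22:33:44:55", "82.130.1.50"             # constructed client
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLES = [
    arp_reply(GATEWAY_MAC, GATEWAY_IP, ME_MAC, ME_IP),              # genuine answer from the gateway
    arp_reply(ATTACKER_MAC, GATEWAY_IP, ME_MAC, ME_IP),             # neighbour poisoning our ARP cache
    icmp_redirect(ATTACKER_MAC, GATEWAY_IP, ME_MAC, ME_IP, "82.130.1.66"),  # forged redirect "from" the gateway
]


def demo():
    return audit_frames(SAMPLES, GATEWAY_IP, GATEWAY_MAC)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

The pinned MAC is the only ground truth the check has, which is exactly why the slide asks you to set it statically rather than learn it from whoever answers first; the redirect check needs no state at all, since a client on a single-gateway VLAN has no legitimate reason to receive one.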


Sponsors

(Sponsor logos are not preserved in this transcript; the categories shown were: Internet routers, backbone routers, routing equipment, switches, upstream connectivity, Internet uplink.)

■ Interroute21 - Upstream connectivity