Leftovers: MPLS, Multicast, Gateways and Firewalls, VPNs
Jean-Yves Le Boudec
Fall 2009
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
Part 1:
The network provides packet transportation only; private networks may want more protection (“access control”).
A firewall separates the Internet from the intranet: all traffic must go through the firewall, and the firewall itself cannot be penetrated.
Firewall components: filtering router; application or transport gateway.
Filtering router: filtering rules are based on port numbers, protocol type, and control bits in the TCP header (e.g. SYN packets).
Example rule set of a filtering router between the intranet and the Internet:

rule  prot  srce addr      dest addr   srce port  dest port  action
1     tcp   *              198.87.9.2  >1023      23         permit
2     tcp   *              198.87.9.3  >1023      25         permit
3     tcp   129.132.100.7  198.87.9.2  >1023      119        permit
4     *     *              *           *          *          deny

The example shows 4 rules applied to the ports shown. Designing the set of rules employed in a firewall is a complex task; the set shown on the picture is much simpler than a real configuration. Packet filtering alone offers little protection because it is difficult to design a safe set of rules and at the same time offer full service to the intranet users.
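The rule table above evaluated the way a filtering router does it, first match wins and the last rule is the catch-all deny. This is an added example, not code from the slides; the sample packets at the bottom are constructed (18.1.2.3 is the source address used later in the MPLS example).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example, not from the slides: first-match evaluation of the four
# filtering rules in the table above. Sample packets below are constructed.


@dataclass(frozen=True)
class Rule:
    number: int
    proto: Optional[str]                    # "tcp", "udp", ... ; None means "*"
    src: Optional[ipaddress.IPv4Network]    # None means "*"
    dst: Optional[ipaddress.IPv4Network]
    sport_min: int                          # ">1023" becomes 1024..65535
    sport_max: int
    dport: Optional[int]                    # None means "*"
    action: str                             # "permit" or "deny"


def parse_rule(number, proto, src, dst, sport, dport, action):
    """Build a Rule from the textual fields of the slide's table."""
    def net(field):
        return None if field == "*" else ipaddress.ip_network(field)
    if sport == "*":
        smin, smax = 0, 65535
    elif sport.startswith(">"):
        smin, smax = int(sport[1:]) + 1, 65535
    else:
        smin = smax = int(sport)
    return Rule(number, None if proto == "*" else proto, net(src), net(dst),
                smin, smax, None if dport == "*" else int(dport), action)


# The table of the slide, in order; rule 4 is the catch-all deny.
RULES = [
    parse_rule(1, "tcp", "*", "198.87.9.2", ">1023", "23", "permit"),
    parse_rule(2, "tcp", "*", "198.87.9.3", ">1023", "25", "permit"),
    parse_rule(3, "tcp", "129.132.100.7", "198.87.9.2", ">1023", "119", "permit"),
    parse_rule(4, "*", "*", "*", "*", "*", "deny"),
]


def matches(rule, proto, src, dst, sport, dport):
    """True when every field of the rule accepts the packet."""
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return False
    if not rule.sport_min <= sport <= rule.sport_max:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def filter_packet(proto, src, dst, sport, dport, rules=RULES):
    """Return (action, rule number) of the first rule that matches the packet.
    If no rule matches at all, deny: a filter must never fall open."""
    for rule in rules:
        if matches(rule, proto, src, dst, sport, dport):
            return rule.action, rule.number
    return "deny", None


if __name__ == "__main__":
    # Constructed packets: telnet to 198.87.9.2 from the Internet, news (119)
    # to 198.87.9.2 from the one permitted host, the same from elsewhere, UDP.
    for pkt in [("tcp", "18.1.2.3", "198.87.9.2", 40000, 23),
                ("tcp", "129.132.100.7", "198.87.9.2", 40000, 119),
                ("tcp", "18.1.2.3", "198.87.9.2", 40000, 119),
                ("udp", "18.1.2.3", "198.87.9.2", 40000, 23)]:
        print(pkt, "->", filter_packet(*pkt))
```

Note that the table has no direction and no TCP-flag column: rule 1 accepts any TCP segment to port 23 whose source port is above 1023, whichever way it travels. Real filters add the SYN/ACK bits mentioned on the slide so that only one side can initiate a connection; that is one reason a safe rule set is hard to write.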
Application layer gateway: normally not used according to the TCP/IP architecture, but mainly used for access control; also used for interworking issues.
Proxy principle: viewed by the client as a server and by the server as a client; supports access control restrictions, authentication, encryption, etc.
Figure (HTTP gateway between intranet host A and Internet server B): (1) A's HTTP client sends GET xxx.. to the gateway; (2) the gateway's HTTP client sends GET xxx.. to B; (3) data from B to the gateway; (4) data from the gateway to A. The gateway logic sits between an HTTP server (facing A) and an HTTP client (facing B), each with its own TCP/IP stack.
The HTTP request from A is first sent to the application layer gateway. This results from the configuration at the client. Then the HTTP request is issued again from the gateway to B as though it were originating from A. The gateway may also check the data, possibly decrypt, or reject the data.
Application layer gateways can be made for all application level protocols. They can be used for access control, but also for interworking, for example between IPv4 and IPv6.
Transport gateway: independent of application code; requires client software to be aware of the gateway.
Figure (transport gateway, SOCKS server, between client A and server B): (1) A opens a TCP connection (SYN, SYN ACK, ACK) to the SOCKS server on port 1080; (2) A sends a connection relay request for B, port 80; (3) the SOCKS server opens a TCP connection (SYN, SYN ACK, ACK) to B:80 and answers “relay OK” to A; (4) A sends GET xxx.. and the data is relayed in both directions.
The transport gateway is a layer 4 intermediate system. The example shows the SOCKS gateway. SOCKS is a standard being defined by the IETF.
The SOCKS server listens on port 1080. The client first opens a TCP connection to the SOCKS server and then sends a connection request containing the destination address (here, B) and port number (here, 80). The SOCKS server does various checks and accepts or rejects the connection request.
The connection from A to the SOCKS server and the connection from the SOCKS server to B are two distinct TCP connections with their own, distinct ack and sequence numbers. Compared to an application layer gateway, the SOCKS server is simpler because it is not involved in application layer data units; after the connection setup phase, it acts on a packet by packet level. Its performance is thus higher. However, it requires the client side to be aware of the gateway: it is not transparent. Netscape and Microsoft browsers support SOCKS gateways.
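What the SOCKS server does with the connection request of step 2 above, as an added example (not code from the slides): it parses the request, applies its checks and answers with an accept or a reject. The message layout is that of SOCKS version 5 (RFC 1928); the intranet prefix 10.0.0.0/8 and the allow-list of destinations are assumptions made for the example.

```python
import ipaddress
import struct

# Added example, not from the slides: the checks a SOCKS server on port 1080
# performs on a CONNECT request before relaying. Format per SOCKS5 (RFC 1928):
#   request: VER CMD RSV ATYP DST.ADDR DST.PORT
#   reply:   VER REP RSV ATYP BND.ADDR BND.PORT
# The intranet prefix and the allow-list are assumptions.

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02          # "connection not allowed by ruleset"
REP_CMD_NOT_SUPPORTED = 0x07

INTRANET = ipaddress.ip_network("10.0.0.0/8")          # assumed client side
ALLOWED = {("198.87.9.2", 80), ("198.87.9.2", 443)}   # assumed destinations


def build_connect_request(host, port):
    """Client side: CONNECT request for an IPv4 host (used to construct sample input)."""
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4])
            + ipaddress.IPv4Address(host).packed + struct.pack("!H", port))


def parse_request(data):
    """Server side: return (cmd, host, port); raise ValueError on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end = data[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return cmd, host, port


def decide(client_ip, data, allowed=ALLOWED):
    """The server's checks: the client must be on the intranet side and the
    (host, port) must be allowed. Returns (reply code, reply bytes). A
    reply of 0 means the server now opens its own TCP connection to B."""
    cmd, host, port = parse_request(data)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_NOT_SUPPORTED
    elif ipaddress.ip_address(client_ip) not in INTRANET or (host, port) not in allowed:
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_SUCCEEDED
    # BND.ADDR/BND.PORT are 0.0.0.0:0 here because no relay socket is opened.
    reply = bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4]) + b"\x00" * 4 + struct.pack("!H", 0)
    return rep, reply


if __name__ == "__main__":
    req = build_connect_request("198.87.9.2", 80)
    print(parse_request(req), decide("10.1.2.3", req))
    print(decide("10.1.2.3", build_connect_request("198.87.9.2", 23)))
```

Every byte of the request is checked before the destination is used: a request with an unknown address type or a truncated port is rejected rather than interpreted, and the client address is part of the decision, so the relay cannot be used from the Internet side.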
Figure: Firewall = gateways + sacrificial subnet. The intranet is connected to the Internet through two routers, R1 and R2, with the sacrificial subnet holding the gateways between them.
Frame Relay, ATM, X.25
Failed in this goal. Used today as “super Ethernet” in IP backbones or at interconnection points. Being replaced by MPLS.
Figure (connection oriented forwarding): switches S1, S2, S3 and S4, each with a table mapping (input port, connection id) to (output port, connection id); the connection identifiers on the links are local to each link.
Connection oriented = similar to telephone. Connections are also called virtual circuits. The connection oriented network layer uses connections that are known and controlled in all intermediate systems. Every packet carries a connection identifier which is either global (SNA) or local to a link (X.25, Frame Relay, ATM). The packet forwarding function is simple, based on table lookup. The control method involves connection setup and release (building tables) and connection routing.
Connection oriented networks usually implement some mechanisms to control the amount of data sent on one connection, thus limiting losses due to statistical [...] SNA), and rate control (Frame Relay, ATM). Connection oriented networks give better control over individual traffic flows and are thus used in public networks where tariffing is a key issue (X.25, Frame Relay). IBM network architectures are also connection oriented (SNA, APPN). ATM is a connection [...] non-statistical multiplexing. ATM packets have a small, fixed size and are called cells.
ATM: high performance at low cost; designed for very low delay and for hardware implementation of switching functions.
Figure (AAL5): variable length packets are segmented into cells by AAL5 in the ATM adapter of the sending end point, carried through the ATM switches as cells, and reassembled by AAL5 in the ATM adapter of the receiving end point; AAL5 is present in ATM end points only.
ATM address: like a telephone number, similar to an IPv6 address --- not a VPI/VCI.
ARP Server (Address Resolution): an ATMARP server S is used. H1 sends an ATMARP request to S; S responds with the ATM address of H2. H1 calls H2. When an ATM connection is established, InARP is used to confirm the IP addresses.
IP needs very large routing tables in the core network: for every packet, look up more than 100 000 entries. Forwarding from the ISP point of view: just find the egress router.
IP routing may ignore the real physical topology.
An ISP can put a router on the edge and use ATM/Frame Relay Virtual Path switches in the middle; the edge router selects the path based on the destination address. The route lookup is done only once in the ISP network, but there are still scalability problems.
ATM can natively provide guaranteed service (allocate different rates to different ATM connections). Used to share infrastructure (several operators or one network – virtual providers). Also used to multiplex many users on an access network (cable, wireless).
Figure: IP compared with IP over MPLS.
Figure (MPLS example): the tables of the nodes in the MPLS cloud and two packets crossing it. Entries read “in port/label → out port/label”; “pop” means the label is removed.
Ingress table at B (src, dst → out port/label to push): * 129.88/16 → b/28; * 128.178/15 → b/28; 18/8 129.88/16 → b/30.
Ingress table of the other edge node (src, dst → out port/label to push): * 128.178/15 → b/70; * 129.88/16 → b/70.
Node C: a/70 → b/25; d/28 → b/25; d/30 → c/33.
LSR reached from C’s port c: a/33 → b/37.
LSR reached from C’s port b: a/25 → b/77.
Node F: a/77 → b/pop; c/37 → b/pop.
The packet with src = 18.1.2.3 and dst = 129.88.3.3 carries labels 30, 33 and 37 along its path; the packet with src = 122.1.2.3 and dst = 129.88.38.1 carries labels 28, 25 and 77. Destinations 129.88/16 and 128.178/15 lie outside the cloud.
1. An IP packet arrives, at MPLS node B, with source IP address 18.1.2.3 and destination IP address 129.88.3.3. It arrives from outside the MPLS cloud, as an ordinary IP packet. The combined routing/MPLS table at B says that, for this combination of source and destination address, B should push the label 30 in front of the IP packet and forward the packet to port b.
2. The packet arrives at node C. Since the packet has a label, the node looks for it in the table and finds that the label should be swapped to 33 and the packet forwarded to port c.
3. Similar.
4. The packet arrives at node F. The table says that a packet arriving on port c with label 37 should be sent to port b and the label should be popped (removed).
5. The packet exits as an ordinary IP packet, without MPLS label.
6. An IP packet arrives, at MPLS node B, with source IP address 122.1.2.3 and destination IP address 129.88.38.1. It arrives from outside the MPLS cloud, as an ordinary IP packet. The combined routing/MPLS table at B says that, for this combination of source and destination address, B should push the label 28 in front of the IP packet and forward the packet to port b.
7. The packet arrives at node C. Since the packet has a label, the node looks for it in the table and finds that the label should be swapped to 77 and the packet forwarded to port b.
8. The packet’s label was removed by node F.
9. Observe how after node C this packet’s path follows the same path as the previous packet’s.
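The label switching of this example and of the connection oriented forwarding slide (table lookup on a link-local identifier, identifier rewritten at every hop) as runnable code: an added example, not code from the slides. Node names B, C and F are those of the notes; D and E are assumed names for the two other LSRs, and the links between nodes are inferred from the port letters in the tables. The 32-bit label entry layout is the standard MPLS shim header.

```python
import ipaddress

# Added example, not from the slides: the label tables drawn on the slide,
# and the two packets of the notes traced through them. B, C, F are named in
# the notes; D and E are assumed names; links are inferred from port letters.


def to_net(prefix):
    """'129.88/16' -> IPv4Network 129.88.0.0/16; '*' -> None (wildcard)."""
    if prefix == "*":
        return None
    addr, length = prefix.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + length, strict=False)


# Ingress table at B: (src prefix, dst prefix) -> (out port, label to push).
INGRESS_B = [
    ("*", "129.88/16", ("b", 28)),
    ("*", "128.178/15", ("b", 28)),
    ("18/8", "129.88/16", ("b", 30)),
]

# Label tables: (in port, in label) -> (out port, new label or "pop").
LABEL_TABLES = {
    "C": {("a", 70): ("b", 25), ("d", 28): ("b", 25), ("d", 30): ("c", 33)},
    "D": {("a", 25): ("b", 77)},                      # assumed name
    "E": {("a", 33): ("b", 37)},                      # assumed name
    "F": {("a", 77): ("b", "pop"), ("c", 37): ("b", "pop")},
}

# Links (node, out port) -> (next node, in port), inferred from the tables.
LINKS = {("B", "b"): ("C", "d"), ("C", "b"): ("D", "a"), ("C", "c"): ("E", "a"),
         ("D", "b"): ("F", "a"), ("E", "b"): ("F", "c"), ("F", "b"): ("exit", None)}


def ingress_lookup(src, dst, table=INGRESS_B):
    """FEC classification: the most specific matching entry (longest src+dst prefix) wins."""
    best, best_len = None, -1
    for s, d, out in table:
        sn, dn = to_net(s), to_net(d)
        if sn is not None and ipaddress.ip_address(src) not in sn:
            continue
        if dn is not None and ipaddress.ip_address(dst) not in dn:
            continue
        length = (sn.prefixlen if sn else 0) + (dn.prefixlen if dn else 0)
        if length > best_len:
            best, best_len = out, length
    return best


def mpls_shim(label, ttl, bottom=True, tc=0):
    """The 32-bit label entry: 20-bit label, 3-bit TC, bottom-of-stack bit, 8-bit TTL."""
    return ((label << 12) | (tc << 9) | (int(bottom) << 8) | ttl).to_bytes(4, "big")


def forward(src, dst):
    """Trace an IP packet entering the cloud at B. Returns the list of
    (node, operation, label) and the label left on the packet at exit."""
    entry = ingress_lookup(src, dst)
    if entry is None:
        raise LookupError("no FEC for %s -> %s" % (src, dst))
    out_port, label = entry
    trace = [("B", "push", label)]
    node, in_port = LINKS[("B", out_port)]
    while node != "exit":
        out_port, action = LABEL_TABLES[node][(in_port, label)]   # pure table lookup
        if action == "pop":
            trace.append((node, "pop", label))
            label = None
        else:
            trace.append((node, "swap", action))
            label = action
        node, in_port = LINKS[(node, out_port)]
    return trace, label


if __name__ == "__main__":
    print(forward("18.1.2.3", "129.88.3.3"))
    print(forward("122.1.2.3", "129.88.38.1"))
    print(mpls_shim(30, ttl=64).hex())
```

Following the tables as drawn, C swaps label 28 to 25 and the next LSR swaps 25 to 77 (the notes summarise this as C swapping to 77); both 28 and 70 map to 25 at C, i.e. two ingress FECs merge onto one label. The ingress lookup is the only place an IP address is examined; every other hop works on (in port, label) alone, as the slide on connection oriented forwarding describes.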
Figure (MPLS terminology): the ingress LER (Label Edge Router) classifies packets into FECs (Forward Equivalence Classes), here 129.88/16 and 128.178/15, with a table such as: src * dst 128.178/15 → out b/70; src 18/8 dst 129.88/16 → out b/28 (the FEC - label mapping). The LSRs (Label Switch Routers) forward on labels using their LIB (Label Information Base), e.g. FEC xxx: in a/70 → out b/25; FEC yyy: in c/28 → out d/33. The egress LER removes the label. The path followed through the LSRs is an LSP (Label Switched Path).
The ingress LER classifies packets to identify the FEC, which determines a label; it inserts the label (32 bits). Labels may be stacked on top of labels.
An LSR switches based on the label if present, else uses IP routing.
Forwarding Equivalence Classes (FEC): a group of IP packets, forwarded in the same manner, over the same path, and with the same forwarding treatment (priority). A FEC may correspond to a destination IP subnet, a source and destination IP subnet, or a traffic class that the LER considers significant.
Label Switching tables can be built using a Label Distribution Protocol, which can be implemented as an addition to the routing protocol (e.g. OSPF, IGMP, BGP).
Figure: AS x, AS y and AS z connected by E-BGP; routers R4, R1, R2, R5 and R6 run an IGP and MPLS, with I-BGP between border routers; destination 18.1/16.
Alternative to redistribution or running I-BGP in all backbone routers: associate MPLS labels to exit points. Example: R2 creates a label switched path to 2.2.2.2. At R2, packets to 18.1/16 are associated with this label. R1 runs only IGP and MPLS – no BGP – only very small routing tables. Can be used to provide quality of service.
Routing table entry: to 18.1/16, NEXT-HOP 2.2.2.2, layer-2 addr = MPLS label 23.
Labels have only local significance, may be changed at every hop.
Motivating example (notice from Radio France, translated from French): “Listening time is now limited: without any action on your part (a simple click), the stream stops after a time determined according to the [...] impose a cost that depends on the duration and on the number of listeners. Several indications show us that Internet users with unlimited Internet access do not stop listening when they leave their computer switched on. Radio France cannot continue to pay for someone who is not listening [...] somewhat constraining, but which allows us to better control broadcasting costs.”
Stream address shown: http://viphttp.yacast.net/V4/radi [...] rance/fip_bd.m3u
Multicast: 1 → n as well as n → m.
IPv4 multicast addresses: 224/4, i.e. 224.0.0.0 to 239.255.255.255; 232/8 reserved for SSM (see later). IPv6: FF00::/8.
A multicast address carries no topological information: it does not give any information about where the destinations (listeners) are. Routers have to keep state information for each multicast address.
Figure: multicast group 225.1.2.3 with host 1 (194.199.25.100) as source and host 2 (194.199.25.101) and host 3 (133.121.11.22) as receivers.
Any host may belong to a multicast group: no authorization required.
A host may belong to many different groups: no restriction.
A source may send a packet to a group no matter if it belongs to the group or not: membership not required.
The group is dynamic: a host may subscribe or leave at any time.
A host (source/receiver) does not know the identity of group members.
Scoping: use TTL: LAN (local scope), campus/admin scoping.
Hosts subscribe via IGMP join messages sent to the router; routers build the distribution tree via multicast routing; sources do not know who the destinations are; packet multiplication is done by routers.
1 S sends packets to multicast address m; there is no member, the data is simply lost at router R5. 2 A joins the multicast address m. 3 R1 informs the rest of the network that m has a member at R1; the multicast routing protocol builds a tree. Data sent by S now reach A. 4 B joins the multicast address m. 5 R4 informs the rest of the network that m has a member at R4; the multicast routing protocol adds branches to the [...] and B.
Figure (multicast routing): source S attached to R5, receivers A at R1 and B at R4, router R2 in between; steps 1 to 5 as above, with IGMP “join m” messages from A and B.
Sending is the same as sending a packet to a unicast address. To receive, the host joins the group with setsockopt (the slide's code, completed with the declarations and includes it needs):

    struct ip_mreq {                     /* as defined in <netinet/in.h> */
        struct in_addr imr_multiaddr;    /* IP multicast address of group */
        struct in_addr imr_interface;    /* local IP address of interface */
    };

    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>

    int sd = socket(AF_INET, SOCK_DGRAM, 0);              /* UDP socket */
    struct ip_mreq mreq;
    mreq.imr_multiaddr.s_addr = inet_addr("225.1.2.3");   /* group address */
    mreq.imr_interface.s_addr = htonl(INADDR_ANY);        /* any local interface */
    int rc = setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *) &mreq, sizeof(mreq));

IN_MULTICAST(a) tests whether a is a multicast address.
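The address ranges of the multicast addressing slide (224/4, 232/8 for SSM, FF00::/8 and FF3X:: for IPv6) and the ip_mreq structure of the socket API above, as an added example that is not code from the slides. The IN_MULTICAST test is reproduced bit for bit, the ip_mreq bytes are laid out exactly as the C struct, and the IPv6 SSM check here looks only at the FF3X prefix. Sample addresses are constructed, except 225.1.2.3 and 194.199.25.100, which are taken from the slides.

```python
import ipaddress
import socket
import struct

# Added example, not from the slides: range checks for multicast addresses
# and the ip_mreq structure built byte for byte as struct ip_mreq lays it out.

IPV4_MULTICAST = ipaddress.ip_network("224.0.0.0/4")
IPV4_SSM = ipaddress.ip_network("232.0.0.0/8")
IPV6_MULTICAST = ipaddress.ip_network("ff00::/8")
IPV6_SSM_PREFIX = ipaddress.ip_network("ff30::/12")   # all FF3X:: addresses


def in_multicast(a):
    """Python version of the C macro IN_MULTICAST(a): the top four bits are 1110."""
    return (int(ipaddress.IPv4Address(a)) >> 28) == 0xE


def classify(a):
    """Name the range an address falls in, as a host or router must know to treat it."""
    addr = ipaddress.ip_address(a)
    if addr.version == 4:
        if addr in IPV4_SSM:
            return "ipv4 ssm (232/8)"
        if addr in IPV4_MULTICAST:
            return "ipv4 multicast (224/4)"
        return "unicast"
    if addr in IPV6_SSM_PREFIX:
        return "ipv6 ssm (FF3X::)"
    if addr in IPV6_MULTICAST:
        return "ipv6 multicast (FF00::/8)"
    return "unicast"


def ip_mreq(group, interface="0.0.0.0"):
    """struct ip_mreq { struct in_addr imr_multiaddr; struct in_addr imr_interface; }:
    two 4-byte network-order addresses; 0.0.0.0 lets the kernel pick the interface."""
    if not in_multicast(group):
        raise ValueError("%s is not a multicast address" % group)
    return struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(interface))


def join_group(sd, group, interface="0.0.0.0"):
    """setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq, sizeof(mreq)) on a UDP
    socket; the kernel then sends the IGMP join for the group on that interface."""
    sd.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, ip_mreq(group, interface))


if __name__ == "__main__":
    for a in ["225.1.2.3", "232.1.1.1", "194.199.25.100", "ff02::1", "ff3e::8000:1"]:
        print(a, "->", classify(a))
    print(ip_mreq("225.1.2.3").hex())   # group followed by interface, 8 bytes
```

Rejecting a unicast address before the setsockopt call is worth doing in application code: the kernel would refuse the join anyway, but a clear error at the point of configuration is easier to act on than a generic failure of setsockopt.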
With any-source multicast, the network (multicast routing) must find all sources and route from them. A proposed alternative called SSM (Source Specific Multicast): a multicast group is a channel identified by {@source, @multicast}; single-source model; {S, M} and {S’, M} are disjoint.
Destinations have to find who the sources are, not the network: the host must learn the source address out of band (Web page).
n → m is still possible with many 1 → n channels; this requires source selection (host-to-router source and group request): the Include-Source list of IGMPv3, or of MLD (Multicast Listener Discovery for IPv6), the replacement of IGMP for IPv6.
IANA assigned 232/8 and FF3X::/96.
PIM: JOIN (A, G) announced with IGMP; PIM JOIN (A,G); channel (A, G) built between source and receiver.
The router keeps (S, G) state for each source S and each multicast group address G. The tree is built by using unicast routing tables towards the source: PIM-JOIN messages are sent from one router to the upstream neighbour. There is no path computation algorithm; it relies on the routing tables built by unicast routing protocols.
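The tree building just described (and the numbered steps of the IGMP slide above: data lost at R5 while there is no member, branches added as A and B join) as a small simulation, an added example rather than code from the slides. Routers and hosts are named as in the slides' figure (S at R5, A at R1, B at R4); the links between the routers are an assumption, and the unicast routing table is computed by hop count over those links.

```python
from collections import deque

# Added example, not from the slides: PIM-style (S, G) state built from IGMP
# joins, with the PIM JOIN propagated hop by hop towards the source using the
# unicast routing table (RPF). Router names follow the slides; links assumed.

ADJACENCY = {"R5": ["R2"], "R2": ["R5", "R1", "R4"], "R1": ["R2"], "R4": ["R2"]}
HOST_ROUTER = {"S": "R5", "A": "R1", "B": "R4"}


class MulticastDomain:
    def __init__(self, adjacency, host_router):
        self.adj = adjacency
        self.host_router = host_router
        # per router: (S, G) -> set of downstream interfaces (a router or a host)
        self.state = {r: {} for r in adjacency}
        self.messages = []                   # PIM messages, for inspection

    def next_hop_toward(self, router, target):
        """Unicast routing table lookup (shortest path by hop count): the
        upstream neighbour through which `router` reaches `target`."""
        prev = {router: None}
        queue = deque([router])
        while queue:
            r = queue.popleft()
            if r == target:
                break
            for n in self.adj[r]:
                if n not in prev:
                    prev[n] = r
                    queue.append(n)
        n = target
        while prev[n] != router:
            n = prev[n]
        return n

    def igmp_join(self, host, source, group):
        """IGMPv3 join for channel (source, group) from `host` to its router."""
        self._pim_join(self.host_router[host], host, (source, group))

    def _pim_join(self, router, downstream, sg):
        oifs = self.state[router].setdefault(sg, set())
        if oifs:
            oifs.add(downstream)             # tree already passes here: add a branch
            return
        oifs.add(downstream)
        source_router = self.host_router[sg[0]]
        if router != source_router:          # propagate the PIM JOIN towards the source
            upstream = self.next_hop_toward(router, source_router)
            self.messages.append(("PIM-JOIN", router, upstream, sg))
            self._pim_join(upstream, router, sg)

    def igmp_leave(self, host, source, group):
        self._pim_prune(self.host_router[host], host, (source, group))

    def _pim_prune(self, router, downstream, sg):
        oifs = self.state[router].get(sg, set())
        oifs.discard(downstream)
        if not oifs and sg in self.state[router]:   # last branch gone: prune upstream
            del self.state[router][sg]
            source_router = self.host_router[sg[0]]
            if router != source_router:
                upstream = self.next_hop_toward(router, source_router)
                self.messages.append(("PIM-PRUNE", router, upstream, sg))
                self._pim_prune(upstream, router, sg)

    def send(self, source, group):
        """Deliver one packet from `source` on channel (source, group); return
        (receivers reached, number of copies transmitted on links)."""
        delivered, copies = [], 0

        def fwd(router):
            nonlocal copies
            for oif in self.state[router].get((source, group), ()):
                copies += 1                  # replication happens at the router
                if oif in self.host_router:
                    delivered.append(oif)
                else:
                    fwd(oif)
        fwd(self.host_router[source])
        return sorted(delivered), copies


def demo():
    """Steps 1 to 5 of the IGMP slide; returns the domain and the outcome of each send."""
    d = MulticastDomain(ADJACENCY, HOST_ROUTER)
    results = [d.send("S", "m")]             # step 1: no member, lost at R5
    d.igmp_join("A", "S", "m")               # steps 2-3
    results.append(d.send("S", "m"))
    d.igmp_join("B", "S", "m")               # steps 4-5
    results.append(d.send("S", "m"))
    return d, results


if __name__ == "__main__":
    d, results = demo()
    print(results, d.messages)
```

After both joins the packet is carried once on the R5-R2 link and duplicated at R2, five transmissions for two receivers where two unicast copies would have needed six; the (S, G) entry at R2 is the only state that makes this possible, which is the "stateful routers" point of the summary slide.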
IP multicast is implemented on research networks (Switch, Geant, etc). Also used by specific environments (e.g. financial). Not generally available (yet) to the general public in its general form. SSM multicast deployments are starting. Tunneling can be used to connect a non multicast capable network to a multicast capable one (MBONE): within a multicast area, native multicast; in a tunnel, multicast packets are encapsulated in unicast IP packets.
Figure (multicast tunnel): the source's packet (IP dest = mcast, payload) travels through multicast routers to R1, which encapsulates it in an IP packet with dest = adr_R2 (the unicast address of R2); unicast-only routers carry it to R2, which decapsulates it and forwards the original multicast packet towards the receiver.
Application layer multicast: on a network offering no IP multicast support (today’s internet). Examples: content distribution networks.
Summary: IP multicast allows to reduce traffic by controlled packet replication. Multicast routers are “stateful”. Initial multicast allows any source to send to a multicast address; routing is complex. Application layer multicast can be used even without IP multicast. Multicast IP does not work with TCP; ad-hoc “reliable multicast” protocols were developed.
ssh, IPSEC and VPNs
First look at the configuration without SSH: the email user agent connects to the POP server. 110 is the TCP port reserved for POP; 9876 is an ephemeral port allocated to the email user agent by the operating system.
Assume A wants to use SSH to connect to the mail server S, using POP.
Q1: Why would A want this? A1: to make sure that email between A and S is encrypted. Or because S is behind a firewall that does not accept TCP connections to ports other than ssh.
Q2: describe the content of a packet from A to B visible at point 1. A2: contains an encrypted block of data inside a TCP packet with srce port=22, dest port=3456, IP srce=A, IP dest=S.
Solution in detail: sshd is the ssh “daemon”, i.e. the ssh server. It runs on S in this example. sshd listens on the well known port 22, reserved for ssh. The user at A starts an ssh connection to S by launching the ssh client. The ssh client opens a TCP connection from port 3456 to S, destination port 22. A can talk to S over this TCP connection (for example, the user at A can issue commands on S). Port redirection: ssh at A opens a server port 1234. All packets received by ssh at A on port 1234 from localhost (green line) are sent to S, received by sshd at S, and sent again to S locally, to port 22. The user must decide which port on A is redirected to which port on S. The mapping so constructed is called an “SSH tunnel”. The email user agent at A must be instructed to connect to a POP server at IP address = localhost and server port number = 1234. The traffic on the red TCP connection between A and S is encrypted. Different connections (called “channels”) can be multiplexed on one single TCP connection between A and S. ssh implements a sliding window protocol on top of TCP, with fixed window size, one window per channel.
This is only one specific example; there are many other possibilities. This example is redirection of a local port (ssh on A redirects the port 1234 on A to 110 on S). It is possible to redirect a remote port as well, and UDP traffic can be redirected as well.
SSH channels: multiple channels multiplexed into a single connection at the ssh-trans level; channels identified by numbers on each end; channels are flow-controlled: window size = amount of data to send.
Figure (exchange between ssh and sshd): CHANNEL_OPEN (id, w); CHANNEL_CONFIRM (id, w); CHANNEL_DATA (id); CHANNEL_WINDOW (id, w1).
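The per-channel window of the exchange above, modelled for one side of the connection: an added example, not code from the slides, using the slide's message names. For each channel the sender keeps the window the peer granted, sends CHANNEL_DATA only within it and queues the rest until a CHANNEL_WINDOW (id, w1) arrives; on the receiving side it checks that the peer never exceeds the window it was given. Window sizes are constructed.

```python
# Added example, not from the slides: several channels on one TCP connection,
# each with its own window (CHANNEL_OPEN / CHANNEL_CONFIRM / CHANNEL_DATA /
# CHANNEL_WINDOW as on the slide). Sizes in the demo are constructed.


class Channel:
    def __init__(self, cid, local_window):
        self.cid = cid
        self.send_window = 0              # bytes the peer lets us send (set by CHANNEL_CONFIRM)
        self.pending = b""                # data waiting for window
        self.sent = b""                   # data actually put on the wire
        self.recv_window = local_window   # bytes we let the peer send to us
        self.received = b""


class SshConnection:
    """All channels share one TCP connection; `wire` lists the messages on it."""

    def __init__(self):
        self.channels = {}
        self.wire = []

    def channel_open(self, cid, local_window):
        """CHANNEL_OPEN (id, w): w is the window we grant the peer on this channel."""
        self.channels[cid] = Channel(cid, local_window)
        self.wire.append(("CHANNEL_OPEN", cid, local_window))

    def channel_confirm(self, cid, peer_window):
        """Peer's CHANNEL_CONFIRM (id, w): w is the window we may send into."""
        ch = self.channels[cid]
        ch.send_window = peer_window
        self.wire.append(("CHANNEL_CONFIRM", cid, peer_window))
        return self._flush(ch)

    def send(self, cid, data):
        """Queue data on a channel; returns how many bytes went out now."""
        ch = self.channels[cid]
        ch.pending += data
        return self._flush(ch)

    def _flush(self, ch):
        n = min(ch.send_window, len(ch.pending))   # never beyond the granted window
        if n > 0:
            ch.sent += ch.pending[:n]
            ch.pending = ch.pending[n:]
            ch.send_window -= n
            self.wire.append(("CHANNEL_DATA", ch.cid, n))
        return n

    def peer_window_adjust(self, cid, w1):
        """Peer's CHANNEL_WINDOW (id, w1): it consumed data and grants w1 more bytes."""
        ch = self.channels[cid]
        ch.send_window += w1
        self.wire.append(("CHANNEL_WINDOW", cid, w1))
        return self._flush(ch)

    def receive(self, cid, data):
        """Incoming CHANNEL_DATA: data beyond the window we granted is a protocol error."""
        ch = self.channels[cid]
        if len(data) > ch.recv_window:
            raise ValueError("channel %d: peer exceeded its window" % cid)
        ch.recv_window -= len(data)
        ch.received += data

    def consume(self, cid, n):
        """The application read n bytes: grant them back with CHANNEL_WINDOW."""
        ch = self.channels[cid]
        ch.recv_window += n
        self.wire.append(("CHANNEL_WINDOW", cid, n))
        return ch.recv_window


if __name__ == "__main__":
    c = SshConnection()
    c.channel_open(0, 16)
    c.channel_confirm(0, 8)
    print(c.send(0, b"x" * 10), c.channels[0].pending)   # 8 sent, 2 queued
    print(c.peer_window_adjust(0, 4))                      # the 2 queued bytes go out
    print(c.wire)
```

Because the window is per channel, a stalled channel (a POP session whose client stopped reading) blocks only its own data; the TCP connection and the other channels keep flowing. Enforcing the window on receipt matters as well: a peer that ignores it could otherwise force unbounded buffering.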
IPSEC: example: WLAN access to the EPFL network; example: video player to screen. Authentication (AH header). Host to host mode also exists. Basic building block for VPN.
Figure (tunnel mode encapsulation): the original packet (IP hdr, IP data) becomes (IP hdr, ESP hdr, IP hdr, IP data): a new outer IP header and an ESP header are placed in front of the original packet.
Configuration displayed on the VPN client (Windows ipconfig output):

Ethernet adapter Wireless Network Connection:
    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.1.33
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
Ethernet adapter Local Area Connection 2:
    Connection-specific DNS Suffix . : epfl.ch
    IP Address. . . . . . . . . . . . : 128.178.83.22
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 128.178.83.22
128.178.83.0/24 (the subnet of the second adapter above) is an EPFL subnet. The VPN router belongs to it.
IP packets are generated by applications at A with source address 128.178.83.22, encrypted and encapsulated in IP packets with source address 192.168.1.33. This is a tunnel (= there is encapsulation). At the end of the tunnel, the VPN router decrypts the packets, and places them on the EPFL network with the EPFL address 128.178.83.22.
The VPN router must perform proxy ARP – otherwise, same as access over a modem (see slide « Proxy ARP »).
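Encapsulation and decapsulation with a checked IPv4 header, covering both tunnels of these slides: the multicast packet carried inside a unicast packet to R2 (multicast tunnel slide) and A's packet from its EPFL address 128.178.83.22 carried inside a packet from its wireless address 192.168.1.33 to the VPN router. This is an added example, not code from the slides. The addresses of R1, R2, the VPN router and the destination inside EPFL are constructed, and the ESP header and the encryption of the VPN case are left out: only the encapsulation itself is shown, with protocol 4 (IP-in-IP) for both tunnels.

```python
import ipaddress
import struct

# Added example, not from the slides: IP-in-IP encapsulation with a correct
# and verified header checksum. R1/R2, VPN router and intranet destination
# addresses are constructed; the ESP header and encryption are not shown.

PROTO_IPIP, PROTO_UDP = 4, 17


def checksum(data):
    """Internet checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def parse_ipv4(packet):
    """Return header fields and payload; reject bad version, checksum or length."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:          # a valid header sums to all ones
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet):
        raise ValueError("truncated packet")
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "proto": packet[9],
            "payload": packet[ihl:total_len]}


def encapsulate(inner, outer_src, outer_dst):
    """Tunnel entry: the whole inner packet becomes the payload of a new IP packet."""
    return ipv4_header(outer_src, outer_dst, PROTO_IPIP, len(inner)) + inner


def decapsulate(outer, expected_dst):
    """Tunnel exit: unwrap only packets addressed to this end and carrying IP-in-IP."""
    h = parse_ipv4(outer)
    if h["dst"] != expected_dst or h["proto"] != PROTO_IPIP:
        raise ValueError("not a tunnel packet for %s" % expected_dst)
    return h["payload"]


def multicast_tunnel_demo():
    """R1 encapsulates the source's multicast packet for R2 (R1, R2 addresses constructed)."""
    payload = b"stream data"                               # constructed
    inner = ipv4_header("194.199.25.100", "225.1.2.3", PROTO_UDP, len(payload)) + payload
    outer = encapsulate(inner, "10.0.0.1", "10.0.0.2")     # adr_R1 -> adr_R2
    return parse_ipv4(outer), parse_ipv4(decapsulate(outer, "10.0.0.2"))


def vpn_tunnel_demo():
    """A's packet from its EPFL address, carried from its wireless address to the
    VPN router (router and intranet destination addresses constructed)."""
    payload = b"to the intranet"
    inner = ipv4_header("128.178.83.22", "128.178.50.1", PROTO_UDP, len(payload)) + payload
    outer = encapsulate(inner, "192.168.1.33", "128.178.83.1")
    return parse_ipv4(outer), parse_ipv4(decapsulate(outer, "128.178.83.1"))


if __name__ == "__main__":
    for outer, inner in (multicast_tunnel_demo(), vpn_tunnel_demo()):
        print("outer", outer["src"], "->", outer["dst"], "proto", outer["proto"])
        print("inner", inner["src"], "->", inner["dst"], inner["payload"])
```

The unicast-only routers between R1 and R2, and the wireless network between A and the VPN router, see only the outer header; the multicast destination and the EPFL source address travel inside. The exit check on the outer destination and protocol is what keeps a tunnel endpoint from unwrapping packets that were never meant for it.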