VLAN und MPLS, Firewall und NAT, Wiederholung
Transcription
VLAN und MPLS, Firewall und NAT, Wiederholung
Internet-Technologien (CS262) VLAN und MPLS, Firewall und NAT, 15.4.2015 Christian Tschudin 6-1 Departement Mathematik und Informatik, Universität Basel Wiederholung Unterschied CSMA/CD und CSMA/CA? Was ist das «Hidden Terminal» Problem? In dieser Vorlesung: Zwei (LAN-)Virtualisierungstechniken (VLAN, MPLS) NAT und Firewall Wireless, Mobile Networks 6-2 VLANs: motivation consider: Computer Science Electrical Engineering VLANs Virtual Local Area Network switch(es) supporting VLAN capabilities can be configured to define multiple virtual LANS over single physical LAN infrastructure. Computer Engineering CS user moves office to EE, but wants connect to CS switch? single broadcast domain: all layer-2 broadcast traffic (ARP, DHCP, unknown location of destination MAC address) must cross entire LAN security/privacy, efficiency issues Link Layer 5-3 port-based VLAN: switch ports grouped (by switch management software) so that single physical switch …… 1 7 9 15 2 8 10 16 … … Electrical Engineering (VLAN ports 1-8) Computer Science (VLAN ports 9-15) … operates as multiple virtual switches 1 7 9 15 2 8 10 16 … Electrical Engineering (VLAN ports 1-8) … Computer Science (VLAN ports 9-16) Link Layer 5-4 Port-based VLAN router traffic isolation: frames to/from ports 1-8 can only reach ports 1-8 can also define VLAN based on MAC addresses of endpoints, rather than switch port dynamic membership: ports can be dynamically assigned among VLANs 1 7 9 15 2 8 10 16 … … Computer Science (VLAN ports 9-15) Electrical Engineering (VLAN ports 1-8) forwarding between VLANS: done via routing (just as with separate switches) in practice vendors sell combined switches plus routers Link Layer 5-5 VLANS spanning multiple switches 1 7 9 15 1 3 5 7 2 8 10 16 2 4 6 8 … Electrical Engineering (VLAN ports 1-8) … Computer Science (VLAN ports 9-15) Ports 2,3,5 belong to EE VLAN Ports 4,6,7,8 belong to CS VLAN trunk port: carries frames between VLANS defined over multiple physical switches frames forwarded within VLAN between switches can’t be vanilla 802.1 frames (must carry VLAN ID info) 802.1q protocol adds/removed additional header fields for frames forwarded between trunk ports Link Layer 5-6 802.1Q VLAN frame format type preamble dest. address source address data (payload) CRC 802.1 frame type preamble dest. address source address data (payload) 2-byte Tag Protocol Identifier (value: 81-00) CRC 802.1Q frame Recomputed CRC Tag Control Information (12 bit VLAN ID field, 3 bit priority field like IP TOS) Link Layer 5-7 Link layer, LANs: outline 5.1 introduction, services 5.5 link virtualization: MPLS 5.2 error detection, correction 5.6 data center networking 5.3 multiple access protocols 5.7 a day in the life of a web request 5.4 LANs addressing, ARP Ethernet switches VLANS Link Layer 5-8 Multiprotocol label switching (MPLS) initial goal: high-speed IP forwarding using fixed length label (instead of IP address) fast lookup using fixed length identifier (rather than shortest prefix matching) borrowing ideas from Virtual Circuit (VC) approach but IP datagram still keeps IP address! PPP or Ethernet header MPLS header label 20 IP header remainder of link-layer frame Exp S TTL 3 1 5 Link Layer 5-9 MPLS capable routers a.k.a. label-switched router forward packets to outgoing interface based only on label value (don’t inspect IP address) MPLS forwarding table distinct from IP forwarding tables flexibility: MPLS forwarding decisions can differ from those of IP use destination and source addresses to route flows to same destination differently (traffic engineering) re-route flows quickly if link fails: pre-computed backup paths (useful for VoIP) Link Layer 5-10 MPLS versus IP paths R6 D R4 R3 R5 A R2 IP routing: path to destination determined by destination address alone IP router Link Layer 5-11 MPLS versus IP paths entry router (R4) can use different MPLS routes to A based, e.g., on source address R6 D R4 R3 R5 A R2 IP routing: path to destination determined by destination address alone IP-only router MPLS routing: path to destination can be based on source and dest. address MPLS and IP router fast reroute: precompute backup routes in case of link failure Link Layer 5-12 MPLS signaling modify OSPF, IS-IS link-state flooding protocols to carry info used by MPLS routing, e.g., link bandwidth, amount of “reserved” link bandwidth entry MPLS router uses RSVP-TE signaling protocol to set up MPLS forwarding at downstream routers RSVP-TE R6 D R4 R5 modified link state flooding A Link Layer 5-13 MPLS forwarding tables in label out label dest 10 12 8 out interface A D A 0 0 1 in label out label dest out interface 10 6 A 1 12 9 D 0 R6 0 0 D 1 1 R3 R4 R5 0 0 R2 in label 8 out label dest 6 A out interface in label 6 outR1 label dest - A A out interface 0 0 Link Layer 5-14 Wireless, Mobile Networks 6-15 Network Address Translation (NAT) Lieberherr and El Zarki: Mastering Networks: An Internet Lab Manual Addison-Wesley 2004 http://www.cs.virginia.edu/~itlab/book/ Relates to Lab 7. Module about private networks and NAT. Private Network Private IP network is an IP network that is not directly connected to the Internet IP addresses in a private network can be assigned arbitrarily. Not registered and not guaranteed to be globally unique Generally, private networks use addresses from the following experimental address ranges (non-routable addresses): 10.0.0.0 – 10.255.255.255 172.16.0.0 – 172.31.255.255 192.168.0.0 – 192.168.255.255 Private Addresses H1 10.0.1.2 H3 H2 H4 10.0.1.2 10.0.1.3 10.0.1.1 10.0.1.3 10.0.1.1 Private network 1 Private network 1 Internet R1 128.195.4.119 128.143.71.21 213.168.112.3 H5 R2 Network Address Translation (NAT) NAT is a router function where IP addresses (and possibly port numbers) of IP datagrams are replaced at the boundary of a private network NAT is a method that enables hosts on private networks to communicate with hosts on the Internet NAT is run on routers that connect private networks to the public Internet, to replace the IP address-port pair of an IP packet with another IP address-port pair. Basic operation of NAT NAT device has address translation table Main uses of NAT (Overview) Pooling of IP addresses Supporting migration between network service providers IP masquerading Load balancing of servers Pooling of IP addresses Scenario: Corporate network has many hosts but only a small number of public IP addresses NAT solution: Corporate network is managed with a private address space NAT device, located at the boundary between the corporate network and the public Internet, manages a pool of public IP addresses When a host from the corporate network sends an IP datagram to a host in the public Internet, the NAT device picks a public IP address from the address pool, and binds this address to the private address of the host Pooling of IP addresses Private network Internet = 128.143.71.21 Source Destination = 213.168.112.3 = 10.0.1.2 Source Destination = 213.168.112.3 NAT device private address: 10.0.1.2 public address: H1 public address: 213.168.112.3 H5 Private Address Public Address 10.0.1.2 Pool of addresses: 128.143.71.0-128.143.71.30 Supporting migration between network service providers Scenario: In CIDR, the IP addresses in a corporate network are obtained from the service provider. Changing the service provider requires changing all IP addresses in the network. NAT solution: Assign private addresses to the hosts of the corporate network NAT device has static address translation entries which bind the private address of a host to the public address. Migration to a new network service provider merely requires an update of the NAT device. The migration is not noticeable to the hosts on the network. Note: The difference to the use of NAT with IP address pooling is that the mapping of public and private IP addresses is static. Supporting migration between network service providers IP masquerading Also called: Network address and port translation (NAPT), port address translation (PAT). Scenario: Single public IP address is mapped to multiple hosts in a private network. NAT solution: Assign private addresses to the hosts of the corporate network NAT device modifies the port numbers for outgoing traffic IP masquerading Load balancing of servers Scenario: Balance the load on a set of identical servers, which are accessible from a single IP address NAT solution: Here, the servers are assigned private addresses NAT device acts as a proxy for requests to the server from the public network The NAT device changes the destination IP address of arriving packets to one of the private addresses for a server A sensible strategy for balancing the load of the servers is to assign the addresses of the servers in a round-robin fashion. Load balancing of servers Concerns about NAT Performance: Modifying the IP header by changing the IP address requires that NAT boxes recalculate the IP header checksum Modifying port number requires that NAT boxes recalculate TCP checksum Fragmentation Care must be taken that a datagram that is fragmented before it reaches the NAT device, is not assigned a different IP address or different port numbers for each of the fragments. Concerns about NAT (2) End-to-end connectivity: NAT destroys universal end-to-end reachability of hosts on the Internet. A host in the public Internet often cannot initiate communication to a host in a private network. The problem is worse, when two hosts that are in a private network need to communicate with each other. Concerns about NAT (3) IP address in application data: Applications that carry IP addresses in the payload of the application data generally do not work across a private-public network boundary. Some NAT devices inspect the payload of widely used application layer protocols and, if an IP address is detected in the application-layer header or the application payload, translate the address according to the address translation table. NAT and FTP Normal FTP operation NAT and FTP NAT device with FTP support NAT and FTP FTP in passive mode and NAT. Firewalls firewall isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others public Internet administered network trusted “good guys” Network Security firewall untrusted “bad guys” Firewalls: why prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections prevent illegal modification/access of internal data e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network set of authenticated users/hosts three types of firewalls: stateless packet filters stateful packet filters application gateways Network Security Stateless packet filtering Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Network Security Stateless packet filtering: example example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 result: all incoming, outgoing UDP flows and telnet connections are blocked example 2: block inbound TCP segments with ACK=0. result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Network Security Stateless packet filtering: more examples Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution’s public Web server only. Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (e.g. 130.207.255.255). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Network Security Access Control Lists ACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs action source address dest address protocol source port dest port allow 222.22/16 outside of 222.22/16 TCP > 1023 80 allow outside of 222.22/16 TCP 80 > 1023 ACK allow 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- deny all all all all all all 222.22/16 outside of 222.22/16 flag bit any Network Security Stateful packet filtering stateless packet filter: heavy handed tool admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established: action allow source address dest address outside of 222.22/16 222.22/16 protocol source port dest port flag bit TCP 80 > 1023 ACK stateful packet filter: track status of every TCP connection track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “makes sense” timeout inactive connections at firewall: no longer admit packets Network Security Stateful packet filtering ACL augmented to indicate need to check connection state table before admitting packet action source address dest address proto source port dest port allow 222.22/16 outside of 222.22/16 TCP > 1023 80 allow outside of 222.22/16 TCP 80 > 1023 ACK allow 222.22/16 UDP > 1023 53 --- allow outside of 222.22/16 222.22/16 UDP 53 > 1023 ---- deny all all all all all all 222.22/16 outside of 222.22/16 flag bit check conxion any x x Network Security Application gateways gateway-to-remote host telnet session host-to-gateway telnet session filters packets on application data as well as on IP/TCP/UDP fields. example: allow select internal users to telnet outside. application gateway router and filter 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway. Network Security Firewalling with a 1:1 NAT U of Basel has a1:1 NAT (internal IP address == external IP address) Serves automatically as a simple firewall Only outgoing (TCP, UDP) sessions allowed Independent from and additionally to the NAT box: IDS (intrusion detection system) DPI (deep packet inspection) Wireless, Mobile Networks 6-45 Application gateways filter packets on application data as well as on IP/TCP/UDP fields. example: allow select internal users to telnet outside host-to-gateway telnet session application gateway router and filter gateway-to-remote host telnet session 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway. Network Security Limitations of firewalls, gateways IP spoofing: router can’t know if data “really” comes from claimed source if multiple app’s. need special treatment, each has own app. gateway client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser Network Security filters often use all or nothing policy for UDP tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks