Network Administration IP Addresses

Introduction

Network Administration IP addresses

Toward IPv6 Grégory Mounié Host name SCCI - Master-2 Routing <2013-09-17 mar.> Services

Integration between diﬀerent OS

1 / 75 2 / 75

IP addresses

For people with sufficient background: Toward IPv6 easy Chat on google talk (or facebook) with XMPP on wifi-campus/eduroam of the campus Host name hard Surf on ipv6.google.com on wifi-campus/eduroam of the campus Routing

Services

Integration between diﬀerent OS

3 / 75 3 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Networks Networks of networks

Deﬁnition (network) group of interconnected machines Deﬁnition (Internet)

• network of networks • based on TCP (Transmission Control Protocol) and IP (Internet Protocol) protocols

Figure : Interconnection of networks

4 / 75 5 / 75

• unique number identifying a Network interface • eg. IPv6: 2a00:1450:4009:804::1007; Internet Protocol • IPv4: 74.125.230.130 • identiﬁes network interfaces • eg. IPv6: fe80::2677:3ff:fe2e:22c0/64; • handles routing • IPv4: 192.168.0.1 • eg. IPv6: ; • fragmentation of data into packets ::1 • IPv4: 127.0.0.1

Transmission Control Protocol Two parts in a single number • transmissions in connected mode • ﬁxed size number • error corrections, packets arriving in order • parts of variable length • beginning part : network ID • ending part : host ID

6 / 75 7 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS IP address notation Network IPv4 classes

3 classes of networks : the problem of the 3 bears

IPv6 16 bytes, 128 bits, hexadecimal notation class A • few networks • lots of hosts • aaaa:bbbb:cccc:dddd:eeee:ffff:gggg:hhhh • NNN.mmm.mmm.mmm • :: replace a single 0 sequence class B • not enough of middle size networks IPv4 4 bytes, 32 bits, decimal notation • NNN.NNN.mmm.mmm • aaa.bbb.ccc.ddd class C • lots of networks • few hosts • NNN.NNN.NNN.mmm

8 / 75 9 / 75

Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Network mask Special IPv6 addresses • flexible network/machine ID size Which bits are used for network ID and which bits are used for host ID ? • 0:0:0:0:0:0:0:0, :: : host not specified • notation: =ip address=/X ; the X first bits are the network • FE80::/10 (truly /64) : link-local address (autoconf) address • FEC0::/10 : site-local address, non routed on Internet • IPv4 address mask denoted 255.255.255.0 • FF00::/8 : address multicast (0b1111111111111111111111100000000) • ::1/128 : loopback Various masks • ::FFFF:(IPv4 address) : double stack for IPv4 mapping • ::(IPv4 address) : IPv4 compatibility address • fe80::2677:3ff:fe2e:22c0/64 : 64 bits network ID • 255.255.255.0 : mask for IPv4 class C network • 255.0.0.0 : mask for IPv4 class A network • 255.128.0.0 : IPv4 mask: 9 bits for network, 23 bits for hosts

10 / 75 11 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Special IPv4 addresses Basic configuration

• 0.0.0.0 : this host, or default • 0.host : un host of the local network • ifconﬁg command • 255.255.255.255 : local broadcast • ifconﬁg -a : list all available interfaces • PrefixNet.[1]+ : local broadcast • ip command • PrefixNet.PrefixSubnet.[1]+ : idem • ip link; ip addr • 127.x.x.x : loopback ifconfig eth0 add 2a00:1450:4007:803::1017/64 • 10/8, 172.16/12, 192.168/16 : private network ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up • 169.254.x.y : zeroconf (bonjour) autoconf (for local usage only)

12 / 75 13 / 75

• In 1993, IPv4 become classless : remaining C networks were • IPv4 name adress space is too small. grouped in (21 bits, 2048 hosts) networks and distributed • Transition path was planned with the IPv6 standard (RFC geographically : 2460, 1998): • Europe : 194-195.x.x.x • Dual stack public IP address during the transition • America : 198-199.x.x.x • Asia : 202-203.x.x.x Planned transition failure Large usage of private networks (NAT) • Nobody has done the transition. • All plan used double stack strategies. • Major architecture change. • No public IPv4 address anymore (IANA: 3 fev 2011 !) ! • One-way Internet connection for personal use: 1 public IP address per your DSL box (your CPE: customer premises equipment) • New services and protocols become undeployable !

14 / 75 • Mobile phone routing (how to route efficiently multiple private 15 / 75 network ?) Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS IPv4 is a zombie II IPv4 is a zombi III

Early adopters have a lot of remaining addresses NAT Zoo • people with competences have plenty of IPv4 adresses: • NAT44 : your home, your phone network • eg: recent wifi-campus and eduroam give one IPv4 address • NAT 444 : asia and africa : not a single public IP anymore ! per connected student • NAT 64 : early adopters • people without enough IPv4 address have not the competence • NAT 66 : NAT lovers to manage IPv6 network • NAT 464 ou 646 ??

16 / 75 17 / 75

Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Is IPv6 ready ? IPv6 Transition Big software are ready. (Chicken and eggs problem for small software) 5 main strategies: http://www.google.com/ipv6/statistics.html 1. full dual stack: not for everybody • 2% of google access (France 5%, Germany 4.5 %, Romania 2. tunnel: IPv6 over IPv4 to connect IPv6 islands 7.5%) • trouble with MTU 3. 6rd : CPE (your box) encapsulate IPv6 to the boundaries of http://6lab.cisco.com/stats/ the FAI • Free • France: 48% of prefix; 71.4% Transit AS; 50% Content; 5% 4. DS-Lite: the opposite of 6rd: encapsulate IPv4 packets in a users; IPv6 FAI network to the boundaries of the FAI. Grenoble academic science 5. NAT64: to connect to the remaining Internet from IPv6 only computer • IPv6 address space mapping of Grenoble universities and • very useful without IPv4 address (Mobile carrier soon ?) laboratories exists since 2001 • working at the main routers level • not deployed yet to end-user save exception 18 / 75 19 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Host names URL

• Uniform Resource Locator • needed for human readable names • IP address may change ⇒ name does not change • association between names and addresses • several names can be associated to the same address • several address can be associated to the same name

Host name versus authentication A host name and its associated IP, are not suﬃcient as authentication !

20 / 75 21 / 75

Domain Name System (DNS) • hierarchy • subdomains : en.wikipedia.org different mechanisms • recursive address resolution • configuration in /etc/nsswitch.conf • heavy use of caching • DNS servers IP : /etc/resolv.conf • slow propagation of changes (up to several days) • different addresses may be seen for a name if requests originate • /etc/hosts : list of known hosts from different places • may be the cause of process stall

Host name versus authentication A host name and its associated IP, are not suﬃcient as authentication !

22 / 75 23 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS DNSSEC Private Network is not a protection • private IP ⇒ no direct connection from Internet • still indirect connection are possible

Browser + DNS attack • No security in the original design ⇒ forged address by 1. Browsers download web pages including javascript code man-in-the-middle attack 2. Javascript code can connect only with the server • Digitally sign the record with public key cryptography and a 3. the server IP is given by the DNS of the server chain of trust (subdomain key is recursively authenticated by 4. the DNS of the server may choose a small timeout for the its domain, the root are trusted) caching of the resolution 5. the DNS may answer a diﬀerent address at the second resolution 6. the DNS answer may include a private IP adress 7. Javascript may connect to any local computer with private IP (eg. your DSL box and its conﬁguration)

24 / 75 25 / 75

• Not enough ethernet plug in an oﬃce ⇒ add a 10 euros • routing handled by the IP protocol switch in the oﬃce • routes are found from neighbors to neighbors • Wait some time ⇒ the switch is connected with two of its • possibility of several routes from source to target ports to two plugs • routes could be asymmetric • enjoy your slow network due to packet loop of every broadcast • bugs: cycle, sink, half-broken routes, . . . packet • mechanisms to destroy packets (TTL) • mechanisms to inform sender of the troubles (ICMP) Cables are the problem Cables are always the problem.

26 / 75 27 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Example of bad routing (real case II) IP headers • Security is important, thus ICMP is filtered. • Somebody needs of a large bandwidth between two cities ⇒ multiway connection with automatic load-balancing • somebody check the performance: it is working ! • One of the way become broken (somebody change routing somewhere in the path, or unplug a cable) • High loss rate of TCP packets ⇒ slow but working TCP connections. • End point observation of the traffic is quite normal (no ICMP error packet reported) • Wait months, or years, before somebody really check again the performance and spot the problem. ICMP filtering Network are complex ! ICMP packets are important ! Filtering ICMP increase the difficulty to debug any problem. 28 / 75 29 / 75

• on each host : a table indicating to what network interface a packet should be routed • many possible destinations ⇒ table contains generally network addresses rather than hosts addresses

• table displayed and conﬁgured by the ip or the route commands

30 / 75 31 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS ip=/=route Traceroute6 ~> $ traceroute6 ucla.edu traceroute to ucla.edu (2607:f010:3fe:101:0:ff:fe01:32), 30 hops max, 80 byte packets 1 2a01:e35:2433:1510::1 (2a01:e35:2433:1510::1) 3.444 ms 3.396 ms 3.377 ms • man ip 2 * * * • ip route add 2a00:1450:4007:803::/64 dev eth0 3 th2-crs16-1.intf.routers.proxad.net (2a01:e00:2:d::1) 47.402 ms 47.418 ms 47.402 ms • man route : good for common tasks (examples) 4 bzn-crs16-1-be2000.intf.routers.proxad.net (2a01:e00:1:6::1) 47.415 ms 47.398 ms 47.381 ms • route : displays routing table 5 londres-6k-1-po101.intf.routers.proxad.net (2a01:e00:1:a::2) 68.444 ms 70.827 ms * 6 2a01:5d8:e000:0:401:402:0:2 (2a01:5d8:e000:0:401:402:0:2) 65.581 ms 48.089 ms * • route add -net 2a00:1450:4007:803::/64 dev eth0 7 20gigabitethernet1-3.core1.ams1.ipv6.he.net (2001:7f8:1::a500:6939:1) 53.755 ms 53.701 ms 53.684 ms • route add -net 192.56.76.0 netmask 255.255.255.0 8 10gigabitethernet1-4.core1.lon1.he.net (2001:470:0:3f::1) 53.668 ms 53.653 ms 64.754 ms dev eth0 9 10gigabitethernet7-4.core1.nyc4.he.net (2001:470:0:128::1) 127.037 ms 116.096 ms 113.389 ms • route add default gw univ-gw 10 10gigabitethernet5-3.core1.lax1.he.net (2001:470:0:10e::1) 199.101 ms 192.953 ms 187.097 ms 11 lax-hpr--he-peer.cenic.net (2001:468:e00:801::1) 187.047 ms * * 12 dc-lax-core2--lax-px1-10ge-2.cenic.net (2607:f380::118:9a42:e981) 191.549 ms 191.456 ms 197.117 ms 13 2607:f380::118:9a42:e871 (2607:f380::118:9a42:e871) 190.425 ms * * 14 * * * 32 / 75 15 2607:f010:bff:f012:0:ff:fe00:1 (2607:f010:bff:f012:0:ff:fe00:1)33 / 75 235.370 ms 224.552 ms 193.341 ms 16 core-2--csb1-1.backbone.ucla.net (2607:f010:bff:e007:2d0:3ff:fed3:7800) 188.900 ms 192.547 ms 192.536 ms 17 core-2--csb1-1.backbone.ucla.net (2607:f010:bff:e007:2d0:3ff:fed3:7800) 3194.885 ms !H * * Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS BGP ARP protocol

• Border Gateway Protocol (RFC 1771) • IP : high level protocol • communication of routing tables between ISP • network card : mainly ethernet protocol • autonomous systems • correspondence between MAC addresses and IP addresses: • dampening • Very usefull ⇒ Address Resolution Protocol, part of IPv6 • openbsd implementation : openbgpd (ARPv6)

34 / 75 35 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS ARP table External connections

• use of a gateway # ip neigh • a gateway binds two diﬀerent networks fe80::207:cbff:fec3:6fd dev wlan0 lladdr 00:07:cb:c3:06:fd router STALE 192.168.1.254 dev wlan0 lladdr 00:07:cb:c3:06:fd STALE # arp Address HWtype HWaddress Flags Mask Iface 10.6.8.254 ether 00:07:EC:CD:18:CA C eth2

36 / 75 37 / 75

• we lie on origin of all outgoing packets • eth0 and eth1 in two diﬀerent networks • packets will be tagged as coming from gateway • host acting as a gateway • goal : connecting a subnet by using only 1 IP address • other hosts modify their routing tables • gateway in charge of correspondences • activate forwarding • note: the connected subnet should be a local network • echo 1 > /proc/sys/net/ipv4/ip_forward (192.168.X.X) • similar usage: 4-to-6, 6-to-4, 4-to-4-to-4, 6-to-6-to-6

38 / 75 39 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Masquerading Useful commands

• netstat : lists active sockets • Masquerading-Simple-HOWTO • lsof : lists processes using sockets • iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE • telnet : sending data interactively • iptables will be presented in details in following courses • netcat : like cat for network

40 / 75 41 / 75

1. static address (by hand or configuration file) 2. DHCP 1. static address (by hand or configuration file) 3. Zeroconf/autoconf (IPv6 link-local for the poor IPv4 guy) 2. Router Advertisement and automatic selection of the machine Zeroconf/autoconf ID (SLAAC) 3. DHCPv6 1. choose randomly a IP in 169.254.x.y range 2. Ask using ARP (broadcast) if somebody use it 3. If no answer comes, use it and defend it against following ARP request.

42 / 75 43 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Services Port number

Servers are executed as daemons • diﬀerent services on one host Examples of services • how to diﬀerentiate them ? • port number • print server • one service = one port + one protocol • web server • standard numbers (web=80, . . . ) • ftp server • entry points on a host • game servers Port number are not part of IP • ... Working on port number ⇒ understand the transport protocol

44 / 75 45 / 75

Services are commonly using well-known port numbers (/etc/services) Client side 1. create a socket 2. connect to remote host on given port • ftp : 21 3. connection accepted or refused • ssh : 22 4. communications following protocol • telnet : 23 Server side 1. create a socket • www : 80 2. bind socket to given port • pop3 : 110 3. accept or refuse incoming communications • imaps : 993 • ...

46 / 75 47 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Others protocols than TCP DHCP server

• centralize network conﬁguration • UDP : IP + port number • conﬁgures IP addresses, routing tables, DNS servers • SCTP : TCP with messages, multiple streams, multi-homing, 4 ways handshake • server : dhcpd • DCCP : UDP with TCP-like connection for congestion control • client : dhchcd, pump, dh_client (no resend of lost packet) • communication by broadcast Fully integrated in IPv6 (DHCPv6)

48 / 75 49 / 75

• sending : • routing from servers to servers • smtp protocol • usually apache (51%; Netcraft Survey) • servers : exim (46%; http://securityspace.com 2012 • many other servers (30+; 11%) survey), sendmail (25%), postfix (11%), exchange (9%) • IIS (20%), nginx (15%), caudium, yaws, araneida, boa • receiving : • installation from packages • receiving mail in the spool • /var/mail/wagnerf • configuration files in /etc/apache2 • through network : POP3, IMAP • many different modules 2 actors • MTA (mail server) : send, exchange, store email • MUA (thunderbird, webmail) : allow a user to read his email.

50 / 75 51 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS News server DNS server

Old school forum/data exchange. • messages exchanged in newsgroups • name resolver • port 119 • symbolic name ⇒ IP address • NNTP protocol : transfer between servers replicating • port 53 udp or tcp newsgroups • server : Bind • NNRP protocol : to read news • servers : INN, Dnews, . . .

52 / 75 53 / 75

• proxy : intermediate element between client and server • ssh (http://www.openssh.org) • handle the ﬂow of data • telnet • goals : • ﬁlter : forbid or remove • rlogin • cache : accelerate • anonymity : hide end users • authenticate : simple access to protected resources

54 / 75 55 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Proxy server Some web proxies

• squid • caching proxy • junkbuster • removes advertising from web pages

56 / 75 57 / 75

Lots of diﬀerent OS in the same network : • Linux (300 versions) + freebsd + macOS X (2-3 versions) + Various Unixes + Windows NT + Windows XP + Windows 2000 Server + Windows Vista + Windows 7 + Windows 8 • ...

58 / 75 59 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Goals Structure

• network ⇒ sharing of resources • printers • ﬁles • zip drive, backup services • ... • sharing access to internet • gateway + masquerading

60 / 75 61 / 75

• easy to put in place • NFS (Network File Sharing) • standard protocol • available on all systems • server exports file systems • immediate interconnection • client mounts remote file systems • • resources sharing ? completely transparent • kernel or user-space driver • unix standards • simple configuration compare to other solution • efficient (NFSv4+Kerberos vs AFS ?) • not (easily) compatible with windows

62 / 75 63 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between different OS Printers Other devices • cups, one daemon per host, implementing a three steps systems: 1. scheduler/spooler for collecting and routing documents 2. filter for converting the document into the language of the printer • often NFS is sufficient (e.g. for ZIP drive) 3. backends (ipp, http, ftp, usb) • special services for some devices: • /etc/cups/cupsd.conf • scanner : sane • all daemons are communicating • sound : nas, . . . • Web interface (http://localhost:631) • applications : X • but how to authenticate users ? In case of problem, add a level of indirection

• To avoid to set up the list of printer on all computer, the daemons exchange theirs known list of printers. • To avoid to set up the printer driver on all computer, translate the document format to the printer language if diﬀerent.

64 / 75 65 / 75

• NIS: Network Information Service • clients broadcast requests • centralize network conﬁguration • one map for each service table of administrative informations on one server • ypcat map to see one • only one manipulation to add a user on the whole network (or • user informations (uid, gid) disk, . . . ) • domain names • problems • host names in one domain • important network use • may not scale very well ⇒ NIS caches • NFS

66 / 75 67 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS LDAP Standards

• LDAP is similar to NIS Several organizations develop standards • TLS connection • ISOC (internet society) • storing X.500 tree of attributes/values • IETF (internet engineering task force) • ldap/ldaps port 389/636 • IAB (internet architecture board) • eg. dn:uid=toto,ou=people,dc=example,dc=org • RIPE (Réseaux IP Européens)

68 / 75 69 / 75

modiﬁcation in 1993/1994:

• development of the web • at ﬁrst : RFC (Request For Comments) • internet gains in users • proposals for new standards • development from trade • informative notes • netscape and microsoft add extensions to html • in the old times. . . • format wars (javascript/active X) • if RFC was OK ⇒ implemented ⇒ standard • no respect for standard procedure ⇒ loss of compatibilities for • decision from developers and community the internet

HTML5 HTML5 is, hopefully, more "old school" from this point of view (save

70 / 75 71 / 75 Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS Introduction IP addresses Toward IPv6 Host name Routing Services Integration between diﬀerent OS netbios / netbui SAMBA

• proprietary protocol • implementation of netbui for unix • development with NT (beginning 90) • client • developed by microsoft, no RFC • server • allows • set of tools • sharing of ﬁles • administration of windows domains • sharing of printers • mount windows disks • a little remote administration • mount unix disks under windows • initially undocumented • user accounts handling

72 / 75 73 / 75

• often installed by default • /etc/samba/smb.conf smbclient • ftp-like • network conﬁguration [global] • access to all windows resources • disks : smbmount • mount windows directories • accounts (homes) [homes] • careful with rights ! • public disks (applications) [public] • printers [printers]

74 / 75 75 / 75