
Leftovers: MPLS, Multicast, Gateways and Firewalls, VPNs

Leftovers: MPLS, Multicast, Gateways and Firewalls, VPNs. Jean-Yves Le Boudec Fall 2009. Part 1: Firewalls. TCP/IP architecture separates hosts and routers network = packet transportation only private networks may want more protection “access control” one component is a firewall


Presentation Transcript


  1. Leftovers: MPLS, Multicast, Gateways and Firewalls, VPNs. Jean-Yves Le Boudec, Fall 2009

  2. Part 1: Firewalls
     • TCP/IP architecture separates hosts and routers
       • network = packet transportation only
     • private networks may want more protection
       • “access control”
       • one component is a firewall
     • definition: a firewall is a system that
       • separates Internet from intranet: all traffic must go through the firewall
       • only authorized traffic may go through
       • the firewall itself cannot be penetrated
     • Components of a firewall
       • filtering router
       • application or transport gateway

  3. Filtering Routers
     • A router sees all packets and may do more than packet forwarding as defined by IP
     • filtering rules based on:
       • port numbers, protocol type, control bits in TCP header (SYN packets)
     • Example (filtering router between the Internet and the intranet):

         rule  prot  srce addr      dest addr   srce port  dest port  action
         1     tcp   *              198.87.9.2  >1023      23         permit
         2     tcp   *              198.87.9.3  >1023      25         permit
         3     tcp   129.132.100.7  198.87.9.2  >1023      119        permit
         4     *     *              *           *          *          deny

  4. The example shows 4 rules applied to the ports shown:
     - rule 1 allows telnet connections from the outside to the machine 198.87.9.2
     - rule 2 allows email to be sent to machine 198.87.9.3
     - rule 3 allows news to be sent to machine 198.87.9.2, but only from machine 129.132.100.7
     - rule 4 forbids all other packets.
     Designing the set of rules employed in a firewall is a complex task; the set shown on the picture is much simpler than a real configuration. Packet filtering alone offers little protection because it is difficult to design a safe set of rules and at the same time offer full service to the intranet users.
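To make the first-match semantics of the rule table concrete, here is an added example (not from the lecture) that transcribes the four rules of slide 3 and evaluates constructed sample packets against them. The Packet and Rule types and the sample addresses 10.0.0.5 etc. are constructed for this example.

```python
"""Added example (not from the lecture): a first-match packet filter running the
four rules of slide 3. Rules are tried top to bottom; the first match decides,
and rule 4 is the explicit default deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    prot: str      # "tcp", "udp", ...
    src: str       # source IP address
    dst: str       # destination IP address
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    prot: str      # protocol name or "*"
    src: str       # address, CIDR prefix or "*"
    dst: str
    sport: str     # exact port, ">1023" or "*"
    dport: str
    action: str    # "permit" or "deny"


def _addr_matches(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_matches(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)


def matches(rule, pkt):
    return ((rule.prot == "*" or rule.prot == pkt.prot)
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and _port_matches(rule.sport, pkt.sport)
            and _port_matches(rule.dport, pkt.dport))


def decide(rules, pkt):
    """Return (rule number, action) of the first rule matching pkt.
    A rule set without a final catch-all falls back to deny (reported as rule 0)."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return n, rule.action
    return 0, "deny"


# The rule set of slide 3, transcribed.
RULES = [
    Rule("tcp", "*", "198.87.9.2", ">1023", "23", "permit"),
    Rule("tcp", "*", "198.87.9.3", ">1023", "25", "permit"),
    Rule("tcp", "129.132.100.7", "198.87.9.2", ">1023", "119", "permit"),
    Rule("*", "*", "*", "*", "*", "deny"),
]

if __name__ == "__main__":
    # Constructed sample packets (addresses 10.0.0.5 and port 40000 are made up).
    samples = [
        Packet("tcp", "10.0.0.5", "198.87.9.2", 40000, 23),        # telnet: rule 1
        Packet("tcp", "10.0.0.5", "198.87.9.2", 40000, 119),       # news, wrong source: rule 4
        Packet("tcp", "129.132.100.7", "198.87.9.2", 40000, 119),  # news, allowed source: rule 3
        Packet("udp", "10.0.0.5", "198.87.9.3", 40000, 25),        # wrong protocol: rule 4
    ]
    for p in samples:
        print(p, "->", decide(RULES, p))
```

Running the samples shows the weakness slide 4 points at: rule 1 admits telnet from any source, and the only thing the rules know about the client is its source port, so the filter cannot tell a legitimate client from anything else that uses a port above 1023.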

  5. Application Layer Gateways
     • Application layer gateway is a layer 7 intermediate system
       • normally not used according to the TCP/IP architecture
       • but mainly used for access control
       • also used for interworking issues
     • Principle:
       • proxy principle: viewed by client as a server and by server as a client
       • supports access control restrictions, authentication, encryption, etc
     [Figure: HTTP Gateway between the intranet (HTTP client A) and the Internet (HTTP server B). The gateway runs an HTTP server facing A and an HTTP client facing B, with the gateway logic in between, each side on its own TCP/IP stack. Steps: 1 GET xxx.. from A to the gateway, 2 GET xxx.. from the gateway to B, 3 data from B to the gateway, 4 data from the gateway to A.]

  6. (HTTP gateway example, continued)
     1. User at A sends an HTTP request. It is not sent to the final destination but to the application layer gateway. This results from the configuration at the client.
     2. The gateway checks whether the transaction is authorized. Encryption may be performed. Then the HTTP request is issued again from the gateway to B as though it were originating from A.
     3. A response comes from B, probably in the form of a MIME header and data. The gateway may also check the data, possibly decrypt, or reject the data.
     4. If it accepts to pass it further, it is sent to A as though it were coming from B.
     Application layer gateways can be made for all application level protocols. They can be used for access control, but also for interworking, for example between IPv4 and IPv6.

  7. Transport Gateway
     • Similar to application gateways but at the level of TCP connections
     • independent of application code
     • requires client software to be aware of the gateway
     [Figure: Transport Gateway (SOCKS Server) between A and B. 1: A opens a TCP connection to the gateway, port 1080 (SYN, SYN ACK, ACK). 2: connection relay request to B :80, answered OK. 3: the gateway opens a TCP connection to B, port 80 (SYN, SYN ACK, ACK). 4: data relay (GET xxx.., data) between the two connections.]

  8. The transport gateway is a layer 4 intermediate system. The example shows the SOCKS gateway. SOCKS is a standard being defined by the IETF.
     1. A opens a TCP connection to the gateway. The destination port is the well known SOCKS server port 1080.
     2. A requests from the SOCKS server the opening of a TCP connection to B. A indicates the destination port number (here, 80). The SOCKS server does various checks and accepts or rejects the connection request.
     3. The SOCKS server opens a new TCP connection to B, port 80. A is informed that the connection was opened successfully.
     4. Data between A and B is relayed at the SOCKS server transparently. However, there are two distinct TCP connections with their own, distinct ack and sequence numbers.
     Compared to an application layer gateway, the SOCKS server is simpler because it is not involved in application layer data units; after the connection setup phase, it acts on a packet by packet level. Its performance is thus higher. However, it requires the client side to be aware of the gateway: it is not transparent. Netscape and Microsoft browsers support SOCKS gateways.
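Step 2 above is where the "various checks" happen. The following added example (not from the lecture, and not the code of any SOCKS implementation) encodes the messages of that step on both sides using the SOCKS5 field layout of RFC 1928, and shows the policy check the gateway applies before it would open the relayed connection of step 3. The relay policy, the bound address 198.87.9.254 and port 40001 are constructed sample values; no network I/O is performed.

```python
"""Added example (not from the lecture): the SOCKS5 exchange of slide 8, step 2,
with both sides' messages as bytes, plus the access check the gateway performs
before relaying. Policy and addresses are constructed sample values."""
import struct
from ipaddress import ip_address, ip_network

VER = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCESS = 0x00
REP_NOT_ALLOWED = 0x02          # "connection not allowed by ruleset"


# ---- client A ----
def client_greeting():
    """VER | NMETHODS | METHODS: A offers only 'no authentication'."""
    return bytes([VER, 1, NO_AUTH])


def connect_request(dst_ip, dst_port):
    """VER | CMD | RSV | ATYP | DST.ADDR (4 bytes) | DST.PORT (network order)."""
    return struct.pack("!BBBB4sH", VER, CMD_CONNECT, 0, ATYP_IPV4,
                       ip_address(dst_ip).packed, dst_port)


# ---- SOCKS server (the transport gateway) ----
def parse_greeting(msg):
    if len(msg) < 2 or msg[0] != VER or len(msg) != 2 + msg[1]:
        raise ValueError("malformed greeting")
    return set(msg[2:])


def method_selection(methods):
    """VER | METHOD; 0xFF tells the client none of its methods is acceptable."""
    return bytes([VER, NO_AUTH if NO_AUTH in methods else 0xFF])


def parse_connect_request(msg):
    if len(msg) != 10 or msg[0] != VER or msg[2] != 0:
        raise ValueError("malformed request")
    if msg[1] != CMD_CONNECT or msg[3] != ATYP_IPV4:
        raise ValueError("unsupported command or address type")
    addr, port = struct.unpack("!4sH", msg[4:])
    return str(ip_address(addr)), port


def reply(rep, bnd_ip="0.0.0.0", bnd_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return struct.pack("!BBBB4sH", VER, rep, 0, ATYP_IPV4,
                       ip_address(bnd_ip).packed, bnd_port)


# Constructed relay policy: (destination network, destination port) pairs the
# gateway is willing to open; anything else is refused with REP_NOT_ALLOWED.
POLICY = [(ip_network("198.87.9.0/24"), 80)]


def handle_connect(msg, policy=POLICY):
    """Return (decision, reply bytes). The TCP connection to B (step 3) is only
    opened when the decision is 'accept'."""
    dst, port = parse_connect_request(msg)
    allowed = any(ip_address(dst) in net and port == p for net, p in policy)
    if not allowed:
        return "reject", reply(REP_NOT_ALLOWED)
    # BND.ADDR/BND.PORT would be the gateway's own end of the connection to B
    # (constructed value here).
    return "accept", reply(REP_SUCCESS, "198.87.9.254", 40001)


if __name__ == "__main__":
    g = client_greeting()
    print("A -> gw", g.hex(), "| gw -> A", method_selection(parse_greeting(g)).hex())
    for port in (80, 23):
        req = connect_request("198.87.9.2", port)
        decision, rep = handle_connect(req)
        print("A -> gw", req.hex(), "| gw -> A", decision, rep.hex())
```

Because the gateway sees only the destination address and port of the request, its policy is exactly as coarse as the filtering router's; what it adds is that A's connection terminates at the gateway, so B only ever talks to the gateway's own address.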

  9. Typical Firewall Designs
     • An application / transport gateway alone can be used as firewall if it is the only border between two networks
     • A more general design is one or more gateways isolated by filtering routers
     [Figure: (a) intranet – gateway – Internet: Firewall = one dual homed gateway. (b) intranet – R1 – gateways – R2 – Internet: Firewall = gateways + sacrificial subnet, the gateways sitting on a subnet between the filtering routers R1 and R2.]

  10. Part 2: Connection Oriented Networking: MPLS and ATM

  11. Contents
     1. Connection Oriented network layer, ATM
     2. MPLS (Multi Protocol Label Switching)

  12. 1. Frame Relay, ATM
     • There exists a family of data networks which is very different from IP: carrier data networks
       • Frame Relay, ATM, X.25
     • They use the Connection Oriented Network Layer
     • They were designed to be an alternative to IP
       • Failed in this goal
     • Used today as “super Ethernet” in IP backbones or at interconnection points
     • Being replaced by MPLS

  13. Connection Oriented Network Layer: Frame Relay, ATM, X.25
     [Figure: hosts A, B and C connected through switches S1, S2, S3 and S4. Each switch holds a table mapping (input port, input conn Id) to (output port, output conn Id); the connection identifier carried by a packet is rewritten by each switch along the path.]

  14. Connection oriented = similar to telephone. Connections are also called virtual circuits.
     • The connection oriented network layer uses connections that are known and controlled in all intermediate systems. Every packet carries a connection identifier which is either global (SNA) or local to a link (X.25, Frame Relay, ATM).
     • The packet forwarding function is simple, based on table lookup.
     • The control method involves
       • connection setup and release (building tables)
       • connection routing
     • Connection oriented networks usually implement some mechanisms to control the amount of data sent on one connection, thus limiting losses due to statistical multiplexing. Methods for that are: sliding window protocol, similar to that of TCP (X.25, SNA), and rate control (Frame Relay, ATM).
     • Connection oriented networks give better control over individual traffic flows and are thus used in public networks where tariffing is a key issue (X.25, Frame Relay). IBM network architectures are also connection oriented (SNA, APPN). ATM is a connection oriented network where emphasis is put on supporting both statistical multiplexing and non-statistical multiplexing. ATM packets have a small, fixed size and are called cells.

  15. ATM
     • ATM is a connection oriented network architecture
     • ATM packets (called cells) are small and fixed size (48 bytes of data + 5 bytes of header)
       • high performance at low cost
       • designed for very low delay
       • and for hardware implementation of switching functions
     • The ATM connection identifier is called VPI/VCI (Virtual Path Identifier/Virtual Channel Identifier)
     • Frame relay is the same but with packets of variable size (up to 1500 B payload)

  16. ATM VPI/VCI switching
     [Figure: an ATM switch with a table mapping (in port, in VPI/VCI) to (out port, out VPI/VCI); the ATM cell header contains the VPI/VCI, which the switch rewrites on output. The example table uses ports 1 and 2 and VPI/VCI values 16, 19, 27, 38 and 44.]

  17. ATM Adaptation Layer
     [Figure: a variable length packet is segmented into cells by AAL5 in the ATM adapter, the cells are forwarded by ATM switches, and AAL5 in the ATM adapter at the other end re-assembles the packet.]
     • ATM can transport packets of size up to 64 KB
     • ATM Adaptation Layer segments and re-assembles
       • in ATM end points only

  18. IP over ATM: Classical IP
     [Figure: hosts H1 and H2 and routers on an ATM network, with an ATMARP server S (Address Resolution). 1. Address Resolution between H1 and S; 2. VCC between H1 and H2.]
     • classical IP uses ATM as a fast Ethernet
     • ATMARP finds the ATM address
       • like a telephone number, similar to an IPv6 address --- not a VPI/VCI
     • InARP finds the VPI/VCI
     • An ATMARP server is used:
       - H1 connects to S at boot time, by calling the ATM address of the ATMARP server
       - with InARP, S and H1 identify their IP addresses
       - when H1 has to send an IP packet to H2, it must find the ATM address of H2. H1 sends an ATMARP request to S. S responds with the ATM address of H2. H1 calls H2. When an ATM connection is established, InARP is used to confirm the IP addresses.

  19. Why ATM?
     • Simplifies routing in large networks
       • IP needs very large routing tables in the core network
         • for every packet look up more than 100 000 entries
       • forwarding from the ISP point of view - just find the egress router
       • IP routing may ignore the real physical topology
       • ISP can put a router on the edge and use ATM/Frame Relay Virtual Path switches in the middle
         • edge router selects the path based on the destination address
         • route look up done only once in the ISP network
       • but still scalability problems
     • Quality of Service
       • ATM can natively provide guaranteed service (allocate different rates to different ATM connections)
     • Used to share infrastructure (several operators or one network – virtual providers)
     • Also used to multiplex many users on an access network (cable, wireless)

  20. 2. MPLS
     [Figure: IP over MPLS; an MPLS node = CO switch + IP router]
     • “Multi-Protocol Label Swapping”
     • Goal: integrate IP and CO layer in the same concept
       • “peer model” of integration
       • Unlike ATM or FR (used as layer 2 by IP)
       • Save one network
     • MPLS packets have a label added before the IP header
     • An MPLS node acts as a combined router / CO intermediate system
     • MPLS table combines routing and label swapping

  21. MPLS example
     [Figure: MPLS cloud with nodes A, B, C, D, E and F (ports a, b, c, d on each node) and the destination networks 128.178/15 and 129.88/16 reached through F. Two packets are traced: src=18.1.2.3 to 129.88.3.3 (labels 30, 33, 37) and src=122.1.2.3 to 129.88.38.1 (labels 28, 25, 77). Annotation: “FEC skipped in LIB”. The tables recovered from the figure:]
     Ingress table at A (src, dst → out port/label):
         *      128.178/15  → b/70
         *      129.88/16   → b/70
     Ingress table at B (src, dst → out port/label):
         *      129.88/16   → b/28
         *      128.178/15  → b/28
         18/8   129.88/16   → b/30
     Table at C (in port/label → out port/label):
         a/70 → b/25
         d/28 → b/25
         d/30 → c/33
     Tables at the two intermediate LSRs between C and F (D and E in the figure):
         a/25 → b/77
         a/33 → b/37
     Table at F (in port/label → out port/label):
         a/77 → b/pop
         c/37 → b/pop

  22. Tracing the two packets of the previous slide:
     • An IP packet arrives at MPLS node B, with source IP address 18.1.2.3 and destination IP address 129.88.3.3. It arrives from outside the MPLS cloud, as an ordinary IP packet. The combined routing/MPLS table at B says that, for this combination of source and destination address, B should push the label 30 in front of the IP packet and forward the packet to port b.
     • The packet arrives at node C. Since the packet has a label, the node looks for it in the table and finds that the label should be swapped to 33 and the packet forwarded to port c.
     • Similar at the next node.
     • The packet arrives at node F. The table says that a packet arriving on port c with label 37 should be sent to port b and the label should be popped (removed).
     • The packet exits as an ordinary IP packet, without MPLS label.
     • An IP packet arrives at MPLS node B, with source IP address 122.1.2.3 and destination IP address 129.88.38.1. It arrives from outside the MPLS cloud, as an ordinary IP packet. The combined routing/MPLS table at B says that, for this combination of source and destination address, B should push the label 28 in front of the IP packet and forward the packet to port b.
     • The packet arrives at node C. Since the packet has a label, the node looks for it in the table and finds that the label should be swapped to 77 and the packet forwarded to port b.
     • The packet’s label was removed by node F.
     • Observe how after node C this packet’s path follows the same as the previous packet’s.
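The push / swap / pop sequence of the two traces is easy to get wrong by hand, so here is an added example (not from the lecture) that simulates it: an ingress table at B classifies the packet into a FEC and pushes a label, each LSR looks up (in port, label) and swaps, and the egress LER pops. The tables follow the structure of the slide 21 figure, but which port of each node is wired to which neighbour is not readable from the figure, so the LINKS topology below (B.b → C.d, C.c → E.a, C.b → D.a, E.b → F.c, D.b → F.a) is an assumption made for this example.

```python
"""Added example (not from the lecture): a label-switching simulator for the
push / swap / pop operations of slides 20-22. Node tables mirror the slide 21
figure; the link wiring in LINKS is an assumption for this example."""
from ipaddress import ip_address, ip_network

# Ingress LER table at B: (src prefix or "*", dst prefix) -> (out port, label).
# Rows are tried in order, so the specific 18/8 row is listed first.
INGRESS_B = [
    ("18.0.0.0/8", "129.88.0.0/16",  ("b", 30)),   # slide: 18/8  129.88/16  -> b/30
    ("*",          "129.88.0.0/16",  ("b", 28)),   # slide: *     129.88/16  -> b/28
    ("*",          "128.178.0.0/15", ("b", 28)),   # slide: *     128.178/15 -> b/28
]

# LSR / egress tables: node -> {(in port, in label): (out port, out label or "pop")}
TABLES = {
    "C": {("a", 70): ("b", 25), ("d", 28): ("b", 25), ("d", 30): ("c", 33)},
    "D": {("a", 25): ("b", 77)},
    "E": {("a", 33): ("b", 37)},
    "F": {("a", 77): ("b", "pop"), ("c", 37): ("b", "pop")},
}

# (node, out port) -> (next node, its in port). F port b leaves the MPLS cloud,
# so it has no entry. This wiring is assumed, not taken from the figure.
LINKS = {
    ("B", "b"): ("C", "d"),
    ("C", "c"): ("E", "a"),
    ("C", "b"): ("D", "a"),
    ("E", "b"): ("F", "c"),
    ("D", "b"): ("F", "a"),
}


def classify(src, dst, ingress=INGRESS_B):
    """FEC classification at the ingress LER: first matching row wins."""
    for src_pfx, dst_pfx, action in ingress:
        src_ok = src_pfx == "*" or ip_address(src) in ip_network(src_pfx)
        if src_ok and ip_address(dst) in ip_network(dst_pfx):
            return action
    return None


def forward(src, dst, ingress=INGRESS_B, tables=TABLES, links=LINKS, ingress_node="B"):
    """Return the list of (node, operation, label) hops the packet goes through."""
    hit = classify(src, dst, ingress)
    if hit is None:
        return [(ingress_node, "drop", None)]   # no FEC: left to plain IP routing
    port, label = hit
    trace = [(ingress_node, "push", label)]
    node = ingress_node
    while (node, port) in links:
        node, in_port = links[(node, port)]
        entry = tables[node].get((in_port, label))
        if entry is None:
            trace.append((node, "drop", label))  # label unknown on this port
            return trace
        port, new_label = entry
        if new_label == "pop":
            trace.append((node, "pop", label))
            label = None
        else:
            trace.append((node, "swap", new_label))
            label = new_label
    return trace


if __name__ == "__main__":
    print(forward("18.1.2.3", "129.88.3.3"))     # B push 30, C swap 33, E swap 37, F pop
    print(forward("122.1.2.3", "129.88.38.1"))   # B push 28, C swap 25, D swap 77, F pop
```

The LSR lookup key is (in port, label), never the IP header: once the label is pushed the IP addresses are not consulted again until F pops the label, which is why the two packets can share the downstream path after C while entering B with different FECs.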

  23. MPLS Terminology
     [Figure: an LSP (Label Switched Path) from an Ingress LER (Label Edge Router) through LSRs (Label Switch Routers) to an Egress LER towards 128.178/15 and 129.88/16. The ingress LER holds the FEC - Label Mapping (src, dst → out): * 128.178/15 → b/70; 18/8 129.88/16 → b/28. An LSR holds the LIB (Label Information Base), e.g. FEC xxx: in a/70 → out b/25; FEC yyy: in c/28 → out d/33.]
     • LSR (Label Switch Router)
     • LER (Label Edge Router): ingress and egress
     • FEC (Forward Equivalence Class)
     • LIB (Label Information Base)
     • LSP (Label Switched Path)

  24. Operation of MPLS
     • ingress LER classifies packets to identify the FEC that determines a label; inserts the label (32 bits)
     • Labels may be stacked on top of labels
     • LSR switches based on the label if present, else uses IP routing
     • Forwarding Equivalence Classes (FEC)
       • group of IP packets, forwarded in the same manner, over the same path, and with the same forwarding treatment (priority)
       • FEC may correspond to
         • destination IP subnet
         • source and destination IP subnet
         • traffic class that LER considers significant
     • Label Switching tables can be built using a Label Distribution Protocol, which can be implemented as an addition to the routing protocol (e.g. OSPF, IGMP, BGP)

  25. Avoid Redistribution with MPLS
     • Alternative to redistribution or running I-BGP in all backbone routers:
       • Associate MPLS labels to exit points. Example:
         • R2 creates a label switched path to 2.2.2.2
         • At R2: packets to 18.1/16 are associated with this label
         • R1 runs only IGP and MPLS – no BGP – only very small routing tables
       • Can be used to provide quality of service
     [Figure: backbone routers R1, R2, R4 and R5 (2.2.2.2, interface 2.2.20.1) running IGP and MPLS, with I-BGP between the edge routers; E-BGP sessions towards AS x (router R6, prefix 18.1/16), AS y and AS z. RIB and LIB at R2: To 18.1/16, NEXT-HOP 2.2.2.2, layer-2 addr = MPLS label 23.]

  26. Facts to remember
     • There are other, non IP network layers that are connection oriented
     • With a CO network, there are connections and labels
     • Labels have only local significance, may be changed at every hop
     • They are used to carry IP traffic or telephony or to separate services
     • ATM is used as “super layer 2”
     • MPLS is similar but is combined at the networking layer

  27. Part 3: IP Multicast

  28. Contents
     • Multicast IP
     • Multicast routing protocols
     • Deployment

  29. 1. Internet (initial) group model
     [Figure: source host 1 (194.199.25.100) sends to multicast group 225.1.2.3; receivers are host 2 (194.199.25.101) and host 3 (133.121.11.22).]
     • Multicast/group communication
       • 1 → n as well as n → m
     • Multicast addresses, IPv4
       • 224.0.0.0 to 239.255.255.255 (224/4)
       • 232/8 reserved for SSM (see later)
     • Multicast address, IPv6
       • FF00::/8
     • A multicast address is the logical identifier of a group
       • No topological information, does not give any information about where the destinations (listeners) are
       • Routers have to keep state information for each multicast address

  30. Internet (initial) group model
     • Open model
       • any host may belong to a multicast group
         • no authorization required
       • host may belong to many different groups
         • no restriction
       • source may send a packet to a group no matter if it belongs to the group or not
         • membership not required
       • group is dynamic
         • a host may subscribe or leave at any time
       • host (source/receiver) does not know the identity of group members
     • Groups may have different scope
       • use TTL: LAN (local scope), Campus/admin scoping

  31. IP Multicast Principles
     • hosts subscribe via IGMP join messages sent to the router
     • routers build the distribution tree via multicast routing
     • sources do not know who the destinations are
     • packet multiplication is done by routers
     1. S sends packets to multicast address m; there is no member, the data is simply lost at router R5.
     2. A joins the multicast address m.
     3. R1 informs the rest of the network that m has a member at R1; the multicast routing protocol builds a tree. Data sent by S now reach A.
     4. B joins the multicast address m.
     5. R4 informs the rest of the network that m has a member at R4; the multicast routing protocol adds branches to the tree. Data sent by S now reach both A and B.
     [Figure: source S behind router R5; routers R1, R2 and R4 running multicast routing; host A at R1 and host B at R4. “IGMP: join m” from the hosts, packets “to m” from S, steps 1 to 5 as numbered.]

  32. Using Multicast with IPv4 Sockets
     • Can only use UDP, does not work with TCP
     • Set TTL carefully
     • Sending to a multicast address: nothing special to do
       • Same as sending a packet to a unicast address
     • Destination has to join explicitly; supported by a socket option
       • in in.h (<netinet/in.h>):
           struct ip_mreq {
               struct in_addr imr_multiaddr; /* IP multicast address of group */
               struct in_addr imr_interface; /* local IP address of interface */
           };
       • joining the group on UDP socket sd (both fields must be filled in, in network byte order, before the call):
           struct ip_mreq mreq;
           mreq.imr_multiaddr.s_addr = inet_addr("225.1.2.3");  /* group address (example from slide 29) */
           mreq.imr_interface.s_addr = htonl(INADDR_ANY);       /* let the system pick the interface */
           rc = setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *) &mreq, sizeof(mreq));
     • IN_MULTICAST(a) tests whether a is a multicast address (a in host byte order)

  33. Source Specific Multicast (SSM)
     • The IP multicast model supports many to many
       • the network (multicast routing) must find all sources and route from them
     • A proposed alternative called SSM (Source Specific Multicast)
       • multicast group = a channel identified by:
         • {@source, @multicast}
       • single-source model
         • {S, M} and {S’, M} are disjoint
         • only S can send traffic to {S, M}
       • destinations have to find who the sources are, not the network
         • host must learn the source address out of band (Web page)
       • n → m still possible with many 1 → n channels; requires source selection (host-to-router source and group request)
         • Include-Source list of IGMPv3
         • MLD (Multicast Listener Discovery for IPv6), replacement of IGMP for IPv6
       • IANA assigned 232/8 and FF3X::/96
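The socket calls of slide 32 and the source-specific join of slide 33 differ only in the membership structure passed to setsockopt. The following added example (not from the lecture) shows both from Python, packing struct ip_mreq and struct ip_mreq_source by hand exactly as the C declarations lay them out, and reproduces the IN_MULTICAST test. The group 225.1.2.3 and source 194.199.25.100 are the sample values of slide 29; the fallback option number 39 for IP_ADD_SOURCE_MEMBERSHIP is the Linux value and is an assumption for platforms where the socket module does not export the name.

```python
"""Added example (not from the lecture): any-source and source-specific
multicast joins from Python sockets, mirroring slides 32 and 33. The option
number 39 is the Linux value of IP_ADD_SOURCE_MEMBERSHIP (assumption)."""
import socket
import struct


def is_multicast(addr):
    """Same test as the IN_MULTICAST(a) macro: top four bits 1110, i.e. 224/4."""
    (a,) = struct.unpack("!I", socket.inet_aton(addr))
    return (a & 0xF0000000) == 0xE0000000


def is_ssm(addr):
    """232/8 is the IPv4 block IANA assigned to source-specific multicast."""
    return is_multicast(addr) and socket.inet_aton(addr)[0] == 232


def ip_mreq(group, iface="0.0.0.0"):
    """struct ip_mreq { struct in_addr imr_multiaddr; struct in_addr imr_interface; }"""
    return struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface))


def ip_mreq_source(group, source, iface="0.0.0.0"):
    """struct ip_mreq_source { imr_multiaddr; imr_interface; imr_sourceaddr; }
    (field order as declared on Linux)."""
    return struct.pack("4s4s4s", socket.inet_aton(group),
                       socket.inet_aton(iface), socket.inet_aton(source))


def join(sock, group, source=None, iface="0.0.0.0"):
    """Join group on iface. With a source, this is an SSM (S, G) join: the host
    names the single source it wants instead of asking for every sender.
    Returns the socket option used, so callers can log it."""
    if not is_multicast(group):
        raise ValueError(f"{group} is not a multicast address")
    if source is None:
        opt, req = socket.IP_ADD_MEMBERSHIP, ip_mreq(group, iface)
    else:
        opt = getattr(socket, "IP_ADD_SOURCE_MEMBERSHIP", 39)   # 39: Linux value (assumption)
        req = ip_mreq_source(group, source, iface)
    sock.setsockopt(socket.IPPROTO_IP, opt, req)
    return opt


def open_receiver(group, port, source=None):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)     # UDP only: no TCP multicast
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    join(sock, group, source)
    return sock


def open_sender(ttl=1):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Set the TTL carefully: 1 keeps the traffic on the local subnet (local scope).
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    return sock


if __name__ == "__main__":
    GROUP, PORT = "225.1.2.3", 5004          # group from slide 29; port constructed
    rx = open_receiver(GROUP, PORT)
    tx = open_sender(ttl=1)
    tx.sendto(b"hello group", (GROUP, PORT))  # sending needs nothing special
    rx.settimeout(2)
    try:
        print(rx.recvfrom(1500))
    except socket.timeout:
        print("no multicast route on this host")
```

Note that the receiver is what the open model of slide 30 lets anyone do: joining needs no authorization, so any host on a subnet that carries the group receives its traffic; SSM narrows this only on the source side, not on who may listen.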

  34. 2. Multicast Routing
     • There are many multicast routing protocols to choose from
     • What is the job?
       • For every multicast address, build a shared distribution tree
       • This is (too) complex
     • A much simpler situation arises if we support only SSM

  35. PIM-SSM
     [Figure: channel (A, G) built between source A and a receiver across routers B, C, D, E and F; the receiver announces JOIN (A, G) with IGMP and routers send PIM JOIN (A, G) hop by hop towards the source.]

  36. PIM-SSM
     • = « Protocol Independent Multicast - Source Specific Multicast »
     • The « routing protocol » proposed for SSM
     • Router keeps (S, G) state for each source S and each multicast group address G
     • Tree is built by using unicast routing tables towards the source
     • PIM-JOIN messages sent from one router to upstream neighbour
     • There is no Path Computation algorithm, relies on routing tables built by unicast routing protocols

  37. 3. Deployment
     • IP multicast is implemented on research networks (Switch, Geant, etc)
     • Also used by specific environments (e.g. financial)
     • Not generally available (yet) to the general public in its general form
     • SSM multicast deployments are starting
     • Tunneling can be used to connect a non multicast capable network to a multicast capable one (MBONE)
       • within a multicast area: native multicast
       • in a tunnel: multicast packets are encapsulated in unicast IP packets
     [Figure: source – multicast routers – R1 – unicast only routers – R2 – multicast routers – receiver. R1 performs encapsulation: outer IP dest = adr_R2 (unicast @R2), inner IP dest = mcast, payload = original packet; R2 performs decapsulation.]

  38. There is not only IP Multicast …
     • Multicast can be performed at application layer
       • On a network offering no IP multicast support (today’s internet)
     • Examples: content distribution networks
     [Figure: a Source feeding CDN node 1, which distributes to CDN node 2, CDN node 3 and CDN node 4.]

  39. Facts to remember
     • IP multicast allows to reduce traffic by controlled packet replication
     • Multicast routers are “stateful”
     • Initial multicast allows any source to send to a multicast address
       • Routing is complex
     • Source specific multicast is simpler to deploy
     • Application layer multicast can be used even without IP multicast
     • Multicast IP does not work with TCP
       • Ad-hoc “reliable multicast” protocols were developed

  40. Part 4: Protocol Aspects of Security

  41. Protocol Aspects of Security
     • Security is a global issue, not covered in this lecture
     • We discuss here how security impacts the architecture, and the relation between layers
     • We review two examples
       • ssh
       • IPSEC and VPNs

  42. Anatomy of an SSH example
     • First look at the configuration without SSH
     • Email user agent connects to POP server
     • 110 is the TCP port reserved for POP
     • 9876 is an ephemeral port allocated to the email user agent by the operating system
     [Figure: Email User Agent (port 9876) on host A and POP server (pop, port 110) on host S, each with TCP and IP layers, connected over the IP network; observation point 1 is in the network.]

  43. Anatomy of an SSH example (2)
     [Figure: same hosts with SSH added. On A: the Email User Agent (port 9876) and the ssh client (ports 1234 and 3456); on S: the POP server (port 110) and sshd (port 22); TCP and IP layers on both sides; observation point 1 in the IP network.]

  44. Anatomy of an SSH example (2)
     • Assume A wants to use SSH to connect to the mail server S, using POP.
       Q1: Why would A want this?
       A1: to make sure that email between A and S is encrypted. Or because S is behind a firewall that does not accept TCP connections to ports other than ssh.
     • Q2: describe the content of a packet from A to B visible at point 1.
       A2: contains an encrypted block of data inside a TCP packet with srce port=22, dest port=3456, IP srce=A, IP dest=S
     [Figure: same as the previous slide.]

  45. Assume A wants to use SSH to connect to the mail server S, using POP. Q1: Why would A want this?
     • sshd is the ssh “daemon”, i.e. the ssh server. It runs on S in this example. sshd listens to the well known port 22, reserved for ssh.
     • The user at A starts an ssh connection to S by launching the ssh client. The ssh client obtains a port number from the operating system (here: 3456). A opens a TCP connection from port 3456 to S, destination port 22. A can talk to S over this TCP connection (for example, the user at A can issue commands on S).
     • (port redirection) ssh at A opens a server port 1234. All packets received by ssh at A on port 1234 from localhost (green line) are sent to S, received by sshd at S, and sent again to S locally, to port 22. The user must decide which port on A is redirected to which port on S. The mapping so constructed is called an “SSH tunnel”.
     • The email user agent at A must be instructed to connect to a POP server at IP address = localhost and server port number = 1234.
     • The traffic on the red TCP connection between A and S is encrypted.
     • Different connections (called “channels”) can be multiplexed on one single TCP connection between A and S. ssh implements a sliding window protocol on top of TCP, with fixed window size, one window per channel.
     • Q2: describe the content of a packet from A to B visible at point 1. (See the answer on the previous slide.)
     • This is only one specific example, there are many other possibilities. This example is redirection of a local port (ssh on A redirects the port 1234 on A to 110 on S). It is possible to redirect a remote port as well, and UDP traffic can be redirected as well.

  46. ssh-connect
     • Multiple channels multiplexed into a single connection at the ssh-trans level
     • Channels identified by numbers on each end
     • Channels are flow-controlled
       • window size - amount of data to send
     [Figure: exchange between ssh and sshd: CHANNEL_OPEN (id, w), CHANNEL_CONFIRM (id, w), CHANNEL_DATA (id), CHANNEL_WINDOW (id, w1).]
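The per-channel window is what keeps one stalled channel (say the POP tunnel) from blocking the others on the same TCP connection. The following added example (not from the lecture, and not the code of any ssh implementation) models that accounting for one end of an ssh-trans connection: a sender may only emit as many bytes as the peer has granted, and the receiver reopens its window with a CHANNEL_WINDOW message once it has consumed data. The message names follow the slide; the window sizes, the channel ids 7 and 8 and the "refill once half is consumed" policy are constructed for the example, not the behaviour of a particular implementation.

```python
"""Added example (not from the lecture): per-channel flow control of slide 46,
modelled for one end of an ssh-trans connection. Sizes and the refill policy
are constructed for this example."""


class Connection:
    """One end of an ssh-trans connection multiplexing several channels."""

    def __init__(self):
        self.channels = {}   # local channel id -> state
        self.sent = []       # messages emitted by this end, in order

    def channel_open(self, local_id, recv_window):
        # We announce how many bytes the peer may send to us on this channel.
        self.channels[local_id] = {"peer": None, "send_window": 0,
                                   "recv_window": recv_window, "recv_max": recv_window}
        self.sent.append(("CHANNEL_OPEN", local_id, recv_window))

    def channel_confirm(self, local_id, peer_id, peer_window):
        # The peer's confirmation carries its own id and how much we may send to it.
        ch = self.channels[local_id]
        ch["peer"], ch["send_window"] = peer_id, peer_window

    def send(self, local_id, data):
        """Send as much of data as the send window allows; return the byte count.
        The rest must wait for a CHANNEL_WINDOW from the peer."""
        ch = self.channels[local_id]
        n = min(len(data), ch["send_window"])
        if n:
            ch["send_window"] -= n
            self.sent.append(("CHANNEL_DATA", ch["peer"], n))
        return n

    def window_adjust_received(self, local_id, more):
        """Peer's CHANNEL_WINDOW: it consumed data and grants `more` bytes."""
        self.channels[local_id]["send_window"] += more

    def data_received(self, local_id, n):
        """Peer's CHANNEL_DATA of n bytes. More than we advertised is a protocol
        violation; otherwise consume it and, once half the window is used up,
        grant a fresh window. Returns the grant sent (0 if none)."""
        ch = self.channels[local_id]
        if n > ch["recv_window"]:
            raise ValueError("peer exceeded the advertised window")
        ch["recv_window"] -= n
        if ch["recv_window"] <= ch["recv_max"] // 2:
            grant = ch["recv_max"] - ch["recv_window"]
            ch["recv_window"] = ch["recv_max"]
            self.sent.append(("CHANNEL_WINDOW", local_id, grant))
            return grant
        return 0


def demo():
    """Constructed run: channel 0 gets a 1000-byte window from the peer, channel 1
    a 100-byte one; the windows are independent. Returns the bytes accepted per call."""
    c = Connection()
    c.channel_open(0, 4096)
    c.channel_confirm(0, peer_id=7, peer_window=1000)
    c.channel_open(1, 4096)
    c.channel_confirm(1, peer_id=8, peer_window=100)
    first = c.send(0, b"x" * 700)      # 700 accepted
    second = c.send(0, b"y" * 500)     # only 300 fit in the remaining window
    third = c.send(1, b"z" * 50)       # channel 1 is unaffected by channel 0
    c.window_adjust_received(0, 400)   # peer consumed data and grants 400 more
    fourth = c.send(0, b"y" * 500)     # 400 accepted
    return first, second, third, fourth


if __name__ == "__main__":
    print(demo())   # (700, 300, 50, 400)
```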

  47. IPSEC and VPNs
     • Offers protection transparent to applications
     • Used to run applications designed for a secure environment over an unsecure one
       • example: WLAN access to EPFL network
       • example: video player to screen
     • Provides
       • authentication (AH header)
       • or authentication and confidentiality (ESP header)
     • used primarily today in tunnel mode
       • host to host mode also exists
     • basic building block for VPN

  48. IPSEC Tunnel Mode: Find Out how it works
     [Figure: host A on the EPFL wireless LAN, a VPN Router (IPSec server), and host B on the EPFL network. Packet format between the VPN router and B: IP hdr | IP data. Packet format between A and the VPN router: IP hdr | ESP hdr | IP hdr | IP data, with the inner IP hdr and IP data encrypted.]
     Network configuration of host A (ipconfig output):
         Ethernet adapter Wireless Network Connection:
         Connection-specific DNS Suffix . :
         IP Address. . . . . . . . . . . . : 192.168.1.33
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 192.168.1.1
         Ethernet adapter Local Area Connection 2:
         Connection-specific DNS Suffix . : epfl.ch
         IP Address. . . . . . . . . . . . : 128.178.83.22
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 128.178.83.22

  49. IPSEC Tunnel Mode: Find Out how it works -- Hints
     • What subnet does the secondary IP address 128.178.83.22 belong to?
     • Host A has now two IP addresses. Why? How are they used?
     • What IP source address does an application on A use?
     • Explain how packets from host B to host A find their way.

  50. IPSEC Tunnel Mode: Find Out how it works -- Solutions
     • What subnet does the secondary IP address 128.178.83.22 belong to?
       • it is an EPFL subnet. The VPN router belongs to it.
     • Host A has now two IP addresses. Why? How are they used?
       • IP packets are generated by applications at A with source address 128.178.83.22, encrypted and encapsulated in IP packets with source address 192.168.1.33. This is a tunnel (= there is encapsulation). At the end of the tunnel, the VPN router decrypts the packets, and places them on the EPFL network.
     • What IP source address does an application on A use?
       • the EPFL address 128.178.83.22
     • Explain how packets from host B to host A find their way.
       • The VPN router must perform proxy ARP – otherwise, same as access over a modem (see slide « Proxy ARP »).
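The two-address answer above is easiest to see on real bytes. Here is an added example (not from the lecture) that builds the packet formats of slide 48 with standard-library Python: the inner IP packet carries A's EPFL address 128.178.83.22, the outer header carries the wireless address 192.168.1.33, and the VPN router, after checking the integrity value and decrypting, refuses any inner packet whose source is not an address behind the tunnel. The keystream derived from HMAC-SHA256 is a stand-in for the real cipher IPsec would use, the ESP trailer (padding, next header) is left out, and the key, SPI, the VPN router address 128.178.83.1 and B's address 128.178.50.10 are constructed sample values.

```python
"""Added example (not from the lecture): ESP tunnel-mode encapsulation as drawn
on slide 48, with the VPN router's decapsulation and inner-source check.
Cipher, key, SPI and the router/B addresses are constructed stand-ins."""
import hashlib
import hmac
import struct
from ipaddress import ip_address, ip_network

ESP_PROTO = 50                                # IP protocol number of ESP
KEY = b"constructed-sample-key"               # shared by A and the VPN router (sample)
TUNNEL_NET = ip_network("128.178.83.0/24")    # subnet of the inner (EPFL) addresses
ICV_LEN = 12


def checksum(hdr):
    """IPv4 header checksum: ones' complement of the ones' complement sum."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); raises on a bad header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    return (str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])),
            pkt[9], pkt[ihl:])


def keystream(spi, seq, n):
    # Counter-mode keystream; SPI and sequence number make it unique per packet.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(KEY, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner_pkt, outer_src, outer_dst, spi, seq):
    """Host A side: the whole inner IP packet becomes the encrypted ESP payload."""
    esp_hdr = struct.pack("!II", spi, seq)
    body = xor(inner_pkt, keystream(spi, seq, len(inner_pkt)))
    icv = hmac.new(KEY, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + body + icv
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(outer_pkt):
    """VPN router side: verify the ICV, decrypt, then refuse inner packets whose
    source is not an address the tunnel may inject into the EPFL network."""
    _, _, proto, esp = parse_ipv4(outer_pkt)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", esp[:8])
    body, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, esp[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    inner = xor(body, keystream(spi, seq, len(body)))
    src = parse_ipv4(inner)[0]
    if ip_address(src) not in TUNNEL_NET:
        raise ValueError(f"inner source {src} is not a tunnel address")
    return inner


def tunnel_accepts(outer_pkt):
    try:
        esp_decapsulate(outer_pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # A's application uses its EPFL address; B's address 128.178.50.10 is constructed.
    app = ipv4_header("128.178.83.22", "128.178.50.10", 17, 5) + b"hello"
    wire = esp_encapsulate(app, "192.168.1.33", "128.178.83.1", spi=0x1234, seq=1)
    print("on the WLAN :", parse_ipv4(wire)[:3])                 # outer addresses, proto 50
    print("after router:", parse_ipv4(esp_decapsulate(wire))[:3])  # inner addresses, UDP
```

The inner-source check is the router-side counterpart of the "two addresses" answer: the wireless address 192.168.1.33 is only ever seen on the outer header, and the router forwards onto the EPFL network only what carries a tunnel address inside.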
