VLAN und MPLS, Firewall und NAT, Wiederholung

Internet-Technologien (CS262)
VLAN und MPLS,
Firewall und NAT,
15.4.2015
Christian Tschudin
6-1
Departement Mathematik und Informatik, Universität Basel
Wiederholung
Unterschied CSMA/CD und CSMA/CA?
 Was ist das «Hidden Terminal» Problem?


In dieser Vorlesung:
 Zwei (LAN-)Virtualisierungstechniken (VLAN, MPLS)
 NAT und Firewall
Wireless, Mobile Networks
6-2
VLANs: motivation
consider:


Computer
Science
Electrical
Engineering
VLANs
Virtual Local
Area Network
switch(es) supporting
VLAN capabilities can
be configured to
define multiple virtual
LANS over single
physical LAN
infrastructure.
Computer
Engineering
CS user moves office to
EE, but wants connect to
CS switch?
single broadcast domain:
 all layer-2 broadcast
traffic (ARP, DHCP,
unknown location of
destination MAC
address) must cross
entire LAN
 security/privacy,
efficiency issues
Link Layer 5-3
port-based VLAN: switch ports
grouped (by switch management
software) so that single physical
switch ……
1
7
9
15
2
8
10
16
…
…
Electrical Engineering
(VLAN ports 1-8)
Computer Science
(VLAN ports 9-15)
… operates as multiple virtual switches
1
7
9
15
2
8
10
16
…
Electrical Engineering
(VLAN ports 1-8)
…
Computer Science
(VLAN ports 9-16)
Link Layer
5-4
Port-based VLAN
router
traffic isolation: frames to/from
ports 1-8 can only reach ports
1-8

 can also define VLAN based on
MAC addresses of endpoints,
rather than switch port
dynamic membership: ports
can be dynamically assigned
among VLANs

1
7
9
15
2
8
10
16
…
…
Computer Science
(VLAN ports 9-15)
Electrical Engineering
(VLAN ports 1-8)
forwarding between VLANS: done
via routing (just as with separate
switches)

 in practice vendors sell combined
switches plus routers
Link Layer
5-5
VLANS spanning multiple switches
1
7
9
15
1
3
5
7
2
8
10
16
2
4
6
8
…
Electrical Engineering
(VLAN ports 1-8)

…
Computer Science
(VLAN ports 9-15)
Ports 2,3,5 belong to EE VLAN
Ports 4,6,7,8 belong to CS VLAN
trunk port: carries frames between VLANS defined over
multiple physical switches
 frames forwarded within VLAN between switches can’t be vanilla
802.1 frames (must carry VLAN ID info)
 802.1q protocol adds/removed additional header fields for frames
forwarded between trunk ports
Link Layer
5-6
802.1Q VLAN frame format
type
preamble
dest.
address
source
address
data (payload)
CRC
802.1 frame
type
preamble
dest.
address
source
address
data (payload)
2-byte Tag Protocol Identifier
(value: 81-00)
CRC
802.1Q frame
Recomputed
CRC
Tag Control Information (12 bit VLAN ID field,
3 bit priority field like IP TOS)
Link Layer
5-7
Link layer, LANs: outline
5.1 introduction, services 5.5 link virtualization:
MPLS
5.2 error detection,
correction
5.6 data center
networking
5.3 multiple access
protocols
5.7 a day in the life of a
web request
5.4 LANs




addressing, ARP
Ethernet
switches
VLANS
Link Layer
5-8
Multiprotocol label switching (MPLS)

initial goal: high-speed IP forwarding using fixed
length label (instead of IP address)
 fast lookup using fixed length identifier (rather than
shortest prefix matching)
 borrowing ideas from Virtual Circuit (VC) approach
 but IP datagram still keeps IP address!
PPP or Ethernet
header
MPLS header
label
20
IP header
remainder of link-layer frame
Exp S TTL
3
1
5
Link Layer
5-9
MPLS capable routers
a.k.a. label-switched router
 forward packets to outgoing interface based only on
label value (don’t inspect IP address)

 MPLS forwarding table distinct from IP forwarding tables

flexibility: MPLS forwarding decisions can differ from
those of IP
 use destination and source addresses to route flows to
same destination differently (traffic engineering)
 re-route flows quickly if link fails: pre-computed backup
paths (useful for VoIP)
Link Layer 5-10
MPLS versus IP paths
R6
D
R4
R3
R5
A
R2

IP routing: path to destination determined
by destination address alone
IP router
Link Layer 5-11
MPLS versus IP paths
entry router (R4) can use different MPLS
routes to A based, e.g., on source address
R6
D
R4
R3
R5
A
R2


IP routing: path to destination determined
by destination address alone
IP-only
router
MPLS routing: path to destination can be
based on source and dest. address
MPLS and
IP router
 fast reroute: precompute backup routes in
case of link failure
Link Layer 5-12
MPLS signaling

modify OSPF, IS-IS link-state flooding protocols to
carry info used by MPLS routing,
 e.g., link bandwidth, amount of “reserved” link bandwidth

entry MPLS router uses RSVP-TE signaling protocol to set
up MPLS forwarding at downstream routers
RSVP-TE
R6
D
R4
R5
modified
link state
flooding
A
Link Layer 5-13
MPLS forwarding tables
in
label
out
label dest
10
12
8
out
interface
A
D
A
0
0
1
in
label
out
label dest
out
interface
10
6
A
1
12
9
D
0
R6
0
0
D
1
1
R3
R4
R5
0
0
R2
in
label
8
out
label dest
6
A
out
interface
in
label
6
outR1
label dest
-
A
A
out
interface
0
0
Link Layer 5-14
Wireless, Mobile Networks 6-15
Network Address Translation
(NAT)
Lieberherr and El Zarki:
Mastering Networks: An Internet Lab Manual
Addison-Wesley 2004
http://www.cs.virginia.edu/~itlab/book/
Relates to Lab 7.
Module about private networks and NAT.
Private Network
 Private IP network is an IP network that is not directly
connected to the Internet
 IP addresses in a private network can be assigned
arbitrarily.
 Not
registered and not guaranteed to be globally unique
 Generally, private networks use addresses from the
following experimental address ranges (non-routable
addresses):
 10.0.0.0
– 10.255.255.255
 172.16.0.0 – 172.31.255.255
 192.168.0.0 – 192.168.255.255
Private Addresses
H1
10.0.1.2
H3
H2
H4
10.0.1.2
10.0.1.3
10.0.1.1
10.0.1.3
10.0.1.1
Private network 1
Private network 1
Internet
R1
128.195.4.119
128.143.71.21
213.168.112.3
H5
R2
Network Address Translation (NAT)
 NAT is a router function where IP addresses (and possibly
port numbers) of IP datagrams are replaced at the
boundary of a private network
 NAT is a method that enables hosts on private networks
to communicate with hosts on the Internet
 NAT is run on routers that connect private networks to
the public Internet, to replace the IP address-port pair of
an IP packet with another IP address-port pair.
Basic operation of NAT
 NAT device has address translation table
Main uses of NAT (Overview)
 Pooling of IP addresses
 Supporting migration between network service
providers
 IP masquerading
 Load balancing of servers
Pooling of IP addresses
 Scenario: Corporate network has many hosts but only
a small number of public IP addresses
 NAT solution:
 Corporate network is managed with a private address
space
 NAT device, located at the boundary between the
corporate network and the public Internet, manages a
pool of public IP addresses
 When a host from the corporate network sends an IP
datagram to a host in the public Internet, the NAT
device picks a public IP address from the address pool,
and binds this address to the private address of the
host
Pooling of IP addresses
Private
network
Internet
= 128.143.71.21
Source
Destination = 213.168.112.3
= 10.0.1.2
Source
Destination = 213.168.112.3
NAT
device
private address: 10.0.1.2
public address:
H1
public address:
213.168.112.3
H5
Private
Address
Public
Address
10.0.1.2
Pool of addresses: 128.143.71.0-128.143.71.30
Supporting migration between network
service providers
 Scenario: In CIDR, the IP addresses in a corporate network
are obtained from the service provider. Changing the service
provider requires changing all IP addresses in the network.
 NAT solution:
Assign private addresses to the hosts of the corporate network
 NAT device has static address translation entries which bind the
private address of a host to the public address.
 Migration to a new network service provider merely requires an
update of the NAT device. The migration is not noticeable to the hosts
on the network.
Note:
 The difference to the use of NAT with IP address pooling is that the
mapping of public and private IP addresses is static.

Supporting migration between network
service providers
IP masquerading
 Also called:
Network address and port translation (NAPT),
port address translation (PAT).
 Scenario: Single public IP address is mapped to multiple
hosts in a private network.
 NAT solution:
 Assign private addresses to the hosts of the corporate
network
 NAT device modifies the port numbers for outgoing
traffic
IP masquerading
Load balancing of servers
 Scenario: Balance the load on a set of identical servers,
which are accessible from a single IP address
 NAT solution:
 Here, the servers are assigned private addresses
 NAT device acts as a proxy for requests to the server
from the public network
 The NAT device changes the destination IP address of
arriving packets to one of the private addresses for a
server
 A sensible strategy for balancing the load of the
servers is to assign the addresses of the servers in a
round-robin fashion.
Load balancing of servers
Concerns about NAT
 Performance:
 Modifying the IP header by changing the IP address
requires that NAT boxes recalculate the IP header
checksum
 Modifying port number requires that NAT boxes
recalculate TCP checksum
 Fragmentation
 Care must be taken that a datagram that is fragmented
before it reaches the NAT device, is not assigned a
different IP address or different port numbers for each
of the fragments.
Concerns about NAT (2)
 End-to-end connectivity:
 NAT
destroys universal end-to-end reachability of
hosts on the Internet.
 A host in the public Internet often cannot initiate
communication to a host in a private network.
 The problem is worse, when two hosts that are in a
private network need to communicate with each
other.
Concerns about NAT (3)
 IP address in application data:
 Applications
that carry IP addresses in the payload of
the application data generally do not work across a
private-public network boundary.
 Some NAT devices inspect the payload of widely used
application layer protocols and, if an IP address is
detected in the application-layer header or the
application payload, translate the address according to
the address translation table.
NAT and FTP
 Normal FTP operation
NAT and FTP
 NAT device with FTP support
NAT and FTP
 FTP in passive mode and NAT.
Firewalls
firewall
isolates organization’s internal net from larger Internet,
allowing some packets to pass, blocking others
public
Internet
administered
network
trusted “good guys”
Network Security
firewall
untrusted “bad guys”
Firewalls: why
prevent denial of service attacks:
 SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “real” connections
prevent illegal modification/access of internal data
 e.g., attacker replaces CIA’s homepage with something else
allow only authorized access to inside network
 set of authenticated users/hosts
three types of firewalls:
 stateless packet filters
 stateful packet filters
 application gateways
Network Security
Stateless packet filtering
Should arriving
packet be allowed in?
Departing packet let
out?
internal network connected to Internet via router firewall
 router filters packet-by-packet, decision to forward/drop
packet based on:
 source IP address, destination IP address
 TCP/UDP source and destination port numbers
 ICMP message type
 TCP SYN and ACK bits
Network Security

Stateless packet filtering: example


example 1: block incoming and outgoing datagrams with
IP protocol field = 17 and with either source or dest
port = 23
 result: all incoming, outgoing UDP flows and telnet
connections are blocked
example 2: block inbound TCP segments with ACK=0.
 result: prevents external clients from making TCP
connections with internal clients, but allows internal
clients to connect to outside.
Network Security
Stateless packet filtering: more examples
Policy
Firewall Setting
No outside Web access.
Drop all outgoing packets to any IP
address, port 80
No incoming TCP connections,
except those for institution’s
public Web server only.
Drop all incoming TCP SYN packets
to any IP except 130.207.244.203,
port 80
Prevent Web-radios from eating
up the available bandwidth.
Drop all incoming UDP packets except DNS and router broadcasts.
Prevent your network from being
used for a smurf DoS attack.
Drop all ICMP packets going to a
“broadcast” address (e.g.
130.207.255.255).
Prevent your network from being
tracerouted
Drop all outgoing ICMP TTL expired
traffic
Network Security
Access Control Lists
 ACL: table of rules, applied top to bottom to incoming
packets: (action, condition) pairs
action
source
address
dest
address
protocol
source
port
dest
port
allow
222.22/16
outside of
222.22/16
TCP
> 1023
80
allow
outside of
222.22/16
TCP
80
> 1023
ACK
allow
222.22/16
UDP
> 1023
53
---
allow
outside of
222.22/16
222.22/16
UDP
53
> 1023
----
deny
all
all
all
all
all
all
222.22/16
outside of
222.22/16
flag
bit
any
Network Security
Stateful packet filtering

stateless packet filter: heavy handed tool
 admits packets that “make no sense,” e.g., dest port =
80, ACK bit set, even though no TCP connection
established:
action
allow

source
address
dest
address
outside of
222.22/16
222.22/16
protocol
source
port
dest
port
flag
bit
TCP
80
> 1023
ACK
stateful packet filter: track status of every TCP connection
 track connection setup (SYN), teardown (FIN): determine
whether incoming, outgoing packets “makes sense”
 timeout inactive connections at firewall: no longer admit
packets
Network Security
Stateful packet filtering

ACL augmented to indicate need to check connection
state table before admitting packet
action
source
address
dest
address
proto
source
port
dest
port
allow
222.22/16
outside of
222.22/16
TCP
> 1023
80
allow
outside of
222.22/16
TCP
80
> 1023
ACK
allow
222.22/16
UDP
> 1023
53
---
allow
outside of
222.22/16
222.22/16
UDP
53
> 1023
----
deny
all
all
all
all
all
all
222.22/16
outside of
222.22/16
flag
bit
check
conxion
any
x
x
Network Security
Application gateways
gateway-to-remote
host telnet session
host-to-gateway
telnet session


filters packets on application
data as well as on
IP/TCP/UDP fields.
example: allow select internal
users to telnet outside.
application
gateway
router and filter
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between 2 connections
3. router filter blocks all telnet connections not originating
from gateway.
Network Security
Firewalling with a 1:1 NAT
U of Basel has a1:1 NAT
(internal IP address == external IP address)
 Serves automatically as a simple firewall

 Only outgoing (TCP, UDP) sessions allowed

Independent from and additionally to the NAT box:
 IDS (intrusion detection system)
 DPI (deep packet inspection)
Wireless, Mobile Networks 6-45
Application gateways


filter packets on
application data as well as
on IP/TCP/UDP fields.
example: allow select
internal users to telnet
outside
host-to-gateway
telnet session
application
gateway
router and filter
gateway-to-remote
host telnet session
1. require all telnet users to telnet through gateway.
2. for authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between 2 connections
3. router filter blocks all telnet connections not originating
from gateway.
Network Security
Limitations of firewalls, gateways



IP spoofing: router can’t
know if data “really”
comes from claimed
source
if multiple app’s. need
special treatment, each has
own app. gateway
client software must know
how to contact gateway.
 e.g., must set IP
address of proxy in
Web browser
Network Security



filters often use all or
nothing policy for UDP
tradeoff: degree of
communication with
outside world, level of
security
many highly protected
sites still suffer from
attacks