Networking Introduction

Richard Newsham (rnewsham)

Switching/Routing

  • Often confused
  • Can be handled by same device

Switch

  • A switch can be a dumb box
  • Simply connects all ports together so they can communicate
  • Does not determine where traffic goes, merely passes information from one interface to another

Router

  • Smarter than a switch
  • Directs information to the right location

How is data sent across a network

  • Packets
  • Data is encapsulated in packets with header information
  • Headers include information used for routing
  • Source, destination, checksum ...

TCP/UDP

TCP                                          UDP
Two way communication                        Fire and forget
Guaranteed delivery                          Can be lost
Large                                        Small
Slow                                         Fast
Data integrity required, e.g. file copies    Frequent actions, e.g. heartbeat/monitoring

TCP Packet

Source port           | Destination port
Sequence number
Acknowledgment number
Data offset | Reserved | Flags | Window size
Checksum              | Urgent pointer
Data

TCP Handshake

UDP

Source port | Destination port
Length      | Checksum
Data
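To make the two header layouts above concrete, here is an added example (not part of the original slides) that packs a constructed TCP segment and UDP datagram with struct and decodes the fields back out; the sample values and the sanity checks on data offset and length are my own.

```python
import struct

# Constructed samples, not captured traffic.
# TCP: src 443, dst 51000, seq 1, ack 2, data offset 5 words (20 bytes),
# flags SYN|ACK (0x12), window 65535, checksum 0x1234, urgent 0, payload "abc".
TCP_SAMPLE = struct.pack("!HHIIBBHHH", 443, 51000, 1, 2, 5 << 4, 0x12,
                         65535, 0x1234, 0) + b"abc"
# UDP: src 53, dst 40000, length = 8 header + 5 payload, checksum 0, payload "hello".
UDP_SAMPLE = struct.pack("!HHHH", 53, 40000, 13, 0) + b"hello"

# Flag bits in the order they occupy the low bits of the flags byte.
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header and return the fields as a dict."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    (src, dst, seq, ack, off_res, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4          # header length: upper nibble, in 32-bit words
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")   # never trust the length field blindly
    set_flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return {"src": src, "dst": dst, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": set_flags, "window": window,
            "checksum": checksum, "urgent": urgent, "data": segment[data_offset:]}


def parse_udp(datagram):
    """Decode the 8-byte UDP header; the length field covers header plus data."""
    if len(datagram) < 8:
        raise ValueError("short UDP header")
    src, dst, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length")
    return {"src": src, "dst": dst, "length": length, "checksum": checksum,
            "data": datagram[8:length]}
```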

IPv4

  • 32 bit/4 byte
  • 2^32 = 4,294,967,296 addresses
  • Represented by 4 one-byte octets
  • 1.2.3.4

IPv6

  • 128 bit/16 byte
  • 2^128 ≈ 3.4 x 10^38 addresses (340,282,366,920,938,463,463,374,607,431,768,211,456)
  • Represented by 8 groups of 4 hexadecimal digits
  • Can be abbreviated by removing leading 0's and consecutive groups of 0's
  • 2001:0db8:0000:0000:0000:ff00:0042:8329
    -> 2001:db8::ff00:42:8329

MAC addresses

  • Media Access Control Address
  • Unique identifier for network interface
  • 2^48 = 281,474,976,710,656 addresses
  • 6 two-character hex octets, e.g. fc:aa:14:7b:eb:5a
  • First 3 octets define organisation that issued it
    fc:aa:14 = Gigabyte
  • Last 3 are interface specific

CIDR/Subnets

  • Classless Inter-Domain Routing
  • Replaces old A/B/C classes which were too broad
  • Provides a flexible method of slicing up networks
/X   Netmask          Range                        Addresses  Class
/32  255.255.255.255  10.0.0.1                     1          D
/27  255.255.255.224  10.0.0.0 - 10.0.0.31         32
/24  255.255.255.0    10.0.0.0 - 10.0.0.255        256        C
/23  255.255.254.0    10.0.0.0 - 10.0.1.255        512
/16  255.255.0.0      10.0.0.0 - 10.0.255.255      65536      B
/8   255.0.0.0        10.0.0.0 - 10.255.255.255    16777216   A

Public/private

Private ranges
  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Ports

  • Numeric identifier in the packet header to allow routing to a specific listener
  • 16 bit number, range 0 - 65535
  • 0-1024 are well known ports reserved for common services
  • High ports allocated temporarily known as ephemeral
  • IANA says 49152+, Linux 32768+, Windows <7 1025-5000

VLANs

  • Method for isolating traffic through the same interface
  • Packets are tagged so each packet is specific to a VLAN
  • Putting an interface on a VLAN isolates it from other traffic on the same network
  • Useful for isolating a database or other servers which should not be on an open network

ARP

  • Address Resolution Protocol
  • Maps link layer to network layer
  • Typically MAC addresses to IP addresses

NAT

  • Network Address Translation
  • Allows multiple devices to share a single external IP address
  • Popular with ISPs for preserving IPv4 space
  • Modifies packet headers to allow routing
  • Port forwarding required to expose services externally
  • Causes problems with some communication protocols such as VPN

Bridging

  • Used to transparently link two networks
  • Can be physical device connecting networks
  • More commonly seen as a software bridge
  • Used in virtualisation/docker hosts to create multiple virtual interfaces connected to the hosts network

Subnet structure

10.0.0.0/29, Netmask 255.255.255.248
  • 10.0.0.0 - gateway
  • 10.0.0.1 - 10.0.0.6 usable addresses
  • 10.0.0.7 - broadcast

Netmask

Is an inverse representation of the IP addresses in the range
255.255.255.248 inverted would be 0.0.0.7
255.255.255.0 inverted would be 0.0.0.255

Gateway

Can be any address in the range but is typically the first address.
This is the address through which any device in the subnet will communicate

Broadcast

The last address in the range
Used to send broadcast packets to the whole subnet
On receiving a broadcast the device reports back its MAC and IP for ARP
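Added example (not from the slides) tying together the CIDR table, the private ranges and the subnet structure sections: for any /X it derives the netmask, its inverse (the host bits), the range, usable addresses and broadcast, and says whether the block sits inside an RFC 1918 private range. It uses the standard ipaddress module; the /31 and /32 handling is my own choice.

```python
import ipaddress

# The three private ranges listed under Public/private.
PRIVATE_RANGES = [ipaddress.ip_network(p)
                  for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def prefix_to_netmask(prefix):
    """Dotted netmask for /X: the top X of 32 bits set to 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask))


def invert_netmask(netmask):
    """The inverse of the netmask (host bits), e.g. 255.255.255.248 -> 0.0.0.7.
    ipaddress exposes the same value as network.hostmask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))


def describe_subnet(cidr):
    """Network, netmask, inverse, range, usable addresses, broadcast and privacy for a block."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False: accept a host address as input
    first, last = net.network_address, net.broadcast_address
    count = net.num_addresses
    if count >= 4:
        # conventional layout from the slides: first address gateway/network, last broadcast
        usable = (str(first + 1), str(last - 1))
    else:
        # /31 (two hosts, RFC 3021) and /32 (single host) have no separate broadcast
        usable = (str(first), str(last))
    return {
        "network": str(first),
        "netmask": str(net.netmask),
        "inverse": invert_netmask(str(net.netmask)),
        "range": f"{first} - {last}",
        "usable": usable,
        "broadcast": str(last),
        "addresses": count,
        "private": any(net.subnet_of(r) for r in PRIVATE_RANGES),
    }
```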

Why subnet

  • Reduce complexity in routing tables
  • Network isolation
  • Address re-use

Linux networking

/etc/resolv.conf

$ cat /etc/resolv.conf 
# Generated by NetworkManager
search foo.com
nameserver 192.168.54.21
nameserver 192.168.54.20
  • search defines the domains to search, so a lookup for dev will also check dev.foo.com
  • nameserver fields define which nameservers to use to resolve DNS queries

/etc/hosts

$ cat /etc/hosts
127.0.0.1 localhost

192.168.1.222 smoothie1.rjn
  • Contains mappings of IP address to hostname
  • Takes precedence over DNS
  • Assign memorable names to test machines
  • Override DNS for a domain

ip addr

# ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default 
	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
	inet 127.0.0.1/8 scope host lo
		valid_lft forever preferred_lft forever
	inet6 ::1/128 scope host 
		valid_lft forever preferred_lft forever
2: ethA:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
	link/ether 08:00:27:33:c1:af brd ff:ff:ff:ff:ff:ff
	inet 192.168.1.222/24 brd 192.168.1.255 scope global ethA
		valid_lft forever preferred_lft forever
Gives interface, mac, ip/subnet, broadcast

ip route

# ip route
109.169.1.64/27 dev eth1  proto kernel  scope link  src 109.169.1.76
192.168.1.0/24 via 10.0.5.100 dev eth0
10.0.0.0/16 dev eth0  proto kernel  scope link  src 10.0.7.1
default via 109.169.1.65 dev eth1
Gives: subnet, device, via, source

DNS

Directory Name Service
Responsible for identifying addresses of machines by hostname
Either for human readability or, in more modern cases, container orchestration such as Kubernetes

Records

NS, A, CNAME, MX, TXT, SOA

A Records


@    IN A  192.168.1.4
*    IN A  192.168.1.4
dev  IN A  10.0.0.1
  • @ is the root domain
  • * is a wildcard for any subdomain
  • The most common record maps an address to a hostname.
  • AAAA records are the IPv6 equivalent

CNAME Records


home       IN CNAME  rnewsham.dynamic-dns.net.
smooithe1  IN CNAME  home
  • Maps a hostname to another hostname
  • A trailing "." means a fully qualified (canonical) name; without it the target is treated as a subdomain of the same zone.
  • Useful for pointing multiple subdomains at single A record so if IP changes only one record needs to be changed

MX Records

@  IN MX 10 mail.foo.com
@  IN MX 20 backup.mail.foo.com
  • Defines the host for email delivery
  • Has numeric priority level to allow for backup mail servers

TXT Records

20170625._domainkey IN TXT  "k=rsa; p=MIGfMAeMA...urIuZxt6pAG/ZwIDAQAB"
@                   IN TXT  "v=spf1 ip4:109.169.1.64/27  a -all"
_dmarc              IN TXT  "v=DMARC1;p=quarantine;pct=100;rua=mailto:rua@foo.com; ruf=ruf@foo.com"
_acme-challenge     IN TXT  "wJmKXbuLlKiyOkMuY2qeaE6RDw_5orlYwDZsDpkb42I"
  • Allows storing of text on a subdomain
  • Used for email identification, e.g. SPF, DKIM, DMARC
  • SSL providers often require a key to be added to verify domain ownership
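Added example (not from the slides) showing what a receiving mail server does with the SPF TXT record above: it walks the mechanisms left to right and the first match decides. DNS is replaced by a constructed zone table (the foo.com names and addresses are made up), and only the ip4, a, mx and all mechanisms are implemented; include/redirect are reported as permerror.

```python
import ipaddress

# Constructed zone data standing in for real DNS lookups.
ZONE = {
    "foo.com": {"A": ["192.168.1.4"],
                "MX": ["mail.foo.com", "backup.mail.foo.com"],
                "TXT": ["v=spf1 ip4:109.169.1.64/27  a -all"]},
    "mail.foo.com": {"A": ["109.169.1.70"]},
    "backup.mail.foo.com": {"A": ["198.51.100.9"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Toy resolver: records of type rtype for name, or [] if none."""
    return ZONE.get(name, {}).get(rtype, [])


def check_spf(domain, sender_ip):
    """Evaluate the domain's SPF record against the connecting IP (RFC 7208 results)."""
    ip = ipaddress.ip_address(sender_ip)
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not records:
        return "none"          # no policy published
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a hard error
    for term in records[0].split()[1:]:
        qualifier = "+"        # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # version mismatch (IPv6 sender) simply fails to match
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"  # include, redirect, exists etc. not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # nothing matched and no 'all' term
```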

SOA Records

foo.com. IN SOA ns1.foo.com. admin.foo.com. (
	2018080151  ; Serial
	10800       ; Refresh
	3600        ; Retry
	604800      ; Expire
	3600 )      ; TTL
  • Serial: numeric id, has to be incremented for each zone update
  • Refresh, Retry, Expire are for master/slave nameserver zone replication
  • TTL defines how long caching nameservers should cache records for

Nameservers

  • Two main configurations: caching and authoritative
  • Work as a chain answering and issuing DNS queries
  • Bind used to be most popular, many others e.g. Dnsmasq

Resolution

  • Resolving DNS works in stages, breaking a domain into sections: www. | foo. | com | .
  • Each section is queried to get the NS for the next level
Address       Server asked          Answer
.             Hard coded            root nameservers
com.          root nameservers      gTLD nameservers
foo.com.      gTLD nameservers      domain's nameservers
www.foo.com.  domain's nameservers  A 1.2.3.4
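The referral chain in the table above as a runnable toy, added here and not part of the slides: a constructed set of servers (root, a gTLD server and the domain's own nameserver; all names and addresses are made up) and a resolver that starts from the hard-coded root and follows NS referrals until it gets an A record, recording each stage as the table does.

```python
# Constructed delegation data: for each server, the zones it delegates (NS) and
# the final answers it holds (A). Names end in "." as in a zone file.
ROOT_SERVER = "a.root.example."      # stands in for the hard-coded root hints
SERVERS = {
    "a.root.example.": {"NS": {"com.": "a.gtld.example."}, "A": {}},
    "a.gtld.example.": {"NS": {"foo.com.": "ns1.foo.com."}, "A": {}},
    "ns1.foo.com.":    {"NS": {}, "A": {"www.foo.com.": "1.2.3.4",
                                        "ns1.foo.com.": "192.0.2.53"}},
}


def zones_from_right(name):
    """'www.foo.com.' -> ['com.', 'foo.com.', 'www.foo.com.'], the stages of resolution."""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def resolve(name, max_steps=10):
    """Iterative resolution: ask the root, follow each referral, return (address, trail)."""
    fqdn = name if name.endswith(".") else name + "."
    server = ROOT_SERVER
    trail = [(".", "hard coded", server)]           # (what was asked, whom, answer)
    for _ in range(max_steps):                      # bound the walk: referral loops must not hang us
        data = SERVERS[server]
        if fqdn in data["A"]:
            trail.append((fqdn, server, "A " + data["A"][fqdn]))
            return data["A"][fqdn], trail
        # most specific zone this server delegates that covers the name
        zone = next((z for z in reversed(zones_from_right(fqdn)) if z in data["NS"]), None)
        if zone is None:
            raise LookupError(f"{server} has neither an answer nor a referral for {fqdn}")
        nxt = data["NS"][zone]
        trail.append((zone, server, "NS " + nxt))
        server = nxt
    raise LookupError("too many referrals")
```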

Tools

ping


# ping google.com
PING google.com (172.217.23.14) 56(84) bytes of data.
64 bytes from lhr35s01-in-f14.1e100.net (172.217.23.14): icmp_seq=1 ttl=53 time=16.3 ms
64 bytes from lhr35s01-in-f14.1e100.net (172.217.23.14): icmp_seq=2 ttl=53 time=16.6 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 16.368/16.514/16.660/0.146 ms
Good packet loss test:
1000 packets, quietly (don't show each packet's details), 0.01 seconds apart
ping -c 1000 -q -i 0.01 google.com
PING google.com (172.217.23.14) 56(84) bytes of data.
--- google.com ping statistics ---
1000 packets transmitted, 1000 received, 0% packet loss, time 12030ms
rtt min/avg/max/mdev = 12.669/13.332/27.358/1.114 ms pipe 2

traceroute

$ traceroute -q 1 google.com
traceroute to google.com (216.58.201.46), 30 hops max, 60 byte packets
1  _gateway (192.168.1.254)  0.700 ms
2  *
3  31.55.185.177 (31.55.185.177)  10.126 ms
4  31.55.185.176 (31.55.185.176)  11.828 ms
5  core1-hu0-16-0-8.colindale.ukcore.bt.net (213.121.192.20)  12.276 ms
6  peer2-et-1-1-0.redbus.ukcore.bt.net (62.172.103.45)  12.490 ms
7  109.159.253.73 (109.159.253.73)  13.211 ms
8  *
9  64.233.175.154 (64.233.175.154)  11.753 ms
10  108.170.246.175 (108.170.246.175)  13.488 ms
11  lhr35s04-in-f14.1e100.net (216.58.201.46)  12.649 ms

telnet


$ telnet test.simperl.com 80
Trying 109.169.1.76...
Connected to test.simperl.com.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: test.simperl.com

HTTP/1.1 200 OK
Date: Fri, 07 Sep 2018 11:55:23 GMT
Server: Apache/2.4.27 (Red Hat) mod_fcgid/2.3.9 OpenSSL/1.0.1e-fips
X-Clacks-Overhead: GNU Terry Pratchett
Content-Type: text/html; charset=ISO-8859-1

Connection closed by foreign host.

host

$ host simperl.com
simperl.com has address 109.169.1.76
simperl.com mail is handled by 10 mail.simperl.com.
$ host -t ns smoothwall.com
smoothwall.com name server lee.ns.cloudflare.com.
smoothwall.com name server may.ns.cloudflare.com.
$ host -t a -d www.simperl.com
Trying "www.simperl.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.simperl.com.               IN      A

;; ANSWER SECTION:
www.simperl.com.        3569    IN      A       109.169.1.76

dig

dig @ns1.simperl.com www.simperl.com A
...
;; QUESTION SECTION:
;www.simperl.com.               IN      A
;; ANSWER SECTION:
www.simperl.com.        3600    IN      A       109.169.1.76
;; AUTHORITY SECTION:
simperl.com.            3600    IN      NS      ns1.simperl.com.
simperl.com.            3600    IN      NS      ns2.simperl.com.
;; ADDITIONAL SECTION:
ns1.simperl.com.      1800    IN      A       109.169.1.71
ns2.simperl.com.      1800    IN      A       109.169.1.72
...

tcpdump

Suppress name and service name lookups (-nn), output packet data content as ASCII (-A), interface (-i eth0), port 80:
# tcpdump -nn -A -i eth0 port 80
All traffic except for port 22 and not from 192.168.49.1:
# tcpdump -nn -i eth0 port not 22 and host not 192.168.49.1

Useful stuff

http://www.subnet-calculator.com/cidr.php
https://macvendors.com/