Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is the protocol used to carry network management traffic. Network management consists of management stations communicating with network elements such as hosts, routers, servers, or printers. The agent is the software on the network element that answers management requests, so when the word agent is used it refers to the network element. The agent stores its information in a management information base (MIB), and management software polls the various network elements to read it. RFC 1155, 1157, and 1213 define SNMP, with RFC 1157 defining the protocol itself. The manager sends requests to the agent on UDP port 161, and the agent sends traps to the manager on UDP port 162 (replies to requests go back to whatever source port the manager used). The manager can ask for data from the agent or set variable values in the agent; the agent replies, and it can report events on its own with traps.

There are three supporting pieces to TCP/IP network management:
  1. Management Information Base (MIB) - specifies the variables the network elements maintain (RFC 1213).
  2. Structure of Management Information (SMI) - the common data types and the way the variables are named and referenced (RFC 1155).
  3. The protocol used to communicate between the manager and the network element agent, which is SNMP (RFC 1157).
SNMP collects information two ways:
  1. The devices on the network are polled by management stations.
  2. Devices send alerts (traps) to SNMP management stations. A trap goes to the management stations configured as trap destinations; if the public community is added to the trap list, all management stations will receive the alert.
An SNMP agent must be running on a device for either method to work. SNMP terms:
  • Baseline - A report outlining the normal state of the network, used to judge later readings against.
  • Trap - An alert sent by an agent to a management station.
  • Agent - A program on a device that can be set to watch for some event and send a trap message to a management station if the event occurs.
The network manager can set the threshold of the monitored event that will trigger the sending of the trap message. SNMP also exposes counters for monitoring the performance of the network; on Windows these are used in conjunction with Performance Monitor.

SNMP Communities

An SNMP community is the group that devices and management stations running SNMP belong to. It helps define where information is sent. The community name is used to identify the group. A SNMP device or agent may belong to more than one SNMP community. It will not respond to requests from management stations that do not belong to one of its communities. SNMP default communities are:
  • Write = private
  • Read = public 

SNMP Security

SNMP should be protected from the internet with a firewall. In SNMPv1 and SNMPv2c the community string is the only credential, and it is sent in cleartext, so anyone who can sniff the traffic, or guess a default such as "public", can read the MIB, and with the write community can change it; SNMPv3 (RFC 3414) adds per-user authentication and encryption. Beyond the SNMP community structure, there is one trap that adds some security to SNMP:
  • Send Authentication Trap - When a device receives a request with an invalid community string, a trap is sent to a management station.
Other configuration parameters that affect security (named here as the Windows SNMP service names them) are:
  • Accepted Community Names - Only requests carrying a community name in the list will be accepted.
  • Accept SNMP Packets from Any Host - This is checked by default. Restricting requests to specific hosts increases security.
  • Only Accept SNMP Packets from These Hosts - Only requests from hosts on the list are accepted. Use an IP address, IPX address or host name to identify the host.

SNMP Message Types

There are five types of messages exchanged in SNMP version 1. They are referred to by Protocol Data Unit (PDU) type.

PDU Type  Name              Description
0         get-request       Get one or more variables (manager to element)
1         get-next-request  Get the next variable after one or more specified variables (manager to element)
2         set-request       Set one or more variables (manager to element)
3         get-response      Return the value of one or more variables (element to manager)
4         trap              Notify the manager of an event (element to manager)

The SNMP message with PDU type 0-3 consists of:
  1. Version of SNMP (0 for SNMPv1)
  2. Community - A clear text password character string
  3. PDU type
  4. Request ID - Used to associate the request with the response. For PDU 0-2 it is set by the manager, and the agent copies it into the get-response.
  5. error status - An integer sent by the agent to identify an error condition (zero in requests)
     Error  Name           Description
     0      no error       OK
     1      too big        Reply does not fit into one message
     2      no such name   The variable specified does not exist
     3      bad value      Invalid value specified in a set request
     4      read only      The variable to be changed is read only
     5      general error  General error
  6. error index - Specifies which variable was in error when an error occurred. It is the 1-based position of the variable in the list below.
  7. name - The name (object identifier) of the variable being set or read.
  8. value - The value of the variable being set or read (NULL in a get request).
  9. any other names and values to get/set
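As an added example (not code from the original page), the message layout above encoded and decoded in Python following the BER rules of RFC 1157. The community name "public" and the OID of sysDescr.0 are sample values, and the encoder only covers the PDU type 0-3 layout. Nothing in the encoding protects the community string: it appears as plain bytes in the UDP payload.

```python
# Added example (not from the original page): encode an SNMPv1 GetRequest
# with the BER rules of RFC 1157 and decode it again. The community string
# and the requested OIDs are both visible in the clear in the UDP payload.

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST = 0xA0            # context tag 0; the PDU type is tag & 0x1F


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def enc_int(v):
    """Two's-complement INTEGER of minimal length."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))


def enc_oid(dotted):
    """First two arcs share one byte (40*a+b); the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def snmpv1_get_request(community, oids, request_id=1):
    """Message = SEQUENCE { version 0, community, GetRequest-PDU { id, status, index, varbinds } }."""
    varbinds = b"".join(tlv(SEQUENCE, enc_oid(o) + tlv(NULL, b"")) for o in oids)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbinds)
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + tlv(GET_REQUEST, pdu))


def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def dec_int(body):
    return int.from_bytes(body, "big", signed=True)


def parse_snmpv1(msg):
    """Pull apart a v1 message carrying a PDU of type 0-3; returns a dict of its fields."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, p = read_tlv(body, 0)
    _, community, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    _, rid, q = read_tlv(pdu, 0)
    _, status, q = read_tlv(pdu, q)
    _, index, q = read_tlv(pdu, q)
    _, vbl, _ = read_tlv(pdu, q)
    names, q = [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, oid, _ = read_tlv(vb, 0)
        names.append(dec_oid(oid))
    return {"version": dec_int(version), "community": community.decode(),
            "pdu_type": pdu_tag & 0x1F, "request_id": dec_int(rid),
            "error_status": dec_int(status), "error_index": dec_int(index), "oids": names}


if __name__ == "__main__":
    wire = snmpv1_get_request("public", ["1.3.6.1.2.1.1.1.0"])   # sysDescr.0
    print(wire.hex())
    print(parse_snmpv1(wire))
```

The 40 bytes printed are exactly what a manager puts on the wire to UDP port 161; the string "public" is readable in them with no decoding at all.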

The SNMP message with PDU type 4 (trap) carries the same version and community fields as the others, followed by a PDU that consists of:
  1. PDU type
  2. Enterprise - The agent's sysObjectID, an OBJECT IDENTIFIER under the vendor's node in the MIB tree.
  3. agent addr - The IP address of the agent.
  4. Trap type - Identifies the type of event being reported.
     Trap Type  Name                    Description
     0          cold start              Agent is booting
     1          warm start              Agent is rebooting
     2          link down               An interface has gone down
     3          link up                 An interface has come up
     4          authentication failure  An invalid community (password) was received in a message
     5          egp neighbor loss       An EGP peer has gone down
     6          enterprise specific     Look in the enterprise code for information on the trap
  5. Specific code - 0 for trap types 0-5; for trap type 6 it identifies the vendor-defined sub-type.
  6. Time stamp - The time in 1/100ths of a second since the agent initialized (sysUpTime).
  7. name
  8. value
  9. any other names and values
Types of data used:
  • INTEGER - Some have minimum and maximum values.
  • OCTET STRING - The number of bytes in the string precedes the string.
  • DisplayString - An OCTET STRING in which each byte must be an ASCII value.
  • OBJECT IDENTIFIER - A sequence of integers separated by dots that follows a tree structure; each subtree is allocated by an organization responsible for that group of identifiers.
  • NULL - Used as the value of all variables in a get request.
  • IpAddress - A 4 byte long OCTET STRING, one byte for each byte of the IP address.
  • PhysAddress - A 6 byte OCTET STRING specifying an ethernet or hardware address.
  • Counter - A 32 bit unsigned integer that only increases and wraps around to 0 at its maximum.
  • Gauge - An unsigned 32 bit integer with a value that can increase or decrease but will not fall below a minimum or exceed a maximum.
  • TimeTicks - Time counter. Counts in 1/100ths of a second.
  • SEQUENCE - Similar to a structure in a programming language; for example a udpTable entry holds an IpAddress called udpLocalAddress and an INTEGER called udpLocalPort.
  • SEQUENCE OF - An array whose elements are all of one type.

The MIB data structure RFC 1213

In the list above the data type "OBJECT IDENTIFIER" is the type used to name everything in the management information base. Object identifiers are organised much like a DNS tree with a node at the top called root. Each node in the tree has a text name and is also referenced numerically. There are multiple levels in the tree; the bottom level holds the variables, and the level above it is called a group. The packets sent in SNMP use the numeric identifiers rather than text. All MIB-II identifiers begin with iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1), numerically 1.3.6.1.2.1, in text "iso.org.dod.internet.mgmt.mib-2". A scalar variable is read by appending an instance of .0 to its identifier (sysDescr is 1.3.6.1.2.1.1.1, so its value is fetched as 1.3.6.1.2.1.1.1.0); table entries use their index columns as the instance instead. Under mib-2 are the following groups. The information in these groups is not complete and you should refer to the RFC for full information.
  1. system
    1. sysDescr (DisplayString) - Description of entity
    2. sysObjectID (OBJECT IDENTIFIER) - Vendor's ID in the enterprises subtree (1.3.6.1.4.1)
    3. sysUpTime (TimeTicks) - Time since the network management portion of the system was last re-initialized
    4. sysContact (DisplayString) - Name of contact person
    5. sysName (DisplayString) - Domain name of the element such as mymachine.mycompany.com
    6. sysLocation (DisplayString) - Physical location of the element.
    7. sysServices (INTEGER) - Bit mask of the layers the element serves: 0x01 physical, 0x02 datalink, 0x04 internet, 0x08 end to end, 0x40 application. If the bit is set the service is provided.
  2. interfaces
    1. ifNumber (INTEGER) - Number of network interfaces
    2. ifTable (table)
      1. ifIndex
      2. ifDescr - Description of interface
      3. ifType - 6=ethernet, 7=802.3 ethernet, 9=802.5 token ring, 23 = PPP, 28=SLIP
      4. ifMtu
      5. ifSpeed - Bits/second
      6. ifPhysAddress
      7. ifAdminStatus - Desired state of interface 1=up, 2=down, 3=testing
      8. ifOperStatus - Current state of interface 1=up, 2=down, 3=testing
      9. ifLastchange
      10. ifInOctets - Total bytes received
      11. ifInUcastPkts
      12. ifInNUcastPkts
      13. ifInDiscards
      14. ifInErrors
      15. ifInUnknownProtos
      16. ifOutOctets
      17. ifOutUcastPkts
      18. ifOutNUcastPkts
      19. ifOutDiscards
      20. ifOutErrors
      21. ifOutQLen
      22. ifSpecific
  3. at - Address translation group, mapping network addresses to physical addresses (deprecated in RFC 1213 in favour of the ipNetToMediaTable in the ip group)
    1. atIfIndex (INTEGER) - Interface number
    2. atPhysAddress (PhysAddress)
    3. atNetAddress (NetworkAddress) - IP address
  4. ip
    1. ipForwarding
    2. ipDefaultTTL (INTEGER)
    3. ipInReceives (counter)
    4. ipInHdrErrors (counter)
    5. ipInAddrErrors (counter)
    6. ipForwDatagrams (counter)
    7. ipInUnknownProtos (counter)
    8. ipInDiscards (counter)
    9. ipInDelivers (counter)
    10. ipOutRequests (counter)
    11. ipOutDiscards (counter)
    12. ipOutNoRoutes (counter)
    13. ipReasmTimeout (INTEGER) - Seconds a received fragment is held while waiting for reassembly.
    14. ipReasmReqds (counter) - Number of IP fragments received that need to be reassembled.
    15. ipReasmOKs (counter)
    16. ipReasmFails (counter)
    17. ipFragOKs (counter)
    18. ipFragFails (counter)
    19. ipFragCreates (counter)
    20. ipRoutingDiscards (counter)
    21. ipAddrTable (table)
      1. ipAddrEntry (index)
        1. ipAdEntAddr
        2. ipAdEntIfIndex
        3. ipAdEntNetMask
        4. ipAdEntBcastAddr
        5. ipAdEntReasmMaxSize
  5. icmp
  6. tcp
  7. udp
    1. udpInDatagrams (counter) - UDP datagrams delivered to user processes.
    2. udpNoPorts (counter) - UDP datagrams which were not received at the port since there was no application to receive it.
    3. udpInErrors (counter) - Number of UDP datagrams not delivered for reasons other than no applications available to receive them.
    4. udpOutDatagrams (counter) - Number of UDP datagrams sent.
    5. udpTable (table)
      1. udpEntry - Specifies the table entry number
        1. udpLocalAddress
        2. udpLocalPort
The ordering of data in the MIB is numeric. When the getnext function is used it gets the next data based on the numeric ordering.
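An added example (not from the original page) of the numeric ordering that get-next relies on. The MIB contents are constructed, using OIDs from the groups listed above. The point is that OIDs must be compared arc by arc as integers: comparing them as dotted strings puts ifDescr.10 before ifDescr.2, which silently breaks a walk over a table.

```python
# Added example (not from the original page): the numeric, arc-by-arc OID
# ordering that SNMP get-next walks. The MIB contents below are constructed.
SAMPLE_MIB = {
    "1.3.6.1.2.1.1.1.0": "Linux mymachine 2.2.14",   # sysDescr.0
    "1.3.6.1.2.1.1.3.0": 123456,                     # sysUpTime.0 (TimeTicks)
    "1.3.6.1.2.1.1.5.0": "mymachine.mycompany.com",  # sysName.0
    "1.3.6.1.2.1.2.1.0": 3,                          # ifNumber.0
    "1.3.6.1.2.1.2.2.1.2.1": "lo",                   # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "eth0",                 # ifDescr.2
    "1.3.6.1.2.1.2.2.1.2.10": "ppp0",                # ifDescr.10
    "1.3.6.1.2.1.7.1.0": 42,                         # udpInDatagrams.0
}


def oid_key(dotted):
    """Compare OIDs arc by arc as integers, never as text."""
    return tuple(int(a) for a in dotted.split("."))


class Mib:
    def __init__(self, values):
        self.entries = sorted(values.items(), key=lambda kv: oid_key(kv[0]))

    def get(self, oid):
        """get-request: exact name or noSuchName (None here)."""
        for name, value in self.entries:
            if name == oid:
                return value
        return None

    def get_next(self, oid):
        """get-next-request: first variable whose name sorts after the given one."""
        k = oid_key(oid)
        for name, value in self.entries:
            if oid_key(name) > k:
                return name, value
        return None      # past the end of the MIB view

    def walk(self, prefix):
        """Repeated get-next until the returned name leaves the prefix subtree."""
        pk, cur, out = oid_key(prefix), prefix, []
        while True:
            nxt = self.get_next(cur)
            if nxt is None or oid_key(nxt[0])[:len(pk)] != pk:
                return out
            out.append(nxt)
            cur = nxt[0]


if __name__ == "__main__":
    mib = Mib(SAMPLE_MIB)
    print(mib.get_next("1.3.6.1.2.1.1"))          # first variable in the system group
    for name, value in mib.walk("1.3.6.1.2.1.2.2.1.2"):   # all ifDescr entries
        print(name, value)
```

Walking a group is just get-next on the group's OID, which is why a manager can start from "1.3.6.1.2.1.1" without knowing the variable names in advance.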

 http://www.comptechdoc.org/independent/networking/guide/netsnmp.html

Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is used to send mail across the internet. There are four types of programs used in the process of sending and receiving mail. They are:
  • MUA - Mail user agent. This is the program a user uses to write e-mail; it usually incorporates an editor. The user types the mail and it is passed to the sending MTA.
  • MTA - Mail transfer agent, used to pass mail from the sending machine to the receiving machine. An MTA runs on both the sending and the receiving machine. Sendmail is an MTA.
  • LDA - Local delivery agent. On the receiving machine it takes the mail from the MTA and puts it in the user's mailbox. This program is usually procmail.
  • Mail notifier - This program notifies the recipient that they have mail. Normally this requires two programs, biff and comsat: comsat is the daemon that watches for new mail, and biff is the command a user runs to turn the notification on or off.
The MTAs on the two machines use SMTP to pass mail between them, normally over TCP port 25.

Other components of mail service include:
  • Directory services - A list of users on a system. Microsoft provides a Global Address List and a Personal Address Book.
  • Post Office - This is where the messages are stored. 

Mail Protocols

  • SMTP - Simple Mail Transfer Protocol is used on the internet. Despite the name it is not a transport layer protocol but an application layer protocol that runs over TCP.
  • POP3 - Post Office Protocol version 3 is used by clients to retrieve mail from an internet mail server. It is not a transport layer protocol.
  • IMAP4 - Internet Message Access Protocol version 4 is the replacement for POP3; it can leave mail on the server and work with server-side folders.
  • MIME - Multipurpose Internet Mail Extensions defines how non-text files and non-ASCII content are encoded into, and attached to, SMTP messages.
  • X.400 - International Telecommunication Union standard that defines transfer protocols for sending mail between mail servers.
  • MHS - Message Handling Service by Novell is used for mail on Netware networks.

Directory Services

  • Lightweight Directory Access Protocol (LDAP)
  • X.500 - This is a recommendation outlining how an organization can share objects and names on a large network. It is hierarchical similar to DNS, defining domains consisting of organizations, divisions, departments, and workgroups. The domains provide information about the users and available resources on that domain, This X.500 system is like a directory. Its recommendation comes from the International Telegraph and Telephone Consultative Committee (CCITT)

Mail API

Mail application programming interfaces (APIs) allow e-mail support to be integrated into application programs.
  • MAPI - Microsoft's Messaging API which is incorporated throughout Microsoft's office products supports mail at the application level
  • VIM - Vendor-Independent Messaging protocol from Lotus is supported by many vendors exclusive of Microsoft.
Three parts of a mail message:
  1. Envelope - The recipient and sender addresses given with the MAIL and RCPT commands. The envelope is what the MTA routes on; it need not match the From and To headers.
  2. Headers - Each header has a name followed by a colon and its value. Some headers are From, Date, Reply-To, Received, Message-ID, To, and Subject.
  3. Body - The contents of the message, sent as 7 bit ASCII (anything else has to be MIME-encoded).

SMTP Commands:
  • HELO - Sent by the client with its domain name, such as HELO mymachine.mycompany.com.
  • MAIL FROM:<myself@mymachine.mycompany.com> - The envelope sender.
  • RCPT TO:<myfriend@theirmachine.theirorg.org> - An envelope recipient; repeated once per recipient.
  • DATA - Sends the contents of the message. The headers are sent, then a blank line, then the message body. A line containing only "." ends the message, so a body line that begins with "." is sent with an extra leading "." which the receiver strips.
  • QUIT - Ends the session.
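The DATA step in code, as an added example that is not part of the original page. It builds the envelope commands, then the header / blank line / body block with the end-of-data rule above, and shows the server side undoing the extra dot. The addresses and body text are constructed; the body deliberately contains a line that is exactly "." to show why the stuffing matters (without it that line would end the message early and whatever followed would be read as SMTP commands).

```python
# Added example (not from the original page): the SMTP data path from the
# client's envelope commands to the server's end-of-data handling.
# Sample addresses and text are constructed.
CRLF = "\r\n"


def envelope_commands(helo, sender, recipients):
    """The envelope: who is sending and to whom, independent of the headers."""
    cmds = [f"HELO {helo}", f"MAIL FROM:<{sender}>"]
    cmds += [f"RCPT TO:<{r}>" for r in recipients]
    return cmds + ["DATA"]


def build_data_block(headers, body):
    """Headers, blank line, body; dot-stuff lines starting with '.'; end with CRLF . CRLF."""
    lines = [f"{name}: {value}" for name, value in headers] + [""] + body.split("\n")
    stuffed = [("." + ln) if ln.startswith(".") else ln for ln in lines]
    return CRLF.join(stuffed) + CRLF + "." + CRLF


def read_data_block(wire):
    """Server side: collect lines until a lone '.', removing the stuffed dot.
    Returns (message text, whatever was left on the connection after the terminator)."""
    lines = wire.split(CRLF)
    out = []
    for i, ln in enumerate(lines):
        if ln == ".":
            return "\n".join(out), CRLF.join(lines[i + 1:])
        out.append(ln[1:] if ln.startswith(".") else ln)
    raise ValueError("end-of-data marker not found")


HEADERS = [("From", "myself@mymachine.mycompany.com"),
           ("To", "myfriend@theirmachine.theirorg.org"),
           ("Subject", "status")]
BODY = "Hello\n.\nQUIT"      # a body line that is exactly "." must survive transit


def unstuffed_block(headers, body):
    """What a careless client sends: no dot-stuffing. Used only to show the failure."""
    lines = [f"{name}: {value}" for name, value in headers] + [""] + body.split("\n")
    return CRLF.join(lines) + CRLF + "." + CRLF


if __name__ == "__main__":
    for c in envelope_commands("mymachine.mycompany.com", HEADERS[0][1], [HEADERS[1][1]]):
        print("C:", c)
    text, leftover = read_data_block(build_data_block(HEADERS, BODY))
    print(text.endswith(BODY), repr(leftover))          # True ''
    print(read_data_block(unstuffed_block(HEADERS, BODY)))   # message truncated, "QUIT" left over
```

The leftover returned for the unstuffed block is what the server would go on to parse as the client's next commands, which is exactly how mail-injection bugs in applications that build SMTP sessions by hand arise.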

If you recall from the DNS section mail servers are specified in DNS configuration files as follows:
dept1.mycompany.com.  IN  MX  5  mail.mycompany.com.  
dept1.mycompany.com.  IN  MX  10  mail1.mycompany.com.  
dept1.mycompany.com.  IN  MX  15  mail2.mycompany.com. 
The host dept1.mycompany.com may not be directly connected to the internet, or may only be connected periodically over a PPP line. The servers mail, mail1, and mail2 act as mail forwarders that accept and hold mail for dept1. The server with the lowest preference value, 5, is tried first; the others are used when the preferred one or ones are down.

http://www.comptechdoc.org/independent/networking/guide/netmail.html

Dynamic Routing

Dynamic routing performs the same function as static routing but is more robust. With static routing the routing tables in each router are configured by hand, so the routes packets take are fixed; if a router on the route goes down the destination may become unreachable until someone changes the tables. Dynamic routing lets the routing tables change as the available routes change. Several protocols support dynamic routing, including RIP and OSPF.

Routing cost

Route cost is based on one of the following measures:
  • Hop count - How many routers the message must go through to reach the recipient.
  • Tick count - The time to route in 1/18 second units (ticks, the unit used by Novell IPX routing).
Dynamic routing protocols do not change how packets are forwarded. They only allow the routing tables to be altered dynamically.
There are two classifications of protocols:
  1. IGP - Interior Gateway Protocol. Used within a single autonomous system, which is free to choose its own routing protocol. RIP and OSPF are interior gateway protocols.
  2. EGP - Exterior Gateway Protocol. Used between routers of different autonomous systems. There are two of these, the first having the same name as this class of protocol:
    1. EGP - Exterior Gateway Protocol
    2. BGP - Border Gateway Protocol.
The daemon "routed" uses RIP. The daemon "gated" supports IGPs and EGPs.
 

Route Discovery Methods

  • Distance vector - Each router periodically sends its whole routing table to its neighbours, which pick the shortest distance to each destination. Works best on small networks such as LANs, not large WANs.
  • Link-state - Each router advertises the state of its own links at startup and then only when they change, and every router computes routes from the resulting map of the network. OSPF uses link-state.

Routing Information Protocol (RIP)

The RIP RFC is 1058.
The routing daemon adds a routing policy to the system. If there are multiple routes to a destination, it chooses the best one. A RIP message can contain information on up to 25 routes (504 bytes). The RIP message contains the following components:
  1. Command
  2. Version - Normally 1 but set to 2 for RIP version 2.
  3. family - Set to 2 for IP addresses.
  4. IP address - 32 bit IP address
  5. Metric - Indicates the number of hops to a given network, the hop count. 16 means unreachable.
RIP periodically broadcasts its routing table to neighbouring routers over UDP port 520. The command field can hold the following values:
  • 1 - request
  • 2 - reply (response)
  • 3 & 4 - traceon and traceoff, obsolete
  • 5 & 6 - poll and poll entry, undocumented commands used by gated to ask for all or part of a routing table or for a single entry
When the daemon "routed" starts, it sends a request out all its interfaces for the other routers' routing tables. The request is broadcast if the network supports it. For TCP/IP the address family in the message is normally 2, but the initial request has the address family set to 0 with the metric set to 16, which means "send me your whole table".

Regular routing updates are sent every 30 seconds with all or part of the route table. As each router sends routing tables (advertises routes to networks its NICs interface to) routes are determined to each network.
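An added example, not from the original page, that packs and parses RIP messages with the fields listed above, for both version 1 and version 2 (whose extra fields are described in the RIP Version 2 section below). The routes are constructed. Note that a version 1 message carries nothing that identifies or authenticates its sender beyond the IP source address: any host on the segment can send one.

```python
# Added example (not from the original page): build and parse RIP messages
# with the field layout above. Routes are constructed.
import struct
import ipaddress

RIP_REQUEST, RIP_RESPONSE = 1, 2
AF_INET, MAX_ENTRIES, INFINITY = 2, 25, 16      # metric 16 = unreachable
RIP_PORT = 520                                  # UDP; v1 broadcasts, v2 multicasts to 224.0.0.9
ENTRY = "!HH4s4s4sI"    # family, route tag, address, mask, next hop, metric (20 bytes)


def build_rip(command, version, routes=()):
    """routes: dicts with net (CIDR), metric and, for v2, optional next_hop and tag."""
    if len(routes) > MAX_ENTRIES:
        raise ValueError("a RIP message carries at most 25 routes")
    pkt = struct.pack("!BBH", command, version, 0)
    for r in routes:
        net = ipaddress.ip_network(r["net"])
        if version == 1:
            # v1 has no mask, next hop or tag: those fields must be zero
            entry = struct.pack(ENTRY, AF_INET, 0, net.network_address.packed,
                                bytes(4), bytes(4), r["metric"])
        else:
            nh = ipaddress.ip_address(r.get("next_hop", "0.0.0.0")).packed
            entry = struct.pack(ENTRY, AF_INET, r.get("tag", 0), net.network_address.packed,
                                net.netmask.packed, nh, r["metric"])
        pkt += entry
    return pkt


def whole_table_request(version=1):
    """The start-up request routed sends: one entry, family 0, metric 16."""
    return struct.pack("!BBH", RIP_REQUEST, version, 0) + \
        struct.pack(ENTRY, 0, 0, bytes(4), bytes(4), bytes(4), INFINITY)


def parse_rip(pkt):
    """Return (command, version, [entries]); rejects lengths that are not 4 + n*20."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("bad RIP length")
    command, version, _ = struct.unpack("!BBH", pkt[:4])
    entries = []
    for off in range(4, len(pkt), 20):
        fam, tag, addr, mask, nh, metric = struct.unpack(ENTRY, pkt[off:off + 20])
        entries.append({"family": fam, "tag": tag,
                        "address": str(ipaddress.IPv4Address(addr)),
                        "mask": str(ipaddress.IPv4Address(mask)),
                        "next_hop": str(ipaddress.IPv4Address(nh)),
                        "metric": metric})
    return command, version, entries


if __name__ == "__main__":
    resp = build_rip(RIP_RESPONSE, 2, [{"net": "10.1.0.0/16", "metric": 1},
                                       {"net": "192.168.5.0/24", "metric": 3, "next_hop": "10.1.0.2"}])
    print(len(resp), parse_rip(resp))
    print(parse_rip(whole_table_request()))
```

Parsing a version 1 response shows the mask field as 0.0.0.0, which is why RIPv1 cannot describe subnets: the receiver has to infer the mask from the address class.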

Drawbacks of RIP:
  • RIPv1 carries no subnet mask, so it has no knowledge of subnet addressing.
  • It takes a long time to stabilize after a router or link failure.
  • It uses more broadcasting than OSPF, requiring more network bandwidth.
  • RIPv1 has no authentication; any host on the segment can inject routes.

RIP Version 2

Defined by RFC 1388 (later revised in RFC 1723 and RFC 2453). It passes further information in some of the fields that are zero in RIP version 1: a 32 bit subnet mask and a next hop IP address for each route, a routing domain, and a route tag. The routing domain identifies which routing process the packet belongs to. The route tag carries information from exterior gateway protocols, such as an autonomous system number, through RIP unchanged. RIP version 2 also adds an optional authentication entry (a cleartext password in RFC 1388, keyed MD5 in RFC 2082).

Open Shortest Path First (OSPF)

OSPF (RFC 1247) is a link state protocol rather than a distance vector protocol. Each router tests the state of its links to its neighbours and floods that information to the other routers, which each compute the shortest paths from it. It stabilizes after a router or link failure faster than a distance vector based system. OSPF uses IP directly (protocol 89), not relying on TCP or UDP. OSPF can:
  • Choose routes based on the IP type of service field in the IP header, so that, for example, FTP and Telnet traffic can take different paths.
  • Support subnets (every advertised route carries a mask).
  • Assign a cost to each interface based on reliability, round trip time, etc.
  • Distribute traffic evenly over equal cost routes.
  • Use multicasting (224.0.0.5 for all OSPF routers and 224.0.0.6 for designated routers) instead of broadcasting.
Costs for specific hops can be set by administrators. Adjacent routers swap information instead of broadcasting to all routers.

Border Gateway Protocol (BGP)

Described by RFC 1267 and 1268 (BGP-3; the version used today, BGP-4, is in RFC 1771 and RFC 4271). It uses TCP (port 179) as its transport protocol. When two systems are using BGP, they establish a TCP connection and then send each other their BGP routing tables. BGP is a path vector variant of distance vectoring: it exchanges information about reachable networks with other BGP systems including the full list of autonomous systems on the path to each, and uses that list to detect loops. It detects failures by sending periodic keepalive messages to its neighbours, by default every 30 seconds.

http://www.comptechdoc.org/independent/networking/guide/netdynamicroute.html
 

Internet Group Management Protocol

Internet Group Management Protocol (IGMP) is the protocol used to support multicasting. To use multicasting, a process on a host must be able to join and leave a group. A process is a user program that is using the network. Group membership is identified by the group address and the interface (NIC). A host must keep track of the groups that at least one process belongs to and the number of processes in each group. IGMP is defined in RFC 1112.
IGMP messages are used by multicast routers to track group memberships on each of their networks. It uses these rules:
  1. The first time a process on a host joins a multicast group, the host sends an IGMP report. This means that every time the host needs to receive messages from a new group to support its processes, it sends a report.
  2. Multicast routers send IGMP queries regularly to determine whether any hosts are running processes that belong to any groups. The group address of the query is set to 0, the IP TTL is set to 1, and the destination IP address is 224.0.0.1, the all-hosts group address that reaches all the multicast capable routers and hosts on a network.
  3. A host sends one IGMP report for each group that contains one or more processes. The router expects one report from each host for each group that one or more of its processes require access to.
  4. A host does not send a report when its last process leaves a group (when the group access is no longer required by a process). The multicast router relies on query responses to update this information.
Hosts and routers use IGMP to support multicasting. Multicast routers must know which hosts belong to which group at any given time. The IGMP version 1 message is 8 bytes, consisting of:
  1. Bits 0 to 3 - IGMP version number (1)
  2. Bits 4 to 7 - IGMP type. 1 = query sent by a multicast router, 2 = report sent by a host.
  3. Bits 8 to 15 - unused
  4. Bits 16 to 31 - Checksum (the standard Internet checksum over the 8 byte message)
  5. The last 4 bytes - 32 bit group address, which is the class D IP address of the group (0 in a query).
IGMP messages are encapsulated in an IP datagram (protocol 2), which contains a time to live (TTL) field. The default is to set the TTL field to 1, which means the datagram will not leave its subnetwork. An application can increase the TTL on the multicast datagrams it sends to find out how far away a server is in hops (an expanding ring search).
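An added example (not from the original page) that builds the 8 byte IGMP message described above with its checksum and verifies it on receipt. In IGMP versions 2 and 3 the first byte is read as a single type field, so the version 1 query below (version 1, type 1) is the byte 0x11 that those later versions also use for a membership query. The group addresses are constructed.

```python
# Added example (not from the original page): the 8-byte IGMPv1 message with
# its Internet checksum, built and verified. Group addresses are constructed.
import struct
import socket

IGMP_QUERY, IGMP_REPORT = 1, 2
ALL_HOSTS = "224.0.0.1"


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (same checksum as IP, ICMP, UDP)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type, group="0.0.0.0", version=1):
    """Version in the high nibble, type in the low nibble, unused byte, checksum, group."""
    first = (version << 4) | msg_type
    raw = struct.pack("!BBH4s", first, 0, 0, socket.inet_aton(group))
    return raw[:2] + struct.pack("!H", inet_checksum(raw)) + raw[4:]


def parse_igmp(msg):
    """A valid message checksums to zero over all 8 bytes; anything else is rejected."""
    if len(msg) < 8 or inet_checksum(msg[:8]) != 0:
        raise ValueError("short message or bad checksum")
    first, _, _, group = struct.unpack("!BBH4s", msg[:8])
    return {"version": first >> 4, "type": first & 0xF, "group": socket.inet_ntoa(group)}


def query_datagram_params():
    """Where a router's membership query goes: all-hosts group, TTL 1 so it stays on the link."""
    return {"dst": ALL_HOSTS, "ttl": 1, "ip_proto": 2}


if __name__ == "__main__":
    q = build_igmp(IGMP_QUERY)
    r = build_igmp(IGMP_REPORT, "224.0.1.1")
    print(q.hex(), parse_igmp(q))
    print(r.hex(), parse_igmp(r))
```

The query comes out as 11 00 ee ff 00 00 00 00, which is the byte pattern seen in packet captures of IGMPv1 queries; the checksum covers only the 8 IGMP bytes, not the IP header in front of them.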

Addresses from 224.0.0.0 to 224.0.0.255 are not forwarded by multicast routers since these addresses are intended for applications that do not need to communicate with other networks. Therefore these addresses can be used for group multicasting on private networks with no concern for addresses being used for multicasting on other networks.

Network Broadcasting and Multicasting

Network interface cards are usually programmed to listen for three types of frames: frames sent to their own address, frames broadcast to all NICs, and frames that qualify as a multicast the card has been told to accept. There are three types of addressing:
  1. Unicast - A transmission to a single interface card.
  2. Multicast - A transmission to a group of interface cards on the network.
  3. Broadcast - A transmission to all interface cards on the network. RFC 919 and 922 describe IP broadcast datagrams.
    • Limited Broadcast - Sent to all NICs on the same network segment as the source NIC. It uses the IP address 255.255.255.255. This broadcast is never forwarded by routers, so it only appears on one network segment.
    • Directed broadcast - Sent to all hosts on a particular network. Routers may be configured to forward directed broadcasts; for network 192.168.0.0 with mask 255.255.0.0 the directed broadcast address is 192.168.255.255. Because a forwarded directed broadcast lets one packet from outside reach every host on a segment (the basis of smurf-style amplification attacks), routers should leave forwarding of directed broadcasts off, which has been the recommended default since RFC 2644.
All other frames are filtered out by the NIC unless the card is put into promiscuous mode, which is how network sniffing is done.

Broadcasting

Common uses of broadcasting on TCP/IP networks are:
  1. ARP on IP
  2. DHCP (and BOOTP) on IP
  3. Routing table updates. Broadcasts sent by routers with routing table updates to other routers (RIP version 1).

The ethernet broadcast address in hexadecimal is FF:FF:FF:FF:FF:FF. There are several types of IP broadcast:
  1. The IP limited broadcast address is 255.255.255.255. This broadcast is not forwarded by a router.
  2. A broadcast directed to a network has the form x.255.255.255 where x is the address of a Class A network (similarly x.y.255.255 for a Class B and x.y.z.255 for a Class C network). This broadcast may be forwarded depending on how the router is configured.
  3. A broadcast sent to all subnetworks. If the broadcast is 10.1.255.255 on network 10.1.0.0 and the network is subnetted into multiple networks 10.1.x.0, then the broadcast is a broadcast to all subnetworks.
  4. A broadcast sent to a single subnet in the form 10.1.1.255 is a subnet broadcast if the subnet mask is 255.255.255.0.

Multicasting

Multicasting may be used for streaming multimedia, video conferencing, shared white boards and more as the internet grows. Multicasting is still new to the internet and not widely supported by routers. New routing protocols are being developed to enable multicast traffic to be routed. Some of these routing protocols are:
  • Hierarchical Distance Vector Multicast Routing Protocol (HDVMRP)
  • Multicast Border Gateway
  • Protocol Independent Multicast
Since IP is not a reliable network protocol, a new reliable multicast protocol that works at the transport layer and uses IP at the network layer has been developed. It is called Multicast Transport Protocol (MTP)
Ethernet Addressing:
The Internet Assigned Numbers Authority (IANA) allocates the ethernet addresses 01:00:5E:00:00:00 through 01:00:5E:7F:FF:FF for multicasting. This means there are 23 bits available for the multicast group ID.

IP Addressing:
An IP multicast address is in the range 224.0.0.0 through 239.255.255.255. In hexadecimal that is E0.00.00.00 to EF.FF.FF.FF. To be a multicast address, the first three bits of the most significant byte must be set and the fourth bit must be clear. That leaves 28 bits for the multicast group ID in the IP address, so there are 5 group ID bits that cannot be mapped into the ethernet address. The 5 bits that are not mapped are the 5 most significant bits of the group ID, which means 32 different IP groups share each ethernet multicast address and the IP layer has to filter out the groups it did not join.
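The addressing arithmetic from this section and the Broadcasting section above, as an added example that is not from the original page: the limited, subnet and all-subnets broadcast addresses for a given prefix, and the 23 bit mapping of a class D address onto an ethernet address, including the 32 IP groups that share one ethernet address because of the 5 dropped bits. The networks and groups used are constructed.

```python
# Added example (not from the original page): broadcast address arithmetic and
# the IP-to-ethernet multicast mapping. Networks and groups are constructed.
import ipaddress


def broadcast_addresses(subnet, parent=None):
    """Limited and subnet-directed broadcast for a subnet; all-subnets broadcast of its parent."""
    sub = ipaddress.ip_network(subnet, strict=False)
    out = {"limited": "255.255.255.255", "subnet": str(sub.broadcast_address)}
    if parent is not None:
        par = ipaddress.ip_network(parent, strict=False)
        if not sub.subnet_of(par):
            raise ValueError(f"{sub} is not inside {par}")
        out["all_subnets"] = str(par.broadcast_address)
    return out


def multicast_mac(group):
    """01:00:5E + low 23 bits of the group address; the top 5 bits of the 28-bit group ID are dropped."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(group):
    """The 32 class D addresses that map to the same ethernet address as `group`."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


if __name__ == "__main__":
    print(broadcast_addresses("10.1.1.0/24", parent="10.1.0.0/16"))
    for g in ("224.0.0.1", "224.0.1.1", "239.255.255.255"):
        print(g, "->", multicast_mac(g))
    print(colliding_groups("224.0.0.1")[:4], "... all share", multicast_mac("224.0.0.1"))
```

The collision list is why a host that joined 224.0.0.1 receives frames for 225.0.0.1 as well: the card accepts them on the shared ethernet address and the IP layer has to discard them.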


(Figure: IP to Ethernet Multicast Mapping)

The 28 IP multicast bits are called the multicast group ID. A host group listening to a multicast can span multiple networks. Some host group addresses are assigned by the Internet Assigned Numbers Authority (IANA). Some of the assignments are listed below:
  • 224.0.0.1 = All systems on the subnet
  • 224.0.0.2 = All routers on the subnet
  • 224.0.1.1 = Network time protocol (NTP)
  • 224.0.0.9 = For RIPv2
  • 224.0.1.2 = Silicon graphic's dogfight application
Being on the MBONE means you are on a network that supports multicast routing across the internet. Usually you must check with your internet service provider (ISP) to see if you have this capability. IGMP, described in the Internet Group Management Protocol section above, is used to manage multicast group membership.

http://www.comptechdoc.org/independent/networking/guide/netbroadcasting.html

RPC and NFS


Network File System (NFS)

NFS, defined by RFC 1094 (version 2), is a method for client systems to use a filesystem on a remote host computer. NFS version 2 runs over UDP and is built on RPC. The default RPC credential, AUTH_UNIX, carries whatever user and group IDs the client chooses to claim, so the server trusts the client's word about who is asking; exports should therefore be limited to specific hosts rather than offered to the whole network.

Remote Procedure Call (RPC)

RPC, defined by RFC 1057, is a set of function calls used by a client program to call functions in a remote server program. The port mapper is the program that keeps track of which ports the programs offering RPC services are using; a client asks it first and then contacts the service on the port it returns. The port mapper's port is 111. In Redhat Linux the portmapper daemon is started by /etc/rc.d/init.d/portmap and the daemon program is called "portmap".

The rpcinfo command

The command "rpcinfo -p" will show the port numbers that are assigned to the RPC services.

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    747  rquotad
    100011    2   udp    747  rquotad
    100005    1   udp    757  mountd
    100005    1   tcp    759  mountd
    100005    2   udp    762  mountd
    100005    2   tcp    764  mountd
    100003    2   udp   2049  nfs
Services that may be listed include:

  • rquotad - Enforces the set quotas for remote mounted NFS systems.
  • mountd - Performs the requested mounts.
  • nfs - Handles the user interface to the kernel module that performs NFS.
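An added example, not from the original page, of what rpcinfo -p does under the hood: a Sun RPC version 2 call to the port mapper's GETPORT procedure, built by hand from XDR-encoded 32 bit fields, and the parsing of the reply. The reply bytes are constructed to match the nfs line in the listing above. The port mapper answers such queries from anyone with no authentication at all, which is why port 111 should not be reachable from untrusted networks.

```python
# Added example (not from the original page): the portmapper GETPORT call that
# rpcinfo makes, as a Sun RPC v2 message (RFC 1057) with XDR-encoded fields.
# The reply bytes are constructed.
import os
import struct

PMAP_PROG, PMAP_VERS, PMAP_PORT = 100000, 2, 111
PMAPPROC_GETPORT = 3
NFS_PROG, MOUNT_PROG = 100003, 100005
IPPROTO_TCP, IPPROTO_UDP = 6, 17
CALL, REPLY, MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 1, 0, 0, 0


def rpc_call(xid, prog, vers, proc, args):
    """RPC header: xid, CALL, rpc version 2, program, version, procedure, then cred and verf."""
    header = struct.pack("!IIIIII", xid, CALL, 2, prog, vers, proc)
    auth = struct.pack("!II", AUTH_NULL, 0) * 2     # AUTH_NULL credential and verifier
    return header + auth + args


def getport_request(prog, vers, proto, xid):
    """GETPORT args: program, version, protocol, port (0 in the request)."""
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                    struct.pack("!IIII", prog, vers, proto, 0))


def parse_getport_reply(data, expected_xid):
    """Returns the registered port, or 0 when program/version/protocol is not registered."""
    xid, mtype, reply_stat = struct.unpack("!III", data[:12])
    if xid != expected_xid:
        raise ValueError("reply xid does not match the request")
    if mtype != REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("call rejected")
    _, verf_len = struct.unpack("!II", data[12:20])
    pos = 20 + ((verf_len + 3) & ~3)                  # XDR pads opaque data to 4 bytes
    accept_stat, port = struct.unpack("!II", data[pos:pos + 8])
    if accept_stat != SUCCESS:
        raise ValueError(f"accept_stat {accept_stat}")
    return port


def query_portmapper(host, prog, vers, proto, timeout=2.0):
    """Live equivalent of `rpcinfo -p` for one program; not used by the offline test."""
    import socket
    xid = int.from_bytes(os.urandom(4), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(getport_request(prog, vers, proto, xid), (host, PMAP_PORT))
        data, _ = sock.recvfrom(1024)
    finally:
        sock.close()
    return parse_getport_reply(data, xid)


# Constructed reply, the way a portmapper answers "NFS v2 over UDP is on 2049":
# xid, REPLY, MSG_ACCEPTED, AUTH_NULL verifier (flavor 0, length 0), SUCCESS, port
SAMPLE_XID = 0x1234ABCD
SAMPLE_REPLY = struct.pack("!IIIIIII", SAMPLE_XID, REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS, 2049)


if __name__ == "__main__":
    req = getport_request(NFS_PROG, 2, IPPROTO_UDP, SAMPLE_XID)
    print(len(req), req.hex())
    print("nfs/udp port:", parse_getport_reply(SAMPLE_REPLY, SAMPLE_XID))
```

Checking the xid before trusting a reply is the only protection a UDP RPC client has against a spoofed answer, and an attacker who can see the request can copy it; RPC over TCP at least ties the reply to a connection.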
NFS related services in Linux include:
  • amd - Runs the automount daemon for automatic remote filesystem mounting such as NFS. It is especially worthwhile for working with removable media such as floppies or CD ROM disks.
  • autofs - The start, stop, and status script for the automount program used to configure mount points for automatic mounting of file systems.
  • nfs - Provides Network File System server services.
  • netfs - Mounts and unmounts Network File System (NFS), Windows (SMB), and Netware (NCP) file systems. The mount command is used to perform this operation and no daemon is run in the background.
The /etc/exports file is used to configure exported filesystems, including which hosts may mount each export and whether they get read-only or read-write access.

 http://www.comptechdoc.org/independent/networking/guide/netrpcnfs.html

BOOTP

BOOTP (Bootstrap Protocol) may be used to boot computers over a network. BOOTP messages are encapsulated inside UDP datagrams. The client's initial request is a broadcast, which routers do not forward, but a relay agent on the router (RFC 1542) can pass requests and replies between the client's subnet and a server elsewhere. BOOTP is defined by RFCs 951 and 1542. The drawing below illustrates the data encapsulation:

(Figure: BOOTP data encapsulation)

The diskless system reads its unique hardware address from its network interface card, then sends a BOOTP request. The table below shows the BOOTP packet format from most significant bit to least significant bit (300 bytes in all).

Bit range  Bits  Name                     Description
0-7        8     Op code                  Tells if the message is a BOOTP request or reply. Request=1, reply=2
8-15       8     Hardware type            Indicates the type of hardware (link level). A value of 1 indicates ethernet (6 is IEEE 802)
16-23      8     Hardware address length  Length in bytes of the hardware address. Ethernet addresses are 6 bytes long
24-31      8     Hop count                Initially set to 0. Incremented each time a relay agent forwards it
32-63      32    Transaction ID           A random number set by the client and returned by the server. Used to match replies with requests
64-79      16    Number of seconds        The time since the client started trying to bootstrap. Used to tell if a backup BOOTP server should respond
80-95      16    unused                   Not used by BOOTP (DHCP uses it as a flags field)
96-127     32    Client IP address        The client's IP address if it already knows it; in a request it is normally 0.0.0.0
128-159    32    Your IP address          The address assigned to the client. The server sets this in the reply
160-191    32    Server IP address        Filled in by the server
192-223    32    Gateway IP address       Address of the relay agent, if one forwarded the request
224-351    128   Client hardware address  Provided by the client (16 bytes, of which ethernet uses 6)
352-863    512   Server hostname          A null terminated string (64 bytes) optionally filled in by the server
864-1887   1024  Boot filename            A fully qualified boot file name with path information, null terminated (128 bytes). Supplied by the server
1888-2399  512   Vendor information       64 bytes used for various options to BOOTP including the subnet mask for the client
The BOOTP server uses port 67 and the BOOTP client uses port 68. The following is a brief explanation of what happens when a remote client boots:
  1. BOOTP request. The client sends a BOOTP request from 0.0.0.0 port 68 to 255.255.255.255 port 67 with its ethernet address and number of seconds fields filled in.
  2. BOOTP reply. The server responds with the client's IP address, the server's IP address (its own), and the IP address of a default gateway.
  3. ARP request. The client issues an ARP request for the IP address it just received to check that no other host is using it. It uses 0.0.0.0 as its own address.
  4. ARP request. The client waits 0.5 seconds and repeats the same ARP request.
  5. ARP request. The client waits another 0.5 seconds and repeats the ARP request with its own address as the sender's address (a gratuitous ARP that tells the other hosts its new hardware-to-IP mapping).
  6. BOOTP request. The client waits 0.5 seconds and sends another BOOTP request with its own IP address in the IP header.
  7. BOOTP reply. The server sends the same BOOTP reply it sent the last time.
  8. ARP request. The client sends an ARP request for the server's hardware address.
  9. ARP reply. The server replies with its own ethernet address.
  10. TFTP read request. The client sends a TFTP read request asking for the boot file named in the reply.

http://www.comptechdoc.org/independent/networking/guide/netbootpdhcp.html

DHCP

Dynamic Host Configuration Protocol (DHCP)

This protocol is used to assign IP addresses to hosts or workstations on the network. Usually a DHCP server on the network performs this function. Basically it "leases" out addresses for specific times to the various hosts. If a host does not use a given address for some period of time, that IP address can then be assigned to another machine by the DHCP server. When assignments are made or changed, the DHCP server must update the information in the DNS server.
As with BOOTP, DHCP uses the machine's ethernet (MAC) or hardware address, that is, the address of its NIC, to determine IP address assignments. The DHCP protocol is built on BOOTP and replaces BOOTP. DHCP extends the vendor specific area in BOOTP from 64 bytes to 312 bytes. RFC 1541 defines DHCP.

DHCP RFCs

DHCP RFCs are 1533, 1534, 1541, and 1542. Information sent from the DHCP server:
  • IP address
  • Netmask
  • Default gateway address
  • DNS server address(es)
  • NetBIOS Name Server (NBNS) address(es)
  • Lease period in hours
  • IP address of the DHCP server

DHCP Lease Stages

  1. Lease Request - The client sends a broadcast requesting an IP address.
  2. Lease Offer - The server sends the above information and marks the offered address as unavailable. The message sent is a DHCPOFFER broadcast message.
  3. Lease Acceptance - The first offer received by the client is accepted. The acceptance is sent from the client as a broadcast (DHCPREQUEST message) including the IP address of the DHCP server that sent the accepted offer. Other DHCP servers retract their offers, marking their offered addresses as available again and the accepted address as unavailable.
  4. Server Lease Acknowledgement - The server sends a DHCPACK, or a DHCPNACK if an unavailable address was requested.
DHCP discover message - The initial broadcast sent by the client to obtain a DHCP lease. It contains the client MAC address and computer name. This is a broadcast using 255.255.255.255 as the destination address and 0.0.0.0 as the source address. The request is sent, then the client waits one second for an offer. The request is repeated at 9, 13, and 16 second intervals with additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter.
The client uses its own port 68 as the source port with port 67 as the destination port on the server to send the request to the server. The server uses its own port 67 as the source port with port 68 as the destination port on the client to reply to the client. Therefore the server is listening and sending on its own port 67 and the client is listening and sending on its own port 68. This can be confusing when you consider which way the message is going. To be clear on this, I quote RFC 1531 which states "DHCP messages from a client to a server are sent to the 'DHCP server' port (67), and DHCP messages from a server to a client are sent to the 'DHCP client' port (68)"
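As an added example (not code from the original page), the following Python encodes and decodes the BOOTP message laid out in the table above, extended with the DHCP option area, and then runs the four lease stages in memory: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK, or DHCPNAK when the client asks for an address the server did not offer. Assumptions: field sizes follow RFC 951 (16-byte hardware address, 64-byte server name, 128-byte boot file, which differ from the bit counts in the table), hardware type 1 for Ethernet as assigned in RFC 1700, and the MAC address is the one from the sample configuration file below; the transaction id and lease length are constructed.

```python
import struct
from ipaddress import IPv4Address

# Fixed BOOTP header per RFC 951 (236 bytes): op, htype, hlen, hops, xid, secs,
# unused/flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER)
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # 99.130.83.99 opens the DHCP option area (RFC 2131)
BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET = 1                   # ARP hardware type 1 = 10Mb Ethernet (RFC 1700), an assumption
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
MSG_NAMES = {DISCOVER: "DHCPDISCOVER", OFFER: "DHCPOFFER", REQUEST: "DHCPREQUEST",
             ACK: "DHCPACK", NAK: "DHCPNAK"}


def build_packet(op, xid, chaddr, secs=0, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                 siaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Serialise one BOOTP/DHCP message; options is a sequence of (code, value bytes)."""
    packed = lambda a: IPv4Address(a).packed
    header = struct.pack(HEADER, op, HTYPE_ETHERNET, len(chaddr), 0, xid, secs, 0,
                         packed(ciaddr), packed(yiaddr), packed(siaddr), packed(giaddr),
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    vend = MAGIC_COOKIE + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"
    return header + vend.ljust(64, b"\0")   # the BOOTP vendor area is at least 64 bytes


def parse_packet(data):
    """Decode the fixed header and, when the magic cookie is present, the DHCP options."""
    if len(data) < HEADER_LEN:
        raise ValueError("short BOOTP packet")
    f = struct.unpack(HEADER, data[:HEADER_LEN])
    pkt = {"op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3], "xid": f[4], "secs": f[5],
           "ciaddr": str(IPv4Address(f[7])), "yiaddr": str(IPv4Address(f[8])),
           "siaddr": str(IPv4Address(f[9])), "giaddr": str(IPv4Address(f[10])),
           "chaddr": f[11][:f[2]], "options": {}}
    vend = data[HEADER_LEN:]
    if vend[:4] != MAGIC_COOKIE:
        return pkt                           # plain BOOTP: nothing more to walk
    i = 4
    while i < len(vend) and vend[i] != 255:  # 255 = end marker
        if vend[i] == 0:                     # 0 = one-byte pad
            i += 1
            continue
        if i + 1 >= len(vend) or i + 2 + vend[i + 1] > len(vend):
            raise ValueError("truncated DHCP option")   # never trust the length byte
        pkt["options"][vend[i]] = vend[i + 2:i + 2 + vend[i + 1]]
        i += 2 + vend[i + 1]
    return pkt


def lease_exchange(client_mac, server_ip, offered_ip, lease_secs, requested_ip=None):
    """Run the four lease stages in memory (no sockets) and return the client's result.
    The client requests requested_ip, by default the offered address; the server
    answers DHCPNAK when the requested address is not the one it offered."""
    xid = 0x3903F326                         # constructed transaction id
    sid = IPv4Address(server_ip).packed
    lease_opt = (OPT_LEASE_TIME, struct.pack("!I", lease_secs))
    trace = []

    def send(msg_type, **kw):                # build, then parse as the receiver would
        opts = [(OPT_MSG_TYPE, bytes([msg_type]))] + list(kw.pop("options", []))
        pkt = parse_packet(build_packet(xid=xid, chaddr=client_mac, options=opts, **kw))
        trace.append(MSG_NAMES[pkt["options"][OPT_MSG_TYPE][0]])
        return pkt

    # 1. Lease request: DHCPDISCOVER broadcast from 0.0.0.0:68 to 255.255.255.255:67
    send(DISCOVER, op=BOOTREQUEST)
    # 2. Lease offer: the server proposes offered_ip in yiaddr and identifies itself
    offer = send(OFFER, op=BOOTREPLY, yiaddr=offered_ip, siaddr=server_ip,
                 options=[(OPT_SERVER_ID, sid), lease_opt])
    if offer["xid"] != xid:                  # replies are matched to requests by xid
        raise ValueError("offer does not belong to our transaction")
    # 3. Lease acceptance: DHCPREQUEST names the chosen server (option 54) and address
    want = requested_ip or offer["yiaddr"]
    req = send(REQUEST, op=BOOTREQUEST,
               options=[(OPT_SERVER_ID, sid), (OPT_REQUESTED_IP, IPv4Address(want).packed)])
    # 4. Acknowledgement: DHCPACK, or DHCPNAK if the requested address is unavailable
    if req["options"][OPT_REQUESTED_IP] != IPv4Address(offered_ip).packed:
        send(NAK, op=BOOTREPLY)
        return {"messages": trace, "ip": None}
    ack = send(ACK, op=BOOTREPLY, yiaddr=offered_ip, siaddr=server_ip,
               options=[(OPT_SERVER_ID, sid), lease_opt])
    lease = struct.unpack("!I", ack["options"][OPT_LEASE_TIME])[0]
    return {"messages": trace, "ip": ack["yiaddr"], "server": server_ip, "lease": lease,
            "renew_at": lease // 2, "rebind_at": lease * 7 // 8}   # the 50% and 87.5% marks
```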

DHCP Lease Renewal

After 50% of the lease time has passed, the client will attempt to renew the lease with the original DHCP server that it obtained the lease from, using a DHCPREQUEST message. Any time the client boots and 50% or more of the lease has passed, the client will attempt to renew the lease. At 87.5% of the lease time, the client will attempt to contact any DHCP server for a new lease. If the lease expires, the client will send a request as in the initial boot when the client had no IP address. If this fails, the client TCP/IP stack will cease functioning.

DHCP Scope and Subnets

One DHCP scope is required for each subnet.

DHCP Relay Agents

Relay agents may be placed in two places:
  • Routers
  • Subnets that don't have a DHCP server, to forward DHCP requests.

Client Reservation

Client Reservation is used to be sure a computer gets the same IP address all the time. Therefore since DHCP IP address assignments use MAC addresses to control assignments, the following are required for client reservation:
  • MAC (hardware) address
  • IP address

Exclusion Range

Exclusion range is used to reserve a bank of IP addresses so that computers with static IP addresses, such as servers, may use the assigned addresses in this range. These addresses are not assigned by the DHCP server.

Sample DHCP Configuration File

On Linux, a sample DHCP server configuration file is:
subnet 192.168.199.0 netmask 255.255.255.0 {
# --- default gateway
 option routers   192.168.199.1;
 option subnet-mask  255.255.255.0;

 option nis-domain  "mynet.net";
 option domain-name  "mynet.net";
 option domain-name-servers 192.168.199.1;

 option time-offset  -18000; # Eastern Standard Time, given in seconds from UTC
# option ntp-servers  192.168.199.1;
# option netbios-name-servers 192.168.199.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;

 default-lease-time 1209600;  # 2 weeks
 max-lease-time 1814400;  # 3 weeks

 range 192.168.199.10 192.168.199.250;

 # we want the nameserver to appear at a fixed address
 host nameserver {
  next-server nameserver.mynet.net;
  hardware ethernet 00:10:4b:ca:db:b5;
  fixed-address 192.168.199.1;
 }
}
This demonstrates that the IP addresses are based on lease times to the various clients. If they are not used within the period of their lease time by the client, those IP addresses are freed up for use by other clients.

http://www.comptechdoc.org/independent/networking/guide/netdhcp.html

Virtual Private Networking

If you've understood most of this document so far, the principles of Virtual private networking (VPN) will be easy to understand. The most confusing part of VPN is that many acronyms show up. This is partly because VPN requires data encryption to be "private" and there are many encryption techniques and terms. Also there are many complicated security issues relating to VPN concerning encryption and user authentication. This section will first explain the concept and methodology behind VPN, then explain some of the acronyms. I can't explain them all, there will be more tomorrow. 

Purpose of VPN

The function of VPN is to allow two computers or networks to talk to each other over a transport medium that is not secure. To do this VPN uses a computer at each of the two or more points on the various ends of the transport medium, such as the internet. Each point at the end of the transport medium (internet) is called a point of presence (POP). In this example, the transport medium is the internet. In the example below our company "Boats and More, Inc." has four offices: one each in Boston, St Petersburg, Seattle, and San Diego. The owner wants a networking setup so he can access any of the 4 network locations at any time through the internet. He wants his data secure since some of it is confidential. His offices are set up on networks 10.1.x.x, 10.2.x.x, 10.3.x.x, and 10.4.x.x. Each of the four networks, when it needs to send a data packet to one of the other networks, will route its data packet to its respective router, A, B, C, or D. For example, if a computer on the 10.1.x.x network in Boston needs to send a packet to a computer with address 10.3.6.1 on the 10.3.x.x network in San Diego, it will send its packet to its router, A. Since the network number 10.x.x.x is reserved for private use, router A cannot simply send the packet onto the internet with 10.3.6.1 as its destination address, because the routers on the internet will not recognize this address as a valid destination. IP masquerading won't solve this problem since the computer on the other end would have no way of knowing that a packet it didn't send was a masqueraded packet. Tunneling is the technique used to solve this problem.

VPN Points of Presence


Tunneling means that the complete IP packet to be sent from Boston to San Diego must be encapsulated into another IP packet. This new packet will have a legal internet IP address. Therefore, machine A will take the packet it needs to route (already has destination address 10.3.6.1) and roughly the following will happen:
  1. Machine A will extract the IP packet.
  2. Machine A will encrypt the packet.
  3. Machine A will wrap the original IP packet in a new IP packet with destination address 201.47.98.101, which is machine C's true internet address.
  4. Machine A will wrap the new IP packet in an ethernet packet and send it to the network.
  5. The packet will be routed through the internet until it reaches machine C.
  6. Machine C will extract the outer IP packet.
  7. Machine C will determine that the IP packet contains another IP packet and extract it.
  8. Machine C will decrypt the packet.
  9. Machine C will examine the destination address of the inner IP packet, wrap it in an ethernet packet with the correct ethernet address, and send it to the internal network on its port 10.3.1.1. 
This description is simplistic, but it is essentially what happens. It does not account for authentication, or for being sure that machine C had the authority or ability to decrypt the packet. Therefore VPN can be examined in two main functional areas: the tunneling mechanism and the security mechanisms.
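As an added illustration of steps 1 through 9 (not code from the original page), the following Python builds the inner packet addressed to 10.3.6.1, wraps it in an outer IP-in-IP packet addressed to machine C at 201.47.98.101, and unwraps it at C. A keyed HMAC-SHA256 tag stands in for the security layer so that a packet altered in transit is dropped at step 8; encryption for confidentiality is left out. Machine A's public address 198.51.100.10 (from the RFC 5737 documentation range), the shared key and the payload are constructed placeholders.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address, IPv4Network

IPPROTO_TCP, IPPROTO_IPIP = 6, 4    # protocol 4 = an IP packet carried inside IP
TAG_LEN = 32                        # HMAC-SHA256 tag appended to the tunnelled packet


def ip_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt):
    """Check version, header length, checksum and total length before trusting any field."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad header length")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total = struct.unpack("!H", pkt[2:4])[0]
    if total < ihl or total > len(pkt):
        raise ValueError("bad total length")
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "proto": pkt[9], "ttl": pkt[8], "payload": pkt[ihl:total]}


def tunnel_encapsulate(inner, key, gateway_src, gateway_dst):
    """Steps 2-3 at machine A: tag the private packet, then wrap it in a routable outer packet.
    The keyed HMAC stands in for the security layer; a real VPN also encrypts the body."""
    tag = hmac.new(key, inner, hashlib.sha256).digest()
    return build_ipv4(gateway_src, gateway_dst, IPPROTO_IPIP, inner + tag)


def tunnel_decapsulate(outer, key, gateway_ip, local_net):
    """Steps 6-9 at machine C: unwrap, verify the tag, and only then trust the inner packet."""
    o = parse_ipv4(outer)
    if o["dst"] != gateway_ip:
        raise ValueError("outer packet is not addressed to this gateway")
    if o["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet does not carry an encapsulated IP packet")
    if len(o["payload"]) < 20 + TAG_LEN:
        raise ValueError("tunnel payload too short")
    body, tag = o["payload"][:-TAG_LEN], o["payload"][-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed, packet dropped")   # altered, or wrong key
    inner = parse_ipv4(body)
    if IPv4Address(inner["dst"]) not in IPv4Network(local_net):
        raise ValueError("inner destination is not on this gateway's network")
    return inner


def on_public_internet(addr):
    """Why tunnelling is needed at all: 10.x.x.x and other private addresses are not routable."""
    return not IPv4Address(addr).is_private
```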

VPN tunneling Protocols

The list below describes the tunneling protocols which may be used for VPN.
  • L2F - Layer 2 Forwarding, works at the link layer of the OSI model. It has no encryption. Being replaced by L2TP.
  • PPTP - Point-to-Point Tunneling Protocol (RFC 2637) works at the link layer. No encryption or key management is included in the specification.
  • L2TP - Layer 2 Tunneling Protocol (RFC 2661) combines features of L2F and PPTP and works at the link layer. No encryption or key management is included in the specification.
  • IPSec - Internet Protocol Security, developed by the IETF, implemented at layer 3. It is a collection of security measures that address data privacy, integrity, authentication, and key management, in addition to tunneling. Does not cover key management.
  • SOCKS - handled at the application layer.

VPN Security

In addition to tunneling, VPN needs to provide for authentication, confidentiality, data integrity and key management. This is important if you need to keep the data going across the transmission medium secret. The capability of sending the data is easy, but the security measures necessary make VPN a much more complex subject. Security functions that must be covered are:
  • Authentication - Making sure the data is from where it is supposed to be from.
  • Confidentiality - Keeping any third parties from reading or understanding the data.
  • Data integrity - Being sure the data received was not changed by a third party and that it is correct.
  • Access control - Keeping third parties without authorization from getting access to your data or network.
Essentially the part of the system that must make the data secure, must encrypt the data and provide a method to decrypt the data. There are many different encryption formulas, but typically handling of decryption is usually done by providing a "key" to the party that must decrypt the data. Keys are secrets shared between two parties, that allow one party to pass encrypted information from one to the other without third parties being able to read it. It is similar to a house or car key that allows only members of your family to enter the house or use the car. Keys are a digital code that will allow the second party to decrypt the data. The digital code must be long enough to keep any third parties from being able to break the code by guessing. Key management can be a complex subject since there are many ways to implement it, but it needs to be secure so no third party gets, intercepts, or guesses the key.
There are many different protocols used to support each of the above functions. Each have various advantages and disadvantages including the fact that some are more secure than others. If you are going to use VPN as a data exchange method, and you want secure data, you or someone on your staff had better know what they're doing (Knowledge of the strengths and weaknesses of the protocols and how to implement them properly), or sooner or later, you may get burned. 

Managing User Access Rights and Key Management or Authentication Systems

Two key management protocols are:
  1. RADIUS - Remote Authentication Dial-In User Service is used for dial in clients to connect to other computers or a network. It provides authentication and accounting when using PPTP or L2TP tunneling.
  2. ISAKMP/Oakley - Internet Security Association and Key Management Protocol. Authentication uses one of the following three attributes to authenticate users:
    1. Something you have, such as a key.
    2. Something you know, such as a secret.
    3. Something you are, such as your fingerprint.
    More than one means of authentication is recommended for stronger security.

VPN terms

VPN Protocols:
  • PPTP - Point to point tunneling protocol (RFC 2637)
  • L2TP - Layer 2 tunneling protocol (RFC 2661)
  • IPIP tunneling - Tunneling IP packets in IP packets.
Encryption protocols, methods and terms:
  • CIPE - Crypto IP Encapsulation
  • SSL - Secure sockets layer
  • IPSEC - Internet protocol security
Authentication Protocols:
  • PAP - Password Authentication Protocol is a two way handshake protocol designed for use with PPP.
  • CHAP - Challenge Handshake Authentication Protocol is a three way handshake protocol which is considered more secure than PAP.
  • TACACS - Offers authentication, accounting, and authorization.
  • S/Key - A one time password system, secure against replays. RFC 2289.
Projects and software:
  • SWAN - Secure wide area network
  • PoPToP - Point to point tunneling protocol server.
http://www.comptechdoc.org/independent/networking/guide/netvpn.html


Domain Name Service

Host Names

Domain Name Service (DNS) is the service used to convert human readable names of hosts to IP addresses. Host names are not case sensitive and can contain alphabetic or numeric letters or the hyphen. Avoid the underscore. A fully qualified domain name (FQDN) consists of the host name plus domain name as in the following example: 

computername.domain.com 

The part of the system sending the queries is called the resolver and is the client side of the configuration. The nameserver answers the queries. Read RFCs 1034 and 1035. These contain the bulk of the DNS information and are superseded by RFCs 1535-1537. Naming is in RFC 1591. The main function of DNS is the mapping of IP addresses to human readable names.

Three main components of DNS
  1. resolver
  2. name server
  3. database of resource records(RRs) 

Domain Name System

The Domain Name System (DNS) is basically a large database which resides on various computers and it contains the names and IP addresses of various hosts on the internet and various domains. The Domain Name System is used to provide information to the Domain Name Service to use when queries are made. The service is the act of querying the database, and the system is the data structure and data itself. The Domain Name System is similar to a file system in Unix or DOS starting with a root. Branches attach to the root to create a huge set of paths. Each branch in the DNS is called a label. Each label can be 63 characters long, but most are less. Each text word between the dots can be 63 characters in length, with the total domain name (all the labels) limited to 255 bytes in overall length. The domain name system database is divided into sections called zones. The name servers in their respective zones are responsible for answering queries for their zones. A zone is a subtree of DNS and is administered separately. There are multiple name servers for a zone. There is usually one primary nameserver and one or more secondary name servers. A name server may be authoritative for more than one zone.

DNS names are assigned through the Internet Registries by the Internet Assigned Numbers Authority (IANA). The domain name is a name assigned to an internet domain. For example, mycollege.edu represents the domain name of an educational institution. The names microsoft.com and 3Com.com represent the domain names of those commercial companies. Naming hosts within the domain is up to the individuals who administer that domain.
Access to the Domain name database is through a resolver which may be a program or part of an operating system that resides on users workstations. In Unix the resolver is accessed by using the library functions "gethostbyname" and "gethostbyaddr". The resolver will send requests to the name servers to return information requested by the user. The requesting computer tries to connect to the name server using its IP address rather than the name. 

Structure and message format

The drawing below shows a partial DNS hierarchy. At the top is what is called the root and it is the start of all other branches in the DNS tree. It is designated with a period. Each branch moves down from level to level. When referring to DNS addresses, they are referred to from the bottom up with the root designator (period) at the far right. Example: "myhost.mycompany.com.".

Partial DNS Hierarchy


DNS is hierarchical in structure. A domain is a subtree of the domain name space. From the root, the assigned top-level domains in the U.S. are:
  • GOV - Government body.
  • EDU - Educational body.
  • INT - International organization
  • NET - Networks
  • COM - Commercial entity.
  • MIL - U. S. Military.
  • ORG - Any other organization not previously listed.
Outside this list are top level domains for various countries.


Each node on the domain name system is separated by a ".". Example: "mymachine.mycompany.com.". Note that any name ending in a "." is an absolute domain name since it goes back to root.


DNS Message format:


Bits | Name | Description
0-15 | Identification | Used to match responses to requests. Set by client and returned by server.
16-31 | Flags | Tells if query or response, type of query, if authoritative answer, if truncated, if recursion desired, and if recursion is available.
32-47 | Number of questions |
48-63 | Number of answer RRs |
64-79 | Number of authority RRs |
80-95 | Number of additional RRs |
96-?? | Questions (variable length) | There can be a variable number of questions sent.
??-?? | Answers (variable length) | Answers are a variable number of resource records.
??-?? | Authority (variable length) |
??-?? | Additional information (variable length) |

Question format includes query name, query type and query class. The query name is the name being looked up. The query class is normally 1 for internet address. The query types are listed in the table below. They include NS, CNAME, A, etc.

The answers, authority and additional information are in resource record (RR) format which contains the following.
  1. Domain name
  2. Type - One of the RR codes listed below.
  3. Class - Normally indicates internet data which is a 1.
  4. Time to live field - The number of seconds the RR is saved by the client.
  5. Resource data length specifies the amount of data. The data is dependent on its type such as CNAME, A, NS or others as shown in the table below. If the type is "A" the data is a 4 byte IP address. 
The table below shows resource record types:

Type | RR value | Description
A | 1 | Host's IP address
NS | 2 | Host's or domain's name server(s)
CNAME | 5 | Host's canonical name, host identified by an alias domain name
PTR | 12 | Host's domain name, host identified by its IP address
HINFO | 13 | Host information
MX | 15 | Host's or domain's mail exchanger
AXFR | 252 | Request for zone transfer
ANY | 255 | Request for all records
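As an added example (not code from the original page), the following Python encodes and decodes the DNS message format and resource record layout described above: the header flags, the question, and A, NS, CNAME, PTR and MX records with the type values from the table. Name compression pointers are followed with bounds checks and a hop limit, so a malformed message with a pointer loop is rejected instead of hanging the parser. The names and addresses in the test are taken from the zone file example further down; the message ids are constructed.

```python
import struct
from ipaddress import IPv4Address

RR_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "HINFO": 13, "MX": 15, "AXFR": 252, "ANY": 255}
RR_NAMES = {v: k for k, v in RR_TYPES.items()}
CLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Wire form: length-prefixed labels of at most 63 bytes, 255 in all, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    if len(out) + 1 > 255:
        raise ValueError("name exceeds 255 bytes")
    return out + b"\0"


def decode_name(msg, off):
    """Return (name, offset past the name); follows compression pointers with bounds checks and a hop cap."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # top two bits set: pointer to an earlier name
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            end = off + 2 if end is None else end
            hops += 1
            if hops > 16:                    # a pointer loop would otherwise spin forever
                raise ValueError("too many compression pointers")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if n == 0:
            return ".".join(labels) + ".", (end if end is not None else off + 1)
        if off + 1 + n > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(ident, name, rtype="A"):
    """Standard query: 12-byte header with RD set, one question, no other sections."""
    return (struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", RR_TYPES[rtype], CLASS_IN))


def build_response(query, answers, authoritative=True):
    """Answer `query` with (name, type, ttl, data) records; a name equal to the question name becomes a pointer to offset 12."""
    ident, _, qd = struct.unpack("!HHH", query[:6])
    qname, qend = decode_name(query, 12)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AA if authoritative else 0)
    out = struct.pack("!HHHHHH", ident, flags, qd, len(answers), 0, 0) + query[12:qend + 4]
    for name, rtype, ttl, data in answers:
        out += b"\xc0\x0c" if name == qname else encode_name(name)
        if rtype == "A":
            rdata = IPv4Address(data).packed
        elif rtype == "MX":
            rdata = struct.pack("!H", data[0]) + encode_name(data[1])
        else:                                # NS, CNAME and PTR carry a domain name
            rdata = encode_name(data)
        out += struct.pack("!HHIH", RR_TYPES[rtype], CLASS_IN, ttl, len(rdata)) + rdata
    return out


def parse_message(msg):
    """Decode the header, the questions and the three resource record sections."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": ident, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
           "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
           "rcode": flags & 0xF, "questions": [], "answers": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        rtype, rclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append({"name": name, "type": RR_NAMES.get(rtype, rtype), "class": rclass})
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if off + rdlen > len(msg):
                raise ValueError("rdata runs past end of message")
            if rtype == 1 and rdlen == 4:
                data = str(IPv4Address(msg[off:off + 4]))
            elif rtype in (2, 5, 12):        # decode in place: rdata names may use pointers
                data = decode_name(msg, off)[0]
            elif rtype == 15:
                data = (struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0])
            else:
                data = msg[off:off + rdlen]
            out[section].append({"name": name, "type": RR_NAMES.get(rtype, rtype), "ttl": ttl, "data": data})
            off += rdlen
    return out
```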

Usage and file formats

If a domain name is not found when a query is made, the server may search for the name elsewhere and return the information to the requesting workstation, or return the address of a name server that the workstation can query to get more information. There are special servers on the Internet that provide guidance to all name servers. These are known as root name servers. They do not contain all information about every host on the Internet, but they do prov
ide direction as to where domains are located (the IP address of the name server for the uppermost domain a server is requesting). The root name server is the starting point to find any domain on the Internet.

Name Server Types

There are three types of name servers:
  1. The primary master builds its database from files that were preconfigured on its hosts, called zone or database files. The name server reads these files and builds a database for the zone it is authoritative for.
  2. Secondary masters can provide information to resolvers just like the primary masters, but they get their information from the primary. Any updates to the database are provided by the primary.
  3. Caching name server - It gets all its answers to queries from other name servers and saves (caches) the answers. It is a non-authoritative server.
The caching-only name server generates no zone transfer traffic. A DNS server that can communicate outside of the private network to resolve a DNS name query is referred to as a forwarder.

DNS Query Types

There are two types of queries issued:
  1. Recursive queries received by a server force that server to find the information requested or post a message back to the querier that the information cannot be found.
  2. Iterative queries allow the server to search for the information and pass back the best information it knows about. This is the type that is used between servers. Clients use the recursive query.
  3. Reverse - The client provides the IP address and asks for the name. In other queries the name is provided, and the IP address is returned to the client. The reverse lookup zone for the network 192.168.100.0 is "100.168.192.in-addr.arpa".
Generally (but not always), a server-to-server query is iterative and a client-resolver-to-server query is recursive. You should also note that a server can be queried or it can be the one placing a query. Therefore, a server contains both the server and client functions. A server can transmit either type of query. If it is handed a recursive query from a remote source, it must transmit other queries to find the specified name, or send a message back to the originator of the query that the name could not be found.

DNS Transport protocol

DNS resolvers first attempt to use UDP for transport, then use TCP if UDP fails.

The DNS Database

A database is made up of records and the DNS is a database. Therefore, common resource record types in the DNS database are:
  • A - Host's IP address. Address record allowing a computer name to be translated into an IP address. Each computer must have this record for its IP address to be located. These names are not assigned for clients that have dynamically assigned IP addresses, but are a must for locating servers with static IP addresses.
  • PTR - Host's domain name, host identified by its IP address
  • CNAME - Host's canonical name allows additional names or aliases to be used to locate a computer.
  • MX - Host's or domain's mail exchanger.
  • NS - Host's or domain's name server(s).
  • SOA - Indicates authority for the domain
  • TXT - Generic text record
  • SRV - Service location record
  • RP - Responsible person
  • HINFO - Host information record with CPU type and operating system.
When a resolver requests information from the server, the DNS query message indicates one of the preceding types.

DNS Files

  • CACHE.DNS - The DNS Cache file. This file is used to resolve internet DNS queries. On Windows systems, it is located in the WINNTROOT\system32\DNS directory and is used to configure a DNS server to use a DNS server on the internet to resolve names not in the local domain. 

Example Files

Below is a partial explanation of some records in the database on a Linux based system. The reader should view this information because it explains some important DNS settings that are common to all DNS servers. An example /var/named/db.mycompany.com.hosts file is listed below.

mycompany.com.  IN SOA mymachine.mycompany.com. root.mymachine.mycompany.com. (
  1999112701           ; Serial number: date plus a two digit counter, YYYYMMDDNN
  10800                ; Refresh in seconds (3 hours; 28800 would be 8 hours)
  3600                 ; Retry in seconds (1 hour; 7200 would be 2 hours)
  604800               ; Expire in seconds (1 week)
  86400 )              ; Minimum TTL in seconds (24 hours)
mycompany.com.                IN NS mymachine.mycompany.com.
mycompany.com.                IN MX  10  mailmachine.mycompany.com.
mymachine.mycompany.com.      IN A 10.1.0.100
mailmachine.mycompany.com.    IN A 10.1.0.4
george.mycompany.com.         IN A 10.1.3.16

A Line by line description is as follows:
  1. The entries on this line are:
    1. mycompany.com. - Indicates this server is for the domain mycompany.com.
    2. IN - Indicates Internet Name.
    3. SOA - Indicates this server is the authority for its domain, mycompany.com.
    4. mymachine.mycompany.com. - The primary nameserver for this domain.
    5. root.mymachine.mycompany.com. - The person to contact for more information.
    The lines in the parenthesis, listed below, are for the secondary nameserver(s) which run as slave(s) to this one (since it is the master).
  2. 1999112701 - Serial number - If less than master's SN, the slave will get a new copy of this file from the master.
  3. 10800 - Refresh - The time in seconds between when the slave compares this file's SN with the master.
  4. 3600 - Retry - The time the server should wait before asking again if the master fails to respond to a file update (SOA request).
  5. 604800 - Expire - Time in seconds the slave server can respond even though it cannot get an updated zone file.
  6. 86400 - TTL - The time to live (TTL) in seconds that a resolver will use data received from a nameserver before it will ask for the same data again.
  7. This line is the nameserver resource record. There may be several of these if there are slave name servers.
    mycompany.com.                IN NS mymachine.mycompany.com.
    Add any slave server entries below this like:
    mycompany.com.                IN NS ournamesv1.mycompany.com.
    mycompany.com.                IN NS ournamesv2.mycompany.com.
    mycompany.com.                IN NS ournamesv3.mycompany.com.
  8. This line indicates the mailserver record.
    mycompany.com.                IN MX  10  mailmachine.mycompany.com.
    There can be several mailservers. The numeric value on the line indicates the preference or precedence for the use of that mail server. A lower number indicates a higher preference. The range of values is from 0 to 65535. To enter more mailservers, enter a new line for each one similar to the nameserver entries above, but be sure to set the preferences value correctly, at different values for each mailserver.
  9. The rest of the lines are the name to IP mappings for the machines in the organization. Note that the nameserver and mailserver are listed here with IP addresses along with any other server machines required for your network.
    mymachine.mycompany.com.      IN A 10.1.0.100
    mailmachine.mycompany.com.    IN A 10.1.0.4
    george.mycompany.com.         IN A 10.1.3.16
Domain names written with a dot on the end are absolute names which specify a domain name exactly as it exists in the DNS hierarchy from the root. Names not ending with a dot may be a subdomain to some other domain.
Aliases are specified in lines like the following, with the alias on the left and the canonical name (the name that owns the A record) on the right; a name cannot be both a CNAME and the owner of other records:
nameserver.mycompany.com.  IN  CNAME  mymachine.mycompany.com.
dataserver.mycompany.com.  IN  CNAME  george.mycompany.com.
engserver.mycompany.com.   IN  CNAME  Linux1.mycompany.com.
mailserver.mycompany.com.  IN  CNAME  Linux2.mycompany.com.
When a client (resolver) sends a request and the nameserver finds a CNAME record for the requested name, it replaces the requested name with the canonical name from the CNAME record, then finds the address of that canonical name and returns it to the client.
A host that has more than one network card which is set to address two different subnets can have more than one address for a name.
mymachine.mycompany.com  IN  A  10.1.0.100  
    IN  A  10.1.1.100  
When a client queries the nameserver for the address of a multi homed host, the nameserver will return the address that is closest to the client address. If the client is on a different network than both the subnet addresses of the multi homed host, the server will return both addresses.

For more information on practical application of DNS, read the DNS section of the Linux User's Guide.

http://www.comptechdoc.org/independent/networking/guide/netdns.html

Firewalls

Firewalls are mainly used as a means to protect an organization's internal network from those on the outside (the internet). They are used to keep outsiders from gaining access to secrets or from doing damage to internal computer systems. Firewalls are also used to limit the access of individuals on the internal network to services on the internet, along with keeping track of what is done through the firewall. Please note the difference between firewalls and routers as described in the second paragraph of the IP Masquerading section.

Firewall between Internet and Network

Types of Firewalls

  1. Packet Filtering - Blocks selected network packets.
  2. Circuit Level Relay - SOCKS is an example of this type of firewall. This type of proxy is not aware of applications but just cross-links your connections to another outside connection. It can log activity, but not in as much detail as an application proxy. It only works with TCP connections, and doesn't provide for user authentication.
  3. Application Proxy Gateway - The users connect to the outside using the proxy. The proxy gets the information and returns it to the user. The proxy can record everything that is done. This type of proxy may require a user login to use it. Rules may be set to allow some functions of an application to be done and other functions denied. The "get" function may be allowed in the FTP application, but the "put" function may not. 

Proxy Servers can be used to perform the following functions.
  • Control outbound connections and data.
  • Monitor outbound connections and data.
  • Cache requested data which can increase system bandwidth performance and decrease the time it takes for other users to read the same data. 
Application proxy servers can perform the following additional functions:
  • Provide for user authentication.
  • Allow and deny application specific functions.
  • Apply stronger authentication mechanisms to some applications. 

Packet Filtering Firewalls

In a packet filtering firewall, data is forwarded based on a set of firewall rules. This firewall works at the network level. Packets are filtered by type, source address, destination address, and port information. These rules are similar to the routing rules explained in an earlier section and may be thought of as a set of instructions similar to a case statement or if statement. This type of firewall is fast, but cannot allow access to a particular user since there is no way to identify the user except by using the IP address of the user's computer, which may be an unreliable method. Also the user does not need to configure any software to use a packet filtering firewall such as setting a web browser to use a proxy for access to the web. The user may be unaware of the firewall. This means the firewall is transparent to the client. 

Circuit Level Relay Firewall

A circuit level relay firewall is also transparent to the client. It listens on a port such as port 80 for http requests and redirects the request to a proxy server running on the machine. Basically, the redirect is set up using ipchains, and the proxy then filters the packet at the port that received the redirect. 

Configuring a Proxy Server

The following packages are available in Linux:
  • Ipchains - Packet filtering supported by the Linux kernel, soon to be replaced by netfilter. It comes with Linux and is used to modify the kernel packet routing tables.
  • SOCKS - Circuit Switching firewall. Normally doesn't come with Linux, but is free.
  • Squid - A circuit switching proxy. Normally comes with Linux.
  • Juniper Firewall Toolkit - A firewall toolkit product used to build a firewall. It uses transparent filtering, and is circuit switching. It is available as open source.
  • The TIS Firewall Toolkit (FWTK) - A toolkit that comes with application level proxies. The applications include Telnet, Rlogin, SMTP mail, FTP, http, and X Windows. It can also perform as a transparent proxy for other services.

Ipchains and Linux Packet filtering

For complete information on the use of ipchains and setting up a firewall, see the following Linux how-tos:
  • IPCHAINS-HOWTO
  • Firewall-HOWTO
  • IP-Masquerade-HOWTO 

Some of the information in this section is based on these how-tos. This section summarizes, in simple steps, some of the items you will be required to perform to set up a firewall. It is not meant as a replacement for the Linux how-to documents, but as a complement to them, giving an overview of what must be done. You may access the how-tos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these how-tos.
The administration of data packet management is controlled by the kernel. Therefore, to provide support for things like IP masquerading, packet forwarding, and port redirects, the support must be compiled into the kernel. The kernel contains a series of tables, each containing zero or more rules. Each table is called a chain. A chain is a sequence of rules. Each rule contains two items.
  1. Characteristics - Characteristics such as source address, destination address, protocol type (UDP, TCP, ICMP), and port numbers.
  2. Instructions - Instructions are carried out if the rule characteristics match the data packet. 

The kernel filters each data packet for a specific chain. For instance when a data packet is received, the "input" chain rules are checked to determine the acceptance policy for the data packet. The rules are checked starting with the first rule (rule 1). If the rule characteristics match the data packet, the associated rule instruction is carried out. If they don't match, the next rule is checked. The rules are sequentially checked, and if the end of the chain is reached, the default policy for the chain is returned.
Chains are specified by name. There are three chains that are available and can't be deleted. They are:
  1. Input - Regulates acceptance of incoming data packets.
  2. Forward - Defines permissions to forward packets that have another host as a destination.
  3. Output - Permissions for sending packets. 
Each rule has a branch name or policy. Policies are listed below:
  • ACCEPT - Accept the data packet.
  • REJECT - Drop the packet, but send an ICMP message indicating the packet was refused.
  • DENY - Drop and ignore the packet.
  • REDIRECT - Redirect to a local socket (input chain rules only), even if the packet is addressed to a remote host. This applies to TCP or UDP packets.
  • MASQ - Sets up IP masquerading. Works on TCP or UDP packets.
  • RETURN - The next rule in the previous calling chain is examined. 
You can create additional chains and then add rules to them. The commands used to modify chains are as follows:
  • -N Create a new chain
  • -X Delete an empty chain
  • -L List the rules in the chain
  • -P Change the policy for a chain
  • -F Flush=Delete all the rules in a chain
  • -Z Zero the packet and byte counters in all chains
Commands to manipulate rules inside the chain are:
  • -A Append a new rule to a chain.
  • -I Insert a new rule at some position in a chain.
  • -R Replace a rule at some position in a chain.
  • -D Delete a rule at some position in a chain.
  • Options for masquerading:
    • -M with -L to list the currently masqueraded connections.
    • -M with -S to set the masquerading timeout values.
ipchains options for setting rule specifications: 

  • -s Source
  • -d Destination
  • -p Protocol=tcp, udp, icmp, all or a name from /etc/protocols
  • -j Jump target, Specifies the target of the rule. The target can be a user defined chain, but not the one this rule is in.
  • -i Interface=Name of the interface the packet is received on or the interface where the packet will be sent
  • -t Mask used to modify the type of service (TOS) field in the IP header. This option is followed by two values, the first one is and'ed with the TOS field, and the second is exclusive or'ed. The masks are eight bit hexadecimal values. An example of use is "ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10" These bits are used to set priority. See the section on IP message formats.
  • -f Fragment
When making changes to firewall rules, it is a good idea to deny all packets prior to making changes with the following three commands: 

ipchains -I input 1 -j DENY
ipchains -I output 1 -j DENY
ipchains -I forward 1 -j DENY 

These commands insert a rule at position 1 that denies all packets for input, output, and forwarding. This is done so that no unauthorized packets are let through while you make the changes. When your changes have been completed, you need to remove the rules at position 1 with the following commands:

ipchains -D input 1
ipchains -D output 1
ipchains -D forward 1

Examples of the use of ipchains to allow various services

Create a new chain:
ipchains -N chainame
The option "-N" creates the chain. 

Add the chain to the input chain:
ipchains -A input -j chainame 

Allow connections to outside http servers from inside our network:
ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.0.0/16 1024:" specifies any traffic on network 10.1.0.0 at port 1024 or above. The "-d 0.0.0.0/0 www" specifies any destination for www service (in the /etc/services file) and the "-j ACCEPT" sets the rule to accept the traffic. 

Allow connections from the internet to connect with your http server:
ipchains -A chainame -s 0.0.0.0/0 www -d 10.1.1.36 1024: -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0.0.0.0/0 www" specifies traffic from any source for www service. The "-d 10.1.1.36 1024:" specifies the http server at IP address 10.1.1.36 at ports above 1024 and the "-j ACCEPT" sets the rule to accept the traffic. 

Allow DNS to go through the firewall:
ipchains -A chainame -p UDP -s 0/0 dns -d 10.1.0.0/16 -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-p UDP" specifies the UDP protocol. The "-s 0/0 dns" specifies DNS traffic from any location. The "-d 10.1.0.0/16" specifies our network and the "-j ACCEPT" sets the rule to accept the traffic. This allows the replies to DNS queries made from computers inside our network to be received.
Allow e-mail to go from our internal mail server to mail servers outside the network:
ipchains -A chainame -s 10.1.1.24 -d 0/0 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 10.1.1.24" specifies any traffic from 10.1.1.24 IP address. The "-d 0/0 smtp" specifies any smtp type of service going anywhere and the "-j ACCEPT" sets the rule to accept the traffic.
Allow e-mail to come from any location to our mail server:
ipchains -A chainame -s 0/0 smtp -d 10.1.1.24 smtp -j ACCEPT
The "-A chainame" adds a rule to the chain called "chainame". The "-s 0/0 smtp" specifies mail traffic from anywhere. The "-d 10.1.1.24 smtp" specifies mail traffic going to our mail server and the "-j ACCEPT" sets the rule to accept the traffic.
Perform a HTTP port redirect for a transparent proxy server:
ipchains -A input -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080
The "-A input" adds a rule to the input chain. The "-p tcp" specifies the protocol TCP. The "-s 10.1.0.0/16" specifies the source as a network with netmask 255.255.0.0. The "-d 0/0" specifies a destination of anywhere. The number 80 is the HTTP port number, and the command "-j REDIRECT 8080" redirects the traffic to port 8080.
Give telnet transmissions a higher priority:
ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
The bits at the end of the line specified in hexadecimal format are used to set the priority of the IP message on the network. The first value is and'ed with the TOS field in the IP message header, and the second value is exclusive or'ed. See the section on IP message formats for more information.
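The chain traversal described earlier (first match decides, -j into a user chain, RETURN, default policy at the end of a built-in chain) and this section's example rules, as a small simulator that applies the ipchains command lines and returns a verdict for sample packets. This is an added example, not code from the page or from ipchains; it assumes a constructed service table in place of /etc/services and models only -N, -P, -A, -I, -D, -s, -d, -p and -j. It inserts the HTTP redirect at the top of input rather than appending it, because appended after the jump it is never reached for web traffic that chainame has already accepted.

```python
import ipaddress
import shlex

SERVICES = {"www": 80, "dns": 53, "smtp": 25}    # constructed stand-in for /etc/services

def port_range(tok):          # 'www' -> (80, 80); '1024:' -> (1024, 65535); '80' -> (80, 80)
    if tok in SERVICES:
        return (SERVICES[tok], SERVICES[tok])
    lo, sep, hi = tok.partition(":")
    return (int(lo or 0), int(hi) if hi else (65535 if sep else int(lo)))

def matches(r, p):            # packet p: proto, src, dst and, for TCP/UDP, sport/dport
    if r["proto"] not in ("all", p["proto"]) or any(
            r[k] is not None and ipaddress.ip_address(p[k]) not in r[k] for k in ("src", "dst")):
        return False
    return all(r[k] is None or (k in p and r[k][0] <= p[k] <= r[k][1]) for k in ("sport", "dport"))

class Firewall:
    def __init__(self):
        self.chains = {c: [] for c in ("input", "forward", "output")}
        self.policy = {c: "ACCEPT" for c in self.chains}   # ipchains' initial default policy

    def run(self, cmd):       # apply one ipchains command; only -N -P -A -I -D -s -d -p -j modelled
        t = shlex.split(cmd)[1:]
        if t[0] == "-P":                                    # default policy of a built-in chain
            self.policy[t[1]] = t[2]
            return
        op, chain, rest = t[0], t[1], t[2:]
        pos = int(rest.pop(0)) if rest and rest[0].isdigit() else 1   # -I defaults to position 1
        rule = dict(proto="all", src=None, sport=None, dst=None, dport=None, target="")
        while rest:
            flag, val = rest.pop(0), rest.pop(0)
            if flag in ("-s", "-d"):
                side = "src" if flag == "-s" else "dst"
                rule[side] = ipaddress.ip_network("0.0.0.0/0" if val == "0/0" else val, strict=False)
                if rest and not rest[0].startswith("-"):    # optional port or service name
                    rule[side[0] + "port"] = port_range(rest.pop(0))      # sport / dport
            elif flag == "-p":
                rule["proto"] = val.lower()
            elif flag == "-j":                              # target, e.g. ACCEPT or REDIRECT 8080
                rule["target"] = val + (" " + rest.pop(0) if rest and rest[0].isdigit() else "")
        if op == "-N":                                      # new, empty user chain
            self.chains[chain] = []
        elif op == "-A":
            self.chains[chain].append(rule)
        elif op == "-I":
            self.chains[chain].insert(pos - 1, rule)
        else:                                               # -D <chain> <number>
            del self.chains[chain][pos - 1]

    def verdict(self, chain, p):
        """First match decides; -j <user chain> descends; RETURN or the end of a user
        chain resumes in the caller; the end of a built-in chain yields its -P policy."""
        for r in (r for r in self.chains[chain] if matches(r, p)):
            if r["target"] == "RETURN":
                break
            v = self.verdict(r["target"], p) if r["target"] in self.chains else r["target"]
            if v is not None:                               # None: the user chain fell through
                return v
        return self.policy.get(chain)                       # user chains have no policy -> None

def page_ruleset():
    """Rules from the examples above, with the redirect inserted at the top of input."""
    fw = Firewall()
    for cmd in ("ipchains -P input DENY", "ipchains -N chainame", "ipchains -A input -j chainame",
                "ipchains -A chainame -s 10.1.0.0/16 1024: -d 0.0.0.0/0 www -j ACCEPT",
                "ipchains -A chainame -p UDP -s 0/0 dns -d 10.1.0.0/16 -j ACCEPT",
                "ipchains -I input 1 -p tcp -s 10.1.0.0/16 -d 0/0 80 -j REDIRECT 8080"):
        fw.run(cmd)
    return fw
```

Inserting "ipchains -I input 1 -j DENY" with fw.run() and then removing it with "ipchains -D input 1" reproduces the deny-all procedure above.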

Using ipchains-save and ipchains-restore to make rules permanent

When you are done setting your ipchains rules, use the following procedure while logged on as root to make them permanent:
  1. Type the command "ipchains-save > /etc/iprules.save".
  2. Create the following script named "packetfw":
    #!/bin/sh
    # Packet filtering firewall script used to turn the firewall on or off
     
    if [ -f /etc/iprules.save ]
    then
       case "$1" in
          start)
              echo -n "Turning on packet filtering firewall:"
              /sbin/ipchains-restore < /etc/iprules.save
              echo 1 > /proc/sys/net/ipv4/ip_forward
              echo "."
              ;;
          stop)
              echo -n "Turning off packet filtering:"
              echo 0 > /proc/sys/net/ipv4/ip_forward
              # Flush the rules before deleting chains: -X only removes user chains that are empty
              /sbin/ipchains -F
              /sbin/ipchains -X
              /sbin/ipchains -P input ACCEPT
              /sbin/ipchains -P output ACCEPT
              /sbin/ipchains -P forward ACCEPT
              echo "."
              ;;
          *)
              echo "Usage: /etc/init.d/packetfw {start|stop}"
              exit 1
              ;;
       esac
       exit 0
    else
       echo "The /etc/iprules.save file does not exist."
       exit 1
    fi
  3. Save the file in the /etc/rc.d/init.d directory.
  4. In the /etc/rc.d/rc3.d and /etc/rc.d/rc5.d directories, make a symbolic link called S07packetfw to the /etc/rc.d/init.d/packetfw file with the command "ln -s /etc/rc.d/init.d/packetfw /etc/rc.d/rc3.d/S07packetfw". This applies to runlevel 3. Do the same for the runlevel 5 initialization directory. Note: You may need to use a different number than the "S07" string to number your link file. Look in your /etc/rc.d/rc3.d and /etc/rc.d/rc5.d directories to determine what number is available to give this file. Try to give it a number just below your network number file. On my system the S10network file is used to start my network. 
http://www.comptechdoc.org/independent/networking/guide/netfirewall.html


IP Masquerading

IP masquerading is a form of network address translation (NAT) which allows internal computers with no known address outside their network to communicate with the outside. It allows one machine to act on behalf of other machines. It's similar to someone buying stocks through a broker (without considering the monetary transaction). The person buying stocks tells the broker to buy the stocks; the broker gets the stocks and passes them to the person who made the purchase. The broker acts on behalf of the stock purchaser as though he were the one buying the stock. No one who sold the stock knew or cared whether the broker was buying for himself or for someone else.
Please DO NOT confuse routers with firewalls and the performance of IP masquerading. The commands that allow IP masquerading are a simple form of a firewall; however, routing is a completely different function, as described previously. Setting a computer up to act as a router is completely different from setting up a computer to act as a firewall. Although the two functions are similar in that the router or firewall will act as a communication mechanism between two networks or subnets, the similarity ends there. A computer can be either a router or a firewall, but not both. If you set up a computer to act as both a router and a firewall, you have defeated the purpose of your firewall!
If you refer to the diagram below, the machines on network 192.168.2.x will obtain services through gateway B using IP masquerading, when gateway B is set up properly. What basically happens when IP masquerading is set up on gateway B is described in the following example. If machine S6 tries to ping S2, its ping packets will be sent to its default gateway, gateway B, because S6 knows from its netmask that S2 is on another network. When gateway B receives the packets from S6, it converts them to ping packets as though they were sent from itself and sends them to S2. As far as S2 can tell, gateway B has pinged it. S2 receives the packets and responds to gateway B. Gateway B then converts the packets to be addressed to S6 and sends them. This is why it is called IP masquerading, since gateway B masquerades for machines S4, S5, and S6. Machines S1 through S3 and gateway A cannot initiate any communication with S4 through S6. In fact, they have no way to know that those machines even exist! 

Small Network (diagram)

IP masquerading allows internal machines that don't have an officially assigned IP address to communicate with other networks and especially the internet. In Linux, IP masquerading support is provided by the kernel. To get it to work you must do essentially three things:
  1. Be sure the kernel has support for IP masquerading.
  2. Be sure the modules needed for support are loaded into the kernel.
  3. Set up the firewall rules.
For complete information on the setup of IP masquerading, see the following Linux how-tos:
  • IPCHAINS-HOWTO
  • Firewall-HOWTO
  • IP-Masquerade-HOWTO
Some of the information in this section is based on these how-tos. This section summarizes, in simple steps, some of the items you will be required to perform to set up IP masquerading. It is not a replacement for the Linux how-to documents, but a complement to them, giving an overview of what must be done. You may access the how-tos from one of the websites listed in the Linux websites section. The Linux Documentation Project or Metalab's Index of Linux publications will have copies of these how-tos.
To set up IP masquerading in Linux you must first be sure your kernel supports IP masquerading, with the following options set (this is for a 2.2.x or later kernel):
    Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [Y/n/?]- YES
    Enable loadable module support (CONFIG_MODULES) [Y/n/?] - YES
    Networking support (CONFIG_NET) [Y/n/?] - YES
    Packet socket (CONFIG_PACKET) [Y/m/n/?] - YES
    Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] - YES
    Routing messages (CONFIG_RTNETLINK) [Y/n/?] - NO
    Network firewalls (CONFIG_FIREWALL) [Y/n/?] - YES
    TCP/IP networking (CONFIG_INET) - YES
    IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [Y/n/?] - NO
    IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [Y/n/?] - YES
    IP: firewalling (CONFIG_IP_FIREWALL) [Y/n/?] - YES
    IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK) [Y/n/?] - YES
    IP: always defragment (required for masquerading) (CONFIG_IP_ALWAYS_DEFRAG) [Y/n/?] - YES
    IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?] - YES
    IP: ICMP masquerading (CONFIG_IP_MASQUERADE_ICMP) [Y/n/?] - YES
    IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD) [Y/n/?] - YES
    IP: ipautofw masquerade support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPAUTOFW) [Y/n/?] - NO
    IP: ipportfw masq support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_IPPORTFW) [Y/n/?] - YES
    IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW) [Y/m/n/?] - NO
    IP: optimize as router not host (CONFIG_IP_ROUTER) [Y/n/?] - YES
    IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] - NO
    IP: TCP syncookie support (not enabled per default) (CONFIG_SYN_COOKIES) [Y/n/?] - YES
    Network device support (CONFIG_NETDEVICES) [Y/n/?] - YES
    Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] - YES
    /proc filesystem support (CONFIG_PROC_FS) [Y/n/?] - YES

These are the kernel options you need for IP masquerade. You will need to select other options for your specific hardware and network setup. Read the IP masquerade and kernel how-tos for more information. You may also want to read the section on how to compile the Linux kernel in the Linux User's Guide in the Linux section of this documentation.
Create the following text and place it in a file "/etc/rc.d/rc.firewall". This will load your needed modules into your kernel and set up your basic firewall rules. If you copy the file from this page, be sure to remove carriage returns when you get it into Linux or it may not work properly.
    #!/bin/sh
    # rc.firewall - Initial SIMPLE IP Masquerade setup for 2.2.x kernels using IPCHAINS
    #
    # Load all required IP MASQ modules
    #
    #   NOTE:  Only load the IP MASQ modules you need.  All currently available IP MASQ modules
    #          are shown below; those that most setups do not need are commented out.
    
    # Needed to initially load modules
    #
    /sbin/depmod -a
    
    # Supports the proper masquerading of FTP file transfers using the PORT method
    #
    /sbin/modprobe ip_masq_ftp
    
    # Supports the masquerading of RealAudio over UDP.  Without this module,
    #  RealAudio WILL function but in TCP mode.  This can cause a reduction
    #  in sound quality
    #
    #/sbin/modprobe ip_masq_raudio
    
    # Supports the masquerading of IRC DCC file transfers
    #
    /sbin/modprobe ip_masq_irc
    
    # Supports the masquerading of Quake and QuakeWorld by default.  This module is
    #   for multiple users behind the Linux MASQ server.  If you are going to play
    #   Quake I, II, and III, use the second example.
    #
    #Quake I / QuakeWorld (ports 26000 and 27000)
    #/sbin/modprobe ip_masq_quake
    #
    #Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
    # /sbin/modprobe ip_masq_quake ports=26000,27000,27910,27960
    
    # Supports the masquerading of the CuSeeme video conferencing software
    #
    #/sbin/modprobe ip_masq_cuseeme
    
    #Supports the masquerading of the VDO-live video conferencing software
    #
    #/sbin/modprobe ip_masq_vdolive
    
    #CRITICAL:  Enable IP forwarding, since it is disabled by default.
    #
    #           Redhat Users:  you may try changing the options in /etc/sysconfig/network from:
    #
    #                       FORWARD_IPV4=false
    #                             to
    #                       FORWARD_IPV4=true
    #
    echo "1" > /proc/sys/net/ipv4/ip_forward
    
    # Dynamic IP users:
    #
    #   If you get your Internet IP address dynamically from SLIP, PPP, or DHCP, enable this following
    #       option.  This enables dynamic-ip address hacking in IP MASQ, making the life
    #       with DialD, PPPd, and similar programs much easier.
    #
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    
    # MASQ timeouts
    #
    #   2 hrs timeout for TCP session timeouts
    #  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
    #  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
    #
    /sbin/ipchains -M -S 7200 10 160
    
    # DHCP:  For people who receive their external IP address from either DHCP or BOOTP,
    #        such as ADSL or cable modem users, the following rule is necessary and must
    #        come before any deny rule on the input chain.  Replace the interface name
    #        ("eth1" here) with the name of the link that the DHCP/BOOTP server will put
    #        an address on to; this will be something like "eth0", "eth1", etc.
    #
    #        Comment this rule out if your external address is static.
    #
    /sbin/ipchains -A input -j ACCEPT -i eth1 -s 0/0 67 -d 0/0 68 -p udp
    
    # Enable simple IP forwarding and Masquerading
    #
    #  NOTE:  The following is an example for an internal LAN address in the 10.1.199.0
    #         network with a 255.255.255.0 (24 bit) subnet mask.
    #
    #         Please change this network number and subnet mask to match your internal LAN setup
    #
    /sbin/ipchains -P forward DENY
    /sbin/ipchains -A forward -s 10.1.199.0/24 -j MASQ
Add the following line to the "/etc/rc.d/rc.local" file:
/etc/rc.d/rc.firewall
Of course the machines that you are configuring to be behind the machine providing the masquerading service should be configured to use that machine as their gateway. In this case S4 through S6 should use gateway B as their default gateway.
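The S6-to-S2 exchange through gateway B described above, together with the session timers set by the rc.firewall line "ipchains -M -S 7200 10 160", as a toy model of the address rewriting (an added example, not the page's or the kernel's code). The host addresses, the gateway's outside address and the starting masquerade port are constructed assumptions, and the 10-second FIN timer is not modelled.

```python
import ipaddress

# Constructed addresses for the diagram's hosts (the page gives none): S6 is on the inside
# network behind gateway B; S2 and gateway B's outside address are on the other network.
S6, S2, GATEWAY_B_OUTSIDE = "192.168.2.6", "192.168.1.12", "192.168.1.2"
# Timers from the rc.firewall line "ipchains -M -S 7200 10 160" (TCP, TCP after FIN, UDP).  The
# FIN timer needs connection state and is not modelled; ICMP is assumed to use the UDP value.
TIMEOUT = {"tcp": 7200, "udp": 160, "icmp": 160}


class Masquerader:
    """Gateway B: a packet leaving the inside network is rewritten to come from the gateway's own
    address and a gateway-chosen port, and the reply to that port is mapped back.  For ICMP echo
    the port fields stand for the echo identifier.  Nothing inside is reachable unsolicited."""

    def __init__(self, outside_ip, inside_net, first_port=61000):   # high port range (assumed start)
        self.outside, self.inside = outside_ip, ipaddress.ip_network(inside_net)
        self.next_port = first_port
        self.table = {}          # (proto, masq port) -> [inside ip, inside port, expiry]

    def outbound(self, pkt, now):
        """Rewrite a packet from an inside host bound for the outside; None if not masqueraded."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if src not in self.inside or dst in self.inside:
            return None
        live = [k for k, v in self.table.items()
                if k[0] == pkt["proto"] and v[:2] == [pkt["src"], pkt["sport"]] and v[2] >= now]
        key = live[0] if live else (pkt["proto"], self.next_port)
        if not live:                                   # new conversation: take the next free port
            self.next_port += 1
        self.table[key] = [pkt["src"], pkt["sport"], now + TIMEOUT[pkt["proto"]]]
        out = {**pkt, "src": self.outside, "sport": key[1]}
        if pkt["proto"] == "icmp":                     # the echo identifier is replaced as a whole
            out["dport"] = key[1]
        return out

    def inbound(self, pkt, now):
        """Map a packet arriving from the outside back to the inside host; None without a live mapping."""
        entry = self.table.get((pkt["proto"], pkt["dport"]))
        if pkt["dst"] != self.outside or entry is None or entry[2] < now:
            return None                                # S1-S3 cannot open a conversation inward
        entry[2] = now + TIMEOUT[pkt["proto"]]         # traffic keeps the mapping alive
        back = {**pkt, "dst": entry[0], "dport": entry[1]}
        if pkt["proto"] == "icmp":
            back["sport"] = entry[1]
        return back


def reply_to(pkt):
    """What the far host answers: addresses and identifiers swapped."""
    return {"proto": pkt["proto"], "src": pkt["dst"], "dst": pkt["src"],
            "sport": pkt["dport"], "dport": pkt["sport"]}


def demo():
    """S6 pings S2 via gateway B; S1 tries to reach S6 unsolicited; a UDP mapping times out."""
    gw = Masquerader(GATEWAY_B_OUTSIDE, "192.168.2.0/24")
    ping = {"proto": "icmp", "src": S6, "dst": S2, "sport": 77, "dport": 77}   # echo id 77
    seen_by_s2 = gw.outbound(ping, now=0)                 # appears to come from gateway B itself
    back_to_s6 = gw.inbound(reply_to(seen_by_s2), now=1)  # S2's reply, readdressed to S6, id 77
    unsolicited = gw.inbound({"proto": "tcp", "src": "192.168.1.11", "dst": GATEWAY_B_OUTSIDE,
                              "sport": 4000, "dport": 23}, now=2)              # S1 -> telnet
    query = gw.outbound({"proto": "udp", "src": S6, "dst": S2, "sport": 1500, "dport": 53}, now=10)
    late = gw.inbound(reply_to(query), now=10 + TIMEOUT["udp"] + 1)  # answer after the UDP timer
    return seen_by_s2, back_to_s6, unsolicited, late
```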


http://www.comptechdoc.org/independent/networking/guide/netipmasq.html