Networking

IPv6 launch banner

Unix systems use the TCP/IP network protocol by default; it is in fact completely integrated into the system. TCP/IP roughly covers layers 3 and 4 of the OSI network model. TCP (Transmission Control Protocol) controls the traffic and IP (Internet Protocol) handles the routing of data through the network.

IP is available in two flavours. IPv4 is the original implementation, using 32 bits for the address, written in groups of 8 bits. IPv6 is the next generation of addresses, using 128 bits. The basic technology is not really different for ordinary users; IPv6 simply has enough addresses to point to everything you can think of and much, much more.

IPv4 addresses look like 148.230.157.25, IPv6 addresses like  2001::216:3eff:fe31:c4a0. We have a post on IPv6 and a post on IPv4 addressing.

The IPv4 information here is quite accurate, as the IPv4 protocol is well known. The IPv6 information is open to discussion: my first information on IPv6 came from the very informative book by Christian Huitema, and as that book was written in 1997 the current implementation seems to differ on some points.

Socket
IP address and port, e.g. 162.35.68.95:23. A socket defines the actual connection to a system. A network application like telnetd listens on a specific port; a client connection to that port will be served by this application. Once the protocol negotiation is finished a socket is established.
*.23
This socket listens on all IP addresses for connections to port 23 (telnet). The * is called INADDR_ANY.
RPC
Remote Procedure Call, pre-IP network protocol. On Unix systems inetd listens on port 111 on behalf of rpcbind/portmapper. An RPC request contains a service number (defined in /etc/rpc) for the required RPC service.
rpcbind must be running before inetd is started: rpcbind provides the socket inetd should connect to.
Stream
Connection between 2 sockets
/etc/defaultrouters
Defines default router (SUN)
rdist
Tool for file distribution over several servers
BOOTP
Protocol to request and send configuration data over the network.
BOOTP requests cannot pass routers. Put a forwarding BOOTP server in each subnet; this server knows the address of the real BOOTP server and forwards the request to it.
FTP
File Transfer Protocol. By default uses port 20 (data) and port 21 (control). The data connection is initiated from the server, so at the client side you need to open your firewall for connections from port 20. Clients may be able to limit the ports used for data transfer; in that case you can use something like:
iptables -A INPUT -p TCP -s 0/0 -d $INTERNET_ADDRESS --sport 20 -m multiport --dports 43000:43100 -j ACCEPT
Anonymous FTP
Uses a chroot environment: in such a setup the user sees his home directory as /. He can never reach any other directory on the server. All commands and libraries the user needs must be under his root.
tcpdump
Trace network traffic; all packets sent are reported to standard output (the terminal).

-w <filename> -C 10
Dump raw data to <filename>; start a new file after 10 million bytes (not 10 MB) have been written
-r <filename> -tttt -X
Read packets from <filename>, print absolute timestamps and all data
-n port 53 and ip6 and host <address>
Do not look up host or port names; select only packets for port 53, the IPv6 protocol and the specified host <address>
netstat -rvn
Show the routing table with subnet masks and do not look up hostnames
route add -net 10.0.2.0 netmask 255.255.255.0 gw 10.0.2.1
Add a route to network 10.0.2.0/24; the gateway for this network is 10.0.2.1
traceroute <IP>
Report all routers a packet passes on its way to <IP>. This uses the TTL field in the IP packet: each router lowers the TTL by 1, and the router that decrements it to 0 reports this to the source IP. Traceroute sends packets with increasing TTLs, starting at 1, thus forcing each router to report itself.
tftp <host>
Trivial FTP, ftp without users. Use put or get for transfer.

  1. Activate tftpd in /etc/inetd.conf
  2. Make sure the home directory for tftp exists; its path is in inetd.conf
  3. kill -1 <inetd-process>
  4. Touch the file you want to put
  5. Put the file
ifconfig <interface>
Show the interface configuration; -a shows all interfaces
ifconfig <interface> <IPv4-address>
Put <IPv4-address> on the interface with the default netmask (see above) and broadcast address. Other netmasks and more options can be configured too.
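As an added example (not from the original page), this POSIX shell function shows what the "default netmask and broadcast address" above amount to: given an address and an optional netmask it prints the network, the broadcast address and the netmask, falling back to the classful default (/8, /16 or /24 by first octet) when no netmask is given. The function name is mine; the sample addresses are the page's own.

```shell
# ipv4_calc <address> [netmask]: print "<network> <broadcast> <netmask>".
# Without a netmask the classful default is used: 0-127 -> /8, 128-191 -> /16,
# 192-223 -> /24. Example code, not from the original page; the function
# name is an assumption.
ipv4_calc() {
    ip=$1 mask=$2
    if [ -z "$mask" ]; then
        first=${ip%%.*}
        if   [ "$first" -lt 128 ]; then mask=255.0.0.0
        elif [ "$first" -lt 192 ]; then mask=255.255.0.0
        elif [ "$first" -lt 224 ]; then mask=255.255.255.0
        else echo "no classful default netmask for $ip" >&2; return 1
        fi
    fi
    # dotted quad -> 32-bit integer (called in a subshell, so IFS is not clobbered)
    to_int() { IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }
    # 32-bit integer -> dotted quad
    to_dot() { echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"; }
    i=$(to_int "$ip") m=$(to_int "$mask")
    net=$(( i & m ))                          # host bits cleared
    bcast=$(( net | (~m & 0xFFFFFFFF) ))      # host bits set
    echo "$(to_dot "$net") $(to_dot "$bcast") $mask"
}

# Worked examples: the route entry and two addresses used on this page
ipv4_calc 10.0.2.17 255.255.255.0   # 10.0.2.0 10.0.2.255 255.255.255.0
ipv4_calc 148.230.157.25            # 148.230.0.0 148.230.255.255 255.255.0.0
ipv4_calc 10.12.13.3                # 10.0.0.0 10.255.255.255 255.0.0.0
```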
ifconfig <interface> inet6 add <IPv6-address>
Add <IPv6-address> to the interface; an IPv6-capable interface already has a link-local address.
lsof -i TCP:<port>
List all processes that have <port> in use

SUN Specific

snoop -ta -x0 <expr>
Trace network traffic matching <expr>, with timestamps and all data in the packets. Snoop has lots of options for selecting and displaying just what you need. <expr> can be almost anything, like IP addresses; more values can be combined with 'and' or 'or', and '!' is a 'not'.
snoop -o <file> <expr>
Put all traffic matching <expr> in <file>; the file can be read back later with snoop -i <file>, using all the display options like -x0 and -ta

To change the hostname of a Solaris system, check the following files:

  • /etc/hosts
  • /etc/nodename
  • /etc/hostname
  • /etc/net/ticlts/hosts
  • /etc/net/ticots/hosts
  • /etc/net/ticotsord/hosts
  • /etc/inet/ipnodes (if this file exists and if a hostname entry exists)
/etc/nodename
Defines the default hostname for the system
/etc/hostname.hme0
Hostname for a specific interface (hme0); the IP address to put on this interface is found in /etc/hosts

/etc/hostname/hme0.1
Defines a virtual interface, to make one physical interface carry more IP addresses

IPMP

IPMP, IP Multipathing, can be used to make network interfaces redundant.

You need 2 physical connections and 3 IP addresses (2 for testing, 1 for work). In the examples below we have a ce0 and a ce1 interface.
Each interface receives a test address; from these addresses the router is pinged. The node IP address is given to the interface that can reach the router.

  1. Make sure the interfaces use their own MAC address
    # ksh
    # eeprom local-mac-address?=true
    If the eeprom needs to be changed you have to reboot the system to activate the new setting
    # init 6
  2. Check the mpathd file
    # cd /etc/default
    # cat mpathd
    The following lines must be in the file:
    FAILURE_DETECTION_TIME=10000
    FAILBACK=yes
    TRACK_INTERFACE_ONLY_WITH_GROUPS=yes
  3. Modify /etc/hosts. Make sure the test and node addresses are in it correctly
    # vi /etc/hosts
    10.12.13.3 somenode
    10.12.13.1 somenode.ce0
    10.12.13.2 somenode.ce1
  4. Configure the interfaces
    # ifconfig ce0 plumb
    # ifconfig ce1 plumb
    Modify the hostname files:
    # vi /etc/hostname.ce0  (This will be the primary interface. Deprecated means the test address is not sent to the network)
    somenode netmask + broadcast + group namelan up
    addif somenode.ce0 deprecated -failover netmask + broadcast + up
    # vi /etc/hostname.ce1  (This will be the secondary (stand-by) interface. It takes over if the primary link fails and stops when the primary link is back on-line)
    somenode.ce1 netmask + broadcast + deprecated group namelan -failover standby up

Now reboot the server and test by pulling the cable from the primary interface; the secondary should take over after 10 sec (10000 msec from the mpathd config).

Nico’s tips:

Add IPMP, to make sure Server1 is available on one of the two IP cards:

Alternative 1:

In Internet Explorer, go to:

https://<Server1 IP address>.3000

IPMP Group: < ipmpgroupname>

Adapter: hme0

Test address: <IP-address>

Alternative 2:

# ifconfig hme0 plumb <High Availability server IPaddress> netmask + broadcast + group <IPMP-groupname> up

# ifconfig hme0 addif <IPtestaddress hme0> -failover deprecated netmask + broadcast  + up

# ifconfig hme1 plumb

# ifconfig hme1 <IPtestaddress hme1> group <IPMP-groupname> -failover deprecated netmask + broadcast  + up

# if_mpadm -r hme0

X-25

Stopping PAD may reduce error messages from X.25.

In /etc/init.d/x25.control comment out the lines

    if [ "$SX25" ]
    then
        START="$START
        padd
        ....
        STOP="STOP padxd
        padprntd"
    fi

Tunneling

Encrypted tunnels can be built on IP connections. All data is encrypted at the sending end of the tunnel and decrypted at the receiving end.

ssh -L <lport>:<hostname>:<rport> <rhost>
Port forwarding. Forward local port <lport> through <rhost> to port <rport> on <hostname>; <hostname> is the destination as seen from <rhost>. A chain of forwards can be created over several hosts. Connecting to <lport> on localhost connects you to the destination port immediately.
VPN
Virtual Private Network. A network of tunnels over another network. For the user it works like one private network, separated from the network it is built on.

Example of VPN defining commands

set vpn "<VPN-NAME>" gateway "<gateway-name>" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"

set vpn "<VPN-NAME>" id 686 bind interface tunnel.161

set vpn "<VPN-NAME>" proxy-id local-ip <public network this side> remote-ip <public network other side> "ANY"

ipsec
Encrypted communication using X.509 certificates or preshared keys. There are two modes of operation:
  1. Transport mode: only the payload is encrypted, the routing header remains intact. This can be used for host-to-host communication.
  2. Tunnel mode: the entire IP packet is encrypted and a new IP header is added. This is used for site-to-site communication.

IPSEC implementation

Install strongSwan without Opportunistic Encryption. X.509 certificates can be installed with the Debian package, or you can create them yourself.

X.509 certificates

X.509 certificates deliver a public key infrastructure (PKI) that can be used to identify a server and for encrypted communication. Certificates are issued by Certificate Authorities (CAs), who verify the identity of the certificate requester. Certificates from the larger CAs are trusted by default in most web browsers.

To set up encrypted communication between two sides you have to agree on which CA to use.

Make yourself a CA (which no one else will recognise as such):

# cd /etc/ssl

You can put default values for your certificates in openssl.cnf

# /usr/lib/ssl/misc/CA.sh -newca

Create a CRL file to store revoked certificates

# echo 01 > demoCA/crlnumber

# openssl ca -gencrl -out crl.pem

On the server you need a certificate for, run:

# /usr/lib/ssl/misc/CA.sh -newreq

The script generates newreq.pem and newkey.pem.

newreq.pem must be transferred to /etc/ssl on the CA server. Then execute

# /usr/lib/ssl/misc/CA.sh -sign

This generates newcert.pem. This file has to be returned to the requesting host; renaming it to something more meaningful is advised.

# mv newkey.pem <hostname>.key

# mv newcert.pem <hostname>.pem

For Windows servers things need to be converted to a P12 file.

# openssl pkcs12 -export -in <hostname>.pem -inkey <hostname>.key -certfile demoCA/cacert.pem -out <hostname>.p12

To remove a passphrase from a key:

# openssl rsa -in server.key.org -out server.key
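The whole CA procedure above, as an added example that is not from the original page: the same steps (CA, CRL, request, signing, renaming, P12 export, verification) done with plain openssl(1) commands instead of CA.sh, which newer OpenSSL packages no longer ship. It assumes openssl is in PATH; the work directory, hostname, function name and PKCS#12 password are placeholders of mine.

```shell
# Added example, not from the original page: the CA.sh procedure above with
# plain openssl(1) commands. Assumes openssl is in PATH; work directory,
# hostname and PKCS#12 password are placeholders.
set -e
# build_pki <workdir> <hostname>: self-signed CA, a certificate for <hostname>,
# an (empty) CRL and a PKCS#12 bundle, all created under <workdir>.
build_pki() (
    cd "$1"; host=$2
    mkdir -p demoCA/private demoCA/newcerts; touch demoCA/index.txt
    echo 01 > demoCA/serial; echo 01 > demoCA/crlnumber   # CRL number, as in the text
    cat > ca.cnf <<'EOF'   # minimal config, independent of the system openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
EOF
    # CA.sh -newca: CA key and self-signed CA certificate
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Private CA" -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null        # openssl ca -gencrl
    # CA.sh -newreq (on the server): key and certificate request
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout newkey.pem -out newreq.pem 2>/dev/null
    # CA.sh -sign (on the CA): issue the certificate, then rename as the text advises
    openssl ca -config ca.cnf -batch -notext -in newreq.pem -out newcert.pem 2>/dev/null
    mv newkey.pem "$host.key"; mv newcert.pem "$host.pem"
    # P12 bundle for Windows hosts (password is a placeholder)
    openssl pkcs12 -export -in "$host.pem" -inkey "$host.key" -certfile demoCA/cacert.pem \
        -passout pass:changeit -out "$host.p12"
    openssl verify -CAfile demoCA/cacert.pem "$host.pem"   # prints "<host>.pem: OK"
)
```

Run it as `build_pki /tmp/pki server1.example`; the final verify line shows the issued certificate chains to the new CA.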
