Network down, IP packets delivered via UPS. -- BOFH excuse #427
Networking is a complex and diverse area of computer science. This page
can only scratch the surface of some essential networking concepts,
aiming to convey enough background knowledge to understand more
specific and thorough articles on the subject matter and to encourage
the reader to explore the vast freely available literature. We cover
the four layers of the TCP/IP interconnection model in some detail
and look at a small subset of networking tools, including SSH. The
chapter concludes with a short overview of the Linux-specific Netlink
SECTION(«Network Layers»)
define(«nl_width», «260»)
define(«nl_height», «200»)
define(«nl_box_width», «100»)
define(«nl_text_offset», «110»)
define(«nl_box_height», «eval((nl_height() - 10) / 5)»)
define(«nl_layer_width», «eval(nl_box_width() / 4)»)
define(«nl_font_size», «15»)
dnl $1: layer (link/internet/transport/application)
dnl $2: box number (0-4), $3: row-span, $4: column-span, $5: color
ifelse(«$1», «link», «x="1"»)
ifelse(«$1», «internet», «x="eval(1 + nl_layer_width())"»)
ifelse(«$1», «transport», «x="eval(1 + nl_layer_width() * 2)"»)
ifelse(«$1», «application», «x="eval(1 + nl_layer_width() * 3)"»)
y="eval($2 * nl_box_height())"
height="eval($3 * nl_box_height())"
width="nl_layer_width()"
dnl $1: box number (see nl_box()), $2: text
y="eval($1 * nl_box_height() + nl_box_height() / 2)"
font-size="nl_font_size()"
width="nl_width()" height="nl_height()"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
nl_box(«link», «0», «1», «#a22»)
nl_box(«link», «1», «3», «#7e5»)
nl_box(«link», «4», «1», «blue»)
nl_box(«internet», «1», «1», «yellow»)
nl_box(«internet», «2», «2», «#7e5»)
nl_box(«transport», «2», «1», «orange»)
nl_box(«transport», «3», «1», «#7e5»)
nl_box(«application», «3», «1», «#7e5»)
nl_text(«0», «Frame Header»)
nl_text(«1», «IP Header»)
nl_text(«2», «TCP/UDP Header»)
nl_text(«4», «Frame Footer»)
<p> The <em> Open Systems Interconnection </em> (OSI) model describes
network communication by subdividing the data flow into <em>
abstraction layers</em>. This model was published as an ISO standard
in 1984 and comprises seven independent layers. A similar model with
only four layers, known as the <em> TCP/IP interconnection model</em>,
was proposed in RFC 1122 (1989). The TCP/IP model does not consider
physical specifications, so it has no counterpart to the <em> physical
layer </em> of the OSI model. Moreover, the three top layers in the
OSI model are not distinguished in the TCP/IP model. </p>
<p> The four layers of the TCP/IP model (<em>link, internet,
transport</em>, and <em> application</em>) are illustrated in the
diagram on the left. The link layer receives the full ethernet frame
(left column). It reads and interprets the frame header (red) and
footer (blue), and regards the remaining part as data (green), to be
passed uninterpreted to the next layer. The internet layer (second
column) expects an IP packet and interprets the first part of the data
as the IP header (yellow). It hands off the rest as a TCP/UDP packet to
the transport layer (third column) which in turn reads and strips off
its header (orange). The application layer only sees the green part in
the fourth column. Each layer is discussed in a dedicated section. </p>
<li> RFC is short for <em> Request for Comments</em>. Make yourself
familiar with this concept. </li>
<li> Search the web for "RFC 822" to get an idea how an RFC looks
<li> Discuss the pros and cons of many abstraction layers. </li>
SECTION(«Link Layer»)
<p> The local network connection of a host is called its <em> link</em>.
The <em> link layer </em> is responsible for transmitting packets
between two hosts on the same link, that is, between directly connected
nodes. The link layer includes the protocols which maintain link states
such as the <em> Address Resolution Protocol </em> (ARP). Several
<em> link types </em> exist, the ubiquitous <em> ethernet </em> being
the only one to be discussed here. For ethernet links, the protocol
is specified in terms of the <em> media access control </em> (MAC)
addresses of ethernet frames. </p>
SUBSECTION(«Ethernet Bridging»)
<p> An <em> ethernet bridge </em> connects two or more networks by relaying
ethernet frames between the participating devices. This is described
in an official standard, the first revision of which was published in
1990. This standard can be implemented within a dedicated hardware
device, for example a <em> network switch</em>, or in software as
part of the operating system. Many software and hardware implementations
exist, which are compatible with each other as they all implement the
same protocol. Since ethernet bridges operate on the link layer, they
are transparent to higher level protocols like IP. </p>
<p> At the core of each bridge implementation there is the <em> forwarding
database </em> whose entries are indexed by the MAC addresses that have
recently been seen. Each time the bridge receives an ethernet frame,
the destination MAC address is looked up in the database to determine
the device to which the frame should be relayed. If no entry exists,
the frame is sent to <em> all </em> devices except the one it came
from, with the expectation that all devices but one will ignore the
frame. This is called <em> flooding</em>. From the source address
of the (single) reply a new database entry is created. This prevents
further flooding. Entries are removed from the database by aging: If
no frames have been received from a MAC address for the duration of a
time interval called <em> aging time</em>, the entry is removed from
<p> The Linux ethernet bridge implementation dates back to 1999. Two
different tools are available to create and configure bridges: <code>
brctl(8) </code> and <code> bridge(8)</code>. The exercises of this
section aim to get the reader started with both tools. </p>
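The following C program, added here as an illustration and not part of the original course material, simulates the forwarding database described above: learning from source addresses, flooding for unknown destinations, and aging. The MAC addresses, port numbers and the aging time of 300 seconds are constructed values.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define FDB_SIZE   16    /* capacity of this toy forwarding database */
#define AGING_TIME 300   /* seconds; assumed, matches the Linux default */
#define PORT_FLOOD (-1)  /* send to all ports except the ingress port */
#define PORT_DROP  (-2)  /* destination is on the ingress segment anyway */

struct fdb_entry {
	uint8_t mac[6];
	int port;         /* bridge port the MAC was last seen on */
	long last_seen;   /* time of the last frame from this MAC */
	int valid;
};

static struct fdb_entry fdb[FDB_SIZE];

/* Aging: forget MACs not heard from for AGING_TIME seconds. */
static void fdb_age(long now)
{
	for (int i = 0; i < FDB_SIZE; i++)
		if (fdb[i].valid && now - fdb[i].last_seen >= AGING_TIME)
			fdb[i].valid = 0;
}

static struct fdb_entry *fdb_find(const uint8_t *mac)
{
	for (int i = 0; i < FDB_SIZE; i++)
		if (fdb[i].valid && memcmp(fdb[i].mac, mac, 6) == 0)
			return &fdb[i];
	return NULL;
}

/* Learning: record (or refresh) the port a source MAC was seen on. */
static void fdb_learn(const uint8_t *mac, int port, long now)
{
	struct fdb_entry *e = fdb_find(mac);

	if (!e) {
		for (int i = 0; i < FDB_SIZE && !e; i++)
			if (!fdb[i].valid)
				e = &fdb[i];
		if (!e)
			return;  /* table full; frames to this MAC get flooded */
		memcpy(e->mac, mac, 6);
		e->valid = 1;
	}
	e->port = port;
	e->last_seen = now;
}

/* Handle one frame arriving on in_port at time now (seconds). Returns the
 * egress port for a known unicast destination, PORT_DROP if the
 * destination is known to be on the ingress port, else PORT_FLOOD. */
int bridge_forward(const uint8_t *src, const uint8_t *dst, int in_port, long now)
{
	const struct fdb_entry *e;

	fdb_age(now);
	fdb_learn(src, in_port, now);
	e = fdb_find(dst);
	if (!e)
		return PORT_FLOOD;
	return e->port == in_port ? PORT_DROP : e->port;
}

/* Constructed MAC addresses of two hosts, A on port 1 and B on port 2. */
const uint8_t mac_a[6] = { 0x02, 0, 0, 0, 0, 0xaa };
const uint8_t mac_b[6] = { 0x02, 0, 0, 0, 0, 0xbb };

int main(void)
{
	printf("A->B at t=0:   %d (flood)\n", bridge_forward(mac_a, mac_b, 1, 0));
	printf("B->A at t=1:   %d (learned)\n", bridge_forward(mac_b, mac_a, 2, 1));
	printf("A->B at t=2:   %d\n", bridge_forward(mac_a, mac_b, 1, 2));
	printf("A->B at t=400: %d (B aged out)\n", bridge_forward(mac_a, mac_b, 1, 400));
	return 0;
}
```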
SUBSECTION(«Virtual Ethernet Interfaces»)
<p> A bridge can accommodate physical devices like <code> eth0 </code>
as well as virtual devices. On Linux systems the common approach
to equip virtual machines with network interfaces employs the <em>
virtual ethernet </em> (veth) device driver. This driver provides
virtual pairs of devices where each pair represents an ethernet
tunnel. Ethernet frames received by one end appear on the other end. To
set up the network interface for a virtual machine, one end of the
pair is added to a bridge on the host system while the other end
represents the ethernet device of the virtual machine. </p>
<li> Determine the MAC address of the first ethernet device of your
<li> How many times faster has ethernet become since its first protocol
version that supported a transfer rate of 2.94 Mbit/s in 1973? </li>
<li> Explain why bridges cannot be detected by tools like <code>
traceroute(1) </code> or <code> tracepath(8)</code>. </li>
<li> Hardware ethernet bridges are called switches because they
relay ethernet frames by using a technique called <em> packet
switching</em>. Define this term. </li>
<li> The <code> arp(8) </code> command prints the kernel's network
neighbour cache. Explain the purpose of this cache and the difference
to the forwarding database of an ethernet bridge. </li>
<li> Network devices can be set into <em> promiscuous
mode</em>. Explain what this means, why interfaces which belong
to an ethernet bridge need to be set into promiscuous mode,
and the consequences of this fact. </li>
<li> On your local computer, shut down the <code> eth0 </code>
interface, create a bridge and add <code> eth0 </code> to the bridge.
Then configure the bridge device in the same way the physical interface
was configured before. Run <code>brctl showmacs </code> to see MAC
addresses and the aging timer. </li>
<li> Create a virtual ethernet pair by running <code> ip link add v1
type veth peer name v2</code> and bring up the two interfaces with
<code> ip link set up v1 </code> and similarly for <code> v2</code>. Add
the <code> v1 </code> end to the bridge. Configure an IP address on
the <code> v2 </code> end of the pair (<code>ip addr add 192.168.42.42
dev v2</code>). Add an entry to the IP routing table with <code>
ip route add 192.168.42.42/32 dev v2</code>. Start the <code> nc(1)
</code> tool in listening mode and send IP traffic through the bridge
by starting <code> nc(1) </code> a second time to connect to <code>
192.168.42.42</code>. </li>
<li> Recall how the <em> spanning tree algorithm</em> works. Explain
how the spanning tree algorithm is employed in the <em> spanning
tree protocol </em> (STP). Name two reasons for activating STP in a
<li> The <em> rapid spanning tree protocol </em> (RSTP) is the
successor of the traditional STP. Explain the difference between the
<li> In each bridged network, there is one bridge which
plays a special role: the so-called <em> root bridge</em>.
Explain the purpose of the root bridge and how it is determined
among the bridges of the network. </li>
<li> Linux offers two different tools to configure ethernet bridges:
<code> brctl(8) </code> and <code> bridge(8)</code>. Compare the
feature sets of these tools. </li>
SECTION(«Internet Layer»)
<p> These days the term "internet" has acquired a rather broad meaning
in that it refers to all kinds of network services. However, in
the context of the TCP/IP interconnection model, the <em> internet
layer </em> is named aptly because its purpose is to send packets
across different networks, thereby enabling inter-networking. More
precisely, packets are <em> routed </em> from the source network to
the destination network, where both networks are identified by <em>
IP interface addresses</em>. Although both the prevalent IPv4 and the
next-generation IPv6 variant are being deployed actively worldwide,
we shall only discuss IPv4 here. </p>
<p> The first part of each IP packet is the <em> IP header</em>, which is
usually 20 bytes long. Besides the source and destination addresses,
it contains an 8 bit protocol number which refers to the data portion
<p> IP only provides an <em> unreliable </em> datagram transmission
facility, which means that packets may be lost, arrive multiple times,
or out of order. Moreover, packets can be fragmented or defragmented. </p>
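As an added example (not from the original page), this C code parses the 20 byte IPv4 header, verifies the header checksum, and performs the TTL decrement a router does when relaying a packet. The sample header, its addresses and its checksum value are constructed.

```c
#include <stdint.h>
#include <stdio.h>

struct ipv4_hdr {
	uint8_t  ihl;          /* header length in 32 bit words, 5 = 20 bytes */
	uint16_t total_len;    /* header plus data, in bytes */
	uint8_t  ttl;          /* byte 9 of the header, offset 8 */
	uint8_t  protocol;     /* 1 = ICMP, 6 = TCP, 17 = UDP */
	uint32_t src, dst;     /* addresses, host byte order */
	int      checksum_ok;
};

/* RFC 791 header checksum: one's complement of the one's complement sum
 * of the header's 16 bit words. Over a correct header, which includes
 * its own checksum field, the result is 0. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
	uint32_t sum = 0;
	for (size_t i = 0; i + 1 < len; i += 2)
		sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
	while (sum >> 16)	/* fold carries back into the low 16 bits */
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

static uint32_t be32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3];
}

/* Parse the header at buf. Returns 0 on success, -1 if the buffer is too
 * short, not IPv4, or the header length field is inconsistent. */
int ipv4_parse(const uint8_t *buf, size_t len, struct ipv4_hdr *out)
{
	if (len < 20 || buf[0] >> 4 != 4)
		return -1;
	out->ihl = buf[0] & 0x0f;
	if (out->ihl < 5 || (size_t)out->ihl * 4 > len)
		return -1;
	out->total_len = buf[2] << 8 | buf[3];
	out->ttl = buf[8];
	out->protocol = buf[9];
	out->src = be32(buf + 12);
	out->dst = be32(buf + 16);
	out->checksum_ok = ipv4_checksum(buf, out->ihl * 4) == 0;
	return 0;
}

/* What a router does before relaying a packet: decrement the TTL and
 * recompute the checksum. Returns the new TTL, or -1 if the TTL expired
 * and the packet is dropped (the router then reports it via ICMP). */
int ipv4_forward_hop(uint8_t *buf, size_t len)
{
	if (len < 20 || buf[8] <= 1)
		return -1;
	buf[8]--;
	buf[10] = buf[11] = 0;	/* checksum field is zero while summing */
	uint16_t c = ipv4_checksum(buf, (buf[0] & 0x0f) * 4);
	buf[10] = c >> 8;
	buf[11] = c & 0xff;
	return buf[8];
}

/* Constructed sample: UDP packet 192.168.42.1 -> 192.168.42.42, 48 bytes
 * total, TTL 64, with its correct checksum 0x48fb. */
uint8_t sample_ip_hdr[20] = {
	0x45, 0x00, 0x00, 0x30, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x11,
	0x48, 0xfb, 192, 168, 42, 1, 192, 168, 42, 42,
};

int main(void)
{
	struct ipv4_hdr h;

	if (ipv4_parse(sample_ip_hdr, sizeof sample_ip_hdr, &h) == 0)
		printf("proto %u ttl %u checksum %s\n", h.protocol, h.ttl,
		       h.checksum_ok ? "ok" : "BAD");
	printf("after one hop: ttl %d\n", ipv4_forward_hop(sample_ip_hdr, 20));
	return 0;
}
```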
<li> How many different IPv4 addresses exist? </li>
<li> Visit <a href="https://www.meineip.de">this page</a> which
claims to show the IP address of your computer. Check if the result
was correct by running <code> ip addr show</code>. Run <code> host
a.b.c.d </code> for the IP addresses and discuss the result. </li>
<li> What is the difference between the <em> maximum transmission
unit </em> (MTU) and the <em> path MTU</em>? </li>
<li> Describe the purpose of the <em> Internet Control Message Protocol
</em> (ICMP) and its relationship to IP. </li>
<li> Byte 9 of the header of an IP packet is the so-called <em>
time to live </em> (TTL) field, which is initially set to 64 by
the sender. Explain the purpose of this field. </li>
<li> Explain the connection between the TTL and the <em> Internet
Control Message Protocol </em> (ICMP). </li>
<li> What is a netmask in an IPv4 network? What is the purpose of the
netmask? Why is the network part of an IP address also called <em>
routing prefix</em>? </li>
<li> On any host, run <code> ifconfig </code> and <code> ip addr
show</code>. Both commands print the netmask of each network, but
in different ways. Explain which part of the output of the <code>
ip </code> command contains the netmask. </li>
Discuss the security implications of network services which are based
on MAC addresses or IP addresses alone.
Both the IP address and the MAC address are trivial to fake. So they
should never be used to authenticate a user or a device on a network
to which potential attackers have physical access, i.e., untrusted
devices can be connected.
Illustrate how <em> network address translation </em> (NAT) works
on the basis of a web search initiated from a desktop computer in a
local network and discuss the implications that NAT has on privacy.
<p> The desktop is configured to route packets which are not destined
for the local network through a dedicated machine, called the <em>
router</em>. In particular, all internet traffic is sent to the router.
The router has two IP addresses: one address in the local network
and a public NAT address. As traffic passes from the desktop through
the router to the web server in the internet, the source address of
each IP packet (the local address of the desktop) is changed on the
fly to the public NAT address of the router. The router tracks each
active connection. When a reply arrives at the router, it uses the
connection tracking data stored during the outbound phase to determine
the address in the local network to which to forward the reply. This
time it overwrites the destination address of the IP packet with the
local address of the desktop. </p>
<p> NAT can be seen as providing a kind of privacy mechanism because
machines on the internet cannot monitor which hosts are sending and
receiving traffic. They only see the NAT address. NAT also has
downsides, though: Pinpointing the source of a problem becomes harder,
and encryption becomes more difficult. For example, you cannot encrypt
the IP address because the router must be able to change it. </p>
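The following C program, an added illustration rather than code from the original text, simulates the connection tracking just described for one desktop behind a NAT router. Addresses, ports and the table size are constructed assumptions; the public address is taken from a documentation range.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* A packet reduced to the fields NAT rewrites or consults. */
struct flow { uint32_t src, dst; uint16_t sport, dport; };

struct nat_entry {
	struct flow orig;   /* the flow as the desktop sent it */
	uint16_t nat_port;  /* source port after translation */
	int valid;
};

#define NAT_TABLE_SIZE  64
#define NAT_PORT_BASE   40000
#define NAT_PUBLIC_ADDR 0xc633640au  /* 198.51.100.10, documentation range */

static struct nat_entry table[NAT_TABLE_SIZE];
static uint16_t next_port = NAT_PORT_BASE;

static int flow_eq(const struct flow *a, const struct flow *b)
{
	return a->src == b->src && a->dst == b->dst &&
	       a->sport == b->sport && a->dport == b->dport;
}

/* Outbound (desktop -> internet): rewrite the source address and port,
 * remembering the mapping. Returns the NAT port in use for this
 * connection, or 0 when the tracking table is full. */
uint16_t nat_outbound(struct flow *pkt)
{
	struct nat_entry *e = NULL;
	for (int i = 0; i < NAT_TABLE_SIZE && !e; i++)
		if (table[i].valid && flow_eq(&table[i].orig, pkt))
			e = &table[i];  /* known connection: reuse its port */
	if (!e) {
		for (int i = 0; i < NAT_TABLE_SIZE && !e; i++)
			if (!table[i].valid)
				e = &table[i];
		if (!e)
			return 0;
		e->orig = *pkt;
		e->nat_port = next_port++;
		e->valid = 1;
	}
	pkt->src = NAT_PUBLIC_ADDR;
	pkt->sport = e->nat_port;
	return e->nat_port;
}

/* Inbound reply (internet -> router): find the connection by NAT port and
 * peer, restore the desktop's address and port. Returns 0 on success, -1
 * if nothing matches and the router drops the unsolicited packet. */
int nat_inbound(struct flow *pkt)
{
	if (pkt->dst != NAT_PUBLIC_ADDR)
		return -1;
	for (int i = 0; i < NAT_TABLE_SIZE; i++) {
		const struct nat_entry *e = &table[i];
		if (e->valid && e->nat_port == pkt->dport &&
		    e->orig.dst == pkt->src && e->orig.dport == pkt->sport) {
			pkt->dst = e->orig.src;
			pkt->dport = e->orig.sport;
			return 0;
		}
	}
	return -1;
}

int main(void)
{
	/* constructed: desktop 192.168.42.7:51000 -> web server 203.0.113.80:80 */
	struct flow out = { 0xc0a82a07, 0xcb007150, 51000, 80 };
	uint16_t p = nat_outbound(&out);
	struct flow reply = { 0xcb007150, NAT_PUBLIC_ADDR, 80, p };
	printf("outbound source now %08x:%u\n", out.src, out.sport);
	if (nat_inbound(&reply) == 0)
		printf("reply delivered to %08x:%u\n", reply.dst, reply.dport);
	return 0;
}
```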
Run <code> tracepath wikipedia.org</code>. Explain how this command
works and how it can be used to identify networking problems.
SECTION(«Transport Layer»)
<p> The protocols of the transport layer provide message transfer services
which are on one hand independent of the underlying network type,
and on the other hand independent of the application. Different
network services running on the same host are distinguished by
<em> port numbers</em>, which are 16 bit identifiers. Several well
known port numbers are associated with specific applications.
The two dominant transport layer protocols on top of IP, TCP and UDP,
are discussed in the following subsections. </p>
SUBSECTION(«The User Datagram Protocol»)
<p> The <em> User Datagram Protocol </em> (UDP) is the simplest
transport-layer protocol, built as a thin layer on top of IP. For this
reason, it offers only the same best-effort service as IP itself. For
example, there is no detection of duplicate or reordered packets, and
no protection against packet loss or network congestion. However,
UDP generates checksums to catch transmission errors. Being a
connectionless protocol, only minimal internal state about the
connection is maintained. This makes UDP suitable for applications
which need to avoid the overhead of setting up a TCP connection, or
in situations where on-time arrival is more important than reliability. </p>
SUBSECTION(«The Transmission Control Protocol»)
<p> The <em> Transmission Control Protocol </em> (TCP) provides reliable,
ordered delivery of a stream and a classic window-based congestion
control. In contrast to UDP, TCP provides a stream which is independent
of any packet boundaries. TCP is used extensively by many applications.
Besides HTTP (the Hypertext Transfer Protocol), FTP (the File
Transfer Protocol), SMTP (the Simple Mail Transfer Protocol) and SSH (the
Secure Shell) all sit on top of TCP. </p>
<li> Check <code> /etc/services </code> and find the TCP port
numbers for http (web), ssh and smtp (email). </li>
<li> Run <code> ls /proc/sys/net/ipv4/udp* </code> and <code> ls
/proc/sys/net/ipv4/tcp* </code> to see the available UDP and TCP
parameter settings, and to compare the complexity of UDP and TCP. </li>
<li> Run <code> netstat -pant </code> to see active TCP sockets. </li>
<li> Run <code> nmap localhost </code> to determine the listening
<li> Run netcat in TCP listening mode: <code> nc -l $((19853 +
UID))</code>. Invite your neighbour to chat with you by connecting
to your netcat process. </li>
<li> Read section 3.1 of RFC 793 (Transmission Control Protocol,
1981) to get an idea of the format of a TCP header, particularly the
control bits called ACK, RST, SYN and FIN. </li>
<li> The name "SYN" for one of the control bits of the TCP header
stands for <em> synchronize</em>. What is being synchronized when
this bit is set? And why does it need to be synchronous in the first
<li> Make yourself familiar with the 3-way TCP handshake also described
in RFC 793. Why is it called a 3-way handshake? </li>
<li> Run <code> ip tcpmetrics </code> to see recent TCP peers and
discuss the output. </li>
<li> UDP is said to be <em> datagram-oriented</em> while TCP is <em>
stream-oriented</em>. Define both terms and explain the implications
for application writers. </li>
<li> Explain how TCP achieves its goal of controlling the transmission
<li> Explain how the "SYN flooding" denial-of-service attack works and
how SYN cookies mitigate this attack. </li>
<li> Explain the idea behind TFO (TCP fast open). </li>
<li> In contrast to TCP, UDP is a <em> connectionless </em> protocol. In
particular, there is no handshake necessary to establish a
connection. Describe the pros and cons of this fact. </li>
<li> Explain, in no more than two sentences, the idea behind a port
<li> What's a half-open TCP connection? What's a half-open TCP
port scan? Explain why half-open TCP port scans are reasonably
<li> Express your opinion on whether performing an unsolicited TCP
port scan should be considered a criminal act. </li>
SECTION(«Application Layer»)
<p> Application layer protocols define how the server side of a network
service communicates with clients that connect to the server by
connecting to a specific TCP or UDP port. Services are often associated
with port numbers which can be registered at the <em> Internet Assigned
Numbers Authority </em> (IANA). </p>
<p> Examples for application layer protocols which are employed on top of
TCP are the <em> Hypertext Transfer Protocol </em> (HTTP, port 80)
and the <em> Secure Shell Protocol </em> (SSH, port 22). On top of
UDP sit the <em> Domain Name System </em> (DNS, port 53), the <em>
Dynamic Host Configuration Protocol </em> (DHCP, ports 67 and 68)
and the <em> Network Time Protocol </em> (NTP, port 123). </p>
<p> We won't discuss any specific application layer protocols here. Instead,
we look at some client programs. </p>
SUBSECTION(«The Name Service Switch»)
<p> Every Unix system needs a couple of (usually small) system databases
for proper operation. Besides the user database, there are other
databases for Unix group membership, the known hosts, network
protocols, and more. Traditionally, there was only a single source for
this information in the form of a configuration file per database, for
example <code> /etc/hosts</code> for the hosts database. The format of
each database file is described in the POSIX standard and in section
5 of the user manuals. This approach works well if the databases
and the number of hosts which need to share the same databases are
small. Larger organizations, however, have a need to maintain this
information centrally by means of some network service. The <em>
Lightweight Directory Access Protocol </em> (LDAP) and the <em>
Domain Name System </em> (DNS) are popular choices for the user
and the host/domain databases. Often the entries of the centralized
network database have to be merged with the entries of the local file
in <code> /etc</code>. This calls for a flexible method which lets the
administrator specify the sources of information and the search order.
Sun Microsystems came up with a clean solution to this problem named
<em> Name Service Switch </em> (NSS) for the Solaris operating system.
This solution was ported to most other Unix operating systems. The
implementation used on GNU/Linux systems is part of the <em> GNU
C Library </em> (glibc). The central configuration file for NSS is
<code> /etc/nsswitch.conf</code>. </p>
SUBSECTION(«Advanced SSH Features»)
<p> SSH, the <em> secure shell</em>, is a popular client/server software
package for logging into a remote machine. The name is a little
misleading, though. For one, SSH is not a shell; it merely provides
a method to <em> run </em> a shell. Second, it can do much more than
just log in and start the shell. It features a secure encrypted
communication channel between two hosts, and this channel can be
utilized in interesting ways on both ends. In the exercises we look
at TCP port forwarding, some useful configuration options, and public
key authorization. </p>
<li> Inspect <code> /etc/resolv.conf </code> to get the IP address
of your nameserver(s). Then run <code> dig @$IP $DOMAIN MX </code>
where <code> $IP </code> is the nameserver IP address, and <code>
$DOMAIN </code> is the domain of your email address, e.g. <code>
tuebingen.mpg.de</code>. Determine the hostname of the mail server
from the output and run <code> nc $MAILHOST 25 </code> to send a mail
to yourself. Hint: <code> HELO $MAILHOST</code>, <code> mail from:
&lt;$LOGNAME@$DOMAIN&gt;</code>, <code> rcpt to: &lt;$LOGNAME@$DOMAIN&gt;</code>,
<code> data</code>. </li>
<li> Edit <code> /etc/passwd</code>, <code> /etc/shadow</code>,
and <code> /etc/group </code> to manually create a user account.
Use the <a href="«#»cryptout.c">cryptout</a> program below to
generate the second field of <code> /etc/shadow </code> containing
the encrypted password. </li>
<li> Understand the <code> hosts </code> line in <code>
/etc/nsswitch.conf</code>. </li>
<li> Does <code> host $HOSTNAME </code> always print the same IPv4
address as <code> ping $HOSTNAME</code>? </li>
<li> Run <code> nc localhost 22 </code> to determine the SSH server
<li> Forward the TCP port 12345 of your local machine to an
internal server using ssh's <code> -L </code> option for local port
forwarding. Check that you can log in with <code> ssh -p 12345
localhost</code>. </li>
<li> Search the <code>ssh_config(5)</code> man page for <code>
NoHostAuthenticationForLocalhost </code> and ponder if it is a good
idea to set this to <code> yes</code>. </li>
<li> Add <code> Host </code> and <code> Hostname </code> entries
to your ssh config file so that you can log in with <code> ssh
hostname</code>, even though <code> hostname </code> does not resolve
on your local network. </li>
<li> Create an ssh key pair and add the public part so that you can
log in without specifying a password. Discuss the security implications
<li> In an ssh session, type <code> ~C </code> to open the ssh command
prompt. Use a suitable <code> -L </code> command to add a local port
forward to the existing connection. Type <code> ~? </code> to see
the available escape sequences. </li>
<li> Add the lines <code> Host *.eb.local </code> and <code> ProxyJump
cgw.tuebingen.mpg.de </code> to your ssh config file. Then type <code>
ssh olt.eb.local</code>. Check <code> ssh(1) </code> to learn how
Explain the difference between local and remote port forwarding. Give
a typical example for either type of forwarding.
SECTION(«The Netlink Messaging System»)
<p> The various layers and protocols discussed earlier in this chapter
dealt with the communication between hosts which are connected by
a network. The Linux-specific <em>Netlink Interface</em>, however,
does not fit into this picture because it is a messaging system
for passing network-related information between the kernel and a
user space program, and vice versa. Among other uses, tools like
<code>ip(8)</code> and <code>ifconfig(8)</code> employ Netlink
to configure network devices. Netlink is implemented on top of the
socket infrastructure, so the communication link between a user space
program and the kernel is established by means of the usual system calls
<code>socket(2)</code>, <code>bind(2)</code>, <code>connect(2)</code>,
and messages are transferred by calling <code>sendmsg(2)</code>
and <code>recvmsg(2)</code>. </p>
<p> There are several <em>netlink families</em> which select the
kernel subsystem to communicate with. We shall only be concerned
with the <code>NETLINK_ROUTE</code> family, which is used to
modify network routes, IP addresses, and more. The details of
<code>NETLINK_ROUTE</code> are described in <code>rtnetlink(7)</code>
while <code>netlink(7)</code> covers the general interface and the
currently assigned families. </p>
<p> A Netlink message starts with a 16 byte header as defined by
<code>struct nlmsghdr</code>. To report errors to userspace, Netlink
provides a message type that encapsulates an error header defined
by <code>struct nlmsgerr</code>. Both structures are declared in
<code>include/linux/netlink.h</code>. Full Netlink messages,
including the Netlink header, are transferred. Therefore the user space
program has to implement a parser for both regular Netlink messages
and Netlink error messages, as well as a primitive for setting up
properly formatted Netlink messages to be sent to the kernel. Several
user space libraries aim to help the programmer with this repetitive
and error-prone task, the <em>minimalistic Netlink library</em>
(libmnl) being the most popular one. </p>
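As an added example that is not part of the original page or of libmnl, the following C code implements the two primitives mentioned above: building a properly formatted request header, and parsing a reply buffer that may hold several messages, including NLMSG_ERROR messages. The struct and constant definitions mirror include/linux/netlink.h (RTM_GETLINK comes from rtnetlink.h) instead of including the kernel headers, so the code also compiles on non-Linux hosts; nothing is sent to the kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Mirrors of the definitions in include/linux/netlink.h (and RTM_GETLINK
 * from rtnetlink.h), so that this also compiles on non-Linux hosts. */
struct nlmsghdr {
	uint32_t nlmsg_len;    /* length of message including this header */
	uint16_t nlmsg_type;   /* message content, e.g. RTM_GETLINK */
	uint16_t nlmsg_flags;  /* NLM_F_* flags */
	uint32_t nlmsg_seq;    /* sequence number, echoed back by the kernel */
	uint32_t nlmsg_pid;    /* sender port id, 0 when sent by the kernel */
};
struct nlmsgerr {
	int error;             /* negative errno, 0 for a plain ACK */
	struct nlmsghdr msg;   /* header of the request that caused it */
};
#define NLMSG_ALIGN(len) (((len) + 3) & ~(size_t)3)
#define NLMSG_HDRLEN     ((uint32_t)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
#define NLMSG_ERROR      2
#define NLM_F_REQUEST    0x01
#define NLM_F_ACK        0x04
#define RTM_GETLINK      18

/* Set up a request header in buf for a message carrying payload_len bytes.
 * Returns the nlmsg_len to pass to sendmsg(2), or 0 if buf is too small. */
uint32_t nl_build_request(void *buf, size_t bufsz, uint16_t type,
			  uint16_t flags, uint32_t seq, size_t payload_len)
{
	struct nlmsghdr nlh = {
		.nlmsg_len = (uint32_t)(NLMSG_HDRLEN + payload_len),
		.nlmsg_type = type,
		.nlmsg_flags = NLM_F_REQUEST | flags,
		.nlmsg_seq = seq,
		.nlmsg_pid = 0,	/* the kernel fills in our port id */
	};
	if (NLMSG_ALIGN(nlh.nlmsg_len) > bufsz)
		return 0;
	memset(buf, 0, NLMSG_ALIGN(nlh.nlmsg_len));  /* payload area zeroed */
	memcpy(buf, &nlh, sizeof nlh);
	return nlh.nlmsg_len;
}

/* Walk a buffer received with recvmsg(2), which may hold several
 * messages. Returns the message count, or -1 for a malformed buffer or
 * a reply to some request other than expect_seq. For NLMSG_ERROR
 * messages *err is set to the kernel's negative errno, 0 meaning "ACK". */
int nl_parse_reply(const void *buf, size_t len, uint32_t expect_seq, int *err)
{
	const uint8_t *p = buf;
	int count = 0;

	*err = 0;
	while (len >= sizeof(struct nlmsghdr)) {
		struct nlmsghdr nlh;
		memcpy(&nlh, p, sizeof nlh);	/* no alignment assumptions */
		if (nlh.nlmsg_len < sizeof nlh || nlh.nlmsg_len > len)
			return -1;	/* length field inconsistent with buffer */
		if (nlh.nlmsg_seq != expect_seq)
			return -1;
		if (nlh.nlmsg_type == NLMSG_ERROR) {
			struct nlmsgerr e;
			if (nlh.nlmsg_len < sizeof nlh + sizeof e)
				return -1;	/* truncated error message */
			memcpy(&e, p + sizeof nlh, sizeof e);
			*err = e.error;
		}
		count++;
		if (NLMSG_ALIGN(nlh.nlmsg_len) >= len)
			break;	/* last message in the buffer */
		p += NLMSG_ALIGN(nlh.nlmsg_len);
		len -= NLMSG_ALIGN(nlh.nlmsg_len);
	}
	return count;
}
```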
SUBSECTION(«cryptout.c»)

#include <stdlib.h>
#include <crypt.h>
#include <stdio.h>
#include <sys/random.h>

/* The 64 characters permitted in a crypt(3) salt. */
static const char set[] =
	"abcdefghijklmnopqrstuvwxyz"
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	"0123456789./";

int main(int argc, char **argv)
{
	unsigned char rnd[2];
	char salt[3], *result;

	/* two random bytes, masked to six bits each, select the salt characters */
	if (argc != 2 || getrandom(rnd, 2, 0) < 0)
		exit(EXIT_FAILURE);
	salt[0] = set[rnd[0] & 63];
	salt[1] = set[rnd[1] & 63];
	salt[2] = '\0';
	result = crypt(argv[1], salt);
	if (!result)
		exit(EXIT_FAILURE);
	printf("%s\n", result);
	return EXIT_SUCCESS;
}