Network down, IP packets delivered via UPS. -- BOFH excuse #427

Networking is a complex and diverse area of computer science. This page
can only scratch the surface of some essential networking concepts,
aiming to convey enough background knowledge to understand more
specific and thorough articles on the subject matter and to encourage
the reader to explore the vast freely available literature. We cover
the four layers of the TCP/IP interconnection model in some detail
and look at a small subset of networking tools, including SSH. The
chapter concludes with a short overview of the Linux-specific Netlink
SECTION(«Network Layers»)

define(«nl_width», «260»)
define(«nl_height», «200»)
define(«nl_box_width», «100»)
define(«nl_text_offset», «110»)
define(«nl_box_height», «eval((nl_height() - 10) / 5)»)
define(«nl_layer_width», «eval(nl_box_width() / 4)»)
define(«nl_font_size», «15»)
dnl $1: layer (link/internet/transport/application)
dnl $2: box number (0-4), $3: row-span, $4: column-span, $5: color

ifelse(«$1», «link», «x="1"»)
ifelse(«$1», «internet», «x="eval(1 + nl_layer_width())"»)
ifelse(«$1», «transport», «x="eval(1 + nl_layer_width() * 2)"»)
ifelse(«$1», «application», «x="eval(1 + nl_layer_width() * 3)"»)
y="eval($2 * nl_box_height())"
height="eval($3 * nl_box_height())"
width="nl_layer_width()"

dnl $1: box number (see nl_box()), $2: text

y="eval($1 * nl_box_height() + nl_box_height() / 2)"
font-size="nl_font_size()"

width="nl_width()" height="nl_height()"

xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"

nl_box(«link», «0», «1», «#a22»)
nl_box(«link», «1», «3», «#7e5»)
nl_box(«link», «4», «1», «blue»)
nl_box(«internet», «1», «1», «yellow»)
nl_box(«internet», «2», «2», «#7e5»)
nl_box(«transport», «2», «1», «orange»)
nl_box(«transport», «3», «1», «#7e5»)
nl_box(«application», «3», «1», «#7e5»)
nl_text(«0», «Frame Header»)
nl_text(«1», «IP Header»)
nl_text(«2», «TCP/UDP Header»)

nl_text(«4», «Frame Footer»)
<p> The <em> Open Systems Interconnection </em> (OSI) model describes
network communication by subdividing the data flow into <em>
abstraction layers</em>. This model was published as an ISO standard
in 1984 and comprises seven independent layers. A similar model with
only four layers, known as the <em> TCP/IP interconnection model</em>,
was proposed in RFC 1122 (1989). The TCP/IP model does not consider
physical specifications, so it has no counterpart to the <em> physical
layer </em> of the OSI model. Moreover, the three top layers in the
OSI model are not distinguished in the TCP/IP model. </p>

<p> The four layers of the TCP/IP model (<em>link, internet,
transport</em>, and <em> application</em>) are illustrated in the
diagram on the left. The link layer receives the full ethernet frame
(left column). It reads and interprets the frame header (red) and
footer (blue), and regards the remaining part as data (green), to be
passed uninterpreted to the next layer. The internet layer (second
column) expects an IP packet and interprets the first part of the data
as the IP header (yellow). It hands off the rest as a TCP/UDP packet to
the transport layer (third column) which in turn reads and strips off
its header (orange). The application layer only sees the green part in
the fourth column. Each layer is discussed in a dedicated section. </p>
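<p> To make the stripping of headers concrete, here is an added C example
(not part of the original text) that walks a constructed ethernet frame
carrying an IPv4/UDP datagram through the three lower layers. Each layer
checks the length fields it is responsible for, the internet layer also
verifies the IPv4 header checksum, and the result records where the data
seen by the application layer begins. The frame contents, MAC and IP
addresses and port numbers are constructed for this example. </p>

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Header sizes that each layer strips before handing the rest upwards. */
#define ETH_HDR_LEN      14 /* destination MAC, source MAC, EtherType */
#define IPV4_MIN_HDR_LEN 20 /* IPv4 header without options (IHL = 5) */
#define UDP_HDR_LEN       8
#define PROTO_UDP        17 /* IP protocol number of UDP */

struct parsed {
	int ok;                          /* 0 if any layer rejected the frame */
	uint16_t ethertype;              /* link layer: 0x0800 is IPv4 */
	uint8_t ttl, proto;              /* internet layer */
	uint32_t src_ip, dst_ip;
	uint16_t src_port, dst_port;     /* transport layer */
	size_t payload_off, payload_len; /* the green part the application layer sees */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* RFC 791 header checksum: one's complement of the one's complement sum of all
 * 16-bit words. Over a header whose checksum field is correct it yields 0. */
uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
	uint32_t sum = 0;
	for (size_t i = 0; i + 1 < len; i += 2)
		sum += rd16(hdr + i);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Walk the frame layer by layer, checking every length before trusting it. */
struct parsed parse_frame(const uint8_t *f, size_t len)
{
	struct parsed r;
	memset(&r, 0, sizeof(r));
	/* Link layer: the frame footer (FCS) was already removed by the NIC. */
	if (len < ETH_HDR_LEN) return r;
	r.ethertype = rd16(f + 12); if (r.ethertype != 0x0800) return r;
	const uint8_t *ip = f + ETH_HDR_LEN; size_t iplen = len - ETH_HDR_LEN;
	/* Internet layer: version 4, IHL in 32-bit words, total length within the frame. */
	if (iplen < IPV4_MIN_HDR_LEN || (ip[0] >> 4) != 4) return r;
	size_t ihl = (size_t)(ip[0] & 0x0f) * 4, total = rd16(ip + 2);
	if (ihl < IPV4_MIN_HDR_LEN || total < ihl || total > iplen) return r;
	if (ipv4_checksum(ip, ihl) != 0) return r;
	r.ttl = ip[8]; r.proto = ip[9];
	r.src_ip = rd32(ip + 12); r.dst_ip = rd32(ip + 16);
	if (r.proto != PROTO_UDP) return r;
	/* Transport layer: the UDP length field covers header plus data. */
	const uint8_t *udp = ip + ihl; size_t udplen = total - ihl;
	if (udplen < UDP_HDR_LEN || rd16(udp + 4) != udplen) return r;
	r.src_port = rd16(udp); r.dst_port = rd16(udp + 2);
	r.payload_off = (size_t)(udp + UDP_HDR_LEN - f); r.payload_len = udplen - UDP_HDR_LEN;
	r.ok = 1; return r;
}

/* Constructed sample frame: 192.168.42.1:40000 -> 192.168.42.42:53, UDP data "hi". */
size_t build_sample_frame(uint8_t *buf, size_t bufsize)
{
	static const char payload[] = "hi";
	size_t plen = sizeof(payload) - 1, total = IPV4_MIN_HDR_LEN + UDP_HDR_LEN + plen;
	if (bufsize < ETH_HDR_LEN + total) return 0;
	uint8_t *eth = buf, *ip = buf + ETH_HDR_LEN, *udp = ip + IPV4_MIN_HDR_LEN;
	memset(buf, 0, ETH_HDR_LEN + total);
	memset(eth, 0xff, 6);                           /* broadcast destination MAC */
	memcpy(eth + 6, "\x02\x00\x00\x00\x00\x01", 6); /* locally administered source MAC */
	eth[12] = 0x08; eth[13] = 0x00;                 /* EtherType IPv4 */
	ip[0] = 0x45;                                   /* version 4, IHL 5 */
	ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
	ip[8] = 64; ip[9] = PROTO_UDP;                  /* TTL, protocol */
	memcpy(ip + 12, "\xc0\xa8\x2a\x01", 4);         /* 192.168.42.1 */
	memcpy(ip + 16, "\xc0\xa8\x2a\x2a", 4);         /* 192.168.42.42 */
	uint16_t csum = ipv4_checksum(ip, IPV4_MIN_HDR_LEN);
	ip[10] = (uint8_t)(csum >> 8); ip[11] = (uint8_t)csum;
	udp[0] = 40000 >> 8; udp[1] = 40000 & 0xff;     /* source port */
	udp[2] = 0; udp[3] = 53;                        /* destination port */
	udp[4] = 0; udp[5] = (uint8_t)(UDP_HDR_LEN + plen);
	memcpy(udp + UDP_HDR_LEN, payload, plen);       /* UDP checksum stays 0 (optional in IPv4) */
	return ETH_HDR_LEN + total;
}

/* mode 0: intact; 1: TTL changed without recomputing the checksum; 2: truncated. */
struct parsed parse_sample(int mode)
{
	uint8_t buf[64];
	size_t len = build_sample_frame(buf, sizeof(buf));
	if (mode == 1) buf[ETH_HDR_LEN + 8]--;
	if (mode == 2) len = 30;
	return parse_frame(buf, len);
}

int main(void)
{
	struct parsed p = parse_sample(0);
	printf("ok=%d ttl=%u proto=%u ports %u->%u, %zu data byte(s) at offset %zu\n",
	       p.ok, p.ttl, p.proto, p.src_port, p.dst_port, p.payload_len, p.payload_off);
	return 0;
}
```

For the intact frame the data starts at offset 42 (14 + 20 + 8 bytes of
headers). Mode 1 mimics a router that decrements the TTL without updating
the checksum: the internet layer rejects the packet, which is why every
hop must recompute the checksum after changing a header field. Mode 2
shows that a frame shorter than the headers it claims to carry is rejected
before any field is read.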
<li> RFC is short for <em> Request for Comments</em>. Make yourself
familiar with this concept. </li>

<li> Search the web for "RFC 822" to get an idea how an RFC looks

<li> Discuss the pros and cons of many abstraction layers. </li>
SECTION(«Link Layer»)

<p> The local network connection of a host is called its <em> link</em>.
The <em> link layer </em> is responsible for transmitting packets
between two hosts on the same link, that is, between directly connected
nodes. The link layer includes the protocols which maintain link states
such as the <em> Address Resolution Protocol </em> (ARP). Several
<em> link types </em> exist, the ubiquitous <em> ethernet </em> being
the only one to be discussed here. For ethernet links, the protocol
is specified in terms of the <em> media access control </em> (MAC)
addresses of ethernet frames. </p>
SUBSECTION(«Ethernet Bridging»)

<p> An <em> ethernet bridge </em> connects two or more networks by relaying
ethernet frames between the participating devices. This is described
in an official standard, the first revision of which was published in
1990. This standard can be implemented within a dedicated hardware
device, for example a <em> network switch</em>, or in software as
part of the operating system. Many soft- and hardware implementations
exist, which are compatible with each other as they all implement the
same protocol. Since ethernet bridges operate on the link layer, they
are transparent to higher level protocols like IP. </p>

<p> At the core of each bridge implementation there is the <em> forwarding
database </em> whose entries are indexed by the MAC addresses that have
recently been seen. Each time the bridge receives an ethernet frame,
the destination MAC address is looked up in the database to determine
the device to which the frame should be relayed. If no entry exists,
the frame is sent to <em> all </em> devices except the one it came
from, with the expectation that all devices but one will ignore the
frame. This is called <em> flooding</em>. From the source address
of the (single) reply a new database entry is created. This prevents
further flooding. Entries are removed from the database by aging: If
no frames have been received from a MAC address for the duration of a
time interval called <em> aging time</em>, the entry is removed from

<p> The Linux ethernet bridge implementation dates back to 1999. Two
different tools are available to create and configure bridges: <code>
brctl(8) </code> and <code> bridge(8)</code>. The exercises of this
section aim to get the reader started with both tools. </p>
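<p> The following C program is an added example, not taken from the
chapter or from the Linux bridge code, of the forwarding database logic
described above: the bridge learns the port of each source address,
floods frames for unknown or group destinations, and ages out silent
entries. The scenario, the MAC addresses, the port numbers and the
300 second aging time are constructed. Note that entries are learned from
whatever source address a frame carries; the database trusts the frame
header, which is one reason a MAC address alone identifies nothing
reliably. </p>

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_ENTRIES 64
#define FLOOD (-1) /* relay to every port except the one the frame arrived on */
#define DROP  (-2) /* destination sits on the ingress port: nothing to relay */

struct fdb_entry {
	uint8_t mac[6];
	int port;
	uint32_t last_seen; /* time of the last frame from this source, in seconds */
	int used;
};

struct bridge {
	struct fdb_entry fdb[MAX_ENTRIES];
	uint32_t aging_time;
};

static int mac_eq(const uint8_t *a, const uint8_t *b) { return memcmp(a, b, 6) == 0; }

/* Aging: forget sources that have been silent for longer than aging_time. */
static void fdb_age(struct bridge *br, uint32_t now)
{
	for (int i = 0; i < MAX_ENTRIES; i++)
		if (br->fdb[i].used && now - br->fdb[i].last_seen > br->aging_time)
			br->fdb[i].used = 0;
}

/* Learning: record (or refresh) the port on which the source MAC was seen.
 * The source address is taken on trust from the frame header. */
static void fdb_learn(struct bridge *br, const uint8_t *mac, int port, uint32_t now)
{
	int free_slot = -1;
	for (int i = 0; i < MAX_ENTRIES; i++) {
		if (br->fdb[i].used && mac_eq(br->fdb[i].mac, mac)) {
			br->fdb[i].port = port;
			br->fdb[i].last_seen = now;
			return;
		}
		if (!br->fdb[i].used && free_slot < 0)
			free_slot = i;
	}
	if (free_slot < 0)
		return; /* table full: the frame is still relayed, but frames back to this
		           source will be flooded until an entry ages out */
	memcpy(br->fdb[free_slot].mac, mac, 6);
	br->fdb[free_slot].port = port;
	br->fdb[free_slot].last_seen = now;
	br->fdb[free_slot].used = 1;
}

/* Decide where a frame goes: a port number, FLOOD or DROP. */
int bridge_forward(struct bridge *br, const uint8_t *dst, const uint8_t *src, int in_port, uint32_t now)
{
	fdb_age(br, now);
	fdb_learn(br, src, in_port, now);
	if (dst[0] & 1)
		return FLOOD; /* group bit set: broadcast or multicast */
	for (int i = 0; i < MAX_ENTRIES; i++)
		if (br->fdb[i].used && mac_eq(br->fdb[i].mac, dst))
			return br->fdb[i].port == in_port ? DROP : br->fdb[i].port;
	return FLOOD; /* unknown destination */
}

/* Constructed scenario: replay the first `steps` frames and return the last decision. */
int scenario(int steps)
{
	static const uint8_t A[6] = {0x02, 0, 0, 0, 0, 0x0a}, B[6] = {0x02, 0, 0, 0, 0, 0x0b};
	static const uint8_t C[6] = {0x02, 0, 0, 0, 0, 0x0c}, D[6] = {0x02, 0, 0, 0, 0, 0x0d};
	static const uint8_t BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
	struct { const uint8_t *dst, *src; int port; uint32_t t; } frames[] = {
		{ B, A, 1, 0 },       /* 1: B unknown -> flood, learn A on port 1 */
		{ A, B, 2, 1 },       /* 2: reply, A known -> port 1, learn B on port 2 */
		{ B, A, 1, 2 },       /* 3: B known -> port 2 */
		{ B, A, 1, 400 },     /* 4: aging time passed -> B forgotten, flood again */
		{ BCAST, C, 3, 401 }, /* 5: broadcast -> flood */
		{ A, D, 1, 403 },     /* 6: A is on the ingress port -> drop */
	};
	struct bridge br;
	int decision = FLOOD;
	memset(&br, 0, sizeof(br));
	br.aging_time = 300;
	for (int i = 0; i < steps && i < 6; i++)
		decision = bridge_forward(&br, frames[i].dst, frames[i].src, frames[i].port, frames[i].t);
	return decision;
}

int main(void)
{
	for (int i = 1; i <= 6; i++)
		printf("frame %d -> %d\n", i, scenario(i));
	return 0;
}
```

Step 4 is the aging case from the text: nothing has been heard from B for
longer than the aging time, so the entry is gone and the next frame to B
is flooded exactly as the first one was.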
SUBSECTION(«Virtual Ethernet Interfaces»)

<p> A bridge can accommodate physical devices as well as virtual
devices. On Linux systems the common approach to equip virtual machines
with network interfaces employs the <em>virtual ethernet</em> device
driver, veth. This driver provides virtual pairs of devices where
each pair represents an ethernet tunnel. Ethernet frames received
by one end appear on its peer. To set up the network interface for
a virtual machine, one end of the pair is added to a bridge on the
host system while the other end represents the ethernet device of
the virtual machine. </p>

<li> Determine the MAC address of the first ethernet device of your

<li> How many times faster has ethernet become since its first protocol
version that supported a transfer rate of 2.94 Mbit/s in 1973? </li>

<li> Explain why bridges cannot be detected by tools like <code>
traceroute(1) </code> or <code> tracepath(8)</code>. </li>

<li> Hardware ethernet bridges are called switches because they
relay ethernet frames by using a technique called <em> packet
switching</em>. Define this term. </li>

<li> The <code> arp(8) </code> command prints the kernel's network
neighbour cache. Explain the purpose of this cache and the difference
to the forwarding database of an ethernet bridge. </li>

<li> Network devices can be set into <em> promiscuous
mode</em>. Explain what this means, why interfaces which belong
to an ethernet bridge need to be set into promiscuous mode,
and the consequences of this fact. </li>

<li> On your local computer, shut down the <code> eth0 </code>
interface, create a bridge and add <code> eth0 </code> to the bridge.
Then configure the bridge device in the same way the physical interface
was configured before. Run <code>brctl showmacs </code> to see MAC
addresses and the aging timer. </li>

<li> Create a virtual ethernet pair by running <code> ip link add v1
type veth peer name v2</code> and bring up the two interfaces with
<code> ip link set up v1 </code> and similar for <code> v2</code>. Add
the <code> v1 </code> end to the bridge. Configure an IP address on
the <code> v2 </code> end of the pair (<code>ip addr add 192.168.42.42
dev v2</code>). Add an entry for the IP routing table with <code>
ip route add 192.168.42.42/32 dev v2</code>. Start the <code> nc(1)
</code> tool in listening mode and send IP traffic through the bridge
by starting <code> nc(1) </code> a second time to connect to <code>
192.168.42.42</code>. </li>

<li> Recall how the <em> spanning tree algorithm</em> works. Explain
how the spanning tree algorithm is employed in the <em> spanning
tree protocol </em> (STP). Name two reasons for activating STP in a

<li> The <em> rapid spanning tree protocol </em> (RSTP) is the
successor of the traditional STP. Explain the difference between the

<li> In each bridged network, there is one bridge which
plays a special role: the so-called <em> root bridge</em>.
Explain the purpose of the root bridge and how it is determined
among the bridges of the network. </li>

<li> Linux offers two different tools to configure ethernet bridges:
<code> brctl(8) </code> and <code> bridge(8)</code>. Compare the
feature sets of these tools. </li>
SECTION(«Internet Layer»)

<p> These days the term "internet" has acquired a rather broad meaning
in that it refers to all kinds of network services. However, in
the context of the TCP/IP interconnection model, the <em> internet
layer </em> is named aptly because its purpose is to send packets
across different networks, thereby enabling inter-networking. More
precisely, packets are <em> routed </em> from the source network to
the destination network, where both networks are identified by <em>
IP interface addresses</em>. Although both the prevalent IPv4 and the
next-generation IPv6 variant are being deployed actively worldwide,
we shall only discuss IPv4 here. </p>

<p> The first part of each IP packet is the <em> IP header</em>, which is
usually 20 bytes long. Besides the source and destination addresses,
it contains an 8 bit protocol number which refers to the data portion

<p> IP only provides an <em> unreliable </em> datagram transmission
facility, which means that packets may be lost, arrive multiple times,
or out of order. Moreover, packets can be fragmented or defragmented. </p>

<li> How many different IPv4 addresses exist? </li>

<li> What is the difference between the <em> maximum transmission
unit </em> (MTU) and the <em> path MTU</em>? </li>

<li> Describe the purpose of the <em> Internet Control Message Protocol
</em> (ICMP) and its relationship to IP. </li>

<li> Byte 9 of the header of an IP packet is the so-called <em>
time to live </em> (TTL) field, which is initially set to 64 by
the sender. Explain the purpose of this field. </li>

<li> Explain the connection between the TTL and the <em> Internet
Control Message Protocol </em> (ICMP). </li>

<li> What is a netmask in an IPv4 network? What is the purpose of the
netmask? Why is the network part of an IP address also called <em>
routing prefix</em>? </li>

<li> On any host, run <code> ifconfig </code> and <code> ip addr
show</code>. Both commands print the netmask of each network, but
in different ways. Explain which part of the output of the <code>
ip </code> command contains the netmask. </li>

Discuss the security implications of network services which are based
on MAC addresses or IP addresses alone.

Both the IP address and the MAC address are trivial to fake. So they
should never be used to authenticate a user or a device on a network
to which potential attackers have physical access, i.e., untrusted
devices can be connected.

Illustrate how <em> network address translation </em> (NAT) works
on the basis of a web search initiated from a desktop computer in a
local network and discuss the implications that NAT has on privacy.

<p> The desktop is configured to route packets which are not destined
for the local network through a dedicated machine, called the <em>
router</em>. In particular, all internet traffic is sent to the router.
The router has two IP addresses: one address in the local network
and a public NAT address. As traffic passes from the desktop through
the router to the web server in the internet, the source address of
each IP packet (the local address of the desktop) is changed on the
fly to the public NAT address of the router. The router tracks each
active connection. When a reply arrives at the router, it uses the
connection tracking data stored during the outbound phase to determine
the address in the local network to which to forward the reply. This
time it overwrites the destination address of the IP packet with the
local address of the desktop. </p>

<p> NAT can be seen as providing a kind of privacy mechanism because
machines on the internet cannot monitor which hosts are sending and
receiving traffic. They only see the NAT address. NAT has also
downsides though: Pinpointing the source of a problem becomes harder,
and encryption becomes more difficult. For example you cannot encrypt
the IP address because the router must be able to change it. </p>
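<p> The round trip described above, as an added C example that is not
part of the original text: a minimal connection tracking table rewrites
the source of outbound packets to the public address, maps the reply back
to the desktop, and drops inbound packets that no tracked connection asked
for. The addresses (192.168.1.0/24 for the local network, 203.0.113.1
as the public NAT address, 198.51.100.7 as the web server) and the port
numbers are constructed; the two public addresses are from the
documentation ranges of RFC 5737. Only IP addresses and ports are
modelled, no checksums or TCP state. </p>

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed addresses (RFC 5737 documentation ranges for the public side). */
#define LAN_NET   0xC0A80100u /* 192.168.1.0/24 */
#define LAN_MASK  0xFFFFFF00u
#define NAT_ADDR  0xCB007101u /* 203.0.113.1, the router's public address */
#define DESKTOP   0xC0A8010Au /* 192.168.1.10 */
#define WEBSERVER 0xC6336407u /* 198.51.100.7 */
#define MAX_CONN  32

struct pkt { uint32_t src, dst; uint16_t sport, dport; };
struct step { struct pkt p; int verdict; }; /* a packet after translation plus 0 (ok) or -1 (dropped) */

struct conn {
	int used;
	uint32_t lan_ip, remote_ip;
	uint16_t lan_port, remote_port, nat_port;
};

struct nat { struct conn table[MAX_CONN]; uint16_t next_port; };

void nat_init(struct nat *n) { memset(n, 0, sizeof(*n)); n->next_port = 20000; }

/* Outbound: rewrite the source to the public address and record the connection. */
int nat_outbound(struct nat *n, struct pkt *p)
{
	struct conn *c = NULL, *free_slot = NULL;
	if ((p->src & LAN_MASK) != LAN_NET)
		return -1; /* only the local network is translated */
	for (int i = 0; i < MAX_CONN; i++) {
		struct conn *e = &n->table[i];
		if (e->used && e->lan_ip == p->src && e->lan_port == p->sport &&
		    e->remote_ip == p->dst && e->remote_port == p->dport) {
			c = e; break; /* existing connection: reuse its public port */
		}
		if (!e->used && !free_slot)
			free_slot = e;
	}
	if (!c) {
		if (!free_slot) return -1; /* tracking table full */
		c = free_slot;
		c->used = 1;
		c->lan_ip = p->src; c->lan_port = p->sport;
		c->remote_ip = p->dst; c->remote_port = p->dport;
		c->nat_port = n->next_port++; /* a fresh port on the public address */
	}
	p->src = NAT_ADDR;
	p->sport = c->nat_port;
	return 0;
}

/* Inbound: only a reply matching a tracked connection (public port, remote
 * address and remote port) is rewritten; anything else has no local
 * destination and is dropped. */
int nat_inbound(struct nat *n, struct pkt *p)
{
	if (p->dst != NAT_ADDR) return -1;
	for (int i = 0; i < MAX_CONN; i++) {
		struct conn *e = &n->table[i];
		if (e->used && e->nat_port == p->dport &&
		    e->remote_ip == p->src && e->remote_port == p->sport) {
			p->dst = e->lan_ip; p->dport = e->lan_port; return 0;
		}
	}
	return -1;
}

/* Replay the web request: stage 0 the request leaving the router, 1 the reply
 * coming back, 2 an unsolicited packet from another host to the same public
 * port, 3 a second request on the same connection. */
struct step nat_demo(int stage)
{
	struct nat n;
	struct step s;
	struct pkt request = { DESKTOP, WEBSERVER, 51000, 80 };
	nat_init(&n);
	s.p = request;
	s.verdict = nat_outbound(&n, &s.p);
	if (stage == 0) return s;
	struct pkt reply = { WEBSERVER, NAT_ADDR, 80, s.p.sport };
	if (stage == 1) { s.p = reply; s.verdict = nat_inbound(&n, &s.p); return s; }
	if (stage == 2) { s.p = reply; s.p.src = WEBSERVER + 2; s.verdict = nat_inbound(&n, &s.p); return s; }
	s.p = request;
	s.verdict = nat_outbound(&n, &s.p);
	return s;
}

int main(void)
{
	for (int i = 0; i < 4; i++) {
		struct step s = nat_demo(i);
		printf("stage %d: verdict %d, %08x:%u -> %08x:%u\n", i, s.verdict,
		       s.p.src, s.p.sport, s.p.dst, s.p.dport);
	}
	return 0;
}
```

Stage 2 is the side effect of connection tracking that the text does not
spell out: a packet from a host other than the web server finds no entry
and is dropped, so the desktop is never reached by inbound traffic it did
not initiate. This is also why the router, and not the desktop, is the only
host the web server ever sees.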
Run <code> tracepath wikipedia.org</code>. Explain how this command
works and how it can be used to identify networking problems.
SECTION(«Transport Layer»)

<p> The protocols of the transport layer provide message transfer
services which are on one hand independent of the underlying network
type, and on the other hand independent of the application. Different
network services running on the same host are distinguished by
<em>port numbers</em>, which are 16 bit identifiers. Several well
known port numbers are associated with specific applications.
The two dominant transport layer protocols on top of IP, TCP and UDP,
are discussed in the following subsections. </p>

SUBSECTION(«The User Datagram Protocol»)

<p> The <em> User Datagram Protocol </em> (UDP) is the simplest
transport-layer protocol, built as a thin layer on top of IP. For this
reason, it offers only the same best-effort service as IP itself. For
example, there is no detection of duplicate or reordered packets,
no protection against packet loss or network congestion. However,
UDP generates checksums to catch transmission errors. Being a
connectionless protocol, only minimal internal state about the
connection is maintained. This makes UDP suitable for applications
which need to avoid the overhead of setting up a TCP connection, or
in situations where on-time arrival is more important than reliability. </p>

SUBSECTION(«The Transmission Control Protocol»)

<p> The <em> Transmission Control Protocol </em> (TCP) provides reliable,
ordered delivery of a stream and a classic window-based congestion
control. In contrast to UDP, TCP provides a stream which is independent
of any packet boundaries. TCP is used extensively by many applications.
Besides HTTP (the Hypertext Transfer Protocol), also FTP (the File
Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and SSH (Secure
Shell) sit on top of TCP. </p>

<li> Check <code> /etc/services </code> and find the TCP port
numbers for http (web), ssh and smtp (email).

<li> Run <code> ls /proc/sys/net/ipv4/udp* </code> and <code> ls
/proc/sys/net/ipv4/tcp* </code> to see the available UDP and TCP
parameter settings, and to compare the complexity of UDP and TCP. </li>

<li> Run <code> netstat -pant </code> to see active TCP sockets. </li>

<li> Run <code> nmap localhost </code> to determine the listening

<li> Run netcat in TCP listening mode: <code> nc -l $((19853 +
UID))</code>. Invite your neighbour to chat with you by connecting
to your netcat process. </li>

<li> Read section 3.1 of RFC 793 (Transmission Control Protocol,
1981) to get an idea of the format of a TCP header, particularly the
control bits called ACK, RST, SYN and FIN. </li>

<li> The name "SYN" for one of the control bits of the TCP header
stands for <em> synchronize</em>. What is being synchronized when
this bit is set? And why does it need to be synchronous in the first

<li> Make yourself familiar with the 3-way TCP handshake also described
in RFC 793. Why is it called a 3-way handshake? </li>

<li> Run <code> ip tcpmetrics </code> to see recent TCP peers and
discuss the output. </li>

<li> UDP is said to be <em> datagram-oriented</em> while TCP is <em>
stream-oriented</em>. Define both terms and explain the implications
for application writers. </li>

<li> Explain how TCP achieves its goal of controlling the transmission

<li> Explain how the "SYN flooding" denial-of-service attack works and
how SYN cookies mitigate this attack. </li>

<li> Explain the idea behind TFO (TCP fast open). </li>

<li> In contrast to TCP, UDP is a <em> connectionless </em> protocol. In
particular, there is no handshake necessary to establish a
connection. Describe the pros and cons of this fact. </li>

<li> Explain, in no more than two sentences, the idea behind a port

<li> What's a half-open TCP connection? What's a half-open TCP
port scan? Explain why half-open TCP port scans are reasonably

<li> Express your opinion on whether performing an unsolicited TCP
port scan should be considered a criminal act. </li>
SECTION(«Application Layer»)

<p> Application layer protocols define how the server side of a network
service communicates with clients that connect to the server by
connecting to a specific TCP or UDP port. Services are often associated
with port numbers which can be registered at the <em> Internet Assigned
Numbers Authority </em> (IANA). </p>

<p> Examples for application layer protocols which are employed on top of
TCP are the <em> Hypertext Transfer Protocol </em> (HTTP, port 80)
and the <em> Secure Shell Protocol </em> (SSH, port 22). On top of
UDP sit the <em> Domain Name System </em> (DNS, port 53), the <em>
Dynamic Host Configuration Protocol </em> (DHCP, ports 67 and 68)
and the <em> Network Time Protocol </em> (NTP, port 123). </p>

<p> We won't discuss any specific application layer protocols here. Instead,
we look at some client programs. </p>

SUBSECTION(«The Name Service Switch»)

<p> Every Unix system needs a couple of (usually small) system databases
for proper operation. Besides the user database, there are other
databases for Unix group membership, the known hosts, network
protocols, and more. Traditionally, there was only a single source for
this information in the form of a configuration file per database, for
example <code> /etc/hosts</code> for the hosts database. The format of
each database file is described in the POSIX standard and in section
5 of the user manuals. This approach works well if the databases
and the number of hosts which need to share the same databases are
small. Larger organizations, however, have a need to maintain this
information centrally by means of some network service. The <em>
Lightweight Directory Access Protocol </em> (LDAP) and the <em>
Domain Name System </em> (DNS) are popular choices for the user
and the host/domain databases. Often the entries of the centralized
network database have to be merged with the entries of the local file
in <code> /etc</code>. This calls for a flexible method which lets the
administrator specify the sources of information and the search order.
Sun Microsystems came up with a clean solution to this problem named
<em> Name Service Switch </em> (NSS) for the Solaris operating system.
This solution was ported to most other Unix operating systems. The
implementation used on GNU/Linux systems is part of the <em> GNU
C Library </em> (glibc). The central configuration file for NSS is
<code> /etc/nsswitch.conf</code>. </p>

SUBSECTION(«Advanced SSH Features»)

<p> SSH, the <em> secure shell</em>, is a popular client/server software
package for logging into a remote machine. The name is a little
misleading, though. For one, SSH is not a shell; it merely provides
a method to <em> run </em> a shell. Second, it can do much more than
just log in and start the shell. It features a secure encrypted
communication channel between two hosts, and this channel can be
utilized in interesting ways on both ends. In the exercises we look
at TCP port forwarding, some useful configuration options, and public
key authorization. </p>

<li> Inspect <code> /etc/resolv.conf </code> to get the IP address
of your nameserver(s). Then run <code> dig @$IP $DOMAIN MX </code>
where <code> $IP </code> is the nameserver IP address, and <code>
$DOMAIN </code> is the domain of your email address, e.g. <code>
tuebingen.mpg.de</code>. Determine the hostname of the mail server
from the output and run <code> nc $MAILHOST 25 </code> to send a mail
to yourself. Hint: <code> HELO $MAILHOST</code>, <code> mail from:
<$LOGNAME@$DOMAIN></code>, <code> rcpt to: <$LOGNAME@$DOMAIN></code>,
<code> data</code>. </li>

<li> Edit <code> /etc/passwd</code>, <code> /etc/shadow</code>,
and <code> /etc/group </code> to manually create a user account.
Use the <a href="«#»cryptout.c">cryptout</a> program below to
generate the second field of <code> /etc/shadow </code> containing
the encrypted password. </li>

<li> Understand the <code> hosts </code> line in <code>
/etc/nsswitch.conf</code>. </li>

<li> Does <code> host $HOSTNAME </code> always print the same IPv4
address as <code> ping $HOSTNAME</code>? </li>

<li> Run <code> nc localhost 22 </code> to determine the SSH server

<li> Forward the TCP port 12345 of your local machine to an
internal server using ssh's <code> -L </code> option for local port
forwarding. Check that you can log in with <code> ssh -p 12345
localhost</code>. </li>

<li> Search the <code>ssh_config(5)</code> man page for <code>
NoHostAuthenticationForLocalhost </code> and ponder if it is a good
idea to set this to <code> yes</code>. </li>

<li> Add <code> Host </code> and <code> Hostname </code> entries
to your ssh config file so that you can log in with <code> ssh
hostname</code>, even though <code> hostname </code> does not resolve
on your local network. </li>

<li> Create an ssh key pair and add the public part so that you can
log in without specifying a password. Discuss the security implications

<li> In an ssh session, type <code> ~C </code> to open the ssh command
prompt. Use a suitable <code> -L </code> command to add a local port
forward to the existing connection. Type <code> ~? </code> to see
the available escape sequences. </li>

<li> Add the lines <code> Host *.eb.local </code> and <code> ProxyJump
cgw.tuebingen.mpg.de </code> to your ssh config file. Then type <code>
ssh olt.eb.local</code>. Check <code> ssh(1) </code> to learn how

Explain the difference between local and remote port forwarding. Give
a typical example for either type of forwarding.
SECTION(«The Netlink Messaging System»)

<p> The various layers and protocols discussed earlier in this chapter
dealt with the communication between hosts which are connected by
a network. The Linux-specific <em>Netlink Interface</em>, however,
does not fit into this picture because it is a messaging system
for passing network-related information between the kernel and a
user space program, and vice-versa. Among other uses, tools like
<code>ip(8)</code> and <code>ifconfig(8)</code> employ Netlink
to configure network devices. Netlink is implemented on top of the
socket infrastructure, so the communication link between a user space
program and the kernel is established by means of the usual system calls
<code>socket(2)</code>, <code>bind(2)</code>, <code>connect(2)</code>,
and messages are transferred by calling <code>sendmsg(2)</code>
and <code>recvmsg(2)</code>. </p>

<p> There are several <em>netlink families</em> which select the
kernel subsystem to communicate with. We shall only be concerned
with the <code>NETLINK_ROUTE</code> family, which is used to
modify network routes, IP addresses, and more. The details of
<code>NETLINK_ROUTE</code> are described in <code>rtnetlink(7)</code>
while <code>netlink(7)</code> covers the general interface and the
currently assigned families. </p>

<p> A Netlink message starts with a 16 byte header as defined by
<code>struct nlmsghdr</code>. To report errors to userspace, Netlink
provides a message type that encapsulates an error header defined
by <code>struct nlmsgerr</code>. Both structures are declared
in <code>include/linux/netlink.h</code>. Full Netlink messages,
including the Netlink header, are transferred. Therefore the user space
program has to implement a parser for both regular Netlink messages
and Netlink error messages, as well as a primitive for setting up
properly formatted Netlink messages to be sent to the kernel. Several
user space libraries aim to help the programmer with this repetitive
and error-prone task, the <em>minimalistic Netlink library</em>
(libmnl) being the most popular one. </p>
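<p> As an added example (not part of the original chapter and not libmnl
code), the C program below shows the two pieces of user space work just
described: assembling a properly formatted <code>NETLINK_ROUTE</code>
request and parsing a reply buffer that may contain regular messages, an
<code>NLMSG_ERROR</code>, or an <code>NLMSG_DONE</code>. It relies on the
<code>NLMSG_*</code> macros and structures from <code>linux/netlink.h</code>
and <code>linux/rtnetlink.h</code>, so it compiles on Linux only. No socket
is opened; the replies it parses are constructed in the program to stand
in for what <code>recvmsg(2)</code> would deliver. </p>

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Build an RTM_GETLINK dump request (what "ip link show" sends) into buf.
 * Returns the message length, or 0 if buf is too small. */
size_t build_getlink_request(unsigned char *buf, size_t bufsize, uint32_t seq)
{
	size_t len = NLMSG_LENGTH(sizeof(struct ifinfomsg)); /* 16-byte header + payload */
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct ifinfomsg *ifi;
	if (bufsize < len) return 0;
	memset(buf, 0, len);
	nlh->nlmsg_len = len;
	nlh->nlmsg_type = RTM_GETLINK;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
	nlh->nlmsg_seq = seq;
	nlh->nlmsg_pid = 0; /* destination port id 0 is the kernel */
	ifi = NLMSG_DATA(nlh);
	ifi->ifi_family = AF_UNSPEC;
	return len;
}

struct parse_result {
	int data_msgs; /* regular (non-control) messages seen */
	int error;     /* positive errno carried by an NLMSG_ERROR, 0 for ACK or none */
	int done;      /* NLMSG_DONE terminated a dump */
	int truncated; /* a header claimed more bytes than the buffer holds */
};

/* Walk a buffer of Netlink messages as recvmsg(2) would deliver them.
 * NLMSG_OK verifies that a header fits and that nlmsg_len lies within the
 * remaining bytes before anything is read, so a truncated or malformed
 * message is never parsed past the end of the buffer. len is an int, as in
 * netlink(3), so that NLMSG_NEXT cannot wrap it around below zero. */
struct parse_result parse_reply(const unsigned char *buf, int len)
{
	struct parse_result r = {0, 0, 0, 0};
	const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
	for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
		if (nlh->nlmsg_type == NLMSG_NOOP) continue;
		if (nlh->nlmsg_type == NLMSG_DONE) { r.done = 1; return r; }
		if (nlh->nlmsg_type == NLMSG_ERROR) {
			const struct nlmsgerr *err;
			if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*err))) {
				r.truncated = 1; /* too short to contain struct nlmsgerr */
				return r;
			}
			err = NLMSG_DATA(nlh);
			r.error = -err->error; /* the kernel reports a negative errno; 0 is an ACK */
			return r;
		}
		r.data_msgs++;
	}
	if (len > 0) r.truncated = 1; /* leftover bytes that do not form a complete message */
	return r;
}

/* Append one message with its payload at the aligned offset; returns the new offset. */
static size_t put_msg(unsigned char *buf, size_t off, uint16_t type, const void *payload, size_t plen)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)(buf + off);
	memset(nlh, 0, NLMSG_SPACE(plen));
	nlh->nlmsg_len = NLMSG_LENGTH(plen);
	nlh->nlmsg_type = type;
	memcpy(NLMSG_DATA(nlh), payload, plen);
	return off + NLMSG_SPACE(plen);
}

/* Constructed replies, not captured from a kernel: 0 = dump of two links followed
 * by NLMSG_DONE; 1 = NLMSG_ERROR carrying ENODEV; 2 = the dump cut off mid-message. */
struct parse_result parse_sample(int which)
{
	unsigned char buf[256];
	size_t off = 0;
	struct ifinfomsg ifi = {0};
	struct nlmsgerr err = {0};
	int zero = 0;
	if (which == 1) {
		err.error = -ENODEV;
		off = put_msg(buf, off, NLMSG_ERROR, &err, sizeof(err));
		return parse_reply(buf, (int)off);
	}
	ifi.ifi_index = 1; off = put_msg(buf, off, RTM_NEWLINK, &ifi, sizeof(ifi));
	ifi.ifi_index = 2; off = put_msg(buf, off, RTM_NEWLINK, &ifi, sizeof(ifi));
	off = put_msg(buf, off, NLMSG_DONE, &zero, sizeof(zero));
	return parse_reply(buf, which == 2 ? (int)off - 8 : (int)off);
}

int main(void)
{
	unsigned char req[64];
	size_t n = build_getlink_request(req, sizeof(req), 1);
	struct parse_result r = parse_sample(0);
	printf("request: %zu bytes; dump reply: %d messages, done=%d, error=%d\n", n, r.data_msgs, r.done, r.error);
	return 0;
}
```

The request is 32 bytes: the 16 byte <code>struct nlmsghdr</code> followed
by a 16 byte <code>struct ifinfomsg</code>. The truncated sample keeps the
two link messages intact but cuts the <code>NLMSG_DONE</code> short; the
parser reports both messages and flags the leftover bytes instead of
reading past the buffer, which is the check a hand-written parser most
often forgets.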
SUBSECTION(«cryptout.c»)

#include <stdlib.h>
#include <crypt.h>
#include <stdio.h>
#include <sys/random.h>
/* The 64 characters permitted in a crypt(3) salt; "rnd & 63" selects one of them. */
static const char set[] =
	"abcdefghijklmnopqrstuvwxyz"
	"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	"0123456789./";

int main(int argc, char **argv)
{
	unsigned char rnd[2];
	char salt[3], *result; /* two salt characters plus the NUL that crypt(3) expects */
	if (argc != 2) {
		fprintf(stderr, "usage: %s <password>\n", argv[0]);
		exit(EXIT_FAILURE);
	}
	if (getrandom(rnd, 2, 0) < 0)
		exit(EXIT_FAILURE);
	salt[0] = set[rnd[0] & 63];
	salt[1] = set[rnd[1] & 63];
	salt[2] = '\0';
	result = crypt(argv[1], salt); /* a two-character salt selects the legacy DES scheme */
	if (!result)
		exit(EXIT_FAILURE);
	printf("%s\n", result);
	return EXIT_SUCCESS;
}