Networking - kamialie/knowledge_corner GitHub Wiki

Kerberos is a network authentication protocol that uses secret key cryptography to provide authentication of credentials sent over the network.

CORS (Cross-Origin Resource Sharing). An origin is the combination of scheme (protocol), host (domain) and port. Web browsers block requests to a different origin unless the required headers are provided, notably Access-Control-Allow-Origin.

Origin is the website that the client is visiting, while the cross origin is an address that the origin asked the client to request some resources from (backend, images, etc.). The client makes a preflight request to the cross origin (OPTIONS on the root path, with the Origin header set to the origin address), and the cross origin has to respond with Access-Control-Allow-Origin set to the origin and Access-Control-Allow-Methods listing the allowed methods.
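Worked example of the preflight exchange described above, added here and not part of the original notes: the server side checks the Origin header against an explicit allowlist and only then answers with the two Access-Control headers. The allowlist, the method set and the sample headers are constructed values.

```python
# Added example (not from the original notes): a minimal CORS preflight
# handler. The browser sends OPTIONS with an Origin header and the method it
# wants to use; the cross-origin server answers with
# Access-Control-Allow-Origin and Access-Control-Allow-Methods.
# ALLOWED_ORIGINS and ALLOWED_METHODS are made-up values for illustration.
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT"}


def handle_preflight(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the CORS response headers for an OPTIONS preflight, or None.

    None means: emit no Access-Control-* headers at all, so the browser
    blocks the cross-origin request. The Origin value is compared against
    the allowlist and echoed back only on an exact match; the requested
    method must also be one the server actually allows.
    """
    origin = headers.get("Origin")
    requested = headers.get("Access-Control-Request-Method", "").upper()
    if origin not in ALLOWED_ORIGINS:
        return None
    if requested not in ALLOWED_METHODS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        # Tell caches that the answer depends on the Origin header.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed preflight from an allowed origin asking to POST.
    print(handle_preflight({"Origin": "https://app.example.com",
                            "Access-Control-Request-Method": "POST"}))
    # Constructed preflight from an unknown origin: no CORS headers at all.
    print(handle_preflight({"Origin": "https://other.example.net",
                            "Access-Control-Request-Method": "GET"}))
```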

Unicast IP - one server holds one IP address

Anycast IP - all servers hold the same IP address; the client is routed to the nearest one

https://ipaddressguide.com/cidr

Classless Inter-Domain Routing (CIDR) defines IP ranges based on network masks.

Networking

X.509 (SSL/TLS)

SNI (Server Name Indication) - solves the problem of loading multiple certificates onto one web server to serve multiple websites. Requires the client to indicate the hostname of the target server in the initial SSL/TLS handshake; the server then finds the correct certificate or returns the default one.

Standards

IEEE - professional association which, among other things, created many standards for many technologies

  • 802 - LAN technologies
  • 802.3 - Ethernet
  • 802.11 - WiFi

Cables

UTP cables:

  • straight through - connects a device to a switch (the other end reverses the transmit and receive logic)
  • crossover - (old way) connects switch to switch or device to device

Auto-MDIX detects the cable type and adapts if needed.

Operation modes:

  • full duplex (send and receive at the same time)
  • half duplex (one at a time)

Fiber cabling correspondingly comes in two types: single-core and dual-core.

Internet models

OSI stack:

TCP/IP (original, RFC 1122):

  • Application
  • Transport
  • Internet
  • Link

TCP/IP (current):

  • Application
  • Transport
  • Network
  • Data link
  • Physical

IP addressing

IPv4 classes:

  • A - first bit always 1, 3 octets for hosts
  • B - first two bits always 11, 2 octets for hosts
  • C - first three bits always 100, 1 octet for hosts
  • D - special purpose
  • E - special purpose

CIDR (Classless Inter Domain Routing) - using masks to determine host and network parts

VLSM (Variable Length Subnet Mask)

Broadcast address - all host bits are set (last address); special case 255.255.255.255 when a host doesn't know its IP address yet; routers do not forward broadcast, but they do forward multicast

Network address - all host bits are cleared (first address)
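Worked example (added here, not part of the original notes): network and broadcast addresses of a CIDR block computed with bit operations, so the rule above (host bits all cleared vs. all set) is visible in the arithmetic. The addresses used in the classification helper are constructed samples.

```python
# Added example (not from the original notes): network and broadcast
# addresses derived from the mask with bit operations, so the "host bits
# cleared" / "host bits set" rule is visible in the arithmetic.
from typing import Tuple


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: the first `prefix` bits are network bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr: str) -> Tuple[str, str, int]:
    """Return (network address, broadcast address, usable host count)."""
    ip, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    network = ip_to_int(ip) & mask                 # all host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)     # all host bits set
    usable = max(broadcast - network - 1, 0)       # minus network and broadcast
    return int_to_ip(network), int_to_ip(broadcast), usable


def classify(cidr: str, ip: str) -> str:
    """Role of `ip` inside `cidr`: 'network', 'broadcast', 'host' or 'outside'."""
    network, broadcast, _ = subnet_info(cidr)
    n, b, x = ip_to_int(network), ip_to_int(broadcast), ip_to_int(ip)
    if x < n or x > b:
        return "outside"
    if x == n:
        return "network"
    if x == b:
        return "broadcast"
    return "host"
```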

RFC 1918 - private addresses

  • 10.0.0.0 /16
  • 172.16.0.0 /20
  • 192.168.0.0 /24

TCP/UDP

TCP (RFC 793)

3-way handshake initialization:

  • port numbers
  • ISN (initial sequence number) - random for security purposes
  • window size - how many bytes (and thus segments) can be sent before an acknowledgement is required

Window size can adapt to network performance: with fewer dropped segments a bigger window can be set for the next acknowledgement, and vice versa. The receiver can also set the window size to zero to indicate to the sender that it is overwhelmed, effectively pausing transmission.

UDP (RFC 768)

5-tuple (uniquely identifies a connection):

  • local ip
  • local port
  • remote ip
  • remote port
  • protocol

Ethernet

MAC address is 48 bits long:

  • first 24 - Organizationally Unique Identifier (OUI), assigned by IEEE
  • second 24 - vendor assigned

ffff.ffff.ffff - broadcast address

There are many multicast addresses (look up)

Carrier Sense Multiple Access (CSMA)

  • Collision Avoidance (CSMA/CA) - tries to determine when the network is idle, then sends the packet
  • Collision Detection (CSMA/CD) - when a collision is detected, the device waits a random amount of time before another attempt

Bridge functions:

  • flooding
  • learning
  • forwarding
  • filtering
  • aging

Switch operation modes (determined by manufacturer):

  • store and forward - get the full frame, then forward
  • cut through - wait just long enough to get the destination address, then forward immediately (no error checking performed)
  • fragment free - get and check the first 64 bits; if there is no error, forward everything immediately

CAM table

VLAN

Layer 2 technology, but other layers interact with it, e.g. layer 3. Typically one subnet per VLAN.

Each VLAN has a 12-bit ID (the first and last one are reserved).

VLAN tagging is used to split a large network into smaller VLANs. Multiple switches are connected to each other and use just a single physical connection (trunk link) to carry all VLANs. The sending switch adds a VLAN tag (ID) to the Ethernet frame before forwarding it to the other switch, which strips the tag out when it receives the frame.

Native VLAN is simply the VLAN that doesn't get a VLAN tag on the trunk port at the sending end and the one that untagged frames are assigned to at the receiving end. That's why it is crucial to set the same VLAN as native on both ends.

CDP is used by Cisco switches to learn info about each other (control traffic). LLDP is the vendor-neutral protocol for such control messages.

Routers also use a trunk port to connect multiple VLANs through a single connection. Subinterfaces are used to map each VLAN and configure them separately (a subinterface acts like a normal interface).

ACL

Access Control List - a prioritized list of entries used to permit or deny traffic. Each entry is called an ACE. There is a default implicit deny-all entry at the end. The first matching rule determines the action.

Example of extended ACL:

10 permit tcp any any eq 443
20 permit tcp 10.0.0.0 0.0.0.255 any eq 80
30 deny tcp any any eq 80
40 deny ip host 10.0.0.1 any
50 permit icmp any any

Rule 20 makes use of a wildcard mask, which specifies which part of the IP address is irrelevant (can match anything).
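Worked example (added here, not part of the original notes) that evaluates packets against the ACL above with first-match semantics: wildcard-mask bits set to 1 are ignored when comparing addresses, `ip` matches any protocol, and falling off the end of the list is the implicit deny. The packet values used in the checks are constructed.

```python
# Added example (not from the original notes): first-match evaluator for the
# extended ACL above, with wildcard-mask matching and the implicit deny.
from typing import List, Optional, Tuple
ACL_TEXT = """
10 permit tcp any any eq 443
20 permit tcp 10.0.0.0 0.0.0.255 any eq 80
30 deny tcp any any eq 80
40 deny ip host 10.0.0.1 any
50 permit icmp any any
"""
Addr = Tuple[int, int]  # (address, wildcard) as 32-bit ints
def ip_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_addr(tokens: List[str]) -> Addr:
    """Consume 'any', 'host X' or 'X WILDCARD'. Wildcard bit 1 = don't care."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return ip_int(tokens.pop(0)), 0
    return ip_int(tok), ip_int(tokens.pop(0))

def parse_acl(text: str) -> List[tuple]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto, rest = int(t[0]), t[1], t[2], t[3:]
        src, dst = parse_addr(rest), parse_addr(rest)   # src is consumed first
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append((seq, action, proto, src, dst, dport))  # one ACE per line
    return sorted(aces, key=lambda a: a[0])  # lowest sequence number first

def addr_matches(spec: Addr, ip: str) -> bool:
    care = ~spec[1] & 0xFFFFFFFF          # bits the ACE actually compares
    return (ip_int(ip) & care) == (spec[0] & care)

def evaluate(aces: List[tuple], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    for seq, action, ace_proto, s, d, port in aces:
        if ace_proto not in ("ip", proto):   # 'ip' matches every IP protocol
            continue
        if not (addr_matches(s, src) and addr_matches(d, dst)):
            continue
        if port is not None and port != dport:
            continue
        return action, seq                   # first match decides
    return "deny", None                      # implicit deny at the end
```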

Numbered ACLs:

  • 0-99 - IP standard ACL
  • 100 - 199 - IP extended ACL
  • 1300-1999 - IP standard ACL (extended)
  • 2000-2699 - IP extended ACL (extended)

ARP

Address Resolution Protocol is used to acquire MAC addresses in a LAN. The sender broadcasts a message that includes the IP address to match and where to send the response.

  • Reverse ARP (RARP) - to find the IP address matching a known MAC address
  • Gratuitous ARP (GARP) - a device informs the LAN about an IP change or simply announces its IP on bootup (also prevents IP conflicts)

DHCP

On initial connection a device sends a broadcast with a DHCP DISCOVER message that is received by the DHCP server (ports 67/68?). The server responds with an OFFER message containing the IP address it has reserved (a client can get multiple offers from multiple servers). The client then sends the REQUEST message (choosing between multiple offers if necessary) and the server finally allocates the IP address and responds with an ACKNOWLEDGEMENT message. This is an example of dynamic allocation, while static allocation means the DHCP server already had a reserved entry for the specific client.

The IP address has a lease period (included in the OFFER response), at the end of which the DHCP server puts the address back into the available pool. The client will attempt to renew the lease halfway through the period.

DHCP can also share extra info through options, like router (3) (default gateway), DNS server (6), domain name (15), TFTP server (150).

RFC 2131 - for details

DHCP relay is used when the DHCP server is behind a router (the broadcast message won't reach it). In this case the router's interface is configured to forward DHCP messages directly to the DHCP server on another network segment.

DNS

Translates human-friendly hostnames to IP addresses. Uses hierarchical naming structure - api.example.com -> example.com -> .com.

Zone file contains DNS records.

Fully Qualified Domain Name (FQDN) is the complete address of an internet host. It doesn't include the protocol (e.g. http); adding it gives a Uniform Resource Locator (URL).

| Name                | Example              |
|---------------------|----------------------|
| Root                | .                    |
| Top Level Domain    | .com.                |
| Second Level Domain | .example.com.        |
| Sub Domain          | .www.example.com.    |
| FQDN                | api.www.example.com. |
| Protocol            | http                 |

Hosted zone is a container of records that defines how to route traffic to a domain and its subdomains.

  • public - answers queries on the internet
  • private - available only within internal network

Record types:

| Type | Description |
|------|-------------|
| A | maps a hostname to IPv4 |
| AAAA | maps a hostname to IPv6 |
| CNAME (alias) | maps a hostname to another hostname (an A or AAAA record); does not work for the root domain |
| NS | name servers (IP address) that can respond to DNS queries for the hosted zone |
| C (CNAME, Alias) | another name that points to the A record (thus, same IP) |
| MX | Mail Exchange |
| SRV | points to hostnames and ports of servers providing a specific service |

All record types require TTL, except CNAME.

An authoritative name server acts as if it knows everything about a particular entry and will not ask other servers for info if it has no answer, while a non-authoritative one will.

The client sends a DNS lookup request to port udp/53. DNS entries are then cached on the client with a TTL, after which records are discarded. A recursive query is when a non-authoritative DNS server asks the next one in the chain, which takes over the process and does whatever is necessary to get the entry and return it to the DNS server that requested the info.

Root servers (13) are authoritative for the root namespace and have info about the DNS servers responsible for top-level domains (like .com, .org, etc.). This is an iterative query: the first DNS server asks the root servers about the root domain, then works through the other parts of the domain, until it finds the final server that holds the entry.

Routing and traffic forwarding

Routing Information Protocol (RIP); RIPv1 for classful IPs, RIPv2 for classless

Longest Prefix Match (LPM) - when two subnets (thus, routes) fit the address, the router chooses the most specific one (longest subnet mask)

Administrative Distance (AD) - any source of routing information (static, OSPF, RIP, etc.) has its AD value, which acts as a priority (the lower the value, the higher the priority); the route with the highest priority goes into the routing table
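Worked example (added here, not part of the original notes) combining the two rules above: Administrative Distance decides which source's route is installed for a given prefix, and Longest Prefix Match decides which installed route a destination uses. The route list and AD values (1 static, 110 OSPF, 120 RIP, the Cisco defaults) are constructed sample data.

```python
# Added example (not from the original notes): route selection combining the
# two rules above. Longest prefix match picks the most specific route; when
# several sources offer the same prefix, the lowest AD wins the table slot.
# The routes and AD values are constructed sample data (Cisco default ADs).
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, int, str, int]   # (network, prefix length, source, AD)

SAMPLE_ROUTES: List[Route] = [
    ("0.0.0.0", 0, "static", 1),       # default route
    ("10.0.0.0", 8, "rip", 120),
    ("10.0.0.0", 8, "ospf", 110),      # same prefix as RIP's, lower AD
    ("10.1.0.0", 16, "ospf", 110),
    ("10.1.2.0", 24, "static", 1),
]


def ip_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_mask(prefix: int) -> int:
    """/16 -> 0xFFFF0000; /0 yields 0, so the default route matches everything."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def build_table(candidates: List[Route]) -> List[Route]:
    """Install one route per prefix: the candidate with the lowest AD."""
    best: Dict[Tuple[str, int], Route] = {}
    for route in candidates:
        key = (route[0], route[1])
        if key not in best or route[3] < best[key][3]:
            best[key] = route
    return list(best.values())


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match: among matching routes, the longest mask wins."""
    d = ip_int(dst)
    match: Optional[Route] = None
    for route in table:
        net, plen = route[0], route[1]
        mask = prefix_mask(plen)
        if (d & mask) == (ip_int(net) & mask):
            if match is None or plen > match[1]:
                match = route
    return match
```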

Dynamic routing protocols:

  • distance vector (BGP, EIGRP, RIP) - collect info on nearby routes and hops, getting a distance (how far) and a vector (which direction)
  • link state (OSPF, IS-IS) - collect info about all routes and hops, build a full map of the network, maintain a database of the full network

Passive interface - does not send routing updates out of that interface. Best practice is to make passive the default on all interfaces and turn it off only on the desired ones.

Authentication can be added through the use of keychains, which will be used to validate incoming updates.

Split horizon - propagate a received route everywhere except the interface it was received from.

Convergence - recalculating paths when there is a change in the network

NAT

Dynamic NAT - the NAT device has a pool of available IPs and assigns one dynamically when a connection comes from the inside network (defined beforehand as an ACL).

Port Address Translation (PAT) rewrites port numbers in the layer-4 header.

With simple NAT translation all ports of the original host are exposed to the outside world. When the translation is defined with a port (PAT), only the specified port is translated.

Port overloading (masquerading, many-to-one NAT) - each connection opened by an inside device gets a unique port number, so many hosts can share one public IP.

NTP

Network Time Protocol (UDP/123)

NTP servers are organized into layers (stratums): stratum 0 is specialized hardware (atomic clocks), stratum 1 is the first level of NTP servers, stratum 2 is the next, and so on. The closer to stratum 0, the more accurate the time.

There are freely available NTP servers on the internet (pool.ntp.org).

Syslog

Severity levels:

  0. Emergency - system unusable
  1. Alert - action must be taken immediately
  2. Critical - critical conditions
  3. Error - error conditions
  4. Warning - warning conditions
  5. Notice - normal but significant conditions
  6. Informational - informational messages
  7. Debug - debug-level messages

SNMP

Simple Network Management Protocol

Two management options (a mixture of both can be used):

  • regular polling of all devices by management server (UDP/161)
  • SNMP traps - devices themselves send notifications about events worth reporting (UDP/162)

Management Information Base (MIB) is a hierarchy of information that describes the components of the device to manage. The MIB for a specific device can be downloaded and added to the SNMP server.

Object Identifier (OID) - the end point of the MIB, representing a particular metric. Can be represented as a dotted number, where each part corresponds to a level of the MIB hierarchy.

Community strings

  • plain text used to identify a group of devices; works pretty much like a password - the management server can access data on devices only with the correct community string, which is supplied along with the SNMP request. The "private" community string generally allows read-write access on the target device.

SNMP versions:

  • v1 - original
  • v2c - adds 64-bit counters (was 32 in v1)
  • v3 - adds encryption and authentication

Best practices:

  • use v3
  • if you have to use v2, change the default community strings
  • lock down IP that accepts SNMP requests (that is management server)
  • disable write access

STP

Spanning Tree Protocol operates at layer 2 (which doesn't have built-in loop prevention) and strategically disables the connection that creates a loop.

Bridge Protocol Data Unit (BPDU)

  • configuration BPDU - sent out by the root switch to learn about all switches around
  • [] - add later

In a Spanning Tree topology one switch is designated as root. It sends out configuration BPDUs (with its bridge ID), and all switches are then able to start making decisions. The port closer to the root is called the root port; the port on the other end of a link is the designated port. A port disabled by STP is called blocked. Blocking is done only on one end (the higher bridge ID) and is based on the link's cost (derived from speed). Each link has its cost, so the path with the biggest total cost to the root must be blocked.

Port come up process:

  • blocking (20s) - drops everything except BPDUs; the port is in blocking state
  • Listening (15s) - processes incoming BPDUs to learn about the network; the port becomes root, designated, or goes back to blocking
  • Learning (15s) - learns MAC addresses and builds the MAC address table
  • Forwarding - regular traffic can go through

Flavours:

  • Classic STP (802.1D)
  • Per-VLAN ST: PVST/PVST+ (Cisco)
  • Rapid ST: RSTP (802.1w)
  • Rapid Per-VLAN ST: RPVST+ (Cisco)
  • Multiple ST: MST (802.1s)

Tools

ifconfig.co, ifconfig.me return IP address of the calling host.

netstat

# List connections owned by processes, protocol used and connection status
$ netstat -ano

# List open (listening) ports
$ netstat -tulp

route

traceroute

-n saves time by disabling nameserver address-to-name lookup

curl

To send a specific Host header (as if the name resolved to this IP via DNS), pass it explicitly:

$ curl http://$IP:$PORT/<path> --header 'Host: <some_host>'

Test self-signed certificate without registered DNS record:

$ curl https://<custom_host>:$PORT/ --resolve <custom_host>:$PORT:$IP --insecure

Find out your public IP:

$ curl ifconfig.io

Certification

Learning resources
