Networking 102

Linux SysAdmin DeCal Fall 2018

Abizer Lokhandwala

Overview

  • Models of Networks
  • Addressing
  • Configuration Files
  • Network protocols
  • Sysadmin Tools

OSI Model

or CS 168 in 10 minutes

Conceptual Model of Network Architecture

Conceptual Model: OSI

  • Layers of Abstraction
    • Layers communicate with corresponding layer across hosts
    • Upper layers abstract lower layers, vice versa
  • Conceptual model, doesn’t always map to reality
    • Other models (e.g. TCP/IP) exist
  • Packet Path
    • Sending : top to bottom, app. -> physical
    • Receiving: bottom to top, phys. -> application

OSI Layers - Metal

  • Layer 1: physical media
    • copper cables, lasers, radio waves (standards: 802.11(a,b,g,n,ac), 802.3ae)
    • line codes (e.g. 8b/10b, 64b/66b) for clock recovery
  • Layer 2: data link layer
    • connection: one NIC to another
    • low-level hardware interface to physical media
    • “fixed” MAC address hardcoded into device
    • local routing: communication between physically-connected nodes
    • ARP, NDP

OSI Layers - Kernel

  • Layer 3 - Network Layer
    • connection: one logical host to another
    • logical addressing -> global routing
    • packet delivery between different local networks, no reliability guarantee
    • IP(v4|v6) are primary protocols, also ICMP, RIP, etc.
  • Layer 4 - Transport Layer
    • connection: one service (on a host) to another
    • options: reliable, connection-oriented transport (TCP), or connection-less (UDP)
    • multiplexes several services into a single logical address

OSI Layers - Application

  • Layer 5 - Session Layer
    • not commonly used outside of RPC
    • established common session information on top of reliable transport
  • Layer 6 - Presentation Layer
    • barely relevant anymore
  • Layer 7 - Application Layer
    • connection: application to application
    • e.g. your web browser speaks HTTP (application) to a web server it has connected to over TCP (transport) via IPv6 (network) on wifi (link/phys)

Layers and tools available at each

Layer 2: link layer network interface

  • Actual hardware* that lets you connect to a network
  • Port and cable (ethernet) or antenna (wifi)
  • may correspond to physical NICs or virtual devices, e.g. loopback interface, virtual bridge, etc.
  • associated with MAC address
  • On Linux, interfaces can be listed through ip link
    • eno1, ens5s0f1d1, wlp9s0…
    • systemd “predictable” interface naming

Network Interface Card or NIC

* or virtual

ip link

  1. lo: loopback interface, packets return to my machine
  2. wlp9s0: wifi antenna
  3. enp10s0: motherboard ethernet
  4. zt0/zt1: zerotier virtual private network interface devices

Fields in the ip link output:

  • MAC address
  • mtu: maximum transmission unit size
  • UP: logical interface is enabled in kernel
  • LOWER_UP: physical interface on, cable plugged in, L2 works

MAC Addresses and ARP

  • Media Access Control
    • hardware-level address that lets multiple physically-connected nodes address one another
    • 48 bits, 6 octets - 00:14:22:01:23:45 / broadcast address: ff:ff:ff:ff:ff:ff
    • first 3 octets are organization unique identifier (hw mfg)
  • ARP: Address Resolution Protocol
    • converts L3 (logical) address to L2 (link) address
    • allows interface between global routing and local routing
    • kernel caches 192.168.1.1 -> 1f:32:af:01:65:db, default 60s
    • on receiving a request to forward a packet to logical address with unknown phys addr, broadcast an ARP request on appropriate interface for next hop based on routing table

ARP subsystem

$ arp - look at entries in the system’s ARP table (or $ ip neigh)

useful commands: arp -e to show entries, arp -d to delete entries, arp -s to add new static entries

data actually in /proc/net/arp, /etc/ethers for static assignments
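
The slide says the ARP data lives in /proc/net/arp. The block below is an added example written for this page, not code from the deck: it parses a constructed /proc/net/arp snapshot into entries, pulls out the OUI (first 3 octets) and the completion flag, and compares two snapshots to report any IP whose resolved MAC changed, which is the check a sysadmin runs when the cache looks wrong. The MAC values and the table rows are made up; the 0x2 flag meaning (ATF_COM, resolution complete) is the kernel's.

```python
"""Added example: parse /proc/net/arp and compare snapshots (constructed data)."""
from collections import namedtuple

ArpEntry = namedtuple("ArpEntry", "ip hw_type flags mac mask device")

# Constructed sample in the kernel's /proc/net/arp column layout.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         1f:32:af:01:65:db     *        enp10s0
192.168.1.23     0x1         0x2         00:14:22:01:23:45     *        enp10s0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlp9s0
"""

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_FLAG_COMPLETE = 0x2   # ATF_COM: resolution finished; 0x0 means still pending


def parse_proc_net_arp(text):
    """Return a list of ArpEntry from /proc/net/arp-formatted text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "IP":   # skip header / odd lines
            continue
        ip, hw_type, flags, mac, mask, device = fields
        entries.append(ArpEntry(ip, int(hw_type, 16), int(flags, 16),
                                mac.lower(), mask, device))
    return entries


def is_complete(entry):
    """True when the kernel has a resolved MAC for this IP."""
    return bool(entry.flags & ARP_FLAG_COMPLETE)


def oui(mac):
    """First 3 octets = organizationally unique identifier (manufacturer)."""
    return ":".join(mac.lower().split(":")[:3])


def mac_to_bytes(mac):
    """48 bits, 6 octets: '00:14:22:01:23:45' -> 6 raw bytes."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("MAC must have 6 octets: %r" % mac)
    return bytes(int(o, 16) for o in octets)


def is_broadcast(mac):
    return mac.lower() == BROADCAST_MAC


def changed_mappings(before, after):
    """IPs whose resolved MAC differs between two snapshots of the table.
    Replaced hardware explains some changes; an unexplained one is worth
    investigating, which is why comparing snapshots is a routine check."""
    prev = {e.ip: e.mac for e in before if is_complete(e)}
    curr = {e.ip: e.mac for e in after if is_complete(e)}
    return {ip: (prev[ip], curr[ip])
            for ip in prev if ip in curr and prev[ip] != curr[ip]}


if __name__ == "__main__":
    for e in parse_proc_net_arp(SAMPLE_ARP):
        print(e.ip, e.mac, "complete" if is_complete(e) else "incomplete", oui(e.mac))
```

On a live system, read the file with open("/proc/net/arp").read() in place of SAMPLE_ARP; the incomplete entry (flags 0x0, all-zero MAC) is what you see while an ARP request is still outstanding.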

Interface Configuration

$ ip link - manage interfaces at L2

$ ip link set <iface> [up|down] - enable/disable logical interface

$ ip link [add|delete] <iface> type [type] - add/remove interfaces themselves, e.g. bridge or vlan virtual devices

static configuration (on Debian) lives in /etc/network/interfaces

/etc/network/interfaces

  • auto
    • activate on boot
  • iface [name] [family] [type]
    • address family
      • inet -> IPv4
      • inet6 -> IPv6
  • config type: static, DHCP
  • Additional configuration methods like [pre|post]-up

Layer 3: logical network layer

  • IP address - 192.168.1.1, 169.229.226.23
  • add logical addresses to L2 interfaces
  • Can have multiple logical addresses per L2 interface
  • Associate logical / L2 interface through bridge device to map multiple MAC/IP pairs into single phys iface
  • Use $ ip addr to see L3 information

IP Addresses

  • identify devices connected to an Internet Protocol network
  • IPv4 (32 bit) and IPv6 (128 bit) addresses
  • IPv4 addresses are written in CIDR format, delimited by a dot at each octet (byte)
    • 127.0.0.1 (decimal) / 01111111.00000000.00000000.00000001 (binary)
  • Partition block of addresses into networks via masks (format: ip_address/mask)
    • 169.229.226.0/24
    • mask indicates number of bits to identify network
    • remaining bits identify a host within the network
  • Broadcast IP 255.255.255.255 / 11111111.11111111.11111111.11111111

Managing L3 Addresses

$ ip addr [iface] - show all L3 info / on a specific iface

$ ip addr [add|del] addr/mask dev iface - add/delete an address to an interface

$ ip [-6] route - show routing table

$ ip [-6] route [add|del|replace] [default] via [address] [dev] dev - add/remove routes to kernel routing table

CIDR walkthrough

  • We have 12.4.0.1/15
  • 12.4.0.0 is the network address (Network Address = IP Address & Mask)
  • 15 is the mask
  • Network Prefix, identifies the network that an IP address is on
  • Host Bits, identifies the host within the network
  • Is 12.5.4.1 in this network? Yes
  • Is 12.6.4.2 in this network? No
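
The walkthrough above and the IP Addresses slide before it both come down to one operation, Network Address = IP Address & Mask. This added example (written for this page, not part of the slides) does that arithmetic by hand on the deck's own values, 12.4.0.1/15 with the two membership questions and 169.229.226.0/24, and derives the mask, broadcast address and host-bit count from the prefix; the standard ipaddress module appears only as a cross-check of the hand-rolled result.

```python
"""Added example: CIDR arithmetic with the bit operations the kernel uses."""
import ipaddress   # used only to cross-check the hand-rolled arithmetic


def ip_to_int(dotted):
    """'12.4.0.1' -> 0x0C040001; validates four octets in 0..255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """127.0.0.1 -> 01111111.00000000.00000000.00000001 (the slide's example)."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))


def prefix_to_mask(prefix):
    """/15 -> 0xFFFE0000 (255.254.0.0): the leading `prefix` bits are ones."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(cidr):
    """Network prefix, host bits and derived addresses for ip/prefix."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    addr, mask = ip_to_int(ip), prefix_to_mask(prefix)
    host_mask = ~mask & 0xFFFFFFFF            # the remaining (host) bits
    network = addr & mask                      # Network Address = IP & Mask
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(network | host_mask),   # all host bits set
        "host_bits": 32 - prefix,
        "usable_hosts": max((1 << (32 - prefix)) - 2, 0),
    }


def in_network(ip, cidr):
    """True when ip & mask equals the network address of cidr."""
    net_ip, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    return ip_to_int(ip) & mask == ip_to_int(net_ip) & mask


def cross_check(cidr):
    """Compare the hand-rolled arithmetic with the standard library."""
    net = ipaddress.ip_network(cidr, strict=False)
    d = describe(cidr)
    return (d["network"], d["broadcast"]) == (str(net.network_address),
                                              str(net.broadcast_address))


if __name__ == "__main__":
    print(describe("12.4.0.1/15"))
    for host in ("12.5.4.1", "12.6.4.2"):
        print(host, "in 12.4.0.1/15:", in_network(host, "12.4.0.1/15"))
```

The two questions from the slide resolve to Yes and No because 5 & 0xFE is still 4 (the last prefix bit of the second octet is clear) while 6 & 0xFE is 6.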

Dynamic Host Configuration Protocol

  • DHCP - a way for devices to receive IPv4 configuration info from network itself
  • IP addresses “leased” from DHCP server to prevent collision, needs to renew
  • IPv6 has multiple equivalents: SLAAC, DHCPv6, etc.
  • When client requests DHCP, it does an L3/L2 broadcast, and DHCP server returns:
    • An IPv4 address
    • Network Mask
    • Address of first hop (gateway)
    • Possibly, DNS servers for use in local domain

DHCP Tools

$ dhcpcd <iface> (IPv4 and IPv6)

$ dhclient [-4|-6] iface (deprecated, but still useful in specific cases)

dhcpcd starts a daemon that will attempt to renew leases, so in order to re-dhcp, the daemon needs to be restarted or reloaded

Domain Name System

  • DNS: map human-friendly names to IP addresses
  • DNS resolver sends DNS query to DNS server to get IP address for name
  • Resolution takes place right to left, growing in specificity
  • Resolve nyx.ocf.berkeley.edu.
    • 13 root servers hardcoded into every machine to seed request
    • query root server, returns authoritative server address for .edu. zone
    • query .edu zone server, returns address of berkeley.edu zone authority
    • query .berkeley.edu NS, returns address of ocf.berkeley.edu NS (ns.ocf.berkeley.edu)
    • query ns.ocf.berkeley.edu for nyx.ocf.berkeley.edu, get 169.229.226.231

DNS Records

  • DNS data stored in form of Resource Records (RR).
  • RR are a tuple of (name, value, type, TTL)
  • A records - maps hostname to IPv4 address
    • name = hostname
    • value = IP address
  • NS records - authoritative nameserver for zone
    • name = domain
    • value = name of DNS server for domain
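
The resolution walk for nyx.ocf.berkeley.edu. on the previous slide and the (name, value, type, TTL) resource records above fit together in one small iterative resolver, added here as an example (not code from the deck). The zone table is constructed: the nameserver names other than ns.ocf.berkeley.edu, and all glue addresses (from the 192.0.2.0/24 documentation range), are made up, and only the final A record 169.229.226.231 is the value the slide quotes. A real resolver would send each query over UDP port 53 to the glue address instead of indexing a dict.

```python
"""Added example: iterative DNS resolution over constructed zone data."""
from collections import namedtuple

RR = namedtuple("RR", "name value type ttl")   # the slide's RR tuple

# Constructed zone data: each server holds NS records for the zones it
# delegates plus A records ("glue") for those nameservers.
ZONES = {
    "a.root-servers.net.": [
        RR("edu.", "a.edu-servers.net.", "NS", 172800),
        RR("a.edu-servers.net.", "192.0.2.1", "A", 172800),
    ],
    "a.edu-servers.net.": [
        RR("berkeley.edu.", "ns.berkeley.edu.", "NS", 172800),
        RR("ns.berkeley.edu.", "192.0.2.2", "A", 172800),
    ],
    "ns.berkeley.edu.": [
        RR("ocf.berkeley.edu.", "ns.ocf.berkeley.edu.", "NS", 3600),
        RR("ns.ocf.berkeley.edu.", "192.0.2.3", "A", 3600),
    ],
    "ns.ocf.berkeley.edu.": [
        RR("nyx.ocf.berkeley.edu.", "169.229.226.231", "A", 300),
    ],
}
ROOT_HINT = "a.root-servers.net."   # stands in for the 13 hard-coded roots


def query(server, name, rtype):
    """Ask one server for records of one name/type; [] if it has none."""
    return [rr for rr in ZONES.get(server, [])
            if rr.name == name and rr.type == rtype]


def zone_chain(fqdn):
    """Zones right to left, growing in specificity:
    nyx.ocf.berkeley.edu. -> edu., berkeley.edu., ocf.berkeley.edu., nyx..."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve(fqdn, max_steps=16):
    """Follow NS referrals from the root; return (address, servers_asked)."""
    if not fqdn.endswith("."):
        fqdn += "."
    server, trail = ROOT_HINT, []
    for _ in range(max_steps):
        trail.append(server)
        answer = query(server, fqdn, "A")
        if answer:
            return answer[0].value, trail
        # No answer here: take the most specific zone this server delegates.
        referral = None
        for zone in reversed(zone_chain(fqdn)):
            ns = query(server, zone, "NS")
            if ns:
                referral = ns[0].value
                break
        if referral is None:
            raise LookupError("no referral for %s at %s" % (fqdn, server))
        if not query(server, referral, "A"):
            raise LookupError("no glue address for %s" % referral)
        server = referral          # next query goes to the glue address
    raise LookupError("too many referrals resolving %s" % fqdn)


if __name__ == "__main__":
    addr, asked = resolve("nyx.ocf.berkeley.edu")
    print(addr, "via", " -> ".join(asked))
```

The trail the function returns is the four-hop path from the slide: root, the .edu servers, the berkeley.edu NS, then ns.ocf.berkeley.edu answering with the A record. The max_steps guard is what stops a misconfigured delegation loop from running forever.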

DNS Tools

$ dig <domain>

$ host <domain>

--

$ rndc reload (reload bind9 zones)

$ nscd -i hosts (flush local DNS cache)

DNS files

  • /etc/hosts
    • statically associate IP addresses with hostnames
    • ip_address canonical_hostname [aliases]
    • 31.13.70.36 www.facebook.com fb ZuccBook myspace.com
    • this is where ‘localhost’ is mapped to 127.0.0.1
  • /etc/resolv.conf
    • configures libc DNS resolver
    • one search domain, 3 nameservers, and any number of options
    • nameserver <ip_address>
    • domain <domain_name> vs search <domain_names>
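
To make the two files concrete, here is an added example (written for this page, not taken from the deck) that parses constructed copies of /etc/hosts and /etc/resolv.conf the way the libc resolver reads them and then answers a lookup in the usual "files, then dns" order. It keeps the three-nameserver limit the slide mentions (glibc's MAXNS), treats domain as a one-entry search list with the last directive winning, and applies the default ndots:1 rule when building candidate names. The file contents, including the nameserver address 169.229.226.22, are constructed for the example; the facebook/myspace line is the slide's own.

```python
"""Added example: /etc/hosts and /etc/resolv.conf parsing (constructed data)."""

SAMPLE_HOSTS = """\
# constructed /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost
31.13.70.36     www.facebook.com fb ZuccBook myspace.com
169.229.226.231 nyx.ocf.berkeley.edu nyx   # trailing comment
"""

SAMPLE_RESOLV = """\
# constructed /etc/resolv.conf
search ocf.berkeley.edu berkeley.edu
nameserver 169.229.226.22
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 9.9.9.9
options timeout:2 attempts:3
"""

MAXNS = 3   # glibc reads at most three nameserver lines; the rest are ignored


def parse_hosts(text):
    """{name (lowercased): ip}; the first matching line wins, as in the
    files backend, so later duplicates do not override earlier ones."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def parse_resolv(text):
    conf = {"nameservers": [], "ignored_nameservers": [], "search": [], "options": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            target = "nameservers" if len(conf["nameservers"]) < MAXNS else "ignored_nameservers"
            conf[target].append(args[0])
        elif key == "domain" and args:
            conf["search"] = [args[0]]          # domain = single-entry search list
        elif key == "search":
            conf["search"] = args               # domain/search: last one wins
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                conf["options"][name] = value or True
    return conf


def candidate_names(name, search, ndots=1):
    """ndots rule: a name with fewer than ndots dots tries the search list
    first and the bare name last; otherwise the bare name goes first."""
    name = name.rstrip(".")
    with_search = ["%s.%s" % (name, d) for d in search]
    if name.count(".") >= ndots:
        return [name] + with_search
    return with_search + [name]


def lookup(name, hosts, conf):
    """Emulate 'hosts: files dns': consult /etc/hosts for each candidate,
    otherwise report the name and nameserver a DNS query would use."""
    cands = candidate_names(name, conf["search"])
    for cand in cands:
        if cand.lower() in hosts:
            return ("files", cand, hosts[cand.lower()])
    first_ns = conf["nameservers"][0] if conf["nameservers"] else None
    return ("dns", cands[0], first_ns)


if __name__ == "__main__":
    hosts, conf = parse_hosts(SAMPLE_HOSTS), parse_resolv(SAMPLE_RESOLV)
    for n in ("nyx", "myspace.com", "example.org"):
        print(n, "->", lookup(n, hosts, conf))
```

The myspace.com line shows why /etc/hosts belongs in a configuration audit: any name listed there is answered locally and never reaches a nameserver, which is convenient for a lab and silent when done by mistake.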

Layer 4 - Transport

  • L2 pushes physical bits across the wire, L3 abstracts bits into packets and frames
  • L4 abstracts packets and frames into ‘connections’
    • TCP: connection-oriented, reliable, in-order transport
    • UDP: connectionless, unreliable, not in-order transport
  • Specify which type of connection when making a socket with SOCK_STREAM (TCP) or SOCK_DGRAM (UDP)

Transmission Control Protocol

  • stateful, stream oriented, ensures reliable transport
  • mechanisms to guarantee that information arrives intact and in order at the destination
  • 4-way handshake to start, 3-way to stop
  • Reliability properties create overhead associated with TCP
  • Good for usage cases where receiving all data is critical

User Datagram Protocol

  • stateless, connectionless protocol
    • intended for sending messages in datagrams
  • no startup/termination overhead
  • no guarantees about reliable transport, messages may arrive out of order, or not at all
    • sometimes called Unreliable Datagram Protocol
  • many use cases are ok with unreliable transport for low overhead
    • e.g. streaming music and video

Ports and Sockets

  • Port identifies a service endpoint on an L3 address
  • Socket is an internal endpoint for traffic
    • Associated with a socket address (IP address and port number) and a protocol
  • A connection consists of two sockets, one on each host
    • The holy 5-tuple of information: (protocol, src_ip, src_port, dst_ip, dst_port)

/proc/net

  • Network information available here as virtual files
    • netstat and other tools usually provide a cleaner interface to these
  • /proc/net/dev
    • Contains information on network devices and statistics like number of bytes received and transmitted
  • /proc/net/[tcp|udp|raw]
    • Contains information and statistics on open system sockets
    • Used by ss, netstat, etc.
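
The 5-tuple from the Ports and Sockets slide is exactly what /proc/net/tcp stores, only hex-encoded, and decoding it is the core of what ss and netstat do. This added example (written for this page, not the tools' own code) parses a constructed /proc/net/tcp snapshot into 5-tuples with state, uid and inode, and lists the LISTEN sockets the way ss -tln would. The sample rows are made up; the hex layout (a host-order 32-bit address, so byte-reversed on little-endian machines, then a hex port) and the state codes are the kernel's.

```python
"""Added example: decode /proc/net/tcp into 5-tuples (constructed sample)."""
import socket
import struct

# Constructed sample in the kernel's /proc/net/tcp layout.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 12346 1 0000000000000000 100 0 0 10 0
   2: 17E2E5A9:D3A4 5E5D1E8A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the address
    as a native-order 32-bit hex value, so on little-endian hosts (x86) the
    bytes read reversed; '<I' assumes the snapshot came from such a host."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text, protocol="tcp"):
    """One dict per socket row; header and malformed rows are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):   # rows start with 'N:'
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        conns.append({
            "protocol": protocol, "state": TCP_STATES.get(f[3], f[3]),
            "src_ip": lip, "src_port": lport, "dst_ip": rip, "dst_port": rport,
            "uid": int(f[7]), "inode": int(f[9]),
        })
    return conns


def five_tuple(conn):
    """The slide's (protocol, src_ip, src_port, dst_ip, dst_port)."""
    return (conn["protocol"], conn["src_ip"], conn["src_port"],
            conn["dst_ip"], conn["dst_port"])


def listening(conns):
    """What 'ss -tln' shows: bound address, port and owning uid of each
    LISTEN socket. 0.0.0.0 means bound on every address, worth auditing."""
    return [(c["src_ip"], c["src_port"], c["uid"])
            for c in conns if c["state"] == "LISTEN"]


if __name__ == "__main__":
    for c in parse_proc_net_tcp(SAMPLE_TCP):
        print(c["state"].ljust(12), five_tuple(c))
```

The inode column is how ss -p maps a socket back to a process: it matches the target of a /proc/<pid>/fd/* symlink of the form socket:[12345].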

/proc/sys/net

  • File interface to internal kernel network configuration
  • Edit files:
    • echo [args] > /proc/sys/net/ipv4/ip_forward
    • sysctl -p <conf_file>
    • sysctl -w variable=value
  • Subdirectories that can vary from system to system
    • /proc/sys/net/core/
    • /proc/sys/net/ipv4/
  • /etc/sysctl.conf to preserve changes
    • net.ipv6.conf.all.disable_ipv6=1

/proc/sys/net/core

  • message_burst and message_cost
    • Limits number of warning messages written to kernel log
    • message_burst = 10, message_cost = 5 => 10 messages every 5 seconds
    • Ideally strike a balance between granular logging and performance/storage
  • netdev_max_backlog
    • max number of packets allowed to queue on a particular interface
  • rmem_default and rmem_max
    • Receive socket buffer default and maximum size, respectively
  • wmem_default and wmem_max
    • Send socket buffer default and maximum size, respectively
  • Adjusting queues/buffers is a matter of flow control vs paging
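
The message_burst / message_cost rule above is a fixed-window limiter: within any message_cost-second window at most message_burst messages are logged, and when the window has elapsed the counter restarts and the number of dropped messages is reported. This added example (an illustration written for this page, not the kernel's code) models that behaviour with simulated timestamps so it runs offline; the defaults 10 and 5 are the slide's.

```python
"""Added example: fixed-window limiter modelling message_burst/message_cost."""


class KernelLogRateLimit:
    """Allow up to `message_burst` messages per `message_cost` seconds."""

    def __init__(self, message_burst=10, message_cost=5):
        self.burst = message_burst
        self.interval = message_cost      # seconds
        self.window_start = None
        self.printed = 0                  # messages logged in this window
        self.missed = 0                   # messages suppressed in this window
        self.reports = []                 # "N callbacks suppressed" notices

    def allow(self, now):
        """Return True if a message arriving at time `now` may be logged."""
        if self.window_start is None or now - self.window_start >= self.interval:
            if self.missed:
                self.reports.append("%d callbacks suppressed" % self.missed)
            self.window_start = now
            self.printed = 0
            self.missed = 0
        if self.printed < self.burst:
            self.printed += 1
            return True
        self.missed += 1
        return False


def simulate(limiter, timestamps):
    """Feed message times (seconds) through the limiter; return
    (logged, suppressed) counts."""
    logged = sum(1 for t in timestamps if limiter.allow(t))
    return logged, len(timestamps) - logged


if __name__ == "__main__":
    burst_of_30 = [i * 0.1 for i in range(30)]        # 30 messages in 3 s
    print(simulate(KernelLogRateLimit(), burst_of_30))
```

Raising message_burst gives you more detail during a flood at the cost of log volume; raising message_cost stretches the window and suppresses more, which is the granularity-versus-storage balance the slide mentions.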

/proc/sys/net/ipv4

  • icmp_echo_ignore_all
    • Allows kernel to ignore ICMP ECHO packets from every host or only those originating from broadcast and multicast addresses
  • ip_forward
    • Permits interfaces on the system to forward packets
  • ip_default_ttl
    • Sets default TTL for outbound packets
  • ip_local_port_range
    • Specifies range of ports to be used by TCP or UDP when a local port is needed, e.g. ephemeral ports for outgoing connections

/proc/sys/net/ipv4

  • tcp_syn_retries
    • Limits the number of times the system re-transmits a SYN packet when attempting to make a connection
  • tcp_retries1
    • Limit on number of re-transmissions for attempting to establish a connection
  • tcp_retries2
    • Limit on number of re-transmissions of TCP packets
  • https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
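
The /proc/sys/net slides describe three ways to set the same knob (echo into the file, sysctl -w, sysctl.conf) and the ipv4 slides list the parameters most worth checking. This added example (written for this page, not part of the deck) ties them together: it converts sysctl keys to /proc/sys paths, parses sysctl.conf syntax into a baseline, and audits a snapshot of current values against it, printing the sysctl -w lines that would restore the baseline. The baseline values and the "current" snapshot are constructed; on a real host the read_proc_sys helper would supply the snapshot, but the checks here use the dict so the example runs offline.

```python
"""Added example: sysctl.conf parsing and a /proc/sys/net drift audit."""


def key_to_path(key):
    """net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward"""
    return "/proc/sys/" + key.strip().replace(".", "/")


def path_to_key(path):
    return path[len("/proc/sys/"):].replace("/", ".")


def parse_sysctl_conf(text):
    """sysctl.conf syntax: 'key = value', '#' or ';' comments, blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip()
    return settings


def read_proc_sys(key):
    """Live read for a real host (not used by the offline audit below)."""
    with open(key_to_path(key)) as f:
        return f.read().strip()


# Constructed baseline for a host that is not a router; example values only.
BASELINE = parse_sysctl_conf("""
# constructed baseline for this example
net.ipv4.ip_forward = 0
net.ipv4.ip_default_ttl = 64
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_local_port_range = 32768 60999
net.ipv6.conf.all.disable_ipv6 = 1
""")

# Constructed snapshot standing in for reads of /proc/sys.
CURRENT = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.ip_default_ttl": "64",
    "net.ipv4.icmp_echo_ignore_all": "0",
    "net.ipv4.ip_local_port_range": "32768\t60999",   # /proc uses a tab here
    "net.ipv6.conf.all.disable_ipv6": "0",
}


def normalize(value):
    """Collapse the tab/space differences between sysctl.conf and /proc."""
    return " ".join(value.split())


def audit(baseline, current):
    """{key: (expected, actual)} for every value that drifted or is missing."""
    drift = {}
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None or normalize(actual) != normalize(expected):
            drift[key] = (normalize(expected),
                          None if actual is None else normalize(actual))
    return drift


def remediation_commands(drift):
    """The sysctl -w lines that would bring the host back to baseline."""
    return ['sysctl -w %s="%s"' % (k, exp) for k, (exp, _) in sorted(drift.items())]


if __name__ == "__main__":
    for key, (exp, act) in audit(BASELINE, CURRENT).items():
        print("%s: expected %s, found %s (%s)" % (key, exp, act, key_to_path(key)))
    print("\n".join(remediation_commands(audit(BASELINE, CURRENT))))
```

Writing with sysctl -w changes only the running kernel; the same key=value line has to land in /etc/sysctl.conf (or a file under /etc/sysctl.d/) for the setting to survive a reboot, which is why the audit compares against that file's syntax.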

Common Tools

  • host(name) - get DNS info (simple)
  • ping - see connectivity/latency info
  • traceroute / mtr - see network path to dest.
  • arp - view L2/L3 address table
  • dig / drill - get more detailed DNS info
  • ip - base of iproute2, complete management of networking subsystems in Linux
  • netstat / ss - inspect active sockets on system
  • nc - netcat, simple TCP/UDP client/server
  • curl / wget - versatile L7 network interaction
  • iptables - stateful firewall and packet inspection, routing, forwarding (pretty complicated)
  • ufw - easier-to-use wrapper around iptables
  • tcpdump - literally dump all packets on an interface

ping

RTT = Round Trip Time

traceroute

Print the route that a packet takes to the destination

Details of the number of routers, i.e. 'hops', in the packet path.

How many router hops away is death from supernova? Hint: They are both on the same network (OCF)

Answer: 0

mtr

combination of ping and traceroute, live, very useful for testing

iproute2

demo:

  • ss -tulpn
    • socket statistics - tcp,udp,listening,process,numeric
  • tcpdump -i eno1
    • dump all TCP traffic on eno1
  • nc addr 1234 | nc -l 1234
    • connect over TCP to port 1234 to a server listening on 1234/tcp

Iptables

Questions?

  • Lab and checkoff form TBA
  • Basics for a head start and reference