ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
Leftovers: MPLS, Multicast, Gateways and Firewalls, VPNs
Jean-Yves Le Boudec
Fall 2009
Part 1: Firewalls
The TCP/IP architecture separates hosts and routers: the network does packet transportation only. Private networks may want more protection ("access control"); one component of it is a firewall.
Definition: a firewall is a system that separates the Internet from an intranet:
- all traffic must go through the firewall
- only authorized traffic may go through
- the firewall itself cannot be penetrated
Components of a firewall: filtering router; application or transport gateway.
Filtering Routers
A router sees all packets and may do more than packet forwarding as defined by IP: filtering rules based on port numbers, protocol type, control bits in the TCP header (SYN packets).
Example (filtering router between the Internet and the intranet):

rule  prot  srce addr      dest addr   srce port  dest port  action
1     tcp   *              198.87.9.2  >1023      23         permit
2     tcp   *              198.87.9.3  >1023      25         permit
3     tcp   129.132.100.7  198.87.9.2  >1023      119        permit
4     *     *              *           *          *          deny
The example shows 4 rules applied to the ports shown:
- rule 1 allows telnet connections from the outside to the machine 198.87.9.2
- rule 2 allows email to be sent to machine 198.87.9.3
- rule 3 allows news to be sent to machine 198.87.9.2, but only from machine 129.132.100.7
- rule 4 forbids all other packets.
Designing the set of rules employed in a firewall is a complex task; the set shown on the picture is much simpler than a real configuration. Packet filtering alone offers little protection because it is difficult to design a safe set of rules and at the same time offer full service to the intranet users.
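As an added illustration (not part of the lecture notes), the following Python code evaluates the four rules of the table with first-match semantics against constructed packets. The packet representation, the `pkt` helper and the interpretation of `>1023` as "any port above 1023" are assumptions of this example.

```python
"""Added example (not from the lecture notes): a first-match packet filter
that evaluates the four rules of the slide against constructed packets.
Rule fields are (prot, src addr, dst addr, src port, dst port, action);
'*' is a wildcard and '>1023' matches any port above 1023."""

import ipaddress

# the slide's rule table, in evaluation order
RULES = [
    ("tcp", "*", "198.87.9.2", ">1023", "23", "permit"),               # telnet to .2
    ("tcp", "*", "198.87.9.3", ">1023", "25", "permit"),               # mail to .3
    ("tcp", "129.132.100.7", "198.87.9.2", ">1023", "119", "permit"),  # news, one source only
    ("*", "*", "*", "*", "*", "deny"),                                 # default deny
]

def pkt(prot, src, dst, sport, dport):
    """Constructed packet summary: only the fields a filtering router looks at."""
    return {"prot": prot, "src": src, "dst": dst, "sport": sport, "dport": dport}

def _match_addr(pattern, addr):
    if pattern == "*":
        return True
    # a rule may name a single host or a CIDR prefix
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _match_port(pattern, port):
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    if pattern.startswith("<"):
        return port < int(pattern[1:])
    return port == int(pattern)

def filter_packet(packet, rules=RULES):
    """Return (action, rule number) of the first matching rule.
    With no catch-all rule configured the filter fails closed."""
    for n, (prot, src, dst, sport, dport, action) in enumerate(rules, start=1):
        if prot != "*" and prot != packet["prot"]:
            continue
        if not (_match_addr(src, packet["src"]) and _match_addr(dst, packet["dst"])):
            continue
        if not (_match_port(sport, packet["sport"]) and _match_port(dport, packet["dport"])):
            continue
        return action, n
    return "deny", None

if __name__ == "__main__":
    for p in (pkt("tcp", "1.2.3.4", "198.87.9.2", 40000, 23),
              pkt("tcp", "1.2.3.4", "198.87.9.2", 40000, 119),
              pkt("tcp", "129.132.100.7", "198.87.9.2", 40000, 119)):
        print(p, "->", filter_packet(p))
```

Note that the filter is stateless: it decides on each packet in isolation, which is why a news packet from 129.132.100.7 passes while the same packet from any other host hits rule 4, and why a connection attempt using a privileged source port (1023 or below) is also rejected by rule 4.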
Application Layer Gateways
An application layer gateway is a layer 7 intermediate system: normally not used according to the TCP/IP architecture, but mainly used for access control; also used for interworking issues.
Principle: the proxy principle: viewed by the client as a server and by the server as a client; supports access control restrictions, authentication, encryption, etc.
[Figure: HTTP gateway between the intranet and the Internet. Host A (HTTP client) sends "1 GET xxx.." over TCP/IP to the gateway (HTTP server, gateway logic, HTTP client); the gateway sends "2 GET xxx.." to B (HTTP server); "3 data" comes back from B to the gateway and "4 data" from the gateway to A.]
1. The user at A sends an HTTP request. It is not sent to the final destination but to the application layer gateway; this results from the configuration at the client.
2. The gateway checks whether the transaction is authorized. Encryption may be performed. Then the HTTP request is issued again from the gateway to B as though it originated from A.
3. A response comes from B, probably in the form of a MIME header and data. The gateway may also check the data, possibly decrypt it, or reject it.
4. If it accepts to pass it further, it is sent to A as though it were coming from B.
Application layer gateways can be made for all application level protocols. They can be used for access control, but also for interworking, for example between IPv4 and IPv6.
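The following Python code is an added example, not from the lecture notes, of steps 1 and 2 as pure functions: the request A sends to the gateway is parsed, checked against a hypothetical policy (allowed destination hosts and methods), and either rejected or rebuilt as the request the gateway issues to B in its own name. The policy sets, the hop-by-hop header list and all host names are assumptions of the example; no network connection is opened.

```python
"""Added example (not from the lecture notes): access control and re-issue
logic of an HTTP application gateway. The client is configured to send its
request, with an absolute URL, to the gateway instead of to the origin."""

from urllib.parse import urlsplit

# hypothetical policy: origin servers and methods intranet users may reach
ALLOWED_HOSTS = {"www.example.org", "intranet.example.org"}
ALLOWED_METHODS = {"GET", "HEAD"}
# proxy-only and hop-by-hop headers that must not be forwarded to B
HOP_BY_HOP = {"proxy-connection", "proxy-authorization", "connection", "keep-alive"}

def parse_request(raw: bytes):
    """Split an HTTP/1.1 request into method, target, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body

def authorize(method, target):
    """Step 2: decide whether the transaction is allowed; returns (ok, reason)."""
    u = urlsplit(target)
    if u.scheme != "http" or not u.hostname:
        return False, "gateway accepts absolute http URLs only"
    if u.hostname not in ALLOWED_HOSTS:
        return False, "destination %s not permitted" % u.hostname
    if method not in ALLOWED_METHODS:
        return False, "method %s not permitted" % method
    return True, ""

def gateway(raw: bytes):
    """Return ('forward', host, port, request) or ('reject', response)."""
    method, target, version, headers, body = parse_request(raw)
    ok, reason = authorize(method, target)
    if not ok:
        resp = "HTTP/1.1 403 Forbidden\r\nContent-Length: %d\r\n\r\n%s" % (len(reason), reason)
        return "reject", resp.encode()
    u = urlsplit(target)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    # the request re-issued towards B, in origin form, from the gateway's own connection
    out = ["%s %s %s" % (method, path, version), "Host: " + u.hostname]
    for name, value in headers.items():
        if name in HOP_BY_HOP or name == "host":
            continue
        out.append("%s: %s" % (name.title(), value))
    out.append("Connection: close")
    return "forward", u.hostname, u.port or 80, ("\r\n".join(out) + "\r\n\r\n").encode() + body
```

The same structure extends to step 3: the response from B passes through an equivalent check before being returned to A, which is exactly where a gateway can inspect or reject application data that a filtering router never sees.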
Transport Gateway
Similar to application gateways but at the level of TCP connections: independent of application code; requires client software to be aware of the gateway.
[Figure: transport gateway (SOCKS server) between A and B. 1: SYN, SYN ACK, ACK between A and the gateway port 1080. 2: connection relay request to B :80, answered OK. 3: SYN, SYN ACK, ACK between the gateway and B port 80. 4: "GET xxx.." and data relayed between the two connections.]
The transport gateway is a layer 4 intermediate system. The example shows a SOCKS gateway. SOCKS is a standard being defined by the IETF.
1. A opens a TCP connection to the gateway. The destination port is the well known SOCKS server port 1080.
2. A requests from the SOCKS server the opening of a TCP connection to B. A indicates the destination port number (here, 80). The SOCKS server does various checks and accepts or rejects the connection request.
3. The SOCKS server opens a new TCP connection to B, port 80. A is informed that the connection is opened with success.
4. Data between A and B is relayed at the SOCKS server transparently. However, there are two distinct TCP connections with their own, distinct ack and sequence numbers.
Compared to an application layer gateway, the SOCKS server is simpler because it is not involved in application layer data units; after the connection setup phase, it acts on a packet by packet level. Its performance is thus higher. However, it requires the client side to be aware of the gateway: it is not transparent. Netscape and Microsoft browsers support SOCKS gateways.
Typical Firewall Designs
An application or transport gateway alone can be used as a firewall if it is the only border between two networks: intranet, gateway, Internet (firewall = one dual-homed gateway).
A more general design is one or more gateways isolated by filtering routers: intranet, R1, gateways, R2, Internet (firewall = gateways + sacrificial subnet).
Part 2: Connection Oriented Networking: MPLS and ATM
Contents
1. Connection Oriented network layer, ATM
2. MPLS (Multi Protocol Label Switching)
1. Frame Relay, ATM
There exists a family of data networks which is very different from IP: carrier data networks (Frame Relay, ATM, X.25).
- They use the Connection Oriented Network Layer.
- They were designed to be an alternative to IP, and failed in this goal.
- Used today as "super Ethernet" in IP backbones or at interconnection points.
- Being replaced by MPLS.
Connection Oriented Network Layer: Frame Relay, ATM, X.25
[Figure: hosts A, B and C interconnected by switches S1, S2, S3 and S4. Each switch holds a table mapping (input port, conn Id) to (output port, conn Id); the tables shown contain entries such as input 3, conn Id 1 → output 2, conn Id 1; input 1, conn Id 2 → output 3, conn Id 1; input 1, conn Id 1 → output 2, conn Id 1.]
Connection oriented = similar to telephone. Connections are also called virtual circuits. The connection oriented network layer uses connections that are known and controlled in all intermediate systems. Every packet carries a connection identifier which is either global (SNA) or local to a link (X.25, Frame Relay, ATM). The packet forwarding function is simple, based on table lookup. The control method involves connection setup and release (building tables) and connection routing.
Connection oriented networks usually implement some mechanisms to control the amount of data sent on one connection, thus limiting losses due to statistical multiplexing. Methods for that are: sliding window protocol, similar to that of TCP (X.25, SNA), and rate control (Frame Relay, ATM).
Connection oriented networks give better control over individual traffic flows and are thus used in public networks where tariffing is a key issue (X.25, Frame Relay). IBM network architectures are also connection oriented (SNA, APPN).
ATM is a connection oriented network where emphasis is put on supporting both statistical multiplexing and non-statistical multiplexing. ATM packets have a small, fixed size and are called cells.
ATM
ATM is a connection oriented network architecture.
- ATM packets (called cells) are small and of fixed size (48 bytes of data + 5 bytes of header): high performance at low cost, designed for very low delay and for hardware implementation of switching functions.
- The ATM connection identifier is called VPI/VCI (Virtual Path Identifier/Virtual Channel Identifier).
- Frame Relay is the same but with packets of variable size (up to 1500 B payload).
ATM VPI/VCI switching
Switching table of an ATM switch:

in VPI/VCI   out VPI/VCI
1/27         2/44
1/19         16/38

The ATM cell header contains the VPI/VCI; the switch replaces it on every cell it forwards.
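The following Python code is an added example, not from the lecture notes, of the forwarding method described on the two preceding slides: a switch looks up (input port, connection Id) in its table, swaps the link-local identifier, and sends the cell on the output port, with no address in the cell being examined. S1's table uses the VPI/VCI pairs of the slide; the port numbers, the second switch S2 and its table, and the hosts are constructed for the example.

```python
"""Added example (not from the lecture notes): label-swapping forwarding in
a connection-oriented network, using the VPI/VCI values of the ATM slide.
Topology, port numbers and S2's table are constructed for the example."""

class Switch:
    def __init__(self, name):
        self.name = name
        self.table = {}   # (in_port, (vpi, vci)) -> (out_port, (vpi, vci))
        self.links = {}   # out_port -> (neighbour, neighbour's in_port)

    def add_connection(self, in_port, in_label, out_port, out_label):
        """Connection setup installs one table entry per switch on the path."""
        self.table[(in_port, in_label)] = (out_port, out_label)

    def connect(self, out_port, neighbour, neighbour_port):
        self.links[out_port] = (neighbour, neighbour_port)

    def forward(self, in_port, cell, trace):
        """Forwarding is a table lookup on (port, label) only."""
        key = (in_port, cell["label"])
        if key not in self.table:
            # no connection was set up for this label on this link: drop it
            trace.append("%s: no connection for port %d label %s, dropped"
                         % (self.name, in_port, cell["label"]))
            return None
        out_port, out_label = self.table[key]
        trace.append("%s: in %d/%s -> out %d/%s"
                     % (self.name, in_port, cell["label"], out_port, out_label))
        swapped = dict(cell, label=out_label)   # the identifier is local to each link
        neighbour, nport = self.links[out_port]
        return neighbour.forward(nport, swapped, trace)

class Host:
    def __init__(self, name):
        self.name = name

    def forward(self, in_port, cell, trace):
        trace.append("%s: delivered %r on label %s" % (self.name, cell["payload"], cell["label"]))
        return cell

def build_network():
    """A -- S1 -- S2 -- B, with C attached directly to S1 (constructed)."""
    s1, s2 = Switch("S1"), Switch("S2")
    b, c = Host("B"), Host("C")
    # S1's table is the one on the ATM VPI/VCI slide (ports constructed)
    s1.add_connection(1, (1, 27), 2, (2, 44))
    s1.add_connection(1, (1, 19), 16, (16, 38))
    # constructed: S2 swaps 2/44 once more on its way to B
    s2.add_connection(5, (2, 44), 7, (9, 3))
    s1.connect(2, s2, 5)
    s1.connect(16, c, 0)
    s2.connect(7, b, 0)
    return s1

def send(label, payload):
    """Inject one cell from A on S1 port 1; return (delivered cell or None, trace)."""
    trace = []
    delivered = build_network().forward(1, {"label": label, "payload": payload}, trace)
    return delivered, trace

if __name__ == "__main__":
    for label in ((1, 27), (1, 19), (1, 5)):
        print("\n".join(send(label, "cell for " + str(label))[1]))
```

The cell that leaves A with label 1/27 reaches B carrying 9/3: each link has its own identifier space, so the label in the cell says nothing about the destination by itself, and a cell whose label was never set up on a link is simply dropped.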
ATM Adaptation Layer
[Figure: a variable length packet is handled by AAL5 in the ATM adapters at the end points; the ATM switches in between see only cells.]
ATM can transport packets of size up to 64 KB. The ATM Adaptation Layer segments and re-assembles in ATM end points only.
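As an added example (not from the lecture notes), the Python code below performs AAL5 segmentation and reassembly: the packet is padded to a multiple of 48 bytes, an 8-byte trailer carrying the length and a CRC-32 is appended, the result is cut into 48-byte cell payloads, and the last cell is marked in the PTI field of the 5-byte cell header. The receiver stops at the marked cell and checks the length and CRC, so a lost or corrupted cell is detected. The VPI/VCI values are constructed; `zlib.crc32` stands in for the AAL5 CRC-32 (same generator polynomial; bit-ordering details of the real trailer are not reproduced).

```python
"""Added example (not from the lecture notes): AAL5 segmentation and
reassembly with a 5-byte ATM cell header (GFC, VPI, VCI, PTI, CLP, HEC)."""

import struct
import zlib

CELL_PAYLOAD = 48
MAX_SDU = 65535   # the AAL5 trailer length field is 16 bits

def _hec(h4: bytes) -> int:
    """Header error control: CRC-8 (x^8 + x^2 + x + 1) over the first 4 header bytes, XOR 0x55."""
    crc = 0
    for byte in h4:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0x55

def cell_header(vpi: int, vci: int, last: bool) -> bytes:
    # GFC(4) VPI(8) VCI(16) PTI(3) CLP(1) HEC(8); PTI bit 0 is the AAL "last cell" indication
    pti = 0b001 if last else 0b000
    h4 = struct.pack("!I", (vpi << 20) | (vci << 4) | (pti << 1))
    return h4 + bytes([_hec(h4)])

def parse_header(h: bytes):
    """Return (vpi, vci, last); reject a header whose HEC does not verify."""
    if _hec(h[:4]) != h[4]:
        raise ValueError("header HEC mismatch")
    word = struct.unpack("!I", h[:4])[0]
    return (word >> 20) & 0xFF, (word >> 4) & 0xFFFF, bool((word >> 1) & 1)

def segment(sdu: bytes, vpi: int, vci: int) -> list:
    """Sender side: SDU -> list of 53-byte cells."""
    if len(sdu) > MAX_SDU:
        raise ValueError("AAL5 SDU too long")
    pad = (-(len(sdu) + 8)) % CELL_PAYLOAD          # pad so that SDU + trailer fills whole cells
    body = sdu + bytes(pad) + struct.pack("!BBH", 0, 0, len(sdu))   # UU, CPI, length
    pdu = body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)   # CRC-32 over everything before it
    chunks = [pdu[i:i + CELL_PAYLOAD] for i in range(0, len(pdu), CELL_PAYLOAD)]
    return [cell_header(vpi, vci, i == len(chunks) - 1) + c for i, c in enumerate(chunks)]

def reassemble(cells: list) -> bytes:
    """Receiver side: collect payloads up to the marked cell, verify, strip trailer and pad."""
    buf = bytearray()
    circuit = None
    for cell in cells:
        vpi, vci, last = parse_header(cell[:5])
        if circuit is None:
            circuit = (vpi, vci)
        elif circuit != (vpi, vci):
            raise ValueError("cells from different connections interleaved")
        buf += cell[5:]
        if last:
            break
    else:
        raise ValueError("last cell missing: incomplete PDU")
    crc = struct.unpack("!I", buf[-4:])[0]
    if zlib.crc32(bytes(buf[:-4])) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch: cell lost or corrupted")
    _uu, _cpi, length = struct.unpack("!BBH", buf[-8:-4])
    if length > len(buf) - 8:
        raise ValueError("length field inconsistent with received cells")
    return bytes(buf[:length])

if __name__ == "__main__":
    cells = segment(b"variable length packet of 100 bytes " * 3, vpi=1, vci=27)
    print(len(cells), "cells;", len(reassemble(cells)), "bytes reassembled")
```

Because the length and CRC live in the trailer and the last cell is the only one flagged, the receiver can detect a missing cell only once the marked cell arrives; the whole packet is then discarded, which is why cell loss in an ATM backbone translates into packet loss for the IP layer above it.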
IP over ATM: Classical IP
Classical IP uses ATM as a fast Ethernet.
[Figure: hosts H1 and H2 and routers connected through an ATM network with an ARP server S (address resolution). 1. Address Resolution: ATMARP finds the ATM address; InARP identifies the IP address at the other end of a VPI/VCI. 2. VCC between H1 and H2.]
An ATM address is like a telephone number, similar to an IPv6 address; it is not a VPI/VCI.
An ATMARP server is used:
- H1 connects to S at boot time, by calling the ATM address of the ATMARP server
- with InARP, S and H1 identify their IP addresses
- when H1 has to send an IP packet to H2, it must find the ATM address of H2. H1 sends an ATMARP request to S. S responds with the ATM address of H2. H1 calls H2. When an ATM connection is established, InARP is used to confirm the IP addresses.
Why ATM?
Simplifies routing in large networks:
- IP needs very large routing tables in the core network: for every packet, look up more than 100 000 entries
- forwarding from the ISP point of view: just find the egress router
- IP routing may ignore the real physical topology
- an ISP can put a router on the edge and use ATM/Frame Relay Virtual Path switches in the middle; the edge router selects the path based on the destination address; route look up is done only once in the ISP network
- but still scalability problems
Quality of Service: ATM can natively provide guaranteed service (allocate different rates to different ATM connections).
Used to share infrastructure (several operators on one network: virtual providers). Also used to multiplex many users on an access network (cable, wireless).