slides15 Flashcards
what does it mean that a packet contains IP addresses that, say, will be used to set up new connections?
I have no fucking clue
when do problems arise for NAT?
when a packet contains IP addresses that, say, will be used to set up new connections
Simple Service Discovery Protocol
The Simple Service Discovery Protocol (SSDP) is a network protocol based on the Internet Protocol Suite for advertisement and discovery of network services and presence information. It accomplishes this without assistance of server-based configuration mechanisms, such as DHCP or DNS, and without special static configuration of a network host. SSDP is the basis of the discovery protocol of Universal Plug and Play (UPnP) and is intended for use in residential or small office environments.
used for DDoS attacks
Universal Plug and Play
Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.
SSDP vulnerability
In 2014 it was discovered that SSDP was being used in DDoS attacks known as an SSDP reflection attack with amplification. Many devices, including some residential routers, have a vulnerability in the UPnP software that allows an attacker to get replies from port number 1900 to a destination address of their choice. With a botnet of thousands of devices the attackers can generate sufficient packet rates and occupy bandwidth to saturate links, causing the denial of service.[7] [8] [9]
Carrier grade NAT
NAT done in the ISP rather than by the end-user
wtf is 100.64.0.0/10
Private network: shared address space[3] for communications between a service provider and its subscribers when using a carrier-grade NAT.
FTP
The File Transfer Protocol (FTP) is a standard network protocol used for the transfer of computer files between a client and server on a computer network.
FTP is built on a client-server model architecture using separate control and data connections between the client and the server.[1] FTP users may authenticate themselves with a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. For secure transmission that protects the username and password, and encrypts the content, FTP is often secured with SSL/TLS (FTPS) or replaced with SSH File Transfer Protocol (SFTP).
nat problems
• Complexity in the gateway software
• Scalability problems in the gateway tracking large numbers of connections
• Bad interactions with some protocols
• Difficulty of making end-to-end connections when both ends are behind a NAT gateway (e.g., Skype, SIP)
• Loss of “an IP address identifies a host uniquely” (a problem for law enforcement)
port forwarding
In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway (external network), by remapping the destination IP address and port number of the communication to an internal host.[1][2]
STUN
It provides a tool for hosts to discover the presence of a network address translator, and to discover the mapped, usually public, Internet Protocol (IP) address and port number that the NAT has allocated for the application’s User Datagram Protocol (UDP) flows to remote hosts. The protocol requires assistance from a third-party network server (STUN server)
for video/messaging/interactive applications
IPv5
meant for streaming
With the development of IPv6 happening and its promise of nearly unlimited IP addresses and a kind of fresh start for the protocol, IPv5 itself was never transitioned to public use in large part because of its 32-bit limitations.
IPv1, 2, & 3
IPv1, 2, & 3 would be part of the TCP/IP protocols, of which there were 3 versions before the IP protocol was split off from it. IPv4 is actually the first version of the IP protocol. IPv5 is an experimental TCP/IP protocol called the Internet Stream Protocol that never really went anywhere because increases in bandwidth made streaming over IPv4 feasible. So IPv5 was never finalized and they skipped to IPv6.
aim of IPv6
- have a larger address space
- reduce the size of router tables
- simplify the protocol so routers can process packets faster
- provide security and authentication
- pay proper attention to type of service (DS)
- have better multicasting support
- have mobile hosts with fixed IP addresses
- allow room for evolution of the protocol
- permit IPv4 and IPv6 to coexist during the transition
IPv6 Version
4 bits. The number 6. This is identical in position to IPv4 and can be used to distinguish packets in mixed-version environments. In an Ethernet frame, IPv4 has EtherType 0x0800, while IPv6 is 0x86DD, but remember you might be using a different physical layer that does not give the type of its data
IPv6 Traffic class
8 bits. Like TOS (DS) in v4
IPv6 Flow label
20 bits. Allows routers to recognise packets in a single flow and treat them identically. In essence a virtual circuit identifier
IPv6 Payload length
16 bits. The number of bytes following the fixed 40 byte header. Unlike v4, does not include the header in the count
IPv6 Next header
8 bits. Like the protocol field in v4, but also allows for v6 optional header fields, if any
IPv6 Hop limit
8 bits. The TTL field, renamed to make it clear how it is actually used
IPv6 Source and destination addresses
Four times as long as v4 addresses
2^128 ≈ 3 × 10^38 addresses, enough for an address for every molecule on the surface of the Earth
what does fe80::21c:c0ff:fea3:99f4 translate to bitwise
:: stands for one or more consecutive groups of zeros (and each group is padded to 4 hex digits)
i.e.
fe80:0000:0000:0000:021c:c0ff:fea3:99f4
i.e.
1111111010000000 0000000000000000 0000000000000000 0000000000000000 0000001000011100 1100000011111111 1111111010100011 1001100111110100
why is IPv6 quicker for routers
no fragmentation, routers are happy, but host is required to do path MTU discovery
why has IPv6 got flow
Packets with the same flow label can be treated identically and so sent on faster by a router
other differences with IPv4
No header length field: the header is always 40 bytes
No checksum field: there are checksums in other layers and networks are reasonably reliable. The protocol designers thought that yet another checksum would not be helpful here
Also we don’t have to recompute a checksum in every router as the TTL decreases. Again, faster
v4 has 13 fixed fields; v6 has 8; much simpler for a router to process
v6 addresses are 4 times the length, but the header is only twice as long
IPv6 fragmentation
Intermediate devices, such as routers and firewalls, cannot fragment a packet, but the source node can fragment packets. As such, end nodes and intermediate nodes must know how to properly handle fragmented packets.
There are two primary concerns when a packet is fragmented in IPv6. First, fragmentation requires the use of the fragmentation extension header. Second, like IPv4, only one fragment will contain the layer 4 header. The remaining fragments of the packet will not contain the layer 4 header
how do we switch from 4 to 6
we don’t. By design, the two protocols can run side-by-side on the same networks
what is DNS64
DNS64 describes a DNS server that when asked for a domain’s AAAA records, but only finds A records, synthesizes the AAAA records from the A records. The first part of the synthesized IPv6 address points to an IPv6/IPv4 translator and the second part embeds the IPv4 address from the A record. The translator in question is usually a NAT64 server.
what is NAT64
NAT64 is a mechanism to allow IPv6 hosts to communicate with IPv4 servers. The NAT64 server is the endpoint for at least one IPv4 address and an IPv6 network segment of 32-bits, e.g., 64:ff9b::/96 (RFC 6052, RFC 6146). The IPv6 client embeds the IPv4 address with which it wishes to communicate using these bits, and sends its packets to the resulting address. The NAT64 server then creates a NAT-mapping between the IPv6 and the IPv4 address, allowing them to communicate.[10]
IPv4 mapped addresses, HOW
These addresses hold an embedded global IPv4 address. They are used to represent the addresses of IPv4 nodes as IPv6 addresses to applications that are enabled for IPv6 and are using AF_INET6 sockets. This allows IPv6-enabled applications to always deal with IP addresses in IPv6 format regardless of whether the TCP/IP communications are occurring over IPv4 or IPv6 networks. The dual-mode TCP/IP stack performs the transformation of the IPv4-mapped addresses to and from native IPv4 format. IPv4-mapped addresses have the following format:
First 80 bits are all 0; next 16 bits are FFFF; last 32 bits are the IPv4 address.
For example:
::FFFF:129.144.52.38
464XLAT
464XLAT (RFC 6877) allows clients on IPv6-only networks to access IPv4-only Internet services, such as Skype.[12][13]
The client uses a SIIT translator (see above) to convert IPv4 packets (e.g. Skype client software) into IPv6 to send (over an IPv6-only network) to a NAT64 translator (see above) which translates them back into IPv4 to send (over an IPv4-capable network) to an IPv4-only server (e.g. Skype server). The SIIT translator (CLAT) may be implemented on the client itself (as special software) or an intermediate IPv4-capable LAN (but if it had IPv4 Internet connectivity, 464XLAT would not be needed), and the NAT64 translator (PLAT) must be able to reach both the server and the client (through the CLAT). The use of NAT64 limits connections to a client-server model using UDP, TCP, and ICMP.