Tunneling

Question 1

What is tunneling?

Answer 1

Tunneling is encapsulating one datagram in another.
The outer packet is used for routing/switching in the underlay network, the inner packet is used in the overlay network.
Can be used at any layer

ich bin hexmex hexmeister (hexxor)

Question 2

Name adv/disadv of tunneling

Answer 2

+ build overlay struct
+ deal with heterogeneous protocols
+ protect traffic
+ isolate customers

• more oferhead
• config effort
• much room for missconfig

Question 3

What performance & security issues arise from tunneling?

Answer 3

Perf: - processing overhead
- smaller mtu -> possible fragmentation

Sec: - correct config & setup not trivial

• inner & outer headers require verification
• circuumvent security policies (firewalls)

Question 4

What is a VPN

Answer 4

Tunneling protocol, usually encrypted -> secure connections between nodes

Question 5

What is a vlan?

Answer 5

Virtual lan
Incorporated inside eth header
Tunnel endpoints are managed switches
Overlay over phy network

Question 6

What are tpid, pcp, dei and vid (vlan header)

Answer 6

Tpid: indication that its a vlan packet
Pcp: priority code point: priorization
Dei: drop eligible indicator: can frame be dropped in case of congestion?
Vid: vlan id 1-4094

Question 7

What are access and trunk ports?

Answer 7

Access port: tx/rx not tagged, all network connections are logically in one vlan

Trunk ports: can tx/rx traffic from mult vlans
Tagged frames are forwarded unchanged
Untagged frames are tagged using native vlan
Switch-to-switch link
Use with vlan aware hosts

Question 8

What is q-in-q?

Answer 8

Stacked vlans - 2 headers

Use case: provider (aws)
Lower vlan: provide
Upper vlan: customer

Question 9

What is the difference in consumer vs enterprise vlan switches?

Answer 9

Consumer: vlan for wan and one for lan, cpu only for wan

Enterprise: dedicated hw for routing and cpu for special cases

Question 10

What is vxlan and what does it do?

Answer 10

Very large scale q-in-q.

Encapsulates into udp packets + vxlan header

Question 11

What are the benefits of vxlan?

Answer 11

Layer 3: cna be used in lan and internet (multiplexing in layer 4)
Can use l3 routing protocols
Better multipath support

Question 12

What is ipsec

Answer 12

It is a secure implementation of ip

Question 13

What modes does ipsec offer?

Answer 13

Tunnel mode: subnet to subnet (via secure gateways)

Transport mode: host to host

Question 14

What are the 2 phases of ipsec?

Answer 14

Handshake: establish SAs (security association) IKEv2

Data transfer: uses SAs to enc/sign - Encapsulated security Payload and Authentication Header

Question 15

What are SPs?

Answer 15

Security policies which configure security associations

Can be: protect, bypass or discard
SAs are identified by security parameter indices

Question 16

What does the SP database contain?

Answer 16

For each entry:
Discard, bypass or protect
Direction
Selector (ip, next layer proto,packet flag)
Name fqdn
Ipsec mode
Ipsec proto

Question 17

What does the SA db contain?

Answer 17

Security parameter index
64 bit sequence 
Anti replay window
Algorithm keys, IVs
Lifetime 
Ipsec mode

Question 18

Name 4 traffic selectors and 6 sa protocols

Answer 18

Ts: ip version, ip proto, port range or icmp code/type, ip addr range

Sa proto: ike/esp/ah
Spi, size
Enc algo
Integrety protect algo
Dh group, rand family

Question 19

Explain the 5 security protocols and modes

Answer 19

Plain ip: ip - tcp - l7
Esp tunnel: ip - esp - ip - tcp - l7 - esp. (2x ip)
Esp transport: ip - esp - tcp - l7 - esp
Ah tunnel: ip - ah - ip - tcp - l7
Ah ttansport: ip - ah - tcp - l7

Question 20

Name protocols for these usecases:

• l2 nw administration
• connect remote workers to company lan
• evade firewalls

Answer 20

L2: vlan, vxlan
Remote worker: ipsec, ssl based vpn
Firewalls: ip-over-(http, dns, icmp)

Question 21

Look and learn the figure

Answer 21

in apple photos