Tunneling Flashcards
What is tunneling?
Tunneling is encapsulating one datagram in another.
The outer packet is used for routing/switching in the underlay network, the inner packet is used in the overlay network.
Can be used at any layer
Name adv/disadv of tunneling
+ build overlay struct
+ deal with heterogeneous protocols
+ protect traffic
+ isolate customers
- more overhead
- config effort
- much room for misconfig
What performance & security issues arise from tunneling?
Perf: - processing overhead
- smaller mtu -> possible fragmentation
Sec: - correct config & setup not trivial
- inner & outer headers require verification
- circumvent security policies (firewalls)
What is a VPN
Tunneling protocol, usually encrypted -> secure connections between nodes
What is a vlan?
Virtual lan
Incorporated inside eth header
Tunnel endpoints are managed switches
Overlay over phy network
What are tpid, pcp, dei and vid (vlan header)?
Tpid: indication that it's a vlan packet
Pcp: priority code point: prioritization
Dei: drop eligible indicator: can frame be dropped in case of congestion?
Vid: vlan id 1-4094
What are access and trunk ports?
Access port: tx/rx not tagged, all network connections are logically in one vlan
Trunk ports: can tx/rx traffic from multiple vlans
Tagged frames are forwarded unchanged
Untagged frames are tagged using native vlan
Switch-to-switch link
Use with vlan aware hosts
What is q-in-q?
Stacked vlans - 2 headers
Use case: provider (aws)
Lower vlan: provider
Upper vlan: customer
What is the difference in consumer vs enterprise vlan switches?
Consumer: vlan for wan and one for lan, cpu only for wan
Enterprise: dedicated hw for routing and cpu for special cases
What is vxlan and what does it do?
Very large scale q-in-q.
Encapsulates into udp packets + vxlan header
What are the benefits of vxlan?
Layer 3: can be used in lan and internet (multiplexing in layer 4)
Can use l3 routing protocols
Better multipath support
What is ipsec
It is a secure implementation of ip
What modes does ipsec offer?
Tunnel mode: subnet to subnet (via secure gateways)
Transport mode: host to host
What are the 2 phases of ipsec?
Handshake: establish SAs (security associations) via IKEv2
Data transfer: uses SAs to encrypt/sign - Encapsulating Security Payload (ESP) and Authentication Header (AH)
What are SPs?
Security policies which configure security associations
Can be: protect, bypass or discard
SAs are identified by security parameter indices
What does the SP database contain?
For each entry:
- Discard, bypass or protect
- Direction
- Selector (ip, next layer proto, packet flag)
- Name (fqdn)
- Ipsec mode
- Ipsec proto
What does the SA db contain?
- Security parameter index
- 64 bit sequence
- Anti replay window
- Algorithm keys, IVs
- Lifetime
- Ipsec mode
Name 4 traffic selectors and 6 sa protocols
Ts: ip version, ip proto, port range or icmp code/type, ip addr range
Sa proto: ike/esp/ah
- Spi, size
- Enc algo
- Integrity protect algo
- Dh group, rand family
Explain the 5 security protocols and modes
Plain ip: ip - tcp - l7
Esp tunnel: ip - esp - ip - tcp - l7 - esp (2x ip)
Esp transport: ip - esp - tcp - l7 - esp
Ah tunnel: ip - ah - ip - tcp - l7
Ah transport: ip - ah - tcp - l7
Name protocols for these usecases:
- l2 nw administration
- connect remote workers to company lan
- evade firewalls
L2: vlan, vxlan
Remote worker: ipsec, ssl based vpn
Firewalls: ip-over-(http, dns, icmp)
Look at and learn the figure in Apple Photos