
Networking 102

UNIX SysAdmin DeCal Spring 2018


Tony Situ
Overview
● Models of Networks
● Addressing
● Configuration Files
● Network protocols
● Sysadmin Tools
OSI Model
● Conceptual Model of Networking Systems
● Concept of Layers of Abstraction
○ Same level layers communicate with one another
○ A layer serves the one above it and
is served by the one below it
● A grain of salt: this is a MODEL
○ Conceptual doesn’t equate to reality
○ There are many networking models
■ (TCP/IP)
● Packet Path
○ Sending : “top down” i.e. high to low
○ Receiving: “bottom up” i.e. low to high
Layers Overview
1. Application Layer (L7)
a. Application Layer specifies protocols between hosts
b. HTTP, SSH, FTP
2. Presentation Layer (L6) and Session Layer (L5)
a. Not as important ...
3. Transport Layer (L4)
a. Provide host-to-host communication for services running on a machine
b. TCP (connection-oriented) and UDP (connection-less) are examples
c. L4 can provide reliable transport
i. packet loss generates notifications, will ensure all data arrives
ii. TCP provides reliable transport; UDP doesn’t
Layers Overview Continued
1. Network Layer (L3)
a. Primary protocol: IP (also ICMP, IGMP, etc.)
b. Deals with global packet forwarding and routing through intermediate routers.
c. Delivers data between hosts; no reliability guarantee
2. Data Link Layer (L2)
a. Transfers data between physically-connected nodes in a wide area network (WAN) or
a local area network (LAN).
i. WANs can be geographically separate but LANs are typically physically close
b. MAC addresses
3. Physical Layer (L1)
a. This layer deals with the physical transmission of the data such as passing electrical
signals over a fiber optic cable or radio frequencies for wireless.
Network Interfaces and NICs
● A Network Interface Card is a piece of hardware that
allows your computer to connect to a network
● A network interface is a point of connection between a
computer and a network
● Network interfaces can correspond to physical NICs or
be entirely implemented in software i.e. the loopback
interface
● Configuration is stored in:
/etc/network/interfaces
Interface Configuration and Management
● Configuration stored in /etc/network/interfaces
○ Defines how interfaces should be configured, e.g. address assignment
○ Changes to this file are reloaded via a call to ifupdown
○ man interfaces
● ifupdown
○ ifup and ifdown
■ ifquery
● Words of Caution
○ Conflicts with other tools i.e. ifconfig
○ /run/network/ifstate (contains the ifaces that ifupdown can configure)
/etc/network/interfaces
● auto
○ Brings up this interface
on boot
● 'iface'
○ physical iface name
○ address family
■ inet -> IPv4
■ inet6 -> IPv6
● families have methods
○ static
○ dhcp
■ methods have
options
● Additional configuration
methods like [pre|post]-up
Example output
How many interfaces are there and what are their names?
ip a
2, lo (loopback), eth0 (ethernet)
MAC Addresses
● Media access control (MAC) addresses are
48-bit globally unique identifiers assigned to
network interfaces
● Referred to as the physical address
● Usually written in colon-delimited
hexadecimal octets
● An example MAC address is
00:14:22:01:23:45
● the first 3 octets refer to the Organizationally
Unique Identifier (OUI), e.g. Dell, HP, etc.
● Broadcast MAC
○ ff:ff:ff:ff:ff:ff
Arp
● Address resolution protocol (ARP) is a means of translating IP addresses into
MAC addresses
● Devices maintain their own ARP cache, which stores (IP : MAC) pairings.
● If an IP isn’t in the cache, the device broadcasts an ARP request
○ Since this is broadcast, the message is sent to all hosts on the local network
○ This is essentially a message that asks “who has IP x.x.x.x tell machine A ” and
machine A would attach its MAC and IP address so the owner knows who to
send the message to
● Owner of that IP address responds with an ARP reply
○ Essentially says “B has IP x.x.x.x and this is my MAC/IP”
ARP files
● /proc/net/arp
○ read-only file where kernel dumps arp cache information
○ the arp command issues reads for this file
● /etc/ethers
○ file to persist static arp entries
○ $ arp -f [filename] (default is /etc/ethers)
○ need to execute command - How can we "automate" this configuration step?
■ Hint: maybe we can add this as a tail to another configuration …
Example Output
arp -a

What is the MAC address for 169.229.226.185? 00:0a:f5:8c:8a:44

What two layers does ARP bridge? L2 (MAC) and L3 (IP)
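An added example (not part of the original slides) that audits an ARP cache in the /proc/net/arp layout against pinned entries in the /etc/ethers layout, flagging an IP whose MAC differs from its pinned value and a MAC that answers for several IPs. The sample data is constructed (only 169.229.226.185 and its MAC come from the slide), and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in the layout of /proc/net/arp (header, then one row per entry).
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
169.229.226.185  0x1         0x2         00:0a:f5:8c:8a:44     *        eth0
192.0.2.1        0x1         0x2         02:00:00:aa:bb:01     *        eth0
192.0.2.20       0x1         0x2         02:00:00:aa:bb:01     *        eth0
192.0.2.30       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed sample in the layout of /etc/ethers: "<mac> <ip-or-hostname>".
SAMPLE_ETHERS = """\
# pinned gateway
02:00:00:aa:bb:99 192.0.2.1
00:0a:f5:8c:8a:44 169.229.226.185
"""

def parse_arp(text):
    """Return {ip: mac} for completed entries (flag bit 0x2 set)."""
    cache = {}
    for line in text.splitlines()[1:]:              # skip the header row
        fields = line.split()
        if len(fields) >= 6 and int(fields[2], 16) & 0x2:
            cache[fields[0]] = fields[3].lower()
    return cache

def parse_ethers(text):
    """Return {host: mac} from ethers-style lines, ignoring comments."""
    pinned = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            pinned[parts[1]] = parts[0].lower()
    return pinned

def audit(cache, pinned):
    """List (kind, ip(s), mac) findings worth a closer look."""
    findings = [("pinned-mismatch", ip, mac) for ip, mac in sorted(cache.items())
                if ip in pinned and pinned[ip] != mac]
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:                            # one MAC answering for many IPs
            findings.append(("mac-shared", ",".join(sorted(ips)), mac))
    return findings

for finding in audit(parse_arp(SAMPLE_PROC_NET_ARP), parse_ethers(SAMPLE_ETHERS)):
    print(*finding)
```

A shared MAC is not always hostile (routers and proxy ARP produce it too), so treat it as a lead to check rather than a verdict.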


IP Addresses
● IP addresses identify devices connected to a network under the Internet Protocol.
● Two versions: IPv4 and IPv6
● IPv4 addresses are 32 bits (4 bytes) long and written in CIDR format, delimited by a dot at
every byte.
○ 127.0.0.1
○ 01111111.00000000.00000000.00000001
● We can partition a block of addresses into a “network”
○ 127.0.0.0/8
● Format is <ip_address>/<mask>
○ The mask represents how many bits are in the network address, the remaining bits
identify a host within the network.
○ Combination of IP address and netmask = CIDR format
● Broadcast IP 255.255.255.255
CIDR walkthrough
● We have 12.4.0.1/15
● 12.4.0.0 is the network address (Network Address = IP Address & Mask)
● 15 is the mask

[Figure: the 32-bit address divided into Network Prefix and Host Bits]

● Network Prefix, identifies the network that an IP address is on
● Host Bits, identifies the host within the network
● Is 12.5.4.1 in this network?
○ Yes
● Is 12.6.4.2 in this network?
○ No
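The walkthrough above carried out bit by bit, as an added example that is not part of the original slides. It does the masking by hand rather than with a library so the prefix/host split is visible; the function names are hypothetical.

```python
def ip_to_int(dotted):
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % dotted)
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_for(prefix_len):
    """Build the netmask: prefix_len one-bits followed by zero-bits."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def describe(cidr):
    """Split <ip_address>/<mask> into the pieces named on the slide."""
    addr, prefix_len = cidr.split("/")
    prefix_len = int(prefix_len)
    mask = mask_for(prefix_len)
    ip = ip_to_int(addr)
    network = ip & mask                      # Network Address = IP Address & Mask
    bits = format(ip, "032b")
    return {
        "netmask": int_to_ip(mask),
        "network": int_to_ip(network),
        "last": int_to_ip(network | (~mask & 0xFFFFFFFF)),  # all host bits set
        "prefix_bits": bits[:prefix_len],
        "host_bits": bits[prefix_len:],
    }

def contains(cidr, candidate):
    """True when candidate shares the network prefix of cidr."""
    addr, prefix_len = cidr.split("/")
    mask = mask_for(int(prefix_len))
    return (ip_to_int(candidate) & mask) == (ip_to_int(addr) & mask)

for key, value in describe("12.4.0.1/15").items():
    print(key, value)
for host in ("12.5.4.1", "12.6.4.2"):
    print(host, contains("12.4.0.1/15", host))
```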
DNS
● Domain Name System (DNS) is a means of mapping domain names to IP
addresses
● When you query for a domain name, your computer tries to resolve it into an IP
address
● This usually involves sending out a DNS query to a DNS name server
○ The nameserver breaks down the domain name from right to left and issues
queries that grow in specificity
○ Let's take inst.eecs.berkeley.edu for example
○ nameserver will query the root server to find the nameserver for the
corresponding Top Level Domain (TLD), which is .edu in this case
○ TLD points to another nameserver which would be authoritative over the
next subdomain i.e. berkeley
DNS Records
● DNS servers store data in the form of Resource Records (RR).
● Resource records are essentially a tuple of (name, value, type, TTL)
● A records
○ Maps hostname to IP address
○ name = hostname
○ value = IP address
● NS records
○ Refers query to authoritative nameserver
○ name = domain
○ value = name of dns server for domain
Example Output
dig <domain_name>

What is the domain name being looked up and its corresponding address?

inst.eecs.berkeley.edu at 128.32.42.199
DNS files
● /etc/hosts
○ Simple text file that associates IP addresses with hostnames
○ ip_address canonical_hostname [aliases]
○ 31.13.70.36 www.facebook.com fb ZuccBook myspace.com
○ A common entry that you’re probably familiar with is … Hint: think about loopback
● /etc/resolv.conf
○ Configuration file for system resolver, recall that the resolver communicates with DNS
nameservers
○ One domain or search, 3 nameservers, and any number of options
○ nameserver <ip_address>
○ domain <domain_name> vs search <domain_names>
○ Options (a variety)
■ timeout:<n>
■ attempts:<n>
Files continued
● /etc/nsswitch.conf
○ Determine sources to get service information from and in what order.
○ Used for a variety of services like hostnames, password files, and group files.
○ Information categories are referred to as “databases”
○ <database>: [source action]
■ hosts: dns files
○ ethers (/etc/ethers) and networks (/etc/networks) are also here but are
artifacts of the past
DHCP
● Dynamic Host Configuration Protocol (DHCP) is one way a
device receives an IP address alongside other config information
● Leased IP addresses are valid for a time specified by the DHCP
server
● Once expired, the client must acquire a new IP address lease
○ The client does have the option to renew a previous lease so
that it can retain a previous IP address
● 4 stage process
1. DISCOVERY - BROADCAST
2. OFFER - BROADCAST OR UNICAST
3. REQUEST - BROADCAST (if multiple DHCP servers), can
be unicast
4. ACKNOWLEDGE - BROADCAST OR UNICAST
/etc/dhcp/dhclient.conf
● Configuration file for dhclient
○ Lines end in semicolons
● Timing
○ timeout
○ retry
● static lease:
○ If DHCP server can’t be contacted then loop through database of old leases then consult static
leases that can be defined in the dhclient.conf file
● Interface configuration
○ Interface “name” {
[declarations;]
}
Transmission Control Protocol (TCP)
● TCP is a stateful stream oriented protocol
that ensures reliable transport
● Also has mechanisms to guarantee that
information arrives intact and in order at the
destination
● To set up a TCP connection you have to go
through the TCP handshake
● Also has a connection close procedure
● Both of the above are overhead associated
with TCP
● Good for usage cases where receiving all data
is critical
User Datagram Protocol (UDP)
● UDP is a stateless, connectionless protocol
○ UDP focuses on sending messages in datagrams
● Being stateless UDP also doesn't incur the overhead of the TCP
handshake and termination
● UDP also makes no guarantees about reliable transport so messages may
arrive out of order, or not arrive at all.
○ UDP is sometimes called Unreliable Datagram Protocol
● For use cases that don’t need reliable transport
○ Marginal performance increase since we avoid connection overhead
Ports and Sockets
● A port is an identifier defining a service endpoint.
● A socket is an internal endpoint for traffic.
○ Associated with a socket address, typically an IP address
and a port number.
○ Also consists of a protocol
● A connection consists of two sockets
○ Essentially a 5-tuple of information [protocol, local IP,
local port, remote IP, remote port]
/proc/net
● Network information available here as virtual files
○ netstat and other tools usually provide a cleaner interface and leverage these files
● /proc/net/dev
○ Contains information on network devices and statistics like number of bytes
received and transmitted
○ Read by ifconfig
● /proc/net/[tcp|udp|raw]
○ Contains information and statistics on open system sockets
○ Used by ss, netstat, etc.
● /proc/net/route
○ Contains routing table information
● /proc/net/arp
● /proc/net/snmp
○ Contains statistics intended to be used by snmp agents
○ https://elixir.bootlin.com/linux/v4.4/source/include/net/snmp.h
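An added example (not part of the original slides) that decodes rows in the /proc/net/tcp layout into the 5-tuple from the Ports and Sockets slide and lists listeners bound beyond loopback. The rows are constructed, the function names are hypothetical, and the decoding assumes IPv4 on a little-endian host (/proc/net/tcp6 uses a different address width).

```python
import socket
import struct

# Constructed sample in the layout of /proc/net/tcp (real rows carry extra trailing fields).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 17233
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15120
   2: 0A02000A:0016 0101A8C0:D431 01 00000000:00000000 02:000A1B2C 00000000     0        0 20311
"""

# Subset of the kernel's TCP state codes; unknown codes are passed through as hex.
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port)."""
    hex_ip, hex_port = field.split(":")
    # The address is printed as one 32-bit hex word, so on a little-endian
    # host the octets read right to left: 0100007F is 127.0.0.1.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def parse_tcp(text):
    """Return one dict per socket: the 5-tuple plus state and owning uid."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        sockets.append({
            "tuple": ("tcp", local_ip, local_port, remote_ip, remote_port),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return sockets

def exposed_listeners(sockets):
    """Listening sockets reachable from other hosts (not bound to 127.0.0.0/8)."""
    return [s["tuple"][1:3] for s in sockets
            if s["state"] == "LISTEN" and not s["tuple"][1].startswith("127.")]

for sock in parse_tcp(SAMPLE_PROC_NET_TCP):
    print(sock["state"], sock["tuple"], "uid", sock["uid"])
print("exposed:", exposed_listeners(parse_tcp(SAMPLE_PROC_NET_TCP)))
```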
/proc/sys/net
● Contains writable files that allow a sysadmin to modify network
configurations
● Editing these files:
○ echo [args] > /proc/sys/net/ipv4/ip_forward
○ sysctl -p <conf_file>
○ sysctl -w variable=value
● Subdirectories that can vary from system to system
○ /proc/sys/net/core/
○ /proc/sys/net/ipv4/
● /etc/sysctl.conf to preserve changes
○ variable=value
○ net.ipv4.ip_forward=1
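An added example (not part of the original slides) that maps each variable=value line of a sysctl.conf to its file under /proc/sys and reports settings whose running value differs from the persisted one, which is what happens after an echo or sysctl -w that was never written back. The sample file and runtime values are constructed, and the function names are hypothetical.

```python
# Constructed sample of /etc/sysctl.conf content.
SAMPLE_SYSCTL_CONF = """\
# forwarding stays off on this host
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_all=1
; ephemeral port range
net.ipv4.ip_local_port_range = 32768 60999
"""

# Constructed stand-in for the live /proc/sys files, so the example runs offline.
SAMPLE_RUNTIME = {
    "/proc/sys/net/ipv4/ip_forward": "1\n",
    "/proc/sys/net/ipv4/icmp_echo_ignore_all": "1\n",
    "/proc/sys/net/ipv4/ip_local_port_range": "32768\t60999\n",
}

def parse_sysctl_conf(text):
    """Return {variable: value}, skipping blank lines and # or ; comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = " ".join(value.split())   # normalise whitespace
    return settings

def proc_path(variable):
    """net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward"""
    return "/proc/sys/" + variable.replace(".", "/")

def read_proc(path):
    """Read a live value; used when no other reader is supplied."""
    with open(path) as handle:
        return handle.read()

def drift(settings, reader=read_proc):
    """Return (variable, persisted, running) for every value that differs."""
    differences = []
    for variable, wanted in sorted(settings.items()):
        try:
            # /proc separates multi-value entries with tabs; compare normalised.
            running = " ".join(reader(proc_path(variable)).split())
        except (OSError, KeyError):
            running = None                      # variable missing on this system
        if running != wanted:
            differences.append((variable, wanted, running))
    return differences

for row in drift(parse_sysctl_conf(SAMPLE_SYSCTL_CONF), SAMPLE_RUNTIME.__getitem__):
    print(*row)
```

Calling `drift(settings)` with no reader compares against the real /proc/sys on the machine it runs on.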
/proc/sys/net/core
● message_burst and message_cost
○ Limits number of warning messages written to kernel log
○ message_burst = 10, message_cost = 5 => 10 messages every 5 seconds
○ Ideally strike a balance between granular logging and
performance/storage
● netdev_max_backlog
○ max number of packets allowed to queue on a particular interface
● rmem_default and rmem_max
○ Receive socket buffer default and maximum size, respectively
● wmem_default and wmem_max
○ Send socket buffer default and maximum size, respectively
● Adjusting queues/buffers is a matter of flow control vs paging
/proc/sys/net/ipv4
● icmp_echo_ignore_all
○ Allows kernel to ignore ICMP ECHO packets from every host or only those
originating from broadcast and multicast addresses
● ip_forward
○ Permits interfaces on the system to forward packets
● ip_default_ttl
○ Sets default TTL for outbound packets
● ip_local_port_range
○ Specifies range of ports to be used by TCP or UDP when a local port is
needed, e.g. ephemeral ports for outgoing connections
/proc/sys/net/ipv4
● tcp_syn_retries
○ Limits the number of times the system re-transmits a SYN packet when
attempting to make a connection
● tcp_retries1
○ Limit on number of re-transmissions for attempting to establish a connection
● tcp_retries2
○ Limit on number of re-transmissions of TCP packets

● https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
Sysadmin Commands
● host(name)
● ping
● traceroute
● mtr
● arp
● dig
● ip
● netstat
● nc
● curl
● wget
● iptables
host(name)
● Used to either set or display the current host, domain or node
name of the system
● Lookup utility for hosts and addresses
ping
Send packets to a server; good for getting metrics and testing connectivity

RTT = Round Trip Time
traceroute
Print the route that a packet takes to the destination

Details of the number of routers, i.e. 'hops', in the packet path.


How many router hops away is death from supernova? Hint: They are both on the
same network (OCF)
0
mtr
Combination of traceroute and ping

Great primer here:


https://linode.com/docs/networking/diagnostics/diagnosing-network-issues-with-mtr/
The rest
● netstat
○ This tool is good for printing network connections, routing tables,
and probing sockets, amongst other functions.
● tcpdump
○ Perfect for monitoring incoming or outgoing traffic on a machine.
● nc
○ 'netcat'
○ A very powerful tool that can be used for just about anything
involving TCP or UDP.
The rest
● ip
○ Offers a LOT of functionality. You will most commonly be using ip to
display/modify routing, IP addresses, or network interfaces.
○ https://access.redhat.com/sites/default/files/attachments/rh_ip_command_cheatsheet_1214_jcs_print.pdf
ip a
ip route
● ip route [show]

● ip route add
○ ip route add default via <ip>
○ ip route add <dest> [via <ip> | dev <device>]
● ip route del
● ip route change
The rest
● wget/curl
○ Similar tools used to transfer data from or to a server with certain
protocols like HTTP, FTP, etc …
● GOOGLE and MAN pages are your friends -- use them!
Iptables
● A firewall included with most Linux distributions that serves as an interface to
setting up traffic filters in the kernel
● Hard to do this topic justice … will defer this to lab
● Additional information can be found at these great links from our sponsors:
○ https://www.digitalocean.com/community/tutorials/how-the-iptables-firewall-works
○ https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-iptables-on-ubuntu-14-04
○ https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
○ https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
● Thanks DigitalOcean
Questions?
● Lab and checkoff form TBA:
○ Basic for head start and reference
■ https://decal.ocf.berkeley.edu/labs/b5
