Day 38: Networking Trivia
More often than not, I realize that I need to refresh my basic networking knowledge when faced with problems in building my current architecture. This post serves that purpose, and also shares a few enlightening insights I picked up today.
Did you know that ARP was a layer 3 protocol and not a layer 2 protocol?
If not, you have been learning the wrong thing so far. ARP is indeed a layer 3 protocol. The ARP protocol serves to map an IP address to a device's MAC address, so it needs to know the IP addresses of the systems as well. How would a layer 2 protocol know anything about IP addresses and their mapping to devices? Thus ARP, which resolves the mapping between IP and MAC, is a layer 3 protocol.
How to build a basic network with routers, switches and hosts?
We have worked on this subject over the last few posts. If you have been following the blog, you will know that we established the network and ran specific commands to get it working. Well, let's analyze why we did what we did and check whether we were missing some important detail.
Let's say that for a host to contact another host in a different subnet, we need a router. This is not true in every case, but we shall ignore the exceptions for now. To configure subnet-to-subnet communication, we need to assign at least 2 IP addresses to our router. They can be on different interfaces or on the same interface. Next, we need to take care of how packets are forwarded from one IP address on the router to another IP address on a different subnet. This is the reason we have always enabled net.ipv4.ip_forward in our sysctl file. One thing we were missing in our previous setup was this:
> sudo sysctl -w net.ipv4.conf.all.send_redirects=0
The setting above is crucial for avoiding ICMP redirects. ICMP redirects are ICMP messages that tell a host that another host in a different subnet is reachable without passing through the router. If the two hosts have a physical connection that bypasses the router, ICMP redirect messages would establish that as a new route. Although this would be faster in a few cases, consider the security exposure such a network creates: the router would never see those packets, so it cannot monitor them. This is why it is always advisable to prevent ICMP redirects.
It is also good practice to stop the hosts from accepting ICMP redirect messages. We have been doing this as part of our setup previously through the following command:
> sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
This is why we have not run into the problem of ICMP redirection in our setup so far.
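To make the checks above repeatable, here is an added example (not code from the original post) that audits a `sysctl -a` dump against the three settings the post settles on and emits the matching `sysctl -w` commands for whatever is off; the sample dump is constructed.

```python
"""Audit a Linux router's sysctls against the three settings discussed in the post."""

# Values the post arrives at for a box that routes between subnets:
# forward packets, never send ICMP redirects, never accept them.
EXPECTED = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
}

def parse_sysctl(text: str) -> dict:
    """Parse `sysctl -a` style "key = value" lines into a dict; ignore anything else."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit(text: str) -> list:
    """Return (key, actual, expected) for every key that is missing or not as expected."""
    settings = parse_sysctl(text)
    return [(key, settings.get(key), want)
            for key, want in EXPECTED.items() if settings.get(key) != want]

def remediation(findings: list) -> list:
    """Turn findings into the `sysctl -w` commands used in the post (persist them in the sysctl file too)."""
    return [f"sudo sysctl -w {key}={want}" for key, _actual, want in findings]

# Constructed sample dump: forwarding is on and redirects are not accepted, but the
# router still sends them, which is exactly the gap the post found in the earlier setup.
SAMPLE = """net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
"""

# On a live router, feed it the real output of `sysctl -a` instead of SAMPLE.
for cmd in remediation(audit(SAMPLE)):
    print(cmd)
```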
How to assign Virtual IP addresses?
Let's consider a simple setup where a router is connected to a switch and the switch is connected to two load balancers. The two load balancers run in a master-slave configuration: while the master is active it holds the VIP, and when it goes down the VIP is assigned to the slave. Consider that the master is down and the VIP has been assigned to the slave. In this situation the switch still keeps sending the packets meant for the slave to the master LB. Why? Because the switch maintains a MAC-to-port mapping for each communicating link, so as far as the switch is concerned the VIP is still held by the master LB. To update the switch's MAC table we need to send it something called a gratuitous ARP. By sending this ARP reply message we tell the switch that the VIP is now held by the MAC address of the slave LB. Only then is the failover complete; otherwise the packets would just be dropped, since the master LB is down. Notice that we are sending an ARP reply without any preceding ARP request. While this is useful in legitimate cases such as switching load balancers, it can also be misused: unsolicited ARP replies are a classic way to mount man-in-the-middle (MITM) attacks, where another system on the network poses as you and talks to others without your knowledge. Such ARP reply messages flowing on the network are therefore a cause for concern, and most networks have measures in place for the risk they pose.
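From the monitoring side, the gratuitous reply that the failover relies on is the same signal one watches for to catch the ARP-based MITM the post warns about. The following added example (not code from the post or from keepalived) parses raw Ethernet/ARP frames and reports gratuitous replies for a watched VIP and any IP-to-MAC change; the VIP 192.0.2.10 and the MAC addresses are constructed sample values.

```python
"""Watch ARP replies for gratuitous announcements and IP-to-MAC changes."""
import struct

ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2
def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)
def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": mac(sha), "spa": ipv4(spa), "tha": mac(tha), "tpa": ipv4(tpa)}

class ArpMonitor:
    """Learn IP-to-MAC bindings from ARP replies and report anything notable."""
    def __init__(self, watched_ips):
        self.table = {}                  # ip -> mac last seen claiming it
        self.watched = set(watched_ips)  # VIPs whose ownership changes we care about

    def observe(self, frame: bytes) -> list:
        """Feed one frame; return event strings (empty list if nothing notable)."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return []
        events = []
        # Gratuitous reply: the sender announces its own IP (sender IP == target IP).
        if arp["spa"] == arp["tpa"] and arp["spa"] in self.watched:
            events.append(f"gratuitous reply for watched {arp['spa']} from {arp['sha']}")
        old = self.table.get(arp["spa"])
        if old is not None and old != arp["sha"]:  # binding moved: failover or spoofing
            events.append(f"{arp['spa']} moved from {old} to {arp['sha']}")
        self.table[arp["spa"]] = arp["sha"]
        return events

VIP = "192.0.2.10"
# Constructed sample frames (hex): dst MAC, src MAC, ethertype, ARP header, sha, spa, tha, tpa.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "ffffffffffff" "020000000001" "0806" "0001080006040002" "020000000001" "c000020a" "ffffffffffff" "c000020a",  # master LB announces VIP
    "0200000000ff" "020000000020" "0806" "0001080006040002" "020000000020" "c0000214" "0200000000ff" "c0000201",  # 192.0.2.20 answers the router
    "ffffffffffff" "020000000002" "0806" "0001080006040002" "020000000002" "c000020a" "ffffffffffff" "c000020a",  # slave LB claims VIP after failover
)]

def run_sample() -> list:
    """Replay the constructed frames through a monitor that watches the VIP."""
    monitor = ArpMonitor([VIP])
    return [event for frame in SAMPLE_FRAMES for event in monitor.observe(frame)]
```

On a real segment the same `observe` call would be fed frames from a raw socket or a pcap; a "moved" event for the VIP is expected during a planned failover and worth an alert at any other time.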
Knowing these networking basics is essential to be able to analyze and work on the later parts of the project. Yesterday, the whole day was spent trying to fix keepalived, which was not working properly. So, for now, I shall stick to assigning the VIP to the active load balancer manually, followed by sending an ARP reply message. We shall look into using keepalived to automate this process over the course of the project.
Source: Dr. Ram P Rustagi