
Re: Disgusted with DSL -- Technical BS



On Wed, 20 Jul 2005, JohnH wrote:
> Thanks Bryan

For what?  (my tangent? ;-)

> I was not aware of hubs/switches that would act as a funnel
> for all of my computers (8-10 of them so far) to use DSL.

<anal>
Hub/switches are merely Layer-2 (IEEE802.3/Ethernet, 802.11/WLAN,
etc...) devices.  They allow direct access between systems that
are part of the same, physical Layer-2 network.  That's why we
call a 6-byte IEEE 802 MAC (Media Access Control) address a
"physical address."

External networks communicate over Layer-3 networks, such as the
Internet Protocol (IP).  Most of these use 4-byte IPv4 "logical
addresses."
</anal>

Don't be confused by the fact that some Layer-3 one-to-many NAT
(NAT/PAT**) 'Ritters also include Layer-2 (e.g., Ethernet, WLAN)
hubs/switches/bridges inside.  NAT/PAT is clearly a layer-3
IP-level operation (actually, PAT is layer-4** -- e.g., TCP
transport to port 80, HTTP aka "Web").

**NOTE:  

Network Address Translation (NAT) translates one Layer-3 IP
Address to another.  Port Address Translation (PAT) translates
one Layer-4 Transport port to another.  There are 3 types of NAT:
- One-to-one NAT (NAT-only)
- Many-to-one*1* NAT aka "Source NAT (SNAT)" (NAT+PAT)
- One-to-many*1* NAT aka "Destination NAT (DNAT)" (NAT+PAT)

*1* NOTE:  Sometimes people flip the terms.  I'm not actually
sure which is correct.

True One-to-one NAT is used in some enterprises.  It's just
translating one Layer-3 IP address to another, the Layer-4 ports
are unchanged.  E.g., two enterprises that are merging want to
either hide their true IP addresses or, more often, are using the
same IP address space (e.g., 10.x.x.x).  They will use NAT to
appear as different IPs on the other side.

Many-to-one NAT is commonly used in 'Ritters and even most real
Routers.  It is called Source NAT (SNAT) because it takes many
private Layer-3 IP addresses and makes them appear as one.  It
does this by translating Layer-4 Transport port (e.g., TCP
transport port 80, HTTP aka "Web") so each is unique from each
private address.  That's why PAT is required, to keep the port
communications unique.  What port the SNAT device sends a
communication and receives back is typically not the same as the
internal device.

One-to-Many NAT, Destination NAT (DNAT), does the opposite.  It
allows you to target a single IP, but the DNAT device can send it
to another system -- typically a server in a segmented
de-militarized zone (DMZ) from your LAN (so any DMZ
infested/compromised server won't infest your LAN).  Once again,
PAT is typically used.  Even if the destination port is the same
for both the DNAT and the DMZ server (e.g., port 80), since the
DMZ server sees all requests coming from the DNAT device, it has
to use different source ports -- which will differ from the
original Internet requestor.


"L. V. Lammert" <lvl@omnitec.net> wrote:
> Not exactly a funnel - the router is technically the 'funnel'.

Sort of.

A NAT/PAT device completely translates the Layer-3/4 part of the
packet/transport (e.g., IP packet, TCP transport) -- the internal
address/port with the external address/port.

A "real" router (not doing NAT/PAT) replaces the Layer-2 part of
the frame (e.g., Ethernet frame) with the "next hop."  E.g.,
internally the Layer-2 part is a 6-byte MAC address.  Externally
(over a non-local communications line) the Layer-2 part is
typically a Frame Relay (T carrier or fraction) or Cell Relay
(e.g., DS carrier and/or ATM) virtual circuit (VC).  If you look
at your DSL, you'll typically see VCI/VPI addresses.

Ethernet and WLAN are Broadcast Medium Access (BMA), meaning all
nodes broadcast to all others on the physical Layer-2 devices.
You can do this on a LAN, hence why hubs, switches, etc... are
"plug'n play."  Frame and Cell Relay are Non-Broadcast Medium
Access (NBMA), and you need to establish VCs.  This is because
there are typically thousands of connections, and you can't have
all nodes broadcasting to all others.  In the case of Internet
access, you typically just want to reach the router at the ISP,
so a VC is set up for it (and you don't directly communicate with
the other nodes, like your neighbors).

[ NOTE:  Now you understand what they mean by a "Frame Relay
Cloud."  It is a cloud of numerous connections, and you create
VCs as you need to access other connections.  On Ethernet, it is
more localized, controlled and trusted (especially with today's
switches).  In Frame/Cell, we won't trust other nodes to "do the
right thing," so we don't let them broadcast or connect to others
without establishing a VC. ]

> The Linux box (or other DHCP provider - many times also the 
> router) will issue IP addresses to any machines on the local 
> subnet,

Understand DHCP (based on BootP) is a Reverse Address Resolution
Protocol (RARP) request.  It says, "Hey, I'm Layer-2 MAC address
XX:YY:ZZ:AA:BB:CC, what's my Layer-3 IP address?"  It must be done
on the same, physical Layer-2 network (like Ethernet, WLAN,
etc...), since Layer-2 is not routed (to other networks, such as
over Layer-3, until it has an IP address -- chicken/egg issue).

When systems are on the same Layer-2 network and want to
communicate, but don't know each other's MAC address, they use
Address Resolution Protocol (ARP).  It says, "Hey, who is Layer-3
IP Address II.JJ.KK.LL, what's his Layer-2 MAC Address?"  On a
simple network, typically the node with that IP address hears it
and responds back.

Depending on routing tables, what type of router switches
(layer-3 switches -- i.e., layer-2 switching with an intelligence
that lets different layer-3 networks talk directly, long story),
etc..., a switch, router, etc... might actually service it.  In
most cases, systems use a "default route" and if they know the IP
address isn't local (by using the Layer-3 IP Address
--logical-and-- Layer-3 Subnet Mask), they ARP request the
Router's IP so it knows what Layer-2 MAC Address (the router's)
to reach the Layer-3 IP Network.

On a complex network, there will be multiple internal and
external IP subnets, so a simplistic "default route" will _not_
work.  'Ritters don't work there.  That's why you need a "real
router."  Which is my #1 complaint with SMBs who believe these
'Ritters are "routers" because of the marketing nonsense.
_Real_ routers tell nodes all the different routes available, not
just a "default route" through the 'Ritter box.

> the NAT service on the router translates *all* internal IPs to
> the external IP of the router.

Yep

> There is no physical limit to the internal computers, only
> sanity and the amount of bandwidth available.

<anal>
Actually there _are_ limits.

Most Layer-2 Switches only have a MAC table that stores 1,024 -
8,192 nodes.  That means from one end of your Layer-2
hubs/switches to another, you can only have 1,024 - 8,192
computers.  You have to be careful with old "desktop switches"
(circa mid-to-late '90s) that have only 1 MAC per port.

If you use 802.1d** Spanning Tree, you can only have 7 Layer-2
hops.  This has bit so many companies in the butt (literally
millions of dollars in downtime until they found the problem),
and the #1 reason why people like me will come scream at you if
you dangle a little switch onto my enterprise network.  Because
you can take down the entire network, or a good portion of it.
;->
(Of course, a good routing / layer-3 switching design can segment
802.1d problems. ;-)

[ **NOTE:  802.1 is the Link Control, LLC, of IEEE 802 -- the
"upper" part of Layer-2.  802.2+ is the Media Access Control,
MAC, of 802 -- the "lower" part of Layer-2.  LLC talks to higher
levels, MAC talks to the lower (Layer-1 Physical Wire/Optic).
E.g., you can use the 802.1x LLC to prevent any association on
Ethernet or, more importantly for new WLAN security, association
to an access point (or through it). ]

> The discussion was more about providing some sort of *security*
> to the internal network (i.e. IPCop).

Firewalls, even Stateful Packet Inspection (SPI), are _not_ enough.
Over 99.9% of compromises today are _client_ instigated -- e.g.,
Internet Explorer, ActiveX, Javascript, etc...  This is largely
because these are "deny all incoming, allow all outgoing" SPI
Firewalls.  A "deny all outgoing, except X, Y, Z" is difficult
for SOHOs to implement, and even SMBs.

Which is why Intrusion Detection Systems (IDS) are most
important.  They mitigate risk because you can at least be
identified when a node is compromised on your network, without
having to "lock it all down" -- important in a SOHO.  IPCop comes
with good, aggregate logging capabilities, including the Snort
IDS.  With 15 minutes of impromptu training, I can teach SOHOs
how to mitigate 95% of risks by spending no more than 1-5
minutes/day checking IPCop's logs.

E.g., typically it starts with a few phone calls the first few
times as they get a "feel" of what they are looking for.  Then
they learn what to look for and what is not an issue.  If there
is ever an issue with an internal system, I have them pull the
plug until I arrive.  There is _nothing_ more dangerous to be
compromised and not know about it.  Just ask Valve (not only the
Half-Life II code theft, but their liability of the theft of MS
and idSoftware's toolkits!).

1-5 minutes/day for 95% mitigation is the "best balance" I can
come up with.  People constantly berate me for suggesting SOHOs
check their firewall logs ("they are not smart enough"), but with
IPCop and its Snort IDS, it's just a matter of checking 10-20
events/day -- typically once mid-morning, or once mid-afternoon.
I basically have 2 people volunteer and the "reminder" is "the
first time you use the bathroom in the morning" and "when you use
the bathroom after lunch."

You'd be surprised how many times we've caught some _nasty_
spyware _before_ anything happened.  1-5 minutes/day for 95% risk
mitigation with people who are _not_ IT experts by any means.

> Makes no difference really - as long as each machine properly
> requests DHCP information (including default gateway (the 
> router) and DNS servers).

-- Bryan J. Smith, CCDP** (not that it matters)

**In case you didn't know (because people ask "how's that differ
from the CCNA") ...

Cisco Certified Design Professional (CCDP)
  1-exam CCNA (Network Associate)
+ 1-exam CCDA (Design Associate)
+ 1-exam Layer-2 BMA (Switching)
+ 1-exam Layer-3 Routing
+ 1-exam Layer-2 NBMA (Remote Access)
+ 1-exam Design
= 6-exams

The "Associate" levels are designed for "intro" to all
technologies (e.g., you get a little of all Layer-2/3 in the
CCxA's).  The "Professional" levels focus in the technical
details of each (separate BMA, Routing, NBMA exams), plus one
"Troubleshooting" (CCNP, Network Professional) or "Design" (CCDP,
Design Professional).


-- 
Bryan J. Smith                 mailto:b.j.smith@ieee.org
Sent from Yahoo Mail (please excuse any missing headers)
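The SNAT/DNAT mechanics Bryan describes above (many private addresses
made to look like one external address by handing each flow its own
Layer-4 port, and a port-forward that steers an inbound request to a DMZ
host) modelled as a small translation table.  This is an added example,
not code from the post or from any router or IPCop; the addresses, ports
and the `NatPat` class are constructed for illustration, and the DNAT
half rewrites only the destination (it does not also re-source the
request the way the post's DNAT box does).

```python
"""Toy model of many-to-one SNAT (with PAT) and one-to-many DNAT.

Constructed example for illustration: the NatPat class, the external
address 203.0.113.7 and the internal/DMZ hosts are not from any real
device or configuration.
"""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    """The Layer-3/4 fields a NAT/PAT box actually rewrites."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


class NatPat:
    """Outbound: SNAT + PAT.  Inbound: reverse SNAT first, then DNAT port-forwards."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self._next_port = count(first_port)  # hands out unique external ports
        # (proto, internal ip, internal port) -> external port, and its reverse
        self.snat: dict[tuple[str, str, int], int] = {}
        self.snat_rev: dict[tuple[str, int], tuple[str, int]] = {}
        # (proto, external dst port) -> (dmz ip, dmz port)
        self.dnat: dict[tuple[str, int], tuple[str, int]] = {}

    def add_port_forward(self, proto: str, ext_port: int, dmz_ip: str, dmz_port: int) -> None:
        """Publish one external port and send whatever hits it to a DMZ host."""
        self.dnat[(proto, ext_port)] = (dmz_ip, dmz_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Replace the private source with the external address and a unique port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.snat:
            ext_port = next(self._next_port)
            self.snat[key] = ext_port
            self.snat_rev[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=self.snat[key])

    def inbound(self, pkt: Packet):
        """Map a packet arriving on the external address back to an inside host.

        Returns None when nothing matches: an unsolicited packet with no
        SNAT state and no port-forward is simply dropped, which is the
        "deny all incoming" behaviour of a typical NAT/PAT box.
        """
        hit = self.snat_rev.get((pkt.proto, pkt.dst_port))
        if hit:  # reply to a flow one of our hosts started
            ip, port = hit
            return replace(pkt, dst_ip=ip, dst_port=port)
        fwd = self.dnat.get((pkt.proto, pkt.dst_port))
        if fwd:  # published service: hand it to the DMZ server
            ip, port = fwd
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None


def demo() -> dict:
    """Two LAN hosts share source port 1234 to the same web server; both get
    distinct external ports, replies come back to the right host, and an
    unsolicited packet to an unpublished port is dropped."""
    nat = NatPat("203.0.113.7")
    a = nat.outbound(Packet("10.0.0.11", 1234, "198.51.100.80", 80))
    b = nat.outbound(Packet("10.0.0.12", 1234, "198.51.100.80", 80))
    reply = nat.inbound(Packet("198.51.100.80", 80, "203.0.113.7", a.src_port))
    nat.add_port_forward("TCP", 80, "192.168.100.10", 80)  # DMZ web server
    fwd = nat.inbound(Packet("198.51.100.5", 55555, "203.0.113.7", 80))
    dropped = nat.inbound(Packet("198.51.100.5", 55555, "203.0.113.7", 22))
    return {"a": a, "b": b, "reply": reply, "fwd": fwd, "dropped": dropped}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:8} {value}")
```

The one detail worth noticing is why PAT is unavoidable for many-to-one
NAT: both internal hosts chose the same source port, so without the
per-flow external port the box would have no way to tell whose reply is
whose when the web server answers.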
