Category: Networking

What is the difference between tunnel | transport mode in IPsec

Intro

IPsec makes VPN connections possible. It lets us simulate a leased line across the public Internet and thus get a secure connection across an unsecured environment. It provides encryption, authentication and protection of our data when it is sent across the world's biggest internetwork, the Internet.

It's the cheap way to simulate a leased line, the way to send private data across the public network without compromising privacy. The goal of IPsec is to secure services and lower the cost of data transfer. Compare it to the pricing of data transfers across dark cables / leased lines.

There are two parts of the IPsec security suite:
– ESP – Encapsulating Security Payload
– AH – Authentication Header

Depending on our situation, we can configure two different modes of operation. Here we make clear the differences between those modes and the technology behind them.

IPSec Transport Mode and Tunnel Mode

/31 subnet in point-to-point links. Is that possible?

subnet /31

Ok, this is strange! At least this was my first reaction when I saw that in one of the CCIE labs that I am trying to resolve, all the links between routers are addressed with a /31 subnet.

Isn't it weird that you see something like this for the first time after a couple of years in networking? For me it was. It blew my mind. I asked my more experienced networking colleagues later, but for them it seemed new too. They said at first: Ok man, that's not possible!

Well, try to type it on a router interface and you will see that it is possible. It's strange for sure, but it's possible. The router OS (Cisco IOS in this case) will try to make sure that you use this kind of subnetting only for point-to-point links. That's why it will issue a warning message if you apply this subnet mask on an Ethernet interface. For a serial interface it will go through without the warning.

The idea behind this is of course simple if you put it this way:

BGP dampening – punishment for unstable BGP prefixes

BGP prefix flapping can be caused by different issues in the network. Basically, every unstable network where links are unreliable and keep going up and down can cause BGP prefix flapping. Every prefix flap will cause some networks to become unreachable. The BGP process will then need to recalculate the best path in order to hopefully find another way to get to the unreachable network.

The impact on the network can be enormous, as one missing network prefix can mean that a huge number of other networks will change the path on which they are reachable. In the case of a prefix flap, the prefix is going up and down all the time. After every status change all that effort of finding a new best path is repeated, and when the prefix comes back, everything is calculated again and returns to how it was before. We have a way to cut the impact of flapping prefixes.

That way is BGP prefix dampening. When configured, dampening punishes prefixes that change state from reachable to unreachable several times within a given time period. After every flap BGP gives that prefix a defined penalty, 1000 by default. The penalty immediately starts to decay exponentially, but if the prefix flaps several times within a short period it will collect enough points to reach the Suppress Limit, and at that point BGP marks the prefix as damped. This means that it immediately suppresses the advertisement of the prefix until the penalty falls below the Reuse Limit, which is 1000 by default. The Suppress Limit is 2000 by default, and yes, by default the prefix needs to flap three times in order to be suppressed (the first penalty will be 1000 and the next one also 1000, but the first one will have fallen at least by 1, to 999, before the second flap occurs).
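The penalty arithmetic described above can be replayed in a few lines. This is an added example, not code from the original post: the per-flap penalty, Suppress Limit and Reuse Limit are the values given in the text, while the 15-minute half-life, the function names and the flap timestamps are assumptions made for the illustration.

```python
import math

# Limits as stated in the text above. HALF_LIFE_S is an assumption:
# the text does not give the decay half-life.
PENALTY_PER_FLAP = 1000
SUPPRESS_LIMIT = 2000
REUSE_LIMIT = 1000
HALF_LIFE_S = 15 * 60


def decayed(penalty, elapsed_s):
    """Exponential decay: the penalty halves every HALF_LIFE_S seconds."""
    return penalty * 0.5 ** (elapsed_s / HALF_LIFE_S)


def dampen(flap_times_s):
    """Replay flaps; return ([(time, penalty, suppressed)], reuse_time or None)."""
    penalty, last_t, suppressed = 0.0, None, False
    history = []
    for t in sorted(flap_times_s):
        if last_t is not None:
            penalty = decayed(penalty, t - last_t)
            # A suppressed prefix is released once it decays below the reuse limit.
            if suppressed and penalty < REUSE_LIMIT:
                suppressed = False
        penalty += PENALTY_PER_FLAP
        if penalty >= SUPPRESS_LIMIT:
            suppressed = True
        history.append((t, penalty, suppressed))
        last_t = t
    reuse_at = None
    if suppressed:
        # Solve penalty * 0.5**(dt / half_life) == REUSE_LIMIT for dt.
        reuse_at = last_t + HALF_LIFE_S * math.log2(penalty / REUSE_LIMIT)
    return history, reuse_at


if __name__ == "__main__":
    # Constructed input: three flaps one minute apart, then quiet.
    history, reuse_at = dampen([0, 60, 120])
    for t, penalty, suppressed in history:
        print(f"t={t:>4}s penalty={penalty:7.1f} suppressed={suppressed}")
    print(f"advertised again at t={reuse_at:.0f}s")
```

With these constructed flap times the second flap leaves the penalty just under 2000, so suppression only starts at the third flap, which matches the count given in the text.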

Source-based routing in IPv4 and IPv6 networks

In my current studies, I did some work about security inside networking data paths. In my recent work, I tried to get some experiments done that needed to use source-based routing in order to be completed. Like most scientific work that tries to get from paper to experiment and then to something useful, it failed at the very beginning. If I can be more precise and improve a bit the appearance of my failure here, I can do it by explaining what happened and what I came across while researching my idea. It's something as simple as this:

According to the IETF's suggestion, source-based routing needs to be disabled by default on networking devices. At least it should be, as the feature itself is recognised as a major security threat and the IETF itself is trying to get rid of it.

Of course that can be considered like a stop sign in an experiment where you are relying solely on source based routing to get your thing running.   (:

When you look at networking technology these days, it is probably the IP protocol that you are talking about. Okay, maybe you are a new-age junkie and you are speaking about the IPv6 protocol. Either way, the very first and main principle of routing a packet across a data network is decision making based on the destination IP address. A router decides where to send a packet based more or less solely on the destination IP address. It does so by reading its locally built routing table of destination subnets. From that table the router learns out of which interface it should send a packet that is destined for a given address.

BGP communities

Oh man, when you start to write about BGP, it is probably the time when you seriously start questioning yourself: where did I go with myself? That is probably the moment in which you realize that there is a network geek sitting somewhere inside you. At least that is what happened to me when I finished writing this huge post. Don't be scared, it's fun to know about this thing below.

Simple start

Every local network is managed by its own network administrator. If the network becomes big enough and there are more than a few sub-segments inside it, there will probably be some kind of routing protocol running inside. That routing protocol will be an IGP (interior gateway protocol), most probably OSPF, as it is vendor independent.

When we want to connect our network to other networks across the world, we are trying to connect it to the internet. The Internet is the network connecting most of the networks today and in that way it became the biggest inter-networking system in the world. To be able to get that huge network to function and get our LANs to act jointly there must be a routing protocol that enables it.

BGP – Border Gateway Protocol is that one.

Every individual network has its own policies that make the network behave as the administrator wants. When connecting networks to the Internet, all those policies need to be tied together with BGP in order to influence outside communication entering the local network and communication initiated from the local network going out somewhere on the Internet. This is done using more than a few different BGP attributes. Those attributes are forwarded along with specific prefixes. Sometimes those attributes are not only forwarded but also modified on the way; one of them is the community attribute.