3 iii I TCP UDP ICMP II IPFilter private address spoofing IP ICMP Mail Web DNS query

4 iv 4 RIP RIP Quagga Quagga zebra ripd Quagga VTY RIP OSPF OSPF (LSA) OSPF ospfd ospf router ospf rip interface OSPF BGP BGP BGP bgpd bgpd BGP

5 NAT N.0/24 IP NAT DNS (/etc/rc.conf named_enab="no" ) Ethernet PCMCIA # ifconfig ue0 ue0: flags=108843<up,broadcast,running,simplex,multicast> mtu 1500 options=8<vlan_mtu> ether 00:09:5b:bc:01:8f media: Ethernet autoselect (none) status: no carrier ifconfig ue0 1.2 le0 IP N.M/24 N M ue0 IP N.1 kterm ping ( ping ) arp -a ue0 IP N.0/ N.1/30 IP N.2/30 N 1 4 N 1 IP ping ifconfig ue0 PC IP IP 1.5 NAT /etc/rc.conf ( N.0/24 )

7 3 2 I ( ) ( ) ( ) IP,, (TCP,UDP,ICMP) IPFilter, IPFW(FreeBSD), PF, screend, IPCHAIN(Linux) IPFilter OS (Solaris ) IPFilter FreeBSD IPFW(IPFirewall),IPFilter,PF IPFW IPFW IPFilter IPFW OS PF OpenBSD OpenBSD IPFilter OpenBSD IPFilter IPFilter IPFilter NAT OS 2.1 TCP/IP

8 4 2 I TCP/IP 2 TCP 2 IP,Port, IP,Port 2 IP,Port mail MTA mail-server,25 2 IP,Port, IP,Port TCP ( UDP TCP UDP ) 1023 Unix root ( ) Unix Unix OS FreeBSD Linux NIS TCP TCP TCP TCP TCP TCP TCP 2byte 10 15

9 bit 10 URG 11 ACK 12 PSH 13 RST 14 SYN 15 FIN TCP (RFC793) 1. (a) SYN SENT (3 ) (b) ESTABLISHED (c) FIN WAIT 1, FIN WAIT 2 (half-closed) (d) TIME WAIT (e) CLOSED 2. (a) LISTEN (b) SYN RECVD (c) ESTABLISHED (d) CLOSE WAIT (e) LAST ACK (f) CLOSED SYN ACK ACK(,PSH,URG) FIN,ACK SYN,ACK ACK(,PSH,URG) ACK FIN,ACK ACK 3 setup established ( ) SYN ACK

10 6 2 I SYN ( ) SYN ACK IPFilter ( UDP,ICMP IPFW ) (stateful) (stateless) (Sequence Number) (ACK Number) (Sequence Number ACK Number Sequence Number ) UDP UDP TCP UDP DNS DNS ( ) UDP TCP DNS DNS TCP DNS TCP ( DoS DNS DNS ) UDP IP,Port, IP,Port IP,Port UDP ICMP ICMP (Internet Control Message Protocol) TCP,UDP ( ) IP ping ICMP ICMP 1byte

11

type  message               ipf
0     Echo Reply            echorep
3     Host Unreachable      unreach
4     Source Quench         squench
5     Redirect              redir
8     Echo                  echo
9     Router Advertisement  routerad
10    Router Solicitation   routersol
11    Time Exceeded         timex
12    Parameter Problem     paramprob
13    Time Stamp            timest
14    Time Stamp Reply      timestrep
15    Information Request   inforeq
16    Information Reply     inforep
17    Address Mask Request  maskreq
18    Address Mask Reply    maskrep

Echo, Echo Reply Echo Reply Host Unreachable Source Quench Redirect Router Solicitation, Router Advertisement Time Exceeded TTL(Time To Live) 0 Fragmentation Parameter Problem Time Stamp, Time Stamp Reply

12 8 2 I Information Request, Information Reply IP Information Reply Address Mask Request, Address Mask Reply ICMP ( ) 2. IP 3. IP 4. (NAT ) 5. IP 1. Mail Server SMTP 2. SMTP 3. DNS(, ) UDP 4. DNS 5. WWW 6. WWW 7. NTP NTP Network Time Protocol NTP Cisco FreeBSD IPFilter FTP

13 9 3 II 3.1 IPFilter IPFilter make (Solaris solaris) make install FreeBSD OS make ( Solaris SunOS5/ make package pkg pkgadd ) FreeBSD NAT IPFilter IPFilter OS FreeBSD 1. /usr/src/sys/i386/conf (GENERIC LINT) ( ) 2. config MYKERNEL # config MYKERNEL 3. make config../compile/mykernel

14 10 3 II # make depend # make 4. # make install # shutdown -r now /boot/kernel/ /boot/kernel.old/ /boot/kernel.old/ mv /boot/kernel.old /boot/kernel.org /kernel.org make 5. 9 ok /boot/kernel.org/ ( /boot/kernel.old/ ) ok unload ok load /boot/kernel.old/kernel ok boot /boot/kernel.old/ ( kernel.org ) loader prompt 6

15 3.1. IPFilter NAT /sys/i386/conf/ ( /usr/src/sys /usr/src/sys/i386/conf/ ) /sys/i386/conf/generic LINT LINT LINT (LINT make LINT ) GENERIC ( MYKERNEL) options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding MYKERNEL GENERIC ( /var/log/messages GENERIC ) ident MYFIREWALL (/etc/rc.conf)

16 12 3 II /etc/ipf.rules pass in all pass out all /etc/rc.conf ipfilter_enable="yes" ipnat_enable="no" ipmon_enable="yes" tcp_drop_synfin="yes" # Set to YES to enable ipfilter functionality # Set to YES for ipnat; needs ipfilter, too! # Set to YES for ipmon; needs ipfilter, too! # Set to YES to drop TCP packets with SYN+FIN icmp_drop_redirect="yes" # Set to YES to ignore ICMP REDIRECT packets icmp_log_redirect="yes" # Set to YES to log ICMP REDIRECT packets /etc/default/rc.conf /etc/defaults/rc.conf # /etc/defaults/rc.conf ipfilter_program="/sbin/ipf" # where the ipfilter program lives ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see ipfilter_flags="" # /usr/src/contrib/ipfilter/rules for examples # additional flags for ipfilter /etc/rc.conf FreeBSD /etc/rc.conf # /etc/rc.d/ipfilter start ipfilter # /etc/rc.d/ipfilter reload OS # ipf -Fa -f /etc/ipf.rules ( telnet ) tcpdump wireshark

17 3.1. IPFilter IPFilter ipf ipfstat ipftest ipnat NAT ipmon ipresend IP FreeBSD ipf,ipnat,ipfstat,ipmon,ipresend /sbin ipf, ipfstat, ipftest ipf ipf # ipf -Fa -Z -f /etc/ipf.rules (-Fa) /etc/opt/ipf/ipf.conf (-Z) ipfstat

18 14 3 II bad packets: in 0 out 0 IPv6 packets: in 0 out 0 input packets: blocked 0 passed 113 nomatch 0 counted 0 short 0 output packets: blocked 0 passed 78 nomatch 0 counted 0 short 0 input packets logged: blocked 0 passed 0 output packets logged: blocked 0 passed 0 packets logged: input 0 output 0 log failures: input 0 output 0 fragment state(in): kept 0 lost 0 not fragmented 0 fragment state(out): kept 0 lost 0 not fragmented 0 packet state(in): kept 0 lost 0 packet state(out): kept 0 lost 0 ICMP replies: 0 TCP RSTs sent: 0 Invalid source(in): 0 Result cache hits(in): 19 (out): 45 IN Pullups succeeded: 0 failed: 0 OUT Pullups succeeded: 0 failed: 0 Fastroute successes: 0 failures: 0 TCP cksum fails(in): 0 (out): 0 IPF Ticks: 2216 Packet log flags set: (0) none -s -i -o ( input -o output ) IP -s -i -o # /sbin/ipfstat -io pass out quick on OUTIF proto tcp/udp from /24 to any keep state pass out quick on OUTIF proto icmp from /24 to any keep state block in on OUTIF from any to any block in quick on OUTIF from /12 to any block in quick on OUTIF from /8 to any block in quick on OUTIF from /8 to any block in quick on OUTIF from /3 to any pass in quick on OUTIF proto tcp/udp from /24 to any keep state -io IPFilter -i -i, -o -n

19 ipftest IPFilter IPFilter ipftest # ipftest -r ipf.rules -i data ipf.rules data data in on OUTIF tcp , ,80 TCP OUTIF IP Port Port 80 (pass) # ipftest -r ipf.rules -i data pass ip #0 40(20) ,20000 > , IPFilter [block pass] [in out] [quick,log,on IF] [proto {tcp/udp tcp udp icmp}] [IP-set] quick block pass (block,pass count,skip,auth,call ) in out on IF ifconfig lnc0 on lnc0 log ( ) quick ( head

20 16 3 II ) IPFilter quick proto 4 tcp/udp tcp udp icmp TCP UDP TCP UDP ICMP proto /etc/services OSPF pass in quick proto 89 all pass out quick proto 89 all (OSPF 89 ) proto IP-set from to any any 10/ /16 from /8 to /16 mask from mask to mask from any to any all WWW from any to port = 80 >< Port from any to port 5999 >< 6064

21 > <!= >= <= log ipmon IPFILTER_LOG ( ) ipmon /etc/rc.conf ipmon_enable="yes" ( ) ipmon_flags="-ds" # typically "-Ds" or "-D /var/log/ipflog" syslog local0.* /etc/syslog.conf ipmon_flags="-d /var/log/iplog" /var/log/iplog ( touch /var/log/iplog ) # /etc/rc.d/ipmon restart syslog /etc/syslog.conf *.emerg local0.* syslogd *.emerg * local0.* /var/log/iplog

22 18 3 II private address spoofing Internet private address private address OUTIF INIF # Deny reserved addresses from outside block in log quick on OUTIF from /8 to any block in log quick on OUTIF from /16 to any block in log quick on OUTIF from /12 to any /29 block in log quick on OUTIF from /29 to any block out log quick on OUTIF from any to /29 block in log quick on OUTIF from /8 to any block in log quick on OUTIF from any to /8 pass in quick on lo0 all pass out quick on lo0 all DHCP D,E block in quick on OUTIF from any to /8 block in quick on OUTIF from any to /16 block in quick on OUTIF from any to /24 block in quick on OUTIF from any to /4 block in quick on OUTIF from any to /4 draft-manning-dsua-03.txt /4

23 IP IP DoS IP rr ts ssrr lsrr block in log quick on OUTIF from any to any with opt rr block in log quick on OUTIF from any to any with opt ts block in log quick on OUTIF from any to any with opt ssrr block in log quick on OUTIF from any to any with opt lsrr in, out in, out Outside In Out FireWall out0 in0 Inside Out In 4 IPFilter head OUTIF pass in on OUTIF all head 100 pass block block

24 20 3 II block in on OUTIF all head 100 OUTIF 100 OUTIF 100 ( quick head quick head head quick ) block in on OUTIF all head 100 block out on OUTIF all head 200 pass in on INIF all head 300 pass out on INIF all head 400 # pass loop back on lo0 pass in quick on lo0 all head 500 pass out quick on lo0 all head 600 # Deny reserved addresses block in log quick from /8 to any group 100 block in log quick from /16 to any group 100 #block in log quick from /12 to any group 100 # Deny ip spoofing block in log quick on OUTIF from /29 to any group 100 block out log quick on OUTIF from any to /29 group 200 # loop back block in log quick from /8 to any group 100 block in log quick from any to /8 group 100 block in log quick from /8 to any group 300 block in log quick from any to /8 group 300 # other reserved address block in quick on OUTIF from any to /8 group 100 block in quick on OUTIF from any to /16 group 100 block in quick on OUTIF from any to /24 group 100 # block in quick on OUTIF from any to /4 group 100 # multicast block in quick on OUTIF from any to /4 group 100 # IP options block in log quick on OUTIF from any to any with opt rr group 100 block in log quick on OUTIF from any to any with opt ts group 100 block in log quick on OUTIF from any to any with opt ssrr group 100 block in log quick on OUTIF from any to any with opt lsrr group 100 group [number] lo0

25 /12 NAT NAT ( NAT ) NAT IP NAT 1 1 NAT ICMP ICMP ICMP ICMP ICMP

type  message                     in     out
0     Echo Reply                  pass   block
3     Host Unreachable            pass   pass
4     Source Quench               pass   pass
5     Redirect                    block  block
8     Echo                        block  pass
9     Router Advertisement        block  block
10    Router Solicitation         block  block
11    TTL Exceeded                pass   pass
12    Parameter Problem           pass   pass
13    Time Stamp                  block  block
14    Time Stamp Reply            block  block
15    Information Request         block  block
16    Information Request Reply   block  block
17    Address Mask Request        block  block
18    Address Mask Request Reply  block  block

26 22 3 II 3 out 4 source quench Echo Reply ( IPFilter ) pass in quick proto icmp all icmp-type 0 group 100 pass in quick proto icmp all icmp-type 3 group 100 pass in quick proto icmp all icmp-type 4 group 100 #pass in quick proto icmp all icmp-type 8 group 100 # for test pass in quick proto icmp all icmp-type 11 group 100 pass in quick proto icmp all icmp-type 12 group 100 #pass out quick proto icmp all icmp-type 0 group 200 # for test pass out quick proto icmp all icmp-type 3 group 200 pass out quick proto icmp all icmp-type 4 group 200 pass out quick proto icmp all icmp-type 8 group 200 pass out quick proto icmp all icmp-type 11 group 200 pass out quick proto icmp all icmp-type 12 group 200 Echo ( ) Mail Web Web Web TCP 3 setup SYN SYN+ACK ACK ACK established setup IPFilter keep state keep state stateful TCP keep state TCP flags S SYN

27 (MAIL) pass in quick proto tcp from any to MAIL port = 25 flags S keep state group 100 pass out quick proto tcp from MAIL to any port = 25 flags S keep state group 200 Web server(www) pass in quick proto tcp from any to WWW port = 80 flags S keep state group 100 pass out quick proto tcp from any to any port = 80 flags S keep state group 200 Web 80 from any IP 1. flags S flags S flags SYN U(RG),A(CK),P(SH),R(ST),S(YN),F(IN) ( U,A,P,R,F ) SA (SYN+ACK) flags S/SA SA SYN S/SA S U,P,R,F SF SA S UAPRSF SF SA SF & SA S SAF SAF(010011) SA(010010) (010010) S(000010) SAF flags S/SA flags /S flags S/SA SF RFC1322 TCP/IP Web SF SR,SU,SP

28 24 3 II flags S SF flags S/SUAPR 2. keep frags SYN keep state keep frags ( ) pass in quick proto tcp from any to WWW port = 80 flags S keep state keep frags group 100 pass out quick proto tcp from any to any port = 80 flags S keep state keep frags group 200 ( ) Mail NTP (Network Time Protocol port=123) NNTP(Network News Transfer Protocol port=119) mail DNS query DNS query DNS 53 DNS query UDP (TCP DNS ) stateless UDP DNS 53 IPFilter keep state pass in quick proto udp from any to MYDNS port = 53 group 100 pass in quick proto udp from any port = 53 to any group 100 pass out quick proto udp from MYDNS port = 53 to any group 200 pass out quick proto udp from any to any port = 53 group 200 MYDNS DNS to any from any stateless stateful

29 pass in quick proto udp from any to MYDNS port = 53 keep state group 100 pass out quick proto udp from any to any port = 53 keep state group 200 DNS port 53 pass in quick proto udp from any to MYDNS port = 53 keep state group 100 pass out quick proto udp from MYDNS port = 53 to any port = 53 keep state group 200 nslookup DNS query response DNS UDP 53 (DNS 53 ) pass out quick proto tcp from INSIDE port >= 1024 to any flags S keep state keep frags group 200 ( ) INSIDE IPFilter keep state TCP UDP ICMP 60 ICMP ICMP traceroute block ICMP pass out proto udp from any to any port >< keep state group 200 ICMP Echo ICMP EchoReply pass out proto icmp from INSIDE to any icmp-type echo keep state group SSH(Secure SHell)

30 26 3 II SSH 22 SSH pass in quick proto tcp from any port >= 1024 to SSH port = 22 flags S keep state keep frags group 200 ( ) quick block in from any to INSIDE port < 1024 group 100 ICMP unreachable IP IP IP ( ) # block with port unreachable block return-icmp-as-dest(port-unr) in from any to INSIDE port < 1024 group lister 1433 SQLSPIDA 1434 Slammer for MS SQL 1524 ingreslock 2000 openwin 2049 NFS 2766 listner(systemv) X IRC 7100 Sun Font server(tcp)

31 # block in on OUTIF all head 100 block out on OUTIF all head 200 pass in on INIF all head 300 pass out on INIF all head 400 # pass loop back on lo0 pass in quick on lo0 all head 500 pass out quick on lo0 all head 600 # block in log quick from any to any with ipopts group 100 block in log quick proto tcp from any to any with short group 100 # # Deny reserved addresses block in log quick from /8 to any group 100 block in log quick from /16 to any group 100 #block in log quick from /12 to any group 100 # # Deny ip spoofing block in log quick from /29 to any group 100 block out log quick from any to /29 group 200 # # block from loop back address block in log quick from /8 to any group 100 block in log quick from any to /8 group 100 block in log quick from /8 to any group 300 block in log quick from any to /8 group 300 # # /* */

32 28 3 II # block other reserved address block in quick from any to /8 group 100 block in quick from any to /16 group 100 block in quick from any to /24 group 100 # block in quick on OUTIF from any to /4 group 100 # multicast #block in quick from any to /4 group 100 # block irregular IP options block in log quick from any to any with opt rr group 100 block in log quick from any to any with opt ts group 100 block in log quick from any to any with opt ssrr group 100 block in log quick from any to any with opt lsrr group 100 # # ICMP pass in quick proto icmp all icmp-type 0 group 100 # for test pass in quick proto icmp all icmp-type 3 group 100 pass in quick proto icmp all icmp-type 4 group 100 pass in quick proto icmp all icmp-type 8 group 100 # for test pass in quick proto icmp all icmp-type 11 group 100 pass in quick proto icmp all icmp-type 12 group 100 pass out quick proto icmp all icmp-type 0 group 200 # for test pass out quick proto icmp all icmp-type 3 group 200 pass out quick proto icmp all icmp-type 4 group 200 #pass out quick proto icmp all icmp-type 8 keep state group 200 pass out quick proto icmp all icmp-type 8 group 200 # for test pass out quick proto icmp all icmp-type 11 group 200 pass out quick proto icmp all icmp-type 12 group 200 # pass in quick proto icmp all icmp-type 0 group 300 pass in quick proto icmp all icmp-type 3 group 300 pass in quick proto icmp all icmp-type 4 group 300 pass in quick proto icmp all icmp-type 8 group 300 pass in quick proto icmp all icmp-type 11 group 300 pass in quick proto icmp all icmp-type 12 group 300 pass out quick proto icmp all icmp-type 0 group 400 pass out quick proto icmp all icmp-type 3 group 400 pass out quick proto icmp all icmp-type 4 group 400 pass out quick proto icmp all icmp-type 8 group 400 pass out quick proto icmp all icmp-type 11 group 400 pass out quick proto icmp all icmp-type 12 group 400 # # default block access to FIREWALL from outside block return-icmp-as-dest(port-unr) in from any to 
FIREWALL group 100 # # ssh to FIREWALL from inside pass in quick proto tcp from any to FIREWALL port = 22 # # /* */ flags S keep state keep frags group 300

33 # traceroute to outside pass out proto udp from any to any port >< keep state group 200 # DNS pass in quick proto udp from any to MYDNS port = 53 keep state group 100 pass out quick proto udp from any to any port = 53 keep state group 200 # mail pass in quick proto tcp from any to MAIL port = 25 flags S keep state group 100 pass out quick proto tcp from MAIL to any port = 25 flags S keep state group 200 # WWW pass in quick proto tcp from any to WWW port = 80 flags S keep state group 100 pass out quick proto tcp from any to any port = 80 flags S keep state group 200 # # # write any services to pass WWW,MAIL,FIREWALL IP mail gateway DNS rule ipftest SYN ICMP tcp in on OUTIF tcp , ,80 out on OUTIF tcp , ,20000 SA in on OUTIF tcp , ,80 out on OUTIF tcp , ,20000 A in on OUTIF tcp , ,80 out on OUTIF tcp , ,20000 FA in on OUTIF tcp , ,80 in on OUTIF tcp , ,80 out on OUTIF tcp , ,20000 A , ,80 TCP S A A A FA

34 30 3 II in on OUTIF tcp , ,80 in on OUTIF tcp , ,80 in on OUTIF tcp , ,80 in on OUTIF tcp , ,80 ICMP in on OUTIF icmp echo in on OUTIF icmp echorep in on OUTIF icmp unreach ICMP IPFilter ICMP type unreach, echo, echorep, squench, redir, timex, paramprob, timest, timestrep, inforeq, inforep, maskreq, maskrep, routerad, routersol UDP keep state keep state IP TCP man IPFilter S SA SFP SPU

35 /etc/ipf.rules pass in all pass out all /etc/rc.conf ipfilter_enable="yes" 3.2 ICMP ipftest ( ) 3.3 ICMP ping quick log ( ) ping ipfstat -io 3.4 ICMP ping ( ) log

36 32 3 II (TCP port 25) DNS(UDP port 53) ipftest (port 25 tcp port53 UDP ) 3.6 ( ) ipftest TCP,UDP 3.7 spoofing, loopback 10/8, /24, /24 head, group 4

37 33 4 RIP RIP 4.1 ( ) ( forwarding) A B x y w z A B ( A,B,x,y,z,w ) A B A ( ) x z A x,z y w A x A,z,y A B 1 A->x->y->B 3 A->z->x->y->B 4 A->z->w->B RIP RIP ( )

38 34 4 RIP (Poison reverse) RIP A B B z ( ) OSPF Internet Exterior Gateway Protocol (EGP) Interior Gateway Protocol (IGP) EGP IGP ( IGP ) IGP EGP IGP EGP BGP4 (Border Gateway Protocol version 4) IGP IS-IS, OSPF, RIP OSPF( Open Shortest Path First) (IETF: Internet Engineering Task Force) RIP (Routing Information Protocol) RIP,OSPF BGP ( Distance Vector Type) (Link State Type) RIP BGP IS-IS OSPF

39 4.2. RIP RIP ( ) A,B B /24 A /24 B B A B A /24 A,B C,D C A D B,C B D B /24 2 D B,D B /24 3

40 36 4 RIP 1 D B /24 3 C D C /24 3 D C /24 2 D C /24 4 D D 1 B / C / /24 B D A B,C D B,C B B 1 A / D / ( ) A /24 RIP A ( Poison reverse (16) ) B

41 4.2. RIP 37 B 1 D /24 4 B D /24 D ( C ) D 1 B /24 5 B 6 B 1 D /24 6 ( ) RIP 16 RIP RIP ( ) 16 ( 15 ) 15 RIP ( RIP 30 ) BGP ( ) BGP RIP (1 2 ) RIP ( ) OSPF OSPF RIP OSPF RIP

42 38 4 RIP 4.3 Quagga Quagga Unix zebra bgpd, ripd, ospfd Quagga Zebra (ZebOS ) Zebra Quagga Zebra Quagga 0.99 Quagga Zebra zebra Quagga Quagga Quagga /usr/local/share/examples/quagga/ bgpd.conf.sample ospfd.conf.sample vtysh.conf.sample bgpd.conf.sample2 ripd.conf.sample zebra.conf.sample ospf6d.conf.sample ripngd.conf.sample Cisco CUI (CLI) (Quagga VTY ) Quagga FreeBSD /etc/services Quagga

43 4.3. Quagga 39 zebrasrv 2600/tcp #zebra service zebra 2601/tcp #zebra vty ripd 2602/tcp #RIPd vty ripngd 2603/tcp #RIPngd vty ospfd 2604/tcp #OSPFd vty bgpd 2605/tcp #BGPd vty ospf6d 2606/tcp #OSPF6d vty zebra zebra zebra zebra.conf! zebra configuration! hostname pcss001 password zebra enable password zebra service password-encryption log file /var/log/zebra.log! interface le0! multicast interface ue0 multicast! shutdown!!ip route / ! hostname zebra password view enable password

44 40 4 RIP service password-encryption write ( ) log file interface write shutdown ip route static ripd, ospfd static (redistribute) /etc/rc.conf static routing zebra RIP ip route zebra.conf Quagga ripd RIP ripd.conf ripd.conf RIP zebra

45 4.3. Quagga 41!! $Id: ripd.conf, 2008/04/01 $! hostname pcss001 password zebra!! debug rip events! debug rip packet! router rip! network ue0 network le0! network /0! network eth0! distribute-list private-only!! access-list private-only permit /8! access-list private-only deny any!! log file /var/log/ripd.log! log stdout router rip RIP network <interface name> RIP IP network /24 log stdout log file /var/log/ripd.log

46 42 4 RIP 1. passive-interface <interface name> RIP 2. default-information originate RIP default RIP 3. redistribute connected RIP 4. redistribute ospf OSPF RIP 5. redistribute bgp BGP RIP 6. redistribute static Quagga RIP 7. redistribute kernel RIP Quagga zebra, ospfd, bgpd, ospf6d,ripd,ripngd -d /usr/local/etc/rc.d/quagga start, stop, restart (Zebra zebractl Quagga ) # zebra -d # ripd -d /etc/rc.conf quagga_enable="yes" /usr/local/etc/rc.d/quagga # /usr/local/etc/rc.d/quagga start stop, restart /etc/rc.conf watchquagga_enable="yes" /usr/local/etc/rc.d/watchquagga (watchquagga Quagga ) # /usr/local/etc/rc.d/watchquagga start stop, restart

47 4.3. Quagga VTY RIP zebra ripd ( zebra Quagga ) zebra VTY zebra (zebra.conf.sample zebra.conf copy ) # telnet localhost zebra (VTY ) # telnet localhost zebra Connected to localhost. Escape character is ^]. Hello, this is zebra (version 0.93b). Copyright Kunihiro Ishiguro. User Access Verification Password: Router> view privileged ( ) config ( ) help? VTY >? enable exit help list quit show who Turn on privileged mode command Exit current mode and down to previous mode Description of the interactive help system Print command list Exit current mode and down to previous mode Show running system information terminal Set terminal line parameters Display who is on vty show

48 44 4 RIP > show? debugging Zebra configuration history Display the session command history interface Interface status and configuration ip ipv6 memory version > show IP information IPv6 information Memory statistics Displays zebra version? help TAB > show ip? forwarding IP forwarding status route IP routing table zebra K C S zebra R,O,B RIP,OSPF,BGP > show ip route Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF, B - BGP, > - selected route, * - FIB route S>* /0 [1/0] via , le0 C>* /24 is directly connected, le0 K>* /32 via , lo0 C>* /8 is directly connected, lo0 privileged( ) enable (en) pc2f001-zebra> en Password: pc2f001-zebra# Quagga VTY write # write Configuration saved to /usr/local/etc/quagga/zebra.conf write terminal write terminal show running-config (

49 4.3. Quagga 45 ) show startup-config VTY ^P tcsh ripd VTY ripd VTY zebra ripd VTY > telnet localhost ripd zebra view mode enable mode configure terminal rip mode mode router rip interface <if-name> interface mode? quit( exit) end exit VTY write vtysh vty vtysh -c [ ]

50 46 4 RIP # vtysh -c sh ip rip 4.4 RIP RIP RIP VTY show ip rip / /24 RIP Metric 3 Metric /24 RIP show ip rip /24 Metric /24 ( Poison reverse (cost 16) ) Quagga Metric 16 (Poison reverse )

51 4.4. RIP /24 ( /24 )

52 48 4 RIP Quagga pkg_add -r quagga 4.2 RIP OSPF # out0, in0 pass in on out0 all head 100 pass out on out0 all head 200 pass in on in0 all head 300 pass out on in0 all head 400 # pass in quick on lo0 all pass out quick on lo0 all # # ICMP pass in quick proto icmp all icmp-type 0 group 100 pass in quick proto icmp all icmp-type 3 group 100 pass in quick proto icmp all icmp-type 4 group 100 pass in quick proto icmp all icmp-type 8 group 100 pass in quick proto icmp all icmp-type 11 group 100 pass out quick proto icmp all icmp-type 0 group 200 pass out quick proto icmp all icmp-type 3 group 200 pass out quick proto icmp all icmp-type 4 group 200 pass out quick proto icmp all icmp-type 8 group 200 pass out quick proto icmp all icmp-type 11 group 200 # block in quick proto icmp all group 100 block out quick proto icmp all group zebra.conf static default default # route delete default zebra default

53 RIP ripd.conf ( ) router rip... passive-interface ue0! RIP default-information originate! defaultrouting zebra rip 4.5 zebra rip zebra ( ) # route delete default zebra rip 4.6 zebra, rip telnet localhost ripd RIP show rip

55 51 5 OSPF RIP ( ) OSPF(Open Shortest Path First) IS-IS(Intermediate System-to-Intermediate System) OSPF 5.1 OSPF (Link State) OSPF OSPF ( LSA: Link State Advertisement) LSA LSA (LSDB: Link State Database) Shortest Path First(SPF) OSPF (IGP IS-IS ) RIP OSPF (2byte) A B A OSPF LSA OSPF

56 52 5 OSPF (LSA) (LSA) LSA LSA LSA (flooding: ) LSA (flood) LSA LSDB LSA OSPF LSA 3 LSA 3 LSA 2 LSA 3 9 LSA LSA 12 LSA ( 5.1) 5.1: LSA OSPF (Designated Router:DR) LSA LSA 3 ( 5.2) DR DR OSPF DR (Backup Designated Router:BDR) BDR DR

57 5.1. OSPF : LSA LSA LSA LSDB ( LSA LSDB ) LSA LSA OSPF LSA Router LSA ( Router LSA ) hello hello LSA hello ( RIP RIP ) Network LSA Network LSA OSPF LSA ( ) OSPF (AllSPFRouters: AllDRouters: ) ( OSPF ) OSPF (Zebra )

58 54 5 OSPF 5.2 TCP/IP IGMP(Internet Group Management Protocol) IGMP L2 L3 L2 L3 IP ( L3 ) OSPF IP /4 AllSPFRouters( ) IGMP OSPF LSA LSA 5.3 OSPF OSPF OSPF CPU OSPF OSPF LSA (Router LSA Network LSA) Summary LSA LSA 32bit ID (IP 1byte x.x.x.x IP ) ( 5.3)

59 5.3. OSPF : OSPF Network (ABR: Area Border Router) Summary LSA ABR OSPF IGP BGP OSPF AS (ASBR: AS Border Router) AS OSPF (AS external LSA) LSA ( AS external LSA ) 1. AS (Autonomous System) AS AS AS OSPF 0 1,2 1 1 ABR SummaryLSA 2 ABR 2 3

60 56 5 OSPF 5.4: 3 3 R3 SummaryLSA R1 2 3 ( ) LSDB OSPF 2 R2 1 3 Network LSA Router LSA Summary LSA OSPF OSPF ( RIP ) OSPF ( ) OSPF Summary OSPFv3 OSPF

61 5.4. ospfd ospfd ospfd OSPF zebra! OSPFDd config! hostname pcs001-ospfd password zebra enable password zebra service password-encryption log file /var/log/ospfd.log! router ospf! ospf router-id network /29 area 0 network /24 area 0 line vty router ospf OSPF 1. router ospf OSPF 2. ospf router-id <32bit > Router ID Router IP 32bit ( ) ( IP x.x.x.x ) RouterID designated router( ) ip ospf priority 3. network <network/mask> area <area ID> OSPF network OSPF ( ) 0 32bit ( ) ospfd ( Quagga ) VTY VTY config router interface line (VTY write )

62 58 5 OSPF! ospf config!! [ ] interface fxp0...! [ fxp0 ] interface rl0...! [ rl0 ] router ospf! [ ospf ] line vty [ VTY ] (IP up ) VTY ( zebra ) Quagga no ospf router ospf router ( ) 1. passive-interface <interface name> 2. auto-cost reference-bandwidth < > OSPF ( ) N = (M bps) N M 10 10M 100

63 5.4. ospfd OSPF N N 100 1Gbps N 1000 ( N 10 ) 10G N 10 N 3. area <area ID> virtual-link <router ID> area ID IP (x.x.x.x) 32bit( ) router ID ABR(Area Border Router) ID ID IP IP ID ABR 4. default-information originate ASBR(AS ) external LSA default ASBR ospf rip OSPF RIP RIP RIP OSPF Quagga rip ospf zebra 1. redistribute rip ospf rip zebra ospf OSPF zebra rip 2. redistribute connected ospf rip ospf rip ospf rip rip zebra ospf OSPF

64 60 5 OSPF 1. rip rip ospf ( rip ospf ) rip ospf redistribute ripd.conf (a) redistribute ospf (b) redistribute connected interface OSPF 1. ip ospf priority <0-255> ( ) 0 2. ip ospf cost < > OSPF 9 11 ( ) 5.5 OSPF OSPF traceroute traceroute UDP TTL ICMP unreachable (OSPF ) OSPF OSPF ICMP redirect ICMP redirect

65 5.5. OSPF 61 ( OSPF default ) # route flush OSPF ospf ( LSA ) ospf ospfd VTY (view ) 1. show ip ospf OSPF ospfd# show ip ospf OSPF Routing Process, Router ID: Supports only single TOS (TOS0) routes This implementation conforms to RFC2328 RFC1583Compatibility flag is disabled SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Refresh timer 10 secs Number of external LSA 1 Number of areas attached to this router: 1 Area ID: (Backbone) Number of interfaces in this area: Total: 2, Active: 4 Number of fully adjacent neighbors in this area: 3 Area has no authentication SPF algorithm executed 40 times Number of LSA 9 RouterID AS external LSA areaid:0 ( Number of fully adjacent neighbors in this area:) LSA 2. show ip ospf interface

66 62 5 OSPF ospfd# show ip ospf interface rl0 is up, line protocol is up Internet Address /29, Area Router ID , Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) , Interface Address Backup Designated Router (ID) , Interface Address Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:01 Neighbor Count is 2, Adjacent neighbor count is 2 rl0 rl /29 IP area 0 RouterID State DR (DR) Backup DR Timer intervals Hello 10 Dead 40 (Dead WaitTimer ) LSA 5 (adjacent neighbor) (adjacent neighbor ) fxp0 fxp0 is up, line protocol is up Internet Address /24, Area Router ID , Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State Backup, Priority 1 Designated Router (ID) , Interface Address Backup Designated Router (ID) , Interface Address Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:02 Neighbor Count is 1, Adjacent neighbor count is 1 rl0 DR (ID ) Backup DR ( IP Backup Designated Router IP ) (lo0)

67 5.5. OSPF 63 faith0 is down, line protocol is down OSPF not enabled on this interface lo0 is up, line protocol is up OSPF not enabled on this interface ppp0 is down, line protocol is down OSPF not enabled on this interface sl0 is down, line protocol is down OSPF not enabled on this interface 3. show ip ospf neighbor ospfd# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface RXmtL RqstL DBsmL Full/DROther 00:00: rl0: Full/DR 00:00: fxp0: Full/Backup 00:00: fxp0: State Full twoway Full twoway(dr ) DR Backup 4. show ip ospf route ospf LSA DR AS external LSA

68 64 5 OSPF ospfd# show ip ospf route ============ OSPF network routing table ============ N /29 [10] area: directly attached to rl0 N /24 [10] area: directly attached to fxp0 N /24 [10] area: directly attached to fxp0 N /24 [10] area: directly attached to fxp0 ============ OSPF router routing table ============= R [10] area: , ASBR via , fxp0 ============ OSPF external routing table =========== N E /0 [10/10] tag: 0 via , fxp0 5. show ip ospf database LSDB(Link State Database) LSA Age LSA Age LSA ( ) OSPF LSA 3600sec(1 ) 30 (1800sec) LSA OSPF 1800sec 1

69 5.5. OSPF 65 ospfd# sh ip ospf database OSPF Router with ID ( ) Router Link States (Area ) Link ID ADV Router Age Seq# CkSum Link count x x193f x x6a x xaf6b x x0d x xfb x a 0xea04 2 Net Link States (Area ) Link ID ADV Router Age Seq# CkSum x xed x x x x1d23 AS External Link States Link ID ADV Router Age Seq# CkSum Route x x8fbc E /0 [0x0]

70 66 5 OSPF Quagga /usr/local/etc/quagga/ripd.conf RIP ospf 5.2 default-information originate passive-interface ue0 OSPF Router-ID ( N.M ) IP OSPF OSPF 5.3 OSPF show ip ospf neighbor 5.4 (OSPF ) OSPF ( X.Y ) OSPF sh ip ospf route

71 67 6 BGP RIP,OSPF BGP EGP IGP 6.1 BGP BGP BGP RFC1771 RFC2545,2283 (IPv6 ) BGP BGP (AS: Autonomous System) AS AS AS (BR: Border Router) BGP AS AS AS AS (transit) BGP TCP (port179 ) BGP BGP TCP BGP (KeepAlive) (Notification) BGP BGP BGP ( ) BGP BGP BGP BGP AS (2byte) ( ) BGP RIB(Routing Information Base) BGP ASN AS ( ) BGP BGP ( ) AS ( /16 )

72 68 6 BGP 6.2 BGP BGP TCP (ASN,RouterID) BGP BGP AS BGP AS BGP Open ASN,BGP ID BGP ID(4byte) IP IP BGP ID ( ) Update BGP BGP Notification Notification( ) KeepAlive 6.3 BGP well-known( ) optional( ) BGP ORIGIN (Origin AS: AS)AS IGP IGP AS EGP EGP AS INCOMPLETE AS-PATH ASN

73 AS SET(AS ) AS ASN 10 AX/24 ASN 11 AY/24 A/ AS ( ) {10,11} A/16 AS SEQUENCE AS AS-PATH {10,11}-78 ( ) NEXT HOP BGP AS AS ( AS ) MULTI EXIT DISCRIMINATOR AS AS AS AS AS ( ) LOCAL PREF AS BGP AS X AS P,Q P,Q ATOMIC AGGREGATE BGP AS BGP BGP AS PATH AS AGGREGATOR AS AS 6.4 BGP BGP IX(Internet exchange) BGP BGP BGP

RFC

6.5 bgpd 1 BGP bgpd.conf BGP IP {9,10,11} BGP , / BGP ASN , AS /29 AS AS / AS /

! BGPd config
!
hostname pc2f001-bgpd
password zebra
enable password zebra
log file /var/log/bgpd.log
!
router bgp 65001
!
bgp router-id
network /29
! I-BGP router
neighbor remote-as
neighbor remote-as 65001
! prefer this route
neighbor remote-as
neighbor
!
!redistribute static
route-map LOCAL-PREF1 permit 10
!
match as-path R65010
set local-preference
route-map LOCAL-PREF1 in
ip as-path access-list R65010 permit ^65010_
! --- end of config

router bgp ASN BGP AS IP APNIC IGP ASN private AS number: ASN router AS BGP ibgp AS BGP ebgp
2. bgp router-id BGP-ID BGP-ID IP zebra bgpd

zebra
3. network IPaddress/prefix
4. neighbor IPaddress remote-as ASN neighbor IP address ASN ibgp ebgp ASN
5. neighbor IPaddress route-map NAME [in out] (in) (out) route-map (NAME) route-map
6. neighbor IPaddress ebgp-multihop hop-count ebgp TTL(TimeToLive) ebgp TTL 1 hop-count neighbor ebgp-multihop 3 TTL 3
7. redistribute other-proto RIP OSPF other-proto IGP other-proto static,kernel, connected, rip, ospf
8. route-map NAME [permit deny] seq-num (NAME (seq-num) set (permit) (deny)
9. match cond ac-list-name route-map cond ip as-path

as-path community extcommunity ip ipv6 metric origin AS BGP BGP/VPN IPv4 ll IPv6 BGP ac-list-name
10. set attribute-command attribute-command ( local-preference) set local-preference < > local-preference ebgp ( 100 ) (a) AS ( local-preference) (RFC1771)
11. ip as-path access-list ac-list-name [permit deny] reg AS (permit) deny ac-list-name route-map match reg ASN AS (_) AS ASN ( ASN ) ^65000_ _ $

BGP AS65002

! BGPd config
!
hostname pc2f002-bgpd
password zebra
enable password zebra
log file /var/log/bgpd.log
!
router bgp
bgp router-id
network /29
! I-BGP router
neighbor remote-as
neighbor remote-as 65001
!
neighbor remote-as
neighbor
!
route-map LOCAL-PREF2 permit 20
!
match as-path R65002
set local-preference
route-map LOCAL-PREF2 in
ip as-path access-list R65002 permit ^65002_

BGP AS ibgp NEXT-HOP (ebgp NEXT-HOP BGP ) BGP ibgp /24 ( RIB(Routing Information Base) BGP ibgp NEXT-HOP IGP(RIP OSPF)

# route add -net /

( 172 ) Quagga RIP OSPF redistribute connected ( ) ripd.conf ospfd.conf BGP NEXT-HOP router bgp ( ibgp )

!neighbor
neighbor
neighbor

1. next-hop-self next-hop-self next-hop-self next-hop-self ibgp NEXT-HOP ibgp NEXT-HOP

6.6 bgpd 2. AS /28 AS MED(Multi-Exit-Discriminator) MED AS BGP DV BGP BGP ( ) ( )

! BGPd config
!
hostname pc2f003-bgpd
!
!
neighbor route-map LOCAL-PREF2 in
!
neighbor
!
!
!
route-map LONG-PATH permit 40
match ip address MYNET
route-map LONG-PATH out
set as-path prepend
!
access-list MYNET permit /29
( )

1. access-list ac-list-name [permit deny] ip-range IP (permit) ac-list-name ( ) ip-range
2. match ip address ac-list-name IP
3. set as-path prepend AS-list AS-list ( AS path ) AS 65001,65001,65001,65001,65001 (5 ASN ) ( ) BGP /29 BGP
4. AS AS AS AS

6.7 BGP BGP traceroute bgpd VTY BGP OSPF

1. show ip bgp BGP BGP BGP

bgpd# show ip bgp
BGP table version is 0, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* i / i * i i *> i *>i / i

Total number of prefixes 2

( ) > Next Hop LocPrf Path i, e,? IGP(Internal-GP) EGP(External-GP)? Incomplete( )

2. show ip bgp IP[/prefix] IP BGP

bgpd# show ip bgp /29
BGP routing table entry for /29
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Not advertised to any peer
    from ( )
      Origin IGP, localpref 150, valid, internal, best
      Last update: Thu Jun 23 14:34:
    from ( )
      Origin IGP, metric 0, localpref 200, valid, external
      Last update: Thu Jun 23 14:21:

show ip bgp neighbors [peer-ip] BGP IP peer-ip

bgpd# show ip bgp neighbors
BGP neighbor is , remote AS 65010, local AS 65001, external link
  BGP version 4, remote router ID
  BGP state = Established, up for 00:18:25
  Last read 00:00:25, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received (old and new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    Inq depth is 0
    Outq depth is 0
                    Sent Rcvd
    Opens: 1 1
    Notifications: 0 0
    Updates: 1 1
    Keepalives:
    Route Refresh: 0 0
    Cpability: 0 0
    Total:
  Minimum time between advertisement runs is 30 seconds

 For address family: IPv4 Unicast
  Community attribute sent to this neighbor (both)
  Inbound path policy cofigured
  Outbound path policy configured
  Route map for incoming advertisements is *LOCAL-PREF1
  1 accepted prefixes

  Connections established 2; dropped 0
  Last reset 00:18:36, due to Peer closed the session
Local host: , Local port:
Foreign host: , Foreign port: 179
Nexthop:
Nexthop global: fe80::290:27ff:feba:aff5
Nexthop local: ::
BGP connection: non shared network
Read thread: on Write thread: off

show ip bgp summary

bgpd# show ip bgp summary
BGP router identifier , local AS number
BGP AS-PATH entries
0 BGP community entries

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
:06: :19: :24:

show ip bgp paths BGP

bgpd# show ip bgp paths
Address Refcnt Path
[0x :0] (5)
[0x :201207] (1)
[0x :19968] (1)
[0x82187f0:120316] (1)
[0x82187b0:59903] (3)

VTY bgpd Soft reconfig

bgpd# clear bgp * soft

BGP AS ( ) AS RouterID IP next-hop-self i-bgp BGP show ip bgp
6.2 show ip bgp neighbors

All Rights Reserved. Copyright(c)1997 Internet Initiative Japan Inc. 1

All Rights Reserved. Copyright(c)1997 Internet Initiative Japan Inc. 1 asaba@iij.ad.jp All Rights Reserved. Copyright(c)1997 Internet Initiative Japan Inc. 1 All Rights Reserved. Copyright(c)1997 Internet Initiative Japan Inc. 2 user IX IX IX All Rights Reserved. Copyright(c)1997

More information

宛先変更のトラブルシューティ ング

宛先変更のトラブルシューティ ング APPENDIX B この付録では Guard の宛先変更元ルータ (Cisco および Juniper) に関連する宛先変更問題を解決するためのトラブルシューティング手順を示します 次の手順について説明します Guard のルーティングと宛先変更元ルータの設定確認 Guard と宛先変更元ルータ間の BGP セッションの設定確認 宛先変更元ルータのレコードの確認 B-1 Guard のルーティングと宛先変更元ルータの設定確認

More information

untitled

untitled NTT TOP A WAN WAN VRRP NIC OSPF VRRP STP 1. IPv6 IPv6 2. 3. IPv6 1. IPv4 NAT IPv6 1. 2. (IPv4 ) NAT? Unique Local IPv6 Unicast Address /8 /48 /64 /128 7 1 40 16 64 ULA Global ID Interface ID Type Subnet

More information

PowerPoint プレゼンテーション

PowerPoint プレゼンテーション ADD-PATH の 基本的な設定例と検討課題 インターネットマルチフィード ( 株 ) 技術部 Interop tokyo 2013 NOC 金井瑛 1 Interop Tokyo 2013 と ADD-PATH 今年度の Interop Tokyo 2013 では ADD-PATH の相互接続検証を行いました MX80, MX480, CRS-X, ASR9006

More information

設定例集_Rev.8.03, Rev.9.00, Rev.10.01対応

設定例集_Rev.8.03, Rev.9.00, Rev.10.01対応 Network Equipment 設定例集 Rev.8.03, Rev.9.00, Rev.10.01 対応 2 3 4 5 6 7 8 help > help show command > show command console character administrator pp disable disconnect 9 pp enable save Password: login timer

More information

IP 2.2 (IP ) IP 2.3 DNS IP IP DNS DNS 3 (PC) PC PC PC Linux(ubuntu) PC TA 2

IP 2.2 (IP ) IP 2.3 DNS IP IP DNS DNS 3 (PC) PC PC PC Linux(ubuntu) PC TA 2 IP 2010 10 1 1 IP (IP ) 2 IP IP 2.1 IP (IP ) 1 IP 2.2 (IP ) IP 2.3 DNS IP IP DNS DNS 3 (PC) PC PC PC Linux(ubuntu) PC TA 2 4 1,2 4.1 (Protocol) IP:Internet Protocol) 4.2 internet The Internet (internet)

More information

tcp/ip.key

tcp/ip.key IP TCP IP ヘッダデータ部ヘッダデータ部ヘッダデータ部 Ethernet パケット Ethernet パケット Ethernet パケット IP(1) 0 8 16 24 31 () Version IHL () Time To Live () Identification () Type of Service ) Flags Protocol () Source Address IP) Destination

More information

BGP ( ) BGP4 community community community community July 3, 1998 JANOG2: What is BGP Community? 2

BGP ( ) BGP4 community community community community July 3, 1998 JANOG2: What is BGP Community? 2 BGP Community 1998/7/3 JANOG#2 in KDD (yahagi@itjit.ad.jp) July 3, 1998 JANOG2: What is BGP Community? 1 BGP ( ) BGP4 community community community community July 3, 1998 JANOG2: What is BGP Community?

More information

SRT/RTX/RT設定例集

SRT/RTX/RT設定例集 Network Equipment Rev.6.03, Rev.7.00, Rev.7.01 Rev.8.01, Rev.8.02, Rev.8.03 Rev.9.00, Rev.10.00, Rev.10.01 2 3 4 5 6 1 2 3 1 2 3 7 RTX1000 RTX1000 8 help > help show command > show command console character

More information

橡C14.PDF

橡C14.PDF BGP4 (( ) InternetWeek 98 ( ) Internet Week98 1998 Toshiya Asaba, Japan Network Information Center 1. 2. BGP 2.1. 2.2. ISP 2.3. IX - 2.4. 2.5. 3. BGP4 3.1. BGP4 3.2. EBGP IBGP 3.3. BGP AS 3.4. AS AS 3.5.

More information

ict2-.key

ict2-.key IP TCP TCP/IP 1) TCP 2) TCPIP 3) IPLAN 4) IP パケット TCP パケット Ethernet パケット 発信元 送信先 ヘッダ 列番号 ポート番号 TCP パケットのデータ IP パケットのデータ 本当に送りたいデータ データ IP ヘッダデータ部ヘッダデータ部ヘッダデータ部 Ethernet パケット Ethernet パケット Ethernet パケット

More information

JUNOSインターネットソフトウェアとIOSのコンフィグレーション変換

JUNOSインターネットソフトウェアとIOSのコンフィグレーション変換 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net 2 Copyright 2001, Juniper Networks, Inc. Copyright 2001, Juniper Networks, Inc. 3 4

More information

IP.dvi

IP.dvi ... 3... 3... 3... 4... 6 VLAN... 6... 6 DHCP... 7... 7... 9... 9... 10... 12 R... 15... 15... 15 ARP... 18... 18 ARP... 18 DNS... 20... 20 DHCP/BOOTP... 21... 21 DHCP... 22 UDP... 23... 23... 23... 26...

More information

untitled

untitled 7 Review PC+ () 1+PHS etc!! SOI!! Topics () IP () / L3 IP YMH RTX-1500 BUFFLO BHR-4RV PLNEX GW-P54SG Cisco 2600 Hitachi GR2000-1B Cisco 3700 Juniper M10 Foundry Networks NetIron 800 Cisco CRS-1 (FIB: Forwarding

More information

untitled

untitled ICMP 0466-XX-1395 t04000aa@sfc.keio.ac.jp 133.113.215.10 (ipv4) 2001:200:0:8803::53 (ipv6) (FQDN: Fully Qualified Domain Name) ( www.keio.ac.jp 131.113.215.10 /MAC ID 00:11:24:79:8e:82 Port Port = = Port

More information

ループ防止技術を使用して OSPFv3 を PE-CE プロトコルとして設定する

ループ防止技術を使用して OSPFv3 を PE-CE プロトコルとして設定する ループ防止技術を使用して OSPFv3 を PE-CE プロトコルとして設定する 目次 概要前提条件要件使用するコンポーネント背景説明設定ネットワーク図設定 DN ビット確認トラブルシューティング Cisco サポートコミュニティ - 特集対話 概要 このドキュメントでは Open Shortest Path First (1 バージョン 3 (OSPFv3) " を プロバイダーエッジ (PE )

More information

Agenda IPv4 over IPv6 MAP MAP IPv4 over IPv6 MAP packet MAP Protocol MAP domain MAP domain ASAMAP ASAMAP 2

Agenda IPv4 over IPv6 MAP MAP IPv4 over IPv6 MAP packet MAP Protocol MAP domain MAP domain ASAMAP ASAMAP 2 MAP Tutorial @ 1 Agenda IPv4 over IPv6 MAP MAP IPv4 over IPv6 MAP packet MAP Protocol MAP domain MAP domain ASAMAP ASAMAP 2 IPv4 over IPv6 IPv6 network IPv4 service Internet Service ProviderISP IPv4 service

More information

ネットワークのおべんきょしませんか? 究める BGP サンプル COMMUNITY アトリビュートここまで解説してきた WEIGHT LOCAL_PREFERENCE MED AS_PATH アトリビュートはベストパス決定で利用します ですが COMMUNITY アトリビュートはベストパスの決定とは

ネットワークのおべんきょしませんか? 究める BGP サンプル COMMUNITY アトリビュートここまで解説してきた WEIGHT LOCAL_PREFERENCE MED AS_PATH アトリビュートはベストパス決定で利用します ですが COMMUNITY アトリビュートはベストパスの決定とは COMMUNITY アトリビュートここまで解説してきた WEIGHT LOCAL_PREFERENCE MED AS_PATH アトリビュートはベストパス決定で利用します ですが COMMUNITY アトリビュートはベストパスの決定とは直接関係しません COMMUNITY アトリビュートを利用すると 特定の条件に基づいてルート情報をグループ化する ことができます グループ化したルート情報の識別情報

More information

I j

I j I j06062 19.5.22 19.5.25 19.5.25 1 1 1 ping 3 2 2 ping 4 3 3 traceroute 5 4 4 netstat 5 4.1 netstat -i............................................. 5 4.2 netstat -r.............................................

More information

JANOG14-コンバージェンスを重視したMPLSの美味しい使い方

JANOG14-コンバージェンスを重視したMPLSの美味しい使い方 MPLS JANOG14 BGP MPLS 2 : : 1988 2 2003 7 : 3 ( ( )100%) : 633 (2003 ) : : 1,029 (2004 7 1 ) 3 So-net 250 4 30!? 10 Non IP IP 5 IGP? ECMP ECMP?? 6 BGP MPLS 7 MPLS ATM IP ATM

More information

設定例集

設定例集 REMOTE ROUTER 1999. 2. 2 YAMAHA NetWare Novell,Inc. INS 64 YAMAHA! M E M O 1 1 1.1 : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 1 1.2 : : : : : : : : : : : : : : : : : : : : :

More information

第1回 ネットワークとは

第1回 ネットワークとは 第 6 回 IP 計算機ネットワーク ルーティング IP パケットの宛先に応じて次の転送先インターフェースを決定 D:192.168.30.5 パケット 192.168.10.0/24 fe0 192.168.20.0/24 fe1 fe3 fe2 192.168.30.0/24 ルーティングテーブル 192.168.40.0/24 192.168.10.0 direct fe0 192.168.20.0

More information

RTX830 取扱説明書

RTX830 取扱説明書 RTX830 JA 1 2 3 4 5 6 7 8 9 10 11 external-memory performance-test go 12 13 show config 14 15 16 17 18 19 20 save 21 22 23 24 25 26 27 save RTX830 BootROM Ver. 1.00 Copyright (c) 2017 Yamaha Corporation.

More information

Inter-IX IX/-IX 10/21/2003 JAPAN2003 2

Inter-IX IX/-IX 10/21/2003 JAPAN2003 2 Inter-IX satoru@ft.solteria.net 10/21/2003 JAPAN2003 1 Inter-IX IX/-IX 10/21/2003 JAPAN2003 2 Inter-IX? Inter-IX IX IX L2 10/21/2003 JAPAN2003 3 (1) IX (-IX) IX Resiliency 10/21/2003 JAPAN2003 4 (2) IX

More information

2004 SYN/ACK SYN Flood G01P014-6

2004 SYN/ACK SYN Flood G01P014-6 2004 SYN/ACK SYN Flood 2005 2 2 1G01P014-6 1 5 1.1...................................... 5 1.2...................................... 5 1.3..................................... 6 2 7 2.1..................................

More information

リング型IPカメラ監視ソリューション(マルチキャスト編)

リング型IPカメラ監視ソリューション(マルチキャスト編) CentreCOM x900 IP IP ( ) IP surveillance Solution 01 SNMP Manager Syslog Server NTP Server x900-24xt_2 Link Aggregation x900-24xt_1 FS926M-PS_1 FS926M-PS_2 x600-24ts EPSR (Ethernet Protected Switched Ring)

More information

00.目次_ope

00.目次_ope 816XL ii iii iv iv User Entry 1 3 v vi vii viii 1 1 C: >VTTERM 1- 1 1-3 1 1-4 1 1-5 1 1-6 1 1-7 1 1-8 1 1-9 1 1-10 C: >VTN 1 Host Name: 1-11 1 01 1-1 0.0.0.0 1 1-13 1 1-14 - -3 Port status and configuration

More information

Foil 2 Agenda RIP2 RIP, OSPF OSPF

Foil 2 Agenda RIP2 RIP, OSPF OSPF OSPF RIP c 1998,AkiraKato.Allrightsreserved. kato@wide.ad.jp Foil 2 Agenda RIP2 RIP, OSPF OSPF IP (2) Foil 4 IP (1) Foil 5 hop-by-hop IP Foil 6 IP Header Foil 7 1 2 3 1234567891234567891234567891 Ver Identification

More information

Clos IP Fabrics with QFX5100 Switches

Clos IP Fabrics with QFX5100 Switches WHITE PAPER QFX5100 CLOS IP 3 Copyright 2014, Juniper Networks, Inc. 1 ...3...3...3...3 IP...4 768 x 10...6 3072 x 10 GbE IP...6...7 BGP...8...9...9 IBGP...10 EBGP...10...11 BGP...12 BGP...12...12 IP...13

More information

TCP/IP Internet Week 2002 [2002/12/17] Japan Registry Service Co., Ltd. No.3 Internet Week 2002 [2002/12/17] Japan Registry Service Co., Ltd. No.4 2

TCP/IP Internet Week 2002 [2002/12/17] Japan Registry Service Co., Ltd. No.3 Internet Week 2002 [2002/12/17] Japan Registry Service Co., Ltd. No.4 2 Japan Registry Service Co., Ltd. JPRS matuura@jprs.co.jp Internet Week 2002 [2002/12/17] Japan Registry Service Co., Ltd. No.1 TCP IP DNS Windows Internet Week 2002 [2002/12/17] Japan Registry Service

More information

LSM-L3-24設定ガイド(初版)

LSM-L3-24設定ガイド(初版) 4 2 IP 3 2 MAC VLAN 1 MAC MAC 4-1 2 4-2 VLAN classification VLAN Learning Filtering Forwarding VLAN classification learning filtering forwarding VLAN Classification 2 : - VLAN - VLAN ID Learning VLAN classification

More information

BGPルートがアドバタイズされない場合のトラブルシューティング

BGPルートがアドバタイズされない場合のトラブルシューティング BGP ルートがアドバタイズされない場合のトラブルシューティング 目次 概要前提条件要件使用するコンポーネント表記法基本的なネットワークステートメントを使用してアナウンスされるルートマスクとのネットワークステートメントを使用してアナウンスされるルート aggregate-address コマンドを使用してアナウンスされるルート ibgp が記憶したルートをアナウンスできない場合 redistribute

More information

1 IPv6 WG OS SWG PCOSIPv6 Windows Vista 2 3 KAMEUSAGIMacOSX IPv6 2

1 IPv6 WG OS SWG PCOSIPv6 Windows Vista 2 3 KAMEUSAGIMacOSX IPv6 2 LAN IPv6 IPv6 WG IPv6 OS SWG () 1 1 IPv6 WG OS SWG PCOSIPv6 Windows Vista 2 3 KAMEUSAGIMacOSX IPv6 2 IPv6 PCOSIPv6 Windows VISTA OSv6 MacOS X Linux *BSD Solaris etc PC RS RA DAD IPv6 DHCPv6 DNS AAAA PMTUD?

More information

ヤマハ ルーター ファイアウォール機能~説明資料~

ヤマハ ルーター ファイアウォール機能~説明資料~ 1 RT140i #1(PPP) RT105i RTA52i R (PP#) (LAN#) [NAT] R LAN LAN 2 #2() RT300i RTW65b RT140e RT105e (LAN2) R (LAN1) RTA55i R LAN LAN 3 #3(PPPoE) R (LAN#) (PP#) (PP#) LAN ISDN/ LAN 4 RT300i RT105 #4(VPN) R

More information

帯域を測ってみよう (適応型QoS/QoS連携/帯域検出機能)

帯域を測ってみよう (適応型QoS/QoS連携/帯域検出機能) RTX1100 client server network service ( ) RTX3000 ( ) RTX1500 2 Sound Network Division, YAMAHA 3 Sound Network Division, YAMAHA 172.16.1.100/24 172.16.2.100/24 LAN2 LAN3 RTX1500 RTX1100 client 172.16.1.1/24

More information

RT300i/RT140x/RT105i 取扱説明書

RT300i/RT140x/RT105i 取扱説明書 2 3 4 5 6 7 8 9 10 Bold face Enter Ctrl Tab BS Del Typewriter face RT105i RT300i RT140p RT140f RT140i RT140e RT105i RT300i 11 RARP 9600 bit/s 8 http://www.rtpro.yamaha.co.jp/ ftp.rtpro.yamaha.co.jp 12

More information

RT300/140/105シリーズ 取扱説明書

RT300/140/105シリーズ 取扱説明書 REMOTE & BROADBAND ROUTER RT300i/RT140p/RT140f/RT140i RT140e/RT105p/RT105i/RT105e 2 3 4 5 6 7 8 9 10 Bold face Enter Ctrl Tab BS Del Console RT105i RT300i RT140p RT140f RT140i RT140e RT105p RT105i RT105e

More information

<4D F736F F F696E74202D C F815B834E95D2836E E9197BF2E707074>

<4D F736F F F696E74202D C F815B834E95D2836E E9197BF2E707074> idc ネットワーク編ハンズオン用資料 株式会社 IDC フロンティア 井上一清 1 IPv6 ハンズオン物理構成図 講師席 MRTG sylsog SNMP DHCP DNS = Catalyst6500 = Catalyst3750 or 3560 Gi*/= Gi1/0/ or Gi0/ 受講者席 Gi*/4 Gi*/2 Gi*/2 Gi*/2 Gi*/2 Gi*/4 Gi*/4 Gi*/3

More information

untitled

untitled FutureNet Microsoft Corporation Microsoft Windows Windows 95 Windows 98 Windows NT4.0 Windows 2000, Windows XP, Microsoft Internet Exproler (1) (2) (3) COM. (4) (5) ii ... 1 1.1... 1 1.2... 3 1.3... 6...

More information

外部ルート向け Cisco IOS と NXOS 間の OSPF ルーティング ループ/最適でないルーティングの設定例

外部ルート向け Cisco IOS と NXOS 間の OSPF ルーティング ループ/最適でないルーティングの設定例 外部ルート向け Cisco IOS と NXOS 間の OSPF ルーティングループ / 最適でないルーティングの設定例 目次 はじめに前提条件要件使用するコンポーネント背景説明重要な情報 RFC 1583 セクション 16.4.6 からの抜粋 RFC 2328 セクション 16.4.1 からの抜粋設定シナリオ 1 ネットワーク図シナリオ 2 ネットワーク図推奨事項確認トラブルシューティング関連情報

More information

2 1: OSI OSI,,,,,,,,, 4 TCP/IP TCP/IP, TCP, IP 2,, IP, IP. IP, ICMP, TCP, UDP, TELNET, FTP, HTTP TCP IP

2 1: OSI OSI,,,,,,,,, 4 TCP/IP TCP/IP, TCP, IP 2,, IP, IP. IP, ICMP, TCP, UDP, TELNET, FTP, HTTP TCP IP 1.,.. 2 OSI,,,,,,,,, TCP/IP,, IP, ICMP, ARP, TCP, UDP, FTP, TELNET, ssh,,,,,,,, IP,,, 3 OSI OSI(Open Systems Interconnection: ). 1 OSI 7. ( 1) 4 ( 4),,,,.,.,..,,... 1 2 1: OSI OSI,,,,,,,,, 4 TCP/IP TCP/IP,

More information

IP ICMP Redirec

IP ICMP Redirec Z990002-D06-08 RGW Ver1. 2 1....6 1.1....6 1.2....7 1.3....7 1.4....7 1.5....8 1.6....9 1.7.... 12 1.7.1...12 1.7.2...12 1.7.3 IP...12 1.7.4...13 1.7.5...13 1.7.6 ICMP Redirect...13 1.7.7...14 1.7.8...15

More information

install

install SCore SCore 5.0 2001.03.19 devel@pccluster.org SCore Backbone LAN Ethernet EEPRO100 Myrinet-2000 Fibre 02/03/20 2 1 NIC (Network Interface Card) NIC 100Mbps Ethernet EEPRO100 Tulip 3C905B Network Trunking

More information

ヤマハ ルーター ファイアウォール機能~説明資料~

ヤマハ ルーター ファイアウォール機能~説明資料~ 1 2 3 4 LAN ISDN/ NAT (LAN#) (PP#) (TUNNEL#) + R 5 ----------< >---------- ----------< >---------- 6 IPv6 VPN ping IPsec PPTP ICMP (1) TCP (6) UDP (17) IPv6 (41) AH (51) ESP (50) GRE (47) IPv4

More information

owners.book

owners.book Network Equipment RTX1200 RTX800 2 3 4 5 6 7 8 9 10 bold face Enter Ctrl Tab BS Del Ctrl X Ctrl X Regular face 11 12 13 14 RTX1200 RTX1200 RTX1200 15 16 ), -. / 1 4 5 6 17 18 19 20 21 console character

More information

リング型IPカメラ監視ソリューション

リング型IPカメラ監視ソリューション TELESYN IP IP surveillance Solution 04 SNMP Manager Syslog Server NTP Server TELESYN9100_2 Link Aggregation VCS_1 TELESYN9100_4 FS926M-PS_1 TELESYN9100_3 FS926M-PS_2 FS926M-PS_3 TELESYN : TELESYN9400 :

More information

wide93.dvi

wide93.dvi 5 161 1 1.1 DDT WG DDT WG 1. \DDT" 2. DDT WG DDT WG 1.2 x ( IP) y ( X.25) x y \x overy" x y 1.1 IP X.25 IP IP IPX Appletalk OSI IP \encapsulation" \encapsulation header" \decapsulation" 163 164 1993 WIDE

More information

Microsoft PowerPoint irs14-rtbh.ppt

Microsoft PowerPoint irs14-rtbh.ppt RTBH 実装例の紹介 ~AS9370 編 ~ さくらインターネット ( 株 ) 技術部大久保修一 ohkubo@sakura.ad.jp 今日の Agenda はじめに RTBH とは? RTBH 実装の背景 構成の検討 ルータの試験 OSPF vs BGP BGP 広報経路の RTBH 化 まとめ RTBH とは? Remotely Triggered Black Hole Filtering

More information

RouteMagic Controller( RMC ) 3.6 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.6 RouteMagic Controller Version 3

RouteMagic Controller( RMC ) 3.6 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.6 RouteMagic Controller Version 3 RouteMagic Controller RMC-MP200 / MP1200 - Version 3.6 - RouteMagic Controller( RMC ) 3.6 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.6 RouteMagic Controller Version

More information

橡2-TrafficEngineering(revise).PDF

橡2-TrafficEngineering(revise).PDF Traffic Engineering AsiaGlobalCrossing GlobalCrossing Japan Traffic Engineering(TE) ( RFC2702 Requirements for Traffic Engineering over MPLS) 1 MPLS/VPN MPLS/TE MPLS VPN Prefix base (TDP

More information

worm hoihoi

worm hoihoi true@sfc.wide.ad.jp / (IDS, Honeypot), Web / : Darknet AS65531 10.0.0.0/8 Prefix longest match next hop AS Internet Customer A 10.1.0.0/16 AS 65531 10.0.0.0/8 Customer B 10.2.0.0/16 ( ) The Team Cymru

More information

untitled

untitled ()IP OSI ( ) (TCP/IP)TCP UDP ( ) IP + IP TCP / Web TCP/UDP IP / LAN IM xdsl/ () (FAX) 6bit(6556) FAX FAX ( ) UDP/TCP UDP(User Datagram Protocol) CL (Connectionless) TCP(Transmission Control Protocol) CO

More information

第1回 ネットワークとは

第1回 ネットワークとは 第 6 回 IP 計算機ネットワーク 2 前回まで Ethernet LAN 内通信 MAC アドレス (32:43:55 : BA:F5:DE) IP アドレス ベンダ (OUI) NIC IP アドレス ( 187.45.147.154 ) network host 組織端末 IP アドレス : 187.45.147.154 どこの組織? どのネットワーク? ネットワークアドレス ネットワーク部

More information

IPSEC-VPN IPsec(Security Architecture for Internet Protocol) IP SA(Security Association, ) SA IKE IKE 1 1 ISAKMP SA( ) IKE 2 2 IPSec SA( 1 ) IPs

IPSEC-VPN IPsec(Security Architecture for Internet Protocol) IP SA(Security Association, ) SA IKE IKE 1 1 ISAKMP SA( ) IKE 2 2 IPSec SA( 1 ) IPs IPSEC VPN IPSEC-VPN IPsec(Security Architecture for Internet Protocol) IP SA(Security Association, ) SA IKE 1 2 2 IKE 1 1 ISAKMP SA( ) IKE 2 2 IPSec SA( 1 ) IPsec SA IKE Initiator Responder IPsec-VPN ISAKMP

More information

ip nat outside source list コマンドを使用した設定例

ip nat outside source list コマンドを使用した設定例 ip nat outside source list コマンドを使用した設定例 目次 概要前提条件要件使用するコンポーネント表記法設定ネットワーク図設定確認トラブルシューティング要約関連情報 概要 このドキュメントでは ip nat outside source list コマンドを使用した設定例が紹介され NAT プロセス中に IP パケットがどのように処理されるかについて簡単に説明されています

More information

Microsoft PowerPoint - Amazon VPCとのVPN接続.pptx

Microsoft PowerPoint - Amazon VPCとのVPN接続.pptx Amazon VPC との VPN 接続マニュアル 2016 年 7 12 NECプラットフォームズ株式会社 Amazon VPC との VPN 接続 UNIVERGE WA シリーズ を使 して Amazon VPC(Amazon Virtual Private Cloud) と IPsec-VPN で接続する際の設定例を紹介します Amazon VPC を利 することにより Amazon AWS(Amazon

More information

FutureNet CS-SEILシリーズ コマンドリファレンス ver.1.82対応版

FutureNet CS-SEILシリーズ コマンドリファレンス ver.1.82対応版 FutureNet CS-SEIL Series CS-SEIL-510/C CS-SEIL/Turbo Firmware Version 1.82 FutureNet CS-SEIL.............................................. 1 1............................................. 11 1.1.........................................

More information

I TCP 1/2 1

I TCP 1/2 1 I TCP 1/2 1 Transport layer: a birds-eye view Hosts maintain state for each transport endpoint Routers don t maintain perhost state H R R R R H Transport IP IP IP IP IP Copyright(C)2011 Youki Kadobayashi.

More information

DocuWide 2051/2051MF 補足説明書

DocuWide 2051/2051MF 補足説明書 ëêèõ . 2 3 4 5 6 7 8 9 0 2 3 4 [PLOTTER CONFIGURATION] [DocuWide 2050/205 Version 2.2.0] [SERIAL] BAUD_RATE =9600 DATA_BIT =7 STOP_BIT = PARITY =EVEN HANDSHAKE =XON/XOFF EOP_TIMEOUT_VALUE =0 OUTPUT RESPONSE

More information

total.dvi

total.dvi VII W I D E P R O J E C T MPLS-IX MPLS-IX MPLS 1 MPLS AYAME IX IX LDP/RSVP-TE/CR- [121] 1999 Sub- LDP IP MPLS IX LSP LSP MPLS ebgp[165] LSP ( 2002 1.1 1.2) MPLS-IX MPLS IPv6 6PE IX () MPLS-IX MPLS IX

More information

集中講義 インターネットテクノロジー 第5回

集中講義 インターネットテクノロジー 第5回 5 ichii@ms.u-tokyo.ac.jp 2002/5/31 2 IPv6 2002/5/31 3 IPv6 32 IP 2008 streamline QoS anycast anycast: IPv6 40 128 2002/5/31 4 IP ICANN Ad Hoc Group on Numbering and Addressing McFadden/Holmes Report of

More information

IPv6 トラブルシューティング ホームネットワーク/SOHO編

IPv6 トラブルシューティング ホームネットワーク/SOHO編 IPv6 SOHO NTT fujisaki@nttv6.com 2010 NTT Information Sharing Platform Laboratories IPv6 IPv6 IPv6 IPv4 IPv6 IPv4/IPv6 MTU IPv6 2 2010 NTT Information Sharing Platform Laboratories IPv6 SOHO (NTT /) SOHO

More information

SCREENOS NAT ScreenOS J-Series(JUNOS9.5 ) NAT ScreenOS J-Series(JUNOS9.5 ) NAT : Destination NAT Zone NAT Pool DIP IF NAT Pool Egress IF Loopback Grou

SCREENOS NAT ScreenOS J-Series(JUNOS9.5 ) NAT ScreenOS J-Series(JUNOS9.5 ) NAT : Destination NAT Zone NAT Pool DIP IF NAT Pool Egress IF Loopback Grou NAT NETWORK ADDRESS TRANSLATION SCREENOS NAT ScreenOS J-Series(JUNOS9.5 ) NAT ScreenOS J-Series(JUNOS9.5 ) NAT : Destination NAT Zone NAT Pool DIP IF NAT Pool Egress IF Loopback Group (ScreenOS ) 2 Copyright

More information

untitled

untitled IPv6 IPv4 I / 9 1 CIDR,, NAT IP IPv6 I / 9 2 I / 9 3 1 CIDR Classless Inter-Domain Routing RFC1519 IPv4 CIDR IPng (=IPv6) I / 9 4 Growth in BGP Route Table 90000 80000 Source: http//www.telstra.net/ ops/bgptable.html

More information

VyOSではじめるBGPルータ

VyOSではじめるBGPルータ VyOS ではじめる BGP ルータ 2015/9/4 ENOG34 ( 株 ) 創風システム外山文規 自己紹介 Linux ベースのサーバ構築 運用担当 BGP は 昨年の ENOG25 の BGP ハンズオンくらい ( だった ) 今日のおなはし VyOSの簡単なおさらい どこでVyOSを使っているか BGPをはじめる時の情報元について 基本的なBGPコマンドの紹介 BGP 以外について少し VyOS

More information

ヤマハルーターのCLI:Command Line Interface

ヤマハルーターのCLI:Command Line Interface (Command Line Interface) cf. http://www.rtpro.yamaha.co.jp/rt/docs/console/ Command Line Interface Graphical User Interface 2 (CLI) WWW(GUI) (CLI) WWW(GUI) character display graphic display keyboard pointer

More information

LSM-L3-24設定ガイド(初版)

LSM-L3-24設定ガイド(初版) 6 DB-9 Figure 6-1. DB-9 6-1 DB-9 EIA CCIT T DB9 DTE # PC DB9 DTE # DB9 DCE # 9 COM DTE-DCE CF 109 DCD 1 1 8 AB 102

More information

RouteMagic Controller RMC-MP200 / MP Version

RouteMagic Controller RMC-MP200 / MP Version RouteMagic Controller RMC-MP200 / MP1200 - Version 3.5.2 - RouteMagic Controller( RMC ) 3.5.2 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.5 RouteMagic Controller

More information

初めてのBFD

初めてのBFD 初めての - ENOG39 Meeting - 2016 年 7 月 1 日 株式会社グローバルネットコア 金子康行 最初に質問? もちろん使ってるよ! という人どれくらいいます? 2 を使うに至った経緯 コアネットワークの機器リプレイスをすることに 機器リプレイスとともに 構成変更を行うことに 3 コアネットワーク ( 変更前

More information

RouteMagic Controller RMC-MP200 / MP Version

RouteMagic Controller RMC-MP200 / MP Version RouteMagic Controller RMC-MP200 / MP1200 - Version 3.7.1 - RouteMagic Controller( RMC ) 3.7 RMC RouteMagic RouteMagic Controller RouteMagic Controller MP1200 / MP200 Version 3.7 RouteMagic Controller Version

More information

Dynamic VPN Dynamic VPN IPSec VPN PC SRX IPSec VPN SRX PC IPSec 2 Copyright 2010 Juniper Networks, Inc.

Dynamic VPN Dynamic VPN IPSec VPN PC SRX IPSec VPN SRX PC IPSec 2 Copyright 2010 Juniper Networks, Inc. SRX DYNAMIC VPN Dynamic VPN Dynamic VPN IPSec VPN PC SRX IPSec VPN SRX PC IPSec 2 Copyright 2010 Juniper Networks, Inc. www.juniper.net DYNAMIC VPN Netscreen Remote(NS-R) (NS-R) PC SRX Dynamic VPN SRX

More information

untitled

untitled CHAPTER 10 IP Virtual Routing and Forwarding VRF Provider Edge PE; VRF PE VRF PE Cisco 10000 IP ODAP p.10-5 IP p.10-18 IP Cisco 10000 Virtual Private Network VPN; IP On-demand Address Pool [ODAP] IP p.10-2

More information

untitled

untitled osamu@sfc.keio.ac.jp CNS 18 Web http://www.sfc.wide.ad.jp/~three/itbasic05/ 6/6 7/11 1 ls -la t04xxx student -rwxr-xrx three student - rwx r-x r-x Windows GUI UNIX Windows chmod CNS (755) (ug+x) % chmod

More information

FS900S_B

FS900S_B FS909S FS917S FS909S FS917S 100~240V 4 5 6 7 8 9 10 11 12 1 9 9 L/A S/D FS909S 10BASE-T/100BASE-TX PORTS (AUTO MDI/MDI-X) FS917S 14 FS909SFS917S 15 16 17 18 19 20 21 22 23 24 2 26 27 28 29 30 31 32 3

More information

CS-SEIL-510/C コマンドリファレンス

CS-SEIL-510/C コマンドリファレンス FutureNet CS-SEIL-510/C 1.75 1 CS-SEIL-510/C 10 1.1................................................ 10 1.2............................................. 10 1.3..................................................

More information

アドレス プールの設定

アドレス プールの設定 CHAPTER 9 IP Virtual Routing and Forwarding VRF Provider Edge PE; VRF PE VRF PE Cisco 10000 ESR IP ODAP p.9-5 IP p.9-17 IP Cisco 10000 ESR Virtual Private Network VPN; IP ODAP IP Cisco 10000 ESR 9-1 9

More information

橡3-MPLS-VPN.PDF

橡3-MPLS-VPN.PDF MPLS-VPN NTT () MPLS IP IP 1 MPLS-VPN MPLS IP-VPN IP (IP-Sec VPN) MPLS-VPNMPLS (IP-VPN) MPLS-VPN IF ATM HSD (FR IP ) (a)ipsec-vpn ( ) (b)mpls-vpn IP-NW MPLS-VPN VPN 2 MPLS-VPN Cisco

More information

アライドテレシス コア・スイッチ AT-x900 シリーズ とディストリビューションスイッチ AT-x600 シリーズ で実現するOSPFv3/OSPFv2 & RIP/RIPng デュアルスタック ・ ネットワーク

アライドテレシス コア・スイッチ AT-x900 シリーズ とディストリビューションスイッチ AT-x600 シリーズ で実現するOSPFv3/OSPFv2 & RIP/RIPng デュアルスタック ・ ネットワーク 主な目的 既存 IPv4 環境に IPv6 環境を追加したい 段階的に IPv6 環境に移行したい OSPF などのダイナミックルーティングで IPv6 環境を構築したい 概要 昨今 急速に発展する新興国においてインターネット等の IT ネットワークインフラの普及整備が加速し IPv4 アドレスの枯渇が現実的な問題となっております このような状況から 今後 IPv6 の普及が加速され IPv6 を使用した

More information

UsersGuide_INR-HG5497c_.doc

UsersGuide_INR-HG5497c_.doc UPS / Web/SNMP VCCI A Web/SNMP... 1.. WEB...1.. SNMP...1.. NETSHUT...1.. 100BASE-TX...1... 2 Web... 4.....5.....7......7......8......9.. UPS...10... UPS...10...13......14......14...15......17......17..

More information

SRX IDP Full IDP Stateful Inspection 8 Detection mechanisms including Stateful Signatures and Protocol Anomalies Reassemble, normalize, eliminate ambi

SRX IDP Full IDP Stateful Inspection 8 Detection mechanisms including Stateful Signatures and Protocol Anomalies Reassemble, normalize, eliminate ambi IDP (INTRUSION DETECTION AND PREVENTION) SRX IDP Full IDP Stateful Inspection 8 Detection mechanisms including Stateful Signatures and Protocol Anomalies Reassemble, normalize, eliminate ambiguity Track

More information

NS-3510イーサネットアクセスデバイス取扱説明書-02

NS-3510イーサネットアクセスデバイス取扱説明書-02 NS-3510 2 3 4 CONSOLE test CONSOLE test ROM BOOT... Hit [Enter] key to enter ROM-Monitor... 1st Boot : 1000000 2nd Boot : 1000200

More information

SR-X526R1 サーバ収容スイッチ ご利用にあたって

SR-X526R1 サーバ収容スイッチ ご利用にあたって SR-X526R1 P3NK-3432-05Z0 526R1 V01 SR-X526R1 V01 2009 10 2010 4 2 2011 5 3 2012 3 4 2012 11 5 Microsoft Corporation Copyright FUJITSU LIMITED 2009-2012 2 SR-X526R1 V01...2...5...5...5...5...6...7...8...8...11...11...11...11...11...11...12...12...12...12...13...13...13

More information

IPv6 リンクローカル アドレスについて

IPv6 リンクローカル アドレスについて IPv6 リンクローカルアドレスについて 目次 概要前提条件要件使用するコンポーネント表記法設定ネットワーク図設定確認 OSPF 設定の確認リンクローカルアドレスの到達可能性の確認リモートネットワークからリンクローカルアドレスへの ping 実行直接接続されたネットワークからリンクローカルアドレスへの ping 実行関連情報 概要 このドキュメントは ネットワーク内の IPv6 リンクローカルアドレスの理解を目的としています

More information

MR1000 コマンド設定事例集

MR1000 コマンド設定事例集 V21 LAN 2005 1 2005 3 2 Microsoft Corporation OMRON Corporation 2004-2005 All Rights Reserved. 2 V21... 2... 6... 6... 6... 6 1... 7 1.1 LAN... 8 1.2 CATV... 10 1.3 LAN... 12 1.4 IPv4 IPv6... 14 1.5...

More information

今日のトピック 実験結果の共有 RPKI/Router 周りの基本的な動き 今後の課題と展望 2012/7/6 copyright (c) tomop 2

今日のトピック 実験結果の共有 RPKI/Router 周りの基本的な動き 今後の課題と展望 2012/7/6 copyright (c) tomop 2 どこまで動く? RPKI/Router 2012/7/6 Internet Multifeed Co. / JPNAP Tomoya Yoshida 今日のトピック 実験結果の共有 RPKI/Router 周りの基本的な動き 今後の課題と展望 2012/7/6 copyright (c) tomop 2 Cisco, Juniper で軽く実験してみました validation 結果が想定通りになっているか

More information

アライドテレシスコア スイッチ AT-SBx908 シリーズで実現する AMF-SBx908 ソリューション Solution No 主な目的 ネットワークの一元管理 共有化をしたい 既存ネットワークを再構築せずに 簡単に導入したい ネットワーク管理 運用にかかるコストを削減

アライドテレシスコア スイッチ AT-SBx908 シリーズで実現する AMF-SBx908 ソリューション Solution No 主な目的 ネットワークの一元管理 共有化をしたい 既存ネットワークを再構築せずに 簡単に導入したい ネットワーク管理 運用にかかるコストを削減 主な目的 ネットワークの一元管理 共有化をしたい 既存ネットワークを再構築せずに 簡単に導入したい ネットワーク管理 運用にかかるコストを削減したい 概要 ネットワーク管理 運用にかかるコストを削減するために 新たなシステムを導入することで一元管理や共有化を図る場面が多くあります しかし場合により そのシステムを導入のために 対応機器へのリプレースや機器追加を行わなければならず 大きな追加コストや高いリスクが発生してしまいます

More information

<4D F736F F F696E74202D C F815B834E95D2836E E9197BF76322E312D8CF68A4A97702E B8CDD8AB B83685D>

<4D F736F F F696E74202D C F815B834E95D2836E E9197BF76322E312D8CF68A4A97702E B8CDD8AB B83685D> 本資料は2009 年 12 月 3 4 日に開催されたIPv4アドレス枯渇対応タスクフォース主催のス主催の IPv6ハンズオンセミナー idc ネットワーク編 ( 講師 : 井上一清氏 ) を元にし 公開用に資料を編集したものである IPv4 アドレス枯渇対応タスクフォース http://www.kokatsu.jp/ 1 idc ネットワーク編ハンズオン用資料 株式会社 IDC フロンティア 井上一清

More information












