TCP IP
IPV4 Header
- Version: 4 for IPv4 (6 for IPv6)
- IHL: Internet Header Length
- DSCP: QoS marking
- ECN: Explicit Congestion Notification, end-to-end notification of network congestion
- Total Length: length of the whole datagram (header plus data)
- Identification: IP ID
- Flags: bit 0: Reserved, must be 0 | bit 1: Don't Fragment (DF) | bit 2: More Fragments (MF)
- Fragment Offset
- Time To Live: TTL
- Protocol: examples of protocol numbers: 1: ICMP | 2: IGMP | 6: TCP | 17: UDP | 41: ENCAP | 89: OSPF
- Header Checksum
- Source IP Address
- Destination IP Address
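To see how these fields sit in the 20 header bytes, here is an added decoder (example code written for these notes, not from any tool mentioned on the page) that splits the header with the standard library, checks IHL against the bytes actually present and verifies the header checksum; the sample header is constructed.

```python
import struct

# Protocol numbers from the list above
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 41: "ENCAP", 89: "OSPF"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit header words; 0 when a received header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields and verify IHL and the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    hdr_len = ihl * 4                        # IHL counts 32-bit words
    if len(packet) < hdr_len:
        raise ValueError("IHL claims more header bytes than are present")
    return {
        "version": version, "ihl": ihl,
        "dscp": tos >> 2, "ecn": tos & 0x03,
        "total_length": total_len, "identification": ident,
        "reserved": bool(flags_frag & 0x8000),   # flags bit 0, must be 0
        "df": bool(flags_frag & 0x4000),         # flags bit 1
        "mf": bool(flags_frag & 0x2000),         # flags bit 2
        "fragment_offset": flags_frag & 0x1FFF,  # in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(packet[:hdr_len]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": packet[20:hdr_len],
    }


def build_sample() -> bytes:
    """Constructed header: DF set, TTL 64, TCP, 192.168.1.10 -> 10.0.0.5, total length 40."""
    raw = bytes.fromhex("45000028" "00014000" "40060000" "c0a8010a" "0a000005")
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]
```

Flipping any header byte (for example the TTL) makes `checksum_ok` false, which is the check a router or capture tool performs before trusting the rest of the header.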
IPV6 Header
- Version: 6 for IPv6
- DSCP: QoS marking
- ECN: Explicit Congestion Notification
- Flow Label: identifies the packets belonging to one flow of a communication so they are handled in sequence (20 bits)
- Payload Length (16 bits)
- Next Header: indicates the type of the following extension header, or the upper-layer protocol (TCP, UDP, ...) when there is none (8 bits)
- Hop Limit: the equivalent of the IPv4 Time To Live (8 bits)
- Source IP Address
- Destination IP Address
IPv6 NDP
We have 5 types of messages:
- ROUTER SOLICITATION: when a host joins the network, it sends a Router Solicitation to discover the IPv6-capable router
  - source = link-local address of the host
  - destination = ff02::2
- ROUTER ADVERTISEMENT: the router sends a Router Advertisement periodically, and replies to a Router Solicitation with a unicast Router Advertisement
  - Source = link-local address of the host
  - Destination = ff02::1, or the IPv6 address of the host that sent the Router Solicitation
  - Carries link prefixes, MTU and specific routes if we are using SLAAC
- NEIGHBOR SOLICITATION: replaces the function of ARP. A host sends a Neighbor Solicitation to discover its neighbour
  - Source IP = IPv6 address of the host
  - Destination IP = ff02::1:ff00:100
- NEIGHBOR ADVERTISEMENT: the reply to a Neighbor Solicitation
  - Destination and source are unicast
- REDIRECT: same role as the redirect message in IPv4
SLAAC: IP Stateless Address Autoconfiguration
example:
The migration techniques
1 - Dual-Stack:
TCP
1- Start the conversation:
- SYN send by host
- SYN-ACK reply by server
- ACK reply back from host
2- Conversation:
- The sequence number identifies the order of the bytes sent from each computer so that the data can be reconstructed in order, regardless of any packet reordering or packet loss that may occur during transmission.
- The sequence number of the first byte is chosen by the transmitter for the first packet, which is flagged SYN. This number can be arbitrary and should, in fact, be unpredictable to defend against TCP sequence prediction attacks.
- Acknowledgements (ACKs) are sent with a sequence number by the data receiver to tell the sender that data has been received to the specified byte.
- Reliability is achieved by the sender detecting lost data and retransmitting it. TCP uses two primary techniques to identify loss: the retransmission timeout (RTO) and duplicate cumulative acknowledgements (DupAcks).
- The ACK number is the number of the data byte that the recipient expects in the next packet.
- The sequence number advances by the number of data bytes sent.
3- END conversation:
- ACK-FIN reply by server
- ACK reply back from the host
4- MSS
- MSS should be set small enough to avoid IP fragmentation
5- TCP checksum
6- Window size:
7- Window scaling:
8- SACKs:
9- PSH (1 bit):
10- RST (1 bit): reset the connection
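The sequence and ACK rules in points 1 and 2 are easiest to see in code. The following is an added example written for these notes (not from the original page): the three-way handshake as (flags, seq, ack) triples, an unpredictable ISN, and a receiver that reorders segments, fills a hole from a retransmission and keeps repeating the same cumulative ACK (the DupAcks the sender counts) until the hole is filled. The segment trace in `demo` is constructed.

```python
import secrets


def random_isn() -> int:
    """Unpredictable initial sequence number, as the notes require against sequence prediction."""
    return secrets.randbits(32)


def handshake(client_isn: int, server_isn: int) -> list:
    """Three-way handshake as (flags, seq, ack); the SYN itself consumes one sequence number."""
    m = 0xFFFFFFFF
    return [("SYN", client_isn, None),
            ("SYN-ACK", server_isn, (client_isn + 1) & m),
            ("ACK", (client_isn + 1) & m, (server_isn + 1) & m)]


class TcpReceiver:
    """Receiving side of one TCP direction: reorders segments and emits cumulative ACKs."""

    def __init__(self, isn: int) -> None:
        self.rcv_nxt = (isn + 1) & 0xFFFFFFFF   # next byte expected, right after the SYN
        self.pending = {}                        # out-of-order segments, keyed by seq
        self.stream = bytearray()                # bytes delivered in order

    def receive(self, seq: int, payload: bytes) -> int:
        """Accept one data segment and return the ACK number to send back."""
        ahead = (seq - self.rcv_nxt) & 0xFFFFFFFF   # modular distance handles wraparound
        if ahead == 0:
            self._deliver(payload)
            while self.rcv_nxt in self.pending:     # buffered data is now contiguous
                self._deliver(self.pending.pop(self.rcv_nxt))
        elif ahead < 0x80000000:
            self.pending[seq] = payload              # a gap precedes this segment
        # else: data already delivered (a stale retransmission), nothing to store
        return self.rcv_nxt                          # an unchanged value is a duplicate ACK

    def _deliver(self, payload: bytes) -> None:
        self.stream += payload
        self.rcv_nxt = (self.rcv_nxt + len(payload)) & 0xFFFFFFFF


def demo(isn: int) -> tuple:
    """Constructed trace: segment 1006 arrives late, then a stale copy of the first segment."""
    rx = TcpReceiver(isn)
    segments = [(1001, b"HELLO"), (1011, b" WORLD"), (1017, b"!"), (1006, b"12345"), (1001, b"HELLO")]
    acks = [rx.receive(seq, data) for seq, data in segments]
    return acks, bytes(rx.stream)
```

With ISN 1000 the ACKs are 1006, 1006, 1006, 1018, 1018: two duplicate ACKs for 1006 while bytes 1006-1010 are missing, then one jump to 1018 once the retransmission fills the hole and the buffered segments are released.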
DHCP
- DISCOVERY
The first packet, sent by the host as a broadcast
source = sender's MAC; destination = FF:FF:FF:FF:FF:FF
- OFFER
source = sender's MAC; destination = client MAC address
The packet contains the IP address that the server is offering, the subnet mask, the lease duration, the IP address of the DHCP server making the offer, and options such as gateway, DNS, TFTP ...
- REQUEST
source = sender's MAC; destination = FF:FF:FF:FF:FF:FF
A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer.
Based on the required server identification option in the request and broadcast messaging, servers are informed of whose offer the client has accepted.
- ACKNOWLEDGE
This packet includes the lease duration and any other configuration information that the client might have requested.
At this point, the IP configuration process is completed.
DNS
DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. When the length of the answer exceeds 512 bytes and both client and server support EDNS, larger UDP packets are used. Otherwise, the query is sent again using the Transmission Control Protocol (TCP). TCP is also used for tasks such as zone transfers. Some resolver implementations use TCP for all queries.
DNS query steps
Usually, the computer will first check the operating system and its cache memory. If it doesn't find the IP address for the requested domain name, it will send a query to the next level, the so-called "Resolver Server", which is usually your ISP.
When the "Resolver" receives the query, it will check its own cache memory to find an IP address. If it can't find it, it will send the query to the next level, which is the Root Server.
When the "Root Server" receives the query for the requested domain name, it will not know what the IP Address is, but it knows where to send the resolver to help it find the IP address.
The "Root Server" will direct the "Resolver" to the TLD (Top Level Domain) server for the ".com" domain. The resolver will now ask the TLD server to provide the IP address for the requested domain name. In turn, the TLD server will not know the IP address for the requested website.
The TLD server will direct the "Resolver" to the next and final level, the authoritative name servers. When the ANS (authoritative name server) receives the query from the resolver, it will respond with the IP address for the website.
Finally, the resolver will tell the computer the IP address for the server. Once the "Resolver" receives the IP address, it will store it in its cache memory in case it receives another query for the same website, so it doesn't have to go through all the steps over again.
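The referral chain above (root, TLD, authoritative) plus the resolver cache, as an added example written for these notes rather than code from the page: each server is a small function that either refers the resolver to the next server or answers, and `Resolver.resolve` walks the chain and records which servers it asked. The server names and the address 203.0.113.10 are constructed.

```python
def suffixes(qname: str) -> list:
    """Zones a name could be delegated under, longest first: www.example.com. -> example.com., com."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))]


def referral_server(delegations: dict):
    """Root or TLD server: knows only which server to ask next for each zone it delegates."""
    def handle(qname):
        for zone in suffixes(qname):
            if zone in delegations:
                return ("referral", delegations[zone])
        return ("nxdomain", None)
    return handle


def authoritative_server(records: dict):
    """Final level: answers with the address or says the name does not exist."""
    def handle(qname):
        return ("answer", records[qname]) if qname in records else ("nxdomain", None)
    return handle


# Constructed delegation tree; every name and the address below are made up.
SERVERS = {
    "root-server": referral_server({"com.": "com-tld-server"}),
    "com-tld-server": referral_server({"example.com.": "ns1.example.com."}),
    "ns1.example.com.": authoritative_server({"www.example.com.": "203.0.113.10"}),
}


class Resolver:
    """The ISP resolver of the text: chases referrals from the root and caches answers."""

    def __init__(self, servers: dict, root: str) -> None:
        self.servers, self.root, self.cache = servers, root, {}

    def resolve(self, qname: str) -> tuple:
        """Return (address or None, servers asked); ['cache'] when no query was needed."""
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        server, asked = self.root, []
        for _ in range(8):                          # bound on referral chasing
            asked.append(server)
            kind, value = self.servers[server](qname)
            if kind == "answer":
                self.cache[qname] = value           # remember it for the next identical query
                return value, asked
            if kind != "referral":
                return None, asked                  # NXDOMAIN at this level
            server = value                          # follow the referral
        return None, asked                          # too many referrals, give up
```

The first lookup of www.example.com. asks all three servers; the second is answered from the cache, and a name under a TLD the root does not delegate stops at the root.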