Design and Architecture
Protocols
Spanning tree
NAT
- NAT-T - [1]
Detect rogue router/NAT
- TTL - frames with different TTL values from one host
- Routing protocol updates - RIP/OSPF
- High port numbers
- Many open connections/ports
- TCP header - different window sizes, MSS
- Different SYN packet size
- ICMP, CDP, LLDP disabled towards the router
- DF bit
- OS fingerprinting (TTL, DF, TCP window, SYN size)
- HTTP cookies + HTTP headers (OS, version, ...)
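The indicators above (TTL, window size, MSS, DF bit, many source ports) can be checked mechanically. The following is an added example, not part of these notes: it groups constructed SYN records by source IP and flags addresses that show more than one TTL value or OS fingerprint, or whose TTL hop estimate says the sender is not directly attached (the hop estimate goes slightly beyond the checklist). The sample packets, the INITIAL_TTLS table and the max_ports threshold are assumptions.

```python
"""Rogue router / NAT detector over captured TCP SYN metadata.

Added example: groups packets by source IP and flags hosts whose TTL, TCP
window, MSS and DF values suggest several operating systems (or a hop of
routing) hiding behind one address. Sample data below is constructed."""
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src_ip src_port ttl window mss df")

# Constructed SYN records as a LAN-side sensor might see them (not a real capture).
SAMPLE_PACKETS = [
    Packet("192.168.1.10", 50001, 64, 64240, 1460, True),
    Packet("192.168.1.10", 50002, 64, 64240, 1460, True),
    # 192.168.1.20 shows two different stacks: a TTL-128 family with window 8192
    # and a TTL-64 family with window 29200, both already decremented by one hop.
    Packet("192.168.1.20", 49152, 127, 8192, 1460, True),
    Packet("192.168.1.20", 49153, 63, 29200, 1460, True),
    Packet("192.168.1.20", 49154, 63, 29200, 1460, True),
]

INITIAL_TTLS = (32, 64, 128, 255)  # common OS default initial TTLs (assumed table)


def guess_initial_ttl(ttl):
    """Nearest common initial TTL at or above the observed value (63 -> 64)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return 255


def hop_count(ttl):
    """Estimated routers between sender and sensor; 0 means directly on the LAN."""
    return guess_initial_ttl(ttl) - ttl


def analyze(packets, max_ports=200):
    """Return {src_ip: [reasons]} for hosts that look like a NAT or rogue router."""
    per_host = defaultdict(lambda: {"ttls": set(), "fps": set(), "ports": set()})
    for p in packets:
        host = per_host[p.src_ip]
        host["ttls"].add(p.ttl)
        # OS fingerprint as in the checklist above: TTL family, window, MSS, DF
        host["fps"].add((guess_initial_ttl(p.ttl), p.window, p.mss, p.df))
        host["ports"].add(p.src_port)

    suspects = {}
    for ip, host in per_host.items():
        reasons = []
        if len(host["ttls"]) > 1:
            reasons.append("several TTL values from one host: %s" % sorted(host["ttls"]))
        if len(host["fps"]) > 1:
            reasons.append("%d distinct OS fingerprints behind one IP" % len(host["fps"]))
        if len(host["ports"]) > max_ports:
            reasons.append("%d distinct source ports (many open connections)" % len(host["ports"]))
        if host["ttls"] and min(hop_count(t) for t in host["ttls"]) >= 1:
            reasons.append("all traffic is at least one hop away, not a directly attached host")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_PACKETS).items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

On the constructed sample, 192.168.1.10 is clean and 192.168.1.20 is reported three times (two TTLs, two fingerprints, one hop away). In practice feed it the SYN fields exported from a capture and tune max_ports to the size of the segment.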
IPSec
TUNNEL vs TRANSPORT & AH vs ESP
Good explanation of when to use Tunnel and Transport mode:
https://tools.ietf.org/id/draft-ietf-ipsec-nat-reqts-00.txt
How the headers look is obvious, as is what kind of security they offer.
AH does not support NAT in either transport or tunnel mode, because the IP header is changed by NAT and the ICV is computed over the original IP header (transport mode) and also over the new outer header (tunnel mode).
ESP supports NAT only in Tunnel mode; in Transport mode I am not sure why. Probably in Tunnel mode the hash is computed from the inner IP header, whereas in Transport mode there is only one IP header, so if NAT changes it and the hash is computed from it, the integrity check fails.
Transport mode is usually used when another tunnel is used, e.g. GRE/L2TP, but NAT must not be used. It is also used inside an internal network. Probably not true, because L2TP/IPsec uses ESP transport mode also with NAT/PAT, but then NAT-T must be used.
MAX MSS/MTU Tunnel Mode
TODO:
- ADD PICTURE, also for the other modes [2]
- https://support.huawei.com/enterprise/de/doc/EDOC1100087997/169ee588/ipsec-nat-traversal
- https://docs.vmware.com/en/VMware-SD-WAN-by-VeloCloud/3.4/VMware-SD-WAN-by-VeloCloud-Administration-Guide/GUID-72AA55E3-C0F4-4E0A-BFBC-E4077E0F4D6E.html
Values in italics can vary according to cipher and hash. Probably using AES-GCM would lead to not using the ICV field.
ESP overhead for AES-256 (CBC) with SHA256:
- New IP Header 20B
- ESP SPI 4B
- ESP SEQ 4B
- ESP IV 16B - AES-128/192/256 has a 128b block, 128/8 = 16
- ESP Padding 15B - AES-128/192/256 has a 128b block, 128/8 = 16, 16-1 = 15 in the worst case when a 1B payload is present
- Padding length 1B
- Next header 1B
- ICV 16B - hash truncated to half: SHA256 128/8 = 16, exception with SHA truncated to 96 bits: 96/8 = 12
OVERHEAD 77B
Standard MTU (Ethernet) - 1500B
MSS = 1500 - 20(IP) - 20(TCP) - 77 = 1383B
With NAT-T, which should be used when NAT is present (so I think every time), subtract 8B
MSS = 1375B (NAT-T)
MSS = 1367B (PPPoE) because not 1500B but 1492B
L2TP/IPSec
MAX MSS/MTU
TODO: ADD picture [3]
L2TP over IPsec has even more overhead; the calculations are based on the IPsec values from the previous section.
MSS starts at 1383 + 20 = 1403 because ESP transport mode is used: no new IP header is added by ESP, but one is added by L2TP, which is counted below.
Additional L2TP/IPsec overhead (on top of ESP for AES-256 (CBC) with SHA256):
- IP Header (New outer) 20B
- UDP Header (NAT-T) 8B
- UDP Header (L2TP) 8B
- L2TP Header 16B
- PPP Header 4B
OVERHEAD 56B
MSS = 1403-56 = 1347
MSS = 1339 (PPPoE)
MTU = 1339 + 40 (IP+TCP) = 1379 (according to the picture), applied on the L2TP interface
MikroTik L2TP/IPsec - IPsec is probably used in transport mode
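The ESP tunnel-mode arithmetic above (77B overhead, MSS 1383/1375/1367) and the L2TP/IPsec continuation (1403, 56B, MSS 1347/1339, interface MTU 1379) follow from a handful of header sizes, so they are easy to reproduce for other ciphers, MTUs or NAT-T settings. The calculator below is an added example, not part of these notes; the header sizes are the ones listed above, the cipher parameters (block size, IV length, ICV length) are function arguments with the AES-CBC/SHA256 values as defaults, and the worst-case padding assumption (block size minus one) is taken from the notes.

```python
"""ESP tunnel-mode and L2TP/IPsec overhead / MSS calculator (added example).

Defaults reproduce the AES-256-CBC + HMAC-SHA256 figures from the notes;
other ciphers can be modelled by passing block_size / iv_len / icv_len."""

ETH_MTU = 1500    # standard Ethernet MTU
PPPOE_MTU = 1492  # Ethernet minus 8B PPPoE header
IP_HDR = 20
TCP_HDR = 20
UDP_HDR = 8       # NAT-T encapsulation and the L2TP UDP header


def esp_tunnel_overhead(block_size=16, iv_len=16, icv_len=16):
    """Per-field worst-case ESP tunnel-mode overhead in bytes."""
    return {
        "new_ip_header": IP_HDR,
        "spi": 4,
        "seq": 4,
        "iv": iv_len,
        "padding": block_size - 1,  # worst case: a 1B payload needs block_size-1 pad bytes
        "pad_length": 1,
        "next_header": 1,
        "icv": icv_len,             # truncated HMAC, e.g. SHA256 -> 16, SHA-96 -> 12
    }


def esp_tunnel_mss(mtu=ETH_MTU, nat_t=False, **cipher):
    """TCP MSS that fits an ESP tunnel-mode packet into the given path MTU."""
    overhead = sum(esp_tunnel_overhead(**cipher).values())
    if nat_t:
        overhead += UDP_HDR          # NAT-T wraps ESP in UDP 4500
    return mtu - IP_HDR - TCP_HDR - overhead


def l2tp_overhead(nat_t=True):
    """Headers L2TP/IPsec adds on top of ESP transport mode."""
    return {
        "outer_ip": IP_HDR,            # the outer IP header now comes from L2TP, not ESP
        "udp_nat_t": UDP_HDR if nat_t else 0,
        "udp_l2tp": UDP_HDR,
        "l2tp": 16,
        "ppp": 4,
    }


def l2tp_ipsec_mss(mtu=ETH_MTU, nat_t=True, **cipher):
    """MSS over L2TP/IPsec: ESP transport mode (no ESP IP header) plus L2TP headers."""
    esp_transport = sum(esp_tunnel_overhead(**cipher).values()) - IP_HDR
    inner = mtu - IP_HDR - TCP_HDR - esp_transport   # 1403 on Ethernet
    return inner - sum(l2tp_overhead(nat_t).values())


def l2tp_interface_mtu(mtu=ETH_MTU, **kw):
    """MTU to configure on the L2TP interface: MSS plus the inner IP and TCP headers."""
    return l2tp_ipsec_mss(mtu, **kw) + IP_HDR + TCP_HDR


if __name__ == "__main__":
    print("ESP tunnel overhead:", sum(esp_tunnel_overhead().values()), "B")
    print("MSS Ethernet:", esp_tunnel_mss())
    print("MSS NAT-T:", esp_tunnel_mss(nat_t=True))
    print("MSS NAT-T + PPPoE:", esp_tunnel_mss(mtu=PPPOE_MTU, nat_t=True))
    print("L2TP/IPsec MSS:", l2tp_ipsec_mss(), "PPPoE:", l2tp_ipsec_mss(mtu=PPPOE_MTU))
    print("L2TP interface MTU (PPPoE):", l2tp_interface_mtu(mtu=PPPOE_MTU))
```

Passing a smaller block_size, iv_len or icv_len models other cipher/hash combinations without changing the structure of the calculation; what must not be touched is the worst-case padding term, since a conservative MSS is the whole point.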
MTU Discover
Option "-M do" means do not fragment; if the packet is too big, it is not sent and a notification is displayed on the terminal. Option "-s $((1406 - 28))": 1406 is the real MTU, as the ICMP + IP headers (28B) are added automatically.
ping -s $((1406 - 28)) -M do 192.168.253.30
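Repeating that ping by hand for every candidate size is slow, so here is an added example (not part of these notes) that binary-searches the path MTU with the same DF-flagged ping. It assumes Linux iputils ping (the -M do, -s, -c and -W options); the probe function is injectable, so it can be exercised against a simulated link of known MTU without network access.

```python
"""Path MTU discovery by binary search over DF-flagged pings (added example).

Assumes Linux iputils ping: -M do sets DF, -s sets the ICMP payload size.
MTU = payload + 28 (20B IPv4 header + 8B ICMP echo header)."""
import subprocess

ICMP_IP_OVERHEAD = 28


def ping_probe(target, payload, timeout=2):
    """True if one echo with the given payload size and DF set gets a reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do", "-s", str(payload), target]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0   # non-zero on "message too long" or no reply


def discover_mtu(target, probe=ping_probe, lo=576, hi=1500):
    """Largest MTU in [lo, hi] for which a DF-flagged probe reaches target.

    Invariant: lo_ok passed, hi_fail failed (hi+1 is treated as failing so a
    link that carries the full hi is reported as hi)."""
    if not probe(target, lo - ICMP_IP_OVERHEAD):
        raise RuntimeError("even %dB does not get through; check connectivity" % lo)
    lo_ok, hi_fail = lo, hi + 1
    while hi_fail - lo_ok > 1:
        mid = (lo_ok + hi_fail) // 2
        if probe(target, mid - ICMP_IP_OVERHEAD):
            lo_ok = mid
        else:
            hi_fail = mid
    return lo_ok


def simulated_link(mtu):
    """Probe function for a constructed link that drops anything above mtu."""
    return lambda target, payload: payload + ICMP_IP_OVERHEAD <= mtu


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.253.30"
    print("path MTU to %s: %d" % (host, discover_mtu(host)))
```

Run it with the target as the first argument; each probe costs at most one timeout, so the 576..1500 range needs about ten pings instead of hundreds.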
Subnetting
Supernet calculator:
https://network00.com/NetworkTools/IPv4SupernetCalculator/
IP Calculator:
http://jodies.de/ipcalc?host=192.168.31.0&mask1=23&mask2=
IP addressing summary:
https://subnet-calculator.samuraj-cz.com
Firewall
ACK PSH to router IP
Sometimes in FW rules a drop of traffic going out of PPPoE with a private IP address as destination can be seen. Probably it is connected with a timed-out connection and Google servers trying to reach the client. In MikroTik the traffic is going from the PPPoE to the PPPoE interface with a private destination IP; the Google IP sends a TCP (ACK, PSH) to my router. Does anyone know why?
Performance
- iperf - reverse mode means sending from the server to the client. Sometimes the window must be enlarged, and sometimes in Linux one property must be set on the interface to allow full speed. The default port is 5201; check the firewall and also the local device firewall, anti-malware software can block it too. Multiple streams can boost speed.
Server: iperf3 -s
Client: iperf3 -c 192.168.1.1 -R -P 4
- SMB
- FTP
- WGET - is sometimes better and reflects real speeds more closely. To overcome the disk bottleneck, do not use an HDD; use a randomly generated file read from SSD (/dev/urandom >> /tmp/file), serve it with apache/nginx and write the download to /dev/null, then real speeds will be captured.
Bottlenecks:
- CPU
- Network interface
- Network transit device e.g. firewall
- QoS
- HDD