Open main menu

Linux and Unix Users Group at Virginia Teck Wiki β

Difference between revisions of "Infrastructure:Network Architecture"

imported>Pew
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
TODO: change name to "Network Architecture" and change content to more generally describe how the univerersity network works, with specifics about VTLUUG's setup. Direct to [[Infrastructure:Network]] with talkinga about specific IPs and mention that link a lot throughout the page when we fix the wiki so this isn't confused [[Infrastructure:Network]] and move Historic section to [[Category:Deprecated]] and leave a link here
+
== General Information ==
 +
=== IPv4 ===
 +
Most Internet-connected computers communicate using Internet Protocol version 4, usually abbreviated IPv4. IPv4 assigns an address to each computer. These addresses are 32 bits long, and can be written as a period-separated list of four numbers from zero to 255. One example would be 192.168.1.1, an address commonly given to home networking equipment. The 32-bit address space of IPv4 allows for about four billion addresses. Given that there are over six billion people on the planet, it's clear that these addresses will eventually run out. It turns out that due to the way these addresses are allocated in blocks, we actually already have run out.
  
This is an attempt to document VTLUUG's overly complex networking setup. Apologies for the disorganization,
+
=== IPv6 ===
this is mainly just a way to get everything in one place. --[[User:Mjh|Mjh]] ([[User talk:Mjh|talk]]) 21:43, 28 December 2014 (EST
+
Enter IP version 6, or IPv6. IPv6 uses 128 bits for each address, but is not yet very widely used. Virginia Tech, being the cutting edge institution it is, already supports IPv6 campus-wide. While this does not directly affect your computing experience, connecting your computer to a native IPv6 networks has a few implications you should be aware of.
  
Note: This is extraordinarily dated. Revisions are in progress, but currently, do not consider it to be
+
=== Stateless Autoconfiguration and Privacy Extensions ===
remotely correct. --[[User:echarlie|echarlie]]
 
  
== Current ==
+
In IPv4, a computer would need to be told its address either manually or by using a network service called DHCP. In DHCP, the computer asks a server to assign it an IP address that is not in use by anyone else.
We currently have a ~1Gbit NI&S port in the ECE server attic
 
  
=== Hardware: ===
+
In IPv6, the address space is so large that a mechanism called "stateless autoconfiguration" can be used. In stateless autoconfiguration, a computer asks a nearby router for the network prefix (the first few digits of the IP address that will be the same for all computers on the network), and then the computer fills in the rest of the bits by using the hardware address of the network adapter. This means that by default, your IP address could be used to uniquely identify your computer anywhere on the Internet, threatening your privacy online.
* "luug5" or "temp88191": a Poweredge 2650 with 2 NICs configured as an Ubuntu 14.04 router
 
* cyberdelia
 
  
Cyb has a private network for NFS on 10.99.0.0/24, and temp88191 does NDP proxying, static ARP using jkh's Nat script (see github), and hands out dhcp leases somewhere in 10.0.0.0/8
+
== Current ==
 
+
See [[Infrastructure:Network]]
We have no other hardware in use
 
 
 
== DNS ==
 
''See also: [[Infrastructure:Network#DNS]]
 
=== www. Required for Subdomains ===
 
Requiring <code>www.</code> in front of many subdomains is a known but ignored issue. Apparently, nobody at CNS has bothered to fix it. Rumor has it that the utility of their 25-year-old maintenance scripts is to blame for this issue and other DNS complications like difficulty maintaining MX records. Resolving this issue must be done individually at each department by addressing the problem to the relevant [http://groupw.cns.vt.edu/~benchoff/cgi-bin/ipr-dump-wrapper.cgi?style=wwr network liasion].
 
 
 
[http://no-www.org/ www. is deprecated.]
 
 
 
== Historic ==
 
=== ECE Server Closet ===
 
==== Limitations ====
 
We are behind the ECE Whittemore NAT, which is on a single 100 Mbps CNS port. We have the following limitations:
 
* All adjustments to ECE DNS must be made through [mailto:rbrand7@vt.edu Brandon Russell]
 
* IP addresses are difficult to claim, because they must be forwarded through the NAT
 
* IPv6 is not supported behind the Whittemore NAT
 
 
 
Consequently, We must:
 
* Use an IPv6 tunnel if we want access to IPv6 addresses
 
* Keep all internal services (like NFS) on an internal network
 
<!--* Only one MAC address may appear on the port at a time (port security)
 
* There is no prefix delegation for IPv6, so each address must be individually requested via NDP.
 
 
 
This means we must:
 
* Use ARP proxying or 1-to-1 NAT for IPv4
 
* Use an NDP proxy for IPv6-->
 
 
 
==== Desired Setup ====
 
This is what I'm hoping to migrate us to:
 
* OpenWrt ([https://github.com/sbyx/odhcpd odhcpd] has built-in NDP proxying) or pfSense Router
 
** Partial: pfSense provides NATing on [[Infrastructure:Cyberdelia|cyberdelia]]
 
* An internal network smaller than a /8 (room for expansion)
 
** Done: 10.99.0.0/16
 
* IPsec (point-to-point and road warrior for users)
 
** Can be done through openWRT or pfSense
 
* Each VM host has a bridged ethernet port with a global IPv4 address and performs NAT to its VMs. Additional IPv4s are assigned as VMs as needed (e.g. milton and acidburn probably need their own)
 
** Done on [[Infrastructure:Cyberdelia|cyberdelia]]
 
* All internal IPv4 addresses are static leases assigned by [[Infrastructure:temp88191|the router]] or set statically '''and documented somewhere'''; hypervisors do not have their own networks unnecessarily like wood currently does.
 
** Internal network on [[Infrastructure:Cyberdelia|cyberdelia]] has static IPs or long-term leases.
 
** Cyberdelia still has too many internal networks, most of which are unnecessary.
 
* Each device has a global IPv6 address
 
** Currently provided through tunnel
 
 
 
 
 
=== CVL setup (deprecated) ===
 
 
 
Hardware:
 
* "luugtemp" or "temp88191": a Poweredge 2650 with 2 NICs configured as an Ubuntu router
 
* 8-port Gigabit unmanaged switch
 
* 48-port 100 Mbps managed switch (attached to sunway)
 
 
 
Port security evasion:
 
* A bash script named "Nat" which presumably does 1-to-1 NAT
 
* NDP proxying via https://npd6.github.io/npd6/
 
** This is broken an misconfigured. It doesn't properly add routes.
 
 
 
IPs / networks:
 
* temp88191 is 10.0.0.1/8 and 128.173.88.191. It provides DHCP on our internal interface
 
* Sunway has static IPs setup (10.0.97.10 to 10.0.97.28)
 
* Rackable servers: joey (10.0.4.10) and phantomphreak (10.0.4.11)
 
* cyberdelia's IPv4 is luug0.ece.vt.edu
 
** Port 9001 <-> 10.0.1.3 (cerealkiller)
 
** Port 9030 <-> 10.0.1.3 (cerealkiller)
 
* wood's IPv4 is luug1.ece.vt.edu
 
* milton's IPv4 is luug2.ece.vt.edu
 
* luug3.ece.vt.edu is (in theory) used by westinghouse (sunway's head node)
 
* acidburn's IPv4 is luug.ece.vt.edu
 
* acidburn has iodine configured as a DNS tunnel (10.152.78.1/27)
 
* Other tenants of our router: mjh.ece.vt.edu and mirror.ece.vt.edu
 
* 10.99.0.2/24 appears to be statically assigned to wood's guests.
 
  
Cyberdelia VMs - assigned 10.0.1.1/24 (not actually a separate subnet):
+
== See Also ==
* dhcp-host=52:54:00:14:df:c2,10.0.1.1 # "mail" (not yet configured)
+
* [[Infrastructure:Network#DNS|DNS]]
* dhcp-host=52:54:00:68:81:33,10.0.1.2 # crashoverride 2.0
+
* [[Deprecated Network]]
* dhcp-host=52:54:00:40:9a:55,10.0.1.3 # Cerealkiller 2.0
 
  
 
[[Category:Infrastructure]]
 
[[Category:Infrastructure]]
[[Category:Needs restoration]]
 

Latest revision as of 19:37, 27 January 2019

Contents

General Information

IPv4

Most Internet-connected computers communicate using Internet Protocol version 4, usually abbreviated IPv4. IPv4 assigns an address to each computer. These addresses are 32 bits long, and can be written as a period-separated list of four numbers from zero to 255. One example would be 192.168.1.1, an address commonly given to home networking equipment. The 32-bit address space of IPv4 allows for about four billion addresses. Given that there are over six billion people on the planet, it's clear that these addresses will eventually run out. It turns out that due to the way these addresses are allocated in blocks, we actually already have run out.

IPv6

Enter IP version 6, or IPv6. IPv6 uses 128 bits for each address, but is not yet very widely used. Virginia Tech, being the cutting edge institution it is, already supports IPv6 campus-wide. While this does not directly affect your computing experience, connecting your computer to a native IPv6 networks has a few implications you should be aware of.

Stateless Autoconfiguration and Privacy Extensions

In IPv4, a computer would need to be told its address either manually or by using a network service called DHCP. In DHCP, the computer asks a server to assign it an IP address that is not in use by anyone else.

In IPv6, the address space is so large that a mechanism called "stateless autoconfiguration" can be used. In stateless autoconfiguration, a computer asks a nearby router for the network prefix (the first few digits of the IP address that will be the same for all computers on the network), and then the computer fills in the rest of the bits by using the hardware address of the network adapter. This means that by default, your IP address could be used to uniquely identify your computer anywhere on the Internet, threatening your privacy online.

Current

See Also