Network sandbox

Layers

TCP/IP model (4 layers) and the OSI layers each one covers:

Layer  Name         Function                                          Devices            OSI layer
4      Application  HTTP, FTP, SMB, SMTP, DHCP etc.                   AWS ALB            L5-7
3      Transport    TCP, UDP (segments / datagrams), ports            AWS NLB            L4
2      Internet     IPv4, IPv6, ICMP, IPsec (packets, routing)        Routers            L3
1      Link         Ethernet / MAC framing, physical medium           Switches, cables   L1-2

OSI

Open Systems Interconnection model. Why? It defines a layered standard so that equipment from different manufacturers can "talk" to each other, and it is the vocabulary used to say where a control (a load balancer, a firewall, a VPN) actually operates.

Layer  Name          Function                                                                  Devices
7      Application   HTTP, FTP, SMB, SMTP, DHCP etc.                                           AWS ALB
6      Presentation  MIME/ASCII (char encoding), encryption/decryption, compression
5      Session       Session setup, keep-alive and teardown between endpoints (e.g. RPC)
4      Transport     TCP, UDP (ports)                                                          AWS NLB
3      Network       Packets, IPv4, IPv6, ICMP, IPsec                                          Routers
2      Data Link     Frames, MAC addresses, LLC                                                Switches
1      Physical      Physical medium (bits on the wire), e.g. the CAN bus PHY                  Cables, ports

Protocols

TCP

  • Connection oriented (three-way handshake), reliable
  • Data order is preserved: sequence numbers let the receiver reassemble segments in order
  • Duplicate segments are discarded
  • Error detection via checksum; corrupted segments are retransmitted
  • Lost or discarded segments are retransmitted (acknowledgements plus timeouts)
  • Flow control (receive window) and traffic congestion control

UDP

  • Connectionless, unreliable: no handshake, no retransmission, no ordering
  • Streaming content, VoIP; an occasional dropped packet is not a concern
  • DNS lookups (small request/response; DNS falls back to TCP for large answers)
  • RTP is built on top of UDP for real-time streaming
  • Because there is no handshake the source address is trivially spoofable, which is why UDP services (DNS, NTP) are the usual amplifiers in reflection DDoS

PPTP

The Point-to-Point Tunneling Protocol (PPTP) is an obsolete method for implementing a VPN. Its authentication (MS-CHAPv2) and its encryption (MPPE, RC4-based) are both broken, so it should not be deployed; it still turns up in legacy environments.

PPTP uses a TCP control channel (port 1723) and a GRE tunnel (IP protocol 47) to encapsulate PPP packets. Many modern VPNs use UDP for the same functionality, which also traverses NAT more easily than GRE does (GRE has no port numbers for a NAT to track).

The PPTP specification does not define encryption or authentication; it relies on the tunneled Point-to-Point Protocol session (PAP/CHAP/MS-CHAPv2 for authentication, MPPE for encryption) for all security functionality.

IPSec

Internet Protocol Security (IPsec) is a suite of network-layer protocols that authenticates and optionally encrypts IP packets to provide secure communication between two hosts or gateways over an IP network. AH provides integrity/authentication only, ESP provides integrity plus confidentiality; either can run in transport mode (host to host) or tunnel mode (gateway to gateway, the whole original packet wrapped). Keys are negotiated with IKE. It is the basis of most site-to-site VPNs.

BGP

Border Gateway Protocol (BGP) is the standardized exterior gateway protocol that exchanges routing and reachability information among autonomous systems (AS) on the Internet. BGP is classified as a path-vector routing protocol: it makes routing decisions based on the AS path, network policies, and rule-sets configured by the operator. BGP does not itself verify that an AS is entitled to announce a prefix, which is what makes route hijacks and leaks possible; RPKI route-origin validation is the mitigation.

BGP used for routing within an autonomous system is called Interior Border Gateway Protocol (iBGP). In contrast, the Internet application of the protocol, between autonomous systems, is called Exterior Border Gateway Protocol (eBGP).

GRE

Generic Routing Encapsulation (GRE, IP protocol 47) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point or point-to-multipoint links over an IP network. GRE adds no confidentiality or integrity of its own; anything that needs protection goes inside IPsec.

Uses -

  • In conjunction with PPTP to create a VPN (obsolete)
  • In conjunction with an IPsec VPN (GRE over IPsec) so that routing protocols, which rely on multicast that IPsec alone cannot carry, can pass routing information between the connected networks

IP Addresses

Class Notation

The old classful split (class A = /8, B = /16, C = /24, chosen by the leading bits of the first octet) was replaced by CIDR.

CIDR

Classless Inter-Domain Routing. An address plus a prefix length, e.g. 10.1.0.0/20: the first 20 bits are the network part and the remaining 12 are the host part, regardless of octet boundaries.

Private IPs

Prefixes - /8, /12, /16 for the ranges 10.0.0.0, 172.16.0.0, 192.168.0.0 respectively. CGNAT - 100.64.0.0/10.

The three private ranges are defined in [[RFC#1918]]; 100.64.0.0/10 is the shared address space for carrier-grade NAT, defined in RFC 6598.

10.0.0.0/8

Prefix - 8. Divide it by 8: quotient 1, remainder 0.
Subnet mask - 255.0.0.0 (first octet, all bits ON, value 255)
Usable IPs - 10.0.0.1 to 10.255.255.254 (10.0.0.0 is the network address, 10.255.255.255 the broadcast)
Network part - 10.x.x.x (first 8 bits)
Host part - x.0.0.0 (remaining 24 bits)

172.16.0.0/12

Prefix - 12. Divide it by 8: quotient 1, remainder 4.
Subnet mask - 255.240.0.0 (first octet, all bits ON, value 255; second octet, top 4 bits ON, value 128 + 64 + 32 + 16 = 240)
Usable IPs - 172.16.0.1 to 172.31.255.254
How was 31 calculated? 255 - 240 (subnet mask, second octet) = 15 host values in that octet, so 16 + 15 = 31.
Network part - the first 12 bits: 172 plus the top 4 bits of the second octet (which is why the range spans 172.16 to 172.31)
Host part - the remaining 20 bits (the low 4 bits of the second octet plus the last two octets)

  • #ask What's the network part, and host part in an IP like 172.16.0.0/12? ✅ 2023-12-07 The prefix length decides: the first 12 bits are network, the remaining 20 are host. "Classless" only means the boundary need not fall on an octet, not that there is no split.

192.168.0.0/16

Prefix - 16. Divide it by 8: quotient 2, remainder 0.
Subnet mask - 255.255.0.0 (first 2 octets, all bits ON, value 255 each)
Usable IPs - 192.168.0.1 to 192.168.255.254
Network part - 192.168.x.x (first 16 bits)
Host part - x.x.0.0 (remaining 16 bits)

100.64.0.0/10

Shared address space for carrier-grade NAT (CGNAT), RFC 6598. It is not RFC 1918 space: it sits between the customer's router and the carrier's NAT, and like the private ranges it must not be routed on the public Internet.

Prefix - 10. Divide it by 8: quotient 1, remainder 2.
Subnet mask - 255.192.0.0 (first octet, all bits ON, value 255; second octet, top 2 bits ON, value 128 + 64 = 192)
Usable IPs - 100.64.0.1 to 100.127.255.254
How was 127 calculated? 255 - 192 (subnet mask, second octet) = 63 host values in that octet, so 64 + 63 = 127.
Network part - the first 10 bits: 100 plus the top 2 bits of the second octet (which is why the range spans 100.64 to 100.127)
Host part - the remaining 22 bits

  • #ask What's the network part, and host part in an IP like 100.64.0.0/10? ✅ 2023-12-07 Same answer as for /12: the prefix length sets the boundary (10 bits network, 22 bits host); classless means the boundary need not land on an octet.

Subnet Mask

Convert an octet to binary with the bit-value table (each column is a power of two; an octet's value is the sum of the columns that are ON):

Bit value  128  64  32  16  8  4  2  1
255          1   1   1   1  1  1  1  1
240          1   1   1   1  0  0  0  0
192          1   1   0   0  0  0  0  0

128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255

Inspect IPs

10.1.0.0 subnet mask 255.255.240.0

Prefix

  • Prefix can be calculated from the given subnet mask.
  • First 2 octets are fully ON (refer to the binary table above), while the third is partially ON.
  • Add the bit values, we discover 4 bits are ON (128 + 64 + 32 + 16 = 240).
  • So, total ON bits in the subnet mask, 8 + 8 + 4 = 20.
  • Prefix is /20

10.1.0.0 prefix /20

Subnet Mask

  • Subnet mask can be calculated from the given prefix.
  • If we divide 20 by 8, we get quotient 2, and remainder 4.
  • So, the first 2 octets in the subnet mask are fully ON, where as the third octet has 4 bits ON.
  • Now adding the 4 bits, 128 + 64 + 32 + 16 = 240.
  • Subnet mask is 255.255.240.0

IP addresses

  • First IP is the same as the IP provided, 10.1.0.0 (the network address), but what is the last IP?
  • Based on the subnet mask 255.255.240.0, calculate the max value of the third octet.
  • Subtracting the mask value from the max value possible, we get 255 - 240 = 15, so the third octet runs from 0 to 15.
  • The last octet is entirely host bits, so it can take values from 0 to 255.
  • So the last IP in the range is 10.1.15.255 (the broadcast address). Usable hosts are 10.1.0.1 to 10.1.15.254, i.e. 2^12 - 2 = 4094 addresses.
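The same arithmetic as the worked examples above (divide the prefix by 8, sum the bit values, 255 minus the mask octet for the host range), written as a small Python module and cross-checked against the standard library. This is an added example, not part of the original notes; the only inputs are the ranges already on this page.

```python
"""Subnet arithmetic done the way the notes do it by hand, cross-checked
against ipaddress. Added example; inputs are the ranges from the notes."""
import ipaddress

BIT_VALUES = [128, 64, 32, 16, 8, 4, 2, 1]   # the binary table for one octet


def mask_from_prefix(prefix: int) -> str:
    """/prefix -> dotted-quad mask. Quotient octets are 255; the remainder's
    top bits are set in the next octet (e.g. /20: 2 full octets + 4 bits = 240)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    q, r = divmod(prefix, 8)
    octets = [255] * q
    if r:
        octets.append(sum(BIT_VALUES[:r]))
    octets += [0] * (4 - len(octets))
    return ".".join(str(o) for o in octets)


def prefix_from_mask(mask: str) -> int:
    """Dotted-quad mask -> prefix; rejects masks whose ON bits are not contiguous."""
    n = int(ipaddress.IPv4Address(mask))
    ones = bin(n).count("1")
    if n != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a valid subnet mask")
    return ones


def block_bounds(ip: str, prefix: int) -> dict:
    """Network, broadcast and usable range for ip/prefix using integer masks."""
    addr = int(ipaddress.IPv4Address(ip))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = addr & mask                      # host bits cleared
    bcast = net | (~mask & 0xFFFFFFFF)     # host bits set: the "255 - mask octet" step

    def fmt(n: int) -> str:
        return str(ipaddress.IPv4Address(n))

    # /31 (point-to-point) and /32 have no separate network/broadcast address
    tiny = prefix >= 31
    return {
        "mask": mask_from_prefix(prefix),
        "network": fmt(net),
        "broadcast": fmt(bcast),
        "first_usable": fmt(net if tiny else net + 1),
        "last_usable": fmt(bcast if tiny else bcast - 1),
        "usable_hosts": 2 ** (32 - prefix) if tiny else 2 ** (32 - prefix) - 2,
    }


def check_against_stdlib(ip: str, prefix: int) -> bool:
    """ipaddress must agree; strict=False allows a host address (10.1.7.9/20)
    to be given instead of the network address."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    b = block_bounds(ip, prefix)
    return (str(net.network_address), str(net.broadcast_address), str(net.netmask)) == \
           (b["network"], b["broadcast"], b["mask"])


if __name__ == "__main__":
    for ip, prefix in [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16),
                       ("100.64.0.0", 10), ("10.1.0.0", 20)]:
        b = block_bounds(ip, prefix)
        print(f"{ip}/{prefix}: mask {b['mask']}, usable {b['first_usable']} - "
              f"{b['last_usable']} ({b['usable_hosts']} hosts)")
    print("prefix for 255.255.240.0:", prefix_from_mask("255.255.240.0"))
```

The contiguity check in prefix_from_mask is the part worth keeping: a mask like 255.0.255.0 has 16 ON bits but is not a valid prefix, and firewall or route configs that accept it silently will match something other than what the operator intended.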

Routes

“networking law”

It seems unlikely to me that there'd ever be any packets with a destination address within 100.64.0.0/16 as all those entities are likely fully managed by other means so that, for example, you wouldn't be SSHing to a firewall to configure it. "Networking law" says 10/8, 172.16/12, 192.168/16 and 100/16 addressed packets should never appear on the public Internet, so this route ensures they don't get sent in the 0/0 direction and go to where they really live. Pro network admins have tight routing and filtering so they never send private packets into public space, but messy leaks do happen.

Route Tables
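A route table lookup is longest-prefix match: the most specific route wins and 0.0.0.0/0 only catches what nothing else matched. The block below, an added example rather than anything from the quoted text, builds two constructed tables, one with internal routes for every private and CGNAT range and one "messy" table that only knows about 10/8, and flags the leak the quote describes: a private destination that would go out via the default route. Next-hop names are made up.

```python
"""Longest-prefix-match over a small route table, plus an egress check that
flags a private/CGNAT destination about to leave via the default route.
Added example; next-hop names are made up."""
import ipaddress

# Ranges that should not be forwarded toward the public Internet:
# RFC 1918 private space and RFC 6598 shared address space (CGNAT).
NON_PUBLIC = [ipaddress.ip_network(c) for c in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def build_table(routes: dict) -> list:
    """{prefix: next_hop} -> list sorted longest prefix first, so a linear scan
    returns the most specific match (a real FIB does this with a trie)."""
    parsed = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table: list, dst: str) -> tuple:
    """Return (matched_network, next_hop), or (None, None) when nothing matches."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop in table:
        if addr in net:
            return net, next_hop
    return None, None


def egress_check(table: list, dst: str) -> tuple:
    """(next_hop, leak): leak is True when a non-public destination matched only
    the default route, i.e. it is about to be sent into public address space."""
    addr = ipaddress.ip_address(dst)
    net, next_hop = lookup(table, dst)
    leak = (net is not None and net.prefixlen == 0
            and any(addr in n for n in NON_PUBLIC))
    return next_hop, leak


# Constructed tables. TIGHT covers every non-public range with an internal
# next hop (plus one more specific /20); MESSY only knows about 10/8.
TIGHT = build_table({
    "0.0.0.0/0":      "isp-uplink",
    "10.0.0.0/8":     "core-router",
    "10.1.0.0/20":    "dc1-firewall",
    "172.16.0.0/12":  "core-router",
    "192.168.0.0/16": "branch-vpn",
    "100.64.0.0/10":  "cgnat-box",
})
MESSY = build_table({"0.0.0.0/0": "isp-uplink", "10.0.0.0/8": "core-router"})


if __name__ == "__main__":
    for dst in ("10.1.7.9", "10.200.1.1", "172.16.5.4", "100.70.0.1", "8.8.8.8"):
        for name, table in (("tight", TIGHT), ("messy", MESSY)):
            nh, leak = egress_check(table, dst)
            print(f"{name:5} {dst:12} -> {nh}{'  LEAK' if leak else ''}")
```

The fix for a MESSY table is not only to add the missing internal routes but also to install null routes (blackhole) for the four non-public ranges so that, even when an internal link is down and its specific route disappears, the traffic is dropped rather than handed to the ISP.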

DNS

Address book for the Internet: maps friendly names to IPs. It is not a centralized system; the data is distributed across a hierarchy of authoritative servers (root, TLD, zone) and resolvers cache the answers.

Watch https://www.youtube.com/watch?v=e2xLV7pCOLI

An apex (zone root) domain cannot have a CNAME record: the apex must carry SOA and NS records and a CNAME cannot coexist with other records at the same name. It can have A, AAAA, MX, TXT and so on. Providers offer ALIAS-style records (Route53 "alias" records, for example) to get CNAME-like behaviour at the apex.

Types of records

  • A - maps a name to an IPv4 address (A is for "address"; AAAA is the IPv6 equivalent)
  • CNAME - alias to another name (canonical name)
  • MX - mail exchanger for the domain
  • NS - authoritative name servers for the zone

[[route53|AWS Route53]] is an AWS managed DNS solution.

resolv.conf

ref man page resolv.conf(5): the domains listed in the search directive are appended to a name before querying the nameserver; if there is more than one, they are tried in sequence until one answers.

#/etc/resolv.conf
search default.svc.cluster.local svc.cluster.local cluster.local

$ nslookup serviceA
# queried as
# serviceA.default.svc.cluster.local
# and so on

$ nslookup serviceA.com
# queried as
# serviceA.com since it contains a '.', it is queried as is
# serviceA.com.default.svc.cluster.local
# and so on

The ndots option (options ndots:N) sets the threshold: a name with at least N dots is first queried as an absolute name and then with each search suffix; a name with fewer dots gets the search suffixes first and the absolute name last. The default is 1, which is what the example above assumes. Kubernetes pods are usually configured with ndots:5, so even serviceA.com is first tried as serviceA.com.default.svc.cluster.local and so on, costing several NXDOMAIN round trips per external lookup; and when nothing in the search list matches, the final absolute attempt sends a bare internal hostname to the upstream resolver. A trailing dot (serviceA.com.) marks the name as absolute and skips the search list entirely.
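The search/ndots behaviour above, turned into a function that returns the exact order of names a glibc-style resolver will try. This is an added example, not from the original notes or from glibc; parse_resolv_conf reads a constructed resolv.conf text embedded below (shaped like a Kubernetes pod's), not the live host file.

```python
"""Query order a glibc-style resolver derives from resolv.conf search/ndots.
Added example; the resolv.conf text below is constructed, not read from disk."""


def parse_resolv_conf(text: str) -> dict:
    """Return {'search': [...], 'ndots': int} from resolv.conf contents."""
    search, ndots = [], 1      # ndots defaults to 1 when no options line sets it
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *vals = line.split()
        if key in ("search", "domain"):
            search = vals          # the last search/domain line wins
        elif key == "options":
            for opt in vals:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return {"search": search, "ndots": ndots}


def query_order(name: str, search: list, ndots: int = 1) -> list:
    """Fully qualified names the resolver tries, in order, until one answers."""
    if name.endswith("."):
        return [name]                      # trailing dot: absolute, no search list
    absolute = name + "."
    suffixed = [f"{name}.{s}." for s in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed       # enough dots: try as-is first
    return suffixed + [absolute]           # too few dots: search list first


K8S_RESOLV_CONF = """\
# constructed sample, shaped like a Kubernetes pod's resolv.conf
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5
"""


if __name__ == "__main__":
    cfg = parse_resolv_conf(K8S_RESOLV_CONF)
    for name, n in (("serviceA", 1), ("serviceA.com", 1),
                    ("serviceA.com", cfg["ndots"]), ("serviceA.com.", cfg["ndots"])):
        print(f"{name} ndots:{n}")
        for q in query_order(name, cfg["search"], n):
            print("   ", q)
```

Running it shows why the ndots:5 case matters operationally: serviceA.com generates three cluster-internal lookups that must fail before the real one is sent, and the same pattern applies to every external hostname a pod resolves.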

Firewall

[[network-firewall]]

Things to classify a firewall by:

  • Stateful or stateless? A stateless firewall filters each packet on header fields alone; a stateful one tracks connections, so return traffic is only allowed for sessions the inside initiated
  • IPS (Intrusion Prevention System) - signature or anomaly matching that can drop traffic inline
  • DPI (Deep Packet Inspection) - looks past the L3/L4 headers into the payload
  • Application protocol detection - identify the protocol by its content, not just by port number
  • Domain name filtering - allow/deny by the name seen in DNS, TLS SNI or the HTTP Host header, rather than by IP alone

VPN

GENEVE Header

https://datatracker.ietf.org/doc/html/rfc8926

Generic Network Virtualization Encapsulation: a UDP-based tunnel (destination port 6081) whose header carries variable-length option TLVs, so metadata can travel with the encapsulated packet. AWS Gateway Load Balancer uses it to hand traffic to inspection appliances.

#todo

ECMP

Equal-cost multi-path routing. Not a protocol but a forwarding strategy: when several next hops have the same cost for a destination, the router spreads traffic across them, normally hashing per flow (5-tuple) so that a single TCP connection stays on one path and is not reordered.

SD-WAN

Software-defined wide area network (SD-WAN)

It is a wide area network built with software-defined networking technology: sites communicate over the Internet through overlay tunnels (typically IPsec) which are encrypted when destined for internal organization locations, with a central controller pushing the path and security policy to the edge devices.

SD-WAN allows companies to build high-performance WANs using low-cost and commercially available Internet access, enabling businesses to partially or wholly replace more expensive private WAN connection technologies such as MPLS.

However, when SD-WAN traffic is carried over the Internet, there are no end-to-end performance guarantees.

SD-WANs allow companies to extend their computer networks easily over large distances, connecting remote branch offices to data centers and to each other, for critical business functions using commercial internet. They alleviate the need to establish expensive, dedicated physical network infrastructure between sites.

References