 © Rakhesh Sasidharan
|
Posted: April 15th, 2017 | Tags: dfw, firewall, nsx, troubleshooting | Category: Networks, Virtualization | § I have two security groups. Network 1 VMs (a group that contains my VMs in the 192.168.1.0/24) and Network 2 VMs (similar, for 192.168.2.0/24 network).
 
Both are dynamic groups. I select members based on whether the VM name contains -n1 or -n2. (The whole exercise is just for fun/ getting to know this stuff).
I have two firewall rules making use of these rules. Layer 2 and Layer 3.
 
The Layer 2 rule works but the Layer 3 one does not! Weird.
I decided to troubleshoot this via the command line. Figured it would be a good opportunity.
To troubleshoot I have to check the rules on the hosts (because remember, that’s where the firewall is; it’s a kernel module in each host). For that I need to get the host-id. For which I need to get the cluster-id. Sadly there’s no command to list all hosts (or at least I don’t know of any).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
# get a list of clusters nsxmgr63-01> show dfw cluster all No. Cluster Name Cluster Id Datacenter Name Firewall Status 1 Cluster One domain-c15 DC01 Enabled 2 Cluster Two domain-c17 DC01 Enabled 3 Mgt Cluster domain-c7 DC01 Enabled # check each cluster to get the host-ids nsxmgr63-01> show cluster domain-c15 Datacenter: DC01 Cluster: Cluster One No. Host Name Host Id Installation Status 1 esx65-11.my.domain host-19 Enabled nsxmgr63-01> show cluster domain-c17 Datacenter: DC01 Cluster: Cluster Two No. Host Name Host Id Installation Status 1 esx65-21.my.domain host-21 Enabled |
So now I have my host-ids.
Let’s also take a look the my VMs (thankfully it’s a short list! I wonder how admins do this in real life):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
nsxmgr63-01> show vm vm-40 Datacenter: DC01 Cluster: Cluster One Host: esx65-11.my.domain Host-ID: host-19 VM: obsd-n2h11_1 Virtual Nics List: 1. Vnic Name obsd-n2h11_1 - Network adapter 1 Vnic Id 50364847-a9d1-3326-a41a-5c62706edc9e.000 Filters nic-110513-eth0-vmware-sfw.2 <---- (host-19) nsxmgr63-01> show vm vm-35 Datacenter: DC01 Cluster: Cluster One Host: esx65-11.my.domain Host-ID: host-19 VM: obsd-n1h11_1 Virtual Nics List: 1. Vnic Name obsd-n1h11_1 - Network adapter 1 Vnic Id 50369375-2fc4-1f85-b85e-f15613751fbf.000 Filters nic-111445-eth0-vmware-sfw.2 <---- (host-19) nsxmgr63-01> show vm vm-64 Datacenter: DC01 Cluster: Cluster Two Host: esx65-21.my.domain Host-ID: host-21 VM: obsd-n3h21_1 Virtual Nics List: 1. Vnic Name obsd-n3h21_1 - Network adapter 1 Vnic Id 503698c0-363b-2c5d-2c73-6182766cd6f1.000 Filters nic-464408-eth0-vmware-sfw.2 <---- (host-21) nsxmgr63-01> show vm vm-39 Datacenter: DC01 Cluster: Cluster Two Host: esx65-21.my.domain Host-ID: host-21 VM: obsd-n1h21_1 Virtual Nics List: 1. Vnic Name obsd-n1h21_1 - Network adapter 1 Vnic Id 50365bd9-f536-095e-eeef-d9f6d81f733b.000 Filters nic-464142-eth0-vmware-sfw.2 <---- (host-21) |
We can see the filters applying to each VM. To summarize:
|
|
nic-110513-eth0-vmware-sfw.2 | obsd-n2h11_1 | host-19 (esx65-11) nic-111445-eth0-vmware-sfw.2 | obsd-n1h11_1 | host-19 (esx65-11) nic-464408-eth0-vmware-sfw.2 | obsd-n1h11_1 | host-21 (esx65-21) nic-464142-eth0-vmware-sfw.2 | obsd-n3h21_1 | host-21 (esx65-21) |
And are these filters applying on the hosts themselves?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 |
# checking host-19 nsxmgr63-01> show dfw host host-19 summarize-dvfilter <snip> Filters: world 0 <no world> port 50331650 vmk0 vNic slot 0 name: nic-0-eth4294967295-ESXi-Firewall.0 agentName: ESXi-Firewall state: IOChain Attached vmState: Detached failurePolicy: failOpen slowPathID: none filter source: Invalid port 50331663 vmk1 vNic slot 0 name: nic-0-eth4294967295-ESXi-Firewall.0 agentName: ESXi-Firewall state: IOChain Attached vmState: Detached failurePolicy: failOpen slowPathID: none filter source: Invalid world 110513 vmm0:obsd-21 vcUuid:'50 36 48 47 a9 d1 33 26-a4 1a 5c 62 70 6e dc 9e' port 50331666 obsd-21.eth0 vNic slot 2 name: nic-110513-eth0-vmware-sfw.2 <----- applied! agentName: vmware-sfw state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Dynamic Filter Creation vNic slot 1 name: nic-110513-eth0-dvfilter-generic-vmware-swsec.1 agentName: dvfilter-generic-vmware-swsec state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Alternate Opaque Channel world 111445 vmm0:obsd-11 vcUuid:'50 36 93 75 2f c4 1f 85-b8 5e f1 56 13 75 1f bf' port 50331668 obsd-11.eth0 vNic slot 2 name: nic-111445-eth0-vmware-sfw.2 <----- applied! agentName: vmware-sfw state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Dynamic Filter Creation vNic slot 1 name: nic-111445-eth0-dvfilter-generic-vmware-swsec.1 agentName: dvfilter-generic-vmware-swsec state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Alternate Opaque Channel # checking host-21 nsxmgr63-01> show dfw host host-21 summarize-dvfilter <snip> Filters: world 0 <no world> port 50331650 vmk0 vNic slot 0 name: nic-0-eth4294967295-ESXi-Firewall.0 agentName: ESXi-Firewall state: IOChain Attached vmState: Detached failurePolicy: failOpen slowPathID: none filter source: Invalid port 50331654 vmk1 vNic slot 0 name: nic-0-eth4294967295-ESXi-Firewall.0 agentName: ESXi-Firewall state: IOChain Attached vmState: Detached failurePolicy: failOpen slowPathID: none filter source: Invalid world 464142 vmm0:obsd-n1h21_1 vcUuid:'50 36 5b d9 f5 36 09 5e-ee ef d9 f6 d8 1f 73 3b' port 50331656 obsd-n1h21_1.eth0 vNic slot 2 name: nic-464142-eth0-vmware-sfw.2 <----- applied! agentName: vmware-sfw state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Dynamic Filter Creation vNic slot 1 name: nic-464142-eth0-dvfilter-generic-vmware-swsec.1 agentName: dvfilter-generic-vmware-swsec state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Alternate Opaque Channel world 464408 vmm0:obsd-n3h21_1 vcUuid:'50 36 98 c0 36 3b 2c 5d-2c 73 61 82 76 6c d6 f1' port 50331657 obsd-n3h21_1.eth0 vNic slot 2 name: nic-464408-eth0-vmware-sfw.2 <----- applied! agentName: vmware-sfw state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Dynamic Filter Creation vNic slot 1 name: nic-464408-eth0-dvfilter-generic-vmware-swsec.1 agentName: dvfilter-generic-vmware-swsec state: IOChain Attached vmState: Detached failurePolicy: failClosed slowPathID: none filter source: Alternate Opaque Channel |
Hmm, that too looks fine.
Next I picked up one of the rule sets and explored it further:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
nsxmgr63-01> show dfw host host-19 filter nic-111445-eth0-vmware-sfw.2 rules ruleset domain-c15 { # Filter rules rule 1003 at 1 inout protocol ipv6-icmp icmptype 135 from any to any accept; rule 1003 at 2 inout protocol ipv6-icmp icmptype 136 from any to any accept; rule 1002 at 3 inout protocol udp from any to any port 68 accept; rule 1002 at 4 inout protocol udp from any to any port 67 accept; rule 1010 at 5 inout protocol any from addrset src1010 to addrset src1010 drop; <------ L3 rule 1001 at 6 inout protocol any from any to any accept; } ruleset domain-c15_L2 { # Filter rules rule 1009 at 1 inout ethertype any from addrset src1009 to addrset src1009 drop; <------ L2 # internal # rule 1009 at 2 in ethertype any from addrset src1009 to addrset src1009 drop; rule 1004 at 3 inout ethertype any from any to any accept; } |
The Layer 3 & Layer 2 rules are in separate rule sets. I have marked the ones which I am interested in. One works, the other doesn’t. So I checked the address sets used by both:
|
|
nsxmgr63-01> show dfw host host-19 filter nic-111445-eth0-vmware-sfw.2 addrsets addrset src1009 { mac 00:50:56:b6:25:a4, mac 00:50:56:b6:2a:e2, mac 00:50:56:b6:ad:b3, mac 00:50:56:b6:f2:9a, } addrset src1010 { } |
Tada! And there we have the problem. The address set for the Layer 3 rule is empty.
I checked this for the other rules too – same situation. I modified my Layer 3 rule to specifically target the subnets:
And the address set for that rule is not empty:
|
|
nsxmgr63-01> show dfw host host-19 filter nic-111445-eth0-vmware-sfw.2 addrsets addrset rdst1012 { ip 192.168.1.0/24, ip 192.168.2.0/24, } addrset rsrc1012 { ip 192.168.1.0/24, ip 192.168.2.0/24, } <snip> |
And because of this the firewall rules do work as expected. Hmm.
I modified this rule to be a group with my OpenBSD VMs from each network explicitly added to it (i.e. not dynamic membership in case that was causing an issue). But nope, same result – empty address set!
But the address set is now empty. :o)
|
|
nsxmgr63-01> show dfw host host-19 filter nic-111445-eth0-vmware-sfw.2 addrsets <snip> addrset src1012 { } |
So now I have an idea of the problem. I am not too surprised by this because I vaguely remember reading something about VMware Tools and IP detection inside a VM (i.e. NSX makes use of VMware Tools to know the IP address of a VM) and also because I am aware OpenBSD does not use the official VMware Tools package (it has its own and that only provides a subset of functions).
Googling a bit on this topic I came across the IP address Discovery section in the NSX Admin guide – prior to NSX 6.2 if VMware Tools wasn’t installed (or was stopped) NSX won’t be able to detect the IP address of the VM. Post NSX 6.2 it can do DHCP & ARP snooping to work around a missing/ stopped VMware Tools. We configure the latter in the host installation page:
I am going to go ahead and enable both on all my clusters.
That helped. But it needs time. Initially the address set was empty. I started pings from one VM to another and the source VM IP was discovered and put in the address set; but since the destination VM wasn’t in the list traffic was still being allowed. I stopped pings, started pings, waited a while … tried again … and by then the second VM IP to was discovered and put in the address set – effectively blocking communication between them.
|
|
addrset src1012 { ip 192.168.1.1, ip 192.168.2.1, } |
Side by side I installed a Windows 8.1 VM with VMware Tools etc and tested to see if it was being automatically picked up (I did this before enabling the snooping above). It was. In fact its IPv6 address too was discovered via VMware Tools and added to the list:
|
|
addrset src1010 { ip 192.168.1.1, ip 192.168.1.2, ip 192.168.1.11, <--- Windows 8.1 + VMware Tools ip 192.168.2.1, ip fe80::2570:6577:3d58:f198, <--- Windows 8.1 + VMware Tools } |
Nice! Picked up something interesting today.
Posted: April 18th, 2016 | Tags: firewall, wmi | Category: Windows | § Trying to set up monitoring for some of our Windows DMZ servers via SolarWinds and came across a few interesting links. At the same time I noticed that my carefully organized bookmarks folders seem to be corrupt. Many folders are empty. This happened a few days ago too, but that time it was just one folder (well one folder that I knew of, could be more who knows) and so I was able to view and older copy of my bookmarks via Xmarks and add the missing entries back.
But this time it’s a whole bunch of folders and the only option Xmarks has it to either export the older copy or overwrite your current copy with this older set. I don’t want the latter as that would mean losing all my newer bookmarks. Wish there was some way of merging the current and older copies! Anyhow, what’s happened is happened, I think I’ll stick to using this blog for bookmarks. I keep referring to this blog over my bookmarks anyway, so this is a sign to stop with the unnecessary filing.
To start off, this is a must read on WMI ports and how to allow firewall exceptions for WMI. Gist of the matter is that WMI uses dynamic ports via the RPC Portmapper. When the Solarwinds server (for example) wants to talk to WMI on a target server, it contacts the RPC Portmapper service on the target server on port 135 (which is the standard port for the Portmapper service) and gets a dynamic port to use for WMI. This port can be anywhere between 1024 – 65535.
The fix for this is to give the Portmapper service a specific set of ports to use. One method is to use the registry (see the previous link or this KB article). Add a key called Internet under HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc. To this add values Ports (MULTI_SZ), PortsInternetAvailable (REG_SZ), and UseInternetPorts (REG_SZ). Set a value of Y for the latter two, and a range like 5000-5100 to the former. Restart the server after this.
Although I haven’t tried it, I think a similar effect as the above can be achieved via Component Services (type dcomcnfg.exe in a command prompt). Expand the “Computers” folder here, right click on “My Computer”, go to “Default Protocols”, click “Properties” of “Conenction-oriented TCP/IP”, and add a port range.
Another method is to use Group Policies.
Yet another method seems to be to get WMI to not use the RPC Portmapper for dynamic ports. By default WMI runs as a shared service, which is why it uses the RPC Portmapper. It is possible to make it run as a standalone service so it doesn’t use the Portmapper and instead defaults to port 24158. (This port number too can be changed via dcomcnfg.exe but I am not sure how).
These two links didn’t make much sense to me, but I know they are of use so linking them here as a reference to myself for later:
Posted: April 24th, 2014 | Tags: firewall, ipv6, nat, teredo | Category: Networks | § Before going more into Teredo it’s worth talking about the types of NAT.
Types of NAT
When an internal device sends a packet to an Internet device, the source address and port (i.e. the private IPv4 address and port number of the internal device) are translated by the NAT. The outgoing packet from the NAT device will have the source IPv4 address set as the public IPv4 address of the NAT box and a newly assigned port on the NAT box as the source port address of the packet. And a mapping for this will be stored on the NAT box (internal IPv4 address, port number <-> Public IPv4 address, port number).
What happens next is what defines the various types of NAT:
Cone NAT
In a cone NAT, once a mapping is thus stored, packets from any external device to the public IPv4 address and port number of the mapping will be forwarded to the internal IPv4 address and port number. The key word here is any. So my machine behind the NAT can send a packet to (say) Google.com from port 1234 of my machine -> this will create a mapping on the NAT box from my internal IPv4 address and port 1234 to the public IPv4 address and (say) port 5467. Now a totally different server (say) Yahoo.com can send a packet to port 5678 of the public IPv4 address and it will be forwarded to my machine’s port 1234.
Essentially my internal machine has a port mapped on the NAT now which is always forwarded to my machine. Of course, the mapping could go after a while of disuse and then I’ll get a new external port number and mapping, but suppose I kept sending traffic to keep the mapping alive the port is forever forwarded to me.
You can imagine this looks like a cone. The tip of the cone is the public IPv4 address and port. The base – the open end – is everything in the external world. Everything in the external world can contact me on that port. It’s like a cone, hence the name.
Restricted NAT
In a restricted NAT, once a mapping is stored, only packets from the particular external device which the packets were originally sent to can connect to the mapping and be forwarded. That is, in the example above once there’s a mapping for my internal IPv4 address and port 1234 to the external public IPv4 and port 5467 for Google.com, only Google.com can send a packet to the external IPv4 address and port 5678 and it will be forwarded to my machine, if Yahoo.com sends a packet to the same IPv4 address and port it will be discarded.
There is a stricter form of restricted NAT where even the port number of the sender is checked. That is, if initial packet was to pot 9999 of Google.com, only packets from port 9999 of Google.com are allowed to enter via that mapping. Packets from port 9998 of Google.com will be silently discarded!
Symmetric NAT
Symmetric NAT takes things one step further!
In the two NAT types above the mapping is stored for all traffic from the internal device and internal IP. That is if I send packets from port 1234 and my internal IPv4, a mapping is created to port 5678 on the NAT box and that is used for all traffic from port 1234 of my internal machine. So – I contact Google.com from internal port 1234, the same mapping is used. I contact Yahoo.com from the same internal port, the same mapping is used. I contact Bing.com from the same internal port, the same mapping is used! The only difference between the two types above was to do with the incoming packets – whether they were from an IPv4 address (and port, in the stricter version) that was previously contacted. But the mapping was always the same for all traffic.
However, in Symmetric mapping a new mapping is created for each destination. So if I contact Google.com from port 1234 of my internal machine, it could be mapped to port 5678 of the NAT box and a mapping created for that. Next, if I contact Yahoo.com from port 1234 of the internal machine (same internal port as before), it could be mapped to port 5889 of the NAT box and a new mapping created for that. And later if I contact Bing.com from again the same port 1234 of the internal machine, yet another mapping will be created on the NAT box, say to port 6798. And worse, each of these mappings behaves like a Restricted NAT mapping – i.e. only the IP address to which the packets were initially sent when creating that mapping can use the mapping to send back packets.
You can see why this is called Symmetric NAT. It’s because each traffic from the internal side has its own mapping on the external side. There is a one-to-one mapping from the internal port & IPv4 address to the external port for each traffic.
Why do the types matter?
It’s important to know what type of NAT a particular is in when using Teredo. Because remember my quick overview of Teredo – at step 2 the host behind the NAT asks the server for an IPv6 address and it gets it. What this also does is that a mapping is created on the NAT box for the host’s internal IPv4 address and port number to the NAT box’s public IPv4 address and external port. Now …
If the NAT were Cone, then at step 8 a Teredo relay can forward IPv6 over IPv4 packets to the internal host by sending to the external port and NAT public IPv4 address.
But if the NAT were Restricted, then step 8 would fail as the internal host hasn’t contacted the relay yet and so there’s no mapping for the relay’s IPv4 address and/ port port (it could be that the internal host has contacted the relay to send some packets and this is a response from the relay, in which case it will be let through, but it could also be a fresh connection from the relay forwarding packets from an IPv6 host that are not in response to anything from the internal host – these will be discarded). So in the case of a restricted NAT Teredo has some additional stuff to do first – namely create a mapping in the NAT table for the Teredo relay’s IPv4 address.
First the Teredo relay checks if the IPv4 address and port of the Teredo client – which it extracts from the Teredo IPv6 address of the client – are known to it. If it is known (as in the relay and client have communicated recently) it means a mapping exists and the relay can send the packet to the client.
If a mapping does not exist the Teredo relay takes help of the Teredo server to punch a hole in the NAT. This is akin to the Romeo & Juliet example I described yesterday. The relay needs to contact the client but the client’s NAT box will discard any packets that are not in response to something that the client has sent out, so the relay needs a third party server “friend” to help out. Here’s what happens:
- The Teredo relay queues the incoming packet.
- From the Teredo IPv6 address of the client it extracts the IPv4 address of the Teredo server.
- The relay then creates a “bubble packet” with the source address as the relay’s IPv6 address, destination as the client’s Teredo IPv6 address, and sends it to the Teredo server’s IPv4 address. A bubble packet is essentially an empty IPv6 packet. Since it is sent to the IPv4 address of the Teredo server, it will be encapsulated in an IPv4 packet.
- The Teredo server extracts the IPv6 bubble packet. From the bubble packet’s destination IPv6 address the Teredo server notes that it itself if the Teredo server for that client. This tells the server that its help is required for hole punching. It notes the IPv4 address of the relay from the source address of the packet (this is used in step 7).
- The Teredo server extracts the NAT IPv4 address and port from the host portion of the client’s Teredo address. It puts the bubble packet within a UDP message and sends it over IPv4 to the IPv4 address and port of the NAT box. The NAT box forwards this packet to the internal host (the Teredo client) as a mapping already exists for the Teredo server IPv4 address.
- The UDP packet has to contain the Teredo server IPv4 address and port as the source address and port. It has to else the packet won’t pass through NAT. But the client also needs to know the IPv4 address of the Teredo relay. So the Teredo server sets an “Origin Indication” within this UDP packet that specifies the IPv4 address of the Teredo relay.
- The Teredo client receives the bubble packet in UDP. From the “Origin Indication” it knows the IPv4 address of the Teredo relay. From the bubble packet it knows the IPv6 address of the Teredo relay. And since it doesn’t know the Teredo relay’s IPv4 address and this packet came from its Teredo server – indicating that the client has to do it’s part of the hole punching – the client will now create a new IPv6 bubble packet, setting its Teredo IPv6 address as the source and the Teredo relay’s IPv6 address as the destination, put this within a UDP message, set the IPv4 address of the Teredo relay as the destination, and send it out.
- The packet passes through NAT and reaches the Teredo relay. Since this is a response to the bubble it previously sent, the Teredo relay knows the mapping is ready. Now the Teredo relay sends the previously queued incoming packet to the Teredo client and it gets through …!
Phew! Now we know why Teredo is a tunnel of last resort. There’s so much behind the scenes stuff that has to happen to keep it working. And that’s not to mention additional stuff like regular bubble packets from the Teredo client to server to keep the NAT mapping alive, checks to ensure there’s no spoofing done, and many more. Added to that, for security reasons an update to the Teredo RFC (Teredo RFC is RFC 4380, update is RFC 5991) specifies that Teredo should always assume it’s behind a Restricted NAT and so the above steps must always be done, even for clients behind Core NATs.
Back to NATs – if the NAT were Symmetric, Teredo does not work at all unless you make some changes on the NAT to exempt the Teredo clients. (Teredo in Windows Vista and above can work between Teredo clients if only one Teredo client is behind a Symmetric NAT and the other is behind a Cone/ Restricted NAT).
Identifying the type of NAT
Here’s how a Teredo client identifies the type of NAT it is behind.
Two things are in play here:
- The Teredo client IPv6 address has a flag that specifies whether it is behind a cone NAT or not. This flag is in the host bits of the address – remember I had previously mentioned the host bit has some flags, random bits, and the NAT IPv4 address and port number? One of these flags specifies whether the client is behind a cone NAT or not.
- The Teredo server has two public IPv4 addresses. The Teredo RFC does not expect these to be consecutive IPv4 addresses, but Windows Teredo clients expect these to be.
When the Teredo client contacts the Teredo server initially for an IPv6 address, it sends a Router Solicitation message as all IPv6 clients do (the difference being this is a unicast message, sent within a UDP message over IPv4 to a specific Teredo server address). The Router Solicitation message requires a link-local address – all Router Solicitation messages do – so the Teredo Client generates one, following the same format as a regular Teredo IPv6 address. The network prefix of this link-local address is set to fe80::/64, with the host bits having flags and random bits as usual but with the embedded IPv4 address being the private IPv4 address and port of the internal host rather than the public IPv4 address and port of the NAT box (because the Teredo client doesn’t know what this is).
This link-local address sets the cone flag is 1 – meaning the client believes it is behind a cone NAT.
When the Teredo server receives this it sends a Router Advertisement message as usual (as a UDP message within IPv4 unlike usual). The server does a trick here though. Instead of responding from the public IPv4 address on which it received the UDP message from the client, it responds from the second public IPv4 address. If this reply from a different IPv4 address gets through the NAT, then the client knows it is indeed behind a cone NAT. But if no replies come through (after an appropriate time-out (default: 4s) and number of retries (3 times)), the client realizes it may not be behind a cone NAT and so it sends a new Router Solicitation message to the Teredo server only this time it sets the cone flag to 0 (i.e. not behind a cone NAT).
Again the Teredo server receives the message and sends a Router Advertisement message, but now since the cone flag is 0 it sends the reply from the same IPv4 address as it received the message on. This will get through, confirming to the client that it is behind a non-cone NAT. (Note: If this reply too does not get through, after an appropriate time-out and number of retries the client realizes that UDP messages are blocked/ not getting through NAT/ firewall and so it sets the Teredo interface as disconnected/ off-line. Teredo cannot be used in this situation).
Next the client needs to know if it is behind a symmetric NAT. It now contacts the Teredo server on the second IPv4 address with a Router Solicitation message, setting the cone flag to 0 so the server uses the same IPv4 address when replying, and when it gets a reply from the Teredo server it compares the NAT port in the reply with the NAT port in the previous reply. If the ports are same the client determines that it is behind a restricted NAT; if the ports are different the client determines it is behind a symmetric NAT and that Teredo might not work.
(Note: I oversimplified a bit above to keep things easy. When the Teredo server sends a Router Advertisement, this includes the network prefix only. The host bits are set by the Teredo client once it identifies the type of NAT it is behind. The host bits require knowledge of the NAT IPv4 address and port, but how does the Teredo client know these? It knows these because the Router Advertisements from the Teredo server contains an “Origin Indication” field specifying the public IPv4 address and port. This is how the client gets the port number used for both Router Advertisements and determines if it is behind a symmetric NAT or not. Once that determination is done, the client has all the info required to self-assign a Teredo IPv6 address).
Posted: April 24th, 2014 | Tags: firewall, ipv6, nat, teredo | Category: Networks | § Previously I had talked about ISATAP. Today I want to blog about Teredo.
Teredo is another IPv6 transition mechanism. It is meant to be used as a transition strategy of last resort – i.e. only if other mechanisms such as ISATAP and 6to4 (which I haven’t blogged about yet) fail. This is because Teredo needs support from other servers on the Internet to do its work; and also because Teredo doesn’t encapsulate IPv6 packets within IPv4 directly, rather it puts them within UDP packets that are then carried by IPv4 packets. The latter means there’s extra overhead for using Teredo but it has the advantage that Teredo can work through NAT (with the exception of one type of NAT called Symmetric NAT) and so is more likely to work than ISATAP or 6to4.
Unlike ISATAP Teredo is meant for use over the Internet. And unlike 6to4 Teredo does not require a public IPv4 address. Teredo can work over the Internet from hosts with a private IPv4 address behind a NAT.
Before I go into the details of Teredo here’s a quick overview:
- If you have a host with private IPv4 address, you need some way of assigning it a global IPv6 address. But how do you do that? 6to4 takes the approach of creating an IPv6 address from the IPv4 address and that works because it requires public IPv4 addresses – which are unique in the first place, resulting in a unique IPv6 address. Teredo doesn’t have that luxury so it needs an IPv6 address generated through some other means.
- Here’s what Teredo does. It asks a server on the Internet (called a Teredo Server) for an IPv6 address. The server assigns it an IPv6 whose network prefix has first 32 bits as 2001:0000 and next 32 bits as the IPv4 address of the Teredo Server in hexadecimal. Thus all Teredo clients connecting to that server have the same network prefix.
- Say the Teredo Server IPv4 address is 17.23.52.1. You can use the in-built Windows calculator (in Programmer mode) to convert decimal to hex. 17 = 0x11, 23 = 0x17, 52 = 0x34, 1 = 0x1. So 17.23.53.1 in hex would be 1117:3401, resulting in a Teredo network prefix of 2001:0:1117:3401.
- The Teredo server also sets the host portion of the IPv6 address. This consists of some flags and random bits followed by the UDP port the client’s request came from along with the public IPv4 address of the NAT box the client is behind. Thus the host portion is also unique – the uniqueness being provided by the random bits as well as the UDP port of the client request, with some level of uniqueness also being provided by the public IPv4 address of the NAT box (though this is not unique among all clients within that same NAT).
- This way an IPv4 only host behind a NAT can get for itself a global unicast IPv6 address. The next question is how will it send and receive packets to the IPv6 Internet?
- For this Teredo clients need a Teredo Relay (this is usually a separate server, but one could have the Teredo server doubling as a Teredo relay too).
- A Teredo relay is a server set up by an ISP or organization that is happy to act as a “relay” between Teredo clients and IPv6 hosts. The relay advertises to the IPv6 Internet that it can route to the Teredo network prefix 2001:0:/32 (note that it advertises the entire Teredo network prefix, not just a specific network like 2001:0:1117:3401/64).
- So Teredo clients send IPv6 packets encapsulated in IPv4 to the IPv4 address of the Teredo relay. The relay passes it on to the IPv6 Internet as pure IPv6 packets with the source address set to the global unicast Teredo address of the client.
- The relay also receives packets to the Teredo prefix 2001:0:/32 from the IPv6 portion of the Internet and passes it on to the IPv4 clients. It knows which clients to pass these on to so because the host portion of the Teredo client address contains the IPv4 public IPv4 address of the NAT box and UDP port which will be forwarded to the private IPv4 address of the client. So all the relay needs to do is send IPv4 packets (containing IPv6 packets) to this public IPv4 address & UDP port.
- It’s worth emphasizing here that the Teredo relay does not have an IPv6 routing table entry to the Teredo client. Rather, the packet is sent via IPv4. That’s why a relay is able to broadcast the entire 2001:0/32 and get packets for any Teredo client.
- If an IPv6 host on the Internet has both IPv6 and IPv4 addresses it can skip the Teredo relay altogether to send packets to the Teredo client. How? Because when this host receives a packet with source address as that of the Teredo client, it knows from the network prefix that this is a Teredo address, and it knows from the host bits how to contact this client via IPv4. So why go a roundabout way through Teredo relays and such, when it can directly send IPv4 packets (containing IPv6 packets) to the Teredo client? That’s precisely what the host does. This functionality is called Teredo Host Specific Relay – the host acts as its own relay. It does not matter if the IPv4 address of such a host is public or private. The IPv6 address must be a native global unicast address or a 6to4 address (obviously because that’s how it’s reachable on the IPv6 network initially).
This, in a nutshell, is how Teredo works. I think it’s a very cool piece of technology! It’s cool not only in terms of how it allows clients behind NATs to have a global unicast IPv6 address and be able to access the IPv6 Internet, but also in terms of some details I skipped over above like how clients find relays, and how relays punch hole in the firewall/ NAT behind which clients are to enable communication from clients to the IPv6 Internet. Fascinating!
Posted: April 23rd, 2014 | Tags: firewall, nat | Category: Networks | § Imagine Romeo and Juliet are under house arrest by their families. The families don’t allow any phone calls through either, unless it’s from a number Romeo or Juliet had just called out to. So while Romeo or Juliet can call anyone, a call from Romeo to Juliet will be blocked by her family as it’s not in response to a call she had just made. Similarly a call from Juliet to Romeo will be blocked by his family as it’s not in response to a call he made. The two lovers are thus unable to talk to each other, what are they to do?
Here’s one thing they could do. If Juliet were to call Romeo somehow and he were to call her back, then the call would get through. The problem is when Juliet calls Romeo her call is discarded by his family and so there’s no way for Romeo to know she has called him and if he were to call back now it will be let through. But suppose they had a common friend willing to help them, could that make a difference?
What Romeo and Juliet could do is call this mutual friend and not hang up. When Juliet wants to call Romeo she’ll inform the mutual friend who will pass this news on to Romeo. (A nice twist here is that Romeo and Juliet could use burner phones. When they call the mutual friend they’ll pass on their current phone number to the friend who will pass it on to each other. This way the families have no idea what Romeo or Juliet’s current phone numbers are and they can’t block calls to these numbers!). Juliet will then call Romeo’s number. The call will be discarded by Romeo’s family as it is not in response to a call he made, but Juliet’s family does not know that and as far as they are concerned Juliet has just called Romeo and no one answered. Since Romeo knows Juliet will be calling him and getting blocked, he can now call Juliet and his call will be let through as her family thinks its in response to her previous call. The two lovers can thus talk to each other! Happy days!
What I have described here is what’s known as hole punching in Computer networks. The difference being instead of Romeo, Juliet, and their families, you have computers behind firewalls or NAT (Network Address Translation) routers. The computers behind the firewall or NAT are unable to accept incoming packets from the outside world. They can only accept replies to packets they have sent out. To get two such computers talking to each other we need to “punch a hole” in the firewalls. That is, have a third computer somewhere on the Internet that will co-ordinate between them and help with the initial discovery and connection (if any of the computers are behind NATs it is akin to Romeo or Juliet using a burner phone). This third computer doesn’t have to do much except help with the initial phase. And worst case, if the hole punching does not work for any reason, the third computer can act as a “relay” passing packets from one computer to the other.
Posted: February 5th, 2013 | Tags: firewall, networking, windows7, windows8 | Category: Windows | § Just some notes on the Windows Firewall.
- Starting with Windows Vista and Windows Server 2008 you have to use the
netsh advfirewall firewall command-line context to manage the firewall. You still have the netsh firewall context, but that’s just for backward compatibility.
- Starting with Windows Vista and Windows Server 2008 you also have three profiles: domain (which applies when you are connected to a domain), public (for networks you mark as public), and private (for networks you mark as private/ home). Prior to this the firewall only had a domain profile (which is still present) and a standard profile (which now maps to the private profile). So by using the
netsh firewall context you can only modify the domain and private profiles.
netsh advfirewall firewall (show|add|set|delete) commands can be used to view, add, modify, and delete rules. You can’t filter by rule names unfortunately. All you can do is filter for all rules based on their profile and direction (inbound or outbound). Moreover you can’t format the output and neither can you manage multiple rules (except if they are part of a group but then you can’t filter further in terms of “all rules of a particular group that belong to such and such profile”). Very limited, actually.- Starting with Windows 8 and Windows Server 2012 you have PowerShell 3 and this can manage the firewall. Unfortunately, while you can install PowerShell 3 on Windows 7 and Windows Server 2008 R2, it doesn’t have the NetSecurity module which provides the firewall cmdlets. So you can’t manage the firewall on these OSes with PowerShell 3. See this blog post for a list of PowerShell 3 firewall related cmdlets.
|