Network Design Challenges and Solutions
This transcript covers a set of network design challenges (high-bandwidth servers, distributed clients, redundant communication setups) and the options considered for them: an SDN implementation, HSRP for first hop redundancy, and finally a rule-based ND responder ("ND for the rescue"). It explores the implications of disrupting first hop redundancy, of fooling servers with the same IP behind different MACs, and of using ND to resolve IPs belonging to different networks.
Presentation Transcript
ND Spoofing for Fun and Profit
Distributing server farm traffic efficiently
Lutz Donnerhacke, IKS Service GmbH
The Problem
- High bandwidth servers
- Distributed clients
- Distributed locations
- Intermediate bandwidth limited
- Third party appliances
  - Internal communications?
  - Single default gateway
  - No technical contacts
- Design violation
  - Should buy two clusters
[Diagram labels: R1, R1, 192.0.2.10, 192.0.2.1, 192.0.2.11]
First Hop Redundancy
- Single active router (HSRP, etc.)
- Failover
- Traffic flow
  - Deterministic
  - Not optimal
- Intermediate bandwidth required
[Diagram labels: R1, 192.0.2.1, 00.11.22.33.44.55, 192.0.2.10, 192.0.2.11]
Disturb First Hop Redundancy
- Prevent FHR communication
  - Both nodes active
  - Complicated, error prone
- Low latency = local
  - First come, first serve
  - Slow and unstable redundancy
- Do not disturb the cluster
  - May harm internal communication
  - Hard to operate
  - Always a fail state
[Diagram labels: 192.0.2.1 00.11.22.33.44.55, 192.0.2.1 00.11.22.33.44.55, HSRP, 192.0.2.10, 192.0.2.11]
SDN for the rescue
- Inject the router twice
  - MAC into BGP
  - Least cost route
- Pro
  - Stable
  - Redundant
- Con (for us)
  - Redesign of core network
  - Expensive
[Diagram labels: 192.0.2.1 00.11.22.33.44.55, 192.0.2.1 00.11.22.33.44.55, BGP, 192.0.2.10, 192.0.2.11]
Back to the blackboard
- Different gateways
  - Each server has another router
  - HSRP still possible
  - Locality-dependent configuration
- Communicate with vendor
  - Change application
  - Change rollout
  - Unlikely
[Diagram labels: 192.0.2.2 00.22.33.44.55.66, 192.0.2.3 00.22.33.44.55.77, 192.0.2.10, 192.0.2.11]
Can we fool the servers?
- Trivial idea
  - Same IP, different MAC
  - First come, first serve
- Fails in practice
  - Duplicate IP detection
  - Missing ND responses
  - Core in danger
[Diagram labels: 192.0.2.1 00.22.33.44.55.66, 192.0.2.1 00.22.33.44.55.77, 192.0.2.10, 192.0.2.11]
ND for the rescue
- Router IPs from different networks
- Down: host routes to interface
- ND-Server
  - Fake ND responses
  - Rule based: who, whom, what
  - Can respond with HSRP-MACs
- Server
  - Automatically learn optimal MAC
[Diagram labels: 00.22.33.44.55.66, 00.22.33.44.55.77, 192.168.0.2, ...10 -> ...66, ...11 -> ...67, 192.0.2.10, 192.0.2.11]
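The responder described on this slide hands out a different router MAC depending on who asks for whom, which is exactly the pattern an operator must be able to tell apart from the failure modes of the previous slides (flapping answers, duplicate-IP conflicts) and from an unauthorised host answering for the gateway. The following audit script is an added example for this transcript, not code from the talk or from parpd. It assumes a constructed observation format with one line per answered request, keyed on the talk's rule triple (who, whom, what), and it assumes the policy tables EXPECTED_ANSWERS and PREFERRED, which use the addresses and MACs from the slides; the sample lines are constructed, not a real capture.

```python
"""Audit the ARP/ND answers a server farm actually receives for its gateway.

Added example for this transcript, not code from the talk or from parpd.
It consumes constructed observation lines (one per answered request) in an
assumed format modelled on the talk's rule triple:

    <timestamp> who=<requester IP> whom=<resolved IP> what=<answered MAC>

and reports answers an operator would want to look at:
  - rogue-mac:        a MAC that no known router (physical or HSRP) owns
  - unknown-target:   a resolved IP that is not a managed gateway
  - suboptimal-path:  a valid router MAC, but not the locally nearest one
  - flap:             the answer for one (who, whom) pair changed over time
"""
from collections import Counter
from dataclasses import dataclass
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+who=(?P<who>\S+)\s+whom=(?P<whom>\S+)\s+what=(?P<what>\S+)$"
)

# Assumed policy, using the addresses from the slides: the HSRP virtual MAC
# plus the two physical router MACs may legitimately answer for 192.0.2.1.
EXPECTED_ANSWERS = {
    "192.0.2.1": {"00.11.22.33.44.55", "00.22.33.44.55.66", "00.22.33.44.55.77"},
}

# Assumed locality map: the router MAC each server should be steered to.
PREFERRED = {
    "192.0.2.10": "00.22.33.44.55.66",
    "192.0.2.11": "00.22.33.44.55.77",
}


@dataclass(frozen=True)
class Finding:
    kind: str
    who: str
    whom: str
    detail: str


def parse(line):
    """Return the ts/who/whom/what fields of one observation line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Run every line through the checks and return the list of findings."""
    findings = []
    last_answer = {}  # (who, whom) -> MAC most recently answered
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            findings.append(Finding("unparsed", "?", "?", raw.strip()))
            continue
        who, whom, what = rec["who"], rec["whom"], rec["what"]
        allowed = EXPECTED_ANSWERS.get(whom)
        if allowed is None:
            findings.append(Finding("unknown-target", who, whom, what))
        elif what not in allowed:
            findings.append(Finding("rogue-mac", who, whom, what))
        elif PREFERRED.get(who, what) != what:
            findings.append(Finding("suboptimal-path", who, whom, what))
        # A changed answer for the same pair is the "slow and unstable"
        # symptom of a disturbed FHR cluster, or a competing responder.
        prev = last_answer.get((who, whom))
        if prev is not None and prev != what:
            findings.append(Finding("flap", who, whom, f"{prev} -> {what}"))
        last_answer[(who, whom)] = what
    return findings


def summarize(findings):
    """Count findings per kind."""
    return dict(Counter(f.kind for f in findings))


# Constructed observations, not a real capture: clean answers first, then the
# kinds of deviation an unstable or spoofed responder would produce.
SAMPLE_LINES = [
    "2024-01-01T10:00:00 who=192.0.2.10 whom=192.0.2.1 what=00.22.33.44.55.66",
    "2024-01-01T10:00:01 who=192.0.2.11 whom=192.0.2.1 what=00.22.33.44.55.77",
    "2024-01-01T10:00:02 who=192.0.2.10 whom=192.0.2.1 what=00.22.33.44.55.66",
    "2024-01-01T10:00:03 who=192.0.2.11 whom=192.0.2.1 what=00.22.33.44.55.66",
    "2024-01-01T10:00:04 who=192.0.2.10 whom=192.0.2.1 what=de.ad.be.ef.00.01",
    "2024-01-01T10:00:05 who=192.0.2.12 whom=192.0.2.1 what=00.11.22.33.44.55",
    "2024-01-01T10:00:06 who=192.0.2.10 whom=192.0.2.99 what=00.22.33.44.55.66",
]


def run_sample():
    """Audit the constructed sample; yields 5 findings."""
    return audit(SAMPLE_LINES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:15} who={f.who} whom={f.whom} {f.detail}")
    print(summarize(run_sample()))
```

The check deliberately treats the HSRP virtual MAC as a valid answer, because the responder on this slide may hand it out; what it cannot do is tell a legitimate locality-based responder from a host that merely imitates one, so the allowlist and the per-requester preference are the policy that makes the audit meaningful.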
Background
- xDSL networks
  - Carrier blocks
  - Customers need PARPD
- Rule based ARP/ND responder
Sources
- https://lutz.donnerhacke.de/Blog/Proxy-ARP-daemon
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223594