Talks 11/12/2000
Log of the talk. The lines corresponding to people joining and leaving the channel during the
talk have been removed.
[22:15] *** fernand0 changes topic to 'Horacio Peña "Policy-routing" (english version) Spanish -> #media Portuguese -> #educa '
[22:08] (fernand0> it's going to start in a few moments
[22:08] (fernand0> Horacio Peña's talk
[22:08] (Borja> :-)
[22:08] (fernand0> I'm told it's available in three languages
[22:08] (fernand0> namely:
[22:08] (fernand0> Spanish -> #media
[22:08] (fernand0> English -> #linux
[22:08] (fernand0> Portuguese -> #educa
[22:09] (Ricardo> :)
[22:09] (fernand0> we'll begin in a couple of minutes
[22:09] (Ricardo> Phew
[22:09] (Ricardo> Just in time
[22:09] (Hue-Bond> change the topic :)
[22:09] (fernand0> just in time?
[22:09] (fernand0> bond
[22:09] (fernand0> hue bond
[22:09] (fernand0> I can never help it
[22:09] (fernand0> 0:)
[22:09] (fernand0> are there no ops in this channel?
[22:09] (fernand0> XD
[22:10] (fernand0> thanks
[22:10] (Kerberos> rez
[22:10] (Kerberos> I hate alt+f4-binding-style ;p
[22:10] (Salvage> has the talk started already?
[22:10] (Ricardo> }:))
[22:10] (Ricardo> We're in Spanish now, Kerberos :)
[22:10] (Ricardo> (or so it seems)
[22:10] (fernand0> Spanish -> #media
[22:10] (fernand0> English -> #linux
[22:10] (fernand0> Portuguese -> #educa
[22:10] (Kerberos> yeah, but I still don't like it :(
[22:11] (fernand0> Hello,
[22:11] (fernand0> we are pleased to introduce to you now the next speaker. He
[22:11] (fernand0> is Horacio Peña.
[22:11] (fernand0> He does so many things that it's hard to summarize them in little space without tiring you:
[22:11] (fernand0> he studies mathematics and computer science, works, and helps keep UniNet
[22:11] (fernand0> the way it is. His contributions to the world of unix and free software have also
[22:11] (fernand0> been important and numerous; it's enough to search for his name with our
[22:11] (fernand0> favorite search engine to see contributions of his in many different
[22:11] (fernand0> places.
[22:11] (fernand0> His presentation is titled: Policy Routing
[22:11] (fernand0> It will take place in three languages:
[22:11] (fernand0> Spanish -> #media
[22:11] (fernand0> English -> #linux
[22:11] (fernand0> Portuguese -> #educa
[22:12] (fernand0> Horacio ...
[22:12] (Salvage> fernando, is the translation simultaneous?
[22:12] (fernand0> yes salvage
[22:12] (Horape> Uses of policy routing: a little survey.
[22:12] (Horape> ----------------------------------------
[22:13] (Horape> More than two years ago, when linux 2.2 was going to be released,
[22:14] (Horape> I was the first one trying to document the then new policy
[22:14] (Horape> routing capabilities of linux. To put it shortly, policy routing
[22:14] (Horape> lets the routing decisions be based on the originating address, the TOS
[22:14] (Horape> field of the IP header or higher level protocols' attributes
[22:15] (Horape> (i.e., TCP or UDP ports) instead of only the destination address as in
[22:15] (Horape> standard routing.
[22:15] (Horape> The original micro-HOWTO I wrote can be seen at
[22:15] (Horape> http://compendium.ar.uninet.edu/policy-routing.txt. Some
[22:15] (Horape> time ago I stopped maintaining it, because the "Advanced Routing HOWTO",
[22:15] (Horape> now in the works, is planned to cover the subject more
[22:16] (Horape> deeply (http://www.ds9a.nl/2.4Routing/)
[22:16] (Horape> In the years since I wrote it, I've received lots of questions and I'll
[22:16] (Horape> be basing this little survey of policy routing's
[22:16] (Horape> uses on them.
[22:17] (Horape> - Client based routing.
[22:17] (Horape> That's the simplest use of policy routing. We create some routing tables
[22:17] (Horape> and the rules to choose them are determined by the source IP address. For
[22:22] (Horape> example:
[22:23] (Horape> # 1st routing table
[22:23] (Horape> ip route add 0.0.0.0/0 dev ippp0 table 100
[22:23] (Horape> # 2nd routing table
[22:23] (Horape> ip route add 0.0.0.0/0 via 10.0.2.3 dev eth1 table 101
[22:23] (Horape> # Routing rules
[22:24] (Horape> ip rule add from 192.168.0.0/16 table 100
[22:24] (Horape> ip rule add from 10.0.0.0/8 table 101
[22:24] (Horape> In the example, the traffic from the 192.168 network will be routed via
[22:24] (Horape> ISDN and the traffic from the 10 network via the router at 10.0.2.3.
[22:25] (Horape> - Service based routing.
[22:25] (Horape> That's the most common one and the one I've been asked
[22:25] (Horape> about most often. A typical scenario has two links with different features
[22:25] (Horape> and costs, and we want to distribute the traffic depending on the services.
[22:25] (Horape> To do it we'll need the firewall's marking capabilities. Example:
[22:26] (Horape> Let's assume that iface0 is a low-throughput, low-delay link
[22:26] (Horape> and iface1 is a high-throughput, high-delay link. It's reasonable to want
[22:26] (Horape> to send interactive traffic via iface0 and normal traffic via iface1.
[22:26] (Horape> # Routing tables
[22:26] (Horape> ip route add 0.0.0.0/0 dev iface0 table 100 # low latency routing table
[22:26] (Horape> ip route add 0.0.0.0/0 dev iface1
[22:27] (Horape> # Mark ssh traffic as interactive
[22:27] (Horape> ipchains -I input -p tcp -d 0/0 22 -m 2
[22:27] (Horape> # Marked packets go via low-latency routing table
[22:27] (Horape> ip rule add fwmark 2 table 100
[22:28] (Horape> Often these routing schemes use IP Masquerade. As IPMasq determines
[22:28] (Horape> what address to use based on routing decisions, packets come back
[22:28] (Horape> via the same links that were used when going out.
[22:28] (Horape> Playing with these things is very interesting and fun. As an exercise
[22:28] (Horape> for the reader, you could let the connection establishment go via
[22:29] (Horape> the fast connection and the data traffic via the cheap link.
[22:29] (Horape> Notice that before netfilter's advent (2.3 series of the linux kernel)
[22:29] (Horape> service based routing couldn't be used for connections where the
[22:29] (Horape> router itself was involved. That was because the packet marking was
[22:29] (Horape> done in the 'input' chain, which locally generated packets don't
[22:29] (Horape> traverse. Netfilter provides the NF_IP_LOCAL_OUT hook that allows marking locally
[22:30] (Horape> generated packets. There is more information about netfilter at
[22:30] (Horape> http://umeet.uninet.edu/english/pres.eng.html
[22:30] (Horape> - "Independent Multi-ISP Connection"
[22:30] (Horape> Under this name I was introduced to a scenario where an
[22:31] (Horape> educational network in Canada provided a satellite connection
[22:31] (Horape> to the internet to its users. The users used PPP to connect to
[22:31] (Horape> their local ISPs and their requests were sent to a proxy
[22:31] (Horape> that answered via the satellite link. As the addresses of
[22:31] (Horape> the clients had no pattern that let us determine that
[22:31] (Horape> they were clients, we decided that any answer from the proxy would be sent
[22:31] (Horape> via the satellite link.
[22:32] (Horape> ip route add 0/0 dev sat0 table 100
[22:32] (Horape> ipchains -I input -p tcp -s proxy 3128 -m 2
[22:32] (Horape> ip rule add fwmark 2 table 100
[22:33] (Horape> - Honey pots.
[22:33] (Horape> Honey pots are used for studying the methods crackers use
[22:33] (Horape> to attack systems. We need to direct the attacks to the honey pot.
[22:33] (Horape> What better way than making the legit servers part of the honey
[22:33] (Horape> pot? Or at least seem to be...
[22:34] (Horape> The approach described here was designed jointly with Juan
[22:34] (Horape> Manuel Pascual Escribá, who I believe has implemented it on his
[22:34] (Horape> servers (I tried to contact him for confirmation, but I haven't
[22:34] (Horape> got any answer yet). We made the honey pot have the same addresses
[22:34] (Horape> as the legit servers and directed all the traffic for those addresses
[22:34] (Horape> that wasn't related to the real services to the honey pot.
[22:35] (Horape> (Assume a web server with IP address 10.5.6.7 on the segment
[22:35] (Horape> connected to eth0 on the router and the honey pot with the same
[22:35] (Horape> address on the segment connected to eth1)
[22:35] (Horape> # Routing tables
[22:35] (Horape> ip route add 10.5.6.0/24 dev eth0 table 100 # Real
[22:36] (Horape> ip route add 10.5.6.0/24 dev eth1 # Packets go to the honey pot by default
[22:36] (Horape> # Mark legit packets
[22:36] (Horape> ipchains -I input -p tcp -d 10.5.6.7 80 -m 2
[22:36] (Horape> # Legit packets go to the real server
[22:37] (Horape> ip rule add fwmark 2 table 100
[22:37] (Horape> --------------
[22:37] (HoraPe> we'll wait a bit until the translations finish and continue with the Q&A session
[22:38] (MJesus> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:38] (MJesus> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[22:38] (MJesus> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:38] (MJesus> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[22:38] (MJesus> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:38] (MJesus> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[22:38] (MJesus> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:38] (Borja> plas plas plas plas plas
[22:38] (fernand0> plas plas plas plas plas plas plas
[22:38] (HoraPe> ok, we're done. I'll continue in spanish but i'll answer questions in the same
[22:38] (MJC> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:38] (Ricardo> :))))
[22:38] (Ricardo> :))))
[22:38] (MJC> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[22:38] (MJC> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:38] (MJC> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[22:38] (MJC> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:38] (MJC> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[22:39] (HoraPe> language they're asked (english or spanish only :-)
[22:39] (fernand0> plas plas plas plas plas plas plas
[22:39] (telo> plas plas plas plas plas
[22:39] (elpacheco> plas plas plas plas pplas plas plas plas plas
[22:39] (Horape> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:39] (MJC> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:39] (MJC> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[22:39] (fernand0> plas plas plas plas plas plas plas
[22:39] (fernand0> plas plas plas plas plas plas plas
[22:39] (MJC> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[22:39] (elpacheco> plas plas plas plas plas plas plas plas
[22:39] (maz> plas plas plas plas plas plas
[22:39] (maz> plas plas plas plas plas plas
[22:39] (maz> plas plas plas plas plas plas
[22:39] (maz> plas plas plas plas plas plas
[22:39] (HoraPe> I want to thank Fernando M. Roxo da Motta for the Portuguese translation.
[22:39] (elpacheco> plas plas plas plas plas plas plas
[22:40] (HoraPe> And MJesus and Fernand0 for forcing me to give this talk (including threats and beatings)
[22:40] (maz> and the Spanish one?
[22:40] (maz> hahahahahaha
[22:40] (fernand0> we went easy on him, eh?
[22:40] * MJesus looks at the ceiling whistling.... those things were fernando's and borja's fault
[22:41] (HoraPe> For the next half hour we'll continue with questions if anyone wants to ask them (not much longer, since, like nik, I have a girlfriend who's grumbling at me so we can leave...)
[22:41] (Ricardo> Don't apologize, HoraPe :) It's been very good :)
[22:41] (Horape> she's right, she's right,.....
[22:41] (fernand0> blessed girlfriends
[22:41] (fernand0> and wives
[22:41] (Hue-Bond> women
[22:41] (HoraPe> [Flor!flor@192.168.0.10] When are we leaving???
[22:41] (maz> true
[22:41] (Hue-Bond> :D
[22:41] (maz> a question
[22:41] (fernand0> and the rest of the family
[22:41] (Flor> I didn't say that!!
[22:41] (Ricardo> Uh
[22:41] (maz> has any of you configured the Cisco Security
[22:42] (maz> haha
[22:42] (Ricardo> Flor
[22:42] (Ricardo> Don't be mean to him
[22:42] (Ricardo> Take the example of my girlfriend, who is very selfless
[22:42] (Ricardo> X)
[22:42] (maz> they're denying it
[22:42] (Hue-Bond> HoraPe: is that the order? ip route; ipchains; ip rule
[22:42] (Ricardo> :DDDDDD
[22:42] (Flor> the thing is, he's the one who wants to leave quickly, and he uses me as an excuse....
[22:42] (Ricardo> Flor: It happens ;)))
[22:42] (Hue-Bond> Ricardo: mine is resigned :)
[22:42] (HoraPe> Hue-Bond: there's no required order
[22:42] (Salvage> HoraPe is a little liar
[22:42] (HoraPe> the tables can be filled whether or not they're referenced by rules
[22:43] (fernand0> welcome flor :)
[22:43] (HoraPe> the rules can reference tables that haven't been created yet
[22:43] (Flor> thanks
[22:43] (HoraPe> but that order has the advantage that everything starts working at once
[22:43] (Hue-Bond> HoraPe: ok. my last question: I don't understand this: ip route 10.5.6.0/24 dev eth0 # Packets go to the honey pot by default
[22:43] (Hue-Bond> what happens if you don't put table?
[22:43] (HoraPe> since you add the routes before the rules exist, they aren't consulted until the rules are there
[22:43] (elpacheco> ?
[22:44] (HoraPe> if you don't put table it goes to the "main" table
[22:44] (elpacheco> ?
[22:44] (HoraPe> which is referenced in the default rule set
[22:44] (Hue-Bond> ah, default rules :)
[22:44] (HoraPe> when you use traditional routing you only use that table
[22:44] (HoraPe> the default rules are:
[22:44] (HoraPe> 0: from all lookup local
[22:45] (HoraPe> (the local table is filled when you assign addresses to the interfaces)
[22:45] (HoraPe> 32766: from all lookup main
[22:45] (elpacheco> ?
[22:45] (HoraPe> (it's the table routes go to when you don't specify otherwise)
[22:45] (HoraPe> 32767: from all lookup default
[22:45] (HoraPe> the numbers are the priorities
[22:45] (HoraPe> a lower number means the rule is more important
[22:45] (elpacheco> ?
[22:46] (HoraPe> elpacheco: ask directly
[22:46] (Hue-Bond> where's a compass? %-/
[22:46] (elpacheco> and how come it doesn't cause you problems
[22:46] (Salvage> Question:
[22:46] (elpacheco> having two machines with the same IP
[22:46] (elpacheco> in order to make that honeynet?
[22:47] (Salvage> we're talking about doing routing on a Linux machine, with which kernel version and which routing package?
[22:47] (Salvage> to be a bit clearer
[22:47] (HoraPe> I'll answer Salvage first since it's easier: 2.1 onwards
[22:47] (elpacheco> with red hat 6.2
[22:47] (HoraPe> using iproute2
[22:47] (Salvage> okay
[22:47] (HoraPe> in the examples I use ipchains, but if you have 2.3 you can do everything (and more) with netfilter
[22:48] (HoraPe> elpacheco: now I'll answer you
[22:48] (HoraPe> yes, it can cause problems
[22:48] (HoraPe> you have to do it very carefully
[22:48] (HoraPe> first you determine which traffic is legitimate for the server involved
[22:48] (HoraPe> suppose it's a web server
[22:49] (HoraPe> it won't do anything but answer web requests
[22:49] (elpacheco> so, with this line you mark the traffic for your server "ipchains -I input -p tcp -d 10.5.6.7 80 -m 2"
[22:49] (elpacheco> and you also avoid that problem?
[22:49] (HoraPe> and make DNS queries to the local server (which doesn't need to go through the firewall)
[22:50] (HoraPe> so with that rule you let the web requests reach the right machine
[22:50] (HoraPe> and the rest you throw to the honeynet
[22:50] (Salvage> does this chain have to go on the web server, or on the machine acting as the router on my network?
[22:50] (HoraPe> the analysis of which traffic is valid can be very complicated at times
[22:51] (HoraPe> you put that chain on the firewall, which is connected to the segment where the real server is, to the honeynet segment, and to the router that gives you the internet connection
[22:51] (Salvage> ok
[22:51] (HoraPe> traffic that isn't legitimate never reaches the real server
[22:51] (HoraPe> instead it's intercepted and redirected to the honeynet
[22:52] (Hue-Bond> but it can be done with two different internal IPs too, right?
[22:52] (Hue-Bond> different ones
[22:52] (HoraPe> I don't understand the proposal
[22:52] (Hue-Bond> legitimate traffic is sent to 10.5.6.7
[22:53] (Hue-Bond> and the rest to, say, 10.6.7.8
[22:53] (HoraPe> you can make a honeynet with different addresses, but you can't redirect the attacks against your real server to it
[22:53] (Hue-Bond> can't it be done that way?
[22:53] (elpacheco> supposedly, in order to make that honeynet you have to take an IP number
[22:53] (elpacheco> and put it on two different machines...
[22:53] (elpacheco> one would be the real one
[22:53] (HoraPe> (except by doing NAT, and then you're back to a case which for all practical purposes is exactly the same)
[22:53] (elpacheco> and the other not
[22:54] (Hue-Bond> the addresses you gave at the beginning have more info, right? :)
[22:54] (Hue-Bond> more
[22:54] (HoraPe> Hue-Bond: and how do you make machine 10.6.7.8 answer as 10.5.6.7 without giving it that address too?
[22:55] (HoraPe> Hue-Bond: the addresses I gave have more information about iproute2
[22:55] (Salvage> doesn't putting the same address on two ethernets on your network cause you problems?
[22:55] (Hue-Bond> hmm
[22:56] (HoraPe> on how honeynets work, there will be a talk in the coming days by pask, with whom we devised this system (and I think he has implemented it on his networks)
[22:56] (HoraPe> Salvage: you don't put them on the same segment
[22:56] (HoraPe> the honeynet is separated from the real network by the firewall
[22:56] (Hue-Bond> yes, I've already seen it's scheduled
[22:56] (elpacheco> aaaaahhhhh, ok, now I get how it works.
[22:56] (HoraPe> Salvage: and I'll tell you the same as elpacheco, it's complicated, if you don't do the prior analysis very carefully you can run into surprises
[22:58] (Salvage> right
[22:58] (Salvage> the firewall is the one that does the work of redirecting you to the other network segment, right?
[22:58] (HoraPe> of course
[22:59] (HoraPe> it determines which traffic is valid and which isn't and sends it to one machine or the other accordingly
[23:00] (HoraPe> Hue-Bond: pask's talk on honey pots is scheduled for the 14th at 22.30 CET
[23:00] (Hue-Bond> yes, I already have it in my ~/calendar :)
[23:01] (Salvage> does this work the same with public and private addresses?
[23:02] (HoraPe> Salvage: if it's a public web server you'll have to use public addresses (otherwise it won't be reachable from the internet); if you want to catch internal attackers you can also do it with reserved addresses
[23:04] (Hue-Bond> well
[23:04] (Hue-Bond> mister HoraPe, thanks a lot for sharing your knowledge with us poor mortals :)
[23:06] (fernand0> Well
[23:06] (MJesus> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[23:06] (MJesus> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[23:06] (MJesus> 4plas 5plas 6plas 7plas 8plas 9plas 10plas 11plas 12plas 13plas
[23:06] (MJesus> 4clap 5clap 6clap 7clap 8clap 9clap 10clap 11clap 12clap 13clap
[23:06] (fernand0> this is a perfect moment to thank the speaker
[23:06] (fernand0> for his presence here
[23:06] (fernand0> Also to thank all of you for attending
[23:06] (fernand0> to remind you that the log of the talk will be published on our website as soon as possible
[23:06] (fernand0> and that this interesting debate can continue in the usual forums
[23:07] (fernand0> Tomorrow the day is dedicated to the presentation of free papers
[23:07] (fernand0> stay tuned to your screens
[23:07] (fernand0> :)
[23:07] (fernand0> there will also be a very interesting talk on telemedicine
[23:09] (MJesus> well, great.....
[23:09] (MJesus> as was to be expected
[23:09] (telo> a question .. what are the tools for bandwidth control? I understand iproute2, cbq, share and some others are used ..
[23:10] (fernand0> naturally you can keep chatting in the channel about the topic of the talk and others of your interest
[23:10] (HoraPe> within the iproute2 group of utilities there is tc (traffic control)
[23:11] (HoraPe> a good introduction can be found in the advanced routing howto mentioned earlier
[23:11] *** fernand0 (ftricas@prometeo.cps.unizar.es) Quit (Leaving)
And we kept chatting for a good while longer...