
Slide 1: Network Lab - Installing a Wireless LAN Card and Setting Up an AP
Instructor: Prof. 侯廷昭

Slide 2: Outline
- Lab objectives and equipment
- Background knowledge required:
  - WLAN
  - WEP
  - NAT and iptables
  - DHCP
  - Bridge

Slide 4: Lab objectives and equipment
Lab objectives:
- Become familiar with the IEEE 802.11 wireless LAN protocol
- Install a wireless LAN card on the Linux operating system
- Configure the PC as an Access Point (AP) with bridge and NAT (Network Address Translation) functions
- Configure the PC as an Access Point with encryption (WEP)

Slide 5: Lab objectives and equipment
Lab equipment:
- One personal computer
- A wireless LAN card
- Linux OS (kernel 2.6)
- One Ethernet card
- A public IP address
- A test computer

Slide 6: Outline (section divider; the WLAN section follows)

Slide 7: Background - WLAN
Stimulated by the availability of unlicensed spectrum:
- U.S. Industrial, Scientific, Medical (ISM) bands
- 902-928 MHz, 2.400-2.4835 GHz, 5.725-5.850 GHz
[Figure: IEEE 802 family tree]

Slide 8: Background - WLAN
[Figure: IEEE 802.11 standards]

Slide 9: Background - WLAN
Nomenclature:
- Distribution System: a logical component of 802.11 used to forward frames to their destinations
- Access Points: perform the wireless-to-wired bridging function
- Wireless Medium
- Stations

Slide 10: Background - WLAN
Basic Service Set (BSS):
- A group of stations that coordinate their access using a given instance of the MAC
- Located in a Basic Service Area (BSA)
- Stations in a BSS can communicate with each other
- Distinct collocated BSSs can coexist

Slide 11: Background - WLAN
Types of networks:
- Independent networks (independent basic service set, IBSS), also known as ad hoc networks
- Infrastructure networks

Slide 12: Background - WLAN
Infrastructure BSS:
- Two advantages of infrastructure networks: the mobile stations need not maintain neighbor relationships, and access points assist stations attempting to save power
- In an infrastructure network, stations must associate with an AP to obtain network services (the equivalent of plugging in the network cable)

Slide 13: Background - WLAN
Extended Service Set:
- An extended service set (ESS) is created by chaining BSSs together with a backbone network (the distribution system, DS)
- All the access points in an ESS are given the same service set identifier (SSID), which serves as a network "name" for the users

Slide 14: Background - WLAN
[Figure only]

Slide 15: Background - WLAN
- For stations in an ESS to communicate with each other, the wireless medium must act like a single layer 2 connection
- Access points act as bridges, so direct communication between stations in an ESS requires that the backbone network also look like a layer 2 connection

Slide 16: Background - WLAN
Distribution System:
- The distribution system is responsible for tracking where a station is physically located and delivering frames appropriately
- The backbone Ethernet is the distribution system medium, but it is not the entire distribution system

Slide 17: Background - WLAN
- The distribution system is composed of the bridging engine plus the wired backbone network
- Every frame sent by a mobile station in an infrastructure network must use the distribution system

Slide 18: Background - WLAN
[Figure: overlapping network types]

Slide 19: Background - WLAN
802.11 network operations:
- 802.11 is sometimes referred to as "wireless Ethernet"
- Stations are identified by 48-bit IEEE 802 MAC addresses
- Conceptually, frames are delivered based on the MAC address
- Frame delivery is unreliable, though 802.11 incorporates some basic reliability mechanisms to overcome the inherently poor qualities of the radio channels it uses

Slide 20: Background - WLAN
Physical carrier sensing:
- Analyze all detected frames
- Monitor relative signal strength from other sources
Virtual carrier sensing at the MAC sublayer:
- The source station informs other stations of the transmission time (in msec) of an MPDU (MAC PDU)
- Carried in the Duration field of RTS, CTS and DATA frames
- Stations adjust their Network Allocation Vector to indicate when the channel will become idle
The channel is busy if either sensing mechanism reports busy.

Slide 21: Background - WLAN
Distributed Coordination Function (DCF):
- Provides the basic access service
- Asynchronous best-effort data transfer
- All stations contend for access to the medium (CSMA/CA)
- Ready stations wait for completion of the current transmission
- All stations must wait an Interframe Space (IFS)
[Figure: IFS timing - busy medium, then DIFS / PIFS / SIFS, contention window and next frame; other stations defer access and wait for the reattempt time]

Slide 22: Background - WLAN
Frame structure:
- MAC header: 30 bytes
- Frame body: 0-2312 bytes
- CRC: CCITT-32, 4 bytes, computed over the MAC header and frame body
Frame layout (field: size in bytes):
Frame Control: 2 | Duration/ID: 2 | Address 1: 6 | Address 2: 6 | Address 3: 6 | Sequence Control: 2 | Address 4: 6 | Frame Body: 0-2312 | CRC: 4

Slide 23: Background - WLAN
Frame Control (1):
- Protocol version = 0
- Type: Management (00), Control (01), Data (10)
- Subtype within the frame type, e.g. Type=00, subtype=association; Type=01, subtype=ACK
- MoreFrag=1 if another fragment of the MSDU is to follow
Frame Control field layout (field: size in bits):
Protocol version: 2 | Type: 2 | Subtype: 4 | To DS: 1 | From DS: 1 | More frag: 1 | Retry: 1 | Pwr mgt: 1 | More data: 1 | WEP: 1 | Rsvd: 1

Slide 24: Background - WLAN
Frame Control (2):
- Retry=1 if a mgmt/control frame is a retransmission
- Power Management: puts the station in/out of sleep mode
- More Data=1 tells a station in power-save mode that more data is buffered for it at the AP
- WEP=1 if the frame body is encrypted
(Frame Control field layout as on slide 23.)
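To make the layout on slides 22 to 24 concrete, here is an added parser for the Frame Control field and MAC header (example code written for this page, not from the lecture). It decodes the bit fields in the order the slides list them, includes Address 4 only when both To DS and From DS are set, checks the trailing CRC, and runs on a constructed sample frame.

```python
import struct
import zlib

TYPES = {0: "management", 1: "control", 2: "data"}

def parse_frame_control(fc):
    """Decode the 16-bit Frame Control field (transmitted little-endian)."""
    b0, b1 = fc & 0xFF, (fc >> 8) & 0xFF
    return {
        "protocol_version": b0 & 0x03,        # 2 bits, always 0
        "type": (b0 >> 2) & 0x03,             # 2 bits: 00 mgmt, 01 control, 10 data
        "subtype": (b0 >> 4) & 0x0F,          # 4 bits
        "to_ds": bool(b1 & 0x01), "from_ds": bool(b1 & 0x02),
        "more_frag": bool(b1 & 0x04), "retry": bool(b1 & 0x08),
        "pwr_mgt": bool(b1 & 0x10), "more_data": bool(b1 & 0x20),
        "wep": bool(b1 & 0x40), "rsvd": bool(b1 & 0x80),
    }

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mac_header(frame):
    """Split a frame into header fields, body and CRC; Address 4 exists only if To DS and From DS are both set."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    hdr = parse_frame_control(fc)
    hdr["duration_id"] = duration
    hdr["addr1"], hdr["addr2"], hdr["addr3"] = (mac(frame[o:o + 6]) for o in (4, 10, 16))
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    hdr["fragment_number"], hdr["sequence_number"] = seq_ctl & 0x0F, seq_ctl >> 4
    end = 24
    if hdr["to_ds"] and hdr["from_ds"]:
        hdr["addr4"] = mac(frame[24:30])
        end = 30
    hdr["body"] = frame[end:-4]
    # The trailing CRC (CCITT-32, the same CRC-32 as Ethernet) covers header and body.
    hdr["crc_ok"] = zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]
    return hdr

# Constructed sample: a data frame from a station to its AP (To DS = 1) with WEP = 1,
# Duration 44, sequence number 5, a 5-byte body and a valid CRC appended.
SAMPLE_FRAME = (bytes.fromhex("0841") + bytes.fromhex("2c00")
                + bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + bytes.fromhex("ccddeeff0011") + bytes.fromhex("5000") + b"hello")
SAMPLE_FRAME += struct.pack("<I", zlib.crc32(SAMPLE_FRAME))

if __name__ == "__main__":
    h = parse_mac_header(SAMPLE_FRAME)
    print(TYPES[h["type"]], "to_ds" if h["to_ds"] else "", "wep" if h["wep"] else "", h["addr1"])
```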

Slide 25: Outline (section divider; the WEP section follows)

Slide 26: Background - WEP
WEP: Wired Equivalent Privacy
- WEP requires the use of the RC4 cipher (a stream cipher)
[Figure: generic stream cipher operation]

Slide 27: Background - WEP
- Most stream ciphers operate by taking a relatively short secret key and expanding it into a pseudorandom keystream the same length as the message
- The pseudorandom number generator (PRNG) is the set of rules used to expand the key into a keystream

Slide 28: Background - WEP
[Figure: WEP data processing]

Slide 29: Background - WEP
WEP framing:
- IV header: 24-bit IV; pad = 0; key id identifies the default key that was used to encrypt the frame (up to 4 default keys)
- ICV: a 32-bit CRC of the data frame
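The following is an added worked example of the encapsulation described on slides 26 to 29 (written for this page, not code from the lecture): RC4 is seeded with IV || key, the keystream is XORed over data || ICV, and the 4-byte IV header carries the key id in its top two bits. The key bytes and IV are constructed sample values. The last function is a monitoring-style check that follows from the 24-bit IV size: two frames carrying the same key id and IV were encrypted under the same keystream.

```python
import struct
import zlib

def rc4(seed, n):
    """RC4 PRNG: expand the seed (IV || secret key) into an n-byte keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(data, keys, key_id, iv):
    """IV header (3-byte IV, pad = 0, key id in the top 2 bits) + RC4(IV||key) XOR (data || ICV)."""
    assert len(iv) == 3 and 0 <= key_id < 4 and key_id in keys
    icv = struct.pack("<I", zlib.crc32(data))          # 32-bit CRC of the plaintext
    ks = rc4(iv + keys[key_id], len(data) + 4)
    body = bytes(p ^ k for p, k in zip(data + icv, ks))
    return iv + bytes([key_id << 6]) + body

def wep_decapsulate(frame, keys):
    """Return (plaintext, icv_ok). Key id and IV are read from the frame; the pad bits are ignored."""
    iv, key_id = frame[:3], frame[3] >> 6
    ks = rc4(iv + keys[key_id], len(frame) - 4)
    plain = bytes(c ^ k for c, k in zip(frame[4:], ks))
    data, icv = plain[:-4], plain[-4:]
    return data, icv == struct.pack("<I", zlib.crc32(data))

def iv_reused(frame_a, frame_b):
    """True when two frames share key id and IV, i.e. the same keystream was used twice.
    Only 2**24 IVs exist per key, so reuse is certain after at most 2**24 frames."""
    return frame_a[:3] == frame_b[:3] and frame_a[3] >> 6 == frame_b[3] >> 6

# Constructed sample: a 40-bit default key in slot 0 and a hand-picked IV.
KEYS = {0: bytes.fromhex("0102030405")}
SAMPLE_IV = bytes.fromhex("000001")

if __name__ == "__main__":
    frame = wep_encapsulate(b"hello AP", KEYS, 0, SAMPLE_IV)
    print(frame.hex(), wep_decapsulate(frame, KEYS))
```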

Slide 30: Background - WEP
Key distribution:
- The WEP key must be distributed to all stations; typically you type keys into your device drivers or AP by hand
- The key cannot be considered secret: if keys are accessible to users, then all keys must be changed whenever staff members leave the organization
- Publish the key
- In Aug. 2001, S. Fluhrer, I. Mantin and A. Shamir described a theoretical attack on WEP

Slide 31: Outline (section divider; the NAT and iptables section follows)

Slide 32: Background - NAT
- Class A, B, and C addresses have been set aside for use within private internets
- Packets with private ("unregistered") addresses are discarded by routers in the global Internet
NAT (RFC 1631): a method for mapping packets from hosts in private internets into packets that can traverse the Internet
- A device (computer, router, firewall) acts as an agent between a private network and a public network
- A number of hosts can share a limited number of registered IP addresses
- Static/Dynamic NAT: maps unregistered addresses to registered addresses
- Overloading: maps multiple unregistered addresses into a single registered address (e.g. a home LAN)

Slide 33: Background - NAT
- Hosts inside private networks generate packets with private IP addresses and TCP/UDP port numbers
- NAT maps each private IP address and port number into the shared global IP address and an available port number
- The translation table allows packets to be routed unambiguously
[Figure: NAT device between the private network and the public network]
Address translation table (private side; public side):
192.168.0.10; x  <->  128.100.10.15; y
192.168.0.13; w  <->  128.100.10.15; z
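An added simulation of the overloading NAT table from the slide (example code for this page, not from the lecture). It allocates a port on the shared address on first use, reuses the entry for later packets of the same private (address, port), translates replies back, and shows two consequences the slide leaves implicit: inbound packets with no table entry are dropped, and the shared address has a finite port pool. The port range and the destination address 203.0.113.5 are constructed values.

```python
import itertools

class NatOverload:
    """Overloading NAT: many private (address, port) pairs share one registered address.
    The translation table maps each inside pair to a unique port on the shared address."""

    def __init__(self, public_ip, first_port=40000, last_port=65535):
        self.public_ip = public_ip
        self.free_ports = itertools.count(first_port)
        self.last_port = last_port
        self.out_table = {}   # (private_ip, private_port) -> public_port
        self.in_table = {}    # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private -> public: allocate a translation on first use, reuse it afterwards."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            port = next(self.free_ports)
            if port > self.last_port:
                raise RuntimeError("port pool exhausted")   # the shared address has no free port left
            self.out_table[key] = port
            self.in_table[port] = key
        return self.public_ip, self.out_table[key], dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Public -> private: only packets that match an existing entry are forwarded inside."""
        if dst_ip != self.public_ip or dst_port not in self.in_table:
            return None   # no table entry: unsolicited traffic toward the private network is dropped
        priv_ip, priv_port = self.in_table[dst_port]
        return src_ip, src_port, priv_ip, priv_port

if __name__ == "__main__":
    nat = NatOverload("128.100.10.15")
    print(nat.outbound("192.168.0.10", 5000, "203.0.113.5", 80))
    print(nat.inbound("203.0.113.5", 80, "128.100.10.15", 40000))
```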

Slide 34: iptables
iptables is long-established software whose main purpose is to build firewalls in IPv4 environments. Every incoming packet is processed according to pre-configured firewall rules and the corresponding action is taken; these actions are called Targets and include accept (ACCEPT), drop (DROP) and so on. iptables is also used to build NAT servers.

Slide 35: iptables structure
[Figure only]

Slide 36: iptables Rules/Chains
Whatever firewall you use, you essentially configure firewall rules (Rules) that govern how packets are handled. iptables groups rules into different chains (Chains) for lookup. iptables has five built-in chains: PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING.
- INPUT and OUTPUT apply to packets related to local processes: a packet arriving on a network interface counts as INPUT only if it is addressed to the local host, and a packet leaving through an interface counts as OUTPUT only if it was generated locally
- Packets that are neither delivered to nor originated by the local host belong to FORWARD (neither INPUT nor OUTPUT)
- PREROUTING checks rules after a packet is received but before the routing decision is made
- POSTROUTING checks rules on packets that are about to be sent out (after the FORWARD or OUTPUT check)

Slide 37: Options
-t [table name]
- Every rule lives in a table. iptables has three tables, mangle, nat and filter (ip6tables has no nat table). The mangle table holds rules that modify packets, the nat table holds the address translation rules used when running a NAT server, and the filter table is for packet filtering.
-A [chain]
- Add or delete a rule: A (Add) adds, D (Delete) deletes. The chain that follows can be any of the five built-in chains.
-i [interface name]
- Match condition 1: only packets received on the given interface match.
-s [IP address]
- Match condition 2: a packet matches only if its source is the given IP address.
-d [IP address]
- Match condition 3: a packet matches only if its destination is the given IP address.
-j [Target name]
- j stands for Jump: when all of a rule's conditions match, the packet is taken and handled with the Target named after this option.
--oif [interface name]
- Oif stands for Outgoing Interface. This option can only be used with the ROUTE Target and sets the interface on which the packet is sent out.
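To show how the options on slides 36 and 37 combine into a verdict, here is an added rule matcher (example code for this page, not from the lecture or from iptables itself). It parses command lines using only -t, -A, -i, -s, -d and -j, keeps -A order as evaluation order, and applies first match wins, then the chain policy. The interface names wlan0 and eth0, the subnet 192.168.0.0/24 and the address 203.0.113.5 are constructed values; MASQUERADE is a real nat-table target that the slides do not list.

```python
import ipaddress
import shlex

def parse_rule(command):
    """Parse one iptables command line using the options from the slide (-t, -A, -i, -s, -d, -j)."""
    argv = shlex.split(command)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    rule = {"table": "filter"}          # filter is the default table when -t is omitted
    for opt, val in zip(argv[0::2], argv[1::2]):
        if opt == "-t": rule["table"] = val
        elif opt == "-A": rule["chain"] = val
        elif opt == "-i": rule["in_iface"] = val
        elif opt in ("-s", "-d"):       # a bare address is treated as a /32, as iptables does
            rule[opt] = ipaddress.ip_network(val, strict=False)
        elif opt == "-j": rule["target"] = val
        else: raise ValueError(f"unsupported option {opt}")
    return rule

def build_chains(commands, policies):
    """Group rules by (table, chain); -A appends, so list order is evaluation order."""
    chains = {key: {"policy": pol, "rules": []} for key, pol in policies.items()}
    for cmd in commands:
        r = parse_rule(cmd)
        chains[(r["table"], r["chain"])]["rules"].append(r)
    return chains

def matches(rule, pkt):
    if "in_iface" in rule and pkt["in_iface"] != rule["in_iface"]: return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in rule["-s"]: return False
    if "-d" in rule and ipaddress.ip_address(pkt["dst"]) not in rule["-d"]: return False
    return True

def verdict(chains, table, chain, pkt):
    """The first matching rule jumps to its target; with no match the chain's default policy applies."""
    entry = chains[(table, chain)]
    for r in entry["rules"]:
        if matches(r, pkt):
            return r["target"]
    return entry["policy"]

# Constructed lab rule set: forward only traffic that arrives from the wireless side with a
# source inside the private subnet, and translate that subnet on the way out; drop the rest.
LAB_RULES = [
    "iptables -A FORWARD -i wlan0 -s 192.168.0.0/24 -j ACCEPT",
    "iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE",
]
LAB_POLICIES = {("filter", "FORWARD"): "DROP", ("nat", "POSTROUTING"): "ACCEPT"}
```

With a DROP policy on FORWARD, reply packets arriving on eth0 would also be dropped by this matcher; a real AP admits them with iptables' stateful (connection tracking) match, which is outside the option list on the slide.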

Slide 38: Outline (section divider; the DHCP section follows)

Slide 39: Background - DHCP
Dynamic Host Configuration Protocol (RFC 2131)
BOOTP (RFC 951, 1542) allows a diskless workstation to be remotely booted up in a network
- UDP port 67 (server) and port 68 (client)
DHCP builds on BOOTP to allow servers to deliver configuration information to a host
- Used extensively to assign temporary IP addresses to hosts
- Allows ISPs to maximize usage of their limited IP addresses

Slide 40: Background - DHCP
DHCP operation:
- The host broadcasts a DHCP Discover message on its physical network
- A server replies with an Offer message (IP address + configuration information)
- The host selects one offer and broadcasts a DHCP Request message
- The server allocates the IP address for lease time T and sends a DHCP ACK message with T and the threshold times T1 (= 1/2 T) and T2 (= 0.875 T)
- At T1, the host attempts to renew the lease by sending a DHCP Request message to the original server
- If there is no reply by T2, the host broadcasts a DHCP Request to any server

Slide 41: Background - DHCP
Message exchange between an arriving client and DHCP server 223.1.2.5 (time runs downward):
1. DHCP discover: src 0.0.0.0, 68; dest 255.255.255.255, 67; yiaddr 0.0.0.0; transaction ID 654
2. DHCP offer: src 223.1.2.5, 67; dest 255.255.255.255, 68; yiaddr 223.1.2.4; transaction ID 654; lifetime 3600 secs
3. DHCP request: src 0.0.0.0, 68; dest 255.255.255.255, 67; yiaddr 223.1.2.4; transaction ID 655; lifetime 3600 secs
4. DHCP ACK: src 223.1.2.5, 67; dest 255.255.255.255, 68; yiaddr 223.1.2.4; transaction ID 655; lifetime 3600 secs
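An added simulation of the exchange on slides 40 and 41 and of the lease timers (example code for this page, not from the lecture or any DHCP implementation). The server side offers an address on Discover, commits it only on Request, answers a Request for an address it cannot give with a NAK, and the client-side helper reports what the host does at T1, T2 and expiry. The client MAC addresses are constructed values; the server address, pool address and lease come from the slide.

```python
BROADCAST = "255.255.255.255"

class DhcpServer:
    """Minimal server side of the four-message exchange (UDP 67 on the server, 68 on the client)."""

    def __init__(self, ip, pool, lease=3600):
        self.ip, self.pool, self.lease = ip, list(pool), lease
        self.leases = {}                       # client MAC -> yiaddr

    def handle(self, msg):
        reply = {"src": (self.ip, 67), "dst": (BROADCAST, 68), "xid": msg["xid"], "lifetime": self.lease}
        if msg["type"] == "DISCOVER":
            # Offer the first free address but do not commit it until the client requests it.
            return {**reply, "type": "OFFER", "yiaddr": self.pool[0]} if self.pool else None
        if msg["type"] == "REQUEST" and msg["yiaddr"] in self.pool:
            self.pool.remove(msg["yiaddr"])
            self.leases[msg["chaddr"]] = msg["yiaddr"]
            return {**reply, "type": "ACK", "yiaddr": msg["yiaddr"]}
        if msg["type"] == "REQUEST" and self.leases.get(msg["chaddr"]) == msg["yiaddr"]:
            return {**reply, "type": "ACK", "yiaddr": msg["yiaddr"]}    # renewal of an existing lease
        return {**reply, "type": "NAK", "yiaddr": "0.0.0.0"}

def client_message(kind, xid, chaddr, yiaddr="0.0.0.0"):
    """Before it has an address the client sends from 0.0.0.0:68 to the broadcast address, port 67."""
    return {"type": kind, "src": ("0.0.0.0", 68), "dst": (BROADCAST, 67),
            "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr}

def renewal_timers(T):
    """T1 = T/2 (renew with the original server), T2 = 0.875 T (broadcast to any server)."""
    return T // 2, int(0.875 * T)

def client_action(elapsed, T):
    """What the client does at a given point into its lease, following the slide."""
    T1, T2 = renewal_timers(T)
    if elapsed < T1: return "use address"
    if elapsed < T2: return "REQUEST to original server"
    if elapsed < T:  return "broadcast REQUEST to any server"
    return "lease expired: restart with DISCOVER"

if __name__ == "__main__":
    server = DhcpServer("223.1.2.5", ["223.1.2.4"])
    offer = server.handle(client_message("DISCOVER", 654, "00:11:22:33:44:55"))
    ack = server.handle(client_message("REQUEST", 655, "00:11:22:33:44:55", offer["yiaddr"]))
    print(offer, ack, renewal_timers(ack["lifetime"]))
```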

Slide 42: Outline (section divider; the Bridge section follows)

Slide 43: Background - Bridge
Operation at the data link level must deal with:
- Differences in MAC formats
- Differences in data rates; buffering; timers
- Differences in maximum frame length
[Figure: protocol stacks of an 802.3 station (CSMA/CD) and an 802.11 station (CSMA/CA) joined through a bridge; PHY, MAC and LLC layers on each side, Network layer above]

Slide 44: Background - Bridge
Bridge/switch vs. router:
- Both are store-and-forward devices
- Routers are network layer devices (they examine network layer headers); switches are link layer devices
- Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms

Slide 45: Kernel network parameters (/proc/sys/net)
- /proc/sys/net/ipv4/ip_forward: whether the kernel forwards packets between interfaces; disabled by default

