Show Lecture.TotalitarianNetworking as a slide show.
CT320 Totalitarian Networking
Happytopia
- Welcome to the ecstatic republic of the people of Happytopia!
- In Happytopia, all citizens are happy.
- In Happytopia, we do not permit citizens to hear depressing
news from the outside world.
- Unfortunately, the Internet is a constant problem.
- How can our happy citizens remain happy when they might
hear depressing news from the outside world via the Internet?
Unhappy Information
We need to restrict access to:
- depressing websites:
- messaging facilities:
Access vs. Security
- How many public entrances are there to a mall?
- How many public entrances are there to the White House?
- Why are the answers to those questions different?
Choke Points
- To accomplish this, we need filter network traffic.
- To accomplish that, we need a small number of access points,
or “choke points”, to the outside world.
- Will this affect our network throughput?
- Will this affect our network robustness?
- No price is too great to ensure the happiness of our citizens!
Traffic by port
Any TCP or IP packet is associated with a service, which is mapped to a port:
Port | Name | Expansion | Meaning |
22 | SSH | Secure SHell | ssh/scp commands |
25 | SMTP | Simple Mail Transfer Protocol | send email |
53 | DNS | Domain Name System | host name ⇒ ip address |
80 | HTTP | HyperText Transfer Protocol | world-wide web |
110 | POP3 | Post Office Protocol 3 | fetch email |
123 | NTP | Network Time Protocol | what time is it? |
139 | SMB | Server Message Block | Windows file sharing |
143 | IMAP | Internet Message Access Protocol | fetch email |
194 | IRC | Internet Relay Chat | Chat rooms |
443 | HTTPS | HyperText Transfer Protocol | world-wide web |
2049 | NFS | Network File System | Linux file sharing |
Packet Filtering
- Great! Now, instead of thinking about web pages, or IRC, we can be
reduce the problem to (host, port) pairs. A blacklist:
- Forbid (www.cnn.com, 80)
- Forbid (www.cnn.com, 443)
- Forbid (*, 194)
- Forbid (*, 2049)
- Forbid (*, 139)
- Forbid (*, 22)
- Or, it might be safer to just forbid all ports, and then have
a list of exceptions, a “whitelist”.
DNS access
- To simplify things, forbid all DNS (port 53) access to the outside world.
- Have one DNS server, under our control, inside of Happytopia.
- Reject any reference to cnn.com or bbc.com.
- All other requests can be resolved by having our DNS server query
outside DNS servers.
- Is this really necessary, given that we’re already blocking cnn.com
via packet filtering via its IP address?
Email
- Do not allow any email (SMTP, IMAP, POP3) connections to the outside world.
- Maintain an in-country email server/forwarder.
- Scan email messages for unhappy topics.
- Bounce/drop email if unhappiness found.
- What about encrypted mail?
- What if the message is just an image?
Blame
- When an attempt to access unhappiness is found, what should we do?
- Is it enough to merely drop the packet, fail the connection, bounce the email?
- It might be better to alert the Ministry of Happiness, so that
the potentially unhappy citizen can be cheered up.
- But, how do we know which citizen is responsible?
IP addresses
- Allocate IP addresses from a single central authority.
- If anybody uses a IP address that wasn’t allocated by the central
authority, it will be rejected at the border.
- Keep track of who gets what.
- All IP packets contain a source IP address.
- Unhappy operations can now be traced back to the appropriate citizen.
The End