CT320: Totalitarian Networking
- Welcome to the ecstatic republic of the people of Happytopia!
- In Happytopia, all citizens are happy.
- In Happytopia, we do not permit citizens to hear depressing
news from the outside world.
- Unfortunately, the Internet is a constant problem.
- How can our happy citizens remain happy when they might
hear depressing news from the outside world via the Internet?
We need to restrict access to:
- depressing websites
- messaging facilities
Access vs. Security
- How many public entrances are there to a mall?
- How many public entrances are there to the White House?
- Why are the answers to those questions different?
- To accomplish this, we need to filter network traffic.
- To accomplish that, we need a small number of access points,
or “choke points”, to the outside world.
- Will this affect our network throughput?
- Will this affect our network robustness?
- No price is too great to ensure the happiness of our citizens!
Traffic by port
Any TCP or UDP segment carried in an IP packet is associated with a service, which is mapped to a port number:

| Port | Protocol | Name | Typical use |
|------|----------|------|-------------|
| 22 | SSH | Secure SHell | ssh/scp commands |
| 25 | SMTP | Simple Mail Transfer Protocol | send email |
| 53 | DNS | Domain Name System | host name ⇒ IP address |
| 80 | HTTP | HyperText Transfer Protocol | world-wide web |
| 110 | POP3 | Post Office Protocol 3 | fetch email |
| 123 | NTP | Network Time Protocol | what time is it? |
| 139 | SMB | Server Message Block | Windows file sharing |
| 143 | IMAP | Internet Message Access Protocol | fetch email |
| 194 | IRC | Internet Relay Chat | chat rooms |
| 443 | HTTPS | HyperText Transfer Protocol Secure | world-wide web |
| 2049 | NFS | Network File System | Linux file sharing |
- Great! Now, instead of thinking about web pages or IRC, we can
reduce the problem to (host, port) pairs. A blacklist:
- Forbid (www.cnn.com, 80)
- Forbid (www.cnn.com, 443)
- Forbid (*, 194)
- Forbid (*, 2049)
- Forbid (*, 139)
- Forbid (*, 22)
- Or, it might be safer to just forbid all ports, and then have
a list of exceptions, a “whitelist”.
- To simplify things, forbid all DNS (port 53) access to the outside world.
- Have one DNS server, under our control, inside of Happytopia.
- Reject any reference to cnn.com or bbc.com.
- All other requests can be resolved by having our DNS server query
outside DNS servers.
- Is this really necessary, given that we’re already blocking cnn.com
by packet filtering on its IP address?
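The blacklist-versus-whitelist choice and the DNS question above, as an added example (not part of the lecture): a first-match (host, port) policy evaluator. The whitelist hosts, the DNS server address 10.0.0.53 and the IP literal 203.0.113.10 are constructed placeholders, not real addresses of any site.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    host: str            # hostname, IP/CIDR, or "*" for any host
    port: Optional[int]  # None matches any port

def host_matches(pattern: str, host: str) -> bool:
    """Match a rule's host field against a destination (hostname or IP literal)."""
    if pattern == "*":
        return True
    try:  # IP/CIDR patterns only ever match IP-literal destinations
        return ip_address(host) in ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == host.lower()  # plain hostname comparison

def decide(rules: list[Rule], default: str, host: str, port: int) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for r in rules:
        if host_matches(r.host, host) and (r.port is None or r.port == port):
            return r.action
    return default

# The slide's blacklist, used with a default of "allow".
BLACKLIST = [Rule("deny", "www.cnn.com", 80), Rule("deny", "www.cnn.com", 443),
             Rule("deny", "*", 194), Rule("deny", "*", 2049),
             Rule("deny", "*", 139), Rule("deny", "*", 22)]

# Whitelist: forbid everything, then list exceptions. Only the single
# in-country DNS server (constructed: 10.0.0.53) may be reached on port 53.
WHITELIST = [Rule("allow", "10.0.0.53/32", 53),
             Rule("allow", "www.happytopia.example", 80),
             Rule("allow", "www.happytopia.example", 443)]

def compare(host: str, port: int) -> tuple[str, str]:
    """Return (blacklist decision, whitelist decision) for one destination."""
    return (decide(BLACKLIST, "allow", host, port),
            decide(WHITELIST, "deny", host, port))

if __name__ == "__main__":
    # Non-standard port and IP-literal access slip past the name-based blacklist;
    # the default-deny whitelist catches both without extra rules.
    for dest in [("www.cnn.com", 80), ("www.cnn.com", 8080),
                 ("203.0.113.10", 443), ("198.51.100.1", 53)]:
        print(dest, compare(*dest))
```

The (203.0.113.10, 443) case is the point of the DNS question: a filter keyed on hostnames never sees a connection made straight to an IP literal, so the packet filter must hold IP-based rules and the controlled DNS server is a separate, complementary layer.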
- Do not allow any email (SMTP, IMAP, POP3) connections to the outside world.
- Maintain an in-country email server/forwarder.
- Scan email messages for unhappy topics.
- Bounce/drop email if unhappiness found.
- What about encrypted mail?
- What if the message is just an image?
- When an attempt to access unhappiness is found, what should we do?
- Is it enough to merely drop the packet, fail the connection, bounce the email?
- It might be better to alert the Ministry of Happiness, so that
the potentially unhappy citizen can be cheered up.
- But, how do we know which citizen is responsible?
- Allocate IP addresses from a single central authority.
- If anybody uses an IP address that wasn’t allocated by the central
authority, it will be rejected at the border.
- Keep track of who gets what.
- All IP packets contain a source IP address.
- Unhappy operations can now be traced back to the appropriate citizen.