-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This post should be read as an addition to my previous posts on the topic of tunnels. In it I will use some of the solutions given in RFC 1101 (a somewhat old RFC, but rather unknown in our parts... why is that???)
If you have to build tunnels while operating only with real address space, the following effect occurs quite often. Because the tunnel address spaces are specified as networks with 30-bit subnet masks (dotted notation 255.255.255.252), it is easy to lose track of which network starts where and where it ends. To avoid this confusion you can use the in-addr.arpa zone of your network for the purpose.

* * *

I will show you how this is done for a class C network and for classlessly delegated networks.

* * *

1. IN-ADDR.ARPA for a class "C" network

Example scheme:

We will look at the class C network 192.168.1.0. The in-addr.arpa domain for this network has been delegated by the central registry for 168.192.in-addr.arpa as follows:

    $ORIGIN 168.192.in-addr.arpa.
    1       NS      ns1.example.dom.
            NS      ns2.example.dom.

The administrator of this network, however, has decided to split it into smaller segments for various purposes, for example address space for tunnels, user subnets, and so on. Here is how he has structured his network:

    192.168.1.0/30    -> tunnel IP space
    192.168.1.4/30    -> tunnel IP space
    192.168.1.8/30    -> tunnel IP space
    192.168.1.12/30   -> tunnel IP space
    192.168.1.16/28   -> user network No.1
    192.168.1.32/29   -> user network No.2
    192.168.1.40/29   -> user network No.3
    192.168.1.48/28   -> user network No.4
    192.168.1.64/26   -> user network No.5
    192.168.1.128/25  -> user network No.6

If only to make his own work easier, the administrator can describe the networks and their network masks in the in-addr.arpa domain. Below is an example of how this is done in the zone 1.168.192.in-addr.arpa:

    $TTL 86400      ; 1 day
    @       SOA     ns1.example.dom. root.example.dom. (
                            2003020902      ; serial
                            86400           ; refresh (1 day)
                            3600            ; retry (1 hour)
                            3600000         ; expire (5 weeks 6 days 16 hours)
                            86400           ; minimum (1 day)
                            )
            NS      ns1.example.dom.
            NS      ns2.example.dom.
    0       PTR     net-address.tunnel-1.example.dom.
            A       255.255.255.252
    1       PTR     host1.tunnel-1.example.dom.
    2       PTR     host2.tunnel-1.example.dom.
    3       PTR     broadcast.tunnel-1.example.dom.
    4       PTR     net-address.tunnel-2.example.dom.
            A       255.255.255.252
    5       PTR     host1.tunnel-2.example.dom.
    6       PTR     host2.tunnel-2.example.dom.
    7       PTR     broadcast.tunnel-2.example.dom.
    8       PTR     net-address.tunnel-3.example.dom.
            A       255.255.255.252
    9       PTR     host1.tunnel-3.example.dom.
    10      PTR     host2.tunnel-3.example.dom.
    11      PTR     broadcast.tunnel-3.example.dom.
    12      PTR     net-address.tunnel-4.example.dom.
            A       255.255.255.252
    13      PTR     host1.tunnel-4.example.dom.
    14      PTR     host2.tunnel-4.example.dom.
    15      PTR     broadcast.tunnel-4.example.dom.
    16      PTR     net-address.usernet-1.example.dom.
            A       255.255.255.240
    ...
    ...
    ...
    31      PTR     broadcast.usernet-1.example.dom.
    32      PTR     net-address.usernet-2.example.dom.
            A       255.255.255.248
    ...
    ...
    ...
    39      PTR     broadcast.usernet-2.example.dom.
    40      PTR     net-address.usernet-3.example.dom.
            A       255.255.255.248
    ...
    ...
    ...
    47      PTR     broadcast.usernet-3.example.dom.
    48      PTR     net-address.usernet-4.example.dom.
            A       255.255.255.240
    ...
    ...
    ...
    63      PTR     broadcast.usernet-4.example.dom.
    64      PTR     net-address.usernet-5.example.dom.
            A       255.255.255.192
    ...
    ...
    ...
    127     PTR     broadcast.usernet-5.example.dom.
    128     PTR     net-address.usernet-6.example.dom.
            A       255.255.255.128
    ...
    ...
    ...
    255     PTR     broadcast.usernet-6.example.dom.

The purpose of these A records (at least in our case) is to show where a given network starts and what its subnet mask is. This helps a great deal with orientation.

A few explanations regarding the queries... If you make the query

    dig @ns1.example.dom -t PTR 0.1.168.192.in-addr.arpa

you will get the answer:

    [root@ns1 root]# dig @ns1.example.dom. -t PTR 0.1.168.192.in-addr.arpa
    ...
    ;; ANSWER SECTION:
    0.1.168.192.in-addr.arpa. 86400 IN      PTR     net-address.tunnel-1.example.dom.
    ...

If you want to retrieve the A RR:

    [root@ns1 root]# dig @ns1.example.dom. -t A 0.1.168.192.in-addr.arpa
    ...
    ;; ANSWER SECTION:
    0.1.168.192.in-addr.arpa. 86400 IN      A       255.255.255.252
    ...

That is how you will know it works.
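As an added example (not part of the original post), here is a small Python script that does in code what the zone above does by hand: it takes the subnet layout from the first example, checks that the blocks tile 192.168.1.0/24 without overlaps or gaps, generates the PTR + RFC 1101-style A (mask) records in the post's layout, and recovers the CIDR block that a network-address owner describes from its A record, the same way the dig queries above read it back. The layout and example.dom are the post's own; the generated records and the helper names are constructed for this illustration.

```python
import ipaddress

# Subnet layout copied from the first example above (example.dom is the post's own
# placeholder domain); everything generated from it is a constructed illustration.
LAYOUT = [
    ("192.168.1.0/30", "tunnel-1"),
    ("192.168.1.4/30", "tunnel-2"),
    ("192.168.1.8/30", "tunnel-3"),
    ("192.168.1.12/30", "tunnel-4"),
    ("192.168.1.16/28", "usernet-1"),
    ("192.168.1.32/29", "usernet-2"),
    ("192.168.1.40/29", "usernet-3"),
    ("192.168.1.48/28", "usernet-4"),
    ("192.168.1.64/26", "usernet-5"),
    ("192.168.1.128/25", "usernet-6"),
]


def check_layout(parent, layout):
    """Return a list of problems (blocks outside the parent, overlaps, gaps); [] if clean."""
    parent = ipaddress.ip_network(parent)
    nets = sorted(ipaddress.ip_network(cidr) for cidr, _ in layout)
    problems = []
    expected = int(parent.network_address)  # first address not yet accounted for
    for net in nets:
        if not net.subnet_of(parent):
            problems.append(f"{net} lies outside {parent}")
            continue
        start = int(net.network_address)
        if start < expected:
            problems.append(f"{net} overlaps the preceding block")
        elif start > expected:
            problems.append(f"gap before {net}: {ipaddress.ip_address(expected)} "
                            f"to {ipaddress.ip_address(start - 1)} is unassigned")
        expected = max(expected, int(net.broadcast_address) + 1)
    if expected <= int(parent.broadcast_address):
        problems.append(f"gap at the end of {parent} from {ipaddress.ip_address(expected)}")
    return problems


def zone_records(parent, layout, domain):
    """Build (owner, type, rdata) tuples for the /24's in-addr.arpa zone in the post's style:
    a PTR plus an RFC 1101-style A record (the mask) at each network address, numbered host
    PTRs, and a PTR at each broadcast address. Owners are the last octet, relative to the zone."""
    parent = ipaddress.ip_network(parent)
    if parent.prefixlen != 24:
        raise ValueError("this helper only handles a /24 reverse zone")
    records = []
    for cidr, label in layout:
        net = ipaddress.ip_network(cidr)
        first = int(net.network_address) & 0xFF
        last = int(net.broadcast_address) & 0xFF
        records.append((str(first), "PTR", f"net-address.{label}.{domain}."))
        records.append((str(first), "A", str(net.netmask)))
        for n, octet in enumerate(range(first + 1, last), start=1):
            records.append((str(octet), "PTR", f"host{n}.{label}.{domain}."))
        records.append((str(last), "PTR", f"broadcast.{label}.{domain}."))
    return records


def lookup(records, owner, rtype):
    """What 'dig -t <rtype> <owner>.1.168.192.in-addr.arpa' would answer from these records."""
    return [rdata for o, t, rdata in records if o == owner and t == rtype]


def described_subnet(records, owner, base):
    """Recover the CIDR block that the mask (A record) at a network-address owner describes;
    None when the owner carries no mask, i.e. it is not a network address in this zone."""
    masks = lookup(records, owner, "A")
    if not masks:
        return None
    return str(ipaddress.ip_network(f"{base}.{owner}/{masks[0]}"))


def format_zone(records):
    """Render the records as zone-file lines in the post's layout."""
    return "\n".join(f"{owner:<8}{rtype:<8}{rdata}" for owner, rtype, rdata in records)


if __name__ == "__main__":
    print(check_layout("192.168.1.0/24", LAYOUT) or "layout tiles 192.168.1.0/24 exactly")
    recs = zone_records("192.168.1.0/24", LAYOUT, "example.dom")
    print(format_zone(recs))
    print(described_subnet(recs, "16", "192.168.1"))  # the block usernet-1 occupies
```

Running check_layout before regenerating the zone is the useful part: a typo in one mask (say /29 instead of /28 for usernet-1) shows up as a gap or an overlap immediately, instead of as a confusing PTR answer later.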
When you want to check the architecture of your network, you can request an AXFR of the zone and see it in its entirety. This is quite useful, and in many situations. Forget the paranoia about forbidding transfers of in-addr.arpa zones. It can be proven in 5 lines that this is absolutely silly and unnecessary.

* * *

2. IN-ADDR.ARPA for classless delegation

Example scheme:

A client has received the network 192.168.2.0/26 (subnet mask in dotted notation 255.255.255.192). The delegation of the in-addr.arpa domain for this network is done in the zone of the domain 2.168.192.in-addr.arpa as follows (for more details see RFC 2317):

    ...
    ...
    0       NS      ns1.client.dom.
            NS      ns2.client.dom.
    1       CNAME   1.0
    2       CNAME   2.0
    ...
    ...
    ...
    63      CNAME   63.0
    ...
    ...

The client, for his part, has built at his site a zone for the domain 0.2.168.192.in-addr.arpa and has set up the following network architecture:

    192.168.2.0/30    -> tunnel IP space
    192.168.2.4/30    -> tunnel IP space
    192.168.2.8/30    -> tunnel IP space
    192.168.2.12/30   -> tunnel IP space
    192.168.2.16/28   -> user network No.1
    192.168.2.32/29   -> user network No.2
    192.168.2.40/29   -> user network No.3
    192.168.2.48/28   -> user network No.4

The source of the zone (abbreviated) looks like this:

    $TTL 86400      ; 1 day
    @       SOA     ns1.client.dom. root.client.dom. (
                            2003020902      ; serial
                            86400           ; refresh (1 day)
                            3600            ; retry (1 hour)
                            3600000         ; expire (5 weeks 6 days 16 hours)
                            86400           ; minimum (1 day)
                            )
            NS      ns1.client.dom.
            NS      ns2.client.dom.
            PTR     net-address.client.dom.
            A       255.255.255.252
    1       PTR     host1.tunnel-1.client.dom.
    2       PTR     host2.tunnel-1.client.dom.
    3       PTR     broadcast.tunnel-1.client.dom.
    4       PTR     net-address.tunnel-2.client.dom.
            A       255.255.255.252
    5       PTR     host1.tunnel-2.client.dom.
    6       PTR     host2.tunnel-2.client.dom.
    7       PTR     broadcast.tunnel-2.client.dom.
    8       PTR     net-address.tunnel-3.client.dom.
            A       255.255.255.252
    9       PTR     host1.tunnel-3.client.dom.
    10      PTR     host2.tunnel-3.client.dom.
    11      PTR     broadcast.tunnel-3.client.dom.
    12      PTR     net-address.tunnel-4.client.dom.
            A       255.255.255.252
    13      PTR     host1.tunnel-4.client.dom.
    14      PTR     host2.tunnel-4.client.dom.
    15      PTR     broadcast.tunnel-4.client.dom.
    16      PTR     net-address.usernet-1.client.dom.
            A       255.255.255.240
    ...
    ...
    ...
    31      PTR     broadcast.usernet-1.client.dom.
    32      PTR     net-address.usernet-2.client.dom.
            A       255.255.255.248
    ...
    ...
    ...
    39      PTR     broadcast.usernet-2.client.dom.
    40      PTR     net-address.usernet-3.client.dom.
            A       255.255.255.248
    ...
    ...
    ...
    47      PTR     broadcast.usernet-3.client.dom.
    48      PTR     net-address.usernet-4.client.dom.
            A       255.255.255.240
    ...
    ...
    ...
    63      PTR     broadcast.usernet-4.client.dom.

It looks like the previous case, with one exception!!!

Attention!!! THIS IS THE MAIN DIFFERENCE BETWEEN THE TWO CASES AND YOU SHOULD READ IT C-A-R-E-F-U-L-L-Y!

Now let us request the PTR resource record for 0.2.168.192.in-addr.arpa. The lookup will proceed as follows: the registry for 168.192.in-addr.arpa is queried, then there is a query to the zone of the domain 2.168.192.in-addr.arpa, and from there the query is sent on to the zone of the domain 0.2.168.192.in-addr.arpa. And here comes the subtle moment. Note where and how the PTR RR for 0.2.168.192.in-addr.arpa is defined. It is defined in the header of the zone, at the zone apex (compare with the previous case). If you write the description

    0       PTR     net-address.client.dom.
            A       255.255.255.252

it will not work: in this zone the owner name 0 is relative to the origin 0.2.168.192.in-addr.arpa, so those records would belong to 0.0.2.168.192.in-addr.arpa, not to the name being looked up. Here someone might say "yes, but if I put 0 CNAME 0.0 in the zone of the domain 2.168.192.in-addr.arpa ...". Yes, but note that this way you get the following accumulation of definitions at one owner name

    0       NS      ns1.client.dom.
    0       NS      ns2.client.dom.
    0       CNAME   0.0

which is not quite correct (a CNAME may not coexist with other records at the same name).

* * *

I will try to gather and polish this into a piece of documentation so that it is in a readable and eye-pleasing form, but that will happen later on. For now I only did it to help those who slice their networks into many subnets.
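As an added example (not part of the original post), the following Python script models the RFC 2317 delegation chain from the second case: the provider's 2.168.192.in-addr.arpa zone with its NS and CNAME records, the client's 0.2.168.192.in-addr.arpa zone, and a deliberately minimal resolver that picks the most specific zone for a name and follows CNAMEs. It shows why the apex PTR answers for 0.2.168.192.in-addr.arpa while a record written at owner "0" lands on 0.0.2.168.192.in-addr.arpa and answers nothing, and it flags the NS + CNAME pile-up at one owner that the post warns about. The zone contents mirror the post's (client.dom is the post's placeholder domain); the resolver, the record lists and the helper names are constructed for this illustration and are not a real DNS implementation.

```python
# Constructed model of the RFC 2317 delegation chain from the second example above.
PARENT_ORIGIN = "2.168.192.in-addr.arpa."
CHILD_ORIGIN = "0.2.168.192.in-addr.arpa."

# Provider side: NS for the /26 at owner "0", and one CNAME per host address into it.
PARENT_ZONE = [("0", "NS", "ns1.client.dom."), ("0", "NS", "ns2.client.dom.")] + [
    (str(i), "CNAME", f"{i}.0") for i in range(1, 64)
]

# Client side, as the post has it: PTR and mask for the first /30 sit at the apex ("@").
CHILD_ZONE_CORRECT = [
    ("@", "NS", "ns1.client.dom."),
    ("@", "PTR", "net-address.client.dom."),
    ("@", "A", "255.255.255.252"),
    ("1", "PTR", "host1.tunnel-1.client.dom."),
    ("2", "PTR", "host2.tunnel-1.client.dom."),
    ("3", "PTR", "broadcast.tunnel-1.client.dom."),
    ("4", "PTR", "net-address.tunnel-2.client.dom."),
    ("4", "A", "255.255.255.252"),
]

# The variant the post warns against: owner "0" instead of the apex.
CHILD_ZONE_WRONG = [("@", "NS", "ns1.client.dom."),
                    ("0", "PTR", "net-address.client.dom."),
                    ("0", "A", "255.255.255.252")] + CHILD_ZONE_CORRECT[3:]


def absolute(name, origin):
    """Zone-file rules: '@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def build(origin, records):
    """Expand owners (and name-valued rdata) against $ORIGIN; returns {(owner, type): [rdata]}."""
    db = {}
    for owner, rtype, rdata in records:
        if rtype in ("PTR", "CNAME", "NS"):
            rdata = absolute(rdata, origin)
        db.setdefault((absolute(owner, origin), rtype), []).append(rdata)
    return db


def cname_conflicts(db):
    """Owner names that carry a CNAME together with other record types (not allowed by RFC 1034)."""
    with_cname = {owner for owner, rtype in db if rtype == "CNAME"}
    return sorted({owner for owner, rtype in db if rtype != "CNAME" and owner in with_cname})


class Resolver:
    """Selects the most specific zone for a name and follows CNAMEs, like a resolver
    walking 168.192 -> 2.168.192 -> 0.2.168.192 would."""

    def __init__(self, zones):
        self.zones = zones  # {origin: db}

    def zone_for(self, name):
        matches = [o for o in self.zones if name == o or name.endswith("." + o)]
        return max(matches, key=len) if matches else None

    def query(self, name, rtype, max_hops=8):
        for _ in range(max_hops):
            db = self.zones.get(self.zone_for(name))
            if db is None:
                return None
            if (name, rtype) in db:
                return db[(name, rtype)]
            cname = db.get((name, "CNAME"))
            if not cname:
                return None
            name = cname[0]  # follow the RFC 2317 CNAME into the client's zone
        return None


def reverse_name(ip):
    """Dotted-quad IPv4 address -> its in-addr.arpa name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def resolver_with(child_records):
    return Resolver({PARENT_ORIGIN: build(PARENT_ORIGIN, PARENT_ZONE),
                     CHILD_ORIGIN: build(CHILD_ORIGIN, child_records)})


if __name__ == "__main__":
    good, bad = resolver_with(CHILD_ZONE_CORRECT), resolver_with(CHILD_ZONE_WRONG)
    print(good.query(reverse_name("192.168.2.1"), "PTR"))  # via 1.0.2.168.192.in-addr.arpa.
    print(good.query(reverse_name("192.168.2.0"), "PTR"))  # the apex record answers
    print(bad.query(reverse_name("192.168.2.0"), "PTR"))   # None: record sits at 0.0.2.168.192...
    print(cname_conflicts(build(PARENT_ORIGIN, PARENT_ZONE + [("0", "CNAME", "0.0")])))
```

The cname_conflicts check is the one worth running on the provider side before reloading the parent zone: it catches the "0 CNAME 0.0" shortcut at load time rather than after the first confusing lookup.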
* * *

It is possible that many clients will run into a lack of understanding on this question from the system administrators of their providers. I would ask them to write to me at my personal e-mail about such cases.

Regards
Vesselin Kolev

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+R4vx+48lZPXaa+MRAryTAKD4KBN2ITy7Mnv68dqOsZCptpIIRACg/60K
x37BrCovkMwH+XeWDhoE52Y=
=iFib
-----END PGP SIGNATURE-----

============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
============================================================================