How is the global network organized, and how does it work in the Russian Federation?

We all use the Internet: we spend time on social networks, watch films online, read the news and even shop. But does everyone know how the Internet works and where it comes from? Let me explain.

The Internet reaches us through providers, or more precisely through third-tier providers, which build local networks and sell connectivity. They contract with tier-2 providers, usually "national" operators covering a country or a group of countries in a region (Rostelecom and Transtelecom, with their own connectivity across the CIS, are vivid examples), and those in turn buy connectivity from tier-1 providers, the ones on whom the Internet rests: intercontinental global operators with trunk cables (usually fibre) on the ocean floor and terabits of traffic. They carry the largest costs and collect the largest revenues. They usually serve customers through lower-tier operators, but in exceptional cases (typically from hundreds of megabits upward) they sell traffic directly.

We sign a contract with the provider, after which it gives us a channel matching the chosen tariff, tied to our contract, together with all the data without which the provider has no right to provide us with Internet access. When a machine connects to the Internet, the provider's DHCP server most often hands out a dynamic global IPv6 address (unless you requested a static address from the provider).

What is it for?


An IP address lets other computers on the network communicate with yours: send messages, share files and so on. In fact, though, it is not as simple as it looks at first glance.
An address can be local or global. A local address is issued, for example, by your router.

Moving on: the Internet is distributed from one large channel among subscribers, and this is implemented with a router and a NAT server (masquerade). When traffic from the large channel reaches a subscriber, it arrives at the router, which replaces the address in the packet on the fly with the address of the machine that made the request, and performs the reverse substitution in the opposite direction.

We visit the site, but how is everything arranged under the hood?


All sites live on servers. Servers are computers powerful enough to answer every request, running a dedicated server OS, mainly Linux (Ubuntu, Debian, CentOS). The site itself is served by software designed specifically for hosting websites, mainly Apache or Nginx. These computers have no graphical interface, to save resources; all work is done from the command line.

Such servers sit in dedicated data centres, of which every country and region has several. They are very well guarded, and their operation is watched by experienced specialists, who are themselves well watched.

So the server is running and the site works, but that is not all. As I said, every computer has its own addresses, local and global, and a site has a 128-bit address, but surely we are not going to reach it at such a hard-to-remember address? This is where DNS comes in. This system registers addresses in its database and assigns each a short name, for example google.ru.
The domain name system works with full names (Latin letters, digits, hyphens and underscores are allowed when forming them). They are far easier to remember, they carry meaning and they are easier to work with: instead of 209.185.108.134 we type google.ru in the address bar.
DNS servers are found in routers and at providers, which can substitute addresses when more up-to-date data is available.

SORM


We have learned that the provider gives us the Internet, so our traffic passes through it. This is where the state steps in, demanding surveillance of Internet users. SORM systems are installed at the provider, connected to the switch, and traffic flows through them. These systems filter packets, site visits and who knows what else. They also have access to the provider's database. Depending on the type of system, it collects either an individual's traffic or everyone's.

Do other countries monitor their citizens too?


Yes, they do. Similar systems exist in other countries: in Europe, Lawful Interception (LI), certified by ETSI; in the USA, CALEA (Communications Assistance for Law Enforcement Act). What distinguishes our SORM is how the use of these functions is supervised. In Russia, unlike in Europe and the USA, FSB officers must hold a valid court order, but they may connect to the SORM equipment without presenting that warrant to the operator.

And now the technical details:
IP address: the unique network address of a node in a computer network built on the TCP/IP protocol stack.

In version 6, the IP address (IPv6) is 128 bits long. Within the address, the separator is a colon (e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334). Leading zeros within a group may be omitted. Consecutive zero groups may be omitted and replaced with a double colon (fe80:0:0:0:0:0:0:1 can be written as fe80::1). Only one such omission is allowed in an address.
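The three shorthand rules just listed are easy to get wrong by hand, so here is an added example (written for this page, not code from the article) that applies them: `compress_ipv6` drops leading zeros and replaces the longest run of zero groups with a single `::`, and `expand_ipv6` reverses the process while rejecting text that contains more than one `::`. The function names are my own; the addresses in the comments are the ones from the text above.

```python
import re

# Added example: IPv6 shorthand rules from the text, implemented directly.
# compress_ipv6("2001:0db8:85a3:0000:0000:8a2e:0370:7334") -> "2001:db8:85a3::8a2e:370:7334"
# compress_ipv6("fe80:0:0:0:0:0:0:1")                      -> "fe80::1"

def compress_ipv6(addr: str) -> str:
    """Return the shortest textual form of a fully written IPv6 address.

    Rules, in the order the text states them:
      1. leading zeros inside each 16-bit group are dropped;
      2. the longest run of two or more all-zero groups becomes '::'
         (a single zero group stays '0', as RFC 5952 recommends);
      3. only one '::' may appear, so only the first longest run is used.
    """
    groups = addr.lower().split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"expected eight hex groups: {addr!r}")
    # Rule 1: strip leading zeros, keeping a single '0' for an all-zero group.
    short = [g.lstrip("0") or "0" for g in groups]
    # Rule 2: locate the longest run of consecutive '0' groups (first one wins ties).
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if short[i] == "0":
            j = i
            while j < 8 and short[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(short)
    head = ":".join(short[:best_start])
    tail = ":".join(short[best_start + best_len:])
    return f"{head}::{tail}"


def expand_ipv6(addr: str) -> str:
    """Undo the shorthand: eight zero-padded groups, or ValueError if the
    text breaks the 'at most one ::' rule or is otherwise malformed."""
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' is not allowed: {addr!r}")
    if "::" in addr:
        left, right = addr.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one group: {addr!r}")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return ":".join(g.lower().zfill(4) for g in groups)
```

Python's standard `ipaddress` module does the same normalisation; writing it out shows why the "only one `::`" rule exists: with two of them the reader could not tell how many zero groups each one stands for.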

DHCP (Dynamic Host Configuration Protocol) is a network protocol that lets computers automatically obtain an IP address and the other parameters needed to work on a TCP/IP network. It follows the client-server model: while configuring its network interface, the client computer contacts a DHCP server and receives the required parameters from it. The network administrator can specify the range of addresses the server distributes among computers. This avoids manual configuration of networked computers and reduces errors. DHCP is used on most TCP/IP networks.
DHCP is an extension of the BOOTP protocol, which was previously used to give diskless workstations IP addresses at boot time. DHCP remains backward compatible with BOOTP.

DHCP ports: 67 for the server, 68 for the client.
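The client-server exchange and the administrator-defined range described above are easier to see in code. The following is an added example written for this page, not software from the article: an in-memory toy DHCP server (the class name, the MAC strings and the 192.168.1.x range are constructed) that models the DISCOVER → OFFER → REQUEST → ACK decisions. It hands out leases from the configured range, gives a renewing client its existing address back, refuses a REQUEST for an address it never offered, and reuses addresses once their leases expire. Real servers carry these messages over UDP ports 67 and 68; the toy one keeps only the decision logic.

```python
from dataclasses import dataclass, field
import ipaddress

# Added example: a toy DHCP server modelling the DISCOVER/OFFER/REQUEST/ACK
# exchange over an administrator-defined address range. No sockets involved.

@dataclass
class DhcpServer:
    first: str                      # first address of the administrator-defined range
    last: str                       # last address of the range (inclusive)
    lease_seconds: int = 3600
    leases: dict = field(default_factory=dict)   # MAC -> (ip, expires_at)
    offers: dict = field(default_factory=dict)   # MAC -> ip offered, not yet acknowledged

    def _pool(self):
        """Every address in the configured range, in order."""
        start = int(ipaddress.IPv4Address(self.first))
        end = int(ipaddress.IPv4Address(self.last))
        return (str(ipaddress.IPv4Address(n)) for n in range(start, end + 1))

    def _in_use(self, now: float) -> set:
        """Addresses held by unexpired leases or by offers still awaiting a REQUEST.
        (Pending offers never time out here; a real server would expire them too.)"""
        taken = {ip for ip, expires in self.leases.values() if expires > now}
        return taken | set(self.offers.values())

    def discover(self, mac: str, now: float):
        """DHCPDISCOVER: choose a free address and answer with a DHCPOFFER (None = no offer)."""
        ip, expires = self.leases.get(mac, (None, 0))
        if ip and expires > now:          # renewing client gets its current address back
            self.offers[mac] = ip
            return ip
        busy = self._in_use(now)
        for candidate in self._pool():
            if candidate not in busy:
                self.offers[mac] = candidate
                return candidate
        return None                       # pool exhausted

    def request(self, mac: str, ip: str, now: float) -> str:
        """DHCPREQUEST: ACK only if the client asks for exactly what it was offered."""
        if self.offers.get(mac) != ip:
            return "NAK"
        del self.offers[mac]
        self.leases[mac] = (ip, now + self.lease_seconds)
        return "ACK"
```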
The main protocol on the Internet is TCP:
TCP/IP is a network model for transmitting data in digital form. The model describes how data travels from an information source to a recipient. It assumes that information passes through four levels, each described by a rule (a transmission protocol). The sets of rules that solve the data-transfer problem make up the stack of data-transfer protocols on which the Internet is based. The name TCP/IP comes from the two most important protocols of the family, Transmission Control Protocol (TCP) and Internet Protocol (IP), which were the first to be developed and described in this standard. It is also occasionally called the Department of Defense (DoD) model because of its historical descent from the ARPANET network of the 1970s (managed by DARPA, US Department of Defense).
TCP ports: HTTP 80, SMTP 25, FTP 21.

SORM


Providers also have data-collection complexes installed. Here in Russia this is SORM; in other countries there are similar complexes, only under a different name and from a different manufacturer.
IS SORM-3 is a software and hardware complex for collecting, accumulating and storing information about the subscribers of telecom operators, static information about the services provided, and payments. Access to the information stored in the system is given to authorized employees of state bodies during operational-search measures (ORM) on the operators' networks, through integration with the standard control centre of the regional FSB department.

I will not show complex diagrams; I am sure nobody needs them. I will only say that they connect to the switch (SNR 4550).

A network switch is a device designed to connect several nodes of a computer network within one or more network segments. The switch operates at the data link (second) layer of the OSI model. Switches were designed using bridge technology and are often considered multiport bridges. Routers (OSI layer 3) are used to connect multiple networks at the network layer.
A router is a specialized computer that forwards packets between different network segments based on rules and routing tables. A router can connect heterogeneous networks of different architectures. To decide where to forward a packet, it uses information about the network topology and rules set by the administrator.
It is common practice to split an IP-based network into logical segments, or logical subnets. For this, each segment is allocated a range of addresses, specified by a network address and a network mask. For example (in CIDR notation):


The main task of SORM is to ensure the security of the state and its citizens, which is achieved by selective control of the intercepted information. SORM is developed in accordance with the orders of the State Communications Committee, the Ministry of Communications and the Government of the Russian Federation, whose purpose is to oblige telecom operators "to provide authorized state bodies engaged in operational-search activities or ensuring the security of the Russian Federation with information about users of communication services and the communication services rendered to them, as well as other information necessary to fulfil the tasks assigned to these bodies in cases established by federal laws."
SORM-2 is a system for tracking Russian Internet users. It is a device (server) connected to the equipment of the provider (telecom operator). The provider merely includes it in its network and knows nothing about the goals and methods of interception; the special services handle its management.

SORM-3 - what's new?


The main goal of SORM-3 is to obtain the most complete information about a user, not only in real time but also over a certain period (up to 3 years). Whereas SORM-1 and SORM-2 intercept the user's information, SORM-3 does not hold such content; it only collects statistics, stores them and builds a profile of the person on the Internet. To accumulate such volumes of data, large storage systems will be used, along with Deep Packet Inspection systems to filter out superfluous information (films, music, games) that carries nothing useful for law enforcement agencies.

Let us return to how one large channel is shared among subscribers through a router and a NAT server (masquerade), and look at this in more detail.
NAT is a mechanism in TCP/IP networks that translates the IP addresses of transit packets. It is also called IP Masquerading, Network Masquerading and Native Address Translation.

Address translation with NAT can be performed by almost any routing device: a router [1], an access server or a firewall. The most popular is SNAT, whose essence is to replace the source address when a packet passes in one direction and to perform the reverse replacement on the destination address of the reply packet. Along with the source/destination addresses, the source and destination port numbers may also be replaced.
On receiving a packet from a local computer, the router looks at the destination IP address. If it is a local address, the packet is forwarded to another local computer; if not, the packet must be sent out to the Internet. But the return address in the packet is the computer's local address, which is unreachable from the Internet. Therefore the router translates (replaces) the packet's return IP address on the fly to its own external (Internet-visible) IP address and changes the port number (to distinguish reply packets addressed to different local computers), keeping the combination needed for the reverse substitution in a temporary table. Some time after the client and server finish exchanging packets, the router deletes the entry for that port from its table because it has expired.

In addition to source NAT (giving users of a local network with internal addresses access to the Internet), destination NAT is also often used, when external requests are forwarded by a firewall to a user's computer on the local network that has an internal address and is therefore not directly reachable from outside (without NAT).
There are three basic kinds of address translation: static (Static Network Address Translation), dynamic (Dynamic Address Translation) and masquerade (NAPT, NAT Overload, PAT).
Static NAT maps an unregistered IP address to a registered IP address on a one-to-one basis. It is especially useful when a device must be reachable from outside the network.
Dynamic NAT maps an unregistered IP address to a registered address from a group of registered IP addresses. Dynamic NAT also establishes a direct mapping between unregistered and registered addresses, but the mapping may vary depending on which registered address in the pool is available at the time of communication.
Overloaded NAT (NAPT, NAT Overload, PAT, masquerading) is a form of dynamic NAT that maps multiple unregistered addresses to a single registered IP address using different ports. It is also known as PAT (Port Address Translation). Under overloading, each computer in the private network is translated to the same address but with a different port number. The NAT mechanism is defined in RFC 1631 and RFC 3022.
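The two substitutions and the temporary table described in the last few paragraphs, as an added example that is not code from the article: a NAPT ("masquerade") table for a router with one public address. Outbound packets get their source rewritten to `public_ip:public_port` and the pair is remembered; inbound packets are mapped back, or dropped when no entry exists; idle entries are removed after a timeout. The addresses (203.0.113.7 for the router, the 192.168.1.x range, 198.51.100.x for remote hosts) and the port range are constructed.

```python
from dataclasses import dataclass

# Added example: a NAPT/PAT translation table for a single-public-address router.
# Constructed addresses: 203.0.113.7 (router's public side), 192.168.1.x (LAN).

PUBLIC_IP = "203.0.113.7"
LAN_PREFIX = "192.168.1."
IDLE_TIMEOUT = 60.0          # seconds an idle mapping survives before expiry


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}    # (lan_ip, lan_port) -> public_port
        self.in_map = {}     # public_port -> (lan_ip, lan_port)
        self.last_seen = {}  # public_port -> time of last packet either way

    @staticmethod
    def is_local(ip: str) -> bool:
        return ip.startswith(LAN_PREFIX)

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """LAN -> Internet: rewrite the source to public_ip:public_port and remember the pair.
        Two LAN hosts using the same source port get different public ports."""
        if self.is_local(pkt.dst_ip):
            return pkt                           # local destination: no translation
        key = (pkt.src_ip, pkt.src_port)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        self.last_seen[port] = now
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet, now: float):
        """Internet -> LAN: reverse the mapping, or return None (drop) when no entry exists."""
        self.expire(now)
        key = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None                          # unsolicited packet: nothing to map to
        self.last_seen[pkt.dst_port] = now
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])

    def expire(self, now: float) -> None:
        """Delete mappings that have been idle longer than IDLE_TIMEOUT."""
        stale = [p for p, t in self.last_seen.items() if now - t > IDLE_TIMEOUT]
        for port in stale:
            lan_key = self.in_map.pop(port)
            self.out_map.pop(lan_key, None)
            del self.last_seen[port]
```

The `inbound` branch that returns `None` is the property the "Benefits" section below relies on: a packet from outside that matches no existing translation has nowhere to go and is simply dropped.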

NAT Types


A NAT classification commonly encountered in connection with VoIP. [2] Here "connection" means "a sequential exchange of UDP packets".
Symmetric NAT: a translation in which each connection initiated by an "internal address:internal port" pair is mapped to a free, unique, randomly chosen "public address:public port" pair. Initiating a connection from the public network is not possible.
Full Cone NAT (Cone NAT): a one-to-one (mutual) translation between the "internal address:internal port" and "public address:public port" pairs. Any external host can initiate a connection to the internal host (if the firewall rules allow it).
Address-Restricted Cone NAT (Restricted Cone NAT): a permanent translation between the "internal address:internal port" and "public address:public port" pairs. A connection initiated from the internal address lets it receive packets from any port of the public host to which it previously sent packets.
Port-Restricted Cone NAT: a translation between the "internal address:internal port" and "public address:public port" pairs in which incoming packets reach the internal host only from the one port of the public host to which the internal host has already sent a packet.

Benefits


NAT performs three important functions:
It saves IP addresses (only when used in PAT mode) by translating several internal IP addresses to one external public IP address (or several, but fewer than there are internal ones). Most networks in the world are built on this principle: one public (external) IP address is allocated to a small section of a local provider's residential network or to an office, behind which interfaces with private (internal) IP addresses work and get access.
It lets you prevent or limit access from outside to internal hosts while keeping access from inside to outside. When a connection is initiated from inside the network, a translation entry is created. Reply packets arriving from outside match the created translation and are therefore let through. If no corresponding translation exists for packets arriving from outside (one can be created when a connection is initiated, or statically), they are not let through.
It lets you hide certain internal services of internal hosts/servers. In effect, the same translation as above is performed on a specific port, but the internal port of an officially registered service can be replaced (for example, TCP port 80 (HTTP server) becomes external port 54055). Thus, from outside, after address translation, knowledgeable visitors reach the website (or forum) at example.org:54055, while on the internal server behind NAT it runs on the usual port 80. This improves security and hides "non-public" resources.

Disadvantages


Old protocols. Protocols developed before the mass adoption of NAT cannot work if there is address translation between the interacting hosts. Some firewalls that translate IP addresses can correct this drawback by replacing IP addresses not only in IP headers but also at higher layers (for example, in FTP protocol commands). See Application-level gateway.
User identification. Because of many-to-one address translation, identifying users becomes harder and full translation logs must be stored.
The illusion of a DoS attack. If NAT is used to connect many users to the same service, this can look like a DoS attack on the service (many successful and unsuccessful attempts). For example, an excessive number of ICQ users behind one NAT caused some users to fail to connect to the server because the permitted connection rate was exceeded. A partial solution is to use an address pool (address group) for the translation.
Peer-to-peer networks. On NAT devices that do not support Universal Plug & Play, additional configuration is sometimes required (see Port-to-Address Translation) for peer-to-peer networks and other programs that must not only initiate outgoing connections but also accept incoming ones.
NAT is present in all routers and server OSes in one form or another. In routers it is usually called port forwarding; on Linux it is iptables; on Windows servers it lives in a dedicated snap-in. Now let's talk about the different types of NAT.
Static NAT is not needed at home, but it is needed if the provider has allocated several IP addresses (external, or "white", addresses) to your company and you need some servers to be always visible from the Internet with unchanging addresses.
That is, address translation is 1:1 (one external IP is assigned to one internal server). With this setup, your servers are always reachable from the Internet on any port.
Speaking of ports, I'll go a little into this topic, but not too deep. The fact is that any service or program reaches a computer, server, router or service (whether mail, a web page or anything else) not only by IP address but also by port. For example, to open google.com from your computer you need to enter two things: the IP address (DNS name) and ... the port.
But wait, you protest: you don't enter any port and everything opens perfectly!
So what's the catch?

The fact is that, no, the port is not hidden in the DNS record, as some might think; your browser substitutes this port in the address bar for you. You can easily check it: enter google.com:80 in the address bar and you will see that the Google page opens, but the magic ":80" has quietly disappeared.

So, for Internet users to see you and connect to you, they must know two things: your IP address and the port on which your service runs.

With static NAT it does not matter which port the server or program uses, because the server becomes fully reachable from the Internet. To restrict the ports that can be used, a firewall is configured on that server.
To draw a parallel: the IP address is the address of your building and the port is your apartment number. For people to reach you they need to know both, otherwise they simply will not find you.

Static NAT Scheme

For example, the provider gave you four IP addresses, 87.123.41.11, 87.123.41.12, 87.123.41.13 and 87.123.41.14, and you have three servers and a router. You assign the router, say, the first address in this range (87.123.41.11) and divide the rest among the servers (server 1 gets .12, server 2 gets .13, server 3 gets .14).

For users on the Internet to connect to these servers, it is enough for them to enter the servers' external IP addresses. For example, when a user connects to 87.123.41.12, the router redirects the connection to server 1 and the user talks to the server without knowing that its real address is actually different (192.168.1.2). Such an entry in the router's NAT table is stored permanently.
The advantages of this method:

  • Real server addresses are hidden.
  • Your servers are always visible on the Internet.

Disadvantages:

  • Attackers can try to break into them or carry out attacks.
  • Several external addresses are required, which can be costly.

Dynamic NAT differs slightly from static NAT. It is used in much the same way, with the one exception that your servers are not visible from the Internet, but the servers themselves need Internet access. Its essence is that you are again given several external IP addresses by the provider, after which the router itself distributes those addresses among the hosts that need them.

That is, as soon as a server or computer wants to connect to the Internet, the router looks at its list of external addresses issued by the provider and hands out one address from the list, noting that it has given this external address to that server or computer (the NAT table).

Such an entry lives only a short time: as soon as the server or computer stops needing Internet access, the address is removed from the router's NAT table.
A significant drawback is that the number of servers and computers needing Internet access should not greatly exceed the number of external addresses issued by the provider.

ROUTING


Provider routers hold a routing table: a table (file) or database stored on a router or a networked computer that records which interface leads to which destination addresses, that is, through which interface a packet must be sent to reach the next router. Using it, the router selects the best transport layer routes for your packets from the server to your PC or smartphone. Remember our favourite OSI?

The transport layer of the model is meant to ensure reliable data transfer from sender to receiver, where the level of reliability can vary widely. There are many classes of transport layer protocols, from those providing only basic transport functions (for example, transmitting data without acknowledgements) to those that guarantee delivery of several data packets in the proper sequence to the destination, multiplex several data streams, provide flow control and guarantee the integrity of the received data. For example, UDP limits itself to checking data integrity within a single datagram and does not rule out losing an entire packet, duplicating packets or delivering them out of order; TCP provides reliable continuous data transfer, ruling out data loss, reordering or duplication, and can repackage data by breaking large chunks into fragments and, conversely, gluing fragments into one packet.

The router selects the best route and records it in the packet header, and the packet then follows the specified route.

The route is the sequence of network addresses of network nodes that the router has selected according to its table as the shortest path between the machine and the server.
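The routing table described above, together with the CIDR subnets mentioned in the switch/router section, as an added example that is not code from the article. The table below maps prefixes in CIDR notation to a next hop and an interface, and `lookup` performs the longest-prefix match a router uses to decide where a packet goes: the most specific matching prefix wins, and the `0.0.0.0/0` default route catches everything else. `split_subnet` shows how a range is carved into logical subnets. The prefixes, gateway addresses and interface names (`wan0`, `lan0`, `wan1`) are constructed.

```python
import ipaddress

# Added example: a CIDR routing table with longest-prefix-match lookup.
# Prefixes, next hops and interface names below are constructed.

ROUTES = [
    # (prefix,                next hop,          interface)
    ("0.0.0.0/0",          "203.0.113.1",     "wan0"),  # default route towards the provider
    ("192.168.1.0/24",     None,              "lan0"),  # directly connected subnet, no next hop
    ("192.168.1.128/25",   "192.168.1.254",   "lan0"),  # more specific than the /24, so it wins
    ("10.0.0.0/8",         "203.0.113.9",     "wan1"),
]


class RoutingTable:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), gw, ifc) for p, gw, ifc in routes]

    def lookup(self, dst: str):
        """Return (prefix, next hop, interface) of the most specific matching route,
        or None when nothing matches (e.g. an IPv6 destination in an IPv4-only table)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw, ifc in self.routes:
            # `addr in net` is False when address and network versions differ
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifc)
        if best is None:
            return None
        return (str(best[0]), best[1], best[2])


def split_subnet(prefix: str, new_prefixlen: int):
    """Carve a network into equal logical subnets, e.g. a /24 into four /26s."""
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefixlen)]


TABLE = RoutingTable(ROUTES)
```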

Also, all packets have a lifetime, in case they get lost:

TTL concept


Imagine that you are 5 years old and you want to eat. You go to dad and say, "Dad, I want to eat." Your dad is watching TV and, according to his routing table, sends you to mom. You go to her and ask, "Mamaaa, I want to eat." The remainder of this analogy, which covers TTL (Time To Live) and the related ICMP message, did not survive in this copy.
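What the analogy is building towards, as an added example that is not code from the article: the TTL (Time To Live) field is a hop counter. Every router decrements it, and when it reaches zero the packet is discarded and the router sends an ICMP "Time Exceeded" message (type 11) back to the sender, so a packet caught in a routing loop cannot circulate forever. The same behaviour is what the `traceroute` diagnostic exploits by sending probes with TTL 1, 2, 3, ... and collecting the routers that report each expiry. The router names and path are constructed; `forward` and `traceroute` are my own function names.

```python
# Added example: TTL decrement per hop, ICMP Time Exceeded on expiry, and the
# traceroute technique built on it. Router names below are constructed.

ICMP_TIME_EXCEEDED = 11   # ICMP type 11; code 0 = "TTL expired in transit"

# A constructed path of routers between a sender and its destination network.
PATH = ["isp-gw", "core-1", "core-2", "dst-edge"]


def forward(packet: dict, path: list):
    """Carry `packet` (dict with 'dst' and 'ttl') along `path`.
    Returns (routers traversed, outcome), where outcome is
    ("delivered", dst) or ("icmp", ICMP_TIME_EXCEEDED, reporting_router)."""
    ttl = packet["ttl"]
    visited = []
    for router in path:
        ttl -= 1                      # each router decrements the TTL
        if ttl <= 0:                  # expired: drop and report back to the source
            return visited, ("icmp", ICMP_TIME_EXCEEDED, router)
        visited.append(router)
    return visited, ("delivered", packet["dst"])


def traceroute(path: list, dst: str, max_ttl: int = 64):
    """Probe with TTL = 1, 2, 3, ... until the destination is reached, recording
    the router that sent each Time Exceeded message. Stops at max_ttl."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        _, outcome = forward({"dst": dst, "ttl": ttl}, path)
        if outcome[0] == "delivered":
            break
        hops.append(outcome[2])
    return hops
```

For defenders, the expiry branch is the useful one: a routing loop (modelled below as the same two routers repeated) is terminated after at most TTL hops instead of consuming bandwidth indefinitely, and the resulting ICMP messages are a signal worth watching for in network telemetry.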

Source: https://habr.com/ru/post/470277/

