**mac vs mac address**?

• MAC: Medium Access Control, also called Media Access Control

• MAC Address: Medium Access Control Address,

  • also known as hardware address, or physical address
  • a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment

layers are independent

Conceptually, left L2 is talking to right L2.

ipv4 classful addressing

Class A, class B, class C

Ref: https://www.wikiwand.com/en/Classful_network

ipv4 reserved ip address

• Class A

  • 0.0.0.0/8: Local network
  • 10.0.0.0/8: Private network
  • 127.0.0.0./8: Loopback of local host

• Class B

  • 169.254.0.0/16: Link-local address when no IP address is specified

    • 169.254.169.254/32: AWS EC2 Instance Metadata Service

  • 172.16.0.0/12: Private network

    • 127.31.0.0/16: AWS default VPC size

• Class C

  • 192.168.0.0/16: Private network

Ref:

• https://www.wikiwand.com/en/Reserved_IP_addresses
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#link-local-addresses

why nat?

• Overcome IPv4 shortages.
• Security: hide private IP

static nat maintains a nat table to map privateip : public ip (1:1)>

👉️ In AWS, Internet Gateway (IGW) is a static NAT.

dynamic nat maintains a nat table:

• Dynamic NAT maps PrivateIP : Public IP (1:1 first available).
• Public IP allocations are temporary allocations from a Public IP Pool, the pool may be out-of-public IPs.

pat records the source (private) ip and source port:

• PAT replaces the source IP with the single Public IP and a public source port
• The Public IP and public source port are allocated from a pool which allows IP Overloading (many to one)

in aws, nat gateway (natgw) is a pat.

nat vs pat

• NAT
• PAT: is a type of Dynamic NAT

Ref: https://techdifferences.com/difference-between-nat-and-pat.html

classless inter-domain routing (cidr)

A method for allocating IP addresses and for IP routing.

CIDR is introduced in 1993 to replace the previous classful network addressing architecture

See Classless Inter-Domain Routing (CIDR) | Wikipedia

subnetting

The process of spitting a larger network into more smaller subnets

ddos types:

• Layer 7:
  • HTTP Flood
  • DNS Fllod
• Layer 4:
  • (TCP) SYN Flood

what is a ddos attack?

https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

what is vlan?

A way to divide a single physical network into multiple logical networks.

what does 802.1q do?

802.1Q allows multiple “VIRTUAL LANS (VLANS)” to operate over the same L2 physical network.

Each has a separate broadcast domain and is isolated from all others

what does 802.1ad do?

802.1AD (QinQ) allows ISPs or carriers to use VLANS across their network, while carrying customer traffic which might also be using multiple VLANs

how does 802.1ad (qinq) work?

It allows multiple VLAN tags to be added to a single Ethernet frame.

what are trunk port?

Trunk ports are a way to carry VLAN traffic between network switches

aspath prepending: make a path longer

connection and port

A connection has 2 parts:

• Request: From an ephemeral port - chosen by the client - (to a well-known port)
• Response: From the well-known port (to that ephemeral port)

stateless firewall

A Stateless Firewall

• examines each individual network packet in isolation
• makes decisions
  • based on predetermined rules
  • without any awareness of the state of the network connection

stateful firewall

A stateful firewall

• tracks the state of the network connections:
  • knows a response corresponding to which request
• make decisions based on these knowledge:
  • do some of the works for you

👉 If

• the request (no matter whether it’s inbound or outbound traffic) is allowed
• the response will be automatically allowed too

e.g. AWS security group

maximum transmission unit (mtu)

• Traditional Ethernet frames have a MTU of 1500 bytes.
• Jumbo Frames can allow for frames up to 9000 bytes.

layer 7 firewall

what does ip sec do?

IP Sec sets up secure tunnel across insecure networks.

signing

The practice of using asymmetric keys to verify the authenticity and integrity of data.

steganography

The practice of concealing information within another message or physical object to avoid detection.

hashing

The process of applying a hash function to data to produce a unique and irreversible representation of the original data.

hash function

Mathematical algorithms that transform input data into a fixed-length string of characters, called a hash or message digest.

note

To verify DNSSEC of a domain, you can use:

• dig: if there’s the flag ad
• delv
• Web Tools: DNS Viz, DNSSEC Debugger

what is a rrset?

A group of all the records with the same type ad same name

what is a rrsig?

A digital signature for a RRSET, signed by the private Zone Signing Key (ZSK).

what is zone signing key (zsk)?

Each zone has a ZSK, which is used to:

• sign 👈 the private ZSK
• verify 👈 the public ZSK

the RRSETs.

why the dnskey also has an rrsig?

Because someone can fake the DNSKEY too. 🤯

what is a ksk?

KSK is used to sign and verify the ZSK

why do we use separate zone-signing keys and key-signing keys?

The KSK is linked to the parent zone.

If we use a single key, changes to the ZSK would requires parent zone changes. 🐌🆘

By using 2 keys, we can change the ZSK as quired, without impacting parent zone. 🤳

what is ds record?

DS (Delegation Signer) Record, on a parent zone, contains a hash of the KSK in a child zone.

what is the basic structure of a k8s cluster?

A K8s cluster contains:

• Control Plane
• Worker Nodes

what is the control plane in k8s?

The control plane manages the overall state of the cluster

what is a worker node in k8s?

A worker node is the machine that actually run the containers

what are the core components of a worker node?

• kubelet

  • Ensures that Pods are running, including their containers.

• Container runtime

  • Software responsible for running containers.

• kube-proxy (optional)

  • Maintains network rules on nodes to implement Services.

what is the core component of control plane?

The core of Kubernetes’ control plane is

• the API server
• the HTTP API that it exposes, which is known as the Kubernetes API.

what does the kubernetes api do?

The Kubernetes API

• lets end users, different parts of your cluster, and external components communicate with one another.
• let you query and manipulate the state of API objects in Kubernetes (for example: Pods, Namespaces, ConfigMaps, and Events).

what is a `pod` in k8s?

In Kubernetes, a pod is the smallest unit of computing.

• In Docker, it’s the container.

what are the components of the control plane in k8s?

• kube-apiserver: The core component server that exposes the Kubernetes HTTP API
• etcd: Consistent and highly-available key value store for all API server data
• kube-scheduler: Looks for Pods not yet bound to a node, and assigns each Pod to a suitable node.
• kube-controller-manager: Core control loops of K8s: Runs controllers to implement Kubernetes API behavior.
• cloud-controller-manager (Optional): Integrates with underlying cloud provider(s).(AWS, Azure, GCP)

what is `kube-controller-manager`?

kube-controller-manager is the core control loops of K8s

• Watches the shared state of the cluster through the apiserver
• Makes changes attempting to move the current state towards the desired state

what is rpo?

Recovery Point Objective (RPO) is the maximum (amount of) data (in time) can be lost.

what is rto?

Recovery Time Objective (RTO) is the maximum of time that the system can be down.

when does rto begin and end?

RTO

• begins at at momne of failure
• ends when the system is operational (and handled back to business)

what need to be cautious about rto?

• How long until we know there is an issue?
• What is the issue?
• Do we need to restore a backup? How to restore the backup?