AfNOG -> Workshops -> 2004 -> Track 1 - Scalable Internet Services -> Detailed Course Outline

AfNOG 2004 Workshop

Track 1 - Scalable Internet Services

This is part of the AfNOG 2004 Workshop, held in conjunction with the AfNOG meeting in Dakar, Senegal, in June 2004.

Day Organisation

Each day is divided into four slots of approximately two hours each. Classes start promptly at 08:45 and end at around 18:15 daily. There will be a one-hour break for lunch at around 13:00, and 15-minute breaks in mid-morning and mid-afternoon.

In addition to this detailed timetable you can see a summary timetable as well.

Monday morning 8:45am

Introduction and logistics -- Ayitey Bulley
FreeBSD Tutorial -- Hervey Allen, Joel Jaeggli
- FreeBSD Introduction Materials. This section includes:
  - Introduction
  - Why FreeBSD
  - Accounts information
  - Creating a user account for exim and yourself
  - Some basic FreeBSD commands
  - Post-installation configuration
  - Short example using FreeBSD commands
  - Getting FreeBSD 5.2.1 files and others
  - pkg_add: Adding packages or ports by hand
  - Network Information
  - ifconfig
  - rc.conf
  - Stopping and starting the network
  - Stopping and starting services
  - Installation Notes
  - Slices and partitions
  - Distribution sets
  - Quick installation guide (using CD-ROM)
  - The FreeBSD Directory Structure
  - A few differences from Linux

Monday morning 11:00am

DNS Section Materials. This section includes:
- DNS Session-1: DNS Fundamentals -- Ayitey Bulley and Alain Aina
  - Computers use IP addresses.
  - Why do we need names?
  - HOSTS.TXT (The old solution)
  - What was wrong with HOSTS.TXT
  - What is DNS?
  - Hierarchical Structure of DNS
  - Limitations on Domain Names
  - Using the DNS
  - Commonly seen Resource Records (RRs)
  - A Simple Example
  - Possible results from a Query
  - How do you use an IP address as the key for a DNS query
  - DNS is a Client-Server application
  - Three roles in DNS
  - Example: Unix resolver configuration
  - Testing DNS
  - The BIND dig utility
  - Understanding output from dig
  - Practical Exercise

Monday afternoon 2:00pm

DNS Session-2: DNS Caching Operation & DNS Debugging
- How Caching NS Works (1)
- How caching NS works (2)
- How does it know which auth nameserver to ask?
- Intermediate nameservers return "NS" resource records
- How does this process start?
- Where did named.root come from?
- Demonstration
- Distributed systems have many points of failure!
- A compromise policy
- What sort of problems might happen when a caching nameserver is operating?
- (1) One authoritative server is down or unreachable
- (2) *ALL* authoritative servers are down or unreachable!
- (3) Referral points to a nameserver which is not authoritative for this zone
- (4) Inconsistencies between authoritative servers
- (5) Inconsistencies in delegations
- (6) Mixing caching and authoritative nameservers
- (7) Inappropriate choice of parameters
- How to debug these problems?
- How to interpret responses
- How to debug problems using “dig +norec”
- Exercise on debugging a DNS domain using “dig +norec”

Tuesday morning 8:45am

DNS Session-2: DNS Caching Operation & DNS Debugging (Cont.)
- Building your own cache nameserver
- What sort of hardware would you choose when building a DNS cache?
- Improving the configuration
- Managing a caching nameserver
- Exercise on configuring a cache-only nameserver

Session-3: Configuring Authoritative Name Servers
- Recap
- DNS Replication
- Outside world cannot tell the difference between master and slave
- When does replication take place?
- Serial Numbers
- Serial Numbers: Danger 1
- Serial Numbers: Danger 2
- Configuration of Master
- Configuration of Slave
- Master and Slave
- Format of Resource Records
- Format of the SOA record
- Format of NS records
- Common DNS Operational and Configuration Errors
- 1. Serial number errors
- 2. Comments in zone files starting '#' instead of ';'
- 3. Other syntax errors in zone files
- 4. Missing the trailing dot
- 5. NS or MX records pointing to IP address
- 6. Slave cannot transfer zone from master
- 7. Lame delegation
- 8. No delegation at all
- 9. Out-of-date glue records
- 10. Not managing TTL correctly during changes

Tuesday morning 11:00am

Exercises 4 & 5 on configuring authoritative nameservers

Tuesday afternoon 4:00pm

Web/Proxy/SSL -- Joel Jaeggli and Patrick Okui
- Web/Proxy/SSL Materials
- Install OpenSSL
- Patch Apache source code with SSL patch
- Install Apache
- Generate new local SSL certificate

Tuesday evening - Optional sessions

FreeBSD tutorial (continued)

Wednesday morning

Web/Proxy/SSL -- Joel Jaeggli and Patrick Okui
- Configure Apache with basic configuration
- Start Apache httpsd daemon and connect to local box
- Verify local ssl certificate works
- Configuring Apache with SSL
- Example SSL Apache configuration file
- Sample config for Virtual Hosting

Wednesday afternoon

Mail/Exim -- Philip Hazel and Brian Candler
- Exim Materials
- POP3/Mail Materials - See below as well
Topics covered in this section
- Introduction to Internet Mail
  - Mail agents - MUA and MTA
  - Message format
  - Authentication
  - SMTP - Message in transit
  - Use of DNS for email
  - Delivering a message
  - Relay control
  - Policy control on email
- Installation of Exim and basic tests

Wednesday evening - Optional sessions

Squid
- Web/Proxy/SSL -- Joel Jaeggli and Patrick Okui
  - Discussion of Squid Caching Server
  - Installation of Squid
  - Step-by-step overview of squid.conf
- Squid Caching Continued -- Joel Jaeggli and Patrick Okui
  - Client Configuration for Proxy Server Use
  - Auto Discovery of Proxy in IE Issue
  - WPAD Expired RFC

Thursday morning

Mail/Exim -- Philip Hazel and Brian Candler
- Exim Routers and Transports configuration
  - Configuration file
  - Changing runtime configuraiton
  - Configuration file sections
  - Default configuration file layout
  - Common global options
  - Exim 4 routing
  - Simple routing configuration
  - Default routers
  - Default transports
  - Routing to smarthosts
  - Virtual domains
  - Access control lists
  - Good and bad relaying
  - Message filtering
  - Large installations
  - Separating mail functions
- Modify routing practical exercises

Thursday afternoon

Mail/Exim -- Philip Hazel and Brian Candler
- Access Control Lists
- Setting up a relaying host practical exercises

Thursday evening - Optional sessions 8:00pm - 10.00pm

Managing SPAM
Filtering unwanted E-mails
What are the main sources of junk E-mail?
What are the costs?
Where can you filter?
Legal problems with filtering
Ways to identify spam:
Exim implementation of SRS
Minimising the joe-jobs we relay
What should you do?

Friday morning

POP, IMAP and Web email servers -- Brian Candler
- POP3/Mail Materials
  - Mailserver scalability
    - Linear password files
    - Linear mbox files
    - Too many files in one directory
    - CPU limits
    - Disk performance
    - Keep your SMTP (smarthost) and POP3 services separate
  - Maildir and qmail-pop3d practical exercises
    - Reconfigure exim for Maildir delivery
  - Courier practical exercises
    - Install courier-imap
    - Configure the daemons
    - Start the daemons
    - pop3 and imap over SSL
POP, IMAP and Web email servers -- Brian Candler
- Sqwebmail practical exercises completion
- FreeBSD mailserver performance tuning
  - Increase kernel limits
  - Enable softupdates
  - Use SCSI disks
  - Spread mail directories across multiple disks
  - Put in as much RAM as possible
  - Use PCI cards, not ISA!
- Notes and Clustering and NFS
  - Using Network File System (NFS)
  - Using Proxies
  - Load balancing
  - Database
  - FreeBSD NFS

Friday afternoon

Security Issues - Hervey Allen, Brian Candler
- Security Section Materials
  - Authentication
  - Authorisation
  - Integrity
  - Confidentiality
  - Availability (DoS)
  - Host access controls
  - Network access controls
  - Attacks on the host vs. attacks no the network
  - smurf attacks
  - Some Available Resources
Cryptographic Methods
- Private key or symmetric ciphers
- Hashing or one-way encryption
- Integrity checks
- Generating encryption keys
- Public key ciphers
- Digital signatures
- Man in the middle attacks
- PGP and SSH notes
SSH Discussion - Security at the Application Layer
- known_hosts files and authorization
- Password challenge authentication
- RSA/DSA Private/Public Key generation
- Public/Private Key use with SSH
- ssh-agent and ssh-add
- Using tunnels with SSH

Return to AfNOG Workshop Main Page