19531 - Telematics - Freie Universität - Telematics 10th Tutorial - Internet Backbone Terminology,...
19531 - Telematics, 10th Tutorial - Internet Backbone Terminology, Multicast, MPLS
Bastian Blywis
Department of Mathematics and Computer Science, Institute of Computer Science
13. January, 2011
Institute of Computer Science – Telematics Tutorial – 13. January, 2011 1
Outline
1. IPv6 Privacy
2. Problems of Internet Core Routing
3. Clarification of Internet Backbone Terminology
4. IP layer vs. Ethernet Multicast
5. IP layer Multicast
6. MPLS
7. BGP Metric
8. BGP and Security
IPv6 Privacy
IPv6 addresses will (probably) be more persistent, and each address contains an interface ID. Isn't this a privacy issue?
IPv6 Privacy
IPv6 Privacy Concerns:
– The interface ID of a stateless autoconfigured (SLAAC) address is derived from the MAC address (modified EUI-64), so it is globally unique and stays the same in every network the host visits
– User profiles can be created by correlating the interface ID across sessions and prefixes
– Location of the user is traceable: the prefix part changes with the network, the interface ID does not
– RFC 3041 (Privacy Extensions; obsoleted by RFC 4941 in 2007) allows random interface IDs with limited lifetime
– A single network interface is assigned two global addresses:
  – the stable address derived from the MAC, used for inbound connections (it can be published in the DNS)
  – a temporary address derived from a random value, used for outbound connections and regenerated periodically
– Enabled by default on some operating systems; Linux: net.ipv6.conf.eth0.use_tempaddr (0 = disabled, 1 = generate temporary addresses but prefer the stable one, 2 = prefer the temporary address)
– but: the address is still a locator; the prefix still reveals the network the host is attached to
Narten and Draves, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, RFC 3041, 2001
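To make the leak concrete, here is an added example (not part of the tutorial slides) that builds the modified EUI-64 interface ID from a MAC address the way SLAAC does and recovers the MAC from any address whose interface ID has that shape. The MAC address and the prefixes are constructed values.

```python
"""Modified EUI-64 interface IDs and why they leak the MAC address.
Added example, not from the tutorial slides; MAC and prefix values are constructed."""
import ipaddress


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface ID from a 48-bit MAC (RFC 4291 App. A):
    insert ff:fe between the OUI and the device part and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfigured address for a /64 prefix, i.e. prefix || EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str):
    """Recover the MAC address if the interface ID looks EUI-64 derived, else None.
    A randomly generated IID (RFC 4941 temporary address) contains ff:fe at this
    position only by chance (probability 2**-16), so None means 'probably private'."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    mac = "00:1b:21:12:34:56"                              # constructed MAC
    for prefix in ("2001:db8::/64", "2001:db8:0:1::/64"):  # two visited networks
        a = slaac_address(prefix, mac)
        print(a, "->", mac_from_address(a))                 # same MAC recovered in both
    print(mac_from_address("2001:db8::a3f1:9c2d:7e44:b81"))  # temporary address: None
```

The same host is recognisable in both networks by the last 64 bits alone, which is the tracking problem the privacy extensions address; the prefix in front of it is the locator that remains.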
Problems of Internet Core Routing
Read the article Towards A New Internet Routing Architecture: Arguments for Separating Edges from Transit Core by Jen et al., presented at ACM HotNets 2008.
1. What is the default-free zone? Why do we need such a part within the Internet?
2. What is the problem of current Internet core routing?
3. Discuss the advantages and disadvantages of provider independent addresses.
4. Which service is required by current separation schemes?
Problems of Internet Core Routing
– The default-free zone (DFZ) is the set of (Internet backbone) routers that operate without a default route: every destination must be matched by an explicit entry in their routing tables
– Routing table size in the DFZ has been growing at an alarming rate
– Conceptual reason: routing tables of the transit core reflect the edge networks
– There are two major (practical) reasons for the overflowing routing tables:
1. Awkward address allocation: current address assignment schemes make it hard to aggregate multiple routes into a larger one, e.g., 192.0.2.0/24 and 192.0.3.0/24 can only be aggregated to 192.0.2.0/23 if they are topologically adjacent (reachable via the same next hop); 192.0.3.0/24 and 192.0.4.0/24 cannot be aggregated at all, because they share no common /23
2. Site multi-homing: a multi-homed edge network's address prefix(es) must be visible in the global routing table (no ISP can aggregate a multi-homed edge network's prefix into its own address prefix, because the other ISP announces it as well)
– Provider-independent (PI) addresses are used to realize multi-homing
– PI prefixes do not belong to a dedicated ISP, but are assigned directly to the edge network
– Pro: avoids address renumbering when changing providers
– Con: No aggregation within the DFZ per
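The two causes of table growth can be checked mechanically. The following is an added example (not from the slides or the paper): it aggregates prefixes classlessly and then computes which customer prefixes the DFZ has to carry in addition to the providers' aggregates. ISP names, aggregates and customer prefixes are constructed from documentation address space.

```python
"""Provider aggregation vs. PI and multi-homed prefixes in the DFZ.
Added example, not from the slides; ISP names, aggregates and customer prefixes are
constructed from documentation address space."""
import ipaddress


def aggregate(prefixes):
    """Collapse prefixes into the smallest equivalent set (classless aggregation).
    Two /24s merge into a /23 only if they are the two halves of the same /23."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def dfz_table(isp_aggregates, customers):
    """What the default-free zone has to carry.

    isp_aggregates: {isp: [aggregate prefix, ...]} announced by each provider
    customers: [(prefix, [isps the site is connected to]), ...]
    A customer prefix can hide behind a provider aggregate only if it is PA space of
    that provider and the site is single-homed to it. Everything else (PI space, or PA
    space of a multi-homed site) needs its own entry in every DFZ router.
    """
    nets = {isp: [ipaddress.ip_network(a) for a in aggs] for isp, aggs in isp_aggregates.items()}
    table = {a for aggs in isp_aggregates.values() for a in aggs}
    for prefix, homed_to in customers:
        net = ipaddress.ip_network(prefix)
        covered_by = [isp for isp, aggs in nets.items() if any(net.subnet_of(a) for a in aggs)]
        if not (len(homed_to) == 1 and homed_to[0] in covered_by):
            table.add(prefix)
    return sorted(table, key=ipaddress.ip_network)


if __name__ == "__main__":
    print(aggregate(["192.0.2.0/24", "192.0.3.0/24"]))   # ['192.0.2.0/23']
    print(aggregate(["192.0.3.0/24", "192.0.4.0/24"]))   # no common /23: both stay
    isps = {"ISP-A": ["198.51.100.0/24"], "ISP-B": ["203.0.113.0/24"]}
    sites = [
        ("198.51.100.0/26", ["ISP-A"]),            # PA, single-homed: hidden in ISP-A's aggregate
        ("198.51.100.64/26", ["ISP-A", "ISP-B"]),  # PA from ISP-A but multi-homed: must be visible
        ("192.0.2.0/24", ["ISP-A", "ISP-B"]),      # PI space: must be visible
    ]
    for entry in dfz_table(isps, sites):
        print(entry)
```

Note that the multi-homed PA site costs the DFZ exactly as much as the PI site: one global entry per prefix, in every default-free router, which is why the paper treats de-aggregated PA prefixes and PI prefixes as the same problem.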
Problems of Internet Core Routing
Problem: Solve the conflict between provider-based address aggregation and edge networks' need for multi-homing
Common goal: Bring routing scalability under control by removing PI prefixes and de-aggregated provider-assigned (PA) addresses from the global routing system
Current solution space:
– Elimination: requires that edge networks take address assignments from their providers
  – No PI addresses; multi-homed edge networks use multiple PA addresses internally and must modify end hosts to support multi-homing
– Separation: separates edge networks from the transit core
  – Control and management layer between edge networks and DFZ
  – Edge networks no longer participate in transit core routing nor announce their prefixes into it
  – Requires a global mapping service that associates edge networks with the transit core (nontrivial!)
Clarification of Internet Backbone Terminology
Explain the following terms:
1. Regional Internet Registry (RIR)
2. Internet Exchange Point (IXP)
3. Peering in the context of Internet routing
What are upstream, downstream and transit providers?
Clarification of Internet Backbone Terminology
– A Regional Internet Registry (RIR), e.g., RIPE NCC, assigns IP prefixes and AS numbers to the ISPs and end sites of its region
– Internet Exchange Points (IXPs) are public peering points for ISPs; they reduce the traffic that has to go via upstream ISPs; no per-volume traffic costs, only the port/membership fee
– Peering is the agreement to exchange traffic (without settlement, i.e., without paying each other) between networks owned by different entities; a peer only accepts traffic for its own customers, not for the rest of the Internet
– Upstream ISPs send traffic towards other ISPs (towards the core)
– Downstream ISPs send traffic towards end customers (increasing IP prefix length)
– Transit ISPs provide Internet connections to other ISPs; they interconnect ISPs (and not end users)
– Tiers
  – Tier 1 networks are transit-free: they reach every prefix via settlement-free peering and never pay for transit
  – Tier 2 networks peer with some networks but have to pay for transit for some traffic
  – Tier 3 networks purchase transit from other networks only
IP layer vs. Ethernet Multicast
1. A source sends an IP multicast packet. What happens on the data link layer? Hint: Think about the destination MAC address.
2. Discuss if a switch, a hub, or both can implement efficient multicast delivery.
3. When the underlying hardware does not support multicast, IP multicast uses hardware broadcast for delivery. Is there any advantage to using IP multicast over such networks?
IP layer vs. Ethernet Multicast
1. Mapping from layer 3 to layer 2
– There is no ARP involved, as the source does not know the group members/receivers and does not address known hosts
– The IP multicast address is mapped algorithmically to an Ethernet multicast address
– The lower 23 bits (IPv4) or 32 bits (IPv6) of the layer 3 multicast group address are appended to a fixed prefix
– Collisions between groups are possible (32 IPv4 groups share one MAC address, since 5 of the 28 group bits are dropped; for IPv6 the upper 80 group bits are dropped) and have to be handled in the network layer, i.e., the host filters on the IP destination address
– Examples
  – IPv4: multicast prefix 224.0.0.0/4; multicast address 224.0.0.1; Ethernet IPv4 multicast prefix 01:00:5e:00:00:00/25; Ethernet multicast address 01:00:5e:00:00:01
  – IPv6: multicast prefix ff00::/8; multicast address ffx2::1122:3344 (x = flags nibble, 2 = link-local scope); Ethernet IPv6 multicast prefix 33:33:00:00:00:00/16; Ethernet multicast address 33:33:11:22:33:44
Deering, Host Extensions for IP Multicasting, RFC 1112, 1989
Crawford, Transmission of IPv6 Packets over Ethernet Networks, RFC 2464, 1998
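The mapping and its collision property, as an added example (not code from the tutorial). The group addresses used for the demonstration are constructed.

```python
"""IP multicast group address -> Ethernet multicast MAC mapping (RFC 1112 / RFC 2464).
Added example, not from the tutorial; the group addresses used below are constructed."""
import ipaddress

ETH_IPV4_MCAST_BASE = 0x01005E000000   # 01:00:5e:00:00:00/25, low 23 bits carry the group
ETH_IPV6_MCAST_BASE = 0x333300000000   # 33:33:00:00:00:00/16, low 32 bits carry the group


def _fmt_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def group_to_mac(group: str) -> str:
    """Destination MAC of a frame carrying a packet to the IPv4/IPv6 group `group`.
    No ARP is needed: the MAC follows from the group address alone."""
    ip = ipaddress.ip_address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    if ip.version == 4:
        return _fmt_mac(ETH_IPV4_MCAST_BASE | (int(ip) & 0x7FFFFF))
    return _fmt_mac(ETH_IPV6_MCAST_BASE | (int(ip) & 0xFFFFFFFF))


def ipv4_groups_sharing_mac(mac: str):
    """All 32 IPv4 groups that map to one 01:00:5e MAC: the 5 dropped group bits
    (bits 23..27 of the address) can take any value. A host joined to one of them
    receives frames for all of them and must filter on the IP destination."""
    value = int(mac.replace(":", ""), 16)
    if value >> 23 != ETH_IPV4_MCAST_BASE >> 23:
        raise ValueError("not an IPv4-derived multicast MAC")
    low23 = value & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


def is_ethernet_multicast(mac: str) -> bool:
    """The I/G bit (least significant bit of the first octet) marks group addresses;
    broadcast ff:ff:ff:ff:ff:ff is just the all-ones group address."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


if __name__ == "__main__":
    print(group_to_mac("224.0.0.1"))                      # 01:00:5e:00:00:01
    print(group_to_mac("ff02::1122:3344"))                # 33:33:11:22:33:44
    print(ipv4_groups_sharing_mac("01:00:5e:00:00:01"))   # 224.0.0.1, 224.128.0.1, 225.0.0.1, ...
```

Security-wise the collision matters for filtering: a NIC or switch that admits a group by MAC alone admits all 32 IPv4 groups (or 2^80 IPv6 groups) that share it, so any access control on multicast must be enforced on the IP address, not the frame.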
IP layer vs. Ethernet Multicast
2. A switch can support multicast on the data link layer
– Hubs are not aware of any data link layer headers; they repeat every frame on every port and therefore cannot implement (Ethernet) multicast
– A plain switch floods multicast frames like broadcasts, because a multicast MAC never appears as a source address and is therefore never learned
– A multicast-enabled switch needs to track IGMP/MLD packets to detect multicast receivers and then forwards group traffic only to ports with listeners (this function is called "IGMP/MLD snooping")
– Violates the hierarchical network model, since a layer 2 device inspects layer 3 protocol messages (but that is not the first case)
3. Layer 2 without multicast support
– Each switch has to flood the packets
– Each station will receive all "multicast" packets and must filter them by IP destination
– Yet the source has to send each packet only once
– Often still better than falling back to unicast (depends on the total number of stations and multicast receivers)
Christensen et al., Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches, RFC 4541, 2006
IP layer Multicast
1. Explain the difference between group management and multicast routing.
2. Discuss why multicast applications do not use TCP as transport protocol.
3. A multicast receiver intends to inform a multicast source about its service requirements (e.g., quality of a transmitted video). Discuss if this is possible.
4. Over 50% of the Internet paths are asymmetric. Discuss why this is a problem for multicast delivery in contrast to unicast. Hint: Think about tree construction and reverse path forwarding.
IP layer Multicast
Management & Routing
– Group management
  – Implements join and leave maintenance of multicast receivers
  – The group management protocol is used between end hosts and their directly attached routers
  – Protocols:
    – IPv4: Internet Group Management Protocol (IGMP)
    – IPv6: Multicast Listener Discovery (MLD)
– Multicast routing
  – Forwarding of multicast (data) packets between routers, i.e., across subnets and multicast domains
  – The routing protocol is used between routers and builds the distribution tree
  – Example protocols: PIM-SM and DVMRP
Multicast & TCP
– The multicast source is not aware of the multicast receivers
– TCP is a connection-oriented protocol
– TCP's three-way handshake is not defined for a group of hosts
  – In particular, it is not possible for dynamic groups
  – Is there a feedback channel from the multicast listener to the source? (see next slide)
– Multicast applications use UDP
IP layer Multicast
Feedback
– The multicast group address abstracts the data sources from the hosts
– The multicast source sends data
– Multicast receivers listen to data
– There is no feedback channel from the receiver to the source(s): a receiver only knows the group address, and individual replies from a large group would implode at the source, so per-receiver service requirements cannot be negotiated with it
Problem of asymmetric Internet paths:
– In contrast to unicast, multicast delivery paths are constructed on demand (by routers, based on listener subscriptions)
– Multicast forwarding state establishment (usually) follows the shortest path from the receiver to the source: Reverse Path Forwarding (RPF)
– A router accepts a multicast packet from source S only if it arrives on the interface the router itself would use to reach S (RPF check); on any other interface the packet is dropped
– Established paths are 'optimal' from the receiver's point of view, but multicast traffic flows from source to group members; on an asymmetric path the data arrives on an interface other than the RPF interface, fails the check and is dropped
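The RPF check and its failure on an asymmetric path, as an added example (not code from the tutorial). It models one router with a constructed unicast FIB; interface names and addresses are constructed.

```python
"""Reverse Path Forwarding check on a router with asymmetric unicast routes.
Added example, not from the tutorial; routing table, interfaces and addresses are constructed."""
import ipaddress


class MulticastRouter:
    def __init__(self, unicast_routes):
        """unicast_routes: {prefix: outgoing interface}, the router's unicast FIB."""
        self.fib = {ipaddress.ip_network(p): iface for p, iface in unicast_routes.items()}
        self.rpf_failures = 0

    def rpf_interface(self, source):
        """Interface the router would use to send unicast traffic *to* the source
        (longest-prefix match). For multicast this is the only interface on which
        packets *from* that source are accepted."""
        src = ipaddress.ip_address(source)
        matches = [net for net in self.fib if src in net]
        if not matches:
            return None
        return self.fib[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, source, in_iface, listener_ifaces):
        """Interfaces a multicast packet from `source` arriving on `in_iface` is
        replicated to, given the interfaces that have listeners for the group.
        Returns [] when the RPF check fails (packet dropped)."""
        if self.rpf_interface(source) != in_iface:
            self.rpf_failures += 1
            return []
        return [i for i in listener_ifaces if i != in_iface]


if __name__ == "__main__":
    # Router R reaches source 192.0.2.10 via eth0, so the tree built by the listeners'
    # joins (behind eth1 and eth3) expects the source's packets on eth0.
    r = MulticastRouter({"192.0.2.0/24": "eth0", "0.0.0.0/0": "eth2"})
    listeners = ["eth1", "eth3"]
    print(r.forward("192.0.2.10", "eth0", listeners))  # symmetric path: ['eth1', 'eth3']
    # On an asymmetric path the source's packets take a different route and arrive on eth2.
    print(r.forward("192.0.2.10", "eth2", listeners))  # RPF check fails: [] (dropped)
    print(r.rpf_failures)                              # 1
```

The same check is also the reason a spoofed multicast source cannot inject traffic from an arbitrary port: packets only pass if they arrive where the unicast topology says the claimed source lives.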
MPLS
1. Is it possible to determine if your ISP uses MPLS? (Assume it is possible to transmit arbitrary packets.)
2. Can traceroute identify the complete path between two hosts, including the routers of the MPLS domain?
MPLS
– MPLS is used in dedicated domains
– Forwarding within an MPLS domain is based on labels (not IP addresses)
– MPLS is transparent for end devices
– Hops in an MPLS domain are (often) not visible via IP traceroute
  – Disabled TTL propagation mode
    – The TTL in the IP header is not decremented per hop inside the domain; the label TTL starts at a fixed value (255)
    – Ingress and egress routers should at least decrement the IP TTL
    – The whole domain therefore appears as one or two hops; the path looks shorter than it is
  – TTL propagation mode
    – The MPLS ingress router copies the IP TTL into the MPLS shim header
    – The MPLS TTL is decreased per hop
    – The egress router copies the MPLS TTL back into the IP TTL field
  – If the TTL reaches 0 inside the tunnel, the packet is dropped and either
    – no notification is sent, or
    – an ICMP Time Exceeded packet is created and sent back to the source (with TTL propagation this is what makes the label switching routers appear in traceroute; routers implementing RFC 4950 additionally attach the label stack to the ICMP message, so a traceroute that prints MPLS labels answers question 1)
– Different behaviors in different MPLS domains
– Question: MPLS tunnels can be unidirectional. How does the ICMP Time Exceeded get back to the source? (RFC 3032: the label switching router may have no IP route to the source, so it forwards the ICMP message along the same LSP to the egress router, which routes it back; as a side effect all hops inside the tunnel report roughly the same round-trip time)
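The difference between the two TTL modes, as an added example (not code from the tutorial): a model of one traceroute across a constructed router chain in which four routers form an MPLS domain. Router names and the chain are constructed; the TTL handling follows the description above.

```python
"""What traceroute sees across an MPLS domain, with and without TTL propagation.
Added example, not from the tutorial; the router chain is constructed. The LSP is a
unidirectional tunnel from the ingress to the egress router."""


def probe(path, ingress_idx, egress_idx, propagate_ttl, ip_ttl):
    """Forward one traceroute probe with initial TTL `ip_ttl` along `path` and return
    the name of the router that answers with ICMP Time Exceeded, or 'dest'."""
    mpls_ttl = None
    for idx, router in enumerate(path):
        if idx < ingress_idx or idx > egress_idx:
            ip_ttl -= 1                     # ordinary IP hop
            if ip_ttl == 0:
                return router
        elif idx == ingress_idx:
            ip_ttl -= 1                     # ingress decrements, then pushes the label
            if ip_ttl == 0:
                return router
            mpls_ttl = ip_ttl if propagate_ttl else 255
        elif idx < egress_idx:
            mpls_ttl -= 1                   # transit LSR only looks at the label TTL
            if mpls_ttl == 0:
                # ICMP Time Exceeded; the LSR forwards it along the LSP to the
                # egress, which routes it back to the source (RFC 3032)
                return router
        else:
            mpls_ttl -= 1                   # egress pops the label
            if mpls_ttl == 0:
                return router
            ip_ttl = mpls_ttl if propagate_ttl else ip_ttl - 1
            if ip_ttl == 0:
                return router
    return "dest"


def traceroute(path, lsp, propagate_ttl, max_ttl=30):
    """Responders for probes with TTL 1, 2, ... until the destination answers.
    `path` is the ordered list of routers between probing host and destination,
    `lsp` the (ingress, egress) pair delimiting the MPLS domain."""
    ingress_idx, egress_idx = path.index(lsp[0]), path.index(lsp[1])
    hops = []
    for ttl in range(1, max_ttl + 1):
        hops.append(probe(path, ingress_idx, egress_idx, propagate_ttl, ttl))
        if hops[-1] == "dest":
            break
    return hops


if __name__ == "__main__":
    chain = ["R1", "PE-in", "P1", "P2", "PE-out", "R6"]
    print(traceroute(chain, ("PE-in", "PE-out"), propagate_ttl=True))
    # ['R1', 'PE-in', 'P1', 'P2', 'PE-out', 'R6', 'dest']  -- every LSR visible
    print(traceroute(chain, ("PE-in", "PE-out"), propagate_ttl=False))
    # ['R1', 'PE-in', 'PE-out', 'R6', 'dest']  -- P1 and P2 hidden, path looks two hops shorter
```

Without propagation the hidden routers do not show up as missing entries: the domain simply looks shorter, which is why an unexpectedly small hop count between two known routers is one of the few hints an end host gets.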
BGP Metric
The Border Gateway Protocol applies the so-called Best Path Algorithm. Explain how a BGP router determines the route when multiple paths are available.
BGP Metric
Important BGP Terminology
AS: Autonomous System
ASN: AS Number (2 or 4 byte)
Prefix: CIDR prefix of a network
AS PATH: path to a specific prefix through one or more ASes
EGP: Exterior Gateway Protocol, protocol used for routing between ASes (BGP in this case)
IGP: Interior Gateway Protocol, protocol used for routing inside an AS
eBGP: external BGP, usage of BGP between routers in different ASes
iBGP: internal BGP, usage of BGP between routers inside the same AS
RR: Route Reflector, collects routes learned via eBGP and propagates them to all BGP routers inside the AS (resolves the scaling issue of a full iBGP mesh)
MED: Multi-Exit Discriminator, parameter to prioritize parallel paths to a neighbor AS (for inbound traffic: it tells the neighbor which entry point to prefer; lower is better); the value is only shared between neighboring ASes and not propagated further
Local Preference: parameter to prioritize parallel paths to a neighbor AS (for outbound traffic; higher is better); the value is propagated to the other iBGP routers of the own AS, never to eBGP neighbors
BGP Metric
1. Prefer the path with the highest weight (Cisco-specific parameter)
2. Prefer the path with the highest local preference
3. Prefer the path that was locally originated via a network or aggregate BGPsubcommand or through redistribution from an IGP
4. Prefer the path with the shortest AS PATH
5. Prefer the path with the lowest origin type (IGP < EGP < incomplete)
6. Prefer the path with the lowest MED
7. Prefer eBGP over iBGP paths
8. Prefer the path with the lowest IGP metric to the BGP next hop
9. Prefer the route that comes from the BGP router with the lowest router ID (IPaddress)
In the real world, the selection process is even more complex: MED is by default only compared between paths received from the same neighbor AS, for eBGP paths the oldest path is preferred before the router ID is consulted, and a more specific prefix always wins regardless of any attribute, because longest-prefix match happens before best-path selection.
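The nine steps as executable code, added here as an example (not code from the tutorial). It reports which step decided the tie, which is what one checks first when a router prefers an unexpected path. The candidate paths use documentation AS numbers and constructed next hops and router IDs; the simplifications relative to a real implementation are stated in the docstring.

```python
"""BGP best-path selection in the order listed above (Cisco-style). Added example, not
from the tutorial; the candidate paths are constructed and use documentation AS numbers."""
from dataclasses import dataclass
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

STEPS = [
    "weight", "local preference", "locally originated", "AS path length",
    "origin", "MED", "eBGP over iBGP", "IGP metric to next hop", "router ID",
]


@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    weight: int = 0                   # Cisco-specific, local to the router
    local_pref: int = 100             # propagated within the AS via iBGP
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0                      # lower is better
    from_ebgp: bool = True
    igp_metric: int = 0               # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"        # BGP identifier of the advertising router

    @property
    def origin_as(self):
        return self.as_path[-1] if self.as_path else None


def _rid(rid: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in rid.split("."))


def rank(p: Path) -> tuple:
    """Per-step sort key; for every step a *smaller* value is better."""
    return (
        -p.weight,
        -p.local_pref,
        0 if p.locally_originated else 1,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.from_ebgp else 1,
        p.igp_metric,
        _rid(p.router_id),
    )


def select(paths: List[Path]) -> Tuple[Path, str]:
    """Return the best path and the name of the step that decided it.
    Simplifications: MED is compared across all candidates, which real routers only
    do with 'bgp always-compare-med'; the 'oldest path' step before router ID is omitted."""
    candidates = list(paths)
    for step, name in enumerate(STEPS):
        best = min(rank(p)[step] for p in candidates)
        candidates = [p for p in candidates if rank(p)[step] == best]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie (same router ID)"


if __name__ == "__main__":
    # Two routes to the same prefix learned from two eBGP neighbours (constructed).
    via_a = Path("192.0.2.1", [64496, 64500], router_id="192.0.2.1")
    via_b = Path("198.51.100.1", [64497, 64501, 64500], local_pref=200, router_id="198.51.100.1")
    best, why = select([via_a, via_b])
    print(best.next_hop, "chosen by", why)   # 198.51.100.1 chosen by local preference
    via_b.local_pref = 100                   # with equal local preference ...
    print(select([via_a, via_b])[1])         # ... the shorter AS path wins: AS path length
```

Local preference sits above AS path length, so an operator's policy (or a leaked high local preference from a misconfigured iBGP peer) overrides the topology-based tie-break entirely; this is the attribute to audit first when traffic leaves via the wrong neighbor.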
BGP and Security
Watch the video on the following site, YouTube Hijacking: A RIPE NCC RIS case study, and discuss how secure the Border Gateway Protocol is.
BGP and Security
Discuss the following issues:
– What happened?
– What has been the reason for the incident?
– How did it affect the routing in the Internet?
– Which countermeasures were applied?
– Will such incidents repeat?
BGP and Security
BGP misconfiguration is very common!
– In the case study, AS17557 (Pakistan Telecom) announced 208.65.153.0/24, a more specific of YouTube's 208.65.152.0/22, and its upstream AS3491 (PCCW) propagated it without filtering
– Because longest-prefix match precedes the best path algorithm, every router that received the /24 preferred it over YouTube's /22, regardless of AS path length or any other attribute
– YouTube countered by announcing the same /24 and two /25s itself; the hijack ended when the upstream withdrew the announcement
– BGP itself has no way to verify that an AS is authorized to originate a prefix; prefix filters at the upstream based on registry data are the countermeasure, and where they are missing the next misconfiguration propagates just as well
BGP and Security
Figure: IPv4 “Bogon” Prefixes
BGP and Security
Figure: Maximum AS Path Lengths
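The checks an upstream could have applied to the case-study announcement, together with the bogon filter and the AS path length limit the two figures above refer to, as an added example (not code from the tutorial or the RIPE study). The expected-origin table stands in for IRR route objects or RPKI ROAs; the prefix and origin AS numbers of the YouTube block are those of the case study, while the bogon subset, the maximum path length and the rest of the AS paths are constructed.

```python
"""Sanity checks a BGP speaker can apply to a received announcement before it enters
best-path selection. Added example, not from the tutorial; the expected-origin table plays
the role of IRR route objects or RPKI ROAs, the bogon list is a constructed subset of the
usual reserved ranges, and the AS path limit is a constructed value."""
import ipaddress

BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# (prefix, authorised origin AS, longest prefix length that origin may announce).
# YouTube's block from the RIPE NCC case study; the maximum length is an assumption.
EXPECTED = [("208.65.152.0/22", 36561, 22)]

MAX_AS_PATH = 50   # constructed 'maxas-limit'; absurdly long paths have crashed routers


def evaluate(prefix, as_path, expected=EXPECTED, bogons=BOGONS, max_as_path=MAX_AS_PATH):
    """Return (verdict, reason) for one announcement.
    verdict: 'reject' (never install), 'invalid' (origin not authorised or prefix too
    specific), 'unknown' (nothing registered to compare with), 'valid'."""
    net = ipaddress.ip_network(prefix)
    if any(net.overlaps(b) for b in bogons):
        return "reject", f"{net} overlaps bogon space"
    if not as_path:
        return "reject", "empty AS path"
    if len(as_path) > max_as_path:
        return "reject", f"AS path length {len(as_path)} exceeds {max_as_path}"
    origin = as_path[-1]
    covering = [(ipaddress.ip_network(p), asn, maxlen) for p, asn, maxlen in expected
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown", f"no registered origin covers {net}"
    for reg_net, asn, maxlen in covering:
        if asn == origin and net.prefixlen <= maxlen:
            return "valid", f"AS{asn} is registered for {reg_net}"
    details = ", ".join(f"{n} -> AS{asn} up to /{m}" for n, asn, m in covering)
    return "invalid", f"AS{origin} announces {net}; registered: {details}"


if __name__ == "__main__":
    print(evaluate("208.65.152.0/22", [64500, 36561]))    # valid
    print(evaluate("208.65.153.0/24", [3491, 17557]))     # invalid: wrong origin, too specific
    print(evaluate("208.65.153.0/24", [64500, 36561]))    # invalid: right origin, still too specific
    print(evaluate("10.1.0.0/16", [64500, 64501]))        # reject: bogon
    print(evaluate("208.65.152.0/22", list(range(64500, 64560))))  # reject: path too long
```

The third call shows why a maximum prefix length belongs in the registration: without it, anyone who can make an announcement look as if it came from the right origin AS (a leak through a customer, a forged AS path) still wins by announcing a more specific prefix. Unknown prefixes are the operational problem: rejecting them breaks reachability for every network that never registered, so most deployments only drop "invalid" and log "unknown".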
BGP and Security
Further material:
– BGPmon.net, a BGP monitoring and analyzer tool
– Chinese ISP hijacks the Internet
– Hijacking the Internet using a BGP MITM Attack (Defcon 16)
– BGP Visualization