19531 - Telematics - Freie Universität
10th Tutorial - Internet Backbone Terminology, Multicast, MPLS

Bastian Blywis

Department of Mathematics and Computer Science
Institute of Computer Science
13. January, 2011

Institute of Computer Science – Telematics Tutorial – 13. January, 2011

Outline

1. IPv6 Privacy

2. Problems of Internet Core Routing

3. Clarification of Internet Backbone Terminology

4. IP layer vs. Ethernet Multicast

5. IP layer Multicast

6. MPLS

7. BGP Metric

8. BGP and Security


IPv6 Privacy

IPv6 addresses will (probably) be more persistent, and each address contains an interface ID. Isn't this a privacy issue?

IPv6 Privacy

IPv6 Privacy Concerns:
– IPv6 address contains interface ID (MAC address)
– User profiles can be created
– Location of the user is traceable
– RFC 3041 allows random identifiers with limited lifetime
– Single network interface is assigned two global addresses
  – derived from MAC for outbound connections
  – derived from random value for inbound connections
– Enabled by some operating systems as default; Linux: sysctl net.ipv6.conf.eth0.use_tempaddr
– but: the address is still a locator

Narten and Draves: Privacy Extensions for Stateless Address Autoconfiguration in IPv6, RFC 3041, 2001
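The following script is an added example (not part of the tutorial slides) that makes the first concern concrete: it derives the modified EUI-64 interface ID from a MAC address the way stateless autoconfiguration does, recovers the MAC again from any address that carries the ff:fe marker, and generates an RFC 3041-style random interface ID for comparison. The prefix 2001:db8::/64, the MAC 00:11:22:33:44:55 and the sample "log" addresses are constructed placeholders.

```python
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC: insert ff:fe in the
    middle and flip the universal/local bit (0x02 in the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def temporary_interface_id() -> int:
    """Random 64-bit interface ID in the style of RFC 3041 temporary addresses;
    the universal/local bit (bit 57 of the 64-bit ID) is cleared."""
    return secrets.randbits(64) & ~(1 << 57)


def address_from_iid(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The persistent, MAC-derived global address of an interface."""
    return address_from_iid(prefix, eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Recover the MAC if the interface ID carries the EUI-64 ff:fe marker.
    Returns None for random interface IDs (a random ID matches the marker
    only with probability 2**-16)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


# Constructed sample addresses, as an observer (e.g. a web server) would log them.
SAMPLE_LOG_ADDRESSES = [
    "2001:db8::211:22ff:fe33:4455",   # EUI-64 derived: hardware identity leaks
    "2001:db8::1234:5678:9abc:def0",  # random interface ID: nothing to recover
]


def audit(addresses):
    """Map each address to the MAC it reveals, or None."""
    return {a: mac_from_address(a) for a in addresses}


if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_LOG_ADDRESSES).items():
        print(addr, "->", mac or "no MAC recoverable")
    tmp = address_from_iid("2001:db8::/64", temporary_interface_id())
    print("temporary address:", tmp, "->", mac_from_address(str(tmp)))
```

The audit shows what the slide calls the locator problem from the other side: even after the interface ID is randomised, the /64 prefix still identifies the network the host sits in, so a temporary address removes the hardware identity but not the location.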


Problems of Internet Core Routing

Read the article "Towards A New Internet Routing Architecture: Arguments for Separating Edges from Transit Core" by Jen et al., presented at ACM HotNets 2008.

1. What is the default-free zone? Why do we need such a part within the Internet?

2. What is the problem of current Internet core routing?

3. Discuss the advantages and disadvantages of provider-independent addresses.

4. Which service is required by current separation schemes?

Problems of Internet Core Routing

– Default-free zone (DFZ) is the set of (Internet backbone) routers that operate without a default route
– Routing table size in the DFZ has been growing at an alarming rate
– Conceptual reason: Routing tables of the transit core reflect edge networks
– There are two major (practical) reasons for the overflowing routing tables:
  1. Awkward address allocation: Current address assignment schemes make it hard to aggregate multiple routes into a larger one, e.g., 192.0.2.0/24 and 192.0.3.0/24 could only be aggregated to 192.0.2.0/23 if they are topologically adjacent
  2. Site multi-homing: an edge network's address prefix(es) must be visible in the global routing table (no ISP can aggregate a multi-homed edge network's prefix into its own address prefix)
– Provider-independent (PI) addresses are used to realize multi-homing
– PIs do not belong to a dedicated ISP, but are assigned directly to the edge network
– Pro: Avoids address update when changing providers
– Con: No aggregation within the DFZ per
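As an added example (not from the tutorial), the script below models the two reasons for DFZ table growth with Python's ipaddress module: the first function shows which prefixes can actually be summarised (the slide's 192.0.2.0/24 + 192.0.3.0/24 case, and a numerically adjacent but unaligned pair that cannot), and the second builds a toy view of what the DFZ must carry when single-homed PA customers hide behind their provider's aggregate while multi-homed PA customers and PI holders do not. The ISP names and all prefixes are constructed placeholders from the documentation ranges.

```python
import ipaddress


def aggregate(prefixes):
    """Collapse prefixes into the fewest covering networks. Only adjacent and
    aligned blocks merge: 192.0.2.0/24 + 192.0.3.0/24 -> 192.0.2.0/23, but
    192.0.3.0/24 + 192.0.4.0/24 stay separate (no /23 starts at an odd octet)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def dfz_view(isp_aggregates, edge_prefixes):
    """Constructed model of the entries the default-free zone has to carry.

    isp_aggregates: {isp_name: [PA block announced by that provider, ...]}
    edge_prefixes:  [(prefix, kind)] with kind in {"pa", "pa-multihomed", "pi"}
    """
    blocks = [ipaddress.ip_network(b) for bl in isp_aggregates.values() for b in bl]
    table = set(blocks)  # every provider aggregate is in the global table
    for prefix, kind in edge_prefixes:
        net = ipaddress.ip_network(prefix)
        covered = any(net.subnet_of(b) for b in blocks)
        if kind == "pa" and covered:
            continue  # single-homed PA customer: hidden behind the provider's aggregate
        # PI space, or a multi-homed PA customer, needs its own DFZ entry
        table.add(net)
    return [str(n) for n in sorted(table)]


# Constructed scenario: two providers, three edge networks.
ISPS = {"ISP-A": ["203.0.113.0/24"], "ISP-B": ["198.51.100.0/24"]}
EDGES = [
    ("203.0.113.0/26", "pa"),             # single-homed customer of ISP-A
    ("203.0.113.64/26", "pa-multihomed"),  # ISP-A space, but also reachable via ISP-B
    ("192.0.2.0/24", "pi"),                # provider-independent assignment
]

if __name__ == "__main__":
    print(aggregate(["192.0.2.0/24", "192.0.3.0/24"]))
    print(aggregate(["192.0.3.0/24", "192.0.4.0/24"]))
    for entry in dfz_view(ISPS, EDGES):
        print("DFZ entry:", entry)
```

Of the four resulting entries, two exist only because of multi-homing and PI space; with more edge networks the table grows linearly with them, which is the scaling problem the separation schemes on the next slide address.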


Problems of Internet Core Routing

Problem: Solve the conflict between provider-based address aggregation and edge networks' need for multi-homing

Common goal: Bring routing scalability under control by removing PI prefixes and de-aggregated provider-assigned (PA) addresses from the global routing system

Current solution space:

Elimination: Requires that edge networks take address assignments from their providers
– No PIs; multi-homed edge networks will use multiple PA addresses internally and must modify end hosts to support multi-homing

Separation: Separates edge networks from the transit core
– Control and management layer between edge networks and DFZ
– Edge networks no longer participate in transit core routing nor announce their prefixes into it
– Requires a global mapping service that associates edge networks with the transit core (nontrivial!)

Clarification of Internet Backbone Terminology

Explain the following terms:

1. Regional Internet Registry (RIR)

2. Internet Exchange Point (IXP)

3. Peering in the context of Internet routing

What are upstream, downstream and transit providers?

Clarification of Internet Backbone Terminology

– Regional Internet Registry (RIR), e.g., RIPE, assigns IP prefixes
– Internet Exchange Points (IXP) are public peering points for ISPs; reduces traffic via upstream ISPs; no costs for traffic
– Peering is the agreement to exchange traffic (without costs) between networks owned by different entities
– Upstream ISPs send traffic towards other ISPs
– Downstream ISPs send traffic towards end customers (increasing IP prefix length)
– Transit ISPs provide Internet connections only to other ISPs; they interconnect ISPs (and not end users)
– Tiers
  – Tier 1 networks are transit-free
  – Tier 2 networks have to pay for some traffic
  – Tier 3 networks purchase transit from other networks


IP layer vs. Ethernet Multicast

1. A source sends an IP multicast packet. What happens on the data link layer? Hint: Think about the destination MAC address.

2. Discuss if a switch, a hub, or both can implement efficient multicast delivery.

3. When the underlying hardware does not support multicast, IP multicast uses hardware broadcast for delivery. Is there any advantage to using IP multicast over such networks?

IP layer vs. Ethernet Multicast

1. Mapping from layer 3 to layer 2
– There is no ARP involved, as the source does not know group members/receivers and does not address known hosts
– IP multicast address is mapped to Ethernet multicast address
– Lower 23 bits (IPv4) or 32 bits (IPv6) of the layer 3 multicast group address are used
– Collisions of groups are possible and have to be handled in the network layer protocol
– Examples
  – IPv4
    IPv4 multicast prefix: 224.0.0.0/4
    IPv4 multicast address: 224.0.0.1
    Ethernet IPv4 multicast prefix: 01:00:5e:00:00:00/25
    Ethernet multicast address: 01:00:5e:00:00:01
  – IPv6
    IPv6 multicast prefix: ff00::/8
    IPv6 multicast address: ffx2::11:22:33:44
    Ethernet IPv6 multicast prefix: 33:33:00:00:00:00/16
    Ethernet multicast address: 33:33:11:22:33:44

Deering: Host Extensions for IP Multicasting, RFC 1112, 1989

Crawford: Transmission of IPv6 Packets over Ethernet Networks, RFC 2464, 1998
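The mapping above, implemented as an added example that is not part of the slides: both directions of the RFC 1112 / RFC 2464 rule, the enumeration of the 32 IPv4 groups that collide on one Ethernet address (the five bits between the 224/4 prefix and the low 23 bits are discarded), and the two-stage receive filter that the collision forces on a host: the NIC accepts on the MAC, the IP layer must still compare the exact group. The group addresses used in the sample run are well-known ones (all-hosts, SSDP, a solicited-node group); the joined-groups list is constructed.

```python
import ipaddress


def _mac(value: int) -> str:
    """Render a 48-bit integer as a colon-separated MAC string."""
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def ipv4_group_to_mac(group: str) -> str:
    """RFC 1112: 01:00:5e (with the next bit 0) + low 23 bits of the group."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    return _mac(0x01005E000000 | (int(ip) & 0x7FFFFF))


def ipv6_group_to_mac(group: str) -> str:
    """RFC 2464: 33:33 + low 32 bits of the group."""
    ip = ipaddress.IPv6Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not in ff00::/8")
    return _mac(0x333300000000 | (int(ip) & 0xFFFFFFFF))


def ipv4_groups_sharing_mac(group: str):
    """All 32 IPv4 groups that map onto the same Ethernet address as `group`:
    the 28 group bits minus the 23 that survive leave 5 bits of ambiguity."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


def host_filter(dst_group: str, joined_groups):
    """Two-stage receive filter on a host. Returns (nic_accepts, ip_layer_accepts):
    the NIC only sees the MAC, so a colliding group passes it and is dropped
    by the IP layer, which compares the full 32-bit destination."""
    joined_macs = {ipv4_group_to_mac(g) for g in joined_groups}
    nic_ok = ipv4_group_to_mac(dst_group) in joined_macs
    return nic_ok, nic_ok and dst_group in joined_groups


if __name__ == "__main__":
    for g in ("224.0.0.1", "239.255.255.250"):
        print(g, "->", ipv4_group_to_mac(g))
    for g in ("ff02::1", "ff02::1:ff00:1234"):
        print(g, "->", ipv6_group_to_mac(g))
    print("groups colliding with 224.0.0.1:", ipv4_groups_sharing_mac("224.0.0.1"))
    # constructed: a host that joined only the all-hosts group receives a
    # frame for 225.0.0.1, which shares the MAC 01:00:5e:00:00:01
    print("225.0.0.1 at a host joined to 224.0.0.1:", host_filter("225.0.0.1", ["224.0.0.1"]))
```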


IP layer vs. Ethernet Multicast

2. A switch can support multicast on the data link layer
– Hubs are not aware of any data link layer headers; they cannot implement (Ethernet) multicast
– A multicast-enabled switch needs to track IGMP/MLD packets to detect multicast receivers (the function is called "IGMP/MLD snooping")
– Violates the hierarchical network model (but that is not the first case)

3. Layer 2 without multicast support
– Each switch has to flood the packets
– Each station will receive all "multicast" packets
– Yet the source has to send each packet only once
– Often still better than falling back to unicast (depends on the total number of stations and multicast receivers)

Christensen et al.: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches, RFC 4541, 2006


IP layer Multicast

1. Explain the difference between group management and multicast routing.

2. Discuss why multicast applications do not use TCP as transport protocol.

3. A multicast receiver intends to inform a multicast source about its service requirements (e.g., quality of a transmitted video). Discuss if this is possible.

4. Over 50% of the Internet paths are asymmetric. Discuss why this is a problem for multicast delivery in contrast to unicast. Hint: Think about tree construction and reverse path forwarding.

IP layer Multicast

Management & Routing
– Group management
  – Implements join and leave maintenance of multicast receivers
  – Group management protocol is used between end hosts and their direct routers
  – Protocols:
    – IPv4: Internet Group Management Protocol (IGMP)
    – IPv6: Multicast Listener Discovery (MLD)
– Multicast routing
  – Forwarding of multicast (data) packets between different multicast domains
  – Routing protocol is used between routers
  – Example protocols: PIM-SM and DVMRP

Multicast & TCP
– Multicast source is not aware of multicast receivers
– TCP is a connection-oriented protocol
– TCP's three-way handshake is not defined for a group of hosts
  – In particular, it is not possible for dynamic groups
  – Is there a feedback channel from the multicast listener to the source? (see next slide)
– Multicast applications use UDP


IP layer Multicast

Feedback
– Multicast group address abstracts data sources from hosts
– Multicast source sends data
– Multicast receivers listen to data
– There is no feedback channel from the receiver to the source(s)

Problem of asymmetric Internet paths:
– In contrast to unicast, multicast delivery paths will be constructed on demand (by routers, based on listener subscriptions)
– Multicast forwarding state establishment (usually) follows the shortest path from the receiver to the source: Reverse Path Forwarding (RPF)
– Established paths are "optimal" from the receiver's point of view, but multicast traffic flows from the source to the group members
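The asymmetry problem, worked through on a constructed four-node topology as an added example (not from the tutorial): link costs differ per direction, so the receiver's shortest path back to the source (the branch along which RPF-based protocols install forwarding state) is not the source's shortest path to the receiver. The script computes both with Dijkstra, prices the multicast delivery path with the forward link costs, and implements the RPF check a router applies to an arriving packet. The topology, node names and costs are assumptions chosen to expose the effect.

```python
import heapq

# Constructed topology: TOPOLOGY[u][v] is the cost of the directed link u -> v.
# Every link exists in both directions, but with different costs.
TOPOLOGY = {
    "S": {"A": 1, "B": 5},     # S: multicast source
    "A": {"S": 10, "R": 1},
    "B": {"S": 1, "R": 5},
    "R": {"A": 10, "B": 1},    # R: multicast receiver
}


def shortest_path(graph, src, dst):
    """Dijkstra over directed costs; returns (node list, total cost)."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph.get(u, {}).items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        raise ValueError(f"{dst} unreachable from {src}")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def path_cost(graph, path):
    """Cost of walking `path` in the forward direction."""
    return sum(graph[u][v] for u, v in zip(path, path[1:]))


def rpf_delivery_path(graph, source, receiver):
    """Forwarding state is built from the receiver toward the source along the
    receiver's shortest path; the data then flows the reverse way, so its cost
    must be measured with the forward (source -> receiver) link costs."""
    reverse_path, _ = shortest_path(graph, receiver, source)
    delivery = reverse_path[::-1]
    return delivery, path_cost(graph, delivery)


def rpf_check(graph, router, source, arrived_from):
    """RPF check: accept a packet from `source` only if it came in from the
    neighbour that `router` itself would use to reach `source`."""
    path, _ = shortest_path(graph, router, source)
    return path[1] == arrived_from


if __name__ == "__main__":
    print("unicast S->R   :", shortest_path(TOPOLOGY, "S", "R"))
    print("RPF delivery   :", rpf_delivery_path(TOPOLOGY, "S", "R"))
    # B reaches S directly, so a packet from S arriving at B from S passes;
    # A's cheapest way to S runs A->R->B->S, so a packet from S arriving
    # directly at A fails the check and is dropped.
    print("B accepts from S:", rpf_check(TOPOLOGY, "B", "S", "S"))
    print("A accepts from S:", rpf_check(TOPOLOGY, "A", "S", "S"))
```

Unicast from S to R costs 2, but the tree branch that RPF installs delivers the same data at cost 10; the receiver optimised the reverse direction, which is exactly the mismatch the slide describes.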


MPLS

1. Is it possible to determine if your ISP uses MPLS? (Assume it is possible to transmit arbitrary packets.)

2. Can traceroute identify the complete path between two hosts including the routers of the MPLS domain?

MPLS

– MPLS is used in dedicated domains
– Forwarding within an MPLS domain is based on labels (not IP addresses)
– MPLS is transparent for end devices
– Hops in an MPLS domain are (often) not visible via IP traceroute
  – disabled TTL propagation mode
    – TTL in IP header is not decremented per hop
    – ingress and egress router should at least decrement the TTL
  – MPLS ingress routers can copy the IP TTL into the MPLS shim header
    – TTL propagation mode
    – MPLS TTL is decreased per hop
    – egress router copies MPLS TTL into IP TTL field
    – If TTL = 0 inside the tunnel, the packet is dropped
      – No notification, or
      – ICMP Time Exceeded packet is created and sent back to the source
  – Different behaviors in different MPLS domains
– Question: MPLS tunnels can be unidirectional. How does the ICMP Time Exceeded get back to the source?

BGP Metric

The Border Gateway Protocol applies the so-called Best Path Algorithm. Explain how a BGP router determines the route when multiple paths are available.


BGP Metric

Important BGP Terminology

AS: Autonomous System
ASN: AS Number (2 or 4 byte)
Prefix: CIDR prefix of a network
AS PATH: Path to a specific prefix through one or more AS
EGP: Exterior Gateway Protocol, protocol used for routing between AS (BGP in this case)
IGP: Interior Gateway Protocol, protocol used for routing inside an AS
eBGP: external BGP, usage of BGP between routers in different AS
iBGP: internal BGP, usage of BGP between routers inside the same AS
RR: Route Reflector, collects routes learned via eBGP and propagates them to all BGP routers inside the AS (resolves scaling issues)
MED: Multi-Exit Discriminator, parameter to prioritize parallel paths to a neighbor AS (for inbound traffic); value is only shared between neighbored AS
Local Preference: Parameter to prioritize parallel paths to a neighbor AS (for outbound traffic); value is propagated to other iBGP routers

BGP Metric

1. Prefer the path with the highest weight (Cisco-specific parameter)

2. Prefer the path with the highest local preference

3. Prefer the path that was locally originated via a network or aggregate BGP subcommand or through redistribution from an IGP

4. Prefer the path with the shortest AS PATH

5. Prefer the path with the lowest origin type (IGP < EGP < incomplete)

6. Prefer the path with the lowest MED

7. Prefer eBGP over iBGP paths

8. Prefer the path with the lowest IGP metric to the BGP next hop

9. Prefer the route that comes from the BGP router with the lowest router ID (IP address)

In the real world, the selection process is even more complex.
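The nine steps above as a runnable decision procedure, added here as an example and not taken from the slides or from any router implementation: candidate paths are narrowed step by step and the function reports which step decided, which is what an operator wants to know when a router picks an unexpected exit. The BgpPath fields, next hops, router IDs and the AS numbers (taken from the documentation ASN range 64496 to 64511, plus one private ASN) are constructed. As the slide says, real selection is more involved; one simplification is noted in the code.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class BgpPath:
    """One candidate route for the same prefix (constructed attribute set)."""
    next_hop: str
    as_path: tuple                  # e.g. (64500, 64510); the origin AS is last
    weight: int = 0                 # Cisco-specific, never leaves the router
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"             # igp < egp < incomplete
    med: int = 0
    learned_via_ebgp: bool = True
    igp_metric_to_next_hop: int = 0
    router_id: str = "0.0.0.0"


# Each step maps a path to a sort key; the smallest key wins, so attributes
# where "highest" is preferred are negated.
STEPS = [
    ("highest weight", lambda p: -p.weight),
    ("highest local preference", lambda p: -p.local_pref),
    ("locally originated", lambda p: 0 if p.locally_originated else 1),
    ("shortest AS path", lambda p: len(p.as_path)),
    ("lowest origin type", lambda p: ORIGIN_RANK[p.origin]),
    ("lowest MED", lambda p: p.med),
    ("eBGP over iBGP", lambda p: 0 if p.learned_via_ebgp else 1),
    ("lowest IGP metric to next hop", lambda p: p.igp_metric_to_next_hop),
    ("lowest router ID", lambda p: tuple(int(o) for o in p.router_id.split("."))),
]


def best_path(candidates):
    """Return (winner, step_number, step_name). Simplification: MED is compared
    across all candidates, whereas routers by default compare it only among
    paths received from the same neighbouring AS."""
    remaining = list(candidates)
    for number, (name, key) in enumerate(STEPS, start=1):
        best = min(key(p) for p in remaining)
        remaining = [p for p in remaining if key(p) == best]
        if len(remaining) == 1:
            return remaining[0], number, name
    return remaining[0], len(STEPS), "tie (identical router IDs)"


# Constructed candidates for one prefix, each differing in one decisive attribute.
P1 = BgpPath("10.0.0.1", (64500, 64510), med=10, router_id="10.0.0.1")
P2 = BgpPath("10.0.0.2", (64501,), med=20, router_id="10.0.0.2")
P3 = BgpPath("10.0.0.3", (64502, 64511, 64512), local_pref=200, router_id="10.0.0.3")
P4 = BgpPath("10.0.0.4", (64503, 64513), med=5, router_id="10.0.0.4")
P5 = BgpPath("10.0.0.5", (64500, 64510), med=10, router_id="9.255.255.255")

if __name__ == "__main__":
    for cands in ([P1, P2, P3], [P1, P2], [P1, P4], [P1, P5]):
        winner, step, name = best_path(cands)
        print(f"step {step} ({name}) -> next hop {winner.next_hop}")
```

Note that P3 wins on local preference despite the longest AS path: an operator-set local preference outranks path length, which is also why a mistaken local preference (or an imported route with a high one) silently redirects all outbound traffic.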


BGP and Security

Watch the video on the following site, "YouTube Hijacking: A RIPE NCC RIS case study", and discuss how secure the Border Gateway Protocol is.

BGP and Security

Discuss the following issues:
– What happened?
– What has been the reason for the incident?
– How did it affect the routing in the Internet?
– Which countermeasures were applied?
– Will such incidents repeat?

BGP and Security

BGP misconfiguration is very common!


BGP and Security

Figure: IPv4 “Bogon” Prefixes


BGP and Security

Figure: Maximum AS Path Lengths
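The two figures (bogon prefixes, maximum AS path lengths) and the "misconfiguration is very common" slide point at the inbound checks an AS applies before accepting a neighbour's announcement. The following added example (not from the tutorial or any vendor) implements such a policy check over constructed announcements: reject prefixes overlapping well-known bogon ranges, over-specific prefixes, implausibly long AS paths, private AS numbers leaked into the path, and an origin AS that does not match a locally held expectation (a stand-in for a ROA database). The bogon list is a partial, hand-written one, the length limits are assumed policy values, and the prefixes and ASNs come from the documentation ranges.

```python
import ipaddress

# Constructed, deliberately partial list of well-known IPv4 bogons (special-use
# ranges that must never appear in a global routing announcement). The RFC 5737
# documentation networks are left out only because this example uses them as
# placeholder customer prefixes; a production filter consumes a maintained feed.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]
MAX_PREFIX_LENGTH = 24    # common policy: nothing more specific than a /24 in IPv4
MAX_AS_PATH_LENGTH = 20   # assumed policy value; chosen per operator


def is_private_asn(asn: int) -> bool:
    """16-bit and 32-bit private/reserved AS number ranges."""
    return 64512 <= asn <= 65535 or 4200000000 <= asn <= 4294967295


def check_announcement(prefix, as_path, expected_origins=None):
    """Return the sorted list of policy violations for one received
    announcement; an empty list means accept. expected_origins maps
    prefix -> authorised origin ASN (a stand-in for ROA data)."""
    net = ipaddress.ip_network(prefix)
    reasons = set()
    if any(net.overlaps(b) for b in BOGONS):
        reasons.add("bogon")
    if net.prefixlen > MAX_PREFIX_LENGTH:
        reasons.add("too-specific")
    if len(as_path) > MAX_AS_PATH_LENGTH:
        reasons.add("as-path-too-long")
    if any(is_private_asn(a) for a in as_path):
        reasons.add("private-asn")
    if expected_origins and prefix in expected_origins and as_path:
        if as_path[-1] != expected_origins[prefix]:
            reasons.add("origin-mismatch")
    return sorted(reasons)


def filter_feed(announcements, expected_origins=None):
    """Split a batch of (prefix, as_path) into accepted and rejected entries."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        reasons = check_announcement(prefix, as_path, expected_origins)
        (rejected if reasons else accepted).append((prefix, as_path, reasons))
    return accepted, rejected


# Constructed sample feed from a neighbour whose origin for 203.0.113.0/24 is
# expected to be AS64497.
EXPECTED = {"203.0.113.0/24": 64497}
FEED = [
    ("203.0.113.0/24", [64496, 64497]),    # clean
    ("10.1.0.0/16", [64496, 64512]),       # bogon space, private ASN in path
    ("203.0.113.0/25", [64496] * 25),      # too specific, absurdly long path
    ("203.0.113.0/24", [64496, 64499]),    # wrong origin: looks like a hijack
]

if __name__ == "__main__":
    accepted, rejected = filter_feed(FEED, EXPECTED)
    for prefix, path, reasons in rejected:
        print("REJECT", prefix, path[:3], "...", reasons)
    for prefix, path, _ in accepted:
        print("ACCEPT", prefix, path)
```

Such a filter only catches what it can see from the neighbour's announcement; it does not stop a neighbour that announces someone else's prefix with a plausible origin and path, which is why the countermeasures discussed for the incident go beyond local filtering.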


BGP and Security

Further material:
– BGPmon.net, a BGP monitoring and analyzer tool
– Chinese ISP hijacks the Internet
– Hijacking the Internet using a BGP MITM Attack (Defcon 16)
– BGP Visualization

The Last Slide™

Thank you for your attention. Questions?