Basic networking 07-2012

Basic Networking Samuel Dratwa [email protected]

description

OSI 7 layer model. Basic networking. Everything you need to know - very high level. With an emphasis on TCP/IP

Transcript of Basic networking 07-2012

Page 1: Basic networking 07-2012

Basic Networking

Samuel [email protected]

Page 2: Basic networking 07-2012

What are we selling?

It’s all about customer satisfaction!

Page 3: Basic networking 07-2012

Agenda

Introduction: What is a network
OSI 7 layer model
The physical layer and the data link layer
The network layer – IP
The transport layer
The application (and session and presentation) layer
End to end – full stack
Advanced issues: Security, MPLS, Signaling

Page 4: Basic networking 07-2012

Networking

Communication between two or more devices.

Parts required for networking:

Host: computer, networked printer, etc. Sends/receives data for the network to the card.

Card: every card on a network has to have a unique address. The card breaks outgoing data into packets and addresses them; it receives packets addressed to it and re-assembles the packets into data.

Wire: transmits packets across the network. For this discussion this includes all wires, radios and devices between network cards (including hubs, switches, access points, etc.)

Page 5: Basic networking 07-2012

5 Basic Components

Every communication system has 5 basic requirements:
• Data Source (where the data originates)
• Transmitter (device used to transmit data)
• Transmission Medium (cables or non cable)
• Receiver (device used to receive data)
• Destination (where the data will be placed)

Page 6: Basic networking 07-2012

NETWORKS: categorized by size

• LAN – a network that connects computers in a limited geographical area.

• MAN – a backbone that connects LANs in a metropolitan area such as a city and handles the bulk of communications activity across that region.

• WAN – covers a large geographical area such as a city or country. Communication channels include telephone lines, Microwave, satellites, etc.

• PAN

Page 7: Basic networking 07-2012

What is a standard ?

A standard specification is an explicit set of requirements for an item, material, component, system or service. It is often used to formalize the technical aspects of a procurement agreement or contract.

A technical standard is an established norm or requirement about technical systems. It is usually a formal document that establishes uniform engineering or technical criteria, methods, processes and practices. In contrast, a custom, convention, company product, corporate standard, etc. which becomes generally accepted and dominant is often called a de facto standard.


Page 8: Basic networking 07-2012

Why do we need standards?

Interoperability

Page 9: Basic networking 07-2012

Standards bodies

(Figure: standards bodies and the standards they issue; the labels visible include IMT-Advanced and 802.X – LAN/WLAN.)

Page 10: Basic networking 07-2012

OSI 7 Layer Model

OSI - Open Systems Interconnection (Basic Reference Model)

Each level is an independent set of protocols.

Each level can be changed seamlessly.

Layers, from top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical.

Page 11: Basic networking 07-2012

5 Layer model

5 layer model: Application, Transport, Network, Data Link, Physical.

OSI 7 layer model, for comparison: Application, Presentation, Session, Transport, Network, Data Link, Physical. The OSI application, presentation and session layers map onto the single application layer of the 5 layer model.

Page 12: Basic networking 07-2012

OSI Layers

OSI Model

Data unit   Layer             Function
Data        7. Application    Network process to application
Data        6. Presentation   Data representation, encryption and decryption
Data        5. Session        Interhost communication
Segments    4. Transport      End-to-end connections and reliability, flow control
Packet      3. Network        Path determination and logical addressing
Frame       2. Data Link      Physical addressing
Bit         1. Physical       Media, signal and binary transmission

Going from layer 7 to 1: All People Seem To Need Data Processing

Page 13: Basic networking 07-2012

The flow

(Figure: Samuel’s browser calls send(s2, dataBlock) towards a web site. The data passes down the laptop’s stack, Transport (TCP), Network (IP), Link (WLAN), Physical, through a router that handles only Physical, Link and Network (IP), and then up the web server’s Physical, Link, Network (IP) and Transport (TCP) layers until the server calls read(s1, dataBlock). The numbered boxes 1 to 5 in the figure are the layers each packet traverses at each hop; the router touches only the lower three.)

Page 14: Basic networking 07-2012

5 Layer model (TCP/IP)

Application – represents the end user and the applications they use (mail, browsing, FTP, etc.)

Transport (TCP) – end-to-end message transfer, along with error control, fragmentation and flow control.

Network (AKA Internet, IP) – responsible for getting packets of data from source to destination.

Link – the processes of transmitting and receiving packets on a given link layer.

Page 15: Basic networking 07-2012

Layer 1: Physical Layer

Page 16: Basic networking 07-2012

Layer 1: Physical Layer

The Physical Layer defines the electrical and physical specifications for devices. In particular, it defines the relationship between a device and a physical medium.

This includes the pin layout, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters, and more.

Page 17: Basic networking 07-2012

Wire types

Co-Ax: composed of core, insulation, shielding, insulation. 10 Mb only. 10Base5 “Thicknet”: 500 meters. 10Base2 “Thinnet”: 200 meters.

Twisted Pair: 10/100/1000 Mb. 100 meters between devices. CAT3, CAT5, CAT5e, CAT6, CAT6e.

Page 18: Basic networking 07-2012

Wire Types (cont.)

Fiber: 10/100/1000/10,000 Mb. Multi-mode – Long Haul (20 km); Single-mode – “Short Haul” (3 km), what we use. Carries light, not electricity.

Wireless: speeds 11/7 Mb, 54/27 Mb. Because of encryption and connection upkeep, available bandwidth is about ½ of the stated speed.

Common “mediums”: InfraRed (IR); Microwave (long distances); Radio, licensed/private or un-licensed (802.11b/g/a).

Page 19: Basic networking 07-2012

Twisted Pair Cables

• Unshielded Twisted Pair Cable (UTP)
• most popular
• maximum length 100 m
• more susceptible to noise

• EIA/TIA 568 Commercial Building Wire Standard

Category 1   Voice transmission of traditional telephone
Category 2   For data up to 4 Mbps, 4 pairs full-duplex
Category 3   For data up to 10 Mbps, 4 pairs full-duplex
Category 4   For data up to 16 Mbps, 4 pairs full-duplex
Category 5   For data up to 100 Mbps, 4 pairs full-duplex
Category 6   For data up to 1000 Mbps, 4 pairs full-duplex

Page 20: Basic networking 07-2012

Shielded Twisted Pair Cable (STP)

• Shielding to reduce crosstalk
• Crosstalk: signal from one line getting mixed with signals from another line

• Connector
• RJ-45 computer connector (8 wires)

Pin   T568A    T568B
1     Rx+      Tx+
2     Rx-      Tx-
3     Tx+      Rx+
4     Unused   Unused
5     Unused   Unused
6     Tx-      Rx-
7     Unused   Unused
8     Unused   Unused

Page 21: Basic networking 07-2012

Straight and Cross connections

(Figure: Case 1, T568A at one end and T568B at the other: cross-over cable. Case 2, T568B at both ends: straight through cable. Case 3, two devices connected through a hub and a wall plate: a straight through cable and a cross-over cable.)

Page 22: Basic networking 07-2012

Examples

Page 23: Basic networking 07-2012

Layer 2: Data Link Layer

Page 24: Basic networking 07-2012

Layer 2: Data Link Layer

The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer.

Originally, this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system.

The data link layer is divided into two sub-layers by IEEE.

Page 25: Basic networking 07-2012

Layer 2: MAC & LLC

Layer 2 sub-layers: Media Access Control (MAC) and Logical Link Control (LLC).

MAC is the lower sub-layer; it defines how the medium is accessed, e.g. CSMA/CD/CA (Carrier Sense Multiple Access / Collision Detection / Collision Avoidance).

LLC provides the data transmission method across different networks. It re-packages the data and adds a new header.

Page 26: Basic networking 07-2012

The Channel Access Problem

Multiple nodes share a channel. Pairwise communication desired; simultaneous communication not possible.

MAC protocols suggest a scheme to schedule communication: maximize the number of communications and ensure fairness among all transmitters.

(Figure: nodes A, B and C sharing one channel.)

Page 27: Basic networking 07-2012

The Trivial Solution

Transmit and pray. Plenty of collisions --> poor throughput at high load.

(Figure: nodes A, B and C; two simultaneous transmissions collide.)

Page 28: Basic networking 07-2012

The Simple Fix

Listen before you talk: Carrier Sense Multiple Access (CSMA). Defer transmission when there is a signal on the channel.

(Figure: nodes A, B and C; a node that senses the channel busy doesn’t transmit.)

Can collisions still occur?

Page 29: Basic networking 07-2012

CSMA collisions

Collisions can still occur: the propagation delay between transmitters is non-zero.

When a collision happens, the entire packet transmission time is wasted.

(Figure: spatial layout of nodes.)

Note the role of distance & propagation delay in determining the collision probability.

Page 30: Basic networking 07-2012

CSMA/CD (Collision Detection)

Keep listening to the channel while transmitting.

If (Transmitted_Signal != Sensed_Signal), the sender knows it’s a collision: ABORT.

Page 31: Basic networking 07-2012

2 Observations on CSMA/CD

Transmitter can send/listen concurrently: if (Transmitted - Sensed = null) then success.

The signal is identical at Tx and Rx: non-dispersive.

Therefore the TRANSMITTER can detect if and when a collision occurs.
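The channel-access behaviour of the last few slides, as an added simulation that is not from the slides: nodes sit on a shared bus at positions measured in propagation-delay units, and the run shows why transmit-and-pray collides, why carrier sense still collides when the second node starts before the first signal has propagated to it, and how collision detection cuts the wasted time from a full packet time to the detection instant. Node names, positions and timings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    pos: float     # position on the shared bus, in propagation-delay time units
    ready: float   # time at which the node has a frame ready to send

@dataclass
class Tx:
    node: Node
    start: float
    end: float
    collided: bool = False

def delay(a: Node, b: Node) -> float:
    """Propagation delay between two nodes: the signal needs this long to travel."""
    return abs(a.pos - b.pos)

def channel_busy_at(node: Node, t: float, txs: list) -> bool:
    """Carrier sense: is someone else's signal present at this node's location at time t?
    A signal started at s by a node d units away is present here during [s + d, end + d)."""
    return any(tx.start + delay(node, tx.node) <= t < tx.end + delay(node, tx.node)
               for tx in txs)

def simulate(nodes, packet_time, carrier_sense=True, collision_detect=True):
    """Each node tries once, at its ready time.  Returns {name: (outcome, time_on_air)}
    where outcome is 'sent', 'collided' or 'deferred'."""
    txs, outcome = [], {}
    for node in sorted(nodes, key=lambda n: n.ready):
        t = node.ready
        if carrier_sense and channel_busy_at(node, t, txs):
            outcome[node.name] = ("deferred", 0.0)   # listen before you talk: wait
            continue
        new = Tx(node, t, t + packet_time)           # transmit and pray, or sensed idle
        for tx in txs:
            d = delay(node, tx.node)
            # Two signals collide if they overlap at either transmitter's location.
            at_old = new.start + d < tx.end and tx.start < new.end + d
            at_new = tx.start + d < new.end and new.start < tx.end + d
            if at_old or at_new:
                tx.collided = new.collided = True
                if collision_detect:
                    # CSMA/CD: a transmitter keeps listening and aborts the moment the
                    # other signal reaches it (Transmitted_Signal != Sensed_Signal).
                    tx.end = min(tx.end, max(tx.start, new.start + d))
                    new.end = min(new.end, max(new.start, tx.start + d))
        txs.append(new)
    for tx in txs:
        outcome[tx.node.name] = ("collided" if tx.collided else "sent", tx.end - tx.start)
    return outcome

if __name__ == "__main__":
    # Constructed scenario: A at one end of the bus, B five delay units away, B ready
    # before A's signal has reached it.
    for cs, cd in ((False, False), (True, False), (True, True)):
        r = simulate([Node("A", 0, 0), Node("B", 5, 3)], packet_time=100,
                     carrier_sense=cs, collision_detect=cd)
        print(f"carrier_sense={cs} collision_detect={cd}: {r}")
```

With B ready at time 20 instead of 3, carrier sense alone prevents the collision, because A's signal has already reached B by then.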

Page 32: Basic networking 07-2012

Unfortunately…

Both observations do not hold for wireless.

Because …

Page 33: Basic networking 07-2012

Wireless Medium Access Control

(Figure: nodes A, B, C and D on a line; signal power plotted against distance.)

Page 34: Basic networking 07-2012

Wireless Media Disperse Energy

(Figure: the same nodes A, B, C and D; received signal power decays with distance from the transmitter.)

A cannot send and listen in parallel.

The signal is not the same at different locations.

Page 35: Basic networking 07-2012

IEEE 802.11

RTS = Request To Send; CTS = Clear To Send.

(Figure: nodes D, Y, S, M, K and X; the sender issues an RTS and the receiver answers with a CTS.)

Page 36: Basic networking 07-2012

IEEE 802.11

(Figure: the same nodes; the nodes that heard the RTS or the CTS are silenced while the Data is sent and the ACK is returned.)

Page 37: Basic networking 07-2012

Ethernet Frame Format

• Preamble: for synchronization
• Des. Add: destination address
• Sour. Add: source address
• FCS: Frame Check Sequence

Field   Preamble   Des. Add   Sour. Add   Type      Data              FCS
Size    8 Bytes    6 Bytes    6 Bytes     2 Bytes   46 - 1500 Bytes   4 Bytes

Page 38: Basic networking 07-2012

Ethernet II (DIX) Framing

A frame is the unit of transmission in a link layer protocol, and consists of a link-layer header followed by a packet. MAC Addresses are 48-bit (6 byte) identifiers unique to each NIC. EtherType (2 byte/16-bit) describes which protocol is encapsulated in the frame data – IPv4, IPv6, IBoE, FCoE, etc. (http://standards.ieee.org/regauth/ethertype/eth.txt)

Page 39: Basic networking 07-2012

There is a “small problem”

IEEE 802.3 Frame Format

Field   Preamble   Start frame delimiter   Des. Add    Sour. Add   Length    Data              FCS
Size    7 Bytes    1 Byte                  2/6 Bytes   2/6 Bytes   2 Bytes   46 - 1500 Bytes   4 Bytes

Page 40: Basic networking 07-2012

MAC Header, Source/Destination addresses

MAC Addresses are 48-bit (6 byte) identifiers unique to each Network Interface.
• Individual/Group Address Bit
• Universally/Locally administered address bit
• Organizationally unique identifier (OUI, a 22-bit field assigned by the IEEE, bits 3-24)
• NIC-specific unique address (OUA, a 24-bit number assigned by the manufacturer)
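An added parser for the Ethernet II / IEEE 802.3 framing and the MAC-address bits described on the last four slides (example code, not from the slides): it builds a frame with a correct FCS, then on parsing verifies the FCS before trusting anything else, tells a Type field from a Length field, and decodes the I/G and U/L bits of each address. The MAC addresses and payload are constructed; the preamble is omitted because the NIC strips it before software sees the frame.

```python
import struct
import zlib

# Constructed sample addresses (not from the slides).
DST_MAC = bytes.fromhex("ffffffffffff")   # broadcast: I/G bit of the first octet is 1
SRC_MAC = bytes.fromhex("02aabbccddee")   # U/L bit is 1: locally administered address
ETHERTYPE_IPV4 = 0x0800                   # EtherType values are registered by the IEEE

def fcs(body: bytes) -> bytes:
    """Frame Check Sequence: IEEE CRC-32 (the same polynomial, init and final XOR as
    zlib.crc32), transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, type_or_len: int, payload: bytes) -> bytes:
    """Frame as handed to software: Dest | Source | Type (or Length) | Data | FCS.
    The 8-byte preamble is generated and removed by the NIC, so it is not included."""
    if len(payload) < 46:                       # minimum Data size: pad with zeros
        payload = payload + b"\x00" * (46 - len(payload))
    if len(payload) > 1500:
        raise ValueError("Data exceeds the 1500-byte Ethernet maximum")
    body = dst + src + struct.pack("!H", type_or_len) + payload
    return body + fcs(body)

def describe_mac(mac: bytes) -> dict:
    """Decode the two flag bits of the first octet and the OUI (first three octets)."""
    first = mac[0]
    return {
        "text": ":".join(f"{b:02x}" for b in mac),
        "group": bool(first & 0x01),   # Individual/Group bit: 1 = multicast or broadcast
        "local": bool(first & 0x02),   # Universally/Locally administered bit
        "oui": mac[:3].hex(),
    }

def parse_frame(frame: bytes) -> dict:
    """Validate and decode a frame.  Anything with a bad FCS is dropped, as a NIC would."""
    if len(frame) < 6 + 6 + 2 + 46 + 4:
        raise ValueError("runt frame (shorter than the 64-byte minimum)")
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS: frame was corrupted in transit")
    dst, src = body[:6], body[6:12]
    type_or_len = struct.unpack("!H", body[12:14])[0]
    # The 'small problem': Ethernet II puts a Type here, IEEE 802.3 a Length.  They are
    # told apart by value: 0..1500 is a length, 0x0600 (1536) and above is an EtherType.
    if type_or_len >= 0x0600:
        framing, ethertype, data = "Ethernet II", type_or_len, body[14:]
    elif type_or_len <= 1500 and 14 + type_or_len <= len(body):
        framing, ethertype, data = "IEEE 802.3", None, body[14:14 + type_or_len]
    else:
        raise ValueError(f"invalid Type/Length value {type_or_len:#06x}")
    return {"framing": framing, "dst": describe_mac(dst), "src": describe_mac(src),
            "ethertype": ethertype, "data": data}

if __name__ == "__main__":
    frame = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, b"constructed payload")
    print(parse_frame(frame))
```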

Page 42: Basic networking 07-2012

Bridge

Large networks can be separated into two or more smaller networks using a bridge. This is done to increase speed and efficiency. This type of network is called a segmented LAN and has largely been superseded by the use of switches, which can transfer data straight to a computer and thus avoid the bottleneck jams which bridges were designed to fix.

Page 43: Basic networking 07-2012

Gateway

Often used to connect a LAN with a WAN. Gateways join two or more different networks together.

Page 44: Basic networking 07-2012

Repeater

Signal attenuation is corrected by repeaters that amplify signals in physical cabling.

Repeaters are part of the network medium (Layer 1). In theory, they are dumb devices functioning entirely without human intervention. However, some repeaters now offer higher-level services to assist with network management and troubleshooting.

Page 45: Basic networking 07-2012

Layer 3: Network Layer (IP)

Page 46: Basic networking 07-2012

Layer 3: Network Layer

The Network Layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport Layer.

Page 47: Basic networking 07-2012

Layer 3: Network Layer

The Network Layer performs routing, performs fragmentation and reassembly, and reports delivery errors.

Routers operate at this layer, sending data throughout the extended network and making the Internet possible.

Page 49: Basic networking 07-2012

IP v.4 header

Version (4 bits) – 6 or 4
Hlen (4 bits) – header length in 32 bit words; without options (usual case) the header is 20 bytes
Type of Service (TOS, 8 bits) – now being used for QoS
Total length (16 bits) – length of the datagram in bytes, includes header and data
Time to live (TTL, 8 bits) – specifies how long the datagram is allowed to remain in the internet (how many hops)
Protocol (8 bits) – specifies the format of the data area. Protocol numbers are administered by a central authority to guarantee agreement, e.g. TCP=6, UDP=17 …

Page 50: Basic networking 07-2012

IP Address

Unique addresses in the world. An IP address is 32 bits, noted in dotted decimal notation: 192.78.32.2

Host and Prefix Part: an IP address has a prefix and a host part: prefix:host

The prefix identifies a subnetwork and is used for locating a subnetwork – routing.

The prefix is usually identified in a host using a “subnet mask”.

Page 51: Basic networking 07-2012

Using a mask: address + mask

The mask is the dotted decimal representation of the bit string made of 1s in the prefix and 0s elsewhere.

Bit-wise address & mask gives the prefix.

Example 1: 128.178.156.13 mask 255.255.255.0; here the prefix is 128.178.156.0

Example 2: 129.132.119.77 mask 255.255.255.192. Q1: what is the prefix? Q2: how many host ids can be allocated?

Page 52: Basic networking 07-2012

Address + Mask (example 2)

129.132.119.77 mask 255.255.255.192

Q1: what is the prefix? A: 129.132.119.64

Q2: how many host ids can be allocated? A: 64 (minus the reserved addresses: 62)

address   129       132       119       77
          1000 0001 1000 0100 0111 0111 0100 1101
mask      255       255       255       192
          1111 1111 1111 1111 1111 1111 1100 0000
prefix    129       132       119       64
          1000 0001 1000 0100 0111 0111 0100 0000

The mask has 26 one-bits, leaving 6 host bits: 2^6 = 64 addresses.
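The address-and-mask computation of the last three slides, as added example code that is not from the slides: it converts dotted decimal to bits, rejects a non-contiguous mask, answers both questions for example 2 (prefix and number of host ids), shows the same binary layout as the slide, and cross-checks the result against Python's standard ipaddress module.

```python
import ipaddress   # standard library, used only to cross-check the hand computation

def to_int(dotted: str) -> int:
    """Dotted decimal -> 32-bit integer, rejecting anything that is not four octets."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(int(o) for o in octets), "big")

def to_dotted(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))

def to_binary(value: int) -> str:
    """The slide's layout: 32 bits in groups of four."""
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 4] for i in range(0, 32, 4))

def prefix_length(mask: str) -> int:
    """A valid subnet mask is a run of 1s followed by 0s; reject e.g. 255.0.255.0."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones

def analyze(address: str, mask: str) -> dict:
    """Answer the slide's two questions: what is the prefix, how many host ids?"""
    a, m = to_int(address), to_int(mask)
    plen = prefix_length(mask)
    prefix = a & m                                # bit-wise address & mask
    host = a & (~m & 0xFFFFFFFF)                  # the bits the mask leaves to the host
    size = 1 << (32 - plen)                       # all addresses in the block
    # Network and broadcast addresses are reserved, except on /31 and /32 (RFC 3021).
    usable = size - 2 if plen <= 30 else size
    check = ipaddress.ip_network(f"{address}/{plen}", strict=False)
    assert int(check.network_address) == prefix   # cross-check against the stdlib
    return {
        "prefix": to_dotted(prefix), "prefix_length": plen, "host_part": host,
        "broadcast": to_dotted(prefix | (size - 1)),
        "addresses": size, "usable_hosts": usable,
        "binary": {"address": to_binary(a), "mask": to_binary(m), "prefix": to_binary(prefix)},
    }

def same_subnet(addr_a: str, addr_b: str, mask: str) -> bool:
    """The routing decision a host makes: deliver directly if the prefixes match."""
    m = to_int(mask)
    return to_int(addr_a) & m == to_int(addr_b) & m

if __name__ == "__main__":
    for key, value in analyze("129.132.119.77", "255.255.255.192").items():
        print(f"{key:14} {value}")
```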


Page 55: Basic networking 07-2012

Private networks

Page 56: Basic networking 07-2012

The main problem (Cisco movie)

Page 57: Basic networking 07-2012

Major Changes and Additions in IPv6

● Larger Address Space: addresses are 128 bits long instead of 32 bits.

● Hierarchical Assignment of Addresses: allows for multiple levels of network and subnetwork hierarchies both at the ISP and organizational level.

● Better Support for Non-Unicast Addressing: support for multicasting is improved, and there is a new type of addressing: anycast addressing.

● Auto-configuration and Renumbering: auto-configuration of hosts and renumbering of the IP addresses in networks and subnetworks as needed.

● New Datagram Format: the main header of each IP datagram has been streamlined, and support added for easily extending the header for datagrams requiring more control information.

● Improved Support for Quality of Service and Security

● Updated Fragmentation and Reassembly Procedures: fragmentation and reassembly have been changed to improve the efficiency of routing.

● Modernized Routing Support: the IPv6 protocol supports modern routing systems and allows expansion as the Internet grows.


Page 60: Basic networking 07-2012

IP v.6 header

Version (4 bits) – 6 or 4
Traffic Class (8 bits) – traffic priority delivery value
Flow Label (20 bits) – used for specifying special router handling from source to destination(s) for a sequence of packets
Payload Length (16 bits) – specifies the length of the data
Hop Limit (8 bits) – the same as TTL in IPv4
Source address – 16 bytes
Destination address – 16 bytes

Page 61: Basic networking 07-2012

IPv6 address – 128 bit

An IPv6 address is made of two parts, prefix and suffix (i.e. interface-id), with a hierarchical structure (that depends on the format prefix, FP).

prefix (64 bits): FP | TLA | NLA | SLA
suffix (64 bits): Interface ID

Link-local address (mandatory) is unique within a "link": 10-bit format prefix 1111111010, 54 zero bits, 64-bit suffix (interface ID).

FP – Format prefix; TLA – Top-Level Aggregators; NLA – Next-Level Aggregators; SLA – Service level Agreements

Page 62: Basic networking 07-2012

IPv6 Autoconfiguration and Renumbering

RFC 2462, IPv6 Stateless Address Autoconfiguration. IPv6 includes a stateless address autoconfiguration feature, which allows a host to determine its own IPv6 address from its Layer 2 address.

The concept: a device generates a temporary address until it can determine the characteristics of the network it is on. Then it creates a permanent address it can use based on that information. In the case of multi-homed devices, autoconfiguration is performed for each interface separately.

Stateless address autoconfiguration: no central server is needed to aid in address configuration. The node forms its own suffix and checks that it is unique; the node obtains prefix(es) from the nearest router.

Stateful address autoconfiguration: a central server allocates full addresses to nodes on request. DHCPv6 is the current protocol for stateful address autoconfiguration.

Page 63: Basic networking 07-2012

IPv6 Extended Unique Identifier (EUI-64)

RFC 2464: IPv6 link-local addresses and statelessly autoconfigured addresses on Ethernet networks, used in Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement and Redirect messages.

(Figure: a 48-bit MAC address is expanded into a 64-bit IPv6 EUI.)

Page 64: Basic networking 07-2012

IPv6 address Types

Unicast (1:1): communicate with one specified computer.

Anycast addresses: the nearest node of a set of nodes; currently only used to address routers.

Multicast (1:n): communicate with a group of computers.

No more broadcast in use.

RFC 4291 currently specifies the following restrictions on anycast addresses: an anycast address must not be used as the source address of a packet; an anycast address can only be assigned to a router.

Page 65: Basic networking 07-2012

Representation of IPv6 addresses

Colon hexadecimal notation: 805B:2D9D:DC28:0000:0000:FC57:D4C8:1FFF

Leading zeroes can be suppressed in the notation: 805B:2D9D:DC28:0:0:FC57:D4C8:1FFF

Zero compression in IPv6 addresses: 805B:2D9D:DC28::FC57:D4C8:1FFF. The double-colon can appear only once in any IP address.

IPv6 addresses can embed IPv4. The notation has the first 96 bits in colon hex notation, and the last 32 bits in dotted decimal, e.g. ::212.200.31.255

Prefix notation can be used as with classless IPv4 addressing with CIDR. Example: 805B:2D9D:DC28::FC57:D4C8:1FFF/48
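The EUI-64 derivation of the earlier slide and the text rules of this one, as added example code that is not from the slides: it expands colon-hex text with suppressed zeros, a single '::' and an embedded dotted IPv4 tail into eight 16-bit groups, emits the compressed form (lowercase, as RFC 5952 specifies), applies a /48 prefix, and forms a link-local address from a MAC. The MAC address used is constructed.

```python
def expand(text: str) -> list:
    """Colon-hex text -> list of eight 16-bit groups.  Accepts suppressed leading zeros,
    one '::' and an IPv4 dotted tail such as ::212.200.31.255; rejects anything else."""
    if text.count("::") > 1:
        raise ValueError("the double-colon may appear only once")
    head, sep, tail = text.rpartition(":")
    if "." in tail:                               # embedded IPv4: last 32 bits in dotted decimal
        octets = [int(o) for o in tail.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError(f"bad embedded IPv4 address: {tail}")
        hi_word, lo_word = octets[0] << 8 | octets[1], octets[2] << 8 | octets[3]
        text = f"{head}{sep}{hi_word:x}:{lo_word:x}"
    if "::" in text:
        left, right = text.split("::")
        if left.endswith(":") or right.startswith(":"):
            raise ValueError("stray colon next to '::'")
        lo = [int(g, 16) for g in left.split(":") if g]
        hi = [int(g, 16) for g in right.split(":") if g]
        if len(lo) + len(hi) > 7:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lo + [0] * (8 - len(lo) - len(hi)) + hi
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a 128-bit address: {text}")
    return groups

def compress(groups) -> str:
    """Canonical text (RFC 5952): lowercase, no leading zeros, and the longest run of
    two or more zero groups (the first one on a tie) replaced by a single '::'."""
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(list(groups) + [1]):     # sentinel closes a trailing run
        if g == 0:
            run_start = i if run_start is None else run_start
        else:
            if run_start is not None and i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    words = [f"{g:x}" for g in groups]
    if best_len >= 2:
        return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])
    return ":".join(words)

def network_prefix(cidr: str) -> str:
    """Apply a /n prefix length as in classless IPv4 addressing: keep the top n bits."""
    text, plen = cidr.split("/")
    plen = int(plen)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be 0..128")
    value = int.from_bytes(b"".join(g.to_bytes(2, "big") for g in expand(text)), "big")
    value &= ((1 << 128) - 1) ^ ((1 << (128 - plen)) - 1)
    return compress([(value >> s) & 0xFFFF for s in range(112, -1, -16)]) + f"/{plen}"

def eui64_interface_id(mac: str) -> bytes:
    """RFC 2464: split the 48-bit MAC in two, insert ff:fe, and invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def link_local(mac: str) -> str:
    """Link-local address: the fe80::/64 prefix (format prefix 1111111010, then 54 zero
    bits) followed by the 64-bit interface id.  Because the MAC is recoverable from such
    an address, RFC 4941 temporary addresses replace it with a random interface id."""
    iid = eui64_interface_id(mac)
    return compress([0xFE80, 0, 0, 0] +
                    [int.from_bytes(iid[i:i + 2], "big") for i in range(0, 8, 2)])

if __name__ == "__main__":
    print(compress(expand("805B:2D9D:DC28:0000:0000:FC57:D4C8:1FFF")))
    print(network_prefix("805B:2D9D:DC28::FC57:D4C8:1FFF/48"))
    print(link_local("00:1b:21:3c:4d:5e"))   # constructed MAC address
```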

Page 66: Basic networking 07-2012

So why isn’t it here yet?

No clear move to IPv6: lack of smooth migration plans; investments in IPv4; software availability – available from Microsoft Windows XP SP2.

Developments in IP v4: use of NAT; CIDR; planning of hierarchies and use of Autonomous Areas; IPsec implemented in IPv4.

Other points: router upgrades to handle IPv6 – OSPFv3.

Page 67: Basic networking 07-2012

IPv6/IPv4 Servers

(Figure: an IPv4 client (TCP / IPv4 / Datalink) and an IPv6 client (TCP / IPv6 / Datalink) both talking to an IPv6 server whose stack runs TCP over both IPv4 and IPv6 on one Datalink.)

Dual Server: the most important issue will be to create servers that handle both IPv4 and IPv6. The server operating system will contain protocol stacks for both IPv4 and IPv6.

Page 68: Basic networking 07-2012

Tunneling IPv6 over IPv4

IPv6 can operate within a closed or private network environment. Currently, across public networks such as the Internet, packets have to cross an IPv4 domain. IPv6 packets can be encapsulated within IPv4; the encapsulated packets can then travel transparently across an IPv4 routing domain. Tunneling can be used by routers and hosts.

(Figure: IPv6 Host – Dual-Stack Router – IPv4 Network – Dual-Stack Router – IPv6 Host. Inside the tunnel the packet is IPv4 Header | IPv6 Header | Transport Header | Data; on the IPv6 networks at either end it is IPv6 Header | Transport Header | Data.)

Page 69: Basic networking 07-2012

Network Address Translation (NAT)

Possible solution to address space exhaustion. Kludge (but useful).

Sits between your network and the Internet.

Translates local network layer addresses to global IP addresses.

Has a pool of global IP addresses (less than the number of hosts on your network).

Uses special unallocated addresses (RFC 1597) locally: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Page 70: Basic networking 07-2012

NAT Illustration

(Figure: a Private Network with a pool of global IP addresses (PG), a NAT box, and the Global Internet. A packet leaves the private host as Destination=Dg, Source=Sp, Data; after the NAT it is Destination=Dg, Source=Sg, Data.)

• Operation: Source (S) wants to talk to Destination (D):
• Create Sg-Sp mapping
• Replace Sp with Sg for outgoing packets
• Replace Sg with Sp for incoming packets

• How many hosts can have active transfers at one time?

Page 71: Basic networking 07-2012

Problems with NAT

What if we only have few (or just one) IP addresses? Use a Network Address & Port Translator (NAPT).

NAPT translates addr_private + flow info to addr_global + new flow info. Uses TCP/UDP port numbers.

Potentially thousands of simultaneous connections with one global IP address.

Page 72: Basic networking 07-2012

Problems with NAT

Hides the internal network structure. Some consider this an advantage.

Some protocols carry addresses, e.g. FTP carries addresses in text. What is the problem?

Must update transport protocol headers (port number & checksum).

Encryption. No inbound connections.
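The NAPT behaviour of the last three slides, as added example code that is not from the slides: a translator that shares one global address among private (address, port) pairs, creates the Sg-Sp mapping only on an outbound packet (which is why unsolicited inbound connections are dropped), and the RFC 1624 incremental checksum update a translator uses to fix the TCP/UDP checksum after rewriting an address and port. The private and global addresses are constructed; the checksum routines are the standard one's-complement arithmetic.

```python
from dataclasses import dataclass

# Constructed addresses (not from the slides): RFC 1597 private space inside, one
# documentation-range address standing in for the single ISP-assigned global address.
GLOBAL_IP = "203.0.113.5"

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Napt:
    """Network Address & Port Translator: many private (addr, port) pairs share one
    global address, told apart by the global port the NAPT assigns."""

    def __init__(self, global_ip: str, first_port: int = 40000, last_port: int = 65535):
        self.global_ip = global_ip
        self.next_port, self.last_port = first_port, last_port
        self.outbound = {}   # (proto, src_ip, src_port, dst_ip, dst_port) -> global port
        self.inbound = {}    # (proto, global port, remote ip, remote port) -> (src_ip, src_port)

    def translate_outbound(self, flow: Flow) -> Flow:
        """Private -> Internet: create the Sg-Sp mapping on first use, rewrite the source."""
        key = (flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("global port pool exhausted")
            gport, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = gport
            self.inbound[(flow.proto, gport, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
        return Flow(flow.proto, self.global_ip, self.outbound[key], flow.dst_ip, flow.dst_port)

    def translate_inbound(self, flow: Flow):
        """Internet -> private: rewrite the destination back, or return None to drop the
        packet.  Only a flow opened from inside has a mapping, which is why an unsolicited
        inbound connection cannot reach a private host."""
        if flow.dst_ip != self.global_ip:
            return None
        entry = self.inbound.get((flow.proto, flow.dst_port, flow.src_ip, flow.src_port))
        if entry is None:
            return None
        return Flow(flow.proto, flow.src_ip, flow.src_port, entry[0], entry[1])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF

def adjust_checksum(old_checksum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 incremental update, HC' = ~(~HC + ~m + m'): when the NAPT rewrites an
    address or port it fixes the TCP/UDP checksum without re-summing the whole payload."""
    total = (((~old_checksum) & 0xFFFF)
             + ((~ones_complement_sum(old_field)) & 0xFFFF)
             + ones_complement_sum(new_field))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

if __name__ == "__main__":
    nat = Napt(GLOBAL_IP)
    out = nat.translate_outbound(Flow("tcp", "192.168.1.10", 51000, "198.51.100.7", 80))
    print("outbound rewritten to", out)
    print("reply mapped to", nat.translate_inbound(Flow("tcp", "198.51.100.7", 80, GLOBAL_IP, out.src_port)))
    print("unsolicited inbound ->", nat.translate_inbound(Flow("tcp", "198.51.100.9", 4444, GLOBAL_IP, 22)))
```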

Page 74: Basic networking 07-2012

Fragmentation

IP packets can be up to 64KB. Different link-layers have different MTUs (Max Transfer Unit; Ethernet = 1500B).

Split the IP packet into multiple fragments, with an IP header on each fragment. An intermediate router may fragment as needed.

Page 75: Basic networking 07-2012

TCP/IP Fragmentation

(Figure: a TCP segment carried inside IP and split across IP fragments.)

Page 76: Basic networking 07-2012

Reassembly

Where to do reassembly? At the end nodes.

Avoids unnecessary work where large packets are fragmented multiple times.

Dangerous to do at intermediate nodes: how much buffer space is required at routers? What if routes in the network change? With multiple paths through the network, all fragments are only required to go through the destination.

Page 77: Basic networking 07-2012

IP Fragmentation and Reassembly

One large datagram becomes several smaller datagrams:

Original:     ID=x, offset=0,    fragflag=0, length=4000
Fragment 1:   ID=x, offset=0,    fragflag=1, length=1500
Fragment 2:   ID=x, offset=1500, fragflag=1, length=1500
Fragment 3:   ID=x, offset=3000, fragflag=0, length=1000

Page 78: Basic networking 07-2012

Fragmentation is Harmful

Uses resources poorly: forwarding costs per packet; best if we can send large chunks of data; worst case: a packet just bigger than the MTU.

Poor end-to-end performance: loss of a fragment.

Reassembly is hard: buffering constraints.

Page 79: Basic networking 07-2012

Path MTU Discovery

Hosts dynamically discover the minimum MTU of the path.

Algorithm: initialize the MTU to the MTU for the first hop. Send datagrams with the Don’t Fragment bit set. If an ICMP “pkt too big” msg arrives, decrease the MTU.

What happens if the path changes? Periodically (>5 mins, or >1 min after a previous increase), increase the MTU. Some routers will return the proper MTU. MTU values are cached in the routing table.
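Added example code (not from the slides) for the fragmentation, reassembly and path-MTU material of the last six slides: it builds a 4000-byte IPv4 datagram like the one in the figure, fragments it for a 1500-byte Ethernet MTU using the header's real 8-byte offset units rather than the figure's simplified byte offsets, refuses to fragment when Don't Fragment is set (the case Path MTU Discovery relies on), and reassembles only a complete, gap-free, non-overlapping set of fragments, which is the check an end node needs against the hazards listed under Reassembly. Addresses and payload are constructed.

```python
import struct

SRC = bytes([192, 168, 1, 10])      # constructed addresses (not from the slides)
DST = bytes([198, 51, 100, 7])
UDP = 17                             # protocol numbers from the IP header slide: TCP=6, UDP=17
DF, MF = 0x4000, 0x2000              # Don't Fragment / More Fragments flags in the 16-bit field

def header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum of the header words; 0 when a header verifies."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ident, offset_units=0, flags=0, ttl=64):
    """20-byte header without options (Hlen = 5 words) followed by the payload."""
    if offset_units > 0x1FFF or len(payload) + 20 > 0xFFFF:
        raise ValueError("offset or total length does not fit the header fields")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags | offset_units, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", header_checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    if f[0] >> 4 != 4 or ihl < 20 or header_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"length": f[2], "id": f[3], "df": bool(f[4] & DF), "mf": bool(f[4] & MF),
            "offset": (f[4] & 0x1FFF) * 8, "ttl": f[5], "proto": f[6],
            "src": f[8], "dst": f[9], "data": packet[ihl:f[2]]}

def fragment(packet: bytes, mtu: int) -> list:
    """Split a datagram for a link whose MTU is smaller than the datagram."""
    if len(packet) <= mtu:
        return [packet]
    h = parse_ipv4(packet)
    if h["df"]:
        # A router answers with ICMP 'packet too big' instead; the sender then lowers
        # its path MTU (Path MTU Discovery) and resends smaller datagrams.
        raise ValueError(f"DF set: cannot fragment {len(packet)} bytes for MTU {mtu}")
    chunk = (mtu - 20) // 8 * 8          # fragment data must be a multiple of 8 bytes
    data, frags = h["data"], []
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        last = off + len(piece) >= len(data)
        flags = 0 if (last and not h["mf"]) else MF   # keep MF if this was itself a fragment
        frags.append(build_ipv4(h["src"], h["dst"], h["proto"], piece, h["id"],
                                offset_units=(h["offset"] + off) // 8, flags=flags, ttl=h["ttl"]))
    return frags

def reassemble(fragments: list) -> bytes:
    """End-node reassembly: accept only one datagram's fragments, in contiguous order."""
    parts = sorted((parse_ipv4(p) for p in fragments), key=lambda h: h["offset"])
    first, expected, data = parts[0], 0, b""
    for h in parts:
        if (h["id"], h["src"], h["dst"], h["proto"]) != (first["id"], first["src"], first["dst"], first["proto"]):
            raise ValueError("fragment belongs to a different datagram")
        if h["offset"] != expected:
            raise ValueError(f"gap or overlap at byte {expected}: refusing to reassemble")
        data += h["data"]
        expected += len(h["data"])
    if parts[-1]["mf"]:
        raise ValueError("last fragment missing: keep buffering (or time out)")
    return build_ipv4(first["src"], first["dst"], first["proto"], data, first["id"], ttl=first["ttl"])

if __name__ == "__main__":
    big = build_ipv4(SRC, DST, UDP, b"\xab" * 3980, ident=0x1234)    # 4000-byte datagram
    for frag in fragment(big, 1500):
        h = parse_ipv4(frag)
        print(f"id={h['id']:#x} offset={h['offset']} mf={h['mf']} length={h['length']}")
```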

Page 80: Basic networking 07-2012

Layer 4: Transport Layer

Page 81: Basic networking 07-2012

Layer 4: Transport Layer

The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers.

The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control.

Page 82: Basic networking 07-2012

Layer 4: Transport Layer

Feature Name                                                                 TP0   TP1   TP2   TP3   TP4
Connection oriented network                                                  Yes   Yes   Yes   Yes   Yes
Connectionless network                                                       No    No    No    No    Yes
Concatenation and separation                                                 No    Yes   Yes   Yes   Yes
Segmentation and reassembly                                                  Yes   Yes   Yes   Yes   Yes
Error recovery                                                               No    Yes   No    Yes   Yes
Reinitiate connection (if an excessive number of PDUs are unacknowledged)    No    Yes   No    Yes   No
Multiplexing and demultiplexing over a single virtual circuit                No    No    Yes   Yes   Yes
Explicit flow control                                                        No    No    Yes   Yes   Yes
Retransmission on timeout                                                    No    No    No    No    Yes
Reliable transport service                                                   No    Yes   No    Yes   Yes

Page 83: Basic networking 07-2012

TCP - Transmission Control Protocol

Connection oriented – reliable stream transport. Conceptually, the two ends communicate to agree on details; after agreeing, the application is notified of the connection. During the transfer, the ends communicate continuously to verify that data is received correctly. When done, the ends tear down the connection.

Provides buffering and flow control. Takes care of lost packets, out of order, duplicates, long delays. Usually used for browsing, FTP, Mail, etc.

Page 84: Basic networking 07-2012

UDP - User Datagram Protocol

Connectionless datagram – not reliable transport. Minimal overhead, high performance. No setup/teardown, 1 datagram at a time. The application is responsible for reliability; this includes datagram loss, duplication, delay, out-of-sequence, multiplexing, loss of connectivity.

Usually used for voice & video streaming, broadcasting, etc.

Page 85: Basic networking 07-2012

TCP vs. UDP data format

TCP header (bit positions 0, 8, 16, 24 and 31 across each 32-bit word):
Source port | Destination port
Sequence number
Acknowledgement number
Hlen | Resv | Code | Window
Checksum | Urgent ptr
Options (if any) | Padding
Data if any

UDP header:
Source port | Destination port
UDP message len | Checksum (opt.)
Data

Page 86: Basic networking 07-2012

TCP data format

Port - TCP port numbers to ID applications at both ends of connection

Sequence number - ID position in sender’s byte stream

Acknowledgement - identifies the number of the byte the sender of this segment expects to receive next

Hlen - specifies the length of the segment header in 32 bit multiples. If there are no options, the Hlen = 5 (20 bytes)

Code - used to determine segment purpose, e.g. SYN, ACK, FIN, URG

Page 87: Basic networking 07-2012

TCP data format (cont.)

Window - Advertises how much data this station is willing to accept. Can depend on buffer space remaining.

Checksum - Verifies the integrity of the TCP header and data. It is mandatory.

Urgent pointer - used with the URG flag to indicate where the urgent data starts in the data stream. Typically used with a file transfer abort during FTP or when pressing an interrupt key in telnet.

Options - used for window scaling, SACK, timestamps, maximum segment size etc.

Page 88: Basic networking 07-2012

Layer 5: Session Layer

Page 89: Basic networking 07-2012

Layer 5: Session Layer

The Session Layer controls the dialogues (connections) between computers.

It establishes, manages and terminates the connections between the local and remote application.

It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. 

Page 90: Basic networking 07-2012

Layer 6: Presentation Layer

The Presentation Layer establishes a context between Application Layer entities, in which the higher-layer entities can use different syntax and semantics, as long as the presentation service understands both and the mapping between them.

This layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa.

This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems.

It is sometimes called the syntax layer.


Page 91: Basic networking 07-2012

Layer 7: Application Layer

The application layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application.

Application layer functions typically include: identifying communication partners, determining resource availability, synchronizing communication.

Page 92: Basic networking 07-2012

URL

A standard scheme for compactly identifying any document on any Web server.

Components: a protocol name (http, rtp, rtsp) followed by ://; a server domain name or server IP address; a path to a resource (an HTML file or a CGI script).

Example: http://[email protected]:999/ee-dept/event.html

Service type: http, telnet, ftp, gopher…
System name
Port number: specified if a non-default port is used
Path name
File name

Page 93: Basic networking 07-2012

HyperText Transfer Protocol (HTTP)

Application layer protocol. Distributes information in the WWW. Based on the client/server architecture.

HTTP client (web browser): sends a request to a server for a file.

HTTP server (web server): well-known port number 80; responds with the requested file if it is available.

A single TCP connection is used.

(Figure: web browser and web server, each with HTTP over TCP over IP over Network; the HTTP request goes one way and the response comes back the other.)

Page 94: Basic networking 07-2012

HTTP Messages

English-based and flexible, not code-based like lower layer protocols.

Components of an HTTP message: a start-line; optional headers, each with a header name and a value; a blank line (a “\r\n” only); the requested file or other data in an HTTP response.

Page 95: Basic networking 07-2012

HTTP Request Message

Request line: Request Type, URL, HTTP version
Optional headers: header name, value
A blank line

The Request Type defines the methods in messages: GET, HEAD – retrieve a full document or some info about a document from the server; PUT, PATCH – provide a new/replacement document, or a list of differences to implement in an existing document, to the server; COPY, MOVE, DELETE – copy, move, or delete a document; … …

Page 96: Basic networking 07-2012

HTTP Response Message

Status line: HTTP version, Status Code, Status phrase
Optional headers: header name, value
A blank line
Data body

The Status Code is similar to those in the FTP and SMTP protocols, with 3 digits.

The Status Phrase explains the status code, such as continue, switching, OK, accepted, no content, multiple choices, bad request, unauthorized, forbidden, not found, internal server error, service unavailable, … …

Page 97: Basic networking 07-2012

HTTP TCP Connections

The client first establishes a TCP connection to the server before an HTTP request. The server may terminate the TCP connection after the HTTP response is sent.

For embedded objects in an HTML file, the client sends a request for each embedded object. In HTTP/1.0, the client establishes a TCP connection for each request, which is not efficient for a file with many embedded objects.

In HTTP/1.1, persistent connections are supported: all embedded objects are sent through the TCP connection established for the first request. Both the client and server have to enable the persistent connection feature.

HTTP Requests & Responses

HTTP has four stages: Open, Request, Response, Close.
A TCP session for HTTP/1.0 does not stay open and wait for multiple requests/responses, which is not efficient when the HTML file has many embedded objects such as pictures.
HTTP/1.1 supports persistent connections that allow all the embedded objects to be sent through the same TCP connection.

[Figure: web browser and web server, each with an HTTP / TCP / IP / Network stack; the sequence open / opened, HTTP request / response, close / closed over one TCP connection]

HTTP Proxies

A proxy server acts as both a client and a server: it receives the client’s initial requests, translates them, and passes them on to other servers.
Proxies can be used with firewalls to block undesired traffic.
The cache feature of a Web proxy server reduces network traffic by saving recently viewed pages on the disk drive.

[Figure: web browser, proxy (with cache) and web server, each with an HTTP / TCP / IP / Network stack; HTTP requests and responses pass through the proxy]

DHCP

Dynamic Host Configuration Protocol (DHCP) is designed to dynamically configure TCP/IP hosts in a centralized manner from a DHCP server.
The DHCP server maintains a collection of configuration parameters, such as IP addresses, subnet mask and default gateway IP address, needed to make a configured host work in the network.
A DHCP client queries the server for the configuration parameters.
The DHCP server returns the configuration parameters to the client.

DHCP

DHCP can provide persistent storage of network parameters for the clients:
• A client can be assigned the same set of parameters whenever it bootstraps or is moved to another subnet.
• The DHCP server keeps a key-value entry for each client and uses the entries to match queries from the clients.
• The key could be a combination of a subnet address and the MAC address (or domain name) of a client.
DHCP can also assign configuration parameters dynamically:
• The DHCP server maintains a pool of parameters and assigns an unused set of parameters to a querying client.
• A DHCP client leases an IP address for a period of time. When the lease expires, the client may renew the lease, or the IP address is put back into the pool for future assignments.

DHCP Operations

When two DHCP servers are used:
1) A client first broadcasts a DHCPDISCOVER message on its local physical network during bootstrapping. The message may be forwarded by relay agents to servers in other physical networks.
2) Each server may respond with a DHCPOFFER message with an available network address in the Your IP Address field.
3) The client may receive more than one DHCPOFFER message. It chooses one server from all responding servers based on the configuration parameters offered. The client then broadcasts a DHCPREQUEST message with the Server Identifier option to indicate the selected server.
4) When the DHCPREQUEST message is received, only the chosen server responds with a DHCPACK message carrying a full set of configuration parameters to the client. When the client receives it, it checks the parameters and configures its TCP/IP modules using them. The message specifies the duration of the lease. When the lease expires, the client may ask the server to renew it; otherwise the address will be put back into the pool or assigned to other hosts.
5) The client may send a DHCPRELEASE message to the server to relinquish the lease on the network address.

DHCP Message Format

[Figure: layout of the DHCP message; the fields are described on the following slides]

DHCP Message Fields

Opcode: 1 means a boot request from the client, 2 means a boot reply from the server.
Hardware address type: the values are defined in the “Assigned Numbers” RFC; the value is 1 for an Ethernet MAC address.
Hardware address length: the length of the hardware address.
Hop count: optionally used by relay agents. A relay agent is a host or router that forwards DHCP messages between DHCP clients and servers.
Transaction ID: randomly assigned, to link requests and replies between a client and a server.
Number of seconds: elapsed time in seconds since the client began an address acquisition or renewal process.
Flags: the broadcast flag is the leftmost bit, used when a client cannot receive a unicast IP datagram before its interface is configured. The remaining 15 bits must be 0 (reserved for future use).
Client IP address: used when the client is in the BOUND, RENEW or REBINDING state and can respond to ARP requests.
Your IP address: the client’s IP address, assigned by the DHCP server.
Server IP address: the IP address of the next server to use in bootstrap.
Relay agent IP address: used when booting via a relay agent.
Client hardware address: the hardware address of the client. For an Ethernet address the first 6 bytes are filled and the remaining bytes are set to 0.
Server hostname: hostname of the DHCP server.
Boot filename: used in a DHCPOFFER message to specify the fully qualified, null-terminated path name of a file to bootstrap from.
Options: optional vendor-specific field.
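The message fields listed above, and the DHCPDISCOVER / DHCPOFFER steps of the operation slides, can be put together in code. The following is an added example, not code from the slides or from any DHCP implementation: it serializes and parses the fixed-format fields plus the options area (message type option 53 and server identifier option 54). The client MAC address, transaction ID and the 192.0.2.x addresses are constructed placeholders. The parser refuses messages without the options magic cookie, with a hardware address length larger than the 16-byte field, or with an option whose length byte runs past the end of the buffer, which are the checks a receiver of broadcast traffic from unknown hosts needs.

```python
"""Added example: build and parse DHCP messages (fixed fields + options)."""
import ipaddress
import struct

# Fixed part of the message: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128): 236 bytes.
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options field
BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET = 1
FLAG_BROADCAST = 0x8000                  # leftmost bit of the 16-bit flags field
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             5: "DHCPACK", 7: "DHCPRELEASE"}


def build_dhcp(op, xid, chaddr, *, yiaddr="0.0.0.0", siaddr="0.0.0.0",
               flags=0, options=()):
    """Serialize a DHCP message. `options` is a sequence of (code, bytes) pairs."""
    if len(chaddr) > 16:
        raise ValueError("hardware address longer than the 16-byte chaddr field")
    fixed = FIXED.pack(
        op, HTYPE_ETHERNET, len(chaddr), 0, xid, 0, flags,
        b"\0" * 4,                                  # ciaddr: client not yet configured
        ipaddress.IPv4Address(yiaddr).packed,       # "your" address, filled in by the server
        ipaddress.IPv4Address(siaddr).packed,       # next server to use in bootstrap
        b"\0" * 4,                                  # giaddr: no relay agent in this sample
        chaddr.ljust(16, b"\0"),                    # first 6 bytes filled, rest zero
        b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(data):
    """Parse a DHCP message into a dict; raises ValueError on malformed input."""
    if len(data) < FIXED.size + 4 or data[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr, sname, file = \
        FIXED.unpack_from(data)
    if hlen > 16:
        raise ValueError("hardware address length exceeds chaddr field")
    msg = {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "ciaddr": str(ipaddress.IPv4Address(ci)), "yiaddr": str(ipaddress.IPv4Address(yi)),
        "siaddr": str(ipaddress.IPv4Address(si)), "giaddr": str(ipaddress.IPv4Address(gi)),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": sname.split(b"\0", 1)[0].decode(errors="replace"),
        "file": file.split(b"\0", 1)[0].decode(errors="replace"),
        "options": {},
    }
    i = FIXED.size + 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:                       # pad option: a single byte, no length
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")   # length byte must not run past the buffer
        msg["options"][code] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    mtype = msg["options"].get(OPT_MSG_TYPE)
    msg["type"] = MSG_TYPES.get(mtype[0], "unknown") if mtype else "unknown"
    return msg


# Constructed sample exchange (not captured traffic): the client broadcasts a
# DHCPDISCOVER; a server answers with a DHCPOFFER carrying the offered address
# in yiaddr and its own address in the Server Identifier option.
CLIENT_MAC = bytes.fromhex("0242ac110002")   # placeholder MAC address
XID = 0x3903F326                              # placeholder transaction ID
DISCOVER = build_dhcp(BOOTREQUEST, XID, CLIENT_MAC, flags=FLAG_BROADCAST,
                      options=[(OPT_MSG_TYPE, b"\x01")])
OFFER = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, yiaddr="192.0.2.10", siaddr="192.0.2.1",
                   options=[(OPT_MSG_TYPE, b"\x02"),
                            (OPT_SERVER_ID, ipaddress.IPv4Address("192.0.2.1").packed)])
```

The transaction ID is what lets the client pair the DHCPOFFER with its own DHCPDISCOVER when several servers answer; the Server Identifier option is what the client echoes in its DHCPREQUEST to name the server it chose.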

DHCP Configuration

An example of a DHCP server configuration file [figure not reproduced in the transcript]

MPLS

Motivation

• IP
o The first defined and used protocol
o De facto the only protocol for global internetworking

… but there are disadvantages

Motivation (cont.)

• IP routing disadvantages
o Connectionless – e.g. no QoS
o Large IP header – at least 20 bytes
o Routing in the network layer – slower than switching
o Usually designed to obtain the shortest path – does not take additional metrics into account

Motivation (cont.)

• ATM
o Connection oriented – supports QoS
o Fast packet switching with fixed-length packets (cells)
o Integration of different traffic types (voice, data, video)

… but there are also disadvantages

Motivation (cont.)

• ATM disadvantages
o Complex
o Expensive
o Not widely adopted


Motivation (cont.)

• Idea: Combine the forwarding algorithm used in ATM with IP.


MPLS Basics

• Multi Protocol Label Switching is arranged between Layer 2 and Layer 3

MPLS Basics (cont.)

• MPLS characteristics
o Mechanisms to manage traffic flows of various granularities (flow management)
o Independent of the Layer-2 and Layer-3 protocols
o Maps IP addresses to fixed-length labels
o Supports ATM, Frame Relay and Ethernet

Label

• Generic label format [figure not reproduced in the transcript]

Label Edge Router - LER

• Resides at the edge of an MPLS network and assigns and removes the labels from the packets.
• Supports multiple ports connected to dissimilar networks (such as Frame Relay, ATM, and Ethernet).

Label Switching Router - LSR

• A high-speed router in the core of an MPLS network.
• ATM switches can be used as LSRs without changing their hardware: label switching is equivalent to VP/VC switching.

Positions of LERs & LSRs

[Figure not reproduced in the transcript]


Label Distribution Protocol - LDP

• An application layer protocol for the distribution of label binding information to LSRs.

o It is used to map FECs to labels, which, in turn, create LSPs.

o LDP sessions are established between LDP peers in the MPLS network (not necessarily adjacent).

o Sometimes employs OSPF or BGP.


Traffic Engineering

• In MPLS, traffic engineering is inherently provided using explicitly routed paths.

• The LSPs are created independently, specifying different paths that are based on user-defined policies. However, this may require extensive operator intervention.

• RSVP-TE and CR-LDP are two possible approaches to supply dynamic traffic engineering and QoS in MPLS.

MPLS Operation

• The following steps must be taken for a data packet to travel through an MPLS domain:
o Label creation and distribution
o Table creation at each router
o Label-switched path creation
o Label insertion / table lookup
o Packet forwarding
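The steps above can be followed through on a small constructed MPLS domain. This is an added example, not code from the slides or from any router software. It assumes the generic label stack entry layout of RFC 3032 (20-bit label, 3-bit traffic class, 1-bit bottom-of-stack, 8-bit TTL), which the slides' "generic label format" figure does not reproduce here, and it models the label tables as simple dictionaries; the prefix 198.51.100.0/24, the labels 100 and 200 and the router names are constructed. The ingress LER does the table lookup on the IP destination and inserts a label, each core LSR swaps it and decrements the TTL, and the egress LER pops it. Recognizing an unlabelled IPv4 packet by its first byte (0x45) is a simplification: a real node learns this from the link-layer protocol type.

```python
"""Added example: MPLS label stack entry encoding and LER/LSR forwarding."""
import ipaddress
import struct


def encode_entry(label, tc, bottom, ttl):
    """Pack one 32-bit label stack entry; reject values that do not fit their field."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("label stack entry field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def decode_entry(data):
    """Unpack the first label stack entry from a byte string."""
    (word,) = struct.unpack_from("!I", data)
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 0x1), "ttl": word & 0xFF}


class Router:
    """One MPLS node. `fec_table` is used by an ingress LER (prefix -> (label, next hop)),
    `label_table` by LSRs and the egress LER (in-label -> (action, out-label, next hop))."""

    def __init__(self, name):
        self.name = name
        self.fec_table = {}
        self.label_table = {}

    def forward(self, packet):
        """Apply this node's label operation; return (next_hop, packet) or raise."""
        if packet[:1] == b"\x45":                    # plain IPv4 (simplified check): ingress LER
            dst = ipaddress.IPv4Address(packet[16:20])
            for prefix, (label, next_hop) in self.fec_table.items():
                if dst in prefix:
                    # Label insertion: push one entry with S=1, copying the IP TTL (byte 8).
                    return next_hop, encode_entry(label, 0, True, packet[8]) + packet
            raise LookupError(f"{self.name}: no FEC for {dst}")
        entry = decode_entry(packet)
        if entry["ttl"] <= 1:
            raise ValueError(f"{self.name}: MPLS TTL expired")
        if entry["label"] not in self.label_table:
            raise LookupError(f"{self.name}: no binding for label {entry['label']}")
        action, out_label, next_hop = self.label_table[entry["label"]]
        if action == "pop":                          # egress LER removes the label
            return next_hop, packet[4:]
        # Core LSR: swap the label, keep TC and S, decrement TTL.
        new = encode_entry(out_label, entry["tc"], entry["bottom"], entry["ttl"] - 1)
        return next_hop, new + packet[4:]


def build_domain():
    """Constructed LSP ingress -> core -> egress for the prefix 198.51.100.0/24."""
    ingress, core, egress = Router("ingress LER"), Router("core LSR"), Router("egress LER")
    ingress.fec_table[ipaddress.ip_network("198.51.100.0/24")] = (100, core)
    core.label_table[100] = ("swap", 200, egress)
    egress.label_table[200] = ("pop", None, "customer site")
    return ingress


def send(ingress, packet):
    """Forward hop by hop; return (label seen after each hop, final packet)."""
    node, trace = ingress, []
    while isinstance(node, Router):
        node, packet = node.forward(packet)
        trace.append(None if packet[:1] == b"\x45" else decode_entry(packet)["label"])
    return trace, packet


def ipv4_packet(dst, ttl=64):
    """Minimal constructed IPv4 header (no options, no payload) for the example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                       ipaddress.IPv4Address("192.0.2.5").packed,
                       ipaddress.IPv4Address(dst).packed)
```

A packet for 198.51.100.7 leaves the ingress LER carrying label 100, the core LSR swaps it to 200, and the egress LER hands the original IP packet to the customer side; a packet for a prefix with no label binding is rejected at the ingress rather than forwarded unlabelled.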

MPLS Operation Example

[Figure not reproduced in the transcript]

Tunneling in MPLS

• Control the entire path of a packet without explicitly specifying the intermediate routers.
o Tunnels are created through the intermediary routers and can span multiple segments.
• MPLS-based VPNs.

MPLS Advantages

• Improves packet-forwarding performance in the network
• Supports QoS and CoS for service differentiation
• Supports network scalability
• Integrates IP and ATM in the network
• Builds interoperable networks

MPLS Disadvantages

• An additional layer is added
• The router has to understand MPLS

Security - IPsec

IP is not Secure!

The IP protocol was designed in the late 70s to early 80s as part of the DARPA Internet project, for a very small network.
All hosts were known, and so were the users! Therefore, security was not an issue.

Security Issues in IP

• Source spoofing
• Replayed packets
• No data integrity or confidentiality
• DoS attacks
• Replay attacks
• Spying
• and more…

Fundamental issue: networks are not (and will never be) fully secure.

Goals of IPSec

• To verify the sources of IP packets: authentication
• To prevent replaying of old packets
• To protect the integrity and/or confidentiality of packet data: data integrity / data encryption

IPSec Architecture

[Figure: the IPSec security policy sits above the three components ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (The Internet Key Exchange)]

IPSec Architecture

IPSec provides security in three situations: host-to-host, host-to-gateway and gateway-to-gateway.
IPSec operates in two modes:
• Transport mode (for end-to-end)
• Tunnel mode (for VPN)

IPsec Architecture

[Figure: tunnel mode protects traffic between two routers (gateways); transport mode protects traffic end-to-end between the hosts]

Various Packets

Original: IP header | TCP header | data
Transport mode: IP header | IPSec header | TCP header | data
Tunnel mode: new IP header | IPSec header | original IP header | TCP header | data

Authentication Header (AH)

• Provides source authentication: protects against source spoofing
• Provides data integrity
• Protects against replay attacks: uses monotonically increasing sequence numbers, which also protects against denial of service attacks
• NO protection for confidentiality!
• Uses cryptographically strong hash algorithms to protect data integrity (96-bit truncated output)
• Uses symmetric key cryptography: HMAC-SHA-96, HMAC-MD5-96

AH Packet Details

New IP header | Old IP header (only in tunnel mode) | AH header | TCP header | data
AH header fields: Next header, Payload length, Reserved, Security Parameters Index (SPI), Sequence Number, Authentication Data
The encapsulated TCP or IP packet is authenticated; the Authentication Data is a hash of everything else.
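The two AH mechanisms named on these slides, the 96-bit truncated HMAC and the monotonically increasing sequence number, are shown below in an added example written for this page; it is not code from the slides or from any IPsec stack, and the key, SPI and packet contents are constructed placeholders. The Authentication Data is HMAC-SHA1 over the whole packet with the mutable IP fields (TOS, flags/offset, TTL, checksum) and the Authentication Data field itself set to zero, truncated to 96 bits as in HMAC-SHA-96. The receiver side keeps a sliding bitmap window over the sequence number so that a replayed or stale packet is dropped before the HMAC is checked, which is what bounds the work an attacker can force by replaying captured packets. The same sequence-number mechanism is what the ESP slides describe as "same as AH".

```python
"""Added example: AH integrity check value (HMAC-SHA1-96) and anti-replay window."""
import hashlib
import hmac
import struct

ICV_LEN = 12                         # 96 bits, as in HMAC-SHA-96 / HMAC-MD5-96
AH_FIXED = struct.Struct("!BBHII")   # next header, payload length, reserved, SPI, sequence


def _zero_mutable(ip_header):
    """Zero the IPv4 fields that change in transit so they are excluded from the hash."""
    h = bytearray(ip_header)
    h[1] = 0                  # TOS may be rewritten by routers
    h[6:8] = b"\0\0"          # flags and fragment offset
    h[8] = 0                  # TTL is decremented at every hop
    h[10:12] = b"\0\0"        # header checksum changes whenever TTL does
    return bytes(h)


def build_ah_packet(key, spi, seq, ip_header, payload, next_header=6):
    """Return ip_header + AH header (with ICV) + payload, transport mode."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah_no_icv = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    unsigned = _zero_mutable(ip_header) + ah_no_icv + b"\0" * ICV_LEN + payload
    icv = hmac.new(key, unsigned, hashlib.sha1).digest()[:ICV_LEN]
    return ip_header + ah_no_icv + icv + payload


def verify_ah_packet(key, packet):
    """Recompute the ICV (constant-time compare); return (spi, seq, payload) or raise."""
    ip_header, rest = packet[:20], packet[20:]
    nh, plen, _, spi, seq = AH_FIXED.unpack_from(rest)
    ah_len = (plen + 2) * 4
    icv, payload = rest[AH_FIXED.size:ah_len], rest[ah_len:]
    unsigned = _zero_mutable(ip_header) + rest[:AH_FIXED.size] + b"\0" * ICV_LEN + payload
    expected = hmac.new(key, unsigned, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("AH integrity check failed")
    return spi, seq, payload


class ReplayWindow:
    """Anti-replay window of `size` sequence numbers kept as a bitmap."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) has been seen

    def check_and_update(self, seq):
        """Accept each sequence number once; reject duplicates and anything too old."""
        if seq == 0:
            return False                             # the first valid AH sequence number is 1
        if seq > self.top:                           # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                             # older than the window, or a replay
        self.bitmap |= 1 << offset
        return True
```

Because the mutable fields are zeroed on both sides, a packet whose TTL was decremented by the routers on the path still verifies, while a flipped payload byte or a wrong key fails the check.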

Encapsulating Security Payload (ESP)

Provides all that AH offers, and in addition provides data confidentiality.
Uses symmetric key encryption.

ESP Details

Same as AH:
• Uses a 32-bit sequence number to counter replay attacks
• Uses integrity check algorithms
Only in ESP:
• Data confidentiality: uses symmetric key encryption algorithms to encrypt the packets

ESP Packet Details

IP header | ESP header: Security Parameters Index (SPI), Sequence Number | Initialization vector | Data: encrypted TCP packet (TCP header, data) | ESP trailer: Pad, Pad length, Next header | Authentication Data
The TCP packet and the trailer are encrypted; the ESP header, the encrypted payload and the trailer are authenticated.

Question?

1. Why have both AH and ESP?
2. Both AH and ESP use symmetric key based algorithms. Why not public-key cryptography? How are the keys being exchanged? What algorithms should we use? (Similar to deciding on the ciphersuite in SSL.)

Internet Key Exchange (IKE)

• Exchange and negotiate security policies
• Establish security sessions, identified as Security Associations
• Key exchange
• Key management
• Can be used outside IPsec as well

IPsec/IKE Acronyms

Security Association (SA): a collection of attributes associated with a connection.
• It is asymmetric! One SA for inbound traffic, another SA for outbound traffic.
• Similar to ciphersuites in SSL.
Security Association Database (SADB): a database of SAs.

IPsec/IKE Acronyms

Security Parameter Index (SPI): a unique index for each entry in the SADB; it identifies the SA associated with a packet.
Security Policy Database (SPD): stores the policies used to establish SAs.

How They Fit Together

[Figure: the SPD refers to SADB entries SA-1 and SA-2, each identified by its SPI]

SPD and SADB Example

[Figure: hosts A and B communicate in transport mode; hosts Asub and Bsub, behind gateways C and D, communicate in tunnel mode]

A’s SPD:
From  To  Protocol  Port  Policy
A     B   Any       Any   AH[HMAC-MD5]

A’s SADB:
From  To  Protocol  SPI  SA Record
A     B   AH        12   HMAC-MD5 key

C’s SPD:
From  To    Protocol  Port  Policy     Tunnel Dest
Asub  Bsub  Any       Any   ESP[3DES]  D

C’s SADB:
From  To    Protocol  SPI  SA Record
Asub  Bsub  ESP       14   3DES key
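The two lookups behind the tables above, and the SPI-keyed SADB of the previous slides, are modelled below in an added example; it is not code from the slides or from any IPsec implementation. An outbound packet is matched against the SPD selectors (from, to, protocol, port) in order, first match wins; the matching policy's SA is then found in the SADB by endpoints and protocol, and an inbound AH or ESP packet locates its SA directly by the (protocol, SPI) pair in its header. The entries are the constructed values from the slide's tables; the 10.0.x.x prefixes used to show prefix selectors are added placeholders.

```python
"""Added example: SPD policy lookup and SADB lookup by SPI."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # wildcard selector, the "Any" cell in the slide's tables


@dataclass(frozen=True)
class Policy:
    src: str                            # host name or prefix, e.g. "A" or "10.0.0.0/24"
    dst: str
    protocol: Optional[int]             # IP protocol number, or ANY
    port: Optional[int]                 # destination port, or ANY
    action: str                         # e.g. "AH[HMAC-MD5]" or "ESP[3DES]"
    tunnel_dest: Optional[str] = None   # tunnel-mode gateway; None means transport mode


@dataclass(frozen=True)
class SecurityAssociation:
    src: str
    dst: str
    protocol: str      # "AH" or "ESP"
    spi: int
    record: str        # algorithm and key handle (placeholder text here)


def _selector_matches(selector, value):
    """A selector matches if it is ANY, equal to the value, or a prefix containing it."""
    if selector is ANY or selector == value:
        return True
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(selector)
    except ValueError:            # not an address/prefix pair, e.g. host names "A" vs "D"
        return False


class IPsecTables:
    def __init__(self, spd, sadb):
        self.spd = list(spd)                                   # ordered: first match wins
        self.sadb = {(sa.protocol, sa.spi): sa for sa in sadb}
        if len(self.sadb) != len(sadb):
            raise ValueError("duplicate (protocol, SPI) in SADB")

    def lookup_policy(self, src, dst, protocol, port):
        """Outbound: return the first SPD entry whose selectors all match, else None."""
        for p in self.spd:
            if (_selector_matches(p.src, src) and _selector_matches(p.dst, dst)
                    and p.protocol in (ANY, protocol) and p.port in (ANY, port)):
                return p
        return None

    def sa_for_policy(self, policy):
        """Outbound: the SA implementing a policy (same endpoints and protocol), or None."""
        proto = policy.action.split("[", 1)[0]
        for sa in self.sadb.values():
            if sa.protocol == proto and (sa.src, sa.dst) == (policy.src, policy.dst):
                return sa
        return None      # no SA yet: IKE phase 2 would have to negotiate one

    def sa_for_inbound(self, protocol, spi):
        """Inbound: the SPI carried in the AH/ESP header identifies the SA directly."""
        return self.sadb.get((protocol, spi))


# The slide's tables, with the "Any" cells encoded as ANY.
A_TABLES = IPsecTables(
    spd=[Policy("A", "B", ANY, ANY, "AH[HMAC-MD5]")],
    sadb=[SecurityAssociation("A", "B", "AH", 12, "HMAC-MD5 key")])
C_TABLES = IPsecTables(
    spd=[Policy("Asub", "Bsub", ANY, ANY, "ESP[3DES]", tunnel_dest="D")],
    sadb=[SecurityAssociation("Asub", "Bsub", "ESP", 14, "3DES key")])
```

A policy with no matching SA is the normal trigger for an IKE phase 2 negotiation; an inbound packet whose SPI is not in the SADB has no SA and is dropped.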

How It Works

IKE operates in two phases:
• Phase 1: negotiate and establish an auxiliary end-to-end secure channel, used by the subsequent phase 2 negotiations. Only established once between two end points!
• Phase 2: negotiate and establish custom secure channels. Occurs multiple times.
Both phases use Diffie-Hellman key exchange to establish a shared key.

IKE Phase 1

Goal: to establish a secure channel between two end points. This channel provides basic security features:
• Source authentication
• Data integrity and data confidentiality
• Protection against replay attacks

IKE Phase 1

Rationale: each application has different security requirements, but they all need to negotiate policies and exchange keys!
So, provide the basic security features and allow applications to establish custom sessions.

Examples

All packets sent to address mybank.com must be encrypted using 3DES with an HMAC-MD5 integrity check.
All packets sent to address www.forum.com must use an integrity check with HMAC-SHA1 (no encryption is required).

Phase 1 Exchange

Can operate in two modes:
• Main mode: six messages in three round trips; more options
• Quick mode: four messages in two round trips; fewer options

Phase 1 (Main Mode)

Initiator → Responder: [Header, SA1]
Responder → Initiator: [Header, SA2]
  Establish the vocabulary for further communication.
Initiator → Responder: [Header, KE, Ni {, Cert_Req}]
Responder → Initiator: [Header, KE, Nr {, Cert_Req}]
  Establish a secret key using Diffie-Hellman key exchange; use nonces to prevent replay attacks.
Initiator → Responder: [Header, IDi, {CERT} sig]
Responder → Initiator: [Header, IDr, {CERT} sig]
  Signed hash of IDi (without Cert_Req, just send the hash).

Phase 1 (Aggressive Mode)

Initiator → Responder: [Header, SA1, KE, Ni, IDi]
Responder → Initiator: [Header, SA2, KE, Nr, IDr, [Cert]sig]
Initiator → Responder: [Header, [Cert]sig]
The first two messages of main mode are combined into one (combining the Hello and the DH key exchange).

IPSec (Phase 1)

Four different ways to authenticate (in either mode):
• Digital signature
• Two forms of authentication with public key encryption
• Pre-shared key
NOTE: IKE does use public-key based cryptography for encryption.

IPSec (Phase 2)

Goal: to establish custom secure channels between two end points.
End points are identified by <IP, port>, e.g. <www.mybank.com, 8000>, or by packet, e.g. all packets going to 128.124.100.0/24.
Uses the secure channel established in Phase 1 for communication.

IPSec (Phase 2)

Only one mode: Quick Mode
• Multiple quick mode exchanges can be multiplexed
• Generates SAs for two end points
• Can use the secure channel established in phase 1

IP Payload Compression

Used for compression. Can be specified as part of the IPSec policy. Will not be covered!

Outline

Why IPsec? IPsec Architecture; Internet Key Exchange (IKE); IPSec Policy; Discussion

IPsec Policy

Phase 1 policies are defined in terms of protection suites.
Each protection suite must contain the following:
• Encryption algorithm
• Hash algorithm
• Authentication method
• Diffie-Hellman group
It may optionally contain the following:
• Lifetime
• …

IPSec Policy

Phase 2 policies are defined in terms of proposals.
Each proposal may contain one or more of the following:
• AH sub-proposals
• ESP sub-proposals
• IPComp sub-proposals
along with the necessary attributes such as key length, lifetime, etc.

IPSec Policy Example

In English: all traffic to 128.104.120.0/24 must:
• Use pre-hashed key authentication
• Use DH group MODP with a 1024-bit modulus
• Use HMAC-SHA as the hash algorithm (128-bit key)
• Use 3DES for encryption
In IPSec: [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES]

IPsec Policy Example

In English: all traffic to 128.104.120.0/24 must use one of the following:
• AH with HMAC-SHA, or
• ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm)
In IPsec: [AH: HMAC-SHA] or, [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)]

IP protocol suite

[Figure: the IP protocol suite. Link layer: LAN protocols, ATM, PSTN/ISDN, PLMN…, with SLIP and PPP. Network layer: IP, ICMP and ARP, with the routing protocols RIP, OSPF and BGP. Transport layer: TCP, UDP and SCTP. Application layer: SMTP, POP, IMAP, HTTP (HTML), FTP, DNS, RTP (real-time data), and signalling protocols (e.g. ISUP) over SCTP]

SCTP is used for signalling transport

[Figure: Sigtran protocols. On the SS7 side, a signalling protocol (e.g. ISUP) runs over SCCP over MTP. On the IP side, the signalling protocol (e.g. ISUP) runs over an adaptation protocol over SCTP over IP over the physical layer. A signalling gateway (SGW) performs the protocol conversion between the two.]

Transport of SS7-type application protocols (e.g. ISUP) in an SS7 network uses MTP (+ SCCP).
Transport of SS7-type application protocols (e.g. ISUP) over an IP network uses the Sigtran protocols.

Example: downloading HTML page (1)

[Figure: user terminal (client) with an HTTP / TCP / IP / PPP stack, the Internet service provider’s PoP with PPP and ATM, and the HTML page source (server) with an HTTP / TCP / IP / ATM stack; “Send me HTML page”]

A modem connection and a PPP link between the user terminal and the ISP’s Point of Presence (PoP) are established. The user terminal is given an IP address (dynamic allocation).

Example: downloading HTML page (2)

[Figure: the user terminal (client) contacts a DNS server over UDP / IP / PPP via the ISP’s PoP (“Contact DNS...”), and the DNS server replies (“DNS replies...”)]

DNS performs the translation between the URL and the IP address of the server (only the latter is used for routing IP packets to the server).

Example: downloading HTML page (3)

[Figure: client and server HTTP / TCP / IP stacks over PPP and ATM; three-way handshaking]

The TCP connection is set up. Note that IP packets can be routed over different bearer networks (like ATM above) and do not necessarily follow the same path.

Example: downloading HTML page (4)

[Figure: client and server HTTP / TCP / IP stacks over PPP and ATM; HTTP request and reply]

The HTTP request (get HTML page) is sent to the server. The HTTP reply (including the HTML page) is returned in a “200 OK” message.

Example: downloading HTML page (5)

[Figure: client and server HTTP / TCP / IP stacks over PPP and ATM; two-way handshaking]

If the client has no more requests, the TCP connection is cleared.

Example: downloading HTML page (6)

[Figure: client and server HTTP / TCP / IP stacks over PPP and ATM]

When requested by the client, the PPP and modem connections are cleared. (Bearer connections within the Internet backbone are naturally not cleared.)