© Copyright 1997, The University of New Mexico F-1 Introduction to NetWare Presented By Louella R....
F-1 © Copyright 1997, The University of New Mexico
Introduction to NetWare
Presented by Louella R. Phillips
F-2 Introduction to NetWare
• History of NetWare
– The first version of NetWare, called ShareNet, was in 1983.
– Developed by IBM shortly after the IBM personal computer was introduced.
– Developed so that microcomputers could share access to files stored on central file servers.
– NetWare is the most widely used network operating system because of its stability and speed.
– Novell has continued to improve NetWare by releasing many versions such as 4.11, 3.x and 2.x.
F-3 How does NetWare connect your PC to the network?
• NetWare uses special software called the NetWare requester.
• The NetWare requester resides on the PC rather than on a file server.
• The connection is established from the PC to the network. This process involves two steps: attaching and logging in.
– Attaching establishes a link between the PC and the file server.
– Logging in allows the user to access file servers and other network resources, such as shared printers.
F-4 How does NetWare connect your PC to the network? (cont.)
• PC network adapter cards broadcast a request over the network cable system asking a file server to respond.
• Your PC is linked, or attached, to the first file server that answers.
• The NetWare requester stays in the memory of your PC and serves as the software link between the PC's operating system and NetWare.
• The NetWare requester next provides you with a way to log in to the network.
F-5 How can NetWare provide you with security?
• Controlling logins and passwords
– The administrator creates a login name for each user, which permits them to log in to the server.
– The user is required to enter a password each time they log in.
– Login is the first step in using network resources: without a login name, access to the network is denied; the second step is the password.
• Controlling trustee security and rights
– NetWare has a feature called trustee security which grants various levels of control over access to a directory.
– As a trustee, the user can have access to files in a particular directory.
– Rights include read, write, create, erase, etc.
F-6 NetWare makes the network easy to use
– NetWare makes file server disks look like local disks to your PC.
– The NetWare MAP command lets you assign the drive letter of your choice to any disk, directory, or subdirectory on any file server that you are logged in to.
– NetWare allows you to create a login script that automatically sets up your drives.
– NetWare allows you to use all standard DOS and OS/2 commands on the file server disks for file manipulation and movement among directories.
– NetWare includes a powerful menu-building utility for DOS users. Menus are an excellent way to make programs and printers easy to use.
– The NetWare requester plays an important role in printing a document on the network: it sends the print job to the file server as a print-job file instead of sending it to the workstation's printer port.
F-7 Novell's Windows NT integration strategy
• IntranetWare Client for Windows NT
– IntranetWare allows a client running Windows NT 4.1 or Windows NT Workstation 3.51 and 4.0 access to NetWare services such as printing, security, management, and messaging services through Novell Directory Services (NDS).
• Novell Workstation Manager
– Novell Workstation Manager allows you to manage Windows NT Workstation 3.51 and 4.0 user accounts through NDS. You do not have to maintain these user accounts in the Windows NT Workstation Security Access Manager (SAM) database or the Windows NT Server domain database. You can now create an NT Workstation object in NDS and associate User, Group, or Organization objects with that object.
F-8 Novell's Windows NT integration strategy
• Novell Application Launcher
– The Novell Application Launcher (NAL) has been enhanced for use with Windows NT Workstation 3.51 and 4.0. Using the NetWare Administrator utility, you can create objects in the NDS tree to represent applications that are located on IntranetWare, NetWare 4, or Windows NT servers.
• ManageWise Agents for Windows NT
– ManageWise agents for Windows NT work with ManageWise 2.1 to integrate Windows NT servers and workstations with your overall network management system. These agents can collect real-time and long-term performance and alarm information about your Windows NT servers.
F-9 Novell's Windows NT integration strategy
• GroupWise 5 for Windows NT
– GroupWise 5 has been enhanced to integrate with Windows NT Server 3.51 and 4, in addition to running on IntranetWare and Unix platforms.
– GroupWise 5 also provides integration with Microsoft Exchange clients: you can use the GroupWise Message Server at the back end.
– GroupWise WebAccess allows you to access GroupWise 5 services from a World-Wide-Web (WWW) browser, and also allows you to run the IntranetWare WWW server and the Windows NT WWW server.
• NDS for Windows NT
– Novell is implementing NDS natively on Windows NT Server and plans to release this product later this year. NDS is also being made available on various UNIX platforms.
F-10 Novell vs. NT
• NetWare pros:
– Centralized management (one single graphical point of administration for the entire network, NDS).
– Lower administration costs (an IDC study found NetWare 22% less expensive to administer than NT).
– File and print services (PC Week published that NetWare outperforms NT by 59% with loads above 30 clients; automatic file-by-file data compression, data migration, disk space quotas for individual users, block suballocation, and high-capacity storage system support, as well as NDS print services. NT is missing all of these).
F-11 Novell vs. NT
• NT pros:
– Cost of OS and client connections (NT is considerably less expensive, not only for the OS but also per user).
– Hardware compatibility (NT has more drivers).
– Futuristic issues (NT has more tools and applications being developed).
• Issues of stability, installation and upgrades become cloudy and involve many variables, such as:
– level of hardware
– knowledge of administrators
F-12 Factors convincing customers to buy NetWare
• Novell's overall performance
– Novell's customers gave high marks for product effectiveness, product price, and ease of doing business.
• Novell's sales and marketing strategy
– Novell's sales and marketing strategy focused on the following:
1. Sales and marketing information available on the Internet, at NetWare user groups, and at trade shows.
2. Novell provides educational training courses about its products at a low price.
3. Advertising such as trade publications, web publications, and web advertising.
F-13 Factors convincing customers to buy NetWare
• Your product selection process
– NetWare performance.
– Its flexibility and stability.
– Novell's reputation as a market leader, technology innovator, and developer of quality products.
– NetWare meets the needs of future computing.
• Your purchasing plans
– 95% of the customers said they will purchase NetWare because of its reliability, security, and ease of use.
– 83% of the customers plan to purchase or upgrade to IntranetWare or another version of NetWare within the next 12 months for the above reasons.
F-14 What makes Novell an industry leader?
• Novell has $1 billion in cash, $1 billion a year in revenue, almost 5,000 employees worldwide, and a very strong brand.
• NetWare has a user base of 65 million plus. GroupWise has shot up to more than 8 million users.
• Novell is a viable company and knows networking.
• Novell's reputation as a market leader, technology innovator, and developer of quality products.
F-15 What are Novell's advertising plans for the next six months?
• Novell is focusing on advertising.
• The new marketing manager tends to focus on publications that make a difference to their customers, such as trade publications, various web publications, and web advertising.
• Novell's new marketing managers are to be more engaged with industry analysts, consultants, and trade press editors, who make up a lot of the opinion leaders about Novell in general.
F-16 What are Novell's advertising plans for the next six months? (cont.)
• New management stated that the most important thing about advertising is consistency in targeting their customers.
• New management believes that Novell understands networking very well; therefore releasing new products on time, such as BorderManager and GroupWise 5.2, makes them very competitive in the market.
• Talking to the developers and customers about their products can shape their marketing plan.
F-17 IPX Protocol
• NetWare uses the IPX protocol to send and receive information on the network.
• IPX is provided by the IPXODI.COM driver.
• IPX is a protocol similar to IP from the TCP/IP world.
• It is a datagram protocol, meaning that it does not provide for much error checking.
• It sends a packet and assumes that it was received.
F-18 IPX Protocol and Routing
• Network addresses are assigned to a network by a router or similar device.
• A network address in the IPX world is 8 hexadecimal digits.
• Hexadecimal is denoted by a leading 0x.
• In a single network with no routers your network address would be 0x00000000 by default.
F-19 IPX/ODI Stack
• Older versions of NetWare used the IPX protocol in a single driver which had the network interface card driver linked into it.
• To provide greater functionality, Novell developed the ODI stack, which is divided into layers.
• The lowest layer is the ODI LAN driver, also known as the MLID (e.g. NE2000.COM).
F-20 IPX/ODI Stack (cont.)
• This driver is responsible for providing access to the hardware itself.
• Depending on your network, you may want to select from four different frame types:
– Ethernet_802.3 (old default)
– Ethernet_802.2 (new default)
– Ethernet_II
– Ethernet_SNAP
F-21 IPX/ODI Stack (cont.)
• The next layer up is the ODI Link Support Layer (LSL).
• Though it is the second layer up, it is loaded first in STARTNET.BAT to give the LAN driver a place to link.
• The LSL enables the workstation to load several different communication protocols and use them simultaneously.
F-22 IPX/ODI Stack (cont.)
• On top of the LSL is the protocol stack used by NetWare, IPX.
• It is loaded as part of the IPXODI.COM driver.
• It provides IPX/SPX services to the applications that reside above it and hooks into the LSL to obtain access to the hardware.
• On top of IPX are the applications that use it. They include SERVER.EXE, CLIENT.EXE, NET.EXE, etc.
F-23 Topics:
• IPX: addresses, data packets
• RIP, SAP, NLSP
• NCP, Packet Burst
• TCP over IPX
• NDS
• IP/IPX gateway/firewall
• Mobile IPX
• NetWare network security
F-24 What is IPX?
• "Internetworking Packet Exchange"
• Derived from Xerox's SPX
• Data packet format and addressing
• Performs the same function as IP (connectionless, best effort, routable protocol)
F-25 The story begins with the Data Link Layer
• LANs (e.g., Ethernet) are multiaccess links.
• To transmit on a LAN, you need a header which contains a source and destination address.
• A "routable" packet on Ethernet has two headers: Ethernet and IPX (or IP, or Appletalk, or CLNP, etc.).
• The LAN source and destination are not the ultimate source and destination.
[Figure: packet layout "Ethernet hdr | IPX hdr | data", and a path from source S through router R2 to destination D]
F-26 802 Addresses
• Assigned in blocks of 2
• Given 23 byte constant (Organizationally Unique Identifier), plus group/individual bit
• An address of all 1's is intended to mean "broadcast", i.e., "everyone", which is nonsense. Really each protocol should use its own multicast address to mean all nodes that speak that protocol.
[Figure: 802 address layout showing the group/individual bit, the globally/locally assigned bit, and the OUI]
F-27 Multi-Lingual Environments
• You can speak lots of things (IP, CLNP, IPX, Appletalk, etc.).
• Someone hands you a pile of bits. What is it? Maybe we were careful -- yeah, right. Maybe we were lucky -- yeah, right.
• Conclusion: not enough information in the packet header to differentiate -- need an extra field in the data link header to say what it is:
– protocol type: well-known (globally administered) values, one field in the header
– SAP (service access point) or socket: locally administered, one for dest, one for source
– Don't confuse "SAP" with IPX's Service Advertisement Protocol!
F-28 Packet Headers on CSMA/CD (field sizes in bytes)
Ethernet:
  pream (8) | dest (6) | src (6) | pt (2) | data (46-1500) | fcs (4)
802.3:
  pream (8) | dest (6) | src (6) | ln (2) | dsap (1) | ssap (1) | ctl (1) | data (43-1497) | fcs (4)
Format of a SAP: a G/I bit and a G/L bit, then the assigned value
F-29 How the SAPs work
• Notice the "global/local" bit -- those SAPs are globally assigned! If you are a very privileged protocol, and obtain one of these, you'd set DSAP=SSAP=your assigned SAP value.
• How does it work if you're not a privileged protocol? Uh...
• World class kludge -- get a SAP value assigned to mean "underprivileged protocol". Called the SNAP SAP (SubNetwork Access Protocol), and it = aa hex.
• If DSAP=SSAP=aa hex, then after CTL is a protocol type field.
• The protocol type is 5 bytes long.
• Convention: 0.0.0.protocol type allows 2-octet Ethertypes to fit into 5 octets.
• Confused? You're in good company.
F-30 IPX
• Note: the checksum isn't implemented and is set to FFFF hex. Good thing. Why? See next slide.
IPX header fields, sizes in bytes (30 bytes total):
  checksum (2) | pkt length (2) | transport ctl (hop ct) (1) | pkt type (1) | dest net (4) | dest node (6) | dest socket (2) | src net (4) | src node (6) | src socket (2)
F-31 IPX on CSMA/CD
• Ethernet format: protocol type = 8137 hex
• Raw 802.3 --- leave out all multiplexing! Start the IPX packet where DSAP should be, so the checksum field covers DSAP and SSAP
• SNAP --- DSAP=SSAP=SNAP (aa hex), protocol type = 0.0.0.81.37
• 802.2 --- DSAP=SSAP=E0 hex
• Cope with multiple formats by treating the LAN as multiple logical LANs, and routers translate formats
[Figure: stations A and b on the same physical LAN, each using a different frame format, with router R translating between them]
F-32 Ethernet
Frame formats carrying IPX (field sizes in bytes):
  Ethernet:      dst (6) | src (6) | 8137 (2) | IPX packet
  "Raw 802.3":   dst (6) | src (6) | lnth (2) | IPX packet
  802.2 format:  dest (6) | src (6) | ln (2) | E0 (1) | E0 (1) | 03 (1) | IPX packet (43-1497)
  SNAP format:   dest (6) | src (6) | ln (2) | AA (1) | AA (1) | 03 (1) | 0.0.0.81.37 (5) | IPX packet
F-33 Defined Packet Types
0 -- unknown packet type
1 -- RIP
2 -- reserved (was Echo protocol)
3 -- reserved (was Error handler)
4 -- "packet exchange packet", used by most things (like SAP, TCP over IPX)
5 -- SPX
17 -- NCP
20 -- Flooded (used for NetBIOS)
F-34 Assigned Sockets
451 (hex) NCP
452 SAP
453 RIP
455 NetBIOS
456 Diagnostics
4000-7FFF Dynamically assigned
8000-FFFF Novell assigned
9001 NLSP
9004 IPX WAN version 2
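The four encapsulations of F-31/F-32 and the 30-byte header of F-30 together decide whether a frame is IPX at all and what it carries. The following parser is an added example, not code from the slides or from Novell; it builds a constructed RIP request (packet type 1, socket 453 hex) and decodes it from each frame type, rejecting a checksum field that is not FFFF or a length field that overruns the packet. Station addresses and payload bytes are made up for the demonstration.

```python
import struct

# Packet types (F-33) and well-known sockets (F-34) exactly as the slides list them.
PACKET_TYPES = {0: "unknown", 1: "RIP", 4: "packet exchange", 5: "SPX",
                17: "NCP", 20: "flooded (NetBIOS)"}
SOCKETS = {0x451: "NCP", 0x452: "SAP", 0x453: "RIP", 0x455: "NetBIOS",
           0x456: "Diagnostics", 0x9001: "NLSP", 0x9004: "IPX WAN v2"}
IPX_HDR = "!HHBBI6sHI6sH"            # F-30: 2+2+1+1+4+6+2+4+6+2 = 30 bytes
IPX_HDR_LEN = struct.calcsize(IPX_HDR)
SNAP_IPX = b"\x00\x00\x00\x81\x37"   # SNAP protocol type 0.0.0.81.37 (F-31)


def find_ipx(frame: bytes):
    """Locate the IPX header in a frame using the four encapsulations of
    F-31/F-32. Returns (frame type, offset of IPX header) or (None, -1)."""
    if len(frame) < 14 + IPX_HDR_LEN:
        return None, -1
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:                        # Ethernet II: a protocol type
        return ("Ethernet_II", 14) if type_or_len == 0x8137 else (None, -1)
    llc = frame[14:]                                 # 802.3: a length, then LLC (or not)
    if llc[:2] == b"\xff\xff":                       # raw 802.3: IPX checksum where DSAP goes
        return "Ethernet_802.3", 14
    if llc[0] == llc[1] == 0xE0 and llc[2] == 0x03:  # 802.2: DSAP=SSAP=E0
        return "Ethernet_802.2", 17
    if llc[0] == llc[1] == 0xAA and llc[2] == 0x03 and llc[3:8] == SNAP_IPX:
        return "Ethernet_SNAP", 22                   # SNAP SAP (aa) + 5-byte protocol type
    return None, -1


def parse_ipx(pkt: bytes) -> dict:
    """Decode the IPX header of F-30, rejecting what a receiver must not trust:
    a checksum field other than FFFF, or a length field beyond the packet."""
    if len(pkt) < IPX_HDR_LEN:
        raise ValueError("truncated IPX header")
    (csum, length, hops, ptype, dnet, dnode, dsock,
     snet, snode, ssock) = struct.unpack(IPX_HDR, pkt[:IPX_HDR_LEN])
    if csum != 0xFFFF:
        raise ValueError("checksum field must be FFFF (checksum not implemented)")
    if not IPX_HDR_LEN <= length <= len(pkt):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(pkt)))

    def addr(net, node, sock):                       # net.node.socket, all hex (F-36)
        return "%08X.%s.%04X" % (net, node.hex().upper(), sock)

    return {"hops": hops, "type": PACKET_TYPES.get(ptype, "type %d" % ptype),
            "dst": addr(dnet, dnode, dsock), "src": addr(snet, snode, ssock),
            "dst_socket": SOCKETS.get(dsock, "dynamic" if 0x4000 <= dsock <= 0x7FFF
                                      else "Novell assigned" if dsock >= 0x8000 else "other"),
            "payload": pkt[IPX_HDR_LEN:length]}


def is_valid_ipx(pkt: bytes) -> bool:
    """True if parse_ipx accepts the header."""
    try:
        parse_ipx(pkt)
        return True
    except ValueError:
        return False


def decode_frame(frame: bytes):
    """Find the encapsulation, then parse the IPX header; None if not IPX."""
    enc, off = find_ipx(frame)
    if enc is None:
        return None
    info = parse_ipx(frame[off:])
    info["encapsulation"] = enc
    return info


# ---- constructed sample frames (not captured traffic) --------------------------
SRC_MAC = b"\x00\x00\xc0\x11\x22\x33"               # made-up station address


def build_ipx(ptype, dst, src, payload=b""):
    """Build an IPX packet; dst and src are (net, 6-byte node, socket) tuples."""
    return struct.pack(IPX_HDR, 0xFFFF, IPX_HDR_LEN + len(payload), 0, ptype,
                       dst[0], dst[1], dst[2], src[0], src[1], src[2]) + payload


def build_frame(enc: str, ipx: bytes) -> bytes:
    """Wrap an IPX packet in one of the four frame types of F-32."""
    macs = b"\xff" * 6 + SRC_MAC                     # broadcast destination, our source
    if enc == "Ethernet_II":
        return macs + b"\x81\x37" + ipx
    if enc == "Ethernet_802.3":
        return macs + struct.pack("!H", len(ipx)) + ipx
    if enc == "Ethernet_802.2":
        return macs + struct.pack("!H", len(ipx) + 3) + b"\xe0\xe0\x03" + ipx
    if enc == "Ethernet_SNAP":
        return macs + struct.pack("!H", len(ipx) + 8) + b"\xaa\xaa\x03" + SNAP_IPX + ipx
    raise ValueError("unknown frame type " + enc)


# A RIP request (packet type 1, socket 453 hex) for all nets: net = FFFFFFFF (F-48).
RIP_REQUEST = build_ipx(1, (0, b"\xff" * 6, 0x453), (0, SRC_MAC, 0x4000),
                        struct.pack("!HIHH", 1, 0xFFFFFFFF, 0xFFFF, 0xFFFF))

if __name__ == "__main__":
    for enc in ("Ethernet_II", "Ethernet_802.3", "Ethernet_802.2", "Ethernet_SNAP"):
        print(enc, decode_frame(build_frame(enc, RIP_REQUEST)))
```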
F-35 Addresses
• 802 addresses have no geographic hints -- like routing to a social security number -- known as a "flat address"
• Generic hierarchical address: locator.node
• IP, IPX, Appletalk: the locator is specific to a LAN
• CLNP, DECnet Ph4, (maybe IPv6): the locator is an entire region called an "area" -- could be a single LAN but can be bigger
[Figure: address split into locator | node]
F-36 Comparative Addresses (field sizes in bytes)
  IP:           4 bytes total; the locator/node boundary depends on the mask
  IPX:          4 (net) | 6 (node)
  DECnet Ph IV: 2 bytes total; 6 bits area, 10 bits node
  Appletalk:    2 | 1
  CLNP:         up to 14 | 6
  IPv6 ?:       8 | 8
F-37 IP
• Each node is configured with (address, mask)
• Can tell if someone is on the same LAN if: (your addr AND mask) = (dst addr AND mask)
• If on the same LAN, still need the LAN address
• Use the ARP protocol -- broadcast "who has IP address ...", the target replies (everyone else ignores)
F-38 IPX
• Endnodes autoconfigure based on the IEEE address
• Ask a router for the 4-byte network number
• Fill in the IEEE address in the bottom 6 bytes
• Someone is on your LAN if the net # matches
• No ARP! Use the bottom 6 bytes as the IEEE address
• Better than IP: more net #s, autoconfigures, no ARP overhead
• So why the misconception that IPX is "LAN-only", "doesn't scale", etc.?
F-39 Endnode Operation
• Ask routers (via the broadcast DL address) to get the LAN # in the beginning
• To talk to N.x, if N is your net #, talk directly (using DL address x)
• To talk to N.x where N is not your net, ask routers "who can get me to net N?"
• Routers that have a path to N (other than on the link from which the query arrived) respond
• Use that router to get to N
F-40 Internal Network Number
• S has two possible addresses: 57.x and 29.y
• If S chooses 57.x, C will ask routers for "57"; both R and S respond
• If C chooses R, packets go an extra hop
• Solution: internal network number
[Figure: client C, router R and server S; S has interface x on net #57 and interface y on net #29]
F-41 Internal Network Number
• S chooses address 91.1
• S will respond to the RIP query
[Figure: same topology, with S additionally reachable as "net" 91, its internal network number]
F-42 New Topic: Routing Algorithms
• Want to build a "forwarding database": table of (dest, nbr)
• Two types of routing algorithm: distance vector (e.g., RIP), link state (e.g., NLSP)
F-43 Distance Vector Routing
• You know the following:
– your own ID
– how many cables are hanging off your box
– the cost of going through each cable to whatever is at the end
• Purpose of the routing algorithm: come up with a forwarding database, telling you which neighbor to send to for each possible destination
• Do this by exchanging distance vectors, which tell the transmitter's distance to each destination
[Figure: your router with four cables, #j, #k, #m and #n, each labelled with its cost]
F-44 Distance Vector Routing (cont.)
You are destination #4. Cable costs: j = 3, k = 2, m = 2, n = 7.

  dest #                                 1   2   3   4   5   6   7   8   9  10  11
  Distance vector received from cable j 12   3  15   3  12   5   6  18   0   7  15
  Distance vector received from cable k  5   8   3   2  10   7   4  20   5   0  15
  Distance vector received from cable m  0   5   3   2  19   9   5  22   2   4   7
  Distance vector received from cable n  6   2   0   7   8   5   8  12  11   3   2
  Your own calculated distance vector    2   6   5   0  12   8   6  19   3   2   9
  Your forwarding table                  m   j   m   0   k   j   k   n   j   k   n
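The F-44 table is one round of the distance vector computation described on F-43, and F-46 describes what is withheld when the result is announced. The code below is an added example (not from the slides) that reproduces the slide's own vector and forwarding table from the received vectors and cable costs, then builds the split-horizon announcement for one cable. The cable costs j=3, k=2, m=2, n=7 are read off the reconstructed table.

```python
# Slide F-44: you are destination #4, cable costs j=3, k=2, m=2, n=7, and the
# distance vectors received on each cable (list index 0 is destination #1).
SELF = 4
CABLE_COST = {"j": 3, "k": 2, "m": 2, "n": 7}
RECEIVED = {
    "j": [12, 3, 15, 3, 12, 5, 6, 18, 0, 7, 15],
    "k": [5, 8, 3, 2, 10, 7, 4, 20, 5, 0, 15],
    "m": [0, 5, 3, 2, 19, 9, 5, 22, 2, 4, 7],
    "n": [6, 2, 0, 7, 8, 5, 8, 12, 11, 3, 2],
}


def compute(self_id, cable_cost, received):
    """One distance-vector step: for every destination take the cheapest
    (cable cost + distance the neighbour on that cable advertises).
    Returns (own distance vector, forwarding table). A later cable replaces an
    earlier one on equal cost, which reproduces the slide's choices at
    destinations 3 (m over k) and 11 (n over m)."""
    n_dest = len(next(iter(received.values())))
    vector, forwarding = [], []
    for dest in range(1, n_dest + 1):
        if dest == self_id:
            vector.append(0)
            forwarding.append("0")           # the slide marks yourself with 0
            continue
        best_cost, best_cable = None, None
        for cable, link_cost in cable_cost.items():
            cost = link_cost + received[cable][dest - 1]
            if best_cost is None or cost <= best_cost:
                best_cost, best_cable = cost, cable
        vector.append(best_cost)
        forwarding.append(best_cable)        # None would mean "unreachable"
    return vector, forwarding


def announce(vector, forwarding, cable):
    """Vector to send out on `cable` under split horizon (F-46): when only the
    best path is kept, suppress every destination you forward via that cable."""
    return {dest + 1: dist for dest, dist in enumerate(vector)
            if forwarding[dest] != cable}


if __name__ == "__main__":
    vec, fwd = compute(SELF, CABLE_COST, RECEIVED)
    print("own vector      ", vec)
    print("forwarding table", fwd)
    print("announced on j  ", announce(vec, fwd, "j"))
```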
F-45 Looping Problem
[Figure: routers A, B and C with other nodes (V, X, K, J, S, W, B, Z) behind them, and destination D reached over a slow link]
F-46 Split Horizon
• Alleviates (does not solve!) the looping problem
• Many variants
• Don't announce a path to D on link L if some other router on L is announcing a better path on L
• If you only keep a single "best path", then the link L on which you forward to D is the only one split horizon applies to
[Figure: A -- B -- C in a line: split horizon solves this; A, B, C in a triangle with D beyond: split horizon does not solve the 3-router loop]
F-47 IPX-RIP
• Not the best possible distance vector protocol
• IPX's RIP is similar to IP's RIP
• Send the distance vector periodically (60 sec)
• Only remember the best path. Forget it if not reminded (180 sec)
• IPX-RIP has two metrics: hops, and ticks (supposedly delay, in units of 1/18ths of a sec)
• Best path uses ticks. Hops are for count-to-infinity (infinity = 16)
• Events: time, route reported (>, = or <)
[Figure: routers G, A, B, X with link costs, and an example RIP table with columns dest, hops (ticks), DL addr, port, age]
F-48 IPX RIP
• First comes the LAN header (p-type or SAP = IPX)
• Then the IPX header, pkt type = 1, socket = 453 hex
• Then RIP info. Up to 50 nets per packet
• In a query: net = FFFFFFFF means "all"
RIP packet body (field sizes in bytes):
  operation (2): 1 = request, 2 = response
  then, repeated up to 50 times: net # (4) | hops (2) | ticks (2)
F-49 "Default Route"
• Original version of IPX: if the path to D is not known, drop the packet
• Then the "default route" got added
• Net # -2 (FF FF FF FE) means "default"
• If you don't have a path to D, but have a path to -2, then route towards -2
• R2 announces to R1 that it can reach "-2"
• Can configure filtering rules per link, and where to advertise -2
[Figure: R1 connected to R2, which connects to the backbone]
F-50 IPX Packet Type 20
• Receive, on LAN 97: packet type 20 with path 6,71,8,11,97
• Forward onto LAN 22: 6,71,8,11,97,22
• Forward onto LAN 15: 6,71,8,11,97,15
• Don't forward onto LAN 8
• Exponential # of pkts
[Figure: router R attached to LANs 8, 97, 22 and 15]
F-51 Compatible Fix
• Called "reverse path forwarding"
• Only accept a packet type 20 from source S via neighbor N if N is the best path towards S
• Changes exponential into n squared
• Each router only floods a packet once
F-52 SAP (Service Advertisement Protocol)
• Nothing to do with the Data Link SAP for multiplexing!!!
• Similar to RIP, but advertises service names rather than net #s
• Up to 7 services per SAP packet
SAP packet body (field sizes in bytes):
  operation (2)
  then, repeated up to 7 times: service type (2) | service name (48) | IPX full address (12) | hops (2)
F-53 Fascinating SAP Facts
• Operations:
1 = query for all of a certain type (or type FFFF)
2 = response to 1, or periodic broadcast
3 = get nearest server request
4 = get nearest server reply
• "Nearest server" wasn't well specified -- now specified that it is based on RIP ticks
• Split horizon wasn't well specified -- now based on SAP hops
• Service types: 3 = print queue, 4 = file server, 5 = job server, 7 = print server, 9 = archive server, 24 = remote bridge server, 47 = advertising print server
F-54 Filtering SAP
• Suppose you want to filter, but still give authorized users access to everything
• R1 filters all but S1
• X can log into S1 to find other services
[Figure: user X behind router R1, with server S1 on the far side]
F-55 Bindery
• Database on the server in NetWare 2 and 3.x
• Contains all services learned from SAP (and aged if not refreshed)
• Contains configured entries
• Scanned by the client using the NCP "scan bindery object"
• Specify service type (or FFFF) and name (which can contain the wildcards * and/or ?)
• Another problem: not all servers are the same. Sometimes the "preferred server" is not reachable from the "nearest". Also, pretty silly to get "nearest" and then query its bindery for the preferred.
• Result: a more specific SAP query was added recently
F-56 More Specific SAP Query
• Two queries: 12 (decimal) for "all", and 14 for "nearest"
• Response to 12 is 13. Response to 14 is 15
• Responses have the same format as today's. Requests (12 and 14) have the following format:
• All fields can be specific, partially, or fully wildcarded
Request body (field sizes in bytes):
  operation (2)
  then, repeated: service type (2) | service name (48) | net # (4) | net mask (4)
F-57 NLSP
• Link state routing protocol
• Almost the same as IS-IS. Similar to OSPF.
• Replaces RIP and SAP, but is compatible with RIP/SAP routers
• Endnodes can't tell the difference (NLSP still answers RIP and SAP queries)
F-58 Link State Routing
• Meet your neighbors
• Construct a Link State Packet (LSP)
– who you are
– list of (neighbor, cost) pairs
• Broadcast the LSP to all routers
• Store the latest LSP from every other node
• Compute routes
– Edsger Dijkstra's algorithm:
1. Put (SELF, 0) on the tree as root
2. Look at the LSP of the node just placed on the tree. If for any neighbor N the cost c is the best path to N found so far, add (N, c) to the tree under that node with a dotted line
3. Make the shortest dotted line solid. Go to 2.
F-59 Example Dijkstra Calculation
Network: A--B (6), A--D (2), B--C (2), B--E (1), C--F (2), C--G (5), D--E (2), E--F (4), F--G (1)
LSP database (each node's LSP lists neighbor/cost):
  A: B/6, D/2
  B: A/6, C/2, E/1
  C: B/2, F/2, G/5
  D: A/2, E/2
  E: B/1, D/2, F/4
  F: C/2, E/4, G/1
  G: C/5, F/1
Building the tree from root C (each step: the entry made solid, then the dotted entries it adds):
  C(0) root: dotted B(2), F(2), G(5)
  F(2) solid: dotted E(4), G(3) (replaces G(5))
  B(2) solid: dotted E(3) (replaces E(4)), A(8)
F-60 Example Dijkstra Calculation (cont.)
  E(3) solid: dotted D(5)
  G(3) solid: nothing new
  D(5) solid: dotted A(7) (replaces A(8))
  A(7) solid: done
Result: C 0, B 2, F 2, E 3, G 3, D 5, A 7
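The F-58 procedure run over the F-59 link state database, as an added example (not the slides' code): dotted entries sit in a heap, the shortest is made solid each round, and the first hop recorded for every node is the (dest, nbr) forwarding database of F-42. It also applies the 2-way check of F-61, dropping any link that only one end's LSP reports; the one-way link used in the test is constructed.

```python
import heapq

# Link state database of slide F-59: each router's LSP as (neighbour, cost) pairs.
LSP_DB = {
    "A": [("B", 6), ("D", 2)],
    "B": [("A", 6), ("C", 2), ("E", 1)],
    "C": [("B", 2), ("F", 2), ("G", 5)],
    "D": [("A", 2), ("E", 2)],
    "E": [("B", 1), ("D", 2), ("F", 4)],
    "F": [("C", 2), ("E", 4), ("G", 1)],
    "G": [("C", 5), ("F", 1)],
}


def two_way_links(lsp_db):
    """Keep only links that both ends report (the 2-way connectivity check of
    F-61); a neighbour claimed by one LSP alone must not be routed over."""
    return {node: [(nbr, c) for nbr, c in nbrs
                   if any(back == node for back, _ in lsp_db.get(nbr, []))]
            for node, nbrs in lsp_db.items()}


def dijkstra(lsp_db, root):
    """The F-58 procedure: dotted (tentative) entries live in a heap and the
    shortest one is made solid each round. Returns ({node: (cost, parent)},
    the order in which nodes became solid, {node: first hop}); the last is
    the forwarding database of F-42."""
    dotted = [(0, root, None)]            # (cost, node, parent): step 1, (SELF, 0) as root
    solid, order, first_hop = {}, [], {}
    while dotted:
        cost, node, parent = heapq.heappop(dotted)   # step 3: shortest dotted line
        if node in solid:
            continue                       # a worse dotted line to a node already solid
        solid[node] = (cost, parent)
        order.append(node)
        if parent is None:
            first_hop[node] = root
        elif parent == root:
            first_hop[node] = node
        else:
            first_hop[node] = first_hop[parent]
        for nbr, c in lsp_db.get(node, []):          # step 2: LSP of node just placed
            if nbr not in solid:
                heapq.heappush(dotted, (cost + c, nbr, node))
    return solid, order, first_hop


if __name__ == "__main__":
    solid, order, first_hop = dijkstra(two_way_links(LSP_DB), "C")
    for node in order:
        print("%s cost %d via %s" % (node, solid[node][0], first_hop[node]))
```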
F-61 Meeting your Neighbors
• Pt-pt link: say who you are. Negotiate the protocol (NLSP or RIP), measure delay/throughput and calculate costs; a client can be assigned an address
• LAN
– multicast Hello
– list other routers you've heard (check 2-way connectivity)
– elect a "Designated Router"
F-62 Designated Router
• Wasteful if every router on the LAN has a big LSP describing the LAN (router nbrs, services, etc.)
• The DR names the LAN (its 6-byte ID plus 1 byte), say FOO.25
• Routers on the LAN simply claim to be connected to FOO.25
• The DR sends an additional LSP from FOO.25, giving all the info for the LAN
F-63 LAN LSPs
[Figure: routers R1 through R5 on one LAN, with R1 as DR naming the LAN R1.25. Each router's own LSP (R1, R2, R3, R4, R5) lists the single neighbor R1.25; the pseudonode LSP for R1.25 lists R1 R2 R3 R4 R5 plus other LAN info, e.g. SAP]
F-64 Details of NLSP
• Three types of packets
– LSP
– Hello
– Sequence Numbers Packet (SNP)
• LSP lists neighbors. The DR generates one on behalf of the LAN (pseudonode)
• Hello coordinates with neighbors
• SNP summarizes the LSP database. A Partial SNP (PSNP) acks LSP(s). A Complete SNP (CSNP) gives all LSPs within a specified range.
– PSNP used on pt-pt links as LSP ack
– CSNP used on a LAN by the DR to summarize the LSP database. No explicit acks to specific LSPs. If the CSNP indicates a discrepancy, ask for the missing info, or transmit the DR's missing info
F-65 Summarizing addresses
• How can you specify a bunch of network numbers compactly?
– "all net numbers with 1st byte = 5"
– "all net numbers between 31b82cf1 and 378291fc"
– "all net numbers that when masked with ff000000 = 5000000"
• IP uses (address, mask) pairs
• I prefer prefixes. More compact, no temptation or opportunity to do noncontiguous masks
• The first version of NLSP didn't do summarizing, so every net number had to be independently advertised
• Now NLSP has summarization capability
F-66 Areas
• LSPs are only sent within an area
• An area has a name consisting of up to 3 (net, mask) pairs
• It is best if all addresses in the area match one of the area addresses, and no addresses outside the area match
• Purpose of area addresses:
– To assure neighbors agree on the area, so that areas don't accidentally merge
– Used as the default summary for the area
– Filtering of SAP and routes, and summarization of network numbers, can be done at area boundaries
F-67 Info Leaking Between Areas
• The original NLSP document said connect areas via RIP or static configuration!
• The right way: run multiple instances of NLSP on a router
• Only boundary routers need to be able to run multiple instances of NLSP
[Figure: two areas, each containing routers R1 and R2, joined through a boundary router R]
F-68 Route Aggregation
• We've added the ability to summarize addresses into NLSP
• A summary looks like (1-byte length, 4-byte address)
• Length is the number of 1's that would be in the mask if it were a mask
• A router on the boundary introduces a summary
• A summary can be passed from area to area
• The summary includes an "area-count" to limit how far it spreads
• Summaries work with filtering: "don't advertise anything of the form 5.*. Advertise the summary 5.*"
F-69 Default Route
• Special case summary that matches everything
• We've added the default route to RIP
– network number -2
– RIP router: if dest is not reachable, but -2 is reachable, route towards -2
• NLSP has several ways of doing default:
– LSP says "I am a level 2 router"
– destination -2
– zero length prefix
[Figure: routers R1, R2, R3 and R4 connected to a backbone]
F-70 SAP Info
• LSP contains SAP information
• Only one router (the one closest to the service) puts SAP info into its LSP
• The SAP info does not need to be periodically broadcast, and only one router transmits it, so it saves bandwidth and memory
• Of course we still support endnodes that do SAP queries, and we generate SAP to RIP router neighbors
F-71 Coexistence with RIP/SAP
• R1 takes all dests and services learned through LSPs in NLSP and reports each in a RIP update to R2. R1 takes all RIP/SAP info learned from R2 and reports those as "external destinations" in its LSP within NLSP.
• R1 can be configured to report the default route to RIP, and will be configurable to report ranges instead of individual network numbers, into NLSP (but not into RIP)
[Figure: R1 on the NLSP side connected to R2 on the RIP side]
F-72 Large Nets with NLSP
• An LSP can report "I can reach this range of addresses"
• An implementation can run two instances of NLSP, so that areas can be linked through NLSP rather than through RIP.
[Figure: two NLSP areas, with routers R1 and R2, joined by router R]
F-73 Basic topology:
• R1 tells the backbone a range. The backbone just tells * to R1 (when in doubt, send to me). R6 reports the default route (-2) to RIP. R6 is configured with a summary to report from RIP into the NLSP cloud.
• The backbone has less info --- a range from each cloud
[Figure: backbone with area routers R1 through R5, and R6 connecting a RIP cloud]
F-74 When will we have "level 2" NLSP?
• Never. It's not needed
• The ability to do route summarization and leak info between areas gives a very flexible and scalable topology
• More flexible and scalable than the OSPF topology. OSPF is limited to areas connected by a single backbone
• We can connect little circles, have more levels of hierarchy, multiple backbones, etc.
F-75 Example
[Figure: nested areas announcing the ranges 72*, 6*, 52*, 617* and 527*, with a backbone announcing *]
F-76 Additional Flexibility
• The range option (length of prefix in bits, 4-byte address) contains the field "area-count"
• Each time a range is learned and passed on to another area, area-count is decremented
• If it reaches 0, it is not passed further
• This allows connecting areas without using them as through-paths
[Figure: areas announcing the ranges 5*, 51*, 7*, 72*, 52*, 784* and 527*, with a backbone announcing *]
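An added example (not code from the slides or from NLSP itself) of the range mechanics described on F-65, F-68, F-69 and F-76: converting an ff000000-style mask to a prefix length and refusing a noncontiguous one, exporting specifics plus the "5.*" summary with the covered specifics filtered out, longest-match lookup where the zero-length prefix is the default, and area-count decrement as a range crosses area boundaries. The network numbers and next-hop names are constructed.

```python
# A range/summary as carried in NLSP (F-68, F-76): (prefix length in bits,
# 4-byte network number, area-count). The default route (F-69) is the zero-length prefix.

MASK32 = 0xFFFFFFFF


def mask_to_prefix_len(mask: int) -> int:
    """Turn an IP-style (address, mask) mask into a prefix length, rejecting the
    noncontiguous masks that a prefix cannot express (the point made on F-65)."""
    mask &= MASK32
    ones = bin(mask).count("1")
    if mask != (MASK32 << (32 - ones)) & MASK32:
        raise ValueError("noncontiguous mask %08x has no prefix form" % mask)
    return ones


def covers(prefix_len: int, prefix: int, net: int) -> bool:
    """True if net falls inside the range; length 0 matches everything."""
    shift = 32 - prefix_len
    return (net >> shift) == (prefix >> shift)


def export_with_filter(specifics, summaries):
    """What a boundary router advertises into the next area (F-68): every
    specific net not covered by a summary, plus the summaries themselves
    ("don't advertise anything of the form 5.*, advertise the summary 5.*")."""
    kept = [net for net in specifics
            if not any(covers(ln, pfx, net) for ln, pfx, _ in summaries)]
    return kept, list(summaries)


def pass_to_next_area(summaries):
    """F-76: a range is passed into another area with its area-count decremented;
    a range whose count has already reached 0 is not passed further."""
    return [(ln, pfx, count - 1) for ln, pfx, count in summaries if count > 0]


def longest_match(net: int, routes):
    """Forwarding choice among (prefix_len, prefix, next_hop): the most specific
    range wins; a zero-length entry is the default route of F-69."""
    best = None
    for ln, pfx, next_hop in routes:
        if covers(ln, pfx, net) and (best is None or ln > best[0]):
            best = (ln, pfx, next_hop)
    return best[2] if best else None


# Constructed sample data: "all net numbers with 1st byte = 5" (F-65) as a
# summary with area-count 2, some specifics, and a small forwarding table.
SUMMARY_5 = (mask_to_prefix_len(0xFF000000), 0x05000000, 2)
SPECIFICS = [0x05000001, 0x05123456, 0x06000001, 0x31B82CF1]
ROUTES = [(0, 0x00000000, "backbone"),        # zero-length prefix: default
          (8, 0x05000000, "R1"),
          (16, 0x05120000, "R2")]

if __name__ == "__main__":
    print("exported:", export_with_filter(SPECIFICS, [SUMMARY_5]))
    area = [SUMMARY_5]
    while area:                                   # watch the area-count run out
        area = pass_to_next_area(area)
        print("next area receives:", area)
    for net in SPECIFICS:
        print("%08X -> %s" % (net, longest_match(net, ROUTES)))
```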
F-77 Summary of NLSP
• NLSP is a more efficient routing protocol than RIP
• It allows more hops
• It coexists with RIP/SAP
• It alleviates SAP overhead
• The more routers converted to NLSP, the lower the overhead
• With route aggregation and area info leaking, an arbitrary number of levels of hierarchy
F-78 Address Assignment
• Global
– you get an address from one organization and then you "own" it
– this way you can hook intranets together and addresses won't collide
– but addresses should be summarizable (not just unique)
– IP now realizes addresses should be "rented", not "owned"
– people HATE renumbering (even though IPX is a lot easier to renumber than IP)
• Local
– you assign addresses within your own net as you please. Renumbering is necessary whenever merging with another net.
F-79© Copyright 1997, The University of New Mexico
IPX Address Registry
• Only recently has there been a registry of IPX addresses so you can get unique addresses
• So there’s zillions of little IPX intranets, with overlapping address space
• Easier to renumber than IP, but people still hate it
• Mapping from IP to globally unique IPX:
[Figure: IP address bytes a b c d map to IPX network number 0 a b c]
F-80© Copyright 1997, The University of New Mexico
SPX
• “Sequenced Packet Exchange”, derived from XNS SPP
• End-to-end reliable (Transport layer) protocol.
• Functionally similar to TCP
• But not as good! Window size of 1, no pkt size negotiation (586 byte packets)
• SPX-2 an improvement, but not trivial to replace SPX, because API changed
• SPX-2 is compatible on the wire -- two nodes communicate and if they can both speak SPX-2 they speak SPX-2, otherwise SPX
• SPX header after IPX header
• Each msg is numbered, and if not ack’d it is retransmitted
F-81© Copyright 1997, The University of New Mexico
SPX Packet Format
Field                      Bytes
IPX header (pkt type=5)    30
Connection ctl             1
data stream type           1
source conn. ID            2
dest conn. ID              2
sequence #                 2
ack #                      2
allocation number          2
data                       variable
F-82© Copyright 1997, The University of New Mexico
SPX Fields
• Connection control: flags
– bit #0: SPX-2 extended header (ignored by SPX)
– 1: reserved (Xmit as 0, ignore on receipt)
– 2: ignored by SPX, means “negotiate size” for SPX-2
– 3: ignored by SPX, indicates this is SPX-2
– 4: end of msg (user bit)
– 5: ignored by SPX, “attention” in SPX-2
– 6: send ack after this pkt (always 1 for SPX)
– 7: System packet (does not consume seq #)
F-83© Copyright 1997, The University of New Mexico
More SPX Fields
• Data stream type
– FE: end of connection. For graceful disconnect
– FF: acks end of connection
– 00-7F: user-defined values. Can be used internally by the application for submultiplexing, transaction code, etc.
• Connection IDs: each side assigns its own. Dest conn. ID set to FFFF on conn. req
• Sequence number: independently assigned in each direction. Wraps to 0000 after FFFF
• Ack #: next pkt expected from other side
F-84© Copyright 1997, The University of New Mexico
More SPX Fields
• Allocation #:
– highest seq # this side is able to accept.
– Most implementations announce # of buffers for the IPX socket, which is wrong (if multiple SPX connections are sharing the IPX socket).
– That’s why Novell’s SPX transmitter doesn’t take advantage of window size >1
• Negotiation Size
– Only present in SPX-2
– But even SPX-2 leaves it out of connection request (for SPX compatibility)
– After negotiation, still send test pkt
– Routers will truncate or drop
– Size is min (yours, other side’s, network’s)
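As an added example (not part of the slides), a parser for the SPX header laid out on the preceding slides, decoding the connection-control bits by the bit numbers given above. It assumes the usual big-endian wire layout and that the IPX packet-type byte sits at offset 5 of the 30-byte IPX header; the sample packet is constructed.

```python
import struct
from dataclasses import dataclass

IPX_HEADER_LEN = 30                     # SPX header follows the 30-byte IPX header
SPX_HEADER = struct.Struct(">BBHHHHH")  # 12 bytes: ctl, stream, src, dst, seq, ack, alloc
CONN_CTL_BITS = {                       # bit numbers as listed on the "SPX Fields" slide
    0: "spx2-extended-header", 1: "reserved", 2: "negotiate-size", 3: "spx2",
    4: "end-of-message", 5: "attention", 6: "ack-required", 7: "system",
}

@dataclass
class SpxHeader:
    flags: list
    stream_type: int
    src_conn: int
    dst_conn: int
    seq: int
    ack: int
    alloc: int

    def consumes_seq(self) -> bool:
        return "system" not in self.flags      # system packets do not consume a seq #

    def is_conn_request(self) -> bool:
        return self.dst_conn == 0xFFFF         # dest conn. ID is FFFF on a conn. request

def parse_spx(pkt: bytes) -> SpxHeader:
    """Parse the SPX header from a raw IPX packet as seen on the wire."""
    if len(pkt) < IPX_HEADER_LEN + SPX_HEADER.size:
        raise ValueError("truncated SPX packet")
    if pkt[5] != 5:                            # IPX packet type byte (assumed offset); SPX is type 5
        raise ValueError("IPX packet type %d is not SPX" % pkt[5])
    ctl, stream, src, dst, seq, ack, alloc = SPX_HEADER.unpack_from(pkt, IPX_HEADER_LEN)
    flags = [name for bit, name in CONN_CTL_BITS.items() if ctl & (1 << bit)]
    return SpxHeader(flags, stream, src, dst, seq, ack, alloc)

def next_seq(seq: int) -> int:
    return (seq + 1) & 0xFFFF                  # wraps to 0000 after FFFF

def stream_meaning(stream_type: int) -> str:
    if stream_type == 0xFE:
        return "end of connection"
    if stream_type == 0xFF:
        return "ack of end of connection"
    if stream_type <= 0x7F:
        return "user-defined"
    return "not described on the slides (80-FD)"

# Constructed sample: IPX header of packet type 5 (other IPX fields zeroed, length 42),
# then an SPX connection request with end-of-message and ack-required set.
SAMPLE = bytes([0xFF, 0xFF, 0, 42, 0, 5]) + bytes(24) + SPX_HEADER.pack(0x50, 0x00, 0x1234, 0xFFFF, 0, 0, 0)
```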
F-85© Copyright 1997, The University of New Mexico
Window Size
• In SPX-2 can have window sizes bigger than 1
• server starts at 8
• client starts at 3
• based on internal heuristics, size changes
F-86© Copyright 1997, The University of New Mexico
NCP
• Special purpose reliable Transport protocol
• Client requests. Server responds
• Originally one pkt request, one pkt response
• If response too big for a packet, client had to break it into multiple requests:
– req first hunk of data: get back data+pointer
– req data starting from pointer: returned more data plus next pointer, etc.
• Then “packet burst” was added, wherein a long (up to 64K) multi-packet response is sent “all at once”
• It is rate based (different from standard window with acks every few packets)
• Missing fragments are explicitly requested (rather than ack’ing received ones)
F-87© Copyright 1997, The University of New Mexico
NCP Packet Format (though it varies for some calls)
Field                                   Bytes
IPX header (pkt type=17, socket=451)    30
function code                           2
sequence #                              1
conn # low                              1
task #                                  1
conn # hi                               1
completion code                         1
status flags                            1
F-88© Copyright 1997, The University of New Mexico
Description of NCP Fields
• Function code one of: (1111=create service connection), (2222=service request), (3333=service response), (5555=destroy a service connection), (7777=packet burst), (9999=previous request still being processed)
• connection # should have been 2 bytes. They realized that too late. Set to 0 by client and assigned by server.
• Task # allows up to 255 tasks to share a single connection
• completion code nonzero indicates error
• status flags: (bit 0=bad service), (2=no conn available), (4=server down), (6=server has a broadcast msg pending for the client)
F-89© Copyright 1997, The University of New Mexico
NCP with Burst
Field                                                           Bytes
IPX header (pkt type=17, socket=451)                            30
function code=7777                                              2
flags                                                           2
source conn id                                                  4
dest conn #                                                     4
send delay                                                      4
burst seq #                                                     2
ACK seq #                                                       2
total burst                                                     4
offset into burst of this data                                  4
packet size                                                     2
# of fragment entries                                           2
missing fragment list (4 byte file offset, 2 byte length each)  6n
F-90© Copyright 1997, The University of New Mexico
TCP/UDP over IPX
• Documented in RFC 1791
• IPX pkt type 4, socket 9091 =TCP, socket 9092 =UDP
• An additional header (called IPXF) is added to allow IPX fragmentation. Using IPXF allows packets up to 64K
• Anything requiring fragmentation can run over IPXF
• IPXF uses socket 9093. The real socket is contained in the additional header
F-91© Copyright 1997, The University of New Mexico
IPXF
[Figure: IPXF packet format. IPX header (socket 9093), 30 bytes, followed by fragment offset, packet ID, destination socket and datagram length (in 8 octet units); the figure gave those four fields sizes of 2, 2, 2 and 4 bytes, in an order the extraction does not preserve.]
F-92© Copyright 1997, The University of New Mexico
IP/IPX Gateway
• A talks only IPX. Sees all Internet hosts as appearing on G’s IPX address. A establishes a TCP connection to G. G figures out the actual IP address of the destination, and opens a TCP connection to X. If the TCP port to X is n, G remembers that n goes with its IPX-TCP connection to A.
[Figure: IPX-only host A, gateway G (IPX on one side, IP on the other), and Internet host X reached over IP]
F-93© Copyright 1997, The University of New Mexico
Mobile IPX
• Mobile host: has software in it to make applications think its address is always a constant
– finds MR
– Asks for address from MR. Keeps MR informed when it moves
• Mobile router
– advertises itself through SAP
– assigns MH a permanent address
– keeps track of MH’s current physical address
– receives packets destined to MH
– Redirects them to MH’s current physical address
• Correspondent Host: unaware that it’s talking to a MH rather than an ordinary IPX node
F-94© Copyright 1997, The University of New Mexico
Mobile IPX
• Let’s say MR’s internal net # is 6
• MH has physical address, say, net.ID
• Will be assigned a permanent address like 6.31
• CH receives packets from source address 6.31.
• CH sends to 6.31. MR receives and forwards to “net.ID”
• If MH moves to (net2.ID2), it informs MR
• Mobility simpler with IPX than IP, since no need for foreign agent (since in IPX MH can always easily get an address)
[Figure: MH, MR and CH]
F-95© Copyright 1997, The University of New Mexico
NDS
• Similar to telephone directory
• Partitioning (not all numbers in one book)
• Hierarchical names (like file system)
• Replication (same directory can be stored in multiple locations)
• Based on X.500
• A partition is a set of directories in a connected portion of the tree which must be replicated as a unit
• One master replica
• Multiple writable and read-only replicas
• Replicas have to periodically synchronize
F-96© Copyright 1997, The University of New Mexico
Security
• Three types of crypto algorithms
– secret key (one shared key)
– public key (two keys per user, one public, one kept private)
– message digest (irreversible hash)
F-97© Copyright 1997, The University of New Mexico
NetWare 3X Authentication
• A secret key scheme
• It’s slightly more complicated than that since “x” is really h(pwd, userID), and the server needs to first tell the client machine the userID so that the client machine can calculate x
• Have to configure user and “x” at every server the user has rights to log into
[Figure: client sends “Alice”; server replies with random # R; client answers h(R, x_Alice). The server stores h(pwd1)=x1 for User1, h(pwd2)=x2 for User2, and so on.]
F-98© Copyright 1997, The University of New Mexico
Packet Signatures
• Someone demo’d “session hijacking”
• Somewhat unfairly, NetWare got lots of bad press for that
• Solution was “packet signature”
• Client and server compute h(R, x, constant), and use that as a “session key”
• The “signature” is like a checksum, but it depends on the beginning of the packet and the session key, so without knowing the session key you can’t hijack the session
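As an added example (not from the slides), the 3.x challenge-response and the packet-signature session key described on the two preceding slides, modelled in Python so the two checks can be exercised. The hash h() is assumed to be SHA-256 over length-prefixed inputs, and the constant and the number of leading packet bytes covered by the signature are placeholders the slides do not specify.

```python
import hashlib
import hmac
import os

CONSTANT = b"signature-constant"   # placeholder for the slide's "constant" (not given there)
SIGNED_PREFIX = 16                 # leading packet bytes the signature covers (assumption)

def h(*parts: bytes) -> bytes:
    """The slides' h(): assumed here to be SHA-256 over length-prefixed parts."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()

class Server:
    """Each server stores x = h(pwd, userID) per user, never the password itself."""
    def __init__(self, users):
        self.x = {uid: h(pwd, uid) for uid, pwd in users.items()}

    def challenge(self) -> bytes:
        return os.urandom(8)          # the random # R sent to the client

    def login(self, uid: bytes, R: bytes, response: bytes):
        """Return the session key h(R, x, constant) on success, else None."""
        x = self.x.get(uid)
        if x is None or not hmac.compare_digest(h(R, x), response):
            return None
        return h(R, x, CONSTANT)

def client_login(server: Server, uid: bytes, pwd: bytes):
    """Client side: derive x from the password and the server-supplied userID."""
    R = server.challenge()
    x = h(pwd, uid)
    server_key = server.login(uid, R, h(R, x))
    client_key = h(R, x, CONSTANT)
    return server_key == client_key, client_key   # (login ok?, session key)

def sign_packet(session_key: bytes, packet: bytes) -> bytes:
    """Packet signature: depends on the session key and the packet's beginning."""
    return h(session_key, packet[:SIGNED_PREFIX])[:8]

def packet_accepted(session_key: bytes, packet: bytes, signature: bytes) -> bool:
    """Receiver's check: a packet whose beginning or key does not match is rejected."""
    return hmac.compare_digest(sign_packet(session_key, packet), signature)
```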
F-99© Copyright 1997, The University of New Mexico
Public Key Authentication
• How does Alice know her private key?
• How does Bob know Alice’s public key?
[Figure: Alice sends “Alice” to Bob; Bob replies with R; Alice returns R “signed” with Alice’s private key; Bob verifies using Alice’s public key.]
F-100© Copyright 1997, The University of New Mexico
Getting Alice’s Private Key
• Alice can’t simply remember a 500 bit number
• A secret key can be directly derived from the password, but a private key has to be a very special number
• Could carry it around on a floppy or smart card (encrypted with password)
• Could store it (encrypted) on a file on Alice’s workstation
• Could store it in a convenient place on the network (like NDS) encrypted with Alice’s password
• NetWare v4 stores it encrypted in NDS
• To prevent off-line password guessing, WS has to prove to NDS that the WS knows the user’s password before NDS will send the encrypted private key
F-101© Copyright 1997, The University of New Mexico
Initial Login to NDS (somewhat simplified)
[Figure: Alice gives her name and pwd to the WS; WS calculates S = MD(pwd); NDS sends R; WS replies with MD(S, R); NDS returns the encrypted private key {prv key}pwd. NDS stores for the user: the public key, {prv key}pwd, and S = MD(pwd).]
F-102© Copyright 1997, The University of New Mexico
Less Simplified
[Figure: NDS sends R and salt; WS computes X = MD(pwd, salt) and Y = MD(X, R), and sends {Y, R2} encrypted under NDS’s public key; NDS verifies Y and returns {encrypted priv key XOR R2} encrypted under Y.]
F-103© Copyright 1997, The University of New Mexico
Login Steps
• Alice types her name and password to WS
• WS proves to NDS that it knows Alice’s password
• NDS gives WS Alice’s encrypted private key
• WS decrypts private key with Alice’s password
• WS turns Alice’s private RSA key into a signature-only key K
• WS forgets Alice’s password and RSA key
• To log into server Bob, WS uses K, Bob verifies using Alice’s public key