© Copyright 1997, The University of New Mexico. F-1 Introduction to NetWare. Presented by Louella R. Phillips.

Page 1:

Introduction to NetWare

Presented by Louella R. Phillips

Page 2:

Introduction to NetWare

• History of NetWare

– The first version of NetWare, called ShareNet, appeared in 1983.

– Developed by IBM shortly after the IBM personal computer was introduced.

– Developed so that microcomputers could share access to files stored on central file servers.

– NetWare is the most widely used network operating system because of its stability and speed.

– Novell has continued to improve NetWare by releasing many versions, such as 4.11, 3.x and 2.x.

Page 3:

How does NetWare connect your PC to the network?

• NetWare uses special software called the NetWare requester.

• The NetWare requester resides on the PC rather than on a file server.

• The connection is established from the PC to the network. This process involves two steps: attaching and logging in.

– Attaching establishes a link between the PC and the file server.

– Logging in allows the user to access file servers and other network resources, such as shared printers.

Page 4:

How does NetWare connect your PC to the network? (cont.)

• PC network adapter cards broadcast a request over the network cable system asking a file server to respond.

• Your PC is linked or attached to the first file server that answers.

• The NetWare requester stays in the memory of your PC and serves as the software link between the PC's operating system and NetWare.

• The NetWare requester then provides you with a way to log in to the network.

Page 5:

How can NetWare provide you with security?

• Controlling logins and passwords

– The administrator creates a login name for each user, which permits them to log in to the server.

– The user will be required to use a password each time they log in.

– The login name is the first step to using network resources: without a login name, your access to the network will be denied. The second step is your password.

• Controlling trustee security and rights

– NetWare has a feature called trustee security, which grants various levels of control over access to a directory.

– As a trustee, the user can have access to files in a particular directory.

– Rights include read, write, create, erase, etc.

Page 6:

NetWare makes the network easy to use

– NetWare makes file server disks look like local disks to your PC.

– The NetWare MAP command lets you assign the drive letter of your choice to any disk, directory, or subdirectory on any file server that you are logged in to.

– NetWare allows you to create a login script that automatically sets up your drives.

– NetWare allows you to use all standard DOS and OS/2 commands on the file server disks for file manipulation and movement among directories.

– NetWare includes a powerful menu-building utility for DOS users. Menus are an excellent way to make programs and printers easy to use.

– The NetWare requester plays an important role in printing a document on the network: it sends the print job to the file server as a print-job file instead of sending it to the workstation's printer port.

Page 7:

Novell's Windows NT integration strategy

• IntranetWare Client for Windows NT

– IntranetWare allows a client running Windows NT 4.1 or Windows NT Workstation 3.51 and 4.0 access to NetWare services such as printing, security, management, and messaging through Novell's Directory Service (NDS).

• Novell Workstation Manager

– Novell Workstation Manager allows you to manage Windows NT Workstation 3.51 and 4.0 user accounts through NDS. You do not have to maintain these user accounts in the Windows NT Workstation Security Access Manager (SAM) database or the Windows NT Server domain database. You can now create an NT Workstation object in NDS and associate User, Group, or Organization objects with that object.

Page 8:

Novell's Windows NT integration strategy

• Novell Application Launcher

– The Novell Application Launcher (NAL) has been enhanced for use with Windows NT Workstation 3.51 and 4.0. Using the NetWare Administrator utility, you can create objects in the NDS tree to represent applications that are located on IntranetWare, NetWare 4, or Windows NT servers.

• ManageWise Agents for Windows NT

– ManageWise agents for Windows NT work with ManageWise 2.1 to integrate Windows NT servers and workstations with your overall network management system. These agents can collect real-time and long-term performance and alarm information about your Windows NT servers.

Page 9:

Novell's Windows NT integration strategy

• GroupWise 5 for Windows NT

– GroupWise 5 has been enhanced to integrate with Windows NT Server 3.51 and 4, and also runs on IntranetWare and Unix platforms.

– GroupWise 5 also provides integration with Microsoft Exchange clients; you can use GroupWise Message Server at the back end.

– GroupWise WebAccess allows you to access GroupWise 5 services from a World-Wide-Web (WWW) browser, and can run on the IntranetWare WWW server as well as the Windows NT WWW server.

• NDS for Windows NT

– Novell is implementing NDS natively on Windows NT Server and plans to release this product later this year. NDS is also being made available on various UNIX platforms.

Page 10:

Novell vs. NT

• NetWare pros:

– Centralized management (one single graphical point of administration for the entire network, NDS).

– Lower administration costs (an IDC study found NetWare 22% less expensive to administer than NT).

– File and print services (PC Week published that NetWare outperforms NT by 59% with loads above 30 clients; NetWare also offers automatic file-by-file data compression, data migration, disk space quotas for individual users, block suballocation, and high-capacity storage system support, as well as NDS print services. NT is missing all of these).

Page 11:

Novell vs. NT

• NT pros:

– Cost of OS and client connections (NT is considerably less expensive, not only for the OS but also per user).

– Hardware compatibility (NT has more drivers).

– Futuristic issues (NT has more tools and applications being developed).

• Issues of stability, installation and upgrades become cloudy and involve many variables, such as:

– level of hardware

– knowledge of administrators

Page 12:

Factors convincing customers to buy NetWare

• Novell's overall performance

– Novell's customers gave high marks for product effectiveness, product price, and ease of doing business.

• Novell's sales and marketing strategy

– Novell's sales and marketing strategy focused on the following:

1. Sales and marketing information made available on the Internet, through NetWare user groups, and at trade shows.

2. Novell provides educational training courses about their products at a low price.

3. Advertising in trade publications, web publications, and web advertising.

Page 13:

Factors convincing customers to buy NetWare

• Your product selection process

– NetWare performance.

– Its flexibility and stability.

– Novell's reputation as a market leader, technology innovator, and developer of quality products.

– NetWare meets the needs of future computing.

• Your purchasing plans

– 95% of the customers said they will purchase NetWare because of its reliability, security, and ease of use.

– 83% of the customers plan to purchase or upgrade to IntranetWare or another version of NetWare within the next 12 months for the above reasons.

Page 14:

What makes Novell an industry leader?

• Novell has $1 billion in cash, $1 billion a year in revenue, almost 5,000 employees worldwide, and a very strong brand.

• NetWare has a user base of 65 million plus. GroupWise has shot up to more than 8 million users.

• Novell is a viable company and knows networking.

• Novell has a reputation as a market leader, technology innovator, and developer of quality products.

Page 15:

What are Novell's advertising plans for the next six months?

• Novell is focusing on advertising.

• The new marketing manager tends to focus on publications that make a difference to their customers, such as trade publications, various web publications, and web advertising.

• Novell's new marketing managers are to be more engaged with industry analysts, consultants, and trade press editors, to help shape the views of opinion leaders about Novell in general.

Page 16:

What are Novell's advertising plans for the next six months? (cont.)

• New management stated that the most important thing about advertising is consistency in targeting their customers.

• New management believes that Novell understands networking very well; therefore releasing new products on time, such as BorderManager and GroupWise 5.2, makes them very competitive in the market.

• Talking to the developers and customers about their products can help develop their marketing plan.

Page 17:

IPX Protocol

• NetWare uses the IPX protocol to send and receive information on the network.

• IPX is provided by the IPXODI.COM driver.

• IPX is a protocol similar to IP from the TCP/IP world.

• It is a datagram protocol, meaning that it does not provide for much error checking.

• It sends a packet and assumes that it was received.

Page 18:

IPX Protocol and Routing

• Network addresses are assigned to a network by a router or similar device.

• A network address in the IPX world is 8 hexadecimal digits.

• Hexadecimal is denoted by a leading 0x.

• In a single network with no routers, your network address would be 0x00000000 by default.

Page 19:

IPX/ODI Stack

• Older versions of NetWare used the IPX protocol in a single driver which had the network interface card driver linked into it.

• To provide greater functionality, Novell developed the ODI stack, which is divided into layers.

• The lower layer is the ODI LAN driver, also known as the MLID (e.g., NE2000.COM).

Page 20:

IPX/ODI Stack (cont.)

• This driver is responsible for providing access to the hardware itself.

• Depending on your network, you may want to select from four different frame types:

– Ethernet_802.3 (old default)

– Ethernet_802.2 (new default)

– Ethernet_II

– Ethernet_SNAP

Page 21:

IPX/ODI Stack (cont.)

• The next layer up is the ODI Link Support Layer (LSL).

• Though it is the second layer up, it is loaded first in the STARTNET.BAT to give the LAN driver a place to link.

• The LSL enables the workstation to load several different communication protocols and use them simultaneously.

Page 22:

IPX/ODI Stack (cont.)

• On top of the LSL is the protocol stack used by NetWare, IPX.

• It is loaded as part of the IPXODI.COM driver.

• It provides IPX/SPX services to the applications that reside above it and hooks into the LSL to obtain access to the hardware.

• On top of IPX are the applications that use it. They include SERVER.EXE, CLIENT.EXE, NET.EXE, etc.

Page 23:

• IPX: addresses, data packets

• RIP, SAP, NLSP

• NCP, packet burst

• TCP over IPX

• NDS

• IP/IPX gateway/firewall

• Mobile IPX

• NetWare network security

Page 24:

What is IPX?

• "Internetworking Packet Exchange"

• Derived from Xerox's SPX

• Data packet format and addressing

• Performs the same function as IP (connectionless, best effort, routable protocol)

Page 25:

The story begins with the Data Link Layer

• LANs (e.g., Ethernet) are multiaccess links

• To transmit on a LAN, you need a header which contains a source and destination address

• A "routable" packet on Ethernet has two headers: Ethernet and IPX (or IP, or Appletalk, or CLNP, etc.)

• The LAN source and destination are not the ultimate source and destination

[Figure: packet layout "Ethernet hdr | IPX hdr | data", shown travelling from source S through routers (R2) to destination D over links m, q and z]

Page 26:

802 Addresses

• Assigned in blocks of 2^24: given a 3 byte constant (Organizationally Unique Identifier), plus the group/individual bit

• An address of all 1's is intended to mean "broadcast", i.e., "everyone", which is nonsense. Really, each protocol should use its own multicast address to mean all nodes that speak that protocol

[Figure: 48-bit address layout: group/individual bit, globally/locally assigned bit, then the OUI]

Page 27:

Multi-Lingual Environments

• You can speak lots of things (IP, CLNP, IPX, Appletalk, etc.)

• Someone hands you a pile of bits. What is it?

– Maybe we were careful -- yeah, right

– Maybe we were lucky -- yeah, right

• Conclusion: not enough information in the packet header to differentiate -- need an extra field in the data link header to say what it is

– protocol type: well-known (globally administered) values, one field in the header

– SAP (service access point) or socket: locally administered, one for dest, one for source

– Don't confuse "SAP" with IPX's Service Advertisement Protocol!

Page 28:

Packet HDRs on CSMA/CD (field widths in bytes)

Ethernet: pream (8) | dest (6) | src (6) | pt (2) | data (46-1500) | fcs (4)

802.3: pream (8) | dest (6) | src (6) | ln (2) | dsap (1) | ssap (1) | ctl (1) | data (43-1497) | fcs (4)

Format of a SAP: G/I bit, G/L bit, then the SAP value

Page 29:

How the SAPs work

• Notice the "global/local" bit -- those SAPs are globally assigned! If you are a very privileged protocol, and obtain one of these, you'd set DSAP=SSAP= your assigned SAP value

• How does it work if you're not a privileged protocol? Uh...

• World class kludge -- get a SAP value assigned to mean "underprivileged protocol". Called the SNAP SAP (SubNetwork Access Protocol), and it = AA hex.

• If DSAP=SSAP=AA hex, then after CTL is a protocol type field

• The protocol type is 5 bytes long

• Convention: 0.0.0.protocol type allows 2 octet Ethertypes to fit into 5 octets

• Confused? You're in good company

Page 30:

IPX

• Note: the checksum isn't implemented and is set to FFFF hex. Good thing. Why? See next slide.

IPX header (field: length in bytes):

checksum: 2
pkt length: 2
transport ctl (hop ct): 1
pkt type: 1
dest net: 4
dest node: 6
dest socket: 2
src net: 4
src node: 6
src socket: 2

Page 31:

IPX on CSMA/CD

• Ethernet format. Protocol type=8137 hex

• Raw 802.3 --- leave out all multiplexing! Start the IPX packet where DSAP should be, so the checksum covers DSAP and SSAP

• SNAP --- DSAP=SSAP=SNAP (AA hex), protocol type=0.0.0.81.37

• 802.2 --- DSAP=SSAP=E0 hex

• Cope with multiple formats by treating the LAN as multiple logical LANs, and routers translate formats

[Figure: one physical LAN with stations A and b using different frame formats, and a router R translating between them]

Page 32:

Frame formats carrying IPX (field widths in bytes):

Ethernet: dst (6) | src (6) | 8137 (2) | IPX packet

"Raw 802.3": dst (6) | src (6) | length (2) | IPX packet

802.2 format: dest (6) | src (6) | ln (2) | E0 (1) | E0 (1) | 3 (1) | IPX packet (43-1497)

SNAP format: dest (6) | src (6) | ln (2) | AA (1) | AA (1) | 3 (1) | 0.0.0.81.37 (5) | IPX packet

Page 33:

Defined Packet Types

0 -- unknown packet type
1 -- RIP
2 -- reserved (was Echo protocol)
3 -- reserved (was Error handler)
4 -- "packet exchange packet", used by most things (like SAP, TCP over IPX)
5 -- SPX
17 -- NCP
20 -- Flooded (used for NetBIOS)

Page 34:

Assigned Sockets

451 (hex) NCP
452 SAP
453 RIP
455 NetBIOS
456 Diagnostics
4000-7FFF Dynamically assigned
8000-FFFF Novell assigned
9001 NLSP
9004 IPX WAN version 2
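The last five slides (IPX header layout, the four Ethernet encapsulations, the defined packet types and the assigned sockets) describe exactly what a protocol decoder has to do before it can look at an IPX payload. The following Python is an added example, not code from the original slides or from Novell: it classifies a frame as Ethernet_II, raw 802.3, 802.2 or SNAP using the values the slides give (Ethertype 8137, SAPs E0 and AA, protocol type 0.0.0.81.37, checksum FFFF), then parses the 30-byte IPX header and names the packet type and sockets. The sample MAC addresses, the RIP request used as payload, and the `encapsulate` helper are constructed for the example; the length sanity check on the IPX header is the kind of bounds check a decoder needs before trusting a length field from the wire.

```python
import struct

# Values from the slides: Ethertype, 802.2 SAP, SNAP SAP, SNAP protocol type, header layout.
ETHERTYPE_IPX = 0x8137
IPX_SAP = 0xE0
SNAP_SAP = 0xAA
SNAP_IPX_PROTOCOL = bytes.fromhex("0000008137")          # 0.0.0.81.37
IPX_HEADER_FMT = "!HHBBI6sHI6sH"                         # 2,2,1,1,4,6,2,4,6,2 bytes
IPX_HEADER_LEN = struct.calcsize(IPX_HEADER_FMT)         # 30

PACKET_TYPES = {0: "unknown", 1: "RIP", 2: "reserved (was Echo)", 3: "reserved (was Error)",
                4: "packet exchange packet", 5: "SPX", 17: "NCP", 20: "flooded (NetBIOS)"}
ASSIGNED_SOCKETS = {0x451: "NCP", 0x452: "SAP", 0x453: "RIP", 0x455: "NetBIOS",
                    0x456: "Diagnostics", 0x9001: "NLSP", 0x9004: "IPX WAN version 2"}

# Constructed sample addresses (not from the slides).
BROADCAST_MAC = b"\xff" * 6
SAMPLE_SRC_MAC = bytes.fromhex("00001b123456")


def socket_name(sock):
    """Name a socket number from the slide's table and its two assigned ranges."""
    if sock in ASSIGNED_SOCKETS:
        return ASSIGNED_SOCKETS[sock]
    if 0x4000 <= sock <= 0x7FFF:
        return "dynamically assigned"
    if 0x8000 <= sock <= 0xFFFF:
        return "Novell assigned"
    return "unassigned"


def classify_frame(frame):
    """Return (frame type, byte offset of the IPX header), or raise if the frame is not IPX.

    The two bytes after the addresses are an Ethertype (> 1500) for Ethernet_II and a
    length for the three 802.3 variants, which are told apart by what follows them."""
    if len(frame) < 16:
        raise ValueError("truncated frame")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len == ETHERTYPE_IPX:
        return "Ethernet_II", 14
    if type_or_len > 1500:
        raise ValueError("not IPX: Ethertype 0x%04x" % type_or_len)
    if frame[14:16] == b"\xff\xff":
        return "Ethernet_802.3", 14   # raw: the FFFF checksum sits where DSAP/SSAP would be
    if frame[14:17] == bytes([IPX_SAP, IPX_SAP, 0x03]):
        return "Ethernet_802.2", 17
    if frame[14:17] == bytes([SNAP_SAP, SNAP_SAP, 0x03]) and frame[17:22] == SNAP_IPX_PROTOCOL:
        return "Ethernet_SNAP", 22
    raise ValueError("802.3 frame with an unrecognised payload")


def parse_ipx_header(data):
    """Decode the fixed IPX header, checking the length field against the bytes present."""
    if len(data) < IPX_HEADER_LEN:
        raise ValueError("truncated IPX header")
    (checksum, length, hops, ptype, dnet, dnode, dsock,
     snet, snode, ssock) = struct.unpack(IPX_HEADER_FMT, data[:IPX_HEADER_LEN])
    if length < IPX_HEADER_LEN or length > len(data):
        raise ValueError("IPX length %d inconsistent with %d bytes" % (length, len(data)))
    return {"checksum": checksum, "length": length, "hop_count": hops,
            "packet_type": PACKET_TYPES.get(ptype, "type %d" % ptype),
            "dest": "%08X.%s" % (dnet, dnode.hex()), "dest_socket": dsock,
            "dest_socket_name": socket_name(dsock),
            "src": "%08X.%s" % (snet, snode.hex()), "src_socket": ssock,
            "src_socket_name": socket_name(ssock),
            "payload": data[IPX_HEADER_LEN:length]}


def decode_frame(frame):
    """Classify the framing, then parse the IPX header it carries."""
    kind, offset = classify_frame(frame)
    info = parse_ipx_header(frame[offset:])
    info["frame_type"] = kind
    return info


def build_sample_ipx_packet():
    """Constructed example: a RIP request (op=1) for net FFFFFFFF ("all"), 40 bytes."""
    rip = struct.pack("!HIHH", 1, 0xFFFFFFFF, 0, 0)
    header = struct.pack(IPX_HEADER_FMT, 0xFFFF, IPX_HEADER_LEN + len(rip), 0, 1,
                         0, BROADCAST_MAC, 0x453, 0, SAMPLE_SRC_MAC, 0x4003)
    return header + rip


def encapsulate(ipx, kind):
    """Wrap an IPX packet in one of the four frame types named on the slides."""
    if kind == "Ethernet_II":
        return BROADCAST_MAC + SAMPLE_SRC_MAC + struct.pack("!H", ETHERTYPE_IPX) + ipx
    prefix = {"Ethernet_802.3": b"",
              "Ethernet_802.2": bytes([IPX_SAP, IPX_SAP, 0x03]),
              "Ethernet_SNAP": bytes([SNAP_SAP, SNAP_SAP, 0x03]) + SNAP_IPX_PROTOCOL}[kind]
    payload = prefix + ipx
    return BROADCAST_MAC + SAMPLE_SRC_MAC + struct.pack("!H", len(payload)) + payload


if __name__ == "__main__":
    for kind in ("Ethernet_II", "Ethernet_802.3", "Ethernet_802.2", "Ethernet_SNAP"):
        print(kind, decode_frame(encapsulate(build_sample_ipx_packet(), kind)))
```

Run as a script it decodes the same RIP request under all four encapsulations and prints the parsed header for each; the raw 802.3 case is recognised only because the checksum is always FFFF, which is the point of the "Good thing. Why?" remark on the IPX slide.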

Page 35:

Addresses

• 802 addresses have no geographic hints -- like routing to a social security number -- known as a "flat address"

• Generic hierarchical address: locator.node

• IP, IPX, Appletalk: the locator is specific to a LAN

• CLNP, DECnet Ph4, (maybe IPv6): the locator is an entire region called an "area" -- could be a single LAN but can be bigger

[Figure: address split into locator and node fields]

Page 36:

Comparative Addresses (locator | node, in bytes)

IP: 4 bytes total; the boundary between locator and node depends on the mask

IPX: 4 | 6

DECnet Ph IV: 2 bytes total; 6 bits area | 10 bits node

Appletalk: 2 | 1

CLNP: up to 14 | 6

IPv6 ?: 8 | 8

Page 37:

IP

• Each node is configured with (address, mask)

• Can tell if someone is on the same LAN if: (your addr AND mask) = (dst addr AND mask)

• If on the same LAN, you still need the LAN address

• Use the ARP protocol -- broadcast "who has IP address...", the target replies (everyone else ignores)

Page 38:

IPX

• Endnodes autoconfigure based on their IEEE address

• Ask a router for the 4 byte network number

• Fill in the IEEE address in the bottom 6 bytes

• Someone is on your LAN if the net # matches

• No ARP! Use the bottom 6 bytes as the IEEE address

• Better than IP:

– more net #s

– autoconfigures

– no ARP overhead

So why this misconception that IPX is "LAN-only", "doesn't scale", etc.?

Page 39:

Endnode Operation

• Ask routers (via the broadcast DL address) to get the LAN # in the beginning

• To talk to N.x, if N is your net #, talk directly (using DL address x).

• To talk to N.x where N is not your net, ask routers "who can get me to net N?"

• Routers that have a path to N (other than on the link from which the query arrived) respond

• Use that router to get to N

Page 40:

Internal Network Number

S has two possible addresses: 57.x and 29.y. If S chooses 57.x, C will ask routers for "57"; both R and S respond. If C chooses R, packets go an extra hop. Solution: internal network number.

[Figure: server S with node x on net #57 and node y on net #29, router R joining the two nets, and client C]

Page 41:

Internal Network Number

• S chooses address 91.1

• S will respond to the RIP query

[Figure: same topology as the previous slide (S on net #57 as x and on net #29 as y, router R, client C), with S's internal "net" 91 added]

Page 42:

New Topic: Routing Algorithms

• Want to build a "forwarding database": a table of (dest, nbr)

• Two types of routing alg: distance vector (e.g., RIP), link state (e.g., NLSP)

Page 43:

Distance Vector Routing

• You know the following:

– your own ID

– how many cables hang off your box

– the cost of going through each cable to whatever is at the end

• Purpose of the routing algorithm: come up with a forwarding database, telling you which neighbor to send to for each possible destination

• Do this by exchanging distance vectors, which tell the transmitter's distance to each destination

[Figure: your router with four cables, j, m, n and k, labelled with costs 2, 7, 3 and 2]

Page 44:

[Figure: your router with cables j, k, m and n, costs 3, 2, 2 and 7]

You are destination #4.

dest #: 1 2 3 4 5 6 7 8 9 10 11

Distance vector received from cable j (cost 3): 12 3 15 3 12 5 6 18 0 7 15

Distance vector received from cable k (cost 2): 5 8 3 2 10 7 4 20 5 0 15

Distance vector received from cable m (cost 2): 0 5 3 2 19 9 5 22 2 4 7

Distance vector received from cable n (cost 7): 6 2 0 7 8 5 8 12 11 3 2

your own calculated distance vector: 2 6 5 0 12 8 6 19 3 2 9

your forwarding table: m j m 0 k j k n j k n

Page 45:

Looping Problem

[Figure: routers A, B and C in a row, with destination D reachable only over a slow link]

Page 46:

Split Horizon

• Alleviates (does not solve!) the looping problem

• Many variants

• Don't announce a path to D on link L if some other router on L is announcing a better path on L

• If you only keep a single "best path", then the link L on which you forward to D is the only one split horizon applies to

[Figure: split horizon solves the loop between A -- B -- C on a line, but does not solve the 3-router loop among A, B and C with D]

Page 47:

IPX-RIP

• Not the best possible distance vector protocol

• IPX's RIP is similar to IP's RIP

• Send the distance vector periodically (60 sec)

• Only remember the best path. Forget it if not reminded (180 sec)

• IPX-RIP has two metrics: hops, and ticks (supposedly delay, in units of 1/18ths of a sec)

• Best path uses ticks. Hops are for count-to-infinity (infinity=16)

• Events: time, route reported (>, = or <)

[Figure: routers G, A, B and X with link costs, and a RIP table with columns dest, hops (ticks), DL addr, port, age]

Page 48:

IPX RIP

• First comes the LAN header (p-type or SAP=IPX)

• Then the IPX hdr, pkt type=1, socket=453 hex

• Then the RIP info. Up to 50 nets per packet

• In a query: net=FFFFFFFF means "all"

RIP info format (field: length in bytes):

operation: 2 (1=req, 2=resp)

then, repeated up to 50 times (the last repetition is the final net # announcement):

net #: 4
hops: 2
ticks: 2

Page 49:

"Default Route"

• Original version of IPX: if the path to D is not known, drop the packet

• Then the "default route" got added

• Net #-2 (FF FF FF FE) means "default"

• If you don't have a path to D, but have a path to -2, then route towards -2

• R2 announces to R1 that it can reach "-2"

• Can configure filtering rules per link, and where to advertise -2

[Figure: R1 connected to R2, which is connected to the backbone]
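The distance vector table on page 44, the split horizon rule on page 46 and the "-2" default route on this slide fit together in one small piece of code. The following Python is an added example, not code from the original slides: it recomputes the page 44 table from the four received vectors and cable costs (transcribed from that slide), implements the single-best-path split horizon rule for what to announce on a given cable, and does a forwarding lookup that falls back to net FFFFFFFE when the destination is unknown. The tie-breaking rule (a later cable wins an equal cost) is an assumption chosen so the result matches the slide's forwarding table exactly.

```python
DEFAULT_NET = 0xFFFFFFFE   # net "-2", the IPX default route from the slide

# Sample data transcribed from the distance vector example slide: cable costs and the
# vector received on each cable, indexed by destination 1..11.  You are destination 4.
SELF_ID = 4
SLIDE_COSTS = {"j": 3, "k": 2, "m": 2, "n": 7}
SLIDE_VECTORS = {
    "j": [12, 3, 15, 3, 12, 5, 6, 18, 0, 7, 15],
    "k": [5, 8, 3, 2, 10, 7, 4, 20, 5, 0, 15],
    "m": [0, 5, 3, 2, 19, 9, 5, 22, 2, 4, 7],
    "n": [6, 2, 0, 7, 8, 5, 8, 12, 11, 3, 2],
}


def compute_distance_vector(self_id, link_costs, received):
    """Add the cable cost to each received vector and keep the best per destination.

    received maps cable -> {dest: distance the neighbour on that cable announced}.
    Returns (own vector, forwarding table); the table maps dest -> cable, None for
    yourself.  Ties go to the later cable (assumption), which reproduces the slide."""
    own = {self_id: 0}
    table = {self_id: None}
    for cable, vector in received.items():
        for dest, dist in vector.items():
            total = dist + link_costs[cable]
            if dest != self_id and (dest not in own or total <= own[dest]):
                own[dest] = total
                table[dest] = cable
    return own, table


def announce_on(own, table, cable):
    """Split horizon with a single best path: on cable L, omit every destination
    you would forward to via L (it already knows a better path than yours)."""
    return {dest: dist for dest, dist in own.items() if table[dest] != cable}


def next_hop(table, dest):
    """Forwarding lookup with the "-2" fallback.  None means drop the packet, which
    is what the original IPX did when no path was known."""
    if dest in table:
        return table[dest]
    return table.get(DEFAULT_NET)


def slide_example():
    """Run the slide's numbers and return (own vector, forwarding table)."""
    received = {cable: dict(enumerate(vec, start=1)) for cable, vec in SLIDE_VECTORS.items()}
    return compute_distance_vector(SELF_ID, SLIDE_COSTS, received)


if __name__ == "__main__":
    own, table = slide_example()
    print("own vector:", [own[d] for d in range(1, 12)])
    print("forwarding:", [table[d] for d in range(1, 12)])
    print("announce on j:", announce_on(own, table, "j"))
```

Run as a script, the two printed rows are the slide's "your own calculated distance vector" and "your forwarding table" rows; the announcement on cable j drops destinations 2, 6 and 9, the ones reached through j.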

Page 50:

IPX Packet Type 20

• Receive, on LAN 97: packet type 20 with path: 6,71,8,11,97

• Forward onto LAN 22: 6,71,8,11,97,22

• Forward onto LAN 15: 6,71,8,11,97,15

• Don't forward onto LAN 8

• Exponential # of pkts

[Figure: router R attached to LANs 8, 97, 22 and 15]

Page 51:

Compatible Fix

• Called "reverse path forwarding"

• Only accept a packet type 20 from source S from neighbor N if N is on the best path towards S

• Changes exponential into n squared

• Each router only floods a packet once
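The two slides above describe the type 20 flooding rule (forward onto every attached net not yet in the packet's path list) and the reverse path forwarding check that limits the packet count. The following Python is an added example, not code from the original slides: it implements both rules and runs one packet through a small constructed topology (three nets A, B, C joined pairwise by routers, with hand-written best-path tables) so the difference in transmissions is visible; the first function reproduces the page 50 example exactly.

```python
def forward_type20(path, attached_nets):
    """Flooding rule from the slide: the packet carries the nets it has crossed;
    forward it onto every attached net not already listed, appending that net."""
    return {net: path + [net] for net in attached_nets if net not in path}


def rpf_accept(source_net, arrived_on, forwarding_table):
    """Reverse path forwarding: accept only if the packet arrived on the interface
    that is this router's best path back towards the source net."""
    return forwarding_table.get(source_net) == arrived_on


def flood(topology, source_net, rpf_tables=None):
    """Simulate one type 20 packet originating on source_net.

    topology maps router -> list of attached nets.  rpf_tables, when given, maps
    router -> {net: interface net on its best path to that net} and enables the RPF
    check.  Returns the list of (router, net, path) transmissions; its length is the
    number of packets put on the wire."""
    pending = [(source_net, [source_net], None)]   # (net, path so far, router that sent it)
    transmissions = []
    while pending:
        net, path, sender = pending.pop(0)
        for router, nets in topology.items():
            if net not in nets or router == sender:
                continue
            if rpf_tables is not None and not rpf_accept(source_net, net, rpf_tables[router]):
                continue
            for out_net, new_path in forward_type20(path, nets).items():
                transmissions.append((router, out_net, new_path))
                pending.append((out_net, new_path, router))
    return transmissions


# Constructed topology (not from the slides): nets A, B and C, each pair joined by a router.
TRIANGLE = {"R_AB": ["A", "B"], "R_BC": ["B", "C"], "R_AC": ["A", "C"]}
# Constructed best-path interface towards each net, as a converged routing protocol
# would leave it (a directly attached net is reached on itself).
TRIANGLE_RPF = {
    "R_AB": {"A": "A", "B": "B", "C": "B"},
    "R_BC": {"A": "B", "B": "B", "C": "C"},
    "R_AC": {"A": "A", "B": "C", "C": "C"},
}


if __name__ == "__main__":
    print("slide example:", forward_type20([6, 71, 8, 11, 97], [8, 97, 22, 15]))
    print("path rule only:", len(flood(TRIANGLE, "A")), "transmissions")
    print("with RPF:", len(flood(TRIANGLE, "A", TRIANGLE_RPF)), "transmissions")
```

On the triangle the path rule alone puts four copies on the wire (R_BC forwards the packet twice, once in each direction), while with RPF R_BC rejects the copy that arrives on C and every router transmits exactly once, which is the "each router only floods a packet once" property the slide claims.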

Page 52:

SAP (Service Advertisement Protocol)

• Nothing to do with the Data Link SAP used for multiplexing!!!

• Similar to RIP, but advertises service names rather than net #s

• Up to 7 services per SAP packet

SAP packet format (field: length in bytes):

operation: 2

then, repeated up to 7 times:

service type: 2
service name: 48
IPX full address: 12
hops: 2

Page 53:

Fascinating SAP Facts

• Operations:

1 = query for all of a certain type (or type FFFF)

2 = response to 1, or periodic broadcast

3 = get nearest server request

4 = get nearest server reply

• "Nearest server" wasn't well specified -- now specified that it is based on RIP ticks

• Split horizon wasn't well specified -- now based on SAP hops

• Service types: 3=print queue, 4=file server, 5=job server, 7=print server, 9=archive server, 24=remote bridge server, 47=advertising print server

Page 54:

Filtering SAP

[Figure: client X, router R1 and server S1]

Suppose you want to filter, but still give authorized users access to everything.

R1 filters all SAP advertisements but S1's.

X can log into S1 to find the other services.

Page 55:

Bindery

• Database on the server in NetWare 2 and 3.x

• Contains all services learned from SAP (and aged out if not refreshed)

• Contains configured entries

• Scanned by the client using the NCP "scan bindery object"

• Specify service type (or FFFF) and name (which can contain the wildcards * and/or ?)

• Another problem: not all servers are the same. Sometimes the "preferred server" is not reachable from the "nearest". Also, it's pretty silly to get "nearest" and then query its bindery for the preferred server.

• Result: a more specific SAP query was added recently

Page 56:

More Specific SAP Query

• Two queries: 12 (decimal) for "all", and 14 for "nearest"

• Response to 12 is 13. Response to 14 is 15

• Responses have the same format as today's. Requests (12 and 14) have the following format:

• All fields can be specific, partially, or fully wildcarded

Request format (field: length in bytes):

operation: 2

then, repeated:

service type: 2
service name: 48
net #: 4
net mask: 4

Page 57:

NLSP

• Link state routing protocol

• Almost the same as IS-IS. Similar to OSPF.

• Replaces RIP and SAP, but is compatible with RIP/SAP routers

• Endnodes can't tell the difference (NLSP still answers RIP and SAP queries)

Page 58:

Link State Routing

• Meet your neighbors

• Construct a Link State Packet (LSP)

– who you are

– list of (neighbor, cost) pairs

• Broadcast the LSP to all routers

• Store the latest LSP from every other node

• Compute routes

– Edsger Dijkstra's algorithm:

1. Put (SELF, 0) on the tree as the root.

2. Look at the LSP of the node just placed on the tree. If for any node N the resulting cost c is the best path found so far, add (N, c) to the tree with a dotted line.

3. Make the shortest dotted line solid. Go to 2.

Example Dijkstra Calculation

(Figure: seven routers A–G with link costs A–B 6, A–D 2, B–C 2, B–E 1, C–F 2, C–G 5, D–E 2, E–F 4, F–G 1. The figure lists each node’s LSP as neighbor/cost pairs:)

A: B/6, D/2
B: A/6, C/2, E/1
C: B/2, F/2, G/5
D: A/2, E/2
E: B/1, D/2, F/4
F: C/2, E/4, G/1
G: C/5, F/1

(The slide then animates the computation rooted at C, showing the tree as node(cost) after each iteration: starting from C(0) with dotted entries B(2), F(2), G(5), the dotted lines are made solid one at a time, G improves to 3 via F and A improves from 8 to 7 via D, ending with the tree C(0), B(2), F(2), E(3), G(3), D(5), A(7).)
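The three-step “dotted line / solid line” procedure from the Link State Routing slide, run over the example LSP database above, as an added example (not code from the lecture); the graph is the slide’s, the function names are mine:

```python
# Constructed link-state database copied from the lecture's example: each
# node's LSP lists (neighbor, cost) pairs.
LSP_DB = {
    "A": [("B", 6), ("D", 2)],
    "B": [("A", 6), ("C", 2), ("E", 1)],
    "C": [("B", 2), ("F", 2), ("G", 5)],
    "D": [("A", 2), ("E", 2)],
    "E": [("B", 1), ("D", 2), ("F", 4)],
    "F": [("C", 2), ("E", 4), ("G", 1)],
    "G": [("C", 5), ("F", 1)],
}


def dijkstra(lsp_db, root):
    """Slide's three steps: (1) put (SELF,0) on the tree, (2) examine the LSP of
    the node just placed and add/improve 'dotted' candidates, (3) make the
    cheapest dotted line solid and repeat. Returns {node: (cost, parent)}."""
    solid = {}                        # nodes on the tree: (cost, parent)
    dotted = {root: (0, None)}        # tentative candidates (dotted lines)
    while dotted:
        # step 3: the cheapest dotted entry becomes solid
        node = min(dotted, key=lambda n: dotted[n][0])
        cost, parent = dotted.pop(node)
        solid[node] = (cost, parent)
        # step 2: look at the LSP of the node just placed on the tree
        for nbr, link_cost in lsp_db.get(node, []):
            if nbr in solid:
                continue              # already reached by a cheaper solid path
            c = cost + link_cost
            if nbr not in dotted or c < dotted[nbr][0]:
                dotted[nbr] = (c, node)   # new or better dotted line
    return solid


def next_hop(tree, root, dest):
    """Walk parents back to the root; the first hop is the forwarding entry."""
    hop = dest
    while tree[hop][1] != root:
        hop = tree[hop][1]
    return hop


def route_table(lsp_db, root):
    """Forwarding table {dest: (cost, next_hop)} derived from the shortest-path tree."""
    tree = dijkstra(lsp_db, root)
    return {d: (c, next_hop(tree, root, d)) for d, (c, _) in tree.items() if d != root}
```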

Meeting your Neighbors

• Pt-pt link: Say who you are. Negotiate protocol (NLSP or RIP), measure delay/throughput and calculate costs; client can be assigned an address
• LAN
– multicast Hello
– List other routers you’ve heard (check 2-way connectivity)
– Elect “Designated Router”

Designated Router

• Wasteful if every router on the LAN has a big LSP describing the LAN (router nbrs, services, etc.)
• DR names the LAN (its 6 byte ID plus 1 byte), say FOO.25
• Routers on the LAN simply claim to be connected to FOO.25
• DR sends an additional LSP from FOO.25, giving all the info for the LAN

LAN LSPs

(Figure: routers R1–R5 on one LAN; R1 is the DR and names the LAN R1.25. Each router’s own LSP claims a single neighbor, R1.25:)

R1: R1.25
R2: R1.25
R3: R1.25
R4: R1.25
R5: R1.25

(The pseudonode LSP, issued by R1 on behalf of R1.25, lists R1 R2 R3 R4 R5 plus other LAN info, e.g. SAP.)

Details of NLSP

• Three types of packets
– LSP
– Hello
– Sequence Numbers Packet (SNP)
• LSP lists neighbors. DR generates one on behalf of the LAN (pseudonode)
• Hello coordinates with neighbors
• SNP summarizes the LSP database. Partial SNP (PSNP) acks LSP(s). Complete SNP (CSNP) gives all LSPs within a specified range.
– PSNP used on pt-pt links as LSP ack
– CSNP used on LAN by DR to summarize LSP database. No explicit acks to specific LSPs. If CSNP indicates a discrepancy, ask for missing info, or transmit DR’s missing info

Summarizing addresses

• How can you specify a bunch of network numbers compactly?
– “all net numbers with 1st byte=5”
– “all net numbers between 31b82cf1 and 378291fc”
– “all net numbers that when masked with ff000000=5000000”
• IP uses (address, mask) pairs
• I prefer prefixes. More compact, no temptation or opportunity to do noncontiguous masks
• First version of NLSP didn’t do summarizing, so every net number had to be independently advertised
• Now NLSP has summarization capability

Areas

• LSPs are only sent within an area
• An area has a name consisting of up to 3 (net, mask) pairs
• It is best if all addresses in the area match one of the area addresses, and no addresses outside the area match
• Purpose of area addresses:
– To assure neighbors agree on area, so that areas don’t accidentally merge
– Used as default summary for area
– Filtering of SAP and routes, and summarization of network numbers, can be done at area boundaries

Info Leaking Between Areas

• Original NLSP document said connect areas via RIP or static configuration!
• The right way: run multiple instances of NLSP on a router
• Only boundary routers need to be able to run multiple instances of NLSP

(Figure: two areas, each with routers R1 and R2, joined through a single boundary router R.)

Route Aggregation

• We’ve added the ability to summarize addresses into NLSP
• A summary looks like (1 byte length, 4 byte address)
• Length is the number of 1’s that would be in the mask if it were a mask
• A router on the boundary introduces a summary
• A summary can be passed from area to area
• The summary includes an “area-count” to limit how far it spreads
• Summaries work with filtering: “don’t advertise anything of the form 5.*. Advertise the summary 5.*”

Default Route

• Special case summary that matches everything
• We’ve added default route to RIP
– network number -2
– RIP router: if dest not reachable, but -2 is reachable, route towards -2
• NLSP has several ways of doing default:
– LSP says “I am a level 2 router”
– destination -2
– zero length prefix

(Figure: routers R1, R2, R3, R4 attached to a backbone.)
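The (length, address) summaries of the Summarizing addresses, Route Aggregation and Default Route slides, worked as an added example (my code, not the lecture’s or Novell’s): converting an IP-style (address, mask) pair to a prefix and rejecting non-contiguous masks, matching net numbers against summaries including the zero-length default, covering the slide’s range 31b82cf1–378291fc with one prefix, the boundary-router filtering rule, and the area-count decrement.

```python
# Constructed example: IPX net numbers are 32-bit values; an NLSP summary is
# (prefix length in bits, 4-byte address); a default route is the zero-length prefix.
ALL_ONES = 0xFFFFFFFF


def summary_from_mask(net: int, mask: int):
    """IP-style (address, mask) -> (length, address). A prefix cannot express a
    non-contiguous mask, so those are rejected outright."""
    length = bin(mask).count("1")
    if mask != (ALL_ONES << (32 - length)) & ALL_ONES:
        raise ValueError(f"non-contiguous mask {mask:08x} has no prefix form")
    return length, net & mask


def matches(summary, net: int) -> bool:
    """Does net fall under the summary? Length 0 (the default) matches everything."""
    length, addr = summary
    shift = 32 - length
    return (net >> shift) == (addr >> shift)


def covering_summary(nets):
    """Shortest single prefix covering every net number given (e.g. a range)."""
    lo, hi = min(nets), max(nets)
    length = 32
    while length and (lo >> (32 - length)) != (hi >> (32 - length)):
        length -= 1
    shift = 32 - length
    return length, (lo >> shift) << shift


def longest_match(summaries, net: int):
    """Forwarding choice: the most specific summary that matches, else None."""
    hits = [s for s in summaries if matches(s, net)]
    return max(hits, key=lambda s: s[0]) if hits else None


def aggregate_for_boundary(nets, summary):
    """Boundary-router filtering from the slide: suppress every net the summary
    covers and advertise the summary instead; other nets pass unchanged."""
    kept = [n for n in nets if not matches(summary, n)]
    return kept, [summary]


def forward_range(range_opt):
    """Range option carried area-to-area as (length, address, area_count): each
    hop into a new area decrements area_count; at 0 the range is not passed on."""
    length, addr, count = range_opt
    count -= 1
    return None if count <= 0 else (length, addr, count)
```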

SAP Info

• LSP contains SAP information
• Only one router (the one closest to the service) puts SAP info into its LSP
• The SAP info does not need to be periodically broadcast, and only one router transmits it, so it saves bandwidth and memory
• Of course we still support endnodes that do SAP queries, and we generate SAP to RIP router neighbors

Coexistence with RIP/SAP

• R1 takes all dests and services learned through LSPs in NLSP and reports each in a RIP update to R2. R1 takes all RIP/SAP info learned from R2 and reports those as “external destinations” in its LSP within NLSP.
• R1 can be configured to report a default route to RIP, and will be configurable to report ranges instead of individual network numbers, into NLSP (but not into RIP)

(Figure: R2 on the RIP side, R1 on the NLSP side.)

Large Nets with NLSP

• LSP can report “I can reach this range of addresses”
• Implementation can run two instances of NLSP, so that areas can be linked through NLSP rather than through RIP.

(Figure: routers R, R1 and R2.)

Basic topology:

• R1 tells the backbone a range. The backbone just tells * to R1 (when in doubt send to me). R6 reports the default route (-2) to RIP. R6 is configured with a summary to report from RIP into the NLSP cloud.
• Backbone has less info --- one range from each cloud

(Figure: routers R1–R6 around a backbone, with a RIP cloud attached at R6.)

When will we have “level 2” NLSP?

• Never. It’s not needed
• The ability to do route summarization and leak info between areas gives a very flexible and scalable topology
• More flexible and scalable than OSPF topology. OSPF is limited to areas connected by a single backbone
• We can connect little circles, have more levels of hierarchy, multiple backbones, etc.

Example

(Figure: a hierarchy of areas advertising the summaries 72*, 6*, 52*, 617*, 527* and * (the default).)

Additional Flexibility

• Range option (length of prefix in bits, 4 byte address) contains the field “area-count”
• Each time a range is learned and passed on to another area, area-count is decremented
• If it reaches 0, it is not passed further
• This allows connecting areas without using them as through-paths

(Figure: areas advertising the summaries 5*, 7*, 52*, 784*, 527*, *, 51* and 72*.)

Summary of NLSP

• NLSP is a more efficient routing protocol than RIP
• It allows more hops
• It coexists with RIP/SAP
• It alleviates SAP overhead
• The more routers converted to NLSP, the lower the overhead
• With route aggregation and area info leaking, an arbitrary number of levels of hierarchy

Address Assignment

• Global
– you get an address from one organization and then you “own” it
– this way you can hook Intranets together and addresses won’t collide
– But addresses should be summarizable (not just unique)
– IP now realizes addresses should be “rented”, not “owned”
– People HATE renumbering (even though IPX is a lot easier to renumber than IP)
• Local – you assign addresses within your own net as you please. Renumbering is necessary whenever merging with another net.

IPX Address Registry

• Only recently has there been a registry of IPX addresses so you can get unique addresses
• So there’s zillions of little IPX intranets, with overlapping address space
• Easier to renumber than IP, but people still hate it
• Mapping from IP to globally unique IPX (from the slide’s figure): the IP address bytes a b c d map to the IPX net number 0 a b c

SPX

• “Sequenced Packet Exchange”, derived from XNS SPP
• End-to-end reliable (Transport layer) protocol.
• Functionally similar to TCP
• But not as good! Window size of 1, no pkt size negotiation (586 byte packets)
• SPX-2 is an improvement, but not trivial to replace SPX, because the API changed
• SPX-2 is compatible on the wire -- two nodes communicate and if they can both speak SPX-2 they speak SPX-2, otherwise SPX
• SPX header after IPX header
• Each msg is numbered, and if not ack’d it is retransmitted

SPX Packet Format

(Field sizes in bytes, as read from the slide’s figure:)
IPX header (pkt type=5): 30
Connection ctl: 1
data stream type: 1
source conn. ID: 2
dest conn. ID: 2
sequence #: 2
ack #: 2
allocation number: 2
data: variable

SPX Fields

• Connection control: flags
– bit #0: SPX-2 extended header (ignored by SPX)
– 1: reserved (Xmit as 0, ignore on receipt)
– 2: ignored by SPX, means “negotiate size” for SPX-2
– 3: ignored by SPX, indicates this is SPX-2
– 4: end of msg (user bit)
– 5: ignored by SPX, “attention” in SPX-2
– 6: send ack after this pkt (always 1 for SPX)
– 7: System packet (does not consume seq #)

More SPX Fields

• Data stream type
– FE: end of connection. For graceful disconnect
– FF: acks end of connection
– 00-7F: user-defined values. Can be used internally by the application for submultiplexing, transaction code, etc.
• Connection IDs: each side assigns its own. Dest conn. ID set to FFFF on conn. req
• Sequence number: independently assigned in each direction. Wraps to 0000 after FFFF
• Ack #: next pkt expected from other side

More SPX Fields

• Allocation #:
– highest seq # this side is able to accept.
– Most implementations announce the # of buffers for the IPX socket, which is wrong (if multiple SPX connections are sharing the IPX socket).
– That’s why Novell’s SPX transmitter doesn’t take advantage of window size>1
• Negotiation Size
– Only present in SPX-2
– But even SPX-2 leaves it out of the connection request (for SPX compatibility)
– After negotiation, still send a test pkt
– Routers will truncate or drop
– Size is min (yours, other side’s, network’s)

Window Size

• In SPX-2 can have window sizes bigger than 1
• server starts at 8
• client starts at 3
• based on internal heuristics, size changes
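The SPX header layout, connection-control bits, data stream types and allocation-number window from the preceding four SPX slides, as an added example (my code, not the lecture’s or Novell’s): a parser for the 12-byte SPX header that follows the IPX header, plus the receiver-side check that a sequence number lies between the expected value and the allocation number, with the 16-bit wrap from FFFF to 0000 handled. The 30 zero bytes standing in for the IPX header are a constructed placeholder, not a real IPX header.

```python
import struct
from dataclasses import dataclass

IPX_HEADER_LEN = 30
SPX_HEADER = struct.Struct(">BBHHHHH")   # IPX/SPX fields are big-endian

# Connection-control bits from the "SPX Fields" slide, bit 0 = least significant.
FLAG_BITS = {0: "spx2_extended_header", 1: "reserved", 2: "negotiate_size",
             3: "spx2", 4: "end_of_message", 5: "attention",
             6: "ack_requested", 7: "system_packet"}


@dataclass
class SpxHeader:
    conn_ctl: int
    stream_type: int
    src_conn: int
    dst_conn: int
    seq: int
    ack: int
    alloc: int

    def flags(self):
        return {name for bit, name in FLAG_BITS.items() if self.conn_ctl & (1 << bit)}

    def is_connect_request(self):
        return self.dst_conn == 0xFFFF     # dest conn ID is FFFF until the peer assigns one

    def stream_kind(self):
        if self.stream_type == 0xFE:
            return "end_of_connection"
        if self.stream_type == 0xFF:
            return "end_of_connection_ack"
        return "user_defined" if self.stream_type <= 0x7F else "reserved"


def parse_spx(packet: bytes) -> SpxHeader:
    if len(packet) < IPX_HEADER_LEN + SPX_HEADER.size:
        raise ValueError("packet too short for an IPX+SPX header")
    return SpxHeader(*SPX_HEADER.unpack_from(packet, IPX_HEADER_LEN))


def seq_in_window(seq: int, expected: int, alloc: int) -> bool:
    """Receiver check: accept seq only if it lies in [expected, alloc] modulo 2^16,
    since sequence numbers wrap to 0000 after FFFF."""
    window = (alloc - expected) & 0xFFFF
    return ((seq - expected) & 0xFFFF) <= window


def build_spx(conn_ctl, stream_type, src, dst, seq, ack, alloc, payload=b""):
    """Constructed helper: 30 zero bytes stand in for the IPX header."""
    return (bytes(IPX_HEADER_LEN)
            + SPX_HEADER.pack(conn_ctl, stream_type, src, dst, seq, ack, alloc)
            + payload)


# Constructed samples: a connection request (system packet + ack requested, dest FFFF)
CONNECT_REQ = build_spx(0xC0, 0x00, 0x1234, 0xFFFF, 0, 0, 0)
# ...and the last data packet of a message on an established connection
DATA_EOM = build_spx(0x50, 0x00, 0x1234, 0x5678, 0x0005, 0x0002, 0x0004, b"hello")
```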

NCP

• Special purpose reliable Transport protocol
• Client requests. Server responds
• Originally one pkt requests, one pkt response
• If the response is too big for a packet, the client had to break it into multiple requests:
– req first hunk of data: get back data+pointer
– req data starting from pointer: returned more data plus next pointer, etc.
• Then “packet burst” was added, wherein a long (up to 64K) multi-packet response is sent “all at once”
• It is rate based (different from standard window with acks every few packets)
• Missing fragments are explicitly requested (rather than ack’ing received ones)

NCP Packet Format (though it varies for some calls)

(Field sizes in bytes, as read from the slide’s figure:)
IPX header (pkt type=17, socket=451): 30
function code: 2
sequence #: 1
conn # low: 1
task #: 1
conn # hi: 1
completion code: 1
status flags: 1

Description of NCP Fields

• Function code one of: (1111=create service connection), (2222=service request), (3333=service response), (5555=destroy a service connection), (7777=packet burst), (9999=previous request still being processed)
• connection # should have been 2 bytes. They realized that too late. Set to 0 by client and assigned by server.
• Task # allows up to 255 tasks to share a single connection
• completion code nonzero indicates error
• status flags: (bit 0=bad service), (2=no conn available), (4=server down), (6=server has a broadcast msg pending for the client)
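The NCP header of the two preceding slides, as an added example (my code, not the lecture’s or Novell’s): a decoder that reassembles the split connection number from its low and high bytes and expands the function code and status bits, and a minimal client that matches responses to its one outstanding request by sequence number, keeps waiting on 9999, and ignores a duplicated response. The zero-filled IPX header is a constructed placeholder.

```python
import struct

IPX_HEADER_LEN = 30
# fn code, seq, conn lo, task, conn hi, completion, status (as laid out on the slide)
NCP_HEADER = struct.Struct(">HBBBBBB")

FUNCTION_CODES = {0x1111: "create_service_connection", 0x2222: "service_request",
                  0x3333: "service_response", 0x5555: "destroy_service_connection",
                  0x7777: "packet_burst", 0x9999: "request_being_processed"}
STATUS_BITS = {0: "bad_service", 2: "no_connection_available",
               4: "server_down", 6: "broadcast_pending"}


def parse_ncp(packet: bytes) -> dict:
    fn, seq, conn_lo, task, conn_hi, completion, status = NCP_HEADER.unpack_from(
        packet, IPX_HEADER_LEN)
    return {"function": FUNCTION_CODES.get(fn, f"unknown_{fn:04x}"),
            "seq": seq,
            "connection": conn_lo | (conn_hi << 8),   # the two separated bytes form one number
            "task": task,
            "completion_code": completion,
            "status": {n for b, n in STATUS_BITS.items() if status & (1 << b)}}


def build_ncp(fn, seq, conn, task=0, completion=0, status=0, body=b""):
    """Constructed helper; 30 zero bytes stand in for a real IPX header."""
    return (bytes(IPX_HEADER_LEN)
            + NCP_HEADER.pack(fn, seq, conn & 0xFF, task, conn >> 8, completion, status)
            + body)


class NcpClient:
    """One outstanding request at a time, matched by sequence number: 9999 means
    keep waiting, 3333 completes it, anything else (or a stale seq) is ignored."""

    def __init__(self):
        self.seq = 0          # next request sequence number (1 byte, wraps)
        self.conn = 0         # 0 until the server assigns one
        self.pending = None   # seq of the request awaiting a response

    def request(self, fn=0x2222, body=b""):
        pkt = build_ncp(fn, self.seq, self.conn, body=body)
        self.pending = self.seq
        self.seq = (self.seq + 1) & 0xFF
        return pkt

    def handle(self, packet: bytes) -> str:
        h = parse_ncp(packet)
        if h["seq"] != self.pending:
            return "ignored_stale_or_unknown"
        if h["function"] == "request_being_processed":
            return "waiting"
        if h["function"] == "service_response":
            self.pending = None
            if self.conn == 0:
                self.conn = h["connection"]    # server-assigned connection number
            return "error" if h["completion_code"] else "ok"
        return "ignored"
```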

NCP with Burst

(Field sizes in bytes, paired with the fields as reconstructed from the slide’s figure:)
IPX header (pkt type=17, socket=451): 30
function code=7777: 2
flags: 2
source conn id: 4
dest conn #: 4
send delay: 4
burst seq #: 2
ACK seq #: 2
total burst: 4
offset into burst of this data: 4
packet size: 2
# of fragment entries: 2
missing fragment list (4 byte file offset, 2 byte length): 6n

TCP/UDP over IPX

• Documented in RFC 1791
• IPX pkt type 4, socket 9091 = TCP, socket 9092 = UDP
• An additional header (called IPXF) is added to allow IPX fragmentation. Using IPXF allows packets up to 64K
• Anything requiring fragmentation can run over IPXF
• IPXF uses socket 9093. The real socket is contained in the additional header

IPXF

(Field sizes in bytes, as read from the slide’s figure:)
IPX header (socket=9093): 30
fragment offset: 2
packet ID: 2
destination socket: 2
datagram length (in 8 octet units): 4

IP/IPX Gateway

• A talks only IPX. Sees all Internet hosts as appearing on G’s IPX address. A establishes a TCP connection to G. G figures out the actual IP address of the destination, and opens a TCP connection to X. If the TCP port to X is n, G remembers that n goes with its IPX-TCP connection to A.

(Figure: A on the IPX side, gateway G, host X on the Internet (using IP).)

Mobile IPX

• Mobile host: has software in it to make applications think its address is always constant
– finds MR
– Asks for address from MR. Keeps MR informed when it moves
• Mobile router
– advertises itself through SAP
– assigns MH a permanent address
– keeps track of MH’s current physical address
– receives packets destined to MH
– Redirects them to MH’s current physical address
• Correspondent Host: unaware that it’s talking to a MH rather than an ordinary IPX node

Mobile IPX

• Let’s say MR’s internal net # is 6
• MH has physical address, say, net.ID
• Will be assigned a permanent address like 6.31
• CH receives packets from source address 6.31.
• CH sends to 6.31. MR receives and forwards to “net.ID”
• If MH moves to (net2.ID2), it informs MR
• Mobility is simpler with IPX than IP, since there is no need for a foreign agent (since in IPX MH can always easily get an address)

(Figure: MR, MH and CH.)

NDS

• Similar to telephone directory
• Partitioning (not all numbers in one book)
• Hierarchical names (like file system)
• Replication (same directory can be stored in multiple locations)
• Based on X.500
• A partition is a set of directories in a connected portion of the tree which must be replicated as a unit
• One master replica
• Multiple writable and read-only replicas
• Replicas have to periodically synchronize

Security

• Three types of crypto algorithms
– secret key (one shared key)
– public key (two keys per user, one public, one kept private)
– message digest (irreversible hash)

NetWare 3X Authentication

• A secret key scheme
• It’s slightly more complicated than that since “x” is really h(pwd, userID), and the server needs to first tell the client machine userID so that the client machine can calculate x
• Have to configure user and “x” at every server the user has rights to log into

(Figure: the client sends “Alice”; the server replies with a random # R; the client answers with h(R, x Alice). The server’s table holds User1: h(pwd1)=x1, User2: h(pwd2)=x2.)

Packet Signatures

• Someone demo’d “session hijacking”
• Somewhat unfairly, NetWare got lots of bad press for that
• Solution was “packet signature”
• Client and server compute h(R, x, constant), and use that as a “session key”
• The “signature” is like a checksum, but it depends on the beginning of the packet and the session key, so without knowing the session key you can’t hijack the session

Public Key Authentication

• How does Alice know her private key?
• How does Bob know Alice’s public key?

(Figure: Alice sends “Alice” to Bob; Bob sends R; Alice returns R “signed” with Alice’s private key; Bob verifies using Alice’s public key.)

Getting Alice’s Private Key

• Alice can’t simply remember a 500 bit number
• A secret key can be directly derived from the password, but a private key has to be a very special number
• Could carry it around on a floppy or smart card (encrypted with password)
• Could store it (encrypted) in a file on Alice’s workstation
• Could store it in a convenient place on the network (like NDS) encrypted with Alice’s password
• NetWare v4 stores it encrypted in NDS
• To prevent off-line password guessing, WS has to prove to NDS that the WS knows the user’s password before NDS will send the encrypted private key

Initial Login to NDS (somewhat simplified)

(Figure: Alice gives WS her name and pwd; WS calculates S and sends “Alice” to NDS; NDS replies with R; WS sends MD(S, R); NDS returns the encrypted private key. NDS stores per user: public key, {prv key} encrypted with pwd, and MD(pwd)=S.)

Less Simplified

(Figure: Alice gives WS her name and pwd; WS sends “Alice” to NDS; NDS replies with R and salt; WS computes X=MD(pwd, salt) and Y=MD(X, R), and sends {Y, R2} encrypted with NDS’s public key; NDS verifies Y and returns {encrypted priv key XOR R2} encrypted with Y.)

Login Steps

• Alice types her name and password to WS
• WS proves to NDS that it knows Alice’s password
• NDS gives WS Alice’s encrypted private key
• WS decrypts private key with Alice’s password
• WS turns Alice’s private RSA key into a signature-only key K
• WS forgets Alice’s password and RSA key
• To log into server Bob, WS uses K; Bob verifies using Alice’s public key