Yelena Yesha, Olga Streltchenko. WAP slides by Anupam Joshi. Networking Technologies.


1

Yelena Yesha, Olga Streltchenko

WAP slides by Anupam Joshi

Networking Technologies

2

Presentation Overview

- Internet Protocols
- WAP
- Caching and Proxies
- DNS
- Firewalls
- Directory and Discovery Services

3

Internet Protocols

- Originally developed to support simple wide-area applications (ftp, e-mail).
- Scaled up very well to support more sophisticated distributed applications.
- Standardization of TCP/IP. Exceptions:
  - WAP for wireless applications on portable devices;
  - Special protocols to support multimedia streaming applications.

4

IP Addressing
- Scheme for addressing and routing IP packets.
- The 1978-82 TCP/IP standardization provided for 2^32, or approximately 4 billion, hosts.
- Internet growth outstripped the predictions, and address space allocation has been inefficient.
- IP address = network identifier + host identifier.
- Written as classes A, B, C, D and E. D is reserved for multicast communication, E for future use.

5

IP Addressing (cont’d)

- A: 2^24 hosts on each network; national wide-area networks.
- B: more than 255 computers on a subnet; big companies.
- C: other network operators.

Class   Leading bits   Network ID   Host ID
A       0              7 bits       24 bits
B       10             14 bits      16 bits
C       110            21 bits      8 bits
D       1110           multicast
E       1111           unused (reserved)

6

IP Addressing Drawbacks and Solutions
Drawbacks:
- If a computer is connected to more than one network it needs more than one IP address.
- Organizations cannot reliably predict their growth and tend to over-budget; outcome: exhaustion of class B addresses.
- IP is susceptible to IP spoofing, i.e. counterfeiting of the source address in the IP header; nothing in the header authenticates that address.
- Denial-of-service attacks: flooding a target with packets whose source addresses are forged, so the flood cannot easily be traced or filtered (remember Feb 2000?).
Solutions:
- Aggressive: IPv6 with its 128-bit address fields;
- Use of mask fields and CIDR (classless inter-domain routing).

7

IP Protocol
- Provides an unreliable, best-effort delivery service. The only checksum is the header checksum; the payload is not covered.
- The IP layer puts IP datagrams into network packets suitable for transmission in the underlying network, e.g. Ethernet.
- When the datagram is longer than the MTU of the underlying network, it is broken into smaller fragments that are reassembled at the destination.
- Must insert the "physical" network address of the message destination if necessary; this depends on the underlying network technology, e.g. Ethernet requires an Ethernet address for the host on the local Ethernet.
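As an added example (not part of the lecture slides), the following Python builds and parses the fixed IPv4 header, computes the RFC 791 header checksum, and fragments a datagram to fit an MTU and reassembles it. The addresses, MTU and payload are constructed for the demo. It makes the spoofing point from the previous slide concrete: the header checksum detects corruption in transit, but a forged source address checksums exactly as well as a genuine one, because the checksum is computed by whoever writes the header.

```python
"""IPv4 header build/parse, header checksum, fragmentation and reassembly."""
import ipaddress
import struct

HDR_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=17, ttl=64, ident=0, flags_frag=0):
    """Whoever writes the header chooses `src`; nothing in it proves the address is genuine."""
    hdr = struct.pack(HDR_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,     # carried in 8-byte units
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        # a header whose checksum field is correct re-checksums to zero
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
    }


def fragment(src, dst, payload: bytes, mtu: int, proto=17, ident=1) -> list:
    """Split one datagram into fragments that each fit the link MTU."""
    max_data = ((mtu - 20) // 8) * 8          # all but the last fragment carry a multiple of 8 bytes
    frags, off = [], 0
    while off < len(payload) or not frags:
        chunk = payload[off:off + max_data]
        more = off + len(chunk) < len(payload)
        hdr = build_ipv4_header(src, dst, len(chunk), proto, ident=ident,
                                flags_frag=(0x2000 if more else 0) | (off // 8))
        frags.append(hdr + chunk)
        off += len(chunk)
    return frags


def reassemble(frags) -> bytes:
    """Destination-side reassembly; duplicates, gaps and overlaps are rejected, not guessed."""
    pieces, total = {}, None
    for f in frags:
        h = parse_ipv4_header(f)
        if not h["checksum_ok"]:
            raise ValueError("bad header checksum")
        if h["frag_offset"] in pieces:
            raise ValueError("duplicate fragment at offset %d" % h["frag_offset"])
        data = f[h["ihl"]:h["total_len"]]
        pieces[h["frag_offset"]] = data
        if not h["mf"]:
            total = h["frag_offset"] + len(data)
    out = bytearray()
    for off in sorted(pieces):
        if off != len(out):
            raise ValueError("gap or overlap at offset %d" % off)
        out += pieces[off]
    if total is None or len(out) != total:
        raise ValueError("incomplete datagram")
    return bytes(out)


def spoof_demo():
    """Constructed demo: a forged source address passes the checksum, a flipped bit does not."""
    victim, server = "203.0.113.5", "198.51.100.7"        # documentation-range addresses
    forged = build_ipv4_header(victim, server, 0)         # attacker writes the victim's address
    corrupted = bytearray(forged)
    corrupted[8] ^= 0x01                                  # one TTL bit flipped "in transit"
    return parse_ipv4_header(forged), parse_ipv4_header(bytes(corrupted))


if __name__ == "__main__":
    genuine, damaged = spoof_demo()
    print("forged source", genuine["src"], "checksum_ok =", genuine["checksum_ok"])
    print("corrupted header checksum_ok =", damaged["checksum_ok"])
    parts = fragment("10.0.0.1", "10.0.0.2", bytes(2048), 576)
    print(len(parts), "fragments, offsets", [parse_ipv4_header(p)["frag_offset"] for p in parts])
```

Running it shows the forged header reporting the victim's address with `checksum_ok` true, while a single flipped bit fails the check; the fragment offsets are multiples of 8 and only the last fragment clears the MF flag. Real reassembly code must also bound how long it buffers incomplete datagrams, since an attacker can send endless first fragments that never complete.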

8

Network Topology Revisited

The Internet backbone
- Super-high-bandwidth links between smaller networks such as intranets.
- Consists of multiple networks operated by multiple companies (UUnet, AT&T, SprintLink, Qwest, etc.); these networks come together at various peering points.
Autonomous system (AS)
- A conceptual partition of the topological map of the Internet, subdivided into areas. Example: the intranets of big organizations.

9

Routing protocols
- RIP1: distance-vector algorithm; has convergence problems.
- RIP2: amendment of RIP1 to accommodate CIDR, authenticate routing updates and improve multicast routing.
- OSPF: open shortest path first; a link-state protocol with better convergence than RIP.
- Incremental adoption of better routing algorithms: for routers to cooperate they need to run the same routing algorithm. For this purpose topological areas have been defined; the same protocol is used within an area.

10

Overcoming the Problem of Internet Growth
Default router
- To prevent routing table size explosion only partial information is kept; routers closer to the backbone have more complete tables.
- The default entry specifies the route to be used for all IP packets whose destination is not included in the routing table.
CIDR
- Allocates a batch of contiguous class C IP addresses to a subnet requiring more than 255 addresses;
- Allows class B address space to be subdivided for allocation to multiple subnets;
- Achieved by adding a mask field to routing table entries: a bit pattern that selects the portion of the IP address to be compared with the routing table entry.
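An added example, not from the lecture: a small routing table in Python that does longest-prefix matching with an explicit mask comparison and falls back to a default route, plus the two CIDR operations described above (aggregating contiguous class C blocks into one prefix, and subdividing a class B block into subnets). The prefixes and next-hop names are made up for the demo.

```python
"""CIDR routing table: mask-based longest-prefix match with a default route."""
import ipaddress


class RoutingTable:
    """Entries are (network, next_hop); the network's prefix length is the mask field."""

    def __init__(self):
        self._routes = []

    def add(self, cidr: str, next_hop: str):
        net = ipaddress.ip_network(cidr, strict=True)
        self._routes.append((net, next_hop))
        # most specific (longest mask) first, so the first hit is the best match
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str):
        """Return (matched prefix, next hop); the 0.0.0.0/0 entry is the default route."""
        addr = int(ipaddress.ip_address(dst))
        for net, hop in self._routes:
            mask = int(net.netmask)
            # the mask selects which bits of the address are compared with the entry
            if addr & mask == int(net.network_address):
                return net.with_prefixlen, hop
        return None   # no route at all, not even a default


def aggregate(cidrs):
    """Collapse contiguous blocks (e.g. several class C networks) into supernets."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [n.with_prefixlen for n in ipaddress.collapse_addresses(nets)]


def subdivide(cidr: str, new_prefix: int):
    """Carve a block (e.g. a class B /16) into equal subnets of the given prefix length."""
    return [n.with_prefixlen for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def demo_table() -> RoutingTable:
    """Constructed table: a default route plus three nested, increasingly specific prefixes."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "isp-upstream")     # default entry: everything not listed below
    rt.add("10.0.0.0/8", "core-router")
    rt.add("10.1.0.0/16", "branch-router")
    rt.add("10.1.2.0/24", "lab-switch")
    return rt


if __name__ == "__main__":
    rt = demo_table()
    for dst in ("10.1.2.9", "10.1.9.1", "10.200.1.1", "192.0.2.1"):
        print(dst, "->", rt.lookup(dst))
    print(aggregate(["198.51.100.0/24", "198.51.101.0/24"]))
    print(subdivide("172.16.0.0/16", 18))
```

Two adjacent /24s only collapse when they share a /23 boundary (198.51.100 and 198.51.101 do; 198.51.100 and 198.51.102 do not), which is exactly the constraint that makes contiguous class C allocation useful for aggregation.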

11

IP version 6
- A more permanent solution to the problem of Internet growth. Address space: 2^128. Factor in the inefficiencies of address allocation and there are still about 1000 IP addresses per m^2 of the Earth's surface.
- Routing speed: the complexity of the header is reduced.
- Real-time and other special services: the header includes traffic class (priority) and flow label fields. Their use will depend on major improvements in the infrastructure (hardware) and on suitable methods of allocating and arbitrating resources.

12

IP version 6 (cont'd)
- Future evolution: the next header field defines the type of any extension header that is included in the packet.
- Multicast and anycast: IPv6 supports anycast, i.e. delivery to at least one of the hosts among the relevant addresses.
- Security: IPv6 defines authentication and encapsulating security payload extension header types (AH and ESP). Equivalent to providing a secure channel: the payload is encrypted and/or authenticated with a keyed integrity check.

13

Mobility and IP

- Dynamic Host Configuration Protocol (DHCP): designed to support the ability of a mobile device to obtain simple access to services; assigns a temporary IP address to the device.
- To provide permanent access by clients to a mobile computer, the computer must keep a permanent IP address. Problem: IP routing is subnet-based, and subnets are at fixed locations.

14

MobileIP

- A transparent solution based on tunnelling. When a mobile computer is connected to the Internet elsewhere, two agents take responsibility for routing.
- Home agent (HA): holds up-to-date knowledge of the mobile host's current location, i.e. the IP address at which it can be reached. The mobile host informs the HA upon leaving home; the HA acts as a proxy for clients communicating with the mobile host during this time.

15

MobileIP (cont'd)
- Foreign agent (FA): allocates a temporary IP address to a mobile host upon its arrival at a new site; contacts the HA and supplies it with the contact address for the mobile host (the FA's address).
- The HA encapsulates the original IP packets and sends them to the FA; the FA unpacks them and delivers them to the mobile host.
- The HA sends the contact address for the mobile host to the original sender. If the sender is Mobile IP-enabled it communicates with the FA directly from then on; if not, the HA continues to act as a proxy for it.

16

TCP and UDP

- Provide communication capabilities to application programs.
- IPv6 will support TCP/UDP as well as other transport protocols (remember the Internet model).
- Enable interprocess communication through the use of ports attached to applications; the port number is included in the header.

17

UDP

- Almost a transport-level replica of IP. Offers no guarantee of delivery.
- The header is short, but includes an optional checksum for the payload; packets that fail the check are dropped.

18

TCP

- Provides reliable delivery of arbitrarily long sequences of bytes via a stream-based programming abstraction.
- Connection-oriented: the sending and receiving processes establish a communication channel; uses ACK (acknowledgement) messages.

19

TCP Reliability Mechanisms
- Sequencing: a sequence number is attached to every TCP segment; used for message reassembly at the destination.
- Flow control (overflow prevention): the receiver sends an ACK with the highest sequence number in its input stream (no segments before that one have been omitted) and a window size. The window size specifies the amount of data the sender is permitted to send. ACKs are attached to the backward flow if there is any.
- Burstiness of network traffic is smoothed through local buffering and a configurable time-out on it (Nagle's algorithm).

20

TCP (cont’d)

- Due to the unreliability of wireless networks these mechanisms are not efficient: a loss on the wireless link looks to the sender like congestion.
- Solutions: WAP, and modified TCP for wireless networks:
  - Implement a TCP support component at the base station (the gateway between the wired and wireless networks).
  - The support component snoops on TCP packets to and from the wireless network, re-transmitting segments that are not promptly acknowledged and requesting re-transmission of inbound segments when gaps in sequence numbers are noticed.
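The snoop mechanism in simulation, as an added example that is not part of the slides: a base-station agent sits between a wired sender and a mobile receiver, keeps copies of segments not yet acknowledged, and repairs losses on the wireless hop locally (on a duplicate ACK, or when its own timer fires) so that the wired sender never sees the loss or the duplicate ACK. Only the fixed-host-to-mobile direction is modelled; the loss pattern and segment payloads are constructed for the demo, and segments are numbered rather than byte-counted to keep the bookkeeping readable.

```python
"""Simulated snoop agent: local retransmission at the wired/wireless base station."""


class MobileReceiver:
    """TCP-like receiver: delivers in order, buffers out-of-order data, returns a cumulative ACK."""

    def __init__(self):
        self.expected = 0            # next sequence number wanted
        self.delivered = []
        self.buffered = {}

    def receive(self, seq, data):
        if seq >= self.expected:
            self.buffered[seq] = data
        while self.expected in self.buffered:      # drain everything now contiguous
            self.delivered.append(self.buffered.pop(self.expected))
            self.expected += 1
        return self.expected         # repeating the same value is a duplicate ACK


class SnoopAgent:
    """Base-station component that snoops segments and ACKs crossing the wireless link."""

    def __init__(self, receiver, drop_first_try):
        self.receiver = receiver
        self.drop_first_try = set(drop_first_try)  # constructed loss pattern: seq numbers lost once
        self.cache = {}                            # seq -> data, not yet acknowledged
        self.last_ack = 0
        self.local_retransmits = 0
        self.acks_to_sender = []                   # what the wired sender actually sees

    def _wireless_send(self, seq, data):
        if seq in self.drop_first_try:             # the wireless hop loses this attempt
            self.drop_first_try.discard(seq)
            return None
        return self.receiver.receive(seq, data)

    def _handle_ack(self, ack):
        if ack is None:                            # segment lost, no ACK came back
            return
        if ack > self.last_ack:                    # new data acknowledged: flush the cache
            for seq in range(self.last_ack, ack):
                self.cache.pop(seq, None)
            self.last_ack = ack
            self.acks_to_sender.append(ack)
        elif ack in self.cache:                    # duplicate ACK for a segment we still hold:
            self.local_retransmits += 1            # resend it here and hide the dup from the sender
            self._handle_ack(self._wireless_send(ack, self.cache[ack]))

    def forward_from_sender(self, seq, data):
        """Segment arriving from the wired network: cache it, then push it over the air."""
        self.cache[seq] = data
        self._handle_ack(self._wireless_send(seq, data))

    def local_timeout(self):
        """Base-station timer fired: resend the oldest segment still unacknowledged."""
        if self.cache:
            seq = min(self.cache)
            self.local_retransmits += 1
            self._handle_ack(self._wireless_send(seq, self.cache[seq]))


def run(n_segments, drop_first_try):
    """Send n segments through the agent, fire the local timer once, report what happened."""
    receiver = MobileReceiver()
    agent = SnoopAgent(receiver, drop_first_try)
    for seq in range(n_segments):
        agent.forward_from_sender(seq, b"seg%d" % seq)
    agent.local_timeout()                          # covers a loss of the final segment
    return receiver.delivered, agent.local_retransmits, agent.acks_to_sender


if __name__ == "__main__":
    for losses in (set(), {2}, {5}):
        delivered, retx, acks = run(6, losses)
        print("lost", sorted(losses), "-> delivered", len(delivered),
              "local retransmits", retx, "ACKs seen by sender", acks)
```

With segment 2 lost once, the sender sees ACKs 1, 2, 4, 5, 6 and no duplicate: the agent retransmitted segment 2 itself when the duplicate ACK 2 arrived, and the cumulative ACK 4 then covered both 2 and 3. Losing the last segment leaves nothing to trigger a duplicate ACK, which is why the agent also needs its own timer.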

21

WAP
Wireless Application Protocol
"An open, global specification that empowers mobile users with wireless devices to easily access and interact with information and services instantly." - WAP Forum
"The de facto worldwide standard for providing Internet communications and advanced telephony services on digital mobile phones, pagers, personal digital assistants and other wireless terminals." - WAP Forum (www.wapforum.org)

22

Why is WAP needed?

Traditional Internet protocols and formats (HTML, HTTP, TCP, etc.) and their security mechanisms (TLS) are inefficient over mobile networks.

Handheld devices tend to have less powerful CPUs, less memory and more restrictions on power consumption than desktops, so require special considerations.

Handheld devices tend to use input devices other than keyboards (e.g. voice, keypad).

23

Bearer Limitations

- Power consumption: increased bandwidth requires increased power.
- Cellular network economics: fixed bandwidth shared among many users, so efficient bandwidth use is required.
- Latency: a wide range of network latencies is common (< 1 second to 10s of seconds).
- Bandwidth: less bandwidth than found in wired environments.

24

WAP Forum: www.wapforum.org

- WAP Forum founded in December 1997 by Nokia, Ericsson, Motorola and Phone.com (formerly Unwired Planet).
- Currently contains over 200 members: carriers with more than 100 million subscribers, infrastructure providers, software developers and others. Members represent over 95% of the global handset market.
- WAP protocol development: current WAP version 1.2.

25

How does WAP work?

- Uses a client-server model. The phone incorporates a microbrowser, while the intelligence is in the WAP gateways. Services and applications reside on servers.
- Similar to Java: applications are written for WAP and then run on multiple bearers (e.g. GSM, SMS, USSD, etc.).

26

What works with WAP?

Designed for use with:
- All mobile phones;
- Any service, e.g. SMS (Short Message Service), CSD (Circuit Switched Data), USSD (Unstructured Supplementary Services Data), GPRS (General Packet Radio Service);
- Any network, e.g. CDMA (Code Division Multiple Access), GSM (Global System for Mobiles), UMTS (Universal Mobile Telephone System);
- Any input device, e.g. keyboard, stylus, touch screen, keypad.

27

WAP Protocol Model (Stack)

Layer                WAP protocol                                     Alongside
Application layer    Wireless Application Environment (WAE)           Other services and applications
Session layer        Wireless Session Protocol (WSP)
Transaction layer    Wireless Transaction Protocol (WTP)
Security layer       Wireless Transport Layer Security (WTLS)
Transport layer      Datagrams (WDP)                                  Datagrams (UDP/IP)
Network layer        Wireless bearers: SMS, USSD, CSD, IS-136, CDMA, CDPD, etc.

* Source: the WAP White Paper, October 1999.

28

WAP Architecture

WAP Phone (client)  --encoded request-->   WAP Gateway  --request-->   Web Server (Internet)
                    <--encoded response--               <--response--

29

WDP Layer

- Wireless Datagram Protocol. Provides a consistent service and a common interface to the upper layers of the protocol stack.
- Supports: SMS, USSD, CSD, CDPD, IS-136 packet data, and GPRS.

30

WTLS Layer

- Wireless Transport Layer Security (WTLS). Implements options for authentication and encryption. Optimized for the mobile environment.
- Based on Transport Layer Security (TLS), which was formerly Secure Sockets Layer (SSL). Optimized for use over narrow-band communication channels.
- Intended to provide data integrity, privacy, authentication and denial-of-service protection.

31

WTP Layer

Wireless Transaction Protocol
- Runs on top of the datagram service. Works over both secure and non-secure wireless services.
- Features:
  - Three classes of transaction service: Class 0, for applications requiring an "unreliable push" service; Class 1, for applications requiring a "reliable push" service; Class 2, the basic invoke/response transaction service.
  - Optional user-to-user reliability.
  - Asynchronous transactions.
  - PDU (protocol data unit) concatenation and delayed acknowledgements to reduce the number of messages sent.

32

WSP Layer

Wireless Session Protocol
- Provides a consistent interface for both connection-oriented and connectionless services.
- Provides the following functionality: HTTP 1.1 compliance; long-lived session state; session suspend and resume; a facility for data "push".

33

WAE

Wireless Application Environment
- Interoperable environment for multiple wireless platforms.
- Consists of: Wireless Markup Language (WML); WMLScript; Wireless Telephony Application (WTA); content formats.

34

WML

Wireless Markup Language
- WML is an XML application.
- Also uses WMLScript, which is similar to JavaScript.
- Optimized for use with handheld devices: minimal use of CPU and memory.

35

Benefits of WAP

- Reduces the amount of data to be transmitted (by translating HTTP headers from text into binary).
- Allows sessions to be suspended and resumed.
- Provides a reliable datagram service without the unnecessary overhead of TCP; a TCP stack is not required on the handheld device.
- The WAP protocol stack requires fewer packets per interaction than HTTP/TCP/IP.
- Support for "push" functionality built into the protocol.
- WML developers can use standard web tools (e.g. CGI, Perl, ASP, etc.).

36

Drawbacks to WAP

- Difficult to configure WAP phones for new WAP services.
- Not yet widely supported.
- Current services (e.g. SMS, USSD) not optimized for WAP.
- Expected to be expensive.
- WAP does not support cookies.
- Premature encryption endpoint: the gateway decrypts the WTLS data and then forwards it via HTTPS, so the traffic is in the clear inside the gateway (see www.gsmworld.com/technology/wap_06.html).

37

Caches and proxy servers
- Cache: a store of recently used data objects that is closer than the objects themselves. When a new object is received it is placed in the cache, possibly evicting another object. When an object is requested, the cache is checked first for an up-to-date copy; if one is not available, a fresh copy is fetched.
- A cache can be collocated with each client or located on a proxy server.
- Proxy server: a machine/process performing tasks on behalf of its clients. A web proxy server maintains a cache of web resources for its clients; all their requests go through it, so the actual client is not visible to outside servers.

38

DNS

A name service design whose principal database is used across the Internet to perform name resolution for web resources.

A name is resolved when it is translated into data about the named resource or object in order to invoke an action upon it.

39

The Internet Naming Scheme
- The Internet supports a scheme for the use of symbolic names for hosts and networks.
- The named entities are organized into a hierarchy. The named entities are called domains and the symbolic names are called domain names.
- Domains are organized into a hierarchy that is intended to reflect organizational structure. Naming is entirely independent of the physical network layout.
- Domain names must be translated into IP addresses: the responsibility of DNS.

40

DNS Operation
- Implemented as a server process that can run on host computers anywhere on the Internet. There are at least 2 DNS servers in each domain.
- Servers in each domain hold a partial map of the domain name tree below their domain.
- Requests for the translation of domain names outside their portion of the domain tree are handled by issuing requests to DNS servers in the relevant domains: a recursive procedure that resolves the name in segments from right to left.
- The resulting translation is then cached at the server handling the original request.

41

DNS and caching
- Caching is key to name service performance; it also assists in maintaining availability and masking server crashes.
- Caching is successful because naming data change relatively rarely.
- The possibility exists of a name service returning out-of-date attributes during resolution: DNS allows naming data to become inconsistent, and stale data may be served for periods on the order of days.
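As an added example (not from the slides), this Python models the resolution walk and the cache behaviour described on the last two slides: a resolver starts at a root server, follows referrals down the domain tree from the rightmost label inwards, caches the answer with its TTL, and keeps serving the cached value until the TTL expires even after the authoritative record has changed. The zone tree, names, addresses and TTLs are constructed for the demo, and the clock is simulated so the stale period can be stepped through.

```python
"""Toy DNS: iterative resolution through a zone tree plus a TTL cache that can go stale."""


class ZoneServer:
    """An authoritative server for one zone, with referrals to the zones delegated below it."""

    def __init__(self, zone):
        self.zone = zone             # "" for the root
        self.records = {}            # fqdn -> (address, ttl_seconds)
        self.delegations = {}        # child zone name -> ZoneServer

    def query(self, fqdn):
        if fqdn in self.records:
            address, ttl = self.records[fqdn]
            return "answer", address, ttl
        for child, server in self.delegations.items():
            # the name belongs to a child zone if its rightmost labels are that zone
            if fqdn == child or fqdn.endswith("." + child):
                return "referral", server, None
        return "nxdomain", None, None


class Resolver:
    """Caching resolver; `clock` is a callable giving the current time in seconds."""

    def __init__(self, root, clock):
        self.root = root
        self.clock = clock
        self.cache = {}              # fqdn -> (address, expires_at)
        self.queries_sent = 0

    def resolve(self, fqdn):
        """Return (address, from_cache)."""
        now = self.clock()
        cached = self.cache.get(fqdn)
        if cached and cached[1] > now:
            return cached[0], True   # no server is asked, even if the record changed meanwhile
        server = self.root
        while True:
            self.queries_sent += 1
            kind, value, ttl = server.query(fqdn)
            if kind == "referral":
                server = value       # one step further down the tree
            elif kind == "answer":
                self.cache[fqdn] = (value, now + ttl)
                return value, False
            else:
                raise LookupError(fqdn)


def build_demo():
    """Constructed tree: root -> example -> corp.example, and a clock held in a list."""
    root = ZoneServer("")
    tld = ZoneServer("example")
    corp = ZoneServer("corp.example")
    root.delegations["example"] = tld
    tld.delegations["corp.example"] = corp
    corp.records["www.corp.example"] = ("192.0.2.10", 3600)
    clock = [0]
    return Resolver(root, lambda: clock[0]), corp, clock


if __name__ == "__main__":
    resolver, corp, clock = build_demo()
    print(resolver.resolve("www.corp.example"), "after", resolver.queries_sent, "queries")
    corp.records["www.corp.example"] = ("192.0.2.20", 3600)   # the host moves
    clock[0] = 1800
    print("30 min later:", resolver.resolve("www.corp.example"))   # still the old address
    clock[0] = 3601
    print("after TTL:  ", resolver.resolve("www.corp.example"))
```

The first lookup costs three queries (root, `example`, `corp.example`); every lookup inside the TTL is answered from the cache without contacting any server, which is both why DNS scales and why a changed record is invisible to clients until the old TTL has run out. The same window is what an attacker exploits with cache poisoning, since a bogus answer that gets cached is served just as faithfully.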

42

Internet and Network Security

Types of attacks on the Internet
- Break-ins: unauthorized attempts to gain access to a secure system.
- Denial of service: a legitimate user is denied access to a service (e.g. flooding a WWW server with requests).
- Bombs: large e-mail messages or other large data intended to overwhelm and possibly weaken a system.
- Eavesdropping: listening in on an electronic conversation, perhaps with intent to gather information for a future break-in.
- Viruses.

43

Internet and Network Security (cont’d)

Who is perpetrating these attacks?
- People with lots of free time
- Former/disgruntled employees
- Current/disgruntled employees
- Current/former/disgruntled customers
- Governments

44

How to Defend?

Some quick (although not foolproof) suggestions:
- Frequent password changes and the use of difficult-to-guess passwords.
- Removal of abused services.
- Filters that detect and delete large messages.
- Cryptography.

Note that many attacks go undetected, even by professionals.

45

Example Scenario

A private company would like the following:
- Make some services, such as Secure Shell (SSH) and FTP, available within the company between the company's hosts.
- Disallow outside users from gaining access to the company's internal hosts via Telnet, FTP, etc.
- Allow users within the company to access other services on the Internet such as WWW and FTP.
- Allow users from the Internet to visit the company's WWW home pages.
- Allow the exchange of e-mail with others on the Internet.

46

But,

It is difficult to restrict traffic in only one direction: recall that TCP sends acknowledgements back to the sender to make sure data arrive whole, so even a service used in one direction produces packets in both.
What we need is a more sophisticated gatekeeper that can distinguish which services to allow and which to block. The general term for this is a firewall.

47

Firewall
- Monitors and controls all the traffic into and out of an intranet.
Firewall security policy
- Service control: determine which services are available for external access and reject all other requests. Levels of filtering: IP, TCP. Example: reject HTTP requests unless they are directed to the official website.
- Behavioural control: prevent behaviour that infringes organization policies. Levels of filtering: IP, TCP, application. Example: filtering of "spam" e-mail.
- User control: discriminate between users' privileges. Example: management of dial-up access provided for off-site users.

48

Filtering levels
- IP packet filtering: decisions made based on the destination and source IP addresses, the service type field in the IP header, and the port numbers in TCP/UDP headers. Example: prohibition of external access to NFS servers. Performed by a process within the operating system kernel of a router.
- TCP gateway: a TCP gateway process checks TCP connection requests and segment transmission for correctness. Example: denial-of-service attack prevention.

49

Filtering levels (cont’d)

- Application-level gateway: an application-level gateway process acts as a proxy for an application process. Example: a Telnet proxy; all Telnet requests are routed through the proxy process for approval.
- A firewall is a combination of several processes working at different protocol levels, running on more than one machine (for fault tolerance).
- Two overall (mutually exclusive) policies: anything not explicitly denied is allowed; anything not explicitly allowed is denied.
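The example scenario and the filtering policies above, as an added example rather than anything from the lecture: a default-deny packet filter in Python with a rule list for the company's requirements and a connection table, so that replies to permitted connections (the acknowledgements that make one-way filtering hard) get through while unsolicited inbound segments do not. The address ranges, server addresses and packets are assumed for the demo; a real filter would also match on interface and TCP flags and expire idle entries from its table.

```python
"""Default-deny packet filter with connection tracking for the example scenario."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")            # assumed company address space
WEB_SERVER = ipaddress.ip_network("203.0.113.10/32")     # assumed public web host
MAIL_SERVER = ipaddress.ip_network("203.0.113.25/32")    # assumed mail relay


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = True     # True only for the first segment of a TCP connection


@dataclass(frozen=True)
class Rule:
    """Who may open a connection to whom; dport 0 means any port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int = 0

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and p.proto == self.proto
                and self.dport in (0, p.dport))


# The company's requirements, expressed as "connections that may be opened".
ALLOW_NEW = [
    Rule(INTERNAL, INTERNAL, "tcp", 22),        # SSH between company hosts
    Rule(INTERNAL, INTERNAL, "tcp", 21),        # FTP between company hosts
    Rule(INTERNAL, ANY, "tcp", 80),             # staff may browse the web
    Rule(INTERNAL, ANY, "tcp", 21),             # staff may use external FTP
    Rule(ANY, WEB_SERVER, "tcp", 80),           # anyone may read the public web pages
    Rule(ANY, MAIL_SERVER, "tcp", 25),          # inbound e-mail
    Rule(MAIL_SERVER, ANY, "tcp", 25),          # outbound e-mail
]


class StatefulFilter:
    """Anything not explicitly allowed is denied; replies of allowed connections are allowed."""

    def __init__(self, rules):
        self.rules = rules
        self.established = set()    # (src, sport, dst, dport, proto) of connections let through

    def decide(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if forward in self.established or reverse in self.established:
            return "allow"          # data or ACKs belonging to a connection already approved
        if p.syn and any(r.matches(p) for r in self.rules):
            self.established.add(forward)
            return "allow"
        return "deny"               # no rule, or a non-SYN segment with no known connection


if __name__ == "__main__":
    fw = StatefulFilter(ALLOW_NEW)
    samples = [
        ("web reply before any request", Packet("93.184.216.34", "10.0.0.5", "tcp", 80, 51000, syn=False)),
        ("staff web request", Packet("10.0.0.5", "93.184.216.34", "tcp", 51000, 80)),
        ("web reply afterwards", Packet("93.184.216.34", "10.0.0.5", "tcp", 80, 51000, syn=False)),
        ("inbound telnet", Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 23)),
        ("inbound ftp to internal host", Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 21)),
        ("visitor to public web server", Packet("198.51.100.9", "203.0.113.10", "tcp", 40000, 80)),
    ]
    for label, pkt in samples:
        print("%-32s %s" % (label, fw.decide(pkt)))
```

The connection table is what lets the filter pass the reply to a staff member's web request while rejecting an identical-looking segment that no internal host asked for: without it, a "stateless" filter has to open port 80 replies from everywhere, which is the one-direction problem the previous slide describes. Note that the rule for inbound FTP only matches an internal source, so an outside client hitting port 21 on an internal host is denied without a separate deny rule.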

50

Basic Internet Firewalls

- A basic firewall is a router (a host with at least 2 network interfaces). One interface is connected to the Internet, the outside; the other(s) to the company's internal network.
- Performs IP packet filtering.

51

Advanced Internet Firewalls
- When TCP and application-level gateway processes are required, they usually run on another computer: the bastion host.
- A host located inside the intranet and protected by an IP router/filter, to which it is attached by a stub LAN. The stub LAN only has 1 or 2 hosts on it and is not connected to any other company LAN.
- A bastion host is connected to both the stub LAN and the company network.

52

Advanced Internet Firewalls (cont’d)

- Further protection can be ensured by placing another router/filter between the bastion and the company intranet.
- Note that for performance reasons company web/FTP servers are placed on the stub LAN.

53

Virtual Private Networks

- Suppose a company wants to connect the intranets of its 5 offices. One option is to lease a private line. Another is to connect through the Internet.
- But then everything is open. The solution is to use encryption schemes to establish secure tunnels through the Internet.
- Such a set-up is called a virtual private network.

54

Directory and Discovery Services
- Directory service: a service that stores collections of bindings between names and attributes and that looks up entries that match attribute-based specifications. Examples: MS Active Directory, X.500 directories, etc.
- Discovery service: a directory service that registers the services in a spontaneous networking environment. Provides an interface for automatically registering and de-registering services (fax machines, printers, etc.) and a lookup interface for mobile devices. Example: Jini.

55

Jini

A system designed for spontaneous networking.

Java-based: assumes that JVMs run on all of the computers, allowing them to communicate through RMI (remote method invocation, a flavor of interprocess communication in an object-oriented environment).

Provides facilities for service discovery, transactions and shared data spaces called JavaSpaces.

56

Jini Directory-Related Components
- Lookup service, Jini services and Jini clients.
- The lookup service implements what we have termed a discovery service; Jini uses "discovery" only for discovering the lookup service itself. It allows Jini services to register the services they offer and Jini clients to request services that match their requirements.
- A Jini service provides an object that provides the service, together with the attributes of the service. It may be registered with several lookup services, which store the objects. Example: a printing service.

57

Jini Directory-Related Component (cont’d)

- Jini clients query the lookup service to find Jini services that match their requirements. If a match is found they download an object that provides the service from the lookup service.
- Bootstrap connectivity: how to find the lookup service upon entering a network. Solutions:
  - A priori knowledge of lookup services' IP addresses. Doesn't scale up.
  - Use a multicast IP address that is known to all instances of Jini software.

58

Jini Directory-Related Component (cont’d)

- When a Jini client or service starts up it sends a request stamped with a time-to-live value to a well-known multicast address.
- Lookup services listen on a socket bound to this address and reply to the unicast address from which they received the request.
- The client can then perform RMI to query the lookup service.
- Lookup services sometimes broadcast datagrams announcing their existence to the same multicast address, and clients and services listen on it.