CSC461-CN-Lecture-15-Feb.-13-2013
7/28/2019 CSC461-CN-Lecture-15-Feb.-13-2013
1/171
BITS Pilani | Pilani | Dubai | Goa | Hyderabad
Performance & Application-driven Approaches to Design of Computer Networks
Lectures 15-17, February 15-17, 2013
Rahul Banerjee, PhD (CSE)
Professor, Department of Computer Science & Information Systems
E-mail: [email protected]
BITS Pilani, Deemed to be University under Section 3 of UGC Act, 1956
Significance of the Application-Driven Approach to Design Computer Networks
Need for Specialized Protocols for Applications / Classes of Applications / Services
Select Application-Layer Services & Protocols: HTTP, DNS, DHCP, SMTP, POP, IMAP, SOAP, REST
Network-based Multimedia Applications
Overlay Networks, Protocols and Applications
Example cases of VoIP, SIP, Skype, WebEx, ATT-Connect, AdobeConnect, Jabber
Summary
Interaction Points
First, a quick recap of Protocols and Protocol Graphs and a little additional information!
Starters, before we begin the main course!
Of Protocols & Protocol Graphs
A network protocol, in the simplest sense, is a set of pre-defined, behaviorally encoded request-response pairs that, along with a set of rules and conventions, allow meaningful communication within and between nodes of a network.
A graph showing the interrelation of various collaborating protocols at different levels is called a Protocol Graph.
In a protocol graph, each protocol is represented as a node.
[Figure: protocol graph with HTTP above TCP, TFTP above UDP, and both TCP and UDP above IP]
Example of a Simple Protocol Graph as applicable to the Internet
[Figure: HTTP and FTP above TCP, TFTP above UDP, and both TCP and UDP above IP]
Protocol Representation
There exist numerous schemes of representation of a given Protocol.
One common way to specify a Protocol is to represent it as a State Transition Diagram.
Protocol Validation
A Protocol needs to be proven correct before it is implemented.
There exist quite a few ways of formal and semi-formal verification of Protocols.
One common technique is to first represent a protocol as a State Transition Diagram and then examine it for its completeness, reachability, points of weakness, etc.
System Model
An abstract computer model: state machine.
A network or a distributed system model comprises a set of n state machines called processors that communicate with each other, which can be represented as a graph.
Message passing communication model: queue(s) Q_ij, for messages from P_i to P_j.
A system configuration is the set of states and message queues.
In any case it is assumed that the topology remains connected, i.e., there exists a path between any two nodes.
Definition
States satisfying P are called legitimate states and those not satisfying P are called illegitimate states.
A system S is self-stabilizing with respect to predicate P if it satisfies the properties of closure and convergence.
Dijkstra's self-stabilizing token ring system
When a machine has a privilege, it is able to change its current state, which is referred to as a move.
A legitimate state must satisfy the following constraints:
There must be at least one privilege in the system (liveness or no deadlock).
Every move from a legal state must again put the system into a legal state (closure).
During an infinite execution, each machine should enjoy a privilege an infinite number of times (no starvation).
Given any two legal states, there is a series of moves that change one legal state to the other (reachability).
Dijkstra considered a legitimate (or legal) state as one in which exactly one machine enjoys the privilege.
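Added example, not from the slides: Dijkstra's K-state token ring in Python, so that closure and convergence can be watched rather than stated. The slide does not spell out the update rule; the one below is Dijkstra's original (machine 0 is the "bottom" machine, a privilege is the right to make a move, and K >= n is his condition for convergence). The random scheduler, the ring size and the seed are assumptions of this example.

```python
import random

def privileged(x):
    """Machines holding a privilege in configuration x under Dijkstra's K-state rule.
    Machine 0 (the bottom machine) is privileged when its state equals its left
    neighbour's; every other machine when its state differs from its left neighbour's."""
    n = len(x)
    holders = [0] if x[0] == x[n - 1] else []
    holders += [i for i in range(1, n) if x[i] != x[i - 1]]
    return holders

def move(x, i, K):
    """Machine i makes its move; the new configuration is returned.
    Bottom advances modulo K, every other machine copies its left neighbour."""
    y = list(x)
    y[i] = (x[0] + 1) % K if i == 0 else x[i - 1]
    return y

def legitimate(x):
    """Dijkstra's predicate P: exactly one machine enjoys the privilege."""
    return len(privileged(x)) == 1

def run(x, K, steps, rng):
    """Drive the ring for `steps` moves under a random scheduler that picks one privileged
    machine per step. Returns (step of the first legitimate configuration, or None if the
    ring never converged; True iff every configuration after that was legitimate, i.e. closure)."""
    first_legit, closure = None, True
    for t in range(steps):
        if legitimate(x):
            if first_legit is None:
                first_legit = t            # convergence observed
        elif first_legit is not None:
            closure = False                # left the legitimate set again: closure broken
        holders = privileged(x)
        if not holders:                    # liveness: the ring always holds a privilege
            raise RuntimeError("no privilege in the ring")
        x = move(x, rng.choice(holders), K)
    return first_legit, closure

def demo(n=6, seed=7, steps=400):
    """Start from an arbitrary (almost always illegitimate) configuration and let it stabilise."""
    K = n                                  # K >= n: Dijkstra's condition for convergence
    rng = random.Random(seed)
    x = [rng.randrange(K) for _ in range(n)]
    return run(x, K, steps, rng)

if __name__ == "__main__":
    print(demo())
```

Whatever the starting configuration, the run converges to a configuration with a single privilege and never leaves that set afterwards, which is the closure-plus-convergence definition of self-stabilization given on the previous slide.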
Automata with Inputs/Outputs
Each state emits an output symbol that is noted on the state. Alternatively, each transition is marked with the event that triggers the transition and below it lists the actions that are taken as a result of the transition.
[Figure: the same three-state automaton drawn twice. Left: states 1, 2, 3 carry the outputs s1, s2, s3 and the transitions are labelled a, b, c, d. Right: the transitions carry event/action labels a/s2, b/s2, c/s3, d/s1.]
Example of FSM Model for Protocol Verification (Stop and Wait Protocol)
The transmitter sends a frame and stops, waiting for an acknowledgement (ACK) from the receiver.
Once the receiver correctly receives the expected packet, it sends an acknowledgement to let the transmitter send the next frame.
When the transmitter does not receive an ACK within a specified period of time (timer) then it retransmits the packet.
[Figure: timing diagram between Transmitter and Receiver showing Frame0/ACK0, Frame1/ACK1 and a retransmitted Frame0/ACK0, with the timer drawn on the transmitter side.]
FSM for Stop and Wait Protocol
[Figure: receiver FSM with two states, Wait Pkt0 and Wait Pkt1. On "Pkt0 received" in Wait Pkt0 the receiver sends Ack0 and moves to Wait Pkt1; on "Pkt1 received" in Wait Pkt1 it sends Ack1 and moves back to Wait Pkt0.]
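Added example, not from the slides: the validation step described a few slides back (represent the protocol as a state machine, then examine it for completeness and reachability) carried out on Stop and Wait in Python. It goes beyond the two-state receiver drawn above: the transmitter FSM, a single-slot frame channel and a single-slot ACK channel with loss, and the timeout are all assumptions of this model, and a breadth-first search over the global states checks that no reachable state is a deadlock and that the receiver only ever delivers the frame the transmitter is currently waiting on.

```python
from collections import deque

# Global state: (sender_seq, sender_mode, receiver_expect, frame, ack).
# The frame channel and the ACK channel each hold at most one message; None = empty.
INIT = (0, "send", 0, None, None)

def successors(state):
    """Every transition enabled in `state`, as (event, next_state, delivered).
    `delivered` is the sequence number the receiver passes up to its user, else None."""
    seq, mode, expect, frame, ack = state
    if mode == "send" and frame is None:            # transmitter sends frame `seq`, starts waiting
        yield "send", (seq, "wait", expect, seq, ack), None
    if frame is not None:
        yield "lose_frame", (seq, mode, expect, None, ack), None
        if ack is None:                             # receiver answers once the ACK slot is free
            if frame == expect:                     # expected frame: deliver, flip, ACK it
                yield "receive_new", (seq, mode, expect ^ 1, None, frame), frame
            else:                                   # duplicate: do not deliver, but re-ACK it
                yield "receive_dup", (seq, mode, expect, None, frame), None
    if ack is not None:
        yield "lose_ack", (seq, mode, expect, frame, None), None
        if mode == "wait" and ack == seq:           # the awaited ACK: advance to the next frame
            yield "ack_ok", (seq ^ 1, "send", expect, frame, None), None
        else:                                       # stale ACK: discard it
            yield "ack_discard", (seq, mode, expect, frame, None), None
    if mode == "wait" and frame is None:            # timer expires with nothing in flight
        yield "timeout", (seq, "send", expect, frame, ack), None

def explore(init=INIT):
    """Breadth-first reachability analysis of the global state graph. Reports every reachable
    state with no enabled transition (deadlock) and every delivery whose sequence number is
    not the one the transmitter is waiting for (safety violation)."""
    seen, queue = {init}, deque([init])
    deadlocks, unsafe = [], []
    while queue:
        state = queue.popleft()
        moves = list(successors(state))
        if not moves:
            deadlocks.append(state)
        for event, nxt, delivered in moves:
            seq, mode = state[0], state[1]
            if delivered is not None and not (mode == "wait" and delivered == seq):
                unsafe.append((state, event))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {"states": len(seen), "deadlocks": deadlocks, "unsafe_deliveries": unsafe}

if __name__ == "__main__":
    print(explore())
```

The search visits 26 global states, finds no deadlock and no out-of-sequence delivery; dropping the `timeout` transition, or letting the receiver deliver without checking `expect`, makes the corresponding list non-empty, which is exactly the kind of "point of weakness" the validation slide asks us to look for.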
Communication protocols
A communication protocol might be affected due to:
Initialization to an illegal state.
Processes get the request for the change at the same time, so an illegal global state may occur.
Transmission errors because of message loss or corruption.
Process failure and recovery.
A local memory crash which changes the local state of a process.
Exercise
Write a simulation program that imitates the behavior of the network shown below.
The inputs to your program are the capacities of each buffer as well as the clock structure (three vectors with the lifetimes of each event).
The output from your program is the sample path of the network, i.e., the state trajectory and/or a trace consisting of a sequence of events and its corresponding time.
[Figure: two buffers in tandem, B1 followed by B2; event a is an arrival to B1, d1 a departure from B1 into B2, d2 a departure from B2.]
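Added example, not from the slides: one way to write the simulation the exercise asks for, in Python. The slide fixes the inputs (two buffer capacities, three lifetime vectors) and the output (state trajectory and event trace); the rules that an arrival to a full B1 is lost, that d1 is blocked while B2 is full, that ties are broken in the order a, d1, d2, and the sample input in `demo()` are assumptions of this example.

```python
ORDER = ("a", "d1", "d2")   # priority used to break ties between equal residual clocks

def simulate(cap1, cap2, life_a, life_d1, life_d2):
    """Timed-automaton simulation of the tandem buffers B1 -> B2.
    Events: a = arrival to B1 (lost if B1 is full), d1 = move from B1 to B2 (not feasible
    while B2 is full), d2 = departure from B2. An event draws the next lifetime from its
    own vector whenever it becomes active; the run ends when any vector is exhausted.
    Returns (trace, lost_arrivals); trace is a list of (time, event, (x1, x2))."""
    lifetimes = {"a": iter(life_a), "d1": iter(life_d1), "d2": iter(life_d2)}

    def feasible(x1, x2):
        f = ["a"]
        if x1 > 0 and x2 < cap2:
            f.append("d1")
        if x2 > 0:
            f.append("d2")
        return f

    x1 = x2 = 0
    t, lost = 0.0, 0
    clocks = {}                                   # residual lifetimes of active events
    trace = [(0.0, "init", (0, 0))]
    try:
        for e in feasible(x1, x2):
            clocks[e] = next(lifetimes[e])
        while True:
            # next event: smallest residual clock, ties broken by ORDER
            e = min(clocks, key=lambda k: (clocks[k], ORDER.index(k)))
            dt = clocks.pop(e)
            t += dt
            for k in clocks:
                clocks[k] -= dt
            if e == "a":
                if x1 < cap1:
                    x1 += 1
                else:
                    lost += 1                     # arrival to a full B1 is dropped
            elif e == "d1":
                x1, x2 = x1 - 1, x2 + 1
            else:
                x2 -= 1
            trace.append((round(t, 6), e, (x1, x2)))
            active = feasible(x1, x2)
            for k in list(clocks):                # events that became infeasible lose their clock
                if k not in active:
                    del clocks[k]
            for k in active:                      # newly active events (and the one that fired) draw a lifetime
                if k not in clocks:
                    clocks[k] = next(lifetimes[k])
    except StopIteration:
        pass                                      # a lifetime vector ran out: end of the sample path
    return trace, lost

def demo():
    """Constructed input (not from the slide): unit-capacity buffers, short lifetime vectors."""
    return simulate(1, 1, [1, 1, 1, 5], [2, 2, 2], [3, 3])

if __name__ == "__main__":
    for step in demo()[0]:
        print(step)
```

With the constructed input the sample path is init, a, a, a, d1 at t = 3 (the d1 clock reaches zero at the same instant as the third arrival), d2 at t = 6 and a final arrival at t = 8, with two arrivals lost to the full buffer; the state after each event is what the exercise calls the state trajectory.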
(c) Dr. Rahul Banerjee, BITS, Pilani, India
A Few Measures of Network Performance
Performance Measures: Available Performance vs. Measured Performance
Bandwidth: width of the usable / allotted frequency band; rate of data transfer in bits per second.
Throughput: actual measured rate of achievable data transfer in bits per second.
Bandwidth often has a value greater than that of the Throughput.
Round-Trip Time (RTT)
Latency: delays of various kinds
Delay x Bandwidth metric
Quality of Service
Performance Matters
With significant input from:
Professor Bob Kinicki, Computer Science Department, WPI, USA
Interaction Points
Computer Network Performance Metrics
Performance Evaluation Techniques: Workload Characterization, Simulation Models, Analytic Models
Empirical Measurement Studies: What to measure? Choice of measurement tools; The Design of Measurement Experiments
Performance Evaluation
Performance evaluation is the application of the scientific method to the study of computer systems.
Viewed as distinct from computer system design, the goal of performance evaluation is to determine the effectiveness and fairness of a computer system that is assumed to work correctly.
Performance evaluation techniques have been developed to accurately measure the effectiveness with which computer system resources are managed while striving to provide service that is fair to all customer classes.
Performance Evaluation of Computer Networks
Computer Network Performance Metrics
Metric: a descriptor used to represent some aspect of a computer network's performance.
The goal is objective performance indices.
For computer networks, metrics can capture performance at multiple layers of the protocol stack, e.g., UDP throughput, IP packet round trip time, MAC layer channel utilization.
Performance metrics can be positive or negative, e.g., goodput, packet loss rate, MAC layer retries.
[Figure: Wide Area Network (WAN) with routers 1-17 interconnecting Hosts A through N]
[Figure: Wireless Local Area Network (WLAN) with an AP, Clients and a Server]
Sample Performance Measures

Category          Metric                      Units
productivity      throughput                  Mbps
                  effective capacity
responsiveness    delay                       milliseconds
                  round trip time
                  queue size                  packets
utilization       channel utilization         percentage of time busy
losses            packet loss rate            loss percentage
                  frame retries
buffer problems   AP queue overflow           packet drops
                  playout buffer underflow    rebuffer events
[Figure: the same Wide Area Network (WAN), nodes 1-17 interconnecting Hosts A through N]
[Figure: Local Area Network (LAN) with nodes A, B, C, X, Y, Z]
[Figure: Wireless Local Area Network (WLAN) with an AP, a Client and a Server]
Outline
Performance Evaluation
Computer Network Performance Metrics
Performance Evaluation Techniques: Workload Characterization, Simulation Models, Analytic Models
Empirical Measurement Studies: What to measure? Choice of measurement tools; The Design of Measurement Experiments
Performance Evaluation Techniques
Workload characterization for computer networks involves the design and choice of traffic types that provide the inputs for computer network performance evaluation.
Performance measures of computer networks are all dependent to some extent on the input workload, the network topology and the choices in controlled parameters or network default settings.
An evaluation study of a computer network seeks to determine the values for network performance indices under a given traffic workload and network configuration.
Typical Network Traffic Types
Web Traffic between a Browser and an Internet Server.
Long-Lived File Transfers: FTP downloads.
Multimedia Streaming: Video clip downloads (UDP and/or TCP), Audio, VOIP (Voice Over IP)
Peer-to-Peer Exchanges: Concurrent downloads and uploads
Telnet file edits
[Figure: Wireless Local Area Network (WLAN) with an AP, a Client and a Server]
Performance Evaluation Techniques
Network evaluation utilizes the actual network, an emulated network or a model of the network.
Models: Simulation Modeling, Analytic Modeling. Both modeling techniques tend to rely on queuing theory.
Measurement Studies: Empirical measurement of real networks; measurements where some aspect of the network architecture or topology is emulated via software or hardware.
The primary focus of this presentation is on the design and techniques used in experiments to measure real computer networks.
Conceptual Models
Researchers utilize knowledge about the interactions of network components to understand and explain the workings of a computer network via a conceptual model.
Models are partitioned into simulation models or analytic models. Both model types rely on simplifying assumptions that enable the model to capture important characteristics of networks (usually in terms of networks of queues).
Simple Queuing Model
[Figure: Arrivals entering a Queue that feeds a Server]
Networks of Queues Model
[Figure: networks of queues model]
Simulation Models
Simulation attempts to reproduce the behavior of the network in the time domain.
Event-driven simulation defines a network in terms of states and transitions where events trigger transitions.
Simulation is essentially a numeric solution that utilizes systems of equations and data structures to capture the behavior of the simulated network in terms of logical conditions.
Simulation Models
The three types of simulators are: Trace-driven, Program-driven, Distribution-driven.
The choice of the duration of a simulation run is subject to the same issues of estimating variance and variance reduction as found in the design of empirical measurements.
Analytic Models
Similar to simulation models, analytic models involve systems of equations.
Analytic models of computer networks usually start with a network of queues model and develop a system of equations that may or may not yield a closed form solution.
Analytic models of computer networks tend to be stochastic models built on the theory of stochastic processes associated with independent random variables.
Outline
Performance Evaluation
Computer Network Performance Metrics
Performance Evaluation Techniques: Workload Characterization, Simulation Models, Analytic Models
Empirical Measurement Studies: What to measure? Choice of measurement tools; The Design of Measurement Experiments
Empirical Measurement Studies
The planning phase objectives of an empirical measurement are:
1. To decide what to measure.
2. To choose the measurement tools.
3. To design the experiments.
Network measurements can be either active or passive.
Active measurement involves purposely adding traffic to the network workload specifically to facilitate the measurement (e.g., sending packet pair probes into the network to estimate the available bandwidth along a flow path).
An example of a passive measurement tool is a network sniffer running in promiscuous mode to collect information about all packets traversing a network channel.
What to Measure?
The overall objective of the computer network measurement study guides the choice of performance indices to be measured.
Metrics are either direct or indirect indices. Indirect indices require some type of data reduction process to determine metric values.
Due to the large data volume associated with network traffic, measurement of computer networks often involves filtering of data or events (e.g., it is common for network measurement tools to only retain packet headers for off-line
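Added example, not from the slides: the data reduction that a passive, header-only trace supports, in Python. The trace below is constructed and its record format (time, direction at the measurement point, sequence or ACK number, length) is an assumption; the functions compute one direct index (data throughput per time window) and three indirect ones that need reduction over the whole trace (goodput, retransmission ratio, RTT samples).

```python
from collections import defaultdict

# Constructed header-only trace (not from the slides), as a passive tool might keep it after
# discarding payloads: time (s), direction, sequence or ACK number, length in bytes.
TRACE = """\
0.000 out seq=1 len=1000
0.100 in  ack=1 len=40
0.100 out seq=2 len=1000
0.200 in  ack=2 len=40
0.200 out seq=3 len=1000
0.600 out seq=3 len=1000
0.700 in  ack=3 len=40
0.700 out seq=4 len=1000
1.300 out seq=4 len=1000
1.400 in  ack=4 len=40
1.400 out seq=5 len=1000
1.500 in  ack=5 len=40
"""

def parse_trace(text):
    """One dict per header record: {'t': float, 'dir': 'out'|'in', 'seq' or 'ack': int, 'len': int}."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        rec = {"t": float(fields[0]), "dir": fields[1]}
        for kv in fields[2:]:
            key, value = kv.split("=")
            rec[key] = int(value)
        records.append(rec)
    return records

def data_packets(records):
    return [r for r in records if r["dir"] == "out" and "seq" in r]

def window_throughput_kbps(records, window=1.0):
    """Direct index: data bits sent per time window, in kbit/s, keyed by window number."""
    sent = defaultdict(int)
    for r in data_packets(records):
        sent[int(r["t"] // window)] += r["len"]
    return {w: b * 8 / window / 1000 for w, b in sorted(sent.items())}

def summary(records):
    """Indirect indices: throughput counts every data packet, goodput counts each sequence
    number once, and the retransmission ratio is the share of data packets that repeat an
    already-seen sequence number."""
    sent = data_packets(records)
    duration = records[-1]["t"] - records[0]["t"]
    first_len = {}
    for r in sent:
        first_len.setdefault(r["seq"], r["len"])
    return {
        "throughput_kbps": round(sum(r["len"] for r in sent) * 8 / duration / 1000, 3),
        "goodput_kbps": round(sum(first_len.values()) * 8 / duration / 1000, 3),
        "retransmission_ratio": round((len(sent) - len(first_len)) / len(sent), 3),
    }

def rtt_samples(records):
    """RTT per segment, first transmission to ACK. Retransmitted segments are skipped
    (Karn's rule): their ACK cannot be matched to one transmission, so the sample is ambiguous."""
    first_tx, tx_count = {}, defaultdict(int)
    for r in data_packets(records):
        first_tx.setdefault(r["seq"], r["t"])
        tx_count[r["seq"]] += 1
    return [round(r["t"] - first_tx[r["ack"]], 6)
            for r in records
            if r["dir"] == "in" and "ack" in r and tx_count.get(r["ack"]) == 1]

if __name__ == "__main__":
    recs = parse_trace(TRACE)
    print(window_throughput_kbps(recs), summary(recs), rtt_samples(recs))
```

On the constructed trace the per-window throughput is 40 kbit/s then 16 kbit/s, while over the whole run throughput (37.3 kbit/s) exceeds goodput (26.7 kbit/s) because two of the seven data packets are retransmissions; that gap is the positive-versus-negative metric distinction from the metrics slide made concrete.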
Network Measurement Tools
While hardware probes provide the best quality measurements, they are expensive and not always available.
The availability of software tools for computer networks depends on the ability to get inside the components of the network protocol stack and the ability to access nodes of the network topology.
Network software measurement tools provide hooks within the network layering software to capture and store network measurement data.
Choice of Measurement Tools
Key issues in the usability of network measurement tools are:
1. Tool location
2. Interference or bias introduced by the tool
3. Accuracy of the tool
4. Tool resolution: this has become a problem with respect to the granularity of system clocks relative to the speed of modern high speed network links.
[Figure: Wireless Local Area Network (WLAN) with an AP, Clients and a Server]
The Design of Measurement Experiments
Measurement Experiments are divided into two major categories:
1. Live measurements
With live empirical studies, the objective is to measure the performance of the computer network while it is handling real traffic.
The advantage of this type of study is that the measurement involves a real workload.
One disadvantage of measuring live traffic is being convinced that this measurement involves typical traffic for this network.
Another disadvantage of live traffic measurement is that reproducibility of the exact same traffic workload is usually not possible. This is problematic when the goal is to evaluate the impact of changing network components on overall performance.
The Design of Measurement Experiments
2. Controlled-traffic measurements
Traffic generator tools or traffic script files provide repeatable, controlled traffic workloads on the network being measured.
Controlled-traffic workloads are chosen when the goal of the performance study is to evaluate the impact of different versions of a network component, strategy or algorithm on network performance.
Controlled, repeatable traffic makes it easier to conduct cause-and-effect performance analysis.
One difficulty with controlled traffic is being confident in the accuracy of the traffic generator tool and the ability to conduct measurement experiments where the traffic workload choices are adequately varied to provide representative, robust network performance evaluation.
Measurement Design Decisions
Understanding which network components (or independent variables) significantly impact network performance.
Deciding which network parameters are to be controlled and/or held fixed during experimental runs.
How long to run a single experiment? How many times to repeat an experiment?
[Plot: Throughput (Mbps) vs. Time (sec)]
[Plot: RSSI (dB) vs. Time (sec)]
Measurement Design Decisions
When to run experiments? Namely, to determine whether time of day or other temporal periods influence performance measurements.
How to control, minimize and/or understand physical phenomena or other interference sources that can produce discrepancies and variability in the measurement results?
[Plot: Throughput (Mbps) vs. Time (sec)]
[Plot: RSSI (dB) vs. Time (sec)]
Measurement Design Decisions
What data filters to use?
How and where to store experimental results?
Determining the best choices of graphical and tabular forms of data representation to facilitate network performance analysis while providing a clear view of the results of the computer network performance evaluation.
[Plot: MAC Layer Retries vs. Time (sec)]
Cumulative Distribution Function (CDF)
[Figure: CDF plot]
Coming Attractions
Professor Claypool will discuss:
The Scientific Method applied to Computer Science
Statistical Techniques used in Experimental Measurement Design
Summary of the Concepts & Terms learnt so far
Some Networking Terms
Repeaters / Repeater Hubs / Shared Hubs: where usually only the Physical layer / level exists, with L1-protocol data unit (raw bits) regeneration and onward transmission
Managed Hubs / Layer-2 Switching Hubs: where the Physical and Data Link layers / levels exist, with the ability to handle and deliver the Layer-2-protocol data unit (frame)
Bridges: where the Physical and Data Link layers / levels exist, with L2-protocol data unit (frame) processing and forwarding
Switches: where the Physical and Data Link and / or Network (sometimes even higher) layers / levels exist with Layer-2 and / or Layer-3-
Thank you for your kind attention!
Any questions, please?
For further details, you may contact at: E-mail: [email protected] / [email protected]
or visit: Home: http://www.bits-pilani.ac.in/~rahul/
NOTE: Some of the duly marked slides have been prepared with respective input from BITS, UIUC, ETH-Zurich, MSR, UoW, CMU, IETF, ITU, Sun, W3C, KU, CU, LU, IEEE PC as duly permitted for academic and research use.
Use of copyrighted material from these and other sources in the following slides is meant for pure academic reference and is thankfully acknowledged herein.
What is a Web Service?
A Web Service is simply a service available via the Web.
A Web Service can be implemented in any language.
Problems with Web Services:
It is not practical to automatically find web services for your needs.
There is no built-in mechanism for payment for use of a web service.
There is no built-in security control.
When a web service changes (e.g., adds a parameter to its method), the program using it breaks.
The Simple Object Access Protocol
SOAP stands for "Simple Object Access Protocol".
Used for "Remote Procedure Calls", similar to IIOP (for CORBA) and RMI (for Java).
Major Distinguishing Features:
SOAP is text-based (uses XML), not binary. It is therefore firewall-friendly.
It is programming-language-independent. Therefore, it can call a program in any language.
It uses standard ports, since it uses standard protocols.
SOAP: RPC & DOC
SOAP is just a standard for sending messages (thus used as an envelope that encapsulates messages).
We can send two types of messages using SOAP:
RPC: Remote Procedure Call, a request to call a method
DOC: A document (this is used for more complex client-server communication)
How does SOAP Work?
SOAP Header Section
The SOAP Header can contain information that describes the SOAP request. Example:
[Example header XML; only the transaction ID value 5 is legible]
Here, 5 is the transaction ID of which this method is a part. The SOAP envelope's mustUnderstand attribute is set to 1, which means that the server must either understand and honor the transaction request or must fail to process the message.
SOAP Response on Error
There may be many errors in processing a SOAP request:
Error in Running Method
Error in Processing SOAP Headers: e.g., a problem running the method as part of a transaction
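Added example, not code from the slides or from Apache SOAP: a minimal SOAP 1.1 exchange in Python that shows the mustUnderstand rule from the header slide and the header-processing failure from the error slide. The transaction header namespace, the set of headers the processor understands, the `sayHelloTo` call in the body and the dict standing in for the response are assumptions of this example; the envelope namespace and the MustUnderstand fault code are those of SOAP 1.1.

```python
import xml.etree.ElementTree as ET

ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
TX_NS = "urn:example:transaction"                      # constructed namespace for the header
MUST_UNDERSTAND = f"{{{ENV}}}mustUnderstand"

# Header blocks this (hypothetical) SOAP processor knows how to honour.
UNDERSTOOD_HEADERS = {(TX_NS, "TransactionId")}

def split_tag(tag):
    """'{ns}local' -> (ns, local); an un-namespaced tag yields ('', tag)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def build_request(method_ns, method, tx_id, header_name="TransactionId"):
    """Client side: an RPC request whose Header carries the transaction the body call belongs
    to, flagged mustUnderstand="1" so the server may not silently ignore it."""
    ET.register_namespace("SOAP-ENV", ENV)
    env = ET.Element(f"{{{ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{ENV}}}Header")
    tx = ET.SubElement(header, f"{{{TX_NS}}}{header_name}")
    tx.set(MUST_UNDERSTAND, "1")
    tx.text = str(tx_id)
    body = ET.SubElement(env, f"{{{ENV}}}Body")
    ET.SubElement(body, f"{{{method_ns}}}{method}")
    return ET.tostring(env, encoding="unicode")

def process_request(xml_text):
    """SOAP processor side: honour every header it understands; fail the whole message with a
    MustUnderstand fault if an unknown header is marked mustUnderstand="1"; ignore unknown
    headers that are not so marked. Returns a dict standing in for the SOAP response."""
    root = ET.fromstring(xml_text)   # constructed input; untrusted XML needs a hardened parser
    tx_id = None
    header = root.find(f"{{{ENV}}}Header")
    for block in (header if header is not None else []):
        key = split_tag(block.tag)
        if key in UNDERSTOOD_HEADERS:
            tx_id = int(block.text)           # honour the header: run the call in transaction tx_id
        elif block.get(MUST_UNDERSTAND) == "1":
            return {"fault": "SOAP-ENV:MustUnderstand",
                    "faultstring": f"header {key[1]} not understood"}
    body = root.find(f"{{{ENV}}}Body")
    _, method = split_tag(body[0].tag)
    return {"method": method, "transaction": tx_id}

if __name__ == "__main__":
    print(process_request(build_request("urn:example:hello", "sayHelloTo", 5)))
    print(process_request(build_request("urn:example:hello", "sayHelloTo", 5, header_name="Priority")))
```

The second call fails rather than running `sayHelloTo` outside the transaction the client asked for: refusing a message whose mandatory header is not understood is the behaviour the slide describes, and it is what keeps a processor from quietly dropping a security- or transaction-related header.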
The Main Players in SOAP
There are three components that take part in a SOAP application:
Client Application: A program that sends a SOAP request. Wants to use a service.
SOAP Processor: A program that can receive SOAP requests and act accordingly (e.g., call a method of the Application Server)
Application Server: A program that supplies the Web service
Application Server: Some Simple Tips
The application server providing any Web Service does not need anything special.
In fact, your application server need not know that it is being used for providing a Web Service!!
A bit on the Client Application
The SOAP client needs to generate a SOAP request.
When using Java, you shall need the following packages in your CLASSPATH to compile: soap.jar, mail.jar, activation.jar
Tips on Tomcat / Servlet & SOAP Processor
Scenario: your Tomcat web server needs a web application that is a SOAP Processor.
Put soap.war in your /webapps directory.
To actually run the SOAP Processor, it needs the soap.jar, mail.jar, activation.jar files in its classpath.
Easiest way to get the files in its classpath: add them to the directory /lib.
Creating the Application Server

    package hello;

    public class HelloServer {
        // The method exposed as the Web Service operation.
        public String sayHelloTo(String name) {
            return "Hello " + name + ", How are you doing?";
        }
    }

Note: Put the application in a package. Create a jar file from the package and put the package in /lib, so that it will be in Tomcat's classpath.
Deploying the Web Service
The SOAP Processor must be told about your application. This is called "deploying".
Deployment is a two-step process:
Create a deployment descriptor
Call the java command that deploys the web application
Deployment Descriptor
[Deployment descriptor XML; only the fault listener class name is legible: org.apache.soap.server.DOMFaultListener]
Callout: the scope of the object used to fulfill the SOAP request. "Application" means that all SOAP requests will be sent to the same object.
Scope of Web Service
page: The service instance is available until a response is sent back or the request is forwarded to another page
request: The service instance is available for the duration of the request, regardless of forwarding
session: The service instance is available for the entire session
application: The same service instance is used to serve all invocations
Which of these scope values require us to think about synchronizing access to data members and methods?
Completing the Deployment
Save the deployment descriptor in a file, e.g., HelloDescriptor.xml
Run the command:
java org.apache.soap.server.ServiceManagerClient http://<host>:<port>/soap/servlet/rpcrouter deploy HelloDescriptor.xml
where <host> and <port> are those of Tomcat.
Note that Tomcat must be running for this to work.
You can get a list of all deployed web services using the command:
java org.apache.soap.server.ServiceManagerClient http://<host>:<port>/soap/servlet/rpcrouter list
Undeploying a Service
You can undeploy a web service, so that it is no longer recognized by the SOAP Processor, using the command:
java org.apache.soap.server.ServiceManagerClient http://<host>:<port>/soap/servlet/rpcrouter undeploy urn:helloApp
Note that the last argument is the URI of the web service to be removed.
Summary Note
What must the client do:
Create the SOAP-RPC call
Set up any type mappings for custom parameters
Set the URI of the SOAP service to use
Specify the method to invoke
Specify the encoding to use
Add any parameters to the call
Connect to the SOAP service
Receive and interpret a response
Note on Parameters
It must be possible to "serialize" the parameters that the method invoked receives and returns.
The following have default serialization/deserialization:
primitive types: int, long, double, etc.
primitive Objects: Integer, Long, Double, String, etc.
complex Objects: Vector, Enumeration, Hashtable, arrays
easy to use JavaBeans
Creating the Server
When the application server is a script, the script is actually put in the deployment descriptor.
Need the jar files bsf.jar and js.jar. Put them in your /lib directory.
UDDI - Universal Description, Discovery and Integration Service
UDDI is a standard for describing and finding web services.
UDDI Business Registry (UBR), Public Cloud
Nodes contain all UDDI information.
Nodes are synchronized, so they retain the same data.
You can query any node.
You can add UDDI to a node, and it will be replicated to all others.
Interacting with the UDDI
UDDI is itself a web service!!! Interaction is via SOAP messages.
The JAXR package defines a standard way to interact with registries (it can work with other types of registries too, e.g., ebXML).
Two types of interaction:
Inquiry: does not need authentication
Publish: needs authentication
WSDL - Web Services Description Language
Describing a Web Service
SOAP is just one standard to access a web service; there are many others (XML-RPC).
Need a standard way to describe a Web Service: the methods available, their parameters, etc.
WSDL is a standard for describing web services using XML.
UPnP Services
Description is stored as an XML file.
Control via SOAP messages: SOAP was developed for web services.
Most every language/platform has SOAP/XML libraries.
Event notification with XML in the General Event Notification Architecture.
Presentation URL can be supplied by the device.

The OSGi

OSGi is open, standards-based, language-neutral and OS-neutral.
Consists of a framework in which bundles of services that register with a registry can run.
Runs atop the Java 2 Runtime Environment (J2RE).

OSGi Service Specifications

Logging service
Web server
Device access
Configuration service
Preferences service
User administration service
Permission administration service
Package administration service

Client Authentication over the Internetworks

There exist four possibilities: No Authentication, Basic Authentication, Moderate Authentication, Advanced Authentication.
Basic Authentication: It may be provided as an extension to HTTP 1.1 (HTTP: RFC 2616, Extn.: RFC 2617).
Moderate Authentication: Digest Access Authentication using the Challenge-Response technique.
Advanced Authentication: There are two choices, depending upon the requirements:
  Kerberos-based Authentication (K-5: RFC 1510)
  Public-Key Cryptography-based Authentication (SSL: RFC 2246, TLS: RFC 2818)

BASIC AUTHENTICATION

Client may use it to authenticate itself to either the Origin Server or an intermediate Proxy Server.
In this basic scheme, if an unauthorized access attempt is made by a client, the server / proxy sends it back an Error Code: 401 / 407: Unauthorized Access Error.
However, the server / proxy may ask / challenge the requesting client to supply / respond to one or more pieces of information and if the client sends the correct piece(s) in its

BASIC AUTHENTICATION

In this scheme, the user's ID and his/her password are transmitted using base64-encoded plaintext.
This clearly is as insecure as the default Telnet authentication scheme.
Moderate and Advanced schemes of authorization attempt to tackle this issue by offering cryptographic measures.

Moderate Authorization using Digest Access

In this case, a client requesting a restricted service receives a nonce-challenge from the server and is expected to generate a message digest using this nonce, containing the user Id, password, numeric value of the received nonce, the requested HTTP method and the URI.
This digest is then transmitted over the insecure network to the server who, upon receipt, knowing the nonce and algorithm
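To make the difference between the Basic scheme (base64-encoded plaintext, as the slide above says) and Digest Access Authentication concrete, here is an added Python example that is not part of the lecture slides. It decodes a Basic credential exactly as anyone on the path could, and it implements the RFC 2617 digest computation on both sides: HA1 = MD5(user:realm:password), HA2 = MD5(method:URI), response = MD5(HA1:nonce:HA2), with the optional qop extension omitted. The realm, user name, password and the one-use-per-nonce policy are constructed for the demonstration and are not from the slides.

```python
import base64
import hashlib
import secrets

# Constructed sample values for the demonstration (not from the slides).
REALM = "csc461@example.invalid"
USERS = {"alice": "correct horse battery"}   # server-side credential store of the toy


def basic_header(user, password):
    """RFC 2617 Basic credential: base64 of 'user:password'. No secrecy is involved."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def basic_recover(header):
    """What any observer of the request can do with a Basic header: undo the encoding.
    base64 is a transport encoding, not encryption, so the password comes straight back."""
    if not header.startswith("Basic "):
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest, qop omitted:
       HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
       response = MD5(HA1:nonce:HA2).
    The password itself never leaves the client; only this digest is sent."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side of the challenge/response: hands out nonces, checks responses."""

    def __init__(self):
        self.outstanding = set()   # nonces issued but not yet consumed

    def challenge(self):
        """The 401 challenge carries a fresh, unpredictable nonce."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user, nonce, method, uri, response):
        """Recompute the digest from the stored password and compare in constant time.
        Each nonce is accepted once (a design choice of this toy, not something RFC 2617
        requires), so a captured response cannot simply be replayed."""
        if nonce not in self.outstanding or user not in USERS:
            return False
        self.outstanding.discard(nonce)
        expected = digest_response(user, USERS[user], REALM, nonce, method, uri)
        return secrets.compare_digest(expected, response)


def run_exchange(password_tried, method="GET", uri="/private"):
    """One full Digest exchange for user 'alice' with the given password; True on success."""
    server = DigestServer()
    nonce = server.challenge()                                                    # server -> client
    response = digest_response("alice", password_tried, REALM, nonce, method, uri)  # client -> server
    return server.verify("alice", nonce, method, uri, response)


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse battery")
    print("Basic header on the wire:", hdr)
    print("Recovered by an observer:", basic_recover(hdr))
    print("Digest with right password:", run_exchange("correct horse battery"))
    print("Digest with wrong password:", run_exchange("guess"))
```

Digest keeps the password off the wire, but the response is still a deterministic function of the password and of values an observer sees, so a captured exchange can be checked offline against password guesses; the fresh nonce only bounds replay. MD5 is what RFC 2617 specifies, not a recommendation, and in practice either scheme is run over TLS.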

Advanced Authentication using SSL/TLS

In this case, as discussed earlier, if a client requests access to a restricted service, the server generates a random secret / challenge to the client.
The client is expected to respond by signing the sent challenge using its Private Key and transmit this signed response along with its digital certificate.
Upon receipt, the server verifies the authenticity of the certificate, extracts the client's public key from it and using this verifies the client's signature.
If the process succeeds, the client is granted access to the requested service / resource.

Applications on respective devices / device clusters

Client-side Issues
Middleware-specific Issues
Server-side Issues

Role of Network Security in Pervasive Computing Environments

Interaction Points

Brief introduction to Network and Internetwork Security Principles
Various forms and mechanisms of security
Influence of Network Security on Pervasive Computing Systems
Discussion

Networks, Internetworks & Security

Network: A Computer Network is an interconnected group of autonomous computing nodes which:
  Use a well-defined, mutually-agreed set of rules and conventions known as Protocols;
  Interact with one another meaningfully;
  Allow resource-sharing, preferably in a predictable and controllable manner.
Internetwork: A network of two or more networks is called an Internetwork. Participating networks in an Internetwork may be interconnected for restricted or unrestricted resource sharing.
Security: Security is often viewed as the need to protect one or more aspects of a network's operation and permitted use (access, behaviour, performance, privacy and confidentiality included). Security requirements may be Local or Global in their scope, depending upon the network's or internetwork's purpose of design and deployment.

Criteria for Evaluating Security Solutions

Ability to meet the specified needs / requirements
Effectiveness of Approach Across Networks
Computing Resources Needed vis-à-vis the value of the protection offered
Quality and Scalability
Availability of Monitoring mechanisms
Adaptability and Flexibility
Practicability from a Sociological / Political perspective
Economic considerations & Sustainability

Classification of Security Problems: Access Breaches in Internetworks

(S/W & H/W) Intentional / Non-Intentional Access Breaches
Origin-based Access Breaches
Centralized / Distributed Access Breaches
Service Blocking / Overwhelming / Redirection / Abuse / Modification / Termination-based Access Breaches
Periodic / Aperiodic Application-Data / Control-Data Access Breaches
Event-based Access Breaches
Storage-based Access Breaches

Of Security Attacks, Security Threats, Security Mechanisms and Security Services

Security Attack => compromises the information-system security
Security Threat => has potential for security violation
Security Mechanism => detects / locates / identifies / prevents / recovers from security attacks
Security Service => enhances security, makes use of the security mechanisms

Active versus Passive Attacks

Active attacks involve active attempts on security leading to modification, redirection, blockage or destruction of data, devices or links. Examples:
  Replay attacks
  Masquerade attacks
  Modification / corruption of data or access control bits
  Denial-of-Service attacks
Passive attacks involve simply getting access to a link or device and consequently to data.

A typical Internetwork Model of Security

Parties involved: Sender, Receiver, Interceptor (Passive / Active)
Devices involved: Transmitter, Receiver, Encoder, Decoder
Links involved: Data and Control signal transmission links

Identification of Sources of Security Problems

Importance of Identification of sources:
  Strategic importance for planning, preventing and / or countering
  Importance with respect to Sensitivity analysis, Economic-impact analysis and pro-active protection
Possible Approaches for Analysis:
  Monitoring-based approaches: Log-based, Agent-based
  Non-monitoring approaches: Model-based, Experimental, Replication-based

Role of Cryptography, OS & Configuration

Role of Cryptography:
  Secret-key cryptography
  Public-key cryptography
Role of Operating Systems:
  Built-in OS Security at the Kernel level
  Support for Cryptographic APIs
  Network Protocol Stack implementation decision-based security
Role of Configuration in Security:
  Network configuration
  OS configuration
  Application configuration
  Security System configuration

On the Internetwork Cryptography

Internetwork Cryptography aims to handle internetwork-specific or network-specific issues and problems involving authentication, integrity and secrecy / confidentiality / privacy.
Cryptography can exist with or without networks, but Internetwork / Network Cryptography specifically addresses the Internetwork / Network needs / requirements and is thus a subset of general cryptography.

Symmetric-Key Cryptography

Symmetric-Key cryptography is called so since in this class of cryptographic algorithms, the encryption as well as decryption processes are performed using the same (i.e. symmetric) key.
The algorithms / schemes / programs that use this paradigm are often termed Symmetric-Key Ciphers / Private-Key Ciphers / Secret-Key Ciphers / Conventional Ciphers etc.
In such cases, Plaintext, Encryption-

Characterizing the Symmetric Key Ciphers

This is often done by:
  Choice of key-space
  Key-derivation / identification within the key-space
  Number of cycles involved in the encryption / decryption process
  Choice of operations (or choice of type of operators) that are used in the process of encryption / decryption
  Number of internal algorithms that form the final scheme of enciphering / deciphering
  Role, if any, of the compression algorithms / schemes in adding to the security value

Some More Basics

Any cryptographic scheme is safe if and only if it is unbreakable in reasonable time using feasible resources in spite of the intruders being aware of:
  the Encryption and decryption algorithm
  the Size of the key
Kerckhoffs' Principle: Security of conventional encryption depends only upon the Secrecy of the Key, and not on the Secrecy of the Algorithm.
Strength of the algorithm and the size of the key remain two important factors in

On the Secure Deployment of the Conventional (Secret-Key) Cryptography

Requirements for secure deployment of conventional cryptography:
  Availability of a strong Encryption Algorithm
  Secure distribution of the Secret Key to the intended recipients
Kerckhoffs' Principle remains a guiding line for research on conventional cryptography and its real-life use in internetworks.

Unconditionally Secure Versus Computationally Secure Encryption Schemes

Unconditionally Secure Encryption schemes: Here, the generated Ciphertext simply does not have adequate information to allow discovery of the unique plaintext, irrespective of the amount of Ciphertext available (as well as irrespective of the computational resources available) to the attacker.
Computationally Secure Encryption schemes: Here,
  the cost of deciphering exceeds the value of the enciphered information;
  the time needed to decipher exceeds the lifetime of the enciphered information.

Digital Signatures

A Digitally-signed Communication is a message that has been processed by a computer in such a manner that ties the message to the individual that signed the message.
Criteria for Digital Signatures Technology: An acceptable technology must be capable of creating signatures that conform to these requirements:
  It is unique to the person using it;
  It is capable of verification;
  It is under the sole control of the person using it;

Signature Dynamics

The Signature Dynamics Technology: It is an acceptable technology for use by public entities that uses as its means the metrics of the shapes, speeds and/or other distinguishing features of a signature as the person writes it by hand.
It involves binding the measurements to a message through the use of cryptographic techniques.
Signature Digest is the resulting bit-string produced when a signature is tied to a document using Signature Dynamics.

Digital Certificates

Digital Certificate: It refers to a computer-based record which:
  identifies the certification authority issuing it;
  names or identifies its subscriber;
  contains the subscriber's public key; and
  is digitally signed by the certification authority issuing or amending it & conforms to widely-used standards.

Related terms

Certification Authority: This refers to an entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.
Key Pair: This refers to a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates.

A few more points on Digital Certificates

One of the simplest ways to describe the function of a Digital Certificate is to treat it as a means to verify the genuineness of a Public Key.
Just as individuals / groups are normally assigned Digital Signatures, corporate merchants and E-Commerce / I-Commerce Gateways are issued Digital Certificates for proving their authenticity to others.
Certificate Expiry: Most certificates have their period of legal validity marked by the issuing entity / authority, after which the certificate is considered invalid or expired.
Certificate Revocation: If the Certificate is found to be compromised, it may be explicitly revoked by the Certificate Authority (CA) and included in the subsequently published Certificate Revocation List.
Certificate Validation: It refers to the verification of the Certificate Chain.

Who are the common Certificate Authorities?

As per the Secure Electronic Transactions (SET) standard, the following CAs may exist:
1. The Root Certificate Authority (RCA)
2. The Brand Certificate Authority (BCA)
3. The Geo-Political Certificate Authority (GCA)
4. The Merchant Certificate Authority (MCA)
5. The Payment Gateway Certificate Authority (PGCA)
6. The Cardholder Certificate Authority (CCA)
Certificate Categories:
1. Merchant Certificates
2. Cardholder Certificates

The Hierarchical CA Architecture

(Diagram, top to bottom)
The Root Certificate Authority (RCA)
  -> The Brand Certificate Authority (BCA)
    -> The Geo-Political Certificate Authority (GCA)
      -> MCA -> Merchant Certificates
      -> PGCA -> Payment Gateway Certificates
      -> CCA -> Cardholder Certificates

Who issues and signs the Certificates?

A Certificate Authority is a Trusted entity that issues, monitors, revokes, modifies and cancels digital certificates for subscribers holding / requiring certificates.
A digital certificate is signed with the CA's private key.
In principle, certificates can be of several types including Institutional Authority Certificates and Web Server Certificates.

Steps involved

1. A pair of Private and Public keys is created by the Requester.
2. The Requester generates and encrypts a Certificate Request using its private key and sends the certificate request to its chosen CA.
3. The CA initiates and completes a process to verify the correctness of the information supplied by the Requester.
4. The certificate for the Requester (who hereafter becomes a Subscriber) is signed by a device that holds the private key of the CA.
5. The certificate is sent to the Subscriber.
6. A copy of the issued Certificate is kept in a certificate repository / directory (so that Certificates can be retrieved using LDAP etc.).

Certificate revocation

Certificate revocation: Cancelling a certificate before the end of its originally scheduled validity period.
Certificate Revocation Lists (CRL): A CRL is a time-stamped list of revoked certificates.
Online Certificate Status Protocol (OCSP) is used for online verification.
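The six issuance steps, the revocation mechanism just described and the earlier point that certificate validation is verification of the Certificate Chain can be walked through end to end. The following Python is an added example and is not from the lecture or from any PKI product. It uses a textbook RSA signature (SHA-256 digest raised to the private exponent, no padding) with toy 512-bit keys so that it runs with the standard library alone, and it represents a certificate as its to-be-signed fields plus the issuer's signature over their canonical JSON. The CA names, serial numbers, year-granularity validity dates and the fixed RNG seed are all constructed for the demonstration; a real PKI uses X.509, PKCS#1 padding and a CSPRNG.

```python
import hashlib
import json
import random

rng = random.Random(2013)   # fixed seed: reproducible toy keys; a real CA uses a CSPRNG


def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test (toy; enough for the 256-bit factors used here)."""
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:   # odd candidates with the top bit set, until one passes the test
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key_pair(bits=512):
    """Step 1: the requester creates its own key pair (textbook RSA, exponent 65537)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                      # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest(tbs):
    """Stable bytes to sign: canonical JSON of the record, hashed with SHA-256."""
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")


def sign(priv, tbs):
    return pow(_digest(tbs), priv["d"], priv["n"])            # unpadded: toy only


def verify(pub, tbs, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(tbs) % pub["n"]


def issue_certificate(issuer, issuer_priv, subject, subject_pub, serial, not_after):
    """Steps 3-4: after vetting, the CA signs the record (CA name, subscriber, its key, validity)."""
    tbs = {"issuer": issuer, "subject": subject, "public_key": subject_pub,
           "serial": serial, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(issuer_priv, tbs)}


def issue_crl(issuer, issuer_priv, revoked_serials, this_update):
    tbs = {"issuer": issuer, "revoked": sorted(revoked_serials), "this_update": this_update}
    return {"tbs": tbs, "signature": sign(issuer_priv, tbs)}   # time-stamped, CA-signed


def validate_chain(chain, trust_anchors, crls, now):
    """Chain verification, leaf first: each link signed by the next (or by a trust anchor),
    unexpired, and absent from a CRL that the same issuer signed."""
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if i + 1 < len(chain):
            issuer_tbs = chain[i + 1]["tbs"]
            if issuer_tbs["subject"] != tbs["issuer"]:
                return False
            issuer_pub = issuer_tbs["public_key"]
        elif tbs["issuer"] == tbs["subject"] and tbs["issuer"] in trust_anchors:
            issuer_pub = trust_anchors[tbs["issuer"]]          # self-signed root we hold
        else:
            return False
        if not verify(issuer_pub, tbs, cert["signature"]) or now > tbs["not_after"]:
            return False
        crl = crls.get(tbs["issuer"])
        if crl and (not verify(issuer_pub, crl["tbs"], crl["signature"])
                    or tbs["serial"] in crl["tbs"]["revoked"]):
            return False
    return True


def demo_results():
    """Root CA -> Merchant CA -> server, then the verdicts a validator must give (all constructed)."""
    root_pub, root_priv = generate_key_pair()
    ca_pub, ca_priv = generate_key_pair()
    leaf_pub = generate_key_pair()[0]                             # step 1 at the requester
    root = issue_certificate("Root CA", root_priv, "Root CA", root_pub, 1, not_after=2030)
    ca = issue_certificate("Root CA", root_priv, "Merchant CA", ca_pub, 2, not_after=2029)
    leaf = issue_certificate("Merchant CA", ca_priv, "shop.example", leaf_pub, 3, not_after=2015)
    anchors = {"Root CA": root_pub}                               # what relying parties hold
    clean = {"Root CA": issue_crl("Root CA", root_priv, [], 2014),
             "Merchant CA": issue_crl("Merchant CA", ca_priv, [], 2014)}
    revoking = {**clean, "Merchant CA": issue_crl("Merchant CA", ca_priv, [3], 2014)}
    tampered = json.loads(json.dumps(leaf))
    tampered["tbs"]["subject"] = "other.example"                  # edited after signing
    chain = [leaf, ca, root]
    return {"valid_chain": validate_chain(chain, anchors, clean, now=2014),
            "revoked_leaf": validate_chain(chain, anchors, revoking, now=2014),
            "expired_leaf": validate_chain(chain, anchors, clean, now=2016),
            "tampered_leaf": validate_chain([tampered, ca, root], anchors, clean, now=2014)}
```

The validator checks the CRL's own signature before trusting its contents; an unsigned or wrongly signed revocation list is treated as no list at all, which is the conservative choice when the status of a certificate cannot be established.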

Trusted versus Untrusted Networks

My Network (PAN/LAN): Fully Trusted / Partly Trusted
Our Network (LAN/MAN/WAN/WAI): Fully Trusted / Partly Trusted / Unsure
Other Networks (LAN/MAN/WAN/WAI): Partly Trusted / Untrusted

The Network Perimeter

A Network / Internetwork Perimeter is a secure boundary of a network that may include some or all of the following: Firewalls, Routers, IDS, VPN mechanisms, DMZ, Screened subnets.
A DMZ is outside the Firewall.
A Screened subnet is an isolated sub-network connected to a dedicated firewall interface.

Intrusion Detection System

An Intrusion Detection System (IDS) is a system that:
  comprises mechanisms / devices involving one or more Intrusion Detection Sensors (traffic monitoring devices / mechanisms) placed at security-wise strategic locations; and
  has been designed to detect any known or likely intrusion into the protected network.
Types of IDS:
  Network-based IDS (NIDS): Subnet-resident
  Host-based IDS (HIDS): Host-resident
Sensor reporting may involve several forms like logs, database

Internetwork Firewall

An internetwork security device that:
  serves on the only access route that connects the internal network / internetwork (i.e. the segment to be protected) to the external network(s) / internetwork(s); and
  decides about physically allowing / denying entry / exit to / from the protected segment using a set of policies (often manifested in terms of rules)
is called a Firewall.
A Firewall may be implemented in hardware / software / firmware or a combination of these.

Characteristics of Internet Firewalls

Characteristically, an Internet Firewall exhibits security measures and internetwork-control mechanisms related to, but not necessarily limited to:
  Internet services as separated from the intranet services
  Service-based directional traffic
  User-specific / Class-specific / Group-specific service access
  Service-usage / deployment behaviour
  Origin-specific / Destination-specific service / traffic / monitoring / QoS-security bindings
  Relaying / blocking / redirection of encapsulated and / or encrypted traffic
A common assumption (though debatable) made is that the Firewall itself is incorruptible / impenetrable.
A firewall works under the assumption that it is solely responsible for blockade / allowance of any traffic between two or more networks / internetworks separated by it.

What does a firewall do?

As part of an Internetwork Security System, a firewall:
  Allows defining exit and entry points for traffic from and to the internal protected network / intranet
  Offers a set of mechanisms and a set of locations / points for supervising security-sensitive activities / events / behaviour
  Provides network-level encapsulation, encryption, decryption, decapsulation and tunnelling services
  Permits the creation of variable-security facility zones that may also offer some functionalities not necessarily related to the security function that is the primary function of the firewall
  Supports creation and interpretation of structured logging mechanisms and files for a variety of purposes.

What does a Firewall not do?

A Firewall is not meant for:
  Virus / Worm / Trojan Horse / Logic bomb detection
  Virus / Worm / Trojan Horse / Logic bomb removal
  Semantic analysis of the application-to-application messages, with certain exceptions
  Protecting a network / internetwork from a trusted entity (client / server / user) or an internal authorized user with adequate privileges
  Protecting from power, link or protocol failure

Constituents & Types of a Firewall

Firewall Constituents (some of these can serve as firewalls as well):
  Application-level Gateways and Proxies
  Transport-level / Circuit-level Gateways and Proxies
  Network-level Gateways / Routers
  Packet filters (also known as Static Packet Filtering Firewalls)
  Bastion Host
  Screened Host
Types of Firewalls:
  Stateless Firewalls
  Stateful Inspection-based Firewalls
  Perimeter Firewalls
  Screened Host Firewalls
  Intranet Firewalls
  Internet Firewalls
  Extranet Firewalls
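To show what separates the Stateless and the Stateful Inspection-based types listed above, here is an added Python example that is not from the slides or from any firewall product: a packet filter in the sense of the earlier slide, a set of policies manifested as rules, where the first matching rule decides, the default is deny, and every decision is logged. A stateless filter can judge an inbound segment only by its header fields, so to let outbound web sessions work it must admit anything that looks like a reply (here: source port 443 with the ACK bit set), including segments nobody asked for. The stateful variant keeps a connection table instead and admits only replies to flows it has actually seen leave. The addresses, ports, rule set and sample traffic are all constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str     # "out": leaving the protected segment; "in": arriving at it
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK flag: all a stateless "established" rule has to go on


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    direction: str
    src: str           # CIDR
    dst: str           # CIDR
    proto: str = "any"
    sport: str = "any"
    dport: str = "any"
    ack: Optional[bool] = None   # None: don't care

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.sport in ("any", str(pkt.sport))
                and self.dport in ("any", str(pkt.dport))
                and (self.ack is None or self.ack == pkt.ack))


class StatelessFilter:
    """Static packet filter: first matching rule decides, otherwise deny; every decision logged."""

    def __init__(self, rules):
        self.rules = rules
        self.log = []

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return self._record(rule.action, pkt, "rule")
        return self._record("deny", pkt, "default")

    def _record(self, action, pkt, why):
        self.log.append({"action": action, "why": why, "pkt": pkt})   # structured log entry
        return action


class StatefulFilter(StatelessFilter):
    """Adds a connection table: an inbound packet is admitted as a reply only if the
    firewall has already allowed the matching outbound flow. Explicit rules still apply."""

    def __init__(self, rules):
        super().__init__(rules)
        self.table = set()

    def decide(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "in":
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.table:
                return self._record("allow", pkt, "established")
        action = super().decide(pkt)
        if action == "allow" and pkt.direction == "out":
            self.table.add(flow)
        return action


INTERNAL = "10.0.0.0/24"   # constructed protected segment
RULES = [
    Rule("allow", "out", INTERNAL, "0.0.0.0/0", "tcp", dport="443"),       # browsing out
    Rule("allow", "in", "0.0.0.0/0", "10.0.0.80/32", "tcp", dport="80"),   # published web server
]
STATELESS_RULES = RULES + [
    # Needed only without state: let "replies" in, judged by port and ACK bit alone.
    Rule("allow", "in", "0.0.0.0/0", INTERNAL, "tcp", sport="443", ack=True),
]

# Constructed traffic: a real session and its reply, a forged "reply" nobody asked for, an SSH probe.
SAMPLE = [
    Packet("out", "tcp", "10.0.0.5", 51000, "203.0.113.10", 443),
    Packet("in", "tcp", "203.0.113.10", 443, "10.0.0.5", 51000, ack=True),
    Packet("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 51000, ack=True),
    Packet("in", "tcp", "198.51.100.7", 4444, "10.0.0.5", 22),
]


def demo():
    """Run the same sample through both filter types; returns the decision lists."""
    stateless, stateful = StatelessFilter(STATELESS_RULES), StatefulFilter(RULES)
    return {"stateless": [stateless.decide(p) for p in SAMPLE],
            "stateful": [stateful.decide(p) for p in SAMPLE]}
```

The third packet is the one that tells the two types apart: it matches the stateless "established" rule on header fields alone, while the stateful filter finds no outbound flow for it and falls through to the default deny. The log entries record which rule (or the default) produced each verdict, which is the raw material for the structured logging the earlier slide lists among a firewall's functions.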

Examples of Commercial Firewalls

Static Packet Filtering Firewall (implemented on a Router): Example: Nortel's Accelar Router Firewall
Proxy Firewall: Example: Secure Computing's Sidewinder Firewall
Stateful Inspection-based Firewall: Example:

Virtual Private Networks

A Virtual Private Network (VPN) is a mechanism that allows establishment of a protected session between two network nodes / services located in / on two different protected networks / internetworks separated by unprotected / untrusted / insecure (often public) networks / channels / infrastructure.
Example: Nortel's Contivity, Cisco's VPN 3000 Concentrator
Another perspective: SSH, TLS, SSL, IPSec, L2TP, PPTP are choices providing different types of security at different layers.
Although all of these could be reused in an appropriately designed VPN mechanism, often the L-3 and L-2 mechanisms are preferred by many VPN designers.
Often, people refer to a VPN as a security device / mechanism on the perimeter of the protected network / internetwork that allows encrypted sessions.

Advantages of VPNs

Capability to access a remote network as if there exists a private channel to that network
Several security options available to provide a range of security
Adequacy of lower-strength encryption schemes on certain occasions
Cost-effective if well-designed, well-implemented and well-configured
Can be quickly implemented

Disadvantages of VPNs

The requirement of encryption, decryption, encapsulation and decapsulation induces a sizeable processing overhead, packet overhead and storage overhead, and may introduce latency as well as increase the cost of service.
In some cases, if designed ad hoc, certain network installations may pose additional challenges in adding the VPN functionality due to the added overhead in packet processing.
Intricate design issues, unless handled carefully, may actually serve to lower the network performance without really bringing a corresponding increase in the security level of the network.
Implementation issues include VPN pass-through issues, NAT-specific issues and MTU-size related issues.

Defining the Control Zone

The Control Zone: Consider a typical electronically controlled device like a tape drive, hard disk drive or other gadget that operates in an unshielded environment. Each such device emits signals that can be sensed within a zone called the Control Zone.
For security reasons, it is important that:
  No important information about any device operation leaks out of the target environment
  No external body should be able to make use of control or data signals related to this device

The Concept of Security Services

Authentication Service
Access Control Service
Availability Service
Confidentiality Service
Integrity Service
Identification: Author, Authorization, Endorsement, Approval, Access, Concurrence, Licensing, Certification, Signature, Witness, Validation, Timestamps, Authenticity, Ownership, Registration, Privacy / Confidentiality / Secrecy
Non-Repudiation Service

GSM network architecture

(Diagram: MS --Um-- BTS --A-bis-- BSC --A-- MSC, together with the HLR, VLR, AUC, EIR and OMC on the network side; the MSC connects to the PSTN/ISDN. Voice traffic and mobility management are carried over these interfaces.)
(c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/
800, 900, 1900 MHz
Licensed & expensive
Subscriber model
Started out like PSTN, and getting more complex
Pre-paid, premium rate SMS

WAP security architecture (Wireless Application Protocol)

(Figure: WAP security architecture)
(c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/

Bluetooth security architecture

(Figure: Bluetooth security architecture)
(c) http://www.cs.hut.fi/Opinnot/Tik-86.174/Bluetooth_Security.pdf

IEEE 802.11 architecture

(Figure: IEEE 802.11 architecture)
(c) Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prdc_mcc_ardu.asp

Mobile IP

(Figure: Mobile IP with a Foreign Agent (FA) and a Home Agent (HA))
(c) Source: http://www.iab.org/Workshops/IAB-wireless-workshop/
Binding update issue: If I change FA, how do I tell the home agent and the previous FA such that no-one else can spoof that message? And in a performant, scalable manner? Mobile IPv6 has this problem (no FA though, just a care-of address).

J2ME

J2ME includes some security primitives for code signing and to support (some) application security.
(c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/ & (c) Sun Microsystems Inc.

Common security issues

Over the air (OTA) confidentiality. But don't ignore e.g. microwave links used after a base station!
Data origin authentication / integrity for some data and some origins
Bad use of cryptography
Various types of fraud:
  Cloning of hosts
  Re-direction to premium rate
Authentication of node or user?

Security relevant differences

GSM's subscription model vs. 802.11's lack of a subscriber model

GSM Security

(Diagram: Mobile Station | Radio Link | GSM Operator. The SIM and the operator each hold the subscriber key Ki and the algorithms A3, A8 and A5. The operator sends the challenge RAND; both sides compute the signed response SRES = A3(Ki, RAND) and the cipher key Kc = A8(Ki, RAND); only SRES crosses the radio link. Each frame mi is then encrypted with A5 under Kc and the frame number Fn. Authentication: are the SRES values equal?)

GSM crypto breaks

Several researchers have developed breaks of GSM's use of encryption.
Typically involve some known plaintext and quite intensive (though do-able) memory and processing.
e.g. Goldberg, Wagner, Green: requires the difference in the plaintext of two GSM frames which are exactly 2^11 frames apart (6 seconds), with time complexity of 2^16 dot products of 114-bit vectors.
Base stations can also be impersonated: no authentication of the BSC to the ME!
(c) Source: http://choices.cs.uiuc.edu/MobilSec/posted_docs/

GSM Attack Details

GSM Encryption uses A5:
  A5/0 - no encryption
  A5/1 - strong encryption
  A5/2 - export (i.e. designed weak) encryption
All use a 64-bit key generated from the network's challenge.
Same key bits regardless of algorithm!!!
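The exchange drawn on the "GSM Security" slide, its one-way character (the BSC is never authenticated to the ME) and the point just made (the same Kc whichever A5 variant the network then names) can all be traced in code. The following Python is an added example, not from the lecture or from any GSM implementation. HMAC-SHA256 stands in for the operator-specific A3 and A8 (an assumption; the real A3/A8 are chosen by each operator and keyed by Ki), the IMSI, Ki and RAND sizes are constructed, and A5 is represented only by the cipher name the network announces. `kc_bound` is a hypothetical defensive variant that folds the cipher name into the key derivation; it is not part of GSM and is included only to show what "same key bits regardless of algorithm" costs.

```python
import hashlib
import hmac
import secrets


def a3(ki, rand):
    """Stand-in for the operator's A3: 32-bit signed response SRES (assumption: HMAC-SHA256)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """Stand-in for A8: the 64-bit cipher key Kc. Its inputs are Ki and RAND only."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def kc_for_cipher(ki, rand, cipher):
    """Key selection as the slide describes it: whichever A5/x the network names,
    the key bits are the same Kc = A8(Ki, RAND). The cipher argument is unused."""
    return a8(ki, rand)


def kc_bound(ki, rand, cipher):
    """Hypothetical defensive variant (NOT GSM): fold the negotiated cipher into the
    derivation, so a session forced onto a weaker A5 variant gets a different key."""
    return hmac.new(ki, b"A8" + rand + cipher.encode(), hashlib.sha256).digest()[:8]


class SIM:
    """Mobile-station side: holds Ki and answers whatever RAND it is handed."""

    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand):
        # Nothing here lets the SIM check who sent RAND: the scheme is one-way.
        return a3(self.ki, rand), a8(self.ki, rand)


class Operator:
    """Network side (HLR/AuC): provisions Ki, issues RAND, compares SRES, names the cipher."""

    def __init__(self):
        self.subscribers = {}    # imsi -> Ki
        self.pending = {}        # imsi -> RAND of the outstanding challenge

    def provision(self, imsi):
        ki = secrets.token_bytes(16)                  # constructed 128-bit Ki
        self.subscribers[imsi] = ki
        return SIM(imsi, ki)

    def challenge(self, imsi):
        if imsi not in self.subscribers:
            raise KeyError(imsi)
        rand = secrets.token_bytes(16)                # constructed 128-bit RAND
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi, sres, cipher="A5/1"):
        """Authentication: are the SRES values equal? Returns (cipher, Kc) or None.
        Each RAND is answered once, so a recorded SRES cannot be replayed."""
        rand = self.pending.pop(imsi, None)
        if rand is None or not hmac.compare_digest(a3(self.subscribers[imsi], rand), sres):
            return None
        return cipher, kc_for_cipher(self.subscribers[imsi], rand, cipher)


def run_session(operator, sim, cipher):
    """One exchange: RAND (network -> MS), SRES (MS -> network), then the cipher announcement."""
    rand = operator.challenge(sim.imsi)
    sres, kc_ms = sim.respond(rand)
    result = operator.verify(sim.imsi, sres, cipher)
    return {"authenticated": result is not None,
            "kc_match": result is not None and result[1] == kc_ms}


def demo():
    op = Operator()
    sim = op.provision("001010123456789")              # constructed IMSI
    good = run_session(op, sim, "A5/1")
    imposter = SIM(sim.imsi, secrets.token_bytes(16))  # same IMSI, different Ki
    bad = run_session(op, imposter, "A5/1")
    ki, rand = sim.ki, secrets.token_bytes(16)
    return {"authenticated": good["authenticated"],
            "kc_match": good["kc_match"],
            "wrong_ki_rejected": not bad["authenticated"],
            "gsm_kc_same_across_ciphers": kc_for_cipher(ki, rand, "A5/1") == kc_for_cipher(ki, rand, "A5/2"),
            "bound_kc_same_across_ciphers": kc_bound(ki, rand, "A5/1") == kc_bound(ki, rand, "A5/2")}
```

Two things to notice in the structure rather than the values: `SIM.respond` has no input by which it could reject a RAND from an impersonated base station, which is the one-way property the previous slide flags, and `kc_for_cipher` never looks at its cipher argument, which is exactly the "same key bits" observation above.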

GSM Attack Details (2)

A5 is a stream cipher, applied after the error-correcting bits are added:
  even though the attacker might not know the values of particular input bits,
  they know that certain groups of them XOR to 0;
  taking the same groups of encrypted bits and XORing them
  reveals the corresponding XOR of the keystream bits.

GSM Attack Details (3)

Numbers:
  A5/2 passive attack (eavesdropping) requires milliseconds of ciphertext!
  A5/1 ciphertext-only attack:
    5 minutes of intercepted frames (doesn't have to be one call)
    4.4 terabytes of disk
    a lab full of 2003 AD type PCs for a year's worth of one-time precomputation
Active attacks: bid down to A5/2

Wardriving / boating: IEEE 802.11 security

http://www.catalina42.org/war-sail/
Picking up IEEE 802.11 access points as you cycle / drive / fly / sail past. Many of these give (sometimes intentionally) open access to the Internet.

802.11 security overview

A good setup depends on the network topology; there are a few choices.
WEP is broken and IPsec should be used instead as much as possible (probably in tunnel mode).
TLS should then be used wherever sensible above IPsec (e.g. IMAP over SSL).
Then secure applications should be used where possible, probably based on proprietary protocols (which may make use of standard constructs like PKCS#7).

WEP Encapsulation

(Diagram: Encapsulate: 802.11 Hdr | Data  ->  802.11 Hdr | IV | Data | ICV; Decapsulate reverses it.)
WEP Encapsulation Summary:
  Encryption Algorithm = RC4
  Per-packet encryption key = 24-bit IV concatenated to a pre-shared key
  WEP allows the IV to be reused with any frame
  Data integrity provided by CRC-32 of the plaintext data (the ICV)
  Data and ICV are encrypted under the per-packet encryption key

Properties of Vernam Ciphers (1)

The WEP encryption algorithm RC4 is a Vernam Cipher:
(Diagram: Encryption Key K -> Pseudo-random number generator -> Random byte b; Plaintext data byte p ⊕ b = Ciphertext data byte c)
Decryption works the same way: p = c ⊕ b

Properties of Vernam Ciphers (2)

Thought experiment 1: what happens when p1 and p2 are encrypted under the same random byte b?
  c1 = p1 ⊕ b,  c2 = p2 ⊕ b
Then: c1 ⊕ c2 = (p1 ⊕ b) ⊕ (p2 ⊕ b) = p1 ⊕ p2
Conclusion: it is a very bad idea to encrypt any two bytes of data using the same byte output by a Vernam Cipher PRNG.

How to Read WEP Encrypted Traffic (1)

By the Birthday Paradox, the probability P_n that two packets will share the same IV after n packets is P_2 = 1/2^24 after two frames and P_n = P_(n-1) + (n-1)(1 - P_(n-1))/2^24 for n > 2.
A 50% chance of a collision exists already after only 4823 packets!!!
Pattern recognition can disentangle the XOR-ed recovered plaintext.
The recovered ICV can tell you when you've disentangled the plaintext correctly.
After only a few hours of observation, you can recover all 2^24 key streams.
(Diagram: 802.11 Hdr | IV (24 luxurious bits) | Data | ICV, with Data and ICV encrypted under Key + IV using a Vernam Cipher)
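The two Vernam-cipher slides and the birthday-paradox slide above can be reproduced on WEP-shaped frames. The following Python is an added example and is not from the lecture or from any 802.11 implementation: a from-scratch RC4 (the standard key-scheduling and output loops), WEP encapsulation as summarised two slides back (clear IV, then RC4(IV || key) applied to Data || CRC-32 ICV), the p1 ⊕ p2 leak from two frames that share an IV, and the IV-collision recurrence P_n = P_(n-1) + (n-1)(1 - P_(n-1))/2^24 iterated until it first reaches one half. The 40-bit key, the IVs and the plaintexts are constructed; the little-endian byte order of the ICV is an assumption of the toy, not something the slides specify.

```python
import struct
import zlib


def rc4_keystream(key, length):
    """Plain RC4: key scheduling, then the pseudo-random generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP's integrity check value: CRC-32 of the plaintext (little-endian here, an assumption)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encapsulate(key, iv, data):
    """Frame body = IV || RC4(IV || key) applied to (data || ICV). The IV travels in the clear."""
    body = data + icv(data)
    return iv + xor_bytes(body, rc4_keystream(iv + key, len(body)))


def wep_decapsulate(key, frame):
    """Returns (data, icv_ok). The receiver rebuilds the per-packet key from the clear IV."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(ct, rc4_keystream(iv + key, len(ct)))
    data, received_icv = body[:-4], body[-4:]
    return data, received_icv == icv(data)


def keystream_reuse_leak(key, iv, p1, p2):
    """The thought experiment on whole frames: two equal-length plaintexts sent under one IV.
    Returns (c1 ⊕ c2 over the data bytes, p1 ⊕ p2); the two are identical, so the ciphertexts
    alone give away p1 ⊕ p2 without the key ever being involved."""
    c1 = wep_encapsulate(key, iv, p1)[3:3 + len(p1)]
    c2 = wep_encapsulate(key, iv, p2)[3:3 + len(p2)]
    return xor_bytes(c1, c2), xor_bytes(p1, p2)


def iv_collision_probability(n, iv_bits=24):
    """The slide's recurrence: P_2 = 1/2^24 and P_n = P_(n-1) + (n-1)(1 - P_(n-1))/2^24."""
    space = 2 ** iv_bits
    p = 0.0
    for k in range(2, n + 1):
        p += (k - 1) * (1 - p) / space
    return p


def packets_for_half_chance(iv_bits=24):
    """Smallest n with P_n >= 1/2, i.e. the slide's '50% after 4823 packets'."""
    space = 2 ** iv_bits
    p, n = 0.0, 1
    while p < 0.5:
        n += 1
        p += (n - 1) * (1 - p) / space
    return n


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")                       # constructed 40-bit WEP key
    frame = wep_encapsulate(key, b"\x00\x00\x01", b"csc461 lecture frame")
    print("frame:", frame.hex(), "->", wep_decapsulate(key, frame))
    leaked, truth = keystream_reuse_leak(key, b"\x00\x00\x01", b"meeting at noon", b"lecture at five")
    print("c1^c2 == p1^p2:", leaked == truth)
    print("packets for a 50% IV collision:", packets_for_half_chance())
```

This is the IV-reuse weakness that the "Fixing WEP" slide further on addresses: TKIP derives a fresh per-packet key instead of reusing RC4(IV || key), and the AES-based replacement drops RC4 and the linear CRC-32 ICV altogether in favour of a keyed integrity check.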

How to Read WEP Encrypted Traffic (2)

Ways to accelerate the process:
  Send spam into the network: no pattern recognition required!
  Get the victim to send e-mail to you: the AP creates the plaintext for you!
  Decrypt packets from one Station to another via an Access Point: if you know the plaintext on one leg of the journey, you can recover the key stream immediately on the other.

Fixing WEP

Protect against ALL known threats: IV Collisions, Weak Keys, Message Forgery, Replay.
Two alternatives: short-term and long-term.
Short-term: Temporal Key Integrity Protocol (TKIP)
  Does not require new hardware (but firmware / software)
  Some performance penalty
Longer term: Move to AES-based primitives with proper key management
The 802.11x security scheme
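A small configuration audit that turns this slide's checklist into something an administrator can run over an access-point configuration. This is an added example, not from the lecture; the option names (wep_default_key, wep_key0, wpa, wpa_pairwise, rsn_pairwise) follow hostapd.conf, and the three sample configurations (legacy WEP, the short-term TKIP fix, the long-term AES/CCMP fix) are constructed.

```python
"""Check a hostapd-style WLAN configuration against the threats the slide lists
(WEP's IV collisions, weak keys, forgery, replay) and against the two fixes
(TKIP in the short term, AES/CCMP in the long term).
Added example, not from the lecture; option names are hostapd's, the sample
configurations below are constructed."""


def parse_kv_config(text: str) -> dict:
    """Minimal key=value parser: skips blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit_wlan_config(text: str) -> list:
    """Return finding codes, most severe first; an empty list means nothing flagged."""
    conf = parse_kv_config(text)
    findings = []
    uses_wep = "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf)
    wpa_mode = conf.get("wpa", "0")            # hostapd: 0 none, 1 WPA, 2 WPA2/RSN, 3 both
    if uses_wep:
        findings.append("WEP")                 # 24-bit IVs collide, keystreams repeat
    elif wpa_mode == "0":
        findings.append("OPEN")                # no link-layer encryption at all
    if wpa_mode in ("1", "3"):
        findings.append("WPA1")                # TKIP-era short-term fix only
    ciphers = set(conf.get("wpa_pairwise", "").split()) | set(conf.get("rsn_pairwise", "").split())
    if "TKIP" in ciphers:
        findings.append("TKIP")                # RC4 still underneath: migrate to AES
    if wpa_mode in ("2", "3") and "CCMP" not in ciphers:
        findings.append("NO_CCMP")             # RSN enabled but the AES cipher not selected
    return findings


# Constructed sample configurations (values are placeholders, not real deployments).
WEAK_CONFIG = """
interface=wlan0
ssid=campus-legacy
wep_default_key=0
wep_key0=0102030405
"""

INTERIM_CONFIG = """
interface=wlan0
ssid=campus-interim
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CONSTRUCTED-SAMPLE-PASSPHRASE
wpa_pairwise=TKIP
rsn_pairwise=CCMP
"""

FIXED_CONFIG = """
interface=wlan0
ssid=campus
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CONSTRUCTED-SAMPLE-PASSPHRASE
rsn_pairwise=CCMP
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("interim", INTERIM_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name:8s} -> {audit_wlan_config(cfg) or 'ok'}")
```

The ordering of checks mirrors the slide: anything that still uses WEP is flagged before anything else, a WPA1/TKIP configuration is accepted only as the short-term fix, and a configuration passes cleanly only when RSN with CCMP (the AES-based primitive) is selected.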
A reasonable 802.11 configuration
http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
WLAN topologies
Sensible network topologies: corporate (small WLAN), corporate (widespread WLAN), service provider, volunteerism.
Network topology issues: network access, address allocation (DHCP), NAT/private addresses, firewall location and rulesets.
Some Interesting Networks
Mobile Ad-hoc networks: the idea is that a network emerges from nodes which just happen to be in the vicinity (AODV).
Delay tolerant networks
Sensor networks
Issues: mainly academic at the moment; security not really thought all the way through for these yet.
Pervasive / Ubiquitous Computing
What if loads and loads of things (doors, TVs, couches) were nodes on a network? Hot topic.
How do you secure these systems?
TCD and partners' SECURE project: http://secure.dsg.cs.tcd.ie/
Conclusions (1)
There are a range of different types of mobile network; GSM and 802.11 are the interesting ones.
Security hasn't been handled well for these (nor was it for the wired Internet for a loooong time!).
There are substantial security problems with today's deployed mobile networks.
So, overlaying a VPN is probably a good idea in most cases; overlay that with TLS, and that with application security, if you can.
Conclusions (2)
Users are generally less in control of mobile networks: bandwidth is allocated; the Manufacturer/Operator/Subscriber model differs from the wired Internet (e.g. closed operating systems); network security is given and not easily fixed/managed.
So, try to gain control of your applications and try to secure the applications themselves. Better if wireless technology changes anyway; can create a porting headache though.
Acknowledgements
(c) Rahul Banerjee, BITS, Pilani (India)
Some of these slides have been inspired by / borrowed from some well-received presentations made in different parts of the world.
All inspired / reused slides either carry their respective copyright information on them or have been acknowledged about their sources in a group just after / before their respective usage herein.
These slides are being used here purely for instructional purposes during a live session for the registered students of
Any questions?
Thank you!
Case Study of a Network-Based Multi-site Collaboration System Design
BITS-Connect 2.0, built atop the MPLS Cloud, not cloud computing!
Project BITS-Connect 2.0
The Immersive Tele-presence Rooms
This is how an 18-seater immersive tele-presence room looks at all the Indian campuses.
The Chancellor's office is equipped with one two-seater system.