INSF 612 Review (transcript of the review slides)

Chapter 4: Network Layer
Chapter goals:
• understand principles behind network layer services:
– routing (path selection)
– dealing with scale
– how a router works
– advanced topics: IPv6, multicast
• instantiation and implementation in the Internet

Overview:
• network layer services
• routing principle: path selection
• hierarchical routing
• IP
• Internet routing protocols
– intra-domain
– inter-domain
• what's inside a router?
• IPv6
• multicast routing

Highlights
• Packet switching and circuit switching
• Routing Algorithms
– Dijkstra and Bellman-Ford
– Performance
– Scalability
– Stability
• Know how to compute routes
– Change in link cost
– Poisoned reverse

Comparison of LS and DV algorithms
Message complexity
• LS: with n nodes, E links, O(nE) msgs sent
• DV: exchange between neighbors only
– convergence time varies
Speed of Convergence
• LS: O(n^2) algorithm requires O(nE) msgs
– may have oscillations
• DV: convergence time varies
– may be routing loops
– count-to-infinity problem

Robustness: what happens if router malfunctions?
LS:
– node can advertise incorrect link cost
– each node computes only its own table, so the damage stays local
DV:
– DV node can advertise incorrect path cost
– each node's table is used by others
• error propagates through the network: a single misconfigured or malicious router can pull other nodes' traffic toward itself
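The points above (route computation, the link-cost change, poisoned reverse, and the DV robustness problem) worked through in code. This is an added example, not part of the review slides: the topologies, the synchronous round model, and the "liar" router that advertises cost 0 to every destination are constructed for illustration.

```python
"""Distance-vector (Bellman-Ford) routing on a constructed topology. Shows
how routes are computed, the count-to-infinity behaviour after a link-cost
increase, how poisoned reverse shortens it, and how a single router that
advertises false costs pulls other nodes' traffic toward itself."""
from typing import Dict, Optional, Tuple

INF = float("inf")
Links = Dict[Tuple[str, str], float]                        # (u, v) -> cost, undirected
Table = Dict[str, Dict[str, Tuple[float, Optional[str]]]]   # x -> dst -> (cost, next hop)


def neighbors(links: Links) -> Dict[str, Dict[str, float]]:
    nbrs: Dict[str, Dict[str, float]] = {}
    for (u, v), c in links.items():
        nbrs.setdefault(u, {})[v] = c
        nbrs.setdefault(v, {})[u] = c
    return nbrs


def initial_table(links: Links) -> Table:
    """Each node starts knowing only the cost of its own links."""
    nbrs = neighbors(links)
    table: Table = {}
    for x in nbrs:
        table[x] = {d: (INF, None) for d in nbrs}
        table[x][x] = (0, x)
        for n, c in nbrs[x].items():
            table[x][n] = (c, n)
    return table


def run_dv(links: Links, table: Optional[Table] = None, poison_reverse: bool = True,
           liar: Optional[str] = None, max_rounds: int = 500) -> Tuple[Table, int]:
    """Run synchronous DV rounds until no table changes. Returns (tables, rounds).
    `liar` names a router that advertises cost 0 to every destination."""
    nbrs = neighbors(links)
    nodes = sorted(nbrs)
    table = {x: dict(row) for x, row in (table or initial_table(links)).items()}
    for rnd in range(1, max_rounds + 1):
        # 1. Every node builds the vector it sends to each neighbour n.
        adverts: Dict[Tuple[str, str], Dict[str, float]] = {}
        for x in nodes:
            for n in nbrs[x]:
                vec = {}
                for d in nodes:
                    cost, hop = table[x][d]
                    if x == liar:
                        cost = 0                      # malicious advertisement
                    elif poison_reverse and d != x and hop == n:
                        cost = INF                    # poisoned reverse
                    vec[d] = cost
                adverts[(x, n)] = vec
        # 2. Bellman-Ford update: D_x(d) = min over n of c(x, n) + D_n(d).
        changed = False
        for x in nodes:
            for d in nodes:
                if d == x:
                    continue
                best = (nbrs[x][d], d) if d in nbrs[x] else (INF, None)
                for n, c in nbrs[x].items():
                    via = c + adverts[(n, x)][d]
                    if via < best[0]:
                        best = (via, n)
                if best != table[x][d]:
                    table[x][d] = best
                    changed = True
        if not changed:
            return table, rnd
    return table, max_rounds


if __name__ == "__main__":
    # Link-cost change from the lecture: x-y goes from 4 to 60.
    links = {("x", "y"): 4, ("y", "z"): 1, ("x", "z"): 50}
    converged, _ = run_dv(links)
    links[("x", "y")] = 60
    _, slow = run_dv(links, converged, poison_reverse=False)
    _, fast = run_dv(links, converged, poison_reverse=True)
    print("rounds to reconverge: without poisoned reverse", slow, "/ with", fast)
    # A router that lies: C claims cost 0 to everything and captures A's traffic to D.
    square = {("A", "B"): 1, ("A", "C"): 1, ("B", "D"): 1, ("C", "D"): 3}
    print("A->D honest:", run_dv(square)[0]["A"]["D"],
          "with liar C:", run_dv(square, liar="C")[0]["A"]["D"])
```

The liar case is the DV robustness point in practice: C never touches A's table directly, yet A now forwards to C because A trusts what C advertises. Nothing in plain DV authenticates or sanity-checks a neighbour's vector.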

Hierarchical Routing
scale: with 50 million destinations:
• can't store all dest's in routing tables!
• routing table exchange would swamp links!
administrative autonomy
• internet = network of networks
• each network admin may want to control routing in its own network
Our routing study thus far - idealization
• all routers identical
• network "flat"
… not true in practice

Intra-AS and Inter-AS routing
[Figure: hosts h1 and h2 connected through autonomous systems A, B and C; gateway routers A.a, A.c, B.a, C.b. Labels: "Intra-AS routing within AS A", "Inter-AS routing between A and B", "Intra-AS routing within AS B".]
• We'll examine specific inter-AS and intra-AS Internet routing protocols shortly

The Internet Network layer
Host, router network layer functions:
• Routing protocols: path selection; RIP, OSPF, BGP
• IP protocol: addressing conventions, datagram format, packet handling conventions
• ICMP protocol: error reporting, router "signaling"
[Figure: the network layer sits between the transport layer (TCP, UDP) and the link and physical layers; the routing protocols fill the routing table that IP forwarding consults.]

IP Addressing: introduction
• IP address: 32-bit identifier for host, router interface
• interface: connection between host, router and physical link
– routers typically have multiple interfaces
– host may have multiple interfaces
– IP addresses associated with interface, not host, router
[Figure: three subnets. 223.1.1.1, 223.1.1.2, 223.1.1.3 and router interface 223.1.1.4; router interface 223.1.2.9 with 223.1.2.1, 223.1.2.2; router interface 223.1.3.27 with 223.1.3.1, 223.1.3.2.]
223.1.1.1 = 11011111 00000001 00000001 00000001
             223      1        1        1

IP Fragmentation and Reassembly
One large datagram becomes several smaller datagrams:

  original:    ID=x  offset=0     fragflag=0  length=4000
  fragment 1:  ID=x  offset=0     fragflag=1  length=1500
  fragment 2:  ID=x  offset=1480  fragflag=1  length=1500
  fragment 3:  ID=x  offset=2960  fragflag=0  length=1040

(offsets shown in bytes; the 13-bit fragment offset field in the header carries offset/8, i.e. 0, 185 and 370; each fragment repeats the 20-byte header, so 4000 bytes of datagram = 20 + 3980 data bytes, split 1480 + 1480 + 1020)
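The fragmentation above, reproduced in code together with the receive side the slide leaves implicit. This is an added example, not from the review slides: it assumes a 20-byte header without options and a caller-supplied identification value, and its reassembler rejects overlapping fragments rather than silently choosing one copy, which is the behaviour a firewall or IDS reassembler needs.

```python
"""IPv4 fragmentation worked through with the figure's numbers (4000-byte
datagram, 1500-byte MTU), plus a reassembler that refuses overlapping or
inconsistent fragments instead of guessing which copy of a byte is right.
Simplified model: 20-byte header, no options, identification is given."""
from dataclasses import dataclass
from typing import List

IP_HDR = 20           # header length without options (assumed)
MAX_DATAGRAM = 65535  # 16-bit total length field


@dataclass
class Fragment:
    ident: int
    offset: int       # fragment offset as carried in the header: bytes / 8
    more: bool        # MF flag ("fragflag" in the figure)
    length: int       # total length including header
    data: bytes


def fragment(ident: int, payload: bytes, mtu: int) -> List[Fragment]:
    """Split payload so every fragment fits in mtu. All but the last fragment
    carry a multiple of 8 data bytes, because the offset field counts in 8s."""
    if mtu < IP_HDR + 8:
        raise ValueError("MTU too small to carry a fragment")
    if IP_HDR + len(payload) <= mtu:
        return [Fragment(ident, 0, False, IP_HDR + len(payload), payload)]
    chunk = (mtu - IP_HDR) // 8 * 8                # 1480 for a 1500-byte MTU
    frags = []
    for start in range(0, len(payload), chunk):
        data = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append(Fragment(ident, start // 8, more, IP_HDR + len(data), data))
    return frags


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the payload. Rejects fragments from different datagrams, gaps,
    overlaps, a missing or duplicated last fragment, non-final fragments whose
    size is not a multiple of 8, and totals the length field could not hold."""
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0          # next byte offset we must see
    total = None
    for f in ordered:
        start = f.offset * 8
        if start != expected:
            kind = "overlap" if start < expected else "gap"
            raise ValueError("%s at byte offset %d" % (kind, start))
        if f.length != IP_HDR + len(f.data):
            raise ValueError("length field disagrees with data")
        if f.more and len(f.data) % 8:
            raise ValueError("non-final fragment not a multiple of 8 bytes")
        if not f.more:
            if total is not None:
                raise ValueError("two fragments claim to be the last one")
            total = start + len(f.data)
        expected = start + len(f.data)
        if IP_HDR + expected > MAX_DATAGRAM:
            raise ValueError("reassembled datagram would exceed 65535 bytes")
    if total is None or total != expected:
        raise ValueError("last fragment missing or not at the end")
    return b"".join(f.data for f in ordered)


def is_rejected(frags: List[Fragment]) -> bool:
    """True if reassemble() refuses this fragment set."""
    try:
        reassemble(frags)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = bytes(range(256)) * 15 + bytes(140)   # 3980 data bytes -> 4000-byte datagram
    for f in fragment(0x1234, payload, 1500):
        print("ID=%#x offset=%d (x8 = %d bytes) MF=%d length=%d"
              % (f.ident, f.offset, f.offset * 8, f.more, f.length))
```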

Why different Intra- and Inter-AS routing?
Policy:
• Inter-AS: admin wants control over how its traffic is routed, who routes through its net.
• Intra-AS: single admin, so no policy decisions needed
Scale:
• hierarchical routing saves table size, reduced update traffic
Performance:
• Intra-AS: can focus on performance
• Inter-AS: policy may dominate over performance

Router Architecture Overview
Two key router functions:
• run routing algorithms/protocol (RIP, OSPF, BGP)
• switching datagrams from incoming to outgoing link

IPv6
• Initial motivation: 32-bit address space expected (at the time) to be completely allocated by 2008; IPv6 addresses are 128 bits.
• Additional motivation:
– header format helps speed processing/forwarding
– header changes to facilitate QoS
– new "anycast" address: route to "best" of several replicated servers
• IPv6 datagram format:
– fixed-length 40 byte header
– no fragmentation by routers: only the sending host may fragment (via an extension header); a router that cannot forward a packet reports it with ICMPv6 instead of splitting it in transit

Chapter 7: Network security
Foundations:
• what is security?
• cryptography
• authentication
• message integrity
• key distribution and certification
Security in practice:
• application layer: secure e-mail
• transport layer: Internet commerce, SSL, SET
• network layer: IP security

Symmetric key cryptography
substitution cipher: substituting one thing for another
– monoalphabetic cipher: substitute one letter for another
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher?
• brute force (how hard?)
• other?
A: brute force means 26! (about 4 x 10^26) keys, but the cipher preserves letter frequencies, so frequency analysis of a few hundred characters of ciphertext recovers the key without any brute force.
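The cipher above in code, with the two answers to the slide's question made concrete: the size of the key space, and the property that defeats it (the multiset of letter counts is identical before and after substitution). Added example, not from the review slides; the key is the slide's, the test sentences are constructed.

```python
"""Monoalphabetic substitution cipher with the lecture's key, the size of its
key space, and the leak that makes it easy to break: letter frequencies
survive the substitution unchanged."""
from collections import Counter
from math import factorial
from string import ascii_lowercase
from typing import List

PLAIN = ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"          # key from the slide
assert sorted(CIPHER) == list(PLAIN)           # a key must be a permutation

ENC = {p: c for p, c in zip(PLAIN, CIPHER)}
DEC = {c: p for p, c in ENC.items()}


def encrypt(text: str, key=ENC) -> str:
    """Letters are substituted; spaces and punctuation pass through, as on the slide."""
    return "".join(key.get(ch, ch) for ch in text.lower())


def decrypt(text: str, key=DEC) -> str:
    return "".join(key.get(ch, ch) for ch in text)


def key_space() -> int:
    """Number of possible keys: every permutation of the 26 letters."""
    return factorial(26)


def frequency_profile(text: str) -> List[int]:
    """Letter counts sorted high to low. Plaintext and its ciphertext give the
    same list, which is exactly what frequency analysis exploits."""
    counts = Counter(ch for ch in text.lower() if ch in PLAIN)
    return sorted(counts.values(), reverse=True)


def most_common_letter(text: str) -> str:
    counts = Counter(ch for ch in text.lower() if ch in PLAIN)
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    ct = encrypt("bob. i love you. alice")
    print(ct, "->", decrypt(ct))
    print("keys to brute force:", key_space())
    print("profile preserved:", frequency_profile("bob. i love you. alice") == frequency_profile(ct))
```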

Public Key Cryptography
symmetric key crypto
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never "met")?
public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• encryption key public (known to all)
• decryption key private (known only to receiver)

RSA: Choosing keys
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are "relatively prime").
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
5. Public key is (n,e). Private key is (n,d).

Digital Signatures
Cryptographic technique analogous to hand-written signatures.
• Sender (Bob) digitally signs document, establishing he is document owner/creator.
• Verifiable, nonforgeable: recipient (Alice) can verify that Bob, and no one else, signed document.
Simple digital signature for message m:
• Bob encrypts m with his private key dB, creating signed message, dB(m). (It must be the private key: only Bob holds dB, so only Bob can produce dB(m).)
• Bob sends m and dB(m) to Alice.
• Alice applies Bob's public key eB to the signature and checks that eB(dB(m)) = m.

Hash Function Algorithms
• Internet checksum would make a poor message digest.
– Too easy to find two messages with same checksum.
• MD5 hash function widely used.
– Computes 128-bit message digest in 4-step process.
– arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x.
• SHA-1 is also used.
– US standard
– 160-bit message digest
• Caveat (after these slides were written): practical collisions have been demonstrated for both MD5 and SHA-1, so neither should be used where collision resistance matters (signatures, certificates); SHA-2 or SHA-3 are the current choices.
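The first bullet above ("too easy to find two messages with the same checksum") demonstrated. Added example, not from the review slides: it implements the RFC 1071 Internet checksum, produces a collision by reordering words, and shows the attack that matters for integrity, altering a field and then repairing the checksum through a filler word the attacker controls. The "transaction" message and its filler field are constructed; SHA-256 stands in for the cryptographic digest.

```python
"""Why the Internet checksum is a poor message digest. It is a 16-bit one's
complement sum of words, so (1) reordering words leaves it unchanged and
(2) after altering a message an attacker can fix the sum by adjusting one
16-bit field. A cryptographic hash (SHA-256 here) has neither weakness."""
import hashlib
from typing import Optional


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                   # odd trailing byte is zero-padded
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF


def swap_words(message: bytes) -> bytes:
    """A different message with the same checksum: the sum is commutative,
    so exchanging the first two words changes the bytes but not the result."""
    if len(message) < 4 or message[0:2] == message[2:4]:
        raise ValueError("need at least two distinct leading words")
    return message[2:4] + message[0:2] + message[4:]


def patch_to_match(message: bytes, slot: int, target: int) -> Optional[bytes]:
    """Set the 16-bit word at word-aligned byte offset `slot` (a filler field the
    attacker controls) so that the checksum equals `target`. At most 65536 tries;
    a solution always exists because one word ranges over every residue."""
    if slot % 2 or slot + 2 > len(message):
        raise ValueError("slot must be a word-aligned 16-bit field inside the message")
    for w in range(0x10000):
        candidate = message[:slot] + w.to_bytes(2, "big") + message[slot + 2:]
        if internet_checksum(candidate) == target:
            return candidate
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed "transaction" with a two-byte filler field at the end.
    original = b"amount=0010;to=bob\x00\x00"
    tampered = b"amount=9999;to=bob\x00\x00"
    forged = patch_to_match(tampered, 18, internet_checksum(original))
    print("checksums equal:", internet_checksum(forged) == internet_checksum(original))
    print("sha256 equal:   ", sha256_hex(forged) == sha256_hex(original))
```

The same reasoning applies to any linear check (CRCs included): they catch accidental corruption, not deliberate modification, which is why integrity against an adversary needs a keyed MAC or a signature over a cryptographic hash.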


Key Distribution Center (KDC)
• Alice, Bob need shared symmetric key.
• KDC: server shares different secret key with each registered user.
• Alice, Bob know own symmetric keys, KA-KDC and KB-KDC, for communicating with KDC.
• Alice communicates with KDC, gets session key R1, and KB-KDC(A,R1)
• Alice sends Bob KB-KDC(A,R1), Bob extracts R1
• Alice, Bob now share the symmetric key R1.
• Caveat: as sketched there are no nonces or timestamps, so Bob cannot tell a fresh KB-KDC(A,R1) from a replayed one; deployed KDC protocols such as Kerberos add timestamps and nonces for exactly this reason.

Certification Authorities
• Certification authority (CA) binds public key to particular entity.
• Entity (person, router, etc.) can register its public key with CA.
– Entity provides "proof of identity" to CA.
– CA creates certificate binding entity to public key.
– Certificate digitally signed by CA.
• When Alice wants Bob's public key:
– gets Bob's certificate (from Bob or elsewhere).
– applies CA's public key to the certificate's signature; if it verifies, the public key inside is Bob's. Alice must also check that the name in the certificate is the Bob she wants, not merely that some trusted CA signed it.
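The RSA key-generation steps, the digital signature, and the certificate check above, carried through in one runnable piece. Added example, not from the review slides: it uses fixed Mersenne primes so the run is reproducible, signs a SHA-256 digest reduced into Z_n (textbook RSA with no padding, for illustration of the mechanism only), and encodes the certificate body as canonical JSON, which is a stand-in for the real certificate format.

```python
"""Textbook RSA key generation following the five steps above, a hash-then-sign
digital signature made with the PRIVATE key and checked with the public key,
and a toy certification authority that binds a name to a public key. Example
code: fixed small primes, no padding, for illustration of the mechanism only."""
import hashlib
import json
from math import gcd
from typing import Dict, Tuple

Key = Tuple[int, int]   # (n, e) for public, (n, d) for private


def rsa_keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Steps 1-5: p, q prime (the caller's responsibility here); n = pq;
    z = (p-1)(q-1); e relatively prime to z; d with e*d mod z == 1."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e and z are not relatively prime; pick another e")
    d = pow(e, -1, z)                       # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_int(message: bytes, n: int) -> int:
    # Sign a hash of the message, reduced into Z_n. Real schemes pad the hash
    # instead of reducing it; this is the toy version of "sign H(m)".
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private: Key, message: bytes) -> int:
    n, d = private
    return pow(_digest_int(message, n), d, n)                 # dB(H(m))


def verify(public: Key, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest_int(message, n)   # eB(dB(H(m))) == H(m)


def _canonical(body: Dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private: Key, subject: str, subject_public: Key) -> Dict:
    """CA binds the subject's name to its public key and signs the binding."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {"body": body, "sig": sign(ca_private, _canonical(body))}


def public_key_from_certificate(ca_public: Key, cert: Dict, expected_subject: str) -> Key:
    """Apply the CA's public key to the certificate. The key inside is trusted
    only if the CA signature verifies AND the name is the one we asked for."""
    body = cert["body"]
    if body["subject"] != expected_subject:
        raise ValueError("certificate names %r, not %r" % (body["subject"], expected_subject))
    if not verify(ca_public, _canonical(body), cert["sig"]):
        raise ValueError("CA signature does not verify: certificate altered or forged")
    return body["n"], body["e"]


def certificate_accepted(ca_public: Key, cert: Dict, expected_subject: str) -> bool:
    try:
        public_key_from_certificate(ca_public, cert, expected_subject)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Mersenne primes as fixed "large" primes so the run is reproducible.
    ca_pub, ca_priv = rsa_keygen((1 << 19) - 1, (1 << 17) - 1)
    bob_pub, bob_priv = rsa_keygen((1 << 31) - 1, (1 << 61) - 1)
    cert = issue_certificate(ca_priv, "bob", bob_pub)
    msg = b"bob. i love you. alice"
    sig = sign(bob_priv, msg)
    key = public_key_from_certificate(ca_pub, cert, "bob")
    print("signature verifies with key taken from certificate:", verify(key, msg, sig))
```

Two things the code makes explicit that the slides only imply: signing uses d (the private exponent), and a certificate check has two parts, the CA signature and the subject name. Skipping the name check is how a valid certificate for the wrong party gets accepted.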

Pretty good privacy (PGP)
• Internet e-mail encryption scheme, a de-facto standard.
• Uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
• Provides secrecy, sender authentication, integrity.
• Inventor, Phil Zimmermann, was target of 3-year federal investigation.
A PGP signed message:
---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1

Bob: My husband is out of town tonight. Passionately yours, Alice

---BEGIN PGP SIGNATURE---
Version: PGP 5.0
Charset: noconv

yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---

Secure sockets layer (SSL)
• PGP provides security for a specific network app.
• SSL works at transport layer. Provides security to any TCP-based app using SSL services. (SSL has since been superseded by TLS; the design below is the same.)
• SSL: used between WWW browsers, servers for I-commerce (https).
• SSL security services:
– server authentication
– data encryption
– client authentication (optional)
• Server authentication:
– SSL-enabled browser includes public keys for trusted CAs.
– Browser requests server certificate, issued by trusted CA.
– Browser verifies the CA's signature with the CA's public key and extracts server's public key from certificate; the name in the certificate must match the server being visited.
• Visit your browser's security menu to see its trusted CAs.

IPsec: Network Layer Security
• Network-layer secrecy:
– sending host encrypts the data in IP datagram
– TCP and UDP segments; ICMP and SNMP messages.
• Network-layer authentication
– destination host can authenticate source IP address
• Two principal protocols:
– authentication header (AH) protocol
– encapsulating security payload (ESP) protocol
• For both AH and ESP, source, destination handshake:
– create network-layer logical channel called a security association (SA)
• Each SA unidirectional.
• Uniquely determined by:
– security protocol (AH or ESP)
– destination IP address
– 32-bit connection ID (the Security Parameter Index, SPI, carried in the AH/ESP header)

Network Security (summary)
Basic techniques…
• cryptography (symmetric and public)
• authentication
• message integrity
… used in many different security scenarios
• secure email
• secure transport (SSL)
• IPsec
See also: firewalls, in network management

Chapter 8: Network Management
Chapter goals:
• introduction to network management
– motivation
– major components
• Internet network management framework
– MIB: management information base
– SMI: data definition language
– SNMP: protocol for network management
– security and administration
• presentation services: ASN.1
• firewalls

SNMP overview: 4 key parts
• Management information base (MIB):
– distributed information store of network management data
• Structure of Management Information (SMI):
– data definition language for MIB objects
• SNMP protocol
– convey manager<->managed object info, commands
• security, administration capabilities
– major addition in SNMPv3

Network Management standards
OSI CMIP
• Common Management Information Protocol
• designed 1980's: the unifying net management standard
• too slowly standardized
SNMP: Simple Network Management Protocol
• Internet roots (SGMP)
• started simple
• deployed, adopted rapidly
• growth: size, complexity
• currently: SNMP V3
• de facto network management standard

SNMP Naming
question: how to name every possible standard object (protocol, data, more..) in every possible network standard??
answer: ISO Object Identifier tree:
– hierarchical naming of all objects
– each branchpoint has name, number
Example: 1.3.6.1.2.1.7.1 = ISO(1) . ISO-identified org.(3) . US DoD(6) . Internet(1) . management(2) . MIB-2(1) . UDP(7) . udpInDatagrams(1)
[Figure: OSI Object Identifier Tree]
Check out www.alvestrand.no/harald/objectid/top.html

TLV Encoding
Idea: transmitted data is self-identifying
– T: data type, one of ASN.1-defined types
– L: length of data in bytes
– V: value of data, encoded according to ASN.1 standard

  Tag Value   Type
  1           Boolean
  2           Integer
  3           Bitstring
  4           Octet string
  5           Null
  6           Object Identifier
  9           Real
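The OID naming and the TLV encoding above, implemented as a small BER encoder/decoder (BER is the TLV encoding SNMP actually uses for ASN.1). Added example, not from the review slides: it handles only the universal tags in the table that SNMP relies on, with definite-form lengths, and the decoder validates every L against the buffer before slicing, because a length that is bigger than the remaining message is the classic way a crafted SNMP packet crashes a sloppy parser.

```python
"""Minimal BER (TLV) encoder/decoder for the ASN.1 types SNMP uses most:
INTEGER, OCTET STRING, NULL and OBJECT IDENTIFIER. Universal tags and
definite lengths only. The decoder checks every length against the buffer,
so a forged L cannot make it read past the end of the message."""
from typing import Any, List, Sequence, Tuple

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06


def encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                            # short form: one byte
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long form: 0x8k then k bytes


def encode_integer(v: int) -> bytes:
    nbytes = 1                                       # minimal two's complement
    while not -(1 << (8 * nbytes - 1)) <= v < (1 << (8 * nbytes - 1)):
        nbytes += 1
    body = v.to_bytes(nbytes, "big", signed=True)
    return bytes([TAG_INTEGER]) + encode_length(len(body)) + body


def encode_octet_string(s: bytes) -> bytes:
    return bytes([TAG_OCTET_STRING]) + encode_length(len(s)) + s


def encode_oid(arcs: Sequence[int]) -> bytes:
    """First two arcs share one sub-identifier (40*x + y); every sub-identifier
    is base-128 with the high bit set on all but its last byte."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID prefix")
    body = b""
    for s in [40 * arcs[0] + arcs[1]] + list(arcs[2:]):
        chunk = bytes([s & 0x7F])
        s >>= 7
        while s:
            chunk = bytes([0x80 | (s & 0x7F)]) + chunk
            s >>= 7
        body += chunk
    return bytes([TAG_OID]) + encode_length(len(body)) + body


def _decode_oid_body(body: bytes) -> List[int]:
    if not body or body[-1] & 0x80:
        raise ValueError("OID empty or ends inside a sub-identifier")
    subids, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    first = subids[0]
    x = 0 if first < 40 else 1 if first < 80 else 2
    return [x, first - 40 * x] + subids[1:]


def decode(buf: bytes, pos: int = 0) -> Tuple[int, Any, int]:
    """Decode one TLV at pos. Returns (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                 # long-form length
        k = first & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("indefinite or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("length %d runs past end of buffer" % length)
    body = buf[pos:end]
    if tag == TAG_INTEGER:
        if not body:
            raise ValueError("INTEGER with no content")
        value: Any = int.from_bytes(body, "big", signed=True)
    elif tag == TAG_OCTET_STRING:
        value = body
    elif tag == TAG_NULL:
        if body:
            raise ValueError("NULL with content")
        value = None
    elif tag == TAG_OID:
        value = _decode_oid_body(body)
    else:
        raise ValueError("unsupported tag 0x%02x" % tag)
    return tag, value, end


def decode_all(buf: bytes) -> List[Tuple[int, Any]]:
    """Decode TLVs back to back, e.g. an OID followed by its value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = decode(buf, pos)
        out.append((tag, value))
    return out


def is_malformed(buf: bytes) -> bool:
    try:
        decode_all(buf)
        return False
    except ValueError:
        return True
```

With the slide's example, encode_oid([1, 3, 6, 1, 2, 1, 7, 1]) gives 06 07 2b 06 01 02 01 07 01: tag 6, length 7, and the first byte 0x2b = 40*1 + 3 packs the "iso.identified-organization" prefix into one sub-identifier.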

Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
Two firewall types:
– packet filter
– application gateways
To prevent denial of service attacks:
– SYN flooding: attacker establishes many bogus TCP connections. Attacked host alloc's TCP buffers for bogus connections, none left for "real" connections.
To prevent illegal modification of internal data.
– e.g., attacker replaces CIA's homepage with something else
To prevent intruders from obtaining secret info.
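A packet filter of the kind described above, run over a constructed trace. Added example, not from the review slides: the internal prefix, the rule set, the addresses and the packets are all made up for illustration, and the per-source budget of half-open connections is one simple way to stop the SYN-flooding case the slide mentions from consuming all of the server's connection state (a real filter would also age entries out).

```python
"""A small packet filter illustrating the firewall slide: first-match rules on
packets entering the internal network, default deny, and a per-source budget
of half-open TCP connections so a SYN flood from one address cannot exhaust
the server's connection state. Addresses, rules and the trace are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

INTERNAL = ip_network("10.0.0.0/8")      # constructed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    proto: Optional[str] = None          # None matches any protocol
    src: Optional[str] = None            # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None
    new_only: bool = False               # match only SYN without ACK (new connection)

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.new_only and not (p.syn and not p.ack):
            return False
        return True


RULES = [
    Rule("deny", src="10.0.0.0/8"),                            # anti-spoofing: internal source from outside
    Rule("allow", proto="tcp", dst="10.0.0.80/32", dport=80),  # public web server
    Rule("deny", proto="tcp", new_only=True),                  # no other inbound connection attempts
    Rule("allow", proto="tcp"),                                # replies to connections opened from inside
]                                                              # anything else: default deny


class Firewall:
    def __init__(self, rules: List[Rule], max_half_open: int = 3):
        self.rules = rules
        self.max_half_open = max_half_open
        self.half_open: Dict[str, Set[Tuple[int, str, int]]] = defaultdict(set)

    def decide(self, p: Packet) -> str:
        verdict = next((r.action for r in self.rules if r.matches(p)), "deny")
        if verdict == "allow" and p.proto == "tcp" and ip_address(p.dst) in INTERNAL:
            verdict = self._track_handshake(p)
        return verdict

    def _track_handshake(self, p: Packet) -> str:
        pending = self.half_open[p.src]
        key = (p.sport, p.dst, p.dport)
        if p.syn and not p.ack:                  # new connection attempt
            if len(pending) >= self.max_half_open:
                return "deny"                    # budget spent: treat as a SYN flood
            pending.add(key)
        elif p.ack:                              # client's final ACK completes the handshake
            pending.discard(key)
        return "allow"


TRACE = [
    Packet("198.51.100.7", "10.0.0.80", "tcp", 40000, 80, syn=True),   # normal client: SYN
    Packet("198.51.100.7", "10.0.0.80", "tcp", 40000, 80, ack=True),   # ... and its ACK
    Packet("203.0.113.9", "10.0.0.80", "tcp", 50001, 80, syn=True),    # flooder: SYNs, never ACKs
    Packet("203.0.113.9", "10.0.0.80", "tcp", 50002, 80, syn=True),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 50003, 80, syn=True),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 50004, 80, syn=True),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 50005, 80, syn=True),
    Packet("10.0.0.3", "10.0.0.80", "tcp", 1234, 80, syn=True),        # spoofed internal source
    Packet("198.51.100.7", "10.0.0.80", "tcp", 40001, 22, syn=True),   # SSH from outside
    Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 54321, ack=True),  # reply to an inside client
    Packet("93.184.216.34", "10.0.0.5", "udp", 53, 5353),              # UDP: no rule, default deny
]


def verdicts(trace: List[Packet], max_half_open: int = 3) -> List[str]:
    fw = Firewall(RULES, max_half_open)
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for p, v in zip(TRACE, verdicts(TRACE)):
        print("%-5s %s:%d -> %s:%d %s" % (v, p.src, p.sport, p.dst, p.dport, p.proto))
```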

Chapter 5: The Data Link Layer
Our goals:
• understand principles behind data link layer services:
– error detection, correction
– sharing a broadcast channel: multiple access
– link layer addressing
– reliable data transfer, flow control: done!
• instantiation and implementation of various link layer technologies
Overview:
• link layer services
• error detection, correction
• multiple access protocols and LANs
• link layer addressing, ARP
• specific link layer technologies:
– Ethernet
– hubs, bridges, switches
– IEEE 802.11 LANs
– PPP
– ATM

Checksumming: Cyclic Redundancy Check
• view data bits, D, as a binary number
• choose r+1 bit pattern (generator), G
• goal: choose r CRC bits, R, such that
– <D,R> exactly divisible by G (modulo 2)
– receiver knows G, divides <D,R> by G. If non-zero remainder: error detected!
– can detect all burst errors less than r+1 bits
• widely used in practice (ATM, HDLC)
• note: a CRC detects accidental errors only; anyone who can alter the frame can recompute R, so integrity against tampering needs a keyed MAC or a signature
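The CRC procedure above in code, using the generator and data bits of the standard textbook example (D = 101110, G = 1001, r = 3). Added example, not from the review slides: it does the modulo-2 division both ways, then checks the burst-error claim exhaustively and shows its boundary, a burst of exactly r+1 bits shaped like G that passes the check.

```python
"""CRC by modulo-2 division, with the lecture's conventions: data bits D,
an (r+1)-bit generator G, and r check bits R such that <D,R> is divisible
by G. Also shows the burst-error guarantee and its limit: an error pattern
equal to G itself (shifted anywhere) is never detected."""


def mod2_remainder(value: int, g: int) -> int:
    """Remainder of value divided by g over GF(2): XOR instead of subtract.
    g must have its leading 1 as the top bit of the (r+1)-bit generator."""
    glen = g.bit_length()
    for shift in range(value.bit_length() - glen, -1, -1):
        if (value >> (shift + glen - 1)) & 1:
            value ^= g << shift
    return value


def crc_encode(data_bits: str, gen_bits: str) -> str:
    """Sender: append r CRC bits so that <D,R> is divisible by G."""
    g = int(gen_bits, 2)
    r = g.bit_length() - 1
    rem = mod2_remainder(int(data_bits, 2) << r, g)
    return data_bits + format(rem, "0%db" % r)


def crc_check(frame_bits: str, gen_bits: str) -> bool:
    """Receiver: divide the whole frame by G; zero remainder means no error seen."""
    return mod2_remainder(int(frame_bits, 2), int(gen_bits, 2)) == 0


def inject(frame_bits: str, pattern_bits: str, pos: int) -> str:
    """XOR an error pattern into the frame, starting at bit index pos from the left."""
    shift = len(frame_bits) - pos - len(pattern_bits)
    if shift < 0:
        raise ValueError("pattern does not fit at that position")
    flipped = int(frame_bits, 2) ^ (int(pattern_bits, 2) << shift)
    return format(flipped, "0%db" % len(frame_bits))


def all_bursts_detected(frame_bits: str, gen_bits: str, max_len: int) -> bool:
    """Inject every burst of length 1..max_len at every position; True if the
    receiver's check catches all of them."""
    n = len(frame_bits)
    for length in range(1, max_len + 1):
        for pat in range(1 << (length - 1), 1 << length):     # leading bit is 1
            pattern = format(pat, "0%db" % length)
            for pos in range(n - length + 1):
                if crc_check(inject(frame_bits, pattern, pos), gen_bits):
                    return False
    return True


if __name__ == "__main__":
    G = "1001"                                   # r = 3
    frame = crc_encode("101110", G)
    print("frame <D,R> =", frame, "valid:", crc_check(frame, G))
    print("all bursts <= 3 bits detected:", all_bursts_detected(frame, G, 3))
    print("burst 1001 at bit 2 detected:", not crc_check(inject(frame, "1001", 2), G))
```

The last line is the point of "less than r+1 bits": any error pattern E that G divides (here E = G shifted by some bits) leaves the remainder at zero, so the guarantee stops exactly at bursts of length r+1.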

MAC Protocols: a taxonomy
Three broad classes:
• Channel Partitioning
– divide channel into smaller "pieces" (time slots, frequency)
– allocate piece to node for exclusive use
• Random Access
– allow collisions
– "recover" from collisions
• "Taking turns"
– tightly coordinate shared access to avoid collisions
Goal: efficient, fair, simple, decentralized

Slotted Aloha
• time is divided into equal size slots (= pkt trans. time)
• node with new arriving pkt: transmit at beginning of next slot
• if collision: retransmit pkt in future slots with probability p, until successful.
[Figure: sequence of slots labelled Success (S), Collision (C), Empty (E)]
Pure (unslotted) ALOHA
• unslotted Aloha: simpler, no synchronization
• pkt needs transmission:
– send without waiting for beginning of slot
• collision probability increases:
– pkt sent at t0 collides with other pkts sent in [t0-1, t0+1]


"Taking Turns" MAC protocols
channel partitioning MAC protocols:
– share channel efficiently at high load
– inefficient at low load: delay in channel access, 1/N bandwidth allocated even if only 1 active node!
Random access MAC protocols
– efficient at low load: single node can fully utilize channel
– high load: collision overhead
"taking turns" protocols look for best of both worlds!

Reservation-based protocols
Distributed Polling:
• time divided into slots
• begins with N short reservation slots
– reservation slot time equal to channel end-end propagation delay
– station with message to send posts reservation
– reservation seen by all stations
• after reservation slots, message transmissions ordered by known priority