Layer 3 Protocols (A concise overview) - Ardhendu Sekhar Sinha

Description

This presentation describes layer 3 protocols.

Routing Protocols - BGP (Border Gateway Protocol), IS-IS (Intermediate System-to-Intermediate System), OSPF (Open Shortest Path First), RIP (Routing Information Protocol), NDP (IPv6 Neighbor Discovery Protocol), HIP (Host Identity Protocol)

Multicasting Protocols - IGMP (Internet Group Management Protocol)

Loop Avoidance Techniques

Transcript of Layer3protocols

Page 1: Layer3protocols

Layer 3 Protocols (A concise overview)

Ardhendu Sekhar Sinha

Page 2: Layer3protocols

Introduction

This presentation will cover the following layer 3 protocols and techniques.

Routing Protocols -
• BGP ( Border Gateway Protocol )
• IS-IS ( Intermediate System-to-Intermediate System )
• OSPF ( Open Shortest Path First )
• RIP ( Routing Information Protocol )
• NDP ( IPv6 Neighbor Discovery Protocol )
• HIP ( Host Identity Protocol )

Multicasting Protocols -
• IGMP ( Internet Group Management Protocol )

Loop Avoidance Techniques

Page 3: Layer3protocols

BGP ( Border Gateway Protocol )

Description - It is an Exterior Gateway Protocol (EGP). It exchanges routing information (summaries of network routes) between gateway hosts (each with its own router) in a network of Autonomous Systems (ISPs). The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen. It uses TCP as its transport protocol (port 179).

Two BGP routers form a TCP connection between one another (peer routers) and exchange messages to open and confirm the connection parameters. A router sends updated routing table information (only the changed part) when it has detected a change in its routing table. Internet BGP routing tables have over 300,000 active forwarding entries with summarization of over 2 billion addresses.

BGP Speaker - A router that has been configured to run the BGP routing protocol is called a BGP speaker.

Autonomous system (AS) - It is a set of routers that use the same routing policy while running under a single technical administration. An AS runs interior gateway protocols (IGPs) such as RIP, OSPF, and IS-IS within its boundaries. ASs use exterior gateway protocols (EGPs) to exchange routing information with other ASs. The outside world views an AS as a single entity, even though it could be a collection of IGPs working together to provide routing within its interior.

Page 4: Layer3protocols

BGP ( Border Gateway Protocol )

Sessions -
• Internal BGP (iBGP) - When two BGP speakers are in the same autonomous system
• External BGP (eBGP) - When two BGP speakers are in different autonomous systems

eBGP multihop - Allows the neighbor connection to be established between two non-directly-connected external peers, e.g. a Cisco router can run eBGP with a third-party router that does not allow the two external peers to be directly connected. Multihop is used only for eBGP and not for iBGP.

Some important attributes with each IP prefix -
• AS path - list of AS numbers that a route has traversed in order to reach a destination.
• Local preference - indication to the AS about which path is preferred to exit the AS in order to reach a certain network. A path with a higher local preference is more preferred.
• Multi-exit discriminator (MED) - gives adjacent ISPs the ability to prefer one peering point over another.
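The attribute comparison described above, as an added example that is not part of the original presentation: a simplified BGP best-path selection over constructed candidate routes (RFC 5398 documentation AS numbers) that applies highest local preference, then shortest AS path, then lowest MED, with eBGP-over-iBGP as a tie-breaker, after discarding any route whose AS path already contains the local AS. It assumes MED is comparable across all candidates, which real routers do only between routes from the same neighbouring AS unless configured otherwise.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    next_hop: str
    as_path: tuple         # AS numbers the route has traversed, nearest neighbour first
    local_pref: int = 100  # higher is preferred; meaningful inside our own AS
    med: int = 0           # lower is preferred; hint from the adjacent AS about its entry point
    ebgp: bool = True      # learned from an external peer rather than an iBGP peer


def is_loop_free(route: BgpRoute, local_as: int) -> bool:
    """A route whose AS path already carries our own AS number has looped; BGP discards it."""
    return local_as not in route.as_path


def preference_key(route: BgpRoute):
    """Sort key in decision order: highest local preference, shortest AS path, lowest MED,
    then eBGP before iBGP. Simplification (assumption of this example): MED is compared
    across all candidates rather than only between routes from the same neighbouring AS."""
    return (-route.local_pref, len(route.as_path), route.med, 0 if route.ebgp else 1)


def select_best(routes: Sequence[BgpRoute], local_as: int) -> Optional[BgpRoute]:
    """Return the best loop-free candidate for a prefix, or None if none remains."""
    candidates = [r for r in routes if is_loop_free(r, local_as)]
    return min(candidates, key=preference_key) if candidates else None


def demo(local_as: int = 65000) -> dict:
    """Three constructed scenarios for the same prefix; returns the chosen next hop of each."""
    prefix = "203.0.113.0/24"
    # 1. A longer path with higher local preference beats a shorter one; the route that
    #    already lists our AS (65000) in its path is dropped even though its local_pref is highest.
    lp_long = BgpRoute(prefix, "192.0.2.1", (64496, 64497, 64498), local_pref=200)
    lp_short = BgpRoute(prefix, "192.0.2.2", (64499,), local_pref=100)
    looped = BgpRoute(prefix, "192.0.2.3", (64500, local_as), local_pref=300)
    # 2. Equal local preference: the shorter AS path wins.
    eq_long = BgpRoute(prefix, "192.0.2.1", (64496, 64497, 64498), local_pref=100)
    # 3. Equal local preference and path length from the same neighbouring AS: lowest MED wins.
    med_low = BgpRoute(prefix, "192.0.2.4", (64499,), med=10)
    med_high = BgpRoute(prefix, "192.0.2.5", (64499,), med=50)
    return {
        "local_pref": select_best([lp_long, lp_short, looped], local_as).next_hop,
        "as_path": select_best([eq_long, lp_short], local_as).next_hop,
        "med": select_best([med_high, med_low], local_as).next_hop,
    }


if __name__ == "__main__":
    print(demo())
```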

BGP-v4 Features -
• Provides a new set of mechanisms for supporting classless inter-domain routing (CIDR). These mechanisms include support for advertising an IP prefix and eliminate the concept of network "class" within BGP.
• Introduces mechanisms which allow aggregation of routes, including aggregation of AS paths.

Page 5: Layer3protocols

IS-IS ( Intermediate System-to-Intermediate System )

Description - It is a link-state protocol. In this protocol routers exchange routing information based on a single metric to determine the network topology. It behaves similarly to Open Shortest Path First (OSPF) in the TCP/IP network. It converges faster, supports much larger internetworks and is less susceptible to routing loops.

Functionality - Clients are called "End systems". Routers are called "Intermediate systems" (IS). Routers are organized into local groups called areas. Several areas are grouped together into a domain. It uses two levels of hierarchical routing.
• Level 1 - These routers know the topology in their area, including all routers and hosts, but they do not know the identity of routers or destinations outside of their area. Level 1 routers forward all traffic for destinations outside their area to a level 2 router within their area.
• Level 2 - These routers know the level 2 topology. Level 2 routers do not need to know the topology within any level 1 area.

Page 6: Layer3protocols

IS-IS ( Intermediate System-to-Intermediate System )

P2P link Flooding - Each router creates an LSP and floods it to its neighbours. Each router maintains a separate LSDB for level-1 and level-2 LSPs. New LSPs are flooded to all neighbors. Once the adjacency is established both routers send a CSNP packet.

LAN Flooding - There is a Designated Intermediate System (DIS). It conducts the flooding (CSNP) over the LAN to synchronize the LSDB over LAN subnets. All routers in the LAN check the CSNP against their own LSDB and update it.

LSP (Link State PDU) - The header contains the LSP-id, sequence number, type of LSP (level-1, level-2) etc., and the data contains area addresses, IS neighbors etc.

CSNP (Complete Sequence Number PDU) - Describes all LSPs in the LSDB. If the LSDB is large, multiple CSNPs are sent.

Two types of IS-IS addresses:
• Network Service Access Point (NSAP) - NSAP addresses identify network layer services, one for each service running.
• Network Entity Title (NET) - NET addresses identify network layer entities or processes instead of services.

Page 7: Layer3protocols

OSPF ( Open Shortest Path First )

Description - It is a link-state routing protocol that was developed for IP networks and is based on the Shortest Path First (SPF) algorithm. It is used for routing between routers belonging to a single Autonomous System.

Functionality - Each OSPF router maintains an identical database describing the Autonomous System's topology. From this database, a routing table is calculated by constructing a shortest-path tree. It recalculates routes quickly when a topological change occurs, utilizing a minimum of routing protocol traffic. More than one OSPF process can be configured in a router, but the SPF calculation associated with multiple processes can consume a considerable amount of CPU and memory.

Features -
• no hop count limitations.
• understands variable-length subnet masks (VLSMs) and allows for summarization.
• uses multicasts (not broadcasts) to send updates.
• converges much faster because OSPF propagates changes immediately.
• allows for load balancing with up to six equal-cost paths.
• authentication available.
• allows for tagging of external routes injected by other autonomous systems.

Page 8: Layer3protocols

OSPF ( Open Shortest Path First )

OSPF network types - OSPF assumes that, within a subnet, all routers can communicate directly using multicasts and that no router is uniquely positioned in the topology. If five routers are attached to a switch, a multicast from one reaches the other four and each would be fine as a designated router (DR). This assumption does not hold for NBMA networks.

• Broadcast – It requires a DR. OSPF defines this interface network type to use multicast Hellos to dynamically discover neighbors, allows more than two routers to be in the same subnet and to attempt to elect a DR.

• point-to-point - only two OSPF routers can exist in the subnet, neighbors can be dynamically discovered through Hellos and the routers do not elect a DR.

• point-to-multipoint (NonBroadcast) – It does not involve a DR election; this OSPF network type is less efficient in a full mesh, but fine with a partial mesh. It is more tolerant of network changes than the broadcast option.

• NBMA (non-broadcast multiple access) - In an NBMA configuration, OSPF sends HELLO packets (packets sent periodically to establish and confirm neighbor relationships between routers) to each router one at a time rather than multicasting them. The HELLO timer (which tells the router how often to send HELLO packets) is extended from 10 to 30 seconds and the dead router timer (which tells the router how long to wait before it decides that a neighboring router is not functioning) is extended from 40 to 120 seconds.

Page 9: Layer3protocols

RIP ( Routing Information Protocol )

Description - RIP is a standardized Distance Vector protocol, designed for use on smaller networks. It is used to exchange routing information among gateways and hosts. This protocol is most useful as an interior gateway protocol (i.e. within an autonomous system) and is supported on a wide variety of systems. It is suitable for small networks using serial lines whose speeds do not vary widely and is not intended for use in more complex environments.

Functionality -
• sends out routing updates every 30 seconds.
• sends out the full routing table every periodic update.
• uses hop count as its metric (max hop count 15).
• uses the Bellman-Ford Distance Vector algorithm to determine the best "path" to a particular destination.
• If multiple paths exist to a particular destination, RIP will load balance between those paths by default (up to 4 only) if the metric (hop count) is equal.
• It uses a round-robin system of load-balancing between equal metric routes, which can lead to pinhole congestion (the slower link becomes congested).

Page 10: Layer3protocols

RIP ( Routing Information Protocol )

RIP has two versions - Version 1 (RIPv1) and Version 2 (RIPv2).

RIPv1 -
• does not include the subnet mask with its routing table updates, therefore it does not support Variable Length Subnet Masks (VLSMs).
• requires that networks be contiguous and that subnets of a major network be configured with identical subnet masks, else routing table inconsistencies will occur.
• sends updates as broadcasts to address 255.255.255.255.

RIPv2 -
• supports VLSMs, allowing discontiguous networks and varying subnet masks to exist.
• Routing updates are sent via multicast using address 224.0.0.9.
• Includes the subnet mask with its routing table updates.
• Encrypted authentication can be configured between RIPv2 routers.
• Route tagging is supported.

RIPv2 can interoperate with RIPv1 by default. In this case the following will occur:
• RIPv1 routers will send only Version 1 packets.
• RIPv1 routers will receive both Version 1 and Version 2 updates.
• RIPv2 routers will both send and receive only Version 2 updates.
The version of RIP a particular interface will "send" or "receive" can be controlled.

Page 11: Layer3protocols

RIP ( Routing Information Protocol )

RIP Timers -
• Update Timer (default 30 seconds) - indicates how often the router will send out a routing table update.

• Invalid Timer (default 180 seconds) - indicates how long a route will remain in a routing table before being marked as invalid, if no new updates are heard about this route. The invalid timer will be reset if an update is received for that particular route before the timer expires.

• Hold-down Timer (default 180 seconds) - indicates how long RIP will "suppress" a route that it has placed in a hold-down state. It will not accept any new updates for routes in a hold-down state until the hold-down timer expires. A route will enter a hold-down state for one of three reasons:
  - The invalid timer has expired.
  - An update has been received from a router marking that route with a metric of 16 (unreachable).
  - An update has been received from another router marking that route with a higher metric than what is currently in the routing table.

• Flush Timer (default 240 seconds) - indicates how long a route can remain in a routing table before being flushed, if no new updates are heard about this route. It runs concurrently with the invalid timer, and thus will flush out a route 60 seconds after it has been marked invalid.

Page 12: Layer3protocols

IPv6 NDP ( Neighbor Discovery Protocol )

Description - This protocol solves a set of problems related to the interaction between nodes (hosts and routers) attached to the same link. Nodes use Neighbor Discovery to determine the link-layer addresses for neighbors known to reside on attached links. It also uses the protocol to actively keep track of which neighbors are reachable and to detect changed link-layer addresses.

It defines mechanisms for solving the following problems -

• Router Discovery - Hosts locate routers that reside on an attached link.
• Prefix Discovery - Hosts discover the set of address prefixes that define which destinations are on-link for an attached link.
• Address Autoconfiguration - Nodes automatically configure an address for an interface.
• Address resolution - Nodes determine the link-layer address of an on-link destination given only the destination's IP address.
• Next-hop determination - The algorithm for mapping an IP destination address into the IP address of the neighbor through which destination traffic should be sent.
• Neighbor Unreachability Detection - Nodes determine the reachability of a neighbor.
• Duplicate Address Detection - A node determines that an address it wishes to use is not already in use by another node.
• Redirect - A router informs a host of a better first-hop node to reach a particular destination.

Page 13: Layer3protocols

IPv6 NDP ( Neighbor Discovery Protocol )

NDP uses the following ICMPv6 messages for

Router Solicitation - When an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.

Router Advertisement - Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for determining whether another address shares the same link (on-link determination) and/or address configuration, a suggested hop limit value, etc.

Neighbor Solicitation - Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.

Neighbor Advertisement - Sent by a node as a response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.

Redirect - Used by routers to inform hosts of a better first hop for a destination.

Duplicate Address Detection (DAD) - Neighbor Solicitation messages are used for Duplicate Address Detection.

Page 14: Layer3protocols

IPv6 NDP ( Neighbor Discovery Protocol )

Node Discovery Process -

Problem - Node A wants to deliver packets to destination node B using IPv6 on the same local link. However, node A does not know node B's link-layer address.

Procedure -
• Node A sends an ICMPv6 Type 135 message (neighbor solicitation) on the local link, with its site-local address as the IPv6 source address, the solicited-node multicast address corresponding to the target address as the destination IPv6 address, and the source link-layer address of the sender (node A) as data of the ICMPv6 message. The source link-layer address of this frame is the link-layer address of node A. The destination link-layer address of this frame uses the multicast mapping of the destination IPv6 address.

• Node B, which is listening to the local link for multicast addresses, intercepts the neighbor solicitation message because the destination IPv6 address represents the solicited-node multicast address corresponding to its IPv6 address.

• Node B replies by sending a neighbor advertisement message using its site-local address as the IPv6 source address and node A's site-local address as the destination IPv6 address. It also includes its link-layer address in the ICMPv6 message.

• After receiving neighbor solicitation and neighbor advertisement messages, node A and node B know each other's link-layer addresses. Learned link-layer addresses are kept in a neighbor discovery table (neighbor cache). Now both the nodes can communicate on the local link.
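The exchange above, as an added example that is not part of the original presentation: it derives the solicited-node multicast group and its Ethernet mapping for a target address, then models the NS/NA round trip with plain dicts (constructed representation, no packets are sent) so that node B answers only when the NS target is its own address, which matters because several addresses can share one solicited-node group. Sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(target: str) -> str:
    """Solicited-node group for an IPv6 address: ff02::1:ff00:0/104 plus the target's low 24 bits."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def ipv6_multicast_mac(group: str) -> str:
    """Ethernet mapping of an IPv6 multicast group: 33:33 followed by the group's low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def build_neighbor_solicitation(src_ip: str, src_mac: str, target: str) -> dict:
    """Node A's ICMPv6 Type 135 message, modelled as a dict (constructed representation)."""
    group = solicited_node_multicast(target)
    return {
        "type": 135, "src_ip": src_ip, "dst_ip": group, "target": target,
        "src_lladdr": src_mac,                      # option carried in the ICMPv6 data
        "src_mac": src_mac, "dst_mac": ipv6_multicast_mac(group),
    }


def handle_neighbor_solicitation(ns: dict, my_ip: str, my_mac: str, neighbor_cache: dict):
    """Node B's side: every node in the group receives the frame, but only the node whose
    address equals the target answers. Learns A's link-layer address from the NS option.
    Returns the Type 136 advertisement, or None when the NS is not for us."""
    if ns["type"] != 135 or ns["target"] != my_ip:
        return None
    if ns["dst_ip"] != solicited_node_multicast(my_ip):
        return None
    neighbor_cache[ns["src_ip"]] = ns["src_lladdr"]
    return {"type": 136, "src_ip": my_ip, "dst_ip": ns["src_ip"],
            "target": my_ip, "target_lladdr": my_mac, "solicited": True}


def handle_neighbor_advertisement(na: dict, neighbor_cache: dict) -> dict:
    """Node A's side: record B's link-layer address from the advertisement."""
    if na is not None and na["type"] == 136:
        neighbor_cache[na["target"]] = na["target_lladdr"]
    return neighbor_cache


def demo():
    """Run the round trip for two constructed nodes; returns the NS and both neighbor caches."""
    a_ip, a_mac = "2001:db8::a", "02:00:00:00:00:0a"
    b_ip, b_mac = "2001:db8::1:2:3:4", "02:00:00:00:00:0b"
    cache_a, cache_b = {}, {}
    ns = build_neighbor_solicitation(a_ip, a_mac, b_ip)
    na = handle_neighbor_solicitation(ns, b_ip, b_mac, cache_b)
    handle_neighbor_advertisement(na, cache_a)
    return ns, cache_a, cache_b


if __name__ == "__main__":
    ns, cache_a, cache_b = demo()
    print(ns["dst_ip"], ns["dst_mac"], cache_a, cache_b)
```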

Page 15: Layer3protocols

IPv6 NDP ( Neighbor Discovery Protocol )

Neighbor Unreachability Detection - To verify the reachability of neighbor nodes in the neighbor discovery table, the neighbor solicitation message is used with the unicast addresses of the neighbor nodes as destination IPv6 addresses instead of solicited-node multicast addresses.

Security - IPsec AH can be used with NDP messages to enhance security. Also the hosts can verify through AH that Neighbor Advertisements and Router Advertisements do contain proper and accurate information. IPsec can be used in NDP only through manual configuration of Security Associations (SA).

Mapping of ICMPv6 messages to NDP Functionality -

ICMPv6 Type | Name of Message             | NDP Functionality
Type 133    | Router Solicitation (RS)    | Router/Prefix Discovery
Type 134    | Router Advertisement (RA)   | Router Advertisement
Type 135    | Neighbor Solicitation (NS)  | DAD / Address resolution / Unreachability detection
Type 136    | Neighbor Advertisement (NA) | Address resolution
Type 137    | Redirect Message            | Redirection

Page 16: Layer3protocols

HIP ( Host Identity Protocol )

Description - A host and its location are identified using Internet Protocol (IP) addresses in the current Internet architecture. Nowadays a considerable number of hosts are portable devices. They often change their IP addresses due to mobility. So mobility and multihoming are hard to implement securely in the present Internet.

This Protocol is a host identification technology for use on Internet Protocol (IP) networks, such as the Internet. It enables host mobility and multihoming across different address families (IPv4 and IPv6), offers end-to-end encryption and protection against attacks, allows moving away from IP address-based access control to permanent host identities, and restores end-to-end host identification in the presence of several addressing domains separated by Network Address Translation (NAT) devices.

This protocol separates the identity of a host from its location. It uses IP in network layer for routing packets and public key (host identity) in transport and application layers.

Host Identity Tag (HIT) - 128-bit-long bit string – It is constructed by applying a cryptographic hash function over the public key.

Host Identity - It contains the HIT.

Page 17: Layer3protocols

HIP ( Host Identity Protocol )

Functionality -
• Each host creates one or more public/private key pairs to provide identities for itself. A client host obtains the host identity of a server typically from the Domain Name System (DNS) or a Distributed Hash Table (DHT). For environments where a DHT is not supported, the public key of the server is added to the known host list after the first connection.

• To communicate using HIP, the two hosts (client and server) initially establish a HIP association through the HIP Base Exchange (BEX). In this process the hosts prove to each other that they possess the private keys corresponding to their host identifiers, and a pair of IPsec Encapsulated Security Payload (ESP) Security Associations (SAs), one for each direction, is created.

• Now both client and server communicate using IPsec ESP messages.

• As neither transport layer connections nor security associations created after the HIP base exchange are bound to IP addresses, a mobile client can change its IP address and continue to transmit ESP-protected packets to its peer.

HIP supports such mobility events by implementing an end-to-end three-way UPDATE signaling mechanism between communicating nodes.

Page 18: Layer3protocols

HIP ( Host Identity Protocol )

• For two hosts behind NAT devices and firewalls, HIP enables communication through a Rendezvous server and uses User Datagram Protocol (UDP)-based encapsulation (provided by the Interactive Connectivity Establishment (ICE) protocol).

• HIP multihome uses the same mechanisms as mobility for updating the peer with a current set of host IP addresses.

• HIP provides a network layer alternative to using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for application security.

• Most Internet applications can run unmodified over HIP, although only applications using the extended socket interface can take better advantage of the new features that HIP provides.

Page 19: Layer3protocols

IGMP ( Internet Group Management Protocol )

Description - The Internet Group Management Protocol (IGMP) is a communications protocol used by IPv4 hosts to establish multicast group memberships with any immediately neighboring multicast routers. It can be used for collecting the membership information needed by its multicast routing protocol (multicast router part) and to inform itself and other neighboring multicast routers of its memberships (group member part). If an IP multicast router is itself a member of one or more multicast groups, then it can perform both as the "multicast router part" and the "group member part" of the protocol.

Functionality - IGMP operates between the client computer and a local multicast router. A network switch is used to listen in on the IGMP conversation between hosts and routers (IGMP snooping). By listening to these conversations the switch maintains a map of which links need which IP multicast streams. Protocol Independent Multicast (PIM) is then used between the local and remote multicast routers to direct multicast traffic from the multicast server to many multicast clients.

IGMP can be used for one-to-many networking applications such as online streaming video/gaming and allows more efficient use of resources while supporting these kinds of applications.

Page 20: Layer3protocols

IGMP ( Internet Group Management Protocol )

IGMP has versions v1, v2 and v3.

IGMPv1: Hosts can join multicast groups. There are no leave messages. Routers use a time-out based mechanism to discover the groups that are of no interest to the members.

IGMPv2: Leave messages were added to the protocol, allowing group membership termination to be quickly reported to the routing protocol, which is important for high-bandwidth multicast groups and/or subnets with highly volatile group membership.

IGMPv3: A major revision of the protocol allows hosts to specify the list of hosts from which they want to receive traffic. Traffic from other hosts is blocked inside the network. It also allows hosts to block inside the network packets that come from sources that send unwanted traffic. A single membership report now bundles multiple multicast group records to decrease the number of packets sent.

State-Change Messages – A forged State-Change Report message will cause extra processing on each router and on each member of the group. It can be ignored if source address of the packet is not identified as belonging to a subnet assigned to the interface on which the packet was received.
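The source-address check described above, as an added example that is not part of the original presentation: a router-side filter that drops a Report whose IPv4 source does not belong to a subnet assigned to the receiving interface. The interface table and sample reports are constructed; the one nuance beyond the slide is that the unspecified source 0.0.0.0 is accepted, because RFC 3376 section 4.2.13 requires routers to accept reports from hosts that have not yet acquired an address.

```python
import ipaddress

# Constructed interface table: interface name -> IPv4 subnets assigned to it (documentation ranges)
INTERFACES = {
    "eth0": [ipaddress.ip_network("192.0.2.0/24")],
    "eth1": [ipaddress.ip_network("198.51.100.0/25"), ipaddress.ip_network("198.51.100.128/25")],
}


def accept_report(iface: str, src_ip: str, interfaces=INTERFACES) -> bool:
    """Accept a Membership / State-Change Report only if its source address belongs to a
    subnet assigned to the interface it arrived on. 0.0.0.0 is allowed for hosts that have
    not yet obtained an address (RFC 3376 section 4.2.13); anything else off-subnet is dropped."""
    src = ipaddress.ip_address(src_ip)
    if src.version != 4:
        return False
    if src == ipaddress.IPv4Address("0.0.0.0"):
        return True
    return any(src in net for net in interfaces.get(iface, []))


def filter_reports(packets, interfaces=INTERFACES):
    """Split reports into (accepted, dropped) lists; dropped ones cost no group-state processing."""
    accepted, dropped = [], []
    for pkt in packets:
        target = accepted if accept_report(pkt["iface"], pkt["src"], interfaces) else dropped
        target.append(pkt)
    return accepted, dropped


# Constructed sample reports as seen by the router.
SAMPLE_REPORTS = [
    {"iface": "eth0", "src": "192.0.2.10", "group": "239.1.1.1"},
    {"iface": "eth0", "src": "203.0.113.7", "group": "239.1.1.1"},     # off-subnet source
    {"iface": "eth1", "src": "198.51.100.200", "group": "239.2.2.2"},
    {"iface": "eth1", "src": "192.0.2.10", "group": "239.2.2.2"},      # valid address, wrong interface
    {"iface": "eth0", "src": "0.0.0.0", "group": "224.0.1.1"},         # host without an address yet
]

if __name__ == "__main__":
    ok, bad = filter_reports(SAMPLE_REPORTS)
    print(len(ok), "accepted,", len(bad), "dropped")
```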

Page 21: Layer3protocols

Loop Avoidance Techniques

Problem Description - When a data packet is continually routed through the same routers over and over again, the data packets continue to be routed within the network in an endless circle. This phenomenon is called a routing loop.

Example - RIP updates are broadcast every 30 seconds by default. Due to slow convergence, routers may not learn about topology changes in a timely manner. Hence they repeatedly broadcast updates based on outdated or incorrect route information, causing datagrams to bounce between routers endlessly and causing the routers to start a count to infinity.

It can completely disable the network. This problem is associated with Distance Vector Protocols.

Loop avoidance techniques or combinations of these techniques can minimize routing loops passing on incorrect routing information.

Page 22: Layer3protocols

Loop Avoidance Techniques

Following are the Loop Avoidance Techniques -

Count to infinity - This mechanism sets the maximum hop count to a specified value (e.g. for RIP, it is 15). When the hop count is exceeded, the endlessly circulating datagram is dropped and the destination is marked as unreachable.

Split-Horizon - This mechanism prevents a routing update from being sent out the interface it was received on. With this mechanism in place, when a change occurs in the network, routers only advertise that change in one direction, i.e. they send the update out to all other ports except the one from which it was learned.

Route-Poisoning – This mechanism prevents inconsistencies from spreading. When a router learns that a route has become unavailable, it overrides split-horizon by advertising the failed route with an infinity hop count (destination unreachable) out all the interfaces including the one it was received on. This allows a router to advertise out the same interface it learned information on, but poisons the route by using a value greater than the maximum hop count. Routers receiving this advertisement assume the destination network is unreachable.

Hold-Down Timers –This mechanism is used in combination with route poisoning. It prevents routers from accepting any new updates for routes in a hold-down state, until the hold-down timer expires. Hold-down timers start as soon as a router receives an update from a neighbor indicating that an attached network has gone down. Until the timer elapses, the router ignores updates regarding this route from other routers unless it receives an update from the neighboring router that initially informed the network of the downed link. The timer stops if it receives a message from the neighboring router. At that point, the network is marked as reachable again and the route table is updated.
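The count-to-infinity problem and the split-horizon / route-poisoning remedy from the slides above, as an added example that is not part of the original presentation: a small synchronous distance-vector simulation (constructed chain A - B - C with network N attached to C) that runs the Bellman-Ford update once plainly and once with split horizon in its poison-reverse form, so the reader can see how many update rounds each takes to settle at the RIP bound of 16 after N fails. Timers are not modelled; each round stands for one update exchange.

```python
INFINITY = 16  # RIP's bound: a metric of 16 means "unreachable" and ends the count to infinity


class Router:
    def __init__(self, name, neighbors):
        self.name = name
        self.neighbors = neighbors  # directly connected routers
        self.table = {}             # destination -> (metric, next_hop); next_hop None = directly attached

    def advertisement(self, to, split_horizon):
        """Routes sent to neighbour `to`. With split horizon (poison-reverse variant) a route
        learned from `to` is advertised back to it as unreachable instead of being withheld."""
        return {dest: INFINITY if split_horizon and next_hop == to else metric
                for dest, (metric, next_hop) in self.table.items()}

    def receive(self, frm, adv):
        """Bellman-Ford update: neighbour's metric plus one hop, capped at INFINITY. A route
        already going via `frm` is always overwritten (so bad news propagates); any other
        route is replaced only by a strictly better one. Returns True if the table changed."""
        changed = False
        for dest, metric in adv.items():
            new = (min(metric + 1, INFINITY), frm)
            cur = self.table.get(dest, (INFINITY, None))
            if (cur[1] == frm or new[0] < cur[0]) and new != cur:
                self.table[dest] = new
                changed = True
        return changed


def exchange_until_stable(routers, split_horizon, max_rounds=100):
    """Synchronous rounds: every router builds its advertisements, then everyone processes
    what it received. Returns the number of rounds in which some table changed."""
    for rnd in range(1, max_rounds + 1):
        advs = {(r.name, nb): r.advertisement(nb, split_horizon)
                for r in routers.values() for nb in r.neighbors}
        changed = False
        for r in routers.values():
            for nb in r.neighbors:
                changed |= r.receive(nb, advs[(nb, r.name)])
        if not changed:
            return rnd - 1
    return max_rounds


def simulate(split_horizon):
    """Chain A - B - C with network N attached to C (constructed topology): let the routes
    converge, then take N down and count the rounds until all three routers agree it is gone."""
    routers = {"A": Router("A", ["B"]), "B": Router("B", ["A", "C"]), "C": Router("C", ["B"])}
    routers["C"].table["N"] = (1, None)
    exchange_until_stable(routers, split_horizon)
    routers["C"].table["N"] = (INFINITY, None)  # C's link to N goes down
    rounds = exchange_until_stable(routers, split_horizon)
    return rounds, {name: r.table["N"][0] for name, r in routers.items()}


if __name__ == "__main__":
    for mode in (False, True):
        rounds, metrics = simulate(split_horizon=mode)
        print("split horizon" if mode else "plain", rounds, "rounds", metrics)
```

Without split horizon, A and B keep re-learning N from each other and the metric climbs two hops per pair of rounds until the bound of 16 stops it; with poison reverse, B's route via C is poisoned back toward C and A's route via B back toward B, so nobody re-learns the dead route.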

Page 23: Layer3protocols

Thank You