Basic networking 07-2012

  • 4,921 views
Uploaded on

OSI 7 layer model. …

OSI 7 layer model.
Basic networking.
Everything you need to know - very high level. With an emphasis on TCP/IP

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
4,921
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
70
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • network adapters, host bus adapters, and more.
  • http://www.cisco.com/assets/sol/sp/ipv6_discovery/

Transcript

  • 1. Basic Networking Samuel Dratwa Samuel.dratwa@gmail.com
  • 2. What are we selling ? customer satisfaction !It’s all about customer satisfaction
  • 3. Agenda Introduction  What is a network OSI 7 layer model The physical layer and the date link layer The network layer – IP The transport layer The application (and session and presentation layer) End to end – full stuck Advanced issues  Security  MPLS  Signaling
  • 4. Networking Communication between two or more devices. Parts required for Networking:  Host  Computer, networked printer, etc.  Sends/receives data for network to card  Card  Every card on a network has to have a unique address  Card breaks outgoing data into packets and addresses them  Card receives packets addressed to it and re-assembles packets to data  Wire  Transmits packets across network  For this discussion includes all wires, radios and devices between network cards (including hubs, switches, access points, etc.)
  • 5. 5 Basic ComponentsEvery communication system has 5 basic requirements•Data Source (where the data originates)•Transmitter (device used to transmit data)•Transmission Medium (cables or non cable)•Receiver (device used to receive data)•Destination (where the data will be placed)
  • 6. NETWORKS: categorized by size•LAN – a network that connects computers in a limitedgeographical area.•MAN – a backbone that connects LANs in ametropolitan area such as a city and handles the bulkof communications activity across that region.•WAN – covers a large geographical area such as acity or country. Communication channels includetelephone lines, Microwave, satellites, etc.•PAN
  • 7. What is a standard ? A standard specification is an explicit set of requirements for an item, material, component, system or service. It is often used to formalize the technical aspects of a procurement agreement or contract. A technical standard is an established norm or requirement about technical systems. It is usually a formal document that establishes uniform engineering or technical criteria, methods, processes and practices. In contrast, a custom, convention, company product, corporate standard, etc. which becomes generally accepted and dominant is often called a de facto standard.
  • 8. Why do we need standards ? Interoperability
  • 9. Standards bodies IMT-Advanced 802.X – LAN/WLAN
  • 10. OSI 7 Layer Model Application OSI - Open Systems Interconnection (Basic Presentation Reference Model) Each level is an independent Session set of protocols Each level can be change Transport seamlessly Network Data Link Physical
  • 11. 5 Layer model Application Presentation Application Session Transport Transport Network Network Data Link Data Link Physical Physical
  • 12. OSI Layers OSI Model Data unit Layer Function 7. Application Network process to application Data representation, encryption andData 6. Presentation decryption 5. Session Interhost communication End-to-end connections and reliability,Segments 4. Transport Flow control Path determination and logicalPacket 3. Network addressingFrame 2. Data Link Physical addressingBit 1. Physical Media, signal and binary transmissionGoing from layer 7 to 1: All People Seem To Need Data Processing 12
  • 13. The flow Web server Samuel Browser Web Siteread(s1, dataBlock) send(s2, dataBlock) Transport (TCP) Transport (TCP) Router1 2 3 4 5 1 2 3 4 5 Network (IP) Network (IP) Network (IP) 1 2 3 4 5 1 2 3 1 2 3 4 5 Link (WLAN) Link Link (WLAN) 1 2 3 4 5 1 2 3 1 2 3 4 5 Physical Physical Physical
  • 14. 5 Layer model (TCP/IP) Application – Represent the end user and the application he Application use (mail, browse, FTP, etc.) Transport - end-to-end message transfer, along with error control, fragmentation and flow control. Network (AKA Internet) – Transport - TCP responsible on getting packets of data from source to Network - IP destination. Link - processes of Link transmitting receiving packets on a given link layer
  • 15. Layer1:Physical Layer
  • 16. Layer1: Physical Layer  The Physical Layer defines the electrical and physical specifications for devices. In particular, it defines the relationship between a device and a physical medium.  This includes the layout of pin, voltages, cable specification, hubs, repeaters, network adapters, host bus adapters, and more.
  • 17. Wire types Co-Ax  Composed of:  Core, insulation, shielding, insulation  10 Mb only  10Base5 ―Thicknet‖  500 meters  10Base2 ―Thinnet‖  200 meters Twisted Pair  10/100/1000 Mb  100 meters between devices  CAT3, CAT5, CAT5e, CAT6, CAT6e
  • 18. Wire Types (cont.) Fiber  10/100/1000/10,000 Mb  Multi-mode – Long Haul (20 km)  Single-mode – ―Short Haul‖ (3 Km) what we use  Carries light, not electricity Wireless  Speeds 11/7 Mb, 54/27Mb  Because of encryption and connection upkeep, available bandwidth is about ½ of stated speed  Common ―mediums‖  InfraRed (IR)  Microwave, (long distances)  Radio  Licensed/private  Un-licensed (802.11b/g/a)
  • 19. Twisted Pair Cables • Unshielded Twisted Pair Cable (UTP) • most popular • maximum length 100 m • more susceptible to noise • EIA/TIA 568 Commercial Building Wire Standard Category 1 Voice transmission of traditional telephone Category 2 For data up to 4 Mbps, 4 pairs full-duplex Category 3 For data up to 10 Mbps, 4 pairs full-duplex Category 4 For data up to 16 Mbps, 4 pairs full-duplex Category 5 For data up to 100 Mbps, 4 pairs full-duplex Category 6 For data up to 1000 Mbps, 4 pairs full-duplex 19
  • 20. Shielded Twisted Pair Cable (STP)• Shielding to reduce crosstalk• Crosstalk: signal from one line getting mixed with signals from another line• Connector • RJ-45 computer connector (8 wires) Pin T568A T568B 1 Rx+ Tx+ 2 Rx- Tx- 3 Tx+ Rx+ 4 Unused Unused 5 Unused Unused 6 Tx- Rx- 7 Unused Unused 8 Unused Unused 20
  • 21. Straight and Cross connections Case 1 T568A T568B Cross-over cable Case 2 Case 3 Wall Cross-over cable T568B plate T568B Hub Straight through cable Straight through cable 21
  • 22. Examples
  • 23. Layer 2:Data Link Layer
  • 24. Layer 2: Data Link Layer The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. Originally, this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system. The data link layer is divided into two sub-layers by IEEE. 24
  • 25. Layer 2: MAC & LLC Layer 2 sub-layers :  Media Access Control (MAC)  Logical Link Control (LLC). MAC is lower sub-layer, and it defines the way about the media access transfer, such as CSMA/CD/CA(Carrier Sense Multiple Access/Collision Detection/Collision Avoidance) LLC provides data transmission method in different network. It will re-package date and add a new header. 25
  • 26. The Channel Access Problem  Multiple nodes share a channel A B C  Pairwise communication desired  Simultaneous communication not possible  MAC Protocols  Suggests a scheme to schedule communication  Maximize number of communications  Ensure fairness among all transmitters 26
  • 27. The Trivial Solution A B C collision Transmit and pray  Plenty of collisions --> poor throughput at high load 27
  • 28. The Simple Fix Don’t transmit A B C Can collisions still occur?  Transmit and pray  Plenty of collisions --> poor throughput at high load  Listen before you talk  Carrier sense multiple access (CSMA)  Defer transmission when signal on channel 28
  • 29. CSMA collisions spatial layout of nodesCollisions can still occur:Propagation delay non-zerobetween transmittersWhen collision:Entire packet transmissiontime wastednote:Role of distance & propagationdelay in determining collisionprobability 29
  • 30. CSMA/CD (Collision Detection) Keep listening to channel  While transmitting If (Transmitted_Signal != Sensed_Signal)  Sender knows it’s a Collision  ABORT 30
  • 31. 2 Observations on CSMA/CD Transmitter can send/listen concurrently  If (Transmitted - Sensed = null)? Then success The signal is identical at Tx and Rx  Non-dispersive The TRANSMITTER can detect if and when collision occurs 31
  • 32. Unfortunately … Both observations do not hold for wireless Because … 32
  • 33. Wireless Medium Access Control C D A B Signal power Distance 33
  • 34. Wireless Media Disperse Energy A cannot send and listen in parallel C D A B Signal power Signal not same at different locations Distance 34
  • 35. IEEE 802.11 RTS = Request CTS = Clear To Send To Send M Y S RTS D CTS X K 35
  • 36. IEEE 802.11 silenced M Y S silenced Data D ACK X silenced K silenced 36
  • 37. Ethernet Frame FormatPreamble Des. Add Sour. Add Type Data FCS 8 Bytes 6 Bytes 6 Bytes 2 46 - 1500 Bytes 4 Bytes Bytes • Preamble: For synchronization • Des. Add: Destination address • Sour. Add: Source address • FCS: Frame Check Sequence 37
  • 38. Ethernet II (DIX) FramingA frame is the unit of transmission in a link layer protocol, and consists ofa link-layer header followed by a packet.MAC Addresses are 48-bit (6 byte) identifiers unique to each NIC.EtherType (2 byte/16-bit) describes which protocol is encapsulated in theframe data – IPv4, IPv6, IBoE, FCoE, etc.(http://standards.ieee.org/regauth/ethertype/eth.txt)
  • 39. There is a “small problem” IEEE 802.3 Frame FormatPreamble Des. Add Sour. Add Length Data FCS 7 1 2/6 2/6 2 46 - 1500 Bytes 4Bytes Byte Bytes Bytes Bytes Bytes
  • 40. MAC Header, Source/Destination addresses MAC Addresses are 48-bit (6 byte) identifiers unique to each Network Interface. • Individual/Group Address Bit • Universally/Locally administered address bit • Organizationally unique identifier (OUI, a 22-bit field assigned by the IEEE) (bits 3-24) • NIC-specific unique address (OUA, a 24-bit number assigned by the manufacturer)
  • 41. NETWORK TOPOLOGIES (shape)
  • 42. BridgeLarge networks can be separated into two or more smaller networksusing a bridge.This is done to increase speed and efficiency. This type of network iscalled a segmented LAN and has largely been superseded by the use ofswitches which can transfer data straight to a computer and thus avoidbottleneck jams which bridges were designed to fix. Bridge
  • 43. GatewayOften used to connect a LAN with a WAN.Gateways join two or more different networks together. Gateway
  • 44. Repeater Signal attenuation is corrected by repeaters that amplify signals in physical cabling. Repeaters are part of the network medium (Layer 1).  In theory, they are dumb devices functioning entirely without human intervention. However, some repeaters now offer higher-level services to assist with network management and troubleshooting. 44
  • 45. Layer 3:Network Layer (IP)
  • 46. Layer 3: Network Layer  The Network Layer provides the functional and procedural means of transferring variable length data sequences from a source to a destination via one or more networks, while maintaining the quality of service requested by the Transport Layer. 46
  • 47. Layer 3: Network Layer  The Network Layer performs  network routing functions,  perform fragmentation and reassembly,  report delivery errors.  Routers operate at this layer—sending data throughout the extended network and making the Internet possible. 47
  • 48. IP V.4 Datagram
  • 49. IP v.4 header Version (4 bits) – 6 or 4 Hlen (4 bits) - Header length in 32 bit words, without options (usual case) = 20 Type of Service (TOS 8 bits): now being used for QoS Total length (16 bits) - length of datagram in bytes, includes header and data Time to live (TTL 8bits) - specifies how long datagram is allowed to remain in internet (how many hops) Protocol (8 bits) - specifies the format of the data area  Protocol numbers administered by central authority to guarantee agreement, e.g. TCP=6, UDP=17 …
  • 50. IP Address Unique addresses in the world An IP address is 32 bits, noted in dotted decimal notation: 192.78.32.2 Host and Prefix Part  An IP address has a prefix and a host part:  prefix:host  Prefix identifies a subnetwork  used for locating a subnetwork – routing  Prefix is usually identified in a host using a ―subnet mask‖
  • 51. Using a mask: address + mask the mask is the dotted decimal representation of the string made of : 1 in the prefix, 0 elsewhere bit wise address & mask gives the prefix example 1: 128.178.156.13 mask 255.255.255.0  here: prefix is 128.178.156.0 example 2: 129.132.119.77 mask 255.255.255.192  Q1: what is the prefix ?  Q2: how many host ids can be allocated ?
  • 52. Address + Mask (example 2)  129.132.119.77 mask 255.255.255.192 ▪ Q1: what is the prefix ? A: 129.132.119.64 129 132 119 77 1000 0001 1000 0100 0111 0111 0100 1101 255 255 255 192 64 addresses 1111 1111 1111 1111 1111 1111 1100 0000 26 6 129 132 119 64 1000 0001 1000 0100 0111 0111 0100 0000 Q2: how many host ids can be allocated ? ▪ A: 64 (minus the reserved addresses: 62)
  • 53. Private networks
  • 54. The maim problem Cisco movie
  • 55. Major Changes and Additions in IPv6 ● Larger Address Space: Addresses are 128 bits long instead of 32 bits. ● Hierarchical Assignment of Addresses: Allows for multiple levels of network and subnetwork hierarchies both at the ISP and organizational level. ● Better Support for Non-Unicast Addressing: Support for multicasting is improved, and new type of addressing: anycast addressing. ● Auto-configuration and Renumbering: auto-configuration of hosts and renumbering of the IP addresses in networks and subnetworks as needed. ● New Datagram Format: The main header of each IP datagram has been streamlined, and support added for easily extending the header for datagrams requiring more control information. ● Improved Support for Quality of Service and Security ● Updated Fragmentation and Reassembly Procedures: fragmentation and reassembly of has been changed, IPv6 improve efficiency of routing. ● Modernized Routing Support: The IPv6 protocol support modern routing systems, and to allow expansion as the Internet grows.
  • 56. IP V.6 vs. V.4 Datagram
  • 57. IP v.4 header Version (4 bits) – 6 or 4 Hlen (4 bits) - Header length in 32 bit words, without options (usual case) = 20 Type of Service (TOS 8 bits): now being used for QoS Total length (16 bits) - length of datagram in bytes, includes header and data Time to live (TTL 8bits) - specifies how long datagram is allowed to remain in internet (how many hops) Protocol (8 bits) - specifies the format of the data area  Protocol numbers administered by central authority to guarantee agreement, e.g. TCP=6, UDP=17 …
  • 58. IP v.6 header Version (4 bits) – 6 or 4 Traffic Class (8 bits) - traffic priority delivery value. Flow Label. 20 bits. Used for specifying special router handling from source to destination(s) for a sequence of packets. Payload Length (16 bits) - Specifies the length of the data Hop Limit (8 bits) - the same as TTL in the IPv4 Source address. 16 bytes. Destination address. 16 bytes.
  • 59. IPv6 address – 128 bit IPv6 address is made of two parts: prefix and suffix (I.e interface-ids) 64 bits 64 bits and hierarchical prefix suffix structure (that depends on format prefix, FP) prefix: FP – Format prefix FP TLA NLA SLA TLA - Top-Level Aggregators suffix: NLA - Next-Level Aggregators Interface ID SLA – Service level Agreements Link-local address (mandatory) is unique within a "link". 1111111010 54 0 64 bits bits suffix
  • 60. IPv6 Autoconfiguration and Renumbering  RFC 2462, IPv6 Stateless Address Autoconfiguration.  IPv6 includes stateless address autoconfiguration feature, which allows a host to determine its own IPv6 address from its Layer 2 address.  The concept: A device generates a temporary address until it can determine the characteristics of the network it is on. Then creates a permanent address it can use based on that information.  In the case of multi-homed devices: Autoconfiguration is performed for each interface separately Stateless address autoconfiguration Stateful address No central server needed to aid in address autoconfiguration configuration Central server allocates full addresses Node forms its own suffix, checks if it is unique to nodes on request Node obtains prefix(es) from the nearest DHCPv6 is the current protocol for router stateful address autoconfiguration
  • 61. IPv6 Extended Unique Identifier (EUI-64)  RFC 2464  IPv6 link-local addresses and statelessly autoconfigured addresses on Ethernet networks  used in Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement and Redirect messages 48-bit MAC address 64-bit IPv6 EUI
  • 62. IPv6 address Types Unicast (1:1) communicate specified one computer Anycast addresses :  nearest node of a set of nodes RFC 4291 currently specifies the following restrictions on anycast addresses: An anycast address must not be used as the source address of a packet. Any anycast address can only be assigned to a router  currently only used to address routers  Multicast (1:n) communicate group of computers No more broadcast in use
  • 63. Representation of IPv6 addresses  Colon hexadecimal notation - 805B:2D9D:DC28:0000:0000:FC57:D4C8:1FFF  Leading zeroes can be suppressed in the notation 805B:2D9D:DC28:0:0:FC57:D4C8:1FFF  Zero Compression in IPv6 Addresses 805B:2D9D:DC28::FC57:D4C8:1FFF  The double-colon can appear only once in any IP address.  IPv6 addresses can embed IPv4. The notation has the first 96 bits in colon hex notation, and the last 32 bits in dotted decimal. eg ::212.200.31.255  Prefix notation can be used as with classless IPv4 addressing with CIDR. Example: 805B:2D9D:DC28::FC57:D4C8:1FFF/48
  • 64. So why isn’t it here yet ? No clear move to IPv6  Lack of smooth migration plans  Investments in IPv4  Software availability - Available from Microsoft Windows XP sp2 Developments in IP v4  Use of NAT  CIDR  Planning of Hierarchies and use of Autonomous Areas  IPsec implemented in IPv4 Other Points  Router Upgrades to handle IPv6 – OSPFv3
  • 65. IPv6/IPv4 ServersDual Server The most important issue will be to create servers that handle both IPv4 and IPv6 The Server Operating System will contain protocol stacks for both IPv4 and IPv6 IPv6 IPv4 IPv6 server client client TCP TCP TCP IPv4 IPv6 IPv4 IPv6 Datalink Datalink Datalink
  • 66. Tunneling IPv6 over IPv4 Transport IPv6 Header Data Header IPv6 Dual-Stack Dual-Stack IPv6 Host Router Router Host IPv6 IPv4 IPv6 Network Network Tunnel: IPv6 in IPv4 packet Transport IPv4 Header IPv6 Header Data Header  IPv6 can operate within a closed or private network environment  Currently across a public networks, such as the Internet, have to cross an IPv4 domain  IPv6 packets can be encapsulated within IPv4  Encapsulated packets can then travel transparently across an IPv4 routing domain  Tunneling can be used by routers and hosts
  • 67. Network Address Translation (NAT)  Possible solution to address space exhaustion  Kludge (but useful)  Sits between your network and the Internet  Translates local network layer addresses to global IP addresses  Has a pool of global IP addresses (less than number of hosts on your network)  Uses special unallocated addresses (RFC 1597) locally  10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 69
  • 68. NAT Illustration Pool of global IP Destination addresses Source G P Global Private Internet Network Dg Data Sg NAT Dg Sp Data • Operation: Source (S) wants to talk to Destination (D): • Create Sg-Sp mapping • Replace Sp with Sg for outgoing packets • Replace Sg with Sp for incoming packets • How many hosts can have active transfers at one time? 70
  • 69. Problems with NAT What if we only have few (or just one) IP address?  Use Network Address & Port Translator (NAPT) NAPT translates:  Translates addrprivate + flow info to addrglobal + new flow info  Uses TCP/UDP port numbers  Potentially thousands of simultaneous connections with one global IP address 71
  • 70. Problems with NAT Hides the internal network structure  Some consider this an advantage Some protocols carry addresses  E.g., FTP carries addresses in text  What is the problem? Must update transport protocol headers (port number & checksum) Encryption No inbound connections 72
  • 71. IP V.4 Datagram
  • 72. Fragmentation IP packets can be up to 64KB Different link-layers have different MTUs (Max Transfer Unit. Ethernet=1500B) Split IP packet into multiple fragments  IP header on each fragment  Intermediate router may fragment as needed 74
  • 73. TCP/IP Fragmentation TCP IP
  • 74. Reassembly Where to do reassembly? End nodes  Avoids unnecessary work where large packets are fragmented multiple times Dangerous to do at intermediate nodes  How much buffer space required at routers?  What if routes in network change?  Multiple paths through network  All fragments only required to go through destination 76
  • 75. IP Fragmentation and Reassembly length ID fragflag offset =4000 =x =0 =0 One large datagram becomes several smaller datagrams length ID fragflag offset =1500 =x =1 =0 length ID fragflag offset =1500 =x =1 =1500 length ID fragflag offset =1000 =x =0 =3000 77
  • 76. Fragmentation is Harmful Uses resources poorly  Forwarding costs per packet  Best if we can send large chunks of data  Worst case: packet just bigger than MTU Poor end-to-end performance  Loss of a fragment Reassembly is hard  Buffering constraints 78
  • 77. Path MTU Discovery Hosts dynamically discover minimum MTU of path Algorithm:  Initialize MTU to MTU for first hop  Send datagrams with Don’t Fragment bit set  If ICMP ―pkt too big‖ msg, decrease MTU What happens if path changes?  Periodically (>5mins, or >1min after previous increase), increase MTU Some routers will return proper MTU MTU values cached in routing table 79
  • 78. Layer 4:Transport Layer
  • 79. Layer 4: Transport Layer The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. 81
  • 80. Layer 4: Transport Layer Feature Name TP0 TP1 TP2 TP3 TP4 Connection oriented network Yes Yes Yes Yes Yes Connectionless network No No No No Yes Concatenation and separation No Yes Yes Yes Yes Segmentation and reassembly Yes Yes Yes Yes Yes Error Recovery No Yes No Yes Yes Reinitiate connection (if an excessive number of PDUs are No Yes No Yes No unacknowledged) multiplexing and demultiplexing No No Yes Yes Yes over a single virtual circuit Explicit flow control No No Yes Yes Yes Retransmission on timeout No No No No Yes Reliable Transport Service No Yes No Yes Yes 82
  • 81. TCP - Transmission Control Protocol Connection oriented - Reliable stream transport  Conceptually, two ends communicate to agree on details  After agreeing application notified of connection  During transfer, ends communicate continuously to verify data received correctly  When done, ends tear down the connection Provides buffering and flow control Takes care of lost packets, out of order, duplicates, long delays Usually used for browsing, FTP, Mail, etc.
  • 82. UDP- User Datagram Protocol  Connectionless Datagram- Not Reliable transport  Minimal overhead, high performance  No setup/teardown, 1 datagram at a time  Application responsible for reliability  Includes datagram loss, duplication, delay, out-of-sequence, multiplexing, loss of connectivity  Usually used for Voice & Video streaming, broadcasting, etc.
  • 83. TCP vs. UDP data format0 4 8 16 24 31 Source port Destination port 0 8 16 24 31 Sequence number Source port Destination port Acknowledgement number UDP message len Checksum (opt.)Hlen Res Code Window Data v Checksum Urgent ptr … Options (if any) Padding Data if any …
  • 84. TCP data format Port - TCP port numbers to ID applications at both ends of connection Sequence number - ID position in sender’s byte stream Acknowledgement - identifies the number of the byte the sender of this segment expects to receive next Hlen - specifies the length of the segment header in 32 bit multiples. If there are no options, the Hlen = 5 (20 bytes) Code - used to determine segment purpose, e.g. SYN, ACK, FIN, URG
  • 85. TCP data format (cont.) Window - Advertises how much data this station is willing to accept. Can depend on buffer space remaining. Checksum -Verifies the integrity of the TCP header and data. It is mandatory. Urgent pointer - used with the URG flag to indicate where the urgent data starts in the data stream. Typically used with a file transfer abort during FTP or when pressing an interrupt key in telnet. Options -used for window scaling, SACK, timestamps, maximum segment size etc.
  • 86. Layer 5:Session Layer
  • 87. Layer 5: Session Layer The Session Layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. 89
  • 88. Layer 6: Presentation Layer The Presentation Layer establishes a context between Application Layer entities, in which the higher-layer entities can use different syntax and semantics, as long as the presentation service understands both and the mapping between them. This layer provides independence from differences in data representation (e.g., encryption) by translating from application to network format, and vice versa. This layer formats and encrypts data to be sent across a network, providing freedom from compatibility problems. It is sometimes called the syntax layer. 90
  • 89. Layer 7: Application Layer The application layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application. Application layer functions typically include:  identifying communication partners,  determining resource availability,  synchronizing communication. 91
  • 90. URL A standard scheme for compactly identifying any document on any Web server Components:  A protocol name: http, rtp, rtsp  ://  A server domain name or server IP address  A path to a resource ( an HTML file or a CGI script) System Name Path Name http://today@poly.edu:999/ee-dept/event.html Service Type: http, telnet, Port Number: File Name ftp, gopher, … specified if non-default port is used 92
  • 91. HyperText Transfer Protocol (HTTP)  Application layer protocol  Distributes information in the WWW  Based on the client/server architecture  HTTP client (web browser): sends a request to a server for a file  HTTP server (web server): well-known port number 80, responds with the requested file if it is available  A single TCP connection is used web browser web server request HTTP HTTP response TCP TCP IP IP Network Network 93
  • 92. HTTP Messages English-based and flexible, not code-based as lower layer protocols Components of an HTTP message:  A start-line  Optional headers, each has a header name and a value  A blank line (a ―rn‖ only)  The requested file or other data in an HTTP response. 94
  • 93. HTTP Request Message Request Line:  Request Type  URL  HTTP version Optional Headers  Header name  Value A blank line The Request Type defines methods in messages  GET, HEAD – retrieve a full document or some info about a document from the server  PUT, PATCH – provide a new/replacement document or a list of difference to implement in an existing document to the server  COPY, MOVE, DELETE – copy, move, or delete a document  …… 95
  • 94. HTTP Response Message Status Line:  HTTP version  Status Code  Status phrase Optional Headers  Header name  Value A blank line Data Body  The Status Code is similar to those in the FTP and the SMTP protocol with 3 digits  The Status Phrase explains the status code such as continue, switching, OK, accepted, no content, multiple choices, bad request, unauthorized, forbidden, not found, internal server error, service unavailable, … … 96
  • 95. HTTP TCP Connections The client first establishes a TCP connection to the server before an HTTP request The server may terminate the TCP connection after the HTTP response is sent For embedded objects in a HTML file  The client sends a request for each embedded object  In HTTP/1.0, the client establishes a TCP connection for each request, not efficient for a file with many embedded objects  In HTTP/1.1, persistent connections are supported  All embedded objects are sent through the TCP connection established for the first request  Both the client and server have to enable the persistent connection feature 97
  • 96. HTTP Requests & Responses open web browser web server opened HTTP HTTP request TCP TCP response IP close IP Network closed Network  HTTP has four stages: Open, Request, Response, Close  A TCP session for HTTP/1.0 does not stay open and wait for multiple requests/responses – not efficient when HTML file has many embedded objects like pictures  HTTP/1.1 supports persistent connections that allow all the embedded objects sent through the same TCP connection 98
  • 97. HTTP Proxies proxy web browser request request web server HTTP HTTP HTTP response TCP response TCP TCP IP IP IP Network Network Network Cache Proxy server acts as both a client and server  receiving client’s initial requests, translating requests, passing requests to other servers Proxies can be used with firewalls to block undesired traffic Cache feature of a Web proxy server reduces network traffic by saving recently viewed pages on the disk driver 99
  • 98. DHCP Dynamic Host Configuration Protocol (DHCP) is designed, to dynamically configure TCP/IP hosts in a centralized manner from DHCP server. DHCP server maintains a collection of configuration parameters, such as IP addresses, subnet mask, default gateway IP address, to make a configured host work in the network. A DHCP client queries the server for the configuration parameters. The DHCP server returns configuration parameters to the client. 100
  • 99. DHCP DHCP can provide persistent storage of network parameters for the clients  A client can be assigned with same set of parameters whenever it bootstraps, or is moved to another subnet  The DHCP server keeps a key-value entry for each client and uses the entries to match queries from the clients  The entry could be a combination of a subnet address and the MAC address (or domain name) of a client DHCP can also assign configuration parameters dynamically  The DHCP server maintains a pool of parameters and assigns an unused set of parameters to a querying client  A DHCP client leases an IP address for a period of time. When the lease expires, the client may renew the lease, or the IP address is put back to the pool for future assignments 101
  • 100. DHCP Operations When two DHCP servers are used 1) A client first broadcasts a DHCPDISCOVERY message on its local physical network during bootstrapping.  The message may be forwarded by relay agents to servers in other physical networks. 2) Each server may respond with a DHCPOFFER message with an available network address in the Your IP Address field. 102
  • 101. DHCP Operations When two DHCP servers are used 3) The client may receives more than one DHCPOFFER messages.  It chooses one server from all responding servers based on the configuration parameters offered.  The client then broadcasts a DHCPREQUEST message with the Server Identifier option to indicated the selected server. 103
  • 102. DHCP Operations When two DHCP servers are used 4) When the DHCPREQUEST message is received, only the chosen server responds with a DHCPACK message carrying a full set of configuration parameters to the client.  When the client receives, it checks the parameters and configures its TCP/IP modules using the parameters.  The message specifies the duration of the lease. When the lease expires, the client may ask the server to renew it. Otherwise, the address will be put back in the pool or assigned to other hosts. 104
  • 103. DHCP Operations When two DHCP servers are used 5) The client may send a DHCPRELEASE message to the server to relinquish the lease on the network address. 105
  • 104. DHCP Message Format 106
  • 105. DHCP Message Fields Opcode  1 means a boot request from client  2 means a boot reply from server Hardware Address Type  The values are defined in the ―Assigned Numbers‖ RFC  The value is 1 for an Ethernet MAC address HW address length  The length of the hardware address Hop count  Optionally used by relay agents  A relay agent is a host or router that forwards DHCP messages between DHCP clients and servers 107
  • 106. DHCP Message Fields Transaction ID  Randomly assigned to link requests and replies between a client and a server Number of seconds  Elapsed time in seconds since the client began an address acquisition or renewal process Flags  Broadcast flag, the leftmost bit. Used when a client cannot receive a unicast IP datagram before its interface is configured  Remaining 15 bits must be 0 (reserved for future use) 108
  • 107. DHCP Message Fields Client IP address  Use when the client is in BOUND, RENEW, and REBINDING state and can respond to ARP requests Your IP address  client’s IP address from DHCP server Server IP address  the IP address of the next server to use in bootstrap Relay agent IP address  used when booting via a relay agent 109
  • 108. DHCP Message Fields  Client Hw address  The hardware address of the client  For an Ethernet address, the first 6 bytes are filled and the remaining bytes are set to 0  Server hostname  Hostname of the DHCP server  Boot filename:  Use in a DHCPOFFER message to specify the fully qualified, null terminated path name of a file to bootstrap from  Options  optional vendor specific field 110
  • 109. DHCP Configuration An example of a DHCP server configuration file 111
  • 110. MPLS
  • 111. Motivation • IP o The first defined and used protocol o De facto the only protocol for global Internet working  … but there are disadvantages
  • 112. Motivation (cont.)• IP Routing disadvantages o Connectionless - e.g. no QoS o Large IP Header - At least 20 bytes o Routing in Network Layer - Slower than Switching o Usually designed to obtain shortest path - Do not take into account additional metrics
  • 113. Motivation (cont.) • ATM o connection oriented - Supports QoS o fast packet switching with fixed length packets (cells) o integration of different traffic types (voice, data, video) … but there are also disadvantages
  • 114. Motivation (cont.) • ATM disadvantages o Complex o Expensive o Not widely adopted
  • 115. Motivation (cont.)• Idea: Combine the forwarding algorithm used in ATM with IP.
  • 116. MPLS Basics• Multi Protocol Label Switching is arranged between Layer 2 and Layer 3
  • 117. MPLS Basics (cont.)• MPLS Characteristics o Mechanisms to manage traffic flows of various granularities (Flow Management) o Is independent of Layer-2 and Layer-3 protocols o Maps IP-addresses to fixed length labels o Supports ATM, Frame-Relay and Ethernet
  • 118. Label• Generic label format
  • 119. Label Edge Router - LER• Resides at the edge of an MPLS network and assigns and removes the labels from the packets.• Support multiple ports connected to dissimilar networks (such as frame relay, ATM, and Ethernet).
  • 120. Label Switching Router - LSR• Is a high speed router in the core on an MPLS network.• ATM switches can be used as LSRs without changing their hardware. Label switching is equivalent to VP/VC switching.
  • 121. Positions of LERs & LSRs
  • 122. Label Distribution Protocol - LDP • An application layer protocol for the distribution of label binding information to LSRs. o It is used to map FECs to labels, which, in turn, create LSPs. o LDP sessions are established between LDP peers in the MPLS network (not necessarily adjacent). o Sometimes employs OSPF or BGP.
  • 123. Traffic Engineering• In MPLS, traffic engineering is inherently provided using explicitly routed paths.• The LSPs are created independently, specifying different paths that are based on user-defined policies. However, this may require extensive operator intervention.• RSVP-TE and CR-LDP are two possible approaches to supply dynamic traffic engineering and QoS in MPLS.
  • 124. MPLS Operation• The following steps must be taken for a data packet to travel through an MPLS domain. o label creation and distribution o table creation at each router o label-switched path creation o label insertion/table lookup o packet forwarding
  • 125. MPLS Operation Example
  • 126. Tunneling in MPLS• Control the entire path of a packet without explicitly specifying the intermediate routers. o Creating tunnels through the intermediary routers that can span multiple segments.• MPLS based VPNs.
  • 127. MPLS Advantages• Improves packet-forwarding performance in the network• Supports QoS and CoS for service differentiation• Supports network scalability• Integrates IP and ATM in the network• Builds interoperable networks
  • 128. MPLS Disadvantages• An additional layer is added• The router has to understand MPLS
  • 129. Security - IPsec
  • 130. IP is not Secure! IP protocol was designed in the late 70s to early 80s  Part of DARPA Internet Project  Very small network  All hosts are known!  So are the users!  Therefore, security was not an issue 133
  • 131. Security Issues in IP  source spoofing  replay packets • DOS attacks • Replay attacks  no data integrity or • Spying confidentiality • and more… Fundamental Issue: Networks are not (and will never be) fully secure 134
  • 132. Goals of IPSec  to verify sources of IP packets  authentication  to prevent replaying of old packets  to protect integrity and/or confidentiality of packets  data Integrity/Data Encryption 135
  • 133. IPSec Architecture ESP AH Encapsulating Security Authentication Header Payload IPSec Security Policy IKE The Internet Key Exchange 136
  • 134. IPSec Architecture IPSec provides security in three situations:  Host-to-host, host-to-gateway and gateway-to-gateway IPSec operates in two modes:  Transport mode (for end-to-end)  Tunnel mode (for VPN) 137
  • 135. IPsec Architecture Transport Mode Router Router Tunnel Mode 138
  • 136. Various Packets Original IP header TCP header data Transport IP header IPSec header TCP header data mode Tunnel IP header IPSec header IP header TCP header data mode 139
  • 137. Authentication Header (AH)  Provides source authentication  Protects against source spoofing  Provides data integrity  Protects against replay attacks  Use monotonically increasing sequence numbers  Protects against denial of service attacks  NO protection for confidentiality!  Use cryptographically strong hash algorithms to protect data integrity (96-bit)  Use symmetric key cryptography  HMAC-SHA-96, HMAC-MD5-96 140
  • 138. AH Packet Details New IP header Next Payload Reserved header length Security Parameters Index (SPI) Authenticated Encapsulated Sequence Number TCP or IP packet Old IP header (only in Tunnel mode) TCP headerHash of everything else Data Authentication Data 141
  • 139. Encapsulating Security Payload (ESP) Provides all that AH offers, and in addition provides data confidentiality  Uses symmetric key encryption 142
  • 140. ESP Details  Same as AH:  Use 32-bit sequence number to counter replaying attacks  Use integrity check algorithms  Only in ESP:  Data confidentiality:  Uses symmetric key encryption algorithms to encrypt packets 143
  • 141. ESP Packet Details IP header Next Payload Reserved header length Security Parameters Index (SPI) Sequence Number Authenticated Initialization vector TCP header Data Encrypted TCP packet Pad Pad length Next Authentication Data 144
  • 142. Question?1. Why have both AH and ESP?2. Both AH and ESP use symmetric key based algorithms  Why not public-key cryptography?  How are the keys being exchanged?  What algorithms should we use?  Similar to deciding on the ciphersuite in SSL 145
  • 143. Internet Key Exchange (IKE) Exchange and negotiate security policies Establish security sessions  Identified as Security Associations Key exchange Key management Can be used outside IPsec as well 146
  • 144. IPsec/IKE Acronyms Security Association (SA)  Collection of attribute associated with a connection  Is asymmetric!  One SA for inbound traffic, another SA for outbound traffic  Similar to ciphersuites in SSL Security Association Database (SADB)  A database of SAs 147
  • 145. IPsec/IKE Acronyms Security Parameter Index (SPI)  A unique index for each entry in the SADB  Identifies the SA associated with a packet Security Policy Database (SPD)  Store policies used to establish SAs 148
  • 146. How They Fit Together SPD SA-1 SA-2 SADB SPI SPI 149
  • 147. SPD and SADB Example Transport Mode A’s SPD From To Protocol Port Policy A B C D A B Any Any AH[HMAC-MD5] Tunnel Mode From To Protocol SPI SA Record A’s SADB A B AH 12 HMAC-MD5 key From To Protocol Port Policy Tunnel Dest Asub Bsub Any Any ESP[3DES] D C’s SPD From To Protocol SPI SA Record C’s SADB Asub Bsub ESP 14 3DES key 150
  • 148. How It Works IKE operates in two phases  Phase 1: negotiate and establish an auxiliary end-to-end secure channel  Used by subsequent phase 2 negotiations  Only established once between two end points!  Phase 2: negotiate and establish custom secure channels  Occurs multiple times  Both phases use Diffie-Hellman key exchange to establish a shared key 151
  • 149. IKE Phase 1 Goal: to establish a secure channel between two end points  This channel provides basic security features:  Source authentication  Data integrity and data confidentiality  Protection against replay attacks 152
  • 150. IKE Phase 1 Rationale: each application has different security requirements But they all need to negotiate policies and exchange keys! So, provide the basic security features and allow application to establish custom sessions 153
  • 151. Examples All packets sent to address mybank.com must be encrypted using 3DES with HMAC-MD5 integrity check All packets sent to address www.forum.com must use integrity check with HMAC-SHA1 (no encryption is required) 154
  • 152. Phase 1 Exchange Can operate in two modes:  Main mode  Six messages in three round trips  More options  Quick mode  Four messages in two round trips  Less options 155
  • 153. Phase 1 (Main Mode) Initiator Responder [Header, SA1] 156
  • 154. Phase 1 (Main Mode) Initiator Responder [Header, SA1] [Header, SA2] Establish vocabulary for further communication 157
  • 155. Phase 1 (Main Mode) Initiator Responder [Header, SA1] [Header, SA2][Header, KE, Ni, {Cert_Reg} ] 158
  • 156. Phase 1 (Main Mode) Initiator Responder Header, SA1 [Header, SA1][Header, KE, Ni { , Cert_Req} ] [Header, KE, Nr {, Cert_Req}] Establish secret key using Diffie-Hellman key exchange Use nonces to prevent replay attacks 159
  • 157. Phase 1 (Main Mode) Initiator Responder [Header, SA1] [Header, SA1][Header, KE, Ni {,Cert_Req} ] [Header, KE, Nr {,Cert_Req}] [Header, IDi, {CERT} sig] 160
  • 158. Phase 1 (Main Mode) Initiator Responder [Header, SA1] [Header, SA1][Header, KE, Ni {, Cert_req}] [Header, KE, Nr {, Cert_req}] [Header, IDi, {CERT} sig] [Header, IDr, {CERT} sig] Signed hash of IDi (without Cert_req , just send the hash) 161
  • 159. Phase 1 (Aggressive Mode) Initiator Responder [Header, SA1, KE, Ni, IDi] 162
  • 160. Phase 1 (Aggressive Mode) Initiator Responder [Header, SA1, KE, Ni, IDi] [Header, SA2, KE, Nr, IDr, [Cert]sig] [Header, [Cert]sig] First two messages combined into one (combine Hello and DH key exchange) 163
  • 161. IPSec (Phase 1) Four different way to authenticate (either mode)  Digital signature  Two forms of authentication with public key encryption  Pre-shared key NOTE: IKE does use public-key based cryptography for encryption 164
  • 162. IPSec (Phase 2) Goal: to establish custom secure channels between two end points  End points are identified by <IP, port>:  e.g. <www.mybank.com, 8000>  Or by packet:  e.g. All packets going to 128.124.100.0/24  Use the secure channel established in Phase 1 for communication 165
  • 163. IPSec (Phase 2) Only one mode: Quick Mode Multiple quick mode exchanges can be multiplexed Generate SAs for two end points Can use secure channel established in phase 1 166
  • 164. IP Payload Compression Used for compression Can be specified as part of the IPSec policy Will not cover! 167
  • 165. Outline Why IPsec? IPsec Architecture Internet Key Exchange (IKE) IPSec Policy Discussion 168
  • 166. IPsec Policy Phase 1 policies are defined in terms of protection suites Each protection suite  Must contain the following:  Encryption algorithm  Hash algorithm  Authentication method  Diffie-Hellman Group  May optionally contain the following:  Lifetime  … 169
  • 167. IPSec Policy Phase 2 policies are defined in terms of proposals Each proposal:  May contain one or more of the following  AH sub-proposals  ESP sub-proposals  IPComp sub-proposals  Along with necessary attributes such as  Key length, life time, etc 170
  • 168. IPSec Policy Example In English:  All traffic to 128.104.120.0/24 must be:  Use pre-hashed key authentication  DH group is MODP with 1024-bit modulus  Hash algorithm is HMAC-SHA (128 bit key)  Encryption using 3DES In IPSec:  [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES] 171
  • 169. IPsec Policy Example In English:  All traffic to 128.104.120.0/24 must use one of the following:  AH with HMAC-SHA or,  ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm) In IPsec:  [AH: HMAC-SHA] or,  [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)] 172
  • 170. IP protocol suite HTML RT Data Signalling SMTP POP, Protocols IMAP FTP HTTP DNS RTP (e.g. ISUP) TCP UDP SCTP IP ICMP RIP OSPF BGP SLIP PPP ARP LAN-protocols, ATM, PSTN/ISDN, PLMN …
  • 171. SCTP is used for signalling transport Signalling Protocol (e.g. ISUP) SCCP Adapt. pr. Sigtran Protocol conversion in SCTP protocols MTP signalling gateway (SGW) IP Phys. Transport of SS7 type Transport of SS7 type application protocols application protocols (e.g. (e.g. ISUP) in SS7 ISUP) over IP network network using MTP (+ using Sigtran protocols SCCP)
  • 172. Example: downloading HTML page (1) User HTML page Send me terminal source HTML page (Client) (Server) HTTP Internet service HTTP TCP provider’s PoP TCP IP IP IP PPP PPP ATM ATM Modem connection and PPP link between user terminal and ISP’s Point of Presence (PoP) is established. User terminal is given IP address (dynamic allocation).
  • 173. Example: downloading HTML page (2) User DNS replies ... HTML page terminal UDP source (Client) IP (Server) Contact DNS ... HTTP UDP UDP TCP IP IP IP PPP PPP ATM ATM DNS performs translation between URL and IP address of server (only the latter is used for routing IP packets to the server).
  • 174. Example: downloading HTML page (3) User HTML page terminal source (Client) (Server) HTTP Three-way handshaking HTTP TCP TCP IP IP IP PPP PPP ATM ATM TCP connection is set up. Note that IP packets can be routed over different bearer networks (like ATM as above) and do not necessarily follow the same path.
  • 175. Example: downloading HTML page (4) User HTML page terminal source (Client) (Server) Request HTTP Reply HTTP TCP TCP IP IP IP PPP PPP ATM ATM HTTP request (get HTML page) is sent to server. HTTP reply (including HTML page) is returned in a “200 ok” message.
  • 176. Example: downloading HTML page (5) User HTML page terminal source (Client) (Server) HTTP Two-way handshaking HTTP TCP TCP IP IP IP PPP PPP ATM ATM If the client has no more requests, the TCP connection is cleared.
  • 177. Example: downloading HTML page (6) User HTML page terminal source (Client) (Server) HTTP HTTP TCP TCP IP IP IP PPP PPP ATM ATM When requested by the client, the PPP and modem connections are cleared. (Bearer connections within the Internet backbone are naturally not cleared.)