ICS 156: Lecture 2 (part 2): Data link layer protocols, Address resolution protocol, Notes on lab 2


Dec 14, 2015

Aliyah Flow
Page 1

ICS 156: Lecture 2 (part 2)

Data link layer protocols
Address resolution protocol
Notes on lab 2

Page 2

TCP/IP Protocol Stack

[Figure: the four layers of the TCP/IP stack, Application layer, Transport layer, Network layer and (Data) link layer; in local area networks the link layer is split into a Logical Link Control (LLC) sublayer and a Media Access Control (MAC) sublayer]

• The TCP/IP protocol stack runs on top of multiple data link layers.
• Two data link layer technologies:
  • Broadcast
  • Point-to-Point

Page 3

Data Link Layer

• The main tasks of the data link layer are:
  – Transfer data from the network layer of one machine to the network layer of another machine
  – Convert the raw bit stream of the physical layer into groups of bits ("frames")

[Figure: two protocol stacks (Network layer, Data link layer, Physical layer) side by side]

Page 4

Two types of networks at the data link layer

– Broadcast Networks: All stations share a single communication channel
– Point-to-Point Networks: Pairs of hosts (or routers) are directly connected

• Typically, local area networks (LANs) are broadcast and wide area networks (WANs) are point-to-point

[Figure: a broadcast network next to a point-to-point network]

Page 5

Local Area Networks

• Local area networks (LANs) connect computers within a building or an enterprise network
• Almost all LANs are broadcast networks
• Typical topologies of LANs are bus, ring or star
• We will work with Ethernet LANs. Ethernet has a bus or star topology.

[Figure: a bus LAN and a ring LAN]

Page 6

MAC and LLC

• In any broadcast network, the stations must ensure that only one station transmits at a time on the shared communication channel
• The protocols that determine who may transmit on a broadcast channel are called Medium Access Control (MAC) protocols
• MAC protocols are implemented in the MAC sublayer, which is the lower sublayer of the data link layer
• The upper portion of the data link layer is often called Logical Link Control (LLC)

[Figure: the data link layer, between the network layer above and the physical layer below, split into Logical Link Control (upper sublayer) and Medium Access Control (lower sublayer)]

Page 7

IEEE 802 Standards

• IEEE 802 is a family of standards for LANs, which defines one LLC sublayer and several MAC sublayers

[Figure: the IEEE 802 reference model laid against the Data link layer and Physical layer of the OSI-style stack]
  – 802.1: higher-layer issues
  – 802.2: Logical Link Control (LLC)
  – MAC and physical layer standards: 802.3 CSMA/CD, 802.4 token bus, 802.5 token ring, 802.11 wireless LAN

Page 8

Ethernet

• Speed: 10 Mbps to 10 Gbps
• Standard: 802.3, Ethernet II (DIX)
• Most popular physical layers for Ethernet:
  • 10Base5 Thick Ethernet: 10 Mbps over coax cable
  • 10Base2 Thin Ethernet: 10 Mbps over coax cable
  • 10Base-T: 10 Mbps over twisted pair
  • 100Base-TX: 100 Mbps over Category 5 twisted pair
  • 100Base-FX: 100 Mbps over fiber optics
  • 1000Base-SX/LX: 1 Gbps over fiber optics
  • 10GBase-LR/ER: 10 Gbps over fiber optics (for wide area links)

Page 9

Bus Topology Ethernet

• 10Base5 and 10Base2 Ethernets have a bus topology

[Figure: bus topology]

Page 10

Star Topology

• Starting with 10Base-T, stations are connected to a hub in a star configuration

[Figure: stations connected to a central hub]

Page 11

Ethernet Hubs vs. Ethernet Switches

• An Ethernet switch is a packet switch for Ethernet frames
  • Buffering of frames prevents collisions
  • Each port is isolated and forms its own collision domain
  • Because a switch forwards a unicast frame only to the port on which it learned the destination MAC address, a station on a switched LAN no longer sees all traffic; this is why attacks on address resolution (later in this lecture) matter
• An Ethernet hub does not perform buffering:
  • Collisions occur if two frames arrive at the same time

[Figure: a hub, where all ports run CSMA/CD on one shared collision domain, next to a switch, where each port runs CSMA/CD on its own and frames pass through input buffers, a high-speed backplane and output buffers]

Page 12

Ethernet and IEEE 802.3: Any Difference?

• There are two types of Ethernet frames in use, with subtle differences:
  • "Ethernet" (Ethernet II, DIX (Digital-Intel-Xerox)):
    • An industry standard from 1982 that is based on the first implementation of CSMA/CD by Xerox
    • Predominant version of CSMA/CD in the US
  • 802.3:
    • IEEE's version of CSMA/CD from 1985
    • Interoperates with 802.2 (LLC) as higher layer
• Difference for our purposes: Ethernet and 802.3 use different methods to encapsulate an IP datagram.

Page 13

Ethernet II, DIX Encapsulation (RFC 894)

Frame layout (field: size in bytes):

  destination address (6) | source address (6) | type (2) | data (46-1500) | CRC (4)

Type field values and data field contents:

  0800 | IP datagram (46-1500)
  0806 | ARP request/reply (28) + PAD (18)
  8035 | RARP request/reply (28) + PAD (18)

(The data field is at least 46 bytes, so a 28-byte ARP or RARP packet is followed by 18 bytes of padding. The RARP type value is 0x8035.)

Page 14

IEEE 802.2/802.3 Encapsulation (RFC 1042)

Frame layout (field: size in bytes):

  802.3 MAC header: destination address (6) | source address (6) | length (2)
  802.2 LLC header: DSAP = AA (1) | SSAP = AA (1) | cntl = 03 (1)
  802.2 SNAP header: org code = 0 (3) | type (2)
  data (38-1492) | CRC (4)

- destination address, source address: MAC addresses are 48 bit
- length: number of bytes that follow the length field (LLC/SNAP header plus data, not counting padding and CRC)
- DSAP, SSAP: always set to 0xaa
- Ctrl: set to 3
- org code: set to 0
- type field identifies the content of the data field
- CRC: cyclic redundancy check

Type field values and data field contents:

  0800 | IP datagram (38-1492)
  0806 | ARP request/reply (28) + PAD (10)
  8035 | RARP request/reply (28) + PAD (10)
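Added example, not from the lecture slides: a small Python encoder and demultiplexer for the two encapsulations above. It wraps a constructed 28-byte stand-in for an ARP packet both ways and shows the one practical difference a receiver sees: the 802.3 length field says where the data ends, while an Ethernet II receiver gets the padding along with the data and must rely on the upper protocol to know its own length. The value test on the third 16-bit field (EtherType >= 0x0600 versus length <= 1500) is the standard rule; the source address is the slides' host Argon and the destination is the broadcast address.

```python
# Added example, not from the lecture: build and demultiplex the two
# IP-over-Ethernet encapsulations, Ethernet II / DIX (RFC 894) and
# IEEE 802.2/802.3 with SNAP (RFC 1042). The 28-byte payload is a
# constructed stand-in for an ARP packet.
import struct
import zlib

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP"}
SNAP_HDR = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])  # DSAP, SSAP, ctrl, org code
MIN_PAYLOAD = 46    # 64-byte minimum frame minus 14-byte header and 4-byte FCS
MAX_PAYLOAD = 1500


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fcs(frame_body):
    # The Ethernet FCS is the same CRC-32 zlib uses, sent least significant byte first.
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_ethernet2(dst, src, ethertype, data):
    if len(data) > MAX_PAYLOAD:
        raise ValueError("data exceeds 1500 bytes")
    data = data + bytes(max(0, MIN_PAYLOAD - len(data)))          # pad to 46 bytes
    body = mac(dst) + mac(src) + struct.pack("!H", ethertype) + data
    return body + fcs(body)


def build_8023_snap(dst, src, ethertype, data):
    llc = SNAP_HDR + struct.pack("!H", ethertype) + data           # 8-byte LLC/SNAP + data
    if len(llc) > MAX_PAYLOAD:
        raise ValueError("data exceeds 1492 bytes")
    padded = llc + bytes(max(0, MIN_PAYLOAD - len(llc)))
    # The length field counts the LLC/SNAP header and data, not the padding.
    body = mac(dst) + mac(src) + struct.pack("!H", len(llc)) + padded
    return body + fcs(body)


def fcs_ok(frame):
    return len(frame) >= 64 and fcs(frame[:-4]) == frame[-4:]


def demux(frame):
    """Return (encapsulation, ethertype, data) for a received frame.

    The 16-bit field after the source address tells the two formats apart:
    EtherTypes are >= 0x0600 (1536) and 802.3 lengths are <= 1500, so no
    value is ambiguous."""
    if not fcs_ok(frame):
        raise ValueError("runt frame or bad FCS")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    body = frame[14:-4]
    if type_or_len >= 0x0600:
        # Ethernet II: nothing in the frame marks where data ends and padding
        # begins; the upper protocol must know its own length (IP total
        # length, ARP's fixed 28 bytes). The padding is returned with the data.
        return "Ethernet II", type_or_len, body
    if type_or_len < 8 or type_or_len > len(body):
        raise ValueError("bad 802.3 length field")
    if body[:6] != SNAP_HDR:
        raise ValueError("LLC frame without an RFC 1042 SNAP header")
    (ethertype,) = struct.unpack("!H", body[6:8])
    return "802.3/SNAP", ethertype, body[8:type_or_len]   # length lets us drop the pad


# Constructed sample: a 28-byte ARP-sized payload broadcast by the slides' host Argon.
ARP_SIZED = bytes(range(28))
ETH2_FRAME = build_ethernet2("ff:ff:ff:ff:ff:ff", "00:a0:24:71:e4:44", 0x0806, ARP_SIZED)
SNAP_FRAME = build_8023_snap("ff:ff:ff:ff:ff:ff", "00:a0:24:71:e4:44", 0x0806, ARP_SIZED)

if __name__ == "__main__":
    for frame in (ETH2_FRAME, SNAP_FRAME):
        encap, etype, data = demux(frame)
        print(f"{encap:11} type={etype:#06x} ({ETHERTYPES[etype]}) data={len(data)} bytes")
```

Both frames come out at the 64-byte minimum: the Ethernet II frame carries 18 bytes of padding after the 28-byte payload, the 802.3 frame 10 bytes after the 36-byte LLC/SNAP unit, matching the PAD sizes in the two tables. A parser that trusts the Ethernet II data length instead of the upper protocol's own length field will hand padding to the protocol above it.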

Page 15

Point-to-Point (serial) links

• Many data link connections are point-to-point serial links:
  – Dial-in or DSL access connects hosts to access routers
  – Routers are connected by high-speed point-to-point links
• Here, IP hosts and routers are connected by a serial cable
• Data link layer protocols for point-to-point links are simple:
  – Main role is encapsulation of IP datagrams
  – No media access control needed

[Figure: dial-up access, with hosts reaching an access router through modems, and routers interconnected by point-to-point links]

Page 16

Data Link Protocols for Point-to-Point links

• SLIP (Serial Line IP):
  • First protocol for sending IP datagrams over dial-up links (from 1988)
  • Encapsulation, not much else
• PPP (Point-to-Point Protocol):
  • Successor to SLIP (1992), with added functionality
  • Used for dial-in and for high-speed routers
• HDLC (High-level Data Link Control):
  • Widely used and influential standard (1979)
  • Default protocol for serial links on Cisco routers
  • Actually, PPP is based on a variant of HDLC

Page 17

PPP - IP encapsulation

• The frame format of PPP is similar to HDLC and the 802.2 LLC frame format (field: size in bytes):

  flag = 7E (1) | addr = FF (1) | ctrl = 03 (1) | protocol (2) | data (<= 1500) | CRC (2) | flag = 7E (1)

  Protocol field values:
    0021 | IP datagram
    C021 | link control data
    8021 | network control data

• PPP assumes a duplex circuit
• Note: PPP does not use addresses (the address field carries the fixed value FF)
• Usual maximum frame size is 1500
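Added example, not from the lecture: PPP framing as used on an asynchronous dial-up link, following RFC 1661/1662. It assumes the defaults that hold before LCP negotiates anything: every control character is escaped (ACCM 0xFFFFFFFF), no address/control or protocol field compression, and the 16-bit FCS. The datagram bytes are constructed and deliberately contain the flag, escape and control values that must be stuffed.

```python
# Added example, not from the lecture: PPP framing for an asynchronous
# (dial-up) link per RFC 1661/1662. Assumes the defaults before LCP
# negotiates anything: every control character escaped, no address/control
# or protocol field compression, 16-bit FCS. The datagram bytes are constructed.
import struct

FLAG, ESC = 0x7E, 0x7D
PROTO_IP, PROTO_IPCP, PROTO_LCP = 0x0021, 0x8021, 0xC021
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8      # PPPINITFCS16 / PPPGOODFCS16 from RFC 1662


def ppp_fcs16(data, fcs=FCS_INIT):
    """CRC-16 with reflected polynomial 0x8408 (CRC-16/X.25), bit by bit."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def stuff(raw):
    """Escape flag, escape and control bytes so they cannot appear inside a frame."""
    out = bytearray()
    for b in raw:
        if b in (FLAG, ESC) or b < 0x20:
            out += bytes([ESC, b ^ 0x20])
        else:
            out.append(b)
    return bytes(out)


def unstuff(stuffed):
    out, i = bytearray(), 0
    while i < len(stuffed):
        b = stuffed[i]
        i += 1
        if b == ESC:
            if i >= len(stuffed):
                raise ValueError("escape byte at end of frame")
            b = stuffed[i] ^ 0x20
            i += 1
        elif b == FLAG:
            raise ValueError("unescaped flag inside frame")
        out.append(b)
    return bytes(out)


def ppp_encode(protocol, info):
    body = bytes([0xFF, 0x03]) + struct.pack("!H", protocol) + info   # addr, ctrl, protocol, data
    crc = ppp_fcs16(body) ^ 0xFFFF
    body += bytes([crc & 0xFF, crc >> 8])                            # FCS goes low byte first
    return bytes([FLAG]) + stuff(body) + bytes([FLAG])


def ppp_decode(frame):
    """Return (protocol, info) or raise ValueError on a damaged frame."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag bytes")
    body = unstuff(frame[1:-1])
    if len(body) < 6:
        raise ValueError("frame too short")
    if ppp_fcs16(body) != FCS_GOOD:    # running the CRC over data plus FCS leaves a fixed residue
        raise ValueError("bad FCS")
    if body[:2] != b"\xff\x03":
        raise ValueError("unexpected address/control field")
    (protocol,) = struct.unpack("!H", body[2:4])
    return protocol, body[4:-2]


def frame_ok(frame):
    try:
        ppp_decode(frame)
        return True
    except ValueError:
        return False


# Constructed sample datagram containing the bytes that must be escaped (7E, 7D, control chars).
SAMPLE_INFO = bytes([0x45, 0x00, 0x00, 0x1C, 0x7E, 0x7D, 0x03]) + b"payload"
SAMPLE_FRAME = ppp_encode(PROTO_IP, SAMPLE_INFO)

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex())
    print(ppp_decode(SAMPLE_FRAME))
```

The FCS catches line noise, not tampering: anyone who can write to the serial link can recompute it, which is why the authentication on the next slides sits above the framing rather than inside it.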

Page 18

Additional PPP functionality

• In addition to encapsulation, PPP supports:
  – multiple network layer protocols (protocol multiplexing)
  – Link configuration
  – Link quality testing
  – Error detection
  – Option negotiation
  – Address notification
  – Authentication
• The above functions are supported by helper protocols:
  – LCP
  – PAP, CHAP
  – NCP

Page 19

PPP Support protocols

• Link management: The link control protocol (LCP) is responsible for establishing, configuring, and negotiating a data-link connection. LCP also monitors the link quality and is used to terminate the link.

• Authentication: Authentication is optional. PPP supports two authentication protocols: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). PAP sends the password over the link in the clear; CHAP answers a challenge from the peer with an MD5 hash over the identifier, the shared secret and the challenge, so the secret itself never crosses the link.

• Network protocol configuration: PPP has network control protocols (NCPs) for numerous network layer protocols. The IP control protocol (IPCP) negotiates IP address assignments and other parameters when IP is used as network layer.

Page 20

Address Resolution Protocol (ARP)

Page 21

Overview

[Figure: protocol overview: TCP and UDP at the transport layer; IP, ICMP and IGMP at the network layer; ARP and RARP sitting between IP and the network access (link) layer, above the media]

Page 22

ARP and RARP

• Note:
  – The Internet is based on IP addresses
  – Data link protocols (Ethernet, FDDI, ATM) may have different (MAC) addresses
• The ARP and RARP protocols perform the translation between IP addresses and MAC layer addresses
• We will discuss ARP for broadcast LANs, particularly Ethernet LANs

[Figure: ARP maps a 32-bit IP address to a 48-bit Ethernet MAC address; RARP maps in the other direction]

Page 23

Processing of IP packets by network device drivers

[Figure: flowchart of the path an IP datagram takes through the device drivers. On output, IP asks whether the destination is a local IP address (if yes, the loopback driver puts the datagram on the IP input queue) and whether it is a multicast or broadcast address (if yes, a copy is also put on the IP input queue); otherwise the Ethernet driver gets the destination MAC address with ARP and transmits an Ethernet frame. On input, the Ethernet driver demultiplexes on the frame type, handing ARP packets to ARP and IP datagrams to the IP input queue.]

Page 24

Address Translation with ARP

ARP Request: Argon broadcasts an ARP request to all stations on the network: "What is the hardware address of 128.143.137.1?"

[Figure: Argon (128.143.137.144, 00:a0:24:71:e4:44) and Router137 (128.143.137.1, 00:e0:f9:23:a8:20) on one LAN; Argon broadcasts "ARP Request: What is the MAC address of 128.143.137.1?"]

Page 25

Address Translation with ARP

ARP Reply: Router137 responds with an ARP Reply which contains the hardware address

[Figure: the same two stations; Router137 answers Argon with "ARP Reply: The MAC address of 128.143.137.1 is 00:e0:f9:23:a8:20"]

Page 26

ARP Packet Format

Ethernet II frame carrying ARP (field: size in bytes):

  destination address (6) | source address (6) | type = 0x0806 (2) | ARP request or ARP reply (28) | padding (18) | CRC (4)

ARP request/reply fields:

  Hardware type (2 bytes)
  Protocol type (2 bytes)
  Hardware address length (1 byte)
  Protocol address length (1 byte)
  Operation code (2 bytes)
  Source hardware address*
  Source protocol address*
  Target hardware address*
  Target protocol address*

* Note: The length of the address fields is determined by the corresponding address length fields

Page 27

Example

• ARP Request from Argon:
  Source hardware address: 00:a0:24:71:e4:44
  Source protocol address: 128.143.137.144
  Target hardware address: 00:00:00:00:00:00
  Target protocol address: 128.143.137.1

• ARP Reply from Router137:
  Source hardware address: 00:e0:f9:23:a8:20
  Source protocol address: 128.143.137.1
  Target hardware address: 00:a0:24:71:e4:44
  Target protocol address: 128.143.137.144

Page 28

ARP Cache

• Since sending an ARP request/reply for each IP datagram is inefficient, hosts maintain a cache (ARP Cache) of current entries. The entries expire after a time interval.

• Contents of the ARP Cache (as listed by arp -a on Linux):
  (128.143.71.37) at 00:10:4B:C5:D1:15 [ether] on eth0
  (128.143.71.36) at 00:B0:D0:E1:17:D5 [ether] on eth0
  (128.143.71.35) at 00:B0:D0:DE:70:E6 [ether] on eth0
  (128.143.136.90) at 00:05:3C:06:27:35 [ether] on eth1
  (128.143.71.34) at 00:B0:D0:E1:17:DB [ether] on eth0
  (128.143.71.33) at 00:B0:D0:E1:17:DF [ether] on eth0

Page 29

Proxy ARP

• Proxy ARP: Host or router responds to ARP Request that arrives from one of its connected networks for a host that is on another of its connected networks.

[Figure: Router137 connects the 128.143.0.0/16 subnet (interface 128.143.137.1/16, MAC 00:e0:f9:23:a8:20) with the 128.143.71.0/24 subnet (interface 128.143.71.1/24). Argon (128.143.137.144/16) on the /16 side broadcasts "ARP Request: What is the MAC address of 128.143.71.21?" for Neon (128.143.71.21/24, MAC 00:20:af:03:98:28) on the /24 side. Router137 answers "ARP Reply: The MAC address of 128.143.71.21 is 00:e0:f9:23:a8:20", giving its own MAC address.]
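Added example, not from the lecture: the reply decision a router makes for an ARP request when proxy ARP is enabled, worked for the slide's Router137. The two interface addresses are the slide's; the interface names and the MAC of the second interface are assumed. The decision is a route lookup: if the longest matching prefix for the target belongs to a different interface than the one the request came in on, the router answers with the MAC of the receiving interface.

```python
# Added example, not from the lecture: proxy ARP reply decision for the slide's
# Router137. Interface names and the eth1 MAC address are assumptions.
import ipaddress

ROUTER137 = {
    "eth0": ("128.143.137.1/16", "00:e0:f9:23:a8:20"),   # link shared with Argon (128.143.0.0/16)
    "eth1": ("128.143.71.1/24", "00:e0:f9:23:a8:21"),    # link shared with Neon (128.143.71.0/24); MAC assumed
}


def arp_reply_mac(interfaces, in_iface, target_ip, proxy_arp=True):
    """MAC to place in the ARP reply for a request that arrived on in_iface
    asking for target_ip, or None if the router should stay silent."""
    target = ipaddress.IPv4Address(target_ip)
    in_cidr, in_mac = interfaces[in_iface]
    if target == ipaddress.ip_interface(in_cidr).ip:
        return in_mac                      # ordinary ARP: the router's own address on that link
    if not proxy_arp:
        return None
    # Route lookup: longest matching prefix among the directly connected networks.
    best = None
    for name, (cidr, _mac) in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if target in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    if best is None or best[0] == in_iface:
        return None   # unreachable, or on the requester's own link: let the host answer itself
    return in_mac     # reachable through another interface: answer with this interface's MAC


if __name__ == "__main__":
    # Argon's request from the slide: 128.143.71.21 matches both /16 (eth0) and /24 (eth1);
    # the /24 wins, it is behind eth1, so the router answers on eth0 with the eth0 MAC.
    print(arp_reply_mac(ROUTER137, "eth0", "128.143.71.21"))
    print(arp_reply_mac(ROUTER137, "eth1", "128.143.71.21"))   # Neon is on eth1 itself: None
```

From Argon's point of view the proxy reply is indistinguishable from the poisoning described on page 31: an IP address answered by a MAC that is not the host's own. Proxy ARP is therefore one legitimate cause of an IP-to-MAC change that a monitor will flag, and it should stay disabled on interfaces that do not need it.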

Page 30

Things to know about ARP

• What happens if an ARP Request is made for a non-existing host? Several ARP requests are made with increasing time intervals between requests. Eventually, ARP gives up.

• On some systems (including Linux) a host periodically sends ARP Requests for all addresses listed in the ARP cache. This refreshes the ARP cache content, but also introduces traffic.

• Gratuitous ARP Requests: A host sends an ARP request for its own IP address:
  – Useful for detecting if an IP address has already been assigned.

Page 31

Vulnerabilities of ARP

1. Since ARP does not authenticate requests or replies, ARP Requests and Replies can be forged

2. ARP is stateless: ARP Replies can be sent without a corresponding ARP Request

3. According to the ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields, if the receiving node already has an entry for the IP address of the source in its ARP cache. (This applies for ARP Request packets and for ARP Reply packets)

Typical exploitation of these vulnerabilities:
• A forged ARP Request or Reply can be used to update the ARP cache of a remote system with a forged entry (ARP Poisoning)
• This can be used to redirect IP traffic to other hosts: poisoning both a host's entry for its gateway and the gateway's entry for the host puts the attacker in the middle of their conversation, even on a switched LAN where the attacker could otherwise not see it
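Added example, not lecture code, serving both the ARP packet format and example slides (pages 26 and 27) and the vulnerabilities above: ARP packets laid out with the fields of the packet format slide, a host that processes them with exactly the RFC 826 merge rule quoted in item 3, and the poisoning that rule permits, followed by the simplest detection, remembering the last MAC seen for each IP and reporting changes. Argon and Router137 carry the slides' addresses; the attacker MAC 00:11:22:33:44:55 is constructed.

```python
# Added example, not from the lecture: ARP packets as on the "ARP Packet Format"
# slide, a cache that follows the RFC 826 merge rule quoted under "Vulnerabilities
# of ARP", and a monitor that flags the resulting poisoning. Argon and Router137
# are the slides' addresses; the attacker MAC 00:11:22:33:44:55 is constructed.
import struct
import ipaddress

ARP_FMT = "!HHBBH6s4s6s4s"          # 28 bytes for Ethernet (hlen 6) over IPv4 (plen 4)
HTYPE_ETHER, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, HTYPE_ETHER, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


def parse_arp(pkt):
    # An Ethernet frame pads the packet to 46 bytes; only the first 28 are ARP.
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHER, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unsupported opcode {op}")
    return {"op": op, "sha": mac_text(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_text(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpHost:
    """One host's ARP cache, processing packets the way RFC 826 prescribes."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache, self.alerts = ip, mac, {}, []

    def receive(self, pkt):
        a = parse_arp(pkt)
        merged = False
        if a["spa"] in self.cache:          # merge step: refresh an existing entry from the
            old = self.cache[a["spa"]]      # source fields, request or reply, solicited or
            if old != a["sha"]:             # not; this is the poisoning vector of item 3
                self.alerts.append(f"{a['spa']} moved from {old} to {a['sha']}")
            self.cache[a["spa"]] = a["sha"]
            merged = True
        if a["tpa"] != self.ip:
            return None                     # not addressed to me
        if not merged:
            self.cache[a["spa"]] = a["sha"]   # learn the sender, it will talk to us next
        if a["op"] == OP_REQUEST:
            return build_arp(OP_REPLY, self.mac, self.ip, a["sha"], a["spa"])
        return None


def scenario():
    """Pages 24-27 as an exchange, then an unsolicited forged reply (item 2)."""
    argon = ArpHost("128.143.137.144", "00:a0:24:71:e4:44")
    router = ArpHost("128.143.137.1", "00:e0:f9:23:a8:20")
    request = build_arp(OP_REQUEST, argon.mac, argon.ip, ZERO_MAC, router.ip)  # broadcast
    reply = router.receive(request)          # router learns Argon and answers
    argon.receive(reply)                     # Argon learns the router
    forged = build_arp(OP_REPLY, "00:11:22:33:44:55", router.ip, argon.mac, argon.ip)
    argon.receive(forged)                    # no request was made, yet the entry changes
    return argon, router, request, reply


if __name__ == "__main__":
    argon, router, _, _ = scenario()
    print("Argon's cache:", argon.cache)
    print("alerts:", argon.alerts)
```

Real stacks deviate from the specification in ways the lab may show (page 35): Linux, for example, updates an existing entry from an unsolicited reply but by default (arp_accept = 0) does not create a new one from it. The alert list is the idea behind passive monitors such as arpwatch, and proxy ARP (page 29) is one legitimate reason such a monitor will fire.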

Page 32

Notes on Lab 2

Page 33

What is a single-segment network?

• A single-segment network consists of interfaces connected by a single physical link, either a point-to-point link or a broadcast link.

• Interfaces on the same single-segment network have the same network prefix.

[Figure: three subnets, 128.195.1.0/24, 128.195.2.0/24 and 128.195.3.0/24, joined by routers. Hosts 128.195.1.100, 128.195.1.200 and 128.195.1.300 (as printed on the slide; 300 is not a valid octet) share the first with router interface 128.195.1.1; 128.195.2.100 and 128.195.2.200 share the second with 128.195.2.1; 128.195.3.100 and 128.195.3.200 share the third with 128.195.3.1.]

Page 34

How to identify a single segment IP network

• Detach interfaces from routers or hosts
• Each isolated island is a single segment IP network
• Each interface on the same single segment IP network must have the same network address prefix

[Figure: the same topology with the router interfaces 128.195.1.1, 128.195.2.1 and 128.195.3.1 detached, leaving three islands of interfaces: the 128.195.1.x interfaces, the 128.195.2.x interfaces and the 128.195.3.x interfaces]
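Added example, not from the lecture: a check of a lab topology against the rule on the two slides above, that every interface on one segment carries the same network prefix, plus its converse, that one prefix does not appear on two different segments. The topology is constructed after the slide's three /24 subnets; host and interface names are assumed, and two faults are planted deliberately, a host addressed for the wrong subnet and an address with an octet value of 300, to show what the check reports.

```python
# Added example, not from the lecture: consistency check of lab-2 segments.
# Topology constructed after the slides; host names assumed; two faults planted.
import ipaddress
from collections import defaultdict

# One entry per physical link (cable, or hub/switch) with the interfaces on it:
# (host, interface name, address/prefix length).
LAB = {
    "seg1": [("PC1", "eth0", "128.195.1.100/24"), ("PC2", "eth0", "128.195.1.200/24"),
             ("Router1", "eth0", "128.195.1.1/24")],
    "seg2": [("Router1", "eth1", "128.195.2.1/24"), ("PC3", "eth0", "128.195.2.100/24"),
             ("PC4", "eth0", "128.195.3.200/24")],        # fault: addressed for subnet 3
    "seg3": [("Router2", "eth1", "128.195.3.1/24"), ("PC5", "eth0", "128.195.3.100/24"),
             ("PC6", "eth0", "128.195.1.300/24")],        # fault: 300 is not a valid octet
}


def check_segments(lab):
    """Return {segment: [problems]}; an empty list means the segment is consistent."""
    report = {}
    for seg, ifaces in lab.items():
        by_net = defaultdict(list)
        problems = []
        for host, ifname, cidr in ifaces:
            try:
                addr = ipaddress.ip_interface(cidr)
            except ValueError:
                problems.append(f"{host}:{ifname} has invalid address {cidr}")
                continue
            by_net[addr.network].append(f"{host}:{ifname}")
        if len(by_net) > 1:
            groups = "; ".join(f"{net} ({', '.join(members)})"
                               for net, members in sorted(by_net.items()))
            problems.append(f"mixed prefixes on one link: {groups}")
        report[seg] = problems
    return report


def prefixes_spanning_links(lab):
    """Converse check: a prefix seen on two different links is a fault too, since
    hosts would believe they share a link they do not. Returns {prefix: [links]}."""
    seen = defaultdict(set)
    for seg, ifaces in lab.items():
        for _host, _ifname, cidr in ifaces:
            try:
                seen[str(ipaddress.ip_interface(cidr).network)].add(seg)
            except ValueError:
                continue
    return {net: sorted(segs) for net, segs in seen.items() if len(segs) > 1}


if __name__ == "__main__":
    for seg, problems in check_segments(LAB).items():
        print(seg, "OK" if not problems else problems)
    print(prefixes_spanning_links(LAB))
```

Both checks use the prefix length that is actually configured on each interface, because that is what each host uses to decide whether a destination is on-link (and therefore whether to ARP for it) or must go through the router.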

Page 35

Protocol specification vs implementation

• According to the ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields, if the receiving node already has an entry for the IP address of the source in its ARP cache. (This applies for ARP Request packets and for ARP Reply packets)

• Implementation may differ from the specification

• What you observe in the lab may not be universally true.