Announcement Take-home final Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am Final should be returned by Thursday 3/17, 11:59am Closed Book One 8.5” by 11” sheet of paper permitted (single side) Cover network layer, data link layer and network security


Dec 19, 2015

Transcript

Announcement
- Take-home final
- Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am
- Final should be returned by Thursday, 3/17, 11:59am
- Closed book; one 8.5" by 11" sheet of paper permitted (single side)
- Covers network layer, data link layer and network security

Last class: CDMA and IEEE 802.11 wireless LANs; network security
Today: network security (cont.); review for final

What is network security?
- Confidentiality: only sender and intended receiver should "understand" message contents; sender encrypts message, receiver decrypts message
- Authentication: sender and receiver want to confirm the identity of each other
- Message integrity: sender and receiver want to ensure message content is not altered (in transit, or afterwards) without detection
- Access and availability: services must be accessible and available to users

The language of cryptography
- symmetric key crypto: sender and receiver keys identical ($K_A = K_B$)
- public-key crypto: encryption key public, decryption key secret (private)

Figure: plaintext -> encryption algorithm (Alice's encryption key $K_A$) -> ciphertext -> decryption algorithm (Bob's decryption key $K_B$) -> plaintext

Public key cryptography
- symmetric key crypto requires sender and receiver to know the shared secret key. Q: how to agree on the key in the first place (particularly if they never "met")?
- public key cryptography: radically different approach [Diffie-Hellman76, RSA78]
  - sender and receiver do not share a secret key
  - public encryption key known to all
  - private decryption key known only to receiver

Public key cryptography

Figure: plaintext message $m$ -> encryption algorithm with Bob's public key $K_B^+$ -> ciphertext $K_B^+(m)$ -> decryption algorithm with Bob's private key $K_B^-$ -> plaintext message $m = K_B^-(K_B^+(m))$

Public key encryption algorithms

Requirements: need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that
1. $K_B^-(K_B^+(m)) = m$
2. given the public key $K_B^+$, it should be impossible to compute the private key $K_B^-$
Also: given $K_B^+(m)$ and $K_B^+(\cdot)$, it should be impossible to determine $m$

RSA: choosing keys
1. Choose two large prime numbers $p, q$ (e.g., 1024 bits each)
2. Compute $n = pq$, $z = (p-1)(q-1)$
3. Choose $e$ (with $e < n$) that has no common factors with $z$ ($e, z$ are "relatively prime")
4. Choose $d$ such that $ed - 1$ is exactly divisible by $z$ (in other words: $ed \bmod z = 1$)
5. Public key is $K_B^+ = (n, e)$. Private key is $K_B^- = (n, d)$.

K B+ K B

-

RSA: encryption, decryption
0. Given $(n, e)$ and $(n, d)$ as computed above
1. To encrypt bit pattern $m$ (with $m < n$), compute $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by $n$)
2. To decrypt received bit pattern $c$, compute $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by $n$)

"Magic happens": $m = (m^e \bmod n)^d \bmod n$

RSA example
Bob chooses $p = 5$, $q = 7$. Then $n = 35$, $z = 24$; $e = 5$ (so $e, z$ relatively prime); $d = 29$ (so $ed - 1 = 144$ is exactly divisible by $z$).

encrypt:
letter | $m$ | $m^e$ | $c = m^e \bmod n$
l | 12 | 248832 | 17

decrypt:
$c$ | $c^d$ | $m = c^d \bmod n$ | letter
17 | 481968572106750915091411825223071697 | 12 | l

RSA: why is that $m = (m^e \bmod n)^d \bmod n$?

Useful number theory result: if $p, q$ prime and $n = pq$, then $x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$. (Strictly, this result needs $\gcd(x, n) = 1$; the RSA identity below nevertheless holds for every $m < n$, which is seen by checking it modulo $p$ and modulo $q$ separately.)

$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{ed \bmod (p-1)(q-1)} \bmod n$ (using the number theory result above)
$= m^1 \bmod n$ (since we chose $ed$ to be divisible by $(p-1)(q-1)$ with remainder 1)
$= m$

RSA: another important property
The following property will be very useful later:

$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$

Use the public key first, followed by the private key, or use the private key first, followed by the public key: the result is the same.
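The key-generation recipe, the encrypt/decrypt formulas and the $p = 5$, $q = 7$ example above, carried out in code. This is an added example, not code from the slides: textbook RSA with toy primes and no padding, for illustration only. Note that the modular inverse of $e = 5$ modulo $z = 24$ is $d = 5$; the slide's $d = 29$ is the same residue class ($29 \bmod 24 = 5$), so both decrypt correctly. The a=1..z=26 letter encoding follows the slide's "l = 12".

```python
from math import gcd

# Added example (not from the slides): textbook RSA exactly as the recipe
# above describes it.  Toy primes, no padding: never use this for real data.


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-5 of 'RSA: choosing keys'.  Returns ((n, e), (n, d))."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to z = (p-1)(q-1)")
    d = pow(e, -1, z)  # e*d mod z == 1; any d in the same residue class works
    return (n, e), (n, d)


def rsa_apply(key, x: int) -> int:
    """c = m^e mod n with the public key, m = c^d mod n with the private key."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("block must satisfy 0 <= x < n")
    return pow(x, exponent, n)


def letter_to_int(ch: str) -> int:
    return ord(ch) - ord("a") + 1          # a=1, ..., l=12, ..., z=26


def int_to_letter(m: int) -> str:
    return chr(m - 1 + ord("a"))


def encrypt_word(word: str, public) -> list:
    return [rsa_apply(public, letter_to_int(ch)) for ch in word]


def decrypt_word(blocks: list, private) -> str:
    return "".join(int_to_letter(rsa_apply(private, c)) for c in blocks)


def commutes(m: int, public, private) -> bool:
    """The 'other important property': K+(K-(m)) == K-(K+(m)) == m."""
    return (rsa_apply(public, rsa_apply(private, m)) == m
            and rsa_apply(private, rsa_apply(public, m)) == m)


if __name__ == "__main__":
    public, private = rsa_keygen(5, 7, 5)
    slide_private = (35, 29)           # the slide's d; 29 = 5 (mod 24)
    c = rsa_apply(public, 12)          # letter 'l' -> 17
    print(public, private, c, rsa_apply(slide_private, c))
    print(encrypt_word("hello", public))
    print(decrypt_word(encrypt_word("hello", public), slide_private))
```

Encrypting "hello" letter by letter shows why raw RSA is never used this way: the two l's produce the same ciphertext block 17, so the scheme is deterministic and leaks repeated plaintext, and with $n = 35$ an attacker can simply tabulate all 26 letters. Real deployments add randomized padding and use primes of the size the slide mentions.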

Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Authentication
Goal: Bob wants Alice to "prove" her identity to him.
Protocol ap1.0: Alice says "I am Alice".
Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice").

Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.
Failure scenario: Trudy can create a packet "spoofing" Alice's address ("I am Alice", Alice's IP address).

Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
  Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password
  Bob -> Alice: OK, Alice's IP addr
Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob:
  Trudy -> Bob: "I'm Alice", Alice's IP addr, Alice's password
  Bob -> Trudy: OK, Alice's IP addr

Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
  Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password
  Bob -> Alice: OK, Alice's IP addr
Failure scenario: record and playback still works. Trudy never needs to decrypt the password; she replays the recorded ciphertext:
  Trudy -> Bob: "I'm Alice", Alice's IP addr, encrypted password
  Bob -> Trudy: OK, Alice's IP addr

Authentication: yet another try
Goal: avoid playback attack.
Nonce: number (R) used only once-in-a-lifetime.
ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with the shared secret key:
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: $K_{A-B}(R)$
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice.
Failures, drawbacks: requires a shared symmetric key.
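The difference between ap3.0 and ap4.0 from Bob's side, as an added example (not code from the slides). The shared key, the password and the "recorded packet" are constructed for the demo. Where the slide writes $K_{A-B}(R)$, the response here is a keyed MAC over the nonce instead of an encryption; it serves the same purpose (only a holder of the shared key can produce it) and is what practical challenge-response protocols use. The point the code makes is that the verifier must issue each nonce once and accept it at most once; the freshness check, not the key, is what defeats playback.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): ap3.0 versus ap4.0 as seen by Bob.
# The shared key, password and "recorded packet" are all constructed.
SHARED_KEY = b"alice-bob-shared-secret"   # assumption: provisioned out of band


def alice_respond(key: bytes, r: bytes) -> bytes:
    """Alice's reply K_A-B(R): a keyed MAC over the nonce (stands in for encryption)."""
    return hmac.new(key, r, hashlib.sha256).digest()


class Bob:
    """Verifier for ap4.0: every nonce is issued once and accepted at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()      # nonces issued and not yet answered

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)   # fresh random R, "once in a lifetime"
        self.outstanding.add(r)
        return r

    def verify(self, r: bytes, response: bytes) -> bool:
        if r not in self.outstanding:
            return False              # replayed, expired or never issued
        self.outstanding.discard(r)   # consume it before checking the MAC
        expected = hmac.new(self.key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_ap30(password: bytes) -> tuple:
    """ap3.0: a static credential, so Trudy's recorded packet verifies every time."""
    stored = hashlib.sha256(password).digest()

    def check(pw: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(pw).digest(), stored)

    recorded = password               # Trudy sniffs Alice's login packet
    return check(recorded), check(recorded)   # (Alice's login, Trudy's playback)


def run_ap40() -> tuple:
    """ap4.0: Trudy records a genuine (R, K_A-B(R)) pair and plays it back later."""
    bob = Bob(SHARED_KEY)
    r = bob.challenge()
    recorded = (r, alice_respond(SHARED_KEY, r))
    genuine = bob.verify(*recorded)
    playback = bob.verify(*recorded)
    return genuine, playback          # (True, False)


def run_ap40_forged() -> bool:
    """Trudy answers a fresh challenge without the key: a guess never verifies."""
    bob = Bob(SHARED_KEY)
    r = bob.challenge()
    return bob.verify(r, secrets.token_bytes(32))


if __name__ == "__main__":
    print("ap3.0 (alice, replay):", run_ap30(b"hunter2"))
    print("ap4.0 (alice, replay):", run_ap40())
    print("ap4.0 forged response:", run_ap40_forged())
```

A real verifier also expires outstanding nonces after a short window, so that a challenge Trudy intercepts and withholds cannot be answered much later.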

Authentication: ap5.0
ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: $K_A^-(R)$
  Bob -> Alice: "send me your public key"
  Alice -> Bob: $K_A^+$
Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.

ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).
  Alice -> Trudy: "I am Alice"                 Trudy -> Bob: "I am Alice"
  Trudy -> Alice: R                            Bob -> Trudy: R
  Alice -> Trudy: $K_A^-(R)$                   Trudy -> Bob: $K_T^-(R)$
  Trudy -> Alice: "send me your public key"    Bob -> Trudy: "send me your public key"
  Alice -> Trudy: $K_A^+$                      Trudy -> Bob: $K_T^+$
Bob checks $K_T^+(K_T^-(R)) = R$ and is satisfied, but the key he holds is Trudy's. Bob then sends $m$ encrypted with what he believes is Alice's public key: $K_T^+(m)$. Trudy gets $m = K_T^-(K_T^+(m))$ and sends $m$ to Alice encrypted with Alice's public key, $K_A^+(m)$; Alice recovers $m = K_A^-(K_A^+(m))$.

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob and Alice can meet one week later and recall the conversation). The problem is that Trudy receives all messages as well. The root cause is that nothing in ap5.0 binds the public key Bob receives to Alice.

Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Firewalls
Firewall: isolates the organization's internal net from the larger Internet, allowing some packets to pass, blocking others.

Figure: administered network -- firewall -- public Internet

Firewalls: why
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
- two types of firewalls: application-level, packet-filtering

Packet filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address, TCP/UDP source and destination port numbers, ICMP message type, TCP SYN and ACK bits
- Should arriving packet be allowed in? Departing packet let out?

Packet filtering
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP) and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP SYN packets (SYN set, ACK clear). Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside: the SYN-ACK replies to their connection requests carry ACK set and are not matched.
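The two filtering examples as a small stateless rule set, added here as an illustration (not code from the slides). The packet representation, the rule functions and the sample packets are all constructed; the addresses come from the documentation ranges. The SYN-ACK case is the one worth checking: a rule that matched on the SYN bit alone would also drop the replies to connections that inside hosts opened.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the slides): a minimal stateless packet filter
# implementing Example 1 and Example 2.  Packets and addresses are constructed.
TCP, UDP = 6, 17


@dataclass
class Packet:
    direction: str          # "in" (arriving from the Internet) or "out"
    src: str
    dst: str
    proto: int              # IP protocol field: 6 = TCP, 17 = UDP
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False
    ack: bool = False


def rule_example1(p: Packet) -> bool:
    """Block all UDP and all telnet (port 23), in either direction."""
    if p.proto == UDP:
        return False
    if 23 in (p.sport, p.dport):
        return False
    return True


def rule_example2(p: Packet) -> bool:
    """Block inbound connection attempts: TCP with SYN=1 and ACK=0.
    SYN-ACK replies to inside-initiated connections have ACK=1 and pass."""
    if p.direction == "in" and p.proto == TCP and p.syn and not p.ack:
        return False
    return True


RULES = [rule_example1, rule_example2]


def allowed(p: Packet) -> bool:
    """A packet is forwarded only if every rule lets it through."""
    return all(rule(p) for rule in RULES)


SAMPLE = {  # constructed packets; 10.0.0.5 is an inside host
    "udp_dns_out": Packet("out", "10.0.0.5", "192.0.2.53", UDP, 5353, 53),
    "telnet_in":   Packet("in", "198.51.100.7", "10.0.0.5", TCP, 40000, 23, syn=True),
    "syn_in":      Packet("in", "198.51.100.7", "10.0.0.5", TCP, 40000, 80, syn=True),
    "synack_in":   Packet("in", "203.0.113.10", "10.0.0.5", TCP, 443, 51000,
                          syn=True, ack=True),
    "syn_out":     Packet("out", "10.0.0.5", "203.0.113.10", TCP, 51000, 443, syn=True),
}


def evaluate_samples() -> dict:
    return {name: allowed(p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:12s} {'pass' if verdict else 'drop'}")
```

Example 1 as written also drops the host's outbound DNS query, which is the "all-or-nothing policy for UDP" listed under the limitations of filters below. A stateless filter also cannot tell a genuine SYN-ACK from one an outsider crafts with the ACK bit set, which is why stateful filters track the connections they have seen leave.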

Application gateways
- filters packets on application data as well as on IP/TCP/UDP fields
- example: allow select internal users to telnet outside
  1. Require all telnet users to telnet through gateway (host-to-gateway telnet session).
  2. For authorized users, gateway sets up telnet connection to dest host (gateway-to-remote host telnet session). Gateway relays data between the 2 connections.
  3. Router filter blocks all telnet connections not originating from gateway.

Figure: host -- application gateway -- router and filter -- remote host

Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple apps need special treatment, each has its own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all-or-nothing policy for UDP
- tradeoff: degree of communication with outside world vs. level of security
- many highly protected sites still suffer from attacks

Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Internet security threats: mapping
- before attacking: "case the joint", find out what services are implemented on the network
- use ping to determine what hosts have addresses on the network
- port-scanning: try to establish a TCP connection to each port in sequence
Countermeasures:
- record traffic entering the network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
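The countermeasure above, run over a constructed connection log, as an added example (not code from the slides). The log format, the thresholds and the addresses are assumptions; the two tells it looks for are the ones the slide names: one source touching many ports on one host, and port numbers probed in sequence. A separate check counts distinct hosts per source to catch a ping-style sweep.

```python
from collections import defaultdict

# Added example (not from the slides): spot sequential port scans and host
# sweeps in a constructed log of inbound connection attempts.
LOG = """\
10:00:01 198.51.100.7 -> 10.0.0.5:21 SYN
10:00:01 198.51.100.7 -> 10.0.0.5:22 SYN
10:00:01 198.51.100.7 -> 10.0.0.5:23 SYN
10:00:02 198.51.100.7 -> 10.0.0.5:24 SYN
10:00:02 198.51.100.7 -> 10.0.0.5:25 SYN
10:00:02 198.51.100.7 -> 10.0.0.5:26 SYN
10:00:05 203.0.113.9 -> 10.0.0.5:443 SYN
10:00:06 203.0.113.9 -> 10.0.0.5:443 SYN
10:00:07 198.51.100.7 -> 10.0.0.6:22 SYN
"""


def parse(log: str):
    """Yield (timestamp, src, dst_host, dst_port) from the constructed format."""
    for line in log.splitlines():
        ts, src, _, dst, _ = line.split()
        host, port = dst.rsplit(":", 1)
        yield ts, src, host, int(port)


def longest_run(ports: set) -> int:
    """Length of the longest run of consecutive port numbers in the set."""
    best = cur = 0
    prev = None
    for p in sorted(ports):
        cur = cur + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, cur)
        prev = p
    return best


def find_scanners(log: str, min_ports: int = 5, run_length: int = 4) -> dict:
    """Flag (src, host) pairs with >= min_ports distinct ports, or a run of
    >= run_length consecutive ports (the 'scanned sequentially' tell)."""
    ports = defaultdict(set)
    for _, src, host, port in parse(log):
        ports[(src, host)].add(port)
    hits = {}
    for key, seen in ports.items():
        run = longest_run(seen)
        if len(seen) >= min_ports or run >= run_length:
            hits[key] = {"distinct": len(seen), "longest_run": run}
    return hits


def find_sweepers(log: str, min_hosts: int = 2) -> dict:
    """Flag sources that probed at least min_hosts distinct internal hosts."""
    hosts = defaultdict(set)
    for _, src, host, _ in parse(log):
        hosts[src].add(host)
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    print(find_scanners(LOG))
    print(find_sweepers(LOG))
```

Thresholds like these are tuned per network; a scanner that randomizes port order and spreads probes over hours defeats the sequential-run check, which is why the distinct-port count over a longer window is kept as the second signal.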

Internet security threats: packet sniffing
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g., C sniffs B's packets (frame on the shared medium: src:B dest:A payload; A, B, C all attached)
Countermeasures:
- all hosts in organization run software that checks periodically if host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)

Internet security threats: IP spoofing
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g., C pretends to be B (sends src:B dest:A payload)
Countermeasures: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks

Internet security threats: denial of service (DoS)
- flood of maliciously generated packets "swamp" receiver
- Distributed DoS (DDoS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A (flood of SYN segments towards A)
Countermeasures:
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)

Review (1): Network layer
- Virtual circuits and datagram networks
- Routing principles
  - Link state algorithm
  - Distance vector algorithm
- The Internet (IP) protocol
  - IPv4 addressing
  - Datagram format
  - IP fragmentation
  - ICMP: Internet Control Message Protocol
  - IPv6
  - NAT: Network Address Translation

Review (2): Routing in the Internet
- Hierarchical routing
- RIP
- OSPF
- BGP
Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  - TDMA, FDMA
  - Random access protocols
  - "Taking turns" protocols
- Link-layer addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks
  - CDMA
  - IEEE 802.11 wireless LANs

Review (3): Network security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's algorithm
  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = infinity

  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'

Dijkstra's algorithm: example
Link costs: c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2

Step | N'     | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | inf       | inf
1    | ux     | 2,u       | 4,x       |           | 2,x       | inf
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
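The link-state computation above run on the slide's topology, as an added example (not code from the slides). GRAPH transcribes the figure's link costs; the trace records N' and D after each step, and next_hops turns the predecessors p(v) into the forwarding table at u, which is what the router actually installs. Ties are broken alphabetically, so the program adds v before y where the slide's table adds y first; the final costs and predecessors agree.

```python
from math import inf

# Added example (not from the slides): Dijkstra from u on the example graph,
# with the N'/D trace and the resulting forwarding table.
GRAPH = {  # undirected link costs transcribed from the figure
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3, ("x", "w"): 3,
    ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def adjacency(edges: dict) -> dict:
    adj = {}
    for (a, b), c in edges.items():   # links are bidirectional with one cost
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(edges: dict, source: str):
    adj = adjacency(edges)
    D = {n: inf for n in adj}       # current least-cost estimates
    p = {n: None for n in adj}      # predecessor on the least-cost path
    D[source] = 0
    N = [source]                    # N': nodes whose least cost is final
    for v, c in adj[source].items():          # initialization
        D[v], p[v] = c, source
    trace = [(list(N), dict(D))]
    while len(N) < len(adj):                  # loop until all nodes in N'
        # w not in N' with minimum D(w); ties broken alphabetically
        w = min((n for n in adj if n not in N), key=lambda n: (D[n], n))
        N.append(w)
        for v, c in adj[w].items():
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        trace.append((list(N), dict(D)))
    return D, p, trace


def next_hops(p: dict, source: str) -> dict:
    """Forwarding table at source: first hop on the least-cost path to each dest."""
    table = {}
    for dest in p:
        if dest == source or p[dest] is None:
            continue
        hop = dest
        while p[hop] != source:     # walk predecessors back to the source
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, trace = dijkstra(GRAPH, "u")
    for step, (N, costs) in enumerate(trace):
        print(step, "".join(N), {k: v for k, v in costs.items() if k not in N})
    print("least costs:", D)
    print("forwarding table at u:", next_hops(p, "u"))
```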

Distance vector algorithm (1)
Basic idea:
- each node periodically sends its own distance vector estimate to neighbors
- when a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
  $D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$
- under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$

Distance vector algorithm (2)
- Iterative, asynchronous: each local iteration caused by: local link cost change, or DV update message from neighbor
- Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
- The algorithm doesn't know the entire path, only the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

Example: nodes x, y, z with c(x,y)=2, c(y,z)=1, c(x,z)=7. Each node's table holds its own distance vector plus the most recent vectors received from its neighbors (rows "from", columns "cost to" x, y, z).

Time 0 (only direct link costs known):
  node x table: from x: (0, 2, 7); from y, z: unknown (inf)
  node y table: from y: (2, 0, 1); from x, z: unknown (inf)
  node z table: from z: (7, 1, 0); from x, y: unknown (inf)

After the first exchange, x's table holds rows x: (0, 2, 3), y: (2, 0, 1), z: (7, 1, 0); z's table holds rows x: (0, 2, 7), y: (2, 0, 1), z: (3, 1, 0). After the second exchange the tables stop changing: x: (0, 2, 3), y: (2, 0, 1), z: (3, 1, 0) everywhere.

$D_x(y) = \min\{c(x,y) + D_y(y),\; c(x,z) + D_z(y)\} = \min\{2+0,\; 7+1\} = 2$
$D_x(z) = \min\{c(x,y) + D_y(z),\; c(x,z) + D_z(z)\} = \min\{2+1,\; 7+0\} = 3$
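The Bellman-Ford update above, iterated in synchronous rounds on the slide's three-node example, as an added example (not code from the slides). Each round every node receives its neighbors' current vectors and recomputes its own; the history records the vectors after each round, so the two exchanges described above can be checked. The synchronous scheduling is a simplification: the real protocol is asynchronous, but it converges to the same vectors here.

```python
from math import inf

# Added example (not from the slides): distance-vector rounds on the example
# topology c(x,y)=2, c(y,z)=1, c(x,z)=7.
COSTS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}


def neighbours(costs: dict) -> dict:
    adj = {}
    for (a, b), c in costs.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def run_dv(costs: dict, max_rounds: int = 10):
    """Return (final vectors, history of vectors after each round)."""
    adj = neighbours(costs)
    nodes = sorted(adj)
    # D[x][y]: x's estimate of least cost to y; starts from direct links only
    D = {x: {y: (0 if x == y else adj[x].get(y, inf)) for y in nodes}
         for x in nodes}
    history = [{x: dict(D[x]) for x in nodes}]
    for _ in range(max_rounds):
        # every node receives the vectors its neighbours currently hold
        received = {x: {v: dict(D[v]) for v in adj[x]} for x in nodes}
        new = {}
        for x in nodes:
            new[x] = {}
            for y in nodes:
                if x == y:
                    new[x][y] = 0
                else:   # Bellman-Ford: min over neighbours v of c(x,v) + D_v(y)
                    new[x][y] = min(adj[x][v] + received[x][v][y] for v in adj[x])
        changed = new != D
        D = new
        history.append({x: dict(D[x]) for x in nodes})
        if not changed:       # no vector changed: nobody would send an update
            break
    return D, history


if __name__ == "__main__":
    final, hist = run_dv(COSTS)
    for r, vectors in enumerate(hist):
        print("round", r, vectors)
```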

The Internet network layer
Host, router network layer functions:
- Routing protocols: path selection; RIP, OSPF, BGP
- IP protocol: addressing conventions, datagram format, packet handling conventions
- ICMP protocol: error reporting, router "signaling"
- forwarding table
(Transport layer: TCP, UDP above; link layer and physical layer below)

IP datagram format (header laid out in 32-bit words)
- ver: IP protocol version number
- head len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)
How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead

IP addressing: introduction
- IP address: 32-bit identifier for host, router interface
- interface: connection between host/router and physical link; routers typically have multiple interfaces; host may have multiple interfaces; IP addresses associated with each interface
Figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3 and router interface 223.1.1.4; router interfaces 223.1.2.9 and 223.1.3.27; hosts 223.1.2.1, 223.1.2.2, 223.1.3.1, 223.1.3.2
223.1.1.1 = 11011111 00000001 00000001 00000001 (223 . 1 . 1 . 1)

Subnets
- IP address: subnet part (high order bits), host part (low order bits)
- What's a subnet? Device interfaces with same subnet part of IP address can physically reach each other without intervening router
Figure: network consisting of 3 subnets (LANs): 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.1, 223.1.2.2, 223.1.2.9; 223.1.3.1, 223.1.3.2, 223.1.3.27

IP addressing: CIDR
- Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)
- CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address
  11001000 00010111 0001000|0 00000000 = 200.23.16.0/23 (subnet part: first 23 bits; host part: remaining 9 bits)
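The prefix arithmetic behind a.b.c.d/x, coded as an added example (not from the slides) that serves two passages: the CIDR notation here, and the ingress-filtering countermeasure under "IP spoofing" above, which is the same prefix test applied to the source address of outgoing datagrams. 200.23.16.0/23 is the slide's prefix; the packet list and the documentation addresses are constructed.

```python
import ipaddress

# Added example (not from the slides): split a.b.c.d/x into subnet and host
# bits by hand, and use the same prefix test as an ingress filter.


def to_int(dotted: str) -> int:
    a, b, c, d = (int(octet) for octet in dotted.split("."))
    if not all(0 <= v <= 255 for v in (a, b, c, d)):
        raise ValueError(f"bad address {dotted}")
    return (a << 24) | (b << 16) | (c << 8) | d


def prefix_mask(x: int) -> int:
    """x leading one-bits: selects the subnet part of the address."""
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF


def split_cidr(cidr: str) -> dict:
    """Binary subnet part and host part of a.b.c.d/x, plus the dotted mask."""
    addr, x = cidr.split("/")
    x = int(x)
    bits = format(to_int(addr), "032b")
    mask = prefix_mask(x)
    return {
        "subnet_bits": bits[:x],
        "host_bits": bits[x:],
        "mask": ".".join(str((mask >> s) & 0xFF) for s in (24, 16, 8, 0)),
        "addresses": 2 ** (32 - x),
    }


def in_prefix(addr: str, cidr: str) -> bool:
    """True if addr shares the first x bits with the prefix."""
    net, x = cidr.split("/")
    mask = prefix_mask(int(x))
    return (to_int(addr) & mask) == (to_int(net) & mask)


def in_prefix_stdlib(addr: str, cidr: str) -> bool:
    """Cross-check with the standard library (strict=False tolerates host bits)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def ingress_filter(outgoing: list, own_prefix: str) -> tuple:
    """Forward only datagrams whose source lies inside the router's own network."""
    forwarded = [p for p in outgoing if in_prefix(p["src"], own_prefix)]
    dropped = [p for p in outgoing if not in_prefix(p["src"], own_prefix)]
    return forwarded, dropped


OUTGOING = [  # constructed; the last one carries a spoofed source address
    {"src": "200.23.16.5", "dst": "198.51.100.1"},
    {"src": "200.23.17.200", "dst": "198.51.100.1"},
    {"src": "10.0.0.9", "dst": "198.51.100.1"},
]


if __name__ == "__main__":
    print(split_cidr("200.23.16.0/23"))
    print(ingress_filter(OUTGOING, "200.23.16.0/23"))
```

The filter only catches sources outside the router's own prefix; a host inside 200.23.16.0/23 spoofing a neighbour's address passes, which is why ingress filtering limits but does not eliminate spoofing.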

NAT: Network Address Translation
Figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router 10.0.0.4; the router's WAN side address is 138.76.29.7, facing the rest of the Internet.
- Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)
- All datagrams leaving local network have same single source NAT IP address 138.76.29.7, with different source port numbers

NAT: Network Address Translation
1. host 10.0.0.1 sends datagram to 128.119.40.186, 80: S: 10.0.0.1, 3345; D: 128.119.40.186, 80
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table: S: 138.76.29.7, 5001; D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001: S: 128.119.40.186, 80; D: 138.76.29.7, 5001
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345: S: 128.119.40.186, 80; D: 10.0.0.1, 3345

NAT translation table:
WAN side addr       | LAN side addr
138.76.29.7, 5001   | 10.0.0.1, 3345
...                 | ...
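The four-step walk-through above as a small NAT router, added here as an example (not code from the slides). Addresses and ports are the slide's; the port allocator (sequential from 5001) and the handling of an inbound datagram that matches no table entry are assumptions about a typical implementation.

```python
import itertools
from dataclasses import dataclass

# Added example (not from the slides): the NAT translation table in code.


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.ports = itertools.count(first_port)   # assumption: sequential ports
        self.table = {}      # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}    # (lan_ip, lan_port) -> wan_port

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite source, creating a table entry for a new flow."""
        key = (d.src_ip, d.src_port)
        if key not in self.reverse:
            wan_port = next(self.ports)
            self.reverse[key] = wan_port
            self.table[(self.wan_ip, wan_port)] = key
        return Datagram(self.wan_ip, self.reverse[key], d.dst_ip, d.dst_port)

    def inbound(self, d: Datagram):
        """Step 4: rewrite destination from the table; no entry means drop."""
        entry = self.table.get((d.dst_ip, d.dst_port))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return Datagram(d.src_ip, d.src_port, lan_ip, lan_port)


def walkthrough() -> tuple:
    """Steps 1-4 from the slide plus one unsolicited inbound datagram."""
    nat = NatRouter("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    step3 = Datagram("128.119.40.186", 80, "138.76.29.7", step2.src_port)
    step4 = nat.inbound(step3)
    # a second inside host happening to use the same local port gets its own entry
    other = nat.outbound(Datagram("10.0.0.2", 3345, "128.119.40.186", 80))
    unsolicited = nat.inbound(Datagram("198.51.100.9", 4444, "138.76.29.7", 6000))
    return step2, step4, other, unsolicited


if __name__ == "__main__":
    for d in walkthrough():
        print(d)
```

The last case shows the side effect people often rely on: with no table entry an unsolicited inbound datagram has nowhere to go and is dropped. That is a consequence of the translation, not a security policy, and it says nothing about traffic that inside hosts initiate.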

Hierarchical routing
Our routing study thus far: idealization: all routers identical, network "flat"... not true in practice.
- scale: with 200 million destinations, can't store all dests in routing tables; routing table exchange would swamp links
- administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network

Hierarchical routing
- aggregate routers into regions, "autonomous systems" (AS)
- routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
- Gateway router: direct link to router in another AS
Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c), with gateway routers linking AS1 to AS2 and AS1 to AS3. Each router runs an intra-AS routing algorithm and an inter-AS routing algorithm, both feeding its forwarding table.

Interconnected ASes
- forwarding table is configured by both intra- and inter-AS routing algorithms
- intra-AS sets entries for internal dests
- inter-AS & intra-AS set entries for external dests

Routing in the Internet
- Intra-AS routing: RIP and OSPF
- Inter-AS routing: BGP

RIP (Routing Information Protocol)
- distance vector algorithm
- included in BSD-UNIX distribution in 1982
- distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from src router to dst subnet
Example: routers A, B, C, D; subnets u, v, w, x, y, z. From src = A:
destination | hops
u | 1
v | 2
w | 2
x | 3
y | 3
z | 2

RIP advertisements
- distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
- each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)
- "open": publicly available
- uses link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm
- link costs configured by the network administrator
- OSPF advertisement carries one entry per neighbor router
- advertisements disseminated to entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF
- Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology
- Area border routers: "summarize" distances to nets in own area, advertise to other area border routers
- Backbone routers: run OSPF routing limited to backbone
- Boundary routers: connect to other ASes

Internet inter-AS routing: BGP
- BGP (Border Gateway Protocol): the de facto standard
- BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASes
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
- Allows a subnet to advertise its existence to the rest of the Internet: "I am here"

BGP basics
- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.
Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions among routers inside an AS.

Path attributes & BGP routes
- When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
- Two important attributes:
  - AS-PATH: contains the ASes through which the advert for the prefix passed: AS 67, AS 17
  - NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
- When gateway router receives route advert, uses import policy to accept/decline

Why different intra- and inter-AS routing?
- Policy: inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed
- Scale: hierarchical routing saves table size, reduced update traffic
- Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance

Data link layer: some terminology
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
- data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link layer services
- Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC protocols: a taxonomy
Three broad classes:
- Channel partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel partitioning MAC protocols: TDMA
- TDMA: time division multiple access: access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have a pkt, slots 2, 5, 6 idle
- TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
- FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted ALOHA: efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
- Suppose N nodes with many frames to send, each transmits in a slot with probability p
- prob that node 1 has success in a slot $= p(1-p)^{N-1}$
- prob that there is a success $= Np(1-p)^{N-1}$
- for max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$
- for many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity: gives $1/e \approx 0.37$
At best: channel used for useful transmissions 37% of time!

CSMA (Carrier Sense Multiple Access)
- CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.
- Human analogy: don't interrupt others!

CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability (spatial layout of nodes)

CSMA/CD (Collision Detection)
- CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
- collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting

"Taking turns" MAC protocols
- Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master)
- Token passing: control token passed from one node to next sequentially (token message). Concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol
- Each IP node (host, router) on LAN has ARP table
- ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
Figure (LAN): IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53

ARP protocol: same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame; R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to step 2

Ethernet's CSMA/CD (more)
- Jam signal: make sure all other transmitters are aware of collision; 48 bits
- Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec
- Exponential backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
  - first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
  - after second collision: choose K from {0, 1, 2, 3}...
  - after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}

CSMA/CD efficiency
- $t_{prop}$ = max prop delay between 2 nodes in LAN
- $t_{trans}$ = time to transmit max-size frame
- $\text{efficiency} = \dfrac{1}{1 + 5\, t_{prop} / t_{trans}}$
- efficiency goes to 1 as $t_{prop}$ goes to 0; goes to 1 as $t_{trans}$ goes to infinity
- much better than ALOHA, but still decentralized, simple, and cheap
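The backoff rule and the efficiency approximation above, in code, as an added example (not from the slides). The 512-bit slot, the 0.1 microsecond bit time and the cap at 2^10 slots are the slide's numbers; the frame size used to evaluate the efficiency formula (1500-byte payload, about 1.2 ms on the wire at 10 Mbps) and the 10 microsecond propagation delay are assumptions chosen to illustrate the formula.

```python
import random

# Added example (not from the slides): Ethernet binary exponential backoff
# and the CSMA/CD efficiency approximation, with 10 Mbps numbers.
BIT_TIME_10MBPS = 0.1e-6    # seconds per bit at 10 Mbps
SLOT_BITS = 512             # one backoff slot is 512 bit times
MAX_EXPONENT = 10           # K drawn from {0, ..., 2^min(m,10) - 1}


def backoff_slots(m: int, rng: random.Random) -> int:
    """After the m-th collision choose K uniformly from {0, ..., 2^min(m,10)-1}."""
    if m < 1:
        raise ValueError("m counts collisions so far and must be >= 1")
    return rng.randrange(2 ** min(m, MAX_EXPONENT))


def backoff_seconds(k: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """The adapter waits K * 512 bit times."""
    return k * SLOT_BITS * bit_time


def max_wait_seconds(m: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """Longest possible wait after the m-th collision (K at its maximum)."""
    return backoff_seconds(2 ** min(m, MAX_EXPONENT) - 1, bit_time)


def sample_backoffs(m: int, count: int, seed: int = 7) -> list:
    """count draws of K after the m-th collision, for inspection/testing."""
    rng = random.Random(seed)
    return [backoff_slots(m, rng) for _ in range(count)]


def efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_prop < 0 or t_trans <= 0:
        raise ValueError("t_prop must be >= 0 and t_trans > 0")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 15):
        print(f"collision {m:2d}: K in [0, {2 ** min(m, MAX_EXPONENT) - 1}], "
              f"max wait {max_wait_seconds(m) * 1e3:.3f} ms")
    t_trans = 1500 * 8 * BIT_TIME_10MBPS     # assumed max frame, ~1.2 ms
    print("efficiency at t_prop=10us:", efficiency(10e-6, t_trans))
```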

Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links, at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality: can disconnect a malfunctioning adapter
Figure: twisted pair links into a hub

Interconnecting with hubs
Pros:
- enables interdepartmental communication
- extends max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it
Cons:
- collision domains are merged into one large common domain
- cannot interconnect 10BaseT and 100BaseT hubs
Figure: backbone hub connecting three department hubs

Switch: link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
- transparent: hosts are unaware of presence of switches
- plug-and-play, self-learning: switches do not need to be configured

Forwarding
- How to determine onto which LAN segment to forward frame? Looks like a routing problem...
Figure: switch with interfaces 1, 2, 3, each connected to a hub

Self learning
- A switch has a switch table; entry in switch table: (MAC address, interface, time stamp); stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table

Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
Figure: switch with three hubs, each hub its own collision domain
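The self-learning, filtering and forwarding behaviour described in the two slides above, run on a constructed sequence of frames, as an added example (not code from the slides). The interface numbers and the frame sequence are made up; the MAC addresses are the ones from the ARP figure and the 60-minute ageing time is the slide's. The four outcomes to look for are flood (destination unknown), selective forward, filter (sender and destination on the same segment) and flood again after an entry ages out.

```python
# Added example (not from the slides): a learning switch's table in code.
BROADCAST = "FF-FF-FF-FF-FF-FF"
AGE_OUT = 60 * 60   # seconds; "TTL can be 60 min"


class LearningSwitch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}     # MAC address -> (interface, time stamp)

    def _expire(self, now: float) -> None:
        """Drop stale entries before consulting the table."""
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > AGE_OUT:
                del self.table[mac]

    def handle(self, src: str, dst: str, in_port: int, now: float) -> set:
        """Return the set of interfaces the frame is sent out of."""
        self._expire(now)
        self.table[src] = (in_port, now)          # learn where the sender lives
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            return {p for p in self.interfaces if p != in_port}   # flood
        out_port, _ = entry
        if out_port == in_port:
            return set()                          # same segment: filter (drop)
        return {out_port}                         # selective forward


def demo() -> list:
    """Constructed frame sequence; A and C sit on the hub behind interface 1,
    B on the hub behind interface 2."""
    sw = LearningSwitch([1, 2, 3])
    A, B, C = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"
    return [
        sw.handle(A, B, 1, now=0),       # B unknown: flood to 2 and 3
        sw.handle(B, A, 2, now=1),       # A learned on 1: forward to 1 only
        sw.handle(A, B, 1, now=2),       # B learned on 2: forward to 2 only
        sw.handle(C, A, 1, now=3),       # C and A share segment 1: filtered
        sw.handle(A, B, 1, now=4000),    # B's entry aged out: flood again
    ]


if __name__ == "__main__":
    for ports in demo():
        print(sorted(ports) or "dropped")
```

The table is built purely from the source address of whatever frame arrives on an interface, so the isolation a switch provides is a performance property rather than a security boundary: any frame to an unknown or aged-out destination is flooded to every other segment, and nothing checks that a source address belongs on the port it appeared on.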

Switches vs. Routers

• both store-and-forward devices
  • routers: network layer devices (examine network layer headers)
  • switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
• means A, C unaware of their interference at B

Signal fading
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B

[figure: A, B, C placed in a line; A's and C's signal strength decaying with distance in space]

IEEE 802.11 Wireless LAN

802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
• widely deployed, using base stations

802.11a
• 5-6 GHz range
• up to 54 Mbps

802.11g
• 2.4-5 GHz range
• up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
• ad hoc mode: hosts only

[figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange

[figure, time running downwards: A and B both send RTS to the AP and the reservations collide (RTS(A), RTS(B)); A resends RTS(A); the AP broadcasts CTS(A), which B also hears and defers; A sends DATA(A); the AP returns ACK(A)]

802.11 frame: addressing

frame layout (field sizes in bytes):
  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

802.11 frame: addressing

[figure: H1 (wireless host) -- AP -- R1 (Internet router)
  802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
  802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]
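A builder and parser for the frame layout and address roles shown above, as an added example (not the lecture's code). It assumes little-endian numeric fields, always carries the 4-address header, and uses zlib's CRC-32 in place of the 802.11 FCS (same polynomial, wire bit ordering not modelled); MAC addresses in the test are constructed.

```python
"""Build and parse 802.11 data frames with the slide's field sizes and address roles.
Added example, not the lecture's code; see assumptions in the comments."""
import struct
import zlib
from typing import Dict, List

# Field sizes from the slide (bytes): frame control 2, duration 2, address 1-3 6 each,
# seq control 2, address 4 6, payload 0-2312, CRC 4.
# Assumption: numeric fields little-endian, address 4 always present.
HEADER = struct.Struct("<HH6s6s6sH6s")
MAX_PAYLOAD = 2312


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split("-"))


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(frame_control: int, duration: int, addrs: List[str],
                seq_control: int, payload: bytes) -> bytes:
    """addrs = [address 1 (receiver), address 2 (transmitter), address 3 (router if), address 4]."""
    if len(addrs) != 4:
        raise ValueError("exactly four addresses are required")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    a1, a2, a3, a4 = (mac_to_bytes(a) for a in addrs)
    body = HEADER.pack(frame_control, duration, a1, a2, a3, seq_control, a4) + payload
    # CRC-32 trailer (zlib's CRC-32 stands in for the 802.11 FCS).
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(raw: bytes) -> Dict[str, object]:
    """Split a frame into its fields; reject it if the CRC does not match."""
    if len(raw) < HEADER.size + 4:
        raise ValueError("frame shorter than header plus CRC")
    body, (crc,) = raw[:-4], struct.unpack("<I", raw[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    fc, dur, a1, a2, a3, seq, a4 = HEADER.unpack(body[:HEADER.size])
    return {
        "frame_control": fc,
        "duration": dur,
        "receiver": bytes_to_mac(a1),      # address 1: host or AP receiving this frame
        "transmitter": bytes_to_mac(a2),   # address 2: host or AP transmitting this frame
        "router_if": bytes_to_mac(a3),     # address 3: router interface the AP is attached to
        "address4": bytes_to_mac(a4),      # used only in ad hoc mode
        "seq_control": seq,
        "payload": body[HEADER.size:],
    }
```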

Network Security

• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication
  • Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing, IP spoofing, DoS attacks


Public Key Cryptography

symmetric key crypto
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never "met")?

public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver

Public key cryptography

[figure: plaintext message m → encryption algorithm (Bob's public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob's private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

Public key encryption algorithms

Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$

Also: given $K_B^+(m)$ and $K_B^+(\cdot)$, it should be impossible to determine m

RSA: Choosing keys

1. Choose two large prime numbers p, q (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime")
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1)
5. Public key is (n,e). Private key is (n,d).
   $K_B^+ = (n, e)$, $K_B^- = (n, d)$

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern m, compute $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by n)
2. To decrypt received bit pattern c, compute $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by n)

Magic happens: $m = (m^e \bmod n)^d \bmod n$

RSA example

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime)
d=29 (so ed-1 exactly divisible by z)

encrypt:
letter   m     $m^e$      $c = m^e \bmod n$
l        12    248832     17

decrypt:
c     $c^d$                                        $m = c^d \bmod n$   letter
17    481968572106750915091411825223071697         12                  l

RSA: Why is that $m = (m^e \bmod n)^d \bmod n$?

Useful number theory result: If p, q prime and n = pq, then
$x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$

$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{ed \bmod (p-1)(q-1)} \bmod n$   (using number theory result above)
$= m^1 \bmod n$   (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
$= m$

RSA: another important property

The following property will be very useful later:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
• left: use public key first, followed by private key
• right: use private key first, followed by public key
Result is the same!

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Authentication

Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"

Failure scenario?
[figure: Alice → Bob: "I am Alice"]

Authentication

Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"

in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice
[figure: Trudy → Bob: "I am Alice"]

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address

Failure scenario?
[figure: Alice → Bob: (Alice's IP address, "I am Alice")]

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address

Trudy can create a packet "spoofing" Alice's address
[figure: Trudy → Bob: (Alice's IP address, "I am Alice")]

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Failure scenario?
[figure: Alice → Bob: (Alice's IP addr, Alice's password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK)]

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

playback attack: Trudy records Alice's packet and later plays it back to Bob
[figure: Alice → Bob: (Alice's IP addr, Alice's password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK); later Trudy → Bob: (Alice's IP addr, Alice's password, "I'm Alice")]

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Failure scenario?
[figure: Alice → Bob: (Alice's IP addr, encrypted password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK)]

Authentication: another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

record and playback still works!
[figure: Alice → Bob: (Alice's IP addr, encrypted password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK); later Trudy → Bob: (Alice's IP addr, encrypted password, "I'm Alice")]

Authentication: yet another try

Goal: avoid playback attack

Nonce: number (R) used only once-in-a-lifetime

ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[figure: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: $K_{A\text{-}B}(R)$]

Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

Failures, drawbacks?
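The ap4.0 exchange above, as an added example (not the lecture's code): Bob issues a fresh nonce per attempt and accepts only a keyed answer to an outstanding nonce, so a recorded message (the ap3.0/ap3.1 playback) no longer verifies. Assumption: HMAC-SHA256 under the shared key stands in for "R encrypted with the shared secret key", since the slide names no cipher; the Bob and Alice classes and the message format are constructed here.

```python
"""ap4.0-style nonce challenge-response with replay rejection.
Added example, not the lecture's code. Assumption: HMAC-SHA256 keyed with the
shared secret plays the role of 'R encrypted with the shared key'."""
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

Message = Dict[str, object]   # constructed wire format: a plain dict


class Bob:
    """Verifier: issues nonces and only accepts an answer to a nonce that is still outstanding."""

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key
        self.outstanding: Set[bytes] = set()   # issued, not yet answered
        self.used: Set[bytes] = set()          # every nonce ever issued: never reused

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)
        while r in self.used:                  # "used only once in a lifetime"
            r = secrets.token_bytes(16)
        self.used.add(r)
        self.outstanding.add(r)
        return r

    def verify(self, msg: Message) -> bool:
        r = msg["nonce"]
        if r not in self.outstanding:
            return False                       # replayed, forged or stale nonce
        self.outstanding.discard(r)            # one answer per challenge, then it is dead
        expected = hmac.new(self.key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg["proof"])


class Alice:
    """Prover: answers the challenge with the keyed transform of R."""

    def __init__(self, shared_key: bytes) -> None:
        self.key = shared_key

    def respond(self, r: bytes) -> Message:
        proof = hmac.new(self.key, r, hashlib.sha256).digest()
        return {"claim": "I am Alice", "nonce": r, "proof": proof}


def run_protocol(alice: Alice, bob: Bob) -> Tuple[bool, Message]:
    """One honest run: 'I am Alice' -> R -> K_A-B(R). Returns Bob's verdict and the message sent."""
    r = bob.challenge()
    msg = alice.respond(r)
    return bob.verify(msg), msg


def replay(bob: Bob, recorded: Message) -> bool:
    """A recorded message played back later: under ap4.0 Bob's verdict is False."""
    return bob.verify(recorded)
```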

Authentication: ap5.0

ap4.0 requires shared symmetric key
• can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography

[figure: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: $K_A^-(R)$; Bob → Alice: "send me your public key"; Alice → Bob: $K_A^+$]

Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

[figure:
  Trudy → Bob: "I am Alice"          Trudy → Alice: "I am Alice"
  Bob → Trudy: R                     Trudy → Alice: R
  Trudy → Bob: $K_T^-(R)$            Alice → Trudy: $K_A^-(R)$
  Bob → Trudy: "Send me your public key"     Trudy → Alice: "Send me your public key"
  Trudy → Bob: $K_T^+$               Alice → Trudy: $K_A^+$
  Bob → Trudy: $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$, sends m to Alice encrypted with Alice's public key: $K_A^+(m)$; Alice gets $m = K_A^-(K_A^+(m))$]

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

Difficult to detect:
• Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
• problem is that Trudy receives all messages as well!

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Firewalls

firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

[figure: administered network -- firewall -- public Internet]

Firewalls: Why

• prevent denial of service attacks:
  • SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
• prevent illegal modification/access of internal data
  • e.g., attacker replaces CIA's homepage with something else
• allow only authorized access to inside network (set of authenticated users/hosts)
• two types of firewalls:
  • application-level
  • packet-filtering

Packet Filtering

• internal network connected to Internet via router firewall
• router filters packet-by-packet, decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

[figure: Should arriving packet be allowed in? Departing packet let out?]

Packet Filtering

• Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  • All incoming and outgoing UDP flows and telnet connections are blocked.
• Example 2: Block inbound TCP SYN packets.
  • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
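The two example rules above as a stateless filter, added here as an example (not the lecture's code). The packet record is a constructed stand-in for the header fields the slide lists; Example 2 is implemented as "inbound TCP with SYN set and ACK clear", so that SYN+ACK replies to connections opened from inside still pass, which is the behaviour the slide describes.

```python
"""Stateless packet filter implementing the slide's Example 1 and Example 2.
Added example, not the lecture's code; Packet is a constructed header summary."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

PROTO_TCP, PROTO_UDP = 6, 17   # IP protocol field values
TELNET_PORT = 23


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: int             # IP protocol field
    src_port: int = 0      # TCP/UDP ports (0 when not applicable)
    dst_port: int = 0
    syn: bool = False      # TCP flag bits (ignored for non-TCP)
    ack: bool = False
    inbound: bool = True   # True: arriving from the public Internet


# A rule is (name, predicate); the first matching rule drops the packet.
Rule = Tuple[str, Callable[[Packet], bool]]


def rule_block_udp_and_telnet(p: Packet) -> bool:
    """Example 1: protocol field = 17 (UDP), or either port = 23, in either direction."""
    return p.proto == PROTO_UDP or TELNET_PORT in (p.src_port, p.dst_port)


def rule_block_inbound_syn(p: Packet) -> bool:
    """Example 2: inbound connection-opening TCP segments (SYN set, ACK clear).
    SYN+ACK replies to connections opened from inside are not matched."""
    return p.inbound and p.proto == PROTO_TCP and p.syn and not p.ack


RULES: List[Rule] = [
    ("block UDP and telnet", rule_block_udp_and_telnet),
    ("block inbound SYN", rule_block_inbound_syn),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return ('drop', matching rule name) or ('forward', '')."""
    for name, matches in rules:
        if matches(p):
            return "drop", name
    return "forward", ""
```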

Application gateways

• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.

[figure: host-to-gateway telnet session → application gateway → gateway-to-remote host telnet session, passing through the router and filter]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

• IP spoofing: router can't know if data "really" comes from claimed source
• if multiple app's need special treatment, each has own app gateway
• client software must know how to contact gateway
  • e.g., must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Internet security threats

Mapping:
• before attacking: "case the joint" – find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?

Internet security threats

Mapping: countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)

Internet security threats: Packet sniffing

• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g., passwords)
• e.g.: C sniffs B's packets

[figure: A, B, C on a shared medium; packet (src:B, dest:A, payload) read by C]
Countermeasures?

Internet security threats: Packet sniffing countermeasures

• all hosts in organization run software that checks periodically if host interface in promiscuous mode
• one host per segment of broadcast media (switched Ethernet at hub)

[figure: A, B, C each on their own switched segment; packet (src:B, dest:A, payload) no longer reaches C]

Internet security threats: IP Spoofing

• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g.: C pretends to be B

[figure: C sends packet (src:B, dest:A, payload) to A]
Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

• routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
• great, but ingress filtering can not be mandated for all networks

[figure: router drops C's packet (src:B, dest:A, payload) because B's address is not in its network]

Internet security threats: Denial of service (DOS)

• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A

[figure: C and a remote host send streams of SYN segments towards A]
Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)

[figure: SYN streams from C and the remote host filtered before reaching A]

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP
Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
• Mobile and wireless networks
  • CDMA
  • IEEE 802.11 wireless LANs

Review (3)

• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication
  • Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
Global:
• all routers have complete topology, link cost info
• "link state" algorithms
Decentralized:
• router knows physically-connected neighbors, link costs to neighbors
• iterative process of computation, exchange of info with neighbors
• "distance vector" algorithms

Static or dynamic?
Static:
• routes change slowly over time
Dynamic:
• routes change more quickly
  • periodic update
  • in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm: example

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz

[figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
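The pseudocode and the worked table above, as an added Python implementation (not the lecture's code) that also derives u's forwarding table from the predecessors p(v). The link costs below are reconstructed from the slide's figure and the D(v),p(v) table; ties in D(w) may be resolved in either order, so the slide's step sequence (y before v at step 2) is one valid run among several.

```python
"""Dijkstra's link-state algorithm on the slide's example graph, plus u's forwarding table.
Added example, not the lecture's code."""
from typing import Dict, List, Optional, Set, Tuple

INF = float("inf")
Graph = Dict[str, Dict[str, float]]   # node -> {neighbour: link cost c(node, neighbour)}


def dijkstra(graph: Graph, u: str) -> Tuple[Dict[str, float], Dict[str, Optional[str]], List[str]]:
    """Return least costs D(v), predecessors p(v), and the order in which nodes joined N'."""
    N: Set[str] = {u}
    D: Dict[str, float] = {}
    p: Dict[str, Optional[str]] = {}
    for v in graph:                                   # Initialization
        if v == u:
            D[v], p[v] = 0, None
        elif v in graph[u]:                           # v adjacent to u
            D[v], p[v] = graph[u][v], u
        else:
            D[v], p[v] = INF, None
    order = [u]
    while len(N) < len(graph):                        # Loop until all nodes in N'
        candidates = [v for v in graph if v not in N]
        w = min(candidates, key=lambda v: D[v])       # w not in N' with minimum D(w)
        if D[w] == INF:
            break                                     # the rest is unreachable from u
        N.add(w)
        order.append(w)
        for v, cost in graph[w].items():              # update D(v) for v adjacent to w, not in N'
            if v not in N and D[w] + cost < D[v]:
                D[v], p[v] = D[w] + cost, w
    return D, p, order


def forwarding_table(p: Dict[str, Optional[str]], u: str) -> Dict[str, str]:
    """Next hop from u towards each destination: walk p(v) back until the hop adjacent to u."""
    table: Dict[str, str] = {}
    for dest in p:
        if dest == u or p[dest] is None:
            continue
        hop = dest
        while p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table


def undirected(edges: Dict[Tuple[str, str], float]) -> Graph:
    g: Graph = {}
    for (a, b), c in edges.items():
        g.setdefault(a, {})[b] = c
        g.setdefault(b, {})[a] = c
    return g


# Link costs of the slide's example graph (reconstructed from the figure and the table).
EXAMPLE: Graph = undirected({
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
})
```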

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  $D_x(y) \leftarrow \min_v \{\, c(x,v) + D_v(y) \,\}$ for each node $y \in N$
• Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor

Distributed:
• each node notifies neighbors only when its DV changes
  • neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path – only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[figure: nodes x, y, z with link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7]

node x table (time running left to right)

  cost to            cost to            cost to
  from  x  y  z      from  x  y  z      from  x  y  z
  x     0  2  7      x     0  2  3      x     0  2  3
  y     ∞  ∞  ∞      y     2  0  1      y     2  0  1
  z     ∞  ∞  ∞      z     7  1  0      z     3  1  0

node y table

  cost to            cost to            cost to
  from  x  y  z      from  x  y  z      from  x  y  z
  x     ∞  ∞  ∞      x     0  2  7      x     0  2  3
  y     2  0  1      y     2  0  1      y     2  0  1
  z     ∞  ∞  ∞      z     7  1  0      z     3  1  0

node z table

  cost to            cost to            cost to
  from  x  y  z      from  x  y  z      from  x  y  z
  x     ∞  ∞  ∞      x     0  2  7      x     0  2  3
  y     ∞  ∞  ∞      y     2  0  1      y     2  0  1
  z     7  1  0      z     3  1  0      z     3  1  0

$D_x(y) = \min\{\, c(x,y) + D_y(y),\ c(x,z) + D_z(y) \,\} = \min\{2+0,\ 7+1\} = 2$

$D_x(z) = \min\{\, c(x,y) + D_y(z),\ c(x,z) + D_z(z) \,\} = \min\{2+1,\ 7+0\} = 3$
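The distance-vector iteration of the two slides above, run on the x, y, z example in synchronous rounds until no DV changes, as an added example (not the lecture's code). Each node keeps the table shown on the slide (its own DV plus the last DV heard from each neighbour) and applies the Bellman-Ford equation; the round structure is an assumption made for determinism.

```python
"""Distance-vector (Bellman-Ford) iteration on the slide's three-node example.
Added example, not the lecture's code."""
from typing import Dict, List, Tuple

INF = float("inf")
DV = Dict[str, float]   # one node's distance vector: destination -> cost


class Node:
    def __init__(self, name: str, link_costs: Dict[str, float], all_nodes: List[str]) -> None:
        self.name = name
        self.c = link_costs                              # c(x,v) for directly attached neighbours v
        # Table rows: the last DV heard from each neighbour (unknown = inf) plus the own DV.
        self.table: Dict[str, DV] = {v: {y: INF for y in all_nodes} for v in link_costs}
        self.table[name] = {y: (0 if y == name else link_costs.get(y, INF)) for y in all_nodes}
        self.next_hop: Dict[str, str] = {}               # the DV algorithm only knows the next hop

    def dv(self) -> DV:
        return dict(self.table[self.name])

    def receive(self, neighbor: str, their_dv: DV) -> bool:
        """Install a neighbour's DV and recompute own DV; True if the own DV changed."""
        self.table[neighbor] = dict(their_dv)
        new: DV = {}
        for y in self.table[self.name]:
            if y == self.name:
                new[y] = 0
                continue
            best, hop = INF, None
            for v, cost in self.c.items():               # D_x(y) = min_v { c(x,v) + D_v(y) }
                if cost + self.table[v][y] < best:
                    best, hop = cost + self.table[v][y], v
            new[y] = best
            if hop is not None:
                self.next_hop[y] = hop
        changed = new != self.table[self.name]
        self.table[self.name] = new
        return changed


def run_dv(links: Dict[Tuple[str, str], float], max_rounds: int = 100) -> Tuple[Dict[str, Node], int]:
    """Synchronous rounds: each node sends its DV to all neighbours; stop when nothing changes.
    Returns the nodes and the number of the round in which the DVs were found stable."""
    names = sorted({n for edge in links for n in edge})
    costs: Dict[str, Dict[str, float]] = {n: {} for n in names}
    for (a, b), c in links.items():
        costs[a][b] = costs[b][a] = c
    nodes = {n: Node(n, costs[n], names) for n in names}
    for rnd in range(1, max_rounds + 1):
        snapshot = {n: nodes[n].dv() for n in names}   # DVs as they are sent at round start
        changed = False
        for n in names:
            for v in costs[n]:
                changed |= nodes[n].receive(v, snapshot[v])
        if not changed:
            return nodes, rnd
    return nodes, max_rounds


if __name__ == "__main__":
    result, rounds = run_dv({("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7})
    for name, node in result.items():
        print(name, node.dv(), node.next_hop)
```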

The Internet Network layer

Host, router network layer functions:
• Routing protocols
  • path selection
  • RIP, OSPF, BGP
• IP protocol
  • addressing conventions
  • datagram format
  • packet handling conventions
• ICMP protocol
  • error reporting
  • router "signaling"

[figure: Transport layer: TCP, UDP / Network layer: routing protocols, IP protocol with forwarding table, ICMP protocol / Link layer / physical layer]

IP datagram format

[figure: IPv4 header, 32 bits wide]
  ver | head. len | type of service | length
  16-bit identifier | flgs | fragment offset
  time to live | upper layer | Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any)
  data (variable length, typically a TCP or UDP segment)

• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Options: e.g., timestamp, record route taken, specify list of routers to visit

how much overhead with TCP?
• 20 bytes of TCP
• 20 bytes of IP
• = 40 bytes + app layer overhead

IP Addressing: introduction

• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

[figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.2.1, 223.1.2.2, 223.1.3.1, 223.1.3.2; router interfaces 223.1.1.4, 223.1.2.9, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

• IP address:
  • subnet part (high order bits)
  • host part (low order bits)
• What's a subnet?
  • device interfaces with same subnet part of IP address
  • can physically reach each other without intervening router

[figure: same addresses as before (223.1.1.x, 223.1.2.x, 223.1.3.x); network consisting of 3 subnets, each a LAN]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)

CIDR: Classless InterDomain Routing
• subnet portion of address of arbitrary length
• address format: a.b.c.d/x, where x is # bits in subnet portion of address

  11001000 00010111 00010000 00000000
  |<--- subnet part (23 bits) --->|<-- host part -->|
  200.23.16.0/23
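The CIDR arithmetic above (subnet part = the high-order x bits, shown on 200.23.16.0/23) and, built on the same prefix check, the ingress-filtering countermeasure from the IP spoofing slide, as one added example (not the lecture's code). The router prefix and the packet addresses in the test are constructed.

```python
"""CIDR prefix arithmetic and an ingress filter built on it.
Added example, not the lecture's code."""
from typing import List, Tuple


def ip_to_int(dotted: str) -> int:
    parts = [int(x) for x in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_binary(dotted: str) -> str:
    """Render an address the way the slide does: four 8-bit groups."""
    value = ip_to_int(dotted)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def parse_cidr(prefix: str) -> Tuple[int, int]:
    """'a.b.c.d/x' -> (network address as int with host bits cleared, x)."""
    addr, length = prefix.split("/")
    x = int(length)
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, x


def in_prefix(dotted: str, prefix: str) -> bool:
    """True if the address's high-order x bits equal the subnet part of the prefix."""
    net, x = parse_cidr(prefix)
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF
    return ip_to_int(dotted) & mask == net


def split_parts(dotted: str, prefix: str) -> Tuple[str, str]:
    """Return (subnet part, host part) of an address as bit strings."""
    _, x = parse_cidr(prefix)
    bits = f"{ip_to_int(dotted):032b}"
    return bits[:x], bits[x:]


def ingress_filter(outgoing: List[Tuple[str, str]], router_prefix: str) -> List[Tuple[str, str]]:
    """Forward only packets whose source address lies inside the router's own network;
    a datagram leaving with a foreign source address is dropped. outgoing = [(src, dst), ...]."""
    return [(src, dst) for src, dst in outgoing if in_prefix(src, router_prefix)]
```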

NAT: Network Address Translation

[figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and the NAT router's LAN interface 10.0.0.4; the router's single WAN-side address is 138.76.29.7, facing the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
WAN side addr         LAN side addr
138.76.29.7, 5001     10.0.0.1, 3345
……                    ……
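The four steps above as a NAT router with its translation table, added as an example (not the lecture's code). Addresses and ports are the slide's; the policy that a WAN-side port with no table entry is dropped, and that a repeated (LAN address, port) pair reuses its mapping, are assumptions.

```python
"""NAT router translation table: outbound rewrite (step 2) and inbound reverse lookup (step 4).
Added example, not the lecture's code."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Datagram:
    src: Endpoint
    dst: Endpoint


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001) -> None:
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table: Dict[Endpoint, Endpoint] = {}     # WAN side addr -> LAN side addr
        self.reverse: Dict[Endpoint, Endpoint] = {}   # LAN side addr -> WAN side addr

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: replace the source with the single NAT IP and a fresh port; record the mapping."""
        wan = self.reverse.get(d.src)
        if wan is None:                               # first datagram of this LAN (addr, port)
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.table[wan] = d.src
            self.reverse[d.src] = wan
        return replace(d, src=wan)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Step 4: map the WAN-side destination back to the LAN host; drop if unknown
        (an inbound datagram with no table entry was never solicited from inside)."""
        lan = self.table.get(d.dst)
        if lan is None:
            return None
        return replace(d, dst=lan)
```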

Hierarchical Routing

Our routing study thus far - idealization:
• all routers identical
• network "flat"
... not true in practice

scale: with 200 million destinations:
• can't store all dest's in routing tables!
• routing table exchange would swamp links!

administrative autonomy
• internet = network of networks
• each network admin may want to control routing in its own network

Hierarchical Routing

• aggregate routers into regions, "autonomous systems" (AS)
• routers in same AS run same routing protocol
  • "intra-AS" routing protocol
  • routers in different AS can run different intra-AS routing protocol

Gateway router
• Direct link to router in another AS

[figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); in a router the Intra-AS routing algorithm and the Inter-AS routing algorithm together fill the forwarding table]

Interconnected ASes

• Forwarding table is configured by both intra- and inter-AS routing algorithm
  • Intra-AS sets entries for internal dests
  • Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)

• Distance vector algorithm
• Included in BSD-UNIX Distribution in 1982
• Distance metric: # of hops (max = 15 hops)
  • # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)

[figure: routers A, B, C, D connecting subnets u, v, w, x, y, z]

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

• Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
• Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

• "open": publicly available
• Uses Link State algorithm
  • LS packet dissemination
  • Topology map at each node
  • Route computation using Dijkstra's algorithm
  • Link costs configured by the network administrator
• OSPF advertisement carries one entry per neighbor router
• Advertisements disseminated to entire AS (via flooding)
  • Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
• Integrated uni- and multicast support:
  • Multicast OSPF (MOSPF) uses same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF

• Two-level hierarchy: local area, backbone
  • Link-state advertisements only in area
  • each node has detailed area topology
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
• Backbone routers: run OSPF routing limited to backbone
• Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs.
  2. Propagate the reachability information to all routers internal to the AS.
  3. Determine "good" routes to subnets based on reachability information and policy.
• Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  • Note that BGP sessions do not correspond to physical links.
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix.
  • AS2 can aggregate prefixes in its advertisement

[figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes & BGP routes

• When advertising a prefix, advert includes BGP attributes.
  • prefix + attributes = "route"
• Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: Indicates the specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop-AS.)
• When gateway router receives route advert, uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy:
• Inter-AS: admin wants control over how its traffic routed, who routes through its net.
• Intra-AS: single admin, so no policy decisions needed

Scale:
• hierarchical routing saves table size, reduced update traffic

Performance:
• Intra-AS: can focus on performance
• Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links
  • wired links
  • wireless links
  • LANs
• layer-2 packet is a frame, encapsulates datagram

[figure: "link" between two adjacent nodes]

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

• Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest
    • different from IP address!
• Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit error link (fiber, some twisted pair)
  • wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
• Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
• "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
• access to channel in "rounds"
• each station gets fixed length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple

Cons
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = $p(1-p)^{N-1}$
• prob that there is a success = $Np(1-p)^{N-1}$
• For max efficiency with N nodes, find p that maximizes $Np(1-p)^{N-1}$
• For many nodes, take limit of $Np(1-p)^{N-1}$ as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time!
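The maximisation the slide leaves to the reader, carried through with the slide's symbols (added derivation, not part of the original slide):

$$\frac{d}{dp}\Big[N p (1-p)^{N-1}\Big] = N\Big[(1-p)^{N-1} - (N-1)\,p\,(1-p)^{N-2}\Big] = N (1-p)^{N-2}\,(1 - Np)$$

The derivative vanishes at $p^* = 1/N$, so the success probability per slot at its maximum is

$$N p^* (1-p^*)^{N-1} = \Big(1 - \frac{1}{N}\Big)^{N-1} \;\xrightarrow{\;N \to \infty\;}\; \frac{1}{e} \approx 0.37$$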

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit
• If channel sensed idle: transmit entire frame
• If channel sensed busy: defer transmission

Human analogy: don't interrupt others!

CSMA collisions

• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted

[figure: spatial layout of nodes, transmissions overlapping in time]

note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel wastage

collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted, received signals
• difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[figure: collision detected shortly after it begins; both transmissions aborted]

"Taking Turns" MAC protocols

Polling:
• master node "invites" slave nodes to transmit in turn
• concerns:
  • polling overhead
  • latency
  • single point of failure (master)

Token passing:
• control token passed from one node to next sequentially
• token message
• concerns:
  • token overhead
  • latency
  • single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table

ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
• TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[figure: LAN with four nodes
  237.196.7.23  1A-2F-BB-76-09-AD
  237.196.7.78  58-23-D7-FA-20-B0
  237.196.7.14  0C-C4-11-6F-E3-98
  237.196.7.88  71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

• A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play":
  • nodes create their ARP tables without intervention from net administrator

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

- A creates datagram with source A, destination B.
- A uses ARP to get R's MAC address for 111.111.111.110.
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram.
- A's adapter sends frame; R's adapter receives frame.
- R removes IP datagram from Ethernet frame, sees it's destined to B.
- R uses ARP to get B's MAC address.
- R creates frame containing A-to-B IP datagram, sends to B.

(Figure: A -- R -- B, R with one interface on each LAN.)

Ethernet uses CSMA/CD

- No slots.
- Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
- Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
- Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.

Exponential backoff
Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer.
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3} ...
- after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
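The backoff rule above, as an added example that is not part of the lecture slides: it computes the K range after the m-th collision, the resulting wait in bit times and seconds at 10 Mbps, and draws a backoff sequence from a seeded random source. The 0.1 microsecond bit time and the 512-bit slot are the slide's values; the cap at 2^10 choices after the tenth collision follows the slide's "after ten collisions" range.

```python
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit at 10 Mbps (slides: 0.1 microsec)
SLOT_BITS = 512            # backoff unit: adapter waits K * 512 bit times
MAX_EXPONENT = 10          # K range stops growing after the tenth collision


def k_range(m):
    """Number of choices for K after the m-th collision: K in {0, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("backoff only applies after at least one collision")
    return 2 ** min(m, MAX_EXPONENT)


def wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """Wall-clock wait for a chosen K."""
    return k * SLOT_BITS * bit_time


def max_wait_ms(m):
    """Longest possible wait after the m-th collision, in milliseconds."""
    return wait_seconds(k_range(m) - 1) * 1000


def backoff_sequence(collisions, seed=1):
    """K chosen for collisions 1..collisions, using a seeded RNG so runs are reproducible.

    Models a frame that keeps colliding: each new collision doubles the K range
    (until the cap), so under heavy load the expected wait grows.
    """
    rng = random.Random(seed)
    return [rng.randrange(k_range(m)) for m in range(1, collisions + 1)]


if __name__ == "__main__":
    for m in (1, 2, 3, 10):
        print(f"collision {m:2d}: K in 0..{k_range(m) - 1}, max wait {max_wait_ms(m):.4f} ms")
    print("sample K sequence:", backoff_sequence(12))
```

With K = 1023 the wait is 1023 * 512 * 0.1 microsec, i.e. about 52 ms, which is the "about 50 msec" on the slide.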

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0. Goes to 1 as t_trans goes to infinity. Much better than ALOHA, but still decentralized, simple, and cheap.

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality, e.g. can disconnect a malfunctioning adapter

(Figure: hub with twisted-pair links to hosts.)

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

(Figure: backbone hub connecting three departmental hubs.)

Switch

Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...

(Figure: switch with interfaces 1, 2, 3, each leading to a hub.)

Self learning

A switch has a switch table. Entry in switch table: (MAC address, interface, time stamp). Stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.

Switch: traffic isolation

Switch installation breaks subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.

(Figure: switch connecting three hubs; each hub's segment is its own collision domain.)
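The self-learning and filtering behaviour just described, as an added example that is not part of the lecture slides: a switch table keyed by MAC address with (interface, time stamp) entries and a TTL, flooding for unknown or broadcast destinations, and filtering of frames whose destination sits on the segment they arrived from. The MAC addresses, interface numbers and frame sequence are constructed for the demonstration.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    """Plug-and-play switch: no configuration, the table is built from traffic."""

    def __init__(self, interfaces, ttl=3600):
        self.interfaces = list(interfaces)   # e.g. [1, 2, 3]
        self.ttl = ttl                        # seconds; slide says TTL can be 60 min
        self.table = {}                       # MAC address -> (interface, time stamp)

    def _expire(self, now):
        # Stale entries are dropped once older than the TTL, so a host that moves
        # to another segment is relearned instead of being misforwarded forever.
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src, dst, in_if, now):
        """Handle one frame; return the list of interfaces it is forwarded on."""
        self._expire(now)
        # Self-learning: the sender is reachable through the incoming interface.
        self.table[src] = (in_if, now)
        if dst == BROADCAST or dst not in self.table:
            # Unknown or broadcast destination: flood on all other interfaces.
            return [i for i in self.interfaces if i != in_if]
        out_if, _ = self.table[dst]
        if out_if == in_if:
            # Traffic isolation: destination is on the same segment, so filter.
            return []
        return [out_if]


def demo():
    """Constructed traffic: hosts A and C share segment 1, host B is on segment 2."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "0A-00-00-00-00-01", "0A-00-00-00-00-02", "0A-00-00-00-00-03"
    forwarded = []
    forwarded.append(sw.receive(a, b, 1, now=0))      # B unknown: flood to 2 and 3
    forwarded.append(sw.receive(b, a, 2, now=1))      # A learned on 1: forward to 1 only
    forwarded.append(sw.receive(c, a, 1, now=2))      # A and C on segment 1: filtered
    forwarded.append(sw.receive(a, b, 1, now=5000))   # B's entry expired: flood again
    return forwarded, dict(sw.table)


if __name__ == "__main__":
    out, table = demo()
    print("forwarding decisions:", out)
    print("switch table:", table)
```

The fourth frame shows why the time stamp matters: once B's entry has aged out, the switch falls back to flooding rather than trusting a possibly stale location.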

Switches vs. Routers

Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other, means A, C unaware of their interference at B.

(Figure: A, B, C in a line; A's signal strength and C's signal strength both fall off over space and overlap only at B.)

Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station.
Ad hoc mode: hosts only.

(Figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet.)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. If sense channel idle for DIFS then transmit entire frame (no CD).
2. If sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- If frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).

(Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK.)

Collision Avoidance: RTS-CTS exchange

(Figure, time running downward: A and B send RTS(A) and RTS(B) to the AP at the same time, a reservation collision. A retries RTS(A); the AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A).)

802.11 frame: addressing

(Frame format, field lengths in bytes: frame control 2, duration 2, address 1 6, address 2 6, address 3 6, seq control 2, address 4 6, payload 0-2312, CRC 4.)

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

(Figure: H1 -- AP -- R1 -- Internet)
802.11 frame: address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr; source address = AP MAC addr

Network Security

- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks


Public Key Cryptography

Symmetric key crypto requires sender, receiver know shared secret key. Q: how to agree on key in first place (particularly if never "met")?

Public key cryptography: radically different approach [Diffie-Hellman76, RSA78]; sender, receiver do not share secret key; public encryption key known to all; private decryption key known only to receiver.

Public key cryptography

(Figure: plaintext message m -> encryption algorithm with Bob's public key K_B^+ -> ciphertext K_B^+(m) -> decryption algorithm with Bob's private key K_B^- -> plaintext message m = K_B^-(K_B^+(m)).)

Public key encryption algorithms

Requirements:
1. Need K_B^+( ) and K_B^-( ) such that K_B^-(K_B^+(m)) = m.
2. Given public key K_B^+, it should be impossible to compute private key K_B^-.
Also: given K_B^+(m) and K_B^+( ), it should be impossible to determine m.

RSA: Choosing keys

1. Choose two large prime numbers p, q (e.g., 1024 bits each).
2. Compute n = pq, z = (p-1)(q-1).
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime").
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1).
5. Public key is (n,e). Private key is (n,d). K_B^+ = (n,e), K_B^- = (n,d).

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above.
1. To encrypt bit pattern m, compute c = m^e mod n (i.e., remainder when m^e is divided by n).
2. To decrypt received bit pattern c, compute m = c^d mod n (i.e., remainder when c^d is divided by n).

Magic happens: m = (m^e mod n)^d mod n, where c = m^e mod n.

RSA example

Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z).

encrypt:  letter l, m = 12, m^e = 1524832, c = m^e mod n = 17
decrypt:  c = 17, c^d = 481968572106750915091411825223071697, m = c^d mod n = 12, letter l

RSA: Why is that m = (m^e mod n)^d mod n?

Useful number theory result: if p, q prime and n = pq, then x^y mod n = x^(y mod (p-1)(q-1)) mod n.

(m^e mod n)^d mod n = m^(ed) mod n
                    = m^(ed mod (p-1)(q-1)) mod n    (using number theory result above)
                    = m^1 mod n                      (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
                    = m

RSA: another important property

The following property will be very useful later:

K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))

use public key first, followed by private key; use private key first, followed by public key. Result is the same!
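The RSA slides above (key choice, encryption and decryption, the worked p=5, q=7 example, and the "another important property"), as one added example that is not part of the lecture slides. It follows the slide's five key-generation steps, reproduces the example with the slide's own d=29 (it also recomputes m^e = 12^5 itself), and checks that applying the keys in either order returns m. `pow(e, -1, z)` for the modular inverse requires Python 3.8 or later.

```python
from math import gcd


def rsa_keygen(p, q, e, d=None):
    """Steps 1-5 from the slides: n = pq, z = (p-1)(q-1), e coprime to z, ed mod z = 1.

    If d is given it is validated (the slide picks d=29); otherwise the smallest
    valid d, the modular inverse of e mod z, is computed.
    """
    n, z = p * q, (p - 1) * (q - 1)
    if not (1 < e < n) or gcd(e, z) != 1:
        raise ValueError("e must be less than n and relatively prime to z")
    if d is None:
        d = pow(e, -1, z)
    elif (e * d - 1) % z != 0:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)        # K_B^+ = (n, e), K_B^- = (n, d)


def rsa_apply(key, x):
    """Both directions are the same operation: x^exp mod n."""
    n, exp = key
    if not (0 <= x < n):
        raise ValueError("bit pattern must be smaller than n")
    return pow(x, exp, n)


def encrypt(pub, m):
    return rsa_apply(pub, m)      # c = m^e mod n


def decrypt(priv, c):
    return rsa_apply(priv, c)     # m = c^d mod n


def commutes(pub, priv, m):
    """The slide's property: K^-(K^+(m)) == K^+(K^-(m)) == m."""
    return decrypt(priv, encrypt(pub, m)) == encrypt(pub, decrypt(priv, m)) == m


def slide_example():
    """Bob's p=5, q=7, e=5, d=29; letter l encoded as m=12."""
    pub, priv = rsa_keygen(5, 7, 5, d=29)
    m = 12
    m_to_e = m ** pub[1]          # the unreduced m^e, then reduced mod n below
    c = encrypt(pub, m)
    return pub, priv, m_to_e, c, decrypt(priv, c)


if __name__ == "__main__":
    pub, priv, m_to_e, c, m_back = slide_example()
    print(f"public {pub}, private {priv}")
    print(f"m=12: m^e={m_to_e}, c={c}, decrypted={m_back}")
    print("order of keys irrelevant:", commutes(pub, priv, 12))
```

Toy parameters like these are for illustration only; the slide's "e.g., 1024 bits each" is the point that makes step 2 of the requirements (private key not computable from the public one) hold in practice.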

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Authentication

Goal: Bob wants Alice to "prove" her identity to him.
Protocol ap1.0: Alice says "I am Alice".

Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice: "I am Alice".

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.

Failure scenario: Trudy can create a packet "spoofing" Alice's address: "I am Alice", Alice's IP address.

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
Exchange: "I'm Alice", Alice's IP addr, Alice's password -> Bob; OK, Alice's IP addr -> Alice.

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob: "I'm Alice", Alice's IP addr, Alice's password.

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
Exchange: "I'm Alice", Alice's IP addr, encrypted password -> Bob; OK, Alice's IP addr -> Alice.

Failure scenario: record and playback still works: "I'm Alice", Alice's IP addr, encrypted password.

Authentication: yet another try

Goal: avoid playback attack.
Nonce: number (R) used only once-in-a-lifetime.
ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key.
Exchange: "I am Alice" -> Bob; R -> Alice; K_A-B(R) -> Bob.
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

Failures, drawbacks?

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography.
Exchange: "I am Alice" -> Bob; R -> Alice; K_A^-(R) -> Bob; "send me your public key" -> Alice; K_A^+ -> Bob.

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

(Figure of the exchange:)
Trudy -> Bob: I am Alice                 Trudy -> Alice: I am Alice
Bob -> Trudy: R                          Trudy -> Alice: R
Trudy -> Bob: K_T^-(R)                   Alice -> Trudy: K_A^-(R)
Bob -> Trudy: Send me your public key    Trudy -> Alice: Send me your public key
Trudy -> Bob: K_T^+                      Alice -> Trudy: K_A^+
Bob -> Trudy: K_T^+(m)                   Trudy -> Alice: K_A^+(m)
Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key; Alice gets m = K_A^-(K_A^+(m)).

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!
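A model of ap5.0 and of the hole just described, as an added example that is not part of the lecture slides. The keys are toy RSA pairs built from small constructed primes, and the nonce and message values are constructed too. It shows why Bob's check K^+(K^-(R)) = R cannot tell Alice from Trudy when the public key comes from the peer itself, and shows the check that closes the hole in this model: Bob compares the presented key against Alice's key obtained out of band (the `known_pubkey` parameter is this example's own addition, not something the slides define).

```python
def toy_rsa_keypair(p, q, e=17):
    """Textbook RSA with small constructed primes; for illustration only."""
    n, z = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, z))   # (public, private)


def rsa(key, x):
    n, exp = key
    return pow(x, exp, n)


class Party:
    def __init__(self, name, p, q):
        self.name = name
        self.pub, self.priv = toy_rsa_keypair(p, q)


ALICE = Party("Alice", 61, 53)      # constructed primes
TRUDY = Party("Trudy", 101, 113)    # constructed primes
NONCE = 1234                        # Bob's R, constructed
MESSAGE = 42                        # m, constructed


def bob_verifies(reply, presented_pubkey, nonce, known_pubkey=None):
    """ap5.0 check: K^+(K^-(R)) == R using the key the peer presents.

    With known_pubkey set, Bob additionally requires the presented key to be the
    one he already holds for Alice, the binding that ap5.0 as drawn lacks.
    """
    if known_pubkey is not None and presented_pubkey != known_pubkey:
        return False
    return rsa(presented_pubkey, reply) == nonce


def run_honest(alice, nonce, known_pubkey=None):
    # "I am Alice"; R; K_A^-(R); "send me your public key"; K_A^+
    return bob_verifies(rsa(alice.priv, nonce), alice.pub, nonce, known_pubkey)


def run_mitm(alice, trudy, nonce, m, known_pubkey=None):
    """Returns (bob_accepts, m as seen by Trudy, m as seen by Alice)."""
    # Trudy answers Bob's R with her own private key and presents K_T^+,
    # while relaying R to Alice so Alice's side of the conversation is normal.
    accepted = bob_verifies(rsa(trudy.priv, nonce), trudy.pub, nonce, known_pubkey)
    if not accepted:
        return False, None, None
    # Bob encrypts m with the key he believes is Alice's (really K_T^+) ...
    c_to_trudy = rsa(trudy.pub, m)
    m_seen_by_trudy = rsa(trudy.priv, c_to_trudy)
    # ... and Trudy re-encrypts it with K_A^+, so Alice notices nothing.
    m_seen_by_alice = rsa(alice.priv, rsa(alice.pub, m_seen_by_trudy))
    return True, m_seen_by_trudy, m_seen_by_alice


if __name__ == "__main__":
    print("honest run accepted:", run_honest(ALICE, NONCE))
    print("MITM, key from peer:", run_mitm(ALICE, TRUDY, NONCE, MESSAGE))
    print("MITM, key known to Bob:", run_mitm(ALICE, TRUDY, NONCE, MESSAGE, known_pubkey=ALICE.pub))
```

The middle line of the output is the slide's point: Bob's arithmetic succeeds and Alice receives m intact, yet Trudy has read it. The last line shows that the nonce protocol itself is fine; what it needs is an authenticated public key.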

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Firewalls

Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

(Figure: administered network | firewall | public Internet)

Firewalls: Why

Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
Prevent illegal modification/access of internal data: e.g., attacker replaces CIA's homepage with something else.
Allow only authorized access to inside network (set of authenticated users/hosts).

Two types of firewalls: application-level, packet-filtering.

Packet Filtering

Internal network connected to Internet via router firewall. Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.
Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
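The two filter examples above as an added example that is not part of the lecture slides: a packet-by-packet filter using exactly the header fields the slide lists (addresses, protocol, ports, SYN and ACK bits, direction). Example 2 is read as "SYN set and ACK clear", so that SYN+ACK replies to connections opened from inside still get in, which is what the slide's "allows internal clients to connect to outside" requires; that reading, the `Packet` record and the sample packets (documentation-range addresses) are this example's own.

```python
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TELNET_PORT = 23


@dataclass
class Packet:
    """The header fields a packet filter looks at (constructed record type)."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    inbound: bool = True       # True: arriving from the public Internet


def rule_example_1(pkt):
    # Block UDP (IP protocol field 17) and telnet (port 23) in either direction.
    return pkt.proto == IPPROTO_UDP or TELNET_PORT in (pkt.sport, pkt.dport)


def rule_example_2(pkt):
    # Block inbound TCP connection requests: SYN set, ACK clear.  A SYN+ACK
    # from outside is the second step of a connection an internal client opened.
    return pkt.inbound and pkt.proto == IPPROTO_TCP and pkt.syn and not pkt.ack


RULES = [("block UDP and telnet", rule_example_1),
         ("block inbound TCP SYN", rule_example_2)]


def filter_packet(pkt):
    """First matching block rule wins; anything unmatched is forwarded."""
    for name, matches in RULES:
        if matches(pkt):
            return "drop", name
    return "forward", None


# Constructed sample traffic; 10.0.0.5 is the internal host.
SAMPLES = [
    Packet("198.51.100.7", "10.0.0.5", IPPROTO_UDP, 53, 3000, inbound=True),
    Packet("10.0.0.5", "203.0.113.9", IPPROTO_TCP, 4000, 23, syn=True, inbound=False),
    Packet("203.0.113.9", "10.0.0.5", IPPROTO_TCP, 51000, 80, syn=True, inbound=True),
    Packet("203.0.113.9", "10.0.0.5", IPPROTO_TCP, 443, 51000, syn=True, ack=True, inbound=True),
    Packet("10.0.0.5", "203.0.113.9", IPPROTO_TCP, 51000, 443, syn=True, inbound=False),
]


def run_samples():
    return [filter_packet(p) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, (decision, why) in zip(SAMPLES, run_samples()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} proto {pkt.proto}: {decision} {why or ''}")
```

Note the limit the slides come back to under "Limitations": these decisions trust the source address field, so a spoofed packet that fits the allowed pattern passes.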

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session through router and filter.)

Limitations of firewalls and gateways

- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple app's need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP
- tradeoff: degree of communication with outside world, level of security
- many highly protected sites still suffer from attacks

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Internet security threats

Mapping: before attacking: "case the joint": find out what services are implemented on network. Use ping to determine what hosts have addresses on network. Port-scanning: try to establish TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping: countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially).
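The countermeasure just named, as an added example that is not part of the lecture slides: detection logic run over a recorded log of inbound connection attempts. The log format (time, source, destination, destination port, one line per inbound TCP SYN), the addresses and the thresholds are constructed for this example; the rule flags a source that touches many distinct ports on one host within a short window, and reports whether the ports were hit in increasing order, the "sequentially" the slide mentions.

```python
from collections import defaultdict

# Constructed log: "<unix time> <src ip> <dst ip> <dst port>", one inbound SYN per line.
LOG = """\
1000 203.0.113.7 10.0.0.5 21
1001 203.0.113.7 10.0.0.5 22
1002 203.0.113.7 10.0.0.5 23
1003 203.0.113.7 10.0.0.5 25
1004 198.51.100.9 10.0.0.5 443
1005 203.0.113.7 10.0.0.5 80
1006 203.0.113.7 10.0.0.5 110
1007 203.0.113.7 10.0.0.5 143
1090 198.51.100.9 10.0.0.5 443
1200 203.0.113.7 10.0.0.6 22
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port = line.split()
        rows.append((int(t), src, dst, int(port)))
    return rows


def detect_scanners(rows, window=60, min_ports=5):
    """Map (src, dst) -> (distinct ports, hit in increasing order?) for pairs
    where some `window`-second span contains at least `min_ports` distinct ports."""
    by_pair = defaultdict(list)
    for t, src, dst, port in rows:
        by_pair[(src, dst)].append((t, port))

    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        best = 0
        # Slide each window start over the pair's events and count distinct ports.
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            seq = [p for _, p in events]
            sequential = all(a < b for a, b in zip(seq, seq[1:]))
            alerts[pair] = (best, sequential)
    return alerts


if __name__ == "__main__":
    for (src, dst), (count, sequential) in detect_scanners(parse_log(LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {count} ports in window, sequential={sequential}")
```

A repeat visit to one port (the 198.51.100.9 lines) is ordinary traffic and is not flagged; the thresholds are what a site tunes against its own baseline.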

Internet security threats: Packet sniffing

Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g., passwords); e.g., C sniffs B's packets.

(Figure: A, B, C on one shared segment; frame src:B dest:A payload also seen by C.)

Countermeasures?

Internet security threats: Packet sniffing countermeasures

- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)

(Figure: same A, B, C, now each on its own switched segment.)

Internet security threats: IP Spoofing

Can generate "raw" IP packets directly from application, putting any value into IP source address field. Receiver can't tell if source is spoofed; e.g., C pretends to be B.

(Figure: A, B, C; C sends frame src:B dest:A payload.)

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network). Great, but ingress filtering can not be mandated for all networks.

Internet security threats: Denial of service (DOS)

Flood of maliciously generated packets "swamp" receiver. Distributed DOS (DDOS): multiple coordinated sources swamp receiver; e.g., C and remote host SYN-attack A.

(Figure: streams of SYN packets from C and from a remote host converging on A.)

Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)

Review (1)

Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles: Link State Algorithm; Distance Vector Algorithm
- The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation

Review (2)

Routing in the Internet
- Hierarchical routing; RIP; OSPF; BGP

Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA; Random Access Protocols; "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs

Review (3)

- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
- Global: all routers have complete topology, link cost info: "link state" algorithms.
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors: "distance vector" algorithms.

Static or dynamic?
- Static: routes change slowly over time.
- Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

(Figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2.)

Distance vector algorithm (1)

Basic idea: Each node periodically sends its own distance vector estimate to neighbors. When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

D_x(y) <- min_v { c(x,v) + D_v(y) }   for each node y in N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by local link cost change or DV update message from neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

(Figure: three nodes with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7, and the node x, node y, node z tables over time. Initially each node knows only its own link costs: x's row is 0 2 7, y's row 2 0 1, z's row 7 1 0, and the rows for its neighbors are ∞ ∞ ∞. After one exchange of DVs, x's row becomes 0 2 3 and z's row 3 1 0; the tables then stop changing.)

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
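The distance vector algorithm on the slide's three-node example, as an added example that is not part of the lecture slides: every node starts knowing only its own link costs, neighbors exchange DVs in synchronous rounds (the slide's asynchronous behaviour is simplified to rounds for reproducibility), each node applies the Bellman-Ford equation, and only nodes whose DV changed send again. The cost table is the slide's; the round structure is this example's.

```python
INF = float("inf")

# Link costs from the slide: c(x,y) = 2, c(x,z) = 7, c(y,z) = 1.
COSTS = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}


def init_table(node, nodes, costs):
    """A node's table: its own row from link costs, neighbors' rows unknown (∞)."""
    table = {n: {m: INF for m in nodes} for n in nodes}
    for m in nodes:
        table[node][m] = 0 if m == node else costs[node].get(m, INF)
    return table


def bellman_ford_update(node, table, costs):
    """Recompute D_node(y) = min_v { c(node,v) + D_v(y) }; return True if the DV changed."""
    changed = False
    for y in table[node]:
        if y == node:
            continue
        best = min(costs[node][v] + table[v][y] for v in costs[node])
        if best != table[node][y]:
            table[node][y] = best
            changed = True
    return changed


def run_distance_vector(costs):
    """Returns ({node: its converged DV}, number of exchange rounds needed)."""
    nodes = sorted(costs)
    tables = {n: init_table(n, nodes, costs) for n in nodes}
    pending = set(nodes)              # nodes that must send their DV to neighbors
    rounds = 0
    while pending:
        rounds += 1
        senders, pending = pending, set()
        # Delivery: each sender's own DV row lands in every neighbor's table.
        for s in senders:
            for nb in costs[s]:
                tables[nb][s] = dict(tables[s][s])
        # Recompute: a node notifies neighbors next round only if its DV changed.
        for n in nodes:
            if bellman_ford_update(n, tables[n], costs):
                pending.add(n)
    return {n: tables[n][n] for n in nodes}, rounds


if __name__ == "__main__":
    dvs, rounds = run_distance_vector(COSTS)
    for n, row in dvs.items():
        print(f"node {n} DV:", row)
    print("rounds until quiet:", rounds)
```

Note what each node ends up with: x knows D_x(z) = 3 but not that the path goes through y; as the slide says, the algorithm only knows the next hop.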

The Internet Network layer

Host, router network layer functions:
- Routing protocols: path selection; RIP, OSPF, BGP
- IP protocol: addressing conventions; datagram format; packet handling conventions
- ICMP protocol: error reporting; router "signaling"

(Figure: transport layer (TCP, UDP) above; network layer holding routing protocols, the IP protocol, ICMP and the forwarding table; link layer and physical layer below.)

IP datagram format

(Figure: header laid out 32 bits wide)
- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
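The header layout above, as an added example that is not part of the lecture slides: a builder and parser for the 20-byte IPv4 header using `struct`, the Internet checksum, and the per-router step the slide describes for time-to-live (decrement, recompute checksum, discard at zero). The addresses, identifier and payload length used in the demonstration are constructed; the field offsets are those of the header format itself.

```python
import struct

HEADER_FMT = "!BBHHHBBH4s4s"     # ver/ihl, tos, length, id, flags+offset, ttl, pro, csum, src, dst


def ipv4_checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words, then complemented.
    Run over a header that already carries a valid checksum, it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_header(src, dst, proto, payload_len, ttl=64, ident=0x1C46, flags_frag=0x4000):
    """Options-free header (ihl = 5); flags_frag=0x4000 sets DF, offset 0."""
    ihl = 5
    fields = struct.pack(HEADER_FMT, (4 << 4) | ihl, 0, ihl * 4 + payload_len, ident,
                         flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_header(raw):
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    vihl, tos, total_len, ident, ff, ttl, proto, _csum, src, dst = struct.unpack(HEADER_FMT, raw[:20])
    version, ihl = vihl >> 4, vihl & 0xF
    header_len = ihl * 4
    if version != 4 or ihl < 5 or len(raw) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "header_len": header_len, "tos": tos, "total_len": total_len,
        "id": ident, "flags": ff >> 13, "frag_offset": ff & 0x1FFF, "ttl": ttl,
        "protocol": proto, "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        "options_len": header_len - 20,
        "checksum_ok": ipv4_checksum(raw[:header_len]) == 0,
    }


def forward_hop(raw):
    """What a router does to the header: decrement TTL and fix the checksum;
    returns None when the TTL would reach zero (datagram discarded)."""
    h = parse_header(raw)
    if h["ttl"] <= 1:
        return None
    hdr = bytearray(raw[:h["header_len"]])
    hdr[8] -= 1                                  # time to live
    hdr[10:12] = b"\x00\x00"                     # clear, then recompute checksum
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + raw[h["header_len"]:]


if __name__ == "__main__":
    hdr = build_header("223.1.1.1", "223.1.2.9", 6, payload_len=20)   # 20 bytes IP + 20 bytes TCP
    print(parse_header(hdr))
    print("after one router:", parse_header(forward_hop(hdr))["ttl"])
```

The checksum covers only the header, so a router that changes TTL must recompute it; the parser's `checksum_ok` is the check a receiver runs before trusting the fields.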

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface.
Interface: connection between host/router and physical link; routers typically have multiple interfaces; host may have multiple interfaces; IP addresses associated with each interface.

(Figure: hosts and router interfaces with addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.27, 223.1.3.2, 223.1.3.1.)

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address: subnet part (high order bits); host part (low order bits).

What's a subnet? Device interfaces with same subnet part of IP address; can physically reach each other without intervening router.

(Figure: the same addresses as above, 223.1.1.x, 223.1.2.x, 223.1.3.x, forming a network consisting of 3 subnets, one per LAN.)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format: a.b.c.d/x, where x is # bits in subnet portion of address.

11001000 00010111 00010000 00000000  = 200.23.16.0/23
subnet part (first 23 bits) | host part (remaining 9 bits)
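The a.b.c.d/x notation above, as an added example that is not part of the lecture slides: it splits an address into the slide's subnet and host parts, derives the mask, and tests membership in a prefix. The same membership test is then applied as the ingress-filtering rule from the IP spoofing slides earlier (forward an outgoing datagram only if its source address lies in the router's own network). It uses Python's standard `ipaddress` module; the sample packets (documentation-range addresses) are constructed.

```python
import ipaddress


def prefix_bits(prefix):
    """Binary view of a CIDR prefix split into (subnet part, host part)."""
    net = ipaddress.ip_network(prefix, strict=True)    # rejects host bits set in the prefix
    bits = format(int(net.network_address), "032b")
    return bits[:net.prefixlen], bits[net.prefixlen:]


def mask_of(prefix):
    """Dotted mask implied by /x, e.g. /23 -> 255.255.254.0."""
    return str(ipaddress.ip_network(prefix, strict=False).netmask)


def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def ingress_filter(packets, local_prefix):
    """Ingress filtering at the edge router: an outgoing datagram is forwarded only
    when its source address belongs to the router's own network."""
    decisions = []
    for src, dst in packets:
        verdict = "forward" if in_prefix(src, local_prefix) else "drop"
        decisions.append((src, dst, verdict))
    return decisions


# Constructed outgoing traffic seen by the router for 200.23.16.0/23.
SAMPLE_PACKETS = [
    ("200.23.16.5", "198.51.100.1"),   # legitimate inside source
    ("10.9.8.7", "198.51.100.1"),      # source not in the local network
]

if __name__ == "__main__":
    subnet, host = prefix_bits("200.23.16.0/23")
    print(f"subnet part: {subnet}  host part: {host}  mask: {mask_of('200.23.16.0/23')}")
    for row in ingress_filter(SAMPLE_PACKETS, "200.23.16.0/23"):
        print(row)
```

The slide's caveat still applies: the rule only helps when the networks that originate spoofed traffic run it, and it cannot be mandated for all networks.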

NAT: Network Address Translation

(Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router with 10.0.0.4 on the local side and 138.76.29.7 toward the rest of the Internet.)

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual).

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers.

NAT: Network Address Translation

1. Host 10.0.0.1 sends datagram to 128.119.40.186, 80:
   S: 10.0.0.1, 3345  D: 128.119.40.186, 80
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table:
   S: 138.76.29.7, 5001  D: 128.119.40.186, 80
3. Reply arrives, dest address: 138.76.29.7, 5001:
   S: 128.119.40.186, 80  D: 138.76.29.7, 5001
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345:
   S: 128.119.40.186, 80  D: 10.0.0.1, 3345

NAT translation table
WAN side addr        LAN side addr
138.76.29.7, 5001    10.0.0.1, 3345
......               ......
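The four-step walkthrough above, as an added example that is not part of the lecture slides: a NAT router that allocates WAN-side ports starting at 5001, keeps the translation table in both directions, rewrites outbound source and inbound destination addresses, and drops inbound datagrams for which no table entry exists. The addresses and ports are the slide's; the third, unsolicited datagram is constructed.

```python
class NatRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}       # (wan_ip, wan_port) -> (lan_ip, lan_port)   "WAN side addr"
        self.reverse = {}     # (lan_ip, lan_port) -> wan_port              "LAN side addr"

    def outbound(self, pkt):
        """Step 2: rewrite source (addr, port) to the NAT address and a fresh port."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.reverse:                 # first datagram of this flow
            port, self.next_port = self.next_port, self.next_port + 1
            self.reverse[key] = port
            self.table[(self.wan_ip, port)] = key
        return {**pkt, "src": self.wan_ip, "sport": self.reverse[key]}

    def inbound(self, pkt):
        """Step 4: map the WAN-side destination back to the inside host, or drop."""
        entry = self.table.get((pkt["dst"], pkt["dport"]))
        if entry is None:
            return None   # nothing inside asked for this: unsolicited, discarded
        lan_ip, lan_port = entry
        return {**pkt, "dst": lan_ip, "dport": lan_port}


def slide_walkthrough():
    nat = NatRouter("138.76.29.7")
    step1 = {"src": "10.0.0.1", "sport": 3345, "dst": "128.119.40.186", "dport": 80}
    step2 = nat.outbound(step1)
    step3 = {"src": "128.119.40.186", "sport": 80, "dst": "138.76.29.7", "dport": 5001}
    step4 = nat.inbound(step3)
    # Constructed: an outside host probing a WAN port with no table entry.
    stray = nat.inbound({"src": "203.0.113.5", "sport": 4444, "dst": "138.76.29.7", "dport": 6000})
    return step2, step4, stray, dict(nat.table)


if __name__ == "__main__":
    step2, step4, stray, table = slide_walkthrough()
    print("after step 2:", step2)
    print("after step 4:", step4)
    print("unsolicited inbound:", stray)
    print("translation table:", table)
```

The drop of the unsolicited datagram is a side effect of the table, not a configured rule; it is why hosts behind a NAT are not reachable from outside unless a mapping exists.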

Hierarchical Routing

Our routing study thus far: idealization; all routers identical; network "flat" ... not true in practice.

Scale: with 200 million destinations, can't store all dest's in routing tables; routing table exchange would swamp links.

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS). Routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol.

Gateway router: direct link to router in another AS.

(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. Inside a router, the intra-AS routing algorithm and the inter-AS routing algorithm both feed the forwarding table.)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS & intra-AS sets entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX Distribution in 1982. Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A).

(Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z.)

destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement). Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to backbone.
Boundary routers: connect to other AS's.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

(Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS.)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route".
Two important attributes:
- AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
- NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
When gateway router receives route advert, uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduced update traffic.
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links
  • wired links
  • wireless links
  • LANs
• layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

• Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest
    • different from IP address!
• Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit-error link (fiber, some twisted pair)
  • wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
• Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
• "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
• access to channel in "rounds"
• each station gets fixed length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple

Cons
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: channel used for useful transmissions 37% of time!
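Added example (not from the slides): it evaluates the success probability Np(1-p)^(N-1) from above, searches for the maximizing p, checks the N → ∞ limit 1/e, and compares the formula with a Monte Carlo simulation of N always-busy nodes. All parameters are constructed for the demonstration.

```python
# Added example (not from the lecture slides): slotted ALOHA efficiency.
import math
import random


def success_probability(n: int, p: float) -> float:
    """Probability that exactly one of n nodes transmits in a given slot."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n: int, steps: int = 10_000) -> float:
    """Grid search for the p that maximizes success_probability (expect 1/n)."""
    candidates = (i / steps for i in range(1, steps))
    return max(candidates, key=lambda p: success_probability(n, p))


def max_efficiency(n: int) -> float:
    """Long-run fraction of useful slots when all n nodes use p = 1/n."""
    return success_probability(n, 1.0 / n)


def simulate_efficiency(n: int, p: float, slots: int, seed: int = 1) -> float:
    """Monte Carlo check: every node transmits in each slot with probability p;
    a slot is useful only when exactly one node transmits."""
    rng = random.Random(seed)
    useful = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            useful += 1
    return useful / slots


if __name__ == "__main__":
    for n in (2, 5, 10, 100, 10_000):
        print(f"N={n:>6}: best p={best_p(n):.4f}  "
              f"max efficiency={max_efficiency(n):.4f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
    print(f"simulated (N=10, p=0.1): {simulate_efficiency(10, 0.1, 20_000):.4f}")
```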

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
• If channel sensed idle: transmit entire frame
• If channel sensed busy, defer transmission

Human analogy: don't interrupt others!

CSMA collisions

• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted
[Figure: spatial layout of nodes; note the role of distance & propagation delay in determining collision probability]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel wastage

collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted, received signals
• difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling:
• master node "invites" slave nodes to transmit in turn
• concerns:
  • polling overhead
  • latency
  • single point of failure (master)

Token passing:
• control token passed from one node to next sequentially.
• token message
• concerns:
  • token overhead
  • latency
  • single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table
• ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
• TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four nodes. IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

• A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: A sends to B through router R]

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
[Figure: A sends to B through router R]

Ethernet uses CSMA/CD

• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load
  • heavy load: random wait will be longer
• first collision: choose K from {0,1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0,1,2,3}…
• after ten collisions, choose K from {0,1,2,3,4,…,1023}

CSMA/CD efficiency

• Tprop = max prop delay between 2 nodes in LAN
• ttrans = time to transmit max-size frame

efficiency = 1 / (1 + 5 · tprop / ttrans)

• Efficiency goes to 1 as tprop goes to 0
• Goes to 1 as ttrans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap
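Added example (not from the slides) covering the exponential backoff of the preceding two slides and the efficiency bound above: it computes the K range after the m-th collision, the K=1023 wait at 10 Mbps, simulates two colliding adapters redrawing K until they separate, and evaluates 1/(1 + 5·tprop/ttrans). The cap of the exponent at 10 for m > 10 is an assumption beyond what the slide states.

```python
# Added example (not from the lecture slides): Ethernet backoff and efficiency.
import random

BIT_TIME_SEC = 0.1e-6   # 10 Mbps Ethernet: one bit time is 0.1 microsecond
SLOT_BITS = 512         # an adapter waits K * 512 bit times
MAX_EXPONENT = 10       # assumption: after the 10th collision K stays in {0..1023}


def backoff_choices(m: int) -> int:
    """Number of K values after the m-th collision: K in {0, ..., 2^m - 1}."""
    return 2 ** min(m, MAX_EXPONENT)


def wait_seconds(k: int) -> float:
    """Backoff delay for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * BIT_TIME_SEC


def resolve_collision(rng: random.Random) -> int:
    """Two adapters that just collided each draw K; equal K means they retransmit
    together and collide again (m grows). Returns collisions until they separate."""
    collisions = 1
    while True:
        k_a = rng.randrange(backoff_choices(collisions))
        k_b = rng.randrange(backoff_choices(collisions))
        if k_a != k_b:
            return collisions
        collisions += 1


def mean_collisions(trials: int, seed: int = 7) -> float:
    """Average collisions needed to resolve a two-adapter collision."""
    rng = random.Random(seed)
    return sum(resolve_collision(rng) for _ in range(trials)) / trials


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    print(f"K=1023 wait: {wait_seconds(1023) * 1e3:.1f} ms")
    print(f"mean collisions to resolve: {mean_collisions(1000):.2f}")
    for frame_bits in (512, 1500 * 8):       # min and max Ethernet frame sizes
        t_trans = frame_bits * BIT_TIME_SEC
        print(f"{frame_bits:>6} bit frame, tprop=2.5us: "
              f"{csma_cd_efficiency(2.5e-6, t_trans):.3f}")
```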

Hubs

Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality
  • can disconnect a malfunctioning adapter
[Figure: hub with twisted pair links to hosts]

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance btw nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub connecting three departmental hubs]

Switch

Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent
• hosts are unaware of presence of switches

plug-and-play, self-learning
• switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each connected to a hub]

Self learning

• A switch has a switch table
• entry in switch table:
  • (MAC Address, Interface, Time Stamp)
  • stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces
  • when frame received, switch "learns" location of sender: incoming LAN segment
  • records sender/location pair in switch table

Switch: traffic isolation

• switch installation breaks subnet into LAN segments
• switch filters packets:
  • same-LAN-segment frames not usually forwarded onto other LAN segments
  • segments become separate collision domains
[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
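Added example (not from the slides): a self-learning switch table with (MAC address, interface, time stamp) entries, TTL aging, filtering of same-segment frames and flooding of frames to unknown destinations. The host placement in the demo is constructed.

```python
# Added example (not from the lecture slides): a self-learning Ethernet switch.
BROADCAST = "FF-FF-FF-FF-FF-FF"
TTL_SECONDS = 60 * 60      # slide: stale entries dropped, TTL can be 60 min


class LearningSwitch:
    def __init__(self, interfaces, ttl=TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}    # MAC address -> (interface, time stamp)

    def _age_out(self, now):
        """Drop entries older than the TTL."""
        self.table = {mac: (iface, ts) for mac, (iface, ts) in self.table.items()
                      if now - ts < self.ttl}

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Process one frame; return the list of interfaces it is forwarded on."""
        self._age_out(now)
        # self-learning: the sender is reachable through the incoming interface
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            # destination location unknown (or broadcast): flood all other interfaces
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []          # same LAN segment: filter, do not forward
        return [out_iface]     # selectively forward


def demo():
    """Constructed scenario: hosts A and D on interface 1, B on 2, C on 3."""
    sw = LearningSwitch([1, 2, 3])
    log = []
    log.append(sw.receive("A", "B", 1, now=0))          # B unknown: flood [2, 3]
    log.append(sw.receive("B", "A", 2, now=1))          # A learned on 1: [1]
    log.append(sw.receive("A", "B", 1, now=2))          # B learned on 2: [2]
    log.append(sw.receive("D", "A", 1, now=3))          # same segment: filtered []
    log.append(sw.receive("C", BROADCAST, 3, now=4))    # broadcast: flood [1, 2]
    log.append(sw.receive("C", "B", 3, now=4 + TTL_SECONDS))  # B aged out: flood
    return log


if __name__ == "__main__":
    for step, out in enumerate(demo(), 1):
        print(f"frame {step}: forwarded on {out}")
```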

Switches vs. Routers

• both store-and-forward devices
  • routers: network layer devices (examine network layer headers)
  • switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
  means A, C unaware of their interference at B
[Figure: A, B, C with overlapping radio ranges; A and C each reach B but not each other]

Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other interfering at B
[Figure: A's and C's signal strength versus space, both fading before reaching the other]

IEEE 802.11 Wireless LAN

802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
• widely deployed, using base stations

802.11a
• 5-6 GHz range
• up to 54 Mbps

802.11g
• 2.4-5 GHz range
• up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
  • ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP at once (RTS(A) and RTS(B) collide: reservation collision); A sends RTS(A) again; AP broadcasts CTS(A); A sends DATA(A); AP returns ACK(A); B defers]

[Figure: 802.11 frame format, field lengths in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4)]

802.11 frame: addressing

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

[Figure: H1 sends through the AP to Internet router R1. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]

Network Security

• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication
  • Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing
  • IP spoofing
  • DoS attacks


Public Key Cryptography

symmetric key crypto
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never "met")?

public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver

Public key cryptography

[Figure: plaintext message m → encryption algorithm, using Bob's public key K_B^+ → ciphertext K_B^+(m) → decryption algorithm, using Bob's private key K_B^- → plaintext message m = K_B^-(K_B^+(m))]

Public key encryption algorithms

Requirements:
1. need K_B^+( ) and K_B^-( ) such that K_B^-(K_B^+(m)) = m
2. given public key K_B^+, it should be impossible to compute private key K_B^-

Also: given K_B^+(m) and K_B^+( ), it should be impossible to determine m

RSA: Choosing keys

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are "relatively prime").
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
5. Public key is (n,e). Private key is (n,d).
   K_B^+ = (n,e)    K_B^- = (n,d)

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute c = m^e mod n (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern, c, compute m = c^d mod n (i.e., remainder when c^d is divided by n)

Magic happens! m = (m^e mod n)^d mod n

RSA example

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

encrypt:
letter   m    m^e       c = m^e mod n
l        12   248832    17

decrypt:
c    c^d                                      m = c^d mod n   letter
17   481968572106750915091411825223071697     12              l

RSA: Why is that m = (m^e mod n)^d mod n ?

Useful number theory result: If p,q prime and n = pq, then
x^y mod n = x^(y mod (p-1)(q-1)) mod n

(m^e mod n)^d mod n = m^(ed) mod n
  = m^(ed mod (p-1)(q-1)) mod n    (using number theory result above)
  = m^1 mod n    (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
  = m

RSA: another important property

The following property will be very useful later:

K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))

use public key first, followed by private key; or use private key first, followed by public key.
Result is the same!
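Added example (not from the slides): the key-generation, encryption and decryption steps of the preceding RSA slides run on the slide's toy numbers p=5, q=7, e=5, plus the "private key first, public key second" property. Note that for these numbers the smallest d with ed mod z = 1 is 5; the slide's d=29 differs from it by z=24 and decrypts identically, which `valid_private_exponent` checks. The letter-to-number mapping (a=1 … z=26) follows the slide.

```python
# Added example (not from the lecture slides): textbook RSA on the slide's numbers.
from math import gcd


def rsa_keys(p, q, e):
    """Steps 2-5 of "RSA: Choosing keys". Returns ((n, e), (n, d))."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e and z must be relatively prime")
    d = pow(e, -1, z)          # smallest d with e*d mod z == 1 (Python 3.8+)
    return (n, e), (n, d)


def valid_private_exponent(e, d, z):
    """Any d for which e*d - 1 is exactly divisible by z works (e.g. the slide's 29)."""
    return (e * d - 1) % z == 0


def encrypt(m, public):
    n, e = public
    return pow(m, e, n)        # c = m^e mod n


def decrypt(c, private):
    n, d = private
    return pow(c, d, n)        # m = c^d mod n


def letter_to_int(ch):
    return ord(ch) - ord("a") + 1


def int_to_letter(m):
    return chr(m - 1 + ord("a"))


def slide_example():
    """Reproduce the slide: p=5, q=7 (n=35, z=24), e=5, d=29, letter 'l' = 12."""
    public, smallest_private = rsa_keys(5, 7, 5)
    private = (35, 29)                           # the slide's choice of d
    assert valid_private_exponent(5, 29, 24) and valid_private_exponent(5, smallest_private[1], 24)
    m = letter_to_int("l")
    c = encrypt(m, public)
    return {
        "m": m,
        "m^e": m ** 5,
        "c": c,
        "c^d mod n": decrypt(c, private),
        "letter": int_to_letter(decrypt(c, private)),
        # "another important property": private key first, then public key
        "private_then_public": encrypt(decrypt(m, private), public),
    }


if __name__ == "__main__":
    for key, value in slide_example().items():
        print(f"{key:>20}: {value}")
    print("larger primes (constructed):", rsa_keys(61, 53, 17))
```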

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Authentication

Goal: Bob wants Alice to "prove" her identity to him

Protocol ap1.0: Alice says "I am Alice"

Failure scenario??
[Figure: Alice → Bob: "I am Alice"]

Authentication

Goal: Bob wants Alice to "prove" her identity to him

Protocol ap1.0: Alice says "I am Alice"

in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice
[Figure: Trudy → Bob: "I am Alice"]

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address

Failure scenario??
[Figure: Alice → Bob: "I am Alice", with Alice's IP address]

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address

Trudy can create a packet "spoofing" Alice's address
[Figure: Trudy → Bob: "I am Alice", with Alice's IP address]

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Failure scenario??
[Figure: Alice → Bob: "I'm Alice", Alice's IP addr, Alice's password; Bob → Alice: OK, Alice's IP addr]

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

playback attack: Trudy records Alice's packet and later plays it back to Bob
[Figure: Alice → Bob: "I'm Alice", Alice's IP addr, Alice's password; Bob → Alice: OK, Alice's IP addr; later Trudy → Bob: "I'm Alice", Alice's IP addr, Alice's password]

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Failure scenario??
[Figure: Alice → Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob → Alice: OK, Alice's IP addr]

Authentication: another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

record and playback still works!
[Figure: Alice → Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob → Alice: OK, Alice's IP addr; later Trudy → Bob: "I'm Alice", Alice's IP addr, encrypted password]

Authentication: yet another try

Goal: avoid playback attack

Nonce: number (R) used only once-in-a-lifetime

ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[Figure: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: K_A-B(R)]

Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

Failures, drawbacks?
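Added example (not from the slides): Bob's side of ap4.0 with a recorded reply played back as in the ap3.0 attack above. The slide's "R encrypted with the shared secret key" is stood in for by an HMAC over R (an assumption: any keyed function that only Alice and Bob can compute serves the demonstration); Bob keeps one outstanding nonce per claimant and consumes it on use, so a stale reply is rejected.

```python
# Added example (not from the lecture slides): nonce-based authentication (ap4.0).
import hashlib
import hmac
import secrets


def keyed_response(shared_key: bytes, nonce: bytes) -> bytes:
    """Alice's reply K_A-B(R): here a keyed MAC over the nonce (assumption)."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class Verifier:
    """Bob: one outstanding nonce per claimed identity, each used only once."""

    def __init__(self, keys):
        self.keys = dict(keys)     # claimed identity -> shared key
        self.pending = {}          # claimed identity -> outstanding nonce R

    def challenge(self, claimant: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh R, never reused
        self.pending[claimant] = nonce
        return nonce

    def verify(self, claimant: str, response: bytes) -> bool:
        nonce = self.pending.pop(claimant, None)   # consumed even on failure
        key = self.keys.get(claimant)
        if nonce is None or key is None:
            return False
        expected = keyed_response(key, nonce)
        return hmac.compare_digest(expected, response)


def run_protocol():
    """Constructed scenario: Alice authenticates; Trudy later replays her reply."""
    key_ab = b"constructed-shared-key-alice-bob"
    bob = Verifier({"Alice": key_ab})

    r1 = bob.challenge("Alice")                  # "I am Alice" -> Bob sends R
    alice_reply = keyed_response(key_ab, r1)     # Alice returns K_A-B(R)
    first = bob.verify("Alice", alice_reply)     # True: live and holds the key

    recorded = alice_reply                       # Trudy recorded that reply
    bob.challenge("Alice")                       # later "I am Alice": new R
    replay = bob.verify("Alice", recorded)       # False: reply is for the old R

    second_try = bob.verify("Alice", recorded)   # False: no outstanding nonce
    return first, replay, second_try


if __name__ == "__main__":
    print(run_protocol())   # (True, False, False)
```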

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography

[Figure: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: K_A^-(R); Bob → Alice: "send me your public key"; Alice → Bob: K_A^+]

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

[Figure: Alice → Trudy: "I am Alice"; Trudy → Bob: "I am Alice"; Bob → Trudy: R; Trudy → Bob: K_T^-(R); Bob → Trudy: "Send me your public key"; Trudy → Bob: K_T^+; Trudy → Alice: R; Alice → Trudy: K_A^-(R); Trudy → Alice: "Send me your public key"; Alice → Trudy: K_A^+; Bob → Trudy: K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key: K_A^+(m); Alice computes m = K_A^-(K_A^+(m))]

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

Difficult to detect:
• Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation)
• problem is that Trudy receives all messages as well!

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Firewalls

firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
[Figure: administered network | firewall | public Internet]

Firewalls: Why

prevent denial of service attacks:
• SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.

prevent illegal modification/access of internal data.
• e.g., attacker replaces CIA's homepage with something else

allow only authorized access to inside network (set of authenticated users/hosts)

two types of firewalls:
• application-level
• packet-filtering

Packet Filtering

• internal network connected to Internet via router firewall
• router filters packet-by-packet, decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
• All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets.
• Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Application gateways

• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session → application gateway → gateway-to-remote host telnet session, through router and filter]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

• IP spoofing: router can't know if data "really" comes from claimed source
• if multiple app's need special treatment, each has own app gateway
• client software must know how to contact gateway
  • e.g., must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Internet security threats

Mapping:
• before attacking: "case the joint", find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence

Countermeasures?

Internet security threats

Mapping: countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)
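Added example (not from the slides): the mapping countermeasure above, implemented over a constructed connection log. A source is flagged when it touches many distinct ports on one host and those ports form a sequential run, the signature of the port scan described on the previous slide; the log format, addresses and thresholds are assumptions for the demo.

```python
# Added example (not from the lecture slides): sequential port-scan detection.
from collections import defaultdict

# Constructed sample log: "<time> <src ip> <dst ip> <dst port> <result>"
SAMPLE_LOG = """\
10:00:01 203.0.113.9 10.0.0.5 21 refused
10:00:01 203.0.113.9 10.0.0.5 22 ok
10:00:01 203.0.113.9 10.0.0.5 23 refused
10:00:02 203.0.113.9 10.0.0.5 24 refused
10:00:02 203.0.113.9 10.0.0.5 25 ok
10:00:02 203.0.113.9 10.0.0.5 26 refused
10:00:03 203.0.113.9 10.0.0.5 27 refused
10:00:03 203.0.113.9 10.0.0.5 28 refused
10:00:05 198.51.100.4 10.0.0.5 80 ok
10:00:09 198.51.100.4 10.0.0.5 443 ok
10:00:10 198.51.100.4 10.0.0.7 80 ok
10:00:11 198.51.100.4 10.0.0.5 22 ok
"""


def parse_log(text):
    """Parse the constructed log into (time, src, dst, port, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, result = line.split()
        records.append((ts, src, dst, int(port), result))
    return records


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers in ports."""
    ordered = sorted(set(ports))
    if not ordered:
        return 0
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_scanners(records, min_ports=6, min_run=5):
    """Sources that probed >= min_ports distinct ports on one host with a
    sequential run >= min_run. Returns {src: {dst: sorted port list}}."""
    ports = defaultdict(lambda: defaultdict(list))
    for _, src, dst, port, _ in records:
        ports[src][dst].append(port)
    flagged = {}
    for src, by_dst in ports.items():
        for dst, plist in by_dst.items():
            distinct = sorted(set(plist))
            if len(distinct) >= min_ports and longest_sequential_run(distinct) >= min_run:
                flagged.setdefault(src, {})[dst] = distinct
    return flagged


if __name__ == "__main__":
    for src, targets in find_scanners(parse_log(SAMPLE_LOG)).items():
        for dst, plist in targets.items():
            print(f"{src} scanned {dst}: ports {plist[0]}-{plist[-1]} ({len(plist)} ports)")
```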

Internet security threats

Packet sniffing:
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g., passwords)
• e.g.: C sniffs B's packets
[Figure: A, B, C on a shared segment; frame src:B dest:A payload is seen by C]

Countermeasures?

Internet security threats

Packet sniffing: countermeasures
• all hosts in organization run software that checks periodically if host interface in promiscuous mode.
• one host per segment of broadcast media (switched Ethernet at hub)
[Figure: A, B, C on separate switched segments; frame src:B dest:A payload reaches only A]

Internet security threats

IP Spoofing:
• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g.: C pretends to be B
[Figure: A, B, C; C sends a frame src:B dest:A payload]

Countermeasures?

Internet security threats

IP Spoofing: ingress filtering
• routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
• great, but ingress filtering can not be mandated for all networks
[Figure: A, B, C; the router drops C's frame src:B dest:A payload]
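Added example (not from the slides) serving the two packet-filtering examples of the firewall slides and the ingress-filtering rule above: a rule set applied to constructed packets. The internal network 10.0.0.0/24, the sample addresses and the `arrived_from` field (which interface the packet came in on) are assumptions for the demo; note that Example 2 must let the SYN+ACK replies to connections opened from inside through, or internal clients could not connect out.

```python
# Added example (not from the lecture slides): packet-filtering firewall rules.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP, TCP, UDP = 1, 6, 17               # IP protocol field values
INTERNAL = ip_network("10.0.0.0/24")    # constructed: the administered network


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    arrived_from: str = "outside"       # "inside" or "outside" interface


def rule_example1(pkt):
    """Example 1: drop UDP (protocol 17) and anything with port 23 (telnet)."""
    return pkt.proto == UDP or 23 in (pkt.sport, pkt.dport)


def rule_example2(pkt):
    """Example 2: drop inbound TCP connection requests (SYN set, ACK clear).
    SYN+ACK replies to connections opened from inside still pass."""
    return (pkt.arrived_from == "outside" and pkt.proto == TCP
            and pkt.syn and not pkt.ack)


def rule_ingress(pkt):
    """Ingress filtering: a packet leaving the network must carry an internal
    source address, otherwise it is spoofed and dropped."""
    return pkt.arrived_from == "inside" and ip_address(pkt.src) not in INTERNAL


RULES = [("example1", rule_example1),
         ("example2", rule_example2),
         ("ingress", rule_ingress)]


def decide(pkt):
    """First matching rule drops the packet; otherwise it is forwarded."""
    for name, matches in RULES:
        if matches(pkt):
            return "drop", name
    return "forward", None


if __name__ == "__main__":
    samples = [
        Packet("10.0.0.8", "192.0.2.53", UDP, 4000, 53, arrived_from="inside"),
        Packet("10.0.0.8", "192.0.2.10", TCP, 40000, 23, syn=True, arrived_from="inside"),
        Packet("192.0.2.10", "10.0.0.8", TCP, 50000, 80, syn=True),
        Packet("192.0.2.10", "10.0.0.8", TCP, 80, 40000, syn=True, ack=True),
        Packet("198.51.100.7", "192.0.2.10", TCP, 40000, 80, syn=True, arrived_from="inside"),
    ]
    for pkt in samples:
        print(decide(pkt), pkt)
```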

Internet security threats

Denial of service (DOS):
• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A
[Figure: C and a remote host send streams of SYN packets to A]

Countermeasures?

Internet security threats

Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)
[Figure: SYN floods from C and the remote host filtered before reaching A]

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP

Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches

Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)

• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication
  • Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing
  • IP spoofing
  • DoS attacks

Routing Algorithm classification

Global or decentralized information?

Global:
• all routers have complete topology, link cost info
• "link state" algorithms

Decentralized:
• router knows physically-connected neighbors, link costs to neighbors
• iterative process of computation, exchange of info with neighbors
• "distance vector" algorithms

Static or dynamic?

Static:
• routes change slowly over time

Dynamic:
• routes change more quickly
  • periodic update
  • in response to link cost changes

Dijkstra's Algorithm

1  Initialization:
2    N = {u}
3    for all nodes v
4      if v adjacent to u
5        then D(v) = c(u,v)
6        else D(v) = ∞
7
8  Loop
9    find w not in N such that D(w) is a minimum
10   add w to N
11   update D(v) for all v adjacent to w and not in N:
12     D(v) = min( D(v), D(w) + c(w,v) )
13   /* new cost to v is either old cost to v or known
14      shortest path cost to w plus cost from w to v */
15 until all nodes in N

Dijkstra's algorithm: example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

[Figure: graph with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  Dx(y) ← min_v {c(x,v) + Dv(y)} for each node y ∊ N
• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor

Distributed:
• each node notifies neighbors only when its DV changes
• neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path, it only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three-node network with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7; node x, node y and node z tables over time. Initially node x's table holds cost to x,y,z from x = 0 2 7 and ∞ in the rows from y and z; after the first exchange it holds from y = 2 0 1 and from z = 7 1 0, and x's own row becomes 0 2 3, which no later exchange changes. Node z's own row goes from 7 1 0 to 3 1 0.]

Dx(y) = min{c(x,y) + Dy(y), c(x,z) + Dz(y)} = min{2+0, 7+1} = 2

Dx(z) = min{c(x,y) + Dy(z), c(x,z) + Dz(z)} = min{2+1, 7+0} = 3
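Added example (not from the slides): the distance vector algorithm of the two slides above, run on the three-node network in synchronous rounds until no vector changes. Each node stores only its distance vector and next hops, as the slide says, and recomputes with the B-F equation from the last vector received from each neighbor; the round structure and link costs are transcribed from the slide's figure.

```python
# Added example (not from the lecture slides): distance vector on the 3-node net.
INF = float("inf")

LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}   # from the slide's figure


def neighbors_of(links):
    nb = {}
    for (a, b), cost in links.items():
        nb.setdefault(a, {})[b] = cost
        nb.setdefault(b, {})[a] = cost
    return nb


class Node:
    def __init__(self, name, neighbors, all_nodes):
        self.name = name
        self.c = neighbors                     # c(x,v) for each neighbor v
        self.all_nodes = all_nodes
        # initial DV: 0 to self, link cost to neighbors, ∞ elsewhere
        self.dv = {y: 0 if y == name else neighbors.get(y, INF) for y in all_nodes}
        self.next_hop = {y: (y if y in neighbors else None) for y in all_nodes}
        self.neighbor_dv = {}                  # last DV received from each neighbor

    def receive(self, sender, dv):
        self.neighbor_dv[sender] = dict(dv)

    def recompute(self):
        """Bellman-Ford: Dx(y) = min_v { c(x,v) + Dv(y) }. Returns True if DV changed."""
        new_dv, new_hop = {}, {}
        for y in self.all_nodes:
            if y == self.name:
                new_dv[y], new_hop[y] = 0, None
                continue
            best, hop = self.c.get(y, INF), (y if y in self.c else None)
            for v, cost in self.c.items():
                via = cost + self.neighbor_dv.get(v, {}).get(y, INF)
                if via < best:
                    best, hop = via, v
            new_dv[y], new_hop[y] = best, hop
        changed = new_dv != self.dv
        self.dv, self.next_hop = new_dv, new_hop
        return changed


def run_distance_vector(links, max_rounds=20):
    """Synchronous rounds: everyone sends its DV to its neighbors, then everyone
    recomputes. Stops at the first round in which no DV changed."""
    nb = neighbors_of(links)
    names = sorted(nb)
    nodes = {n: Node(n, nb[n], names) for n in names}
    for rnd in range(1, max_rounds + 1):
        for n in nodes.values():
            for v in n.c:
                nodes[v].receive(n.name, n.dv)
        changes = [n.recompute() for n in nodes.values()]   # list: no short-circuit
        if not any(changes):
            return nodes, rnd
    return nodes, max_rounds


if __name__ == "__main__":
    nodes, rounds = run_distance_vector(LINKS)
    print(f"converged after {rounds} rounds")
    for n in nodes.values():
        print(f"node {n.name}: D = {n.dv}, next hop = {n.next_hop}")
```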

The Internet Network layer

Host, router network layer functions:

Routing protocols
• path selection
• RIP, OSPF, BGP

IP protocol
• addressing conventions
• datagram format
• packet handling conventions

ICMP protocol
• error reporting
• router "signaling"

[Figure: Transport layer: TCP, UDP; Network layer: routing protocols, forwarding table, IP protocol, ICMP protocol; Link layer; physical layer]

IP datagram format

[Figure: 32-bit-wide header layout]
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
• 20 bytes of TCP
• 20 bytes of IP
• = 40 bytes + app layer overhead

IP Addressing: introduction

• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

[Figure: three LANs joined by one router; interface addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
• subnet part (high order bits)
• host part (low order bits)

What's a subnet?
• device interfaces with same subnet part of IP address
• can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (LANs) with the interface addresses above]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)

CIDR: Classless InterDomain Routing
• subnet portion of address of arbitrary length
• address format: a.b.c.d/x, where x is # bits in subnet portion of address

11001000 00010111 00010000 00000000
subnet part (23 bits)       host part
200.23.16.0/23
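Added example (not from the slides) serving the Subnets and CIDR slides: it splits an address into subnet and host parts for an arbitrary prefix length, prints the binary form used on the slides, groups the ten interface addresses of the earlier figure into /24 subnets, and tests membership in 200.23.16.0/23. The address list is transcribed from the slide's figure.

```python
# Added example (not from the lecture slides): subnet/host split and CIDR matching.
from collections import defaultdict


def to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(addr):
    """Binary form as written on the slide: '11011111 00000001 00000001 00000001'."""
    return " ".join(format(int(x), "08b") for x in addr.split("."))


def split(addr, prefix_len):
    """Return (subnet part, host part) as integers for a.b.c.d/x."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    value = to_int(addr)
    return value & mask, value & ~mask & 0xFFFFFFFF


def network_of(addr, prefix_len):
    subnet, _ = split(addr, prefix_len)
    return f"{to_dotted(subnet)}/{prefix_len}"


def in_network(addr, cidr):
    """True when addr has the same subnet part as the a.b.c.d/x network."""
    net, plen = cidr.split("/")
    return network_of(addr, int(plen)) == network_of(net, int(plen))


def group_into_subnets(addrs, prefix_len):
    """Interfaces with the same subnet part can reach each other without a router."""
    groups = defaultdict(list)
    for a in addrs:
        groups[network_of(a, prefix_len)].append(a)
    return dict(groups)


# Transcribed from the slide's figure: ten interface addresses on /24 subnets.
SLIDE_INTERFACES = ["223.1.1.1", "223.1.1.2", "223.1.1.3", "223.1.1.4",
                    "223.1.2.1", "223.1.2.2", "223.1.2.9",
                    "223.1.3.1", "223.1.3.2", "223.1.3.27"]


if __name__ == "__main__":
    print("223.1.1.1 =", to_bits("223.1.1.1"))
    for net, members in group_into_subnets(SLIDE_INTERFACES, 24).items():
        print(net, members)
    for probe in ("200.23.16.1", "200.23.17.255", "200.23.18.0"):
        print(probe, "in 200.23.16.0/23:", in_network(probe, "200.23.16.0/23"))
```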

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router whose LAN side is 10.0.0.4 and WAN side is 138.76.29.7, connected to the rest of the Internet]

• Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……

1. host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345  D: 128.119.40.186, 80
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001  D: 128.119.40.186, 80
3. Reply arrives: dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80  D: 138.76.29.7, 5001
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80  D: 10.0.0.1, 3345
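Added example (not from the slides): a NAT router keeping the translation table above, rewriting source address and port on the way out and destination address and port on replies; the four steps of the slide are replayed in `slide_walkthrough`. Port allocation starting at 5001 and the drop of inbound datagrams with no table entry are choices made for this demo, not stated on the slide.

```python
# Added example (not from the lecture slides): NAT translation table in action.
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}      # WAN side (ip, port) -> LAN side (ip, port)
        self.reverse = {}    # LAN side (ip, port) -> WAN side (ip, port)

    def outbound(self, d):
        """Rewrite the source of a datagram leaving the local network."""
        lan = (d.src_ip, d.src_port)
        if lan not in self.reverse:                  # new flow: allocate a WAN port
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.table[wan] = lan
            self.reverse[lan] = wan
        wan_ip, wan_port = self.reverse[lan]
        return Datagram(wan_ip, wan_port, d.dst_ip, d.dst_port)

    def inbound(self, d):
        """Rewrite the destination of a reply; no table entry means drop (None)."""
        lan = self.table.get((d.dst_ip, d.dst_port))
        if lan is None:
            return None                              # unsolicited: nothing to map it to
        lan_ip, lan_port = lan
        return Datagram(d.src_ip, d.src_port, lan_ip, lan_port)


def slide_walkthrough():
    """Steps 1-4 of the slide with its addresses."""
    nat = NatRouter("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)   # host sends
    step2 = nat.outbound(step1)                                # source rewritten
    step3 = Datagram("128.119.40.186", 80, "138.76.29.7", 5001)  # reply arrives
    step4 = nat.inbound(step3)                                 # dest rewritten
    return nat, step2, step4


if __name__ == "__main__":
    nat, out, back = slide_walkthrough()
    print("after step 2:", out)
    print("after step 4:", back)
    print("translation table:", nat.table)
```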

Hierarchical Routing

scale: with 200 million destinations:
• can't store all dest's in routing tables!
• routing table exchange would swamp links!

administrative autonomy
• internet = network of networks
• each network admin may want to control routing in its own network

Our routing study thus far - idealization
• all routers identical
• network "flat"
… not true in practice

Hierarchical Routing

• aggregate routers into regions, "autonomous systems" (AS)
• routers in same AS run same routing protocol
  • "intra-AS" routing protocol
  • routers in different AS can run different intra-AS routing protocol

Gateway router
• Direct link to router in another AS

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); Intra-AS routing algorithm and Inter-AS routing algorithm together fill the forwarding table]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: number of hops (max = 15 hops).

Number of hops = number of subnets traversed along the shortest path from source router to destination subnet (e.g. source = A).

[Figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z.]

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).

Each advertisement: list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses a Link State algorithm: LS packet dissemination, topology map at each node, route computation using Dijkstra's algorithm. Link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to the entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).

Multiple same-cost paths allowed (only one path in RIP).

For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).

Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF.

Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only within an area; each node has detailed area topology.

Area border routers "summarize" distances to nets in their own area, advertise to other area border routers.

Backbone routers run OSPF routing limited to the backbone.

Boundary routers connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); eBGP sessions run between gateway routers of different ASes, iBGP sessions between routers inside the same AS.]

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:
AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17.
NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).

When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: inter-AS, admin wants control over how its traffic is routed and who routes through its net; intra-AS, single admin, so no policy decisions needed.

Scale: hierarchical routing saves table size, reduced update traffic.

Performance: intra-AS can focus on performance; inter-AS, policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs). A layer-2 packet is a frame; it encapsulates a datagram.

The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:

Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.

Random Access: channel not divided, allow collisions; "recover" from collisions.

"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have packets; slots 2, 5, 6 idle.

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized, only the slots in nodes need to be in sync; simple.

Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted ALOHA efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p.

Prob that node 1 has success in a slot = p(1-p)^(N-1)

Prob that there is a success = Np(1-p)^(N-1)

For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1).

For many nodes, take the limit of Np(1-p)^(N-1) as N goes to infinity: gives 1/e = .37.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: channel used for useful transmissions 37% of the time!

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission.

Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.

[Figure: space-time diagram of the spatial layout of nodes.] Note the role of distance and propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.

Collision detection: easy in wired LANs (measure signal strengths, compare transmitted, received signals); difficult in wireless LANs (receiver shut off while transmitting).

CSMA/CD collision detection

[Figure: space-time diagram showing collision detection.]

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).

Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B knowing B's IP address?

[Figure: LAN with four nodes with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.]

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.

B receives the ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A — R — B]

A creates datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates link-layer frame with R's MAC address as dest; frame contains the A-to-B IP datagram. A's adapter sends frame. R's adapter receives frame. R removes the IP datagram from the Ethernet frame, sees it's destined to B. R uses ARP to get B's MAC address. R creates frame containing the A-to-B IP datagram, sends to B.

Ethernet uses CSMA/CD

No slots. Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense. Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection. Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer and creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.

Exponential backoff. Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer. First collision: choose K from {0, 1}; delay is K · 512 bit transmission times. After second collision: choose K from {0, 1, 2, 3} … After ten collisions: choose K from {0, 1, 2, 3, 4, …, 1023}.

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0. Goes to 1 as t_trans goes to infinity. Much better than ALOHA, but still decentralized, simple, and cheap.
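The backoff schedule and the efficiency formula from the two slides above, as an added example (not code from the slides). The 0.1 µs bit time, the 512-bit backoff unit and the 1023 ceiling are the slide's; that standard Ethernet stops doubling the range after the tenth collision is a fact about IEEE 802.3 the slide only implies, and the cable length, frame size and 2·10^8 m/s propagation speed in the last function are constructed inputs.

```python
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit on 10 Mbps Ethernet
SLOT_BITS = 512            # backoff unit: K * 512 bit times
JAM_BITS = 48
MAX_EXPONENT = 10          # 802.3 stops doubling the range after the 10th collision


def backoff_max(m: int) -> int:
    """Largest K after the m-th collision: K is drawn from {0, 1, ..., 2^m - 1}, exponent capped at 10."""
    return 2 ** min(m, MAX_EXPONENT) - 1


def choose_k(m: int, rng: random.Random) -> int:
    return rng.randint(0, backoff_max(m))


def backoff_seconds(k: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """Wait time for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time


def csmacd_efficiency(t_prop: float, t_trans: float) -> float:
    """The slide's approximation: 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def lan_efficiency(cable_m: float, frame_bits: int, rate_bps: float, speed_mps: float = 2e8) -> float:
    """Plug a LAN geometry into the formula: end-to-end propagation vs. time to send one frame."""
    return csmacd_efficiency(cable_m / speed_mps, frame_bits / rate_bps)


if __name__ == "__main__":
    rng = random.Random(7)   # fixed seed so the printed run is reproducible
    for m in range(1, 12):
        k = choose_k(m, rng)
        print(f"collision {m:2d}: K in [0, {backoff_max(m):4d}], chose {k:4d}, "
              f"wait {backoff_seconds(k) * 1e3:.3f} ms")
    print("K=1023 wait:", round(backoff_seconds(1023) * 1e3, 1), "ms")
    print("efficiency, 2500 m cable, 12000-bit frame, 10 Mbps:",
          round(lan_efficiency(2500, 12000, 10e6), 3))
```

1023 · 512 · 0.1 µs is 52.4 ms, the slide's "about 50 msec"; the constructed 2500 m / 12000-bit case gives an efficiency near 0.95, showing how small t_prop/t_trans is on a wired LAN.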

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub, adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter).

[Figure: hub with twisted-pair links to hosts.]

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

[Figure: backbone hub interconnecting three department hubs.]

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on a segment, uses CSMA/CD to access the segment.

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem.

[Figure: switch with interfaces 1, 2, 3, each connected to a hub.]

Self learning

A switch has a switch table. Entry in switch table: (MAC address, interface, time stamp); stale entries in table dropped (TTL can be 60 min).

Switch learns which hosts can be reached through which interfaces: when a frame is received, switch "learns" the location of the sender, the incoming LAN segment; records sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.

[Figure: switch connecting three hubs, each hub forming its own collision domain.]
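The self-learning, filtering and flooding behaviour of the switch slides in one small model, added here as an example (not code from the slides). The table holds the slide's (MAC address, interface, time stamp) triples with a TTL; the interface numbering, MAC labels and timestamps are constructed.

```python
class LearningSwitch:
    """Self-learning switch: (MAC address, interface, time stamp) table with a TTL."""

    def __init__(self, num_interfaces: int, ttl_seconds: int = 60 * 60):
        self.interfaces = list(range(1, num_interfaces + 1))
        self.ttl = ttl_seconds
        self.table = {}  # mac -> (interface, timestamp)

    def expire(self, now: int) -> None:
        """Drop stale entries (the slide's TTL, here 60 min)."""
        self.table = {mac: (iface, ts) for mac, (iface, ts) in self.table.items()
                      if now - ts < self.ttl}

    def receive(self, src_mac: str, dst_mac: str, in_iface: int, now: int) -> list:
        """Return the interfaces the frame is forwarded on (empty list = filtered)."""
        self.expire(now)
        # learning: the sender is reachable through the interface the frame arrived on
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if entry is None:
            # unknown destination: flood on all interfaces except the incoming one
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            # filtering: destination is on the same LAN segment, nothing to forward
            return []
        return [out_iface]


if __name__ == "__main__":
    sw = LearningSwitch(3)
    # constructed traffic: host A on interface 1, B on 2, C on 1, D on 3 (times in seconds)
    for frame in [("A", "B", 1, 0), ("B", "A", 2, 1), ("A", "B", 1, 2), ("C", "A", 1, 3)]:
        print(frame, "->", sw.receive(*frame))
    print(sw.table)
```

The first frame for an unknown destination is flooded; once B has replied the switch knows both locations and forwards A→B on interface 2 only; a frame from C to A on the same segment is filtered entirely.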

Switches vs. Routers

Both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.

Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

[Figure: nodes A, B, C in a line; A's and C's transmission ranges overlap only at B.]

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other, which means A, C are unaware of their interference at B.

[Figure: A's signal strength and C's signal strength plotted against space.]

Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use the same chipping code); widely deployed, using base stations.

802.11a: 5-6 GHz range; up to 54 Mbps.

802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP): base station. Ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If sense channel idle for DIFS, then transmit entire frame (no CD).
2. If sense channel busy, then start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2.

802.11 receiver: if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK.]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP; RTS(A) and RTS(B) collide at the AP (reservation collision). The AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A).]

802.11 frame (field sizes in bytes):
frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4)

802.11 frame: addressing

Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.

[Figure: H1 — AP — R1 — Internet. 802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame from the AP to R1: dest address = R1 MAC addr, source address = AP MAC addr.]

Network Security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.


Public Key Cryptography

Symmetric key crypto requires sender, receiver know shared secret key. Q: how to agree on key in first place (particularly if never "met")?

Public key cryptography: radically different approach [Diffie-Hellman76, RSA78]; sender, receiver do not share secret key; public encryption key known to all; private decryption key known only to receiver.

Public key cryptography

[Figure: plaintext message m → encryption algorithm with Bob's public key K_B^+ → ciphertext K_B^+(m) → decryption algorithm with Bob's private key K_B^- → plaintext message m = K_B^-(K_B^+(m)).]

Public key encryption algorithms

Requirements:

1. Need K_B^+( ) and K_B^-( ) such that K_B^-(K_B^+(m)) = m.

2. Given public key K_B^+, it should be impossible to compute private key K_B^-.

Also: given K_B^+(m) and K_B^+( ), it should be impossible to determine m.

RSA: Choosing keys

1. Choose two large prime numbers p, q (e.g., 1024 bits each).
2. Compute n = pq, z = (p-1)(q-1).
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime").
4. Choose d such that ed - 1 is exactly divisible by z (in other words: ed mod z = 1).
5. Public key is (n, e). Private key is (n, d).

K_B^+ = (n, e), K_B^- = (n, d)

RSA: Encryption, decryption

0. Given (n, e) and (n, d) as computed above.
1. To encrypt bit pattern m, compute c = m^e mod n (i.e., remainder when m^e is divided by n).
2. To decrypt received bit pattern c, compute m = c^d mod n (i.e., remainder when c^d is divided by n).

Magic happens: m = (m^e mod n)^d mod n, with c = m^e mod n.

RSA example

Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z).

encrypt:
letter   m    m^e       c = m^e mod n
l        12   248832    17

decrypt:
c    c^d                                    m = c^d mod n   letter
17   481968572106750915091411825223071697   12              l

RSA: Why is that m = (m^e mod n)^d mod n?

Useful number theory result: if p, q prime and n = pq, then x^y mod n = x^(y mod (p-1)(q-1)) mod n.

(m^e mod n)^d mod n = m^(ed) mod n
                    = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
                    = m^1 mod n                     (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
                    = m

RSA: another important property

The following property will be very useful later:

K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))

Use public key first, followed by private key, or use private key first, followed by public key: the result is the same!
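The key-choice steps, the encrypt/decrypt rule, the p=5, q=7 worked example and the order-independence property from the RSA slides above, run in one place; this is an added example, not code from the slides. It uses textbook RSA with the slide's toy parameters (no padding, tiny primes), which is why it is only good for following the arithmetic. The slide's d=29 is one valid choice; the smallest d with ed mod z = 1 for these parameters is 5, and the function accepts either.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int, d=None):
    """Follow the slide's five steps. d may be supplied (as the slide does with d=29) or derived."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e and z must be relatively prime")
    if d is None:
        d = pow(e, -1, z)              # smallest d with e*d mod z == 1 (Python 3.8+)
    if (e * d) % z != 1:
        raise ValueError("e*d mod z must equal 1")
    return (n, e), (n, d)              # public key K_B+, private key K_B-


def rsa_apply(key, x: int) -> int:
    """Encryption and decryption are the same operation: modular exponentiation with the key's exponent."""
    n, exponent = key
    return pow(x, exponent, n)


def slide_example():
    """Reproduce the slide: p=5, q=7, e=5, d=29; encrypt the letter l (m=12) and decrypt it again."""
    pub, priv = rsa_keygen(5, 7, 5, d=29)
    c = rsa_apply(pub, 12)             # 12^5 mod 35 = 17
    m = rsa_apply(priv, c)             # 17^29 mod 35 = 12
    return pub, priv, c, m


def order_independent(pub, priv, m: int) -> bool:
    """K_B-(K_B+(m)) == K_B+(K_B-(m)) == m, the property reused later for signatures."""
    return rsa_apply(priv, rsa_apply(pub, m)) == m == rsa_apply(pub, rsa_apply(priv, m))


if __name__ == "__main__":
    pub, priv, c, m = slide_example()
    print("public", pub, "private", priv, "c =", c, "m =", m)
    print("m^e before reduction:", 12 ** 5, " c^d before reduction:", 17 ** 29)
    print("order independent:", order_independent(pub, priv, 12))
```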

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Authentication

Goal: Bob wants Alice to "prove" her identity to him.

Protocol ap1.0: Alice says "I am Alice".

Failure scenario? In a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice: "I am Alice".

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.

Failure scenario? Trudy can create a packet "spoofing" Alice's address: [Alice's IP address | "I am Alice"].

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Alice → Bob: [Alice's IP addr | Alice's password | "I'm Alice"]
Bob → Alice: [Alice's IP addr | OK]

Failure scenario? Playback attack: Trudy records Alice's packet and later plays it back to Bob: [Alice's IP addr | Alice's password | "I'm Alice"].

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Alice → Bob: [Alice's IP addr | encrypted password | "I'm Alice"]
Bob → Alice: [Alice's IP addr | OK]

Failure scenario? Record and playback still works: Trudy replays [Alice's IP addr | encrypted password | "I'm Alice"].

Authentication: yet another try

Goal: avoid playback attack.

Nonce: number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key.

Alice → Bob: "I am Alice"
Bob → Alice: R
Alice → Bob: K_A-B(R)

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!

Failures, drawbacks?
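The ap4.0 exchange with the verifier side written out, as an added example (not code from the slides). HMAC-SHA256 over R stands in for the slide's symmetric encryption K_A-B(R), a substitution chosen so the response is a fixed-size tag; the shared key is a constructed sample value. The model also shows what ap4.0 buys over ap3.x: a recorded response is useless against a fresh nonce, and Bob never accepts the same nonce twice.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret between Alice and Bob (K_A-B on the slide); not from the slides.
SHARED_KEY = b"constructed-example-key-for-alice-and-bob"


def respond(key: bytes, nonce: bytes) -> bytes:
    """Alice's reply K_A-B(R). HMAC-SHA256 over R stands in for the slide's symmetric encryption of R."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob:
    """Verifier side of ap4.0: a fresh nonce per attempt, each accepted at most once."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()   # nonces sent but not yet answered
        self.used = set()          # nonces already consumed (never accepted again)

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)   # 128 random bits: the number used once
        self.outstanding.add(r)
        return r

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding or nonce in self.used:
            return False                   # unknown or replayed nonce
        self.outstanding.discard(nonce)
        self.used.add(nonce)
        expected = respond(self.key, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def alice_authenticates(bob: Bob, alice_key: bytes):
    """One run: Bob sends R, Alice returns K_A-B(R); returns (R, response, accepted)."""
    r = bob.challenge()
    resp = respond(alice_key, r)
    return r, resp, bob.verify(r, resp)


if __name__ == "__main__":
    bob = Bob(SHARED_KEY)
    r, resp, ok = alice_authenticates(bob, SHARED_KEY)
    print("genuine run accepted:", ok)
    print("same (R, response) again accepted:", bob.verify(r, resp))
    print("recorded response against a new R accepted:", bob.verify(bob.challenge(), resp))
```

The third line is the playback case from ap3.0/ap3.1: the recorded K_A-B(R) does not match the new nonce, so it is rejected, and the second line shows that even the original nonce cannot be reused.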

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography.

Alice → Bob: "I am Alice"
Bob → Alice: R
Alice → Bob: K_A^-(R)
Bob → Alice: "send me your public key"
Alice → Bob: K_A^+

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Alice → Trudy: "I am Alice";  Trudy → Bob: "I am Alice"
Bob → Trudy: R;  Trudy → Alice: R
Alice → Trudy: K_A^-(R);  Trudy → Bob: K_T^-(R)
Bob → Trudy: "send me your public key";  Trudy → Alice: "send me your public key"
Alice → Trudy: K_A^+;  Trudy → Bob: K_T^+
Bob → Trudy: K_T^+(m)

Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice computes m = K_A^-(K_A^+(m)).

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Firewalls

Firewall: isolates organization's internal net from the larger Internet, allowing some packets to pass, blocking others.

[Figure: administered network — firewall — public Internet.]

Firewalls: Why

Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.

Prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else.

Allow only authorized access to inside network (set of authenticated users/hosts).

Two types of firewalls: application-level, packet-filtering.

Packet Filtering

Internal network connected to Internet via router firewall. Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
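The two example rules above as a packet-by-packet filter over the header fields the slide lists, added here as an example (not code from the slides). One detail the slide leaves implicit is made explicit: to let internal clients connect outward, Example 2 must drop only inbound segments with SYN set and ACK clear, since the server's SYN+ACK reply is itself an inbound SYN packet. The sample packets in the usage are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

TCP, UDP = 6, 17   # IP protocol field values


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" (arriving from the Internet) or "out" (departing)
    proto: int                # IP protocol field
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False


def block_udp_and_telnet(p: Packet) -> bool:
    """Example 1: protocol field 17 (UDP), or either port 23 (telnet), in both directions."""
    return p.proto == UDP or p.src_port == 23 or p.dst_port == 23


def block_inbound_syn(p: Packet) -> bool:
    """Example 2: inbound TCP connection requests (SYN set, ACK clear).
    Inbound SYN+ACK, the reply to an internal client's own request, is left alone."""
    return p.direction == "in" and p.proto == TCP and p.syn and not p.ack


RULES: List[Callable[[Packet], bool]] = [block_udp_and_telnet, block_inbound_syn]


def filter_packet(p: Packet, rules=RULES) -> str:
    """Drop if any rule matches, otherwise forward."""
    return "drop" if any(rule(p) for rule in rules) else "forward"


if __name__ == "__main__":
    # constructed sample traffic (203.0.113.0/24 is a documentation range)
    samples = [
        Packet("in", UDP, "203.0.113.7", "10.0.0.5", 5353, 53),
        Packet("out", TCP, "10.0.0.5", "203.0.113.7", 40000, 23, syn=True),
        Packet("in", TCP, "203.0.113.7", "10.0.0.5", 40001, 80, syn=True),
        Packet("out", TCP, "10.0.0.5", "203.0.113.7", 40002, 80, syn=True),
        Packet("in", TCP, "203.0.113.7", "10.0.0.5", 80, 40002, syn=True, ack=True),
    ]
    for p in samples:
        print(filter_packet(p), p)
```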

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session → application gateway → gateway-to-remote-host telnet session; a router and filter sits between the gateway and the outside.]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source.

If multiple apps need special treatment, each has its own app gateway.

Client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser.

Filters often use all-or-nothing policy for UDP.

Tradeoff: degree of communication with outside world vs. level of security.

Many highly protected sites still suffer from attacks.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Internet security threats

Mapping: before attacking, "case the joint": find out what services are implemented on the network. Use ping to determine what hosts have addresses on the network. Port-scanning: try to establish a TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping: countermeasures. Record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).
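The countermeasure just described, "record traffic entering the network and look for ports being scanned sequentially", as detection logic over a constructed log of inbound connection attempts; this is an added example, not code from the slides. The record format (time, source, destination, destination port), the thresholds and the addresses are all constructed.

```python
from collections import defaultdict

# Constructed sample of inbound connection-attempt records: "time src dst dport"
LOG = """\
100 203.0.113.9 10.0.0.5 21
101 203.0.113.9 10.0.0.5 22
102 203.0.113.9 10.0.0.5 23
103 203.0.113.9 10.0.0.5 24
104 203.0.113.9 10.0.0.5 25
105 203.0.113.9 10.0.0.5 26
120 198.51.100.4 10.0.0.5 80
121 198.51.100.4 10.0.0.5 80
122 198.51.100.4 10.0.0.5 443
"""


def parse(log: str):
    for line in log.splitlines():
        t, src, dst, port = line.split()
        yield int(t), src, dst, int(port)


def detect_sequential_scans(log: str, min_ports: int = 5, window: int = 60) -> list:
    """Flag (src, dst) pairs that touched at least min_ports distinct ports within `window`
    seconds, and note whether those ports were consecutive (the slide's sequential scan)."""
    events = defaultdict(list)
    for t, src, dst, port in parse(log):
        events[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()
        for i in range(len(hits)):
            start = hits[i][0]
            in_window = [p for t, p in hits[i:] if t - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_ports:
                sequential = all(b - a == 1 for a, b in zip(distinct, distinct[1:]))
                alerts.append({"src": src, "dst": dst, "ports": len(distinct),
                               "sequential": sequential, "first_seen": start})
                break   # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_sequential_scans(LOG):
        print(alert)
```

The second source only touches two ports and is not reported; the first hits six consecutive ports in a few seconds and is flagged with `sequential` set, which is the signature the slide tells you to look for.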

Internet security threats: Packet sniffing

Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords); e.g.: C sniffs B's packets.

[Figure: A, B, C on a shared segment; the frame src:B dest:A payload is also seen by C.]

Countermeasures?

Internet security threats: Packet sniffing countermeasures

All hosts in organization run software that checks periodically if host interface is in promiscuous mode.

One host per segment of broadcast media (switched Ethernet at hub).

[Figure: A, B, C each on their own switched segment; the frame src:B dest:A payload reaches only A.]

Internet security threats: IP Spoofing

Can generate "raw" IP packets directly from application, putting any value into IP source address field. Receiver can't tell if source is spoofed, e.g.: C pretends to be B.

[Figure: C sends a datagram src:B dest:A payload to A.]

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

Routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network).

Great, but ingress filtering cannot be mandated for all networks.

[Figure: A, B, C with the datagram src:B dest:A payload.]
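The ingress-filtering rule above, "do not forward an outgoing packet whose source address is not in the router's network", as a per-interface check, added here as an example (not code from the slides). The interface-to-prefix assignment and the batch of sample datagrams are constructed; the addresses are from documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed: which customer prefix sits behind each interface of the edge router.
INTERFACE_PREFIXES = {
    "eth0": ipaddress.ip_network("192.0.2.0/24"),
    "eth1": ipaddress.ip_network("198.51.100.0/25"),
}


def ingress_check(in_iface: str, src_ip: str) -> str:
    """Forward an outbound datagram only if its source address belongs to the network
    behind the interface it arrived on; anything else is a source the router cannot vouch for."""
    prefix = INTERFACE_PREFIXES.get(in_iface)
    if prefix is None:
        return "drop: unknown interface"
    if ipaddress.ip_address(src_ip) in prefix:
        return "forward"
    return "drop: source not in interface prefix"


# Constructed sample of outbound datagrams: (arrival interface, claimed source address)
SAMPLE = [
    ("eth0", "192.0.2.10"),
    ("eth0", "192.0.2.200"),
    ("eth0", "198.51.100.9"),    # a host on eth0 claiming an address from the other LAN
    ("eth1", "198.51.100.9"),
    ("eth1", "198.51.100.200"),  # outside the /25 assigned to eth1
    ("eth1", "10.9.9.9"),        # private address that should never leave the site
]


def audit(sample=SAMPLE) -> Counter:
    """Tally verdicts over a batch of datagrams, e.g. for a periodic report."""
    return Counter(ingress_check(iface, src) for iface, src in sample)


if __name__ == "__main__":
    for iface, src in SAMPLE:
        print(iface, src, "->", ingress_check(iface, src))
    print(audit())
```

The check is exactly what the slide says cannot be mandated everywhere: it only helps when the network closest to the spoofing host applies it, because every other router on the path sees a source address that is plausible for the direction of travel.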

Internet security threats: Denial of service (DOS)

Flood of maliciously generated packets "swamp" receiver. Distributed DOS (DDOS): multiple coordinated sources swamp receiver; e.g., C and a remote host SYN-attack A.

[Figure: A, B, C; SYN segments from C and from a remote host converge on A.]

Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

Filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad.

Traceback to source of floods (most likely an innocent, compromised machine).

[Figure: same SYN flood toward A.]

Review (1)

Network Layer: Virtual Circuits and Datagram Networks; Routing Principles (Link State Algorithm, Distance Vector Algorithm); The Internet (IP) Protocol (IPv4 addressing, datagram format, IP fragmentation, ICMP: Internet Control Message Protocol, IPv6, NAT: Network Address Translation).

Review (2)

Routing in the Internet: hierarchical routing, RIP, OSPF, BGP.

Data link layer: introduction and services; error detection and correction; multiple access protocols (TDMA/FDMA, random access protocols, "taking turns" protocols); link-layer addressing; Ethernet; hubs and switches.

Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs.

Review (3)

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info: "link state" algorithms.
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors: "distance vector" algorithms.

Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update; in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example

Step   N'        D(v),p(v)   D(w),p(w)   D(x),p(x)   D(y),p(y)   D(z),p(z)
0      u         2,u         5,u         1,u         ∞           ∞
1      ux        2,u         4,x                     2,x         ∞
2      uxy       2,u         3,y                                 4,y
3      uxyv                  3,y                                 4,y
4      uxyvw                                                     4,y
5      uxyvwz

[Figure: network with nodes u, v, w, x, y, z and link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5.]

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path, only the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three-node network x — y (cost 2), x — z (cost 7), y — z (cost 1). The tables at nodes x, y, z are shown at three points in time; rows are "from", columns are "cost to" x, y, z.

node x table: time 0: from x 0 2 7, from y ∞ ∞ ∞, from z ∞ ∞ ∞; time 1: from x 0 2 3, from y 2 0 1, from z 7 1 0; time 2: from x 0 2 3, from y 2 0 1, from z 3 1 0.
node y table: time 0: from x ∞ ∞ ∞, from y 2 0 1, from z ∞ ∞ ∞; then from x 0 2 7, from y 2 0 1, from z 7 1 0; converging to from x 0 2 3, from y 2 0 1, from z 3 1 0.
node z table: time 0: from x ∞ ∞ ∞, from y ∞ ∞ ∞, from z 7 1 0; then from x 0 2 7, from y 2 0 1, from z 3 1 0; converging to the same final table.]

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2

D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
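The Bellman-Ford update run as a synchronous distance-vector iteration on the slide's three-node network (c(x,y)=2, c(x,z)=7, c(y,z)=1); an added example, not code from the slides. The synchronous round structure is a simplification of the asynchronous, message-driven loop the slide describes: every node recomputes from its neighbors' last-announced vectors, then all vectors are announced at once.

```python
INF = float("inf")

# Link costs from the slide's figure.
COSTS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}


def c(a: str, b: str) -> float:
    """Direct link cost, symmetric; 0 to oneself, infinity if not adjacent."""
    if a == b:
        return 0
    return COSTS.get((a, b), COSTS.get((b, a), INF))


def run_dv(nodes, cost_fn=c, max_rounds: int = 20):
    """Synchronous DV iteration. Returns (D, rounds) where D[x][y] is x's estimate of the cost
    to y and rounds is how many exchanges changed something before the estimates settled."""
    neighbors = {x: [v for v in nodes if v != x and cost_fn(x, v) < INF] for x in nodes}
    # initial vector = direct link costs (the "time 0" rows in the slide's tables)
    D = {x: {y: cost_fn(x, y) for y in nodes} for x in nodes}
    for rnd in range(1, max_rounds + 1):
        new = {}
        for x in nodes:
            new[x] = {}
            for y in nodes:
                # Bellman-Ford: D_x(y) = min_v { c(x,v) + D_v(y) } over x's neighbors v
                new[x][y] = 0 if x == y else min(cost_fn(x, v) + D[v][y] for v in neighbors[x])
        if new == D:
            return D, rnd - 1          # no vector changed: converged, nobody notifies anybody
        D = new
    return D, max_rounds


if __name__ == "__main__":
    D, rounds = run_dv(["x", "y", "z"])
    for x in D:
        print(f"from {x}: " + "  ".join(f"{y}={D[x][y]}" for y in D[x]))
    print("rounds until stable:", rounds)
```

The first exchange already yields D_x(z) = min{2+1, 7+0} = 3, matching the slide's computation; the second exchange changes nothing, so under the slide's rule ("notify neighbors only when DV changes") no further messages are sent.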

The Internet Network layer

Host, router network layer functions:

Routing protocols
  • path selection
  • RIP, OSPF, BGP
IP protocol
  • addressing conventions
  • datagram format
  • packet handling conventions
ICMP protocol
  • error reporting
  • router "signaling"

(Figure: the network layer, holding the forwarding table, sits between the transport layer (TCP, UDP) above and the link layer and physical layer below.)

IP datagram format

(Figure: the IPv4 header laid out in 32-bit words, followed by the data.)

  ver | head. len | type of service | length
  16-bit identifier | flgs | fragment offset
  time to live | upper layer | Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any)
  data (variable length, typically a TCP or UDP segment)

Field notes:
  ver: IP protocol version number
  head. len: header length (bytes)
  type of service: "type" of data
  length: total datagram length (bytes)
  16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
  time to live: max number of remaining hops (decremented at each router)
  upper layer: upper layer protocol to deliver payload to
  Options: e.g. timestamp, record route taken, specify list of routers to visit

How much overhead with TCP?
  20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
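An added example (not from the slides) that builds, parses and verifies the 20-byte header described above and performs the per-hop TTL decrement, which forces the checksum to be recomputed at every router. The addresses are the slide's 223.1.x.x interface addresses; build_ipv4_header, parse_ipv4_header, internet_checksum and forward are hypothetical helper names.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte fixed header, network byte order


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented (the Internet checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:                           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ttl=64, protocol=6, ident=0x1234):
    """Header with no options (head. len = 5 words) and a valid checksum."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0x4000                          # DF flag set, fragment offset 0
    hdr = struct.pack(IPV4_HDR, ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, protocol, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data):
    """Decode the fixed fields; checksum_ok is True when the header verifies."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, protocol,
     csum, src, dst) = struct.unpack(IPV4_HDR, data[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "header_len": header_len, "tos": tos,
        "total_len": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "protocol": protocol, "checksum": csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # A header carrying a correct checksum sums to 0xFFFF, so its
        # complemented sum is zero.
        "checksum_ok": internet_checksum(data[:header_len]) == 0,
    }


def forward(header):
    """What a router does per hop: decrement TTL and recompute the checksum."""
    hdr = bytearray(header)
    if hdr[8] == 0:
        raise ValueError("TTL expired; a router discards the datagram")
    hdr[8] -= 1
    header_len = (hdr[0] & 0x0F) * 4
    hdr[10:12] = b"\x00\x00"                     # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr[:header_len])))
    return bytes(hdr)


if __name__ == "__main__":
    h = build_ipv4_header("223.1.1.1", "223.1.2.9", payload_len=100)
    print(parse_ipv4_header(h))
    print(parse_ipv4_header(forward(h))["ttl"])
```

The checksum covers only the header, which is why a router can rewrite TTL cheaply; it also means the checksum detects corruption of the header but says nothing about the payload.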

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

(Figure: two routers and several hosts with interface addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27.)

  223.1.1.1 = 11011111 00000001 00000001 00000001
                 223       1        1        1

Subnets

IP address:
  • subnet part (high order bits)
  • host part (low order bits)

What's a subnet?
  • device interfaces with same subnet part of IP address
  • can physically reach each other without intervening router

(Figure: network consisting of 3 subnets (LANs), with the interface addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27 from the previous figure.)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).

CIDR: Classless InterDomain Routing
  • subnet portion of address of arbitrary length
  • address format: a.b.c.d/x, where x is # bits in subnet portion of address

  11001000 00010111 00010000 00000000
  subnet part: first 23 bits; host part: remaining 9 bits
  200.23.16.0/23
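An added example (not from the slides) that does the subnet-part/host-part split and the "same subnet?" test with Python's standard ipaddress module, on the slide's own addresses. It also shows the classful limitation the slide mentions: 200.23.16.0/23 starts with a class C octet, so before CIDR it would have had to be allocated as two /24 networks. Function names are hypothetical.

```python
import ipaddress


def subnet_and_host_bits(cidr):
    """Split an a.b.c.d/x address into its subnet part (first x bits) and host part."""
    iface = ipaddress.ip_interface(cidr)
    bits = format(int(iface.ip), "032b")
    x = iface.network.prefixlen
    return bits[:x], bits[x:]


def same_subnet(addr_a, addr_b, prefixlen):
    """Two interfaces share a subnet when their first prefixlen bits agree."""
    net_a = ipaddress.ip_network(f"{addr_a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{prefixlen}", strict=False)
    return net_a == net_b


def classful_prefixlen(addr):
    """Pre-CIDR mask length implied by the first octet (class A, B, C), else None."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None


def address_count(cidr):
    """Number of addresses covered by the prefix: 2 ** (32 - x)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def classful_blocks_needed(cidr):
    """How many classful networks the same address range would have consumed."""
    net = ipaddress.ip_network(cidr, strict=False)
    cls = classful_prefixlen(str(net.network_address))
    if cls is None or cls < net.prefixlen:
        return 1                     # fits inside one classful block (wasting the rest of it)
    return net.num_addresses // (2 ** (32 - cls))


if __name__ == "__main__":
    print(subnet_and_host_bits("200.23.16.0/23"))
    print(same_subnet("223.1.1.1", "223.1.1.4", 24), same_subnet("223.1.1.1", "223.1.2.1", 24))
    print(address_count("200.23.16.0/23"), classful_blocks_needed("200.23.16.0/23"))
```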

NAT: Network Address Translation

(Figure: local network, e.g. home network, 10.0.0/24, with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router 10.0.0.4; the router's WAN-side address 138.76.29.7 faces the rest of the Internet.)

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.
Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual).

NAT: Network Address Translation

NAT translation table
  WAN side addr           LAN side addr
  138.76.29.7, 5001       10.0.0.1, 3345
  ......                  ......

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
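The four steps above as an added example (not code from the slides): a minimal NAT translation table that rewrites outbound source address/port, maps replies back, and, because it has no entry for them, drops inbound datagrams nobody inside asked for. Addresses and ports are the slide's; NatRouter is a hypothetical class name and port allocation simply counts up from 5001.

```python
import itertools


class NatRouter:
    """NAT router keeping the slide's (WAN side addr) -> (LAN side addr) table."""

    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self._ports = itertools.count(first_port)   # next unused WAN-side port
        self.table = {}      # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}    # (lan_ip, lan_port) -> wan_port

    def outbound(self, pkt):
        """Step 2: rewrite source addr/port of a datagram leaving the local network."""
        key = (pkt["src_ip"], pkt["src_port"])
        port = self.reverse.get(key)
        if port is None:                             # first datagram from this socket
            port = next(self._ports)
            self.reverse[key] = port
            self.table[(self.wan_ip, port)] = key    # update table
        return {**pkt, "src_ip": self.wan_ip, "src_port": port}

    def inbound(self, pkt):
        """Step 4: map a reply's destination back to the internal host, or drop it."""
        key = (pkt["dst_ip"], pkt["dst_port"])
        if key not in self.table:
            return None        # no mapping: unsolicited datagram from outside is dropped
        lan_ip, lan_port = self.table[key]
        return {**pkt, "dst_ip": lan_ip, "dst_port": lan_port}


if __name__ == "__main__":
    nat = NatRouter("138.76.29.7")
    out = nat.outbound({"src_ip": "10.0.0.1", "src_port": 3345,
                        "dst_ip": "128.119.40.186", "dst_port": 80})
    print("leaves as", out)
    back = nat.inbound({"src_ip": "128.119.40.186", "src_port": 80,
                        "dst_ip": "138.76.29.7", "dst_port": 5001})
    print("reply delivered to", back)
    print(nat.table)
```

The side effect worth noticing is the last case: an outside host cannot reach 10.0.0.1 unless the table already holds a mapping, which is why NAT incidentally behaves like the "block inbound connections" filter discussed under firewalls later in the deck.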

Hierarchical Routing

Our routing study thus far is an idealization: all routers identical, network "flat"... not true in practice.

scale: with 200 million destinations
  • can't store all dest's in routing tables
  • routing table exchange would swamp links
administrative autonomy
  • internet = network of networks
  • each network admin may want to control routing in its own network

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol
  • "intra-AS" routing protocol
  • routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS

(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. Each router runs an intra-AS routing algorithm and an inter-AS routing algorithm, both of which fill its forwarding table.)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm:
  • Intra-AS sets entries for internal dests
  • Inter-AS & Intra-AS set entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX distribution in 1982
Distance metric: # of hops (max = 15 hops)
  • # of hops = # of subnets traversed along the shortest path from src router to dst subnet

(Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z; e.g. from src = A:)

  destination  hops
  u            1
  v            2
  w            2
  x            3
  y            3
  z            2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses Link State algorithm
  • LS packet dissemination
  • Topology map at each node
  • Route computation using Dijkstra's algorithm
  • Link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
  • Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone
  • link-state advertisements only in area
  • each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  • Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  • AS2 can aggregate prefixes in its advertisement

(Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS.)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
  • Inter-AS: admin wants control over how its traffic is routed, who routes through its net
  • Intra-AS: single admin, so no policy decisions needed
Scale:
  • hierarchical routing saves table size, reduced update traffic
Performance:
  • Intra-AS: can focus on performance
  • Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
  • hosts and routers are nodes
  • communication channels that connect adjacent nodes along communication path are links
    - wired links
    - wireless links
    - LANs
  • layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest
    - different from IP address!
Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit error link (fiber, some twisted pair)
  • wireless links: high error rates
    - Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
"Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
  • access to channel in "rounds"
  • each station gets fixed length slot (length = pkt trans time) in each round
  • unused slots go idle
  • example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
  • single active node can continuously transmit at full rate of channel
  • highly decentralized: only slots in nodes need to be in sync
  • simple
Cons:
  • collisions, wasting slots
  • idle slots
  • clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
  • prob that node 1 has success in a slot = p(1-p)^(N-1)
  • prob that there is a success = Np(1-p)^(N-1)
  • For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
  • For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time!

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
If channel sensed idle: transmit entire frame
If channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
(Figure: space-time diagram of the spatial layout of nodes; note the role of distance & propagation delay in determining collision probability.)

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
  • collisions detected within short time
  • colliding transmissions aborted, reducing channel wastage
collision detection:
  • easy in wired LANs: measure signal strengths, compare transmitted, received signals
  • difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

(Figure: space-time diagram of two nodes detecting the collision and aborting.)

"Taking Turns" MAC protocols

Polling:
  • master node "invites" slave nodes to transmit in turn
  • concerns: polling overhead, latency, single point of failure (master)
Token passing:
  • control token passed from one node to next sequentially
  • token message
  • concerns: token overhead, latency, single point of failure (token)

ARP: Address Resol‌ution Protocol

Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
  TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

(Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

(Figure: A --- R --- B, with A and B on different LANs.)

A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
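The ARP exchange of the two slides above (broadcast query, unicast reply, cached entry with a 20-minute TTL that ages out as soft state), as an added example that is not code from the slides. The four IP and four MAC addresses are the slide's; pairing them one-to-one is an assumption, and ArpNode is a hypothetical class name. The LAN is modelled as a list of nodes that all see the broadcast.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"


class ArpNode:
    """One IP node on a LAN with an ARP table of <IP address; MAC address; TTL> entries."""

    def __init__(self, ip, mac, ttl_seconds=20 * 60):
        self.ip, self.mac, self.ttl = ip, mac, ttl_seconds
        self.table = {}            # IP -> (MAC, expiry time)
        self.queries_sent = 0

    def cached(self, ip, now):
        """Return the cached MAC for ip if the entry has not timed out."""
        entry = self.table.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        self.table.pop(ip, None)   # soft state: a stale entry is forgotten
        return None

    def handle_query(self, query):
        """Every node receives the broadcast; only the owner of target_ip answers, by unicast."""
        if query["target_ip"] != self.ip:
            return None
        return {"dst_mac": query["src_mac"], "src_mac": self.mac, "sender_ip": self.ip}

    def resolve(self, ip, lan, now):
        """Return ip's MAC address, from the cache or by an ARP query over lan."""
        mac = self.cached(ip, now)
        if mac:
            return mac
        query = {"dst_mac": BROADCAST, "src_mac": self.mac,
                 "sender_ip": self.ip, "target_ip": ip}
        self.queries_sent += 1
        for node in lan:                       # broadcast: all nodes on the LAN receive it
            reply = node.handle_query(query)
            if reply is not None:
                self.table[ip] = (reply["src_mac"], now + self.ttl)   # cache until timeout
                return reply["src_mac"]
        return None                            # no node on this LAN owns ip


# Constructed LAN: the slide's four IP addresses paired with its four MAC addresses
# (the pairing is an assumption; the drawing did not survive extraction).
LAN = [
    ArpNode("237.196.7.23", "1A-2F-BB-76-09-AD"),
    ArpNode("237.196.7.78", "58-23-D7-FA-20-B0"),
    ArpNode("237.196.7.14", "0C-C4-11-6F-E3-98"),
    ArpNode("237.196.7.88", "71-65-F7-2B-08-53"),
]


if __name__ == "__main__":
    a = LAN[0]
    print(a.resolve("237.196.7.78", LAN, now=0), "queries:", a.queries_sent)
    print(a.resolve("237.196.7.78", LAN, now=600), "queries:", a.queries_sent)
    print(a.resolve("237.196.7.78", LAN, now=1201), "queries:", a.queries_sent)
```

Note what the model leaves out, and what makes ARP a classic trust problem: nothing in handle_query checks that the replying node really owns the IP address, so any node on the segment could answer. The slide's "plug-and-play" property and that absence of authentication are the same design decision.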

Ethernet uses CSMA/CD

No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,...,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
  • Goal: adapt retransmission attempts to estimated current load
    - heavy load: random wait will be longer
  • first collision: choose K from {0,1}; delay is K·512 bit transmission times
  • after second collision: choose K from {0,1,2,3}...
  • after ten collisions, choose K from {0,1,2,3,4,...,1023}

CSMA/CD efficiency

Tprop = max prop delay between 2 nodes in LAN
ttrans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 tprop/ttrans)

Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
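The efficiency arithmetic of the slotted ALOHA slide and of the two CSMA/CD slides above, as one added example (not from the slides): the success probability Np(1-p)^(N-1), its maximizer p* = 1/N and the 1/e limit; the backoff range {0, ..., 2^m - 1} that stops growing after the tenth collision; the K·512 bit-time wait at a .1 µs bit time; and efficiency = 1/(1 + 5 tprop/ttrans). Function names are hypothetical.

```python
import math
import random


def slotted_aloha_success_prob(N, p):
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    return N * p * (1 - p) ** (N - 1)


def best_p(N, steps=10_000):
    """Grid search for the p that maximizes Np(1-p)^(N-1).

    Setting the derivative to zero gives (1-p) - (N-1)p = 0, i.e. p* = 1/N,
    which the search recovers numerically.
    """
    return max((k / steps for k in range(1, steps)),
               key=lambda p: slotted_aloha_success_prob(N, p))


def aloha_efficiency(N):
    """Efficiency at the optimal p = 1/N; tends to 1/e (about .37) as N grows."""
    return slotted_aloha_success_prob(N, 1 / N)


def csma_cd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1 / (1 + 5 * t_prop / t_trans)


def backoff_range(m):
    """After the m-th collision K is drawn from {0, ..., 2^m - 1}; the range stops
    growing after ten collisions, so K never exceeds 1023."""
    return 2 ** min(m, 10)


def choose_k(m, rng=random):
    """Step 5 of the algorithm: pick K uniformly at random for the m-th collision."""
    return rng.randrange(backoff_range(m))


def backoff_wait_seconds(K, bit_rate=10_000_000):
    """Wait K * 512 bit times; at 10 Mbps a bit time is .1 µs, so K = 1023 is about 52 ms."""
    return K * 512 / bit_rate


if __name__ == "__main__":
    for N in (2, 10, 100, 1000):
        print(N, round(best_p(N), 4), round(aloha_efficiency(N), 4))
    print("1/e =", round(1 / math.e, 4))
    print("wait for K=1023:", backoff_wait_seconds(1023), "s")
    print("efficiency, tprop/ttrans = 0.01:", csma_cd_efficiency(0.01, 1.0))
```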

Hubs

Hubs are essentially physical-layer repeaters:
  • bits coming from one link go out all other links
  • at the same rate
  • no frame buffering
  • no CSMA/CD at hub: adapters detect collisions
  • provides net management functionality
    - can disconnect a malfunctioning adapter
(Figure: hub connected to hosts over twisted pair.)

Interconnecting with hubs

Pros:
  • Enables interdepartmental communication
  • Extends max distance btw nodes
  • If a hub malfunctions, the backbone hub can disconnect it
Cons:
  • Collision domains are transferred into one large common domain
  • Cannot interconnect 10BaseT and 100BaseT hubs
(Figure: a backbone hub connecting three departmental hubs.)

Switch

Link layer device
  • stores and forwards Ethernet frames
  • examines frame header and selectively forwards frame based on MAC dest address
  • when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
  • hosts are unaware of presence of switches
plug-and-play, self-learning
  • switches do not need to be configured

Forwarding

  • How to determine onto which LAN segment to forward frame?
  • Looks like a routing problem...
(Figure: switch with interfaces 1, 2, 3, each connected to a hub.)

Self learning

A switch has a switch table
entry in switch table:
  • (MAC Address, Interface, Time Stamp)
  • stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
  • when frame received, switch "learns" location of sender: incoming LAN segment
  • records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments
switch filters packets:
  • same-LAN-segment frames not usually forwarded onto other LAN segments
  • segments become separate collision domains
(Figure: switch with three hubs; each hub's segment is its own collision domain.)
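The self-learning and filtering behaviour of the two slides above, as an added example (not code from the slides): a switch table of (MAC address, interface, time stamp) entries, learning from every frame's source, flooding unknown destinations, filtering same-segment frames, and dropping entries older than the TTL. The MAC addresses are the ones on the ARP slide, used here as constructed sample hosts; LearningSwitch is a hypothetical class name.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    """Self-learning, filtering switch with the slide's (MAC, interface, time stamp) table."""

    def __init__(self, interfaces, ttl_seconds=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.table = {}     # MAC address -> (interface, time stamp of last frame seen)

    def _expire(self, now):
        """Drop stale entries (TTL can be 60 min)."""
        self.table = {mac: (iface, ts) for mac, (iface, ts) in self.table.items()
                      if now - ts < self.ttl}

    def receive(self, src, dst, in_iface, now):
        """Process one frame; return the list of interfaces it is sent out on."""
        self._expire(now)
        self.table[src] = (in_iface, now)            # learn: sender lives on in_iface
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:        # unknown destination: flood
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:                    # same segment: filter, do not forward
            return []
        return [out_iface]                           # selectively forward


# Constructed hosts: A on interface 1, B and C on the hub behind interface 2.
A, B, C = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    print(sw.receive(A, B, 1, now=0))      # B unknown: flooded to 2 and 3
    print(sw.receive(B, A, 2, now=1))      # A known: sent only to 1
    print(sw.receive(C, B, 2, now=2))      # B is on the incoming segment: filtered
    print(sw.table)
```

The table is learned purely from source addresses, with no check that a host is entitled to claim one, so its contents are only as trustworthy as the hosts on the segments; the traffic isolation the slide describes depends on that table being correct.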

Switches vs. Routers

both store-and-forward devices
  • routers: network layer devices (examine network layer headers)
  • switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                     hubs    switches   routers
  traffic isolation  no      yes        yes
  plug & play        yes     yes        no
  optimal routing    no      no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
  • B, A hear each other
  • B, C hear each other
  • A, C can not hear each other, means A, C unaware of their interference at B
(Figure: A, B, C in a row; A and C are each within range of B but not of each other.)

Signal fading:
  • B, A hear each other
  • B, C hear each other
  • A, C can not hear each other, interfering at B
(Figure: A's signal strength and C's signal strength plotted against space; both reach B but each is too weak at the other's location.)

IEEE 802.11 Wireless LAN

802.11b
  • 2.4-5 GHz unlicensed radio spectrum
  • up to 11 Mbps
  • direct sequence spread spectrum (DSSS) in physical layer
    - all hosts use same chipping code
  • widely deployed, using base stations
802.11a
  • 5-6 GHz range
  • up to 54 Mbps
802.11g
  • 2.4-5 GHz range
  • up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station
  • base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
ad hoc mode: hosts only
(Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
   - if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
(Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK.)

Collision Avoidance: RTS-CTS exchange

(Figure: A and B both send RTS to the AP and the two RTS frames collide at the AP; A's retransmitted RTS(A) gets through; the AP broadcasts CTS(A), which reserves the channel for A and makes B defer; A sends DATA(A) and the AP returns ACK(A).)

802.11 frame: addressing

(Figure: frame layout, field sizes in bytes)
  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

802.11 frame: addressing

(Figure: H1 -- AP -- R1 (Internet router))
802.11 frame from H1 to AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame from AP to R1: dest address = R1 MAC addr, source address = AP MAC addr

Network Security

What is network security?
Principles of cryptography
  • Symmetric Key
  • Public Key
Authentication
  • Protocol evolution
Access control: firewalls
Attacks and counter measures
  • Packet sniffing, IP spoofing, DoS attacks


Public key cryptography

(Figure: plaintext message m → encryption algorithm with Bob's public key K_B+ → ciphertext K_B+(m) → decryption algorithm with Bob's private key K_B- → plaintext message m = K_B-(K_B+(m)))

Public key encryption algorithms

Requirements:
  1. need K_B+( ) and K_B-( ) such that K_B-(K_B+(m)) = m
  2. given public key K_B+, it should be impossible to compute private key K_B-
Also: given K_B+(m) and K_B+( ), it should be impossible to determine m

RSA: Choosing keys

1. Choose two large prime numbers p, q (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z (e, z are "relatively prime")
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1)
5. Public key is (n,e). Private key is (n,d).
   K_B+ = (n,e)    K_B- = (n,d)

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern m, compute
   c = m^e mod n   (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern c, compute
   m = c^d mod n   (i.e., remainder when c^d is divided by n)

   m = (m^e mod n)^d mod n   ("Magic happens!")

RSA example

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

encrypt:
  letter  m    m^e      c = m^e mod n
  l       12   248832   17

decrypt:
  c    c^d                                    m = c^d mod n   letter
  17   481968572106750915091411825223071697   12              l

RSA: Why is that m = (m^e mod n)^d mod n ?

Useful number theory result: If p, q prime and n = pq, then
  x^y mod n = x^(y mod (p-1)(q-1)) mod n

(m^e mod n)^d mod n = m^(ed) mod n
                    = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
                    = m^1 mod n                     (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
                    = m

RSA: another important property

The following property will be very useful later:

  K_B-(K_B+(m)) = m = K_B+(K_B-(m))

use public key first, followed by private key; or use private key first, followed by public key: the result is the same!
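The five RSA slides above, worked as an added example (not code from the slides) on the slide's own toy parameters p=5, q=7, e=5, d=29: key selection with the "relatively prime" and "ed mod z = 1" checks, encryption of m=12 to c=17 and back, the number-theory result behind the correctness argument, and the "both orders agree" property of the last slide. Function names are hypothetical. Note that with z=24 the smallest valid d is 5; the slide's d=29 is the same residue class and works identically.

```python
from math import gcd


def rsa_keygen(p, q, e, d=None):
    """Steps 1-5 of the slide. If d is not given, the smallest d with ed mod z = 1 is used."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e and z must be relatively prime")
    if d is None:
        d = pow(e, -1, z)                  # modular inverse of e mod z (Python 3.8+)
    if (e * d) % z != 1:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)                  # public key K_B+, private key K_B-


def rsa_apply(key, x):
    """c = m^e mod n with the public key; m = c^d mod n with the private key."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("bit pattern must be smaller than n")
    return pow(x, exponent, n)


def number_theory_result(x, y, p, q):
    """The slide's result: x^y mod n == x^(y mod (p-1)(q-1)) mod n for n = pq."""
    n, z = p * q, (p - 1) * (q - 1)
    return pow(x, y, n) == pow(x, y % z, n)


def both_orders_agree(public, private, m):
    """K_B-(K_B+(m)) == m == K_B+(K_B-(m)), the 'another important property' slide."""
    return (rsa_apply(private, rsa_apply(public, m)) == m
            and rsa_apply(public, rsa_apply(private, m)) == m)


if __name__ == "__main__":
    public, private = rsa_keygen(5, 7, e=5, d=29)   # the slide's example keys
    c = rsa_apply(public, 12)                        # letter 'l' -> 12
    print("encrypt 12 ->", c, "(12^5 =", 12 ** 5, ")")
    print("decrypt", c, "->", rsa_apply(private, c))
    print("all m < 35 survive both orders:",
          all(both_orders_agree(public, private, m) for m in range(35)))
```

The modulus here is tiny, so this shows the arithmetic, not a usable cipher; the slide's security requirement (computing K_B- from K_B+ must be infeasible) is exactly what the 1024-bit primes of step 1 are for.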

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Authentication

Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario?
(Figure: Alice → Bob: "I am Alice")

Authentication

Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice
(Figure: Trudy → Bob: "I am Alice")

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario?
(Figure: Alice → Bob: [Alice's IP address, "I am Alice"])

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Trudy can create a packet "spoofing" Alice's address
(Figure: Trudy → Bob: [Alice's IP address, "I am Alice"])

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
Failure scenario?
(Figure: Alice → Bob: [Alice's IP addr, Alice's password, "I'm Alice"]; Bob → Alice: [Alice's IP addr, OK])

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
playback attack: Trudy records Alice's packet and later plays it back to Bob
(Figure: Alice → Bob: [Alice's IP addr, Alice's password, "I'm Alice"]; Bob → Alice: [Alice's IP addr, OK]; later, Trudy → Bob: the recorded [Alice's IP addr, Alice's password, "I'm Alice"])

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
Failure scenario?
(Figure: Alice → Bob: [Alice's IP addr, encrypted password, "I'm Alice"]; Bob → Alice: [Alice's IP addr, OK])

Authentication: another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
record and playback still works!
(Figure: Alice → Bob: [Alice's IP addr, encrypted password, "I'm Alice"]; Bob → Alice: [Alice's IP addr, OK]; later, Trudy → Bob: the recorded [Alice's IP addr, encrypted password, "I'm Alice"])

Authentication: yet another try

Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
(Figure: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: K_A-B(R))
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
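An added example (not code from the slides) contrasting the ap3.0/ap3.1 check, which accepts a recorded packet again because it is stateless, with the ap4.0 nonce exchange, where Bob accepts a response only for a nonce he issued and has not yet consumed. One assumption: instead of encrypting R with the shared key K_A-B as the slide does, the response is a keyed MAC (HMAC-SHA256) of R, which is the keyed transformation a practitioner would use for this purpose today; the shared key and class names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret K_A-B; in practice it is provisioned out of band.
SHARED_KEY = b"constructed-shared-secret-between-alice-and-bob"


def keyed_response(key, nonce):
    """Stand-in for K_A-B(R): a keyed MAC over the nonce instead of a block cipher (assumption)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class PasswordVerifier:
    """ap3.0 / ap3.1: Bob compares whatever arrives with the stored (possibly encrypted)
    password. The check keeps no state, so a recorded packet verifies again on playback."""

    def __init__(self, stored_blob):
        self.stored_blob = stored_blob

    def verify(self, presented_blob):
        return hmac.compare_digest(presented_blob, self.stored_blob)


class NonceVerifier:
    """ap4.0: Bob issues a fresh nonce R per attempt and accepts only K_A-B(R) for an R
    that he issued and has not yet consumed."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()

    def challenge(self):
        R = secrets.token_bytes(16)            # a number used only once in a lifetime
        self.outstanding.add(R)
        return R

    def verify(self, R, response):
        if R not in self.outstanding:          # never issued, or already used: a replay
            return False
        self.outstanding.discard(R)            # each nonce answers exactly one attempt
        return hmac.compare_digest(response, keyed_response(self.key, R))


def alice_answers(key, R):
    """Alice's side of ap4.0: return R transformed with the shared key."""
    return keyed_response(key, R)


if __name__ == "__main__":
    recorded = b"alice-password-as-sent-on-the-wire"
    bob_v3 = PasswordVerifier(recorded)
    print("ap3.x accepts the recorded packet twice:", bob_v3.verify(recorded), bob_v3.verify(recorded))

    bob = NonceVerifier(SHARED_KEY)
    R = bob.challenge()
    response = alice_answers(SHARED_KEY, R)
    print("ap4.0 first use:", bob.verify(R, response))
    print("ap4.0 playback of the same (R, response):", bob.verify(R, response))
```

Two things the slide's "failures, drawbacks?" question points at are visible in the code: the scheme needs the shared key in place beforehand (the motivation for ap5.0 on the next slide), and the outstanding set must be bounded in practice, for instance by expiring nonces that are never answered.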

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
(Figure: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: K_A-(R); Bob → Alice: "send me your public key"; Alice → Bob: K_A+)
Bob computes K_A+(K_A-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A+(K_A-(R)) = R

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
(Figure, with Bob on the left, Trudy in the middle and Alice on the right:
  Alice → Trudy → Bob: "I am Alice"
  Bob → Trudy: R;  Trudy → Bob: K_T-(R)
  Bob → Trudy: "Send me your public key";  Trudy → Bob: K_T+
  Trudy → Alice: R;  Alice → Trudy: K_A-(R)
  Trudy → Alice: "Send me your public key";  Alice → Trudy: K_A+
  Bob → Trudy: K_T+(m);  Trudy gets m = K_T-(K_T+(m)), sends m to Alice encrypted with Alice's public key, K_A+(m);  Alice gets m = K_A-(K_A+(m)))

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
  • Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
  • problem is that Trudy receives all messages as well!

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Firewalls

firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
(Figure: administered network | firewall | public Internet)

Firewalls: Why

prevent denial of service attacks:
  • SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
prevent illegal modification/access of internal data.
  • e.g., attacker replaces CIA's homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls:
  • application-level
  • packet-filtering

Packet Filtering

internal network connected to Internet via router firewall
router filters packet-by-packet, decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  • All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP SYN packets.
  • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
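The two packet-filtering examples above, written out as rules over the header fields the previous slide lists, as an added example (not code from the slides). The sample packets are constructed (the 10.0.0.x and 128.119.40.186 addresses are the NAT slide's; 198.51.100.9 and 203.0.113.x are documentation addresses); rule and helper names are hypothetical. Example 1 is implemented as the slide's explanation states it, as two separate conditions: protocol 17 (UDP) is dropped, and any segment with port 23 is dropped.

```python
TCP, UDP = 6, 17

# Constructed sample traffic. Each record carries the fields the slide names as
# inputs to the filter; "direction" is "in" (arriving) or "out" (departing).
PACKETS = [
    {"direction": "out", "proto": TCP, "src": "10.0.0.1", "dst": "128.119.40.186",
     "src_port": 3345, "dst_port": 80, "syn": True, "ack": False},    # internal client opens HTTP
    {"direction": "in", "proto": TCP, "src": "128.119.40.186", "dst": "10.0.0.1",
     "src_port": 80, "dst_port": 3345, "syn": True, "ack": True},     # server's SYN-ACK reply
    {"direction": "in", "proto": TCP, "src": "198.51.100.9", "dst": "10.0.0.2",
     "src_port": 40000, "dst_port": 22, "syn": True, "ack": False},   # outside host opens a connection
    {"direction": "out", "proto": UDP, "src": "10.0.0.3", "dst": "203.0.113.53",
     "src_port": 5353, "dst_port": 53, "syn": False, "ack": False},   # UDP flow (DNS)
    {"direction": "out", "proto": TCP, "src": "10.0.0.1", "dst": "203.0.113.7",
     "src_port": 4000, "dst_port": 23, "syn": True, "ack": False},    # outgoing telnet
]


def rule_example1(pkt):
    """Slide's Example 1: drop UDP (IP protocol 17) and anything with port 23 (telnet)."""
    if pkt["proto"] == UDP:
        return "drop"
    if pkt["src_port"] == 23 or pkt["dst_port"] == 23:
        return "drop"
    return None


def rule_example2(pkt):
    """Slide's Example 2: drop inbound TCP segments with SYN set and ACK clear,
    i.e. connection attempts from outside; replies to inside-initiated connections
    carry SYN+ACK and pass."""
    if pkt["direction"] == "in" and pkt["proto"] == TCP and pkt["syn"] and not pkt["ack"]:
        return "drop"
    return None


def filter_packets(packets, rules):
    """Apply the rules in order; the first rule returning a verdict decides, default forward."""
    decisions = []
    for pkt in packets:
        verdict = "forward"
        for rule in rules:
            v = rule(pkt)
            if v is not None:
                verdict = v
                break
        decisions.append(verdict)
    return decisions


if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, filter_packets(PACKETS, [rule_example1, rule_example2])):
        print(f"{pkt['direction']:>3} {pkt['src']}:{pkt['src_port']} -> "
              f"{pkt['dst']}:{pkt['dst_port']} proto={pkt['proto']}: {verdict}")
```

Example 2 is the classic stateless trick: the SYN/ACK bits alone distinguish the first segment of a connection from everything after it, so the filter can block inbound connection attempts without keeping per-connection state. The "all or nothing for UDP" limitation on a later slide follows directly, since UDP has no such bits.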

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter)
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source
if multiple app's need special treatment, each has own app gateway.
client software must know how to contact gateway.
  • e.g., must set IP address of proxy in Web browser
filters often use all or nothing policy for UDP.
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks.

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Internet security threats

Mapping:
  • before attacking: "case the joint": find out what services are implemented on network
  • Use ping to determine what hosts have addresses on network
  • Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?

Internet security threats

Mapping: countermeasures
  • record traffic entering network
  • look for suspicious activity (IP addresses, ports being scanned sequentially)
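The mapping countermeasure above ("record traffic entering network, look for ports being scanned sequentially"), as an added detection example that is not code from the slides. The log lines are constructed, using documentation addresses; one source walks a host's ports in order while an ordinary client talks to two services. The line format and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed log of inbound connection attempts recorded at the network border.
# 198.51.100.7 tries consecutive ports on 203.0.113.10; 10.0.0.5 is an ordinary client.
LOG = """\
12:00:01 198.51.100.7 -> 203.0.113.10 dport=20 flags=S
12:00:01 10.0.0.5 -> 203.0.113.10 dport=80 flags=S
12:00:02 198.51.100.7 -> 203.0.113.10 dport=21 flags=S
12:00:02 198.51.100.7 -> 203.0.113.10 dport=22 flags=S
12:00:03 198.51.100.7 -> 203.0.113.10 dport=23 flags=S
12:00:03 10.0.0.5 -> 203.0.113.10 dport=443 flags=S
12:00:04 198.51.100.7 -> 203.0.113.10 dport=24 flags=S
12:00:04 198.51.100.7 -> 203.0.113.10 dport=25 flags=S
12:00:05 10.0.0.5 -> 203.0.113.10 dport=80 flags=S
"""

LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) -> (\S+) dport=(\d+) flags=S$")


def parse_line(line):
    """Return the fields of one log line, or None for lines in another format."""
    m = LINE.match(line)
    if not m:
        return None
    hh, mm, ss, src, dst, port = m.groups()
    return {"t": int(hh) * 3600 + int(mm) * 60 + int(ss),
            "src": src, "dst": dst, "port": int(port)}


def detect_sequential_scans(log_text, min_ports=5, window=60):
    """Flag (src, dst) pairs that touched at least min_ports distinct ports within
    window seconds, and report whether the ports were tried in consecutive ascending
    order, the pattern the slide calls 'ports being scanned sequentially'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[(rec["src"], rec["dst"])].append((rec["t"], rec["port"]))
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()                                 # time order (port order within a second)
        ports = [p for _, p in evs]
        span = evs[-1][0] - evs[0][0]
        if len(set(ports)) >= min_ports and span <= window:
            sequential = all(b == a + 1 for a, b in zip(ports, ports[1:]))
            alerts.append({"src": src, "dst": dst, "ports": len(set(ports)),
                           "span_s": span, "sequential": sequential})
    return alerts


if __name__ == "__main__":
    for alert in detect_sequential_scans(LOG):
        print(alert)
```

The thresholds are the tunable part: a low min_ports catches slow scans but also flags a busy legitimate client, so in practice the distinct-port count is combined with the fraction of attempts that got no service at all.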

Internet security threats

Packet sniffing:
  • broadcast media
  • promiscuous NIC reads all packets passing by
  • can read all unencrypted data (e.g., passwords)
  • e.g.: C sniffs B's packets
(Figure: A, B, C on a shared segment; frame src:B dest:A payload)
Countermeasures?

Internet security threats

Packet sniffing: countermeasures
  • all hosts in organization run software that checks periodically if host interface in promiscuous mode.
  • one host per segment of broadcast media (switched Ethernet at hub)
(Figure: A, B, C; frame src:B dest:A payload)

Internet security threats

IP Spoofing:
  • can generate "raw" IP packets directly from application, putting any value into IP source address field
  • receiver can't tell if source is spoofed
  • e.g.: C pretends to be B
(Figure: A, B, C; frame src:B dest:A payload sent by C)
Countermeasures?

Internet security threats

IP Spoofing: ingress filtering
  • routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
  • great, but ingress filtering can not be mandated for all networks
(Figure: A, B, C; frame src:B dest:A payload)

Internet security threats

Denial of service (DOS):
  • flood of maliciously generated packets "swamp" receiver
  • Distributed DOS (DDOS): multiple coordinated sources swamp receiver
  • e.g., C and remote host SYN-attack A
(Figure: A, B, C; C and a remote host send a stream of SYN segments to A)
Countermeasures?

Internet security threats

Denial of service (DOS): countermeasures
  • filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
  • traceback to source of floods (most likely an innocent, compromised machine)
(Figure: A, B, C; stream of SYN segments toward A)

Review (1): Network Layer
Virtual Circuits and Datagram Networks
Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation

Review (2): Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP
Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA, FDMA
• Random Access Protocols
• "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks
CDMA
IEEE 802.11 wireless LANs

Review (3): What is network security
Principles of cryptography
Symmetric Key
Public Key
Authentication
Protocol evolution
Access control: firewalls
Attacks and counter measures
Packet sniffing
IP spoofing
DoS attacks

Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

Figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2
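The algorithm above, implemented as an added example (not code from the slides) on the slide's own six-node graph, following the pseudocode's structure: initialise from u's neighbours, then repeatedly move the cheapest node outside N into N and relax its neighbours. It also derives the forwarding table from the predecessors p(v), which the slide mentions but does not show computed.

```python
"""Dijkstra's link-state algorithm as on the slide, run on the slide's example graph.
Added example; the link costs are read from the figure."""

# Undirected link costs from the example figure
LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}

def adjacency(links):
    """Neighbour map: adj[a][b] = c(a,b)."""
    adj = {}
    for (a, b), c in links.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj

def dijkstra(links, u):
    """Return (D, p): least cost D[v] from u and predecessor p[v] on that least-cost path."""
    adj = adjacency(links)
    inf = float("inf")
    # Initialization: N = {u}; D(v) = c(u,v) for neighbours of u, else infinity
    N = {u}
    D = {v: adj[u].get(v, inf) for v in adj}
    D[u] = 0
    p = {v: (u if v in adj[u] else None) for v in adj}
    # Loop until all nodes are in N
    while len(N) < len(adj):
        w = min((v for v in adj if v not in N), key=lambda v: D[v])
        N.add(w)
        for v, c in adj[w].items():            # relax edges out of w
            if v not in N and D[w] + c < D[v]:
                D[v] = D[w] + c
                p[v] = w
    return D, p

def forwarding_table(links, u):
    """Next hop from u for every destination, read back along the predecessor chain."""
    D, p = dijkstra(links, u)
    table = {}
    for dest in D:
        if dest == u or D[dest] == float("inf"):
            continue
        hop = dest
        while p[hop] is not None and p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table

if __name__ == "__main__":
    D, p = dijkstra(LINKS, "u")
    print("D:", D)
    print("p:", p)
    print("forwarding table at u:", forwarding_table(LINKS, "u"))
```

The final D and p match the last row of the slide's table; when two nodes outside N tie (v and y both at cost 2 after step 1) the order in which they are admitted may differ from the slide, but the final costs do not.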

Distance vector algorithm (1)
Basic idea: Each node periodically sends its own distance vector estimate to neighbors
When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:
  Dx(y) ← min_v { c(x,v) + Dv(y) } for each node y ∈ N
Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by local link cost change or DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path – only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

Figure: three-node network x, y, z with link costs c(x,y) = 2, c(x,z) = 7, c(y,z) = 1; each node's table (rows "from", columns "cost to" x y z) evolving over time

node x table, initially:  from x: 0 2 7 | from y: ∞ ∞ ∞ | from z: ∞ ∞ ∞
node y table, initially:  from x: ∞ ∞ ∞ | from y: 2 0 1 | from z: ∞ ∞ ∞
node z table, initially:  from x: ∞ ∞ ∞ | from y: ∞ ∞ ∞ | from z: 7 1 0

After the nodes exchange their vectors, every table converges to:
  from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0

Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
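The distance-vector computation on the slide's three-node network, as an added example (not code from the slides). Each node keeps the table of the figure (its own row plus the rows last received from neighbours) and applies the Bellman-Ford equation; the example runs the exchange in synchronous rounds for readability, whereas the real algorithm is asynchronous, as the previous slide says.

```python
"""Distance-vector (Bellman-Ford) routing on the slide's x, y, z example.
Added example; link costs are read from the figure."""
INF = float("inf")

# c(x,y) = 2, c(x,z) = 7, c(y,z) = 1 (undirected)
COSTS = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}

def init_tables(costs):
    """Each node starts knowing only its own row (direct link costs); other rows are all ∞."""
    nodes = sorted(costs)
    tables = {}
    for x in nodes:
        tables[x] = {r: {c: INF for c in nodes} for r in nodes}
        for y in nodes:
            tables[x][x][y] = 0 if y == x else costs[x].get(y, INF)
    return tables

def bellman_ford_update(x, table, costs):
    """Recompute x's own vector: Dx(y) = min over neighbours v of c(x,v) + Dv(y).
    Returns True if the vector changed (which is when x would notify its neighbours)."""
    new_row = {}
    for y in table[x]:
        best = 0 if y == x else INF
        for v, c in costs[x].items():
            best = min(best, c + table[v][y])
        new_row[y] = best
    changed = new_row != table[x]
    table[x] = new_row
    return changed

def run_dv(costs, max_rounds=10):
    """Synchronous rounds: every node sends its row to its neighbours, then recomputes.
    Returns (tables, rounds_used); stops when no vector changed in a round."""
    tables = init_tables(costs)
    for rnd in range(1, max_rounds + 1):
        # 1. exchange: each node stores the vectors received from its neighbours
        for x in costs:
            for v in costs[x]:
                tables[x][v] = dict(tables[v][v])
        # 2. recompute every node (a list, so no node is skipped by short-circuiting)
        changed = [bellman_ford_update(x, tables[x], costs) for x in costs]
        if not any(changed):
            return tables, rnd
    return tables, max_rounds

if __name__ == "__main__":
    tables, rounds = run_dv(COSTS)
    for node in sorted(tables):
        print(f"node {node} table:", tables[node])
    print("converged after", rounds, "rounds")
```

After the first exchange x already has Dx(z) = 3 and z has Dz(x) = 3, exactly the Dx(y) and Dx(z) lines worked out above; the second round produces no change, so no node notifies anyone and the algorithm is quiescent.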

The Internet Network layer
Host, router network layer functions:
Routing protocols
• path selection
• RIP, OSPF, BGP
IP protocol
• addressing conventions
• datagram format
• packet handling conventions
ICMP protocol
• error reporting
• router "signaling"
forwarding table
Transport layer: TCP, UDP
Network layer
Link layer
physical layer

IP datagram format (32-bit rows)
ver: IP protocol version number
head len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
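A parser for the header layout above, as an added example (not code from the slides): it decodes the fixed 20-byte IPv4 header field by field and verifies the Internet checksum, which is the check a receiver or a packet filter performs before trusting any of the other fields. The header it parses is constructed by the example itself.

```python
"""IPv4 fixed-header parser with Internet checksum verification.
Added example; the sample header is constructed here, not taken from the slides."""
import struct

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); odd length is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the 20-byte header of the slide; checksum_ok is True iff the header checksum verifies."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver, ihl = vihl >> 4, (vihl & 0x0F) * 4     # IHL counts 32-bit words
    if ver != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        # a header carrying a correct checksum sums to 0xFFFF, whose complement is 0
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
    }

def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234):
    """Constructed header with a correct checksum; no options, so IHL = 5 and DF set."""
    s = bytes(map(int, src.split(".")))
    d = bytes(map(int, dst.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, s, d)
    csum = internet_checksum(hdr)          # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

# Constructed: IP header over a 20-byte TCP header, i.e. the 40 bytes of overhead on the slide
SAMPLE = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=20)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
```

Flipping any header byte (the TTL, say) makes `checksum_ok` false, which is why a router recomputes the checksum after decrementing TTL rather than leaving the old value in place.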

IP Addressing: introduction
IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
routers typically have multiple interfaces
host may have multiple interfaces
IP addresses associated with each interface
Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27
223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets
IP address:
subnet part (high order bits)
host part (low order bits)
What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router
Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27; network consisting of 3 subnets (LAN)

IP addressing: CIDR
Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)
CIDR: Classless InterDomain Routing
subnet portion of address of arbitrary length
address format: a.b.c.d/x, where x is # bits in subnet portion of address
11001000 00010111 00010000 00000000  (200.23.16.0/23)
subnet part: first 23 bits; host part: remaining 9 bits
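The subnet/host split of the two slides above, carried out on the slide's 200.23.16.0/23 and 223.1.x.x addresses as an added example (not code from the slides). It builds the mask from x directly rather than using a library, so the bit arithmetic the slide describes is visible.

```python
"""CIDR arithmetic: mask from prefix length, subnet and host parts, same-subnet test.
Added example; addresses are those shown on the slides."""

def prefix_to_mask(x):
    """32-bit mask with the top x bits set, e.g. /23 -> 255.255.254.0."""
    return (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF

def dotted(n):
    """32-bit integer -> a.b.c.d."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def undotted(s):
    """a.b.c.d -> 32-bit integer."""
    a, b, c, d = (int(p) for p in s.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def cidr_info(cidr):
    """Split a.b.c.d/x into subnet part (first x bits) and host part (remaining bits)."""
    addr, x = cidr.split("/")
    x = int(x)
    mask = prefix_to_mask(x)
    net = undotted(addr) & mask
    return {
        "mask": dotted(mask),
        "subnet": dotted(net),
        "subnet_bits": format(net, "032b")[:x],
        "host_bits": 32 - x,
        "num_addresses": 1 << (32 - x),
        "last": dotted(net | (~mask & 0xFFFFFFFF)),
    }

def same_subnet(ip1, ip2, x):
    """Two interfaces are on the same subnet iff their first x bits agree."""
    mask = prefix_to_mask(x)
    return (undotted(ip1) & mask) == (undotted(ip2) & mask)

if __name__ == "__main__":
    print(cidr_info("200.23.16.0/23"))
    print(same_subnet("223.1.1.1", "223.1.1.4", 24), same_subnet("223.1.1.1", "223.1.2.9", 24))
```

For the slide's /23 the mask is 255.255.254.0, so 200.23.16.0 and 200.23.17.255 are the first and last of its 512 addresses; the three subnets of the earlier figure are the /24s 223.1.1.0, 223.1.2.0 and 223.1.3.0.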

NAT: Network Address Translation
Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router 10.0.0.4 / 138.76.29.7 facing the rest of Internet
Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)
All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers

NAT: Network Address Translation
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
   NAT translation table
   WAN side addr          LAN side addr
   138.76.29.7, 5001      10.0.0.1, 3345
   ……                     ……
3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
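The four steps of the slide as an added example (not code from the slides): a minimal port-translating NAT that allocates WAN ports from 5001 upward, rewrites outbound sources, and maps replies back. The addresses are the slide's; the unsolicited inbound packet at the end is constructed to show the side effect the slide does not spell out, namely that an inbound datagram with no table entry has nowhere to go and is dropped.

```python
"""Port-based NAT walkthrough (steps 1-4 of the slide). Added example; the
translation table keys on (WAN addr, WAN port) only, a simplification of real NATs
which also record the remote endpoint."""

class NatRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}      # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}    # (lan_ip, lan_port) -> wan_port

    def outbound(self, pkt):
        """Step 2: rewrite the source of a LAN -> Internet datagram, adding a table entry if new."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.reverse:
            wan_port = self.next_port
            self.next_port += 1
            self.reverse[key] = wan_port
            self.table[(self.wan_ip, wan_port)] = key
        return dict(pkt, src=self.wan_ip, sport=self.reverse[key])

    def inbound(self, pkt):
        """Steps 3-4: look up (WAN addr, port), rewrite the destination; no entry -> drop (None)."""
        key = (pkt["dst"], pkt["dport"])
        if key not in self.table:
            return None
        lan_ip, lan_port = self.table[key]
        return dict(pkt, dst=lan_ip, dport=lan_port)

def slide_walkthrough():
    """Run steps 1-4 with the slide's addresses; also try an unsolicited inbound packet."""
    nat = NatRouter("138.76.29.7")
    step1 = {"src": "10.0.0.1", "sport": 3345, "dst": "128.119.40.186", "dport": 80}
    step2 = nat.outbound(step1)
    step3 = {"src": "128.119.40.186", "sport": 80, "dst": step2["src"], "dport": step2["sport"]}
    step4 = nat.inbound(step3)
    # constructed: packet from outside aimed at a port with no table entry
    unsolicited = nat.inbound({"src": "203.0.113.9", "sport": 4444,
                               "dst": "138.76.29.7", "dport": 5002})
    return step2, step4, unsolicited

if __name__ == "__main__":
    for label, pkt in zip(("step 2", "step 4", "unsolicited"), slide_walkthrough()):
        print(label, pkt)
```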

Hierarchical Routing
scale: with 200 million destinations:
can't store all dest's in routing tables!
routing table exchange would swamp links!
administrative autonomy
internet = network of networks
each network admin may want to control routing in its own network
Our routing study thus far - idealization: all routers identical, network "flat"… not true in practice

Hierarchical Routing
aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol: "intra-AS" routing protocol
routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS
Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); intra-AS routing algorithm and inter-AS routing algorithm both feed the forwarding table

Interconnected ASes
Forwarding table is configured by both intra- and inter-AS routing algorithm
Intra-AS sets entries for internal dests
Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet
Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)
Distance vector algorithm
Included in BSD-UNIX Distribution in 1982
Distance metric: # of hops (max = 15 hops)
# of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)
Figure: routers A, B, C, D and subnets u, v, w, x, y, z
destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements
Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)
"open": publicly available
Uses Link State algorithm
LS packet dissemination
Topology map at each node
Route computation using Dijkstra's algorithm
Link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort; high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF
Two-level hierarchy: local area, backbone
Link-state advertisements only in area
each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other AS's

Internet inter-AS routing: BGP
BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics
Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
AS2 can aggregate prefixes in its advertisement
Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS

Path attributes & BGP routes
When advertising a prefix, advert includes BGP attributes
prefix + attributes = "route"
Two important attributes:
AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)
When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?
Policy:
Inter-AS: admin wants control over how its traffic routed, who routes through its net
Intra-AS: single admin, so no policy decisions needed
Scale:
hierarchical routing saves table size, reduced update traffic
Performance:
Intra-AS: can focus on performance
Inter-AS: policy may dominate over performance

Data Link Layer
Some terminology:
hosts and routers are nodes
communication channels that connect adjacent nodes along communication path are links
wired links, wireless links, LANs
layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services
Framing, link access:
encapsulate datagram into frame, adding header, trailer
channel access if shared medium
"MAC" addresses used in frame headers to identify source, dest
• different from IP address!
Reliable delivery between adjacent nodes
we learned how to do this already (chapter 3)!
seldom used on low bit error link (fiber, some twisted pair)
wireless links: high error rates
• Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning
divide channel into smaller "pieces" (time slots, frequency, code)
allocate piece to node for exclusive use
Random Access
channel not divided, allow collisions
"recover" from collisions
"Taking turns"
Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
access to channel in "rounds"
each station gets fixed length slot (length = pkt trans time) in each round
unused slots go idle
example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA
Pros
single active node can continuously transmit at full rate of channel
highly decentralized: only slots in nodes need to be in sync
simple
Cons
collisions, wasting slots
idle slots
clock synchronization

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
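The efficiency derivation above, carried through numerically as an added example (not code from the slides): it evaluates Np(1-p)^(N-1), finds the maximising p by search (which lands on the calculus answer p = 1/N), shows the maximum falling toward 1/e as N grows, and checks the formula against a Monte Carlo run of slotted ALOHA. The simulation parameters are assumptions for the example.

```python
"""Slotted ALOHA efficiency: closed form, numerical maximisation, and simulation.
Added example; N, p and slot counts are constructed."""
import math
import random

def success_prob(N, p):
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    return N * p * (1 - p) ** (N - 1)

def best_p(N, steps=10000):
    """Grid search for the p maximising success_prob; the calculus optimum is p = 1/N."""
    best_i = max(range(1, steps), key=lambda i: success_prob(N, i / steps))
    return best_i / steps

def efficiency(N):
    """Maximum efficiency for N nodes, i.e. success_prob at p = 1/N."""
    return success_prob(N, 1.0 / N)

def simulate(N, p, slots=20000, seed=1):
    """Monte Carlo: fraction of slots in which exactly one node transmits."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(N) if rng.random() < p)
        ok += transmitters == 1
    return ok / slots

if __name__ == "__main__":
    for N in (2, 10, 100, 1000):
        print(f"N={N:5d}  p*={best_p(N):.4f}  efficiency={efficiency(N):.4f}")
    print("1/e =", round(1 / math.e, 4))
    print("simulated, N=10, p=0.1:", simulate(10, 0.1))
```

With two nodes the best case is 0.5; with ten it is already below 0.39, and the values approach 1/e = 0.3679 from above, which is the "at best 37%" of the slide.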

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
If channel sensed idle: transmit entire frame
If channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
Figure: spatial layout of nodes
note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
collisions detected within short time
colliding transmissions aborted, reducing channel wastage
collision detection:
easy in wired LANs: measure signal strengths, compare transmitted, received signals
difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

"Taking Turns" MAC protocols
Polling:
master node "invites" slave nodes to transmit in turn
concerns: polling overhead, latency, single point of failure (master)
Token passing:
control token passed from one node to next sequentially
token message
concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
Figure: LAN with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53

ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address
Dest MAC address = FF-FF-FF-FF-FF-FF
all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN
walkthrough: send datagram from A to B via R
assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
Figure: A, R, B
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
Goal: adapt retransmission attempts to estimated current load
heavy load: random wait will be longer
first collision: choose K from {0,1}; delay is K · 512 bit transmission times
after second collision: choose K from {0,1,2,3}…
after ten collisions, choose K from {0,1,2,3,4,…,1023}

CSMA/CD efficiency
tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
efficiency = 1 / (1 + 5 tprop/ttrans)
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
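The exponential backoff of the previous two slides and the efficiency formula above, worked as an added example (not code from the slides): the K range after the m-th collision, the resulting wait in seconds at 10 Mbps, and the efficiency approximation for a given propagation/transmission ratio. The cap at ten collisions and the trial counts are assumptions for the example.

```python
"""Ethernet exponential backoff and the CSMA/CD efficiency approximation.
Added example; bit time and slot size are the slide's values for 10 Mbps Ethernet."""
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit at 10 Mbps
SLOT_BITS = 512            # backoff unit: K * 512 bit times

def backoff_range(m):
    """Size of the set {0, ..., 2^m - 1} after the m-th collision, capped at 2^10 = 1024
    (the slide stops widening after ten collisions)."""
    return 2 ** min(m, 10)

def max_wait(m):
    """Longest possible wait after collision m, in seconds (K = 2^m - 1)."""
    return (backoff_range(m) - 1) * SLOT_BITS * BIT_TIME_10MBPS

def backoff_wait(m, rng):
    """One random backoff after collision m: K uniform in {0, ..., 2^m - 1}."""
    K = rng.randrange(backoff_range(m))
    return K * SLOT_BITS * BIT_TIME_10MBPS

def mean_wait(m, trials=4000, seed=7):
    """Empirical mean wait after collision m; expectation is (2^m - 1)/2 slots."""
    rng = random.Random(seed)
    return sum(backoff_wait(m, rng) for _ in range(trials)) / trials

def csma_cd_efficiency(t_prop, t_trans):
    """Slide's approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)

if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        print(f"collision {m:2d}: K in [0, {backoff_range(m) - 1}], max wait {max_wait(m) * 1e3:.3f} ms")
    # constructed: 2.5 km of cable at ~2e8 m/s vs a 1500-byte frame at 10 Mbps
    print("efficiency:", round(csma_cd_efficiency(12.5e-6, 1.2e-3), 3))
```

After ten collisions the longest wait is 1023 · 512 · 0.1 µs ≈ 52 ms, the "about 50 msec" of the slide; the efficiency expression shows why a longer frame (larger ttrans) or a shorter cable (smaller tprop) pushes the channel toward full use.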

Hubs
Hubs are essentially physical-layer repeaters:
bits coming from one link go out all other links
at the same rate
no frame buffering
no CSMA/CD at hub: adapters detect collisions
provides net management functionality
• can disconnect a malfunctioning adapter
Figure: hub with twisted pair links

Interconnecting with hubs
Pros:
Enables interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions, the backbone hub can disconnect it
Cons:
Collision domains are transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
Figure: backbone hub connecting three department hubs

Switch
Link layer device
stores and forwards Ethernet frames
examines frame header and selectively forwards frame based on MAC dest address
when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
hosts are unaware of presence of switches
plug-and-play, self-learning
switches do not need to be configured

Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
Figure: switch with interfaces 1, 2, 3, each attached to a hub

Self learning
A switch has a switch table
entry in switch table: (MAC Address, Interface, Time Stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
when frame received, switch "learns" location of sender: incoming LAN segment
records sender/location pair in switch table

Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets:
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
Figure: switch with three hubs, each hub its own collision domain
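The self-learning and filtering behaviour of the two slides above, as an added example (not code from the slides): a switch with three interfaces that records (MAC, interface, time stamp) from every frame's source, floods when the destination is unknown or broadcast, filters frames whose destination is on the incoming segment, and drops entries older than the 60-minute TTL. The MAC names and time values are constructed.

```python
"""Self-learning switch: learn from sources, filter same-segment frames, flood unknown
destinations, age out stale entries. Added example; frames below are constructed."""

BROADCAST = "FF:FF:FF:FF:FF:FF"

class LearningSwitch:
    def __init__(self, ports, ttl=3600):
        self.ports = list(ports)
        self.ttl = ttl           # seconds; the slide's "TTL can be 60 min"
        self.table = {}          # mac -> (interface, last_seen)

    def _expire(self, now):
        """Drop entries not refreshed within ttl (stale entries are removed)."""
        stale = [m for m, (_, t) in self.table.items() if now - t > self.ttl]
        for m in stale:
            del self.table[m]

    def receive(self, src_mac, dst_mac, in_port, now):
        """Process one frame; return the list of interfaces it goes out on ([] = filtered)."""
        self._expire(now)
        self.table[src_mac] = (in_port, now)             # learn the sender's segment
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]  # flood everywhere but in_port
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]  # filter, or forward selectively

def demo():
    """Constructed sequence: A on port 1, B on port 2, C also on port 1."""
    sw = LearningSwitch(ports=[1, 2, 3])
    trace = [
        sw.receive("A", "B", 1, 0),        # B unknown: flood to 2, 3; learn A@1
        sw.receive("B", "A", 2, 1),        # A known: forward to 1 only; learn B@2
        sw.receive("A", "B", 1, 2),        # B known: forward to 2
        sw.receive("C", "A", 1, 3),        # A is on the incoming segment: filtered
        sw.receive("B", "A", 2, 5000),     # after the TTL: A forgotten, flood again
    ]
    return trace, dict(sw.table)

if __name__ == "__main__":
    trace, table = demo()
    print("out ports per frame:", trace)
    print("switch table:", table)
```

The fourth frame is the traffic-isolation case of the slide: C and A share the hub on interface 1, so the switch sends nothing on to the other segments and their collision domains are unaffected.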

Switches vs. Routers
both store-and-forward devices
routers: network layer devices (examine network layer headers)
switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison
                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Figure: A, B, C
Hidden terminal problem
B, A hear each other
B, C hear each other
A, C can not hear each other
means A, C unaware of their interference at B
Figure: A's signal strength and C's signal strength over space
Signal fading:
B, A hear each other
B, C hear each other
A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN
802.11b
2.4-5 GHz unlicensed radio spectrum
up to 11 Mbps
direct sequence spread spectrum (DSSS) in physical layer
• all hosts use same chipping code
widely deployed, using base stations
802.11a
5-6 GHz range
up to 54 Mbps
802.11g
2.4-5 GHz range
up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture
wireless host communicates with base station
base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
wireless hosts
access point (AP): base station
ad hoc mode: hosts only
Figure: BSS 1 and BSS 2, each with an AP, connected via hub, switch or router to the Internet

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then transmit entire frame (no CD)
2 if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK

Collision Avoidance: RTS-CTS exchange
Figure: A and B both send RTS to the AP and the RTSs collide (reservation collision); the AP answers CTS(A); A sends DATA(A); the AP returns ACK(A); B defers

802.11 frame (field lengths in bytes)
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
Figure: H1 – AP – R1 (Internet router)
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr

Network Security
What is network security?
Principles of cryptography
Symmetric Key
Public Key
Authentication
Protocol evolution
Access control: firewalls
Attacks and counter measures
Packet sniffing
IP spoofing
DoS attacks

Page 7: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Public key encryption algorithms

need K ( ) and K ( ) such thatB B

given public key K it should be impossible to compute private key K

B

B

Requirements

1

2

+ -

K (K (m)) = m BB

- +

+

-

K (m)B+

Also given and K ()B+

it should be impossible to determine m

RSA Choosing keys

1 Choose two large prime numbers p q (eg 1024 bits each)

2 Compute n = pq z = (p-1)(q-1)

3 Choose e (with eltn) that has no common factors with z (e z are ldquorelatively primerdquo)

4 Choose d such that ed-1 is exactly divisible by z (in other words ed mod z = 1 )

5 Public key is (ne) Private key is (nd)

K B+ K B

-

RSA Encryption decryption

0 Given (ne) and (nd) as computed above

1 To encrypt bit pattern m compute

c = m mod n

e (ie remainder when m is divided by n)e

2 To decrypt received bit pattern c compute

m = c mod n

d (ie remainder when c is divided by n)d

m = (m mod n)

e mod n

dMagichappens

c

RSA example

Bob chooses p=5 q=7 Then n=35 z=24e=5 (so e z relatively prime)d=29 (so ed-1 exactly divisible by z

letter m me c = m mod ne

l 12 1524832 17

c m = c mod nd

17 481968572106750915091411825223071697 12

cdletter

l

encrypt

decrypt

RSA Why is that m = (m mod n)

e mod n

d

(m mod n)

e mod n = m mod n

d ed

Useful number theory result If pq prime and n = pq then

x mod n = x mod ny y mod (p-1)(q-1)

= m mod n

ed mod (p-1)(q-1)

= m mod n1

= m

(using number theory result above)

(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )

RSA another important property

The following property will be very useful later

K (K (m)) = m BB

- +K (K (m))

BB+ -

=

use public key first followed

by private key

use private key first

followed by public key

Result is the same

Overview

What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures

Authentication

Goal Bob wants Alice to ldquoproverdquo her identity to him

Protocol ap10 Alice says ldquoI am Alicerdquo

Failure scenarioldquoI am Alicerdquo

Authentication

Goal Bob wants Alice to ldquoproverdquo her identity to him

Protocol ap10 Alice says ldquoI am Alicerdquo

in a networkBob can not ldquoseerdquo

Alice so Trudy simply declares

herself to be AliceldquoI am Alicerdquo

Authentication another try

Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address

Failure scenario

ldquoI am AlicerdquoAlicersquos

IP address

Authentication another try

Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address

Trudy can createa packet

ldquospoofingrdquoAlicersquos addressldquoI am Alicerdquo

Alicersquos IP address

Authentication another try

Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it

Failure scenario

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

OKAlicersquos IP addr

Authentication another try

Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it

playback attack Trudy records Alicersquos

packetand later

plays it back to Bob

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

OKAlicersquos IP addr

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

Authentication yet another try

Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it

Failure scenario

ldquoIrsquom AlicerdquoAlicersquos IP addr

encrypted password

OKAlicersquos IP addr

Authentication another try

Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it

recordand

playbackstill works

ldquoIrsquom AlicerdquoAlicersquos IP addr

encryptedpassword

OKAlicersquos IP addr

ldquoIrsquom AlicerdquoAlicersquos IP addr

encryptedpassword

Authentication yet another try

Goal avoid playback attack

Failures drawbacks

Nonce number (R) used only once ndashin-a-lifetime

ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice

must return R encrypted with shared secret keyldquoI am Alicerdquo

R

K (R)A-B

Alice is live and only Alice knows key to encrypt

nonce so it must be Alice

Authentication ap50

ap40 requires shared symmetric key can we authenticate using public key techniquesap50 use nonce public key cryptography

ldquoI am Alicerdquo

RBob computes

K (R)A-

ldquosend me your public keyrdquo

K A+

(K (R)) = RA

-K A

+

and knows only Alice could have the

private key that encrypted R such that

(K (R)) = RA-

K A+

ap50 security holeMan (woman) in the middle attack Trudy poses

as Alice (to Bob) and as Bob (to Alice)

I am Alice I am Alice

R

TK (R)

-

Send me your public key

TK

+A

K (R)-

Send me your public key

AK

+

TK (m)+

Tm = K (K (m))+

T-

Trudy gets

sends m to Alice encrypted

with Alicersquos public key

AK (m)+

Am = K (K (m))+

A-

R

ap50 security holeMan (woman) in the middle attack Trudy poses

as Alice (to Bob) and as Bob (to Alice)

Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well

Overview

What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures

Firewalls

isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others

firewall

administerednetwork

publicInternet

firewall

Firewalls Why

prevent denial of service attacks SYN flooding attacker establishes many bogus

TCP connections no resources left for ldquorealrdquo connections

prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with

something elseallow only authorized access to inside network (set of

authenticated usershosts)two types of firewalls

application-level packet-filtering

Packet Filtering

internal network connected to Internet via router firewall

router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits

Should arriving packet be allowed

in Departing packet let out

Packet Filtering

Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and

telnet connections are blocked

Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP

connections with internal clients but allows internal clients to connect to outside

Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow selected internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.
[Figure: host-to-gateway telnet session | application gateway | gateway-to-remote-host telnet session; router and filter in front of the gateway]

Limitations of firewalls and gateways
IP spoofing: the router can't know if data "really" comes from the claimed source.
If multiple applications need special treatment, each has its own application gateway.
Client software must know how to contact the gateway, e.g. must set the IP address of the proxy in the Web browser.
Filters often use an all-or-nothing policy for UDP.
Tradeoff: degree of communication with the outside world vs. level of security.
Many highly protected sites still suffer from attacks.

Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and countermeasures

Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on the network. Use ping to determine which hosts have addresses on the network. Port scanning: try to establish a TCP connection to each port in sequence.
Countermeasures?

Internet security threats
Mapping countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: Packet sniffing
Broadcast media: a promiscuous NIC reads all packets passing by and can read all unencrypted data (e.g. passwords). E.g. C sniffs B's packets.
[Figure: hosts A, B, C on a shared medium; frame src:B dest:A payload is seen by C]
Countermeasures?

Internet security threats: Packet sniffing countermeasures
All hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
One host per segment of broadcast media (switched Ethernet at the hub).
[Figure: A, B, C each on their own switched segment; frame src:B dest:A payload reaches only A]

Internet security threats: IP Spoofing
Can generate "raw" IP packets directly from the application, putting any value into the IP source address field.
The receiver can't tell if the source is spoofed. E.g. C pretends to be B.
[Figure: C sends a frame src:B dest:A payload to A]
Countermeasures?

Internet security threats: IP Spoofing: ingress filtering
Routers should not forward outgoing packets with invalid source addresses (e.g. a datagram source address not in the router's network).
Great, but ingress filtering cannot be mandated for all networks.
[Figure: C's frame src:B dest:A payload is stopped at C's router, since B's address is not in that network]

Internet security threats: Denial of service (DOS)
A flood of maliciously generated packets "swamps" the receiver.
Distributed DOS (DDOS): multiple coordinated sources swamp the receiver. E.g. C and a remote host SYN-attack A.
[Figure: C and a remote host send streams of SYN segments to A]
Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures
Filter out flooded packets (e.g. SYN) before they reach the host: throws out good with bad.
Traceback to the source of the floods (most likely an innocent, compromised machine).
[Figure: the SYN streams from C and the remote host are filtered before reaching A]
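The "record traffic entering the network" countermeasure from the mapping slide and the SYN-flood countermeasure above, as detection logic over a constructed traffic log (an added example, not part of the lecture). The log format, thresholds and addresses are made up; the two detectors look for the two patterns the slides name: one source probing ports in sequence, and many connection requests hitting one host within a second.

```python
"""Mapping and SYN-flood countermeasures from the slides: record inbound traffic, then look for
ports scanned sequentially and for bursts of connection requests to one host."""
from collections import defaultdict

SCAN_MIN_PORTS = 5           # distinct ports probed on one host by one source
FLOOD_SYNS_PER_SECOND = 100  # connection requests to one host within one second


def _constructed_flood(n: int) -> list:
    """n SYNs to 10.0.0.8:80 within second 5, from many (as if spoofed) sources."""
    return [f"5.{i:03d} 192.0.2.{i % 250 + 1} 10.0.0.8 TCP {20000 + i} 80 S" for i in range(n)]


# Constructed log of traffic entering the network: "time src dst proto sport dport flags"
# (S = SYN, A = ACK, - = none). Not a real capture.
SAMPLE_LOG = [
    "0.10 203.0.113.9 10.0.0.5 TCP 40001 21 S",
    "0.11 203.0.113.9 10.0.0.5 TCP 40002 22 S",
    "0.12 203.0.113.9 10.0.0.5 TCP 40003 23 S",
    "0.13 203.0.113.9 10.0.0.5 TCP 40004 24 S",
    "0.14 203.0.113.9 10.0.0.5 TCP 40005 25 S",
    "0.15 203.0.113.9 10.0.0.5 TCP 40006 26 S",
    "0.20 198.51.100.7 10.0.0.5 TCP 51000 80 S",   # one ordinary connection
    "0.21 198.51.100.7 10.0.0.5 TCP 51000 80 A",
    "0.30 198.51.100.7 10.0.0.5 UDP 53000 53 -",
] + _constructed_flood(150)


def parse(line: str) -> dict:
    ts, src, dst, proto, sport, dport, flags = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport), "flags": flags}


def is_connection_request(r: dict) -> bool:
    """A TCP segment with SYN set and ACK clear opens a connection."""
    return r["proto"] == "TCP" and "S" in r["flags"] and "A" not in r["flags"]


def detect_port_scans(records: list) -> list:
    """One source probing many distinct ports on one host; also report whether the
    ports were hit in sequence (consecutive numbers), as the slide describes."""
    ports = defaultdict(set)
    for r in records:
        if is_connection_request(r):
            ports[(r["src"], r["dst"])].add(r["dport"])
    alerts = []
    for (src, dst), pset in ports.items():
        if len(pset) < SCAN_MIN_PORTS:
            continue
        ordered = sorted(pset)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b == a + 1)
        sequential = steps >= len(ordered) // 2
        alerts.append(("port-scan", src, dst, len(pset), sequential))
    return alerts


def detect_syn_floods(records: list) -> list:
    """Many connection requests to one host within the same second, regardless of source
    (flood sources are spoofed or compromised machines, so per-source counting would miss it)."""
    per_second = defaultdict(int)
    for r in records:
        if is_connection_request(r):
            per_second[(r["dst"], int(r["ts"]))] += 1
    return [("syn-flood", dst, sec, n)
            for (dst, sec), n in per_second.items() if n >= FLOOD_SYNS_PER_SECOND]


def analyze(lines: list) -> list:
    """Run both detectors over raw log lines and return all alerts."""
    records = [parse(line) for line in lines]
    return detect_port_scans(records) + detect_syn_floods(records)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```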

Review (1): Network Layer
Virtual circuits and datagram networks
Routing principles
• Link state algorithm
• Distance vector algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation

Review (2): Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP
Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA/FDMA
• Random access protocols
• "Taking turns" protocols
Link-layer addressing
Ethernet
Hubs and switches
Mobile and wireless networks
CDMA
IEEE 802.11 wireless LANs

Review (3): Network Security
What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology and link cost information: "link state" algorithms.
Decentralized: a router knows its physically connected neighbors and the link costs to those neighbors; an iterative process of computation and exchange of information with neighbors: "distance vector" algorithms.
Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm
Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm: example
[Figure: six nodes u, v, w, x, y, z with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
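The pseudocode above run on the example graph, as added illustration code (not from the lecture); the graph is transcribed from the figure. It returns the final D(v) and p(v) columns of the table and also derives u's forwarding table (next hop per destination) by walking the predecessors back to u, which the slide does not show.

```python
"""Dijkstra's link-state algorithm as on the slide, run on the slide's example graph."""
import math

# The slide's example graph, transcribed from the figure: undirected links with costs.
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph: dict, u: str):
    """Return (D, p, order): least costs D(v), predecessors p(v), and the order in which
    nodes entered N'. Ties (v and y are both at cost 2 after step 1) may be broken either way;
    the slide takes y first, this code takes v first; the final costs are the same."""
    # Initialization: N' = {u}; D(v) = c(u,v) if v adjacent to u, else infinity
    N = {u}
    D = {v: math.inf for v in graph}
    p = {v: None for v in graph}
    D[u] = 0
    for v, cost in graph[u].items():
        D[v] = cost
        p[v] = u
    order = [u]
    # Loop until all nodes are in N'
    while len(N) < len(graph):
        # find w not in N' such that D(w) is a minimum
        w = min((v for v in graph if v not in N), key=lambda v: D[v])
        N.add(w)
        order.append(w)
        # update D(v) for all v adjacent to w and not in N'
        for v, cost in graph[w].items():
            if v not in N and D[w] + cost < D[v]:
                D[v] = D[w] + cost   # shorter path to v found, via w
                p[v] = w
    return D, p, order


def forwarding_table(graph: dict, u: str) -> dict:
    """Next hop from u for every destination: follow p(.) back until the node before u."""
    _, p, _ = dijkstra(graph, u)
    table = {}
    for dest in graph:
        if dest == u:
            continue
        hop = dest
        while p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, order = dijkstra(GRAPH, "u")
    print("order nodes entered N':", " ".join(order))
    for v in sorted(D):
        print(f"D({v}) = {D[v]}, p({v}) = {p[v]}")
    print("forwarding table at u:", forwarding_table(GRAPH, "u"))
```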

Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
Dx(y) ← min_v { c(x,v) + Dv(y) }   for each node y ∈ N
Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y).

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies its neighbors only when its DV changes; the neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path; it only knows the next hop.
Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

Distance vector algorithm: example
[Figure: three nodes with link costs c(x,y) = 2, c(x,z) = 7, c(y,z) = 1]
Each node's table has one row per node ("from"), giving that node's known cost to x, y, z. Time advances left to right as vectors are exchanged.

Node x table
  time 0:  from x: 0 2 7 | from y: ∞ ∞ ∞ | from z: ∞ ∞ ∞
  time 1:  from x: 0 2 3 | from y: 2 0 1 | from z: 7 1 0
  time 2:  from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0
Node y table
  time 0:  from x: ∞ ∞ ∞ | from y: 2 0 1 | from z: ∞ ∞ ∞
  time 1:  from x: 0 2 7 | from y: 2 0 1 | from z: 7 1 0
  time 2:  from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0
Node z table
  time 0:  from x: ∞ ∞ ∞ | from y: ∞ ∞ ∞ | from z: 7 1 0
  time 1:  from x: 0 2 7 | from y: 2 0 1 | from z: 3 1 0
  time 2:  from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0

Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
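The Bellman-Ford update and the synchronous exchange rounds from the three-node example, as an added example (not the lecture's code). It reproduces the two equations above term by term and shows the tables converging to the same values as on the slide; the link costs are the slide's.

```python
"""Distance vector (Bellman-Ford) computation for the slide's 3-node example."""
import math

# From the slide: link costs x-y 2, x-z 7, y-z 1 (symmetric links).
LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}


def build_costs(links: dict) -> dict:
    """c[a][b] = cost of the direct link a-b, in both directions."""
    c = {}
    for (a, b), cost in links.items():
        c.setdefault(a, {})[b] = cost
        c.setdefault(b, {})[a] = cost
    return c


def initial_tables(c: dict) -> dict:
    """Time 0: each node knows only its own row (direct link costs); every other row is infinity."""
    nodes = sorted(c)
    tables = {}
    for x in nodes:
        table = {row: {y: math.inf for y in nodes} for row in nodes}
        for y in nodes:
            table[x][y] = 0 if y == x else c[x].get(y, math.inf)
        tables[x] = table
    return tables


def bellman_ford_terms(x: str, y: str, c: dict, rows: dict) -> dict:
    """The candidates c(x,v) + Dv(y), one per neighbor v, as written out on the slide."""
    return {v: c[x][v] + rows[v][y] for v in c[x]}


def bellman_ford_update(x: str, c: dict, table: dict) -> bool:
    """Dx(y) <- min_v { c(x,v) + Dv(y) } for every y, using the neighbor rows x has received.
    Returns True if x's own distance vector changed."""
    new_row = {}
    for y in table[x]:
        new_row[y] = 0 if y == x else min(bellman_ford_terms(x, y, c, table).values())
    changed = new_row != table[x]
    table[x] = new_row
    return changed


def run(links: dict, max_rounds: int = 10):
    """Synchronous rounds: every node sends its own row to its neighbors, then all recompute.
    Returns (tables, n) where n is the number of rounds in which some vector changed."""
    c = build_costs(links)
    tables = initial_tables(c)
    for r in range(1, max_rounds + 1):
        for x in c:                      # each node receives its neighbors' current rows
            for v in c[x]:
                tables[x][v] = dict(tables[v][v])
        changed = [bellman_ford_update(x, c, tables[x]) for x in c]
        if not any(changed):
            return tables, r - 1
    return tables, max_rounds


if __name__ == "__main__":
    tables, rounds = run(LINKS)
    print(f"converged after {rounds} round(s) of change")
    for x in sorted(tables):
        print(f"node {x} table:", {row: tables[x][row] for row in sorted(tables[x])})
```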

The Internet Network layer
Host, router network layer functions:
Routing protocols: path selection; RIP, OSPF, BGP
IP protocol: addressing conventions; datagram format; packet handling conventions
ICMP protocol: error reporting; router "signaling"
[Figure: transport layer (TCP, UDP) above; network layer with routing protocols, IP protocol and forwarding table, ICMP protocol; link layer and physical layer below]

IP datagram format (32 bits per row)
ver: IP protocol version number
head. len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number of remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
Internet checksum
32-bit source IP address
32-bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)
How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
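A parser for the header layout above, with the Internet checksum check and the per-router TTL step, as an added example (not the lecture's code). The sample datagram is constructed here, reusing the addresses from the NAT slides; its 20-byte header plus a 20-byte TCP segment is the 40 bytes of overhead the slide counts.

```python
"""Parse the IPv4 header laid out on the slide, check its Internet checksum and apply a router's TTL step."""
import struct

# ver/hl, tos, length, identifier, flags+offset, ttl, protocol, checksum, src, dst
HEADER_FMT = "!BBHHHBBH4s4s"


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); over a header with a correct checksum field it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4: version {version}")
    if header_len < 20 or header_len > len(packet):
        raise ValueError(f"bad header length {header_len}")
    return {
        "version": version,
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "ident": ident,
        "flags": flags_frag >> 13,           # 3 flag bits
        "frag_offset": flags_frag & 0x1FFF,  # 13 bits, in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": packet[20:header_len],
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
    }


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Minimal 20-byte header (no options, DF set) with a correct checksum; used to build samples."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack(HEADER_FMT, 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def forward_hop(packet: bytes):
    """Router step for the TTL field: discard on bad checksum or expiry, else decrement and re-checksum."""
    hdr = parse_ipv4_header(packet)
    if not hdr["checksum_ok"] or hdr["ttl"] <= 1:
        return None   # a real router would also send ICMP time exceeded in the expiry case
    out = bytearray(packet)
    out[8] -= 1                       # TTL is byte 8 of the header
    out[10:12] = b"\x00\x00"          # checksum field zeroed before recomputing
    out[10:12] = struct.pack("!H", internet_checksum(bytes(out[:hdr["header_len"]])))
    return bytes(out)


# Constructed sample: 20-byte header + 20-byte TCP segment (the slide's 40 bytes of overhead),
# using the addresses from the NAT slides.
SAMPLE_PACKET = build_ipv4_header("10.0.0.1", "128.119.40.186", 6, 20) + bytes(20)

if __name__ == "__main__":
    for field, value in parse_ipv4_header(SAMPLE_PACKET).items():
        print(f"{field:12} {value}")
```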

IP Addressing: introduction
IP address: 32-bit identifier for a host or router interface.
Interface: connection between a host/router and a physical link. Routers typically have multiple interfaces; a host may have multiple interfaces. IP addresses are associated with each interface.
[Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]
223.1.1.1 = 11011111 00000001 00000001 00000001
              223      1        1        1

Subnets
IP address: subnet part (high order bits) and host part (low order bits).
What's a subnet? Device interfaces with the same subnet part of the IP address that can physically reach each other without an intervening router.
[Figure: the same interfaces (223.1.1.x, 223.1.2.x, 223.1.3.x) grouped into a network consisting of 3 subnets (LANs)]

IP addressing: CIDR
Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).
CIDR: Classless InterDomain Routing. The subnet portion of the address is of arbitrary length. Address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address.
11001000 00010111 00010000 00000000  =  200.23.16.0/23
subnet part: the first 23 bits; host part: the remaining 9 bits
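The CIDR split for 200.23.16.0/23 and the classful masks it replaced, together with the ingress-filtering rule from the IP spoofing slide, which is just a membership test of the source address against the router's own prefix (an added example, not lecture code; the outgoing traffic sample is constructed).

```python
"""CIDR arithmetic for the slide's 200.23.16.0/23 and ingress filtering as a source-prefix check."""
import ipaddress


def classful_prefix_length(address: str) -> int:
    """Pre-CIDR mask implied by the leading bits: class A /8, B /16, C /24."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("not a class A, B or C address")


def split_cidr(cidr: str) -> dict:
    """Subnet and host parts of a.b.c.d/x as bit strings, plus the address range it covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = f"{int(net.network_address):032b}"
    return {
        "subnet_bits": bits[: net.prefixlen],
        "host_bits": bits[net.prefixlen:],
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,
    }


def ingress_filter(datagrams, local_prefix: str):
    """Router rule from the IP spoofing slide: forward an outgoing datagram only if its source
    address lies inside the router's own network; everything else is dropped."""
    net = ipaddress.ip_network(local_prefix)
    forwarded, dropped = [], []
    for src, dst in datagrams:
        if ipaddress.ip_address(src) in net:
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))
    return forwarded, dropped


# Constructed outgoing traffic as seen by the border router of 200.23.16.0/23.
OUTGOING = [
    ("200.23.16.5", "198.51.100.1"),    # inside the /23
    ("200.23.17.250", "198.51.100.2"),  # still inside (second half of the /23)
    ("200.23.18.1", "198.51.100.3"),    # just outside the /23
    ("10.0.0.1", "198.51.100.4"),       # private source: cannot legitimately leave this network
]

if __name__ == "__main__":
    parts = split_cidr("200.23.16.0/23")
    print(f"subnet part ({len(parts['subnet_bits'])} bits): {parts['subnet_bits']}")
    print(f"host part   ({len(parts['host_bits'])} bits): {parts['host_bits']}")
    print(f"range {parts['first']} - {parts['last']} ({parts['addresses']} addresses)")
    fwd, drop = ingress_filter(OUTGOING, "200.23.16.0/23")
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```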

NAT: Network Address Translation
[Figure: local network (e.g. home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router with LAN side 10.0.0.4 and WAN side 138.76.29.7; rest of the Internet]
Datagrams with source or destination in this network have 10.0.0/24 addresses for source, destination (as usual).
All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation
1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80.
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. The NAT router changes the datagram's source address from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table.
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. The reply arrives with destination address 138.76.29.7, 5001.
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. The NAT router changes the datagram's destination address from 138.76.29.7, 5001 to 10.0.0.1, 3345.
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
WAN side addr         LAN side addr
138.76.29.7, 5001     10.0.0.1, 3345
……                    ……
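The four steps above as a NAT router simulation with its translation table (an added example, not the lecture's code), using the slide's addresses and port numbers. It also shows what the slide implies but does not state: an inbound datagram with no table entry has nowhere to go and is dropped, and a second internal flow gets the next WAN port.

```python
"""NAT router from the slide's walkthrough: outbound datagrams get the single WAN address and a
fresh port, the translation table maps replies back, and unsolicited inbound datagrams are dropped."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip: str, lan_prefix: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan_prefix)
        self.next_port = first_port
        self.table = {}     # (WAN addr, WAN port) -> (LAN addr, LAN port), as on the slide
        self._by_lan = {}   # reverse index used in the outbound direction

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite source (LAN addr, port) to (WAN addr, port) and record the mapping."""
        if ipaddress.ip_address(d.src_ip) not in self.lan:
            return d   # not from the local network: nothing to translate
        lan_key = (d.src_ip, d.src_port)
        if lan_key not in self._by_lan:
            wan_key = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.table[wan_key] = lan_key
            self._by_lan[lan_key] = wan_key
        wan_ip, wan_port = self._by_lan[lan_key]
        return replace(d, src_ip=wan_ip, src_port=wan_port)

    def inbound(self, d: Datagram):
        """Step 4: look up (WAN addr, port) and rewrite the destination; None if there is no entry."""
        lan_key = self.table.get((d.dst_ip, d.dst_port))
        if lan_key is None:
            return None
        return replace(d, dst_ip=lan_key[0], dst_port=lan_key[1])


def walkthrough():
    """The slide's four steps with its addresses; returns the router and the datagram after each step."""
    nat = NatRouter("138.76.29.7", "10.0.0.0/24")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)               # host sends
    step2 = nat.outbound(step1)                                             # NAT rewrites source
    step3 = Datagram("128.119.40.186", 80, step2.src_ip, step2.src_port)    # reply arrives
    step4 = nat.inbound(step3)                                              # NAT rewrites destination
    return nat, [step1, step2, step3, step4]


if __name__ == "__main__":
    nat, steps = walkthrough()
    for i, d in enumerate(steps, 1):
        print(f"{i}: S: {d.src_ip}, {d.src_port}   D: {d.dst_ip}, {d.dst_port}")
    print("translation table:", nat.table)
```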

Hierarchical Routing
Our routing study thus far: idealization: all routers identical, network "flat"... not true in practice.
Scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.
Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing
Aggregate routers into regions, "autonomous systems" (AS).
Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol. Routers in different ASes can run different intra-AS routing protocols.
Gateway router: has a direct link to a router in another AS.
[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); inside a router, the intra-AS routing algorithm and the inter-AS routing algorithm both write the forwarding table]

Interconnected ASes
The forwarding table is configured by both the intra- and inter-AS routing algorithms: intra-AS sets entries for internal destinations; inter-AS and intra-AS set entries for external destinations.

Routing in the Internet
Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)
Distance vector algorithm; included in the BSD-UNIX distribution in 1982.
Distance metric: number of hops (max = 15 hops). Number of hops = number of subnets traversed along the shortest path from the source router to the destination subnet (e.g. source = A).
[Figure: routers A, B, C, D; subnets u, v, w, x, y, z]
destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements
Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).
Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)
"Open": publicly available.
Uses the link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs are configured by the network administrator.
An OSPF advertisement carries one entry per neighbor router.
Advertisements are disseminated to the entire AS (via flooding), carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)
Security: all OSPF messages are authenticated (to prevent malicious intrusion).
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF
Two-level hierarchy: local area, backbone.
Link-state advertisements only within an area; each node has the detailed area topology.
Area border routers: "summarize" distances to nets in their own area and advertise them to the other area border routers.
Backbone routers: run OSPF routing limited to the backbone.
Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP
BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics
Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.
[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes and BGP routes
When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".
Two important attributes:
AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17.
NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
When a gateway router receives a route advert, it uses its import policy to accept or decline it.

Why different Intra- and Inter-AS routing?
Policy: Inter-AS: the admin wants control over how its traffic is routed and over who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size and reduces update traffic.
Performance: Intra-AS can focus on performance. Inter-AS: policy may dominate over performance.

Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along a communication path are links: wired links, wireless links, LANs.
A layer-2 packet is a frame; it encapsulates a datagram.
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services
Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and destination
• different from IP address!
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3!); seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates
• Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use.
Random access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access. Access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: 6-station LAN; stations 1, 3, 4 have packets, slots 2, 5, 6 are idle.
TDM (Time Division Multiplexing): the channel is divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): the frequency band is subdivided.

Slotted ALOHA
Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized: only the slots in the nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p.
Prob that node 1 has success in a slot = p(1-p)^(N-1)
Prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: the channel is used for useful transmissions 37% of the time!

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If the channel is sensed idle, transmit the entire frame. If the channel is sensed busy, defer transmission.
Human analogy: don't interrupt others!

CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
Collision: the entire packet transmission time is wasted.
[Figure: spatial layout of nodes vs. time, two transmissions overlapping]
Note: role of distance and propagation delay in determining collision probability.

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs: measure signal strengths, compare transmitted and received signals; difficult in wireless LANs: the receiver is shut off while transmitting.
CSMA/CD collision detection
[Figure: spatial layout of nodes vs. time; both transmitters abort shortly after the collision]

"Taking Turns" MAC protocols
Polling: the master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: a control token is passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B knowing B's IP address?
[Figure: LAN with four nodes with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address. Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out). Soft state: information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.
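The query/reply exchange and the soft-state cache above as a small LAN simulation (an added example, not lecture code). The IP addresses are the slide's; the MAC addresses are made-up locally administered ones, and the LAN model is a plain broadcast segment.

```python
"""ARP on one LAN as the slide describes it: broadcast query, unicast reply, and a soft-state
cache whose entries are forgotten after the TTL unless refreshed."""
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_TTL_SECONDS = 20 * 60   # "typically 20 min"


class Lan:
    """A broadcast segment: every attached node sees broadcast frames; unicast goes to one MAC."""

    def __init__(self):
        self.nodes = []
        self.frames = []   # (src MAC, dst MAC, payload), kept for inspection

    def send(self, sender, dst_mac, payload, now):
        self.frames.append((sender.mac, dst_mac, payload))
        for node in self.nodes:
            if node is not sender and (dst_mac == BROADCAST_MAC or node.mac == dst_mac):
                node.receive(sender.mac, payload, now)


class Node:
    def __init__(self, ip, mac, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_table = {}   # IP -> (MAC, expiry time)
        lan.nodes.append(self)

    def cached_mac(self, ip, now):
        entry = self.arp_table.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if now >= expires:            # soft state: times out unless refreshed
            del self.arp_table[ip]
            return None
        return mac

    def resolve(self, ip, now):
        """Return the MAC for ip, broadcasting an ARP query first if it is not cached."""
        mac = self.cached_mac(ip, now)
        if mac is None:
            self.lan.send(self, BROADCAST_MAC, ("ARP-QUERY", self.ip, ip), now)
            mac = self.cached_mac(ip, now)   # filled in by the reply, if any node answered
        return mac

    def receive(self, src_mac, payload, now):
        kind = payload[0]
        if kind == "ARP-QUERY" and payload[2] == self.ip:
            # only the owner of the queried IP answers, unicast to the asker's MAC
            self.lan.send(self, src_mac, ("ARP-REPLY", self.ip, self.mac), now)
        elif kind == "ARP-REPLY":
            self.arp_table[payload[1]] = (payload[2], now + ARP_TTL_SECONDS)


def build_lan():
    """Constructed LAN with the slide's IP addresses and made-up locally administered MACs."""
    lan = Lan()
    a = Node("237.196.7.78", "02-00-00-00-00-01", lan)
    b = Node("237.196.7.23", "02-00-00-00-00-02", lan)
    Node("237.196.7.14", "02-00-00-00-00-03", lan)
    Node("237.196.7.88", "02-00-00-00-00-04", lan)
    return lan, a, b


if __name__ == "__main__":
    lan, a, b = build_lan()
    print("A resolves B:", a.resolve(b.ip, now=0))
    for frame in lan.frames:
        print("  frame", frame)
    print("A's ARP table:", a.arp_table)
```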

Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find the MAC address E6-E9-00-17-BB-4B, etc.
A creates a datagram with source A, destination B.
A uses ARP to get R's MAC address for 111.111.111.110.
A creates a link-layer frame with R's MAC address as dest; the frame contains the A-to-B IP datagram.
A's adapter sends the frame; R's adapter receives the frame.
R removes the IP datagram from the Ethernet frame and sees it's destined to B.
R uses ARP to get B's MAC address.
R creates a frame containing the A-to-B IP datagram and sends it to B.
[Figure: A on one LAN, router R, B on the other LAN]

Ethernet uses CSMA/CD
No slots.
An adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
A transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
Before attempting a retransmission, the adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the net layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the mth collision, the adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K·512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, the wait time is about 50 msec.
Exponential backoff: goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer.
First collision: choose K from {0,1}; the delay is K·512 bit transmission times.
After the second collision: choose K from {0,1,2,3}...
After ten collisions: choose K from {0,1,2,3,4,...,1023}.

CSMA/CD efficiency
tprop = max propagation delay between 2 nodes in the LAN
ttrans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 tprop/ttrans)
Efficiency goes to 1 as tprop goes to 0.
Goes to 1 as ttrans goes to infinity.
Much better than ALOHA, but still decentralized, simple and cheap.
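The efficiency formulas from the slotted ALOHA slide and the CSMA/CD slide above, plus the Ethernet backoff arithmetic, as an added example (not the lecture's code). It carries the maximization of Np(1-p)^(N-1) through to p* = 1/N and checks the 1/e limit and the "about 50 msec" figure numerically; capping the backoff exponent at 10 is the IEEE 802.3 rule, which the slide only implies by stopping at ten collisions.

```python
"""Efficiency numbers from the slotted ALOHA and CSMA/CD slides, and Ethernet's exponential backoff."""
import math


def aloha_success_prob(n: int, p: float) -> float:
    """Probability that exactly one of N ready nodes transmits in a slot: N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def slotted_aloha_efficiency(n: int) -> float:
    """Max over p of N p (1-p)^(N-1). d/dp gives N (1-p)^(N-2) [(1-p) - (N-1)p] = 0, so p* = 1/N
    and the maximum is (1 - 1/N)^(N-1), which tends to 1/e = .37 as N grows."""
    return aloha_success_prob(n, 1.0 / n)


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 tprop/ttrans): goes to 1 as tprop -> 0 or ttrans -> infinity."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def backoff_range(collisions: int) -> tuple:
    """After the m-th collision K is drawn from {0, ..., 2^m - 1}. The slide stops at ten
    collisions (0..1023); capping the exponent at 10 is the IEEE 802.3 rule, added here."""
    m = min(collisions, 10)
    return 0, 2 ** m - 1


def backoff_wait_seconds(k: int, bit_rate: float) -> float:
    """K * 512 bit times; at 10 Mbps a bit time is .1 microsecond."""
    return k * 512 / bit_rate


if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print(f"N={n:5d}  slotted ALOHA max efficiency {slotted_aloha_efficiency(n):.4f}")
    print(f"1/e = {1 / math.e:.4f}")
    print(f"CSMA/CD efficiency at tprop/ttrans = 0.1: {csma_cd_efficiency(0.1, 1.0):.3f}")
    lo, hi = backoff_range(10)
    print(f"after 10 collisions K in [{lo}, {hi}]; worst wait at 10 Mbps "
          f"{backoff_wait_seconds(hi, 10e6) * 1e3:.1f} ms")
```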

Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out on all other links, at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions; provides net management functionality
• can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs
Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
[Figure: a backbone hub connecting three department hubs]

Switch
Link layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC dest address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding
• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each connected to a hub]

Self learning
A switch has a switch table. Entry in the switch table: (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment. It records the sender/location pair in the switch table.

Switch: traffic isolation
Switch installation breaks the subnet into LAN segments.
The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.
[Figure: switch connecting three hubs; each hub and its hosts form a separate collision domain]
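The self-learning table, selective forwarding, flooding of unknown destinations and same-segment filtering described on the last two slides, as an added example (not lecture code). The frame sequence and the 3-interface layout are constructed; the table TTL is the slide's 60 minutes.

```python
"""Self-learning switch from the slides: learn (MAC, interface, time stamp) from each frame's
source, forward selectively, flood unknown destinations, and filter same-segment traffic."""
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
TABLE_TTL_SECONDS = 60 * 60   # "TTL can be 60 min"


class LearningSwitch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}   # MAC -> (interface, time stamp of the last frame seen from it)

    def _drop_stale(self, now):
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp >= TABLE_TTL_SECONDS:
                del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Return the interfaces the frame is sent out on ([] means it was filtered)."""
        self._drop_stale(now)
        self.table[src_mac] = (in_iface, now)   # learn (or refresh) the sender's location
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST_MAC or entry is None:
            # unknown destination: flood out every interface except the incoming one
            return [i for i in self.interfaces if i != in_iface]
        out_iface = entry[0]
        if out_iface == in_iface:
            return []          # same LAN segment: filter; the segments stay separate collision domains
        return [out_iface]     # selective forwarding


def replay(switch, frames):
    """Run (time, src, dst, interface) frames through the switch; returns the output interfaces per frame."""
    return [switch.receive(src, dst, iface, t) for t, src, dst, iface in frames]


# Constructed sequence on a 3-interface switch: hosts A and C hang off interface 1's hub, B off interface 2.
FRAMES = [
    (0,    "A", "B", 1),             # B unknown: flood to 2 and 3
    (1,    "B", "A", 2),             # A known at 1: forward only to 1
    (2,    "C", "A", 1),             # A is on the incoming segment: filtered
    (3,    "B", BROADCAST_MAC, 2),   # broadcast: flood
    (3700, "B", "A", 2),             # A's entry (stamp 0) has aged out: flood again
]

if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    for frame, out in zip(FRAMES, replay(sw, FRAMES)):
        print(f"t={frame[0]:5d} {frame[1]} -> {frame[2]} in on {frame[3]}: out on {out}")
    print("switch table:", sw.table)
```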

Switches vs. Routers
Both are store-and-forward devices: routers are network layer devices (they examine network layer headers); switches are link layer devices.
Routers maintain routing tables and implement routing algorithms.
Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison
                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.
[Figure: A, B, C in a line; A's and C's ranges each cover B but not each other]
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.
[Figure: A's signal strength and C's signal strength vs. space, each fading out before reaching the other]

IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer
• all hosts use the same chipping code
widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture
A wireless host communicates with a base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station.
Ad hoc mode: hosts only.
[Figure: BSS 1 and BSS 2, each with an AP, connected via a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then: start a random backoff time; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.
802.11 receiver
If the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange
[Figure, time running downward: A and B both send RTS to the AP and the reservation requests collide; A sends RTS(A) again; the AP broadcasts CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A), heard by both]

802.11 frame (field sizes in bytes):
frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)

802.11 frame: addressing
Address 1: MAC address of the wireless host or AP to receive this frame
Address 2: MAC address of the wireless host or AP transmitting this frame
Address 3: MAC address of the router interface to which the AP is attached
Address 4: used only in ad hoc mode
[Figure: H1 — AP — R1 (Internet router).
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]

Network Security
What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Page 8: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

RSA Choosing keys

1 Choose two large prime numbers p q (eg 1024 bits each)

2 Compute n = pq z = (p-1)(q-1)

3 Choose e (with eltn) that has no common factors with z (e z are ldquorelatively primerdquo)

4 Choose d such that ed-1 is exactly divisible by z (in other words ed mod z = 1 )

5 Public key is (ne) Private key is (nd)

K B+ K B

-

RSA Encryption decryption

0 Given (ne) and (nd) as computed above

1 To encrypt bit pattern m compute

c = m mod n

e (ie remainder when m is divided by n)e

2 To decrypt received bit pattern c compute

m = c mod n

d (ie remainder when c is divided by n)d

m = (m mod n)

e mod n

dMagichappens

c

RSA example

Bob chooses p=5 q=7 Then n=35 z=24e=5 (so e z relatively prime)d=29 (so ed-1 exactly divisible by z

letter m me c = m mod ne

l 12 1524832 17

c m = c mod nd

17 481968572106750915091411825223071697 12

cdletter

l

encrypt

decrypt

RSA Why is that m = (m mod n)

e mod n

d

(m mod n)

e mod n = m mod n

d ed

Useful number theory result If pq prime and n = pq then

x mod n = x mod ny y mod (p-1)(q-1)

= m mod n

ed mod (p-1)(q-1)

= m mod n1

= m

(using number theory result above)

(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )

RSA another important property

The following property will be very useful later

K (K (m)) = m BB

- +K (K (m))

BB+ -

=

use public key first followed

by private key

use private key first

followed by public key

Result is the same

Overview

What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures

Authentication

Goal Bob wants Alice to ldquoproverdquo her identity to him

Protocol ap10 Alice says ldquoI am Alicerdquo

Failure scenarioldquoI am Alicerdquo

Authentication

Goal Bob wants Alice to ldquoproverdquo her identity to him

Protocol ap10 Alice says ldquoI am Alicerdquo

in a networkBob can not ldquoseerdquo

Alice so Trudy simply declares

herself to be AliceldquoI am Alicerdquo

Authentication another try

Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address

Failure scenario

ldquoI am AlicerdquoAlicersquos

IP address

Authentication another try

Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address

Trudy can createa packet

ldquospoofingrdquoAlicersquos addressldquoI am Alicerdquo

Alicersquos IP address

Authentication another try

Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it

Failure scenario

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

OKAlicersquos IP addr

Authentication another try

Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it

playback attack Trudy records Alicersquos

packetand later

plays it back to Bob

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

OKAlicersquos IP addr

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

Authentication yet another try

Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it

Failure scenario

ldquoIrsquom AlicerdquoAlicersquos IP addr

encrypted password

OKAlicersquos IP addr

Authentication another try

Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it

recordand

playbackstill works

ldquoIrsquom AlicerdquoAlicersquos IP addr

encryptedpassword

OKAlicersquos IP addr

ldquoIrsquom AlicerdquoAlicersquos IP addr

encryptedpassword

Authentication yet another try

Goal avoid playback attack

Failures drawbacks

Nonce number (R) used only once ndashin-a-lifetime

ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice

must return R encrypted with shared secret keyldquoI am Alicerdquo

R

K (R)A-B

Alice is live and only Alice knows key to encrypt

nonce so it must be Alice

Authentication: ap5.0

ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography.

  Alice -> Bob: “I am Alice”
  Bob -> Alice: R
  Alice -> Bob: K_A^-(R)
  Bob -> Alice: “send me your public key”
  Alice -> Bob: K_A^+

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice). The two conversations run side by side:

  Alice -> Trudy: “I am Alice”                    Trudy -> Bob: “I am Alice”
  Trudy -> Alice: R                               Bob -> Trudy: R
  Alice -> Trudy: K_A^-(R)                        Trudy -> Bob: K_T^-(R)
  Trudy -> Alice: “send me your public key”       Bob -> Trudy: “send me your public key”
  Alice -> Trudy: K_A^+                           Trudy -> Bob: K_T^+
                                                  Bob -> Trudy: K_T^+(m)

Trudy gets m = K_T^-(K_T^+(m)), then sends m to Alice encrypted with Alice’s public key, K_A^+(m); Alice recovers m = K_A^-(K_A^+(m)).

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall the conversation). The problem is that Trudy receives all messages as well. The root cause is that Bob accepts whatever public key arrives in the “send me your public key” step; nothing binds that key to Alice.

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Firewalls

A firewall isolates an organization’s internal net from the larger Internet, allowing some packets to pass and blocking others.

  administered network <-> firewall <-> public Internet

Firewalls: Why?

Prevent denial of service attacks: SYN flooding, where an attacker establishes many bogus TCP connections so that no resources are left for “real” connections.

Prevent illegal modification/access of internal data, e.g., attacker replaces CIA’s homepage with something else.

Allow only authorized access to inside network (set of authenticated users/hosts).

Two types of firewalls: application-level and packet-filtering.

Packet Filtering

Internal network connected to Internet via router firewall. The router filters packet-by-packet; the decision to forward/drop a packet is based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should an arriving packet be allowed in? Should a departing packet be let out?

Example 1: block incoming and outgoing datagrams with IP protocol field = 17, and block those with either source or dest port = 23. Result: all incoming and outgoing UDP flows and all telnet connections are blocked.

Example 2: block inbound TCP SYN packets (SYN set, ACK clear). Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside, because the SYN/ACK that comes back to them carries the ACK bit and passes.

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

  host-to-gateway telnet session -> application gateway -> gateway-to-remote-host telnet session (through the router and filter)

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between the 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

IP spoofing: router can’t know if data “really” comes from claimed source.
If multiple app’s need special treatment, each has its own app gateway.
Client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser.
Filters often use all-or-nothing policy for UDP.
Tradeoff: degree of communication with outside world vs. level of security.
Many highly protected sites still suffer from attacks.

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Internet security threats

Mapping: before attacking, “case the joint”: find out what services are implemented on the network. Use ping to determine what hosts have addresses on the network. Port-scanning: try to establish a TCP connection to each port in sequence.

Countermeasures

Mapping countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: Packet sniffing

Broadcast media: a promiscuous NIC reads all packets passing by, so it can read all unencrypted data (e.g., passwords). E.g., C sniffs B’s packets:

  B -> A: src:B dest:A payload  (C, on the same segment, reads it too)

Countermeasures

Packet sniffing countermeasures:
All hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
One host per segment of broadcast media (switched Ethernet instead of a hub): the frame from B to A is forwarded only on A’s port, so C no longer sees it.

Internet security threats: IP Spoofing

Can generate “raw” IP packets directly from the application, putting any value into the IP source address field. The receiver can’t tell if the source is spoofed. E.g., C pretends to be B:

  C -> A: src:B dest:A payload

Countermeasures

IP spoofing countermeasure: ingress filtering. Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in the router’s network). Great, but ingress filtering cannot be mandated for all networks: a packet spoofed from inside a network that does not filter still arrives looking genuine.
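A stateless packet filter that implements the two packet-filtering examples above (drop UDP and telnet; drop inbound TCP SYNs so only internally initiated connections succeed) together with ingress filtering on the source address, as an added example that is not part of the slides. It assumes packets are described by a small record rather than parsed from the wire, that the administered network is the constructed prefix 192.0.2.0/24, and that direction is derived from which side of that prefix the addresses fall on.

```python
"""Stateless packet filter: the slides' Examples 1 and 2 plus ingress filtering.

Added illustration, not code from the slides. Assumptions: packets are a small
dataclass; the 'internal' side is the constructed prefix 192.0.2.0/24; a
packet is inbound when its destination is internal and its source is not.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")   # constructed administered network
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


def inbound(p):
    """Inbound means arriving from the public Internet, destined inside."""
    return ip_address(p.dst) in INTERNAL and ip_address(p.src) not in INTERNAL


def verdict(p):
    """Return 'drop: <rule>' for the first rule that fires, else 'forward'."""
    # Ingress filtering: a packet leaving the network must carry a source
    # address from the prefix this router serves, or it is a spoof.
    if not inbound(p) and ip_address(p.src) not in INTERNAL:
        return "drop: spoofed source leaving network"
    # Example 1: block all UDP (IP protocol field 17) ...
    if p.proto == PROTO_UDP:
        return "drop: UDP (protocol 17)"
    # ... and anything with the telnet port on either end.
    if 23 in (p.sport, p.dport):
        return "drop: telnet port 23"
    # Example 2: block inbound connection attempts (SYN set, ACK clear).
    # A SYN/ACK answering an internally initiated connection carries ACK
    # and is allowed through, so inside hosts can still reach outside.
    if inbound(p) and p.proto == PROTO_TCP and p.syn and not p.ack:
        return "drop: inbound TCP SYN"
    return "forward"


# Constructed test traffic.
SAMPLES = {
    "dns_query_out":   Packet("192.0.2.10", "198.51.100.53", PROTO_UDP, 5353, 53),
    "telnet_in":       Packet("198.51.100.7", "192.0.2.10", PROTO_TCP, 40000, 23, syn=True),
    "web_connect_in":  Packet("198.51.100.7", "192.0.2.80", PROTO_TCP, 40001, 80, syn=True),
    "web_connect_out": Packet("192.0.2.10", "198.51.100.80", PROTO_TCP, 40002, 80, syn=True),
    "web_reply_in":    Packet("198.51.100.80", "192.0.2.10", PROTO_TCP, 80, 40002, syn=True, ack=True),
    "spoofed_out":     Packet("203.0.113.9", "198.51.100.80", PROTO_TCP, 40003, 80, syn=True),
}


def run_all():
    return {name: verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_all().items():
        print(f"{name:16s} {v}")
```

Note the limitation the slides call out: the filter trusts the source address it sees. It can stop spoofed packets from leaving its own network, but an inbound packet claiming any outside source is accepted at face value.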

Internet security threats: Denial of service (DOS)

Flood of maliciously generated packets “swamp” the receiver. Distributed DOS (DDOS): multiple coordinated sources swamp the receiver. E.g., C and a remote host SYN-attack A:

  C -> A: SYN SYN SYN ...
  remote host -> A: SYN SYN SYN ...

Countermeasures

Denial of service (DOS) countermeasures:
Filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad.
Traceback to source of floods (most likely an innocent, compromised machine).
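Detection logic for the two countermeasures above (sequential port scans from the mapping slide, SYN floods from this one) run over constructed packet-log lines, as an added example that is not part of the slides. The one-line-per-packet log format and the thresholds (a run of 5 consecutive ports, more than 50 bare SYNs to one host within a second) are assumptions for the sample; a real deployment tunes them per site.

```python
"""Detection over packet-log lines: sequential port scans and SYN floods.

Added illustration, not code from the slides. Assumptions: the log format is
a constructed one-line-per-packet text format; thresholds are chosen for the
sample and would be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)

SCAN_RUN = 5        # consecutive destination ports from one source
FLOOD_SYNS = 50     # bare SYNs to one destination within one second


def parse(lines):
    """Yield (timestamp, src, dst, dport, flags) for lines that match."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                   int(m["dport"]), m["flags"])


def longest_consecutive_run(ports):
    """Length of the longest run p, p+1, p+2, ... among distinct ports."""
    s = sorted(set(ports))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_scans(lines):
    """Sources that probed at least SCAN_RUN consecutive ports on one host."""
    probes = defaultdict(list)                      # (src, dst) -> [dport]
    for _, src, dst, dport, flags in parse(lines):
        if "S" in flags and "A" not in flags:       # connection attempts only
            probes[(src, dst)].append(dport)
    return sorted(src for (src, dst), ports in probes.items()
                  if longest_consecutive_run(ports) >= SCAN_RUN)


def detect_syn_floods(lines):
    """Destinations receiving more than FLOOD_SYNS bare SYNs in one second."""
    per_second = defaultdict(int)                   # (dst, second) -> count
    for ts, _, dst, _, flags in parse(lines):
        if "S" in flags and "A" not in flags:
            per_second[(dst, ts.replace(microsecond=0))] += 1
    return sorted({dst for (dst, _), n in per_second.items() if n > FLOOD_SYNS})


def sample_log():
    """Constructed traffic: one sequential scan, one SYN flood, some normal use."""
    lines = []
    # Trudy at 198.51.100.7 walks ports 20..29 on 192.0.2.10 in sequence.
    for i, port in enumerate(range(20, 30)):
        lines.append(f"2016-03-10T10:00:0{i} src=198.51.100.7 dst=192.0.2.10 "
                     f"proto=tcp sport={40000 + i} dport={port} flags=S")
    # A normal client opens two unrelated connections and gets a reply.
    lines.append("2016-03-10T10:00:01 src=198.51.100.9 dst=192.0.2.80 proto=tcp sport=50000 dport=80 flags=S")
    lines.append("2016-03-10T10:00:01 src=192.0.2.80 dst=198.51.100.9 proto=tcp sport=80 dport=50000 flags=SA")
    lines.append("2016-03-10T10:00:02 src=198.51.100.9 dst=192.0.2.80 proto=tcp sport=50001 dport=443 flags=S")
    # Many (spoofed) sources fire 80 SYNs at 192.0.2.25 within the same second.
    for i in range(80):
        lines.append(f"2016-03-10T10:00:05 src=203.0.113.{i % 250} dst=192.0.2.25 "
                     f"proto=tcp sport={1024 + i} dport=80 flags=S")
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("sequential scanners:", detect_scans(log))
    print("SYN-flooded hosts:  ", detect_syn_floods(log))
```

The flood detector keys on the destination rather than the source for exactly the reason the slide gives: the sources are spoofed or compromised, so any filter placed in front of 192.0.2.25 on this signal will also discard the legitimate SYN that arrives in the same second.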

Review (1): Network Layer

Virtual Circuits and Datagram Networks
Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2): Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP
Data link layer
  Introduction and services
  Error detection and correction
  Multiple access protocols
    • TDMA/FDMA
    • Random Access Protocols
    • “Taking Turns” Protocols
  Link-Layer Addressing
  Ethernet
  Hubs and switches
  Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3): What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
  Global: all routers have complete topology, link cost info: “link state” algorithms.
  Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors: “distance vector” algorithms.

Static or dynamic?
  Static: routes change slowly over time.
  Dynamic: routes change more quickly; periodic update in response to link cost changes.

Dijkstra’s Algorithm

  Initialization:
    N = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
      else D(v) = ∞

  Loop
    find w not in N such that D(w) is a minimum
    add w to N
    update D(v) for all v adjacent to w and not in N:
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N

Dijkstra’s algorithm example

  Step  N       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
  0     u       2,u        5,u        1,u        ∞          ∞
  1     ux      2,u        4,x                   2,x        ∞
  2     uxy     2,u        3,y                              4,y
  3     uxyv               3,y                              4,y
  4     uxyvw                                               4,y
  5     uxyvwz

Link costs in the example graph (from the figure): c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2.

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:

  D_x(y) <- min_v { c(x,v) + D_v(y) }   for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn’t know the entire path; it only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

Distance vector example

Network: x and y joined by a link of cost 2, y and z by a link of cost 1, and x and z directly by a link of cost 7.

Node x table (rows: from x, y, z; columns: cost to x y z):
  time 0:  x: 0 2 7 | y: ∞ ∞ ∞ | z: ∞ ∞ ∞
  time 1:  x: 0 2 3 | y: 2 0 1 | z: 7 1 0
  time 2:  x: 0 2 3 | y: 2 0 1 | z: 3 1 0

Node y table:
  time 0:  x: ∞ ∞ ∞ | y: 2 0 1 | z: ∞ ∞ ∞
  time 1:  x: 0 2 7 | y: 2 0 1 | z: 7 1 0
  time 2:  x: 0 2 3 | y: 2 0 1 | z: 3 1 0

Node z table:
  time 0:  x: ∞ ∞ ∞ | y: ∞ ∞ ∞ | z: 7 1 0
  time 1:  x: 0 2 7 | y: 2 0 1 | z: 3 1 0
  time 2:  x: 0 2 3 | y: 2 0 1 | z: 3 1 0

  D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
  D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
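The three-node exchange above simulated end to end, as an added example that is not part of the slides. Each node keeps only its neighbors’ latest vectors, recomputes with the Bellman-Ford equation when one arrives, and notifies its neighbors only if its own vector changed, which is the “distributed, asynchronous” behaviour described on the previous slide; the round-based scheduling of messages is an assumption of the simulation.

```python
"""Distance-vector (Bellman-Ford) routing on the slide's three-node example.

Added illustration, not code from the slides. Each node stores its neighbors'
most recent distance vectors and recomputes D_x(y) = min_v { c(x,v) + D_v(y) }
whenever a neighbor's vector arrives; the driver runs rounds of exchanges
until no vector changes. Costs are the slide's: c(x,y)=2, c(y,z)=1, c(x,z)=7.
"""
import math

COSTS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}


def neighbors(costs):
    nbrs = {}
    for (a, b), c in costs.items():
        nbrs.setdefault(a, {})[b] = c
        nbrs.setdefault(b, {})[a] = c
    return nbrs


class Node:
    def __init__(self, name, links, all_nodes):
        self.name, self.links = name, links            # links: neighbor -> cost
        # Own DV at time 0: direct costs, infinity elsewhere (the slide's first rows).
        self.dv = {d: (0 if d == name else links.get(d, math.inf)) for d in all_nodes}
        self.next_hop = {d: (d if d in links else None) for d in all_nodes}
        self.neighbor_dv = {n: {d: math.inf for d in all_nodes} for n in links}

    def receive(self, sender, dv):
        """Store a neighbor's DV and re-run Bellman-Ford. True if own DV changed."""
        self.neighbor_dv[sender] = dict(dv)
        changed = False
        for dest in self.dv:
            if dest == self.name:
                continue
            best_cost, best_hop = math.inf, None
            for v, c in self.links.items():
                cand = c + self.neighbor_dv[v][dest]
                if cand < best_cost:
                    best_cost, best_hop = cand, v
            # The direct link stays if nothing learned from neighbors beats it.
            if dest in self.links and self.links[dest] <= best_cost:
                best_cost, best_hop = self.links[dest], dest
            if best_cost != self.dv[dest]:
                self.dv[dest], self.next_hop[dest], changed = best_cost, best_hop, True
        return changed


def run(costs):
    """Exchange DVs until convergence; return (DVs, next hops, rounds used)."""
    nbrs = neighbors(costs)
    names = sorted(nbrs)
    nodes = {n: Node(n, nbrs[n], names) for n in names}
    pending = set(names)            # nodes whose DV still has to be sent
    rounds = 0
    while pending:
        rounds += 1
        senders, pending = pending, set()
        for s in sorted(senders):
            for n in nodes[s].links:
                if nodes[n].receive(s, nodes[s].dv):
                    pending.add(n)   # notify neighbors only when the DV changed
    return ({n: nodes[n].dv for n in names},
            {n: nodes[n].next_hop for n in names}, rounds)


if __name__ == "__main__":
    dvs, hops, rounds = run(COSTS)
    for n in dvs:
        print(n, dvs[n], "next hops:", hops[n])
    print("converged after", rounds, "rounds")
```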

The Internet Network layer

Host, router network layer functions:

  Transport layer: TCP, UDP
  Network layer:
    Routing protocols: path selection; RIP, OSPF, BGP
    IP protocol: addressing conventions, datagram format, packet handling conventions
    forwarding table
    ICMP protocol: error reporting, router “signaling”
  Link layer
  Physical layer

IP datagram format (32 bits per row)

  ver (IP protocol version number) | head. len (header length, bytes) | type of service (“type” of data) | length (total datagram length, bytes)
  16-bit identifier | flgs | fragment offset   (for fragmentation/reassembly)
  time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
  data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface.
Interface: connection between host/router and physical link. Routers typically have multiple interfaces; a host may have multiple interfaces. IP addresses are associated with each interface.

Example network (figure): hosts 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.2.1, 223.1.2.2, 223.1.3.1, 223.1.3.2; router interfaces 223.1.1.4, 223.1.2.9, 223.1.3.27.

  223.1.1.1 = 11011111 00000001 00000001 00000001
                  223        1        1        1

Subnets

IP address: subnet part (high order bits), host part (low order bits).

What’s a subnet? Device interfaces with the same subnet part of IP address can physically reach each other without an intervening router.

Example: network consisting of 3 subnets (LANs):
  223.1.1.0/24: 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4
  223.1.2.0/24: 223.1.2.1, 223.1.2.2, 223.1.2.9
  223.1.3.0/24: 223.1.3.1, 223.1.3.2, 223.1.3.27

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).

CIDR: Classless InterDomain Routing. Subnet portion of address of arbitrary length. Address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

  200.23.16.0/23 = 11001000 00010111 0001000 | 0 00000000
                   |----- subnet part (23 bits) -----|-- host part --|

NAT: Network Address Translation

  local network (e.g., home network) 10.0.0.0/24: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router with 10.0.0.4 on the LAN side and 138.76.29.7 toward the rest of the Internet.

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source, destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

NAT translation table
  WAN side addr        LAN side addr
  138.76.29.7, 5001    10.0.0.1, 3345
  ……                   ……

1. Host 10.0.0.1 sends datagram to 128.119.40.186, 80:
     S: 10.0.0.1, 3345      D: 128.119.40.186, 80
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table:
     S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001:
     S: 128.119.40.186, 80  D: 138.76.29.7, 5001
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345:
     S: 128.119.40.186, 80  D: 10.0.0.1, 3345
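The four steps above as a small NAT router simulation, as an added example that is not part of the slides. Packets are (src ip, src port, dst ip, dst port) tuples, WAN-side ports are handed out from 5001 as on the slide, and a reply to a port with no table entry is dropped; that last behaviour is an assumption about how the router treats unsolicited traffic, and it is why hosts behind the NAT are unreachable from outside unless a mapping exists.

```python
"""NAT translation-table walk-through for the slide's example.

Added illustration, not code from the slides. Assumptions: packets are
(src_ip, src_port, dst_ip, dst_port) tuples; WAN ports are allocated from
5001; inbound datagrams without a table entry are dropped.
"""
from ipaddress import ip_address, ip_network


class NatRouter:
    def __init__(self, wan_ip="138.76.29.7", lan=ip_network("10.0.0.0/24"), first_port=5001):
        self.wan_ip, self.lan = wan_ip, lan
        self.next_port = first_port
        self.table = {}          # wan_port -> (lan_ip, lan_port)
        self.reverse = {}        # (lan_ip, lan_port) -> wan_port

    def outbound(self, pkt):
        """Step 2: rewrite source addr/port of a datagram leaving the LAN."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if ip_address(src_ip) not in self.lan:
            raise ValueError("not a LAN-side source")
        key = (src_ip, src_port)
        if key not in self.reverse:          # new flow: allocate a WAN port
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return (self.wan_ip, self.reverse[key], dst_ip, dst_port)

    def inbound(self, pkt):
        """Step 4: rewrite dest addr/port of a reply, or None if unmapped."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.wan_ip or dst_port not in self.table:
            return None                       # no mapping: dropped
        lan_ip, lan_port = self.table[dst_port]
        return (src_ip, src_port, lan_ip, lan_port)


def walk_through():
    """Run steps 1-4 of the slide; return the datagram seen at each step."""
    nat = NatRouter()
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)        # host sends
    step2 = nat.outbound(step1)                             # leaves as 138.76.29.7:5001
    step3 = ("128.119.40.186", 80, step2[0], step2[1])      # reply arrives
    step4 = nat.inbound(step3)                              # delivered to 10.0.0.1:3345
    # A second host sharing the one public address gets its own WAN port.
    other = nat.outbound(("10.0.0.2", 3345, "128.119.40.186", 80))
    # An unsolicited packet to an unmapped port has nowhere to go.
    unsolicited = nat.inbound(("198.51.100.5", 4444, "138.76.29.7", 22))
    return step1, step2, step3, step4, other, unsolicited


if __name__ == "__main__":
    for label, pkt in zip(("1", "2", "3", "4", "other", "unsolicited"), walk_through()):
        print(label, pkt)
```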

Hierarchical Routing

Our routing study thus far: idealization, all routers identical, network “flat”… not true in practice.

Scale: with 200 million destinations, can’t store all dest’s in routing tables; routing table exchange would swamp links.

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, “autonomous systems” (AS). Routers in the same AS run the same routing protocol: “intra-AS” routing protocol. Routers in different ASes can run different intra-AS routing protocols.

Gateway router: has a direct link to a router in another AS.

(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. Each router combines an intra-AS routing algorithm and an inter-AS routing algorithm to build its forwarding table.)

Interconnected ASes

The forwarding table is configured by both the intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS and intra-AS set entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A, routers A, B, C, D, subnets u, v, w, x, y, z in the figure):

  destination  hops
  u            1
  v            2
  w            2
  x            3
  y            3
  z            2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement). Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

“Open”: publicly available. Uses Link State algorithm: LS packet dissemination, topology map at each node, route computation using Dijkstra’s algorithm. Link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF “advanced” features (not in RIP)

Security: all OSPF messages can be authenticated (to prevent malicious intrusion). Note that authentication is a configured option, and the simple-password mode sends the password in the clear; only the cryptographic mode actually stops an attacker on the link from injecting advertisements.
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set “low” for best effort, high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
Area border routers: “summarize” distances to nets in own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to backbone.
Boundary routers: connect to other AS’s.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard. BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine “good” routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to the rest of the Internet: “I am here”.

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links. When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

(Figure: AS1 {1a, 1b, 1c, 1d}, AS2 {2a, 2b, 2c}, AS3 {3a, 3b, 3c}; eBGP sessions run between gateway routers of different ASes, iBGP sessions among the routers inside an AS.)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = “route”.
Two important attributes:
  AS-PATH: contains the ASs through which the advert for the prefix passed, e.g., AS 67, AS 17.
  NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduces update traffic.
Performance: Intra-AS can focus on performance. Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs). A layer-2 packet is a frame; it encapsulates a datagram.

The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; “MAC” addresses used in frame headers to identify source, dest (different from IP address).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates.
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller “pieces” (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; “recover” from collisions.
“Taking turns”: nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in “rounds”; each station gets a fixed-length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN; stations 1, 3, 4 have a pkt, slots 2, 5, 6 idle.

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p.
  prob that node 1 has success in a slot = p(1-p)^(N-1)
  prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send. At best: channel used for useful transmissions 37% of the time.

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.
Human analogy: don’t interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other’s transmission. Collision: entire packet transmission time wasted. (Figure: spatial layout of nodes.) Note the role of distance and propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage. Collision detection: easy in wired LANs (measure signal strengths, compare transmitted, received signals); difficult in wireless LANs (receiver shut off while transmitting).

CSMA/CD collision detection (figure)

“Taking Turns” MAC protocols

Polling: master node “invites” slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (Host, Router) on a LAN has an ARP table. ARP Table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>. TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B’s IP address?

(Figure: LAN with hosts 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and adapters 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.)

ARP protocol: Same LAN (network)

A wants to send a datagram to B, and B’s MAC address is not in A’s ARP table.
A broadcasts an ARP query packet containing B’s IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet, replies to A with its (B’s) MAC address; frame sent to A’s MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
ARP is “plug-and-play”: nodes create their ARP tables without intervention from the net administrator. The flip side is that nothing in ARP authenticates a reply: A caches whatever answer arrives first for B’s IP address.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B’s IP address.
Two ARP tables in router R, one for each IP network (LAN).
In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

A creates datagram with source A, destination B. A uses ARP to get R’s MAC address for 111.111.111.110. A creates link-layer frame with R’s MAC address as dest; frame contains A-to-B IP datagram. A’s adapter sends frame. R’s adapter receives frame. R removes IP datagram from Ethernet frame, sees it’s destined to B. R uses ARP to get B’s MAC address. R creates frame containing A-to-B IP datagram, sends to B.

Ethernet uses CSMA/CD

No slots. Adapter doesn’t transmit if it senses that some other adapter is transmitting, that is, carrier sense. Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection. Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer and creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m − 1}. Adapter waits K · 512 bit times and returns to Step 2.

Ethernet’s CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec (1023 · 512 · 0.1 µs).
Exponential Backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer. First collision: choose K from {0, 1}; delay is K · 512 bit transmission times. After second collision: choose K from {0, 1, 2, 3}… After ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}.

CSMA/CD efficiency

t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0. Goes to 1 as t_trans goes to infinity. Much better than ALOHA, but still decentralized, simple, and cheap.

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter). (Figure: hub with twisted-pair links.)

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: the individual collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
(Figure: a backbone hub joining three departmental hubs.)

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment.
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward frame? Looks like a routing problem. (Figure: switch with interfaces 1, 2, 3, each leading to a hub.)

Self learning

A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp). Stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when a frame is received, the switch “learns” the location of the sender: the incoming LAN segment; records sender/location pair in switch table.

Switch: traffic isolation

Switch installation breaks subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
(Figure: three hubs behind one switch, each hub a separate collision domain.)
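The learning, filtering and flooding rules above in a small simulator, as an added example that is not part of the slides. It assumes frames are (source MAC, destination MAC) pairs arriving on a numbered interface, uses the 60-minute TTL from the slide, and treats FF-FF-FF-FF-FF-FF as the broadcast address; the MAC addresses are the ones shown on the ARP slide and the host placement is constructed.

```python
"""Self-learning switch: learn on source MAC, filter or flood on destination.

Added illustration, not code from the slides. Assumptions: frames are
(src_mac, dst_mac) pairs arriving on a numbered interface; entries older
than TTL_SECONDS are dropped; FF-FF-FF-FF-FF-FF is broadcast.
"""
BROADCAST = "FF-FF-FF-FF-FF-FF"
TTL_SECONDS = 60 * 60


class Switch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}                 # mac -> (interface, timestamp)

    def handle(self, src, dst, iface, now):
        """Return the list of interfaces the frame is sent out on."""
        # Learn: the sender is reachable through the incoming interface.
        self.table[src] = (iface, now)
        # Age out stale entries.
        self.table = {m: (i, t) for m, (i, t) in self.table.items()
                      if now - t < TTL_SECONDS}
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst][0]
            return [] if out == iface else [out]     # filter same-segment traffic
        return [i for i in self.interfaces if i != iface]   # unknown/broadcast: flood


def demo():
    """Three-interface switch; A behind interface 1, B and C behind interface 2."""
    sw = Switch([1, 2, 3])
    a, b, c = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"
    return {
        "a_to_b_unknown":  sw.handle(a, b, 1, now=0),               # B unknown: flood to 2, 3
        "b_replies":       sw.handle(b, a, 2, now=1),               # A learned on 1
        "a_to_b_known":    sw.handle(a, b, 1, now=2),               # B learned on 2
        "c_to_b_same_seg": sw.handle(c, b, 2, now=3),               # same segment: filtered
        "after_ttl":       sw.handle(a, b, 1, now=3 + TTL_SECONDS), # B aged out: flood again
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:16s} -> {out}")
```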

Switches vs Routers

Both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                    hubs   switches   routers
  traffic isolation  no     yes        yes
  plug & play        yes    yes        no
  optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other. This means A, C are unaware of their interference at B.

Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B. (Figure: A’s and C’s signal strength falling off over space, overlapping only at B.)

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).
Basic Service Set (BSS) (aka “cell”): in infrastructure mode, contains wireless hosts and the access point (AP): base station; in ad hoc mode, hosts only.
(Figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet.)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If channel sensed idle for DIFS, then transmit entire frame (no CD).
2. If channel sensed busy, then: start random backoff timer; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2.

802.11 receiver: if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).

  sender:    [DIFS] data ->
  receiver:              [SIFS] ACK ->

Collision Avoidance: RTS-CTS exchange

(Figure, time running downward, stations A and B with the AP between them.)
A and B both send RTS; RTS(A) and RTS(B) collide at the AP (reservation collision). A retries RTS(A); the AP answers CTS(A), heard by both A and B, and B defers. A sends DATA(A); the AP returns ACK(A), again heard by both.

802.11 frame

  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC
  2 bytes       | 2        | 6         | 6         | 6         | 2           | 6         | 0-2312  | 4

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.

Example: H1 sends through the AP to the Internet router R1.
  802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
  802.3 frame (AP to R1): dest address = R1 MAC addr, source address = AP MAC addr

Network Security

What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks


RSA: Encryption, decryption

0. Given (n, e) and (n, d) as computed above.
1. To encrypt bit pattern m, compute c = m^e mod n (i.e., remainder when m^e is divided by n).
2. To decrypt received bit pattern c, compute m = c^d mod n (i.e., remainder when c^d is divided by n).

  m = (m^e mod n)^d mod n    (magic happens!)

RSA example

Bob chooses p = 5, q = 7. Then n = 35, z = 24. e = 5 (so e, z relatively prime). d = 29 (so ed − 1 exactly divisible by z).

  encrypt:  letter  m    m^e      c = m^e mod n
            l       12   248832   17

  decrypt:  c    c^d                                     m = c^d mod n   letter
            17   481968572106750915091411825223071697    12              l

RSA: Why is that m = (m^e mod n)^d mod n?

Useful number theory result: if p, q prime and n = pq, then x^y mod n = x^(y mod (p−1)(q−1)) mod n.

  (m^e mod n)^d mod n = m^(ed) mod n
                      = m^(ed mod (p−1)(q−1)) mod n   (using number theory result above)
                      = m^1 mod n                      (since we chose ed to be divisible by (p−1)(q−1) with remainder 1)
                      = m

Stated this generally, the number theory result is Euler’s theorem and needs gcd(x, n) = 1; for the RSA exponent, ed ≡ 1 (mod (p−1)(q−1)), the conclusion m^(ed) ≡ m (mod n) holds for every m in 0 … n−1, which is all that decryption needs.

RSA: another important property

The following property will be very useful later:

  K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))

Use public key first, followed by private key, or use private key first, followed by public key: the result is the same.
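Textbook RSA on the slide’s numbers (p = 5, q = 7, e = 5, d = 29, encrypting “l” = 12), the commutation property just stated, and the ap5.0 nonce exchange from the authentication slides run both honestly and with Trudy in the middle, as one added example that is not part of the slides. Alice’s and Trudy’s larger keys (p = 61, q = 53 and p = 67, q = 71, both with e = 17) and the nonce value are constructed for the demo; textbook RSA with tiny primes is only for following the arithmetic, since real systems pad messages and use proper signatures rather than “encrypting” a nonce with the private key. The last function shows the check that closes the hole: verifying with a copy of Alice’s public key obtained out of band instead of the one Trudy hands over.

```python
"""Textbook RSA on the slide's numbers, the K^+/K^- commutation property, and
the ap5.0 exchange with and without Trudy in the middle.

Added illustration, not code from the slides. Tiny primes, no padding, and
'private-key encryption' of the nonce are kept only to mirror the slides.
Alice's key (p=61, q=53, e=17) and Trudy's key (p=67, q=71, e=17) are
constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    n: int
    exp: int


def rsa_keypair(p, q, e, d=None):
    """Return (public, private). d may be given, as on the slide, or derived."""
    n, z = p * q, (p - 1) * (q - 1)
    if d is None:
        d = pow(e, -1, z)            # modular inverse (Python 3.8+)
    assert (e * d) % z == 1, "e*d - 1 must be divisible by (p-1)(q-1)"
    return Key(n, e), Key(n, d)


def rsa_apply(key, m):
    """K(m) = m^exp mod n; the same routine serves K^+ and K^-."""
    return pow(m, key.exp, key.n)


def slide_example():
    """p=5, q=7, e=5, d=29: 'l'=12 encrypts to 17 and decrypts back to 12."""
    pub, priv = rsa_keypair(5, 7, 5, d=29)
    c = rsa_apply(pub, 12)
    m = rsa_apply(priv, c)
    commutes = rsa_apply(pub, rsa_apply(priv, 12)) == rsa_apply(priv, rsa_apply(pub, 12)) == 12
    return c, m, commutes


# ap5.0 participants (constructed keys).
ALICE_PUB, ALICE_PRIV = rsa_keypair(61, 53, 17)     # n = 3233
TRUDY_PUB, TRUDY_PRIV = rsa_keypair(67, 71, 17)     # n = 4757


def bob_checks(R, signed_R, claimed_pub):
    """Bob computes K^+(K^-(R)) with whatever public key he was handed."""
    return rsa_apply(claimed_pub, signed_R) == R


def ap50(R, attacker=None):
    """Run ap5.0. With attacker=(pub, priv), Trudy answers Bob's nonce and
    hands Bob her own public key when he asks for one."""
    if attacker is None:
        signed = rsa_apply(ALICE_PRIV, R)     # Alice -> Bob: K_A^-(R)
        handed_key = ALICE_PUB                # Alice -> Bob: K_A^+
    else:
        pub, priv = attacker
        signed = rsa_apply(priv, R)           # Trudy -> Bob: K_T^-(R)
        handed_key = pub                      # Trudy -> Bob: K_T^+
    return bob_checks(R, signed, handed_key)


def ap50_with_pinned_key(R, attacker):
    """Same exchange, but Bob already holds Alice's public key out of band."""
    pub, priv = attacker
    return bob_checks(R, rsa_apply(priv, R), ALICE_PUB)


if __name__ == "__main__":
    print("slide example (c, m, commutes):", slide_example())
    print("honest ap5.0 accepted:", ap50(R=1234))
    print("MITM ap5.0 accepted:  ", ap50(R=1234, attacker=(TRUDY_PUB, TRUDY_PRIV)))
    print("MITM with pinned key: ", ap50_with_pinned_key(1234, (TRUDY_PUB, TRUDY_PRIV)))
```

Bob’s arithmetic is identical in the honest and the attacked run; the only difference is which public key he plugs in, which is why the fix has to come from outside the exchange (a key Bob already trusts, or a certificate that binds K_A^+ to Alice).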

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Authentication

Goal: Bob wants Alice to “prove” her identity to him.

Protocol ap1.0: Alice says “I am Alice”.

Failure scenario: in a network, Bob cannot “see” Alice, so Trudy simply declares herself to be Alice: “I am Alice”.

Authentication another try

Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address

Failure scenario

ldquoI am AlicerdquoAlicersquos

IP address

Authentication another try

Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address

Trudy can createa packet

ldquospoofingrdquoAlicersquos addressldquoI am Alicerdquo

Alicersquos IP address

Authentication another try

Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it

Failure scenario

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

OKAlicersquos IP addr

Authentication another try

Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it

playback attack Trudy records Alicersquos

packetand later

plays it back to Bob

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

OKAlicersquos IP addr

ldquoIrsquom AlicerdquoAlicersquos IP addr

Alicersquos password

Authentication yet another try

Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it

Failure scenario

ldquoIrsquom AlicerdquoAlicersquos IP addr

encrypted password

OKAlicersquos IP addr

Authentication another try

Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it

recordand

playbackstill works

ldquoIrsquom AlicerdquoAlicersquos IP addr

encryptedpassword

OKAlicersquos IP addr

ldquoIrsquom AlicerdquoAlicersquos IP addr

encryptedpassword

Authentication yet another try

Goal avoid playback attack

Failures drawbacks

Nonce number (R) used only once ndashin-a-lifetime

ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice

must return R encrypted with shared secret keyldquoI am Alicerdquo

R

K (R)A-B

Alice is live and only Alice knows key to encrypt

nonce so it must be Alice
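A small simulation of the ap3.0 versus ap4.0 contrast above, as an added example that is not from the lecture slides. It shows why a recorded ap3.0 message is accepted again while a recorded ap4.0 response is rejected once Bob has issued a fresh R. One assumption of this example: the slide's "R encrypted with shared secret key" is stood in for by an HMAC-SHA256 over R, a keyed function of R that only a holder of K_A-B can compute; the class and function names are this example's own.

```python
# Added example (not from the lecture slides): contrasting ap3.0 (static
# password, replayable) with ap4.0 (fresh nonce per run).  The keyed function
# of R is HMAC-SHA256, an assumption of this example, not the slide's construct.
import hashlib
import hmac
import os
from typing import Dict, Tuple

SHARED_KEY = b"constructed-demo-key-for-alice-and-bob"   # K_A-B (constructed value)


# --- ap3.0: the message never changes, so a recording is as good as the original ---

def ap30_login(claimed_id: str, password: str) -> Tuple[str, str]:
    return claimed_id, password


def ap30_verify(store: Dict[str, str], msg: Tuple[str, str]) -> bool:
    """Bob's ap3.0 check: any exact copy of the message, old or new, passes."""
    claimed_id, password = msg
    return store.get(claimed_id) == password


# --- ap4.0: Bob issues R, Alice returns a keyed function of that R ---

def keyed_response(key: bytes, r: bytes) -> bytes:
    """Alice's side: prove possession of K_A-B by computing a keyed function of R."""
    return hmac.new(key, r, hashlib.sha256).digest()


class Ap40Verifier:
    """Bob's side of ap4.0: one fresh nonce per run, consumed by exactly one verify."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding: Dict[str, bytes] = {}      # claimed identity -> nonce issued

    def challenge(self, claimed_id: str) -> bytes:
        r = os.urandom(16)                             # 128 random bits: used once in a lifetime
        self._outstanding[claimed_id] = r
        return r

    def verify(self, claimed_id: str, response: bytes) -> bool:
        r = self._outstanding.pop(claimed_id, None)    # each R can answer only one verify
        if r is None:
            return False                               # no live challenge for this identity
        return hmac.compare_digest(keyed_response(self._key, r), response)


def run_ap40(bob: Ap40Verifier, alice_key: bytes) -> bool:
    """One ap4.0 run: Alice answers Bob's freshly issued R."""
    r = bob.challenge("Alice")
    return bob.verify("Alice", keyed_response(alice_key, r))


def replay_ap40(bob: Ap40Verifier, recorded_response: bytes) -> bool:
    """A recorded response presented in a later run: Bob's R has changed, so it fails."""
    bob.challenge("Alice")
    return bob.verify("Alice", recorded_response)
```

The ap4.0 verifier pops the outstanding nonce on every verify, so a response can be checked at most once per challenge, and the comparison is constant-time so the check itself leaks nothing about the expected value.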

Authentication: ap5.0

ap4.0 requires shared symmetric key. Can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography

   Alice -> Bob: "I am Alice"
   Bob -> Alice: R
   Alice -> Bob: K_A^-(R)
   Bob -> Alice: "send me your public key"
   Alice -> Bob: K_A^+

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

   Between Trudy and Bob (Trudy poses as Alice):
     Trudy -> Bob: "I am Alice"
     Bob -> Trudy: R
     Trudy -> Bob: K_T^-(R)
     Bob -> Trudy: "send me your public key"
     Trudy -> Bob: K_T^+
     Bob -> Trudy: K_T^+(m)
     Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key.

   Between Alice and Trudy (Trudy poses as Bob):
     Alice -> Trudy: "I am Alice"
     Trudy -> Alice: R
     Alice -> Trudy: K_A^-(R)
     Trudy -> Alice: "send me your public key"
     Alice -> Trudy: K_A^+
     Trudy -> Alice: K_A^+(m)
     Alice recovers m = K_A^-(K_A^+(m)).

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation). Problem is that Trudy receives all messages as well!

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Firewalls

firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

   administered network --[firewall]-- public Internet

Firewalls: Why

prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else.
allow only authorized access to inside network (set of authenticated users/hosts).
two types of firewalls: application-level; packet-filtering.

Packet Filtering

internal network connected to Internet via router firewall.
router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
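The two packet-filtering examples above, as an added example that is not from the lecture slides: each example becomes one rule over the header fields the slide lists (protocol, ports, SYN and ACK bits), and the rules are run over a few constructed packets. Packet contents, labels and helper names are this example's own.

```python
# Added example (not from the lecture slides): a rule evaluator for the two
# packet-filtering examples on the slide, run over constructed packets.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1               # IP protocol field values


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" (arriving from the Internet) or "out"
    proto: int
    src_port: Optional[int] = None      # None for protocols without ports (ICMP)
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False


Rule = Callable[[Packet], Optional[str]]   # returns "drop", or None for no opinion


def example1(pkt: Packet) -> Optional[str]:
    """Slide example 1: drop IP protocol 17 (UDP) and anything with port 23
    (telnet) as source or destination, in either direction."""
    if pkt.proto == UDP or 23 in (pkt.src_port, pkt.dst_port):
        return "drop"
    return None


def example2(pkt: Packet) -> Optional[str]:
    """Slide example 2: drop inbound TCP SYN.  A pure SYN opens a connection
    from outside; SYN+ACK is the reply to a connection an inside client opened,
    so it passes, which is what lets internal clients connect out."""
    if pkt.direction == "in" and pkt.proto == TCP and pkt.syn and not pkt.ack:
        return "drop"
    return None


RULES: List[Rule] = [example1, example2]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First rule with an opinion wins; the default is to forward."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict is not None:
            return verdict
    return "forward"


# Constructed sample traffic, not captured data.
SAMPLE: List[Tuple[str, Packet]] = [
    ("outbound DNS over UDP",      Packet("out", UDP, 51000, 53)),
    ("inbound telnet SYN",         Packet("in", TCP, 40000, 23, syn=True)),
    ("inbound SYN to web server",  Packet("in", TCP, 40001, 80, syn=True)),
    ("inbound SYN+ACK to client",  Packet("in", TCP, 443, 52000, syn=True, ack=True)),
    ("outbound SYN to web site",   Packet("out", TCP, 52000, 443, syn=True)),
    ("inbound ICMP echo",          Packet("in", ICMP)),
]


def run_sample() -> List[Tuple[str, str]]:
    return [(label, filter_packet(p)) for label, p in SAMPLE]


if __name__ == "__main__":
    for label, verdict in run_sample():
        print(f"{verdict:8s} {label}")
```

Note what the third sample shows: example 2 as stated also drops the SYN to an internal web server, so a site that wants some inbound service reachable needs an explicit allow rule ahead of it.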

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

   host-to-gateway telnet session --> application gateway (behind router and filter) --> gateway-to-remote host telnet session

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source.
if multiple app's need special treatment, each has own app gateway.
client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser.
filters often use all or nothing policy for UDP.
tradeoff: degree of communication with outside world, level of security.
many highly protected sites still suffer from attacks.

many highly protected sites still suffer from attacks

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Internet security threats

Mapping: before attacking, "case the joint": find out what services are implemented on network. Use ping to determine what hosts have addresses on network. Port-scanning: try to establish TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping: countermeasures: record traffic entering network, look for suspicious activity (IP addresses, ports being scanned sequentially).
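The mapping countermeasure above, as an added example that is not from the lecture slides: connection-attempt records are grouped by source, and a source is flagged when it touches a run of consecutive destination ports (port scan) or a run of consecutive destination addresses (address sweep). The log lines are constructed for the example and use documentation address ranges; the record format and function names are this example's own.

```python
# Added example (not from the lecture slides): "record traffic entering the
# network, look for addresses/ports being scanned sequentially", applied to
# constructed connection-attempt records.
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed records: "<seconds> <src ip> <dst ip> <dst port> <tcp flags>".
# 198.51.100.7, 203.0.113.9 and 192.0.2.4 are documentation addresses.
SAMPLE_LOG = """\
0.00 203.0.113.9   10.0.0.5 80  S
0.10 203.0.113.9   10.0.0.5 443 S
1.00 198.51.100.7  10.0.0.5 20  S
1.01 198.51.100.7  10.0.0.5 21  S
1.02 198.51.100.7  10.0.0.5 22  S
1.03 198.51.100.7  10.0.0.5 23  S
1.04 198.51.100.7  10.0.0.5 24  S
1.05 198.51.100.7  10.0.0.5 25  S
1.06 198.51.100.7  10.0.0.5 26  S
2.00 203.0.113.9   10.0.0.5 80  S
3.00 192.0.2.4     10.0.0.1 80  S
3.01 192.0.2.4     10.0.0.2 80  S
3.02 192.0.2.4     10.0.0.3 80  S
3.03 192.0.2.4     10.0.0.4 80  S
3.04 192.0.2.4     10.0.0.5 80  S
"""

Record = Tuple[float, str, str, int]


def parse(lines: Iterable[str]) -> List[Record]:
    out = []
    for line in lines:
        if not line.strip():
            continue
        t, src, dst, port, _flags = line.split()
        out.append((float(t), src, dst, int(port)))
    return out


def longest_consecutive_run(values: Iterable[int]) -> Tuple[int, int, int]:
    """Return (length, first, last) of the longest run of consecutive integers."""
    best = (0, 0, 0)
    run_start = prev = None
    for v in sorted(set(values)):
        if prev is None or v != prev + 1:
            run_start = v                      # a gap starts a new run
        prev = v
        length = v - run_start + 1
        if length > best[0]:
            best = (length, run_start, v)
    return best


def detect_port_scans(records: List[Record], min_run: int = 5) -> Dict[str, Tuple[int, int]]:
    """Sources that hit `min_run` or more consecutive destination ports."""
    ports_by_src = defaultdict(list)
    for _t, src, _dst, port in records:
        ports_by_src[src].append(port)
    flagged = {}
    for src, ports in ports_by_src.items():
        length, first, last = longest_consecutive_run(ports)
        if length >= min_run:
            flagged[src] = (first, last)
    return flagged


def detect_address_sweeps(records: List[Record], min_run: int = 5) -> Dict[str, Tuple[str, str]]:
    """Sources that hit `min_run` or more consecutive destination addresses."""
    dsts_by_src = defaultdict(list)
    for _t, src, dst, _port in records:
        dsts_by_src[src].append(int(ipaddress.ip_address(dst)))   # addresses as integers
    flagged = {}
    for src, dsts in dsts_by_src.items():
        length, first, last = longest_consecutive_run(dsts)
        if length >= min_run:
            flagged[src] = (str(ipaddress.ip_address(first)), str(ipaddress.ip_address(last)))
    return flagged


def scan_report(log: str = SAMPLE_LOG) -> Dict[str, Dict]:
    records = parse(log.splitlines())
    return {"port_scans": detect_port_scans(records), "address_sweeps": detect_address_sweeps(records)}


if __name__ == "__main__":
    print(scan_report())
```

The threshold `min_run` is the knob that trades false positives against sensitivity: the legitimate client that hits ports 80 and 443 a few times never forms a run, while the two scanners each form a run of five or more.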

Internet security threats: Packet sniffing

broadcast media: promiscuous NIC reads all packets passing by. can read all unencrypted data (e.g., passwords). e.g., C sniffs B's packets.

   B -> A: [src:B dest:A payload]    (C, on the same broadcast medium, reads it too)

Countermeasures?

Internet security threats: Packet sniffing: countermeasures

all hosts in organization run software that checks periodically if host interface in promiscuous mode.
one host per segment of broadcast media (switched Ethernet at hub).

Internet security threats: IP Spoofing

can generate "raw" IP packets directly from application, putting any value into IP source address field. receiver can't tell if source is spoofed. e.g., C pretends to be B.

   C -> A: [src:B dest:A payload]

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network).
great, but ingress filtering can not be mandated for all networks.
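Ingress filtering as stated above, as an added example that is not from the lecture slides: each router interface is configured with the prefixes that legitimately sit behind it, and a packet whose source address is outside its arrival interface's prefixes is dropped. The example borrows the 200.23.16.0/23 prefix from the CIDR review slide later on and also splits it into subnet and host bits the way that slide draws it. Interface names, the other prefix and all packets are constructed for the example; the function names are this example's own.

```python
# Added example (not from the lecture slides): per-interface ingress filtering
# ("do not forward packets whose source address is not in the router's
# network") plus the CIDR subnet/host split from the review slides.
import ipaddress
from typing import Dict, List, Tuple

Prefix = ipaddress.IPv4Network

# Interface -> prefixes that legitimately sit behind it (constructed table).
INTERFACE_PREFIXES: Dict[str, List[Prefix]] = {
    "lan0": [ipaddress.ip_network("200.23.16.0/23")],   # the CIDR slide's prefix
    "lan1": [ipaddress.ip_network("10.0.0.0/24")],      # a second internal segment
}


def source_is_valid(iface: str, src: str,
                    table: Dict[str, List[Prefix]] = INTERFACE_PREFIXES) -> bool:
    """True iff src falls inside one of the prefixes configured on iface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table.get(iface, []))


def ingress_filter(packets: List[Tuple[str, str, str]],
                   table: Dict[str, List[Prefix]] = INTERFACE_PREFIXES) -> List[str]:
    """packets: (arrival interface, src, dst).  Returns one verdict per packet."""
    return ["forward" if source_is_valid(iface, src, table) else "drop"
            for iface, src, _dst in packets]


def prefix_bits(cidr: str) -> Tuple[str, str]:
    """Split a.b.c.d/x into its subnet-part and host-part bit strings."""
    net = ipaddress.ip_network(cidr)
    bits = format(int(net.network_address), "032b")
    return bits[:net.prefixlen], bits[net.prefixlen:]


# Constructed sample: (arrival interface, source, destination).
SAMPLE = [
    ("lan0", "200.23.17.5",  "203.0.113.1"),   # inside 200.23.16.0/23: valid
    ("lan0", "200.23.18.1",  "203.0.113.1"),   # one past the /23: not ours, drop
    ("lan0", "198.51.100.9", "203.0.113.1"),   # foreign source on a customer port: drop
    ("lan1", "10.0.0.42",    "203.0.113.1"),   # valid on lan1
    ("lan1", "200.23.16.9",  "203.0.113.1"),   # valid address, wrong interface: drop
]


if __name__ == "__main__":
    for (iface, src, dst), verdict in zip(SAMPLE, ingress_filter(SAMPLE)):
        print(f"{verdict:8s} {iface} {src} -> {dst}")
    print(prefix_bits("200.23.16.0/23"))
```

The last sample packet is the reason the check is per interface rather than per router: an address that is valid somewhere in the organisation is still spoofed if it arrives on a segment where it cannot live.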

Internet security threats: Denial of service (DOS)

flood of maliciously generated packets "swamp" receiver. Distributed DOS (DDOS): multiple coordinated sources swamp receiver. e.g., C and remote host SYN-attack A.

   C -> A: SYN, SYN, SYN, ...      remote host -> A: SYN, SYN, SYN, ...

Countermeasures?

Internet security threats: Denial of service (DOS): countermeasures

filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad.
traceback to source of floods (most likely an innocent, compromised machine).

Review (1): Network Layer

Virtual Circuits and Datagram Networks
Routing Principles
- Link State Algorithm
- Distance Vector Algorithm
The Internet (IP) Protocol
- IPv4 addressing
- Datagram format
- IP fragmentation
- ICMP: Internet Control Message Protocol
- IPv6
- NAT: Network Address Translation

Review (2): Routing in the Internet
- Hierarchical routing
- RIP
- OSPF
- BGP

Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
- TDMA/FDMA
- Random Access Protocols
- "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks
CDMA
IEEE 802.11 wireless LANs

Review (3): What is network security?
Principles of cryptography
- Symmetric Key
- Public Key
Authentication
- Protocol evolution
Access control: firewalls
Attacks and counter measures
- Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info. "link state" algorithms.
Decentralized: router knows physically-connected neighbors, link costs to neighbors. iterative process of computation, exchange of info with neighbors. "distance vector" algorithms.

Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update; in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm example

Link costs, reconstructed from the figure: u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
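The slide's loop run on the slide's six-node example, as an added example that is not from the lecture slides: it returns D(v), p(v) and the order in which nodes entered N', and then derives u's forwarding table (next hop per destination) by walking p(v) back toward u. The slide breaks the step-2 tie between v and y by adding y first; this code breaks ties by node name and adds v first, with the same final D(v) and p(v). The function names are this example's own.

```python
# Added example (not from the lecture slides): the slide's Dijkstra loop on
# the slide's example graph, plus the forwarding table u derives from p(v).
from typing import Dict, List, Tuple

INF = float("inf")

# Link costs read off the slide's figure (undirected).
GRAPH: Dict[str, Dict[str, int]] = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph: Dict[str, Dict[str, int]], source: str
             ) -> Tuple[Dict[str, float], Dict[str, str], List[str]]:
    n_prime = [source]                                        # N'
    D = {v: graph[source].get(v, INF) for v in graph}         # D(v) = c(u,v) or infinity
    D[source] = 0
    p = {v: source for v in graph[source]}                    # p(v): predecessor on best path
    while len(n_prime) < len(graph):
        # find w not in N' such that D(w) is a minimum (ties: first in name order)
        w = min((v for v in sorted(graph) if v not in n_prime), key=lambda v: D[v])
        n_prime.append(w)
        for v, cost in graph[w].items():                      # update D(v) for v adjacent to w
            if v not in n_prime and D[w] + cost < D[v]:
                D[v] = D[w] + cost
                p[v] = w
    return D, p, n_prime


def forwarding_table(p: Dict[str, str], source: str) -> Dict[str, str]:
    """Next hop from source to each destination: walk p(v) back to a neighbour of source."""
    table = {}
    for dest in p:
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, order = dijkstra(GRAPH, "u")
    print("order added to N':", order)
    for v in sorted(D):
        print(f"D({v}) = {D[v]}, p({v}) = {p.get(v, '-')}")
    print("forwarding table at u:", forwarding_table(p, "u"))
```

Every destination other than v is reached through x, which is what the costs in the slide's table imply: the direct u-w link of cost 5 is never used.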

Distance vector algorithm (1)

Basic idea:
Each node periodically sends its own distance vector estimate to neighbors.
When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

   D_x(y) <- min_v { c(x,v) + D_v(y) }   for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only knows the next hop.

Each node:
   wait for (change in local link cost or msg from neighbor)
   recompute estimates
   if DV to any dest has changed, notify neighbors

Example network: c(x,y) = 2, c(y,z) = 1, c(x,z) = 7

node x table (rows: from; columns: cost to), over time:
   t0:       x  y  z      t1:       x  y  z      t2:       x  y  z
   from x    0  2  7      from x    0  2  3      from x    0  2  3
        y    ∞  ∞  ∞           y    2  0  1           y    2  0  1
        z    ∞  ∞  ∞           z    7  1  0           z    3  1  0

node y table:
   t0:       x  y  z      t1:       x  y  z      t2:       x  y  z
   from x    ∞  ∞  ∞      from x    0  2  7      from x    0  2  3
        y    2  0  1           y    2  0  1           y    2  0  1
        z    ∞  ∞  ∞           z    7  1  0           z    3  1  0

node z table:
   t0:       x  y  z      t1:       x  y  z      t2:       x  y  z
   from x    ∞  ∞  ∞      from x    0  2  7      from x    0  2  3
        y    ∞  ∞  ∞           y    2  0  1           y    2  0  1
        z    7  1  0           z    3  1  0           z    3  1  0
                                                                   time ->

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
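The Bellman-Ford update above run to convergence on the slide's three-node network, as an added example that is not from the lecture slides. Nodes exchange vectors in synchronous rounds (the slides describe the asynchronous version; rounds are this example's simplification), the tables converge to the t2 values shown above, and a later link cost change is absorbed by continuing from the converged vectors rather than starting over. Function names are this example's own.

```python
# Added example (not from the lecture slides): synchronous rounds of the
# Bellman-Ford update on the slide's network x -2- y -1- z, x -7- z.
from typing import Dict, Optional, Tuple

INF = float("inf")
Costs = Dict[str, Dict[str, int]]
Vectors = Dict[str, Dict[str, float]]

COSTS: Costs = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}


def initial_vectors(costs: Costs) -> Vectors:
    """Each node starts knowing only its direct link costs (and 0 to itself)."""
    nodes = list(costs)
    return {x: {y: 0 if y == x else costs[x].get(y, INF) for y in nodes} for x in nodes}


def bellman_ford_update(x: str, costs: Costs, vectors: Vectors) -> Dict[str, float]:
    """D_x(y) <- min over neighbours v of c(x,v) + D_v(y), for every destination y."""
    return {y: 0 if y == x else min(costs[x][v] + vectors[v][y] for v in costs[x])
            for y in vectors}


def run_dv(costs: Costs, vectors: Optional[Vectors] = None, max_rounds: int = 100
           ) -> Tuple[Vectors, int]:
    """Exchange vectors in rounds until nobody's vector changes.

    Returns (vectors, rounds); the final round is the one that confirms
    stability, so a network already converged reports 1 round.
    """
    vectors = initial_vectors(costs) if vectors is None else vectors
    for rounds in range(1, max_rounds + 1):
        new = {x: bellman_ford_update(x, costs, vectors) for x in costs}
        if new == vectors:
            return vectors, rounds
        vectors = new
    raise RuntimeError("did not converge within max_rounds")


def with_cost(costs: Costs, a: str, b: str, c: int) -> Costs:
    """Copy of costs with the undirected link a-b set to c (a link cost change)."""
    updated = {n: dict(links) for n, links in costs.items()}
    updated[a][b] = c
    updated[b][a] = c
    return updated


if __name__ == "__main__":
    converged, rounds = run_dv(COSTS)
    print(rounds, "rounds:", converged)
    after, rounds = run_dv(with_cost(COSTS, "x", "y", 1), converged)
    print(rounds, "rounds after c(x,y)=1:", after)
```

With the slide's costs the first exchange already produces D_x(z) = 3 and D_z(x) = 3 and the second exchange confirms them, which matches the tables converging by t2.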

The Internet Network layer

Host, router network layer functions:

   Network layer:
     Routing protocols: path selection; RIP, OSPF, BGP
     IP protocol: addressing conventions; datagram format; packet handling conventions
     ICMP protocol: error reporting; router "signaling"
     forwarding table
   Transport layer: TCP, UDP
   Link layer
   physical layer

IP datagram format

Header, 32 bits per row:
   ver (IP protocol version number) | head. len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
   16-bit identifier | flgs | fragment offset   (for fragmentation/reassembly)
   time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
   32 bit source IP address
   32 bit destination IP address
   Options (if any)   E.g. timestamp, record route taken, specify list of routers to visit.
   data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
   20 bytes of TCP
   20 bytes of IP
   = 40 bytes + app layer overhead

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
   routers typically have multiple interfaces
   host may have multiple interfaces
   IP addresses associated with each interface

Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.9, 223.1.2.2, 223.1.2.1; 223.1.3.27, 223.1.3.1, 223.1.3.2

   223.1.1.1 = 11011111 00000001 00000001 00000001
               223      1        1        1

Subnets

IP address: subnet part (high order bits); host part (low order bits)

What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router.

Figure: network consisting of 3 subnets (LANs): 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4 | 223.1.2.9, 223.1.2.2, 223.1.2.1 | 223.1.3.27, 223.1.3.1, 223.1.3.2

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format: a.b.c.d/x, where x is # bits in subnet portion of address

   11001000 00010111 0001000|0 00000000
   <---- subnet part (23 bits) ---->|<-- host part -->
   200.23.16.0/23

NAT: Network Address Translation

   local network (e.g., home network) 10.0.0.0/24: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router 10.0.0.4 (LAN side), 138.76.29.7 (WAN side) | rest of Internet

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual).
All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers.

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
      S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
      S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest. address: 138.76.29.7, 5001
      S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
      S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
   WAN side addr         LAN side addr
   138.76.29.7, 5001     10.0.0.1, 3345
   ......                ......
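The four-step walkthrough above as running code, an added example that is not from the lecture slides: a NAT router keeps the translation table, rewrites the outbound datagram from 10.0.0.1, 3345 to 138.76.29.7, 5001, rewrites the reply back, and drops an inbound datagram that matches no table entry. The WAN port allocation (counting up from 5001) and the class name are this example's choices.

```python
# Added example (not from the lecture slides): the NAT translation table and
# the address/port rewrites of the slide's four steps.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]             # (address, port)


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, wan_addr: str, first_port: int = 5001):
        self.wan_addr = wan_addr
        self._next_port = first_port
        self.table: Dict[Endpoint, Endpoint] = {}      # WAN side -> LAN side (the slide's table)
        self._by_lan: Dict[Endpoint, Endpoint] = {}    # LAN side -> WAN side (reverse index)

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite source to the WAN address and a WAN port, updating the table."""
        lan = (d.src, d.sport)
        if lan not in self._by_lan:                    # new flow: allocate the next WAN port
            wan = (self.wan_addr, self._next_port)
            self._next_port += 1
            self.table[wan] = lan
            self._by_lan[lan] = wan
        wan_addr, wan_port = self._by_lan[lan]
        return replace(d, src=wan_addr, sport=wan_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Step 4: rewrite destination back to the LAN host; None if no entry exists."""
        lan = self.table.get((d.dst, d.dport))
        if lan is None:
            return None                                # unsolicited: nobody inside asked for this
        return replace(d, dst=lan[0], dport=lan[1])


def slide_walkthrough() -> Tuple[NatRouter, Datagram, Optional[Datagram]]:
    nat = NatRouter("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)                                   # leaves as 138.76.29.7, 5001
    step3 = Datagram("128.119.40.186", 80, step2.src, step2.sport)  # reply arrives at the NAT
    step4 = nat.inbound(step3)                                    # delivered to 10.0.0.1, 3345
    return nat, step2, step4


if __name__ == "__main__":
    nat, out, back = slide_walkthrough()
    print("outbound after NAT:", out)
    print("reply after NAT:", back)
    print("table:", nat.table)
```

The `inbound` branch that returns None is the side effect people rely on for protection: with only outbound-created entries, an outside host cannot reach an inside port until the inside host has opened a flow.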

Hierarchical Routing

Our routing study thus far: idealization: all routers identical, network "flat"... not true in practice.

scale: with 200 million destinations: can't store all dest's in routing tables! routing table exchange would swamp links!
administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS).
routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol.
Gateway router: direct link to router in another AS.

Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); Intra-AS routing algorithm and Inter-AS routing algorithm together fill the forwarding table.

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: Intra-AS sets entries for internal dests; Inter-AS & Intra-AS sets entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX Distribution in 1982. Distance metric: # of hops (max = 15 hops). # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A).

Figure: routers A, B, C, D; subnets u, v, w, x, y, z.
   destination   hops
   u             1
   v             2
   w             2
   x             3
   y             3
   z             2

RIP advertisements

Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement).
Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"open": publicly available. Uses Link State algorithm: LS packet dissemination; Topology map at each node; Route computation using Dijkstra's algorithm. Link costs configured by the network administrator.
OSPF advertisement carries one entry per neighbor router.
Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to backbone.
Boundary routers: connect to other AS's.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions within an AS.

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route".
Two important attributes:
   AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
   NEXT-HOP: Indicates the specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop-AS.)
When gateway router receives route advert, uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduced update traffic.
Performance: Intra-AS: can focus on performance. Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes. communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs. layer-2 packet is a frame, encapsulates datagram.

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer. channel access if shared medium. "MAC" addresses used in frame headers to identify source, dest (different from IP address).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)! seldom used on low bit error link (fiber, some twisted pair). wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": Nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. access to channel in "rounds". each station gets fixed length slot (length = pkt trans time) in each round. unused slots go idle. example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle.
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel. highly decentralized: only slots in nodes need to be in sync. simple.
Cons: collisions, wasting slots. idle slots. clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p.
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time!
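The maximization and limit the slide only names, carried through with the slide's own symbols (an added derivation, not part of the slides). Differentiating the success probability with respect to p and setting the derivative to zero:

$$
\frac{d}{dp}\Big[Np(1-p)^{N-1}\Big]
= N(1-p)^{N-2}\big[(1-p) - (N-1)p\big]
= N(1-p)^{N-2}\,(1 - Np) = 0
\;\Rightarrow\; p^{*} = \frac{1}{N}
$$

Substituting p* back in, the N in front cancels against p* = 1/N, and the limit is the familiar one:

$$
Np^{*}(1-p^{*})^{N-1} = \Big(1-\frac{1}{N}\Big)^{N-1}
\;\xrightarrow{\;N\to\infty\;}\; \frac{1}{e} \approx 0.37
$$

So with many busy nodes the best the protocol can do is one successful slot in e, which is the 37% on the slide.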

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy, defer transmission.
Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
collision: entire packet transmission time wasted.
note: role of distance & propagation delay in determining collision probability (see spatial layout of nodes in the figure).

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA. collisions detected within short time. colliding transmissions aborted, reducing channel wastage.
collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals. difficult in wireless LANs: receiver shut off while transmitting.

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to next sequentially. token message. concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table.
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).

Question: how to determine MAC address of B knowing B's IP address?

Figure (LAN): IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address. Dest MAC address = FF-FF-FF-FF-FF-FF. all machines on LAN receive ARP query.
B receives ARP packet, replies to A with its (B's) MAC address. frame sent to A's MAC address (unicast).
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out). soft state: information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.

Routing to another LAN

walkthrough: send datagram from A to B via R. assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In routing table at source Host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

Figure: A --- R --- B

A creates datagram with source A, destination B.
A uses ARP to get R's MAC address for 111.111.111.110.
A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram.
A's adapter sends frame. R's adapter receives frame.
R removes IP datagram from Ethernet frame, sees it's destined to B.
R uses ARP to get B's MAC address.
R creates frame containing A-to-B IP datagram, sends to B.

Ethernet uses CSMA/CD

No slots.
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.
Exponential Backoff: Goal: adapt retransmission attempts to estimated current load. heavy load: random wait will be longer.
first collision: choose K from {0, 1}; delay is K * 512 bit transmission times.
after second collision: choose K from {0, 1, 2, 3} ...
after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
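The backoff rule of step 5 and the bit-time arithmetic behind "about 50 msec", as an added example that is not from the lecture slides. The cap of K at 1023 after ten collisions and the 512-bit-time unit are from the slides; the seeded random source and the function names are this example's own.

```python
# Added example (not from the lecture slides): Ethernet exponential backoff
# after the m-th collision, K drawn from {0, ..., 2^m - 1} (capped at 1023),
# wait = K * 512 bit times, with bit time = 1 / bit rate.
import random
from typing import List

SLOT_BITS = 512                      # adapter waits K * 512 bit times
CAP_COLLISIONS = 10                  # from the 10th collision on, K is drawn from {0..1023}


def backoff_max(m: int) -> int:
    """Largest K after the m-th collision: 2^m - 1, capped at 2^10 - 1 = 1023."""
    if m < 1:
        raise ValueError("m counts collisions and starts at 1")
    return 2 ** min(m, CAP_COLLISIONS) - 1


def choose_k(m: int, rng: random.Random) -> int:
    """Step 5: choose K uniformly at random from {0, 1, ..., backoff_max(m)}."""
    return rng.randint(0, backoff_max(m))


def bit_time_seconds(bitrate_bps: float) -> float:
    """One bit time: 10 Mbps gives 0.1 microseconds."""
    return 1.0 / bitrate_bps


def wait_seconds(k: int, bitrate_bps: float = 10_000_000) -> float:
    """K * 512 bit times, expressed in seconds."""
    return k * SLOT_BITS * bit_time_seconds(bitrate_bps)


def backoff_schedule(collisions: int, seed: int = 0,
                     bitrate_bps: float = 10_000_000) -> List[float]:
    """Waits (seconds) one adapter draws over `collisions` successive collisions."""
    rng = random.Random(seed)          # seeded so the schedule is reproducible
    return [wait_seconds(choose_k(m, rng), bitrate_bps) for m in range(1, collisions + 1)]


if __name__ == "__main__":
    print("K=1023 at 10 Mbps waits", wait_seconds(1023) * 1000, "ms")
    for m, w in enumerate(backoff_schedule(12), start=1):
        print(f"collision {m:2d}: K <= {backoff_max(m):4d}, waited {w * 1e6:9.1f} us")
```

At 10 Mbps a bit time is 0.1 microseconds, so K = 1023 gives 1023 x 512 x 0.1 us = 52.4 ms, the "about 50 msec" on the slide; the same K at 100 Mbps waits a tenth of that, which is why the slide ties the bit time to the link speed.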

CSMA/CD efficiency

t_prop = max prop between 2 nodes in LAN
t_trans = time to transmit max-size frame

   efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter).

Figure: hub with twisted pair links to hosts.

Interconnecting with hubs

Pros: Enables interdepartmental communication. Extends max distance btw nodes. If a hub malfunctions, the backbone hub can disconnect it.
Cons: Collision domains are transferred into one large common domain. Cannot interconnect 10BaseT and 100BaseT hubs.

Figure: backbone hub connected to three department hubs.

Switch

Link layer device: stores and forwards Ethernet frames. examines frame header and selectively forwards frame based on MAC dest address. when frame is to be forwarded on segment, uses CSMA/CD to access segment.
transparent: hosts are unaware of presence of switches.
plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward frame? Looks like a routing problem...

Figure: switch with interfaces 1, 2, 3, each connected to a hub.

Self learning

A switch has a switch table. entry in switch table: (MAC Address, Interface, Time Stamp). stale entries in table dropped (TTL can be 60 min).
switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment. records sender/location pair in switch table.

Switch: traffic isolation

switch installation breaks subnet into LAN segments. switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments. segments become separate collision domains.
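The self-learning and filtering behaviour of the last two slides, as an added example that is not from the lecture slides: a switch table of (MAC address, interface, time stamp) entries with TTL expiry drives the decision to flood, forward selectively, or filter each received frame. The MAC addresses, interface numbers and frame sequence are constructed for the example; the class name is this example's own.

```python
# Added example (not from the lecture slides): a self-learning switch table
# and the flood / selective-forward / filter decision it produces.
from typing import Dict, List, Tuple

TTL_SECONDS = 60 * 60                 # slide: TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces: List[int], ttl: int = TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table: Dict[str, Tuple[int, float]] = {}   # MAC -> (interface, time stamp)

    def _expire(self, now: float) -> None:
        """Drop stale entries: the slide's TTL on each (MAC, interface, time stamp)."""
        for mac in [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]:
            del self.table[mac]

    def receive(self, src: str, dst: str, iface: int, now: float) -> List[int]:
        """Return the interfaces the frame goes out on; [] means it was filtered."""
        self._expire(now)
        self.table[src] = (iface, now)                  # learn: sender lives behind iface
        if dst in self.table:
            out_iface, _ = self.table[dst]
            if out_iface == iface:
                return []                               # same LAN segment: filter
            return [out_iface]                          # known location: selective forward
        return [i for i in self.interfaces if i != iface]   # unknown or broadcast: flood


# Constructed hosts: A and C share the hub on interface 1, B is on interface 2.
A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"


def demo() -> List[Tuple[str, List[int]]]:
    sw = LearningSwitch([1, 2, 3])
    return [
        ("A->B, B unknown: flood",        sw.receive(A, B, 1, now=0)),
        ("B->A, A known on 1",            sw.receive(B, A, 2, now=1)),
        ("A->B, B known on 2",            sw.receive(A, B, 1, now=2)),
        ("C->A, same segment: filtered",  sw.receive(C, A, 1, now=3)),
        ("A->broadcast: flood",           sw.receive(A, BROADCAST, 1, now=4)),
        ("A->B after B's TTL expired",    sw.receive(A, B, 1, now=1 + TTL_SECONDS + 1)),
    ]


if __name__ == "__main__":
    for label, out in demo():
        print(f"{label:32s} -> {out}")
```

The filtered case is the traffic-isolation point of the slide: once the switch knows A and C share interface 1, a C-to-A frame never reaches interfaces 2 and 3, so a host there cannot sniff it.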

Figure: switch connected to three hubs; each hub's segment is its own collision domain.

Switches vs. Routers

both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices.
routers maintain routing tables, implement routing algorithms.
switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                     hubs   switches   routers
traffic isolation    no     yes        yes
plug & play          yes    yes        no
optimal routing      no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B.

Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B. (Figure: A's and C's signal strength over space, with B between them.)

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

wireless host communicates with base station. base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station. ad hoc mode: hosts only.

Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

   sender: DIFS, then data     receiver: SIFS, then ACK

Collision Avoidance: RTS-CTS exchange

Figure: A and B send RTS(A) and RTS(B) to the AP at the same time: reservation collision. A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A); B defers for the reserved time.

802.11 frame (field, size in bytes):
   frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

Figure: H1 --- AP --- R1 (Internet router)
   802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
   802.3 frame (AP to R1): dest address = R1 MAC addr, source address = AP MAC addr

Network Security

What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 10: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

RSA example

Bob chooses p = 5, q = 7. Then n = 35, z = 24.
  e = 5 (so e, z relatively prime)
  d = 29 (so ed - 1 exactly divisible by z)

encrypt:
  letter   m     m^e       c = m^e mod n
  l        12    248832    17

decrypt:
  c     c^d                                      m = c^d mod n   letter
  17    481968572106750915091411825223071697     12              l

RSA: why is that $m = (m^e \bmod n)^d \bmod n$?

Useful number theory result: if p, q prime and n = pq, then
  $x^y \bmod n = x^{(y \bmod (p-1)(q-1))} \bmod n$

  $(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
  $= m^{(ed \bmod (p-1)(q-1))} \bmod n$   (using number theory result above)
  $= m^1 \bmod n$   (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
  $= m$

RSA: another important property

The following property will be very useful later:

  $K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$

use public key first, followed by private key; or use private key first, followed by public key. Result is the same.

Overview

  • What is network security
  • Principles of cryptography
  • Authentication
  • Access control: firewalls
  • Attacks and counter measures

Authentication

Goal: Bob wants Alice to "prove" her identity to him.

Protocol ap1.0: Alice says "I am Alice".

Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice").

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.

  Alice -> Bob: "I am Alice", Alice's IP address

Failure scenario: Trudy can create a packet "spoofing" Alice's address.

  Trudy -> Bob: "I am Alice", Alice's IP address

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

  Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password
  Bob -> Alice: OK, Alice's IP addr

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob.

  Trudy -> Bob: "I'm Alice", Alice's IP addr, Alice's password

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

  Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password
  Bob -> Alice: OK, Alice's IP addr

Failure scenario: record and playback still works.

  Trudy -> Bob: "I'm Alice", Alice's IP addr, encrypted password

Authentication: yet another try

Goal: avoid playback attack.

Nonce: number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key.

  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_{A-B}(R)

Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice.

Failures, drawbacks?
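The two protocols side by side, as an added example that is not part of the lecture: a verifier that accepts a fixed "encrypted password" message (ap3.1) accepts the same recording a second time, while the nonce protocol (ap4.0) rejects it. The slide says Alice returns R "encrypted with the shared secret key"; this example stands in a keyed MAC (HMAC-SHA256) for that step, an assumption on my part, since what Bob needs is a value only a holder of K_{A-B} can produce for a fresh R. The key and class names are constructed for the example.

```python
# Added example (not from the slides): why ap3.1 falls to playback and ap4.0 does not.
# HMAC-SHA256 stands in for "R encrypted with the shared key" (an assumption).
import hmac
import hashlib
import secrets

SHARED_KEY = b"constructed-shared-key-K_A-B"   # constructed sample key, not a real secret


class Bob:
    """Verifier. Remembers the nonce he issued and every nonce already used."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = None
        self.used = set()

    # ap3.1-style: a fixed "encrypted password" message is accepted whenever it matches.
    def ap31_check(self, encrypted_password: bytes) -> bool:
        expected = hmac.new(self.key, b"password", hashlib.sha256).digest()
        return hmac.compare_digest(expected, encrypted_password)

    # ap4.0: issue a fresh nonce R, then accept only a MAC over that exact, unused R.
    def challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def verify(self, r: bytes, response: bytes) -> bool:
        if r != self.outstanding or r in self.used:   # not the live challenge, or a replay
            return False
        self.used.add(r)
        self.outstanding = None
        expected = hmac.new(self.key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def alice_respond(key: bytes, r: bytes) -> bytes:
    """Alice proves liveness: K_{A-B}(R), here as HMAC(K_{A-B}, R)."""
    return hmac.new(key, r, hashlib.sha256).digest()


def playback_against_ap31() -> bool:
    """Trudy records Alice's fixed message and replays it: still accepted."""
    bob = Bob(SHARED_KEY)
    recorded = hmac.new(SHARED_KEY, b"password", hashlib.sha256).digest()  # what Alice sent
    return bob.ap31_check(recorded)


def playback_against_ap40() -> tuple:
    """Returns (Alice's live run accepted, replay of the same recording accepted)."""
    bob = Bob(SHARED_KEY)
    r = bob.challenge()
    recorded = alice_respond(SHARED_KEY, r)
    live_ok = bob.verify(r, recorded)
    bob.challenge()                      # Bob issues a new nonce for the next session
    replay_ok = bob.verify(r, recorded)  # the old (R, K(R)) pair is presented again
    return live_ok, replay_ok


if __name__ == "__main__":
    print(playback_against_ap31())   # True: the recording is accepted again
    print(playback_against_ap40())   # (True, False): live run accepted, replay rejected
```

Two details matter for the defence: Bob compares against the nonce he actually issued (not just any nonce he has ever issued), and he marks it used before checking the MAC, so a second presentation of a valid pair is refused regardless of timing.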

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography.

  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_A^-(R)
  Bob -> Alice: "send me your public key"
  Alice -> Bob: K_A^+

Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

  Alice -> Trudy: "I am Alice"              Trudy -> Bob: "I am Alice"
  Bob -> Trudy: R
  Trudy -> Bob: K_T^-(R)
  Bob -> Trudy: "Send me your public key"
  Trudy -> Bob: K_T^+
  Trudy -> Alice: R
  Alice -> Trudy: K_A^-(R)
  Trudy -> Alice: "Send me your public key"
  Alice -> Trudy: K_A^+
  Bob -> Trudy: K_T^+(m)
  Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key: K_A^+(m)
  Alice: m = K_A^-(K_A^+(m))

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g. so Bob, Alice can meet one week later and recall conversation). Problem is that Trudy receives all messages as well.

Overview

  • What is network security
  • Principles of cryptography
  • Authentication
  • Access control: firewalls
  • Attacks and counter measures

Firewalls

firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

  administered network  ---[ firewall ]---  public Internet

Firewalls: Why

  • prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
  • prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else
  • allow only authorized access to inside network (set of authenticated users/hosts)

two types of firewalls: application-level, packet-filtering

Packet Filtering

internal network connected to Internet via router firewall. router filters packet-by-packet; decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
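The two example rules as a small stateless filter, an added example and not code from the lecture. Packet fields and the sample traffic are constructed; real filters read them from parsed IP/TCP headers, but the decision logic is the same. One refinement is mine: Example 2 is implemented as "SYN set and ACK clear", so the SYN-ACK replies to connections that inside hosts opened still pass, which is what makes "allows internal clients to connect to outside" work.

```python
# Added example (not from the slides): a toy stateless packet filter implementing the
# two slide rules over constructed sample packets.
from dataclasses import dataclass

UDP, TCP, ICMP = 17, 6, 1


@dataclass
class Packet:
    direction: str          # "in" (arriving from Internet) or "out" (leaving network)
    src: str
    dst: str
    proto: int              # IP protocol field
    sport: int = 0
    dport: int = 0
    syn: bool = False       # TCP SYN bit
    ack: bool = False       # TCP ACK bit


def rule_example1(p: Packet) -> bool:
    """Example 1: drop if IP protocol = 17 (UDP) or either port = 23 (telnet)."""
    return p.proto == UDP or 23 in (p.sport, p.dport)


def rule_example2(p: Packet) -> bool:
    """Example 2: drop inbound TCP SYN packets (connection attempts from outside).
    SYN with ACK set is the second step of a handshake the inside started, so it passes."""
    return p.direction == "in" and p.proto == TCP and p.syn and not p.ack


def filter_packet(p: Packet) -> str:
    """Packet-by-packet decision: 'drop' if any rule matches, else 'forward'."""
    for rule in (rule_example1, rule_example2):
        if rule(p):
            return "drop"
    return "forward"


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE = [
    Packet("out", "10.0.0.5", "198.51.100.9", UDP, 5353, 53),                      # outgoing DNS over UDP
    Packet("out", "10.0.0.5", "198.51.100.9", TCP, 40000, 23, syn=True),           # outgoing telnet
    Packet("in", "198.51.100.9", "10.0.0.5", TCP, 12345, 80, syn=True),            # outside client's SYN
    Packet("in", "198.51.100.9", "10.0.0.5", TCP, 80, 40001, syn=True, ack=True),  # SYN-ACK to our SYN
    Packet("in", "198.51.100.9", "10.0.0.5", TCP, 80, 40001, ack=True),            # established data
    Packet("in", "198.51.100.9", "10.0.0.5", ICMP),                                # ping reply
]


def decisions(packets=SAMPLE):
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for p, d in zip(SAMPLE, decisions()):
        print(f"{d:8} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} proto={p.proto}")
```

Because the filter keeps no connection state, it cannot tell a genuine SYN-ACK from one an outsider sends unsolicited; that gap is the reason stateful filters track the handshake rather than looking at flag bits alone.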

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

  host-to-gateway telnet session  -->  application gateway  -->  gateway-to-remote host telnet session
                                       router and filter

  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
  3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

  • IP spoofing: router can't know if data "really" comes from claimed source
  • if multiple app's need special treatment, each has own app gateway
  • client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser
  • filters often use all or nothing policy for UDP
  • tradeoff: degree of communication with outside world, level of security
  • many highly protected sites still suffer from attacks

Overview

  • What is network security
  • Principles of cryptography
  • Authentication
  • Access control: firewalls
  • Attacks and counter measures

Internet security threats

Mapping:
  • before attacking: "case the joint", find out what services are implemented on network
  • use ping to determine what hosts have addresses on network
  • port-scanning: try to establish TCP connection to each port in sequence

Countermeasures?

Internet security threats

Mapping: countermeasures
  • record traffic entering network
  • look for suspicious activity (IP addresses, ports being scanned sequentially)
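The mapping countermeasure applied to recorded traffic, as an added example that is not part of the lecture. The log format and the log lines are constructed for the example (one line per TCP SYN seen at the network edge); the detector flags a source whose connection attempts to one host cover many distinct ports, most of them consecutive, which is the "ports being scanned sequentially" pattern the slide names.

```python
# Added example (not from the slides): detecting sequential port scanning in a
# constructed connection log. Format "time src dst dport flags" is invented for the example.
from collections import defaultdict

LOG = """\
1 203.0.113.7 10.0.0.5 21 S
2 203.0.113.7 10.0.0.5 22 S
3 203.0.113.7 10.0.0.5 23 S
4 203.0.113.7 10.0.0.5 24 S
5 203.0.113.7 10.0.0.5 25 S
6 203.0.113.7 10.0.0.5 26 S
7 198.51.100.2 10.0.0.5 80 S
8 198.51.100.2 10.0.0.5 443 S
9 198.51.100.2 10.0.0.5 80 S
"""


def parse(log: str):
    """Turn the constructed log into (time, src, dst, dport, flags) tuples."""
    rows = []
    for line in log.splitlines():
        t, src, dst, dport, flags = line.split()
        rows.append((int(t), src, dst, int(dport), flags))
    return rows


def scan_suspects(log: str, min_ports: int = 5, seq_fraction: float = 0.8):
    """Return {src: sorted ports} for sources whose SYNs to one host reach at least
    min_ports distinct ports with at least seq_fraction of the gaps between them equal to 1."""
    ports = defaultdict(list)
    for t, src, dst, dport, flags in sorted(parse(log)):
        if "S" in flags:                      # connection attempts only
            ports[(src, dst)].append(dport)
    suspects = {}
    for (src, dst), plist in ports.items():
        distinct = sorted(set(plist))
        if len(distinct) < min_ports:
            continue
        steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        if steps / (len(distinct) - 1) >= seq_fraction:
            suspects[src] = distinct
    return suspects


if __name__ == "__main__":
    print(scan_suspects(LOG))   # {'203.0.113.7': [21, 22, 23, 24, 25, 26]}
```

The thresholds are tunable; a scanner that randomizes port order defeats the "consecutive" test but not the "many distinct ports from one source" count, so production detectors usually alert on both.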

Internet security threats: packet sniffing

  • broadcast media
  • promiscuous NIC reads all packets passing by
  • can read all unencrypted data (e.g. passwords)
  • e.g.: C sniffs B's packets

  A  <--- [src:B dest:A payload] ---  B      C (on the same broadcast medium, reading the frame)

Countermeasures?

Internet security threats: packet sniffing countermeasures

  • all hosts in organization run software that checks periodically if host interface in promiscuous mode
  • one host per segment of broadcast media (switched Ethernet at hub)

  A  <--- [src:B dest:A payload] ---  B      C (no longer sees the frame)

Internet security threats: IP Spoofing

  • can generate "raw" IP packets directly from application, putting any value into IP source address field
  • receiver can't tell if source is spoofed
  • e.g.: C pretends to be B

  A  <--- [src:B dest:A payload] ---  C      B

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

  • routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network)
  • great, but ingress filtering can not be mandated for all networks

  A  <--- [src:B dest:A payload] --X-- C      B   (dropped at C's edge router)
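Ingress filtering at the edge router, as an added example that is not part of the lecture. The router's own prefix (10.0.0.0/24) and the outgoing packets are constructed for the example; the rule is the slide's: an outgoing datagram whose source address is not in the router's network is not forwarded, so C's packet carrying B's address is dropped before it leaves.

```python
# Added example (not from the slides): ingress filtering at a network's edge router.
# LOCAL_NET and the sample traffic are constructed for the example.
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")   # the router's own network (assumed)


def egress_allowed(src: str, local_net=LOCAL_NET) -> bool:
    """Forward an outgoing datagram only if its source address belongs to our network."""
    return ipaddress.ip_address(src) in local_net


def filter_outgoing(packets, local_net=LOCAL_NET):
    """packets: iterable of (src, dst). Returns (forwarded, dropped) lists of packets."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if egress_allowed(src, local_net) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed traffic leaving the network: host C (10.0.0.3) puts B's address (198.51.100.8)
# in the source field; the other two packets carry genuine inside addresses.
OUTGOING = [
    ("10.0.0.3", "203.0.113.1"),
    ("198.51.100.8", "203.0.113.1"),
    ("10.0.0.77", "203.0.113.1"),
]

if __name__ == "__main__":
    forwarded, dropped = filter_outgoing(OUTGOING)
    print("forwarded:", forwarded)
    print("dropped:  ", dropped)    # [('198.51.100.8', '203.0.113.1')]
```

The check is cheap and fully local, which is why it works at all; its weakness is the one the slide states: it only helps if the network the spoofed packet originates from actually deploys it.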

Internet security threats: Denial of service (DOS)

  • flood of maliciously generated packets "swamp" receiver
  • Distributed DOS (DDOS): multiple coordinated sources swamp receiver
  • e.g.: C and remote host SYN-attack A

  A  <--- SYN SYN SYN SYN ---  C
  A  <--- SYN SYN ---  remote host            B

Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

  • filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad
  • traceback to source of floods (most likely an innocent, compromised machine)

Review (1): Network Layer

  • Virtual Circuits and Datagram Networks
  • Routing Principles
    • Link State Algorithm
    • Distance Vector Algorithm
  • The Internet (IP) Protocol
    • IPv4 addressing
    • Datagram format
    • IP fragmentation
    • ICMP: Internet Control Message Protocol
    • IPv6
    • NAT: Network Address Translation

Review (2): Routing in the Internet

  • Hierarchical routing
  • RIP
  • OSPF
  • BGP

Data link layer
  • Introduction and services
  • Error detection and correction
  • Multiple access protocols
    • TDMA/FDMA
    • Random Access Protocols
    • "Taking Turns" Protocols
  • Link-Layer Addressing
  • Ethernet
  • Hubs and switches

Mobile and wireless networks
  • CDMA
  • IEEE 802.11 wireless LANs

Review (3): Network security

  • What is network security
  • Principles of cryptography
    • Symmetric Key
    • Public Key
  • Authentication
    • Protocol evolution
  • Access control: firewalls
  • Attacks and counter measures
    • Packet sniffing
    • IP spoofing
    • DoS attacks

Routing Algorithm classification

Global or decentralized information?
  • Global: all routers have complete topology, link cost info: "link state" algorithms
  • Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors: "distance vector" algorithms

Static or dynamic?
  • Static: routes change slowly over time
  • Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm

  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞

  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'

Dijkstra's algorithm: example

Graph (link costs, from the figure): u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2

  Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
  0     u         2,u        5,u        1,u        ∞          ∞
  1     ux        2,u        4,x                   2,x        ∞
  2     uxy       2,u        3,y                              4,y
  3     uxyv                 3,y                              4,y
  4     uxyvw                                                 4,y
  5     uxyvwz
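The algorithm run over the slide's graph from source u, as an added example that is not code from the lecture. It records N' after each step and returns D(v) and p(v), from which the forwarding table (next hop per destination) is read off the predecessor chain. Ties are broken alphabetically here; at step 2 the slide takes y before v (both at cost 2), which is equally valid and gives the same final D and p. The graph dictionary and function names are mine.

```python
# Added example (not from the slides): Dijkstra's link-state algorithm on the slide's
# graph, with the N' set after each step and the resulting forwarding table.
import math

# Undirected link costs from the slide's figure.
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def neighbours(graph):
    """Adjacency map built from the undirected edge list."""
    adj = {}
    for (a, b), cost in graph.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def dijkstra(graph, source):
    """Returns (D, p, steps): least costs, predecessors, and N' after each step."""
    adj = neighbours(graph)
    D = {n: math.inf for n in adj}
    p = {n: None for n in adj}
    D[source] = 0
    for v, c in adj[source].items():       # initialization: D(v) = c(u,v) for neighbours of u
        D[v], p[v] = c, source
    N = [source]
    steps = ["".join(N)]
    while len(N) < len(adj):
        # find w not in N' with minimum D(w); ties broken alphabetically
        w = min((n for n in adj if n not in N), key=lambda n: (D[n], n))
        N.append(w)
        for v, c in adj[w].items():
            if v not in N and D[w] + c < D[v]:   # D(v) = min(D(v), D(w) + c(w,v))
                D[v], p[v] = D[w] + c, w
        steps.append("".join(N))
    return D, p, steps


def forwarding_table(graph, source):
    """Next hop from source to every destination, read off the predecessor chain."""
    D, p, _ = dijkstra(graph, source)
    table = {}
    for dest in D:
        if dest == source:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, steps = dijkstra(GRAPH, "u")
    print(steps)                        # ['u', 'ux', 'uxv', 'uxvy', 'uxvyw', 'uxvywz']
    print(D)                            # {'u': 0, 'v': 2, 'x': 1, 'w': 3, 'y': 2, 'z': 4}
    print(forwarding_table(GRAPH, "u"))  # {'v': 'v', 'x': 'x', 'w': 'x', 'y': 'x', 'z': 'x'}
```

With a linear scan for the minimum this is O(n^2) per source, which is what the slide's pseudocode describes; a heap brings the scan down but does not change the result.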

Distance vector algorithm (1)

Basic idea:
  • Each node periodically sends its own distance vector estimate to neighbors
  • When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

  $D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$   for each node $y \in N$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
  • local link cost change
  • DV update message from neighbor

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path, only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

Example: three nodes x, y, z with link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7. Each table lists "cost to" x, y, z (columns) "from" x, y, z (rows); tables are shown at the initial time, after the first exchange and after the second exchange.

node x table:
       x  y  z          x  y  z          x  y  z
  x    0  2  7     x    0  2  3     x    0  2  3
  y    ∞  ∞  ∞     y    2  0  1     y    2  0  1
  z    ∞  ∞  ∞     z    7  1  0     z    3  1  0

node y table:
       x  y  z          x  y  z          x  y  z
  x    ∞  ∞  ∞     x    0  2  7     x    0  2  3
  y    2  0  1     y    2  0  1     y    2  0  1
  z    ∞  ∞  ∞     z    7  1  0     z    3  1  0

node z table:
       x  y  z          x  y  z          x  y  z
  x    ∞  ∞  ∞     x    0  2  7     x    0  2  3
  y    ∞  ∞  ∞     y    2  0  1     y    2  0  1
  z    7  1  0     z    3  1  0     z    3  1  0

  $D_x(y) = \min\{ c(x,y) + D_y(y),\ c(x,z) + D_z(y) \} = \min\{ 2+0,\ 7+1 \} = 2$
  $D_x(z) = \min\{ c(x,y) + D_y(z),\ c(x,z) + D_z(z) \} = \min\{ 2+1,\ 7+0 \} = 3$
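The Bellman-Ford update run synchronously on the slide's three-node network, as an added example that is not code from the lecture. Each round every node recomputes D_x(y) from its neighbours' last advertised vectors; the run stops when no vector changes, which is the moment the slide's "notify neighbors only if DV changed" rule would go quiet. The cost table and function names are mine.

```python
# Added example (not from the slides): the distance-vector (Bellman-Ford) iteration on the
# slide's network x-y 2, y-z 1, x-z 7, run synchronously until no table changes.
import math

COST = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}


def initial_vectors(cost):
    """Each node starts knowing only its direct link costs (0 to itself, inf otherwise)."""
    nodes = sorted(cost)
    return {x: {y: (0 if x == y else cost[x].get(y, math.inf)) for y in nodes} for x in nodes}


def bellman_ford_step(cost, vectors):
    """D_x(y) <- min_v { c(x,v) + D_v(y) } using the neighbours' latest advertised vectors."""
    new = {}
    for x in vectors:
        new[x] = {}
        for y in vectors:
            if x == y:
                new[x][y] = 0
                continue
            new[x][y] = min(cost[x][v] + vectors[v][y] for v in cost[x])
    return new


def run_dv(cost):
    """Iterate until every node's DV stops changing; returns (final vectors, rounds run)."""
    vectors = initial_vectors(cost)
    rounds = 0
    while True:
        new = bellman_ford_step(cost, vectors)
        rounds += 1
        if new == vectors:          # no node would notify its neighbours: converged
            return vectors, rounds
        vectors = new


if __name__ == "__main__":
    vectors, rounds = run_dv(COST)
    print(vectors["x"])   # {'x': 0, 'y': 2, 'z': 3}: D_x(z) = min(2+1, 7+0) = 3
    print(vectors["z"])   # {'x': 3, 'y': 1, 'z': 0}
    print(rounds)         # 2: one round changes x's and z's vectors, the next confirms nothing moves
```

The synchronous schedule is a simplification; in the real protocol the exchanges are asynchronous, but the converged vectors are the same.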

The Internet Network layer

Host, router network layer functions:

  Transport layer: TCP, UDP

  Network layer:
    • Routing protocols: path selection; RIP, OSPF, BGP
    • IP protocol: addressing conventions, datagram format, packet handling conventions
    • ICMP protocol: error reporting, router "signaling"
    • forwarding table

  Link layer
  physical layer

IP datagram format (32 bits per row)

  ver | head. len | type of service | length
  16-bit identifier | flgs | fragment offset
  time to live | upper layer | Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any)
  data (variable length, typically a TCP or UDP segment)

  ver: IP protocol version number
  head. len: header length (bytes)
  type of service: "type" of data
  length: total datagram length (bytes)
  16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
  time to live: max number remaining hops (decremented at each router)
  upper layer: upper layer protocol to deliver payload to
  Options: e.g. timestamp, record route taken, specify list of routers to visit

how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface.

interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

  (figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.1, 223.1.2.2, 223.1.3.27, 223.1.3.1, 223.1.3.2)

  223.1.1.1 = 11011111 00000001 00000001 00000001
              223      1        1        1

Subnets

IP address:
  • subnet part (high order bits)
  • host part (low order bits)

What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router.

  (figure: network consisting of 3 subnets, each a LAN:
    223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4
    223.1.2.1, 223.1.2.2, 223.1.2.9
    223.1.3.1, 223.1.3.2, 223.1.3.27)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing
  • subnet portion of address of arbitrary length
  • address format: a.b.c.d/x, where x is # bits in subnet portion of address

  11001000 00010111 00010000 00000000   = 200.23.16.0/23
  |<---- subnet part (23 bits) ---->|<-- host part -->|

NAT: Network Address Translation

  local network (e.g. home network) 10.0.0/24: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router 10.0.0.4
  NAT router's address towards the rest of Internet: 138.76.29.7

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual).

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers.

NAT: Network Address Translation

  1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
       S: 10.0.0.1, 3345   D: 128.119.40.186, 80
  2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
       S: 138.76.29.7, 5001   D: 128.119.40.186, 80
  3: Reply arrives, dest address: 138.76.29.7, 5001
       S: 128.119.40.186, 80   D: 138.76.29.7, 5001
  4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
       S: 128.119.40.186, 80   D: 10.0.0.1, 3345

  NAT translation table
  WAN side addr          LAN side addr
  138.76.29.7, 5001      10.0.0.1, 3345
  ...                    ...
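The four steps as a NAT router with a translation table, an added example that is not code from the lecture. The addresses are the slide's (10.0.0.1:3345 to 128.119.40.186:80 through 138.76.29.7); the WAN-side port 5001 is the slide's value, allocated here sequentially from a counter, which is my simplification. The example also shows the side effect the table implies: a packet arriving from outside with no matching entry has nowhere to go.

```python
# Added example (not from the slides): a NAT router walking through the slide's four steps.
# Sequential WAN-port allocation starting at 5001 is a simplification for the example.
NAT_IP = "138.76.29.7"


class NatRouter:
    def __init__(self, wan_ip=NAT_IP, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}          # (WAN addr, WAN port) -> (LAN addr, LAN port)
        self.reverse = {}        # (LAN addr, LAN port) -> (WAN addr, WAN port)

    def outbound(self, src, sport, dst, dport):
        """Step 2: rewrite source addr/port to the single NAT IP and a fresh port; update table."""
        key = (src, sport)
        if key not in self.reverse:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.reverse[key] = wan
            self.table[wan] = key
        wan_ip, wan_port = self.reverse[key]
        return (wan_ip, wan_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Step 4: a reply to (NAT IP, WAN port) is rewritten back to the LAN host.
        Returns None when no entry exists: unsolicited packets from outside cannot be delivered."""
        lan = self.table.get((dst, dport))
        if lan is None:
            return None
        return (src, sport, lan[0], lan[1])


def walkthrough():
    """Returns (translated outbound datagram, translated reply, result for an unsolicited packet)."""
    nat = NatRouter()
    out = nat.outbound("10.0.0.1", 3345, "128.119.40.186", 80)    # steps 1-2
    back = nat.inbound("128.119.40.186", 80, NAT_IP, out[1])       # steps 3-4
    unsolicited = nat.inbound("203.0.113.9", 4444, NAT_IP, 6000)   # constructed: no table entry
    return out, back, unsolicited


if __name__ == "__main__":
    out, back, unsolicited = walkthrough()
    print(out)           # ('138.76.29.7', 5001, '128.119.40.186', 80)
    print(back)          # ('128.119.40.186', 80, '10.0.0.1', 3345)
    print(unsolicited)   # None
```

A second connection from the same host and port reuses its entry, and a second host gets the next port; that single-address, many-ports mapping is the whole mechanism.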

Hierarchical Routing

Our routing study thus far: idealization: all routers identical, network "flat"... not true in practice.

scale: with 200 million destinations:
  • can't store all dest's in routing tables!
  • routing table exchange would swamp links!

administrative autonomy:
  • internet = network of networks
  • each network admin may want to control routing in its own network

Hierarchical Routing

  • aggregate routers into regions, "autonomous systems" (AS)
  • routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol

Gateway router: direct link to router in another AS.

  (figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; gateway routers link the ASes; each router runs an intra-AS routing algorithm and an inter-AS routing algorithm, which together fill its forwarding table)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm:
  • Intra-AS sets entries for internal dests
  • Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

  • Intra-AS routing: RIP and OSPF
  • Inter-AS routing: BGP

RIP (Routing Information Protocol)

  • Distance vector algorithm
  • Included in BSD-UNIX Distribution in 1982
  • Distance metric: # of hops (max = 15 hops)
    # of hops = # of subnets traversed along the shortest path from src router to dst subnet

  e.g. src = A (figure: routers A, B, C, D; subnets u, v, w, x, y, z)

  destination   hops
  u             1
  v             2
  w             2
  x             3
  y             3
  z             2

RIP advertisements

  • Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
  • Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

  • "open": publicly available
  • Uses Link State algorithm
    • LS packet dissemination
    • Topology map at each node
    • Route computation using Dijkstra's algorithm
    • Link costs configured by the network administrator
  • OSPF advertisement carries one entry per neighbor router
  • Advertisements disseminated to entire AS (via flooding)
    • Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

  • Security: all OSPF messages authenticated (to prevent malicious intrusion)
  • Multiple same-cost paths allowed (only one path in RIP)
  • For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
  • Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
  • Hierarchical OSPF in large domains

Hierarchical OSPF

  • Two-level hierarchy: local area, backbone
    • Link-state advertisements only in area
    • each node has detailed area topology
  • Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
  • Backbone routers: run OSPF routing limited to backbone
  • Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here".

BGP basics

  • Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  • Note that BGP sessions do not correspond to physical links
  • When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  • AS2 can aggregate prefixes in its advertisement

  (figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed, e.g. AS 67, AS 17
  • NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert, uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy:
  • Inter-AS: admin wants control over how its traffic routed, who routes through its net
  • Intra-AS: single admin, so no policy decisions needed

Scale:
  • hierarchical routing saves table size, reduced update traffic

Performance:
  • Intra-AS: can focus on performance
  • Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
  • hosts and routers are nodes
  • communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
  • layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.

Link Layer Services

  • Framing, link access:
    • encapsulate datagram into frame, adding header, trailer
    • channel access if shared medium
    • "MAC" addresses used in frame headers to identify source, dest; different from IP address
  • Reliable delivery between adjacent nodes:
    • we learned how to do this already (chapter 3)
    • seldom used on low bit error link (fiber, some twisted pair)
    • wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
  • Channel Partitioning
    • divide channel into smaller "pieces" (time slots, frequency, code)
    • allocate piece to node for exclusive use
  • Random Access
    • channel not divided, allow collisions
    • "recover" from collisions
  • "Taking turns"
    • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
  • access to channel in "rounds"
  • each station gets fixed length slot (length = pkt trans time) in each round
  • unused slots go idle
  • example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros:
  • single active node can continuously transmit at full rate of channel
  • highly decentralized: only slots in nodes need to be in sync
  • simple

Cons:
  • collisions, wasting slots
  • idle slots
  • clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p.

  prob that node 1 has success in a slot = $p(1-p)^{N-1}$
  prob that there is a success = $Np(1-p)^{N-1}$

For max efficiency with N nodes, find p* that maximizes $Np(1-p)^{N-1}$.

For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity; gives $1/e = .37$.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: channel used for useful transmissions 37% of time!
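The efficiency calculation carried out numerically, as an added example that is not part of the lecture. Differentiating Np(1-p)^(N-1) gives p* = 1/N; the code checks that against a brute-force search over p, then evaluates the maximum for growing N to show it approaching 1/e. Function names are mine.

```python
# Added example (not from the slides): slotted ALOHA efficiency, p* = 1/N and the 1/e limit.
import math


def success_prob(n: int, p: float) -> float:
    """Probability that exactly one of n nodes transmits in a slot: N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n: int) -> float:
    """Setting d/dp of N p (1-p)^(N-1) to zero gives p* = 1/N."""
    return 1.0 / n


def max_efficiency(n: int) -> float:
    """Long-run fraction of successful slots with N nodes all using p*."""
    return success_prob(n, best_p(n))


def numeric_best_p(n: int, grid: int = 10000) -> float:
    """Brute-force check of p* on a grid, independent of the calculus."""
    return max((k / grid for k in range(1, grid)), key=lambda p: success_prob(n, p))


if __name__ == "__main__":
    for n in (2, 5, 10, 100, 1000):
        print(n, round(best_p(n), 4), round(max_efficiency(n), 4))
    print(round(1 / math.e, 4))   # 0.3679: the large-N limit, "37%"
```

For N = 2 the optimum is p = 1/2 with efficiency 1/2; the efficiency falls monotonically towards 1/e as N grows, so 37% is the floor for a large population, not a typical value for a small one.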

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
  • If channel sensed idle: transmit entire frame
  • If channel sensed busy: defer transmission

Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission.

collision: entire packet transmission time wasted.

(figure: spatial layout of nodes)

note: role of distance & propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
  • collisions detected within short time
  • colliding transmissions aborted, reducing channel wastage

collision detection:
  • easy in wired LANs: measure signal strengths, compare transmitted, received signals
  • difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection (figure)

"Taking Turns" MAC protocols

Polling:
  • master node "invites" slave nodes to transmit in turn
  • concerns: polling overhead, latency, single point of failure (master)

Token passing:
  • control token passed from one node to next sequentially
  • token message
  • concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table.

ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).

Question: how to determine MAC address of B knowing B's IP address?

  (figure: LAN with hosts at IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)

ARP protocol: Same LAN (network)

  • A wants to send datagram to B, and B's MAC address not in A's ARP table.
  • A broadcasts ARP query packet, containing B's IP address
    • Dest MAC address = FF-FF-FF-FF-FF-FF
    • all machines on LAN receive ARP query
  • B receives ARP packet, replies to A with its (B's) MAC address
    • frame sent to A's MAC address (unicast)
  • A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
    • soft state: information that times out (goes away) unless refreshed
  • ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address.

  • Two ARP tables in router R, one for each IP network (LAN)
  • In routing table at source Host, find router 111.111.111.110
  • In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

  A  ---  R  ---  B

  • A creates datagram with source A, destination B
  • A uses ARP to get R's MAC address for 111.111.111.110
  • A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
  • A's adapter sends frame
  • R's adapter receives frame
  • R removes IP datagram from Ethernet frame, sees it's destined to B
  • R uses ARP to get B's MAC address
  • R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

  • No slots
  • adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
  • transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
  • Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

  1. Adaptor receives datagram from net layer & creates frame
  2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
  3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
  4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
  5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.

Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.

Exponential Backoff:
  • Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
  • first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
  • after second collision: choose K from {0, 1, 2, 3} ...
  • after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
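The backoff schedule in code, as an added example that is not part of the lecture. It gives the size of the K range after the m-th collision (capped at 1024 choices, so K stays at most 1023), the wait in microseconds for a chosen K at 10 Mbps, and a short simulated run of consecutive collisions; the K = 1023 case reproduces the slide's "about 50 msec". Constants and names are mine.

```python
# Added example (not from the slides): Ethernet exponential backoff as the slide describes it:
# after the m-th collision choose K from {0, ..., 2^m - 1} (K <= 1023), wait K * 512 bit times.
import random

BIT_TIME_US = 0.1          # 10 Mbps Ethernet: one bit time is 0.1 microsecond
SLOT_BITS = 512


def k_range(m: int) -> int:
    """Number of choices for K after the m-th collision: 2^m, capped at 1024 (K <= 1023)."""
    return min(2 ** m, 1024)


def backoff_slots(m: int, rng=random) -> int:
    """Random K in {0, 1, ..., k_range(m) - 1}."""
    return rng.randrange(k_range(m))


def wait_time_us(k: int, bit_time_us: float = BIT_TIME_US) -> float:
    """K * 512 bit times, in microseconds."""
    return k * SLOT_BITS * bit_time_us


def simulate(collisions: int, seed: int = 1):
    """Sequence of (m, K, wait in microseconds) for a run of consecutive collisions on one frame."""
    rng = random.Random(seed)
    out = []
    for m in range(1, collisions + 1):
        k = backoff_slots(m, rng)
        out.append((m, k, wait_time_us(k)))
    return out


if __name__ == "__main__":
    print(k_range(1), k_range(2), k_range(10), k_range(16))   # 2 4 1024 1024
    print(wait_time_us(1023) / 1000, "ms")                     # 52.4 ms: "about 50 msec"
    for m, k, w in simulate(12):
        print(f"collision {m:2d}: K={k:4d} wait={w:8.1f} us")
```

Under heavy load the expected wait roughly doubles per collision until the cap, which is the load adaptation the slide describes; the cap keeps a single unlucky frame from waiting unboundedly.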

CSMA/CD efficiency

  $t_{prop}$ = max prop between 2 nodes in LAN
  $t_{trans}$ = time to transmit max-size frame

  $\text{efficiency} = \dfrac{1}{1 + 5\, t_{prop} / t_{trans}}$

  • Efficiency goes to 1 as $t_{prop}$ goes to 0
  • Goes to 1 as $t_{trans}$ goes to infinity
  • Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters:
  • bits coming from one link go out all other links
  • at the same rate
  • no frame buffering
  • no CSMA/CD at hub: adapters detect collisions
  • provides net management functionality: can disconnect a malfunctioning adapter

  (figure: hub with twisted pair links)

Interconnecting with hubs

Pros:
  • Enables interdepartmental communication
  • Extends max distance btw nodes
  • If a hub malfunctions, the backbone hub can disconnect it

Cons:
  • Collision domains are transferred into one large common domain
  • Cannot interconnect 10BaseT and 100BaseT hubs

  (figure: backbone hub connecting three department hubs)

Switch

Link layer device:
  • stores and forwards Ethernet frames
  • examines frame header and selectively forwards frame based on MAC dest address
  • when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent: hosts are unaware of presence of switches

plug-and-play, self-learning: switches do not need to be configured

Forwarding

  • How to determine onto which LAN segment to forward frame?
  • Looks like a routing problem...

  (figure: switch with interfaces 1, 2, 3, each connected to a hub)

Self learning

  • A switch has a switch table
  • entry in switch table: (MAC Address, Interface, Time Stamp)
  • stale entries in table dropped (TTL can be 60 min)
  • switch learns which hosts can be reached through which interfaces
    • when frame received, switch "learns" location of sender: incoming LAN segment
    • records sender/location pair in switch table
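A self-learning switch with the table described above, as an added example that is not code from the lecture. It learns the sender's interface from every received frame, floods frames for unknown destinations, forwards known ones to a single interface, filters frames whose destination is on the arriving segment (the traffic isolation on the next slide), and expires entries after the TTL. The MAC addresses are the ones from the ARP slide; the 60-minute TTL is the slide's; interface numbers and the scenario are mine.

```python
# Added example (not from the slides): a self-learning switch with a
# MAC -> (interface, timestamp) table, flooding, filtering and TTL expiry.
TTL_SECONDS = 60 * 60   # "TTL can be 60 min"


class Switch:
    def __init__(self, interfaces, ttl=TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}      # MAC -> (interface, last-seen time)

    def _expire(self, now):
        stale = [mac for mac, (_, t) in self.table.items() if now - t > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, iface, now):
        """Learn the sender's location, then decide where the frame goes.
        Returns the list of interfaces the frame is sent out on."""
        self._expire(now)
        self.table[src_mac] = (iface, now)          # record sender/location pair
        entry = self.table.get(dst_mac)
        if entry is None:                           # unknown destination: flood all other interfaces
            return [i for i in self.interfaces if i != iface]
        out_iface, _ = entry
        if out_iface == iface:                      # same LAN segment: not forwarded (filtered)
            return []
        return [out_iface]


def demo():
    """Four frames through a three-interface switch; returns the output interfaces of each."""
    sw = Switch(interfaces=[1, 2, 3])
    a, b, c = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"
    r1 = sw.receive(a, b, 1, now=0)                     # b unknown: flood to 2 and 3
    r2 = sw.receive(b, a, 2, now=1)                     # a learned on 1: forward only to 1
    r3 = sw.receive(c, a, 1, now=2)                     # a is on the arriving interface: filtered
    r4 = sw.receive(b, c, 2, now=3 + TTL_SECONDS + 1)   # c's entry expired: flood again
    return r1, r2, r3, r4


if __name__ == "__main__":
    print(demo())   # ([2, 3], [1], [], [1, 3])
```

Because the table is keyed only by the source MAC of whatever arrives, a host that sends frames with another host's source address rewrites that host's entry; switches that pin a MAC to a port (port security) exist precisely to close that gap.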

Switch: traffic isolation

  • switch installation breaks subnet into LAN segments
  • switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
  • segments become separate collision domains

  (figure: switch connecting three hubs, each hub's segment its own collision domain)

Switches vs. Routers

  • both store-and-forward devices
    • routers: network layer devices (examine network layer headers)
    • switches are link layer devices
  • routers maintain routing tables, implement routing algorithms
  • switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                      hubs   switches   routers
  traffic isolation   no     yes        yes
  plug & play         yes    yes        no
  optimal routing     no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem (figure: A, B, C in a line, with A and C out of each other's range)
  • B, A hear each other
  • B, C hear each other
  • A, C can not hear each other, means A, C unaware of their interference at B

Signal fading (figure: A's and C's signal strength falling off over space, overlapping only at B)
  • B, A hear each other
  • B, C hear each other
  • A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN

  • 802.11b
    • 2.4-5 GHz unlicensed radio spectrum
    • up to 11 Mbps
    • direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code
    • widely deployed, using base stations
  • 802.11a
    • 5-6 GHz range
    • up to 54 Mbps
  • 802.11g
    • 2.4-5 GHz range
    • up to 54 Mbps

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

  • wireless host communicates with base station; base station = access point (AP)
  • Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
    • wireless hosts
    • access point (AP): base station
  • ad hoc mode: hosts only

  (figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
  1. if sense channel idle for DIFS then transmit entire frame (no CD)
  2. if sense channel busy then
     - start random backoff time
     - timer counts down while channel idle
     - transmit when timer expires
     - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
  - if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

  sender                      receiver
    |-- DIFS, then data ------->|
    |<-- SIFS, then ACK --------|

Collision Avoidance: RTS-CTS exchange

  (figure, time running downward: A and B both send RTS to the AP; RTS(A) and RTS(B) collide at the AP (reservation collision); A's RTS(A) gets through; the AP broadcasts CTS(A), which A and B both hear; A sends DATA(A); the AP returns ACK(A); B defers while the reservation holds)

802.11 frame format (field sizes in bytes):

  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
  2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4

802.11 frame addressing

  • Address 1: MAC address of wireless host or AP to receive this frame
  • Address 2: MAC address of wireless host or AP transmitting this frame
  • Address 3: MAC address of router interface to which AP is attached
  • Address 4: used only in ad hoc mode

Example (figure): wireless host H1 sends through the AP to Internet router R1.

  802.11 frame:   address 1 = AP MAC addr   address 2 = H1 MAC addr   address 3 = R1 MAC addr
  802.3 frame:    dest address = R1 MAC addr   source address = AP MAC addr

Network Security

- What is network security?
- Principles of cryptography: Symmetric Key; Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and countermeasures: Packet sniffing; IP spoofing; DoS attacks


RSA: Why is that?

We must show that $(m^e \bmod n)^d \bmod n = m$, i.e. that $m^{ed} \bmod n = m$.

Useful number theory result: if $p, q$ prime and $n = pq$, then

$x^y \bmod n = x^{(y \bmod (p-1)(q-1))} \bmod n$

Then

$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$

$= m^{(ed \bmod (p-1)(q-1))} \bmod n$ (using number theory result above)

$= m^1 \bmod n$ (since we chose $ed$ to be divisible by $(p-1)(q-1)$ with remainder 1)

$= m$

RSA: another important property

The following property will be very useful later:

$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$

use public key first, followed by private key; or use private key first, followed by public key. Result is the same!
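Toy RSA in Python illustrating the two results above (decryption undoes encryption because $ed \bmod (p-1)(q-1) = 1$, and the two key orders give the same result); an added example, not lecture code, using deliberately tiny primes that must never be used for real keys.

```python
"""Toy RSA illustrating the two slide results: (1) decryption undoes encryption
because ed == 1 mod (p-1)(q-1), and (2) applying the public and private keys in
either order gives the same result. Added example; the primes are deliberately
tiny (teaching size only)."""
from math import gcd


def make_keys(p: int, q: int, e: int):
    """Follow the 'choosing keys' recipe: n = pq, z = (p-1)(q-1), e relatively
    prime to z, d the inverse of e mod z, so that ed mod z == 1."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, z)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key K+ = (n, e), private key K- = (n, d)


def apply_key(key, m: int) -> int:
    """K(m) = m^exp mod n: the same operation serves encryption and decryption."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exp, n)


def encrypt_decrypt(p: int, q: int, e: int, m: int):
    """Returns (ciphertext, recovered plaintext): c = m^e mod n, m = c^d mod n."""
    pub, priv = make_keys(p, q, e)
    c = apply_key(pub, m)
    return c, apply_key(priv, c)


def exponent_reduces(p: int, q: int, e: int, m: int) -> bool:
    """The number-theory step: m^(ed) mod n == m^(ed mod (p-1)(q-1)) mod n == m."""
    (n, _), (_, d) = make_keys(p, q, e)
    z = (p - 1) * (q - 1)
    return pow(m, e * d, n) == pow(m, (e * d) % z, n) == m % n


def commutes(p: int, q: int, e: int, m: int) -> bool:
    """K-(K+(m)) == K+(K-(m)) == m: public-then-private equals private-then-public."""
    pub, priv = make_keys(p, q, e)
    return apply_key(priv, apply_key(pub, m)) == m == apply_key(pub, apply_key(priv, m))


if __name__ == "__main__":
    # p=5, q=7, e=5, m=12 gives ciphertext 17 (the inverse of 5 mod 24 is 5;
    # 29, which the lecture's example uses, is the same exponent mod 24)
    print(encrypt_decrypt(5, 7, 5, 12))
    print(commutes(61, 53, 17, 65))
```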

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Authentication

Goal: Bob wants Alice to "prove" her identity to him

Protocol ap1.0: Alice says "I am Alice"

Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice").

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address

Failure scenario: Trudy can create a packet "spoofing" Alice's address ("I am Alice", with Alice's IP address as source).

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it

[Figure: Alice sends "I'm Alice", Alice's IP addr, Alice's password; Bob replies OK]

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob ("I'm Alice", Alice's IP addr, Alice's password), and Bob again replies OK.

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it

[Figure: Alice sends "I'm Alice", Alice's IP addr, encrypted password; Bob replies OK]

Failure scenario: record and playback still works. Trudy replays the recorded "I'm Alice", Alice's IP addr, encrypted password, and Bob again replies OK.

Authentication: yet another try

Goal: avoid playback attack

Nonce: number (R) used only once-in-a-lifetime

ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key:

- Alice → Bob: "I am Alice"
- Bob → Alice: R
- Alice → Bob: $K_{A\text{-}B}(R)$

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!

Failures, drawbacks?
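An added simulation (not from the lecture) of ap4.0 from Bob's side, showing why a recorded (R, K_A-B(R)) pair is useless the second time; it assumes HMAC-SHA256 as the keyed function in place of the encryption the slide names, and the shared key bytes are constructed.

```python
"""ap4.0 nonce authentication and why it defeats the playback attack that breaks
ap3.0/ap3.1. Added example. Assumption: the keyed function over R is HMAC-SHA256
rather than a cipher; only a holder of K_A-B can produce a valid value for a
fresh R, which is what the protocol needs."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key-K_A-B"   # constructed sample key


def keyed(key: bytes, nonce: bytes) -> bytes:
    """Stands in for K_A-B(R) on the slide."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob:
    """Verifier: issues a fresh nonce per attempt and accepts a response only for
    a nonce that is outstanding; each nonce is used once in a lifetime."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)        # fresh, unpredictable R
        self.outstanding.add(r)
        return r

    def verify(self, r: bytes, response: bytes) -> bool:
        if r not in self.outstanding:      # replayed, already used, or never issued
            return False
        self.outstanding.discard(r)        # R can never be accepted again
        return hmac.compare_digest(response, keyed(self.key, r))


class Alice:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, r: bytes) -> bytes:
        return keyed(self.key, r)


def static_password_accepts_replay() -> bool:
    """ap3.1 for contrast: Bob compares against a fixed expected value, so a
    recorded copy of Alice's message passes every time."""
    expected = keyed(SHARED_KEY, b"password")        # 'encrypted password'
    recorded = keyed(SHARED_KEY, b"password")        # Trudy's recording
    return hmac.compare_digest(recorded, expected)   # True: replay succeeds


def run_ap40() -> bool:
    bob, alice = Bob(SHARED_KEY), Alice(SHARED_KEY)
    r = bob.challenge()
    return bob.verify(r, alice.respond(r))


def run_playback() -> bool:
    """Trudy records (R, K(R)) from a legitimate run and replays it later."""
    bob, alice = Bob(SHARED_KEY), Alice(SHARED_KEY)
    r = bob.challenge()
    recorded = (r, alice.respond(r))
    bob.verify(*recorded)                  # legitimate run: accepted
    return bob.verify(*recorded)           # replay: rejected (False)


def run_without_key() -> bool:
    """A fresh challenge cannot be answered without K_A-B."""
    bob = Bob(SHARED_KEY)
    r = bob.challenge()
    return bob.verify(r, keyed(b"constructed-wrong-key", r))
```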

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography

- Alice → Bob: "I am Alice"
- Bob → Alice: R
- Alice → Bob: $K_A^-(R)$
- Bob → Alice: "send me your public key"
- Alice → Bob: $K_A^+$

Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

[Figure: message flow, Alice on the left, Trudy in the middle, Bob on the right]
- Alice → Trudy: "I am Alice"; Trudy → Bob: "I am Alice"
- Bob → Trudy: R; Trudy → Bob: $K_T^-(R)$
- Bob → Trudy: "Send me your public key"; Trudy → Bob: $K_T^+$
- Trudy → Alice: R; Alice → Trudy: $K_A^-(R)$
- Trudy → Alice: "Send me your public key"; Alice → Trudy: $K_A^+$
- Bob → Trudy: $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$ and sends m to Alice encrypted with Alice's public key, $K_A^+(m)$; Alice recovers $m = K_A^-(K_A^+(m))$

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!


Firewalls

isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others

[Figure: administered network | firewall | public Internet]

Firewalls: Why

- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
- two types of firewalls: application-level; packet-filtering

Packet Filtering

- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits

Should arriving packet be allowed in? Departing packet let out?

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; application gateway; router and filter; gateway-to-remote host telnet session]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple apps need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP
- tradeoff: degree of communication with outside world vs. level of security
- many highly protected sites still suffer from attacks


Internet security threats

Mapping:
- before attacking: "case the joint", find out what services are implemented on network
- use ping to determine what hosts have addresses on network
- port-scanning: try to establish TCP connection to each port in sequence

Countermeasures?

Mapping countermeasures:
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
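The countermeasure above as code: an added example (not from the lecture) that parses recorded inbound connection attempts and flags a source probing a host's ports in sequence; the log format and the addresses in it are constructed.

```python
"""Mapping countermeasure from the slide: record traffic entering the network and
flag sources that probe ports sequentially. Added example; the log format
(time src -> dst proto dport=N) and all addresses are constructed."""
from collections import defaultdict

# Constructed sample of inbound TCP connection attempts recorded at the border.
SAMPLE_LOG = """\
10:00:01 198.51.100.7 -> 203.0.113.10 tcp dport=21
10:00:01 198.51.100.7 -> 203.0.113.10 tcp dport=22
10:00:02 198.51.100.7 -> 203.0.113.10 tcp dport=23
10:00:02 198.51.100.7 -> 203.0.113.10 tcp dport=24
10:00:02 198.51.100.7 -> 203.0.113.10 tcp dport=25
10:00:03 198.51.100.7 -> 203.0.113.10 tcp dport=26
10:00:05 192.0.2.44 -> 203.0.113.10 tcp dport=443
10:00:06 192.0.2.44 -> 203.0.113.10 tcp dport=443
10:00:07 192.0.2.45 -> 203.0.113.11 tcp dport=80
"""


def parse(line: str):
    """One record -> (time, src, dst, dport)."""
    ts, src, _, dst, _, port = line.split()
    return ts, src, dst, int(port.split("=", 1)[1])


def longest_sequential_run(ports) -> int:
    """Length of the longest run of consecutive ascending ports, in the order
    the probes were seen (a scanner walking ports 'in sequence')."""
    best = cur = 1
    for a, b in zip(ports, ports[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def find_scanners(log_text: str, min_run: int = 4):
    """Map (src, dst) -> longest sequential run for pairs at or above min_run.
    Normal clients (repeat hits on one port, single requests) are not flagged."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            _, src, dst, port = parse(line)
            probes[(src, dst)].append(port)
    runs = {pair: longest_sequential_run(ports) for pair, ports in probes.items()}
    return {pair: run for pair, run in runs.items() if run >= min_run}


if __name__ == "__main__":
    for (src, dst), run in find_scanners(SAMPLE_LOG).items():
        print(f"{src} scanned {run} consecutive ports on {dst}")
```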

Internet security threats: Packet sniffing

- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets

[Figure: A, B and C on a shared segment; frame src:B dest:A payload passes C]

Countermeasures?

Packet sniffing countermeasures:
- all hosts in organization run software that checks periodically if host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)

Internet security threats: IP Spoofing

- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B

[Figure: C sends a frame with src:B dest:A payload]

Countermeasures?

IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering cannot be mandated for all networks
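A stateless packet filter, added here as an example (not from the lecture), that implements the two packet-filtering examples from the firewall slides together with the ingress filtering rule above. It assumes 10.0.0.0/24 as the administered network, treats "inbound TCP SYN packet" as SYN set and ACK clear so that SYN-ACK replies to inside-initiated connections still pass, and adds the mirror-image check (an inside source address arriving from the Internet) that the slide does not spell out.

```python
"""Packet filter combining the slides' Example 1 (drop UDP and telnet), Example 2
(drop inbound TCP connection attempts) and ingress filtering (drop departing
packets whose source is not in our prefix). Added example; the inside prefix
and all addresses are constructed."""
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/24")   # constructed: the administered network


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (arriving from Internet) or "out" (departing)
    src: str
    dst: str
    proto: int            # IP protocol field: 6 = TCP, 17 = UDP, 1 = ICMP
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP flag bits the slide lists
    ack: bool = False


def example1_udp_and_telnet(p: Packet):
    """Example 1: protocol field = 17, or either port = 23."""
    if p.proto == 17:
        return "drop: UDP"
    if 23 in (p.sport, p.dport):
        return "drop: telnet"
    return None


def example2_inbound_syn(p: Packet):
    """Example 2: inbound TCP SYN (no ACK) is an outside-initiated connection."""
    if p.direction == "in" and p.proto == 6 and p.syn and not p.ack:
        return "drop: inbound TCP connection attempt"
    return None


def ingress_filter(p: Packet):
    """Departing packets must carry a source inside our prefix (the slide's rule);
    arriving packets must not claim one (mirror-image check, an addition)."""
    inside = ipaddress.ip_address(p.src) in INSIDE
    if p.direction == "out" and not inside:
        return "drop: spoofed source leaving"
    if p.direction == "in" and inside:
        return "drop: inside source arriving from Internet"
    return None


RULES = (ingress_filter, example1_udp_and_telnet, example2_inbound_syn)


def decide(p: Packet) -> str:
    """First matching rule wins; otherwise forward."""
    for rule in RULES:
        verdict = rule(p)
        if verdict:
            return verdict
    return "forward"
```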

Internet security threats: Denial of service (DOS)

- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A

[Figure: A, B, C on a segment; a stream of SYN packets converges on A from C and from a remote host]

Countermeasures?

Denial of service (DOS) countermeasures:
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)

Review (1)

Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles: Link State Algorithm; Distance Vector Algorithm
- The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation

Review (2)

Routing in the Internet
- Hierarchical routing; RIP; OSPF; BGP

Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA; Random Access Protocols; "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches

Mobile and wireless networks
- CDMA
- IEEE 802.11 wireless LANs

Review (3)

- What is network security?
- Principles of cryptography: Symmetric Key; Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and countermeasures: Packet sniffing; IP spoofing; DoS attacks

Routing Algorithm classification

Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm: example

[Figure: graph with nodes u, v, w, x, y, z; edge costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]

Step | N'      | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u       | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux      | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy     | 2,u       | 3,y       |           |           | 4,y
3    | uxyv    |           | 3,y       |           |           | 4,y
4    | uxyvw   |           |           |           |           | 4,y
5    | uxyvwz  |           |           |           |           |

Distance vector algorithm (1)

Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor

Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path, only the next hop.

Each node:
- wait for (change in local link cost or msg from neighbor)
- recompute estimates
- if DV to any dest has changed, notify neighbors

[Figure: three nodes; link x-y cost 2, link x-z cost 7, link y-z cost 1]

Table evolution over time (rows: "from"; columns: "cost to" x y z):

node x table
- initially: from x: 0 2 7; from y: ∞ ∞ ∞; from z: ∞ ∞ ∞
- after receiving y's and z's DVs: from x: 0 2 3; from y: 2 0 1; from z: 7 1 0
- after z's updated DV: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

node y table
- initially: from x: ∞ ∞ ∞; from y: 2 0 1; from z: ∞ ∞ ∞
- then: from x: 0 2 7; from y: 2 0 1; from z: 7 1 0
- then: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

node z table
- initially: from x: ∞ ∞ ∞; from y: ∞ ∞ ∞; from z: 7 1 0
- then: from x: 0 2 7; from y: 2 0 1; from z: 3 1 0
- then: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

$D_x(y) = \min\{ c(x,y) + D_y(y),\ c(x,z) + D_z(y) \} = \min\{ 2+0,\ 7+1 \} = 2$

$D_x(z) = \min\{ c(x,y) + D_y(z),\ c(x,z) + D_z(z) \} = \min\{ 2+1,\ 7+0 \} = 3$
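The three-node example carried through in code, as an added example (not lecture code): each node keeps its neighbors' last advertised vectors, recomputes with the B-F equation, and re-advertises only when its own vector changes, exactly the "each node" loop above; message delivery is assumed synchronous in rounds.

```python
"""Distance-vector (Bellman-Ford) computation for the slide's 3-node example:
c(x,y)=2, c(x,z)=7, c(y,z)=1. Added example. Each node keeps its own table of
its neighbors' last advertised vectors and sends its own vector only when it
changes; the run stops when no node has anything new to send."""
INF = float("inf")

LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}   # the slide's link costs


def cost(a, b, links=LINKS):
    if a == b:
        return 0
    return links.get((a, b), links.get((b, a), INF))


def neighbors(node, links=LINKS):
    return sorted({b if a == node else a for a, b in links if node in (a, b)})


def bellman_ford(node, nodes, table, links=LINKS):
    """D_x(y) = min over neighbors v of c(x,v) + D_v(y); table[v] is v's last DV."""
    return {
        y: (0 if y == node else
            min(cost(node, v, links) + table[v][y] for v in neighbors(node, links)))
        for y in nodes
    }


def run_dv(links=LINKS):
    """Returns (final DV of every node, number of rounds until quiescence)."""
    nodes = sorted({n for pair in links for n in pair})
    # Each node initially knows only its own link costs; neighbor rows are unknown.
    tables = {n: {v: {y: INF for y in nodes} for v in neighbors(n, links)} for n in nodes}
    dv = {n: {y: cost(n, y, links) for y in nodes} for n in nodes}
    pending = set(nodes)            # nodes whose DV must be sent to neighbors
    rounds = 0
    while pending:
        rounds += 1
        # deliver every pending DV to that node's neighbors
        for sender in sorted(pending):
            for v in neighbors(sender, links):
                tables[v][sender] = dict(dv[sender])
        pending = set()
        # every node recomputes; only changed vectors are re-advertised
        for n in nodes:
            new = bellman_ford(n, nodes, tables[n], links)
            if new != dv[n]:
                dv[n] = new
                pending.add(n)
    return dv, rounds


if __name__ == "__main__":
    final, rounds = run_dv()
    for n in sorted(final):
        print(n, final[n])
    print("rounds:", rounds)
```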

The Internet Network layer

Host, router network layer functions:

Transport layer: TCP, UDP

Network layer:
- Routing protocols: path selection; RIP, OSPF, BGP
- IP protocol: addressing conventions; datagram format; packet handling conventions
- ICMP protocol: error reporting; router "signaling"
- forwarding table

Link layer

physical layer

IP datagram format

Header (32 bits wide):
- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)

how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead

IP Addressing: introduction

- IP address: 32-bit identifier for host, router interface
- interface: connection between host/router and physical link; routers typically have multiple interfaces; host may have multiple interfaces; IP addresses associated with each interface

[Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.9, 223.1.2.2, 223.1.2.1; 223.1.3.27, 223.1.3.1, 223.1.3.2]

223.1.1.1 = 11011111 00000001 00000001 00000001 (223 . 1 . 1 . 1)

Subnets

IP address:
- subnet part (high order bits)
- host part (low order bits)

What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (LANs): 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.9, 223.1.2.2, 223.1.2.1; 223.1.3.27, 223.1.3.1, 223.1.3.2]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)

CIDR: Classless InterDomain Routing
- subnet portion of address of arbitrary length
- address format: a.b.c.d/x, where x is # bits in subnet portion of address

11001000 00010111 00010000 00000000 (subnet part: first 23 bits; host part: remaining 9 bits)

200.23.16.0/23

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router interface 10.0.0.4; the router's other interface 138.76.29.7 faces the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345; D: 128.119.40.186, 80

2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001; D: 128.119.40.186, 80

NAT translation table
WAN side addr      | LAN side addr
138.76.29.7, 5001  | 10.0.0.1, 3345
……                 | ……

3: Reply arrives; dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80; D: 138.76.29.7, 5001

4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80; D: 10.0.0.1, 3345
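The four steps above as an added Python example (not lecture code): the router rewrites the outbound source, records the mapping, and rewrites the reply's destination; port 5001 is the slide's value, and the assumption that WAN-side ports are handed out in ascending order from it is mine.

```python
"""NAT translation as in the slide's 4 steps: outbound rewrite of the source
(10.0.0.1:3345 -> 138.76.29.7:5001), translation-table update, and inbound
rewrite of the reply's destination back to 10.0.0.1:3345. Added example; the
ascending port allocation starting at 5001 is an assumption."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}      # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}    # (lan_ip, lan_port) -> wan_port

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite source addr/port, recording the mapping."""
        key = (d.src_ip, d.src_port)
        if key not in self.reverse:                 # first datagram of this flow
            self.reverse[key] = self.next_port
            self.table[(self.wan_ip, self.next_port)] = key
            self.next_port += 1
        return replace(d, src_ip=self.wan_ip, src_port=self.reverse[key])

    def inbound(self, d: Datagram):
        """Step 4: reply for (wan_ip, wan_port); rewrite destination.
        Unsolicited datagrams with no table entry are dropped (None)."""
        entry = self.table.get((d.dst_ip, d.dst_port))
        if entry is None:
            return None
        return replace(d, dst_ip=entry[0], dst_port=entry[1])


def slide_walkthrough():
    """Runs the slide's four steps; returns (step 2 datagram, step 4 datagram, table)."""
    nat = NatRouter("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    step3 = Datagram("128.119.40.186", 80, step2.src_ip, step2.src_port)
    step4 = nat.inbound(step3)
    return step2, step4, nat.table


if __name__ == "__main__":
    for item in slide_walkthrough():
        print(item)
```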

Hierarchical Routing

Our routing study thus far: idealization; all routers identical; network "flat"… not true in practice

scale: with 200 million destinations:
- can't store all dests in routing tables!
- routing table exchange would swamp links!

administrative autonomy:
- internet = network of networks
- each network admin may want to control routing in its own network

Hierarchical Routing

- aggregate routers into regions, "autonomous systems" (AS)
- routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
- Gateway router: direct link to router in another AS

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); each router runs an Intra-AS routing algorithm and an Inter-AS routing algorithm, both feeding its forwarding table]

Interconnected ASes

- Forwarding table is configured by both intra- and inter-AS routing algorithm
- Intra-AS sets entries for internal dests
- Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

- Intra-AS routing: RIP and OSPF
- Inter-AS routing: BGP

RIP (Routing Information Protocol)

- Distance vector algorithm
- Included in BSD-UNIX Distribution in 1982
- Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)

[Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z]

destination: hops
- u: 1
- v: 2
- w: 2
- x: 3
- y: 3
- z: 2

RIP advertisements

- Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
- Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

- "open": publicly available
- Uses Link State algorithm: LS packet dissemination; Topology map at each node; Route computation using Dijkstra's algorithm; Link costs configured by the network administrator
- OSPF advertisement carries one entry per neighbor router
- Advertisements disseminated to entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

- Two-level hierarchy: local area, backbone
- Link-state advertisements only in area; each node has detailed area topology
- Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
- Backbone routers: run OSPF routing limited to backbone
- Boundary routers: connect to other ASs

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
- Note that BGP sessions do not correspond to physical links
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
- AS2 can aggregate prefixes in its advertisement

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASs, iBGP sessions between routers within an AS]

Path attributes & BGP routes

- When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
- Two important attributes:
  - AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  - NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
- When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: admin wants control over how its traffic is routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed

Scale:
- hierarchical routing saves table size, reduced update traffic

Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links; wireless links; LANs
- layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

- Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)!; seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates (Q: why both link-level and end-end reliability?)

MAC Protocols: a taxonomy

Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple

Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p

- prob that node 1 has success in a slot = $p(1-p)^{N-1}$
- prob that there is a success = $Np(1-p)^{N-1}$
- For max efficiency with N nodes, find p* that maximizes $Np(1-p)^{N-1}$
- For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, gives $1/e = .37$

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time!
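The maximization and the limit carried through, as an added derivation that the slide only states:

$$
\frac{d}{dp}\Bigl[Np(1-p)^{N-1}\Bigr]
= N(1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr]
= N(1-p)^{N-2}\,(1 - Np) = 0
\;\Rightarrow\; p^* = \frac{1}{N}
$$

$$
Np^*(1-p^*)^{N-1} = \Bigl(1-\frac{1}{N}\Bigr)^{N-1}
\;\longrightarrow\; \frac{1}{e} \approx 0.37 \quad (N \to \infty)
$$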

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission

Human analogy: don't interrupt others!

CSMA collisions

- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability

[Figure: spatial layout of nodes; two transmissions started within one propagation delay overlap]

CSMA/CD (Collision Detection)

- CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
- collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead; latency; single point of failure (master)

Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead; latency; single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table

ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL>

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with hosts 237.196.7.23 (1A-2F-BB-76-09-AD), 237.196.7.78 (58-23-D7-FA-20-B0), 237.196.7.14 (0C-C4-11-6F-E3-98), 237.196.7.88 (71-65-F7-2B-08-53)]

ARP protocol: Same LAN (network)

- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address: Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address: frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: A on one LAN, router R, B on the other LAN]

- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K·512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}…
- after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

- $t_{prop}$ = max prop between 2 nodes in LAN
- $t_{trans}$ = time to transmit max-size frame

$\text{efficiency} = \dfrac{1}{1 + 5\, t_{prop} / t_{trans}}$

- Efficiency goes to 1 as $t_{prop}$ goes to 0
- Goes to 1 as $t_{trans}$ goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)

[Figure: hub with twisted pair links to hosts]

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: three hubs connected through a backbone hub]

Switch

Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent: hosts are unaware of presence of switches

plug-and-play, self-learning: switches do not need to be configured

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...

[Figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning

- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table

Switch: traffic isolation

- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains

[Figure: switch connecting three hubs, each hub forming its own collision domain]
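The self-learning, filtering and forwarding behaviour above as an added Python example (not lecture code): learn the sender's interface from every frame, forward by destination, flood when the destination is unknown, filter when the destination is on the incoming segment, and drop entries older than the TTL; the interface numbers and host names are constructed.

```python
"""Self-learning switch from the slides: learn (MAC address, interface, time
stamp) from each incoming frame, forward selectively by destination, flood when
the destination is unknown, filter when it is on the incoming segment, and drop
stale entries after the TTL. Added example; interface numbers and host names in
the test are constructed."""


class LearningSwitch:
    def __init__(self, interfaces, ttl: int = 60 * 60):   # slide: TTL can be 60 min
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}      # mac -> (interface, time stamp)

    def _expire(self, now: int) -> None:
        """Stale entries in table dropped."""
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.ttl:
                del self.table[mac]

    def receive(self, src: str, dst: str, iface: int, now: int):
        """Handle a frame arriving on iface; returns the interfaces it goes out on."""
        self._expire(now)
        self.table[src] = (iface, now)             # learn: sender is on this segment
        entry = self.table.get(dst)
        if entry is None:                          # unknown destination: flood
            return [i for i in self.interfaces if i != iface]
        if entry[0] == iface:                      # same LAN segment: filter (drop)
            return []
        return [entry[0]]                          # selectively forward


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3], ttl=3600)
    print(sw.receive("A", "B", 1, 0))     # B unknown -> flood to 2 and 3
    print(sw.receive("B", "A", 2, 1))     # A known on 1 -> [1]
    print(sw.receive("C", "B", 2, 3))     # B is on the incoming segment -> filtered
    print(sw.table)
```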

Switches vs. Routers

- both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices
- routers maintain routing tables, implement routing algorithms
- switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                  | hubs | switches | routers
traffic isolation | no   | yes      | yes
plug & play       | yes  | yes      | no
optimal routing   | no   | no       | yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access)
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B
[Figure: A, B, C with overlapping radio ranges; plot of A's and C's signal strength over space]
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, yet interfere at B

IEEE 802.11 Wireless LAN
802.11b: 2.4 GHz unlicensed radio spectrum, up to 11 Mbps, direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations
802.11a: 5 GHz band (5-6 GHz range), up to 54 Mbps
802.11g: 2.4 GHz band, up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture
wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts, access point (AP): base station
ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. if sense channel idle for DIFS, then transmit entire frame (no CD)
2. if sense channel busy, then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver:
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: timeline sender/receiver: DIFS, data, SIFS, ACK]

Collision Avoidance: RTS-CTS exchange
[Figure: A and B both send RTS to the AP; RTS(A) and RTS(B) collide (reservation collision); A retries RTS(A); the AP broadcasts CTS(A); A sends DATA(A); the AP returns ACK(A); B hears CTS(A) and defers]
802.11 frame format (field lengths in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[Figure: H1 -- AP -- R1 -- Internet router]
802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (AP to R1): dest address = R1 MAC addr, source address = H1 MAC addr (the AP bridges the frame, so the wireless host's address, not the AP's, becomes the Ethernet source)
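The header layout and the address-1/2/3 assignment above, packed and parsed in code. This is an added example, not code from the original slides: the MAC addresses, the frame-control and sequence values are placeholders, and the 4-byte trailer is computed as CRC-32 over header plus payload.

```python
# Added example (not from the original slides): build/parse an 802.11 data
# frame with the 2-2-6-6-6-2-6 byte header shown above, then derive the
# 802.3 addresses the AP uses for the H1 -> AP -> R1 case.
import struct
import zlib

# frame control, duration, address 1, address 2, address 3, seq control, address 4
HDR = struct.Struct("<HH6s6s6sH6s")   # 30 bytes, little-endian, no padding

def mac(s: str) -> bytes:
    """'AA-BB-CC-DD-EE-FF' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in s.split("-"))

def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)

def build(addr1, addr2, addr3, payload: bytes, addr4=b"\0" * 6, fc=0x0108, seq=0) -> bytes:
    """Header + payload + CRC trailer; payload limited to the slide's 0..2312 bytes."""
    if not 0 <= len(payload) <= 2312:
        raise ValueError("payload must be 0..2312 bytes")
    body = HDR.pack(fc, 0, addr1, addr2, addr3, seq << 4, addr4) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def crc_ok(frame: bytes) -> bool:
    """True when the trailing CRC matches the header and payload."""
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]

def parse(frame: bytes) -> dict:
    """Split a frame into its fields, rejecting a corrupted frame."""
    if not crc_ok(frame):
        raise ValueError("CRC mismatch")
    fc, dur, a1, a2, a3, seq, a4 = HDR.unpack(frame[:HDR.size])
    return {"frame_control": fc, "duration": dur,
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "seq": seq >> 4, "addr4": mac_str(a4), "payload": frame[HDR.size:-4]}

# Placeholder MACs (not from the slide)
H1, AP, R1 = "00-11-22-33-44-55", "AA-BB-CC-DD-EE-01", "AA-BB-CC-DD-EE-02"

def h1_to_internet(datagram: bytes):
    """H1 -> AP over 802.11, then the 802.3 addressing the AP uses toward R1."""
    wifi = build(mac(AP), mac(H1), mac(R1), datagram)   # addr1=AP, addr2=H1, addr3=R1
    f = parse(wifi)
    ethernet = {"dest": f["addr3"], "src": f["addr2"], "payload": f["payload"]}
    return f, ethernet

if __name__ == "__main__":
    fields, eth = h1_to_internet(b"ip datagram")
    print(fields)
    print(eth)
```

Flipping any header byte makes `parse` raise, which is the receiver-side CRC check the frame format provides; it is an integrity check against noise only, not against a deliberate sender.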

Network Security
What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks


RSA: another important property
The following property will be very useful later:
K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
use public key first, followed by private key; or use private key first, followed by public key: the result is the same

Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and countermeasures

Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice: "I am Alice"

Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address: "I am Alice", Alice's IP address

Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password
Bob -> Alice: OK, Alice's IP addr
Failure scenario: playback attack: Trudy records Alice's packet and later plays it back to Bob
Trudy -> Bob: "I'm Alice", Alice's IP addr, Alice's password

Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password
Bob -> Alice: OK, Alice's IP addr
Failure scenario: record and playback still works
Trudy -> Bob: "I'm Alice", Alice's IP addr, encrypted password

Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce R; Alice must return R, encrypted with shared secret key
Alice -> Bob: "I am Alice"
Bob -> Alice: R
Alice -> Bob: K_A-B(R)
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!
Failures, drawbacks?

Authentication: ap5.0
ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
Alice -> Bob: "I am Alice"
Bob -> Alice: R
Alice -> Bob: K_A^-(R)
Bob -> Alice: "send me your public key"
Alice -> Bob: K_A^+
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R

ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Trudy -> Bob: "I am Alice"; Bob -> Trudy: R; Trudy -> Bob: K_T^-(R); Bob: "send me your public key"; Trudy -> Bob: K_T^+
Trudy -> Alice (as Bob): "I am Alice" is relayed; Trudy -> Alice: R; Alice -> Trudy: K_A^-(R); Trudy: "send me your public key"; Alice -> Trudy: K_A^+
Bob sends m encrypted with the key he received: K_T^+(m)
Trudy gets m = K_T^-(K_T^+(m)), then sends m to Alice encrypted with Alice's public key: K_A^+(m); Alice gets m = K_A^-(K_A^+(m))
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob and Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well!

Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and countermeasures

Firewalls
firewall: isolates organization's internal net from the larger Internet, allowing some packets to pass, blocking others
[Figure: administered network | firewall | public Internet]

Firewalls: Why
prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls: application-level, packet-filtering

Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address, TCP/UDP source and destination port numbers, ICMP message type, TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?

Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked
Example 2: block inbound TCP SYN packets (SYN set, ACK clear). Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside

Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields
Example: allow select internal users to telnet outside
[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between the 2 connections
3. Router filter blocks all telnet connections not originating from gateway

Limitations of firewalls and gateways
IP spoofing: router can't know if data "really" comes from claimed source
if multiple apps need special treatment, each has its own app gateway
client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
filters often use all-or-nothing policy for UDP
tradeoff: degree of communication with outside world vs. level of security
many highly protected sites still suffer from attacks

Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and countermeasures

Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on the network
Use ping to determine what hosts have addresses on the network
Port-scanning: try to establish a TCP connection to each port in sequence
Countermeasures?

Internet security threats
Mapping: countermeasures
record traffic entering the network
look for suspicious activity (IP addresses, ports being scanned sequentially)

Internet security threats
Packet sniffing: broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g., passwords); e.g., C sniffs B's packets
[Figure: A, B, C on a shared segment; frame src:B dest:A payload]
Countermeasures?

Internet security threats
Packet sniffing: countermeasures
all hosts in organization run software that checks periodically if host interface is in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
[Figure: A, B, C each on their own switched segment; frame src:B dest:A payload]

Internet security threats
IP Spoofing: can generate "raw" IP packets directly from application, putting any value into IP source address field
receiver can't tell if source is spoofed; e.g., C pretends to be B
[Figure: A, B, C; frame src:B dest:A payload sent by C]
Countermeasures?

Internet security threats
IP Spoofing: ingress filtering
routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
great, but ingress filtering cannot be mandated for all networks
[Figure: A, B, C; frame src:B dest:A payload]

Internet security threats
Denial of service (DoS): flood of maliciously generated packets "swamp" receiver
Distributed DoS (DDoS): multiple coordinated sources swamp receiver
e.g., C and remote host SYN-attack A
[Figure: A flooded by SYN packets from B's segment and from C]
Countermeasures?

Internet security threats
Denial of service (DoS): countermeasures
filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
traceback to source of floods (most likely an innocent, compromised machine)
[Figure: A flooded by SYN packets from B's segment and from C]

Review (1): Network Layer
Virtual Circuits and Datagram Networks
Routing Principles: Link State Algorithm, Distance Vector Algorithm
The Internet (IP) Protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)

Review (2): Routing in the Internet
Hierarchical routing, RIP, OSPF, BGP
Data link layer: introduction and services; error detection and correction
Multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
Link-layer addressing; Ethernet; hubs and switches
Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3)
What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example
[Figure: link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

Distance vector algorithm (1)
Basic idea:
Each node periodically sends its own distance vector estimate to neighbors
When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N
Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by: local link cost change, DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only the next hop
Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: x -- y (cost 2), y -- z (cost 1), x -- z (cost 7); node x, y, z tables evolving over time]
node x table, initially (rows: from x, y, z; columns: cost to x, y, z):
x: 0 2 7
y: ∞ ∞ ∞
z: ∞ ∞ ∞
node x table after receiving y's and z's vectors:
x: 0 2 3
y: 2 0 1
z: 7 1 0
(node y starts with row y = 2 0 1, node z with row z = 7 1 0, the other rows ∞; at convergence every node holds x: 0 2 3, y: 2 0 1, z: 3 1 0)
D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3

The Internet Network layer
Host, router network layer functions:
Routing protocols: path selection; RIP, OSPF, BGP
IP protocol: addressing conventions, datagram format, packet handling conventions
ICMP protocol: error reporting, router "signaling"
(forwarding table built by the routing protocols; network layer sits between transport layer (TCP, UDP) and link layer / physical layer)

IP datagram format (32-bit rows)
ver (IP protocol version number) | head. len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
16-bit identifier | flgs | fragment offset   (for fragmentation/reassembly)
time to live (max number remaining hops, decremented at each router) | upper layer (protocol to deliver payload to) | Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)
how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead

IP Addressing: introduction
IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
routers typically have multiple interfaces; host may have multiple interfaces
IP addresses associated with each interface
[Figure: subnet 223.1.1.x: 223.1.1.1, 223.1.1.2, 223.1.1.3, router 223.1.1.4; subnet 223.1.2.x: router 223.1.2.9, 223.1.2.1, 223.1.2.2; subnet 223.1.3.x: router 223.1.3.27, 223.1.3.1, 223.1.3.2]
223.1.1.1 = 11011111 00000001 00000001 00000001
              223        1        1        1

Subnets
IP address: subnet part (high order bits), host part (low order bits)
What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router
[Figure: network consisting of 3 subnets (LANs): 223.1.1.x with 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.x with 223.1.2.9, 223.1.2.1, 223.1.2.2; 223.1.3.x with 223.1.3.27, 223.1.3.1, 223.1.3.2]

IP addressing: CIDR
Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks)
CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length
address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address
11001000 00010111 00010000 00000000
subnet part (23 bits)  |  host part
200.23.16.0/23

NAT: Network Address Translation
[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router 10.0.0.4 / 138.76.29.7; rest of Internet]
Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
All datagrams leaving local network have same single source NAT IP address, 138.76.29.7, with different source port numbers

NAT: Network Address Translation
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80   (S: 10.0.0.1, 3345   D: 128.119.40.186, 80)
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table   (S: 138.76.29.7, 5001   D: 128.119.40.186, 80)
NAT translation table:
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
......                 ......
3: reply arrives, dest address 138.76.29.7, 5001   (S: 128.119.40.186, 80   D: 138.76.29.7, 5001)
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345   (S: 128.119.40.186, 80   D: 10.0.0.1, 3345)

Hierarchical Routing
scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links
administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network
Our routing study thus far: idealization: all routers identical, network "flat"... not true in practice

Hierarchical Routing
aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS
[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); gateway routers 1c, 2a, 3a; intra-AS routing algorithm and inter-AS routing algorithm both feed the forwarding table]

Interconnected ASes
Forwarding table is configured by both intra- and inter-AS routing algorithm
Intra-AS sets entries for internal dests
Inter-AS & intra-AS set entries for external dests

Routing in the Internet
Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)
Distance vector algorithm
Included in BSD-UNIX distribution in 1982
Distance metric: # of hops (max = 15 hops)
# of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)
[Fig: routers A, B, C, D; subnets u, v, w, x, y, z]
destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements
Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)
"open": publicly available
Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF
Two-level hierarchy: local area, backbone
Link-state advertisements only in area; each node has detailed area topology, only knows direction (shortest path) to nets in other areas
Area border routers: "summarize" distances to nets in own area, advertise to other area border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other ASes

Internet inter-AS routing: BGP
BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to the rest of the Internet: "I am here"

BGP basics
Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
AS2 can aggregate prefixes in its advertisement
[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers within an AS]

Path attributes & BGP routes
When advertising a prefix, advert includes BGP attributes; prefix + attributes = "route"
Two important attributes:
AS-PATH: contains the ASes through which the advert for the prefix passed: AS 67, AS 17
NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?
Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed
Scale: hierarchical routing saves table size, reduced update traffic
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance

Data Link Layer
Some terminology:
hosts and routers are nodes
communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error links (fiber, some twisted pair); wireless links: high error rates
Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access: access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA
Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit: if channel sensed idle, transmit entire frame; if channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[Figure: spatial layout of nodes with transmissions overlapping in time]
note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: spatial layout of nodes; colliding transmissions aborted shortly after overlap]

"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol
Each IP node (host, router) on LAN has ARP table
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with 237.196.7.23 (1A-2F-BB-76-09-AD), 237.196.7.78 (58-23-D7-FA-20-B0), 237.196.7.14 (0C-C4-11-6F-E3-98), 237.196.7.88 (71-65-F7-2B-08-53)]

ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source host, find router 111.111.111.110; in ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A -- R -- B, two LANs]
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame; R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec (1023 · 512 bit times · 0.1 µs)
Exponential Backoff:
Goal: adapt retransmission attempts to estimated current load: heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3}...
after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}

CSMA/CD efficiency
t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap

Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links, at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions
provides net management functionality: can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs
Pros:
Enables interdepartmental communication
Extends max distance between nodes
If a hub malfunctions, the backbone hub can disconnect it
Cons:
Collision domains are merged into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: a backbone hub interconnecting three departmental hubs]

Switch: link layer device
stores and forwards Ethernet frames
examines frame header and selectively forwards frame based on MAC destination address
when frame is to be forwarded on a segment, uses CSMA/CD to access the segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain
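The learning, filtering and flooding behaviour described in the two slides above, as an added simulation (not code from the slides). The frames, interface numbers and timestamps are constructed; the TTL of 60 minutes is the slide's value. A frame whose destination is on the interface it arrived on is filtered (dropped), a frame for a known destination elsewhere is forwarded on that one interface, and a frame for an unknown or expired destination is flooded.

```python
"""Self-learning switch table with aging, filtering and flooding."""
from dataclasses import dataclass, field

TTL_SECONDS = 60 * 60   # slide: stale entries dropped, TTL can be 60 min


@dataclass
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address


@dataclass
class Switch:
    interfaces: tuple
    # switch table: MAC address -> (interface, time stamp)
    table: dict = field(default_factory=dict)

    def expire(self, now: float) -> None:
        """Drop entries that have not been refreshed within TTL_SECONDS."""
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > TTL_SECONDS]
        for mac in stale:
            del self.table[mac]

    def receive(self, frame: Frame, in_iface: int, now: float) -> list:
        """Learn the sender's location, then return the interface(s) the frame goes out on."""
        self.expire(now)
        self.table[frame.src] = (in_iface, now)            # learning: record (sender, segment)
        if frame.dst in self.table:
            out_iface, _ = self.table[frame.dst]
            if out_iface == in_iface:
                return []                                   # same segment: filter, do not forward
            return [out_iface]                              # selectively forward
        return [i for i in self.interfaces if i != in_iface]   # unknown destination: flood


def walk_through() -> list:
    """Constructed scenario on a 3-port switch; returns the out-interfaces chosen per frame."""
    sw = Switch(interfaces=(1, 2, 3))
    results = []
    results.append(sw.receive(Frame("A", "B"), 1, now=0))              # B unknown: flood to 2, 3
    results.append(sw.receive(Frame("B", "A"), 2, now=1))              # A known on 1: forward to 1
    results.append(sw.receive(Frame("C", "A"), 1, now=2))              # A on same segment: filtered
    results.append(sw.receive(Frame("D", "B"), 3, now=TTL_SECONDS + 10))  # B aged out: flood to 1, 2
    return results


if __name__ == "__main__":
    for out in walk_through():
        print("out interfaces:", out)
```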

Switches vs Routers

Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices. Routers maintain routing tables, implement routing algorithms; switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other, which means A, C are unaware of their interference at B.

Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B.

[Figure: A's and C's signal strength plotted against space; both reach B, neither reaches the other.]

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP). Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and access point (AP, base station); ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet.]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If sense channel idle for DIFS, then transmit entire frame (no CD).
2. If sense channel busy, then start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2.

802.11 receiver: if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).

[Figure: sender waits DIFS and sends data; receiver waits SIFS and returns ACK.]

Collision Avoidance: RTS-CTS exchange

[Figure, time running downward: A and B both send RTS to the AP and the reservations collide; A's RTS(A) gets through; the AP broadcasts CTS(A); A sends DATA(A) while B defers; the AP returns ACK(A).]

802.11 frame addressing

Frame format (field sizes in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4).

Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.

[Figure: H1 sends to the AP, which forwards to Internet router R1.]

802.11 frame from H1: address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr.
802.3 frame from AP: dest address = R1 MAC addr; source address = AP MAC addr.

Network Security

What is network security? Principles of cryptography: Symmetric Key, Public Key. Authentication: protocol evolution. Access control: firewalls. Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks.


Overview

What is network security; Principles of cryptography; Authentication; Access control: firewalls; Attacks and counter measures.

Authentication

Goal: Bob wants Alice to "prove" her identity to him.

Protocol ap1.0: Alice says "I am Alice".

Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice").

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.

Failure scenario: Trudy can create a packet "spoofing" Alice's address ("I am Alice", Alice's IP address).

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Alice to Bob: "I'm Alice", Alice's IP addr, Alice's password. Bob to Alice: OK, Alice's IP addr.

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob: "I'm Alice", Alice's IP addr, Alice's password.

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Alice to Bob: "I'm Alice", Alice's IP addr, encrypted password. Bob to Alice: OK, Alice's IP addr.

Failure scenario: record and playback still works. Trudy replays "I'm Alice", Alice's IP addr, encrypted password.

Authentication: yet another try

Goal: avoid playback attack.

Nonce: number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key.

Alice to Bob: "I am Alice". Bob to Alice: R. Alice to Bob: K_A-B(R).

Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice.

Failures, drawbacks?
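The playback attack on ap3.0 and the nonce defence of ap4.0, as an added example (not code from the slides). A keyed MAC (HMAC-SHA256 from the standard library) stands in for "R encrypted with the shared key K_A-B": the property the protocol relies on is only that nobody without the key can produce a valid response to a fresh R. Bob remembers the nonces he has issued so each is accepted at most once; the key, the password and the class names are constructed for this example.

```python
"""Replay against ap3.0 succeeds; the same recording against ap4.0 is rejected."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key-K_A-B"   # constructed for the example


def prove(key: bytes, nonce: bytes) -> bytes:
    """Alice's response to a nonce: K_A-B(R), modelled here as HMAC(key, R)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob30:
    """ap3.0: Bob checks a fixed password, so a recorded packet verifies again."""

    def __init__(self, password: bytes):
        self.password = password

    def verify(self, claim: str, password: bytes) -> bool:
        return claim == "I am Alice" and hmac.compare_digest(password, self.password)


class Bob40:
    """ap4.0: Bob issues a fresh nonce R per attempt and accepts each R once."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()           # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)        # used only once in a lifetime
        self.outstanding.add(r)
        return r

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:  # never issued, or already consumed
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(response, prove(self.key, nonce))


def replay_against_ap30() -> tuple:
    """Trudy records Alice's password packet and plays it back: both attempts pass."""
    bob = Bob30(b"alice-password")
    recorded = b"alice-password"           # what Trudy captured on the wire
    return bob.verify("I am Alice", recorded), bob.verify("I am Alice", recorded)


def replay_against_ap40() -> tuple:
    """Same trick against ap4.0: Alice's (R, K(R)) passes once, the replay fails."""
    bob = Bob40(SHARED_KEY)
    r = bob.challenge()
    response = prove(SHARED_KEY, r)        # Alice answers; Trudy records (r, response)
    first = bob.verify(r, response)
    later = bob.verify(r, response)        # Trudy plays the recording back
    return first, later


def forge_without_key() -> bool:
    """Trudy answers a fresh nonce without K_A-B: rejected."""
    bob = Bob40(SHARED_KEY)
    r = bob.challenge()
    return bob.verify(r, prove(b"trudy-guess", r))


if __name__ == "__main__":
    print("ap3.0 (first, replay):", replay_against_ap30())
    print("ap4.0 (first, replay):", replay_against_ap40())
    print("ap4.0 forged response:", forge_without_key())
```

The check is only as strong as the nonce: if Bob reused R, or drew it from a small or predictable range, the recording would become valid again, which is the "once in a lifetime" requirement on the slide.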

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography.

Alice to Bob: "I am Alice". Bob to Alice: R. Alice to Bob: K_A^-(R). Bob to Alice: "send me your public key". Alice to Bob: K_A^+.

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Alice to Trudy: "I am Alice"; Trudy to Bob: "I am Alice".
Bob to Trudy: R; Trudy to Bob: K_T^-(R). Bob to Trudy: "Send me your public key"; Trudy to Bob: K_T^+.
Trudy to Alice: R; Alice to Trudy: K_A^-(R). Trudy to Alice: "Send me your public key"; Alice to Trudy: K_A^+.
Bob sends m encrypted as K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)), then sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice recovers m = K_A^-(K_A^+(m)).

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g. so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well.

Overview

What is network security; Principles of cryptography; Authentication; Access control: firewalls; Attacks and counter measures.

Firewalls

Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

[Figure: administered network, firewall, public Internet.]

Firewalls: Why

Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
Prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else.
Allow only authorized access to inside network (set of authenticated users/hosts).
Two types of firewalls: application-level, packet-filtering.

Packet Filtering

Internal network connected to Internet via router firewall. Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
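Example 1 and Example 2 as filter rules evaluated over constructed packets, added here as an example (not code from the slides). Packets carry exactly the fields the slide lists plus a direction. Example 2 is read as "SYN set and ACK clear", since a rule that also dropped inbound SYN+ACK segments would break the internal clients' outbound connections that the slide says must still work; the addresses and port numbers are constructed.

```python
"""Packet-filtering router: Example 1 (UDP and telnet) and Example 2 (inbound SYN)."""
from dataclasses import dataclass
from typing import Optional

PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" (arriving from the Internet) or "out"
    src_ip: str
    dst_ip: str
    proto: int                     # IP protocol field
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False


def rule_example1(p: Packet) -> bool:
    """Drop if IP protocol = 17 (UDP) or either port = 23 (telnet)."""
    return p.proto == PROTO_UDP or 23 in (p.src_port, p.dst_port)


def rule_example2(p: Packet) -> bool:
    """Drop inbound TCP segments that open a connection: SYN set, ACK clear."""
    return p.direction == "in" and p.proto == PROTO_TCP and p.syn and not p.ack


RULES = (rule_example1, rule_example2)


def decide(p: Packet) -> str:
    """'drop' if any rule matches, otherwise 'forward'."""
    return "drop" if any(rule(p) for rule in RULES) else "forward"


def demo() -> dict:
    """Constructed traffic sample; returns each packet's decision."""
    sample = {
        "inbound DNS reply (UDP)": Packet("in", "198.51.100.5", "192.0.2.10", PROTO_UDP, 53, 4000),
        "outbound telnet": Packet("out", "192.0.2.10", "198.51.100.5", PROTO_TCP, 40001, 23, syn=True),
        "inbound SYN to web server": Packet("in", "198.51.100.5", "192.0.2.80", PROTO_TCP, 5000, 80, syn=True),
        "outbound SYN to web": Packet("out", "192.0.2.10", "198.51.100.5", PROTO_TCP, 40002, 80, syn=True),
        "inbound SYN-ACK reply": Packet("in", "198.51.100.5", "192.0.2.10", PROTO_TCP, 80, 40002, syn=True, ack=True),
    }
    return {name: decide(p) for name, p in sample.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

Example 1 shows the "all or nothing" cost the limitations slide mentions: dropping protocol 17 outright also kills the inbound DNS reply.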

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter.]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source.
If multiple apps need special treatment, each has own app gateway.
Client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser.
Filters often use all-or-nothing policy for UDP.
Tradeoff: degree of communication with outside world vs. level of security.
Many highly protected sites still suffer from attacks.

Overview

What is network security; Principles of cryptography; Authentication; Access control: firewalls; Attacks and counter measures.

Internet security threats

Mapping: before attacking, "case the joint": find out what services are implemented on network. Use ping to determine what hosts have addresses on network. Port-scanning: try to establish TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially).
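The countermeasure above, "record traffic entering the network and look for ports being scanned sequentially", as an added detection example (not code from the slides). The log format (`<time> <src> -> <dst>:<port> SYN`), the sample lines, the window length and the thresholds are all constructed; a source is flagged when, within the window, it has touched at least `MIN_PORTS` distinct ports on one host including a run of `MIN_RUN` consecutive port numbers.

```python
"""Flag sources probing a host's ports in sequence, from constructed connection-log lines."""
import re
from collections import defaultdict

WINDOW = 10.0      # seconds of log considered together
MIN_PORTS = 5      # distinct ports on one host within the window
MIN_RUN = 4        # consecutive port numbers among them

LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) -> (\S+):(\d+) SYN$")

# constructed sample: one sequential scanner, one ordinary client
SAMPLE_LOG = """\
0.0 203.0.113.9 -> 192.0.2.10:21 SYN
0.2 203.0.113.9 -> 192.0.2.10:22 SYN
0.4 203.0.113.9 -> 192.0.2.10:23 SYN
0.6 203.0.113.9 -> 192.0.2.10:24 SYN
0.8 203.0.113.9 -> 192.0.2.10:25 SYN
1.0 198.51.100.7 -> 192.0.2.10:80 SYN
1.5 198.51.100.7 -> 192.0.2.10:443 SYN
2.0 198.51.100.7 -> 192.0.2.10:80 SYN
"""


def parse(log: str):
    """Yield (time, src, dst, port) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            t, src, dst, port = m.groups()
            yield float(t), src, dst, int(port)


def longest_consecutive_run(ports) -> int:
    """Length of the longest run of consecutive integers in a set of ports."""
    s = set(ports)
    best = 0
    for p in s:
        if p - 1 not in s:             # p starts a run
            n = 1
            while p + n in s:
                n += 1
            best = max(best, n)
    return best


def detect_scans(log: str) -> list:
    """Return (src, dst, distinct_ports) for each (src, dst) pair that looks like a sequential scan."""
    events = defaultdict(list)         # (src, dst) -> [(time, port), ...]
    for t, src, dst, port in parse(log):
        events[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), recs in events.items():
        recs.sort()
        for i in range(len(recs)):     # slide a window starting at each record
            start = recs[i][0]
            ports = {p for t, p in recs[i:] if t - start <= WINDOW}
            if len(ports) >= MIN_PORTS and longest_consecutive_run(ports) >= MIN_RUN:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


if __name__ == "__main__":
    for src, dst, n in detect_scans(SAMPLE_LOG):
        print(f"possible port scan: {src} -> {dst}, {n} ports in {WINDOW:.0f}s")
```

Ping sweeps (the slide's other mapping step) would need the same idea applied to ICMP echo requests across many destination addresses instead of many ports on one host.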

Internet security threats: Packet sniffing

Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords). E.g. C sniffs B's packets.

[Figure: A, B, C on a shared segment; frame src:B dest:A payload is seen by C.]

Countermeasures?

Internet security threats: Packet sniffing countermeasures

All hosts in organization run software that checks periodically if host interface is in promiscuous mode.
One host per segment of broadcast media (switched Ethernet at hub).

Internet security threats: IP Spoofing

Can generate "raw" IP packets directly from application, putting any value into IP source address field. Receiver can't tell if source is spoofed. E.g. C pretends to be B.

[Figure: C sends frame src:B dest:A payload to A.]

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

Routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network). Great, but ingress filtering cannot be mandated for all networks.
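Ingress filtering as a router-side check, added as an example (not code from the slides). The router is configured with the prefix of the network behind each of its inbound interfaces (constructed values) and forwards a datagram toward the Internet only when its source address belongs to the prefix of the interface it arrived on; an unknown interface or a malformed address fails closed.

```python
"""Ingress filtering: drop outgoing datagrams whose source is not in the router's network."""
import ipaddress

# constructed: inbound interface -> prefix of the customer network behind it
INTERFACE_PREFIXES = {
    "eth1": ipaddress.ip_network("192.0.2.0/24"),
    "eth2": ipaddress.ip_network("198.51.100.0/25"),
}


def ingress_filter(in_iface: str, src_ip: str) -> str:
    """'forward' if src_ip is valid for the arrival interface, otherwise 'drop'."""
    prefix = INTERFACE_PREFIXES.get(in_iface)
    if prefix is None:
        return "drop"                         # unknown interface: fail closed
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"                         # not a parseable address
    if addr.version != prefix.version or addr not in prefix:
        return "drop"                         # source address not in this interface's network
    return "forward"


def demo() -> list:
    """Constructed (interface, source) pairs and the filter's decision for each."""
    cases = [
        ("eth1", "192.0.2.77"),        # legitimate
        ("eth1", "203.0.113.5"),       # spoofed: claims an address outside the customer prefix
        ("eth2", "198.51.100.200"),    # outside the /25 (hosts .0 to .127)
        ("eth3", "192.0.2.1"),         # interface not configured
    ]
    return [(i, s, ingress_filter(i, s)) for i, s in cases]


if __name__ == "__main__":
    for iface, src, verdict in demo():
        print(f"{iface} {src:16s} {verdict}")
```

The check protects other networks from this one, not this one from others, which is why the slide notes it only helps when deployed widely.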

Internet security threats: Denial of service (DoS)

Flood of maliciously generated packets "swamp" receiver. Distributed DoS (DDoS): multiple coordinated sources swamp receiver. E.g. C and remote host SYN-attack A.

[Figure: C and a remote host send streams of SYN segments to A.]

Countermeasures?

Internet security threats: Denial of service (DoS) countermeasures

Filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad.
Traceback to source of floods (most likely an innocent, compromised machine).

Review (1)

Network Layer: Virtual Circuits and Datagram Networks. Routing Principles: Link State Algorithm; Distance Vector Algorithm. The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation.

Review (2)

Routing in the Internet: Hierarchical routing; RIP; OSPF; BGP.
Data link layer: Introduction and services; Error detection and correction; Multiple access protocols: TDMA/FDMA, Random Access Protocols, "Taking Turns" Protocols; Link-Layer Addressing; Ethernet; Hubs and switches.
Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs.

Review (3)

What is network security? Principles of cryptography: Symmetric Key, Public Key. Authentication: protocol evolution. Access control: firewalls. Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks.

Routing Algorithm classification

Global or decentralized information? Global: all routers have complete topology, link cost info; "link state" algorithms. Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms.

Static or dynamic? Static: routes change slowly over time. Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

[Figure: graph on nodes u, v, w, x, y, z with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2.]
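The pseudocode above run on the example graph, as an added implementation (not code from the slides). Costs u-v 2, u-x 1, u-w 5, x-w 3, x-y 1, w-y 1 and y-z 2 follow directly from the table; v-x 2, v-w 3 and w-z 5 are taken from the figure's labels and are assumptions. Ties for the minimum D(w) are broken by node name, so the nodes join N in a slightly different order than the table (v before y) while every D and p value is the same; the last function turns the predecessor map into the forwarding table the slide's algorithm exists to produce.

```python
"""Dijkstra's link-state algorithm on the slide's six-node graph."""
import math

# undirected link costs c(a,b); three of them (v-x, v-w, w-z) are read from the figure
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3, ("x", "w"): 3,
    ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def cost_table(edges):
    """Symmetric lookup c[a][b] built from the undirected edge list."""
    c = {}
    for (a, b), w in edges.items():
        c.setdefault(a, {})[b] = w
        c.setdefault(b, {})[a] = w
    return c


def dijkstra(edges, u):
    """Return (D, p, order): least costs, predecessors, and the order nodes joined N."""
    c = cost_table(edges)
    nodes = set(c)
    # Initialization: N = {u}; D(v) = c(u,v) for neighbours, infinity otherwise
    N = {u}
    order = [u]
    D = {v: c[u].get(v, math.inf) for v in nodes}
    D[u] = 0
    p = {v: u for v in nodes if v in c[u]}
    # Loop until all nodes are in N
    while N != nodes:
        w = min(nodes - N, key=lambda v: (D[v], v))   # w not in N with minimum D(w)
        N.add(w)
        order.append(w)
        for v, cwv in c[w].items():                   # update D(v) for v adjacent to w, not in N
            if v not in N and D[w] + cwv < D[v]:      # D(v) = min(D(v), D(w) + c(w,v))
                D[v] = D[w] + cwv
                p[v] = w
    return D, p, order


def forwarding_table(p, u):
    """Next hop from u toward each destination, found by walking predecessors back to u."""
    table = {}
    for dest in p:
        hop = dest
        while p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, order = dijkstra(GRAPH, "u")
    print("order joined N:", order)
    for v in sorted(D):
        print(f"D({v}) = {D[v]}, p({v}) = {p.get(v, '-')}")
    print("forwarding table at u:", forwarding_table(p, "u"))
```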

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by local link cost change, or DV update message from neighbor. Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary. The algorithm doesn't know the entire path, only the next hop.

Each node: wait for (change in local link cost or msg from neighbor); recompute estimates; if DV to any dest has changed, notify neighbors.

[Figure: nodes x, y, z with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7.]

Tables at time 0 (rows: from; columns: cost to x, y, z):

node x table        node y table        node z table
x:  0  2  7         x:  ∞  ∞  ∞         x:  ∞  ∞  ∞
y:  ∞  ∞  ∞         y:  2  0  1         y:  ∞  ∞  ∞
z:  ∞  ∞  ∞         z:  ∞  ∞  ∞         z:  7  1  0

After the first exchange, node x's table:
x:  0  2  3
y:  2  0  1
z:  7  1  0

After the exchanges converge, every node's table is:
x:  0  2  3
y:  2  0  1
z:  3  1  0

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
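The Bellman-Ford update carried through to convergence on the three-node example, added here (not code from the slides). Every node starts with only its own link costs, the nodes exchange vectors in synchronous rounds (a simplification of the asynchronous exchange on the slide), and the loop stops when no vector changes; the function reports how many rounds changed anything, and the test checks the final vectors against the D_x(y) = 2 and D_x(z) = 3 computed above.

```python
"""Distance-vector iteration D_x(y) = min_v { c(x,v) + D_v(y) } on the x, y, z example."""
import math

COSTS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}   # link costs from the slide


def neighbors_of(costs):
    """Symmetric neighbor map: node -> {neighbor: link cost}."""
    nbrs = {}
    for (a, b), w in costs.items():
        nbrs.setdefault(a, {})[b] = w
        nbrs.setdefault(b, {})[a] = w
    return nbrs


def run_dv(costs):
    """Return (final vectors D[x][y], number of rounds in which some estimate changed)."""
    nbrs = neighbors_of(costs)
    nodes = sorted(nbrs)
    # initial estimate: own cost to direct neighbors, infinity elsewhere
    D = {x: {y: (0 if y == x else nbrs[x].get(y, math.inf)) for y in nodes} for x in nodes}
    changed_rounds = 0
    while True:
        new = {}
        for x in nodes:
            new[x] = {}
            for y in nodes:
                if y == x:
                    new[x][y] = 0
                else:
                    # Bellman-Ford equation over the neighbors' vectors from the previous round
                    new[x][y] = min(c + D[v][y] for v, c in nbrs[x].items())
        if new == D:
            return D, changed_rounds      # nothing changed: converged
        D = new
        changed_rounds += 1


def next_hops(costs, x):
    """Next hop from x to each destination: the neighbor v minimizing c(x,v) + D_v(y)."""
    nbrs = neighbors_of(costs)
    D, _ = run_dv(costs)
    return {y: min(nbrs[x], key=lambda v: nbrs[x][v] + D[v][y]) for y in D if y != x}


if __name__ == "__main__":
    D, rounds = run_dv(COSTS)
    print(f"converged after {rounds} round(s) of change")
    for x in D:
        print(f"D_{x}:", D[x])
    print("next hops from x:", next_hops(COSTS, "x"))
```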

The Internet Network layer

Host, router network layer functions: Routing protocols (path selection; RIP, OSPF, BGP); IP protocol (addressing conventions, datagram format, packet handling conventions); ICMP protocol (error reporting, router "signaling"); forwarding table. Transport layer (TCP, UDP) above; link layer and physical layer below.

IP datagram format

Header layout, 32 bits per row:
  ver (IP protocol version number) | head len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
  16-bit identifier | flgs | fragment offset (for fragmentation/reassembly)
  time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
  data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
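A parser for the 20-byte header laid out above, with the Internet checksum verified, added as an example (not code from the slides). The datagram bytes are constructed inline by a small builder (no options, a 4-byte payload, addresses borrowed from the addressing slides that follow); the parser rejects a non-IPv4 version, inconsistent lengths and a header whose checksum does not verify, which is where a corrupted or hand-crafted header is caught before its fields are trusted.

```python
"""Parse and validate an IPv4 header; build a constructed sample datagram to parse."""
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of 16-bit words (odd trailing byte padded with zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                               # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(datagram: bytes) -> dict:
    """Return the header fields; raise ValueError on bad version, lengths or checksum."""
    if len(datagram) < 20:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(HEADER_FMT, datagram[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hlen = ihl * 4                                   # header length field is in 32-bit words
    if hlen < 20 or total_len < hlen or len(datagram) < total_len:
        raise ValueError("inconsistent lengths")
    if internet_checksum(datagram[:hlen]) != 0:      # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {
        "version": version,
        "header_length": hlen,
        "type_of_service": tos,
        "total_length": total_len,
        "identifier": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "upper_layer_protocol": proto,               # 6 = TCP, 17 = UDP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": datagram[hlen:total_len],
    }


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Constructed helper: header with no options, DF flag set, correct checksum."""
    total_len = 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack(HEADER_FMT, 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, src_b, dst_b)
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


# constructed sample datagram: TCP (protocol 6) from 223.1.1.1 to 223.1.2.9
SAMPLE = build_ipv4("223.1.1.1", "223.1.2.9", 6, b"\xde\xad\xbe\xef")

if __name__ == "__main__":
    for k, v in parse_ipv4(SAMPLE).items():
        print(f"{k:22s} {v!r}")
```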

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface. Interface: connection between host/router and physical link. Routers typically have multiple interfaces; host may have multiple interfaces. IP addresses associated with each interface.

[Figure: interfaces with addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27.]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address: subnet part (high order bits), host part (low order bits). What's a subnet? Device interfaces with same subnet part of IP address can physically reach each other without intervening router.

[Figure: the same addresses, grouped as a network consisting of 3 subnets (LANs).]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing. Subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is # bits in subnet portion of address.

11001000 00010111 00010000 00000000
subnet part (23 bits)  |  host part
200.23.16.0/23

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router with inside address 10.0.0.4 and outside address 138.76.29.7 facing the rest of the Internet.]

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual). All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers.

NAT: Network Address Translation

1. Host 10.0.0.1 sends datagram to 128.119.40.186, 80: S: 10.0.0.1, 3345; D: 128.119.40.186, 80.
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table: S: 138.76.29.7, 5001; D: 128.119.40.186, 80.
3. Reply arrives, dest address 138.76.29.7, 5001: S: 128.119.40.186, 80; D: 138.76.29.7, 5001.
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345: S: 128.119.40.186, 80; D: 10.0.0.1, 3345.

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……
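The four numbered steps above as a translation-table walk-through, added as an example (not code from the slides). Datagrams are constructed (src ip, src port, dst ip, dst port) tuples; the addresses and ports 10.0.0.1:3345, 138.76.29.7:5001 and 128.119.40.186:80 are the slide's, the unsolicited inbound datagram at the end is constructed to show that a reply with no table entry is dropped.

```python
"""NAT router: rewrite outgoing sources, record the mapping, reverse it for replies."""
from typing import Optional, Tuple

Datagram = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}      # WAN side (ip, port) -> LAN side (ip, port)
        self.reverse = {}    # LAN side (ip, port) -> WAN side (ip, port)

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: replace the LAN source with the WAN address and a fresh port; update table."""
        src_ip, src_port, dst_ip, dst_port = d
        lan = (src_ip, src_port)
        if lan not in self.reverse:                 # first datagram of this flow: allocate a port
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.table[wan] = lan
            self.reverse[lan] = wan
        wan_ip, wan_port = self.reverse[lan]
        return (wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Step 4: map the WAN destination back to the LAN host; no entry means drop (None)."""
        src_ip, src_port, dst_ip, dst_port = d
        lan = self.table.get((dst_ip, dst_port))
        if lan is None:
            return None
        return (src_ip, src_port, lan[0], lan[1])


def walk_through():
    """Steps 1-4 from the slide, plus one unsolicited inbound datagram (constructed)."""
    nat = NatRouter("138.76.29.7")
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)      # host sends
    step2 = nat.outbound(step1)                             # NAT rewrites source
    step3 = ("128.119.40.186", 80, step2[0], step2[1])     # reply arrives at WAN addr
    step4 = nat.inbound(step3)                              # NAT rewrites destination
    stray = nat.inbound(("203.0.113.9", 4444, "138.76.29.7", 9999))
    return step2, step4, stray


if __name__ == "__main__":
    out, back, stray = walk_through()
    print("after step 2:", out)
    print("after step 4:", back)
    print("unsolicited :", stray)
```

Because only table entries created by outgoing traffic are translated, the NAT also behaves like the slide's "block inbound SYN" filter for hosts behind it, with the same side effect that an internal server cannot be reached without extra configuration.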

Hierarchical Routing

Our routing study thus far: idealization: all routers identical, network "flat" … not true in practice.

Scale: with 200 million destinations, can't store all dests in routing tables; routing table exchange would swamp links.

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS). Routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol.

Gateway router: direct link to router in another AS.

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); in each router an intra-AS routing algorithm and an inter-AS routing algorithm together fill the forwarding table.]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS & intra-AS set entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops). # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A).

[Figure: routers A, B, C, D joining subnets u, v, w, x, y, z.]

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement). Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs configured by the network administrator. OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to backbone.
Boundary routers: connect to other ASs.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard. BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links. When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS.]

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes; prefix + attributes = "route". Two important attributes: AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17. NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop-AS). When gateway router receives route advert, uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduces update traffic.
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs. Layer-2 packet is a frame, encapsulates datagram. Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes. Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use. Random Access: channel not divided, allow collisions; "recover" from collisions. "Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkt, slots 2, 5, 6 idle.
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p.
Prob that node 1 has success in a slot = p(1-p)^(N-1).
Prob that there is a success = Np(1-p)^(N-1).
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send. At best: channel used for useful transmissions 37% of time.
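The efficiency calculation above carried out numerically, added as an example (not code from the slides). `success_prob` is the slide's Np(1-p)^(N-1); the maximizing p is found by a grid search (the analytic answer is p* = 1/N, which the test checks) and the maximum is tabulated for growing N to show it approaching 1/e. The grid resolution is a constructed parameter.

```python
"""Slotted ALOHA: success probability, optimal p, and the large-N limit 1/e."""
import math


def success_prob(n: int, p: float) -> float:
    """Probability that exactly one of n nodes transmits in a slot: n p (1-p)^(n-1)."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n: int, steps: int = 10000) -> float:
    """Grid search over p in (0, 1) for the value maximising success_prob (p* = 1/n analytically)."""
    grid = (i / steps for i in range(1, steps))
    return max(grid, key=lambda p: success_prob(n, p))


def max_efficiency(n: int) -> float:
    """Efficiency at the optimal p = 1/n."""
    return success_prob(n, 1.0 / n)


def limit_table(ns=(2, 5, 10, 100, 1000)) -> dict:
    """Maximum efficiency for several N, to compare with 1/e ≈ 0.3679."""
    return {n: round(max_efficiency(n), 4) for n in ns}


if __name__ == "__main__":
    for n, eff in limit_table().items():
        print(f"N={n:5d}: p*={best_p(n):.4f}, max efficiency={eff:.4f}")
    print(f"1/e = {1 / math.e:.4f}")
```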

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission. Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted. Note: role of distance & propagation delay in determining collision probability.

[Figure: spatial layout of nodes against time, two transmissions overlapping.]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage. Collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting.

CSMA/CD collision detection

[Figure only.]

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table. ARP Table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>. TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.]

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table. A broadcasts ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query. B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast). A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed. ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address. Two ARP tables in router R, one for each IP network (LAN). In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A and R on one LAN, R and B on another.]

A creates datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram. A's adapter sends frame. R's adapter receives frame. R removes IP datagram from Ethernet frame, sees it's destined to B. R uses ARP to get B's MAC address. R creates frame containing A-to-B IP datagram, sends to B.

[Figure: A and R on one LAN, R and B on another.]
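The same-LAN ARP exchange and the A to R to B walkthrough above, added as one simulation (not code from the slides). Only the router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B come from the slide; the other addresses, the second network 222.222.222.0/24 and the class names are constructed. Each node keeps an ARP table of (MAC, expiry) entries that time out after the slide's 20 minutes unless refreshed, a LAN answers a broadcast query from the node that owns the IP, and `send` returns the link-layer frame used at each hop so the change of MAC addresses across the router is visible.

```python
"""ARP tables with soft-state timeout and a two-hop delivery through router R."""
import ipaddress

TTL_SECONDS = 20 * 60              # slide: ARP mapping typically forgotten after 20 min
BROADCAST = "FF-FF-FF-FF-FF-FF"    # destination MAC of an ARP query


class Node:
    def __init__(self, name, ifaces, gateway=None):
        """ifaces: {ip: (mac, ip_network)}; gateway: IP of the default router (hosts only)."""
        self.name, self.ifaces, self.gateway = name, ifaces, gateway
        self.arp = {}              # ip -> (mac, expiry time): soft state

    def mac_for(self, ip):
        return self.ifaces[ip][0]

    def iface_toward(self, ip):
        """This node's own IP on the same network as ip, or None if it has none."""
        addr = ipaddress.ip_address(ip)
        for my_ip, (_, net) in self.ifaces.items():
            if addr in net:
                return my_ip
        return None


class Lan:
    """One broadcast segment: an ARP query reaches every node; the owner of the IP replies."""

    def __init__(self, network, nodes):
        self.network, self.nodes = network, nodes

    def resolve(self, asker, target_ip, now):
        """Return (MAC, 'cache' or 'query'); a query result is cached until now + TTL."""
        hit = asker.arp.get(target_ip)
        if hit and hit[1] > now:
            return hit[0], "cache"
        for n in self.nodes:                     # query sent to BROADCAST, seen by all nodes
            if n is not asker and target_ip in n.ifaces:
                mac = n.mac_for(target_ip)       # owner replies by unicast to the asker
                asker.arp[target_ip] = (mac, now + TTL_SECONDS)
                return mac, "query"
        raise LookupError(f"{target_ip} is not on {self.network}")


def send(lans, src, dst_ip, now=0):
    """Frames (src MAC, dst MAC, how the dst MAC was found) used at each hop toward dst_ip."""
    frames, node = [], src
    while True:
        out_ip = node.iface_toward(dst_ip)             # same IP network: deliver directly
        next_ip = dst_ip if out_ip else node.gateway   # otherwise hand the datagram to the router
        if next_ip is None:
            raise LookupError("no route")
        out_ip = out_ip or node.iface_toward(next_ip)
        lan = next(l for l in lans if ipaddress.ip_address(out_ip) in l.network)
        next_mac, how = lan.resolve(node, next_ip, now)
        frames.append((node.mac_for(out_ip), next_mac, how))
        node = next(n for n in lan.nodes if next_ip in n.ifaces)
        if next_ip == dst_ip:
            return frames


def build_topology():
    """Constructed two-LAN topology (only 111.111.111.110 / E6-E9-00-17-BB-4B are from the slide)."""
    net1 = ipaddress.ip_network("111.111.111.0/24")
    net2 = ipaddress.ip_network("222.222.222.0/24")
    a = Node("A", {"111.111.111.111": ("74-29-9C-E8-FF-55", net1)}, gateway="111.111.111.110")
    r = Node("R", {"111.111.111.110": ("E6-E9-00-17-BB-4B", net1),
                   "222.222.222.220": ("1A-23-F9-CD-06-9B", net2)})
    b = Node("B", {"222.222.222.222": ("49-BD-D2-C7-56-2A", net2)}, gateway="222.222.222.220")
    return [Lan(net1, [a, r]), Lan(net2, [r, b])], a, b


if __name__ == "__main__":
    lans, a, b = build_topology()
    for hop in send(lans, a, "222.222.222.222"):
        print("frame: src MAC %s -> dst MAC %s (%s)" % hop)
```

The IP source and destination (A and B) never change between the two frames; only the MAC pair does, which is the point of the walkthrough. Because any node on the segment may answer a query, an ARP table is only as trustworthy as the segment it was learned on.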

Ethernet uses CSMA/CD

No slots. Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense. Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection. Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame.

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.

Exponential backoff:
• Goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer.
• First collision: choose K from {0, 1}; delay is K·512 bit transmission times.
• After the second collision: choose K from {0, 1, 2, 3}, ...
• After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

• Efficiency goes to 1 as t_prop goes to 0.
• Efficiency goes to 1 as t_trans goes to infinity.
• Much better than ALOHA, but still decentralized, simple, and cheap.
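An added example (not from the slides) that turns steps 4-5 of the algorithm and the efficiency approximation into code: the K range after the m-th collision, the K·512 bit-time wait (about 52 ms for K = 1023 on 10 Mbps Ethernet), and a toy slotted contention model. Capping the exponent at 10 and the slot model itself are assumptions.

```python
"""Ethernet CSMA/CD exponential backoff and efficiency (added example)."""
import random

BIT_TIME_10MBPS = 0.1e-6      # seconds per bit on 10 Mbps Ethernet (slide: 0.1 microsec)
SLOT_BIT_TIMES = 512          # backoff unit from the slide: K * 512 bit times
MAX_BACKOFF_EXPONENT = 10     # assumption: the slide stops at K in {0..1023}, so cap m at 10


def backoff_range(m):
    """Upper bound of K after the m-th collision: K in {0, 1, ..., 2^m - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_BACKOFF_EXPONENT) - 1


def choose_k(m, rng=random):
    """Pick K uniformly from {0..2^m-1} using the supplied random source."""
    return rng.randint(0, backoff_range(m))


def wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """Time the adapter waits before returning to step 2: K * 512 bit times."""
    return k * SLOT_BIT_TIMES * bit_time


def efficiency(t_prop, t_trans):
    """Slide's approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


class Adapter:
    """Steps 3-5 of the slide's algorithm for one frame; the channel state
    (success or collision) is reported to it from outside so it stays testable."""

    def __init__(self, name, rng=random):
        self.name = name
        self.rng = rng
        self.collisions = 0
        self.backoff_bit_times = 0

    def on_collision(self):
        """Steps 4-5: abort (jam), then pick K from the range that grows with m."""
        self.collisions += 1
        k = choose_k(self.collisions, self.rng)
        self.backoff_bit_times = k * SLOT_BIT_TIMES
        return k

    def on_success(self):
        """Step 3: frame delivered; the collision counter resets for the next frame."""
        self.collisions = 0
        self.backoff_bit_times = 0


def simulate_contention(n_adapters, seed=1):
    """Toy slotted model (assumption, not from the slide): every adapter has one frame
    ready at time 0 and each slot lasts 512 bit times. Returns (slots_used, collisions)."""
    rng = random.Random(seed)
    pending = [Adapter(f"A{i}", rng) for i in range(n_adapters)]
    slots = collisions = 0
    while pending:
        slots += 1
        ready = [a for a in pending if a.backoff_bit_times == 0]
        if len(ready) == 1:
            ready[0].on_success()
            pending.remove(ready[0])
        elif len(ready) > 1:
            collisions += 1
            for a in ready:
                a.on_collision()
        # adapters still counting down spent this slot waiting
        for a in pending:
            if a not in ready:
                a.backoff_bit_times -= SLOT_BIT_TIMES
    return slots, collisions
```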

Hubs

Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links at the same rate
• no frame buffering
• no CSMA/CD at the hub: adapters detect collisions
• provides network management functionality
  • can disconnect a malfunctioning adapter

[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: backbone hub interconnecting three department hubs]

Switch

Link-layer device:
• stores and forwards Ethernet frames
• examines the frame header and selectively forwards the frame based on the MAC destination address
• when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment

Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

• How to determine onto which LAN segment to forward the frame?
• Looks like a routing problem.

[Figure: switch with interfaces 1, 2 and 3, each connected to a hub]

Self learning

A switch has a switch table. Entry in the switch table: (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

• Switch installation breaks the subnet into LAN segments.
• The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments.
• Segments become separate collision domains.

[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
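An added example (not from the slides) of the self-learning and filtering behaviour just described: every received frame teaches the switch where its sender is, a known destination is forwarded only on its interface, a destination on the incoming segment is dropped, an unknown or broadcast destination is flooded, and entries older than the TTL are aged out. The MAC strings, interface numbers and timestamps are constructed for the example.

```python
"""Self-learning switch table with TTL-based aging (added example)."""
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Entry:
    interface: int
    timestamp: float   # time the entry was last (re)learned


class LearningSwitch:
    """Switch table of (MAC address, interface, time stamp) entries; stale entries
    are dropped after `ttl` seconds (slide: TTL can be 60 min)."""

    def __init__(self, interfaces, ttl=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}

    def _expire(self, now):
        stale = [mac for mac, e in self.table.items() if now - e.timestamp > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src, dst, in_iface, now):
        """Process one frame; return the list of interfaces it is forwarded on."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown interface {in_iface}")
        self._expire(now)
        # learning: the sender is reachable via the incoming interface (overwrites an older entry)
        self.table[src] = Entry(in_iface, now)
        entry = None if dst == BROADCAST else self.table.get(dst)
        if entry is None:
            # unknown or broadcast destination: flood on every other interface
            return [i for i in self.interfaces if i != in_iface]
        if entry.interface == in_iface:
            # same-LAN-segment frame: filtered, not forwarded (traffic isolation)
            return []
        # known destination on another segment: selective forwarding
        return [entry.interface]


def demo():
    """Hosts AA and CC share the segment on interface 1; BB is on interface 2 (constructed)."""
    sw = LearningSwitch([1, 2, 3], ttl=3600)
    trace = []
    trace.append(sw.receive("AA", "BB", 1, now=0))      # BB unknown -> flood to 2 and 3
    trace.append(sw.receive("BB", "AA", 2, now=1))      # AA learned on 1 -> forward to 1 only
    trace.append(sw.receive("CC", "AA", 1, now=2))      # same segment as AA -> dropped
    trace.append(sw.receive("BB", "AA", 2, now=3700))   # AA's entry aged out -> flood again
    return trace
```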

Switches vs. Routers

• Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.
• Routers maintain routing tables and implement routing algorithms.
• Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                     hubs    switches    routers
traffic isolation    no      yes         yes
plug & play          yes     yes         no
optimal routing      no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

[Figure: A, B and C in a line; A and C are out of each other's range]

Hidden terminal problem:
• B and A hear each other
• B and C hear each other
• A and C cannot hear each other, meaning A and C are unaware of their interference at B

[Figure: A's signal strength and C's signal strength plotted against space]

Signal fading:
• B and A hear each other
• B and C hear each other
• A and C cannot hear each other, yet interfere at B

IEEE 802.11 Wireless LAN

802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in the physical layer
  • all hosts use the same chipping code
• widely deployed, using base stations

802.11a
• 5-6 GHz range
• up to 54 Mbps

802.11g
• 2.4-5 GHz range
• up to 54 Mbps

All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture

• A wireless host communicates with a base station; base station = access point (AP).
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP), the base station; in ad hoc mode, hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender:
1. If it senses the channel idle for DIFS, then transmit the entire frame (no CD).
2. If it senses the channel busy, then
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK, increase the random backoff interval and repeat 2

802.11 receiver:
- If the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP and the reservation requests collide; A sends RTS(A) again, the AP broadcasts CTS(A), A sends DATA(A), the AP returns ACK(A), and B defers for the reserved duration]

802.11 frame: addressing

Frame format (field sizes in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)

• Address 1: MAC address of the wireless host or AP to receive this frame
• Address 2: MAC address of the wireless host or AP transmitting this frame
• Address 3: MAC address of the router interface to which the AP is attached
• Address 4: used only in ad hoc mode

[Figure: wireless host H1 sends through the AP to router interface R1, which leads to the Internet]

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
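An added example (not from the slides) that parses the header layout above from raw bytes and rebuilds the 802.3 frame the way the figure shows it (dest = address 3, source = the AP's address, which is address 1 in this direction). The MAC addresses, the frame-control value and the IPv4 ethertype are constructed for the sample; address 4 is not handled.

```python
"""Translate an 802.11 data frame header into the 802.3 frame the AP emits (added example)."""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800  # assumption: the payload is an IPv4 datagram


@dataclass
class Dot11Header:
    frame_control: int
    duration: int
    addr1: bytes   # receiver (the AP, in the slide's infrastructure-mode example)
    addr2: bytes   # transmitter (H1)
    addr3: bytes   # router interface R1 the AP is attached to
    seq_control: int


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def mac_bytes(s):
    return bytes(int(p, 16) for p in s.split("-"))


def parse_dot11_header(frame):
    """Parse the slide's layout: frame control (2), duration (2), address 1 (6),
    address 2 (6), address 3 (6), seq control (2); 802.11 fields are little-endian.
    Returns (header, payload_after_the_24_byte_header)."""
    if len(frame) < 24:
        raise ValueError("802.11 header needs at least 24 bytes")
    fc, dur, a1, a2, a3, seq = struct.unpack("<HH6s6s6sH", frame[:24])
    return Dot11Header(fc, dur, a1, a2, a3, seq), frame[24:]


def to_8023(hdr, payload, ethertype=ETHERTYPE_IPV4):
    """AP rebuilds an Ethernet frame as in the figure: dest = address 3 (R1),
    source = AP MAC address (address 1 here), then ethertype and payload."""
    return hdr.addr3 + hdr.addr1 + struct.pack("!H", ethertype) + payload


def build_dot11_header(addr1, addr2, addr3, seq=0, duration=0, frame_control=0x0008):
    """Construct a header in the same layout; 0x0008 marks a data frame and is
    used here only to make the sample realistic."""
    return struct.pack("<HH6s6s6sH", frame_control, duration, addr1, addr2, addr3, seq)


# constructed sample: H1 -> AP -> R1, MAC addresses made up for this example
H1 = mac_bytes("02-00-00-00-00-01")
AP = mac_bytes("02-00-00-00-00-0A")
R1 = mac_bytes("02-00-00-00-00-FF")
SAMPLE = build_dot11_header(AP, H1, R1, seq=0x0010) + b"\x45\x00\x00\x14"  # start of a fake IPv4 header


def demo():
    hdr, payload = parse_dot11_header(SAMPLE)
    eth = to_8023(hdr, payload)
    return {
        "addr1": mac_str(hdr.addr1), "addr2": mac_str(hdr.addr2), "addr3": mac_str(hdr.addr3),
        "eth_dst": mac_str(eth[:6]), "eth_src": mac_str(eth[6:12]),
        "ethertype": struct.unpack("!H", eth[12:14])[0], "payload": eth[14:],
    }
```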

Network Security

• What is network security?
• Principles of cryptography: symmetric key, public key
• Authentication: protocol evolution
• Access control: firewalls
• Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks


Authentication

Goal: Bob wants Alice to "prove" her identity to him.

Protocol ap1.0: Alice says "I am Alice".

Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice: "I am Alice".

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.

Failure scenario: Trudy can create a packet "spoofing" Alice's address: "I am Alice", sent from Alice's IP address.

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Alice → Bob: "I'm Alice", Alice's IP addr, Alice's password
Bob → Alice: OK, Alice's IP addr

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob:

Trudy → Bob: "I'm Alice", Alice's IP addr, Alice's password
Bob: OK, Alice's IP addr

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Alice → Bob: "I'm Alice", Alice's IP addr, encrypted password
Bob → Alice: OK, Alice's IP addr

Failure scenario: record and playback still works. Trudy replays the recorded packet:

Trudy → Bob: "I'm Alice", Alice's IP addr, encrypted password
Bob: OK, Alice's IP addr

Authentication: yet another try

Goal: avoid the playback attack. Failures, drawbacks?

Nonce: a number (R) used only once in a lifetime.

ap4.0: to prove Alice is "live", Bob sends Alice a nonce R. Alice must return R encrypted with the shared secret key.

Alice → Bob: "I am Alice"
Bob → Alice: R
Alice → Bob: K_A-B(R)

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice.
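An added example (not from the slides) of ap4.0 on Bob's side: a fresh nonce per attempt, a response accepted only against the outstanding nonce, and the nonce consumed after one use, so the recorded response that broke ap3.0 and ap3.1 is rejected. HMAC-SHA256 is used in place of the slide's symmetric encryption K_A-B(R) (assumption: any keyed function Bob can recompute serves the same purpose); the shared key is constructed.

```python
"""Nonce challenge-response (ap4.0) with replay rejection (added example)."""
import hmac
import hashlib
import secrets


def respond(shared_key, nonce):
    """Alice's side: K_A-B(R). HMAC-SHA256 stands in for encrypting the nonce
    with the shared key (assumption, see lead-in)."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class Verifier:
    """Bob's side: issues a fresh nonce per attempt and accepts each nonce once."""

    def __init__(self, shared_key, nonce_source=None):
        self.key = shared_key
        self.nonce_source = nonce_source or (lambda: secrets.token_bytes(16))
        self.outstanding = {}   # claimed identity -> nonce awaiting its response
        self.used = set()       # nonces already consumed: "used only once in a lifetime"

    def challenge(self, claimed_identity):
        """Step 2: Bob sends R; a nonce value is never handed out twice."""
        nonce = self.nonce_source()
        while nonce in self.used:
            nonce = self.nonce_source()
        self.outstanding[claimed_identity] = nonce
        return nonce

    def verify(self, claimed_identity, response):
        """Step 3: accept only if response == K_A-B(R) for the currently outstanding R."""
        nonce = self.outstanding.pop(claimed_identity, None)
        if nonce is None:
            return False                      # no live challenge: nothing to check against
        self.used.add(nonce)                  # consumed whether or not the check passes
        expected = respond(self.key, nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """A legitimate ap4.0 run, then the ap3.0-style playback of Alice's recorded answer."""
    key = b"alice-bob-shared-secret (constructed for this example)"
    bob = Verifier(key)
    r1 = bob.challenge("Alice")
    alice_answer = respond(key, r1)
    first = bob.verify("Alice", alice_answer)         # Alice is live: accepted
    r2 = bob.challenge("Alice")
    replay = bob.verify("Alice", alice_answer)        # recorded answer vs. new nonce: rejected
    stale = bob.verify("Alice", alice_answer)         # no outstanding challenge: rejected
    return first, replay, stale, r1 != r2
```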

Authentication: ap5.0

ap4.0 requires a shared symmetric key. Can we authenticate using public key techniques?

ap5.0: use a nonce and public key cryptography.

Alice → Bob: "I am Alice"
Bob → Alice: R
Alice → Bob: K_A^-(R)
Bob → Alice: "send me your public key"
Alice → Bob: K_A^+

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Alice → Trudy (as Bob): I am Alice
Trudy (as Alice) → Bob: I am Alice
Bob → Trudy: R
Trudy → Bob: K_T^-(R)
Bob → Trudy: Send me your public key
Trudy → Bob: K_T^+
Trudy → Alice: R
Alice → Trudy: K_A^-(R)
Trudy → Alice: Send me your public key
Alice → Trudy: K_A^+
Bob → Trudy: K_T^+(m)
Trudy gets m = K_T^-(K_T^+(m)) and sends m to Alice encrypted with Alice's public key:
Trudy → Alice: K_A^+(m)
Alice gets m = K_A^-(K_A^+(m))

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., Bob and Alice can meet one week later and recall the conversation). The problem is that Trudy receives all messages as well.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Firewalls

Firewall: isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.

[Figure: administered network | firewall | public Internet]

Firewalls: Why

• Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections; no resources are left for "real" connections.
• Prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else.
• Allow only authorized access to the inside network (set of authenticated users/hosts).

Two types of firewalls: application-level, packet-filtering.

Packet Filtering

• Internal network connected to the Internet via a router firewall.
• The router filters packet-by-packet; the decision to forward/drop a packet is based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

Should an arriving packet be allowed in? Should a departing packet be let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
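An added example (not from the slides) that implements the two filtering examples as rules over the header fields the slide lists. Example 1 is written as two rules so that both UDP flows and telnet connections are blocked, as the slide's explanation says; for Example 2 the rule matches inbound segments with SYN set and ACK clear, so that SYN-ACK replies to internal clients still get in (that refinement is an assumption). The traffic is constructed.

```python
"""Packet-filtering rules for the two slide examples (added example)."""
from dataclasses import dataclass

IPPROTO_TCP = 6
IPPROTO_UDP = 17
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" (arriving from the Internet) or "out" (departing)
    src_ip: str
    dst_ip: str
    protocol: int     # IP protocol field
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False
    ack: bool = False


def rule_block_udp(pkt):
    """Example 1, part a: IP protocol field = 17, either direction."""
    return pkt.protocol == IPPROTO_UDP


def rule_block_telnet(pkt):
    """Example 1, part b: source or destination port = 23, either direction."""
    return pkt.protocol in (IPPROTO_TCP, IPPROTO_UDP) and TELNET_PORT in (pkt.src_port, pkt.dst_port)


def rule_block_inbound_syn(pkt):
    """Example 2: inbound TCP connection attempts. A connection-opening segment has
    SYN=1, ACK=0; inbound SYN-ACK replies to internal clients carry ACK=1 and pass."""
    return pkt.direction == "in" and pkt.protocol == IPPROTO_TCP and pkt.syn and not pkt.ack


RULES = [rule_block_udp, rule_block_telnet, rule_block_inbound_syn]


def decide(pkt, rules=RULES):
    """Return ('drop', rule_name) for the first matching block rule, else ('forward', None)."""
    for rule in rules:
        if rule(pkt):
            return "drop", rule.__name__
    return "forward", None


# constructed traffic; 203.0.113.0/24 is a documentation range, 10.0.0.0/8 is private
SAMPLE = [
    Packet("in", "203.0.113.5", "10.0.0.7", IPPROTO_UDP, 53, 40000),                      # UDP: dropped
    Packet("out", "10.0.0.7", "203.0.113.5", IPPROTO_TCP, 51000, 23, syn=True),           # outbound telnet: dropped
    Packet("in", "203.0.113.5", "10.0.0.7", IPPROTO_TCP, 44444, 80, syn=True),            # inbound connect: dropped
    Packet("in", "203.0.113.5", "10.0.0.7", IPPROTO_TCP, 80, 51001, syn=True, ack=True),  # SYN-ACK reply: forwarded
    Packet("out", "10.0.0.7", "203.0.113.5", IPPROTO_TCP, 51001, 80, syn=True),           # internal client connects out: forwarded
    Packet("in", "203.0.113.5", "10.0.0.7", IPPROTO_TCP, 80, 51001, ack=True),            # established data: forwarded
]


def run_sample():
    return [decide(p)[0] for p in SAMPLE]
```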

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway; router and filter]

1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls and gateways

• IP spoofing: the router can't know if data "really" comes from the claimed source.
• If multiple apps need special treatment, each has its own app gateway.
• Client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the Web browser.
• Filters often use an all-or-nothing policy for UDP.
• Tradeoff: degree of communication with the outside world vs. level of security.
• Many highly protected sites still suffer from attacks.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Internet security threats

Mapping:
• Before attacking: "case the joint", find out what services are implemented on the network.
• Use ping to determine what hosts have addresses on the network.
• Port-scanning: try to establish a TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping countermeasures:
• Record traffic entering the network.
• Look for suspicious activity (IP addresses, ports being scanned sequentially).
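An added example (not from the slides) of the countermeasure just stated: over recorded connection attempts, flag a source that touches many distinct ports on one host within a short window and report how many of those ports were walked in sequence. The log format, addresses, thresholds and window are constructed for the example.

```python
"""Detect sequential port scanning in recorded connection logs (added example)."""
import re
from collections import defaultdict

# constructed log lines in a made-up "ts src dst dport flags" format
LOG = """\
10:00:01 src=198.51.100.9 dst=10.0.0.5 dport=21 flags=S
10:00:01 src=198.51.100.9 dst=10.0.0.5 dport=22 flags=S
10:00:02 src=198.51.100.9 dst=10.0.0.5 dport=23 flags=S
10:00:02 src=198.51.100.9 dst=10.0.0.5 dport=24 flags=S
10:00:03 src=198.51.100.9 dst=10.0.0.5 dport=25 flags=S
10:00:03 src=198.51.100.9 dst=10.0.0.5 dport=26 flags=S
10:00:05 src=203.0.113.7 dst=10.0.0.5 dport=80 flags=S
10:00:09 src=203.0.113.7 dst=10.0.0.5 dport=443 flags=S
10:00:15 src=203.0.113.7 dst=10.0.0.5 dport=80 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)


def parse(log_text):
    """Return (ts_seconds, src, dst, dport) for SYN lines; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        records.append((h * 3600 + mi * 60 + s, m["src"], m["dst"], int(m["dport"])))
    return records


def longest_sequential_run(ports):
    """Length of the longest run, in first-seen order, of ports increasing by exactly 1."""
    best = run = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_scans(records, min_ports=5, window=60):
    """Flag a (src, dst) pair that touches >= min_ports distinct ports within `window`
    seconds; the sequential run length hints that ports were tried in order."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = [p for t, p in events[i:] if t - t0 <= window]
            distinct = list(dict.fromkeys(in_window))   # first-seen order, repeats dropped
            if len(distinct) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": len(distinct),
                               "sequential_run": longest_sequential_run(distinct)})
                break
    return alerts
```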

Internet security threats: Packet sniffing

• Broadcast media.
• A promiscuous NIC reads all packets passing by.
• Can read all unencrypted data (e.g., passwords).
• E.g., C sniffs B's packets.

[Figure: A, B and C on a shared medium; frame src:B dest:A payload is visible to C]

Countermeasures?

Internet security threats: Packet sniffing countermeasures

• All hosts in the organization run software that checks periodically if the host interface is in promiscuous mode.
• One host per segment of broadcast media (switched Ethernet at the hub).

[Figure: same topology]

Internet security threats: IP Spoofing

• Can generate "raw" IP packets directly from the application, putting any value into the IP source address field.
• The receiver can't tell if the source is spoofed.
• E.g., C pretends to be B.

[Figure: A, B and C; C sends frame src:B dest:A payload]

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

• Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in the router's network).
• Great, but ingress filtering cannot be mandated for all networks.

[Figure: same topology]

Internet security threats: Denial of service (DOS)

• A flood of maliciously generated packets "swamps" the receiver.
• Distributed DOS (DDOS): multiple coordinated sources swamp the receiver.
• E.g., C and a remote host SYN-attack A.

[Figure: streams of SYN segments from C and from a remote host converge on A]

Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

• Filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad.
• Traceback to the source of the floods (most likely an innocent, compromised machine).

[Figure: same topology]

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
• Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3)

• What is network security?
• Principles of cryptography: symmetric key, public key
• Authentication: protocol evolution
• Access control: firewalls
• Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
• Global: all routers have complete topology and link cost info; "link state" algorithms.
• Decentralized: a router knows its physically-connected neighbors and the link costs to them; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms.

Static or dynamic?
• Static: routes change slowly over time.
• Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm example

[Figure: nodes u, v, w, x, y, z with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]

Step   N'        D(v),p(v)   D(w),p(w)   D(x),p(x)   D(y),p(y)   D(z),p(z)
0      u         2,u         5,u         1,u         ∞           ∞
1      ux        2,u         4,x                     2,x         ∞
2      uxy       2,u         3,y                                 4,y
3      uxyv                  3,y                                 4,y
4      uxyvw                                                     4,y
5      uxy vwz

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to its neighbors.
• When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

  D_x(y) ← min_v { c(x,v) + D_v(y) }  for each node y ∈ N

• Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration is caused by:
• a local link cost change
• a DV update message from a neighbor

Distributed: each node notifies its neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path, only the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three-node network with c(x,y)=2, c(y,z)=1, c(x,z)=7, and the tables at node x, node y and node z over time. At the start each node's table holds only its own row, e.g. node x: cost to (x,y,z) from x = (0,2,7), with the rows from y and z all ∞. After the first exchange every table converges to: from x (0,2,3), from y (2,0,1), from z (3,1,0).]

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{2+0, 7+1} = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{2+1, 7+0} = 3
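An added example (not from the slides) that runs the B-F update on the x-y-z network above until no vector changes; the exchange is made synchronous (all nodes send, then all recompute) so that the result is reproducible, which is an assumption about scheduling, not part of the slide.

```python
"""Synchronous distance-vector iteration on the slide's x-y-z example (added example)."""
import math

# link costs from the figure: c(x,y)=2, c(y,z)=1, c(x,z)=7
LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}


def neighbors(links):
    """Adjacency map {node: {neighbor: cost}} for an undirected link list."""
    nbrs = {}
    for (a, b), c in links.items():
        nbrs.setdefault(a, {})[b] = c
        nbrs.setdefault(b, {})[a] = c
    return nbrs


def initial_vector(node, nbrs, nodes):
    """A node initially knows only its direct link costs; everything else is infinity."""
    return {y: 0 if y == node else nbrs[node].get(y, math.inf) for y in nodes}


def bellman_ford_update(x, nbrs, own, received):
    """D_x(y) <- min over neighbors v of { c(x,v) + D_v(y) }; x's own entry stays 0."""
    new = {}
    for y in own:
        if y == x:
            new[y] = 0
            continue
        candidates = [c_xv + received[v][y] for v, c_xv in nbrs[x].items() if v in received]
        new[y] = min(candidates) if candidates else math.inf
    return new


def run_dv(links, max_rounds=20):
    """Each round every node sends its current DV to its neighbors, then recomputes.
    Stops when no vector changes. Returns (vectors, rounds_that_changed_something)."""
    nbrs = neighbors(links)
    nodes = sorted(nbrs)
    vectors = {n: initial_vector(n, nbrs, nodes) for n in nodes}
    for rnd in range(1, max_rounds + 1):
        # each node sees the vectors its neighbors advertised in this round
        updated = {x: bellman_ford_update(x, nbrs, vectors[x], {v: vectors[v] for v in nbrs[x]})
                   for x in nodes}
        if updated == vectors:
            return vectors, rnd - 1
        vectors = updated
    return vectors, max_rounds
```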

The Internet Network layer

Host, router network layer functions:

Routing protocols
• path selection
• RIP, OSPF, BGP

IP protocol
• addressing conventions
• datagram format
• packet handling conventions

ICMP protocol
• error reporting
• router "signaling"

[Figure: the network layer (routing protocols, IP protocol, forwarding table, ICMP protocol) sits between the transport layer (TCP, UDP) and the link layer / physical layer]

IP datagram format

[Figure: IPv4 header, 32 bits wide]
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number of remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
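An added example (not from the slides) that decodes the header fields listed above from raw bytes and checks the Internet checksum; the sample datagram, its addresses and its fake 20-byte TCP payload are constructed.

```python
"""Parse an IPv4 header from bytes and verify the Internet checksum (added example)."""
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    ihl_bytes: int        # header length in bytes (head. len field * 4)
    tos: int
    total_length: int
    identification: int
    flags: int            # 3 bits
    fragment_offset: int  # 13 bits, in 8-byte units
    ttl: int
    protocol: int         # upper-layer protocol (6 = TCP, 17 = UDP)
    checksum: int
    src: str
    dst: str
    options: bytes


def internet_checksum(data):
    """One's-complement sum of 16-bit words, as used for the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Decode the fixed 20-byte header plus options; return (header, payload, checksum_ok)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 header")
    hdr = IPv4Header(version, ihl, tos, total_len, ident, flags_frag >> 13, flags_frag & 0x1FFF,
                     ttl, proto, csum, ".".join(map(str, src)), ".".join(map(str, dst)),
                     packet[20:ihl])
    # a header whose checksum field is intact sums (one's complement) to zero
    ok = internet_checksum(packet[:ihl]) == 0
    return hdr, packet[ihl:total_len], ok


def build_ipv4(src, dst, payload, protocol=6, ttl=64, ident=0x1C46):
    """Construct a header with no options and a valid checksum (sample data for this example)."""
    total_len = 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, protocol, 0, src_b, dst_b)
    csum = internet_checksum(head)
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


# constructed sample: documentation addresses and a fake 20-byte TCP header
SAMPLE = build_ipv4("192.0.2.1", "198.51.100.7", b"\x00\x50\x00\x50" + b"\x00" * 16)


def overhead_bytes(hdr, tcp_header_len=20):
    """Slide's question: 20 bytes of TCP + 20 bytes of IP = 40 bytes + app-layer overhead."""
    return hdr.ihl_bytes + tcp_header_len
```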

IP Addressing: introduction

• IP address: 32-bit identifier for a host or router interface.
• Interface: connection between host/router and physical link.
  • Routers typically have multiple interfaces.
  • A host may have multiple interfaces.
  • IP addresses are associated with each interface.

[Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1 and 223.1.3.27, joined by one router]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
• subnet part (high order bits)
• host part (low order bits)

What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.

[Figure: the same network of interfaces 223.1.1.x, 223.1.2.x and 223.1.3.x; a network consisting of 3 subnets (LANs)]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing
• subnet portion of the address of arbitrary length
• address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address

  200.23.16.0/23 = 11001000 00010111 0001000|0 00000000
                   subnet part: first 23 bits; host part: remaining 9 bits
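An added example (not from the slides) covering the Subnets and CIDR slides together: the a.b.c.d/x notation is parsed with bit operations rather than a library so the x-bit subnet part and the host part are visible, and the subnet definition above is applied to the 223.1.x.x interfaces. Addresses are the slides' own; the helper names are mine.

```python
"""CIDR prefix arithmetic and subnet membership (added example)."""


def ip_to_int(addr):
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def netmask(prefix):
    """x leading one bits: the subnet part of the address."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def parse_cidr(text):
    """'a.b.c.d/x' -> (network_int, x); host bits of a.b.c.d are masked off."""
    addr, _, x = text.partition("/")
    prefix = int(x)
    return ip_to_int(addr) & netmask(prefix), prefix


def same_subnet(a, b, prefix):
    """Slide's definition: interfaces with the same subnet part of the IP address
    can reach each other without an intervening router."""
    m = netmask(prefix)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


def binary(addr):
    """Dotted address as the four 8-bit groups written on the slide."""
    return " ".join(f"{int(o):08b}" for o in addr.split("."))


def describe(cidr):
    net, prefix = parse_cidr(cidr)
    host_bits = 32 - prefix
    return {
        "network": int_to_ip(net),
        "mask": int_to_ip(netmask(prefix)),
        "subnet_bits": prefix,
        "host_bits": host_bits,
        "addresses": 2 ** host_bits,
        "binary": binary(int_to_ip(net)),
    }
```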

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 and a NAT router whose LAN side is 10.0.0.4 and whose WAN side is 138.76.29.7, connected to the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source and destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
......                 ......

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes the datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes the datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
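An added example (not from the slides) that walks the four steps above through a translation table and also shows what the table implies for an inbound datagram with no entry: it has no LAN destination and is dropped. Port 5001 as the first allocated WAN port follows the slide; allocating sequentially from there is an assumption.

```python
"""NAT translation table behaviour from the slide's walkthrough (added example)."""
from dataclasses import dataclass, replace

NAT_PUBLIC_IP = "138.76.29.7"
FIRST_WAN_PORT = 5001   # the slide's first allocated port; sequential allocation is assumed


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip=NAT_PUBLIC_IP, first_port=FIRST_WAN_PORT):
        self.public_ip = public_ip
        self.next_port = first_port
        self.wan_to_lan = {}   # (WAN addr, WAN port) -> (LAN addr, LAN port)
        self.lan_to_wan = {}   # reverse map so a repeated outbound datagram reuses its entry

    def outbound(self, d):
        """Steps 1-2: rewrite source (LAN addr, port) to (NAT IP, new port); update the table."""
        key = (d.src_ip, d.src_port)
        if key not in self.lan_to_wan:
            wan = (self.public_ip, self.next_port)
            self.next_port += 1
            self.lan_to_wan[key] = wan
            self.wan_to_lan[wan] = key
        wan_ip, wan_port = self.lan_to_wan[key]
        return replace(d, src_ip=wan_ip, src_port=wan_port)

    def inbound(self, d):
        """Steps 3-4: look up (dest addr, port) in the table and rewrite the destination.
        Returns None when no entry exists: an unsolicited inbound datagram has nowhere to go."""
        lan = self.wan_to_lan.get((d.dst_ip, d.dst_port))
        if lan is None:
            return None
        return replace(d, dst_ip=lan[0], dst_port=lan[1])

    def table(self):
        """Rows as on the slide: ((WAN addr, WAN port), (LAN addr, LAN port))."""
        return sorted(self.wan_to_lan.items())


def walkthrough():
    nat = NatRouter()
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    step3 = Datagram("128.119.40.186", 80, step2.src_ip, step2.src_port)
    step4 = nat.inbound(step3)
    unsolicited = nat.inbound(Datagram("128.119.40.186", 80, NAT_PUBLIC_IP, 6000))
    return step2, step4, unsolicited, nat.table()
```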

Hierarchical Routing

Our routing study thus far: an idealization. All routers identical, network "flat" ... not true in practice.

Scale: with 200 million destinations:
• can't store all destinations in routing tables
• routing table exchange would swamp links

Administrative autonomy:
• internet = network of networks
• each network admin may want to control routing in its own network

Hierarchical Routing

• Aggregate routers into regions, "autonomous systems" (AS).
• Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol. Routers in different ASes can run different intra-AS routing protocols.

Gateway router: direct link to a router in another AS.

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); in a gateway router the intra-AS routing algorithm and the inter-AS routing algorithm both feed the forwarding table]

Interconnected ASes

The forwarding table is configured by both the intra- and the inter-AS routing algorithm:
• Intra-AS sets entries for internal dests.
• Inter-AS & Intra-AS set entries for external dests.

Routing in the Internet

• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)

• Distance vector algorithm.
• Included in the BSD-UNIX distribution in 1982.
• Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from the src router to the dst subnet (e.g., src = A).

[Figure: routers A, B, C and D connecting subnets u, v, w, x, y and z]

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

• Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).
• Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

• "Open": publicly available.
• Uses the Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator.
• An OSPF advertisement carries one entry per neighbor router.
• Advertisements are disseminated to the entire AS (via flooding), carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

• Security: all OSPF messages are authenticated (to prevent malicious intrusion).
• Multiple same-cost paths allowed (only one path in RIP).
• For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time).
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF.
• Hierarchical OSPF in large domains.

Hierarchical OSPF

• Two-level hierarchy: local area, backbone. Link-state advertisements only within an area; each node has the detailed area topology.
• Area border routers: "summarize" distances to nets in their own area, advertise to other area border routers.
• Backbone routers: run OSPF routing limited to the backbone.
• Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1, AS2 and AS3 with eBGP sessions between gateway routers of different ASes and iBGP sessions between routers within an AS]

Path attributes & BGP routes

• When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".
• Two important attributes:
  • AS-PATH: contains the ASes through which the advert for the prefix passed: AS 67, AS 17.
  • NEXT-HOP: indicates the specific internal-AS router to the next-hop AS. (There may be multiple links from the current AS to the next-hop AS.)
• When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy:
• Inter-AS: the admin wants control over how its traffic is routed and who routes through its net.
• Intra-AS: single admin, so no policy decisions needed.

Scale:
• Hierarchical routing saves table size and reduces update traffic.

Performance:
• Intra-AS: can focus on performance.
• Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology:
• Hosts and routers are nodes.
• Communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs.
• A layer-2 packet is a frame; it encapsulates a datagram.

The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

• Framing, link access:
  • encapsulate the datagram into a frame, adding header and trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source and dest
    • different from IP address!
• Reliable delivery between adjacent nodes:
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit-error links (fiber, some twisted pair)
  • wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use.
• Random Access: channel not divided, allow collisions; "recover" from collisions.
• "Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
• access to the channel in "rounds"
• each station gets a fixed-length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN; 1, 3, 4 have pkts; slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros:
• a single active node can continuously transmit at the full rate of the channel
• highly decentralized: only the slots in nodes need to be in sync
• simple

Cons:
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p.
• Prob that node 1 has success in a slot = p(1-p)^(N-1)
• Prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
• For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity, which gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: the channel is used for useful transmissions 37% of the time!
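The maximization the slide asks for, carried through with the slide's symbols (added derivation, not part of the original slide):

$$
\frac{d}{dp}\,Np(1-p)^{N-1}
= N(1-p)^{N-1} - N(N-1)p(1-p)^{N-2}
= N(1-p)^{N-2}\,(1 - Np) = 0
\quad\Rightarrow\quad p^{*} = \frac{1}{N}
$$

$$
Np^{*}(1-p^{*})^{N-1} = \left(1 - \frac{1}{N}\right)^{N-1}
\;\xrightarrow{\;N \to \infty\;}\; \frac{1}{e} \approx 0.37
$$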

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit.
• If the channel is sensed idle: transmit the entire frame.
• If the channel is sensed busy: defer transmission.

Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.

Collision: the entire packet transmission time is wasted.

[Figure: spatial layout of nodes and a space-time diagram of two overlapping transmissions]

Note: the role of distance & propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing and deferral as in CSMA.
• Collisions detected within a short time.
• Colliding transmissions aborted, reducing channel wastage.

Collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted and received signals
• difficult in wireless LANs: the receiver is shut off while transmitting

CSMA/CD collision detection

[Figure: space-time diagram in which both colliding transmissions are detected and aborted early]

"Taking Turns" MAC protocols

Polling:
• the master node "invites" slave nodes to transmit in turn
• concerns: polling overhead, latency, single point of failure (master)

Token passing:
• a control token is passed from one node to the next sequentially
• token message
• concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B knowing B's IP address?

[Figure: LAN with four nodes having IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

• A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
• A broadcasts an ARP query packet containing B's IP address. Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
• B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
• A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out). Soft state: information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator.

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find the router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.

Figure: A -- R -- B (A and R on one LAN, R and B on another)

- A creates a datagram with source A, destination B.
- A uses ARP to get R's MAC address for 111.111.111.110.
- A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram.
- A's adapter sends the frame; R's adapter receives the frame.
- R removes the IP datagram from the Ethernet frame and sees it is destined to B.
- R uses ARP to get B's MAC address.
- R creates a frame containing the A-to-B IP datagram and sends it to B.
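The two slides above describe one procedure: resolve the next hop with ARP, then forward. The following is an added example, not code from the lecture, that simulates it in memory with real RFC 826 packet encoding. The router address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slide; A's and B's addresses, R's second interface and the 20-minute TTL handling are assumptions made for the example.

```python
"""ARP request/reply and the A -> R -> B forwarding walkthrough, simulated in memory."""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_TTL = 20 * 60            # seconds; the slide's "typically 20 min"
ZERO_MAC = "00:00:00:00:00:00"


def norm_mac(mac):
    """Canonical lowercase colon form, accepting the slide's dashed style too."""
    return ":".join(f"{b:02x}" for b in bytes.fromhex(mac.replace(":", "").replace("-", "")))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode the 28-byte ARP packet for Ethernet/IPv4 (RFC 826 field order)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + bytes.fromhex(norm_mac(sender_mac).replace(":", ""))
            + ipaddress.IPv4Address(sender_ip).packed
            + bytes.fromhex(norm_mac(target_mac).replace(":", ""))
            + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt):
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or len(pkt) < 28:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": norm_mac(pkt[8:14].hex()),
            "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
            "target_mac": norm_mac(pkt[18:24].hex()),
            "target_ip": str(ipaddress.IPv4Address(pkt[24:28]))}


class Iface:
    def __init__(self, node, lan, mac, cidr):
        self.node, self.lan, self.mac = node, lan, norm_mac(mac)
        self.addr = ipaddress.IPv4Interface(cidr)
        lan.append(self)             # a LAN is just the list of attached interfaces

    @property
    def ip(self):
        return str(self.addr.ip)


class Node:
    def __init__(self, name, default_router=None):
        self.name, self.default_router = name, default_router
        self.ifaces, self.arp_table, self.log = [], {}, []   # arp_table: ip -> (mac, expiry)
        self.now = 0.0               # simulated clock in seconds

    def attach(self, lan, mac, cidr):
        self.ifaces.append(Iface(self, lan, mac, cidr))

    def cached_mac(self, ip):
        """Soft state: a mapping past its TTL is forgotten rather than trusted."""
        mac, expiry = self.arp_table.get(ip, (None, 0))
        if mac is not None and self.now >= expiry:
            del self.arp_table[ip]
            return None
        return mac

    def iface_toward(self, ip):
        for iface in self.ifaces:
            if ipaddress.IPv4Address(ip) in iface.addr.network:
                return iface
        return None

    def next_hop(self, dst_ip):
        """Same subnet: deliver directly; otherwise hand off to the default router."""
        if self.iface_toward(dst_ip) is not None:
            return dst_ip
        if self.default_router is None:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        return self.default_router

    def on_arp(self, iface, pkt):
        arp = parse_arp(pkt)
        if arp["op"] == ARP_REQUEST and arp["target_ip"] == iface.ip:
            reply = build_arp(ARP_REPLY, iface.mac, iface.ip, arp["sender_mac"], arp["sender_ip"])
            for other in iface.lan:                      # reply is unicast to the asker
                if other.mac == arp["sender_mac"]:
                    other.node.on_arp(other, reply)
        elif arp["op"] == ARP_REPLY and arp["target_mac"] == iface.mac:
            # ARP carries no authentication: whatever reply arrives is cached as-is
            self.arp_table[arp["sender_ip"]] = (arp["sender_mac"], self.now + ARP_TTL)

    def resolve(self, iface, ip):
        mac = self.cached_mac(ip)
        if mac is None:
            query = build_arp(ARP_REQUEST, iface.mac, iface.ip, ZERO_MAC, ip)
            for other in iface.lan:                      # broadcast: every adapter hears it
                if other is not iface:
                    other.node.on_arp(other, query)
            mac = self.cached_mac(ip)
            if mac is None:
                raise LookupError(f"{self.name}: no ARP reply for {ip}")
        return mac

    def send(self, src_ip, dst_ip, payload):
        hop = self.next_hop(dst_ip)
        iface = self.iface_toward(hop)
        frame = {"dst_mac": self.resolve(iface, hop), "src_mac": iface.mac,
                 "datagram": (src_ip, dst_ip, payload)}
        self.log.append(f"{self.name}: frame to {frame['dst_mac']} carrying {src_ip}->{dst_ip}")
        for other in iface.lan:
            if other.mac == frame["dst_mac"]:
                other.node.receive(frame)
        return frame

    def receive(self, frame):
        src_ip, dst_ip, payload = frame["datagram"]      # strip the frame, look at the datagram
        if any(i.ip == dst_ip for i in self.ifaces):
            self.log.append(f"{self.name}: delivered {payload!r}")
        else:
            self.send(src_ip, dst_ip, payload)           # router: ARP again on the other LAN


def walkthrough():
    """Topology from the slide; addresses not on the slide are constructed for the example."""
    lan1, lan2 = [], []
    a = Node("A", default_router="111.111.111.110")
    a.attach(lan1, "74-29-9C-E8-FF-55", "111.111.111.111/24")
    r = Node("R")
    r.attach(lan1, "E6-E9-00-17-BB-4B", "111.111.111.110/24")
    r.attach(lan2, "1A-23-F9-CD-06-9B", "222.222.222.220/24")
    b = Node("B", default_router="222.222.222.220")
    b.attach(lan2, "49-BD-D2-C7-56-2A", "222.222.222.222/24")
    frame = a.send("111.111.111.111", "222.222.222.222", "hello B")
    return frame, a.log + r.log + b.log, a.arp_table, r.arp_table
```

Running `walkthrough()` shows the frame A emits carries R's MAC as destination while the datagram inside still says A -> B, and afterwards A's ARP table holds only the router while R's holds B.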

Ethernet uses CSMA/CD

- No slots.
- An adapter doesn't transmit if it senses that some other adapter is transmitting: that is carrier sense.
- A transmitting adapter aborts when it senses that another adapter is transmitting: that is collision detection.
- Before attempting a retransmission, the adapter waits a random time: that is random access.

Ethernet CSMA/CD algorithm

1. Adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: 0.1 microsecond for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 msec (1023 * 512 * 0.1 us = 52.4 ms).

Exponential backoff

- Goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer.
- First collision: choose K from {0, 1}; delay is K * 512 bit transmission times.
- After the second collision: choose K from {0, 1, 2, 3}.
- ...
- After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}; the range stops growing here.

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame

$$\text{efficiency} = \frac{1}{1 + 5\, t_{prop} / t_{trans}}$$

- Efficiency goes to 1 as t_prop goes to 0.
- Goes to 1 as t_trans goes to infinity.
- Much better than ALOHA, but still decentralized, simple and cheap.
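An added example (not from the lecture) that puts numbers on the backoff and efficiency rules above: the K range after each collision, the 50 ms figure for K = 1023 at 10 Mbps, the efficiency formula for a full-size frame, and a small contention model showing how many collision rounds it takes before one station's K is strictly smallest. The 16-attempt limit is the 802.3 attemptLimit and is not on the slide; the contention model is a simplification assumed for the example.

```python
"""Ethernet CSMA/CD: exponential backoff, the 50 ms figure, and the efficiency formula."""
import random

SLOT_BITS = 512                    # backoff unit: 512 bit times
JAM_BITS = 48
BACKOFF_CAP = 10                   # K's range stops growing after the 10th collision
ATTEMPT_LIMIT = 16                 # 802.3 attemptLimit (not on the slide): give up after 16


def backoff_range(m):
    """After the m-th collision K is drawn from {0, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, BACKOFF_CAP)


def bit_time(rate_bps):
    return 1.0 / rate_bps


def backoff_delay(m, rate_bps, rng=random):
    """(K, seconds) an adapter waits after its m-th collision on a link of rate_bps."""
    k = rng.randrange(backoff_range(m))
    return k, k * SLOT_BITS * bit_time(rate_bps)


def max_backoff_delay(rate_bps):
    """Worst case K = 1023: the slide's 'about 50 msec' at 10 Mbps."""
    return (backoff_range(BACKOFF_CAP) - 1) * SLOT_BITS * bit_time(rate_bps)


def efficiency(t_prop, t_trans):
    """Long-run fraction of time spent transmitting frames without collision."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def t_trans_for(frame_bytes, rate_bps):
    return frame_bytes * 8 / rate_bps


def contend(n_stations, rng=random):
    """Collision rounds until exactly one station draws the smallest K.

    Simplified model: all stations collide in round 1, each then draws K from the
    range for that collision count, and the round resolves when one K is strictly
    smallest. Returns the number of collisions, or None when the attempt limit is hit.
    """
    collisions = 0
    while True:
        collisions += 1
        if collisions == ATTEMPT_LIMIT:
            return None                                   # frame discarded
        draws = [rng.randrange(backoff_range(collisions)) for _ in range(n_stations)]
        if draws.count(min(draws)) == 1:
            return collisions
```

For a 1500-byte frame on 10 Mbps Ethernet with 10 us of propagation delay, `efficiency(1e-5, t_trans_for(1500, 10_000_000))` is about 0.96; shrinking the frame or stretching the cable pulls it down, which is the intuition behind the formula.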

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides network management functionality; can disconnect a malfunctioning adapter

Figure: hosts connected by twisted pair to a hub

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends the maximum distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are merged into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

Figure: three departmental hubs joined through a backbone hub

Switch

Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem.

Figure: a switch with interfaces 1, 2 and 3, each leading to a hub

Self learning

A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

- Switch installation breaks the subnet into LAN segments.
- The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments.
- Segments become separate collision domains.

Figure: a switch joining three hubs, each hub forming its own collision domain
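An added example (not code from the lecture) of the self-learning and filtering behaviour just described: learn the sender's port on every frame, flood when the destination is unknown or broadcast, filter when the destination sits on the incoming segment, and age entries out after the slide's 60 minutes. The port layout and the three MAC addresses are constructed for the example.

```python
"""Self-learning switch: learn on receive, filter or forward by destination, age out entries."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 60 * 60      # the slide's "TTL can be 60 min"


class LearningSwitch:
    def __init__(self, ports, aging_seconds=AGING_SECONDS):
        self.ports = frozenset(ports)
        self.aging = aging_seconds
        self.table = {}          # MAC address -> (interface, time stamp)

    def _expire(self, now):
        for mac, (_, seen) in list(self.table.items()):
            if now - seen >= self.aging:
                del self.table[mac]

    def handle(self, in_port, src, dst, now):
        """Return the set of ports the frame goes out on (empty set = filtered)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._expire(now)
        # learn: the sender is reachable through the port the frame arrived on.
        # Nothing authenticates this; the table simply follows the latest frame seen.
        self.table[src] = (in_port, now)
        if dst == BROADCAST or dst not in self.table:
            return self.ports - {in_port}                    # flood
        out_port, _ = self.table[dst]
        if out_port == in_port:
            return frozenset()                               # filter: same segment
        return frozenset({out_port})                         # selective forward


def slide_scenario():
    """Three hubs on ports 1, 2, 3; A and C hang off the hub on port 1, B off port 2."""
    sw = LearningSwitch(ports=[1, 2, 3])
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    trace = []
    trace.append(sw.handle(1, A, B, now=0))                  # B unknown -> flood ports 2, 3
    trace.append(sw.handle(2, B, A, now=1))                  # A known on port 1 -> forward {1}
    trace.append(sw.handle(1, C, A, now=2))                  # both on port 1 -> filtered
    trace.append(sw.handle(1, A, C, now=3 + AGING_SECONDS))  # C's entry aged out -> flood again
    return sw, trace
```

The fourth step is the one to notice: once an entry ages out, the frame is flooded again, so the isolation a switch gives against sniffing holds only for destinations it currently knows.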

Switches vs. routers

- Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.
- Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other. This means A and C are unaware of their interference at B.

Figure: nodes A, B, C in a line; A's and C's coverage areas both reach B but not each other

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, yet they interfere at B.

Figure: A's signal strength and C's signal strength plotted against distance; both have faded below detection at the other's position but still overlap at B

IEEE 802.11 wireless LAN

- 802.11b: 2.4 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code; widely deployed, using base stations.
- 802.11a: 5 GHz range; up to 54 Mbps.
- 802.11g: 2.4 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

- A wireless host communicates with a base station; base station = access point (AP).
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, base station); in ad hoc mode, hosts only.

Figure: BSS 1 and BSS 2, each with an AP, attached through a hub, switch or router to the Internet

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.

802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).

Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK

Collision avoidance: RTS-CTS exchange

Figure (time runs downward, stations A and B on either side of the AP): A and B send RTS(A) and RTS(B) at the same time and the reservations collide; A retries RTS(A); the AP answers CTS(A), which B also hears, so B defers; A sends DATA(A); the AP returns ACK(A), heard by B as well.

802.11 frame

field   frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
bytes   2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4

802.11 frame: addressing

- Address 1: MAC address of the wireless host or AP to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode

Figure: H1 -- AP -- R1 -- Internet

802.11 frame sent by H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.

802.3 frame sent by the AP onto the wired LAN: dest address = R1 MAC addr, source address = AP MAC addr (as drawn on the slide; an AP acting as a bridge keeps H1's MAC address as the source, which is how switches on the wired side learn where H1 is).
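An added example, not from the lecture, that parses the header laid out above from raw bytes and performs the AP's re-addressing in both directions. It reads the ToDS/FromDS bits of the frame-control field (little-endian, flags in the second byte) to decide whether address 4 is present, and bridges a host-to-AP frame into an 802.3 frame with dest = address 3 and source = address 2, the station's own MAC. The three MAC addresses are constructed for the example; the CRC is left as zeros because the point is addressing, not integrity.

```python
"""Parse the 802.11 MAC header and re-address a ToDS frame as the 802.3 frame the AP emits."""
import struct


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def parse_80211(frame):
    """Header fields; address 4 is present only when ToDS and FromDS are both set."""
    if len(frame) < 24 + 4:
        raise ValueError("frame shorter than header + CRC")
    fc = struct.unpack("<H", frame[0:2])[0]          # frame control is little-endian
    flags = fc >> 8                                  # second byte: ToDS bit0, FromDS bit1
    hdr = {
        "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
        "duration": struct.unpack("<H", frame[2:4])[0],
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "seq_control": struct.unpack("<H", frame[22:24])[0],
    }
    body_start = 24
    if hdr["to_ds"] and hdr["from_ds"]:
        hdr["addr4"] = mac_str(frame[24:30])
        body_start = 30
    hdr["payload"] = frame[body_start:-4]
    hdr["crc"] = frame[-4:]
    return hdr


def build_80211(to_ds, from_ds, addr1, addr2, addr3, payload, addr4=None, seq=0):
    """Data frame (type 2, subtype 0) with a zero CRC placeholder."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    fc = (2 << 2) | (flags << 8)
    hdr = (struct.pack("<HH", fc, 0) + mac_bytes(addr1) + mac_bytes(addr2)
           + mac_bytes(addr3) + struct.pack("<H", seq))
    if to_ds and from_ds:
        hdr += mac_bytes(addr4)
    return hdr + payload + b"\x00\x00\x00\x00"


def ap_to_8023(frame):
    """Bridge a host->AP frame (ToDS=1, FromDS=0): 802.3 dest = address 3, src = address 2.

    Address 2 is the transmitting station, so keeping it as the Ethernet source is what
    lets wired switches learn the station's location behind the AP.
    """
    hdr = parse_80211(frame)
    if not (hdr["to_ds"] and not hdr["from_ds"]):
        raise ValueError("only host-to-AP frames are bridged here")
    return {"dest": hdr["addr3"], "source": hdr["addr2"], "payload": hdr["payload"]}


def ap_from_8023(dest, source, payload, ap_mac):
    """Reverse direction: an 802.3 frame R1 -> H1 becomes FromDS=1 with addr1=H1, addr2=AP, addr3=R1."""
    return build_80211(False, True, dest, ap_mac, source, payload)
```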


Network security

- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security

Authentication

Goal: Bob wants Alice to "prove" her identity to him.

Protocol ap1.0: Alice says "I am Alice".

Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice: "I am Alice".

Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.

Failure scenario: Trudy can create a packet "spoofing" Alice's address: "I am Alice", Alice's IP address.

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Exchange: "I'm Alice", Alice's IP addr, Alice's password -> Bob replies OK to Alice's IP addr.

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob ("I'm Alice", Alice's IP addr, Alice's password); Bob again replies OK.

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Exchange: "I'm Alice", Alice's IP addr, encrypted password -> Bob replies OK.

Failure scenario: record and playback still works. Trudy never needs the password itself; she replays the encrypted password unchanged, and Bob cannot tell that it is not fresh.

Authentication: yet another try

Goal: avoid the playback attack.

Nonce: a number (R) used only once in a lifetime.

ap4.0: to prove Alice is "live", Bob sends Alice a nonce R. Alice must return R encrypted with the shared secret key.

Exchange: Alice: "I am Alice"; Bob: R; Alice: $K_{A\text{-}B}(R)$.

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice.

Failures, drawbacks: ap4.0 requires a shared symmetric key between Alice and Bob.
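An added example (not from the lecture) running ap3.0 and ap4.0 against a recording attacker. Where the slide has Alice encrypt R with the shared key, the example has her compute a keyed MAC over R with that key; that is the same "only a key holder can produce this" step and is the construction a practitioner would use. Names, the password and the nonce length are assumptions for the example.

```python
"""ap3.0 vs ap4.0: why a replayed secret works and a fresh nonce does not."""
import hashlib
import hmac
import secrets


class ReplayingAttacker:
    """Trudy records whatever she sees on the wire and plays it back later."""
    def __init__(self):
        self.recorded = []

    def observe(self, msg):
        self.recorded.append(msg)
        return msg


# ---- ap3.0: password sent as-is (ap3.1 encrypts it, with the same outcome) ----
def bob_ap30(password_db, msg):
    name, pw = msg
    return password_db.get(name) == pw


# ---- ap4.0: challenge-response with a shared symmetric key ----
def prove(shared_key, nonce):
    """Alice's answer to R. The slide encrypts R with K_A-B; a keyed MAC over R
    is the equivalent proof of key possession and is what this example uses."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class BobAp40:
    def __init__(self, keys):
        self.keys = keys                # name -> shared key
        self.pending = {}               # name -> outstanding nonce
        self.used_nonces = set()        # a nonce is never issued twice

    def challenge(self, name):
        while True:
            r = secrets.token_bytes(16)
            if r not in self.used_nonces:
                break
        self.used_nonces.add(r)
        self.pending[name] = r
        return r

    def verify(self, name, response):
        r = self.pending.pop(name, None)     # each nonce answers exactly one challenge
        if r is None or name not in self.keys:
            return False
        return hmac.compare_digest(prove(self.keys[name], r), response)


def run_ap30():
    trudy = ReplayingAttacker()
    db = {"Alice": "s3cret"}                         # constructed credential
    alice_msg = trudy.observe(("Alice", "s3cret"))   # Trudy sits on the path
    first = bob_ap30(db, alice_msg)
    replay = bob_ap30(db, trudy.recorded[0])         # later, Trudy resends it unchanged
    return first, replay


def run_ap40():
    trudy = ReplayingAttacker()
    key = secrets.token_bytes(32)
    bob = BobAp40({"Alice": key})
    r1 = bob.challenge("Alice")
    resp = trudy.observe(prove(key, r1))
    first = bob.verify("Alice", resp)
    # Trudy later claims to be Alice; Bob issues a fresh nonce, so the recording is useless
    bob.challenge("Alice")
    replay = bob.verify("Alice", trudy.recorded[0])
    # and the already-answered nonce cannot be presented a second time either
    double_use = bob.verify("Alice", resp)
    return first, replay, double_use
```

`run_ap30()` returns (True, True): the replay is accepted. `run_ap40()` returns (True, False, False): the live exchange succeeds and both replays fail, because Bob's check is bound to a nonce he has just issued and will never issue again.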

Authentication: ap5.0

ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?

ap5.0: use a nonce and public key cryptography.

Exchange:
- Alice: "I am Alice"
- Bob: R
- Alice: $K_A^-(R)$, i.e. R encrypted with her private key
- Bob: "send me your public key"
- Alice: $K_A^+$
- Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

- Alice -> Trudy: "I am Alice"; Trudy -> Bob: "I am Alice"
- Bob -> Trudy: R; Trudy -> Alice: R
- Alice -> Trudy: $K_A^-(R)$; Trudy -> Bob: $K_T^-(R)$
- Bob -> Trudy: "send me your public key"; Trudy -> Alice: "send me your public key"
- Alice -> Trudy: $K_A^+$; Trudy -> Bob: $K_T^+$
- Bob sends m encrypted with what he believes is Alice's public key: $K_T^+(m)$
- Trudy gets $m = K_T^-(K_T^+(m))$ and sends m to Alice encrypted with Alice's public key: $K_A^+(m)$; Alice computes $m = K_A^-(K_A^+(m))$

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g. so Bob and Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well.
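An added example (not from the lecture) that runs ap5.0 once honestly and once with Trudy relaying, using textbook RSA on tiny primes so the arithmetic is visible. Bob's check passes in both runs; the difference is that the key he ends up encrypting to is Trudy's. The primes, exponents and message are constructed for illustration; unpadded RSA on 13-bit moduli is not usable in practice.

```python
"""ap5.0 and its man-in-the-middle hole, with textbook RSA on tiny primes (illustration only)."""
import secrets


def rsa_keypair(p, q, e):
    """Textbook RSA: K+ = (n, e), K- = (n, d). Tiny primes, no padding; not for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def apply_key(key, m):
    n, exp = key
    return pow(m, exp, n)


class Principal:
    def __init__(self, name, p, q, e):
        self.name = name
        self.pub, self.priv = rsa_keypair(p, q, e)


def bob_authenticates(link):
    """Bob's side of ap5.0: send R, get K^-(R), then ask for the public key.
    He accepts whoever makes K^+(K^-(R)) == R with the key they handed him."""
    R = secrets.randbelow(3000) + 2                  # below both toy moduli
    signed = link.sign(R)
    pub = link.public_key()
    if apply_key(pub, signed) != R:
        return None
    return pub                                       # Bob now encrypts to this key


class Honest:
    """Alice answering directly."""
    def __init__(self, principal):
        self.p = principal

    def sign(self, R):
        return apply_key(self.p.priv, R)

    def public_key(self):
        return self.p.pub


class Trudy:
    """Relays the conversation but substitutes her own key pair toward Bob."""
    def __init__(self, trudy, alice_link):
        self.me, self.alice = trudy, alice_link
        self.intercepted = []

    def sign(self, R):
        self.alice.sign(R)                           # forwards R so Alice's run continues
        return apply_key(self.me.priv, R)            # but answers Bob with K_T^-(R)

    def public_key(self):
        self.alice.public_key()                      # Alice hands over K_A+, Trudy pockets it
        return self.me.pub                           # Bob receives K_T+

    def relay(self, ciphertext):
        m = apply_key(self.me.priv, ciphertext)      # m = K_T^-(K_T^+(m))
        self.intercepted.append(m)
        return apply_key(self.alice.public_key(), m) # K_A^+(m) on to Alice


def run():
    alice = Principal("Alice", 61, 53, 17)           # n = 3233
    trudy = Principal("Trudy", 101, 113, 3)          # n = 11413
    direct = bob_authenticates(Honest(alice))        # honest run: Bob gets Alice's key
    mitm_link = Trudy(trudy, Honest(alice))
    accepted = bob_authenticates(mitm_link)          # check passes, but the key is Trudy's
    m = 1234
    c_to_alice = mitm_link.relay(apply_key(accepted, m))
    alice_reads = apply_key(alice.priv, c_to_alice)
    return (direct == alice.pub, accepted == trudy.pub,
            mitm_link.intercepted == [m], alice_reads == m)
```

`run()` returns (True, True, True, True): both runs pass Bob's test, Trudy reads m, and Alice still receives it, which is why the slide calls the attack difficult to detect. The hole is the unauthenticated "send me your public key" step; binding the key to an identity is what certificates are for.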

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Firewalls

A firewall isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

Figure: administered network -- firewall -- public Internet

Firewalls: why?

- Prevent denial of service attacks: SYN flooding, where the attacker establishes many bogus TCP connections so that no resources are left for "real" connections.
- Prevent illegal modification/access of internal data, e.g. an attacker replaces the CIA's homepage with something else.
- Allow only authorized access to the inside network (a set of authenticated users/hosts).

Two types of firewalls: application-level and packet-filtering.

Packet filtering

The internal network is connected to the Internet via a router firewall. The router filters packet by packet; the decision to forward or drop a packet is based on:
- source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type
- TCP SYN and ACK bits

Should an arriving packet be allowed in? Should a departing packet be let out?

Packet filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP) and with either source or destination port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets (SYN set, ACK clear). This prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside, because the SYN+ACK coming back to them is not a bare SYN.
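An added example (not from the lecture) that encodes the two rules above as predicates over the header fields listed and runs them against constructed traffic, including the case the second rule must get right: an inbound SYN+ACK answering an internal client's own connection attempt. The protected prefix, addresses and ports are assumptions for the example; like the slide's filter it is stateless, so it cannot tell a spoofed SYN+ACK from a genuine reply.

```python
"""Stateless packet filter with the slide's two example rules and constructed test traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TELNET = 23
INSIDE = ip_network("111.111.111.0/24")     # constructed: the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False

    @property
    def inbound(self):
        return ip_address(self.dst) in INSIDE and ip_address(self.src) not in INSIDE


def rule_no_udp_no_telnet(p):
    """Example 1: drop if protocol = 17, or if either port is 23, in either direction."""
    return p.proto == PROTO_UDP or TELNET in (p.sport, p.dport)


def rule_no_inbound_syn(p):
    """Example 2: drop inbound TCP segments that open a connection (SYN set, ACK clear).
    A SYN+ACK returning to an internal client is left alone."""
    return p.inbound and p.proto == PROTO_TCP and p.syn and not p.ack


RULES = (rule_no_udp_no_telnet, rule_no_inbound_syn)


def decide(p, rules=RULES):
    """First matching drop rule wins; otherwise forward (default allow, as on the slide)."""
    for rule in rules:
        if rule(p):
            return "drop", rule.__name__
    return "forward", None


SAMPLES = {   # constructed traffic
    "internal_http_open": Packet("111.111.111.5", "8.8.8.8", PROTO_TCP, 40001, 80, syn=True),
    "reply_to_internal":  Packet("8.8.8.8", "111.111.111.5", PROTO_TCP, 80, 40001, syn=True, ack=True),
    "external_ssh_open":  Packet("203.0.113.9", "111.111.111.5", PROTO_TCP, 51000, 22, syn=True),
    "outbound_telnet":    Packet("111.111.111.5", "203.0.113.9", PROTO_TCP, 40002, 23, syn=True),
    "dns_query":          Packet("111.111.111.5", "8.8.8.8", PROTO_UDP, 40003, 53),
    "ping":               Packet("203.0.113.9", "111.111.111.5", PROTO_ICMP),
}


def decisions():
    return {name: decide(p)[0] for name, p in SAMPLES.items()}
```

Note what Example 1 costs: the DNS query in the sample set is dropped along with every other UDP flow, which is the slide's later "all or nothing policy for UDP" limitation in concrete form.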

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

Figure: host-to-gateway telnet session; application gateway; gateway-to-remote-host telnet session; router and filter

1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host; the gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls and gateways

- IP spoofing: the router can't know if data "really" comes from the claimed source.
- If multiple applications need special treatment, each has its own application gateway.
- Client software must know how to contact the gateway, e.g. must set the IP address of the proxy in the Web browser.
- Filters often use an all-or-nothing policy for UDP.
- Tradeoff: degree of communication with the outside world vs. level of security.
- Many highly protected sites still suffer from attacks.


Internet security threats

Mapping: before attacking, "case the joint": find out what services are implemented on the network.
- Use ping to determine what hosts have addresses on the network.
- Port scanning: try to establish a TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: packet sniffing

- Broadcast media: a promiscuous NIC reads all packets passing by.
- Can read all unencrypted data (e.g. passwords).
- E.g. C sniffs B's packets.

Figure: hosts A, B, C on a shared segment; the frame src:B dest:A payload is seen by C

Countermeasures?

Internet security threats: packet sniffing countermeasures

- All hosts in the organization run software that periodically checks whether the host interface is in promiscuous mode.
- One host per segment of broadcast media (switched Ethernet in place of a hub).

Figure: hosts A, B, C each on their own switch port; the frame src:B dest:A payload reaches only A

Internet security threats: IP spoofing

- Can generate "raw" IP packets directly from an application, putting any value into the IP source address field.
- The receiver can't tell if the source is spoofed, e.g. C pretends to be B.

Figure: C sends a packet src:B dest:A payload to A

Countermeasures?

Internet security threats: IP spoofing, ingress filtering

- Routers should not forward outgoing packets with invalid source addresses (e.g. a datagram source address not in the router's network).
- Great, but ingress filtering cannot be mandated for all networks.

Figure: hosts A, B, C; the packet src:B dest:A payload sent by C

Internet security threats: denial of service (DoS)

- A flood of maliciously generated packets "swamps" the receiver.
- Distributed DoS (DDoS): multiple coordinated sources swamp the receiver.
- E.g. C and a remote host SYN-attack A.

Figure: C and a remote host each send a stream of SYN segments to A

Countermeasures?

Internet security threats: denial of service (DoS) countermeasures

- Filter out flooded packets (e.g. SYN) before they reach the host: throws out good with bad.
- Traceback to the source of the floods (most likely an innocent, compromised machine).

Figure: the SYN streams from C and the remote host converging on A
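An added example (not from the lecture) that implements the two detection countermeasures described above, the mapping countermeasure (look for ports being scanned sequentially) and the DoS countermeasure (spot a SYN flood so it can be filtered before the host), over a constructed connection log. The log format, the thresholds and the addresses are assumptions for the example; the flood is generated from many source addresses to reflect that a spoofed flood gives nothing useful to block on.

```python
"""Two detectors over a constructed connection log: sequential port scans and SYN floods."""
from collections import defaultdict

# constructed log lines: "<time> <src> <dst> <dport> <flags>"  (S = SYN, SA = SYN+ACK, A = ACK)
LOG = """\
0.00 10.1.1.7 192.0.2.10 22 S
0.01 10.1.1.7 192.0.2.10 23 S
0.02 10.1.1.7 192.0.2.10 24 S
0.03 10.1.1.7 192.0.2.10 25 S
0.04 10.1.1.7 192.0.2.10 26 S
0.05 10.1.1.7 192.0.2.10 27 S
0.10 10.1.1.8 192.0.2.10 443 S
0.11 192.0.2.10 10.1.1.8 443 SA
0.12 10.1.1.8 192.0.2.10 443 A
""" + "".join(f"{1.0 + i * 0.001:.3f} 198.51.100.{i % 200 + 1} 192.0.2.10 80 S\n"
              for i in range(500))


def parse(log):
    rows = []
    for line in log.splitlines():
        t, src, dst, dport, flags = line.split()
        rows.append((float(t), src, dst, int(dport), flags))
    return rows


def sequential_scans(rows, min_run=5):
    """Sources that hit >= min_run consecutive ports on one host with bare SYNs."""
    ports = defaultdict(set)
    for _, src, dst, dport, flags in rows:
        if flags == "S":
            ports[(src, dst)].add(dport)
    hits = []
    for (src, dst), ps in ports.items():
        s = sorted(ps)
        run = best = 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits.append((src, dst, best))
    return hits


def syn_floods(rows, window=1.0, threshold=100):
    """Destinations receiving more than `threshold` half-open SYNs (no handshake-completing
    ACK from the same source) within any `window` seconds. Sources are not reported:
    under a spoofed flood they are worthless, so the countermeasure rate-limits SYNs
    toward the target, accepting that some legitimate SYNs go with them."""
    syn_times = defaultdict(list)
    completed = set()
    for t, src, dst, dport, flags in rows:
        if flags == "S":
            syn_times[dst].append((t, src))
        elif flags == "A":
            completed.add((src, dst))
    alerts = []
    for dst, events in syn_times.items():
        half_open = sorted(t for t, src in events if (src, dst) not in completed)
        lo = 0
        for hi, t in enumerate(half_open):
            while t - half_open[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                alerts.append((dst, hi - lo + 1))
                break
    return alerts


def run(log=LOG):
    rows = parse(log)
    return sequential_scans(rows), syn_floods(rows)
```

On the constructed log, `run()` reports the scanner 10.1.1.7 (six consecutive ports against 192.0.2.10) and a flood alert for 192.0.2.10 the moment the one-second count of half-open SYNs passes 100; the legitimate 10.1.1.8 handshake is neither a scan nor counted as half-open.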

Review (1)

Network layer
- Virtual circuits and datagram networks
- Routing principles: link state algorithm, distance vector algorithm
- The Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)

Review (2)

Routing in the Internet: hierarchical routing, RIP, OSPF, BGP

Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
- Link-layer addressing
- Ethernet
- Hubs and switches

Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3)

Network security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing algorithm classification

Global or decentralized information?
- Global: all routers have complete topology and link cost information; "link state" algorithms.
- Decentralized: a router knows its physically connected neighbors and the link costs to them; iterative process of computation and exchange of information with neighbors; "distance vector" algorithms.

Static or dynamic?
- Static: routes change slowly over time.
- Dynamic: routes change more quickly; periodic update in response to link cost changes.

Dijkstra's algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = infinity

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example

Graph (undirected link costs): u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        inf        inf
1     ux       2,u        4,x                   2,x        inf
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

Distance vector algorithm (1)

Basic idea:
- Each node periodically sends its own distance vector estimate to its neighbors.
- When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:

$$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \} \quad \text{for each node } y \in N$$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance vector algorithm (2)

Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path; it only knows the next hop.

Each node:
- wait for (change in local link cost or message from neighbor)
- recompute estimates
- if the DV to any destination has changed, notify neighbors

Example: nodes x, y, z with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1.

Initial tables (rows "from", columns "cost to" x y z; each node knows only its own row):

node x table: from x: 0 2 7; from y: inf inf inf; from z: inf inf inf
node y table: from x: inf inf inf; from y: 2 0 1; from z: inf inf inf
node z table: from x: inf inf inf; from y: inf inf inf; from z: 7 1 0

After the first exchange, x recomputes from the vectors y and z sent it:

$D_x(y) = \min\{c(x,y) + D_y(y),\ c(x,z) + D_z(y)\} = \min\{2+0,\ 7+1\} = 2$

$D_x(z) = \min\{c(x,y) + D_y(z),\ c(x,z) + D_z(z)\} = \min\{2+1,\ 7+0\} = 3$

node x table after the first exchange: from x: 0 2 3; from y: 2 0 1; from z: 7 1 0

Converged tables (after z has likewise learned D_z(x) = 3 via y):

node x table: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0
node y table: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0
node z table: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0
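An added example (not from the lecture) that runs the distributed algorithm on the three-node example: each node keeps the neighbor rows shown in the tables, re-evaluates the Bellman-Ford equation when a vector arrives, and sends its own vector onward only when it changed. The message ordering within a round is an assumption for the example.

```python
"""Distance vector algorithm on the three-node x-y-z example, run to convergence."""
import math

LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}


def cost_matrix(links):
    nodes = sorted({n for e in links for n in e})
    c = {a: {b: (0 if a == b else math.inf) for b in nodes} for a in nodes}
    for (a, b), w in links.items():
        c[a][b] = c[b][a] = w
    return nodes, c


class DVNode:
    def __init__(self, name, nodes, c):
        self.name, self.nodes, self.c = name, nodes, c
        self.neighbors = [v for v in nodes if v != name and c[name][v] < math.inf]
        # own row starts as the direct link costs; neighbors' rows are unknown (inf)
        self.table = {v: {y: math.inf for y in nodes} for v in nodes}
        self.table[name] = dict(c[name])
        for v in self.neighbors:
            self.table[v][v] = 0     # a neighbor's distance to itself needs no message

    def vector(self):
        return dict(self.table[self.name])

    def receive(self, sender, dv):
        """Store the neighbor's vector and re-run Bellman-Ford; True if our own DV changed."""
        self.table[sender] = dict(dv)
        new = {y: min(self.c[self.name][v] + self.table[v][y] for v in self.neighbors)
               for y in self.nodes}
        new[self.name] = 0
        changed = new != self.table[self.name]
        self.table[self.name] = new
        return changed


def run(links=LINKS, max_rounds=10):
    """Deliver every pending vector, collect the notifications it triggers, repeat until quiet."""
    nodes, c = cost_matrix(links)
    net = {n: DVNode(n, nodes, c) for n in nodes}
    pending = [(n, v, net[n].vector()) for n in nodes for v in net[n].neighbors]  # initial send
    rounds = 0
    while pending and rounds < max_rounds:
        rounds += 1
        nxt = []
        for sender, receiver, dv in pending:
            if net[receiver].receive(sender, dv):       # notify neighbors only on change
                nxt += [(receiver, v, net[receiver].vector()) for v in net[receiver].neighbors]
        pending = nxt
    return {n: net[n].vector() for n in nodes}, rounds
```

`run()` converges in two rounds to the tables on the slide: x's cost to z drops from 7 to 3 in the first round, and z's cost to x follows once it hears y's vector.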

The Internet network layer

Host, router network layer functions:
- Routing protocols: path selection; RIP, OSPF, BGP
- IP protocol: addressing conventions, datagram format, packet handling conventions
- ICMP protocol: error reporting, router "signaling"

Figure: transport layer (TCP, UDP) above the network layer (routing protocols, IP protocol, forwarding table, ICMP protocol), above the link layer and physical layer

IP datagram format

32 bits per row:

ver (IP protocol version number) | head. len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
16-bit identifier | flgs | fragment offset   (for fragmentation/reassembly)
time to live (max number of remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
32-bit source IP address
32-bit destination IP address
Options (if any), e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + application layer overhead.
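An added example (not from the lecture) that builds and parses the 20-byte header above from raw bytes, computes the Internet checksum, verifies it on receipt, and performs the per-router TTL decrement with checksum recompute. The addresses are taken from the addressing slides that follow; the payload and flag choices are assumptions for the example.

```python
"""Build and parse the 20-byte IPv4 header from the slide, including the Internet checksum."""
import struct
from ipaddress import IPv4Address


def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, proto=6, ttl=64, ident=0, df=True, tos=0):
    ihl = 5                                          # 5 x 32-bit words = 20 bytes, no options
    total_len = ihl * 4 + len(payload)
    flags_frag = 0x4000 if df else 0                 # DF flag; fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = internet_checksum(hdr)                    # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt):
    (vi, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vi >> 4, vi & 0xF
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    header = pkt[:ihl * 4]
    return {
        "version": version, "header_len": ihl * 4, "tos": tos, "total_len": total_len,
        "id": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
        "checksum_ok": internet_checksum(header) == 0,   # a valid header sums to zero
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": header[20:], "payload": pkt[ihl * 4:total_len],
    }


def forward_hop(pkt):
    """What each router does to the header: decrement TTL and recompute the checksum.
    Returns None when the TTL is exhausted (the router would send ICMP time exceeded)."""
    hdr = parse_ipv4(pkt)
    if hdr["ttl"] <= 1:
        return None
    ihl4 = hdr["header_len"]
    new = bytearray(pkt[:ihl4])
    new[8] -= 1                                      # TTL is byte 8
    new[10:12] = b"\x00\x00"
    new[10:12] = struct.pack("!H", internet_checksum(bytes(new)))
    return bytes(new) + pkt[ihl4:]


def overhead(tcp_header_len=20):
    """The slide's bookkeeping: 20 bytes of IP + 20 bytes of TCP before any application data."""
    return 20 + tcp_header_len
```

The checksum covers only the header, so `forward_hop` has to recompute it after touching the TTL; it says nothing about the payload, which is why the slide's "ensure message content not altered" goal needs a cryptographic MAC rather than this field.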

IP addressing: introduction

- IP address: 32-bit identifier for a host or router interface.
- Interface: connection between a host/router and a physical link; routers typically have multiple interfaces; a host may have multiple interfaces; IP addresses are associated with each interface.

Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27

223.1.1.1 = 11011111 00000001 00000001 00000001 (223 . 1 . 1 . 1)

Subnets

IP address: subnet part (high-order bits) and host part (low-order bits).

What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.

Figure: the same interfaces (223.1.1.1 through 223.1.3.27) forming a network consisting of 3 subnets

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).

CIDR: Classless InterDomain Routing; the subnet portion of the address is of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

200.23.16.0/23 = 11001000 00010111 0001000|0 00000000  (subnet part: first 23 bits; host part: remaining 9 bits)
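An added example (not from the lecture) that makes the subnet/host split computable: dotted-quad to bits as on the addressing slide, the classful /8, /16, /24 choice that CIDR replaced, the mask for an arbitrary /x, a same-subnet test, and grouping the slide's ten interfaces into its three subnets. The interface list is the slide's; the /24 used to group them is an assumption consistent with the figure.

```python
"""Subnet part vs host part, classful masks vs CIDR, and grouping interfaces into subnets."""
from ipaddress import IPv4Address, IPv4Interface


def to_bits(addr):
    """'223.1.1.1' -> '11011111 00000001 00000001 00000001'"""
    return " ".join(f"{b:08b}" for b in IPv4Address(addr).packed)


def mask_for(prefix_len):
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def split(cidr):
    """(subnet bits, host bits) of an a.b.c.d/x address as bit strings."""
    iface = IPv4Interface(cidr)
    bits = f"{int(iface.ip):032b}"
    x = iface.network.prefixlen
    return bits[:x], bits[x:]


def classful_prefix(addr):
    """The only choices before CIDR: /8, /16 or /24, decided by the first octet."""
    first = IPv4Address(addr).packed[0]
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address has no classful network mask")


def same_subnet(a, b, prefix_len):
    m = mask_for(prefix_len)
    return (int(IPv4Address(a)) & m) == (int(IPv4Address(b)) & m)


def group_subnets(addrs, prefix_len=24):
    """Interfaces sharing the subnet part can reach each other without a router."""
    groups = {}
    for a in addrs:
        net = str(IPv4Interface(f"{a}/{prefix_len}").network)
        groups.setdefault(net, []).append(a)
    return groups


SLIDE_INTERFACES = ["223.1.1.1", "223.1.1.2", "223.1.1.3", "223.1.1.4",
                    "223.1.2.9", "223.1.2.2", "223.1.2.1",
                    "223.1.3.2", "223.1.3.1", "223.1.3.27"]
```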

NAT: Network Address Translation

Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and the NAT router's inside interface 10.0.0.4; the router's outside address 138.76.29.7 faces the rest of the Internet

Datagrams with source or destination in this network have a 10.0.0.0/24 address for source/destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, port 80: S: 10.0.0.1, 3345; D: 128.119.40.186, 80.
2. The NAT router changes the datagram source address from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table: S: 138.76.29.7, 5001; D: 128.119.40.186, 80.
3. The reply arrives with destination address 138.76.29.7, 5001: S: 128.119.40.186, 80; D: 138.76.29.7, 5001.
4. The NAT router changes the datagram destination address from 138.76.29.7, 5001 to 10.0.0.1, 3345: S: 128.119.40.186, 80; D: 10.0.0.1, 3345.

NAT translation table:
WAN side addr         LAN side addr
138.76.29.7, 5001     10.0.0.1, 3345
...                   ...
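An added example (not from the lecture) of the four steps above as a NAT router that rewrites the outbound source and the inbound destination through its translation table. The addresses and ports are the slide's; the port allocation order and the unsolicited inbound packet are assumptions for the example, included because the empty table lookup is the behaviour that makes NAT act as an incidental inbound filter.

```python
"""NAT router: rewrite outbound source and inbound destination via a translation table."""
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")
NAT_WAN_IP = "138.76.29.7"


class NatRouter:
    def __init__(self, wan_ip=NAT_WAN_IP, local_net=LOCAL_NET, first_port=5001):
        self.wan_ip, self.local_net = wan_ip, local_net
        self.next_port = first_port
        self.wan_to_lan = {}          # (wan ip, wan port) -> (lan ip, lan port)
        self.lan_to_wan = {}          # reverse map so an existing flow keeps its port

    def outbound(self, pkt):
        """Step 2: replace the private source with (WAN ip, new port), recording the pair."""
        src, sport, dst, dport = pkt
        if ip_address(src) not in self.local_net:
            raise ValueError(f"{src} is not on the local side")
        key = (src, sport)
        if key not in self.lan_to_wan:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.lan_to_wan[key], self.wan_to_lan[wan] = wan, key
        wan_ip, wan_port = self.lan_to_wan[key]
        return (wan_ip, wan_port, dst, dport)

    def inbound(self, pkt):
        """Step 4: look up (WAN ip, port) and restore the private destination.
        With no table entry nothing inside asked for the packet, so it is dropped."""
        src, sport, dst, dport = pkt
        lan = self.wan_to_lan.get((dst, dport))
        if lan is None:
            return None
        return (src, sport, lan[0], lan[1])

    def table(self):
        return dict(self.wan_to_lan)


def slide_exchange():
    nat = NatRouter()
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)          # host 10.0.0.1 -> 128.119.40.186:80
    step2 = nat.outbound(step1)
    step3 = ("128.119.40.186", 80, step2[0], step2[1])        # reply to 138.76.29.7:5001
    step4 = nat.inbound(step3)
    stray = nat.inbound(("203.0.113.5", 4444, NAT_WAN_IP, 22))  # constructed, unsolicited
    return step2, step4, stray, nat.table()
```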

Hierarchical routing

Our routing study thus far has been an idealization: all routers identical, network "flat"; not true in practice.

Scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical routing

- Aggregate routers into regions, "autonomous systems" (AS).
- Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.
- Gateway router: has a direct link to a router in another AS.

Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); inside a router, the intra-AS and inter-AS routing algorithms both feed the forwarding table

Interconnected ASes

The forwarding table is configured by both the intra- and inter-AS routing algorithms: intra-AS sets entries for internal destinations; inter-AS and intra-AS together set entries for external destinations.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

- Distance vector algorithm; included in the BSD-UNIX distribution in 1982.
- Distance metric: number of hops (max = 15 hops), where number of hops = number of subnets traversed along the shortest path from the source router to the destination subnet (e.g. src = A).

Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z

From A: destination u, 1 hop; v, 2; w, 2; x, 3; y, 3; z, 2

RIP advertisements

- Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).
- Each advertisement lists up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

- "Open": publicly available.
- Uses the link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator.
- An OSPF advertisement carries one entry per neighbor router.
- Advertisements are disseminated to the entire AS (via flooding), carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages can be authenticated (to prevent malicious intrusion); authentication must be configured, and OSPFv2 offers simple-password and cryptographic (MD5) modes.
- Multiple same-cost paths allowed (only one path in RIP).
- For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF.
- Hierarchical OSPF in large domains.

Hierarchical OSPF

- Two-level hierarchy: local area and backbone. Link-state advertisements stay within an area; each node has the detailed topology of its own area only.
- Area border routers "summarize" distances to nets in their own area and advertise them to other area border routers.
- Backbone routers run OSPF routing limited to the backbone.
- Boundary routers connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

- Pairs of routers (BGP peers) exchange routing information over TCP connections: BGP sessions.
- Note that BGP sessions do not correspond to physical links.
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions among the routers inside an AS

Path attributes and BGP routes

- When advertising a prefix, the advertisement includes BGP attributes: prefix + attributes = "route".
- Two important attributes:
  - AS-PATH: contains the ASes through which the advertisement for the prefix passed, e.g. AS 67, AS 17.
  - NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
- When a gateway router receives a route advertisement, it uses its import policy to accept/decline.
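An added example (not from the lecture) of a route as prefix + attributes with an import policy applied to it: decline a route whose AS-PATH already contains our own AS (a loop), optionally decline paths that transit an AS we refuse, pick among the survivors, and prepend our AS when exporting. The AS numbers, the prefix and the shortest-AS-PATH preference are assumptions for the example; the slide says only that policy decides.

```python
"""BGP routes as prefix + attributes, an import policy, and export with AS-PATH prepending."""
from ipaddress import ip_network

MY_AS = 17                   # constructed: the AS applying this policy


def route(prefix, as_path, next_hop):
    return {"prefix": ip_network(prefix), "AS-PATH": list(as_path), "NEXT-HOP": next_hop}


def import_policy(r, my_as=MY_AS, refuse_transit=frozenset()):
    """Accept or decline a received advertisement.
    Decline if our own AS is already on the path (the advertisement looped back to us),
    or if the path crosses an AS we will not send traffic through (a policy choice)."""
    path = r["AS-PATH"]
    if my_as in path:
        return False
    return not (refuse_transit & set(path))


def export(r, my_as=MY_AS):
    """Propagating a route onward prepends our AS number to AS-PATH."""
    return {**r, "AS-PATH": [my_as] + r["AS-PATH"]}


def choose(routes, **policy):
    """Among accepted routes to one prefix prefer the shortest AS-PATH, a common default
    after local policy; equal lengths keep the first one learned."""
    accepted = [r for r in routes if import_policy(r, **policy)]
    return min(accepted, key=lambda r: len(r["AS-PATH"])) if accepted else None


def advertisements():
    """Constructed advertisements for one prefix received by AS 17 from three neighbors."""
    return [
        route("138.16.64.0/22", [67, 17, 3], "1c"),   # contains AS 17: a loop, declined
        route("138.16.64.0/22", [3, 42, 67], "2a"),
        route("138.16.64.0/22", [67], "1b"),
    ]
```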

Why different intra- and inter-AS routing?

Policy: inter-AS, the admin wants control over how its traffic is routed and who routes through its net; intra-AS, single admin, so no policy decisions are needed.

Scale: hierarchical routing saves table size and reduces update traffic.

Performance: intra-AS can focus on performance; inter-AS, policy may dominate over performance.

Data link layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram

The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link layer services

- Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and destination (different from IP addresses).
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links have high error rates. Q: why both link-level and end-to-end reliability?

MAC protocols: a taxonomy

Three broad classes:
- Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use.
- Random access: channel not divided, allow collisions; "recover" from collisions.
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel partitioning MAC protocols: TDMA

TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: 6-station LAN; stations 1, 3, 4 have packets; slots 2, 5, 6 idle.

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros:
- a single active node can continuously transmit at the full rate of the channel
- highly decentralized: only slots in nodes need to be in sync
- simple

Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted ALOHA efficiency

Suppose N nodes with many frames to send, each transmitting in a slot with probability p.

- Probability that node 1 has a success in a slot = $p(1-p)^{N-1}$
- Probability that there is a success = $Np(1-p)^{N-1}$
- For max efficiency with N nodes, find the p* that maximizes $Np(1-p)^{N-1}$
- For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity: gives $1/e \approx 0.37$

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send. At best, the channel is used for useful transmissions 37% of the time.
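An added example (not from the lecture) that carries the efficiency derivation above through in code: the success probability, the maximizing p* = 1/N found both analytically and by a grid search, the (1 - 1/N)^(N-1) value that tends to 1/e, and a seeded Monte Carlo run that agrees with the formula. The grid size and slot count are assumptions for the example.

```python
"""Slotted ALOHA efficiency: the success probability, its maximizing p, and the 1/e limit."""
import random


def success_prob(n, p):
    """P(exactly one of n nodes transmits in a slot) = n p (1-p)^(n-1)."""
    if n < 1 or not 0 <= p <= 1:
        raise ValueError("need n >= 1 and 0 <= p <= 1")
    return n * p * (1 - p) ** (n - 1)


def best_p(n):
    """d/dp [n p (1-p)^(n-1)] = n (1-p)^(n-2) (1 - n p) = 0 gives p* = 1/n."""
    return 1.0 / n


def max_efficiency(n):
    """n p* (1-p*)^(n-1) with p* = 1/n, i.e. (1 - 1/n)^(n-1); tends to 1/e as n grows."""
    return success_prob(n, best_p(n))


def argmax_numeric(n, grid=10_000):
    """The derivative-free check: scan p over a grid and keep the best."""
    return max((success_prob(n, i / grid), i / grid) for i in range(grid + 1))[1]


def simulate(n, p, slots, rng=None):
    """Monte Carlo: fraction of slots in which exactly one node transmits."""
    rng = rng or random.Random(0)
    ok = 0
    for _ in range(slots):
        if sum(1 for _ in range(n) if rng.random() < p) == 1:
            ok += 1
    return ok / slots
```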

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If the channel is sensed idle, transmit the entire frame; if the channel is sensed busy, defer transmission.

Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision, the entire packet transmission time is wasted.

Figure: spatial layout of nodes along the bus against time; note the role of distance and propagation delay in determining collision probability

CSMA/CD (Collision Detection)

- CSMA/CD: carrier sensing and deferral as in CSMA; collisions are detected within a short time; colliding transmissions are aborted, reducing channel wastage.
- Collision detection is easy in wired LANs: measure signal strengths, compare transmitted and received signals.
- Difficult in wireless LANs: the receiver is shut off while transmitting.

CSMA/CD collision detection

Figure: the same space-time diagram, with each colliding transmission aborted shortly after it detects the other

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >.

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B's IP address?

[Figure: a LAN with four nodes, listed in the figure's order as IP address / MAC address: 237.196.7.23 / 1A-2F-BB-76-09-AD; 237.196.7.78 / 58-23-D7-FA-20-B0; 237.196.7.14 / 0C-C4-11-6F-E3-98; 237.196.7.88 / 71-65-F7-2B-08-53.]

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address. Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.

B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out). Soft state: information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find the router 111.111.111.110. In the ARP table at the source, find the MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A on the first LAN, router R joining the two LANs, B on the second LAN.]

A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame. R's adapter receives the frame. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.

[Figure: A, R, B as above.]
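The two ARP slides above (same-LAN resolution with a soft-state table, and the A to R to B walkthrough) are worked through in the following added simulation. It is not code from the lecture; the router address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slide, while the host addresses and the other MACs are constructed, and the subnet membership test uses Python's `ipaddress` module in place of the routing-table lookup.

```python
import ipaddress

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_TTL_S = 20 * 60   # soft-state lifetime: an entry is forgotten after ~20 min (slide)


class Lan:
    """A broadcast segment: every attached interface hears an ARP query."""
    def __init__(self):
        self.ifaces = []

    def broadcast_arp(self, query):
        # every interface sees the query; only the owner of the target IP answers
        replies = [i.on_arp_query(query) for i in self.ifaces]
        return [r for r in replies if r is not None]


class Iface:
    """One IP interface with its own ARP table (a host has one, the router has two)."""
    def __init__(self, ip_cidr, mac, lan):
        self.addr = ipaddress.ip_interface(ip_cidr)
        self.mac = mac
        self.lan = lan
        lan.ifaces.append(self)
        self.arp_table = {}   # ip -> (mac, expiry time)

    @property
    def ip(self):
        return str(self.addr.ip)

    def on_lan(self, ip):
        return ipaddress.ip_address(ip) in self.addr.network

    def on_arp_query(self, q):
        if q["target_ip"] == self.ip:
            # unicast reply, addressed to the asker's MAC
            return {"sender_ip": self.ip, "sender_mac": self.mac, "dest_mac": q["sender_mac"]}
        return None

    def resolve(self, ip, now):
        """MAC for ip: from the table while the entry is fresh, otherwise by ARP query."""
        cached = self.arp_table.get(ip)
        if cached and now < cached[1]:
            return cached[0]
        self.arp_table.pop(ip, None)               # stale soft state is dropped
        query = {"target_ip": ip, "sender_ip": self.ip, "sender_mac": self.mac,
                 "dest_mac": BROADCAST_MAC}
        replies = self.lan.broadcast_arp(query)
        if not replies:
            return None
        mac = replies[0]["sender_mac"]
        self.arp_table[ip] = (mac, now + ARP_TTL_S)   # cache with TTL
        return mac


def send_datagram(src, router_ifaces, gateway_ip, dst_ip, now):
    """The slide's A -> R -> B sequence; returns the link-layer frames that were sent."""
    frames = []
    # A: if B is off this LAN, the next hop is the router address from the routing table
    next_hop = dst_ip if src.on_lan(dst_ip) else gateway_ip
    frames.append({"dst_mac": src.resolve(next_hop, now), "src_mac": src.mac,
                   "datagram": (src.ip, dst_ip)})
    if next_hop == dst_ip:
        return frames
    # R: pick its interface on B's LAN, ARP there, and re-frame the same datagram
    out = next(i for i in router_ifaces if i.on_lan(dst_ip))
    frames.append({"dst_mac": out.resolve(dst_ip, now), "src_mac": out.mac,
                   "datagram": (src.ip, dst_ip)})
    return frames


def build_topology():
    """Two LANs joined by router R; only R's first address and MAC are from the slide."""
    lan1, lan2 = Lan(), Lan()
    a = Iface("111.111.111.111/24", "74-29-9C-E8-FF-55", lan1)    # constructed
    r1 = Iface("111.111.111.110/24", "E6-E9-00-17-BB-4B", lan1)   # from the slide
    r2 = Iface("222.222.222.220/24", "1A-23-F9-CD-06-9B", lan2)   # constructed
    b = Iface("222.222.222.222/24", "49-BD-D2-C7-56-2A", lan2)    # constructed
    return a, (r1, r2), b
```

After `send_datagram`, A's table holds only the router's mapping, never B's, because B is on the other LAN; the router's second interface is the one that learns B's MAC.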

Ethernet uses CSMA/CD

No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense. A transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection. Before attempting a retransmission, the adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.

Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; under heavy load, the random wait will be longer. First collision: choose K from {0, 1}; delay is K · 512 bit transmission times. After second collision: choose K from {0, 1, 2, 3}… After ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}.

CSMA/CD efficiency

Tprop = max propagation delay between 2 nodes in LAN; ttrans = time to transmit max-size frame.

    efficiency = 1 / (1 + 5 tprop / ttrans)

Efficiency goes to 1 as tprop goes to 0, and goes to 1 as ttrans goes to infinity. Much better than ALOHA, but still decentralized, simple, and cheap.
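The backoff rule and the efficiency formula from the three Ethernet slides above, as an added example (not lecture code). It uses the slide's constants (0.1 microsecond bit time, 512-bit backoff unit, K range frozen after the tenth collision) and adds a small two-adapter replay of the retry loop, which is an assumption of the example rather than anything on the slides.

```python
import random

BIT_TIME_S = 0.1e-6   # 10 Mbps Ethernet: one bit time is 0.1 microsecond (slide)
SLOT_BITS = 512       # backoff unit: K * 512 bit times (slide)
MAX_BACKOFF_EXP = 10  # the range of K stops growing after the tenth collision (slide)


def backoff_max_k(m):
    """Largest K an adapter may pick after its m-th collision: K in {0, ..., 2^m - 1},
    with the exponent frozen at 10 so that K never exceeds 1023."""
    if m < 1:
        raise ValueError("m counts collisions, so it starts at 1")
    return 2 ** min(m, MAX_BACKOFF_EXP) - 1


def choose_k(m, rng=None):
    """Uniformly random K from {0, ..., 2^m - 1} (capped as above)."""
    rng = rng or random.Random()
    return rng.randint(0, backoff_max_k(m))


def backoff_seconds(k, bit_time=BIT_TIME_S):
    """Wait time for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time


def csma_cd_efficiency(t_prop, t_trans):
    """Slide formula: efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def repeat_collision_probability(m):
    """Two adapters that just had their m-th collision collide again only if they
    draw the same K; with 2^m equally likely values that probability is 1 / 2^m."""
    return 1.0 / (backoff_max_k(m) + 1)


def simulate_two_adapters(seed=1, max_attempts=16):
    """Replay the retry loop for two adapters whose first frames collided (constructed
    scenario). Returns how many collisions occur before they pick different K values."""
    rng = random.Random(seed)
    collisions = 1
    while collisions < max_attempts:
        k_a, k_b = choose_k(collisions, rng), choose_k(collisions, rng)
        if k_a != k_b:
            return collisions
        collisions += 1
    return collisions
```

`backoff_seconds(1023)` gives 0.0524 s, the "about 50 msec" on the slide; `csma_cd_efficiency` shows the two limits the slide states (tprop to 0, or ttrans to infinity, both drive the value to 1).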

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub, adapters detect collisions; provides net management functionality, e.g. can disconnect a malfunctioning adapter.

[Figure: hub with twisted-pair links to hosts.]

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

[Figure: a backbone hub connecting three departmental hubs.]

Switch

Link-layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment.

Transparent: hosts are unaware of presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem...

[Figure: a switch with interfaces 1, 2 and 3, each connected to a hub.]

Self learning

A switch has a switch table; an entry in the switch table is (MAC Address, Interface, Time Stamp). Stale entries in the table are dropped (TTL can be 60 min). The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.

[Figure: a switch connecting three hubs; each hub's segment is its own collision domain.]
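The self-learning and filtering rules from the two switch slides above, as an added example that is not part of the lecture. It assumes a switch whose interfaces are numbered 1, 2, 3 as in the figure, frames represented as dicts with `src` and `dst` MAC strings, and the 60-minute TTL the slide mentions; the MAC addresses in the scenario are constructed.

```python
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
SWITCH_TTL_S = 60 * 60   # stale entries dropped after 60 min (slide)


class LearningSwitch:
    """Switch table: MAC -> (interface, time stamp); learn on receive, filter or forward."""

    def __init__(self, interfaces, ttl=SWITCH_TTL_S):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}

    def _expire(self, now):
        # entries older than the TTL are forgotten, so a moved host is re-learned
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp >= self.ttl:
                del self.table[mac]

    def receive(self, frame, in_iface, now):
        """Return the list of interfaces the frame is forwarded on."""
        self._expire(now)
        # self-learning: the sender is reachable through the interface the frame arrived on
        self.table[frame["src"]] = (in_iface, now)
        entry = self.table.get(frame["dst"])
        if frame["dst"] == BROADCAST_MAC or entry is None:
            # unknown or broadcast destination: flood every other segment
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                  # filtering: same-segment traffic stays on its segment
        return [out_iface]             # selective forwarding to the learned segment

    def known_hosts(self):
        return {mac: iface for mac, (iface, _) in self.table.items()}


# constructed scenario: A and C share the hub on interface 1, B is behind interface 2
A_MAC, B_MAC, C_MAC = "0A-00-00-00-00-01", "0B-00-00-00-00-02", "0C-00-00-00-00-03"


def scenario():
    """Replay the slide's learning sequence and return each forwarding decision."""
    sw = LearningSwitch([1, 2, 3])
    decisions = [
        sw.receive({"src": A_MAC, "dst": B_MAC}, 1, now=0),     # B unknown: flood 2 and 3
        sw.receive({"src": B_MAC, "dst": A_MAC}, 2, now=1),     # A learned on 1: forward to 1
        sw.receive({"src": C_MAC, "dst": A_MAC}, 1, now=2),     # A is on the same segment: drop
        sw.receive({"src": A_MAC, "dst": B_MAC}, 1, now=3),     # B learned on 2: forward to 2
        sw.receive({"src": B_MAC, "dst": BROADCAST_MAC}, 2, now=4),
        sw.receive({"src": A_MAC, "dst": B_MAC}, 1, now=4 + SWITCH_TTL_S),  # B's entry expired
    ]
    return sw, decisions
```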

Switches vs Routers

Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices. Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                      hubs    switches    routers
    traffic isolation  no      yes         yes
    plug & play        yes     yes         no
    optimal routing    no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.

[Figure: A, B and C in a line; A's signal strength and C's signal strength plotted against space, both fading before they reach the far node.]

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations.

802.11a: 5-6 GHz range; up to 54 Mbps.

802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and access point (AP): base station. Ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet.]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If sense channel idle for DIFS, then transmit entire frame (no CD).
2. If sense channel busy, then start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2.

802.11 receiver: if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).

[Figure: the sender waits DIFS and sends data; the receiver waits SIFS and returns ACK.]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP and the RTSs collide (reservation collision); the AP answers CTS(A), heard by both; A sends DATA(A); the AP returns ACK(A); B defers for the reserved period.]

802.11 frame

    frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.

[Figure: H1 to AP to Internet router R1. The 802.11 frame from H1 carries address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. The AP converts it to an 802.3 frame with dest address = R1 MAC addr and source address = AP MAC addr.]
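An added parser for the frame layout and address semantics on the two slides above (not lecture code). It assumes infrastructure mode (no address 4, as the slide states), 802.11's little-endian field order, a CRC-32 frame check sequence over header plus payload, and that the payload is an IP datagram so the rebuilt 802.3 frame gets type 0x0800; the frame-control value and the three MAC addresses are constructed. The 802.3 conversion follows the slide's figure (dest = address 3, source = the AP's address).

```python
import struct
import zlib

# Fixed header of an infrastructure-mode 802.11 data frame, in the slide's order:
# frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2)
HEADER = struct.Struct("<HH6s6s6sH")
FCS = struct.Struct("<I")          # 4-byte CRC trailer
ETHERTYPE_IPV4 = 0x0800            # assumption: the payload handed to the wire is an IP datagram
FC_DATA_TO_DS = 0x0108             # constructed frame-control value: data frame, host -> AP


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_80211_frame(address1, address2, address3, payload, seq=0):
    """Assemble header + payload (0-2312 bytes) and append the CRC computed over both."""
    if not 0 <= len(payload) <= 2312:
        raise ValueError("payload must be 0-2312 bytes")
    body = HEADER.pack(FC_DATA_TO_DS, 0, mac_to_bytes(address1), mac_to_bytes(address2),
                       mac_to_bytes(address3), (seq & 0xFFF) << 4) + payload
    return body + FCS.pack(zlib.crc32(body) & 0xFFFFFFFF)


def parse_80211_frame(frame):
    """Split a frame into its fields; raise ValueError if truncated or the CRC fails."""
    if len(frame) < HEADER.size + FCS.size:
        raise ValueError("frame shorter than header + CRC")
    body, (crc,) = frame[:-FCS.size], FCS.unpack(frame[-FCS.size:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch")
    fc, duration, a1, a2, a3, seq_ctl = HEADER.unpack_from(body, 0)
    return {
        "frame_control": fc, "duration": duration,
        "address1": bytes_to_mac(a1),   # receiver on the wireless side (the AP)
        "address2": bytes_to_mac(a2),   # transmitter (H1)
        "address3": bytes_to_mac(a3),   # router interface R1 behind the AP
        "seq": seq_ctl >> 4, "payload": body[HEADER.size:],
    }


def frame_intact(frame):
    try:
        parse_80211_frame(frame)
        return True
    except ValueError:
        return False


def ap_to_8023(parsed):
    """Re-frame for the wired LAN as drawn on the slide: dest = address 3 (R1),
    source = the AP's own address (address 1), then the type field and payload."""
    return (mac_to_bytes(parsed["address3"]) + mac_to_bytes(parsed["address1"])
            + struct.pack("!H", ETHERTYPE_IPV4) + parsed["payload"])


# constructed addresses for H1, the AP and R1
H1_MAC, AP_MAC, R1_MAC = "AA-BB-CC-00-00-01", "AA-BB-CC-00-00-02", "AA-BB-CC-00-00-03"
```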

Network Security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks.


Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.

Failure scenario: Trudy can create a packet "spoofing" Alice's address: ("I am Alice", Alice's IP address).

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

    Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password
    Bob -> Alice: OK, Alice's IP addr

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob: ("I'm Alice", Alice's IP addr, Alice's password).

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

    Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password
    Bob -> Alice: OK, Alice's IP addr

Failure scenario: record and playback still works. Trudy replays ("I'm Alice", Alice's IP addr, encrypted password).

Authentication: yet another try

Goal: avoid playback attack.

Nonce: number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with the shared secret key:

    Alice -> Bob: "I am Alice"
    Bob -> Alice: R
    Alice -> Bob: K_A-B(R)

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!

Failures, drawbacks?
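An added example (not from the lecture) that runs the ap3.0 and ap4.0 exchanges above side by side, so the effect of the nonce on a recorded-and-replayed message can be checked. The password, the shared key K_A-B and the nonce length are constructed, and a keyed MAC (HMAC-SHA256) stands in for "R encrypted with the shared key"; that substitution is an assumption of the example, chosen because it proves possession of the key without needing a cipher library.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key-K_A-B"   # K_A-B, assumed shared by Alice and Bob
ALICE_PASSWORD = b"constructed-password"


def keyed(key, nonce):
    """Stand-in for 'R encrypted with the shared key': a keyed MAC of R (assumption)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class BobAp30:
    """ap3.0: the password itself is the proof, so any recording of it is accepted."""

    def __init__(self, password):
        self.password = password

    def check(self, message):
        return message["id"] == "Alice" and hmac.compare_digest(message["password"], self.password)


class BobAp40:
    """ap4.0: Bob challenges with a fresh nonce R and accepts only K_A-B(R) for that R."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)   # R: used only once
        return self.pending

    def check(self, response):
        R, self.pending = self.pending, None      # a nonce answers at most one response
        if R is None:
            return False
        return hmac.compare_digest(response, keyed(self.key, R))


def alice_ap30():
    return {"id": "Alice", "password": ALICE_PASSWORD}


def alice_ap40(R, key=SHARED_KEY):
    return keyed(key, R)


def run_ap30_replay():
    """Returns (first login accepted, recorded copy accepted later)."""
    bob = BobAp30(ALICE_PASSWORD)
    recorded = alice_ap30()                      # the packet Trudy recorded on the wire
    return bob.check(recorded), bob.check(recorded)


def run_ap40_replay():
    """Returns (live login accepted, recorded response accepted against a new nonce)."""
    bob = BobAp40(SHARED_KEY)
    R1 = bob.challenge()
    recorded = alice_ap40(R1)                    # Trudy records K_A-B(R1)
    first = bob.check(recorded)
    bob.challenge()                              # a later session gets a different R
    replayed = bob.check(recorded)               # K_A-B(R1) is not K_A-B(R2)
    return first, replayed
```

The second value of `run_ap40_replay()` is the whole point of the slide: the recorded message is still a valid K_A-B(R1), but Bob only ever accepts a response to the nonce he issued most recently.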

Authentication: ap5.0

ap4.0 requires a shared symmetric key; can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography.

    Alice -> Bob: "I am Alice"
    Bob -> Alice: R
    Alice -> Bob: K_A^-(R)
    Bob -> Alice: "send me your public key"
    Alice -> Bob: K_A^+

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

    Alice -> Trudy: "I am Alice"            Trudy -> Bob: "I am Alice"
    Trudy -> Alice: R                       Bob -> Trudy: R
    Alice -> Trudy: K_A^-(R)                Trudy -> Bob: K_T^-(R)
    Trudy -> Alice: "send me your public key"   Bob -> Trudy: "send me your public key"
    Alice -> Trudy: K_A^+                   Trudy -> Bob: K_T^+
    Bob -> Trudy: K_T^+(m)
    Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key:
    Trudy -> Alice: K_A^+(m)
    Alice gets m = K_A^-(K_A^+(m))

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g. so Bob and Alice can meet one week later and recall the conversation). The problem is that Trudy receives all messages as well!

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and counter measures.

Firewalls

Firewall: isolates the organization's internal net from the larger Internet, allowing some packets to pass, blocking others.

[Figure: administered network | firewall | public Internet.]

Firewalls: Why?

Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections; no resources left for "real" connections.

Prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else.

Allow only authorized access to inside network (set of authenticated users/hosts).

Two types of firewalls: application-level, packet-filtering.

Packet Filtering

Internal network connected to Internet via router firewall. Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
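The two packet-filtering examples above, written out as an added example (not lecture code) so that the decision for each kind of packet can be checked. It assumes packets reduced to the header fields the slide lists (direction, IP protocol field, ports, SYN and ACK bits); the sample packets and port numbers are constructed.

```python
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP = 6, 17
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (arriving from the Internet) or "out" (departing)
    proto: int           # IP protocol field
    src_port: int
    dst_port: int
    syn: bool = False    # TCP SYN bit
    ack: bool = False    # TCP ACK bit


def rule_example1(p):
    """Example 1: drop IP protocol 17 (UDP) or either port = 23 (telnet), both directions."""
    return p.proto == PROTO_UDP or TELNET_PORT in (p.src_port, p.dst_port)


def rule_example2(p):
    """Example 2: drop inbound TCP SYN (SYN set, ACK clear), i.e. outside-initiated connections.
    A SYN-ACK coming back to an inside client has ACK set and passes."""
    return p.direction == "in" and p.proto == PROTO_TCP and p.syn and not p.ack


def decide(packet, rules):
    """First matching block rule drops the packet; otherwise it is forwarded."""
    return "drop" if any(rule(packet) for rule in rules) else "forward"


# constructed sample traffic seen at the router firewall
SAMPLE_PACKETS = [
    ("outbound telnet attempt", Packet("out", PROTO_TCP, 40000, 23, syn=True)),
    ("inbound DNS reply (UDP)", Packet("in", PROTO_UDP, 53, 40001)),
    ("inbound SYN to an internal web server", Packet("in", PROTO_TCP, 51000, 80, syn=True)),
    ("inbound SYN-ACK answering an internal client", Packet("in", PROTO_TCP, 80, 40002, syn=True, ack=True)),
    ("outbound HTTP SYN from an internal client", Packet("out", PROTO_TCP, 40002, 80, syn=True)),
    ("inbound HTTP data to that client", Packet("in", PROTO_TCP, 80, 40002, ack=True)),
]


def run_filter(rules=(rule_example1, rule_example2), packets=SAMPLE_PACKETS):
    return {name: decide(p, rules) for name, p in packets}
```

The DNS reply is dropped by Example 1 even though an inside host asked for it; that is the "all or nothing policy for UDP" limitation the later slide mentions.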

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; application gateway; gateway-to-remote-host telnet session; router and filter.]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between the 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source.
If multiple apps need special treatment, each has its own app gateway.
Client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser.
Filters often use all-or-nothing policy for UDP.
Tradeoff: degree of communication with outside world vs. level of security.
Many highly protected sites still suffer from attacks.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and counter measures.

Internet security threats

Mapping: before attacking, "case the joint": find out what services are implemented on the network. Use ping to determine what hosts have addresses on the network. Port-scanning: try to establish a TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping: countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats

Packet sniffing: broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords); e.g. C sniffs B's packets.

[Figure: A, B and C on a shared medium; a frame src:B dest:A payload passes C.]

Countermeasures?

Internet security threats

Packet sniffing: countermeasures: all hosts in the organization run software that checks periodically if the host interface is in promiscuous mode; one host per segment of broadcast media (switched Ethernet at hub).

[Figure: A, B and C, each now on its own switched segment.]

Internet security threats

IP Spoofing: can generate "raw" IP packets directly from an application, putting any value into the IP source address field; receiver can't tell if source is spoofed; e.g. C pretends to be B.

[Figure: C sends a frame src:B dest:A payload.]

Countermeasures?

Internet security threats

IP Spoofing: ingress filtering: routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network). Great, but ingress filtering cannot be mandated for all networks.

[Figure: A, B and C as above.]
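The ingress-filtering rule on the slide above, as an added example that is not lecture code: an edge router's check that the source address of every departing packet belongs to its own network. The router prefix and the sample packets are constructed (documentation address ranges), and prefix membership is done with Python's `ipaddress` module.

```python
import ipaddress


def make_ingress_filter(network_cidr):
    """Return a predicate: may a packet with this source address leave via this router?"""
    network = ipaddress.ip_network(network_cidr)

    def allow_outgoing(src_ip):
        try:
            src = ipaddress.ip_address(src_ip)
        except ValueError:
            return False                      # unparsable source field: drop
        # only addresses inside the router's own prefix may leave
        return src.version == network.version and src in network

    return allow_outgoing


def apply_ingress_filter(outgoing, network_cidr):
    """Split departing packets into (forwarded, dropped); dropped ones carry a reason."""
    allow = make_ingress_filter(network_cidr)
    forwarded, dropped = [], []
    for pkt in outgoing:
        if allow(pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append({**pkt, "reason": f"source {pkt['src']} not in {network_cidr}"})
    return forwarded, dropped


# constructed packets leaving an edge router whose network is 198.51.100.0/24
ROUTER_NETWORK = "198.51.100.0/24"
SAMPLE_OUTGOING = [
    {"src": "198.51.100.7", "dst": "203.0.113.5"},   # genuine inside host
    {"src": "203.0.113.9", "dst": "203.0.113.5"},    # claims an address from another network
    {"src": "10.0.0.1", "dst": "203.0.113.5"},       # address outside our prefix
    {"src": "2001:db8::1", "dst": "203.0.113.5"},    # wrong IP version for this interface
    {"src": "not-an-address", "dst": "203.0.113.5"}, # malformed source field
]
```

The second packet is the slide's case: C writing B's address, or any outside address, into the source field. The router cannot tell who really sent it, but it can see that the address does not belong on this side of the link.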

Internet security threats

Denial of service (DOS): flood of maliciously generated packets "swamp" the receiver. Distributed DOS (DDOS): multiple coordinated sources swamp the receiver; e.g. C and a remote host SYN-attack A.

[Figure: streams of SYN packets from C and from a remote host converging on A.]

Countermeasures?

Internet security threats

Denial of service (DOS): countermeasures: filter out flooded packets (e.g. SYN) before they reach the host: throws out good with bad; traceback to source of floods (most likely an innocent, compromised machine).

[Figure: the same SYN streams converging on A.]
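The two detection ideas in this part of the deck, "ports being scanned sequentially" (mapping countermeasures) and a SYN flood "swamping" one receiver (DoS countermeasures), both start from the same recorded traffic, so the following added example (not lecture code) covers them together. The record format, addresses, thresholds and window are constructed; the detector runs over a log built inline.

```python
from collections import defaultdict


def constructed_log():
    """Constructed records: 'time src dst dst_port flags' (S = bare SYN, SA = SYN+ACK, A = ACK)."""
    lines = [  # ordinary web traffic to the inside host 198.51.100.7
        "1.0 203.0.113.50 198.51.100.7 80 S",
        "1.1 198.51.100.7 203.0.113.50 44000 SA",
        "1.2 203.0.113.50 198.51.100.7 80 A",
    ]
    # one outside source walking ports 21..30 of 198.51.100.7 in order
    lines += [f"{10 + 0.1 * i:.1f} 203.0.113.9 198.51.100.7 {21 + i} S" for i in range(10)]
    # 30 bare SYNs to 198.51.100.20 within 0.6 s from many different (spoofed) sources
    lines += [f"{50 + 0.02 * i:.2f} 203.0.113.{100 + i} 198.51.100.20 80 S" for i in range(30)]
    return "\n".join(lines)


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port, flags = line.split()
        records.append({"time": float(t), "src": src, "dst": dst, "port": int(port), "flags": flags})
    return records


def detect_sequential_scans(records, min_run=5):
    """Flag (src, dst) pairs whose destination ports form an ascending run of consecutive
    values; returns {pair: longest run}."""
    by_pair = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        by_pair[(r["src"], r["dst"])].append(r["port"])
    flagged = {}
    for pair, ports in by_pair.items():
        run = best = 1
        for prev, cur in zip(ports, ports[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[pair] = best
    return flagged


def detect_syn_floods(records, window_s=1.0, threshold=20):
    """Flag destinations that receive >= threshold bare SYNs inside any window_s seconds;
    returns {dst: peak count in a window}. Sources are ignored since they may be spoofed."""
    syn_times = defaultdict(list)
    for r in records:
        if r["flags"] == "S":
            syn_times[r["dst"]].append(r["time"])
    flagged = {}
    for dst, times in syn_times.items():
        times.sort()
        lo = peak = 0
        for hi, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[dst] = peak
    return flagged


def analyse(text):
    records = parse_log(text)
    return detect_sequential_scans(records), detect_syn_floods(records)
```

The scan detector keys on the (source, destination) pair, because a port walk comes from one address; the flood detector deliberately keys on the destination only, because the slide's flood sources are many and possibly spoofed, so per-source counting would see nothing unusual.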

Review (1): Network Layer

Virtual Circuits and Datagram Networks. Routing Principles: Link State Algorithm; Distance Vector Algorithm. The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation.

Review (2): Routing in the Internet

Hierarchical routing; RIP; OSPF; BGP.

Data link layer: Introduction and services; Error detection and correction; Multiple access protocols: TDMA/FDMA, Random Access Protocols, "Taking Turns" Protocols; Link-Layer Addressing; Ethernet; Hubs and switches; Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs.

Review (3): Network Security

What is network security? Principles of cryptography: Symmetric Key, Public Key. Authentication: protocol evolution. Access control: firewalls. Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks.

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info: "link state" algorithms.
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors: "distance vector" algorithms.

Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

    Initialization:
      N = {u}
      for all nodes v
        if v adjacent to u
          then D(v) = c(u,v)
        else D(v) = ∞

    Loop
      find w not in N such that D(w) is a minimum
      add w to N
      update D(v) for all v adjacent to w and not in N:
        D(v) = min( D(v), D(w) + c(w,v) )
      /* new cost to v is either old cost to v or known
         shortest path cost to w plus cost from w to v */
    until all nodes in N

Dijkstra's algorithm example

    Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
    0     u        2,u        5,u        1,u        ∞          ∞
    1     ux       2,u        4,x                   2,x        ∞
    2     uxy      2,u        3,y                              4,y
    3     uxyv                3,y                              4,y
    4     uxyvw                                                4,y
    5     uxyvwz

[Figure: graph with nodes u, v, w, x, y, z and link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5; read together with the table these are u-v 2, v-x 2, u-x 1, v-w 3, x-y 1, w-y 1, y-z 2, u-w 5, x-w 3, w-z 5.]
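The pseudocode and the worked table above, run as an added Python example (not lecture code). The link costs are the ones reconstructed from the figure and table (an assumption: the graph is taken to be undirected); the function also records N after every iteration so the table can be reproduced, and derives the forwarding table a router would install from the predecessor map.

```python
import math
from collections import defaultdict

# Link costs read off the slide's figure, consistent with its table (undirected links: assumption).
LINKS = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def adjacency(links):
    adj = defaultdict(dict)
    for (a, b), cost in links.items():
        adj[a][b] = cost
        adj[b][a] = cost
    return adj


def dijkstra(links, source):
    """The slide's algorithm. Returns (D, p, steps): D[v] is the least cost from source,
    p[v] the predecessor on that path, steps lists the set N after each iteration."""
    adj = adjacency(links)
    N = {source}
    D = {v: math.inf for v in adj}
    p = {}
    D[source] = 0
    for v, cost in adj[source].items():     # initialization: D(v) = c(u,v) for neighbours
        D[v] = cost
        p[v] = source
    steps = [sorted(N)]
    while len(N) < len(adj):
        # find w not in N with minimum D(w); ties (v and y at cost 2 here) may go either way
        w = min((v for v in adj if v not in N), key=lambda v: D[v])
        N.add(w)
        for v, cost in adj[w].items():      # D(v) = min(D(v), D(w) + c(w,v))
            if v not in N and D[w] + cost < D[v]:
                D[v] = D[w] + cost
                p[v] = w
        steps.append(sorted(N))
    return D, p, steps


def path_to(p, source, dest):
    path = [dest]
    while path[-1] != source:
        path.append(p[path[-1]])
    return path[::-1]


def forwarding_table(links, source):
    """Next hop from source to every other node, as a link-state router would install it."""
    D, p, _ = dijkstra(links, source)
    return {dest: path_to(p, source, dest)[1] for dest in D if dest != source}
```

Every destination except v is reached through x, which is what the table's predecessor columns (1,u for x, then 2,x and 3,y and 4,y) already imply.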

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

    D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path, only the next hop.

Each node:
    wait for (change in local link cost or msg from neighbor)
    recompute estimates
    if DV to any dest has changed, notify neighbors

[Figure: three nodes x, y, z with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1. Each node's table (rows: "from", columns: "cost to" x, y, z) is shown evolving over time. Initially node x knows only its own row (0 2 7), node y only its own row (2 0 1), node z only its own row (7 1 0); the other rows are ∞ ∞ ∞. After the exchanges all three tables converge to the rows x: 0 2 3, y: 2 0 1, z: 3 1 0.]

    D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
    D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
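The three-node exchange above, run to convergence as an added example (not lecture code). It assumes the slide's link costs and, as a simplification of the slide's asynchronous description, synchronous rounds in which every node first receives its neighbours' current vectors and then recomputes its own row with the B-F equation.

```python
INF = float("inf")
LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}   # costs from the slide


def link_costs(links):
    c = {}
    for (a, b), cost in links.items():
        c.setdefault(a, {})[b] = cost
        c.setdefault(b, {})[a] = cost
    return c


def initial_tables(c):
    """Each node starts knowing only its own row: 0 to itself, link cost to each neighbour."""
    nodes = sorted(c)
    tables = {}
    for x in nodes:
        own = {y: (0 if y == x else c[x].get(y, INF)) for y in nodes}
        tables[x] = {x: own}
        for v in c[x]:
            tables[x][v] = {y: INF for y in nodes}     # neighbours' rows not yet received
    return tables


def bellman_ford_row(x, c, table, nodes):
    """D_x(y) = min_v { c(x,v) + D_v(y) } over x's neighbours v."""
    row = {}
    for y in nodes:
        row[y] = 0 if y == x else min(c[x][v] + table[v][y] for v in c[x])
    return row


def distance_vector(links, max_rounds=20):
    """Synchronous rounds until no node's own vector changes. Returns (tables, rounds)."""
    c = link_costs(links)
    nodes = sorted(c)
    tables = initial_tables(c)
    for rounds in range(1, max_rounds + 1):
        for x in nodes:                            # exchange: receive each neighbour's DV
            for v in c[x]:
                tables[x][v] = dict(tables[v][v])
        changed = False
        for x in nodes:                            # recompute own row; note whether it changed
            new_row = bellman_ford_row(x, c, tables[x], nodes)
            if new_row != tables[x][x]:
                tables[x][x] = new_row
                changed = True
        if not changed:
            return tables, rounds
    return tables, max_rounds


def own_vector(tables, x):
    return tables[x][x]
```

In the first round x replaces its direct cost 7 to z with 2 + 1 via y, and z likewise learns x at cost 3; the second round brings no change, which is the convergence the slide refers to.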

The Internet Network layer

Host, router network layer functions:

Routing protocols: path selection; RIP, OSPF, BGP.
IP protocol: addressing conventions; datagram format; packet handling conventions.
ICMP protocol: error reporting; router "signaling".

[Figure: transport layer (TCP, UDP) above the network layer (routing protocols, IP protocol with its forwarding table, ICMP protocol), above the link layer and physical layer.]

IP datagram format

    <------------------------- 32 bits ------------------------->
    | ver | head. len | type of service |         length          |
    |       16-bit identifier           | flgs | fragment offset  |
    |   time to live   |  upper layer   |    Internet checksum    |
    |                  32 bit source IP address                   |
    |                32 bit destination IP address                |
    |                      Options (if any)                       |
    |            data (variable length, typically a TCP           |
    |                       or UDP segment)                       |

ver: IP protocol version number. head. len: header length (bytes). type of service: "type" of data. length: total datagram length (bytes). 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly. time to live: max number of remaining hops (decremented at each router). upper layer: upper layer protocol to deliver payload to. Options: e.g. timestamp, record route taken, specify list of routers to visit.

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
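The header layout above, as an added parser and builder (not lecture code). It assumes the 20-byte header without options, the RFC 1071 one's-complement checksum over the header, and constructed values for the identifier and flags; the addresses come from the deck's 223.1.x.x figure. The per-hop step shows the "decremented at each router" note in practice, since the checksum has to be recomputed after the TTL changes.

```python
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # the 20-byte header, no options
PROTO_TCP = 6


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ttl=64, protocol=PROTO_TCP, identifier=0x1C46):
    ver_ihl = (4 << 4) | 5                 # version 4, header length 5 words = 20 bytes
    flags_frag = 0x4000                     # constructed: DF set, fragment offset 0
    fields = [ver_ihl, 0, 20 + payload_len, identifier, flags_frag, ttl, protocol, 0,
              ip_to_bytes(src), ip_to_bytes(dst)]
    fields[7] = internet_checksum(IPV4_HEADER.pack(*fields))   # computed with the field zeroed
    return IPV4_HEADER.pack(*fields)


def parse_ipv4_header(data):
    if len(data) < IPV4_HEADER.size:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = IPV4_HEADER.unpack_from(data, 0)
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(data) < header_len:
        raise ValueError("not a complete IPv4 header")
    return {
        "version": version, "header_len": header_len, "tos": tos, "total_length": total_len,
        "identifier": ident, "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        # a valid header sums to 0xFFFF, so the complemented sum over it is 0
        "checksum_ok": internet_checksum(bytes(data[:header_len])) == 0,
        "options": bytes(data[20:header_len]),
    }


def forward_hop(data):
    """What each router does: decrement TTL and recompute the checksum.
    Returns None when the header is corrupt or the TTL would reach 0 (datagram dropped)."""
    hdr = parse_ipv4_header(data)
    if not hdr["checksum_ok"] or hdr["ttl"] <= 1:
        return None
    out = bytearray(data)
    out[8] -= 1                                  # time to live
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", internet_checksum(bytes(out[:hdr["header_len"]])))
    return bytes(out)
```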

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface.

Interface: connection between host/router and physical link. Routers typically have multiple interfaces; a host may have multiple interfaces. IP addresses are associated with each interface.

[Figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3 on one LAN with router interface 223.1.1.4; hosts 223.1.2.1, 223.1.2.2 on a second LAN with router interface 223.1.2.9; hosts 223.1.3.1, 223.1.3.2 on a third LAN with router interface 223.1.3.27.]

    223.1.1.1 = 11011111 00000001 00000001 00000001
                  223        1        1        1

Subnets

IP address: subnet part (high order bits), host part (low order bits).

What's a subnet? Device interfaces with the same subnet part of IP address can physically reach each other without an intervening router.

[Figure: the same network, consisting of 3 subnets, one per LAN.]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

    11001000 00010111 00010000 00000000
    <------ subnet part ----->< host part>
              200.23.16.0/23

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router whose inside interface is 10.0.0.4 and whose outside interface, facing the rest of the Internet, is 138.76.29.7.]

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 (S: 10.0.0.1, 3345; D: 128.119.40.186, 80).

2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table (S: 138.76.29.7, 5001; D: 128.119.40.186, 80).

    NAT translation table
    WAN side addr          LAN side addr
    138.76.29.7, 5001      10.0.0.1, 3345
    ……                     ……

3: Reply arrives, dest address 138.76.29.7, 5001 (S: 128.119.40.186, 80; D: 138.76.29.7, 5001).

4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80; D: 10.0.0.1, 3345).
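The four NAT steps above as an added simulation (not lecture code). The addresses and ports are the slide's; the choice to hand out WAN ports sequentially from 5001 and to drop inbound datagrams with no table entry are assumptions of the example.

```python
class NatRouter:
    """Port-translating NAT: every outgoing datagram leaves with the single WAN address."""

    def __init__(self, wan_ip, first_wan_port=5001):
        self.wan_ip = wan_ip
        self.next_wan_port = first_wan_port      # assumption: ports handed out sequentially
        self.lan_to_wan = {}   # (lan ip, lan port) -> wan port
        self.wan_to_lan = {}   # wan port -> (lan ip, lan port)

    def outbound(self, dgram):
        """Step 2: rewrite source (addr, port) to (WAN addr, new port); add a table entry."""
        key = (dgram["src"], dgram["sport"])
        if key not in self.lan_to_wan:
            port = self.next_wan_port
            self.next_wan_port += 1
            self.lan_to_wan[key] = port
            self.wan_to_lan[port] = key
        return {**dgram, "src": self.wan_ip, "sport": self.lan_to_wan[key]}

    def inbound(self, dgram):
        """Step 4: map dest (WAN addr, port) back to the inside socket; None means drop."""
        if dgram["dst"] != self.wan_ip:
            return None
        key = self.wan_to_lan.get(dgram["dport"])
        if key is None:
            return None        # no entry: unsolicited traffic from outside has nowhere to go
        return {**dgram, "dst": key[0], "dport": key[1]}

    def translation_table(self):
        """Rows of (WAN side addr, LAN side addr) as on the slide."""
        return [((self.wan_ip, wan_port), lan) for wan_port, lan in sorted(self.wan_to_lan.items())]


def walkthrough():
    """Slide steps 1-4 for host 10.0.0.1 talking to 128.119.40.186 port 80."""
    nat = NatRouter("138.76.29.7")
    out = nat.outbound({"src": "10.0.0.1", "sport": 3345, "dst": "128.119.40.186", "dport": 80})
    reply = {"src": "128.119.40.186", "sport": 80, "dst": "138.76.29.7", "dport": out["sport"]}
    back = nat.inbound(reply)
    return nat, out, back
```

Because nothing inside is reachable until an outbound datagram has created an entry, the table doubles as a crude inbound filter; that is a side effect of address sharing, not a substitute for the firewall rules discussed earlier in the deck.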

Hierarchical Routing

Our routing study thus far: idealization: all routers identical, network "flat"… not true in practice.

Scale: with 200 million destinations, can't store all dest's in routing tables; routing table exchange would swamp links!

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS). Routers in the same AS run the same routing protocol: "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.

Gateway router: direct link to a router in another AS.

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); a router's forwarding table is built from the intra-AS routing algorithm and the inter-AS routing algorithm.]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS & intra-AS set entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops). # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A).

[Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z.]

    destination  hops
    u            1
    v            2
    w            2
    x            3
    y            3
    z            2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement). Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort; high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.

Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to backbone.
Boundary routers: connect to other AS's.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard. BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links. When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS.]

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route".

Two important attributes: AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17. NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).

When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduces update traffic.
Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs. A layer-2 packet is a frame, which encapsulates a datagram.

The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address!).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)! Seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access: access to channel in "rounds"; each station gets a fixed-length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3 and 4 have a packet; slots 2, 5 and 6 are idle.

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty-cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized: only slots in nodes need to be in sync; simple.

Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p.

    prob that node 1 has success in a slot = p(1-p)^(N-1)
    prob that there is a success        = Np(1-p)^(N-1)

For max efficiency with N nodes, find the p that maximizes Np(1-p)^(N-1). For many nodes, take the limit of Np(1-p)^(N-1) as N goes to infinity: gives 1/e = .37.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
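The efficiency derivation above carried through numerically, as an added example (not lecture code): the maximizing p for finite N, a grid search that confirms the calculus, and the approach to 1/e as N grows. Nothing beyond the slide's formula is assumed.

```python
import math


def success_probability(N, p):
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    if N < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need N >= 1 and 0 <= p <= 1")
    return N * p * (1 - p) ** (N - 1)


def optimal_p(N):
    """Setting d/dp [N p (1-p)^(N-1)] = N (1-p)^(N-2) (1 - N p) to zero gives p* = 1/N."""
    return 1.0 / N


def max_efficiency(N):
    """Best long-run fraction of successful slots with N always-busy nodes."""
    return success_probability(N, optimal_p(N))


def grid_search_p(N, steps=1000):
    """Numerical cross-check of p*: scan p over (0, 1) and keep the best value."""
    best_p, best = 0.0, 0.0
    for i in range(1, steps):
        p = i / steps
        s = success_probability(N, p)
        if s > best:
            best_p, best = p, s
    return best_p, best


def efficiency_limit():
    """The N -> infinity limit of N p* (1-p*)^(N-1) = (1 - 1/N)^(N-1) is 1/e."""
    return 1.0 / math.e


def efficiency_table(sizes=(1, 2, 5, 10, 100, 1000)):
    """Max efficiency for a few N, showing the fall from 1.0 towards 0.37."""
    return {N: round(max_efficiency(N), 4) for N in sizes}
```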

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes, as entries < IP address; MAC address; TTL >.
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B knowing B's IP address?
(Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88.)

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address. Dest MAC address = FF-FF-FF-FF-FF-FF, so all machines on the LAN receive the ARP query.
- B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from a net administrator.

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
(Figure: A on one LAN, router R, B on the other LAN.)

- A creates a datagram with source A, destination B.
- A uses ARP to get R's MAC address for 111.111.111.110.
- A creates a link-layer frame with R's MAC address as dest; the frame contains the A-to-B IP datagram.
- A's adapter sends the frame; R's adapter receives it.
- R removes the IP datagram from the Ethernet frame and sees it is destined to B.
- R uses ARP to get B's MAC address.
- R creates a frame containing the A-to-B IP datagram and sends it to B.
(Figure: A, R, B as above.)
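The ARP exchange and the A-to-R-to-B walkthrough as an added Python model; this is my own code, not from the slides. It has an ArpTable with soft-state TTL entries, a broadcast segment on which a node lacking a mapping sends a query that every node receives and the owner answers by unicast, and a router with one ARP table per attached LAN. R's LAN-1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slide; the other addresses and MACs are constructed placeholders.

```python
from dataclasses import dataclass, field

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_TTL_SECONDS = 20 * 60           # slide: mapping forgotten after about 20 min

class ArpTable:
    """<IP address, MAC address, TTL>: soft state that disappears unless refreshed."""
    def __init__(self, ttl=ARP_TTL_SECONDS):
        self.ttl = ttl
        self._entries = {}           # ip -> (mac, expiry time)

    def learn(self, ip, mac, now):
        self._entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if now >= expires:           # stale: forget the mapping
            del self._entries[ip]
            return None
        return mac

@dataclass
class Interface:
    name: str
    ip: str
    mac: str
    arp: ArpTable = field(default_factory=ArpTable)

class Lan:
    """A broadcast segment. resolve() is either a cache hit, or an ARP query to
    FF-FF-FF-FF-FF-FF that every interface receives, answered by unicast."""
    def __init__(self, *interfaces):
        self.interfaces = list(interfaces)
        self.queries_sent = 0

    def resolve(self, requester, target_ip, now):
        mac = requester.arp.lookup(target_ip, now)
        if mac is not None:
            return mac
        self.queries_sent += 1       # broadcast query reaches all nodes on this LAN
        for iface in self.interfaces:
            if iface is not requester and iface.ip == target_ip:
                requester.arp.learn(target_ip, iface.mac, now)   # unicast reply is cached
                return iface.mac
        return None

def forward_a_to_b(a, r_lan1, r_lan2, b, lan1, lan2, now=0.0):
    """Return the two link-layer frames that carry one A-to-B datagram via R.
    The IP header is unchanged across both hops; only the MAC addresses differ."""
    datagram = {"ip_src": a.ip, "ip_dst": b.ip}
    frame1 = {"dst_mac": lan1.resolve(a, r_lan1.ip, now), "src_mac": a.mac, **datagram}
    # R strips frame1, sees the datagram is for B's network, and uses its LAN-2 ARP table
    frame2 = {"dst_mac": lan2.resolve(r_lan2, b.ip, now), "src_mac": r_lan2.mac, **datagram}
    return frame1, frame2

def demo(now=0.0):
    """Constructed topology: A and R on LAN 1, R and B on LAN 2."""
    a = Interface("A", "111.111.111.111", "74-29-9C-E8-FF-55")          # constructed
    r1 = Interface("R-lan1", "111.111.111.110", "E6-E9-00-17-BB-4B")     # from the slide
    r2 = Interface("R-lan2", "222.222.222.220", "1A-23-F9-CD-06-9B")     # constructed
    b = Interface("B", "222.222.222.222", "49-BD-D2-C7-56-2A")          # constructed
    lan1, lan2 = Lan(a, r1), Lan(r2, b)
    return forward_a_to_b(a, r1, r2, b, lan1, lan2, now), lan1, lan2, a
```

A second send from A reuses the cached entry (no new query), and once the TTL has passed the lookup misses and a fresh query goes out, which is the soft-state behaviour the slide describes.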

Ethernet uses CSMA/CD

- No slots.
- An adapter doesn't transmit if it senses that some other adapter is transmitting: that is, carrier sense.
- A transmitting adapter aborts when it senses that another adapter is transmitting: that is, collision detection.
- Before attempting a retransmission, the adapter waits a random time: that is, random access.

Ethernet CSMA/CD algorithm

1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, …, 2^m - 1}. The adapter waits K · 512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.

Exponential backoff: goal is to adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer.
- first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}
- …
- after ten collisions: choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

- Efficiency goes to 1 as t_prop goes to 0.
- Goes to 1 as t_trans goes to infinity.
- Much better than ALOHA, but still decentralized, simple and cheap.
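An added Python example (mine, not from the slides) that puts numbers on the backoff and efficiency rules above: the K range after the m-th collision, the wait in microseconds at 10 Mbps, the efficiency formula, and a small simulation of adapters that collided and re-draw K until one of them wins the channel. The cap of the exponent at 10 and the give-up after 16 attempts are standard Ethernet behaviour that the slide only implies ("after ten collisions … 1023"); helper names are my own.

```python
import random

BIT_TIME_US_10MBPS = 0.1    # 10 Mbps: one bit lasts 0.1 microsecond
SLOT_BITS = 512             # backoff unit: K * 512 bit times
JAM_BITS = 48               # jam signal length from the slide
MAX_BACKOFF_EXPONENT = 10   # K range stops growing after the 10th collision (standard 802.3)
MAX_ATTEMPTS = 16           # adapters give up after 16 collisions (standard 802.3, not on the slide)

def k_range(m):
    """Size of the set {0, 1, ..., 2^min(m,10) - 1} that K is drawn from after the m-th collision."""
    return 2 ** min(m, MAX_BACKOFF_EXPONENT)

def wait_time_us(k, bit_time_us=BIT_TIME_US_10MBPS):
    """Backoff delay for a chosen K: K * 512 bit times, in microseconds."""
    return k * SLOT_BITS * bit_time_us

def efficiency(t_prop, t_trans):
    """CSMA/CD long-run efficiency: 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)

def collisions_until_winner(n_adapters, seed=1):
    """Simulate n adapters that just collided (m = 1). Each round every adapter
    draws K; the smallest K wins the channel unless two or more drew it, in which
    case those adapters collide again with m + 1. Returns the number of collisions
    seen, or MAX_ATTEMPTS if the backoff never resolves within the limit."""
    rng = random.Random(seed)
    m = 1
    while m < MAX_ATTEMPTS:
        ks = [rng.randrange(k_range(m)) for _ in range(n_adapters)]
        if ks.count(min(ks)) == 1:
            return m
        m += 1
    return MAX_ATTEMPTS

if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        longest = wait_time_us(k_range(m) - 1) / 1000
        print(f"collision {m:2d}: K in [0, {k_range(m) - 1}], longest wait {longest:.2f} ms")
    print("efficiency at t_prop/t_trans = 0.01:", round(efficiency(0.01, 1.0), 3))
    print("collisions until one of 3 adapters wins:", collisions_until_winner(3))
```

The K = 1023 case evaluates to 1023 · 512 · 0.1 µs ≈ 52.4 ms, the "about 50 msec" figure on the slide.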

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming in from one link go out all other links at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides net management functionality, e.g. can disconnect a malfunctioning adapter
(Figure: hub with twisted-pair links to hosts.)

Interconnecting with hubs

Pros:
- enables interdepartmental communication
- extends max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it

Cons:
- collision domains are transferred into one large common domain
- cannot interconnect 10BaseT and 100BaseT hubs
(Figure: backbone hub connecting three departmental hubs.)

Switch

Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC dest address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem.
(Figure: switch with interfaces 1, 2, 3, each attached to a hub.)

Self learning

A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

- switch installation breaks the subnet into LAN segments
- switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
- segments become separate collision domains
(Figure: switch joining three hubs, each hub forming its own collision domain.)
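A learning switch as an added Python model of the self-learning and filtering rules above; this is my own code, not from the slides. The table maps MAC address to (interface, time stamp), stale entries are dropped after a TTL, an unknown destination is flooded out every other interface, a known destination is forwarded out its interface only, and a frame whose destination sits on the incoming segment is filtered. Interface numbers and MAC addresses are constructed.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"

class LearningSwitch:
    def __init__(self, interfaces, ttl_seconds=60 * 60):   # slide: TTL can be 60 min
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.table = {}                 # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_if, now):
        """Process one frame; return the list of interfaces it is sent out on."""
        self._drop_stale(now)
        self.table[src_mac] = (in_if, now)          # learn: sender is reachable via in_if
        others = [i for i in self.interfaces if i != in_if]
        if dst_mac == BROADCAST:
            return others                            # broadcast goes everywhere but back
        entry = self.table.get(dst_mac)
        if entry is None:
            return others                            # unknown location: flood
        out_if = entry[0]
        if out_if == in_if:
            return []                                # same segment: filter, do not forward
        return [out_if]                              # selective forwarding

def scenario():
    """Constructed trace on a 3-interface switch (one hub per interface, as in the figure)."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    out = []
    out.append(sw.receive(a, b, 1, now=0))                   # B unknown: flooded to 2 and 3
    out.append(sw.receive(b, a, 2, now=1))                   # A known on 1: forwarded to 1 only
    out.append(sw.receive(c, b, 2, now=2))                   # C and B share interface 2: filtered
    out.append(sw.receive(a, b, 1, now=3))                   # B known on 2: forwarded to 2
    out.append(sw.receive(a, b, 1, now=3 + 60 * 60 + 1))     # B's entry expired: flooded again
    return out, sw
```

The last step shows why the time stamp matters: once B's entry has aged out the switch falls back to flooding until B is heard from again.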

Switches vs. routers

Both are store-and-forward devices:
- routers: network-layer devices (examine network-layer headers)
- switches: link-layer devices
Routers maintain routing tables and implement routing algorithms.
Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                     hubs    switches   routers
traffic isolation    no      yes        yes
plug & play          yes     yes        no
optimal routing      no      no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.
(Figure: A, B, C in a line; A's and C's ranges overlap only at B.)

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.
(Figure: A's and C's signal strength versus space, each falling off before reaching the other.)

IEEE 802.11 Wireless LAN

802.11b
- 2.4–5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code
- widely deployed, using base stations

802.11a: 5–6 GHz range, up to 54 Mbps
802.11g: 2.4–5 GHz range, up to 54 Mbps

All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture

- a wireless host communicates with a base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and the access point (AP), i.e. the base station
- ad hoc mode: hosts only
(Figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet.)

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.

802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem).
(Figure: sender waits DIFS and sends data; receiver waits SIFS and sends ACK.)

Collision avoidance: RTS-CTS exchange

(Figure: A and B both send RTS to the AP and the RTSs collide; A retries RTS(A), the AP answers CTS(A), A sends DATA(A) and the AP returns ACK(A); B hears CTS(A) and defers for the length of the reservation.)

802.11 frame format (field: bytes):
frame control: 2 | duration: 2 | address 1: 6 | address 2: 6 | address 3: 6 | seq control: 2 | address 4: 6 | payload: 0–2312 | CRC: 4

802.11 frame: addressing

- Address 1: MAC address of the wireless host or AP to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode

(Figure: host H1, AP, and router R1 on the Internet side.)
802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.
802.3 frame from the AP to R1: dest address = R1 MAC addr, source address = AP MAC addr.

Network security

- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks


Authentication: another try

Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.
Failure scenario: Trudy can create a packet "spoofing" Alice's address ("I am Alice", Alice's IP address).

Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
Exchange: "I'm Alice", Alice's IP addr, Alice's password → Bob; Bob replies OK to Alice's IP addr.

Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob ("I'm Alice", Alice's IP addr, Alice's password).

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
Exchange: "I'm Alice", Alice's IP addr, encrypted password → Bob; Bob replies OK to Alice's IP addr.

Failure scenario: record and playback still works. Trudy records the packet ("I'm Alice", Alice's IP addr, encrypted password) and later plays it back to Bob.

Authentication: yet another try

Goal: avoid the playback attack.
Failures, drawbacks?

Nonce: a number (R) used only once-in-a-lifetime.
ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with the shared secret key.
Exchange: Alice → "I am Alice"; Bob → R; Alice → K_A-B(R).
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice.
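An added Python sketch (mine, not from the slides) of the ap4.0 idea from the verifier's side: Bob issues a fresh random nonce R, Alice answers with a keyed function of R under the shared secret, and Bob accepts only a correct answer to a nonce he issued and has not yet consumed, so a recorded exchange cannot be played back. In place of the symmetric encryption K_A-B(R) on the slide, the sketch uses an HMAC over R, which is the usual way this challenge-response is implemented; the shared key is constructed for the demo.

```python
import hmac
import hashlib
import secrets

def respond(shared_key: bytes, nonce: bytes) -> bytes:
    """Alice's side: keyed function of the nonce (HMAC-SHA256 standing in for K_A-B(R))."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()

class Verifier:
    """Bob's side: hands out nonces and accepts each one at most once."""
    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()        # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # 128 random bits: used only once in a lifetime
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                 # never issued, or already used: a replay
        self._outstanding.discard(nonce) # consume it before checking so it cannot be reused
        expected = respond(self._key, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison

def run_protocol(shared_key: bytes):
    """One honest run, then a replay of the recorded (R, response) pair, then an
    answer computed under the wrong key. Returns the three verdicts."""
    bob = Verifier(shared_key)
    r = bob.challenge()                         # Bob -> Alice: R
    answer = respond(shared_key, r)             # Alice -> Bob: K_A-B(R)
    honest = bob.verify(r, answer)
    replayed = bob.verify(r, answer)            # the recorded pair played back later
    r2 = bob.challenge()
    wrong_key = bob.verify(r2, respond(b"not-the-shared-key", r2))
    return honest, replayed, wrong_key

SHARED_KEY = secrets.token_bytes(32)            # constructed key for the demo
```

Two details carry the security argument: the nonce is removed from the outstanding set before the answer is checked, so a failed or repeated attempt cannot be retried against the same R, and the comparison is constant-time so timing does not leak how many bytes of the answer were right.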

Authentication: ap5.0

ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?
ap5.0: use a nonce and public key cryptography.
Exchange: Alice → "I am Alice"; Bob → R; Alice → K_A^-(R); Bob → "send me your public key"; Alice → K_A^+.
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).
(Figure: Alice – Trudy – Bob exchange.)
- "I am Alice" goes from Alice to Trudy and from Trudy to Bob.
- Bob sends R; Trudy answers K_T^-(R); Bob says "send me your public key"; Trudy sends K_T^+.
- Trudy forwards R to Alice; Alice answers K_A^-(R); Trudy says "send me your public key"; Alice sends K_A^+.
- Bob sends K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)) and sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice gets m = K_A^-(K_A^+(m)).

Difficult to detect: Bob receives everything that Alice sends and vice versa (e.g. so Bob and Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well.

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Firewalls

A firewall isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
(Figure: administered network – firewall – public Internet.)

Firewalls: why?

- prevent denial of service attacks: SYN flooding, where an attacker establishes many bogus TCP connections and no resources are left for "real" connections
- prevent illegal modification/access of internal data, e.g. an attacker replaces CIA's homepage with something else
- allow only authorized access to the inside network (a set of authenticated users/hosts)

Two types of firewalls: application-level, packet-filtering.

Packet filtering

The internal network is connected to the Internet via a router firewall. The router filters packet by packet; the decision to forward/drop a packet is based on:
- source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type
- TCP SYN and ACK bits
Should the arriving packet be allowed in? Should the departing packet be let out?

Packet filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
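The two filtering examples above as an ordered rule set over constructed packets; this is an added example of mine, not the slides' own. Rules are checked in order and the first match decides, anything unmatched is forwarded. The trace uses 203.0.113.0/24 as the internal network and 198.51.100.0/24 as the outside (documentation ranges, constructed); field and function names are my own.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ICMP = 6, 17, 1

@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (arriving from the Internet) or "out" (departing)
    proto: int              # IP protocol field
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False

# Example 1 and example 2 from the slide, as (name, predicate, action); first match wins.
RULES = [
    ("ex1: drop all UDP", lambda p: p.proto == UDP, "drop"),
    ("ex1: drop telnet (port 23)",
     lambda p: p.proto == TCP and 23 in (p.src_port, p.dst_port), "drop"),
    ("ex2: drop inbound TCP SYN",
     lambda p: p.direction == "in" and p.proto == TCP and p.syn and not p.ack, "drop"),
]
DEFAULT_ACTION = "forward"

def decide(pkt):
    """Return (action, rule name) for one packet."""
    for name, matches, action in RULES:
        if matches(pkt):
            return action, name
    return DEFAULT_ACTION, "default"

def filter_trace(packets):
    return [decide(p)[0] for p in packets]

TRACE = [   # constructed packets
    Packet("in", UDP, "198.51.100.9", "203.0.113.5", 40000, 53),                     # inbound UDP: drop
    Packet("out", TCP, "203.0.113.5", "198.51.100.9", 51000, 23, syn=True),           # outbound telnet: drop
    Packet("in", TCP, "198.51.100.9", "203.0.113.5", 44000, 80, syn=True),            # outside client opening: drop
    Packet("out", TCP, "203.0.113.5", "198.51.100.9", 51001, 80, syn=True),           # inside client opening: forward
    Packet("in", TCP, "198.51.100.9", "203.0.113.5", 80, 51001, syn=True, ack=True),  # SYN-ACK reply: forward
    Packet("in", ICMP, "198.51.100.9", "203.0.113.5"),                                # no rule matches: forward
]
```

The fifth packet is the point of example 2: an inbound segment with SYN and ACK both set is the reply to a connection the inside opened, so the SYN-only test lets it through while still refusing fresh inbound openings.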

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
(Figure: host-to-gateway telnet session and gateway-to-remote-host telnet session; the application gateway sits behind a router and filter.)

1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the dest host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls and gateways

- IP spoofing: the router can't know if data "really" comes from the claimed source
- if multiple apps need special treatment, each has its own app gateway
- client software must know how to contact the gateway, e.g. must set the IP address of the proxy in the Web browser
- filters often use an all-or-nothing policy for UDP
- tradeoff: degree of communication with the outside world vs. level of security
- many highly protected sites still suffer from attacks

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Internet security threats

Mapping:
- before attacking, "case the joint": find out what services are implemented on the network
- use ping to determine which hosts have addresses on the network
- port scanning: try to establish a TCP connection to each port in sequence
Countermeasures?

Internet security threats

Mapping countermeasures:
- record traffic entering the network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
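The mapping countermeasure above turned into detection logic, as an added example of mine rather than anything from the slides: over a constructed connection log it groups connection attempts by (source, destination), and flags a source that touches many distinct ports on one host within a short window with a run of consecutive port numbers, the "scanned sequentially" signature. Thresholds and addresses are constructed.

```python
from collections import defaultdict

# Constructed connection log: (time in seconds, source IP, destination IP, destination port, TCP flags)
LOG = [
    (0.0, "198.51.100.7", "203.0.113.10", 21, "S"),
    (0.1, "198.51.100.7", "203.0.113.10", 22, "S"),
    (0.2, "198.51.100.7", "203.0.113.10", 23, "S"),
    (0.3, "198.51.100.7", "203.0.113.10", 24, "S"),
    (0.4, "198.51.100.7", "203.0.113.10", 25, "S"),
    (0.5, "198.51.100.7", "203.0.113.10", 26, "S"),
    (0.6, "198.51.100.7", "203.0.113.10", 27, "S"),
    (0.7, "198.51.100.7", "203.0.113.10", 28, "S"),
    (5.0, "198.51.100.20", "203.0.113.10", 80, "S"),     # ordinary web client
    (5.1, "198.51.100.20", "203.0.113.10", 80, "A"),
    (9.0, "198.51.100.20", "203.0.113.10", 443, "S"),
]

def sequential_run(ports):
    """Length of the longest run of consecutive port numbers in the set."""
    best = run = 0
    prev = None
    for p in sorted(ports):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best

def detect_scans(log, window=10.0, min_ports=6, min_run=4):
    """Flag (source, destination) pairs where the source attempted at least min_ports
    distinct ports within `window` seconds, including a run of min_run consecutive ports."""
    by_pair = defaultdict(list)
    for t, src, dst, port, flags in log:
        if "S" in flags:                          # connection attempts only
            by_pair[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):      # slide a window starting at each attempt
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports and sequential_run(ports) >= min_run:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports)})
                break
    return alerts
```

The run-length test is what separates a sweep from a busy but legitimate client: the web client also opens several connections, but to two unrelated ports, so it never trips the rule.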

Internet security threats: packet sniffing

- broadcast media
- a promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g. C sniffs B's packets
(Figure: A, B, C on a shared segment; a packet src:B dest:A payload is visible to C.)
Countermeasures?

Internet security threats: packet sniffing countermeasures

- all hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at the hub)
(Figure: same topology as above.)

Internet security threats: IP spoofing

- can generate "raw" IP packets directly from an application, putting any value into the IP source address field
- the receiver can't tell if the source is spoofed
- e.g. C pretends to be B
(Figure: A, B, C; a packet src:B dest:A payload is sent by C.)
Countermeasures?

Internet security threats: IP spoofing, ingress filtering

- routers should not forward outgoing packets with invalid source addresses (e.g. a datagram source address not in the router's network)
- great, but ingress filtering cannot be mandated for all networks
(Figure: same topology as above.)
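The ingress filtering rule above as an added Python example (mine, not from the slides): an edge router that forwards a departing packet only if its source address lies in one of the prefixes it serves, and drops everything else as a spoofed source. It uses the standard-library ipaddress module, so the same check covers IPv4 and IPv6 prefixes; the prefixes and packets are constructed.

```python
import ipaddress

def ingress_filter(local_prefixes, packets):
    """Apply the rule at the edge router: a packet leaving the network is forwarded
    only if its source address belongs to one of the router's own prefixes.
    Returns (forwarded, dropped)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in local_prefixes]
    forwarded, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt["src"])
        # an IPv4 address is never "in" an IPv6 network and vice versa, so mixing is safe
        if any(src in net for net in nets):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped

# Constructed: the router serves 203.0.113.0/24 and 2001:db8:1::/48
LOCAL_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]
OUTBOUND = [
    {"src": "203.0.113.7",   "dst": "198.51.100.1"},   # genuine local host
    {"src": "198.51.100.9",  "dst": "198.51.100.1"},   # claims an address outside our net (C pretending to be B)
    {"src": "2001:db8:1::5", "dst": "2001:db8:2::1"},  # genuine local IPv6 host
    {"src": "10.0.0.4",      "dst": "198.51.100.1"},   # private address that should never leave
]
```

The slide's caveat still applies: this only protects the rest of the Internet from sources inside this network, and a receiver elsewhere gains nothing unless the other edge networks do the same.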

Internet security threats: denial of service (DoS)

- a flood of maliciously generated packets "swamps" the receiver
- Distributed DoS (DDoS): multiple coordinated sources swamp the receiver
- e.g. C and a remote host SYN-attack A
(Figure: A, B, C; streams of SYN packets converging on A.)
Countermeasures?

Internet security threats: denial of service (DoS) countermeasures

- filter out flooded packets (e.g. SYN) before they reach the host: throws out good with bad
- traceback to the source of the floods (most likely an innocent, compromised machine)
(Figure: same topology as above.)
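Detection of the SYN flood described above, as an added example of mine rather than code from the slides: over a constructed packet trace it counts, per destination, the SYNs that were never followed by an ACK from the same source and port within a window, i.e. the half-open connections a flood leaves behind, and reports destinations whose count exceeds a threshold. Addresses, ports and the threshold are constructed.

```python
from collections import defaultdict

def half_open_counts(trace, window=5.0):
    """For each destination, count SYNs not followed by an ACK from the same
    (src, sport) within `window` seconds: the half-open connections left behind.
    Trace entries are (time, src, sport, dst, flags) with flags "S" or "A"."""
    syn_times = {}          # (src, sport, dst) -> time of the first SYN
    completed = set()
    for t, src, sport, dst, flags in sorted(trace):
        key = (src, sport, dst)
        if flags == "S":
            syn_times.setdefault(key, t)
        elif flags == "A" and key in syn_times and t - syn_times[key] <= window:
            completed.add(key)
    counts = defaultdict(int)
    for key in syn_times:
        if key not in completed:
            counts[key[2]] += 1
    return dict(counts)

def flood_targets(trace, threshold=50, window=5.0):
    """Destinations with more half-open connections than `threshold`."""
    return sorted(dst for dst, n in half_open_counts(trace, window).items() if n > threshold)

def build_trace():
    """Constructed trace: one legitimate B->A handshake, then 200 SYNs to A from
    200 different (spoofed) sources that never complete the handshake."""
    trace = [(0.0, "203.0.113.2", 40000, "203.0.113.1", "S"),
             (0.2, "203.0.113.2", 40000, "203.0.113.1", "A")]
    for i in range(200):
        trace.append((1.0 + i * 0.01, f"198.51.100.{i % 250}", 1024 + i, "203.0.113.1", "S"))
    return trace
```

Keying on (source, port, destination) is what lets the legitimate handshake drop out of the count while the spoofed SYNs, each from a source that never answers, all stay in it; a production detector would also age entries out rather than keep every key forever.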

Review (1)

Network layer
- virtual circuits and datagram networks
- routing principles: link state algorithm, distance vector algorithm
- the Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)

Review (2)

Routing in the Internet
- hierarchical routing, RIP, OSPF, BGP
Data link layer
- introduction and services
- error detection and correction
- multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
- link-layer addressing
- Ethernet
- hubs and switches
Mobile and wireless networks
- CDMA
- IEEE 802.11 wireless LANs

Review (3)

- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing algorithm classification

Global or decentralized information?
- Global: all routers have complete topology and link cost info; "link state" algorithms.
- Decentralized: a router knows its physically-connected neighbors and the link costs to them; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms.

Static or dynamic?
- Static: routes change slowly over time.
- Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's algorithm

Initialization:
  N = {u}
  for all nodes v:
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop:
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either the old cost to v or the known shortest path cost to w plus the cost from w to v */
until all nodes in N

Dijkstra's algorithm example

(Figure: graph over nodes u, v, w, x, y, z with link costs (u,v)=2, (u,x)=1, (u,w)=5, (v,x)=2, (v,w)=3, (x,w)=3, (x,y)=1, (w,y)=1, (w,z)=5, (y,z)=2.)

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

Distance vector algorithm (1)

Basic idea:
- Each node periodically sends its own distance vector estimate to its neighbors.
- When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance vector algorithm (2)

Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies its neighbors only when its DV changes; the neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path – it only knows the next hop.

Each node:
  wait for (a change in a local link cost or a msg from a neighbor)
  recompute estimates
  if the DV to any dest has changed, notify neighbors

Example: three nodes x, y, z with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1. Each node's table has one row per source ("from") and one column per destination ("cost to").

Initially (time 0):
  node x table          node y table          node z table
  from\to  x  y  z      from\to  x  y  z      from\to  x  y  z
  x        0  2  7      x        ∞  ∞  ∞      x        ∞  ∞  ∞
  y        ∞  ∞  ∞      y        2  0  1      y        ∞  ∞  ∞
  z        ∞  ∞  ∞      z        ∞  ∞  ∞      z        7  1  0

After the first exchange of DVs:
  node x table          node y table          node z table
  from\to  x  y  z      from\to  x  y  z      from\to  x  y  z
  x        0  2  3      x        0  2  7      x        0  2  7
  y        2  0  1      y        2  0  1      y        2  0  1
  z        7  1  0      z        7  1  0      z        3  1  0

After the second exchange, all three tables hold the converged rows x: 0 2 3, y: 2 0 1, z: 3 1 0.

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
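The three-node distance vector run above in Python, as an added example (mine, not from the slides): each node keeps a "from/cost to" table, applies the Bellman-Ford equation whenever a neighbour's vector arrives, records only the next hop, and reports whether its own vector changed so that the caller knows whether to notify neighbours. Exchanges are driven in synchronous rounds for simplicity, where the slide's version is asynchronous; class and function names are my own.

```python
INF = float("inf")

class DVNode:
    def __init__(self, name, link_costs, all_nodes):
        self.name = name
        self.c = dict(link_costs)                  # cost to each directly connected neighbour
        self.all = list(all_nodes)
        # rows: "from" (self and each neighbour); columns: "cost to" each destination
        self.table = {n: {d: INF for d in self.all} for n in [name] + list(self.c)}
        for d in self.all:
            self.table[name][d] = 0 if d == name else self.c.get(d, INF)
        self.next_hop = {d: (d if d in self.c else None) for d in self.all}

    def vector(self):
        return dict(self.table[self.name])

    def receive(self, neighbour, vector):
        """Store the neighbour's DV, apply Bellman-Ford; return True if own DV changed."""
        self.table[neighbour] = dict(vector)
        changed = False
        for y in self.all:
            if y == self.name:
                continue
            best, hop = INF, None
            for v, cost_xv in self.c.items():      # D_x(y) = min_v { c(x,v) + D_v(y) }
                cand = cost_xv + self.table[v].get(y, INF)
                if cand < best:
                    best, hop = cand, v
            if best != self.table[self.name][y]:
                self.table[self.name][y] = best
                self.next_hop[y] = hop
                changed = True
        return changed

def run(links, max_rounds=20):
    """Synchronous rounds: every node sends its DV to its neighbours and each recomputes.
    Returns (nodes, number of the first round in which nothing changed)."""
    names = sorted({n for e in links for n in e})
    adj = {n: {} for n in names}
    for (a, b), c in links.items():
        adj[a][b] = c
        adj[b][a] = c
    nodes = {n: DVNode(n, adj[n], names) for n in names}
    for rnd in range(1, max_rounds + 1):
        vectors = {n: nodes[n].vector() for n in names}       # snapshot before updates
        changed = False
        for n in names:
            for v in adj[n]:
                changed |= nodes[n].receive(v, vectors[v])
        if not changed:
            return nodes, rnd
    return nodes, max_rounds

LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}    # the slide's three-node example
```

After the first round x already knows z costs 3 via y, and z knows x costs 3 via y; the second round confirms nothing changes, which is the convergence the slide's tables show.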

The Internet network layer

Host, router network layer functions:
- Routing protocols: path selection; RIP, OSPF, BGP
- IP protocol: addressing conventions, datagram format, packet handling conventions
- ICMP protocol: error reporting, router "signaling"
- forwarding table
The network layer sits above the link layer and physical layer and below the transport layer (TCP, UDP).

IP datagram format

(Figure: 32-bit-wide header layout.)
- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number of remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver the payload to
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.

IP addressing: introduction

IP address: 32-bit identifier for a host or router interface.
Interface: connection between host/router and physical link.
- routers typically have multiple interfaces
- a host may have multiple interfaces
- IP addresses are associated with each interface
(Figure: three subnets with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27.)

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address: subnet part (high order bits) + host part (low order bits).
What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.
(Figure: network consisting of 3 subnets (LANs), with the same interface addresses as above.)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).
CIDR: Classless InterDomain Routing. The subnet portion of the address is of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

200.23.16.0/23 = 11001000 00010111 00010000 00000000
                 subnet part (23 bits) | host part (9 bits)
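The a.b.c.d/x notation worked out in code, as an added example of mine and not from the slides: it splits 200.23.16.0/23 into its 23 subnet bits and 9 host bits, computes the first and last address and the size of the block, tests whether two addresses share a subnet part, and, for contrast, gives the only mask lengths that were available before CIDR. It uses plain integer arithmetic rather than the ipaddress module so the bit split stays visible.

```python
def to_bits(dotted):
    """'a.b.c.d' -> 32-character string of '0'/'1'."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return "".join(f"{o:08b}" for o in octets)

def from_int(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def parse_cidr(prefix):
    addr, x = prefix.split("/")
    x = int(x)
    if not 0 <= x <= 32:
        raise ValueError(f"bad prefix length: {x}")
    return addr, x

def split_cidr(prefix):
    """'a.b.c.d/x' -> (subnet bits, host bits)."""
    addr, x = parse_cidr(prefix)
    bits = to_bits(addr)
    return bits[:x], bits[x:]

def block_range(prefix):
    """(first address, last address, number of addresses) covered by the prefix."""
    addr, x = parse_cidr(prefix)
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF
    first = int(to_bits(addr), 2) & mask
    last = first | (~mask & 0xFFFFFFFF)
    return from_int(first), from_int(last), 2 ** (32 - x)

def same_subnet(a, b, x):
    """True if a and b agree on the first x bits, i.e. share the subnet part."""
    return to_bits(a)[:x] == to_bits(b)[:x]

def classful_mask(dotted):
    """Before CIDR: class A (/8), B (/16) or C (/24), decided by the first octet."""
    first = int(dotted.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None
```

The contrast is the point of the slide: classful rules would force 200.23.16.0 into a /24 of 256 addresses, while the /23 covers 200.23.16.0 through 200.23.17.255 as one 512-address block with a single routing entry.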

NAT: Network Address Translation

(Figure: local network (e.g. home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router with addresses 10.0.0.4 and 138.76.29.7, connected to the rest of the Internet.)
Datagrams with source or destination in this network have 10.0.0/24 addresses for source, destination (as usual).
All datagrams leaving the local network have the same single source NAT IP address 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

NAT translation table: WAN side addr | LAN side addr; e.g. 138.76.29.7, 5001 | 10.0.0.1, 3345; … | …

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80: S: 10.0.0.1, 3345; D: 128.119.40.186, 80.
2. The NAT router changes the datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table: S: 138.76.29.7, 5001; D: 128.119.40.186, 80.
3. The reply arrives, dest address 138.76.29.7, 5001: S: 128.119.40.186, 80; D: 138.76.29.7, 5001.
4. The NAT router changes the datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345: S: 128.119.40.186, 80; D: 10.0.0.1, 3345.
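The four NAT steps above as an added Python model (mine, not from the slides): an outbound datagram gets a fresh WAN port and a table entry, an inbound datagram is rewritten back through that entry, and an inbound datagram with no entry is dropped. The addresses and ports are the slide's; the second host and the unsolicited packet are constructed additions that show two LAN hosts may reuse the same local port and that the table also acts as a simple inbound filter.

```python
class NatRouter:
    """Port-based NAT: rewrites (LAN addr, port) to (WAN addr, port) on the way out
    and back on the way in, keeping the translation table from the slide."""
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self._next_port = first_port
        self.table = {}            # (WAN ip, WAN port) -> (LAN ip, LAN port)
        self._reverse = {}         # (LAN ip, LAN port) -> WAN port

    def outbound(self, pkt):
        lan_key = (pkt["src_ip"], pkt["src_port"])
        wan_port = self._reverse.get(lan_key)
        if wan_port is None:                       # new flow: allocate a WAN port, add an entry
            wan_port = self._next_port
            self._next_port += 1
            self._reverse[lan_key] = wan_port
            self.table[(self.wan_ip, wan_port)] = lan_key
        return {**pkt, "src_ip": self.wan_ip, "src_port": wan_port}

    def inbound(self, pkt):
        lan = self.table.get((pkt["dst_ip"], pkt["dst_port"]))
        if lan is None:
            return None                            # no entry: unsolicited, dropped
        return {**pkt, "dst_ip": lan[0], "dst_port": lan[1]}

def slide_example():
    nat = NatRouter("138.76.29.7")
    p1 = {"src_ip": "10.0.0.1", "src_port": 3345, "dst_ip": "128.119.40.186", "dst_port": 80}
    p2 = nat.outbound(p1)                                                # step 2
    reply = {"src_ip": "128.119.40.186", "src_port": 80,
             "dst_ip": "138.76.29.7", "dst_port": p2["src_port"]}        # step 3
    p4 = nat.inbound(reply)                                              # step 4
    # constructed: a second host that happens to use the same local port gets its own WAN port
    p_other = nat.outbound({"src_ip": "10.0.0.2", "src_port": 3345,
                            "dst_ip": "128.119.40.186", "dst_port": 80})
    # constructed: an inbound datagram for a port nobody opened has no entry and is dropped
    unsolicited = nat.inbound({"src_ip": "198.51.100.9", "src_port": 4444,
                               "dst_ip": "138.76.29.7", "dst_port": 9999})
    return p2, p4, p_other, unsolicited, nat.table
```

Returning None for the unsolicited datagram is the behaviour that makes NAT double as a crude inbound filter, which is also why servers behind a NAT need an explicit entry before they can be reached.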

Hierarchical routing

Scale: with 200 million destinations,
- can't store all dests in routing tables
- routing table exchange would swamp links
Administrative autonomy:
- internet = network of networks
- each network admin may want to control routing in its own network
Our routing study thus far was an idealization: all routers identical, network "flat" … not true in practice.

Hierarchical routing

- aggregate routers into regions, "autonomous systems" (AS)
- routers in the same AS run the same routing protocol: the "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols
- gateway router: direct link to a router in another AS
(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; each router runs an intra-AS routing algorithm and an inter-AS routing algorithm that together fill its forwarding table.)

Interconnected ASes

The forwarding table is configured by both the intra- and inter-AS routing algorithms:
- intra-AS sets entries for internal dests
- inter-AS and intra-AS set entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

- distance vector algorithm
- included in the BSD-UNIX distribution in 1982
- distance metric: number of hops (max = 15 hops); number of hops = number of subnets traversed along the shortest path from src router to dst subnet
(Figure: routers A, B, C, D and subnets u, v, w, x, y, z.)
From A (e.g. src = A):
destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).
Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

- "open": publicly available
- uses the link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator
- an OSPF advertisement carries one entry per neighbor router
- advertisements are disseminated to the entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

(Figure: backbone area with backbone routers, a boundary router and area border routers connecting to local areas.)
- Two-level hierarchy: local area, backbone. Link-state advertisements only in the area; each node has the detailed area topology.
- Area border routers "summarize" distances to nets in their own area and advertise to other area border routers.
- Backbone routers run OSPF routing limited to the backbone.
- Boundary routers connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
1. obtain subnet reachability information from neighboring ASes
2. propagate the reachability information to all routers internal to the AS
3. determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.
(Figure: AS1 (1a–1d), AS2 (2a–2c), AS3 (3a–3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS.)

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes; prefix + attributes = "route".
Two important attributes:
- AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17
- NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)
When a gateway router receives a route advert, it uses an import policy to accept/decline.

Why different intra- and inter-AS routing?

- Policy: inter-AS, the admin wants control over how its traffic is routed and who routes through its net; intra-AS, a single admin, so no policy decisions are needed.
- Scale: hierarchical routing saves table size and reduces update traffic.
- Performance: intra-AS can focus on performance; inter-AS, policy may dominate over performance.

Data link layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame, which encapsulates a datagram
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link layer services

Framing, link access:
- encapsulate the datagram into a frame, adding header and trailer
- channel access if the medium is shared
- "MAC" addresses used in frame headers to identify source and dest (different from IP addresses)
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit-error links (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-end reliability?

MAC protocols: a taxonomy

Three broad classes:
- Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
- Random access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to the channel in "rounds"; each station gets a fixed-length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have packets, slots 2, 5, 6 idle.

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMA/CD (collision detection)

CSMA/CD: carrier sensing and deferral as in CSMA, but collisions are detected within a short time and the colliding transmissions are aborted, reducing channel wastage.

Collision detection is easy in wired LANs (measure signal strengths, compare the transmitted and received signals) but difficult in wireless LANs (the receiver is shut off while transmitting).

(Figure: CSMA/CD collision detection.)

"Taking turns" MAC protocols

Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (the master).

Token passing: a control token is passed from one node to the next sequentially; the token is a message. Concerns: token overhead, latency, single point of failure (the token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>

TTL (time to live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B's IP address?

(Figure: a LAN with four nodes. MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88.)

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address; the destination MAC address is FF-FF-FF-FF-FF-FF, so all machines on the LAN receive the ARP query.

B receives the ARP packet and replies to A with its (B's) MAC address; the reply frame is sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft-state information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator. Nothing in the exchange authenticates the reply, so a host accepts whatever IP-to-MAC mapping it receives.
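The query/reply exchange and the soft-state cache above, as an added example (not code from the original slides): two hosts on one LAN, the slide's 20-minute TTL, the slide's example addresses, and one extra check, logging a reply that rewrites a mapping that is still live, which is the minimum a practitioner wants given that ARP replies are unauthenticated. The class and attribute names are this example's own.

```python
"""ARP resolution on one LAN with the soft-state cache the slide describes.

Added example, not from the original slides. Hosts, TTL and addresses follow
the slide; the 'alerts' log for changed mappings is an added check.
"""
BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60  # seconds; the slide's "typically 20 min"


class Lan:
    def __init__(self):
        self.hosts = []

    def attach(self, host):
        self.hosts.append(host)

    def broadcast(self, sender, payload, now):
        frame = {"dst": BROADCAST, "src": sender.mac, "payload": payload}
        for h in self.hosts:
            if h is not sender:
                h.receive(frame, now)

    def unicast(self, sender, dst_mac, payload, now):
        frame = {"dst": dst_mac, "src": sender.mac, "payload": payload}
        for h in self.hosts:
            if h.mac == dst_mac:
                h.receive(frame, now)


class Host:
    def __init__(self, ip, mac, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_table = {}   # ip -> (mac, expiry time)
        self.alerts = []      # (ip, old mac, new mac) seen for a live entry
        lan.attach(self)

    def lookup(self, ip, now):
        """Cached MAC for ip, or None; stale entries are dropped (soft state)."""
        entry = self.arp_table.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if now >= expiry:
            del self.arp_table[ip]
            return None
        return mac

    def resolve(self, ip, now):
        """Use the cache; otherwise broadcast a query and read the cached reply."""
        mac = self.lookup(ip, now)
        if mac is None:
            self.lan.broadcast(self, {"op": "request", "target_ip": ip,
                                      "sender_ip": self.ip, "sender_mac": self.mac}, now)
            mac = self.lookup(ip, now)
        return mac

    def receive(self, frame, now):
        pkt = frame["payload"]
        if pkt["op"] == "request" and pkt["target_ip"] == self.ip:
            self.cache(pkt["sender_ip"], pkt["sender_mac"], now)  # learn the asker
            reply = {"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac}
            self.lan.unicast(self, pkt["sender_mac"], reply, now)  # unicast back
        elif pkt["op"] == "reply":
            self.cache(pkt["sender_ip"], pkt["sender_mac"], now)

    def cache(self, ip, mac, now):
        old = self.lookup(ip, now)
        if old is not None and old != mac:
            # Added check: ARP carries no authentication, so a reply that
            # rewrites a live mapping is worth recording before accepting it.
            self.alerts.append((ip, old, mac))
        self.arp_table[ip] = (mac, now + ARP_TTL)


def build_lan():
    """Two of the slide's example nodes on one LAN."""
    lan = Lan()
    a = Host("237.196.7.23", "1A-2F-BB-76-09-AD", lan)
    b = Host("237.196.7.78", "58-23-D7-FA-20-B0", lan)
    return lan, a, b
```

`resolve()` at time 0 populates the cache; the same lookup at `ARP_TTL` seconds returns nothing and triggers a fresh query, which is the "times out unless refreshed" behaviour on the slide.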

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find the router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.

A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame; R's adapter receives it. R removes the IP datagram from the Ethernet frame and sees that it is destined to B. R uses ARP to get B's MAC address, creates a frame containing the A-to-B IP datagram, and sends it to B.

(Figure: A, R and B, with R joining the two LANs.)

Ethernet uses CSMA/CD

No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting: carrier sense.

A transmitting adapter aborts when it senses that another adapter is transmitting: collision detection.

Before attempting a retransmission, the adapter waits a random time: random access.

Ethernet CSMA/CD algorithm

1. The adapter receives a datagram from the network layer and creates a frame.

2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.

3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.

4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).

5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}, waits K * 512 bit times, and returns to step 2.

Ethernet's CSMA/CD (more)

Jam signal: makes sure all other transmitters are aware of the collision; 48 bits.

Bit time: 0.1 microsecond for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 msec (1023 * 512 * 0.1 us = 52.4 ms).

Exponential backoff: the goal is to adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer.

After the first collision, choose K from {0, 1}; the delay is K * 512 bit transmission times.

After the second collision, choose K from {0, 1, 2, 3}.

After ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}.
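Steps 2 to 5 of the algorithm above, as an added example (not code from the original slides). The window rule and the 512-bit-time unit are the slide's; the cap of the window at m = 10 and the "drop the frame after 16 collisions" rule are standard Ethernet behaviour assumed here, and the `collides_on_attempt` callback stands in for the channel.

```python
"""Ethernet CSMA/CD exponential backoff (slide steps 2-5).

Added example, not from the original slides. Window cap at m = 10 and the
16-attempt limit are standard Ethernet behaviour assumed for the demo.
"""
import random

SLOT_BITS = 512      # backoff unit: 512 bit times
MAX_EXPONENT = 10    # the window stops growing after the 10th collision
MAX_ATTEMPTS = 16    # the adapter gives up on the frame after 16 collisions


def backoff_window(m):
    """Number of choices for K after the m-th collision: 2^min(m, 10)."""
    if m < 1:
        raise ValueError("m counts collisions, so it must be >= 1")
    return 2 ** min(m, MAX_EXPONENT)


def wait_seconds(k, rate_bps):
    """Wait time for a chosen K at a given link rate (bit time = 1 / rate)."""
    return k * SLOT_BITS / rate_bps


def choose_backoff(m, rng):
    """Draw K uniformly from {0, ..., 2^min(m, 10) - 1}."""
    return rng.randrange(backoff_window(m))


def transmit(collides_on_attempt, rng=None, rate_bps=10e6):
    """Run the slide's loop until the frame goes out or is dropped.

    collides_on_attempt(n) -> bool says whether attempt n (1-based) collides.
    Returns (delivered, attempts_used, total_backoff_seconds).
    """
    rng = rng or random.Random(7)
    total_wait = 0.0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if not collides_on_attempt(attempt):
            return True, attempt, total_wait
        # the m-th collision (m == attempt): abort, jam, then back off
        k = choose_backoff(attempt, rng)
        total_wait += wait_seconds(k, rate_bps)
    return False, MAX_ATTEMPTS, total_wait


if __name__ == "__main__":
    ok, n, waited = transmit(lambda a: a <= 3)   # first three attempts collide
    print(ok, n, f"{waited * 1e6:.1f} us of backoff")
    print("worst single wait at 10 Mb/s:", f"{wait_seconds(1023, 10e6) * 1e3:.1f} ms")
```

The window doubles only up to 1024 choices, which is why the slide's "after ten collisions" set ends at 1023 and the worst-case single wait at 10 Mb/s is 52.4 ms rather than growing without bound.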

CSMA/CD efficiency

t_prop = maximum propagation delay between two nodes in the LAN
t_trans = time to transmit a maximum-size frame

efficiency = 1 / (1 + 5 * t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0, and goes to 1 as t_trans goes to infinity. Much better than ALOHA, but still decentralized, simple and cheap.

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub, the adapters detect collisions. A hub provides some network management functionality, e.g. it can disconnect a malfunctioning adapter.

(Figure: twisted-pair links into a hub.)

Interconnecting with hubs

Pros: enables interdepartmental communication; extends the maximum distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: the collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

(Figure: a backbone hub connecting three departmental hubs.)

Switch

A link-layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC destination address; when a frame is to be forwarded on a segment, it uses CSMA/CD to access the segment.

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem.

(Figure: a switch with interfaces 1, 2 and 3, each connected to a hub.)

Self-learning

A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp). Stale entries in the table are dropped (the TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks a subnet into LAN segments; the switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments, and the segments become separate collision domains.

(Figure: a switch connecting three hubs, each hub forming its own collision domain.)
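Self-learning, filtering and flooding as described above, as an added example (not code from the original slides). The 60-minute aging value is the slide's; the host names and interface numbers are made up for the demo. Note that the table is filled from source addresses the switch merely observes, so a frame with a forged source address moves the victim's entry.

```python
"""Self-learning switch with the (MAC, interface, time stamp) table from the slide.

Added example, not from the original slides; hosts and interfaces are made up.
"""
STALE_AFTER = 60 * 60  # seconds; the slide's "TTL can be 60 min"


class LearningSwitch:
    def __init__(self, num_interfaces):
        self.interfaces = list(range(1, num_interfaces + 1))
        self.table = {}  # mac -> (interface, time last seen)

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen >= STALE_AFTER]
        for m in stale:
            del self.table[m]

    def handle(self, in_iface, src, dst, now):
        """Learn the sender's location, then filter or forward the frame.

        Returns the list of interfaces the frame is sent out on.
        """
        self._expire(now)
        self.table[src] = (in_iface, now)            # learning
        if dst in self.table:
            out = self.table[dst][0]
            return [] if out == in_iface else [out]  # same segment: filter
        # unknown destination (or broadcast): flood all but the incoming port
        return [i for i in self.interfaces if i != in_iface]
```

The first frame to an unknown host is flooded exactly as a hub would repeat it; once the reply has been seen, traffic between the two hosts stays on their two segments.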

Switches vs. routers

Both are store-and-forward devices: routers are network-layer devices (they examine network-layer headers); switches are link-layer devices.

Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug and play       yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other. This means A and C are unaware of their interference at B.

(Figure: nodes A, B and C, with A's and C's signal strength plotted against space.)

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other because each one's signal has faded by the time it reaches the other, yet the two still interfere at B.

IEEE 802.11 wireless LAN

802.11b: 2.4 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer, with all hosts using the same chipping code; widely deployed using base stations.

802.11a: 5 GHz range; up to 54 Mbps.

802.11g: 2.4 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access, and all have base-station and ad-hoc network versions.

802.11 LAN architecture

A wireless host communicates with a base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell"): in infrastructure mode it contains wireless hosts and an access point (AP, base station); in ad hoc mode it contains hosts only.

(Figure: two BSSs, each with an AP, joined through a hub, switch or router to the Internet.)

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender:

1. If the channel is sensed idle for DIFS, transmit the entire frame (no collision detection).

2. If the channel is sensed busy: start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK arrives, increase the random backoff interval and repeat step 2.

802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem).

(Figure: the sender waits DIFS and sends data; the receiver waits SIFS and sends the ACK.)

Collision avoidance: RTS-CTS exchange

(Figure: A and B both send a short RTS reservation to the AP and the two RTS frames collide; A retries, the AP answers with CTS(A), which both A and B hear; A sends DATA(A) and the AP returns ACK(A), while B defers for the reserved duration.)

802.11 frame

Fields (bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), sequence control (2), address 4 (6), payload (0-2312), CRC (4).

802.11 frame addressing

Address 1: MAC address of the wireless host or AP to receive this frame.

Address 2: MAC address of the wireless host or AP transmitting this frame.

Address 3: MAC address of the router interface to which the AP is attached.

Address 4: used only in ad hoc mode.

Example (figure): host H1 sends to router interface R1 through the AP. The 802.11 frame carries address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. The AP converts it to an 802.3 frame whose destination address is R1 MAC addr; the slide's figure shows the source address as AP MAC addr, but an AP acting as a transparent bridge keeps H1's MAC address as the 802.3 source, which is what lets R1's ARP table map H1's IP address to H1's MAC address.
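The address mapping in both directions, as an added example (not code from the original slides): the host-to-AP frame is rewritten onto the wired LAN, and a wired frame for the host is rewritten onto the air. The MAC values are made up, the `to_ds` flag stands in for the To-DS/From-DS bits of the frame control field, and the AP is modelled as a transparent bridge (H1 stays the 802.3 source).

```python
"""802.11 <-> 802.3 address mapping for the infrastructure case on the slide
(host H1 behind an AP talking to router interface R1).

Added example, not from the original slides; MAC values are made up and the
AP is modelled as a transparent bridge.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame80211:
    addr1: str    # receiver of this frame over the air (AP or wireless host)
    addr2: str    # transmitter of this frame over the air
    addr3: str    # wired-side address: destination (to_ds) or source (from_ds)
    to_ds: bool   # True: host -> AP; False: AP -> host
    payload: bytes


@dataclass(frozen=True)
class Frame8023:
    dst: str
    src: str
    payload: bytes


def is_for_ap(f, ap_mac):
    """A to-DS frame whose address 1 names this AP."""
    return f.to_ds and f.addr1 == ap_mac


def wireless_to_wired(f, ap_mac):
    """AP receives a host's frame and forwards it on the wired LAN:
    802.3 destination = address 3, 802.3 source = address 2."""
    if not is_for_ap(f, ap_mac):
        raise ValueError("not a to-DS frame addressed to this AP")
    return Frame8023(dst=f.addr3, src=f.addr2, payload=f.payload)


def wired_to_wireless(f, ap_mac):
    """AP receives a wired frame for one of its hosts and sends it over the
    air: address 1 = host, address 2 = AP, address 3 = original wired source."""
    return Frame80211(addr1=f.dst, addr2=ap_mac, addr3=f.src,
                      to_ds=False, payload=f.payload)


H1, AP, R1 = "00:11:22:aa:bb:01", "00:11:22:aa:bb:ff", "00:11:22:aa:bb:10"


def demo():
    """The slide's scenario in both directions."""
    up = Frame80211(addr1=AP, addr2=H1, addr3=R1, to_ds=True, payload=b"to router")
    wired = wireless_to_wired(up, AP)
    reply = Frame8023(dst=H1, src=R1, payload=b"from router")
    down = wired_to_wireless(reply, AP)
    return up, wired, down
```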

Network security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.


Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Failure scenario: playback attack. Trudy records Alice's packet ("I'm Alice", Alice's IP addr, Alice's password; Bob replies OK to Alice's IP addr) and later plays it back to Bob, who replies OK again.

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Failure scenario: record and playback still works. Trudy never needs to decrypt the password; replaying the recorded packet ("I'm Alice", Alice's IP addr, encrypted password) makes Bob reply OK again.

Authentication: yet another try

Goal: avoid the playback attack.

Nonce: a number (R) used only once in a lifetime.

ap4.0: to prove Alice "live", Bob sends Alice a nonce R; Alice must return R encrypted with the shared secret key. Alice: "I am Alice". Bob: R. Alice: K_A-B(R).

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice.

Failures, drawbacks: requires a shared symmetric key between Alice and Bob.
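ap4.0 in code, as an added example (not from the original slides), with the replay attempt of ap3.0/ap3.1 run against it. The slide says "R encrypted with the shared key"; the keyed function used here is an HMAC, which is the usual way to implement "prove you hold the key" and is this example's choice, not the slide's. The key and the nonces are constructed for the demo. Bob tracks which nonces are outstanding so that a recorded (R, K(R)) pair is rejected.

```python
"""ap4.0 nonce challenge-response over a shared key, plus the replay that fails.

Added example, not from the original slides. HMAC stands in for the slide's
"encrypt with the shared key"; key material is constructed for the demo.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"alice-bob-shared-secret"   # demo key, normally provisioned out of band


def prove(key, nonce):
    """Alice's side: K_A-B(R)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob:
    def __init__(self, key):
        self.key = key
        self.outstanding = set()   # nonces issued and not yet answered
        self.used = set()          # nonces that must never be accepted again

    def challenge(self):
        r = secrets.token_bytes(16)   # fresh, unpredictable nonce
        self.outstanding.add(r)
        return r

    def verify(self, nonce, response):
        """True only for a live answer to a nonce Bob actually issued."""
        if nonce not in self.outstanding:
            return False               # replayed, expired or never issued
        self.outstanding.discard(nonce)
        self.used.add(nonce)
        return hmac.compare_digest(prove(self.key, nonce), response)


def honest_run(bob):
    """Alice says "I am Alice", Bob sends R, Alice returns K(R)."""
    r = bob.challenge()
    resp = prove(SHARED_KEY, r)
    return r, resp, bob.verify(r, resp)


def replay(bob, r, resp):
    """Trudy replays the recorded (R, K(R)) exactly as in ap3.x."""
    return bob.verify(r, resp)
```

The recorded pair fails not because Trudy's bytes are wrong but because Bob issued a different R this time; that is the whole point of the nonce.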

Authentication: ap5.0

ap4.0 requires a shared symmetric key; can we authenticate using public key techniques? ap5.0: use a nonce and public key cryptography.

Alice: "I am Alice". Bob: R. Alice: K_A^-(R). Bob: "send me your public key". Alice: K_A^+.

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Trudy to Bob: "I am Alice". Bob: R. Trudy: K_T^-(R). Bob: "send me your public key". Trudy: K_T^+. Bob computes K_T^+(K_T^-(R)) = R and believes he is talking to Alice.

Trudy to Alice, posing as Bob: "I am Alice" is relayed, then Trudy sends R. Alice: K_A^-(R). Trudy: "send me your public key". Alice: K_A^+.

Bob sends m encrypted with Trudy's public key, K_T^+(m). Trudy gets m = K_T^-(K_T^+(m)), then sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice computes m = K_A^-(K_A^+(m)).

Difficult to detect: Bob receives everything that Alice sends and vice versa (e.g. so Bob and Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well.
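The attack above, run with textbook RSA so that each step can be checked, as an added example (not code from the original slides). The key pairs are tiny demo keys generated here (no padding, not secure, illustration only); the point they make is that Bob's check K^+(K^-(R)) = R passes for Trudy's key pair exactly as it does for Alice's, because nothing in ap5.0 ties the public key Bob receives to Alice. Names such as `bob_runs_ap50` and the `Trudy` class are this example's own.

```python
"""The ap5.0 man-in-the-middle from the slide, run with textbook RSA.

Added example, not from the original slides. Keys are tiny demo keys built
here for illustration only; the notation follows the slide (A = Alice,
T = Trudy, K+ public, K- private).
"""


def make_keypair(p, q, e=17):
    """Textbook RSA: n = p*q, d = e^-1 mod (p-1)(q-1). Demo sizes only."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (e, n), (d, n)   # (K+, K-)


def sign_nonce(priv, r):        # K^-(R)
    d, n = priv
    return pow(r, d, n)


def check_nonce(pub, r, sig):   # does K^+(K^-(R)) == R ?
    e, n = pub
    return pow(sig, e, n) == r


def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


ALICE_PUB, ALICE_PRIV = make_keypair(61, 53)
TRUDY_PUB, TRUDY_PRIV = make_keypair(67, 71)


def alice(r):
    """Alice's side: K_A^-(R), then her public key when asked."""
    return sign_nonce(ALICE_PRIV, r), ALICE_PUB


def bob_runs_ap50(r, respond, m):
    """Bob's side of ap5.0. `respond(r)` is whoever claimed "I am Alice"; it
    returns (K^-(R), K^+). If the check passes, Bob sends m under that K^+."""
    sig, pub = respond(r)
    if not check_nonce(pub, r, sig):
        return None
    return encrypt(pub, m)


class Trudy:
    """Poses as Alice to Bob and as Bob to Alice; keeps what she reads."""

    def __init__(self):
        self.read = []
        self.alice_pub = None

    def respond_to_bob(self, r):
        _, self.alice_pub = alice(r)               # she runs the protocol with Alice too
        return sign_nonce(TRUDY_PRIV, r), TRUDY_PUB  # but answers Bob with her own key

    def relay_to_alice(self, c_from_bob):
        m = decrypt(TRUDY_PRIV, c_from_bob)        # m = K_T^-(K_T^+(m))
        self.read.append(m)
        return encrypt(self.alice_pub, m)          # K_A^+(m): Alice sees the same m
```

Bob's verification is mathematically correct in both runs; the fix is not a better check on R but a way to bind K_A^+ to Alice (a certificate or a key obtained out of band), which is what the protocol lacks.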

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Firewalls

A firewall isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.

(Figure: administered network, firewall, public Internet.)

Firewalls: why?

Prevent denial of service attacks: SYN flooding, where the attacker establishes many bogus TCP connections so that no resources are left for "real" connections.

Prevent illegal modification/access of internal data, e.g. an attacker replaces the CIA's homepage with something else.

Allow only authorized access to the inside network (a set of authenticated users/hosts).

Two types of firewalls: application-level and packet-filtering.

Packet filtering

The internal network is connected to the Internet via a router firewall. The router filters packet by packet; the decision to forward or drop a packet is based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should an arriving packet be allowed in? Should a departing packet be let out?

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP) and with either source or destination port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP segments with SYN = 1 and ACK = 0. This prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside, because the SYN-ACK returning to an internal client has ACK = 1.
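Both examples as a stateless filter, added here as an example (not code from the original slides). Packets are dicts constructed for the demo; which side is "inbound" is decided against an assumed internal prefix, and the rule functions and their names are this example's own. The default verdict is "forward", matching the slide's examples, which block specific traffic; a production filter would normally default to drop.

```python
"""Stateless packet filter implementing the slide's two examples.

Added example, not from the original slides. The internal prefix, the packet
representation and the sample packets are constructed for the demo.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # assumed internal prefix
PROTO_TCP, PROTO_UDP = 6, 17


def direction(pkt):
    src_in = ipaddress.ip_address(pkt["src"]) in INTERNAL
    dst_in = ipaddress.ip_address(pkt["dst"]) in INTERNAL
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return "local"   # both inside or both outside: not this filter's decision


def rule_block_udp_and_telnet(pkt, direction):
    """Example 1: drop protocol 17, and drop TCP with port 23 on either end."""
    if pkt["proto"] == PROTO_UDP:
        return "drop"
    if pkt["proto"] == PROTO_TCP and 23 in (pkt["sport"], pkt["dport"]):
        return "drop"
    return None


def rule_block_inbound_syn(pkt, direction):
    """Example 2: drop inbound TCP with SYN=1, ACK=0 (a connection attempt from
    outside). The inbound SYN-ACK of an internally started connection has
    ACK=1 and is not matched."""
    if direction == "in" and pkt["proto"] == PROTO_TCP and pkt["syn"] and not pkt["ack"]:
        return "drop"
    return None


RULES = [rule_block_udp_and_telnet, rule_block_inbound_syn]


def filter_packet(pkt):
    """First matching rule decides; otherwise forward, as in the slide's examples."""
    d = direction(pkt)
    for rule in RULES:
        verdict = rule(pkt, d)
        if verdict:
            return verdict
    return "forward"


def tcp(src, dst, sport, dport, syn, ack):
    return {"src": src, "dst": dst, "proto": PROTO_TCP,
            "sport": sport, "dport": dport, "syn": syn, "ack": ack}


def udp(src, dst, sport, dport):
    return {"src": src, "dst": dst, "proto": PROTO_UDP,
            "sport": sport, "dport": dport, "syn": False, "ack": False}
```

Because the filter keeps no state, example 2 is only as good as the flag check: an inbound segment with both SYN and ACK set passes even if no internal host ever sent the matching SYN, which is one reason stateful filters replaced this style.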

Application gateways

Filter packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

1. Require all telnet users to telnet through the gateway (host-to-gateway telnet session).

2. For authorized users, the gateway sets up a telnet connection to the destination host (gateway-to-remote-host telnet session) and relays data between the two connections.

3. The router filter blocks all telnet connections not originating from the gateway.

(Figure: application gateway behind a router and filter.)

Limitations of firewalls and gateways

IP spoofing: the router can't know whether data "really" comes from the claimed source.

If multiple applications need special treatment, each has its own application gateway.

Client software must know how to contact the gateway, e.g. the IP address of the proxy must be set in the Web browser.

Filters often use an all-or-nothing policy for UDP.

Tradeoff: degree of communication with the outside world vs. level of security.

Many highly protected sites still suffer from attacks.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Internet security threats

Mapping: before attacking, "case the joint" to find out what services are implemented on the network. Use ping to determine which hosts have addresses on the network. Port scanning: try to establish a TCP connection to each port in sequence.

Countermeasures

Mapping countermeasures: record the traffic entering the network and look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: packet sniffing

On broadcast media, a NIC in promiscuous mode reads all packets passing by and can read all unencrypted data (e.g. passwords). E.g. C sniffs B's packets to A.

(Figure: A, B and C on a shared segment; frame src:B dest:A payload.)

Countermeasures

Packet sniffing countermeasures: all hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode; one host per segment of broadcast media (switched Ethernet in place of the hub).

(Figure: A, B and C each on their own switch port; the frame src:B dest:A payload reaches only A.)

Internet security threats: IP spoofing

An application can generate "raw" IP packets directly, putting any value into the IP source address field. The receiver can't tell whether the source is spoofed; e.g. C pretends to be B.

(Figure: C sends a frame with src:B dest:A payload.)

Countermeasures

IP spoofing: ingress filtering. Routers should not forward outgoing packets with invalid source addresses (e.g. a datagram whose source address is not in the router's network). Great, but ingress filtering cannot be mandated for all networks.

Internet security threats: denial of service (DoS)

A flood of maliciously generated packets "swamps" the receiver. Distributed DoS (DDoS): multiple coordinated sources swamp the receiver; e.g. C and a remote host SYN-attack A.

(Figure: SYN packets from C and from a remote host converging on A.)

Countermeasures

DoS countermeasures: filter out the flooded packets (e.g. SYN) before they reach the host, which throws out good with bad; trace back to the source of the floods (most likely an innocent, compromised machine).
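Two of the countermeasures in this section, the "record traffic and look for ports being scanned sequentially" step from the mapping countermeasures and "filter out flooded SYNs" from the DoS countermeasures, need the same thing first: a pass over recorded traffic that decides what is suspicious. The block below is an added example (not code from the original slides) that does both over one constructed packet log; the log format, the sample records, the address ranges and the thresholds are all this example's assumptions.

```python
"""Detection over a recorded packet log: sequential port scans and SYN floods.

Added example, not from the original slides. Log format, sample records and
thresholds are constructed for the demo.
"""
from collections import defaultdict

# Constructed sample log: "time src dst dport flags" (S = SYN, SA = SYN-ACK).
SAMPLE_LOG = """\
0.00 10.9.8.7 222.22.1.5 21 S
0.01 10.9.8.7 222.22.1.5 22 S
0.02 10.9.8.7 222.22.1.5 23 S
0.03 10.9.8.7 222.22.1.5 24 S
0.04 10.9.8.7 222.22.1.5 25 S
0.05 10.9.8.7 222.22.1.5 26 S
1.00 222.22.1.9 222.22.1.5 80 S
1.01 222.22.1.5 222.22.1.9 80 SA
"""


def flood_lines(dst, n, start=2.0, gap=0.005):
    """Constructed SYN flood: n bare SYNs from n different (spoofed) sources."""
    return "".join(f"{start + i * gap:.3f} 203.0.113.{i} {dst} 80 S\n" for i in range(n))


def parse(log_text):
    recs = []
    for line in log_text.splitlines():
        t, src, dst, dport, flags = line.split()
        recs.append({"t": float(t), "src": src, "dst": dst,
                     "dport": int(dport), "flags": flags})
    return recs


def is_bare_syn(r):
    return "S" in r["flags"] and "A" not in r["flags"]


def sequential_scanners(recs, min_ports=5):
    """(src, dst, run length) for sources that probe a run of consecutive ports."""
    ports = defaultdict(set)
    for r in recs:
        if is_bare_syn(r):
            ports[(r["src"], r["dst"])].add(r["dport"])
    hits = []
    for (src, dst), ps in ports.items():
        ordered = sorted(ps)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_ports:
            hits.append((src, dst, best))
    return hits


def syn_floods(recs, window=1.0, threshold=50):
    """Destinations that receive more than `threshold` bare SYNs within `window` s."""
    syns = defaultdict(list)
    for r in recs:
        if is_bare_syn(r):
            syns[r["dst"]].append(r["t"])
    flagged = []
    for dst, times in syns.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over arrival times
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.append(dst)
                break
    return flagged


def analyse(log_text):
    recs = parse(log_text)
    return sequential_scanners(recs), syn_floods(recs)
```

The flood detector keys on the destination rather than the source, because, as the slide notes, the sources are spoofed or compromised and there may be one SYN per source; the scan detector keys on the (source, destination) pair because a scanner reuses its address across ports.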

Review (1)

Network layer: virtual circuits and datagram networks; routing principles (link state algorithm, distance vector algorithm); the Internet (IP) protocol (IPv4 addressing, datagram format, IP fragmentation, ICMP: Internet Control Message Protocol, IPv6, NAT: Network Address Translation).

Review (2)

Routing in the Internet: hierarchical routing, RIP, OSPF, BGP.

Data link layer: introduction and services; error detection and correction; multiple access protocols (TDMA/FDMA, random access protocols, "taking turns" protocols); link-layer addressing; Ethernet; hubs and switches; mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs.

Review (3)

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

Routing algorithm classification

Global or decentralized information?

Global: all routers have complete topology and link cost information ("link state" algorithms).

Decentralized: a router knows its physically connected neighbors and the link costs to them; an iterative process of computation and exchange of information with neighbors ("distance vector" algorithms).

Static or dynamic?

Static: routes change slowly over time.

Dynamic: routes change more quickly, with periodic updates and updates in response to link cost changes.

Dijkstra's algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = infinity

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

(Figure: edge costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2.)

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        inf        inf
1     ux       2,u        4,x                   2,x        inf
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:

D_x(y) <- min_v { c(x,v) + D_v(y) } for each node y in N

Under minor, natural conditions, the estimates D_x(y) converge to the actual least cost d_x(y).

Distance vector algorithm (2)

Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies its neighbors only when its DV changes; the neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path, only the next hop.

Each node: wait for (a change in local link cost or a message from a neighbor); recompute the estimates; if the DV to any destination has changed, notify the neighbors.

Example (figure): three nodes with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7. In each table the rows are "from" (x, y, z) and the columns "cost to" (x, y, z).

Time 0. Node x table: x: 0 2 7; y: inf inf inf; z: inf inf inf. Node y table: x: inf inf inf; y: 2 0 1; z: inf inf inf. Node z table: x: inf inf inf; y: inf inf inf; z: 7 1 0.

Time 1, after the first exchange. Node x table: x: 0 2 3; y: 2 0 1; z: 7 1 0. Node y table: x: 0 2 7; y: 2 0 1; z: 7 1 0. Node z table: x: 0 2 7; y: 2 0 1; z: 3 1 0.

Time 2, after the second exchange, all three tables read: x: 0 2 3; y: 2 0 1; z: 3 1 0.

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2

D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
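The three-node example computed by the algorithm rather than by hand, as an added example (not code from the original slides). Rounds are synchronous here for determinism (the slide's algorithm is asynchronous but settles on the same tables), and the function also records the next hop each node would use, since the slide notes that a node knows only its next hop.

```python
"""Distance vector (Bellman-Ford) on the slide's three-node example.

Added example, not from the original slides. Synchronous rounds are an
assumption for determinism.
"""
INF = float("inf")


def run_dv(costs, max_rounds=10):
    """costs: {(a, b): c} for the direct links.

    Returns (tables, hops, rounds): tables[x][v] is v's row as node x knows
    it, hops[x][y] is the next hop x uses for y, rounds is how many exchanges
    were needed before nothing changed.
    """
    nodes = sorted({n for edge in costs for n in edge})
    link = {}
    for (a, b), c in costs.items():
        link[(a, b)] = link[(b, a)] = c
    # time 0: each node's own row holds the direct link costs, nothing else
    tables = {x: {x: {y: 0 if y == x else link.get((x, y), INF) for y in nodes}}
              for x in nodes}
    hops = {x: {} for x in nodes}
    for r in range(1, max_rounds + 1):
        changed = False
        for x in nodes:
            neighbours = [v for v in nodes if (x, v) in link]
            for v in neighbours:                       # DV received from v
                tables[x][v] = dict(tables[v][v])
            new_row, new_hops = {x: 0}, {}
            for y in nodes:
                if y == x:
                    continue
                # Bellman-Ford: D_x(y) = min_v { c(x,v) + D_v(y) }
                cost, via = min((link[(x, v)] + tables[x][v][y], v) for v in neighbours)
                new_row[y], new_hops[y] = cost, via
            if new_row != tables[x][x]:
                tables[x][x], changed = new_row, True
            hops[x] = new_hops
        if not changed:
            return tables, hops, r
    return tables, hops, max_rounds


SLIDE_LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}
```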

The Internet network layer

Host and router network-layer functions:

Routing protocols: path selection; RIP, OSPF, BGP.

IP protocol: addressing conventions; datagram format; packet handling conventions.

ICMP protocol: error reporting; router "signaling".

(Figure: the network layer, with its forwarding table, sits between the transport layer (TCP, UDP) and the link and physical layers.)

IP datagram format

(Figure: the header, 32 bits wide.)

ver: IP protocol version number
head len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number of remaining hops (decremented at each router)
upper layer: upper-layer protocol to deliver the payload to
Internet checksum
32-bit source IP address
32-bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + application-layer overhead.

IP addressing: introduction

IP address: 32-bit identifier for a host or router interface.

Interface: connection between a host/router and a physical link. Routers typically have multiple interfaces; a host may have multiple interfaces. IP addresses are associated with each interface.

(Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3 and 223.1.1.4 on one LAN; 223.1.2.9, 223.1.2.2 and 223.1.2.1 on a second; 223.1.3.27, 223.1.3.1 and 223.1.3.2 on a third.)

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address: subnet part (high-order bits) and host part (low-order bits).

What's a subnet? Device interfaces with the same subnet part of their IP address can physically reach each other without an intervening router.

(Figure: the same interfaces, forming a network consisting of 3 subnets: 223.1.1.x, 223.1.2.x and 223.1.3.x.)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).

CIDR: Classless InterDomain Routing. The subnet portion of the address is of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

200.23.16.0/23 = 11001000 00010111 0001000|0 00000000 (subnet part: the first 23 bits; host part: the remaining 9 bits)
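The prefix arithmetic above done with plain bit operations, as an added example (not code from the original slides). It serves two passages: the CIDR notation here, and the ingress-filtering countermeasure against IP spoofing in the threats section, which is exactly a prefix-membership test on the source address of each outgoing packet. 200.23.16.0/23 is the slide's example; the sample packets and the function names are this example's own.

```python
"""CIDR prefixes with bit operations, applied to the slide's ingress filter.

Added example, not from the original slides. Sample packets are constructed.
"""


def ip_to_int(dotted):
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_prefix(cidr):
    """'a.b.c.d/x' -> (network as int, mask as int, x)."""
    addr, x = cidr.split("/")
    x = int(x)
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask, x


def in_prefix(ip, cidr):
    """True if ip's subnet part equals the prefix's subnet part."""
    net, mask, _ = parse_prefix(cidr)
    return ip_to_int(ip) & mask == net


def prefix_info(cidr):
    net, mask, x = parse_prefix(cidr)
    bits = format(net, "032b")
    return {"network": int_to_ip(net), "mask": int_to_ip(mask),
            "subnet_bits": bits[:x], "host_bits": 32 - x, "addresses": 2 ** (32 - x)}


def ingress_filter(packets, site_prefix):
    """The slide's rule: forward an outgoing packet only if its source address
    lies in the router's own network. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if in_prefix(pkt["src"], site_prefix) else dropped).append(pkt)
    return forwarded, dropped
```

The filter sits on the router facing out of the site, so it can only stop this site's hosts from spoofing; that is the slide's point that it "cannot be mandated for all networks".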

NAT: Network Address Translation

(Figure: a local network, e.g. a home network, 10.0.0.0/24, with hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3 and the NAT router's inside interface 10.0.0.4; the router's outside address is 138.76.29.7, facing the rest of the Internet.)

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source and destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, port 80: S: 10.0.0.1, 3345; D: 128.119.40.186, 80.

2. The NAT router changes the datagram's source address from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates its table: S: 138.76.29.7, 5001; D: 128.119.40.186, 80.

NAT translation table: WAN side addr 138.76.29.7, 5001 <-> LAN side addr 10.0.0.1, 3345; ...

3. The reply arrives with destination address 138.76.29.7, 5001: S: 128.119.40.186, 80; D: 138.76.29.7, 5001.

4. The NAT router changes the datagram's destination address from 138.76.29.7, 5001 to 10.0.0.1, 3345: S: 128.119.40.186, 80; D: 10.0.0.1, 3345.

Hierarchical routing

Our routing study thus far has been an idealization: all routers identical, the network "flat". Not true in practice.

Scale: with 200 million destinations, you can't store all destinations in routing tables, and routing table exchange would swamp the links.

Administrative autonomy: the Internet is a network of networks, and each network admin may want to control routing in its own network.

Hierarchical routing

Aggregate routers into regions, "autonomous systems" (ASes). Routers in the same AS run the same routing protocol, the "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.

Gateway router: has a direct link to a router in another AS.

(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. Inside a gateway router, the intra-AS and inter-AS routing algorithms both feed the forwarding table.)

Interconnected ASes

The forwarding table is configured by both the intra- and inter-AS routing algorithms: intra-AS sets the entries for internal destinations; inter-AS and intra-AS together set the entries for external destinations.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm; included in the BSD-UNIX distribution in 1982. Distance metric: number of hops (max = 15 hops), i.e. the number of subnets traversed along the shortest path from the source router to the destination subnet.

(Figure: routers A, B, C, D and subnets u, v, w, x, y, z.) From source router A: destination u, 1 hop; v, 2; w, 2; x, 3; y, 3; z, 2.

RIP advertisements

Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement). Each advertisement lists up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses a link state algorithm: LS packet dissemination; a topology map at each node; route computation using Dijkstra's algorithm. Link costs are configured by the network administrator.

An OSPF advertisement carries one entry per neighbor router. Advertisements are disseminated to the entire AS (via flooding), carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages can be authenticated (to prevent malicious intrusion). Authentication is a configured option rather than the default, and the simple-password mode sends the password in cleartext, so the cryptographic (keyed digest) mode is the one to enable.

Multiple same-cost paths are allowed (only one path in RIP).

For each link, multiple cost metrics for different TOS (e.g. a satellite link's cost set "low" for best effort, high for real time).

Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF.

Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area and backbone. Link-state advertisements stay within an area; each node has the detailed topology of its own area.

Area border routers "summarize" distances to nets in their own area and advertise them to other area border routers.

Backbone routers run OSPF routing limited to the backbone.

Boundary routers connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:

1. Obtain subnet reachability information from neighboring ASes.

2. Propagate the reachability information to all routers internal to the AS.

3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

(Figure: the three ASes again; eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS.)

Path attributes and BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:

AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17.

NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).

When a gateway router receives a route advert, it uses its import policy to accept or decline it.

Why different intra- and inter-AS routing?

Policy: inter-AS, the admin wants control over how its traffic is routed and who routes through its net; intra-AS, a single admin, so no policy decisions are needed.

Scale: hierarchical routing saves table size and reduces update traffic.

Performance: intra-AS can focus on performance; inter-AS, policy may dominate over performance.

Data link layer

Some terminology: hosts and routers are nodes; the communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs). A layer-2 packet is a frame, which encapsulates a datagram.

The data-link layer has responsibility for transferring a datagram from one node to an adjacent node over a link.

Link layer services

Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if the medium is shared; "MAC" addresses are used in frame headers to identify source and destination (different from IP addresses).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low-bit-error links (fiber, some twisted pair); used on wireless links, which have high error rates. Q: why both link-level and end-to-end reliability?

MAC protocols: a taxonomy

Three broad classes:

Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code) and allocate each piece to a node for exclusive use.

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.

Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.

[Figure: spatial layout of nodes] Note the role of distance and propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing and deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.

Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).

CSMA/CD collision detection [figure]

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).

Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B's IP address?

[Figure: LAN with nodes 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88 and their MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53]

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.

B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator.

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find the router 111.111.111.110. In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A, R, B]

A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame; R's adapter receives the frame. R removes the IP datagram from the Ethernet frame and sees that it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.
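The walkthrough above as an added simulation in Python (not code from the slides): two broadcast LANs joined by router R, ARP tables with the 20-minute soft-state TTL, a broadcast query answered by a unicast reply, and the frame rewritten at each hop while the IP datagram inside stays the same. Only R's address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slide; the other addresses and MACs are constructed.

```python
import ipaddress

ARP_TTL = 20 * 60                  # a cached mapping is forgotten after 20 minutes
BROADCAST = "FF-FF-FF-FF-FF-FF"
# A frame is (dst_mac, src_mac, payload); payload is an ARP dict or {"ip_src", "ip_dst"}.


class Node:
    """A host or router: one (ip, mac) per attached LAN, plus an ARP table and a routing table."""

    def __init__(self, interfaces, routes):
        self.ifaces = interfaces   # lan name -> (ip, mac)
        self.routes = routes       # list of (network, lan name, next-hop ip or None if direct)
        self.arp = {}              # ip -> (mac, expiry time)
        self.lans = {}             # lan name -> LAN

    def route(self, ip_dst):
        for net, lan, next_hop in self.routes:
            if ipaddress.ip_address(ip_dst) in ipaddress.ip_network(net):
                return lan, next_hop or ip_dst
        raise LookupError(f"no route to {ip_dst}")

    def cached_mac(self, ip, now):
        entry = self.arp.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        self.arp.pop(ip, None)     # soft state: a timed-out entry goes away
        return None

    def resolve(self, lan, ip, now):
        """Return the MAC for ip on lan, broadcasting an ARP query first if it is not cached."""
        if self.cached_mac(ip, now) is None:
            my_ip, my_mac = self.ifaces[lan]
            query = {"arp": "request", "sender_ip": my_ip, "sender_mac": my_mac, "target_ip": ip}
            self.lans[lan].transmit((BROADCAST, my_mac, query), now)
        return self.cached_mac(ip, now)

    def send(self, ip_src, ip_dst, now):
        """Forward a datagram one hop: pick the next hop, resolve its MAC, emit the frame."""
        lan, next_hop = self.route(ip_dst)
        mac = self.resolve(lan, next_hop, now)
        self.lans[lan].transmit((mac, self.ifaces[lan][1], {"ip_src": ip_src, "ip_dst": ip_dst}), now)

    def receive(self, lan, frame, now):
        my_ip, my_mac = self.ifaces[lan]
        dst_mac, src_mac, p = frame
        if dst_mac not in (BROADCAST, my_mac):
            return                 # the adapter discards frames addressed to other stations
        if p.get("arp") == "request" and p["target_ip"] == my_ip:
            self.arp[p["sender_ip"]] = (p["sender_mac"], now + ARP_TTL)
            reply = {"arp": "reply", "sender_ip": my_ip, "sender_mac": my_mac}
            self.lans[lan].transmit((p["sender_mac"], my_mac, reply), now)   # unicast back
        elif p.get("arp") == "reply":
            self.arp[p["sender_ip"]] = (p["sender_mac"], now + ARP_TTL)
        elif "ip_dst" in p and p["ip_dst"] != my_ip:
            self.send(p["ip_src"], p["ip_dst"], now)   # router: strip the frame, forward the datagram


class LAN:
    """A broadcast segment: every attached adapter sees every frame. Logs frames for inspection."""

    def __init__(self, name, nodes):
        self.name, self.nodes, self.log = name, nodes, []
        for node in nodes:
            node.lans[name] = self

    def transmit(self, frame, now):
        dst_mac, src_mac, payload = frame
        self.log.append((self.name, dst_mac, src_mac, payload.get("arp", "ip")))
        for node in list(self.nodes):
            node.receive(self.name, frame, now)


def build_topology():
    """A -- LAN1 -- R -- LAN2 -- B. R's LAN1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B
    are the slide's; every other address and MAC here is a constructed sample value."""
    a = Node({"lan1": ("111.111.111.111", "74-29-9C-E8-FF-55")},
             [("0.0.0.0/0", "lan1", "111.111.111.110")])
    r = Node({"lan1": ("111.111.111.110", "E6-E9-00-17-BB-4B"),
              "lan2": ("222.222.222.220", "1A-23-F9-CD-06-9B")},
             [("111.111.111.0/24", "lan1", None), ("222.222.222.0/24", "lan2", None)])
    b = Node({"lan2": ("222.222.222.222", "49-BD-D2-C7-56-2A")},
             [("0.0.0.0/0", "lan2", "222.222.222.220")])
    return a, r, b, LAN("lan1", [a, r]), LAN("lan2", [r, b])


def walkthrough(gap=60):
    """Send A -> B at t=0 and again `gap` seconds later. Returns the datagram-carrying frames of
    the first send and the number of ARP queries broadcast during each send."""
    a, r, b, lan1, lan2 = build_topology()
    a.send("111.111.111.111", "222.222.222.222", 0)
    first = [e for e in lan1.log + lan2.log if e[3] == "ip"]
    queries_first = sum(e[3] == "request" for e in lan1.log + lan2.log)
    lan1.log.clear()
    lan2.log.clear()
    a.send("111.111.111.111", "222.222.222.222", gap)
    queries_second = sum(e[3] == "request" for e in lan1.log + lan2.log)
    return first, queries_first, queries_second
```

With a warm cache the second send needs no ARP traffic; once the TTL has passed both A and R must query again.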

Ethernet uses CSMA/CD

No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting: that is carrier sense. A transmitting adapter aborts when it senses that another adapter is transmitting: that is collision detection. Before attempting a retransmission, the adapter waits a random time: that is random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from network layer and creates frame.

2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.

3. If adapter transmits entire frame without detecting another transmission, the adapter is done with the frame.

4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).

5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of collision; 48 bits.

Bit time: 0.1 microsecond for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.

Exponential backoff. Goal: adapt retransmission attempts to estimated current load; under heavy load, random wait will be longer. First collision: choose K from {0, 1}; delay is K * 512 bit transmission times. After second collision: choose K from {0, 1, 2, 3}. ... After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency

$t_{prop}$ = max propagation delay between 2 nodes in LAN; $t_{trans}$ = time to transmit max-size frame.

$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$

Efficiency goes to 1 as $t_{prop}$ goes to 0, and goes to 1 as $t_{trans}$ goes to infinity. Much better than ALOHA, but still decentralized, simple and cheap.
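An added Python example (not from the slides) of the backoff rule and the efficiency formula above, with a small experiment showing why doubling the range of K after each collision makes two adapters that just collided unlikely to collide again. The bit time is the 10 Mbps value from the slide; the trial counts and seeds are constructed.

```python
import random

BIT_TIME_US = 0.1      # one bit time at 10 Mbps = 0.1 microsecond
SLOT_BITS = 512        # backoff is measured in units of 512 bit times
JAM_BITS = 48          # length of the jam signal
MAX_EXPONENT = 10      # after the 10th collision K stays in {0, ..., 1023}


def k_choices(collisions: int) -> int:
    """Number of values K can take after the m-th collision: 2^min(m, 10)."""
    if collisions < 1:
        raise ValueError("backoff happens only after a collision")
    return 2 ** min(collisions, MAX_EXPONENT)


def draw_backoff_us(collisions: int, rng=None) -> float:
    """Pick K uniformly from {0, ..., 2^m - 1} and return the wait in microseconds."""
    if rng is None:
        rng = random.Random()
    k = rng.randrange(k_choices(collisions))
    return k * SLOT_BITS * BIT_TIME_US


def max_backoff_us(collisions: int) -> float:
    """Longest possible wait after the m-th collision (K = 2^m - 1)."""
    return (k_choices(collisions) - 1) * SLOT_BITS * BIT_TIME_US


def recollision_rate(collisions: int, trials: int = 20_000, seed: int = 7) -> float:
    """Fraction of trials in which two adapters that just collided draw the same K.

    Equal K means both retransmit in the same slot and collide again; the
    probability is 1 / 2^m, so it halves with every further collision.
    """
    rng = random.Random(seed)
    same = sum(
        rng.randrange(k_choices(collisions)) == rng.randrange(k_choices(collisions))
        for _ in range(trials)
    )
    return same / trials


def efficiency(t_prop: float, t_trans: float) -> float:
    """CSMA/CD channel efficiency 1 / (1 + 5 t_prop / t_trans); both in the same unit."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    rng = random.Random(1)
    for m in (1, 2, 3, 10, 12):
        print(f"collision {m:2d}: K in 0..{k_choices(m) - 1}, "
              f"max wait {max_backoff_us(m) / 1000:.2f} ms, "
              f"sample wait {draw_backoff_us(m, rng):.1f} us, "
              f"re-collision rate {recollision_rate(m):.3f}")
    # a 1500-byte frame at 10 Mbps takes 1200 us; 25 us propagation is a large LAN
    print(f"efficiency: {efficiency(25, 1200):.3f}")
```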

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub, adapters detect collisions; provides network management functionality (e.g. can disconnect a malfunctioning adapter).

[Figure: hub with twisted-pair links]

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

[Figure: backbone hub connecting three hubs]

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC destination address; when frame is to be forwarded on a segment, uses CSMA/CD to access the segment.

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem.

[Figure: switch with interfaces 1, 2 and 3, each connected to a hub]

Self learning

A switch has a switch table. Entry in switch table: (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min).

Switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.

[Figure: switch connecting three hubs, each hub forming its own collision domain]
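The self-learning and filtering behaviour of the two slides above as an added Python example (not the slides' own code): the switch table holds (MAC address, interface, time stamp), unknown destinations are flooded, same-segment frames are filtered, and entries older than the 60-minute TTL are dropped. The MAC addresses and interface numbers are constructed.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
TABLE_TTL = 60 * 60          # stale entries dropped after 60 minutes (seconds)


class LearningSwitch:
    """Switch table: MAC address -> (interface, time stamp), learned from frame sources."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}
        self.trace = []          # (time, in_iface, src, dst, action, out_ifaces) per frame

    def purge(self, now):
        """Drop entries whose time stamp is older than TABLE_TTL."""
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > TABLE_TTL:
                del self.table[mac]

    def handle(self, in_iface, src_mac, dst_mac, now):
        """Learn the sender's location, then filter or forward. Returns the output interfaces."""
        self.purge(now)
        self.table[src_mac] = (in_iface, now)          # self-learning: record sender/location
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            out = [i for i in self.interfaces if i != in_iface]   # unknown: flood other segments
            action = "flood"
        elif entry[0] == in_iface:
            out, action = [], "filter"                   # same segment: not forwarded
        else:
            out, action = [entry[0]], "forward"
        self.trace.append((now, in_iface, src_mac, dst_mac, action, tuple(out)))
        return out


def scenario():
    """Constructed sample: A and C share the hub on interface 1, B hangs off interface 2."""
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    sw = LearningSwitch([1, 2, 3])
    results = [
        sw.handle(1, A, B, now=0),                  # B unknown -> flood to 2 and 3
        sw.handle(2, B, A, now=1),                  # A known on 1 -> forward to 1 only
        sw.handle(1, C, A, now=2),                  # A is on C's own segment -> filtered
        sw.handle(1, A, BROADCAST, now=3),          # broadcast always floods
        sw.handle(1, A, B, now=4),                  # B known on 2 -> forward to 2
        sw.handle(1, A, B, now=4 + TABLE_TTL + 1),  # every entry aged out -> flood again
    ]
    return sw, results
```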

Switches vs. Routers

Both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.

Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

[Figure: nodes A, B and C in a line]

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.

[Figure: A's signal strength and C's signal strength plotted against space]

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations.

802.11a: 5-6 GHz range; up to 54 Mbps.

802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP): base station. Ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:

1. If sense channel idle for DIFS, then transmit entire frame (no CD).

2. If sense channel busy, then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2.

802.11 receiver: if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).

[Figure: sender waits DIFS then sends data; receiver waits SIFS then returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP and the RTS frames collide; A's RTS is repeated, the AP answers CTS(A) (a reservation), A sends DATA(A), the AP returns ACK(A); B defers]

802.11 frame: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4); field sizes in bytes.

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame.

Address 2: MAC address of wireless host or AP transmitting this frame.

Address 3: MAC address of router interface to which AP is attached.

Address 4: used only in ad hoc mode.

[Figure: H1 - AP - R1 (Internet router)]

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.

802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr.

Network Security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.


Authentication: another try

Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.

Playback attack: Trudy records Alice's packet and later plays it back to Bob.

[Figure: Alice sends "I'm Alice", Alice's IP addr, Alice's password; Bob answers OK, Alice's IP addr; later Trudy replays "I'm Alice", Alice's IP addr, Alice's password]

Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Failure scenario?

[Figure: Alice sends "I'm Alice", Alice's IP addr, encrypted password; Bob answers OK, Alice's IP addr]

Authentication: another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Record and playback still works!

[Figure: Alice sends "I'm Alice", Alice's IP addr, encrypted password; Bob answers OK, Alice's IP addr; later Trudy replays "I'm Alice", Alice's IP addr, encrypted password]

Authentication: yet another try

Goal: avoid playback attack.

Nonce: number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice "live", Bob sends Alice a nonce R; Alice must return R encrypted with the shared secret key.

[Figure: "I am Alice" -> Bob; R <- Bob; $K_{A-B}(R)$ -> Bob]

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!

Failures, drawbacks?
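An added Python example (not the slides' code) of the two authentication outcomes above: a recorded ap3.1 proof is accepted again on playback, while under ap4.0 a recorded (R, response) pair is rejected because Bob only accepts the answer to the nonce he is currently waiting on. A keyed MAC (HMAC) stands in for "R encrypted with the shared key"; the key is a constructed demo value.

```python
import hashlib
import hmac
import secrets

# Constructed demo key K_A-B shared by Alice and Bob (a real system would never hard-code it).
SHARED_KEY = b"constructed-demo-key-for-ap4.0"


def keyed(key: bytes, data: bytes) -> bytes:
    """Stand-in for encrypting data under the shared key: only a key holder can produce it."""
    return hmac.new(key, data, hashlib.sha256).digest()


# --- ap3.1: Alice sends a fixed "encrypted password" -----------------------------------

def ap31_prove(key: bytes) -> bytes:
    """Alice's proof is the same bytes every time, so a recording of it is as good as the key."""
    return keyed(key, b"alice-password")


def ap31_verify(key: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(proof, ap31_prove(key))


# --- ap4.0: Bob challenges with a nonce R; Alice answers K_A-B(R) -----------------------

class BobAp40:
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = None          # the one nonce Bob is currently waiting on
        self.used = set()                # nonces already consumed: used only once

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)
        self.outstanding = r
        return r

    def verify(self, r: bytes, proof: bytes) -> bool:
        """Accept only a fresh answer to the live nonce; a replayed (R, proof) pair fails."""
        if r != self.outstanding or r in self.used:
            return False
        self.used.add(r)
        self.outstanding = None
        return hmac.compare_digest(proof, keyed(self.key, r))


def alice_ap40(key: bytes, r: bytes) -> bytes:
    return keyed(key, r)


def replay_against_ap31() -> bool:
    """Trudy records Alice's proof and plays it back later: Bob accepts it (True)."""
    recorded = ap31_prove(SHARED_KEY)
    return ap31_verify(SHARED_KEY, recorded)


def run_ap40() -> tuple:
    """Returns (genuine run accepted, replay of the recorded exchange accepted)."""
    bob = BobAp40(SHARED_KEY)
    r = bob.challenge()
    proof = alice_ap40(SHARED_KEY, r)
    genuine = bob.verify(r, proof)       # Alice is live and knows the key
    bob.challenge()                      # later: a new session, so Bob issues a new nonce
    replayed = bob.verify(r, proof)      # the recorded R and proof are presented again
    return genuine, replayed
```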

Authentication: ap5.0

ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography.

[Figure: "I am Alice" -> Bob; R <- Bob; $K_A^-(R)$ -> Bob; "send me your public key" <- Bob; $K_A^+$ -> Bob]

Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

[Figure: Alice to Trudy: "I am Alice"; Trudy to Bob: "I am Alice"; Bob: R; Trudy: $K_T^-(R)$; Bob: "Send me your public key"; Trudy: $K_T^+$. Trudy to Alice: R; Alice: $K_A^-(R)$; Trudy: "Send me your public key"; Alice: $K_A^+$. Bob sends $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$ and sends m to Alice encrypted with Alice's public key, $K_A^+(m)$; Alice recovers $m = K_A^-(K_A^+(m))$]

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Difficult to detect: Bob receives everything that Alice sends and vice versa (e.g. so Bob and Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well!

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Firewalls

Firewall: isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.

[Figure: administered network - firewall - public Internet]

Firewalls: Why

Prevent denial of service attacks: SYN flooding, attacker establishes many bogus TCP connections, no resources left for "real" connections.

Prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else.

Allow only authorized access to inside network (set of authenticated users/hosts).

Two types of firewalls: application-level, packet-filtering.

Packet Filtering

Internal network connected to Internet via router firewall. Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway; router and filter]

1. Require all telnet users to telnet through gateway.

2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between the 2 connections.

3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source.

If multiple apps need special treatment, each has its own app gateway.

Client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser.

Filters often use all-or-nothing policy for UDP.

Tradeoff: degree of communication with outside world vs. level of security.

Many highly protected sites still suffer from attacks.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Internet security threats

Mapping: before attacking, "case the joint": find out what services are implemented on network. Use ping to determine what hosts have addresses on network. Port-scanning: try to establish TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: packet sniffing

Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords); e.g. C sniffs B's packets.

[Figure: hosts A, B and C on a shared medium; frame src:B dest:A payload]

Countermeasures?

Internet security threats: packet sniffing countermeasures

All hosts in organization run software that checks periodically if host interface is in promiscuous mode.

One host per segment of broadcast media (switched Ethernet at hub).

[Figure: hosts A, B and C; frame src:B dest:A payload]

Internet security threats: IP spoofing

Can generate "raw" IP packets directly from application, putting any value into IP source address field. Receiver can't tell if source is spoofed; e.g. C pretends to be B.

[Figure: hosts A, B and C; frame src:B dest:A payload sent by C]

Countermeasures?

Internet security threats: IP spoofing, ingress filtering

Routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network).

Great, but ingress filtering cannot be mandated for all networks.

[Figure: hosts A, B and C; frame src:B dest:A payload]
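An added Python example (not the slides' code) serving both the Packet Filtering slide and the ingress-filtering slide above: the two example rules plus an ingress rule, applied to constructed sample packets. Example 2 is read here as "SYN set and ACK clear", so that replies to connections opened from inside still pass; the internal prefix reuses the slides' CIDR example 200.23.16.0/23 and is not a real deployment.

```python
from dataclasses import dataclass
import ipaddress

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Packet:
    direction: str            # "in": arriving from the Internet, "out": departing
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


# Constructed: the internal network behind the router firewall (the slides' CIDR example).
INTERNAL = ipaddress.ip_network("200.23.16.0/23")


def example1_udp_and_telnet(p: Packet) -> bool:
    """Example 1: drop IP protocol 17 (UDP) or anything with source or dest port 23 (telnet)."""
    return p.proto == UDP or 23 in (p.sport, p.dport)


def example2_inbound_syn(p: Packet) -> bool:
    """Example 2: drop inbound TCP SYN packets (SYN set, ACK clear); SYN+ACK replies pass."""
    return p.direction == "in" and p.proto == TCP and p.syn and not p.ack


def ingress_filter(p: Packet) -> bool:
    """Ingress filtering: do not forward departing packets whose source is not in our network."""
    return p.direction == "out" and ipaddress.ip_address(p.src) not in INTERNAL


RULES = [
    ("example1-udp-telnet", example1_udp_and_telnet),
    ("example2-inbound-syn", example2_inbound_syn),
    ("ingress-spoofed-source", ingress_filter),
]


def decide(p: Packet) -> str:
    """First matching drop rule wins; otherwise the packet is forwarded."""
    for name, matches in RULES:
        if matches(p):
            return f"drop:{name}"
    return "forward"


# Constructed traffic; 203.0.113.0/24 is a documentation range standing in for "outside".
SAMPLE = [
    Packet("in", "203.0.113.9", "200.23.16.5", UDP, 53, 5353),                      # inbound UDP
    Packet("out", "200.23.16.5", "203.0.113.9", TCP, 40000, 23, syn=True),          # outbound telnet
    Packet("in", "203.0.113.9", "200.23.16.5", TCP, 40001, 80, syn=True),           # outside opens
    Packet("out", "200.23.16.5", "203.0.113.9", TCP, 40002, 80, syn=True),          # inside opens
    Packet("in", "203.0.113.9", "200.23.16.5", TCP, 80, 40002, syn=True, ack=True), # its SYN+ACK
    Packet("in", "203.0.113.9", "200.23.16.5", TCP, 80, 40002, ack=True),           # its data
    Packet("out", "10.0.0.5", "203.0.113.9", TCP, 40003, 80, syn=True),             # spoofed source
]


def run_sample() -> list:
    return [decide(p) for p in SAMPLE]
```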

Internet security threats: denial of service (DoS)

Flood of maliciously generated packets "swamp" receiver. Distributed DoS (DDoS): multiple coordinated sources swamp receiver; e.g. C and a remote host SYN-attack A.

[Figure: hosts A, B and C; SYN packets flood from C and from a remote host toward A]

Countermeasures?

Internet security threats: denial of service (DoS) countermeasures

Filter out flooded packets (e.g. SYN) before reaching host: throws out good with bad.

Traceback to source of floods (most likely an innocent, compromised machine).

[Figure: hosts A, B and C; SYN packets flood toward A]
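An added Python example (not the slides' code) covering the mapping countermeasure ("ports being scanned sequentially") and the DoS countermeasure above: detection logic run over constructed connection records, flagging a source that walks consecutive ports on one host and a target that receives a burst of bare SYNs. The addresses come from documentation ranges and the thresholds are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool


def longest_sequential_run(ports) -> int:
    """Length of the longest run of consecutive port numbers in the set."""
    ports = sorted(set(ports))
    best = run = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_sequential_scans(records, min_run: int = 5) -> dict:
    """Mapping countermeasure: (src, dst) pairs where src touched >= min_run consecutive ports."""
    touched = defaultdict(set)
    for r in records:
        touched[(r.src, r.dst)].add(r.dport)
    flagged = {}
    for pair, ports in touched.items():
        run = longest_sequential_run(ports)
        if run >= min_run:
            flagged[pair] = run
    return flagged


def detect_syn_floods(records, window: float = 1.0, threshold: int = 50) -> dict:
    """DoS countermeasure: (dst, port) pairs receiving more than threshold bare SYNs in a window.

    Only SYNs without ACK count. Sources are deliberately ignored: a flood's sources are many,
    spoofed, or innocent compromised machines, so counting per target is what matters.
    """
    by_target = defaultdict(list)
    for r in records:
        if r.syn and not r.ack:
            by_target[(r.dst, r.dport)].append(r.ts)
    flagged = {}
    for target, times in by_target.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):              # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[target] = peak
    return flagged


def constructed_traffic() -> list:
    """Constructed records: normal browsing, one sequential port scan from 203.0.113.7,
    and a SYN flood against 198.51.100.10:80 from many sources."""
    recs = []
    for i in range(20):                                        # normal: a SYN, then its ACK
        recs.append(Record(i * 3.0, f"198.51.100.{20 + i}", "198.51.100.10", 80, True, False))
        recs.append(Record(i * 3.0 + 0.1, f"198.51.100.{20 + i}", "198.51.100.10", 80, False, True))
    for port in range(20, 32):                                 # scanner walks ports 20..31
        recs.append(Record(100.0 + port * 0.2, "203.0.113.7", "198.51.100.10", port, True, False))
    for i in range(200):                                       # 200 bare SYNs in half a second
        recs.append(Record(200.0 + i * 0.0025, f"203.0.113.{i % 250}", "198.51.100.10", 80, True, False))
    return recs
```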

Review (1): Network Layer

Virtual circuits and datagram networks. Routing principles: link state algorithm; distance vector algorithm. The Internet (IP) protocol: IPv4 addressing; datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation.

Review (2): Routing in the Internet

Hierarchical routing; RIP; OSPF; BGP.

Data link layer: introduction and services; error detection and correction; multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols; link-layer addressing; Ethernet; hubs and switches. Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs.

Review (3): Network security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

Routing Algorithm classification

Global or decentralized information?

Global: all routers have complete topology and link cost info; "link state" algorithms.

Decentralized: router knows physically-connected neighbors and link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms.

Static or dynamic?

Static: routes change slowly over time.

Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞

  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'

Dijkstra's algorithm example

[Figure: network with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]

Step   N'        D(v),p(v)   D(w),p(w)   D(x),p(x)   D(y),p(y)   D(z),p(z)
0      u         2,u         5,u         1,u         ∞           ∞
1      ux        2,u         4,x                     2,x         ∞
2      uxy       2,u         3,y                                 4,y
3      uxyv                  3,y                                 4,y
4      uxyvw                                                     4,y
5      uxyvwz

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:

$$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \} \quad \text{for each node } y \in N$$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path, only the next hop.

Each node: wait for (change in local link cost or msg from neighbor); recompute estimates; if DV to any dest has changed, notify neighbors.

[Figure: three-node network x, y, z with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1; the node x, node y and node z tables over time. Node x starts with row (0, 2, 7) and the neighbors' rows unknown (∞); after the exchange its row becomes (0, 2, 3). Node y's row (2, 0, 1) does not change; node z's row goes from (7, 1, 0) to (3, 1, 0).]

$D_x(y) = \min\{c(x,y) + D_y(y),\ c(x,z) + D_z(y)\} = \min\{2+0,\ 7+1\} = 2$

$D_x(z) = \min\{c(x,y) + D_y(z),\ c(x,z) + D_z(z)\} = \min\{2+1,\ 7+0\} = 3$
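The Bellman-Ford update and the three-node exchange above as an added Python example (not the slides' code): each node recomputes its DV from its neighbors' most recently sent DVs, records only the next hop, and the rounds stop when no DV changes. The synchronous round structure is a simplification of the asynchronous algorithm the slide describes.

```python
INF = float("inf")


def bellman_ford_update(node, neighbors, neighbor_dvs, nodes):
    """D_x(y) = min over neighbors v of { c(x,v) + D_v(y) } for every destination y.

    Also returns the neighbor chosen for each destination: the next hop is all a node knows.
    """
    new_dv, next_hop = {}, {}
    for y in nodes:
        if y == node:
            new_dv[y], next_hop[y] = 0, node
            continue
        best, via = INF, None
        for v, cost in neighbors.items():
            candidate = cost + neighbor_dvs.get(v, {}).get(y, INF)
            if candidate < best:
                best, via = candidate, v
        new_dv[y], next_hop[y] = best, via
    return new_dv, next_hop


def run_distance_vector(costs):
    """Synchronous rounds: every node sends its DV, every node recomputes, until nothing changes.

    costs: {(a, b): c} for each undirected link. Returns (final DVs, next hops, rounds run).
    """
    nodes = sorted({n for link in costs for n in link})
    neighbors = {n: {} for n in nodes}
    for (a, b), c in costs.items():
        neighbors[a][b] = neighbors[b][a] = c
    # initial estimate: the direct link cost to each neighbor, infinity elsewhere
    dvs = {n: {y: (0 if y == n else neighbors[n].get(y, INF)) for y in nodes} for n in nodes}
    hops = {n: {y: (n if y == n else (y if y in neighbors[n] else None)) for y in nodes}
            for n in nodes}
    rounds = 0
    while True:
        rounds += 1
        sent = {n: dict(dv) for n, dv in dvs.items()}        # the DVs as sent this round
        changed = False
        for n in nodes:
            received = {v: sent[v] for v in neighbors[n]}
            new_dv, new_hops = bellman_ford_update(n, neighbors[n], received, nodes)
            if new_dv != dvs[n]:
                changed = True
            dvs[n], hops[n] = new_dv, new_hops
        if not changed:
            return dvs, hops, rounds


SLIDE_COSTS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}   # the three-node example above

if __name__ == "__main__":
    dvs, hops, rounds = run_distance_vector(SLIDE_COSTS)
    for n in dvs:
        print(f"node {n}: D = {dvs[n]}, next hops = {hops[n]}")
    print("rounds until stable:", rounds)
```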

The Internet Network layer

Host, router network layer functions:

Routing protocols: path selection; RIP, OSPF, BGP.

IP protocol: addressing conventions; datagram format; packet handling conventions.

ICMP protocol: error reporting; router "signaling".

Forwarding table.

[Figure: transport layer (TCP, UDP) above the network layer; link layer and physical layer below]

IP datagram format

Header fields (32 bits per row):

ver: IP protocol version number; head len: header length (bytes); type of service: "type" of data; length: total datagram length (bytes).

16-bit identifier, flgs, fragment offset: for fragmentation/reassembly.

time to live: max number of remaining hops (decremented at each router); upper layer: upper layer protocol to deliver payload to; Internet checksum.

32-bit source IP address.

32-bit destination IP address.

Options (if any): e.g. timestamp, record route taken, specify list of routers to visit.

data (variable length, typically a TCP or UDP segment).

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + application layer overhead.

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface.

Interface: connection between host/router and physical link; routers typically have multiple interfaces; a host may have multiple interfaces; IP addresses are associated with each interface.

[Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001 (223 . 1 . 1 . 1)

Subnets

IP address: subnet part (high order bits), host part (low order bits).

What's a subnet? Device interfaces with the same subnet part of IP address can physically reach each other without an intervening router.

[Figure: the same addresses as above; network consisting of 3 subnets]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing; subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

11001000 00010111 00010000 00000000 = 200.23.16.0/23 (first 23 bits: subnet part; remaining bits: host part)

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router interface 10.0.0.4; the router's address toward the rest of the Internet is 138.76.29.7]

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source, destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1. Host 10.0.0.1 sends datagram to 128.119.40.186, 80: S: 10.0.0.1, 3345; D: 128.119.40.186, 80.

2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates table: S: 138.76.29.7, 5001; D: 128.119.40.186, 80.

3. Reply arrives, dest address 138.76.29.7, 5001: S: 128.119.40.186, 80; D: 138.76.29.7, 5001.

4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345: S: 128.119.40.186, 80; D: 10.0.0.1, 3345.

NAT translation table:

WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
......                 ......
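The four steps above as an added Python example (not the slides' code): a port-based NAT router that allocates a fresh WAN port per (LAN address, port) pair, rewrites the source on the way out and the destination on the way back, and discards inbound datagrams with no table entry. The addresses are the slide's; the second host and the port numbering policy are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port-based NAT as on the slides: every outgoing datagram leaves with the router's single
    WAN address and a unique source port; replies are mapped back through the table."""

    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.wan_to_lan = {}      # WAN port -> (LAN ip, LAN port)
        self.lan_to_wan = {}      # (LAN ip, LAN port) -> WAN port

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite source (LAN ip, port) -> (WAN ip, port), adding a table entry if new."""
        key = (d.src_ip, d.src_port)
        if key not in self.lan_to_wan:
            port = self.next_port
            self.next_port += 1
            self.lan_to_wan[key] = port
            self.wan_to_lan[port] = key
        return replace(d, src_ip=self.wan_ip, src_port=self.lan_to_wan[key])

    def inbound(self, d: Datagram):
        """Step 4: rewrite destination (WAN ip, port) -> (LAN ip, port); None if no entry."""
        if d.dst_ip != self.wan_ip or d.dst_port not in self.wan_to_lan:
            return None           # nothing inside asked for this, so it is discarded
        lan_ip, lan_port = self.wan_to_lan[d.dst_port]
        return replace(d, dst_ip=lan_ip, dst_port=lan_port)

    def table(self) -> dict:
        """The translation table in the slide's form: WAN side addr -> LAN side addr."""
        return {(self.wan_ip, p): k for p, k in self.wan_to_lan.items()}


def slide_walkthrough():
    """The four numbered steps from the slide; returns the router and the datagram at each step."""
    nat = NatRouter("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)      # host 10.0.0.1 sends
    step2 = nat.outbound(step1)                                    # leaves as 138.76.29.7, 5001
    step3 = Datagram("128.119.40.186", 80, "138.76.29.7", 5001)   # reply arrives
    step4 = nat.inbound(step3)                                     # delivered to 10.0.0.1, 3345
    return nat, [step1, step2, step3, step4]
```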

Hierarchical Routing

Our routing study thus far: idealization, all routers identical, network "flat"... not true in practice.

Scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS). Routers in the same AS run the same routing protocol: "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.

Gateway router: direct link to a router in another AS.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); the intra-AS routing algorithm and the inter-AS routing algorithm both feed the forwarding table]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithms: intra-AS sets entries for internal destinations; inter-AS and intra-AS set entries for external destinations.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm; included in BSD-UNIX distribution in 1982. Distance metric: number of hops (max = 15 hops); number of hops = number of subnets traversed along the shortest path from source router to destination subnet (e.g. source = A).

[Figure: routers A, B, C, D and subnets u, v, w, x, y, z]

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement). Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).

Multiple same-cost paths allowed (only one path in RIP).

For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).

Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology database as OSPF.

Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.

Area border routers: "summarize" distances to nets in own area, advertise to other area border routers.

Backbone routers: run OSPF routing limited to backbone.

Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:

1. Obtain subnet reachability information from neighboring ASes.

2. Propagate the reachability information to all routers internal to the AS.

3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS]

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:

AS-PATH: contains the ASes through which the advert for the prefix passed: AS 67, AS 17.

NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).

When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.

Scale: hierarchical routing saves table size, reduced update traffic.

Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs. A layer-2 packet is a frame; it encapsulates a datagram.

[Figure: "link" between adjacent nodes]

The data-link layer has responsibility for transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and dest (different from IP address).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links have high error rates.

Q: why both link-level and end-to-end reliability?

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision, the entire packet transmission time is wasted.

Figure (space-time diagram, not reproduced): spatial layout of nodes.

Note: role of distance & propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel wastage

Collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted, received signals
• difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection (space-time diagram, not reproduced)

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn
• concerns: polling overhead, latency, single point of failure (master)

Token passing: control token passed from one node to next sequentially; token message
• concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table.

ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).

Question: how to determine MAC address of B knowing B's IP address?

Figure (not reproduced): LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88.

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address; Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
• soft state: information that times out (goes away) unless refreshed

ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

Figure (not reproduced): A — R — B, with A and B on different LANs joined by router R.

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
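To make the ARP table, its soft-state TTL and the A → R → B walkthrough concrete, here is an added example (my code, not from the slides). It models two LANs joined by a router; R's LAN1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's, while the other addresses and MACs are constructed sample values. The `walkthrough()` function returns the two frames that appear on the wire, so you can see that the IP datagram is unchanged while the frame addresses change at R, and `arp_queries_for_two_sends()` shows that a cached mapping is reused until its TTL expires.

```python
ARP_TTL = 20 * 60                   # seconds; slide: mappings forgotten after ~20 min
BROADCAST = "FF-FF-FF-FF-FF-FF"     # destination of an ARP query


class ArpCache:
    """Soft-state IP -> MAC table: an entry goes away unless refreshed before its TTL."""

    def __init__(self, ttl=ARP_TTL):
        self.ttl = ttl
        self.entries = {}           # ip -> (mac, time learned)

    def lookup(self, ip, now):
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, learned = hit
        if now - learned > self.ttl:        # stale: forget it
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)


class Lan:
    """One broadcast segment; records every frame put on the wire."""

    def __init__(self, name):
        self.name = name
        self.attached = {}          # ip -> mac of each attached interface
        self.frames = []            # (src_mac, dst_mac, payload)

    def send(self, src_mac, dst_mac, payload):
        self.frames.append((src_mac, dst_mac, payload))


def arp_resolve(cache, lan, my_ip, my_mac, target_ip, now):
    """Return target's MAC; broadcast an ARP query only on a cache miss."""
    mac = cache.lookup(target_ip, now)
    if mac is None:
        lan.send(my_mac, BROADCAST, ("ARP-query", my_ip, target_ip))   # every machine receives it
        mac = lan.attached[target_ip]                                   # the owner answers...
        lan.send(mac, my_mac, ("ARP-reply", target_ip, mac))           # ...by unicast to the asker
        cache.learn(target_ip, mac, now)
    return mac


class Node:
    def __init__(self, name):
        self.name = name
        self.ifaces = {}            # lan name -> (ip, mac, lan); a router has one per LAN
        self.caches = {}            # lan name -> ArpCache: one ARP table per LAN

    def attach(self, lan, ip, mac):
        self.ifaces[lan.name] = (ip, mac, lan)
        self.caches[lan.name] = ArpCache()
        lan.attached[ip] = mac

    def send_frame(self, lan_name, next_hop_ip, datagram, now):
        ip, mac, lan = self.ifaces[lan_name]
        dst_mac = arp_resolve(self.caches[lan_name], lan, ip, mac, next_hop_ip, now)
        lan.send(mac, dst_mac, datagram)


def build_topology():
    """A -- LAN1 -- R -- LAN2 -- B. R's LAN1 address and MAC are the slide's;
    the other addresses and MACs are constructed sample values."""
    lan1, lan2 = Lan("LAN1"), Lan("LAN2")
    a, r, b = Node("A"), Node("R"), Node("B")
    a.attach(lan1, "111.111.111.111", "02-00-00-00-00-0A")
    r.attach(lan1, "111.111.111.110", "E6-E9-00-17-BB-4B")
    r.attach(lan2, "222.222.222.220", "02-00-00-00-00-02")
    b.attach(lan2, "222.222.222.222", "02-00-00-00-00-0B")
    return a, r, b, lan1, lan2


def walkthrough(now=0):
    """Send one datagram A -> B via R and return the frame seen on each LAN."""
    a, r, b, lan1, lan2 = build_topology()
    datagram = ("IP", "111.111.111.111", "222.222.222.222", "payload")
    a.send_frame("LAN1", "111.111.111.110", datagram, now)   # A's routing table: next hop is R
    frame1 = lan1.frames[-1]
    r.send_frame("LAN2", frame1[2][2], frame1[2], now)       # R re-frames the same datagram for B
    frame2 = lan2.frames[-1]
    return frame1, frame2, lan1.frames, lan2.frames


def arp_queries_for_two_sends(gap_seconds):
    """Send A -> R twice, gap_seconds apart; count ARP queries (1 while cached, 2 after TTL)."""
    a, r, b, lan1, lan2 = build_topology()
    datagram = ("IP", "111.111.111.111", "222.222.222.222", "payload")
    for now in (0, gap_seconds):
        a.send_frame("LAN1", "111.111.111.110", datagram, now)
    return sum(1 for f in lan1.frames if f[1] == BROADCAST)
```

Each LAN's frame log shows the three frames the slide describes: the broadcast query, the unicast reply, and the data frame. Because ARP entries are learned from whatever reply arrives, the only thing that retires a mapping is the TTL; that soft-state behaviour is what the second function measures.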

Ethernet uses CSMA/CD

No slots.
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.

Exponential Backoff
• Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
• first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0, 1, 2, 3} ...
• after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}

CSMA/CD efficiency

tprop = max prop delay between 2 nodes in LAN
ttrans = time to transmit max-size frame

efficiency = 1 / (1 + 5 tprop / ttrans)

• Efficiency goes to 1 as tprop goes to 0
• Goes to 1 as ttrans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap
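The backoff rule in steps 4-5 of the algorithm, the 1023 cap after ten collisions, the ~50 ms worst case at 10 Mbps and the efficiency formula above can all be exercised in one place. This is an added example (my code, not from the slides): the adapter's retransmission loop runs against a scripted channel, a constructed list that says which attempts collide, so the behaviour is reproducible. The `seeded_rng` helper and the frame length are assumptions of the example.

```python
import random

JAM_BITS = 48            # jam signal length (slide)
SLOT_BITS = 512          # backoff unit: K * 512 bit times (slide)
BACKOFF_CAP = 10         # from the 10th collision on, K stays in {0, ..., 1023} (slide)


def backoff_upper_bound(m):
    """Largest K allowed after the m-th collision: 2^min(m, 10) - 1."""
    return 2 ** min(m, BACKOFF_CAP) - 1


def choose_backoff_bit_times(m, rng=random):
    """Step 5 of the algorithm: pick K uniformly and wait K * 512 bit times."""
    k = rng.randint(0, backoff_upper_bound(m))
    return k * SLOT_BITS


def bit_time_seconds(rate_bps):
    """Duration of one bit on the wire: 1/rate (0.1 us at 10 Mbps)."""
    return 1.0 / rate_bps


def max_backoff_seconds(rate_bps=10_000_000):
    """Worst-case wait, K = 1023, at the given rate: about 52 ms at 10 Mbps."""
    return backoff_upper_bound(BACKOFF_CAP) * SLOT_BITS * bit_time_seconds(rate_bps)


def efficiency(t_prop, t_trans):
    """Slide's approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def seeded_rng(seed):
    """Deterministic randomness so runs (and tests) are repeatable."""
    return random.Random(seed)


def transmit(frame_bits, collisions_on_attempt, rng):
    """Run steps 2-5 for one frame against a scripted channel.

    collisions_on_attempt: constructed list of booleans, True = the n-th attempt
    collides (a stand-in for the carrier-sense / collision-detect hardware).
    Returns (attempts, total backoff bit times waited, jam bits sent).
    """
    attempts, waited, jammed = 0, 0, 0
    while True:
        attempts += 1
        collided = (attempts <= len(collisions_on_attempt)
                    and collisions_on_attempt[attempts - 1])
        if not collided:
            return attempts, waited, jammed              # step 3: whole frame went out
        jammed += JAM_BITS                                # step 4: abort, send jam signal
        # step 5: m-th collision (m == attempts, since every earlier attempt collided)
        waited += choose_backoff_bit_times(attempts, rng)


if __name__ == "__main__":
    print("max wait at 10 Mbps: %.4f s" % max_backoff_seconds())
    print("efficiency, t_prop = t_trans/10: %.3f" % efficiency(0.1, 1.0))
    print("two collisions then success:", transmit(8000, [True, True, False], seeded_rng(1)))
```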

Hubs

Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality
  • can disconnect a malfunctioning adapter

Figure (not reproduced): hub with twisted pair links to hosts.

Interconnecting with hubs

Pros
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons
• Collision domains are merged into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

Figure (not reproduced): backbone hub connecting three departmental hubs.

Switch

Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment

Transparent
• hosts are unaware of presence of switches

Plug-and-play, self-learning
• switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...

Figure (not reproduced): switch with interfaces 1, 2, 3, each attached to a hub.

Self learning

A switch has a switch table.
• entry in switch table: (MAC Address, Interface, Time Stamp)
• stale entries in table dropped (TTL can be 60 min)

Switch learns which hosts can be reached through which interfaces:
• when frame received, switch "learns" location of sender: incoming LAN segment
• records sender/location pair in switch table

Switch: traffic isolation

• switch installation breaks subnet into LAN segments
• switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
• segments become separate collision domains

Figure (not reproduced): switch with three hubs, each hub forming its own collision domain.
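The self-learning table and the filter/forward decision from the last two slides fit in a few dozen lines. The following is an added example (my code, not from the slides): a switch table keyed by MAC address with interface and time stamp, a 60-minute TTL that drops stale entries, and the three outcomes a frame can have (flooded when the destination is unknown, filtered when it is on the incoming segment, forwarded to one interface otherwise). The interface numbers, MAC addresses and frame sequence are constructed sample values.

```python
SWITCH_TTL = 60 * 60             # seconds; slide: stale entries dropped, TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    """Switch table of (MAC address, interface, time stamp) entries, built by self-learning."""

    def __init__(self, interfaces, ttl=SWITCH_TTL):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}          # mac -> (interface, time stamp)

    def _drop_stale(self, now):
        for mac in [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Decide where the frame goes; returns the list of outgoing interfaces."""
        self._drop_stale(now)
        self.table[src_mac] = (in_iface, now)        # learn: sender lives on in_iface
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [i for i in self.interfaces if i != in_iface]   # unknown dest: flood
        out_iface, _ = self.table[dst_mac]
        if out_iface == in_iface:
            return []                                # same segment: filter, do not forward
        return [out_iface]                           # known dest: selective forward


def run_scenario():
    """Constructed sequence of frames on a 3-interface switch; returns the decisions."""
    sw = LearningSwitch([1, 2, 3])
    A, B, C = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"
    decisions = [
        sw.receive(A, B, 1, now=0),                # B unknown: flood to 2 and 3
        sw.receive(B, A, 2, now=1),                # A known on 1: forward only there
        sw.receive(A, B, 1, now=2),                # B now known on 2
        sw.receive(C, A, 1, now=3),                # C and A share segment 1: filtered
        sw.receive(A, B, 1, now=SWITCH_TTL + 5),   # B's entry aged out: flood again
    ]
    return decisions, dict(sw.table)


if __name__ == "__main__":
    for d in run_scenario()[0]:
        print(d)
```

The flood case is the one to watch from a traffic-isolation standpoint: until the switch has learned a destination, a frame for it is copied onto every other segment, so the isolation the slide promises only holds for addresses the table currently knows.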

Switches vs Routers

• both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
• means A, C unaware of their interference at B

Signal fading
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B

Figure (not reproduced): A, B, C laid out in space; A's signal strength and C's signal strength overlap only at B.

IEEE 802.11 Wireless LAN

802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
• widely deployed, using base stations

802.11a
• 5-6 GHz range
• up to 54 Mbps

802.11g
• 2.4-5 GHz range
• up to 54 Mbps

All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture

• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
• ad hoc mode: hosts only

Figure (not reproduced): BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

Figure (not reproduced): sender waits DIFS, sends data; receiver waits SIFS, returns ACK.

Collision Avoidance: RTS-CTS exchange

Figure (timeline with A, AP, B; not reproduced): RTS(A) and RTS(B) reach the AP at the same time (collision); A sends RTS(A) again; the AP answers CTS(A) to both sides (reservation), so B defers; A sends DATA(A); the AP returns ACK(A).

802.11 frame (field lengths in bytes):

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame: addressing

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

Figure (not reproduced): H1 — AP — R1 — Internet.

802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame (AP to R1): dest address = R1 MAC addr, source address = AP MAC addr
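A small parser makes the field layout and the three-address scheme above tangible. This is an added example (my code, not from the slides): it builds a 3-address data frame from constructed sample MAC addresses, parses it back with the byte widths the slide gives (2, 2, 6, 6, 6, 2, optional 6, 0-2312, 4), rejects frames that are too short or carry more than 2312 bytes of payload, and rebuilds the wired-side 802.3 addresses the way the slide's figure shows (dest = address 3, source = the AP's own MAC). The CRC is left as zeros; computing it is outside what the slide covers.

```python
import struct

HEADER_3ADDR = struct.Struct("<HH6s6s6sH")   # frame control, duration, addr1-3, seq control
ADDR4_LEN = 6
FCS_LEN = 4
MAX_PAYLOAD = 2312

# Constructed sample addresses (locally administered, not real devices)
SAMPLE_AP = "02-00-00-00-00-AA"
SAMPLE_H1 = "02-00-00-00-00-01"
SAMPLE_R1 = "02-00-00-00-00-11"


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split("-"))


def parse_80211(frame, ad_hoc=False):
    """Split a data frame into its fields; with ad_hoc=True the 4th address is present."""
    hdr_len = HEADER_3ADDR.size + (ADDR4_LEN if ad_hoc else 0)
    if len(frame) < hdr_len + FCS_LEN:
        raise ValueError("frame shorter than header + CRC")
    fc, duration, a1, a2, a3, seq = HEADER_3ADDR.unpack_from(frame, 0)
    a4 = frame[HEADER_3ADDR.size:hdr_len] if ad_hoc else None
    payload = frame[hdr_len:-FCS_LEN]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    return {
        "frame_control": fc, "duration": duration,
        "receiver": mac_str(a1),                 # address 1: who should receive it
        "transmitter": mac_str(a2),              # address 2: who put it on the air
        "router": mac_str(a3),                   # address 3: router interface behind the AP
        "address4": mac_str(a4) if a4 else None, # ad hoc mode only
        "seq_control": seq, "payload": payload, "crc": frame[-FCS_LEN:],
    }


def build_80211(receiver, transmitter, router, payload, seq=0, fc=0x0008, duration=0):
    """Construct a 3-address data frame (fc 0x0008 = data type; CRC left as zeros)."""
    hdr = HEADER_3ADDR.pack(fc, duration, mac_bytes(receiver), mac_bytes(transmitter),
                            mac_bytes(router), seq)
    return hdr + payload + b"\x00" * FCS_LEN


def to_8023(fields, ap_mac):
    """AP rebuilds the frame for the wired side as in the slide's figure:
    dest = address 3 (router), source = the AP's own MAC. Returns (dest, src, payload)."""
    return fields["router"], ap_mac, fields["payload"]


if __name__ == "__main__":
    frame = build_80211(SAMPLE_AP, SAMPLE_H1, SAMPLE_R1, b"datagram", seq=7)
    fields = parse_80211(frame)
    print(fields["receiver"], fields["transmitter"], fields["router"])
    print(to_8023(fields, SAMPLE_AP))
```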

Network Security

• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing
  • IP spoofing
  • DoS attacks


Authentication: yet another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Figure (not reproduced): Alice → Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob → Alice: OK, Alice's IP addr.

Failure scenario?

Authentication: another try

Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.

Record and playback still works!

Figure (not reproduced): Alice → Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob → Alice: OK, Alice's IP addr; later the same "I'm Alice", Alice's IP addr, encrypted password is played back to Bob.

Authentication: yet another try

Goal: avoid playback attack.

Failures, drawbacks?

Nonce: number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key.

Figure (not reproduced): Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: K_A-B(R).

Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
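The difference between ap3.1 and ap4.0 is easiest to see by running both against a recorded transcript. The block below is an added example (my code, not from the slides). It assumes that a keyed HMAC-SHA256 tag over R stands in for "R encrypted with the shared key" (a MAC proves possession of K_A-B just as well for this purpose, and the standard library has it); the shared key, password token and nonce values are constructed. Bob issues each nonce once and retires it when answered, so the same (R, K_A-B(R)) pair played back a second time is rejected, while a fixed ap3.1 password token verifies every time.

```python
import hashlib
import hmac
import secrets


def keyed_transform(key, nonce):
    """Stand-in for 'R encrypted with the shared key' (assumption: an HMAC-SHA256 tag
    over R proves possession of K_A-B just as the slide's encryption does)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class BobVerifier:
    """ap4.0 verifier: issues a fresh nonce per attempt and accepts each nonce at most once."""

    def __init__(self, shared_key, nonce_source=None):
        self.key = shared_key
        self.nonce_source = nonce_source or (lambda: secrets.token_bytes(16))
        self.outstanding = set()            # issued, not yet answered

    def challenge(self):
        r = self.nonce_source()
        self.outstanding.add(r)
        return r

    def verify(self, claimed_name, r, response):
        if r not in self.outstanding:       # never issued, or already consumed: a replay
            return False
        self.outstanding.discard(r)         # one answer per nonce, ever
        expected = keyed_transform(self.key, r)
        return claimed_name == "Alice" and hmac.compare_digest(expected, response)


def alice_answers(shared_key, r):
    return keyed_transform(shared_key, r)


def run_ap40(shared_key=b"constructed-shared-key"):
    """Alice authenticates once; the recorded (name, R, K(R)) is then played back."""
    bob = BobVerifier(shared_key)
    r = bob.challenge()
    transcript = ("Alice", r, alice_answers(shared_key, r))
    first = bob.verify(*transcript)
    replay = bob.verify(*transcript)
    return first, replay


def run_ap40_wrong_key():
    """Answering a fresh challenge without K_A-B (some other key) is rejected."""
    bob = BobVerifier(b"constructed-shared-key")
    r = bob.challenge()
    return bob.verify("Alice", r, alice_answers(b"some-other-key", r))


def run_ap31(password_token=b"constructed-encrypted-password"):
    """ap3.1 for contrast: the same fixed token verifies every time it is played back."""
    def bob_checks(token):
        return hmac.compare_digest(token, password_token)
    recorded = password_token
    return bob_checks(recorded), bob_checks(recorded)


if __name__ == "__main__":
    print("ap3.1 (first, replay):", run_ap31())
    print("ap4.0 (first, replay):", run_ap40())
    print("ap4.0 wrong key:", run_ap40_wrong_key())
```

The state that matters is the `outstanding` set: liveness comes from Bob choosing R, and replay resistance from Bob never accepting an answer to an R he did not just issue.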

Authentication: ap5.0

ap4.0 requires shared symmetric key; can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography.

Figure (not reproduced): Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: K_A^-(R); Bob → Alice: "send me your public key"; Alice → Bob: K_A^+.

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Figure (not reproduced), with Trudy relaying between Alice and Bob:
  Alice → Trudy: "I am Alice"; Trudy → Bob: "I am Alice"
  Bob → Trudy: R; Trudy → Bob: K_T^-(R)
  Bob → Trudy: "Send me your public key"; Trudy → Bob: K_T^+
  Trudy → Alice: R; Alice → Trudy: K_A^-(R)
  Trudy → Alice: "Send me your public key"; Alice → Trudy: K_A^+
  Bob → Trudy: K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key: K_A^+(m); Alice recovers m = K_A^-(K_A^+(m))

Difficult to detect:
• Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
• problem is that Trudy receives all messages as well!

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Firewalls

firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

Figure (not reproduced): administered network | firewall | public Internet.

Firewalls: Why

• prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
• prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
• allow only authorized access to inside network (set of authenticated users/hosts)

Two types of firewalls:
• application-level
• packet-filtering

Packet Filtering

• internal network connected to Internet via router firewall
• router filters packet-by-packet; decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
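The two examples above become three match functions on the header fields the previous slide lists. This is an added example (my code, not from the slides): each rule returns True when the packet should be dropped, `decide()` applies them in order with a default of forward, and a constructed sample of packets (documentation addresses only) shows why Example 2 blocks an inbound SYN yet lets the SYN-ACK reply to an internal client's own connection through.

```python
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP = 6, 17
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: int            # IP protocol field: 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    inbound: bool = True     # True: arriving from the public Internet


def rule_block_udp(pkt):                      # Example 1: IP protocol field = 17
    return pkt.protocol == PROTO_UDP


def rule_block_telnet(pkt):                   # Example 1: source or dest port = 23
    return TELNET_PORT in (pkt.sport, pkt.dport)


def rule_block_inbound_syn(pkt):              # Example 2: inbound TCP SYN (new connections)
    return pkt.inbound and pkt.protocol == PROTO_TCP and pkt.syn and not pkt.ack


RULES = [rule_block_udp, rule_block_telnet, rule_block_inbound_syn]


def decide(pkt, rules=RULES):
    """'drop' if any block rule matches, else 'forward' (the slide's examples only block)."""
    return "drop" if any(rule(pkt) for rule in rules) else "forward"


# Constructed sample traffic; 192.0.2.10 is the internal host, 198.51.100.7 is outside
SAMPLE = {
    "inbound udp":        Packet("198.51.100.7", "192.0.2.10", PROTO_UDP, 53, 40000),
    "outbound telnet":    Packet("192.0.2.10", "198.51.100.7", PROTO_TCP, 40001, 23,
                                 syn=True, inbound=False),
    "inbound syn to web": Packet("198.51.100.7", "192.0.2.10", PROTO_TCP, 40002, 80, syn=True),
    "outbound syn":       Packet("192.0.2.10", "198.51.100.7", PROTO_TCP, 40003, 80,
                                 syn=True, inbound=False),
    "inbound syn-ack":    Packet("198.51.100.7", "192.0.2.10", PROTO_TCP, 80, 40003,
                                 syn=True, ack=True),
    "inbound data":       Packet("198.51.100.7", "192.0.2.10", PROTO_TCP, 80, 40003, ack=True),
}


def filter_sample():
    return {name: decide(pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, verdict in filter_sample().items():
        print(f"{name:20s} {verdict}")
```

Note what the filter cannot see: it matches on header fields only, so the "inbound data" packet is forwarded whether or not it belongs to a real connection, which is the limitation the application-gateway slide goes on to address.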

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

Figure (not reproduced): host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter.

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

• IP spoofing: router can't know if data "really" comes from claimed source
• if multiple app's need special treatment, each has own app gateway
• client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks

Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Internet security threats

Mapping
• before attacking: "case the joint", find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence

Countermeasures?

Mapping: countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)

Internet security threats: Packet sniffing

• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g., passwords)
• e.g., C sniffs B's packets

Figure (not reproduced): A, B, C on a shared segment; frame src: B, dest: A, payload.

Countermeasures?

Packet sniffing: countermeasures
• all hosts in organization run software that checks periodically if host interface in promiscuous mode
• one host per segment of broadcast media (switched Ethernet at hub)

Internet security threats: IP Spoofing

• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g., C pretends to be B

Figure (not reproduced): A, B, C; frame src: B, dest: A, payload, sent by C.

Countermeasures?

IP Spoofing: ingress filtering
• routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
• great, but ingress filtering can not be mandated for all networks

Internet security threats: Denial of service (DOS)

• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A

Figure (not reproduced): C and a remote host send streams of SYN packets to A.

Countermeasures?

Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)
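Two of the countermeasures in this section, "look for ports being scanned sequentially" (mapping) and "filter out flooded SYNs" (DOS), are both decisions made over a record of traffic entering the network. The block below is an added example (my code, not from the slides) that runs both checks over one constructed connection log: a short hand-written sample plus a generated burst of bare SYNs. The log format, the thresholds and the addresses (documentation ranges) are assumptions of the example.

```python
from collections import defaultdict

# Constructed connection log, one record per line: <time s> <src> <dst> <dport> <flags>
SAMPLE_LOG = """\
0.00 198.51.100.7 192.0.2.10 21 S
0.05 198.51.100.7 192.0.2.10 22 S
0.10 198.51.100.7 192.0.2.10 23 S
0.15 198.51.100.7 192.0.2.10 24 S
0.20 198.51.100.7 192.0.2.10 25 S
0.25 198.51.100.7 192.0.2.10 26 S
1.00 203.0.113.5 192.0.2.10 80 S
1.02 192.0.2.10 203.0.113.5 40000 SA
1.04 203.0.113.5 192.0.2.10 80 A
"""


def flood_lines(count=80, start=5.0, step=0.01):
    """Constructed burst: `count` bare SYNs to 192.0.2.20:80 from eight rotating sources."""
    return "".join(f"{start + i * step:.2f} 198.51.100.{1 + i % 8} 192.0.2.20 80 S\n"
                   for i in range(count))


def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        t, src, dst, dport, flags = line.split()
        records.append((float(t), src, dst, int(dport), flags))
    return records


def sequential_port_scans(records, min_ports=5, window=10.0):
    """Flag (src, dst) pairs touching >= min_ports consecutive ports within `window` s:
    the slide's 'ports being scanned sequentially'. Returns (src, dst, first, last)."""
    by_pair = defaultdict(list)
    for t, src, dst, dport, flags in records:
        by_pair[(src, dst)].append((t, dport))
    findings = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        run_start = 0
        for i in range(1, len(hits) + 1):
            extends = (i < len(hits)
                       and hits[i][1] == hits[i - 1][1] + 1
                       and hits[i][0] - hits[run_start][0] <= window)
            if not extends:
                if i - run_start >= min_ports:
                    findings.append((src, dst, hits[run_start][1], hits[i - 1][1]))
                run_start = i
    return findings


def syn_floods(records, threshold=50, window=1.0):
    """Flag destinations receiving more than `threshold` bare SYNs (S without A) in any
    `window`-second span. The rate is the signal: sources may be many or spoofed."""
    per_dst = defaultdict(list)
    for t, src, dst, dport, flags in records:
        if "S" in flags and "A" not in flags:
            per_dst[dst].append(t)
    findings = []
    for dst, times in per_dst.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            findings.append((dst, peak))
    return findings


def analyze(text=None):
    records = parse_log(text if text is not None else SAMPLE_LOG + flood_lines())
    return sequential_port_scans(records), syn_floods(records)


if __name__ == "__main__":
    scans, floods = analyze()
    print("sequential scans:", scans)
    print("SYN floods:", floods)
```

The SYN-flood check deliberately keys on the destination rather than the source, which is the slide's "throw out good with bad" tradeoff: once a host is over threshold, a filter built on this signal cannot tell a legitimate new connection from the flood.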

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
• Mobile and wireless networks
  • CDMA
  • IEEE 802.11 wireless LANs

Review (3)

• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing
  • IP spoofing
  • DoS attacks

Routing Algorithm classification

Global or decentralized information?
• Global: all routers have complete topology, link cost info; "link state" algorithms
• Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm

  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
      else D(v) = ∞

  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'

Dijkstra's algorithm: example

Figure (not reproduced): graph on u, v, w, x, y, z with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2.

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

    Dx(y) ← min_v { c(x,v) + Dv(y) }   for each node y ∊ N

• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor

Distributed:
• each node notifies neighbors only when its DV changes
• neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path, only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

Figure (not reproduced): three nodes x, y, z with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1. Each node's table has columns "cost to" x y z and rows "from" x y z.

Time 0 (initial tables):
  node x table: from x: 0 2 7 | from y: ∞ ∞ ∞ | from z: ∞ ∞ ∞
  node y table: from x: ∞ ∞ ∞ | from y: 2 0 1 | from z: ∞ ∞ ∞
  node z table: from x: ∞ ∞ ∞ | from y: ∞ ∞ ∞ | from z: 7 1 0

After the first exchange, x recomputes:
  Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
  Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
  node x table: from x: 0 2 3 | from y: 2 0 1 | from z: 7 1 0

After the second exchange (converged):
  every node holds from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0
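The B-F update and the "notify neighbors only when the DV changes" rule from the two DV slides are captured in the following added example (my code, not from the slides). It runs the slide's three-node topology, with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1, in synchronous rounds: a round delivers every pending DV to its neighbours, each node recomputes, and only nodes whose vector changed send in the next round. The round structure is an assumption of the example; the slide's algorithm is asynchronous, but the converged vectors are the same.

```python
INF = float("inf")

# Slide's three-node example: c(x,y)=2, c(x,z)=7, c(y,z)=1 (symmetric link costs)
EXAMPLE_COSTS = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}


class DVNode:
    def __init__(self, name, link_costs, all_nodes):
        self.name = name
        self.c = link_costs                                 # c(x, v) for each neighbour v
        self.nodes = all_nodes
        self.neighbour_dv = {v: {y: INF for y in all_nodes} for v in link_costs}
        self.dv = {y: INF for y in all_nodes}               # Dx(y), initially direct costs only
        self.dv[name] = 0
        for v, cost in link_costs.items():
            self.dv[v] = cost

    def receive(self, from_node, dv):
        """Store a neighbour's latest distance vector."""
        self.neighbour_dv[from_node] = dict(dv)

    def recompute(self):
        """Bellman-Ford: Dx(y) = min over neighbours v of c(x,v) + Dv(y).
        Returns True if the DV changed, i.e. neighbours must be notified."""
        new = {}
        for y in self.nodes:
            best = 0 if y == self.name else INF
            for v, cost in self.c.items():
                best = min(best, cost + self.neighbour_dv[v][y])
            new[y] = best
        changed = new != self.dv
        self.dv = new
        return changed


def run_dv(costs=EXAMPLE_COSTS, max_rounds=50):
    """Simulate exchange rounds until no node's DV changes.
    Returns (final DV of every node, number of rounds)."""
    nodes = {n: DVNode(n, c, list(costs)) for n, c in costs.items()}
    pending = list(nodes)                        # everyone sends its initial DV first
    rounds = 0
    while pending and rounds < max_rounds:
        rounds += 1
        for n in pending:                        # deliver DV updates to neighbours
            for v in nodes[n].c:
                nodes[v].receive(n, nodes[n].dv)
        pending = [n for n in nodes if nodes[n].recompute()]   # notify only if changed
    return {n: dict(node.dv) for n, node in nodes.items()}, rounds


if __name__ == "__main__":
    final, rounds = run_dv()
    print("converged after", rounds, "rounds")
    for n in sorted(final):
        print(f"D{n} =", final[n])
```

In the first round x and z both learn the cheaper route to each other through y (cost 3 instead of 7); in the second round their updated vectors reach y, nothing changes, and the exchange stops.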

The Internet Network layer

Host, router network layer functions:

Transport layer: TCP, UDP

Network layer
• Routing protocols
  • path selection
  • RIP, OSPF, BGP
• IP protocol
  • addressing conventions
  • datagram format
  • packet handling conventions
• ICMP protocol
  • error reporting
  • router "signaling"
• forwarding table

Link layer
Physical layer

IP datagram format

Figure (32-bit-wide header layout, not reproduced), with fields:
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
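The header layout above is the input to any packet filter or sniffer, so it is worth being able to build and decode one by hand. This is an added example (my code, not from the slides): it packs a minimal 20-byte IPv4 header with a correct Internet checksum, parses the fixed fields back out (verifying the checksum), applies the per-router TTL decrement with checksum recomputation, and states the 40-byte TCP/IP overhead. The addresses are from the addressing slides; the TTL, protocol and identifier values are constructed, and only option-free headers are handled.

```python
import ipaddress
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options
TCP_HEADER_BYTES = 20


def checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(src, dst, payload_len, ttl=64, protocol=6, ident=0, tos=0):
    """Construct a minimal IPv4 header (version 4, IHL 5, DF set) with a valid checksum."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    flags_frag = 0x4000                                    # DF flag set, fragment offset 0
    hdr = IPV4_HEADER.pack(ver_ihl, tos, total_len, ident, flags_frag, ttl, protocol, 0,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_header(raw):
    """Decode the fixed fields and report whether the header checksum verifies."""
    if len(raw) < 20:
        raise ValueError("short header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = IPV4_HEADER.unpack_from(raw)
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": checksum(raw[:ihl]) == 0,           # a valid header sums to zero
    }


def forward_hop(raw):
    """What a router does to the header: decrement TTL and recompute the checksum.
    Returns None when TTL would reach 0 (the datagram is discarded)."""
    fields = parse_header(raw)
    if fields["ttl"] <= 1:
        return None
    ihl = fields["header_len"]
    hdr = raw[:8] + bytes([fields["ttl"] - 1]) + raw[9:10] + b"\x00\x00" + raw[12:ihl]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def overhead_bytes():
    """Slide's figure: 20 bytes of IP + 20 bytes of TCP before any application data."""
    return IPV4_HEADER.size + TCP_HEADER_BYTES


if __name__ == "__main__":
    hdr = build_header("223.1.1.1", "223.1.2.1", payload_len=20)
    print(parse_header(hdr))
    print(parse_header(forward_hop(hdr))["ttl"], "after one hop")
```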

IP Addressing: introduction

• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

Figure (not reproduced): interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27.

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
• subnet part (high order bits)
• host part (low order bits)

What's a subnet?
• device interfaces with same subnet part of IP address
• can physically reach each other without intervening router

Figure (not reproduced): the same interfaces (223.1.1.x, 223.1.2.x, 223.1.3.x) grouped into a network consisting of 3 subnets.

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing
• subnet portion of address of arbitrary length
• address format: a.b.c.d/x, where x is # bits in subnet portion of address

  11001000 00010111 0001000|0 00000000
  |----- subnet part (23) ---|-- host part --|
              200.23.16.0/23
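The subnet/host split, the classful masks CIDR replaced, and the ingress-filtering countermeasure from the IP-spoofing slide are all the same operation: compare the high-order bits of an address against a prefix. This added example (my code, not from the slides) does that with the standard `ipaddress` module for the slide's 200.23.16.0/23 and 223.1.x.x addresses, and then uses the same membership test as an outbound source-address filter on a constructed list of (source, destination) pairs.

```python
import ipaddress


def split_address(addr, prefix_len):
    """Return (subnet part, host part) of a.b.c.d/x as bit strings."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    return bits[:prefix_len], bits[prefix_len:]


def same_subnet(a, b, prefix_len):
    """Two interfaces are on the same subnet iff their first x bits agree."""
    return split_address(a, prefix_len)[0] == split_address(b, prefix_len)[0]


def classful_mask_len(addr):
    """Pre-CIDR rule: only /8, /16 and /24 (class A, B, C) were available."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("not a class A/B/C address")


def ingress_filter(packets, local_network):
    """Forward only outgoing packets whose source lies inside the router's own network
    (the ingress-filtering countermeasure against IP spoofing). Returns (forwarded, dropped)."""
    net = ipaddress.ip_network(local_network)
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if ipaddress.ip_address(src) in net else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    sub, host = split_address("200.23.16.0", 23)
    print("subnet part:", sub, "host part:", host)
    print("200.23.16.1 and 200.23.17.9 share /23:", same_subnet("200.23.16.1", "200.23.17.9", 23))
    # Constructed sample: one packet from inside 10.0.0.0/24, one with an outside source
    print(ingress_filter([("10.0.0.2", "128.119.40.186"), ("198.51.100.9", "128.119.40.186")],
                         "10.0.0.0/24"))
```

The ingress filter is only as good as the router's knowledge of its own prefix, and, as the slide says, it cannot be mandated for networks you do not run; it stops your own network from emitting spoofed sources, not others from sending them to you.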

NAT: Network Address Translation

Figure (not reproduced): local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router whose inside address is 10.0.0.4 and outside address 138.76.29.7, connected to the rest of the Internet.

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual).

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers.

NAT: Network Address Translation

NAT translation table
  WAN side addr           LAN side addr
  138.76.29.7, 5001       10.0.0.1, 3345
  ......                  ......

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
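The four-step exchange above is reproduced by the following added example (my code, not from the slides). The NAT router keeps the translation table in both directions, hands out WAN-side ports starting at 5001 as the slide does, reuses an existing mapping for a flow it has already seen, and returns None for an inbound datagram whose (WAN address, port) has no entry, which is the behaviour that makes unsolicited inbound traffic undeliverable through a NAT. The addresses and ports are the slide's.

```python
class NatRouter:
    """Port-based NAT as on the slide: one public address, a fresh WAN port per LAN flow."""

    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out_table = {}      # (lan_ip, lan_port) -> wan_port
        self.in_table = {}       # wan_port -> (lan_ip, lan_port)

    def outbound(self, datagram):
        """Step 2: rewrite source (LAN addr, port) -> (WAN addr, port), updating the table."""
        src_ip, src_port, dst_ip, dst_port = datagram
        key = (src_ip, src_port)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return (self.wan_ip, self.out_table[key], dst_ip, dst_port)

    def inbound(self, datagram):
        """Step 4: rewrite destination (WAN addr, port) -> (LAN addr, port).
        Returns None when there is no mapping: nothing inside asked for this datagram."""
        src_ip, src_port, dst_ip, dst_port = datagram
        if dst_ip != self.wan_ip or dst_port not in self.in_table:
            return None
        lan_ip, lan_port = self.in_table[dst_port]
        return (src_ip, src_port, lan_ip, lan_port)


def slide_exchange():
    """Steps 1-4 of the slide; returns the translated outbound datagram, the translated
    reply, and the router (so its table can be inspected)."""
    nat = NatRouter("138.76.29.7")
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)       # host sends to the web server
    step2 = nat.outbound(step1)                             # source becomes 138.76.29.7, 5001
    step3 = (step2[2], step2[3], step2[0], step2[1])        # reply addressed to the WAN side
    step4 = nat.inbound(step3)                              # dest becomes 10.0.0.1, 3345
    return step2, step4, nat


if __name__ == "__main__":
    out, back, nat = slide_exchange()
    print("2:", out)
    print("4:", back)
    print("table:", nat.out_table)
```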

Hierarchical Routing

Our routing study thus far: idealization: all routers identical, network "flat"... not true in practice.

scale: with 200 million destinations:
• can't store all dest's in routing tables!
• routing table exchange would swamp links!

administrative autonomy
• internet = network of networks
• each network admin may want to control routing in its own network

Hierarchical Routing

• aggregate routers into regions, "autonomous systems" (AS)
• routers in same AS run same routing protocol
  • "intra-AS" routing protocol
  • routers in different AS can run different intra-AS routing protocol

Gateway router
• Direct link to router in another AS

Figure (not reproduced): AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); the Intra-AS Routing algorithm and the Inter-AS Routing algorithm both feed the Forwarding table.

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm:
• Intra-AS sets entries for internal dests
• Inter-AS & Intra-AS set entries for external dests

Routing in the Internet

• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)

• Distance vector algorithm
• Included in BSD-UNIX Distribution in 1982
• Distance metric: # of hops (max = 15 hops)
  • # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)

Figure (not reproduced): routers A, B, C, D connecting subnets u, v, w, x, y, z.

  destination   hops
  u             1
  v             2
  w             2
  x             3
  y             3
  z             2

RIP advertisements

• Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
• Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

• "open": publicly available
• Uses Link State algorithm
  • LS packet dissemination
  • Topology map at each node
  • Route computation using Dijkstra's algorithm
  • Link costs configured by the network administrator
• OSPF advertisement carries one entry per neighbor router
• Advertisements disseminated to entire AS (via flooding)
  • Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF

Figure (not reproduced): backbone area with area border routers, boundary router, and three local areas.

• Two-level hierarchy: local area, backbone
  • Link-state advertisements only in area
  • each node has detailed area topology
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
• Backbone routers: run OSPF routing limited to backbone
• Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
• Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  • Note that BGP sessions do not correspond to physical links
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  • AS2 can aggregate prefixes in its advertisement

Figure (not reproduced): AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS.

Path attributes & BGP routes

• When advertising a prefix, advert includes BGP attributes
  • prefix + attributes = "route"
• Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)
• When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy
• Inter-AS: admin wants control over how its traffic routed, who routes through its net
• Intra-AS: single admin, so no policy decisions needed

Scale
• hierarchical routing saves table size, reduced update traffic

Performance
• Intra-AS: can focus on performance
• Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links
  • wired links
  • wireless links
  • LANs
• layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.

Link Layer Services

Framing, link access
• encapsulate datagram into frame, adding header, trailer
• channel access if shared medium
• "MAC" addresses used in frame headers to identify source, dest
  • different from IP address!

Reliable delivery between adjacent nodes
• we learned how to do this already (chapter 3)!
• seldom used on low bit error link (fiber, some twisted pair)
• wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.

Collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted and received signals
• difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection (figure)

“Taking Turns” MAC protocols

Polling: master node “invites” slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).

Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B knowing B’s IP address?

(Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)

ARP protocol: Same LAN (network)

A wants to send a datagram to B, and B’s MAC address is not in A’s ARP table.

A broadcasts an ARP query packet containing B’s IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.

B receives the ARP packet, replies to A with its (B’s) MAC address; frame sent to A’s MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.

ARP is “plug-and-play”: nodes create their ARP tables without intervention from the net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B’s IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.

(Figure: A — R — B, A and R on one LAN, R and B on another)

A creates a datagram with source A, destination B. A uses ARP to get R’s MAC address for 111.111.111.110. A creates a link-layer frame with R’s MAC address as dest; the frame contains the A-to-B IP datagram. A’s adapter sends the frame. R’s adapter receives the frame. R removes the IP datagram from the Ethernet frame, sees it’s destined to B. R uses ARP to get B’s MAC address. R creates a frame containing the A-to-B IP datagram, sends to B.
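The ARP soft-state cache and the A-to-R-to-B walkthrough above, as an added example that is not part of the lecture slides. The router's LAN-1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the page's; the addresses of A, B and R's second interface, and the 20-minute TTL behaviour, are constructed here for illustration. The point the code makes explicit is that the IP datagram is unchanged across the two hops while the frame's MAC addresses are re-resolved at each one.

```python
"""ARP table with soft-state timeouts and the A -> R -> B frame walkthrough (added example)."""

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60              # seconds; the page's typical TTL of 20 minutes

# Constructed LAN "wires": which MAC answers an ARP query for which IP on each segment.
LAN1 = {"111.111.111.111": "74-29-9C-E8-FF-55",   # host A (constructed)
        "111.111.111.110": "E6-E9-00-17-BB-4B"}   # router R, LAN1 side (from the page)
LAN2 = {"222.222.222.220": "1A-23-F9-CD-06-9B",   # router R, LAN2 side (constructed)
        "222.222.222.222": "49-BD-D2-C7-56-2A"}   # host B (constructed)


class ArpTable:
    def __init__(self):
        self.entries = {}      # ip -> (mac, expiry time)
        self.queries = []      # broadcast queries this node has sent

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + ARP_TTL)

    def lookup(self, ip, now):
        """Return the cached MAC, or None if unknown or timed out (soft state)."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if now >= expiry:
            del self.entries[ip]
            return None
        return mac

    def resolve(self, ip, now, lan):
        """Cache hit, or broadcast a query and cache the unicast reply."""
        mac = self.lookup(ip, now)
        if mac is None:
            self.queries.append({"dst_mac": BROADCAST, "target_ip": ip})
            mac = lan[ip]                       # the owner of ip replies with its MAC
            self.learn(ip, mac, now)
        return mac


def send_a_to_b(now=0):
    """Build the two link-layer frames that carry one A-to-B datagram via R."""
    a_ip, b_ip = "111.111.111.111", "222.222.222.222"
    r_lan1, r_lan2 = "111.111.111.110", "222.222.222.220"
    a_arp, r_arp_lan2 = ArpTable(), ArpTable()   # R keeps one ARP table per LAN; only LAN2's is needed here
    datagram = {"src_ip": a_ip, "dst_ip": b_ip, "payload": "hello"}

    # A: B is off-link; the routing table says the next hop is R's LAN1 interface
    frame1 = {"src_mac": LAN1[a_ip], "dst_mac": a_arp.resolve(r_lan1, now, LAN1), "datagram": datagram}

    # R: strips the Ethernet frame, sees dst_ip is on LAN2, resolves B's MAC there and re-frames
    frame2 = {"src_mac": LAN2[r_lan2], "dst_mac": r_arp_lan2.resolve(b_ip, now, LAN2),
              "datagram": frame1["datagram"]}     # IP header unchanged; only the MAC addresses change per hop
    return frame1, frame2, a_arp
```

A second resolve of the same IP within the TTL is answered from the cache without a broadcast; after the TTL the entry is gone and a new query goes out, which is the "soft state" property the slide describes.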

Ethernet uses CSMA/CD

No slots. An adapter doesn’t transmit if it senses that some other adapter is transmitting: that is, carrier sense.

A transmitting adapter aborts when it senses that another adapter is transmitting: that is, collision detection.

Before attempting a retransmission, the adapter waits a random time: that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives a datagram from the net layer & creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the mth collision, the adapter chooses a K at random from {0, 1, 2, …, 2^m − 1}. The adapter waits K · 512 bit times and returns to Step 2.

Ethernet’s CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.

Exponential backoff: goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer. First collision: choose K from {0, 1}; delay is K · 512 bit transmission times. After the second collision: choose K from {0, 1, 2, 3}… After ten collisions: choose K from {0, 1, 2, 3, 4, …, 1023}.

CSMA/CD efficiency

$t_{prop}$ = max propagation delay between 2 nodes in the LAN
$t_{trans}$ = time to transmit a max-size frame

$\text{efficiency} = \dfrac{1}{1 + 5\,t_{prop}/t_{trans}}$

Efficiency goes to 1 as $t_{prop}$ goes to 0. Goes to 1 as $t_{trans}$ goes to infinity. Much better than ALOHA, but still decentralized, simple, and cheap.
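The CSMA/CD backoff schedule (Steps 4 and 5 of the algorithm, the "more" slide) and the efficiency formula above, as one added example that is not part of the lecture slides. The 512-bit-time slot, the 48-bit jam, the cap at 1023 after ten collisions and the 10 Mbps bit time are the page's; the 16-attempt give-up limit is standard Ethernet behaviour not stated on the page, and the `collides` callback that decides which attempts collide is a constructed stand-in for the medium.

```python
"""Ethernet CSMA/CD: exponential backoff and the efficiency formula (added example)."""
import random

SLOT_BIT_TIMES = 512          # backoff unit: K * 512 bit times
JAM_BITS = 48
BACKOFF_CAP = 10              # the page: after ten collisions K is drawn from 0..1023
MAX_ATTEMPTS = 16             # standard Ethernet gives up after 16 collisions (not on the page)


def backoff_range(m: int) -> tuple:
    """Inclusive range of K after the m-th collision: {0, 1, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return (0, 2 ** min(m, BACKOFF_CAP) - 1)


def choose_k(m: int, rng: random.Random) -> int:
    lo, hi = backoff_range(m)
    return rng.randint(lo, hi)


def wait_seconds(k: int, bitrate_bps: float) -> float:
    """K * 512 bit times expressed in seconds (bit time = 1 / bitrate)."""
    return k * SLOT_BIT_TIMES / bitrate_bps


def transmit(collides, seed: int = 1):
    """Run the adapter's retry loop; `collides(attempt)` says whether attempt number i collided.

    Returns the list of K values chosen, one per collision (empty if the first try succeeded),
    or None if the frame is abandoned after MAX_ATTEMPTS.
    """
    rng = random.Random(seed)
    ks = []
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if not collides(attempt):
            return ks                            # Step 3: whole frame sent, done
        ks.append(choose_k(attempt, rng))        # Step 4/5: jam, then back off before returning to Step 2
    return None


def efficiency(t_prop: float, t_trans: float) -> float:
    """CSMA/CD efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    print("K=1023 at 10 Mbps waits", wait_seconds(1023, 10e6), "s")
    print("efficiency with t_prop/t_trans = 0.1:", efficiency(1.0, 10.0))
```

Running it reproduces the slide's figures: K = 1023 at 10 Mbps is 1023 · 512 · 0.1 µs, about 52 ms ("about 50 msec"), and the efficiency drops as the propagation delay grows relative to the frame transmission time.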

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions; provides net management functionality:
• can disconnect a malfunctioning adapter

(Figure: hub with twisted-pair links)

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

(Figure: backbone hub connecting three hubs)

Switch

Link layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC dest address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem…

(Figure: switch with interfaces 1, 2, 3, each attached to a hub)

Self learning

A switch has a switch table. Entry in the switch table: (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch “learns” the location of the sender: the incoming LAN segment; it records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.

(Figure: switch with three hubs, each a separate collision domain)
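The self-learning and filtering rules above in code, as an added example that is not part of the lecture slides. The 60-minute aging and the learn-on-receive, filter-or-flood-on-forward logic are the page's; the interface numbers and MAC addresses are constructed.

```python
"""Self-learning switch: learn on receive, filter or flood on forward (added example)."""

SWITCH_TTL = 60 * 60           # seconds; the page says the TTL can be 60 min


class Switch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}        # mac -> (interface, time stamp)

    def _age_out(self, now):
        """Drop stale entries so a moved host is re-learned rather than misdirected."""
        for mac, (iface, ts) in list(self.table.items()):
            if now - ts >= SWITCH_TTL:
                del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Return the list of interfaces the frame is sent out on."""
        self._age_out(now)
        self.table[src_mac] = (in_iface, now)                # learn the sender's location
        entry = self.table.get(dst_mac)
        if entry is None:
            return [i for i in self.interfaces if i != in_iface]   # unknown destination: flood
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                                        # same segment: filter (drop)
        return [out_iface]                                   # known: selectively forward


if __name__ == "__main__":
    sw = Switch([1, 2, 3])
    print(sw.receive("AA-AA-AA-AA-AA-AA", "BB-BB-BB-BB-BB-BB", 1, 0))   # flood: [2, 3]
    print(sw.receive("BB-BB-BB-BB-BB-BB", "AA-AA-AA-AA-AA-AA", 2, 1))   # forward: [1]
    print(sw.table)
```

The last test case below shows the aging path: once every entry is older than the TTL the switch is back to flooding, exactly as when it was first plugged in.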

Switches vs. Routers

Both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.

Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                     hubs    switches    routers
traffic isolation    no      yes         yes
plug & play          yes     yes         no
optimal routing      no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other; this means A, C are unaware of their interference at B.

Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B.

(Figure: A, B, C in a line; A’s and C’s signal strength plotted against space)

IEEE 802.11 Wireless LAN

802.11b: 2.4–5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer
• all hosts use the same chipping code
widely deployed, using base stations

802.11a: 5–6 GHz range; up to 54 Mbps
802.11g: 2.4–5 GHz range; up to 54 Mbps

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

A wireless host communicates with a base station; base station = access point (AP).

Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains: wireless hosts; access point (AP): base station. Ad hoc mode: hosts only.

(Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. if the channel is sensed idle for DIFS, then transmit the entire frame (no CD)
2. if the channel is sensed busy, then
   - start a random backoff time
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK, increase the random backoff interval, repeat 2

802.11 receiver:
- if the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem)

(Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)

Collision Avoidance: RTS-CTS exchange

(Figure, time running downward: A and B both send RTS(A), RTS(B) to the AP; reservation collision; RTS(A) is sent again; the AP sends CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A), heard by both)

802.11 frame format (field widths in bytes):

frame control: 2 | duration: 2 | address 1: 6 | address 2: 6 | address 3: 6 | seq control: 2 | address 4: 6 | payload: 0–2312 | CRC: 4

802.11 frame: addressing

Address 1: MAC address of the wireless host or AP to receive this frame
Address 2: MAC address of the wireless host or AP transmitting this frame
Address 3: MAC address of the router interface to which the AP is attached
Address 4: used only in ad hoc mode

(Figure: H1 — AP — R1 — Internet. 802.11 frame from H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr.)
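The frame layout and the three-address rule above, packed and parsed in code as an added example that is not part of the lecture slides. The field widths and the address-1/2/3 roles are the page's; the MAC addresses, the frame-control value and the payload are constructed, and the helper names are this example's own.

```python
"""802.11 data-frame header pack/unpack with the page's field widths, plus the three-address rule
(added example; MAC addresses are constructed)."""
import struct

# frame control 2 | duration 2 | addr1 6 | addr2 6 | addr3 6 | seq control 2 | addr4 6  (bytes)
HEADER_FMT = "<HH6s6s6sH6s"
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 30 bytes; payload (0..2312) and 4-byte CRC follow


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split("-"))


def bytes_to_mac(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def pack_header(frame_control, duration, addr1, addr2, addr3, seq_control, addr4="00-00-00-00-00-00"):
    return struct.pack(HEADER_FMT, frame_control, duration, mac_to_bytes(addr1), mac_to_bytes(addr2),
                       mac_to_bytes(addr3), seq_control, mac_to_bytes(addr4))


def unpack_header(data: bytes) -> dict:
    """Split the fixed header; rejects frames shorter than the header instead of reading past it."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated 802.11 header")
    fc, dur, a1, a2, a3, seq, a4 = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    return {"frame_control": fc, "duration": dur, "address1": bytes_to_mac(a1), "address2": bytes_to_mac(a2),
            "address3": bytes_to_mac(a3), "seq_control": seq, "address4": bytes_to_mac(a4)}


def infrastructure_addresses(transmitter, receiver, router_if):
    """Address 1 = receiver, 2 = transmitter, 3 = router interface the AP is attached to."""
    return {"address1": receiver, "address2": transmitter, "address3": router_if}


def uplink_frame(h1_mac, ap_mac, r1_mac, payload: bytes, seq=0):
    """Frame H1 sends to the AP: addr1 = AP, addr2 = H1, addr3 = R1 (as in the page's figure)."""
    addrs = infrastructure_addresses(transmitter=h1_mac, receiver=ap_mac, router_if=r1_mac)
    fc = 0x0008           # data frame (constructed frame-control value for the example)
    return pack_header(fc, 0, addrs["address1"], addrs["address2"], addrs["address3"], seq) + payload
```

The length check in `unpack_header` is the one a parser facing untrusted frames must have: a frame shorter than 30 bytes is an error, not a header with zeros in it.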

Network Security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.


Authentication: another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

(Figure: Alice sends “I’m Alice”, Alice’s IP addr, encrypted password; Bob answers OK, Alice’s IP addr. Later the same recorded “I’m Alice”, Alice’s IP addr, encrypted password is played back to Bob.) Record and playback still works!

Authentication: yet another try

Goal: avoid the playback attack.

Nonce: number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice “live”, Bob sends Alice nonce R. Alice must return R, encrypted with the shared secret key.

(Figure: Alice: “I am Alice”; Bob: R; Alice: $K_{A\text{-}B}(R)$)

Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!

Failures, drawbacks?
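The ap4.0 exchange above run end to end, with the replay from ap3.1 attempted against it, as an added example that is not part of the lecture slides. The page has Alice encrypt R under the shared key; this code uses an HMAC tag over R instead, a keyed-MAC substitute for that encryption step, with a constructed shared key. Bob tracks which nonces he has issued and not yet consumed, so a recorded response is rejected the second time.

```python
"""ap4.0 challenge-response with a nonce, with replay rejection (added example)."""
import hmac
import hashlib
import secrets

SHARED_KEY = b"alice-bob-shared-secret (constructed sample key)"


class Bob:
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()    # nonces issued but not yet answered

    def challenge(self) -> bytes:
        """Bob -> Alice: a fresh R, never reused."""
        r = secrets.token_bytes(16)
        self.outstanding.add(r)
        return r

    def verify(self, r: bytes, tag: bytes) -> bool:
        """Accept only a correct tag over a nonce Bob issued and has not yet consumed."""
        if r not in self.outstanding:             # unknown, or already consumed: replay
            return False
        self.outstanding.discard(r)               # a nonce is answered at most once, pass or fail
        expected = hmac.new(self.key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def alice_respond(key: bytes, r: bytes) -> bytes:
    """Alice proves she is live and knows the key: K_A-B(R), here as an HMAC tag."""
    return hmac.new(key, r, hashlib.sha256).digest()


def run_protocol(alice_key: bytes = SHARED_KEY) -> dict:
    bob = Bob(SHARED_KEY)
    r = bob.challenge()                          # Bob -> Alice: R
    tag = alice_respond(alice_key, r)            # Alice -> Bob: K_A-B(R)
    first = bob.verify(r, tag)
    replay = bob.verify(r, tag)                  # the recorded message played back later
    return {"accepted": first, "replay_accepted": replay}
```

Passing a different key as `alice_key` models an impostor who does not hold the shared secret: the tag fails to verify, and the nonce is still consumed so it cannot be retried.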

Authentication: ap5.0

ap4.0 requires a shared symmetric key. Can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography.

Alice: “I am Alice”
Bob: R
Alice: $K_A^-(R)$
Bob: “send me your public key”
Alice: $K_A^+$

Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Alice → Trudy: I am Alice            Trudy → Bob: I am Alice
Trudy → Alice: R                     Bob → Trudy: R
Alice → Trudy: $K_A^-(R)$            Trudy → Bob: $K_T^-(R)$
Trudy → Alice: Send me your public key   Bob → Trudy: Send me your public key
Alice → Trudy: $K_A^+$               Trudy → Bob: $K_T^+$
Bob → Trudy: $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$, sends m to Alice encrypted with Alice’s public key: $K_A^+(m)$; Alice gets $m = K_A^-(K_A^+(m))$.

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well!

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Firewalls

Firewall: isolates the organization’s internal net from the larger Internet, allowing some packets to pass, blocking others.

(Figure: administered network | firewall | public Internet)

Firewalls: Why

Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections.

Prevent illegal modification/access of internal data, e.g., attacker replaces CIA’s homepage with something else.

Allow only authorized access to the inside network (set of authenticated users/hosts).

Two types of firewalls: application-level, packet-filtering.

Packet Filtering

Internal network connected to the Internet via a router firewall. The router filters packet-by-packet; the decision to forward/drop a packet is based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.

Should an arriving packet be allowed in? A departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17, and those with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
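The two example rules above as a stateless filter, an added example that is not part of the lecture slides. The rule conditions (protocol 17, port 23 at either end, inbound SYN) are the page's; the `Packet` record and the sample packets are constructed. It also covers the case Example 2 relies on: a SYN-ACK replying to an inside-initiated connection carries the ACK bit and is let in.

```python
"""Packet filter implementing the page's two example rules (added example; packets constructed)."""
from dataclasses import dataclass

UDP, TCP = 17, 6
TELNET_PORT = 23


@dataclass
class Packet:
    direction: str     # "in" (arriving from the Internet) or "out" (departing)
    proto: int         # IP protocol field
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False  # TCP flags, meaningful only when proto == TCP
    ack: bool = False


def rule_example1(p: Packet) -> bool:
    """Drop UDP (protocol 17) and telnet (port 23 at either end), in both directions."""
    return p.proto == UDP or TELNET_PORT in (p.src_port, p.dst_port)


def rule_example2(p: Packet) -> bool:
    """Drop inbound TCP SYN (connection-opening) segments.

    A SYN+ACK answering a connection opened from inside also has SYN set but carries ACK,
    so it passes; without the ACK test the rule would break every outbound connection."""
    return p.direction == "in" and p.proto == TCP and p.syn and not p.ack


RULES = [rule_example1, rule_example2]


def filter_packet(p: Packet) -> str:
    """Return 'drop' if any rule matches, else 'forward'."""
    return "drop" if any(rule(p) for rule in RULES) else "forward"


def filter_all(packets) -> list:
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    sample = [Packet("in", UDP, 53, 33000), Packet("out", TCP, 40000, 23),
              Packet("in", TCP, 12345, 80, syn=True), Packet("out", TCP, 40001, 80, syn=True),
              Packet("in", TCP, 80, 40001, syn=True, ack=True), Packet("in", 1)]
    for p, verdict in zip(sample, filter_all(sample)):
        print(verdict, p)
```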

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote-host telnet session; router and filter)

1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the dest host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls and gateways

IP spoofing: the router can’t know if data “really” comes from the claimed source.

If multiple apps need special treatment, each has its own app gateway.

Client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the Web browser.

Filters often use an all-or-nothing policy for UDP.

Tradeoff: degree of communication with the outside world vs. level of security.

Many highly protected sites still suffer from attacks.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Internet security threats

Mapping: before attacking, “case the joint”: find out what services are implemented on the network. Use ping to determine what hosts have addresses on the network. Port-scanning: try to establish a TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: Packet sniffing

Broadcast media; a promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g., passwords); e.g., C sniffs B’s packets.

(Figure: A, B, C on a shared segment; frame src:B dest:A payload)

Countermeasures?

Internet security threats: Packet sniffing countermeasures

All hosts in the organization run software that checks periodically if the host interface is in promiscuous mode.

One host per segment of broadcast media (switched Ethernet at the hub).

(Figure: A, B, C; frame src:B dest:A payload)

Internet security threats: IP Spoofing

Can generate “raw” IP packets directly from an application, putting any value into the IP source address field. The receiver can’t tell if the source is spoofed; e.g., C pretends to be B.

(Figure: A, B, C; packet src:B dest:A payload, sent by C)

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in the router’s network). Great, but ingress filtering cannot be mandated for all networks.

(Figure: A, B, C; packet src:B dest:A payload)
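The ingress-filtering rule above as the check an edge router applies to departing packets, an added example that is not part of the lecture slides. The rule (drop if the source address is not in the router's own network) is the page's; the network prefix and the sample packets are constructed.

```python
"""Ingress filtering at the edge router: drop departing packets whose source is not in the
router's own network (added example; addresses constructed)."""
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")     # constructed: the router's network


def ingress_check(src_ip: str, dst_ip: str, network=LOCAL_NET) -> str:
    """Return 'forward' for a departing packet with a valid source, else 'drop'."""
    try:
        src = ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
    except ValueError:
        return "drop"                  # malformed address fields are dropped too
    if src not in network:
        return "drop"                  # spoofed or misrouted source: not one of ours
    return "forward"


def audit(packets, network=LOCAL_NET) -> dict:
    """Tally decisions for a batch of (src, dst) pairs, e.g. from a capture at the border."""
    result = {"forward": 0, "drop": 0}
    for src, dst in packets:
        result[ingress_check(src, dst, network)] += 1
    return result


if __name__ == "__main__":
    print(audit([("192.0.2.1", "198.51.100.1"), ("10.0.0.1", "198.51.100.1"), ("192.0.2.200", "198.51.100.2")]))
```

The check is cheap and local, which is why the slide can recommend it for every network; its weakness, as the slide also says, is that it only helps if the network the spoofed packets leave from actually deploys it.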

Internet security threats: Denial of service (DOS)

A flood of maliciously generated packets “swamps” the receiver. Distributed DOS (DDOS): multiple coordinated sources swamp the receiver; e.g., C and a remote host SYN-attack A.

(Figure: C and a remote host send streams of SYN packets to A)

Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

Filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad.

Traceback to the source of the floods (most likely an innocent, compromised machine).

(Figure: SYN flood toward A)
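Detection logic for two of the countermeasures on these slides, the mapping countermeasure (look for ports being scanned sequentially) and the DoS countermeasure (identify flooded SYN packets so they can be filtered), run over constructed connection-log lines. This is an added example, not part of the lecture slides; the log format, addresses, thresholds and function names are this example's own.

```python
"""Detection logic for two countermeasures on the page: sequential port scans (mapping) and
SYN floods (DoS), run over constructed connection-log lines (added example)."""
from collections import defaultdict

# Constructed log: "<t_seconds> <src_ip> <dst_ip> <dst_port> <flags>"  (S = SYN only, A = ACK set)
SAMPLE_LOG = """\
0 10.9.9.9 192.0.2.10 21 S
1 10.9.9.9 192.0.2.10 22 S
2 10.9.9.9 192.0.2.10 23 S
3 10.9.9.9 192.0.2.10 24 S
4 10.9.9.9 192.0.2.10 25 S
5 198.51.100.7 192.0.2.10 443 S
5 198.51.100.7 192.0.2.10 443 A
""" + "".join(f"10 203.0.113.{i % 20 + 1} 192.0.2.20 80 S\n" for i in range(60))


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port, flags = line.split()
        records.append({"t": int(t), "src": src, "dst": dst, "dport": int(port), "flags": flags})
    return records


def detect_sequential_scans(records, min_ports: int = 4) -> list:
    """Flag (src, dst) pairs that probe >= min_ports consecutive ports in increasing order."""
    ports = defaultdict(list)
    for r in records:
        ports[(r["src"], r["dst"])].append(r["dport"])
    hits = []
    for key, seq in ports.items():
        run = 1
        for a, b in zip(seq, seq[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_ports:
                hits.append(key)
                break
    return hits


def detect_syn_flood(records, threshold: int = 50) -> list:
    """Flag destinations receiving more than `threshold` pure SYNs within one second,
    regardless of how many (possibly spoofed) sources they come from."""
    per_sec = defaultdict(int)
    for r in records:
        if r["flags"] == "S":
            per_sec[(r["dst"], r["t"])] += 1
    return sorted({dst for (dst, _), n in per_sec.items() if n > threshold})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sequential scans:", detect_sequential_scans(recs))
    print("SYN-flooded hosts:", detect_syn_flood(recs))
```

Keying the flood detector on the destination rather than the source matters because, as the IP-spoofing slide notes, the source field of flood packets cannot be trusted; the scan detector keys on the pair because a sequential probe is a per-source pattern.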

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • “Taking Turns” Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches

Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info: “link state” algorithms.
Decentralized: a router knows its physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors: “distance vector” algorithms.

Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update; in response to link cost changes.

Dijkstra’s Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra’s algorithm example

(Figure: graph with nodes u, v, w, x, y, z and link costs, source u)

Step  N         D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
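The algorithm above run on the example graph, as an added example that is not part of the lecture slides. The page shows only the resulting table, not the link costs, so the costs below are an assumption: they are those of the standard textbook figure this slide reproduces, and they yield the table's D and p values. One detail the pseudocode leaves open is tie-breaking: after step 1, v and y both have D = 2, and the table takes y first; this code breaks ties in favour of the node whose D was improved most recently, which reproduces the table's order (the final costs do not depend on this choice). It also derives the forwarding table from the predecessors, which is what a router actually installs.

```python
"""Dijkstra's algorithm on the page's example graph (added example; link costs assumed)."""
import math

GRAPH = {   # undirected link costs (assumed; the slide shows only the resulting table)
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3, ("x", "w"): 3,
    ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def neighbors(graph):
    adj = {}
    for (a, b), c in graph.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(graph, source):
    """Return (D, p, order): least costs, predecessors, and the order in which nodes joined N."""
    adj = neighbors(graph)
    D = {v: math.inf for v in adj}
    p = {v: None for v in adj}
    stamp = {v: -1 for v in adj}          # step at which D(v) last improved; used only to break ties
    D[source] = 0
    for v, c in adj[source].items():      # initialization: D(v) = c(u,v) for u's neighbors
        D[v], p[v], stamp[v] = c, source, 0
    N, order, step = {source}, [source], 0
    while len(N) < len(adj):
        step += 1
        # find w not in N with minimum D(w); ties go to the most recently improved node
        w = min((v for v in adj if v not in N), key=lambda v: (D[v], -stamp[v], v))
        N.add(w)
        order.append(w)
        for v, c in adj[w].items():
            if v not in N and D[w] + c < D[v]:       # D(v) = min(D(v), D(w) + c(w,v))
                D[v], p[v], stamp[v] = D[w] + c, w, step
    return D, p, order


def forwarding_table(p, source):
    """Next hop from source to every destination: the first hop along the predecessor chain."""
    table = {}
    for dest in p:
        if dest == source:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, order = dijkstra(GRAPH, "u")
    print("order:", order)
    print("D:", D)
    print("forwarding table at u:", forwarding_table(p, "u"))
```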

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

$D_x(y) \leftarrow \min_v \{\, c(x,v) + D_v(y) \,\}$ for each node $y \in N$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration is caused by: a local link cost change; a DV update message from a neighbor.

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn’t know the entire path, only the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

(Figure: three nodes x, y, z with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1; the node x, node y and node z tables evolving over time)

Initial tables (rows: from; columns: cost to x, y, z):
  node x table: from x: 0 2 7; from y: ∞ ∞ ∞; from z: ∞ ∞ ∞
  node y table: from x: ∞ ∞ ∞; from y: 2 0 1; from z: ∞ ∞ ∞
  node z table: from x: ∞ ∞ ∞; from y: ∞ ∞ ∞; from z: 7 1 0

After convergence every node’s table holds: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

$D_x(y) = \min\{\, c(x,y) + D_y(y),\ c(x,z) + D_z(y) \,\} = \min\{2+0,\ 7+1\} = 2$

$D_x(z) = \min\{\, c(x,y) + D_y(z),\ c(x,z) + D_z(z) \,\} = \min\{2+1,\ 7+0\} = 3$

The Internet Network layer

Host, router network layer functions:

Routing protocols
• path selection
• RIP, OSPF, BGP

IP protocol
• addressing conventions
• datagram format
• packet handling conventions

ICMP protocol
• error reporting
• router “signaling”

forwarding table

Transport layer: TCP, UDP
Network layer
Link layer
Physical layer

IP datagram format (32 bits per row)

ver (IP protocol version number) | head. len (header length, bytes) | type of service (“type” of data) | length (total datagram length, bytes)
16-bit identifier | flgs | fragment offset (for fragmentation/reassembly)
time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any) (e.g., timestamp, record route taken, specify list of routers to visit)
data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
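The header layout above, built and parsed field by field, as an added example that is not part of the lecture slides. The field order and widths are the page's; the sample header (addresses from the page's addressing figure, TTL 64, protocol 6, a constructed identifier) is constructed, as are the helper names. The parser verifies the Internet checksum and checks the version and header-length fields before trusting them, the checks a receiver needs before acting on a header.

```python
"""Build, parse and checksum a 20-byte IPv4 header laid out as on the page (added example)."""
import struct
import ipaddress


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as the Internet checksum defines it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)     # fold carries back in
    return total


def header_checksum(header: bytes) -> int:
    return (~ones_complement_sum(header)) & 0xFFFF


def build_header(src, dst, total_length, ttl=64, proto=6, ident=0x1C46, df=True) -> bytes:
    ver_ihl = (4 << 4) | 5                          # version 4, header length 5 words = 20 bytes
    flags_frag = (0x2 << 13) if df else 0           # DF flag set, fragment offset 0
    h = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_length, ident, flags_frag, ttl, proto, 0,
                    ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return h[:10] + struct.pack("!H", header_checksum(h)) + h[12:]   # checksum occupies bytes 10-11


def parse_header(data: bytes) -> dict:
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_length": length,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
        "checksum_ok": ones_complement_sum(data[:ihl]) == 0xFFFF,   # a valid header sums to all ones
        "options": data[20:ihl],
    }


if __name__ == "__main__":
    h = build_header("223.1.1.1", "223.1.2.2", total_length=40)
    print(h.hex())
    print(parse_header(h))
```

The test corrupts the TTL byte without recomputing the checksum, the situation a router creates if it decrements TTL and forgets the incremental checksum update; the parser reports `checksum_ok` as false.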

IP Addressing: introduction

IP address: 32-bit identifier for a host or router interface.

Interface: connection between host/router and physical link; routers typically have multiple interfaces; a host may have multiple interfaces; IP addresses are associated with each interface.

(Figure: three subnets with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27)

223.1.1.1 = 11011111 00000001 00000001 00000001 (223 . 1 . 1 . 1)

Subnets

IP address: subnet part (high order bits); host part (low order bits).

What’s a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.

(Figure: network consisting of 3 subnets (LANs), with the interface addresses above)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).

CIDR: Classless InterDomain Routing: subnet portion of the address of arbitrary length; address format: a.b.c.d/x, where x is the # bits in the subnet portion of the address.

11001000 00010111 00010000 00000000 = 200.23.16.0/23 (first 23 bits: subnet part; remaining 9 bits: host part)
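The subnet-part/host-part split done on the bits, as an added example that is not part of the lecture slides. It reproduces the page's 200.23.16.0/23 binary layout and the subnet test from the previous slide (same subnet part means reachable without a router); the helper names are this example's own and it deliberately avoids the `ipaddress` module so the mask arithmetic is visible.

```python
"""CIDR prefix arithmetic done on the bits, as in the page's 200.23.16.0/23 example (added example)."""


def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_mask(x: int) -> int:
    """Network mask for a.b.c.d/x: x one-bits followed by 32-x zero-bits."""
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be 0..32")
    return ((1 << 32) - 1) ^ ((1 << (32 - x)) - 1)


def split_cidr(cidr: str) -> dict:
    """Subnet part (high-order x bits) and host part (low-order 32-x bits) of an address/x."""
    ip, x = cidr.split("/")
    x = int(x)
    n, mask = ip_to_int(ip), prefix_mask(x)
    bits = f"{n:032b}"
    return {
        "network": int_to_ip(n & mask),
        "mask": int_to_ip(mask),
        "subnet_bits": bits[:x],
        "host_bits": bits[x:],
        "host_addresses": 1 << (32 - x),
        "binary": " ".join(bits[i:i + 8] for i in range(0, 32, 8)),
    }


def same_subnet(ip_a: str, ip_b: str, x: int) -> bool:
    """Interfaces with the same subnet part can reach each other without a router."""
    mask = prefix_mask(x)
    return ip_to_int(ip_a) & mask == ip_to_int(ip_b) & mask


if __name__ == "__main__":
    print(split_cidr("200.23.16.0/23"))
    print(same_subnet("223.1.1.1", "223.1.1.4", 24), same_subnet("223.1.1.1", "223.1.2.1", 24))
```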

NAT: Network Address Translation

(Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router at 10.0.0.4 whose WAN-side address is 138.76.29.7, connected to the rest of the Internet)

Datagrams with source or destination in this network have 10.0.0/24 addresses for source, destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80: S: 10.0.0.1, 3345; D: 128.119.40.186, 80
2. NAT router changes the datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates the table: S: 138.76.29.7, 5001; D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001: S: 128.119.40.186, 80; D: 138.76.29.7, 5001
4. NAT router changes the datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345: S: 128.119.40.186, 80; D: 10.0.0.1, 3345

NAT translation table:
WAN side addr         LAN side addr
138.76.29.7, 5001     10.0.0.1, 3345
……                    ……
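The four-step exchange above run through a NAT translation table, as an added example that is not part of the lecture slides. The addresses and ports (10.0.0.1:3345, 138.76.29.7:5001, 128.119.40.186:80) are the page's; the datagram record, the class and the handling of an unsolicited inbound datagram (no table entry, so it is dropped) are this example's own.

```python
"""NAT translation table walked through with the page's addresses and ports (added example)."""


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}          # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}        # (lan_ip, lan_port) -> wan_port

    def outbound(self, dgram: dict) -> dict:
        """Step 2: rewrite source (LAN addr, port) to (NAT addr, new port) and record the mapping."""
        key = (dgram["src_ip"], dgram["src_port"])
        if key not in self.reverse:                  # reuse the mapping for an existing flow
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(self.wan_ip, port)] = key
        return {**dgram, "src_ip": self.wan_ip, "src_port": self.reverse[key]}

    def inbound(self, dgram: dict):
        """Step 4: look up the WAN-side destination and rewrite it to the LAN host, or drop."""
        entry = self.table.get((dgram["dst_ip"], dgram["dst_port"]))
        if entry is None:
            return None                              # unsolicited: no mapping, dropped
        lan_ip, lan_port = entry
        return {**dgram, "dst_ip": lan_ip, "dst_port": lan_port}


def walk_through():
    """Steps 1-4 of the page's example; returns the router, the translated request and the translated reply."""
    nat = NatRouter("138.76.29.7")
    d1 = {"src_ip": "10.0.0.1", "src_port": 3345, "dst_ip": "128.119.40.186", "dst_port": 80}   # step 1
    d2 = nat.outbound(d1)                                                                      # step 2
    d3 = {"src_ip": d2["dst_ip"], "src_port": d2["dst_port"],                                  # step 3: reply
          "dst_ip": d2["src_ip"], "dst_port": d2["src_port"]}
    d4 = nat.inbound(d3)                                                                       # step 4
    return nat, d2, d4


if __name__ == "__main__":
    nat, d2, d4 = walk_through()
    print("leaving:", d2)
    print("delivered inside:", d4)
    print("table:", nat.table)
```

The side effect worth noticing is in `inbound`: a datagram from the outside that does not match an entry created by an earlier outbound one has nowhere to go, which is why a NAT incidentally behaves like the Example 2 packet filter for inbound connection attempts.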

Hierarchical Routing

Our routing study thus far: an idealization: all routers identical, network “flat”… not true in practice.

Scale: with 200 million destinations: can’t store all dests in routing tables; routing table exchange would swamp links!

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, “autonomous systems” (AS). Routers in the same AS run the same routing protocol: “intra-AS” routing protocol; routers in different ASes can run different intra-AS routing protocols.

Gateway router: direct link to a router in another AS.

(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; the intra-AS routing algorithm and the inter-AS routing algorithm both feed the forwarding table)

Interconnected ASes

The forwarding table is configured by both the intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS & intra-AS set entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in the BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops). # of hops = # of subnets traversed along the shortest path from the src router to the dst subnet (e.g., src = A).

(Figure: routers A, B, C, D and subnets u, v, w, x, y, z)

From A:  destination   hops
         u             1
         v             2
         w             2
         x             3
         y             3
         z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via a Response Message (also called an advertisement). Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

“Open”: publicly available. Uses the Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra’s algorithm. Link costs configured by the network administrator.

An OSPF advertisement carries one entry per neighbor router. Advertisements are disseminated to the entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF “advanced” features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set “low” for best effort; high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in the area; each node has detailed area topology.
Area border routers: “summarize” distances to nets in their own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to the backbone.
Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard. BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine “good” routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to the rest of the Internet: “I am here”.

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links. When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

(Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions inside an AS)

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = “route”.
Two important attributes: AS-PATH: contains the ASes through which the advert for the prefix passed: AS 67, AS 17. NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduced update traffic.
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs. A layer-2 packet is a frame, which encapsulates a datagram.

The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a “link”.

Link Layer Services

Framing, link access: encapsulate the datagram into a frame, adding header, trailer; channel access if shared medium; “MAC” addresses used in frame headers to identify source, dest
• different from IP address!

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)! Seldom used on low bit error links (fiber, some twisted pair); wireless links: high error rates
• Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller “pieces” (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; “recover” from collisions.
“Taking turns”: nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

"Taking Turns" MAC protocols

Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (the master).

Token passing: a control token is passed from one node to the next sequentially; the token is a message. Concerns: token overhead, latency, single point of failure (the token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes, as entries <IP address; MAC address; TTL>

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B's IP address?

[figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF, so all machines on the LAN receive the ARP query.

B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator.
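The query/reply exchange and the soft-state table, as an added example (this is editor-written code, not from the slides or from any real ARP implementation). It builds and parses ARP-over-Ethernet frames with the standard field layout, keeps the 20-minute TTL from the slide, and adds the check a practitioner wants: because nothing in ARP authenticates a reply, the cache flags replies it never asked for and replies that change a fresh mapping. The host addresses and the rogue third host are constructed for the demo.

```python
import struct
import time

ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_TTL_SECONDS = 20 * 60      # the "typically 20 min" soft-state timeout


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def bytes_to_mac(b):
    return "-".join(f"{x:02X}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header + 28-byte ARP body (IPv4 over Ethernet).
    A query goes to FF-FF-FF-FF-FF-FF; a reply is unicast to the target."""
    dst = ETH_BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
    body += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    body += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + body


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    body = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(body[8:14]),
        "sender_ip": bytes_to_ip(body[14:18]),
        "target_mac": bytes_to_mac(body[18:24]),
        "target_ip": bytes_to_ip(body[24:28]),
    }


class ArpCache:
    """<IP, MAC, TTL> entries: soft state that disappears unless refreshed."""

    def __init__(self, ttl=ARP_TTL_SECONDS, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self.entries = {}          # ip -> (mac, expiry time)
        self.pending = set()       # IPs for which we actually broadcast a query

    def lookup(self, ip):
        entry = self.entries.get(ip)
        if entry and entry[1] > self.clock():
            return entry[0]
        self.entries.pop(ip, None)  # timed out: forget it
        return None

    def query(self, ip):
        self.pending.add(ip)

    def handle_reply(self, reply):
        """Cache the mapping. Returns None, or a warning for a reply we never asked
        for or one that changes a mapping before the old entry expired."""
        ip, mac = reply["sender_ip"], reply["sender_mac"]
        warning = None
        if ip not in self.pending:
            warning = f"unsolicited ARP reply for {ip} from {mac}"
        cached = self.lookup(ip)
        if cached is not None and cached != mac:
            warning = f"ARP reply changes {ip} from {cached} to {mac} before the old entry expired"
        self.entries[ip] = (mac, self.clock() + self.ttl)
        self.pending.discard(ip)
        return warning


def demo():
    """A resolves B on the slide's LAN (pairing of addresses constructed for the
    example), then a third host answers for B's IP while the good entry is fresh."""
    now = [1000.0]
    cache = ArpCache(clock=lambda: now[0])
    a_mac, a_ip = "1A-2F-BB-76-09-AD", "237.196.7.78"
    b_mac, b_ip = "0C-C4-11-6F-E3-98", "237.196.7.14"
    cache.query(b_ip)
    query = parse_arp_frame(build_arp_frame(ARP_REQUEST, a_mac, a_ip, "00-00-00-00-00-00", b_ip))
    reply = build_arp_frame(ARP_REPLY, b_mac, b_ip, query["sender_mac"], query["sender_ip"])
    first = cache.handle_reply(parse_arp_frame(reply))
    resolved = cache.lookup(b_ip)
    rogue = build_arp_frame(ARP_REPLY, "71-65-F7-2B-08-53", b_ip, a_mac, a_ip)
    second = cache.handle_reply(parse_arp_frame(rogue))
    now[0] += ARP_TTL_SECONDS + 1          # let the soft state time out
    return {"resolved": resolved, "first": first, "second": second,
            "after_timeout": cache.lookup(b_ip)}
```

The cache still accepts the conflicting reply (that is what a plug-and-play protocol does); the warning is the hook where a real host or monitor would log or refuse it.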

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find the router 111.111.111.110. In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.

[figure: A - R - B, two LANs joined by router R]

1. A creates a datagram with source A, destination B.
2. A uses ARP to get R's MAC address for 111.111.111.110.
3. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram.
4. A's adapter sends the frame; R's adapter receives it.
5. R removes the IP datagram from the Ethernet frame and sees it is destined to B.
6. R uses ARP to get B's MAC address.
7. R creates a frame containing the A-to-B IP datagram and sends it to B.

Ethernet uses CSMA/CD

No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting: that is carrier sense.

A transmitting adapter aborts when it senses that another adapter is transmitting: that is collision detection.

Before attempting a retransmission, the adapter waits a random time: that is random access.

Ethernet CSMA/CD algorithm

1. Adapter receives a datagram from the network layer & creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, …, 2^m - 1}. The adapter waits K·512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 msec (1023 · 512 · 0.1 µs).

Exponential backoff: the goal is to adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer.
- first collision: choose K from {0, 1}; delay is K·512 bit transmission times
- after the second collision: choose K from {0, 1, 2, 3}
- after ten collisions: choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
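The backoff rule, the bit-time arithmetic and the efficiency formula from the three preceding slides, as an added example (editor-written; not the slides' own material and not a real driver). The backoff range cap at 10 collisions is on the slide; the give-up limit of 16 attempts is taken from the 802.3 standard, not from the slide. The contention simulation is a simplified slot model: every adapter starts with one frame ready in the same slot, the worst case, and carrier-sense deferral is not modelled.

```python
import random

SLOT_BIT_TIMES = 512     # one backoff unit: K * 512 bit times (slide)
JAM_BITS = 48
BACKOFF_CAP = 10         # after the 10th collision K stays in {0..1023}
ATTEMPT_LIMIT = 16       # 802.3 attemptLimit; assumed from the standard, not on the slide


def bit_time_seconds(rate_bps):
    """One bit time: 0.1 microsecond on 10 Mbps Ethernet."""
    return 1.0 / rate_bps


def backoff_max_k(m):
    """Largest K an adapter may draw after its m-th collision: 2^min(m,10) - 1."""
    return 2 ** min(m, BACKOFF_CAP) - 1


def backoff_wait_seconds(k, rate_bps):
    return k * SLOT_BIT_TIMES * bit_time_seconds(rate_bps)


def backoff_table(rate_bps=10_000_000):
    """Per collision count m: (max K, max wait in milliseconds) on a 10 Mbps LAN."""
    return {m: (backoff_max_k(m), round(backoff_wait_seconds(backoff_max_k(m), rate_bps) * 1e3, 3))
            for m in (1, 2, 3, 10, 12)}


def csma_cd_efficiency(t_prop, t_trans):
    """Long-run fraction of time the channel carries useful frames: 1 / (1 + 5 t_prop/t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def simulate_contention(n_adapters, seed=1):
    """Simplified slot model of steps 2-5. A slot with one transmitter succeeds; with
    several, every transmitter counts a collision and draws a fresh K from the wider
    range. Returns each adapter's collision count once every frame has been sent."""
    rng = random.Random(seed)
    ready_at = [0] * n_adapters
    collisions = [0] * n_adapters
    done = [False] * n_adapters
    slot = 0
    while not all(done):
        contenders = [i for i in range(n_adapters) if not done[i] and ready_at[i] <= slot]
        if len(contenders) == 1:
            done[contenders[0]] = True                # step 3: whole frame got through
        elif len(contenders) > 1:
            for i in contenders:                      # steps 4-5: jam, then back off
                collisions[i] += 1
                if collisions[i] >= ATTEMPT_LIMIT:
                    raise RuntimeError(f"adapter {i} gave up after {ATTEMPT_LIMIT} collisions")
                ready_at[i] = slot + 1 + rng.randint(0, backoff_max_k(collisions[i]))
        slot += 1
    return collisions
```

Because all five adapters contend in slot 0, every one of them records at least one collision; the widening K range is what separates them afterwards.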

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides network management functionality, e.g. can disconnect a malfunctioning adapter

[figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros:
- enables interdepartmental communication
- extends the max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it

Cons:
- collision domains are merged into one large common domain
- cannot interconnect 10BaseT and 100BaseT hubs

[figure: backbone hub connecting three departmental hubs]

Switch

Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem.

[figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning

A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments; the switch filters packets:
- same-LAN-segment frames are not usually forwarded onto other LAN segments
- segments become separate collision domains

[figure: switch joining three hubs, each hub a separate collision domain]
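The self-learning, filtering and flooding behaviour of the previous three slides in one model, as an added example (editor-written; not the slides' material, not a real switch). It keeps the (MAC address, interface, time stamp) table with the 60-minute aging from the slide. Hosts A, B, C and their segments are constructed for the trace. One caveat the slides leave implicit: the table is learned from unauthenticated source addresses, so a host's claimed MAC is all the switch has to go on.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "interface timestamp")
SWITCH_TTL_SECONDS = 60 * 60        # "TTL can be 60 min" from the slide


class LearningSwitch:
    """Self-learning switch table: (MAC address, interface, time stamp) per entry."""

    def __init__(self, interfaces, ttl=SWITCH_TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}

    def _age_out(self, now):
        for mac, entry in list(self.table.items()):
            if now - entry.timestamp > self.ttl:
                del self.table[mac]          # stale entry dropped

    def receive(self, src_mac, dst_mac, in_interface, now):
        """Learn where src_mac lives, then decide: filter, forward, or flood.
        Returns the list of interfaces the frame is sent out on."""
        self._age_out(now)
        self.table[src_mac] = Entry(in_interface, now)      # self-learning
        entry = self.table.get(dst_mac)
        if entry is None:                                    # unknown destination: flood
            return [i for i in self.interfaces if i != in_interface]
        if entry.interface == in_interface:                  # same segment: filter
            return []
        return [entry.interface]                             # selective forwarding


def trace():
    """Three hub segments on interfaces 1-3; A and C on segment 1, B on segment 2
    (names and timing constructed for the example). Returns the per-frame decisions."""
    sw = LearningSwitch([1, 2, 3])
    return [
        sw.receive("A", "B", 1, now=0),                      # B unknown: flood to 2 and 3
        sw.receive("B", "A", 2, now=1),                      # A learned on 1: forward only there
        sw.receive("A", "B", 1, now=2),                      # B learned on 2
        sw.receive("C", "A", 1, now=3),                      # C and A share segment 1: filtered
        sw.receive("B", "A", 2, now=3 + SWITCH_TTL_SECONDS + 1),  # A aged out: flood again
    ]
```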

Switches vs. routers

Both are store-and-forward devices:
- routers: network-layer devices (examine network-layer headers)
- switches: link-layer devices

Routers maintain routing tables and implement routing algorithms.
Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                     hubs    switches    routers
traffic isolation    no      yes         yes
plug & play          yes     yes         no
optimal routing      no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

[figure: A, B, C in a line; B is within range of both A and C]

Hidden terminal problem: B and A hear each other, B and C hear each other, but A and C cannot hear each other. This means A and C are unaware of their interference at B.

[figure: A's and C's signal strength plotted against space]

Signal fading: B and A hear each other, B and C hear each other, A and C cannot hear each other, and so interfere at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code; widely deployed, using base stations.

802.11a: 5-6 GHz range; up to 54 Mbps.

802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access.
All have base-station and ad hoc network versions.

802.11 LAN architecture

A wireless host communicates with a base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, base station). In ad hoc mode: hosts only.

[figure: BSS 1 and BSS 2, each with an AP, attached through a hub, switch or router to the Internet]

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.

802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).

[figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK]

Collision avoidance: RTS-CTS exchange

[figure: A and B both send RTS to the AP and the RTSs collide (reservation collision); the AP answers CTS(A); A sends DATA(A) while B defers; the AP returns ACK(A)]

802.11 frame format

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)      [field lengths in bytes]

802.11 frame addressing

Address 1: MAC address of the wireless host or AP to receive this frame
Address 2: MAC address of the wireless host or AP transmitting this frame
Address 3: MAC address of the router interface to which the AP is attached
Address 4: used only in ad hoc mode

[figure: H1 - AP - R1 (Internet router)]

802.11 frame (H1 to AP):  address 1 = AP MAC addr | address 2 = H1 MAC addr | address 3 = R1 MAC addr
802.3 frame (AP to R1):   dest address = R1 MAC addr | source address = H1 MAC addr (the AP bridges the frame; it does not substitute its own address)

Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm: example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted ALOHA efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security

Authentication: yet another try

Goal: avoid the playback attack.

Nonce: a number (R) used only once-in-a-lifetime.

ap4.0: to prove Alice "live", Bob sends Alice a nonce R; Alice must return R encrypted with the shared secret key.

Alice -> Bob: "I am Alice"
Bob -> Alice: R
Alice -> Bob: K_A-B(R)

Failures, drawbacks? Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice.

Authentication: ap5.0

ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?

ap5.0: use a nonce and public key cryptography.

Alice -> Bob: "I am Alice"
Bob -> Alice: R
Alice -> Bob: K_A^-(R)
Bob -> Alice: "send me your public key"
Alice -> Bob: K_A^+

Bob computes K_A^+(K_A^-(R)) = R and knows that only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.

ap5.0 security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Between Trudy and Bob                     Between Alice and Trudy
Trudy -> Bob: "I am Alice"                Alice -> Trudy: "I am Alice"
Bob -> Trudy: R                           Trudy -> Alice: R
Trudy -> Bob: K_T^-(R)                    Alice -> Trudy: K_A^-(R)
Bob -> Trudy: "send me your public key"   Trudy -> Alice: "send me your public key"
Trudy -> Bob: K_T^+                       Alice -> Trudy: K_A^+
Bob -> Trudy: K_T^+(m)                    Trudy -> Alice: K_A^+(m)

Trudy gets m = K_T^-(K_T^+(m)), then sends m to Alice encrypted with Alice's public key; Alice computes m = K_A^-(K_A^+(m)).

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob and Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well.
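ap4.0 and ap5.0 with Trudy in the middle, as one added example covering the last three slides (editor-written; not the slides' material and not a real protocol implementation). Two substitutions are labelled: an HMAC over R stands in for "R encrypted with the shared key" in ap4.0, and a toy textbook RSA with tiny primes stands in for K^+/K^- so that K^+(K^-(R)) = R can actually be computed. Bob's ap5.0 check passes against Trudy exactly as the slide says, because nothing ties the public key he is handed to Alice's identity.

```python
import hashlib
import hmac
import secrets

# ---- ap4.0: shared symmetric key K_A-B plus a nonce ----------------------------

def ap40_response(shared_key, nonce):
    """Alice's answer K_A-B(R). An HMAC over R stands in for encrypting R with the shared key."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class Ap40Bob:
    """Bob issues fresh nonces and accepts each one at most once."""

    def __init__(self, shared_key):
        self.key = shared_key
        self.outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)      # R: used only once
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self.outstanding:    # never issued, or already consumed: a replay
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(response, ap40_response(self.key, nonce))


# ---- toy textbook RSA so K^+ and K^- can be shown; tiny primes, illustration only ----

def toy_keypair(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # (public K^+, private K^-)


def apply_key(key, value):
    """K(value) = value^k mod n; the same operation serves both halves of the pair."""
    k, n = key
    return pow(value, k, n)


class Alice:
    def __init__(self):
        self.pub, self.priv = toy_keypair(61, 53, 17)

    def sign_nonce(self, r):          # K_A^-(R)
        return apply_key(self.priv, r)

    def public_key(self):             # answer to "send me your public key"
        return self.pub

    def decrypt(self, c):             # K_A^-(K_A^+(m))
        return apply_key(self.priv, c)


class Trudy:
    """Poses as Alice to Bob and as Bob to Alice, relaying so neither notices."""

    def __init__(self, alice):
        self.pub, self.priv = toy_keypair(67, 71, 13)   # Trudy's own pair K_T^+, K_T^-
        self.alice = alice

    def sign_nonce(self, r):
        self.alice.sign_nonce(r)          # forwards R so Alice's side of the dialogue happens too
        return apply_key(self.priv, r)    # but answers Bob with K_T^-(R)

    def public_key(self):
        return self.pub                   # Bob receives K_T^+ and has no way to tell

    def relay(self, c_from_bob):
        m = apply_key(self.priv, c_from_bob)              # Trudy reads m
        return m, self.alice.decrypt(apply_key(self.alice.public_key(), m))  # re-encrypts for Alice


def ap50_bob(peer, message):
    """Bob's side of ap5.0: nonce, K^-(R), request for K^+, the check, then K^+(m)."""
    r = secrets.randbelow(3000) + 1       # below both toy moduli
    signed = peer.sign_nonce(r)
    k_plus = peer.public_key()
    authenticated = apply_key(k_plus, signed) == r
    return authenticated, apply_key(k_plus, message)


def demo():
    alice = Alice()
    ok_direct, _ = ap50_bob(alice, 1234)
    trudy = Trudy(alice)
    ok_mitm, ciphertext = ap50_bob(trudy, 1234)
    seen_by_trudy, received_by_alice = trudy.relay(ciphertext)
    return ok_direct, ok_mitm, seen_by_trudy, received_by_alice
```

demo() returns (True, True, 1234, 1234): Bob's check succeeds in both runs, Trudy reads the message, and Alice still receives it intact, which is why the slide calls the attack difficult to detect.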

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Firewalls

A firewall isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.

[figure: administered network - firewall - public Internet]

Firewalls: why

- prevent denial of service attacks: SYN flooding, where an attacker establishes many bogus TCP connections so no resources are left for "real" connections
- prevent illegal modification/access of internal data, e.g. an attacker replaces the CIA's homepage with something else
- allow only authorized access to the inside network (a set of authenticated users/hosts)

Two types of firewalls: application-level and packet-filtering.

Packet filtering

The internal network is connected to the Internet via a router firewall. The router filters packet by packet; the decision to forward/drop a packet is based on: source IP address, destination IP address, TCP/UDP source and destination port numbers, ICMP message type, TCP SYN and ACK bits.

Should an arriving packet be allowed in? Should a departing packet be let out?

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and those with TCP source or destination port = 23. All incoming and outgoing UDP flows and all telnet connections are blocked.

Example 2: block inbound TCP segments with SYN set and ACK clear (the connection-opening segment). This prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside: the SYN+ACK that comes back to them has ACK set and so passes the filter.
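The two examples as a stateless packet filter, added here (editor-written; not the slides' material and not any real firewall's rule syntax). Addresses and ports in the handshake trace are constructed. Running the same rules over an external client's handshake shows both what Example 2 buys and its limit: the bare SYN is dropped, but a later ACK-only segment from outside is forwarded, since a stateless filter sees flag bits, not connections.

```python
from dataclasses import dataclass
from typing import Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


@dataclass
class Packet:
    direction: str            # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_type: Optional[int] = None


def block_udp_and_telnet(p):
    """Example 1: drop UDP (protocol 17) and anything with TCP port 23 at either end."""
    return p.proto == PROTO_UDP or (p.proto == PROTO_TCP and 23 in (p.sport, p.dport))


def block_inbound_connection_opens(p):
    """Example 2: drop inbound TCP segments with SYN set and ACK clear. A SYN+ACK
    answering an internal client's SYN still passes, so outbound connections work."""
    return p.direction == "in" and p.proto == PROTO_TCP and p.syn and not p.ack


RULES = [
    ("example1-udp-telnet", block_udp_and_telnet),
    ("example2-inbound-syn", block_inbound_connection_opens),
]


def filter_packet(p, rules=RULES):
    """First matching block rule wins; otherwise forward (default allow, as on the slide)."""
    for name, matches in rules:
        if matches(p):
            return "drop", name
    return "forward", None


def handshake_trace(client_inside=True):
    """Constructed three-way handshake between 10.1.1.5 (inside) and 203.0.113.8
    (outside). Returns the filter decision for each segment, in order."""
    inside, outside = "10.1.1.5", "203.0.113.8"
    if client_inside:
        segs = [
            Packet("out", inside, outside, PROTO_TCP, 4444, 80, syn=True),
            Packet("in", outside, inside, PROTO_TCP, 80, 4444, syn=True, ack=True),
            Packet("out", inside, outside, PROTO_TCP, 4444, 80, ack=True),
        ]
    else:
        segs = [
            Packet("in", outside, inside, PROTO_TCP, 5555, 80, syn=True),
            Packet("out", inside, outside, PROTO_TCP, 80, 5555, syn=True, ack=True),
            Packet("in", outside, inside, PROTO_TCP, 5555, 80, ack=True),
        ]
    return [filter_packet(s)[0] for s in segs]
```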

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; the application gateway sits behind the router and filter]

1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host; the gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls and gateways

- IP spoofing: the router can't know if data "really" comes from the claimed source
- if multiple applications need special treatment, each has its own application gateway
- client software must know how to contact the gateway, e.g. must set the IP address of the proxy in the web browser
- filters often use an all-or-nothing policy for UDP
- tradeoff: degree of communication with the outside world vs. level of security
- many highly protected sites still suffer from attacks

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Internet security threats

Mapping: before attacking, "case the joint" to find out what services are implemented on the network. Use ping to determine which hosts have addresses on the network. Port scanning: try to establish a TCP connection to each port in sequence.

Countermeasures?

Mapping countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).
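The countermeasure from the slide run over a recorded trace, as an added example (editor-written; the log format and every line in it are constructed for the demo, not a real device's output). It flags a source that pings many hosts and a source that walks a host's ports, and records whether the ports were hit in ascending sequence, the pattern the slide names.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\w+))?$"
)

# Constructed sample: 198.51.100.7 pings six hosts, then walks ports 21-28 on one of
# them; 203.0.113.5 is an ordinary web client talking to the same server.
SAMPLE_LOG = """\
10:00:01 proto=icmp src=198.51.100.7 dst=192.0.2.1
10:00:01 proto=icmp src=198.51.100.7 dst=192.0.2.2
10:00:01 proto=icmp src=198.51.100.7 dst=192.0.2.3
10:00:02 proto=icmp src=198.51.100.7 dst=192.0.2.4
10:00:02 proto=icmp src=198.51.100.7 dst=192.0.2.5
10:00:02 proto=icmp src=198.51.100.7 dst=192.0.2.10
10:00:05 proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
10:00:06 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=21 flags=S
10:00:06 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=22 flags=S
10:00:06 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=23 flags=S
10:00:07 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=24 flags=S
10:00:07 proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=443 flags=S
10:00:07 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=25 flags=S
10:00:08 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=26 flags=S
10:00:08 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=27 flags=S
10:00:08 proto=tcp src=198.51.100.7 dst=192.0.2.10 dport=28 flags=S
10:00:09 proto=tcp src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S
"""


def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"]) if d["dport"] else None
            records.append(d)
    return records


def find_port_scans(records, min_ports=5):
    """Flag (src, dst) pairs that opened TCP to many distinct ports; note whether the
    ports were probed in ascending sequence, in arrival order."""
    ports_by_pair = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["flags"] == "S":
            ports_by_pair[(r["src"], r["dst"])].append(r["dport"])
    findings = []
    for (src, dst), ports in ports_by_pair.items():
        distinct = sorted(set(ports))
        if len(distinct) < min_ports:
            continue
        sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        findings.append({"src": src, "dst": dst, "ports": len(distinct), "sequential": sequential})
    return findings


def find_ping_sweeps(records, min_hosts=4):
    """Flag sources that pinged many distinct addresses on the network."""
    hosts_by_src = defaultdict(set)
    for r in records:
        if r["proto"] == "icmp":
            hosts_by_src[r["src"]].add(r["dst"])
    return [{"src": s, "hosts": len(h)} for s, h in hosts_by_src.items() if len(h) >= min_hosts]
```

The thresholds are assumptions; a real deployment tunes them to the network's normal traffic so that a busy legitimate client (here 203.0.113.5) stays below them.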

Internet security threats: packet sniffing

Broadcast media: a promiscuous NIC reads all packets passing by, so it can read all unencrypted data (e.g. passwords). E.g., C sniffs B's packets.

[figure: A, B, C on a shared segment; frame src:B dest:A payload is visible to C]

Countermeasures?

Packet sniffing countermeasures:
- all hosts in the organization run software that checks periodically if the host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at the hub)

Internet security threats: IP spoofing

An application can generate "raw" IP packets directly, putting any value into the IP source address field. The receiver can't tell if the source is spoofed. E.g., C pretends to be B.

[figure: C sends a frame with src:B dest:A payload to A]

Countermeasures?

IP spoofing: ingress filtering. Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in the router's network). Great, but ingress filtering cannot be mandated for all networks.
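The ingress filtering rule from the slide as a border-router check, added here (editor-written; not the slides' material and not any vendor's configuration). The "out" direction is the slide's rule. The "in" direction, dropping packets arriving from the Internet that claim one of the network's own addresses, is the usual complement and is added by the editor. Prefixes and packets are constructed; the CIDR matching comes from Python's ipaddress module, which also covers IPv6.

```python
import ipaddress


class SourceAddressFilter:
    """Ingress filtering at a border router that owns the given prefixes."""

    def __init__(self, own_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in own_prefixes]

    def is_own(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr.version == net.version and addr in net for net in self.prefixes)

    def decide(self, direction, src_ip):
        own = self.is_own(src_ip)
        if direction == "out" and not own:
            return "drop"        # slide's rule: leaving packet with a source not in our network
        if direction == "in" and own:
            return "drop"        # complement: outsider pretending to be an inside host
        return "forward"

    def apply(self, packets):
        """packets: iterable of (direction, src_ip). Returns decision counts and the drops."""
        counts = {"forward": 0, "drop": 0}
        dropped = []
        for direction, src in packets:
            d = self.decide(direction, src)
            counts[d] += 1
            if d == "drop":
                dropped.append((direction, src))
        return counts, dropped


# Constructed traffic at a router that owns 237.196.7.0/24 and 2001:db8:1::/48.
SAMPLE_PACKETS = [
    ("out", "237.196.7.78"),      # legitimate inside host
    ("out", "237.196.7.23"),
    ("out", "203.0.113.9"),       # C forging someone else's address: dropped on the way out
    ("out", "2001:db8:1::42"),
    ("in", "198.51.100.2"),       # ordinary outside source
    ("in", "237.196.7.14"),       # outside packet claiming an inside address: dropped
]


def demo():
    return SourceAddressFilter(["237.196.7.0/24", "2001:db8:1::/48"]).apply(SAMPLE_PACKETS)
```

This is exactly the check the slide says cannot be mandated everywhere: it only stops spoofing at networks that deploy it, which is why a receiver still cannot trust a source address on its own.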

Internet security threats: denial of service (DoS)

A flood of maliciously generated packets "swamps" the receiver. Distributed DoS (DDoS): multiple coordinated sources swamp the receiver. E.g., C and a remote host SYN-attack A.

[figure: streams of SYN segments from C and from a remote host converge on A]

Countermeasures?

Denial of service (DoS) countermeasures:
- filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad
- traceback to the source of floods (most likely an innocent, compromised machine)

Review (1): Network layer

- Virtual circuits and datagram networks
- Routing principles: link state algorithm, distance vector algorithm
- The Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)

Review (2): Routing in the Internet

- Hierarchical routing, RIP, OSPF, BGP

Data link layer:
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
- Link-layer addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3)

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing algorithm classification

Global or decentralized information?
- Global: all routers have complete topology and link cost info: "link state" algorithms
- Decentralized: a router knows its physically-connected neighbors and the link costs to them; iterative process of computation and exchange of info with neighbors: "distance vector" algorithms

Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either the old cost to v or the known
     shortest path cost to w plus the cost from w to v */
until all nodes in N

Dijkstra's algorithm: example

Step   N'        D(v),p(v)   D(w),p(w)   D(x),p(x)   D(y),p(y)   D(z),p(z)
0      u         2,u         5,u         1,u         ∞           ∞
1      ux        2,u         4,x                     2,x         ∞
2      uxy       2,u         3,y                                 4,y
3      uxyv                  3,y                                 4,y
4      uxyvw                                                     4,y
5      uxyvwz

[figure: six-node graph u, v, w, x, y, z with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:

D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance vector algorithm (2)

Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies its neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path; it only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[figure: three nodes with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1; the tables at x, y and z over time]

Node x's table (rows: vector from x, y, z; columns: cost to x, y, z):
  initially:             x: 0 2 7    y: ∞ ∞ ∞    z: ∞ ∞ ∞
  after first exchange:  x: 0 2 3    y: 2 0 1    z: 7 1 0
  converged:             x: 0 2 3    y: 2 0 1    z: 3 1 0

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
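The Bellman-Ford update run to convergence on the three-node example, as an added example (editor-written; not the slides' code). It uses synchronous rounds, every node exchanging then recomputing, which is simpler than the asynchronous version the slide describes but reaches the same vectors; next_hops() shows what a DV router really retains, the neighbor that attains the minimum rather than the whole path.

```python
INF = float("inf")


def initial_vectors(costs):
    """Each node starts knowing only its own link costs (∞ to everyone else)."""
    return {x: {y: (0 if x == y else costs[x].get(y, INF)) for y in costs} for x in costs}


def bellman_ford_update(costs, dv, x):
    """D_x(y) = min over neighbors v of c(x,v) + D_v(y), using the latest vectors dv."""
    return {y: (0 if y == x else min(costs[x][v] + dv[v][y] for v in costs[x])) for y in costs}


def run_distance_vector(costs, max_rounds=100):
    """Synchronous rounds: every node exchanges its vector, every node recomputes.
    Returns (vectors, rounds) once a full round changes nothing."""
    dv = initial_vectors(costs)
    for rounds in range(1, max_rounds + 1):
        new = {x: bellman_ford_update(costs, dv, x) for x in costs}
        changed = new != dv
        dv = new
        if not changed:
            return dv, rounds
    raise RuntimeError("distance vectors did not converge")


def next_hops(costs, dv, x):
    """What x actually keeps: the neighbor minimizing c(x,v) + D_v(y) for each y."""
    return {y: min(costs[x], key=lambda v: costs[x][v] + dv[v][y]) for y in costs if y != x}


# The three-node example from the slide: c(x,y) = 2, c(x,z) = 7, c(y,z) = 1.
COSTS = {
    "x": {"y": 2, "z": 7},
    "y": {"x": 2, "z": 1},
    "z": {"x": 7, "y": 1},
}
```

Round 1 already produces D_x = (0, 2, 3) and D_z(x) = 3; round 2 changes nothing and the loop stops.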

The Internet network layer

Host, router network-layer functions:
- Routing protocols: path selection; RIP, OSPF, BGP
- IP protocol: addressing conventions, datagram format, packet handling conventions
- ICMP protocol: error reporting, router "signaling"
- forwarding table

[figure: the network layer sits between the transport layer (TCP, UDP) above and the link layer and physical layer below]

IP datagram format

[figure: 32-bit-wide layout of the IPv4 header]

- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number of remaining hops (decremented at each router)
- upper layer: upper-layer protocol to deliver the payload to
- Internet checksum
- 32-bit source IP address
- 32-bit destination IP address
- options (if any): e.g. timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app-layer overhead.

IP addressing: introduction

IP address: 32-bit identifier for a host or router interface.

Interface: connection between a host/router and a physical link. Routers typically have multiple interfaces; a host may have multiple interfaces. IP addresses are associated with each interface.

[figure: three subnets; interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
               223      1        1        1

Subnets

IP address: subnet part (high-order bits) and host part (low-order bits).

What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.

[figure: network consisting of 3 subnets (LANs), with the interfaces 223.1.1.1 through 223.1.3.27 from the previous slide]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).

CIDR: Classless InterDomain Routing. The subnet portion of the address is of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

11001000 00010111 00010000 00000000 = 200.23.16.0/23
subnet part: the first 23 bits; host part: the remaining 9 bits

NAT: Network Address Translation

[figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router whose LAN side is 10.0.0.4 and WAN side is 138.76.29.7, attached to the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source and destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

NAT translation table
WAN side addr           LAN side addr
138.76.29.7, 5001       10.0.0.1, 3345
……                      ……

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80:   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes the datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table:   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001:   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes the datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345:   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
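The four steps as a translation table that allocates WAN ports, added here as an example (editor-written; not the slides' code and not a real NAT implementation). It also shows the side effect the slide does not spell out: an inbound datagram with no table entry has nobody inside to go to and is dropped, which is why hosts behind a NAT are not reachable unsolicited. The stray packet at the end is constructed.

```python
class NatRouter:
    """Port-based NAT: one public address, a fresh WAN port per (LAN addr, LAN port)."""

    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}            # (WAN addr, WAN port) -> (LAN addr, LAN port)
        self.by_lan = {}           # reverse index

    def outbound(self, pkt):
        """Step 2: rewrite the source addr/port of a datagram leaving the local network."""
        lan = (pkt["src"], pkt["sport"])
        if lan not in self.by_lan:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.table[wan], self.by_lan[lan] = lan, wan
        wan = self.by_lan[lan]
        return {**pkt, "src": wan[0], "sport": wan[1]}

    def inbound(self, pkt):
        """Step 4: rewrite the destination back to the LAN host; drop if no mapping exists."""
        lan = self.table.get((pkt["dst"], pkt["dport"]))
        if lan is None:
            return None            # nobody inside asked for this: unsolicited, dropped
        return {**pkt, "dst": lan[0], "dport": lan[1]}


def trace():
    """The slide's exchange: 10.0.0.1:3345 -> 128.119.40.186:80 and its reply,
    then a constructed stray packet to an unmapped WAN port."""
    nat = NatRouter("138.76.29.7")
    out = nat.outbound({"src": "10.0.0.1", "sport": 3345, "dst": "128.119.40.186", "dport": 80})
    reply = {"src": "128.119.40.186", "sport": 80, "dst": out["src"], "dport": out["sport"]}
    back = nat.inbound(reply)
    stray = nat.inbound({"src": "203.0.113.9", "sport": 4000, "dst": "138.76.29.7", "dport": 5002})
    return out, back, stray
```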

Hierarchical routing

Our routing study thus far has been an idealization: all routers identical, the network "flat"… not true in practice.

Scale: with 200 million destinations,
- can't store all destinations in routing tables
- routing table exchange would swamp links

Administrative autonomy:
- internet = network of networks
- each network admin may want to control routing in its own network

Hierarchical routing

Aggregate routers into regions, "autonomous systems" (AS). Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol. Routers in different ASes can run different intra-AS routing protocols.

Gateway router: has a direct link to a router in another AS.

[figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); each router's forwarding table is fed by the intra-AS and inter-AS routing algorithms]

Interconnected ASes

The forwarding table is configured by both the intra- and inter-AS routing algorithms: intra-AS sets entries for internal destinations; inter-AS & intra-AS set entries for external destinations.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in the BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from the source router to the destination subnet.

[figure: routers A, B, C, D connecting subnets u, v, w, x, y, z; e.g. src = A]

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement). Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses a link state algorithm: LS packet dissemination, topology map at each node, route computation using Dijkstra's algorithm. Link costs are configured by the network administrator.

An OSPF advertisement carries one entry per neighbor router. Advertisements are disseminated to the entire AS (via flooding), carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only within an area; each node has the detailed area topology.

Area border routers "summarize" distances to nets in their own area and advertise to other area border routers.
Backbone routers run OSPF routing limited to the backbone.
Boundary routers connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[figure: AS1, AS2, AS3 with eBGP sessions between gateway routers and iBGP sessions inside each AS]

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes; prefix + attributes = "route".

Two important attributes:
- AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17
- NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)

When a gateway router receives a route advert, it uses an import policy to accept/decline it.

Why different intra- and inter-AS routing?

Policy: inter-AS, an admin wants control over how its traffic is routed and who routes through its net; intra-AS, a single admin, so no policy decisions needed.

Scale: hierarchical routing saves table size and reduces update traffic.

Performance: intra-AS can focus on performance; inter-AS, policy may dominate over performance.

Data link layer

Some terminology: hosts and routers are nodes; the communication channels that connect adjacent nodes along a communication path are links (wired links, wireless links, LANs). A layer-2 packet is a frame; it encapsulates a datagram.

The data-link layer has responsibility for transferring a datagram from one node to an adjacent node over a link.

Link layer services

Framing, link access: encapsulate the datagram into a frame, adding header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and destination (different from IP addresses).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links have high error rates. Q: why both link-level and end-end reliability?

MAC protocols: a taxonomy

Three broad classes:
- Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
- Random access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: 6-station LAN; 1, 3, 4 have packets; slots 2, 5, 6 idle.

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF, so all machines on the LAN receive the ARP query.

B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator.

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A - R - B, with R having one interface on each of the two LANs.]

- A creates a datagram with source A, destination B.
- A uses ARP to get R's MAC address for 111.111.111.110.
- A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram.
- A's adapter sends the frame; R's adapter receives it.
- R removes the IP datagram from the Ethernet frame and sees it is destined to B.
- R uses ARP to get B's MAC address.
- R creates a frame containing the A-to-B IP datagram and sends it to B.
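The walkthrough above, as an added simulation that is not part of the lecture: a broadcast ARP query on each LAN, one ARP table per router interface, and cached mappings that expire after the 20-minute TTL. The router IP 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's; all other addresses are constructed here.

```python
"""Simulated ARP and the A -> R -> B walkthrough above (added example).

Not the lecture's code. Two LANs are joined by router R, which keeps one ARP
table per interface. A resolves R's MAC with a broadcast query, R resolves B's
MAC on the second LAN, and each learned mapping is soft state that expires
after ARP_TTL. Router IP 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the
slide's; every other IP and MAC below is constructed for the simulation.
"""
BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60          # seconds; "typically 20 min" on the slide
CLOCK = {"t": 0.0}         # simulated time, advanced by the caller


class Lan:
    """A broadcast segment: every attached interface sees every frame."""
    def __init__(self):
        self.ifaces = []

    def send(self, frame):
        for iface in self.ifaces:
            if frame["dst_mac"] in (BROADCAST, iface.mac):
                iface.owner.receive(iface, frame)


class Iface:
    """One interface on one LAN with its own ARP table: ip -> (mac, expiry)."""
    def __init__(self, owner, lan, ip, mac):
        self.owner, self.lan, self.ip, self.mac = owner, lan, ip, mac
        self.arp = {}
        lan.ifaces.append(self)

    def learn(self, ip, mac):
        self.arp[ip] = (mac, CLOCK["t"] + ARP_TTL)

    def resolve(self, ip):
        """MAC for ip on this LAN; broadcasts an ARP query on a miss or expiry."""
        mac, expiry = self.arp.get(ip, (None, 0.0))
        if mac and expiry > CLOCK["t"]:
            return mac
        self.arp.pop(ip, None)                 # stale soft state is forgotten
        self.lan.send({"type": "arp-request", "src_mac": self.mac,
                       "dst_mac": BROADCAST, "sender_ip": self.ip,
                       "target_ip": ip})
        if ip not in self.arp:                 # the unicast reply fills the table
            raise LookupError(f"no ARP reply for {ip}")
        return self.arp[ip][0]

    def send_datagram(self, datagram, next_hop_ip):
        """Wrap the datagram in a frame addressed to the next hop's MAC."""
        self.lan.send({"type": "data", "src_mac": self.mac,
                       "dst_mac": self.resolve(next_hop_ip), "datagram": datagram})


class Node:
    """Host or router: interfaces plus routes of (prefix, iface, next hop)."""
    def __init__(self, name):
        self.name, self.ifaces, self.routes, self.delivered = name, [], [], []

    def add_iface(self, lan, ip, mac):
        iface = Iface(self, lan, ip, mac)
        self.ifaces.append(iface)
        return iface

    def receive(self, iface, frame):
        if frame["type"] == "arp-request" and frame["target_ip"] == iface.ip:
            iface.learn(frame["sender_ip"], frame["src_mac"])   # target learns asker
            iface.lan.send({"type": "arp-reply", "src_mac": iface.mac,
                            "dst_mac": frame["src_mac"], "sender_ip": iface.ip})
        elif frame["type"] == "arp-reply":
            iface.learn(frame["sender_ip"], frame["src_mac"])
        elif frame["type"] == "data":
            self.handle(frame["datagram"])

    def handle(self, datagram):
        if any(i.ip == datagram["dst"] for i in self.ifaces):
            self.delivered.append(datagram)    # addressed to us: pass up to IP
        else:
            self.forward(datagram)             # R "sees it's destined to B"

    def forward(self, datagram):
        for prefix, iface, next_hop in self.routes:
            if datagram["dst"].startswith(prefix):
                iface.send_datagram(datagram, next_hop or datagram["dst"])
                return
        raise LookupError(f"{self.name}: no route to {datagram['dst']}")


def walkthrough():
    """Build the slide's topology and send one datagram from A to B via R."""
    lan1, lan2 = Lan(), Lan()
    a, r, b = Node("A"), Node("R"), Node("B")
    a_if = a.add_iface(lan1, "111.111.111.111", "AA-00-00-00-00-01")
    r1 = r.add_iface(lan1, "111.111.111.110", "E6-E9-00-17-BB-4B")
    r2 = r.add_iface(lan2, "222.222.222.220", "AA-00-00-00-00-02")
    b.add_iface(lan2, "222.222.222.222", "AA-00-00-00-00-03")
    a.routes = [("111.111.111.", a_if, None), ("", a_if, "111.111.111.110")]
    r.routes = [("111.111.111.", r1, None), ("222.222.222.", r2, None)]
    a.forward({"src": "111.111.111.111", "dst": "222.222.222.222", "payload": "hi B"})
    return a, r, b
```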

Ethernet uses CSMA/CD

No slots.
- An adapter doesn't transmit if it senses that some other adapter is transmitting: that is carrier sense.
- A transmitting adapter aborts when it senses that another adapter is transmitting: that is collision detection.
- Before attempting a retransmission, the adapter waits a random time: that is random access.

Ethernet CSMA/CD algorithm

1. Adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.

Exponential backoff:
- goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer
- first collision: choose K from {0, 1}; the delay is K * 512 bit transmission times
- after the second collision: choose K from {0, 1, 2, 3}...
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
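The backoff rule of the two slides above, as an added example (not lecture code): the K range doubles per collision and is capped at 1023, and a wait for K = 1023 at 10 Mbps comes to about 52 ms. The two-adapter contention loop and its 16-attempt give-up limit are assumptions of this example.

```python
"""Ethernet exponential backoff from the slides (added example, not lecture code).

After the m-th collision the adapter draws K uniformly from {0, ..., 2^m - 1},
with the range capped at {0, ..., 1023} from the tenth collision on, and waits
K * 512 bit times. Bit time 0.1 us is the slide's 10 Mbps figure. The two-
adapter contention loop and the 16-attempt give-up limit are assumptions.
"""
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit at 10 Mbps
SLOT_BITS = 512            # backoff unit: K * 512 bit times
MAX_EXPONENT = 10          # after ten collisions K stays in {0, ..., 1023}


def backoff_upper_bound(collisions):
    """Largest K the adapter may choose after `collisions` collisions."""
    if collisions < 1:
        raise ValueError("backoff only happens after a collision")
    return 2 ** min(collisions, MAX_EXPONENT) - 1


def choose_k(collisions, rng=None):
    """Draw K uniformly from {0, ..., 2^min(m, 10) - 1}."""
    return (rng or random).randint(0, backoff_upper_bound(collisions))


def wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """Backoff wait for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time


def worst_case_wait_ms(collisions, bit_time=BIT_TIME_10MBPS):
    """Longest possible wait after `collisions` collisions, in milliseconds."""
    return wait_seconds(backoff_upper_bound(collisions), bit_time) * 1e3


def resolve_collision(rng, max_attempts=16):
    """Two adapters that just collided keep drawing K until one wins.

    The adapter with the smaller K transmits first and the other, sensing
    the channel busy, defers (Step 2); equal Ks mean both transmit together
    and collide again, so both move to the next backoff range. Returns
    (rounds, winner_k, winner_wait_seconds); winner_k is None on give-up.
    """
    for attempt in range(1, max_attempts + 1):
        k1, k2 = choose_k(attempt, rng), choose_k(attempt, rng)
        if k1 != k2:
            winner = min(k1, k2)
            return attempt, winner, wait_seconds(winner)
    return max_attempts, None, None


def demo(seed=3):
    """One seeded contention between two adapters."""
    return resolve_collision(random.Random(seed))


def mean_rounds(seed, trials=1000):
    """Average number of collisions before two adapters separate."""
    rng = random.Random(seed)
    return sum(resolve_collision(rng)[0] for _ in range(trials)) / trials
```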

CSMA/CD efficiency

$t_{prop}$ = max propagation delay between 2 nodes in the LAN
$t_{trans}$ = time to transmit a max-size frame

$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$

- Efficiency goes to 1 as $t_{prop}$ goes to 0.
- Goes to 1 as $t_{trans}$ goes to infinity.
- Much better than ALOHA, but still decentralized, simple, and cheap.

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides network management functionality
  • can disconnect a malfunctioning adapter

[Figure: hub connected to hosts over twisted pair.]

Interconnecting with hubs

Pros:
- enables interdepartmental communication
- extends max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it

Cons:
- collision domains are transferred into one large common domain
- cannot interconnect 10BaseT and 100BaseT hubs

[Figure: backbone hub interconnecting three departmental hubs.]

Switch

Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem...

[Figure: switch with interfaces 1, 2 and 3, each connected to a hub.]

Self learning

A switch has a switch table. An entry in the switch table is (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments, so segments become separate collision domains.

[Figure: switch connecting three hubs; each hub's segment is its own collision domain.]

Switches vs. Routers

Both are store-and-forward devices:
- routers: network-layer devices (examine network-layer headers)
- switches: link-layer devices

Routers maintain routing tables and implement routing algorithms.
Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem:
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other; this means A, C are unaware of their interference at B

[Figure: nodes A, B, C in a line; A's signal strength and C's signal strength over space overlap only at B.]

Signal fading:
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other, interfering at B

IEEE 802.11 Wireless LAN

802.11b:
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in the physical layer
  • all hosts use the same chipping code
- widely deployed, using base stations

802.11a:
- 5-6 GHz range
- up to 54 Mbps

802.11g:
- 2.4-5 GHz range
- up to 54 Mbps

All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture

A wireless host communicates with a base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
- wireless hosts
- access point (AP): base station

Ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then
   - start a random backoff time
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK, increase the random backoff interval and repeat 2

802.11 receiver:
- if the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem)

[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK.]

Collision Avoidance: RTS-CTS exchange

[Figure, time running downwards: A and B both send RTS to the AP and the reservations collide; A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A), heard by both; B defers for the reserved duration.]

802.11 frame: addressing

Frame format, field sizes in bytes:

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)

- Address 1: MAC address of the wireless host or AP to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode

[Figure: wireless host H1 sends through the AP to router R1 and on to the Internet.]

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr

Network Security

- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks


Authentication: ap5.0

ap4.0 requires a shared symmetric key. Can we authenticate using public key techniques?

ap5.0: use a nonce and public key cryptography.

Alice -> Bob: "I am Alice"
Bob -> Alice: R
Alice -> Bob: $K_A^-(R)$
Bob -> Alice: "send me your public key"
Alice -> Bob: $K_A^+$

Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).

Alice -> Trudy: "I am Alice"                 Trudy -> Bob: "I am Alice"
Trudy -> Alice: R                            Bob -> Trudy: R
Alice -> Trudy: $K_A^-(R)$                   Trudy -> Bob: $K_T^-(R)$
Trudy -> Alice: "send me your public key"    Bob -> Trudy: "send me your public key"
Alice -> Trudy: $K_A^+$                      Trudy -> Bob: $K_T^+$
                                             Bob -> Trudy: $K_T^+(m)$

Trudy gets $m = K_T^-(K_T^+(m))$ and sends m to Alice encrypted with Alice's public key: Trudy -> Alice: $K_A^+(m)$, and Alice computes $m = K_A^-(K_A^+(m))$.

Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob and Alice can meet one week later and recall the conversation); the problem is that Trudy receives all messages as well!

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Firewalls

Firewall: isolates an organization's internal network from the larger Internet, allowing some packets to pass and blocking others.

[Figure: administered network - firewall - public Internet.]

Firewalls: Why

Prevent denial of service attacks: SYN flooding: the attacker establishes many bogus TCP connections, leaving no resources for "real" connections.

Prevent illegal modification/access of internal data: e.g., an attacker replaces the CIA's homepage with something else.

Allow only authorized access to the inside network (a set of authenticated users/hosts).

Two types of firewalls: application-level and packet-filtering.

Packet Filtering

The internal network is connected to the Internet via a router firewall. The router filters packet-by-packet; the decision to forward/drop a packet is based on:
- source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type
- TCP SYN and ACK bits

Should the arriving packet be allowed in? Should the departing packet be let out?

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: block inbound TCP SYN packets. This prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.

Application gateways

Filters packets on application data as well as on IP/TCP/UDP fields.

Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session; application gateway; gateway-to-remote-host telnet session; router and filter.]

1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls and gateways

- IP spoofing: the router can't know if data "really" comes from the claimed source.
- If multiple apps need special treatment, each has its own app gateway.
- Client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the Web browser.
- Filters often use an all-or-nothing policy for UDP.
- Tradeoff: degree of communication with the outside world vs. level of security.
- Many highly protected sites still suffer from attacks.

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures

Internet security threats

Mapping:
- before attacking: "case the joint"; find out what services are implemented on the network
- use ping to determine what hosts have addresses on the network
- port-scanning: try to establish a TCP connection to each port in sequence

Countermeasures?

Mapping: countermeasures
- record traffic entering the network
- look for suspicious activity (IP addresses, ports being scanned sequentially)

Internet security threats: packet sniffing

Packet sniffing:
- broadcast media
- a promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g., C sniffs B's packets

[Figure: A, B, C on a shared segment; a frame with src:B dest:A payload passes C.]

Countermeasures?

Packet sniffing: countermeasures
- all hosts in the organization run software that checks periodically if the host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at the hub)

Internet security threats: IP spoofing

IP spoofing:
- can generate "raw" IP packets directly from the application, putting any value into the IP source address field
- the receiver can't tell if the source is spoofed
- e.g., C pretends to be B

[Figure: A, B, C; C sends a frame with src:B dest:A payload.]

Countermeasures?

IP spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., a datagram source address not in the router's network)
- great, but ingress filtering cannot be mandated for all networks
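The two packet-filtering examples from the firewall slides and the ingress-filtering countermeasure above, as one added policy function (not lecture code). The internal prefix 200.23.16.0/23 is borrowed from the CIDR slide; the sample packets and host addresses are constructed.

```python
"""Packet-filtering router from the slides plus ingress filtering (added example).

Not the lecture's code. Encodes the slide's Example 1 (drop datagrams with IP
protocol 17 or a source/dest port of 23 in either direction), Example 2 (drop
inbound TCP SYN segments, which still lets inside hosts open connections out,
because the SYN+ACK replies carry ACK) and the ingress-filtering rule (do not
forward outgoing packets whose source is not in the router's own network).
Packets are constructed dicts; the internal prefix 200.23.16.0/23 is the CIDR
slide's example, and all host addresses below are made up.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("200.23.16.0/23")
UDP, TCP, ICMP = 17, 6, 1
TELNET_PORT = 23


def decide(pkt, direction):
    """Return (verdict, rule). direction is 'in' (arriving) or 'out' (departing)."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    # Example 1: all UDP flows and all telnet connections are blocked both ways.
    if pkt["proto"] == UDP:
        return "drop", "example 1: protocol 17 (UDP)"
    if TELNET_PORT in (pkt.get("sport"), pkt.get("dport")):
        return "drop", "example 1: port 23 (telnet)"
    # Example 2: external clients may not open TCP connections to the inside.
    # SYN set with ACK clear is a connection attempt; SYN+ACK replies to
    # inside-initiated connections pass, so inside clients can still connect out.
    if direction == "in" and pkt["proto"] == TCP and pkt.get("syn") \
            and not pkt.get("ack"):
        return "drop", "example 2: inbound TCP SYN"
    # Ingress filtering: a departing packet must carry a source from our network.
    if direction == "out" and ipaddress.ip_address(pkt["src"]) not in INTERNAL_NET:
        return "drop", "ingress filter: source not in 200.23.16.0/23"
    return "forward", "no rule matched"


# Constructed sample traffic: (name, direction, packet).
SAMPLES = [
    ("inside client opens web connection", "out",
     {"proto": TCP, "src": "200.23.16.5", "sport": 40000,
      "dst": "128.119.40.186", "dport": 80, "syn": True, "ack": False}),
    ("web server's SYN+ACK reply", "in",
     {"proto": TCP, "src": "128.119.40.186", "sport": 80,
      "dst": "200.23.16.5", "dport": 40000, "syn": True, "ack": True}),
    ("outside host opens connection to inside", "in",
     {"proto": TCP, "src": "198.51.100.7", "sport": 5555,
      "dst": "200.23.17.9", "dport": 80, "syn": True, "ack": False}),
    ("inside host sends DNS over UDP", "out",
     {"proto": UDP, "src": "200.23.16.5", "sport": 53000,
      "dst": "198.51.100.53", "dport": 53}),
    ("inside host telnets out", "out",
     {"proto": TCP, "src": "200.23.16.5", "sport": 1025,
      "dst": "198.51.100.7", "dport": 23, "syn": True, "ack": False}),
    ("inside host with forged source", "out",
     {"proto": TCP, "src": "10.0.0.7", "sport": 1234,
      "dst": "198.51.100.7", "dport": 80, "syn": True, "ack": False}),
    ("ICMP echo from outside", "in",
     {"proto": ICMP, "src": "198.51.100.7", "dst": "200.23.16.5"}),
]


def run_samples(samples=SAMPLES):
    """Apply the policy to every sample; returns [(name, verdict, rule)]."""
    return [(name, *decide(pkt, direction)) for name, direction, pkt in samples]
```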

Internet security threats: denial of service (DoS)

Denial of service (DoS):
- a flood of maliciously generated packets "swamps" the receiver
- distributed DoS (DDoS): multiple coordinated sources swamp the receiver
- e.g., C and a remote host SYN-attack A

[Figure: C and a remote host flood A with SYN segments.]

Countermeasures?

Denial of service (DoS): countermeasures
- filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad
- traceback to the source of the floods (most likely an innocent, compromised machine)

Review (1)

Network Layer
- Virtual circuits and datagram networks
- Routing principles
  • Link state algorithm
  • Distance vector algorithm
- The Internet (IP) protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP

Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  • TDMA/FDMA
  • Random access protocols
  • "Taking turns" protocols
- Link-layer addressing
- Ethernet
- Hubs and switches

Mobile and wireless networks
- CDMA
- IEEE 802.11 wireless LANs

Review (3)

- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?

Global:
- all routers have complete topology and link cost info
- "link state" algorithms

Decentralized:
- a router knows its physically-connected neighbors and the link costs to neighbors
- iterative process of computation, exchange of info with neighbors
- "distance vector" algorithms

Static or dynamic?

Static:
- routes change slowly over time

Dynamic:
- routes change more quickly
- periodic update
- in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm example

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz

[Figure: graph with nodes u, v, w, x, y, z and link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5.]
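The pseudocode of the previous slide run on this example, as an added implementation (not lecture code). The link costs are an assumption: the textbook's six-node graph, which reproduces the table above; ties for the minimum D(w) are broken alphabetically here, so v is added before y where the slide adds y first, with the same final result.

```python
"""Dijkstra's algorithm as on the slide, run on the slide's example (added example).

Not the lecture's code. N', D and p follow the slide's pseudocode. The link
costs are an assumption: the textbook's six-node example, which reproduces the
table above (D(w) goes 5,u -> 4,x -> 3,y and every node ends with the same
cost and predecessor). Ties for the minimum D(w) are broken alphabetically,
so v is added before y here where the slide adds y first; the result is the same.
"""
import math

GRAPH = {                       # undirected link costs (assumed, see above)
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}


def adjacency(graph):
    """node -> {neighbour: cost} for an undirected edge-cost dict."""
    adj = {}
    for (a, b), cost in graph.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def dijkstra(graph, source):
    """Return (steps, D, p): one (N', D, p) snapshot per step, then the finals."""
    adj = adjacency(graph)
    n_prime = [source]
    D = {v: math.inf for v in adj}          # D(v): current least-cost estimate
    p = {v: None for v in adj}              # p(v): predecessor on that path
    D[source] = 0
    for v, c in adj[source].items():        # initialization: D(v) = c(u,v)
        D[v], p[v] = c, source
    steps = [(tuple(n_prime), dict(D), dict(p))]
    while len(n_prime) < len(adj):
        # find w not in N' such that D(w) is a minimum
        w = min((v for v in adj if v not in n_prime), key=lambda v: (D[v], v))
        n_prime.append(w)
        for v, c in adj[w].items():         # update D(v) for v adjacent to w
            if v not in n_prime and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w    # shorter via w than the old cost
        steps.append((tuple(n_prime), dict(D), dict(p)))
    return steps, D, p


def next_hop(p, source, dest):
    """Walk p back from dest to the node adjacent to source."""
    node = dest
    while p[node] != source:
        node = p[node]
    return node


def forwarding_table(graph, source):
    """Destination -> next hop: what the link-state router installs."""
    _, D, p = dijkstra(graph, source)
    return {d: next_hop(p, source, d) for d in D if d != source}
```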

Distance vector algorithm (1)

Basic idea:
- each node periodically sends its own distance vector estimate to its neighbors
- when a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

$$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \} \quad \text{for each node } y \in N$$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration is caused by:
- a local link cost change
- a DV update message from a neighbor

Distributed:
- each node notifies its neighbors only when its DV changes
- neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path; it only knows the next hop.

Each node:
  wait for (a change in local link cost or a msg from a neighbor)
  recompute estimates
  if the DV to any dest has changed, notify neighbors

[Figure: nodes x, y, z with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7. Each node's table has rows "from x, y, z" and columns "cost to x, y, z"; the tables evolve over time.]

Initial tables (each node knows only its own direct link costs):

node x table        node y table        node z table
      cost to             cost to             cost to
from  x  y  z       from  x  y  z       from  x  y  z
  x   0  2  7         x   ∞  ∞  ∞         x   ∞  ∞  ∞
  y   ∞  ∞  ∞         y   2  0  1         y   ∞  ∞  ∞
  z   ∞  ∞  ∞         z   ∞  ∞  ∞         z   7  1  0

After the first exchange of distance vectors:

from  x  y  z       from  x  y  z       from  x  y  z
  x   0  2  3         x   0  2  7         x   0  2  7
  y   2  0  1         y   2  0  1         y   2  0  1
  z   7  1  0         z   7  1  0         z   3  1  0

After the second exchange all three tables have converged to:

from  x  y  z
  x   0  2  3
  y   2  0  1
  z   3  1  0

$D_x(y) = \min\{ c(x,y) + D_y(y),\ c(x,z) + D_z(y) \} = \min\{ 2+0,\ 7+1 \} = 2$

$D_x(z) = \min\{ c(x,y) + D_y(z),\ c(x,z) + D_z(z) \} = \min\{ 2+1,\ 7+0 \} = 3$
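The three-node exchange above, as an added simulation (not lecture code): each node keeps its neighbors' last vectors, recomputes with the B-F equation, and advertises only when its own vector changed. Synchronous rounds and the change_link helper are assumptions of this example; the costs are the slide's.

```python
"""Distance vector algorithm on the slide's three-node example (added example).

Not the lecture's code. Nodes x, y, z with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7
as in the figure above. Each node stores its neighbours' last advertised
vectors, recomputes its own with the Bellman-Ford equation
D_x(y) = min_v { c(x,v) + D_v(y) }, and sends its vector to neighbours only
when it changed. Rounds are synchronous here, an assumption for the simulation.
"""
import math

COSTS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}   # from the slide


class DVNode:
    def __init__(self, name, link_costs, names):
        self.name = name
        self.c = link_costs                    # neighbour -> link cost
        self.names = names                     # every destination in the network
        # Initial estimate: own direct link costs, infinity elsewhere.
        self.dv = {n: 0 if n == name else link_costs.get(n, math.inf)
                   for n in names}
        self.neighbour_dv = {}                 # neighbour -> its last DV

    def recompute(self):
        """Apply the B-F equation; return True if this node's DV changed."""
        new = {}
        for y in self.names:
            best = 0 if y == self.name else math.inf
            for v, cost in self.c.items():
                if v in self.neighbour_dv:
                    best = min(best, cost + self.neighbour_dv[v][y])
            new[y] = best
        changed = new != self.dv
        self.dv = new
        return changed


def build(costs):
    names = sorted({n for edge in costs for n in edge})
    links = {n: {} for n in names}
    for (a, b), cost in costs.items():
        links[a][b] = links[b][a] = cost
    return {n: DVNode(n, links[n], names) for n in names}


def converge(nodes, senders, max_rounds=50):
    """Run rounds until no node's DV changes; returns the number of rounds."""
    rounds = 0
    while senders:
        if rounds == max_rounds:
            raise RuntimeError("did not converge")
        rounds += 1
        for name in senders:                   # deliver the DV to each neighbour
            for nb in nodes[name].c:
                nodes[nb].neighbour_dv[name] = dict(nodes[name].dv)
        # every node recomputes; only those that changed advertise next round
        senders = {n for n, node in nodes.items() if node.recompute()}
    return rounds


def run(costs=COSTS):
    """Start from the initial tables, where every node advertises once."""
    nodes = build(costs)
    rounds = converge(nodes, set(nodes))
    return nodes, rounds


def change_link(nodes, a, b, new_cost):
    """A local link-cost change at both endpoints triggers a new iteration."""
    nodes[a].c[b] = nodes[b].c[a] = new_cost
    return converge(nodes, {a, b})
```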

The Internet Network layer

Host, router network layer functions:

Transport layer: TCP, UDP

Network layer:
- Routing protocols
  • path selection
  • RIP, OSPF, BGP
- IP protocol
  • addressing conventions
  • datagram format
  • packet handling conventions
- ICMP protocol
  • error reporting
  • router "signaling"
- forwarding table

Link layer
Physical layer

IP datagram format

Header layout, 32 bits per row:

ver | head. len | type of service | length
16-bit identifier | flgs | fragment offset
time to live | upper layer | Internet checksum
32-bit source IP address
32-bit destination IP address
Options (if any)
data (variable length, typically a TCP or UDP segment)

- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number of remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver the payload to
- Options (if any): e.g., timestamp, record route taken, specify list of routers to visit

How much overhead with TCP?
- 20 bytes of TCP
- 20 bytes of IP
- = 40 bytes + app layer overhead
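A parser for the header laid out above, as an added example (not lecture code): it unpacks every field on the slide, verifies the Internet checksum, and rejects truncated or inconsistent headers. The sample datagram is constructed here: 20 bytes of IP header plus 20 bytes standing in for a TCP header, the slide's 40-byte overhead figure, from 223.1.1.1 to 223.1.2.9.

```python
"""Parse and checksum a 20-byte IPv4 header with the fields on the slide.

Added example, not lecture code. The sample header is constructed here:
a 40-byte datagram (20-byte IP header + 20-byte TCP header, the slide's
overhead figure) from 223.1.1.1 to 223.1.2.9 with TTL 64, protocol 6 (TCP).
"""
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def internet_checksum(data):
    """One's-complement sum of 16-bit words; a valid header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet):
    """Return the header fields as a dict, or raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or ihl > len(packet) or length < ihl:
        raise ValueError("inconsistent header/total length")
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "version": version,
        "header_len": ihl,                   # bytes; 20 without options
        "tos": tos,
        "total_len": length,                 # whole datagram, in bytes
        "id": ident,
        "flags": flags_frag >> 13,           # 3 bits: reserved, DF, MF
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, proto),
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "options": packet[20:ihl],
        "payload_len": length - ihl,
    }


def is_valid(packet):
    """True when parse_ipv4_header accepts the packet."""
    try:
        parse_ipv4_header(packet)
        return True
    except ValueError:
        return False


def build_ipv4_header(src, dst, payload_len, ttl=64, proto=6, ident=0x1234,
                      dont_fragment=True):
    """Assemble a header with a correct checksum (used to make the sample)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    flags_frag = 0x4000 if dont_fragment else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    csum = internet_checksum(hdr)            # computed with the field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


# Constructed sample: IP header + 20 zero bytes standing in for a TCP header.
SAMPLE = build_ipv4_header("223.1.1.1", "223.1.2.9", 20) + bytes(20)
```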

IP Addressing: introduction

IP address: 32-bit identifier for a host or router interface.

Interface: connection between host/router and physical link:
- routers typically have multiple interfaces
- a host may have multiple interfaces
- IP addresses are associated with each interface

[Figure: three subnets with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1 and 223.1.3.27.]

223.1.1.1 = 11011111 00000001 00000001 00000001
               223        1        1        1

Subnets

IP address:
- subnet part (high order bits)
- host part (low order bits)

What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.

[Figure: network consisting of 3 subnets (LANs), with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4 on the first, 223.1.2.1, 223.1.2.2, 223.1.2.9 on the second, and 223.1.3.1, 223.1.3.2, 223.1.3.27 on the third.]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing:
- subnet portion of the address is of arbitrary length
- address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address

  11001000 00010111 00010000 00000000
  <---- subnet part ----> <- host part ->
             200.23.16.0/23

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router interface 10.0.0.4; the router's outside address 138.76.29.7 faces the rest of the Internet.]

Datagrams with source or destination in this network have a 10.0.0/24 address for source, destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

NAT translation table
WAN side addr           LAN side addr
138.76.29.7, 5001       10.0.0.1, 3345
......                  ......

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80:
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes the datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table:
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001:
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes the datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345:
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
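The four-step exchange above, as an added example (not lecture code): the router allocates a WAN port per inside (address, port) pair, records it in the translation table, reverses the mapping for replies, and has no inside owner for a port it never allocated. Addresses and ports are the slide's.

```python
"""NAT translation table from the slides (added example, not lecture code).

The router rewrites the source of outgoing datagrams to its WAN address with
a fresh port, records the mapping, and reverses it for replies. Addresses and
ports are the slide's: host 10.0.0.1:3345, NAT address 138.76.29.7, first
WAN port 5001, server 128.119.40.186:80.
"""


class NatRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out_table = {}   # (lan ip, lan port) -> wan port
        self.in_table = {}    # wan port -> (lan ip, lan port)

    def outbound(self, dgram):
        """Step 2: rewrite source addr/port, adding a table row on first use."""
        key = (dgram["src"], dgram["sport"])
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return dict(dgram, src=self.wan_ip, sport=self.out_table[key])

    def inbound(self, dgram):
        """Step 4: map the WAN port back; an unknown port has no inside owner."""
        if dgram["dst"] != self.wan_ip:
            raise ValueError("not addressed to the NAT router")
        try:
            lan_ip, lan_port = self.in_table[dgram["dport"]]
        except KeyError:
            return None   # unsolicited inbound datagram: nothing to deliver to
        return dict(dgram, dst=lan_ip, dport=lan_port)

    def table(self):
        """Rows in the slide's layout: ((WAN addr, WAN port), (LAN addr, LAN port))."""
        return [((self.wan_ip, port), key) for key, port in self.out_table.items()]


def slide_exchange():
    """Steps 1-4 of the slide; returns the router and the rewritten datagrams."""
    nat = NatRouter("138.76.29.7")
    request = {"src": "10.0.0.1", "sport": 3345,
               "dst": "128.119.40.186", "dport": 80}                # step 1
    step2 = nat.outbound(request)                                   # step 2
    reply = {"src": "128.119.40.186", "sport": 80,
             "dst": step2["src"], "dport": step2["sport"]}          # step 3
    step4 = nat.inbound(reply)                                      # step 4
    return nat, step2, step4
```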

Hierarchical Routing

Scale: with 200 million destinations:
- can't store all destinations in routing tables!
- routing table exchange would swamp links!

Administrative autonomy:
- internet = network of networks
- each network admin may want to control routing in its own network

Our routing study thus far: an idealization: all routers identical, network "flat"... not true in practice.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS).

Routers in the same AS run the same routing protocol:
- "intra-AS" routing protocol
- routers in different ASs can run different intra-AS routing protocols

Gateway router: direct link to a router in another AS.

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); the intra-AS routing algorithm and the inter-AS routing algorithm together produce the forwarding table.]

Interconnected ASes

The forwarding table is configured by both the intra- and the inter-AS routing algorithm:
- intra-AS sets entries for internal dests
- inter-AS & intra-AS set entries for external dests

Routing in the Internet

- Intra-AS routing: RIP and OSPF
- Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm. Included in the BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops).

# of hops = # of subnets traversed along the shortest path from the source router to the destination subnet (e.g., src = A):

[Figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z.]

destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).

Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

"Open": publicly available.

Uses the Link State algorithm:
- LS packet dissemination
- topology map at each node
- route computation using Dijkstra's algorithm
- link costs configured by the network administrator

An OSPF advertisement carries one entry per neighbor router.

Advertisements are disseminated to the entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

[Figure: backbone area with backbone routers and a boundary router; area border routers connect the local areas to the backbone.]

Two-level hierarchy: local area, backbone.
- link-state advertisements only in the area
- each node has detailed area topology

Area border routers: "summarize" distances to nets in their own area, advertise to other area border routers.
Backbone routers: run OSPF routing limited to the backbone.
Boundary routers: connect to other ASs.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASs, iBGP sessions among the routers inside each AS.]

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:
- AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
- NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)

When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: the admin wants control over how its traffic is routed and who routes through its net
- Intra-AS: single admin, so no policy decisions needed

Scale:
- hierarchical routing saves table size and reduces update traffic

Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links
  • wired links
  • wireless links
  • LANs
- a layer-2 packet is a frame; it encapsulates a datagram

The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access:
- encapsulate the datagram into a frame, adding header and trailer
- channel access if the medium is shared
- "MAC" addresses used in frame headers to identify source and dest
  • different from IP address!

Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)!
- seldom used on low bit-error links (fiber, some twisted pair)
- wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:

Channel Partitioning:
- divide the channel into smaller "pieces" (time slots, frequency, code)
- allocate a piece to a node for exclusive use

Random Access:
- channel not divided, allow collisions
- "recover" from collisions

"Taking turns":
- nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access:
- access to the channel in "rounds"
- each station gets a fixed-length slot (length = pkt transmission time) in each round
- unused slots go idle
- example: 6-station LAN; 1, 3, 4 have a pkt; slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros:
- a single active node can continuously transmit at the full rate of the channel
- highly decentralized: only the slots in nodes need to be in sync
- simple

Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p.

Prob that node 1 has success in a slot $= p(1-p)^{N-1}$
Prob that there is a success $= Np(1-p)^{N-1}$

For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$.

For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, which gives $1/e = .37$.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: channel used for useful transmissions 37% of the time!
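Carrying the maximization and the limit on this slide through (an added derivation, not on the original slide), with $S(p) = Np(1-p)^{N-1}$:

$$\frac{dS}{dp} = N(1-p)^{N-1} - N(N-1)p(1-p)^{N-2} = N(1-p)^{N-2}\,(1 - Np) = 0 \;\Rightarrow\; p^* = \frac{1}{N}$$

$$S(p^*) = N \cdot \frac{1}{N}\left(1-\frac{1}{N}\right)^{N-1} = \left(1-\frac{1}{N}\right)^{N-1} \xrightarrow{N\to\infty} \frac{1}{e} \approx 0.37$$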

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMA/CD

No slots.

An adapter doesn't transmit if it senses that some other adapter is transmitting; that is carrier sense.

A transmitting adapter aborts when it senses that another adapter is transmitting; that is collision detection.

Before attempting a retransmission, the adapter waits a random time; that is random access.

Ethernet CSMA/CD algorithm

1. Adapter receives a datagram from the network layer and creates a frame.

2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.

3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.

4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).

5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.

Exponential backoff: goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer.

First collision: choose K from {0, 1}; delay is K * 512 bit transmission times.

After the second collision: choose K from {0, 1, 2, 3}...

After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in the LAN

t_trans = time to transmit a max-size frame

efficiency = 1 / (1 + 5 * t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0.

Goes to 1 as t_trans goes to infinity.

Much better than ALOHA, but still decentralized, simple, and cheap.
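Added example (not from the slides) working the CSMA/CD numbers above in Python: the backoff window after the m-th collision, the K * 512 bit-time wait at a 0.1 microsecond bit time, the efficiency formula 1 / (1 + 5 t_prop / t_trans), and a Monte-Carlo check of how widening the window separates adapters that just collided. The frame size and propagation delay in run_demo() are assumed values.

```python
"""Ethernet CSMA/CD backoff and efficiency, worked with the slides' numbers.

Added example, not code from the slides. The frame size and propagation
delay used in run_demo() are assumed values chosen for illustration.
"""
import random

JAM_BITS = 48                  # jam signal length from the slide
SLOT_BITS = 512                # backoff unit: K * 512 bit times
BACKOFF_CAP = 10               # window stops growing after the 10th collision
BIT_TIME_10MBPS = 1e-7         # 0.1 microsecond per bit at 10 Mbps


def backoff_window(m):
    """Largest K allowed after the m-th collision: 2^min(m, 10) - 1."""
    if m < 1:
        raise ValueError("m counts collisions and starts at 1")
    return 2 ** min(m, BACKOFF_CAP) - 1


def choose_k(m, rng=random):
    """Step 5 of the algorithm: K drawn uniformly from {0, ..., 2^m - 1}."""
    return rng.randint(0, backoff_window(m))


def wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """Time the adapter stays silent for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time


def expected_wait_seconds(m, bit_time=BIT_TIME_10MBPS):
    """Mean wait after the m-th collision; E[K] = (2^m - 1) / 2 for uniform K."""
    return wait_seconds(backoff_window(m) / 2, bit_time)


def t_trans(frame_bits, rate_bps):
    """Time to transmit a frame of frame_bits at rate_bps."""
    return frame_bits / rate_bps


def efficiency(t_prop, t_trans_):
    """Long-run fraction of time the channel carries useful frames:
    1 / (1 + 5 t_prop / t_trans); goes to 1 as t_prop -> 0 or t_trans -> infinity."""
    if t_trans_ <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans_)


def collision_free_fraction(n_adapters, m, trials=10000, seed=1):
    """Monte-Carlo: share of backoff rounds in which n adapters that all just
    suffered their m-th collision pick pairwise different K values, so none of
    them collide again. A wider window (larger m) makes repeats rarer."""
    rng = random.Random(seed)
    clean = 0
    for _ in range(trials):
        ks = [choose_k(m, rng) for _ in range(n_adapters)]
        clean += len(set(ks)) == n_adapters
    return clean / trials


def run_demo():
    """The slide's figures plus an efficiency for an assumed 1500-byte frame."""
    return {
        "window_after_1st": backoff_window(1),           # K in {0, 1}
        "window_after_2nd": backoff_window(2),           # K in {0, 1, 2, 3}
        "window_after_10th": backoff_window(10),         # K in {0, ..., 1023}
        "window_after_16th": backoff_window(16),         # still capped at 1023
        "wait_k1023_seconds": wait_seconds(1023),        # ~0.052 s: "about 50 msec"
        # assumed: 1500-byte frame at 10 Mbps, 5 microsecond propagation delay
        "efficiency_1500B_10Mbps_5us": efficiency(5e-6, t_trans(1500 * 8, 1e7)),
        "two_adapters_after_1st": collision_free_fraction(2, 1),
        "two_adapters_after_10th": collision_free_fraction(2, 10),
    }
```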

Hubs

Hubs are essentially physical-layer repeaters:

bits coming from one link go out all other links, at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions; provides net management functionality

• can disconnect a malfunctioning adapter

[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros:

Enables interdepartmental communication

Extends max distance between nodes

If a hub malfunctions, the backbone hub can disconnect it

Cons:

Collision domains are transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: a backbone hub interconnecting three departmental hubs]

Switch: link-layer device

stores and forwards Ethernet frames: examines the frame header and selectively forwards the frame based on the MAC destination address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment

transparent: hosts are unaware of the presence of switches

plug-and-play, self-learning: switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward the frame?
• Looks like a routing problem...

[Figure: a switch with interfaces 1, 2, 3, each connected to a hub]

Self learning

A switch has a switch table.

Entry in the switch table: (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

switch installation breaks the subnet into LAN segments

switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments

segments become separate collision domains

[Figure: a switch connected to three hubs; each hub's segment is its own collision domain]
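The self-learning and filtering behaviour of the two slides above, as an added Python model (not the slides' code): a switch table of (MAC address, interface, time stamp) entries with a 60-minute TTL, learning from every received frame, filtering same-segment frames and flooding unknown destinations. Interface numbers and MAC addresses are constructed.

```python
"""Self-learning switch with filtering, as described on the slides.

Added example, not code from the slides. Interface numbers and MAC
addresses are constructed for the demo.
"""

SWITCH_TTL = 60 * 60              # slides: stale entries dropped, TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)   # e.g. [1, 2, 3], one per LAN segment
        self.table = {}                      # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        stale = [m for m, (_, ts) in self.table.items() if now - ts >= SWITCH_TTL]
        for m in stale:
            del self.table[m]

    def receive(self, src, dst, iface, now):
        """Handle one frame arriving on iface at time now.

        Returns the interfaces the frame goes out on: [] when it is filtered,
        one interface when the destination was learned, all others when flooded.
        """
        if iface not in self.interfaces:
            raise ValueError(f"unknown interface {iface}")
        self._drop_stale(now)
        # Self-learning: the sender's MAC is recorded against the incoming segment,
        # refreshing the time stamp if it was already known.
        self.table[src] = (iface, now)
        if dst == BROADCAST or dst not in self.table:
            # Unknown destination: flood to every other segment, as a hub would.
            return [i for i in self.interfaces if i != iface]
        out_iface, _ = self.table[dst]
        if out_iface == iface:
            return []             # filter: same-segment frame is not forwarded
        return [out_iface]        # selective forwarding: traffic isolation


def run_demo():
    """A and B share the segment on interface 1; C is alone on interface 2."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"
    events = [
        # (src, dst, incoming interface, time)  -> expected output interfaces
        (a, c, 1, 0),       # C unknown: flooded to 2 and 3
        (c, a, 2, 1),       # A learned on 1: forwarded to 1 only
        (a, b, 1, 2),       # B unknown: flooded
        (b, a, 1, 3),       # A is on the incoming segment: filtered
        (c, a, 2, 3602),    # A's entry is older than the TTL: flooded again
    ]
    return [sw.receive(*event) for event in events]
```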

Switches vs. routers

both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices

routers maintain routing tables and implement routing algorithms

switches maintain switch tables and implement filtering and learning algorithms

Summary comparison

                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

[Figure: nodes A, B, C with A and C on opposite sides of B]

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.

[Figure: A's and C's signal strength plotted over space, with A, B, C along the axis]

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer

• all hosts use the same chipping code

widely deployed, using base stations

802.11a: 5-6 GHz range; up to 54 Mbps

802.11g: 2.4-5 GHz range; up to 54 Mbps

All use CSMA/CA for multiple access.

All have base-station and ad-hoc network versions.

802.11 LAN architecture

wireless host communicates with base station; base station = access point (AP)

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station

ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender:

1. if it senses the channel idle for DIFS, then transmit the entire frame (no CD)

2. if it senses the channel busy, then
- start a random backoff timer
- timer counts down while the channel is idle
- transmit when the timer expires
- if no ACK, increase the random backoff interval, repeat 2

802.11 receiver:
- if the frame is received OK, return an ACK after SIFS (an ACK is needed due to the hidden terminal problem)

[Figure: timeline, sender and receiver: the sender waits DIFS and sends data; the receiver waits SIFS and sends ACK]

Collision avoidance: RTS-CTS exchange

[Figure: timeline with A, AP and B: A and B send RTS(A) and RTS(B) at the same time (reservation collision); A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A), heard by both; B defers throughout]

802.11 frame (field: length in bytes)

frame control: 2
duration: 2
address 1: 6
address 2: 6
address 3: 6
seq control: 2
address 4: 6
payload: 0-2312
CRC: 4

802.11 frame: addressing

Address 1: MAC address of the wireless host or AP to receive this frame

Address 2: MAC address of the wireless host or AP transmitting this frame

Address 3: MAC address of the router interface to which the AP is attached

Address 4: used only in ad hoc mode

802.11 frame: addressing (example)

[Figure: wireless host H1, AP, and router R1 connected to the Internet]

802.11 frame: address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr

802.3 frame: dest address = R1 MAC addr; source address = AP MAC addr
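Added example (not from the slides): a Python packer and parser for a frame with the field layout drawn above (frame control 2, duration 2, three 6-byte addresses, seq control 2, address 4 6, payload up to 2312, CRC 4). It assumes the fixed 30-byte header of the slide rather than the To-DS/From-DS-dependent layout of real 802.11 frames, and rejects a frame whose CRC-32 trailer does not match before reporting its addresses; the MAC addresses and payload are constructed.

```python
"""Packing and parsing a frame with the layout on the slide.

Added example, not code from the slides. It follows the fixed 30-byte header
drawn there (all four address fields always present), which is an assumption:
real 802.11 frames carry Address 4 only for some To-DS/From-DS settings.
MAC addresses and payload are constructed.
"""
import struct
import zlib

# frame control 2, duration 2, address 1/2/3 6 each, seq control 2, address 4 6
HEADER = struct.Struct("<HH6s6s6sH6s")     # 30 bytes, little-endian fields
MAX_PAYLOAD = 2312
CRC_LEN = 4
NO_ADDR4 = "00-00-00-00-00-00"             # address 4 is used only in ad hoc mode

# Constructed addresses for the H1 -> AP -> R1 picture on the slide.
H1_MAC = "02-00-00-00-00-11"
AP_MAC = "02-00-00-00-00-AA"
R1_MAC = "02-00-00-00-00-01"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(addr1, addr2, addr3, payload, addr4=NO_ADDR4,
                frame_control=0x0008, duration=0, seq_control=0):
    """Header + payload, followed by a CRC-32 over everything before the trailer."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = HEADER.pack(frame_control, duration, mac_to_bytes(addr1),
                       mac_to_bytes(addr2), mac_to_bytes(addr3), seq_control,
                       mac_to_bytes(addr4)) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame):
    """Return the header fields and payload; raise ValueError for a bad frame.

    The CRC is checked first, so addresses from a corrupted frame are never
    reported to the caller.
    """
    if len(frame) < HEADER.size + CRC_LEN:
        raise ValueError("frame shorter than header + CRC")
    body, trailer = frame[:-CRC_LEN], frame[-CRC_LEN:]
    if struct.unpack("<I", trailer)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        raise ValueError("CRC mismatch")
    fc, duration, a1, a2, a3, seq, a4 = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    return {
        "frame_control": fc,
        "duration": duration,
        "address1": bytes_to_mac(a1),   # host or AP that receives this frame
        "address2": bytes_to_mac(a2),   # host or AP that transmits this frame
        "address3": bytes_to_mac(a3),   # router interface the AP is attached to
        "seq_control": seq,
        "address4": bytes_to_mac(a4),   # used only in ad hoc mode
        "payload": payload,
    }


def wired_destination(fields):
    """Destination MAC of the 802.3 frame the AP builds toward the router: Address 3."""
    return fields["address3"]


def sample_frame(payload=b"constructed payload"):
    """H1 transmits to the AP, bound for router R1, as in the slide's picture."""
    return build_frame(AP_MAC, H1_MAC, R1_MAC, payload)
```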

Network Security

What is network security?

Principles of cryptography: symmetric key, public key

Authentication: protocol evolution

Access control: firewalls

Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Page 24: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

ap50 security holeMan (woman) in the middle attack Trudy poses

as Alice (to Bob) and as Bob (to Alice)

I am Alice I am Alice

R

TK (R)

-

Send me your public key

TK

+A

K (R)-

Send me your public key

AK

+

TK (m)+

Tm = K (K (m))+

T-

Trudy gets

sends m to Alice encrypted

with Alicersquos public key

AK (m)+

Am = K (K (m))+

A-

R

ap50 security holeMan (woman) in the middle attack Trudy poses

as Alice (to Bob) and as Bob (to Alice)

Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well

Overview

What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures

Firewalls

isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others

firewall

administerednetwork

publicInternet

firewall

Firewalls Why

prevent denial of service attacks SYN flooding attacker establishes many bogus

TCP connections no resources left for ldquorealrdquo connections

prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with

something elseallow only authorized access to inside network (set of

authenticated usershosts)two types of firewalls

application-level packet-filtering

Packet Filtering

internal network connected to Internet via router firewall

router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits

Should arriving packet be allowed

in Departing packet let out

Packet Filtering

Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and

telnet connections are blocked

Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP

connections with internal clients but allows internal clients to connect to outside

Application gateways

Filters packets on application data as well as on IPTCPUDP fields

Example allow select internal users to telnet outside

host-to-gatewaytelnet session

gateway-to-remote host telnet session

applicationgateway

router and filter

1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet

connection to dest host Gateway relays data between 2 connections

3 Router filter blocks all telnet connections not originating from gateway

Limitations of firewalls and gateways

IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source

if multiple apprsquos need special treatment each has own app gateway

client software must know how to contact gateway eg must set IP address

of proxy in Web browser

filters often use all or nothing policy for UDP

tradeoff degree of communication with outside world level of security

many highly protected sites still suffer from attacks

Overview

What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures

Internet security threats

Mapping before attacking ldquocase the jointrdquo ndash find out

what services are implemented on network Use ping to determine what hosts have

addresses on network Port-scanning try to establish TCP

connection to each port in sequence

Countermeasures

Internet security threats

Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses

pots being scanned sequentially)

Internet security threatsPacket sniffing

broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets

A

B

C

srcB destA payload

Countermeasures

Internet security threatsPacket sniffing countermeasures

all hosts in organization run software that checks periodically if host interface in promiscuous mode

one host per segment of broadcast media (switched Ethernet at hub)

A

B

C

srcB destA payload

Internet security threatsIP Spoofing

can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field

receiver canrsquot tell if source is spoofed eg C pretends to be B

A

B

C

srcB destA payload

Countermeasures

Internet security threatsIP Spoofing ingress filtering

routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)

great but ingress filtering can not be mandated for all networks

A

B

C

srcB destA payload

Internet security threatsDenial of service (DOS)

flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp

receiver eg C and remote host SYN-attack A

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Countermeasures

Internet security threatsDenial of service (DOS) countermeasures

filter out flooded packets (eg SYN) before reaching host throw out good with bad

traceback to source of floods (most likely an innocent compromised machine)

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Review (1) Network Layer

Virtual Circuits and Datagram Networks Routing Principles

bull Link State Algorithmbull Distance Vector Algorithm

The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation

Review (2) Routing in the Internet

bull Hierarchical routingbull RIPbull OSPFbull BGP

Data link layer Introduction and services Error detection and correction Multiple access protocols

bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols

Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs

Review (3) What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

Routing Algorithm classification

Global or decentralized information

Global all routers have complete

topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-

connected neighbors link costs to neighbors

iterative process of computation exchange of info with neighbors

ldquodistance vectorrdquo algorithms

Static or dynamicStatic routes change slowly

over timeDynamic routes change more

quickly periodic update in response to link

cost changes

Dijsktrarsquos Algorithm

1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N

Dijkstrarsquos algorithm example

Step012345

Nu

uxuxy

uxyvuxyvw

uxyvwz

D(v)p(v)2u2u2u

D(w)p(w)5u4x3y3y

D(x)p(x)1u

D(y)p(y)infin

2x

D(z)p(z)infin infin

4y4y4y

u

yx

wv

z2

2

13

1

1

2

53

5

Distance vector algorithm (1)

Basic idea Each node periodically sends its own distance

vector estimate to neighbors When a node x receives new DV estimate from

neighbor it updates its own DV using B-F equation

Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N

Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative asynchronous each local iteration caused by

local link cost change DV update message from

neighborDistributed each node notifies

neighbors only when its DV changes neighbors then notify

their neighbors if necessary

The algorithm doesnrsquot know the entire path ndash only knows the next hop

wait for (change in local link cost of msg from neighbor)

recompute estimates

if DV to any dest has

changed notify neighbors

Each node

x y z

xyz

0 2 7

infin infin infininfin infin infin

from

cost to

from

from

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 3

from

cost to

x y z

xyz

infin infin

infin infin infin

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

0 2 3

from

cost to

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

infin infin infin7 1 0

cost to

infin2 0 1

infin infin infin

2 0 17 1 0

2 0 17 1 0

2 0 13 1 0

2 0 13 1 0

2 0 1

3 1 0

2 0 1

3 1 0

time

x z12

7

y

node x table

node y table

node z table

Dx(y) = minc(xy) + Dy(y) c(xz) + Dz(y) = min2+0 7+1 = 2

Dx(z) = minc(xy) + Dy(z) c(xz) + Dz(z) = min2+1 7+0 = 3

The Internet Network layer

forwardingtable

Host router network layer functions

Routing protocolsbullpath selectionbullRIP OSPF BGP

IP protocolbulladdressing conventionsbulldatagram formatbullpacket handling conventions

ICMP protocolbullerror reportingbullrouter ldquosignalingrdquo

Transport layer TCP UDP

Link layer

physical layer

Networklayer

IP datagram format

ver length

32 bits

data (variable lengthtypically a TCP

or UDP segment)

16-bit identifier

Internet checksum

time tolive

32 bit source IP address

IP protocol versionnumber

header length (bytes)

max numberremaining hops

(decremented at each router)

forfragmentationreassembly

total datagramlength (bytes)

upper layer protocolto deliver payload to

headlen

type ofservice

ldquotyperdquo of data flgsfragment

offsetupper layer

32 bit destination IP address

Options (if any) Eg timestamprecord routetaken specifylist of routers to visit

how much overhead with TCP

20 bytes of TCP 20 bytes of IP = 40 bytes + app

layer overhead

IP Addressing introduction IP address 32-bit

identifier for host router interface

interface connection between hostrouter and physical link routerrsquos typically have

multiple interfaces host may have

multiple interfaces IP addresses

associated with each interface

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

223111 = 11011111 00000001 00000001 00000001

223 1 11

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  • can disconnect a malfunctioning adapter

[figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

[figure: backbone hub connecting three departmental hubs]

Switch

Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
- transparent: hosts are unaware of presence of switches
- plug-and-play, self-learning: switches do not need to be configured

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...

[figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning

A switch has a switch table; entry in switch table:
- (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)

switch learns which hosts can be reached through which interfaces
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table

Switch: traffic isolation

- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains

[figure: switch connecting three hubs, each hub a separate collision domain]
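The self-learning, filtering and forwarding behaviour described above, as an added Python example (not code from the slides). The interface numbers, host names and the 60-minute TTL mirror the slides; the fake clock exists only so that table aging can be exercised offline.

```python
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


class FakeClock:
    """Deterministic clock so that table aging can be exercised offline."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LearningSwitch:
    """Self-learning switch: (MAC, interface, timestamp) table, flood on miss,
    filter frames whose destination lives on the incoming segment."""

    def __init__(self, interfaces, ttl_seconds=60 * 60, clock=time.monotonic):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.clock = clock
        self.table = {}            # mac -> (interface, last_seen)

    def _drop_stale(self, now):
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.ttl]:
            del self.table[mac]

    def receive(self, in_iface, src_mac, dst_mac):
        """Return the list of interfaces the frame is sent out on."""
        if in_iface not in self.interfaces:
            raise ValueError("unknown interface %r" % (in_iface,))
        now = self.clock()
        self._drop_stale(now)
        # learn: the sender is reachable through the interface it arrived on
        self.table[src_mac] = (in_iface, now)
        entry = None if dst_mac == BROADCAST else self.table.get(dst_mac)
        if entry is None:
            return [i for i in self.interfaces if i != in_iface]   # flood
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                                              # filter
        return [out_iface]                                         # forward


def demo():
    """Scenario from the slides: hosts A and C on the hub at interface 1, B on
    interface 2; the returned list records each forwarding decision."""
    clock = FakeClock()
    sw = LearningSwitch([1, 2, 3], ttl_seconds=3600, clock=clock)
    decisions = [
        sw.receive(1, "A", "B"),      # B unknown: flood to 2 and 3
        sw.receive(2, "B", "A"),      # A learned on 1: forward to 1 only
        sw.receive(1, "A", "B"),      # B learned on 2: forward to 2
        sw.receive(1, "C", "A"),      # A is on the incoming segment: filtered
    ]
    clock.advance(3601)               # every entry is now older than the TTL
    decisions.append(sw.receive(2, "B", "A"))   # A forgotten: flood again
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The last decision is the point of the timestamp column: once an entry has aged out, the switch falls back to flooding until it hears from that host again.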

Switches vs. Routers

- both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices
- routers maintain routing tables, implement routing algorithms
- switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other; means A, C unaware of their interference at B

[figure: A, B, C in a line; A's and C's ranges overlap only at B]

Signal fading
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other, interfering at B

[figure: A's and C's signal strength plotted against space; each is too weak to be heard by the other]

IEEE 802.11 Wireless LAN

802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
- widely deployed, using base stations

802.11a
- 5-6 GHz range
- up to 54 Mbps

802.11g
- 2.4-5 GHz range
- up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

- wireless host communicates with base station
- base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
- ad hoc mode: hosts only

[figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK]

Collision Avoidance: RTS-CTS exchange

[figure: A and B both send RTS to the AP and the RTS frames collide (reservation collision); A retransmits RTS(A); the AP broadcasts CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A); B hears CTS(A) and defers]

802.11 frame

field:   frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
bytes:   2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4

802.11 frame: addressing

- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode

[figure: H1 -- AP -- R1 (Internet router)]

802.11 frame (H1 to AP):  address 1 = AP MAC addr | address 2 = H1 MAC addr | address 3 = R1 MAC addr
802.3 frame (AP to R1):   dest address = R1 MAC addr | source address = H1 MAC addr
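A parser for the frame layout and addressing rules above, added here as an example (not code from the slides). It reads the fields in the order and sizes the slide gives, uses the To-DS/From-DS bits of the frame control field to decide whether address 4 is present and how addresses 1-3 map to receiver, transmitter, destination and source, and checks the trailing CRC. The H1, AP and R1 MAC addresses below are constructed; the standard's bit positions (To-DS = bit 0, From-DS = bit 1 of the second frame-control byte; CRC-32 transmitted little-endian) are not on the slide and are assumptions stated here.

```python
import struct
import zlib

FC_TO_DS = 0x01
FC_FROM_DS = 0x02
FC_PROTECTED = 0x40
TYPE_DATA = 2


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def build_data_frame(addr1, addr2, addr3, body, to_ds=False, from_ds=False,
                     addr4=None, seq=0, duration=0):
    """Construct an 802.11 data frame with a valid FCS (used for the sample)."""
    fc0 = TYPE_DATA << 2                       # version 0, type data, subtype 0
    fc1 = (FC_TO_DS if to_ds else 0) | (FC_FROM_DS if from_ds else 0)
    hdr = struct.pack("<BBH", fc0, fc1, duration)
    hdr += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    hdr += struct.pack("<H", seq << 4)         # fragment 0, sequence number
    if to_ds and from_ds:
        hdr += mac_bytes(addr4)
    payload = hdr + body
    return payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def parse_data_frame(frame):
    """Parse the header laid out on the slide and map the address fields to
    receiver/transmitter/destination/source according to the To-DS and
    From-DS bits; also check the trailing CRC."""
    if len(frame) < 24 + 4:
        raise ValueError("frame shorter than minimal header + CRC")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3
    if ftype != TYPE_DATA:
        raise ValueError("not a data frame (type %d)" % ftype)
    to_ds = bool(fc1 & FC_TO_DS)
    from_ds = bool(fc1 & FC_FROM_DS)
    addr1, addr2, addr3 = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    header_len = 24
    addr4 = None
    if to_ds and from_ds:                      # 4-address frame (AP to AP)
        if len(frame) < 30 + 4:
            raise ValueError("4-address frame too short")
        addr4 = mac_str(frame[24:30])
        header_len = 30
    body, fcs = frame[header_len:-4], frame[-4:]
    fcs_ok = struct.unpack("<I", fcs)[0] == (zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    if not to_ds and not from_ds:              # ad hoc: dest, source, BSSID
        dest, src, bssid = addr1, addr2, addr3
    elif to_ds and not from_ds:                # host -> AP (the slide's case)
        bssid, src, dest = addr1, addr2, addr3
    elif from_ds and not to_ds:                # AP -> host
        dest, bssid, src = addr1, addr2, addr3
    else:                                      # receiver, transmitter, dest, source
        bssid, dest, src = None, addr3, addr4
    return {
        "to_ds": to_ds, "from_ds": from_ds, "protected": bool(fc1 & FC_PROTECTED),
        "duration": duration, "sequence": seq_ctrl >> 4, "fragment": seq_ctrl & 0xF,
        "receiver": addr1, "transmitter": addr2, "addr3": addr3, "addr4": addr4,
        "dest": dest, "src": src, "bssid": bssid, "header_len": header_len,
        "body": body, "fcs_ok": fcs_ok,
    }


def to_8023(parsed):
    """(dest, src) the AP puts in the 802.3 frame it bridges onto the wire."""
    return parsed["dest"], parsed["src"]


# constructed sample addresses for H1, the AP and router interface R1
H1 = "00:11:22:33:44:55"
AP = "00:aa:bb:cc:dd:ee"
R1 = "00:de:ad:be:ef:01"
SAMPLE = build_data_frame(AP, H1, R1, b"IP datagram", to_ds=True, seq=5, duration=44)

if __name__ == "__main__":
    p = parse_data_frame(SAMPLE)
    print("receiver", p["receiver"], "transmitter", p["transmitter"], "addr3", p["addr3"])
    print("802.3 dest/src:", to_8023(p), "CRC ok:", p["fcs_ok"])
```

For the slide's H1-to-AP frame the parser yields receiver = AP, transmitter = H1, address 3 = R1, and the bridged 802.3 frame carries (R1, H1) as (dest, source).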

Network Security

- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks


ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

Difficult to detect:
- Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
- problem is that Trudy receives all messages as well

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures

Firewalls

isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others

[figure: administered network -- firewall -- public Internet]

Firewalls: Why

- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)

two types of firewalls: application-level, packet-filtering

Packet Filtering

- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits

Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and those with either source or dest port = 23 (telnet). All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets (SYN set, ACK clear). Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
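Both examples as an ordered rule set evaluated over the header fields the slide lists, added here as an example (not code from the slides). The sample packets and the 10.0.0.0/8 and 198.51.100.0/24 addresses are constructed. The slide's filter lets unmatched packets through, so the default is allow; the last line of the demo shows the same rules with a default-deny policy.

```python
from dataclasses import dataclass

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
ALLOW, BLOCK = "allow", "block"


@dataclass(frozen=True)
class Packet:
    """The header fields the slide says a filtering router looks at."""
    direction: str          # "in" (from the Internet) or "out"
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_type: int = -1


def example1_udp(p):
    return p.proto == PROTO_UDP


def example1_telnet(p):
    return p.proto == PROTO_TCP and 23 in (p.sport, p.dport)


def example2_inbound_syn(p):
    # a SYN with ACK clear opens a connection; SYN+ACK is a reply to one
    return p.direction == "in" and p.proto == PROTO_TCP and p.syn and not p.ack


# ordered rule list; the first matching rule decides
RULES = [
    ("block all UDP", example1_udp, BLOCK),
    ("block telnet", example1_telnet, BLOCK),
    ("block inbound connection attempts", example2_inbound_syn, BLOCK),
]


def filter_packet(p, rules=RULES, default=ALLOW):
    """Return (decision, rule name); unmatched packets get the default."""
    for name, matches, action in rules:
        if matches(p):
            return action, name
    return default, "default"


def run(packets, rules=RULES, default=ALLOW):
    return [filter_packet(p, rules, default)[0] for p in packets]


# constructed sample traffic (198.51.100.0/24 is a documentation range)
SAMPLE = [
    Packet("in", "198.51.100.7", "10.0.0.5", PROTO_UDP, 53, 5000),                      # DNS reply
    Packet("out", "10.0.0.5", "198.51.100.7", PROTO_TCP, 40000, 23, syn=True),          # telnet out
    Packet("in", "198.51.100.7", "10.0.0.5", PROTO_TCP, 40000, 80, syn=True),           # new inbound conn
    Packet("in", "198.51.100.7", "10.0.0.5", PROTO_TCP, 80, 40001, syn=True, ack=True),  # SYN-ACK reply
    Packet("out", "10.0.0.5", "198.51.100.7", PROTO_TCP, 40001, 80, syn=True),          # client out
    Packet("in", "198.51.100.7", "10.0.0.5", PROTO_ICMP, icmp_type=8),                  # ping
]

if __name__ == "__main__":
    for p, d in zip(SAMPLE, run(SAMPLE)):
        print(d, p)
    print("default-deny:", run(SAMPLE, default=BLOCK))
```

The SYN-ACK packet is the reason Example 2 keys on both bits: it is inbound and carries SYN, but with ACK set it is the reply to a connection an internal client opened, and must pass for that connection to work.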

Application gateways

- Filters packets on application data as well as on IP/TCP/UDP fields
- Example: allow select internal users to telnet outside

[figure: host-to-gateway telnet session; application gateway; gateway-to-remote-host telnet session; router and filter]

1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway

Limitations of firewalls and gateways

- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple apps need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all-or-nothing policy for UDP
- tradeoff: degree of communication with outside world vs. level of security
- many highly protected sites still suffer from attacks

Overview

- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures

Internet security threats

Mapping:
- before attacking: "case the joint": find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence

Countermeasures?

Internet security threats

Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)

Internet security threats

Packet sniffing:
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g., C sniffs B's packets

[figure: A, B, C on a shared LAN; the frame src:B dest:A payload is also seen by C]

Countermeasures?

Internet security threats

Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
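The first countermeasure, a host-side check for interfaces in promiscuous mode, as an added Python example (not code from the slides). On Linux the kernel exposes each interface's flag word in `/sys/class/net/<interface>/flags`, with IFF_PROMISC = 0x100; the fake sysfs tree in `demo()` is constructed so the check runs offline.

```python
import os
import tempfile

IFF_UP = 0x1          # Linux net_device flag bits as exposed in /sys/class/net/*/flags
IFF_PROMISC = 0x100


def parse_flags(text):
    """/sys/class/net/<if>/flags holds a hex string such as '0x1103'."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def scan_interfaces(sysfs_net="/sys/class/net"):
    """Return {interface: flags} for every interface under sysfs_net."""
    result = {}
    for name in sorted(os.listdir(sysfs_net)):
        path = os.path.join(sysfs_net, name, "flags")
        try:
            with open(path) as fh:
                result[name] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue                      # not a net device, or unreadable
    return result


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Names of interfaces that currently read every frame on the segment."""
    return [n for n, f in scan_interfaces(sysfs_net).items() if is_promiscuous(f)]


def demo():
    """Build a fake sysfs tree (constructed data) and run the check on it:
    lo is up, eth0 is up and normal, eth1 is up and promiscuous."""
    root = tempfile.mkdtemp()
    fake = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}
    for name, flags in fake.items():
        os.mkdir(os.path.join(root, name))
        with open(os.path.join(root, name, "flags"), "w") as fh:
            fh.write(flags)
    return promiscuous_interfaces(root)


if __name__ == "__main__":
    print("fake sysfs:", demo())
    if os.path.isdir("/sys/class/net"):
        print("this host:", promiscuous_interfaces())
```

Run periodically (cron, or an agent) and alert on any non-empty result; this only sees the host it runs on, which is why the slide pairs it with switching so that a sniffer on another host has nothing to read.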

Internet security threats

IP Spoofing:
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g., C pretends to be B

[figure: A, B, C; C sends a frame with src:B dest:A payload]

Countermeasures?

Internet security threats

IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
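Ingress filtering as an added Python example (not code from the slides): an edge router forwards a packet only if it arrived on the interface through which its claimed source address is reachable, which catches both an inside host spoofing an outside address (C pretending to be B) and an outside host claiming an inside address. This is the check BCP 38 / RFC 2827 describes; the two-interface topology and the 203.0.113.0/24 prefix are constructed for the example.

```python
import ipaddress


class IngressFilter:
    """Per-interface source-address check: a packet is forwarded only if it
    arrived on the interface that owns its claimed source address."""

    def __init__(self, interfaces):
        # interface name -> list of prefixes reachable through it
        self.routes = [(ipaddress.ip_network(p), name)
                       for name, prefixes in interfaces.items() for p in prefixes]

    def interface_for(self, address):
        """Longest-prefix match: which interface owns this address?"""
        addr = ipaddress.ip_address(address)
        best = None
        for net, name in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name)
        return None if best is None else best[1]

    def accept(self, in_iface, src):
        try:
            owner = self.interface_for(src)
        except ValueError:          # malformed address string
            return False
        return owner == in_iface


def run(filt, packets):
    """packets: list of (in_iface, src, dst); returns the forwarded subset."""
    return [pkt for pkt in packets if filt.accept(pkt[0], pkt[1])]


# constructed edge router: the organisation's LAN on lan0, everything else on wan0
ROUTER = IngressFilter({"lan0": ["203.0.113.0/24"], "wan0": ["0.0.0.0/0"]})

SAMPLE = [
    ("lan0", "203.0.113.5", "198.51.100.1"),   # genuine outbound
    ("lan0", "192.0.2.7", "198.51.100.1"),     # C on the LAN pretending to be B
    ("wan0", "198.51.100.1", "203.0.113.5"),   # genuine inbound
    ("wan0", "203.0.113.9", "203.0.113.5"),    # outside host claiming an inside address
    ("wan0", "not-an-ip", "203.0.113.5"),      # garbage never matches anything
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print("forward" if ROUTER.accept(pkt[0], pkt[1]) else "drop   ", pkt)
```

The slide's caveat stands: this only stops spoofed packets that cross a router configured to check, so a network that does not filter its own outbound traffic can still source spoofed packets toward everyone else.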

Internet security threats

Denial of service (DOS):
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A

[figure: C and a remote host flood A with SYN segments]

Countermeasures?

Internet security threats

Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
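Detection logic for two of the threats above, the sequential port scan from the mapping slides and the SYN flood from the DoS slides, run over sample traffic records as an added Python example (not code from the slides). The flow-log line format, the thresholds and all addresses are constructed for the example; a real deployment would read the records a capture tool or firewall log produces.

```python
import re
from collections import defaultdict

# constructed flow-log format: "<time> <src>:<sport> > <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[SAFRP.]+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"]}


def parse_log(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def is_syn_only(rec):
    """A SYN with no ACK is a connection attempt (scan probe or flood packet)."""
    return "S" in rec["flags"] and "A" not in rec["flags"]


def _max_in_window(times, window):
    """Largest number of events falling inside any interval of length window."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_port_scans(records, min_ports=5, window=10.0):
    """One source probing many ports of one host within the window; reports
    whether the ports were tried in sequence, as the slide describes."""
    probes = defaultdict(list)
    for r in records:
        if is_syn_only(r):
            probes[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    alerts = []
    for (src, dst), hits in probes.items():
        hits.sort()
        for i in range(len(hits)):
            ports = sorted({p for t, p in hits[i:] if t - hits[i][0] <= window})
            if len(ports) >= min_ports:
                sequential = ports == list(range(ports[0], ports[0] + len(ports)))
                alerts.append((src, dst, len(ports), sequential))
                break
    return alerts


def detect_syn_floods(records, max_syns=20, window=1.0):
    """Many SYNs at one destination inside the window; the number of distinct
    sources shows whether it looks distributed."""
    by_dst = defaultdict(list)
    for r in records:
        if is_syn_only(r):
            by_dst[r["dst"]].append(r)
    alerts = []
    for dst, recs in by_dst.items():
        peak = _max_in_window([r["ts"] for r in recs], window)
        if peak >= max_syns:
            alerts.append((dst, peak, len({r["src"] for r in recs})))
    return alerts


def sample_log():
    """Constructed traffic: a sequential scan of 10.0.0.5, a 30-packet SYN flood
    against 10.0.0.7 from three sources, one ordinary handshake, one bad line."""
    lines = ["%.2f 192.0.2.9:%d > 10.0.0.5:%d S" % (1.0 + i * 0.1, 40000 + i, 21 + i)
             for i in range(6)]
    lines += ["%.2f 198.51.100.%d:%d > 10.0.0.7:80 S" % (5.0 + i * 0.01, 1 + i % 3, 50000 + i)
              for i in range(30)]
    lines += ["9.00 10.0.0.5:44000 > 203.0.113.8:443 S",
              "9.05 203.0.113.8:443 > 10.0.0.5:44000 SA",
              "this line is not a flow record"]
    return lines


if __name__ == "__main__":
    recs = parse_log(sample_log())
    print("scans:", detect_port_scans(recs))
    print("floods:", detect_syn_floods(recs))
```

Lowering `max_syns` to 5 makes the six scan probes register as a flood against 10.0.0.5 as well, which is the slide's "throw out good with bad" tension in miniature: the thresholds trade missed attacks against legitimate bursts being dropped.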

Review (1)

Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
- The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP

Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3)

- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

1  Initialization:
2    N = {u}
3    for all nodes v
4      if v adjacent to u
5        then D(v) = c(u,v)
6      else D(v) = ∞
7
8  Loop
9    find w not in N such that D(w) is a minimum
10   add w to N
11   update D(v) for all v adjacent to w and not in N:
12     D(v) = min( D(v), D(w) + c(w,v) )
13   /* new cost to v is either old cost to v or known
14      shortest path cost to w plus cost from w to v */
15 until all nodes in N

Dijkstra's algorithm: example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

[figure: 6-node graph u, v, w, x, y, z with link costs 1, 1, 1, 2, 2, 2, 3, 3, 5, 5]
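The pseudocode run on the example, as an added Python example (not code from the slides). The link costs in `GRAPH` are assumed from the figure (the textbook's six-node topology, which reproduces the table above: D(v)=2, D(w)=3, D(x)=1, D(y)=2, D(z)=4 with predecessors u, y, u, x, y); the step trace, path reconstruction and forwarding-table derivation are additions.

```python
INF = float("inf")

# link costs assumed from the figure; the resulting table matches the one above
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph, source):
    """Link-state route computation as in the pseudocode: keep the set N of
    finalized nodes, repeatedly pull the cheapest node not yet in N and relax
    its neighbours. Returns (D, p, steps); steps records N and D after each
    iteration, like the rows of the example table."""
    D = {v: INF for v in graph}
    p = {v: None for v in graph}
    D[source] = 0
    for v, cost in graph[source].items():      # initialization
        D[v], p[v] = cost, source
    N = [source]
    steps = [(list(N), dict(D))]
    while len(N) < len(graph):                 # loop until all nodes in N
        w = min((v for v in graph if v not in N), key=lambda v: (D[v], v))
        if D[w] == INF:
            break                              # remaining nodes unreachable
        N.append(w)
        for v, cost in graph[w].items():       # update D(v) for v adjacent to w
            if v not in N and D[w] + cost < D[v]:
                D[v], p[v] = D[w] + cost, w
        steps.append((list(N), dict(D)))
    return D, p, steps


def shortest_path(p, source, target):
    """Walk the predecessor pointers back from target to source."""
    path = []
    node = target
    while node is not None:
        path.append(node)
        if node == source:
            return list(reversed(path))
        node = p[node]
    return None                                # target unreachable


def forwarding_table(p, source):
    """Next hop from source for every reachable destination, which is what
    a link-state router actually installs."""
    table = {}
    for dest in p:
        path = shortest_path(p, source, dest)
        if path and len(path) > 1:
            table[dest] = path[1]
    return table


if __name__ == "__main__":
    D, p, steps = dijkstra(GRAPH, "u")
    for i, (N, dist) in enumerate(steps):
        print(i, "".join(N), {k: v for k, v in dist.items() if k not in N})
    print("path u->z:", shortest_path(p, "u", "z"), "cost", D["z"])
    print("forwarding table at u:", forwarding_table(p, "u"))
```

Ties are broken by node name here, so v enters N before y while the table adds y first; the final distances and predecessors are the same either way.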

Distance vector algorithm (1)

Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using the Bellman-Ford (B-F) equation:

  D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N

- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor

Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path; it only knows the next hop

Each node:
- wait for (change in local link cost or msg from neighbor)
- recompute estimates
- if DV to any dest has changed, notify neighbors

[figure: three nodes x, y, z with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1, and the distance tables at x, y and z as they evolve over time]

node x table, initially (rows: from x, y, z; columns: cost to x, y, z):
  from x:  0  2  7
  from y:  ∞  ∞  ∞
  from z:  ∞  ∞  ∞

after receiving y's vector (2 0 1) and z's vector (7 1 0), x recomputes:
  D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
  D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3

converged tables (identical at x, y and z):
  from x:  0  2  3
  from y:  2  0  1
  from z:  3  1  0
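The three-node computation above, carried out by a small distance-vector implementation as an added Python example (not code from the slides). Each node keeps its own vector, the last vector heard from each neighbour and the next hop per destination (the only path information a DV router has); `run_dv` drives synchronous exchange rounds until no vector changes. The link costs are the slide's; the synchronous-round driver is a simplification of the asynchronous, event-driven loop the slide describes.

```python
INF = float("inf")


class DVNode:
    """One node running the distance vector algorithm: keeps its own vector,
    the last vector heard from each neighbour, and the next hop per destination."""

    def __init__(self, name, link_costs):
        self.name = name
        self.c = dict(link_costs)                 # neighbour -> link cost
        self.neighbour_dv = {}                    # neighbour -> its last DV
        self.dv = {name: 0, **self.c}             # initial estimate: direct links
        self.next_hop = {n: n for n in self.c}

    def receive(self, frm, dv):
        """Store a neighbour's vector; returns True if our own DV changed."""
        self.neighbour_dv[frm] = dict(dv)
        return self.recompute()

    def recompute(self):
        """Bellman-Ford: D_x(y) = min_v { c(x,v) + D_v(y) } over neighbours v."""
        dests = set(self.dv) | {y for dv in self.neighbour_dv.values() for y in dv}
        new_dv, new_hop = {self.name: 0}, {}
        for y in dests:
            if y == self.name:
                continue
            best, hop = INF, None
            for v, cost in self.c.items():
                via = cost + self.neighbour_dv.get(v, {}).get(y, INF)
                if y == v:
                    via = min(via, cost)          # the direct link itself
                if via < best:
                    best, hop = via, v
            new_dv[y], new_hop[y] = best, hop
        changed = new_dv != self.dv
        self.dv, self.next_hop = new_dv, new_hop
        return changed


def run_dv(links, max_rounds=50):
    """Synchronous rounds: every node sends its current DV to all neighbours,
    then everybody recomputes. Stops at the first round with no change.
    links: {node: {neighbour: cost}} (must be symmetric)."""
    nodes = {name: DVNode(name, costs) for name, costs in links.items()}
    for rnd in range(1, max_rounds + 1):
        snapshot = {n: dict(node.dv) for n, node in nodes.items()}
        changed = False
        for node in nodes.values():
            for nb in node.c:
                changed |= node.receive(nb, snapshot[nb])
        if not changed:
            return nodes, rnd
    return nodes, max_rounds


# the slide's three-node example: c(x,y) = 2, c(x,z) = 7, c(y,z) = 1
LINKS = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}

if __name__ == "__main__":
    nodes, rounds = run_dv(LINKS)
    for name, node in nodes.items():
        print(name, node.dv, "next hops", node.next_hop)
    print("converged after round", rounds)
```

After the first exchange x already holds D_x(z) = 3 via y and z holds D_z(x) = 3 via y; the second round produces no change, which is the convergence the slide refers to.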

The Internet Network layer

Host, router network layer functions:

- Routing protocols
  • path selection
  • RIP, OSPF, BGP
- IP protocol
  • addressing conventions
  • datagram format
  • packet handling conventions
- ICMP protocol
  • error reporting
  • router "signaling"
- forwarding table

[figure: Network layer sits between the Transport layer (TCP, UDP) and the Link layer / physical layer]

IP datagram format (32-bit rows)

- ver: IP protocol version number
- head. len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)

how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead

IP Addressing: introduction

- IP address: 32-bit identifier for host, router interface
- interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

[figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.2.1, 223.1.2.2, 223.1.3.1, 223.1.3.2 and a router with interfaces 223.1.1.4, 223.1.2.9, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
- subnet part (high order bits)
- host part (low order bits)

What's a subnet?
- device interfaces with same subnet part of IP address
- can physically reach each other without intervening router

[figure: the same addresses as above; network consisting of 3 subnets (LANs)]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks)

CIDR: Classless InterDomain Routing
- subnet portion of address of arbitrary length
- address format: a.b.c.d/x, where x is # bits in subnet portion of address

  11001000 00010111 0001000|0 00000000
  <----- subnet part ----->|<- host part ->
            200.23.16.0/23

NAT: Network Address Translation

[figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind a NAT router whose LAN address is 10.0.0.4 and WAN address is 138.76.29.7; rest of Internet]

- Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)
- All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers

NAT: Network Address Translation

1. host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……
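The four steps above as a port-translating NAT in Python, added here as an example (not code from the slides). The addresses and port numbers are the slide's; the port pool starting at 5001 and the behaviour for an inbound datagram with no table entry (dropped) are assumptions of this example.

```python
class NatRouter:
    """Port-translating NAT: outbound flows get a (WAN address, fresh port)
    pair, and the table is what lets replies find their way back."""

    def __init__(self, wan_ip, first_port=5001, last_port=65535):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_table = {}       # (lan ip, lan port) -> wan port
        self.in_table = {}        # wan port -> (lan ip, lan port)

    def _allocate_port(self):
        while self.next_port in self.in_table:
            self.next_port += 1
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Step 2 on the slide: rewrite the source and record the mapping."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            wan_port = self._allocate_port()
            self.out_table[key] = wan_port
            self.in_table[wan_port] = key
        return self.wan_ip, self.out_table[key], dst_ip, dst_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Step 4: rewrite the destination; None means there is no mapping,
        so the datagram is dropped (nobody inside asked for it)."""
        if dst_ip != self.wan_ip or dst_port not in self.in_table:
            return None
        lan_ip, lan_port = self.in_table[dst_port]
        return src_ip, src_port, lan_ip, lan_port

    def table(self):
        """Rows of the NAT translation table as (WAN side, LAN side)."""
        return [((self.wan_ip, wp), lan) for wp, lan in sorted(self.in_table.items())]


def slide_walkthrough():
    """The four numbered steps from the slide, using its addresses."""
    nat = NatRouter("138.76.29.7")
    step2 = nat.outbound("10.0.0.1", 3345, "128.119.40.186", 80)
    step4 = nat.inbound("128.119.40.186", 80, step2[0], step2[1])
    return nat, step2, step4


if __name__ == "__main__":
    nat, step2, step4 = slide_walkthrough()
    print("2:", step2)
    print("4:", step4)
    print("table:", nat.table())
```

A second internal host gets the next free WAN port (5002), and an inbound datagram to a port with no entry is returned as None: the translation table is also what keeps unsolicited inbound connections off the private addresses.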

Hierarchical Routing

scale: with 200 million destinations:
- can't store all dests in routing tables
- routing table exchange would swamp links

administrative autonomy
- internet = network of networks
- each network admin may want to control routing in its own network

Our routing study thus far: idealization; all routers identical; network "flat"… not true in practice

Hierarchical Routing

- aggregate routers into regions, "autonomous systems" (AS)
- routers in same AS run same routing protocol: "intra-AS" routing protocol
- routers in different AS can run different intra-AS routing protocol

Gateway router: direct link to router in another AS

[figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); the intra-AS routing algorithm and the inter-AS routing algorithm both feed the forwarding table]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm
- Intra-AS sets entries for internal dests
- Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

- Intra-AS routing: RIP and OSPF
- Inter-AS routing: BGP

RIP (Routing Information Protocol)

- Distance vector algorithm
- Included in BSD-UNIX Distribution in 1982
- Distance metric: # of hops (max = 15 hops)
- # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)

[figure: routers A, B, C, D connecting subnets u, v, w, x, y, z]

destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

- Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
- Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

- "open": publicly available
- Uses Link State algorithm
  • LS packet dissemination
  • Topology map at each node
  • Route computation using Dijkstra's algorithm
- Link costs configured by the network administrator
- OSPF advertisement carries one entry per neighbor router
- Advertisements disseminated to entire AS (via flooding)
- Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

- Two-level hierarchy: local area, backbone
  • Link-state advertisements only in area
  • each node has detailed area topology
- Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
- Backbone routers: run OSPF routing limited to backbone
- Boundary routers: connect to other ASs

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
- Note that BGP sessions do not correspond to physical links
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
- AS2 can aggregate prefixes in its advertisement

[figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions within an AS]

Path attributes & BGP routes

- When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
- Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop AS)
- When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: admin wants control over how its traffic routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed

Scale:
- hierarchical routing saves table size, reduced update traffic

Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
- encapsulate datagram into frame, adding header, trailer
- channel access if shared medium
- "MAC" addresses used in frame headers to identify source, dest
  • different from IP address

Reliable delivery between adjacent nodes
- we learned how to do this already (chapter 3)
- seldom used on low bit error link (fiber, some twisted pair)
- wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
- Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
- Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
- "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
- access to channel in rounds
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN; 1, 3, 4 have pkt; slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple

Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = 0.37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time!
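The maximization the slide leaves to the reader, worked through here as an added derivation (not part of the original slides). With $f(p) = Np(1-p)^{N-1}$:

$$f'(p) = N(1-p)^{N-1} - N(N-1)p(1-p)^{N-2} = N(1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr] = N(1-p)^{N-2}(1 - Np)$$

so $f'(p^*) = 0$ at $p^* = 1/N$, and

$$f(p^*) = N \cdot \frac{1}{N}\Bigl(1-\frac{1}{N}\Bigr)^{N-1} = \Bigl(1-\frac{1}{N}\Bigr)^{N-1} \xrightarrow{N\to\infty} \frac{1}{e} \approx 0.37$$

For N = 2 the best achievable fraction is 1/2; for N = 10 it is $(0.9)^9 \approx 0.39$, already close to the limit, which is why the slide treats 37% as the practical ceiling.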

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission

Human analogy: don't interrupt others!

CSMA collisions

- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability

[figure: spatial layout of nodes against time, two transmissions overlapping]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage

collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[figure: space-time diagram of two nodes detecting the collision and aborting]

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)

Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table

ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

[figure: A -- R -- B]

- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest
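The ARP mechanism of the two preceding slides and the A-to-B-via-R walkthrough, simulated in Python as an added example (not code from the slides). Each interface keeps an ARP table of soft-state entries that expire after the slide's 20 minutes; a query is broadcast on the LAN only on a miss. The router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B are from the slide; the addresses of A, B and R's second interface, and the /24 subnets, are constructed for the example.

```python
import ipaddress

ARP_TTL = 20 * 60                       # seconds; slide: typically 20 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Lan:
    """A broadcast segment: an ARP query reaches every attached interface."""

    def __init__(self):
        self.interfaces = []

    def arp_query(self, target_ip):
        # every node receives the broadcast; only the owner replies (unicast)
        for iface in self.interfaces:
            if iface.ip == target_ip:
                return iface.mac
        return None


class Interface:
    def __init__(self, ip, mac, cidr, lan):
        self.ip, self.mac = ip, mac
        self.net = ipaddress.ip_network(cidr, strict=False)
        self.lan = lan
        lan.interfaces.append(self)
        self.arp_table = {}             # ip -> (mac, learned_at)
        self.queries_sent = 0

    def on_subnet(self, ip):
        return ipaddress.ip_address(ip) in self.net

    def resolve(self, ip, now):
        """ARP table lookup; cached entries are soft state that expires."""
        entry = self.arp_table.get(ip)
        if entry is not None and now - entry[1] < ARP_TTL:
            return entry[0]
        self.queries_sent += 1
        mac = self.lan.arp_query(ip)
        if mac is None:
            raise LookupError("no host with IP %s on this LAN" % ip)
        self.arp_table[ip] = (mac, now)
        return mac


class Host:
    def __init__(self, iface, gateway_ip):
        self.iface, self.gateway_ip = iface, gateway_ip

    def send(self, dst_ip, now):
        """Returns the frame (dst MAC, src MAC, datagram) put on the wire."""
        next_hop = dst_ip if self.iface.on_subnet(dst_ip) else self.gateway_ip
        return (self.iface.resolve(next_hop, now), self.iface.mac, (self.iface.ip, dst_ip))


class Router:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)

    def forward(self, frame, now):
        """Strip the frame, pick the outgoing interface by subnet, re-frame."""
        datagram = frame[2]
        dst_ip = datagram[1]
        for iface in self.interfaces:
            if iface.on_subnet(dst_ip):
                return (iface.resolve(dst_ip, now), iface.mac, datagram)
        raise LookupError("no route to %s" % dst_ip)


def build_topology():
    """Two LANs joined by R. 111.111.111.110 / E6-E9-00-17-BB-4B are from the
    slide; the other addresses are constructed for the example."""
    lan1, lan2 = Lan(), Lan()
    a = Host(Interface("111.111.111.111", "74-29-9C-E8-FF-55", "111.111.111.0/24", lan1),
             gateway_ip="111.111.111.110")
    r = Router([Interface("111.111.111.110", "E6-E9-00-17-BB-4B", "111.111.111.0/24", lan1),
                Interface("222.222.222.220", "1A-23-F9-CD-06-9B", "222.222.222.0/24", lan2)])
    b = Host(Interface("222.222.222.222", "49-BD-D2-C7-56-2A", "222.222.222.0/24", lan2),
             gateway_ip="222.222.222.220")
    return a, r, b


def deliver(a, r, dst_ip, now):
    """The walkthrough: A's frame to R, then R's frame to B."""
    first_hop = a.send(dst_ip, now)
    second_hop = r.forward(first_hop, now)
    return [first_hop, second_hop]


if __name__ == "__main__":
    a, r, b = build_topology()
    for frame in deliver(a, r, b.iface.ip, now=0):
        print("dst MAC %s  src MAC %s  datagram %s" % frame)
```

The two frames carry the same IP datagram but different MAC addresses on each hop, and a second delivery within the TTL sends no ARP query at all; one after the TTL queries again.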

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs. Routers
• both store-and-forward devices
  • routers: network layer devices (examine network layer headers)
  • switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other: means A, C unaware of their interference at B

Signal fading
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B

(figures: A, B, C with overlapping radio ranges; A's and C's signal strength plotted against space)

IEEE 802.11 Wireless LAN
• 802.11b
  • 2.4-5 GHz unlicensed radio spectrum
  • up to 11 Mbps
  • direct sequence spread spectrum (DSSS) in physical layer
    • all hosts use same chipping code
  • widely deployed, using base stations
• 802.11a
  • 5-6 GHz range
  • up to 54 Mbps
• 802.11g
  • 2.4-5 GHz range
  • up to 54 Mbps
• All use CSMA/CA for multiple access
• All have base-station and ad-hoc network versions

802.11 LAN architecture
• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
  • ad hoc mode: hosts only

(figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

(figure: sender waits DIFS then sends data; receiver waits SIFS then returns ACK)

Collision Avoidance: RTS-CTS exchange

(figure, time running downward: A and B both send RTS to the AP; RTS(A) and RTS(B) collide at the AP (reservation collision); A resends RTS(A); the AP broadcasts CTS(A), heard by A and B; B defers while A sends DATA(A); the AP returns ACK(A))

802.11 frame (field sizes in bytes):

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame: addressing
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

(figure: host H1 sends to router R1 via the AP, which connects to the Internet through R1.
 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.
 802.3 frame from the AP: dest address = R1 MAC addr, source address = AP MAC addr)

Network Security
• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication
  • Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing
  • IP spoofing
  • DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm: example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs. Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame: addressing
  • Slide 105
  • Network Security

Overview
• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.

(figure: administered network | firewall | public Internet)

Firewalls: Why
• prevent denial of service attacks:
  • SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
• prevent illegal modification/access of internal data
  • e.g., attacker replaces CIA's homepage with something else
• allow only authorized access to inside network (set of authenticated users/hosts)
• two types of firewalls:
  • application-level
  • packet-filtering

Packet Filtering
• internal network connected to Internet via router firewall
• router filters packet-by-packet; decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits
• Should arriving packet be allowed in? Departing packet let out?

Packet Filtering
• Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  • All incoming and outgoing UDP flows and telnet connections are blocked.
• Example 2: Block inbound TCP SYN packets.
  • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

Application gateways
• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.
  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
  3. Router filter blocks all telnet connections not originating from gateway.

(figure: host-to-gateway telnet session, then gateway-to-remote host telnet session; the application gateway sits behind the router and filter)

Limitations of firewalls and gateways
• IP spoofing: router can't know if data "really" comes from claimed source
• if multiple apps need special treatment, each has own app gateway
• client software must know how to contact gateway
  • e.g., must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP
• tradeoff: degree of communication with outside world vs. level of security
• many highly protected sites still suffer from attacks

Overview
• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Internet security threats
Mapping:
• before attacking: "case the joint" – find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?

Internet security threats
Mapping: countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)
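The countermeasure just described, "record traffic entering network, look for suspicious activity (ports being scanned sequentially)", as an added example that is not part of the lecture slides: a detector that groups recorded inbound connection attempts by (source, destination), counts distinct ports touched inside a time window and measures the longest run of consecutive port numbers. The log format, the addresses and the thresholds are constructed assumptions for illustration.

```python
"""Added example (not from the slides): detecting sequential port scans in
recorded inbound traffic, the mapping countermeasure from the slide.
The log format, addresses and thresholds are assumptions for illustration."""
from collections import defaultdict

# Constructed records of inbound TCP connection attempts:
# seconds  src_ip  dst_ip  dst_port
SAMPLE_LOG = """\
0.0 198.51.100.7 192.0.2.10 80
0.5 198.51.100.7 192.0.2.10 443
1.0 203.0.113.5 192.0.2.10 21
1.1 203.0.113.5 192.0.2.10 22
1.2 203.0.113.5 192.0.2.10 23
1.3 203.0.113.5 192.0.2.10 24
1.4 203.0.113.5 192.0.2.10 25
1.5 203.0.113.5 192.0.2.10 26
1.6 203.0.113.5 192.0.2.10 27
9.0 198.51.100.9 192.0.2.11 22
"""


def parse_log(text):
    """Turn the constructed log text into (seconds, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((float(ts), src, dst, int(port)))
    return records


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers in the set."""
    uniq = sorted(set(ports))
    if not uniq:
        return 0
    best = run = 1
    for a, b in zip(uniq, uniq[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_port_scans(records, window_seconds=10.0, min_ports=5, min_run=4):
    """Flag (src, dst) pairs that touch at least min_ports distinct ports
    within window_seconds and whose longest sequential run is at least
    min_run; the run length is the 'scanned sequentially' evidence."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in records:
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):       # slide a window over the events
            window = [p for t, p in events[i:] if t - t0 <= window_seconds]
            distinct = set(window)
            run = longest_sequential_run(window)
            if len(distinct) >= min_ports and run >= min_run:
                alerts.append({"src": src, "dst": dst,
                               "ports": len(distinct), "sequential_run": run})
                break                               # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two normal connections from 198.51.100.7 stay below both thresholds, while the seven consecutive ports probed by 203.0.113.5 within two seconds produce one alert; the thresholds are the tuning knobs a real deployment would set from its own traffic baseline.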

Internet security threats
Packet sniffing:
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g.: C sniffs B's packets

(figure: A, B and C on one shared segment; frame src:B dest:A payload)
Countermeasures?

Internet security threats
Packet sniffing: countermeasures
• all hosts in organization run software that checks periodically if host interface in promiscuous mode
• one host per segment of broadcast media (switched Ethernet at hub)

(figure: A, B and C; frame src:B dest:A payload)

Internet security threats
IP Spoofing:
• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g.: C pretends to be B

(figure: A, B and C; frame src:B dest:A payload sent by C)
Countermeasures?

Internet security threats
IP Spoofing: ingress filtering
• routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
• great, but ingress filtering can not be mandated for all networks

(figure: A, B and C; frame src:B dest:A payload)
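The two packet-filtering examples from the firewall slides (block protocol 17 and port 23 in both directions; block inbound TCP SYNs) together with the ingress-filtering rule above, as one added example that is not part of the lecture slides. Inbound SYN blocking is implemented as "SYN set and ACK clear", which is what lets replies to our own outbound connections through; the packet tuple layout, the internal prefix 192.0.2.0/24 and the sample packets are constructed for illustration.

```python
"""Added example (not from the slides): a stateless router packet filter
implementing the slide's Example 1 (drop protocol 17 and port 23 both ways),
Example 2 (drop inbound TCP SYN without ACK) and ingress filtering (drop an
outgoing datagram whose source is not inside the router's own network).
Packet layout, prefix and sample packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

UDP, TCP = 17, 6


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (Internet -> internal net) or "out"
    proto: int          # IP protocol field
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN bit
    ack: bool = False   # TCP ACK bit


class RouterFilter:
    def __init__(self, internal_prefix):
        self.internal = ipaddress.ip_network(internal_prefix)

    def decide(self, p):
        """Return ('drop', reason) or ('forward', '')."""
        # Example 1: block UDP (protocol 17) and telnet (port 23), both directions.
        if p.proto == UDP:
            return ("drop", "udp blocked")
        if 23 in (p.sport, p.dport):
            return ("drop", "telnet blocked")
        # Example 2: block inbound TCP SYN (connection attempts from outside);
        # SYN+ACK replies to our own outbound connections still pass.
        if p.direction == "in" and p.proto == TCP and p.syn and not p.ack:
            return ("drop", "inbound SYN blocked")
        # Ingress filtering: an outgoing datagram must carry a source address
        # from this router's network; anything else is spoofed.
        if p.direction == "out" and ipaddress.ip_address(p.src) not in self.internal:
            return ("drop", "spoofed source")
        return ("forward", "")


# Constructed traffic; 192.0.2.0/24 plays the administered network.
SAMPLE = [
    Packet("out", TCP, "192.0.2.5", "198.51.100.1", 40000, 80, syn=True),            # our client opens a connection
    Packet("in", TCP, "198.51.100.1", "192.0.2.5", 80, 40000, syn=True, ack=True),  # the reply to it
    Packet("in", TCP, "198.51.100.1", "192.0.2.5", 50000, 22, syn=True),             # outside host connecting in
    Packet("in", UDP, "198.51.100.1", "192.0.2.5", 53, 33000),                       # a UDP flow
    Packet("out", TCP, "192.0.2.5", "198.51.100.1", 40001, 23, syn=True),            # telnet going out
    Packet("out", TCP, "203.0.113.9", "198.51.100.1", 40002, 443, syn=True),         # spoofed source leaving our net
]


def run_filter(packets, internal_prefix="192.0.2.0/24"):
    """Apply the filter to a packet list; returns the verdict for each packet."""
    f = RouterFilter(internal_prefix)
    return [f.decide(p)[0] for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_filter(SAMPLE)):
        print(f"{verdict:8} {pkt.direction:3} proto={pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The limitation the slide lists for UDP shows up directly: with no connection state to consult, the filter can only take the all-or-nothing decision for protocol 17.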

Internet security threats
Denial of service (DOS):
• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A

(figure: streams of SYN packets from C and from a remote host converging on A)
Countermeasures?

Internet security threats
Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)

(figure: streams of SYN packets from C and from a remote host converging on A)

Review (1)
Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)
Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP
Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)
• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication
  • Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing
  • IP spoofing
  • DoS attacks

Routing Algorithm classification
Global or decentralized information?
• Global: all routers have complete topology, link cost info; "link state" algorithms
• Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly; periodic update in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

(figure: six-node graph with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2)
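The pseudocode above run on the slide's six-node graph, as an added example that is not part of the lecture slides. The link costs are the ones that reproduce the D(v),p(v) table (u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2); ties in D are broken by node name, so the order in which v and y enter N can differ from the table while the final costs and predecessors agree. The forwarding-table helper, which turns predecessors into first hops, is an addition for illustration.

```python
"""Added example (not from the slides): the link-state (Dijkstra) algorithm
from the pseudocode, run on the slide's graph. Link costs are read off the
example table; tie-breaking by node name is an assumption."""
INF = float("inf")

LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def adjacency(links):
    """Undirected cost map: c[a][b] = c[b][a] = link cost."""
    g = {}
    for (a, b), cost in links.items():
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    return g


def dijkstra(links, source):
    """Return (D, p, steps): least costs D, predecessors p, and the contents
    of N after each iteration, mirroring the columns of the slide's table."""
    c = adjacency(links)
    N = [source]
    D = {v: INF for v in c}
    p = {v: None for v in c}
    D[source] = 0
    for v, cost in c[source].items():           # initialization: D(v) = c(u,v) for neighbours
        D[v], p[v] = cost, source
    steps = ["".join(N)]
    while len(N) < len(c):                      # loop until all nodes in N
        w = min((v for v in c if v not in N), key=lambda v: (D[v], v))
        N.append(w)
        for v, cost in c[w].items():
            if v not in N and D[w] + cost < D[v]:   # D(v) = min(D(v), D(w) + c(w,v))
                D[v], p[v] = D[w] + cost, w
        steps.append("".join(N))
    return D, p, steps


def forwarding_table(p, source):
    """First hop from source to every destination, walked back along p."""
    table = {}
    for dest in p:
        if dest == source:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, steps = dijkstra(LINKS, "u")
    for step, n in enumerate(steps):
        print(step, n)
    print("D:", D)
    print("forwarding table at u:", forwarding_table(p, "u"))
```

Every destination other than v is reached through x, which is what the predecessor chain w <- y <- x <- u in the table encodes.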

Distance vector algorithm (1)
Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

  Dx(y) ← min_v { c(x,v) + Dv(y) }   for each node y ∈ N

• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor
Distributed:
• each node notifies neighbors only when its DV changes
  • neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path – only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

(figure: three-node network, link costs x-y 2, y-z 1, x-z 7)

Tables over time (rows: from x / from y / from z; columns: cost to x y z):

time 0
  node x table: from x: 0 2 7 | from y: ∞ ∞ ∞ | from z: ∞ ∞ ∞
  node y table: from x: ∞ ∞ ∞ | from y: 2 0 1 | from z: ∞ ∞ ∞
  node z table: from x: ∞ ∞ ∞ | from y: ∞ ∞ ∞ | from z: 7 1 0

after first exchange
  node x table: from x: 0 2 3 | from y: 2 0 1 | from z: 7 1 0
  node y table: from x: 0 2 7 | from y: 2 0 1 | from z: 7 1 0
  node z table: from x: 0 2 7 | from y: 2 0 1 | from z: 3 1 0

after second exchange (no further change)
  node x, y, z tables: from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0

Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
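The Bellman-Ford iteration from the two slides above, run on the slide's three-node network (c(x,y)=2, c(x,z)=7, c(y,z)=1), as an added example that is not part of the lecture slides. Exchanges are applied synchronously at all nodes (the slides describe the asynchronous version; synchronous rounds are an assumption that makes the run reproducible), and the round count reports when the vectors stop changing, which is after the second exchange as in the tables.

```python
"""Added example (not from the slides): synchronous distance-vector
(Bellman-Ford) iteration Dx(y) = min_v { c(x,v) + Dv(y) } on the slide's
network. Synchronous rounds are an assumption for reproducibility."""
INF = float("inf")


def distance_vector(costs, max_rounds=100):
    """costs: {(a, b): c} per undirected link. Returns (D, rounds): D[node] is
    that node's final distance vector {dest: least cost}; rounds is the
    exchange after which nothing changed any more."""
    nodes = sorted({n for link in costs for n in link})
    c = {(a, b): INF for a in nodes for b in nodes}
    for (a, b), cost in costs.items():
        c[(a, b)] = c[(b, a)] = cost
    # Time 0: own cost 0, link cost to each neighbour, ∞ to everyone else.
    D = {x: {y: (0 if x == y else c[(x, y)]) for y in nodes} for x in nodes}
    neighbours = {x: [v for v in nodes if v != x and c[(x, v)] < INF] for x in nodes}
    for rounds in range(1, max_rounds + 1):
        # Every node sends its current vector to its neighbours ...
        received = {x: {v: dict(D[v]) for v in neighbours[x]} for x in nodes}
        # ... and recomputes its own vector from what it received (B-F equation).
        new_D = {}
        for x in nodes:
            new_D[x] = {}
            for y in nodes:
                via = [c[(x, v)] + received[x][v][y] for v in neighbours[x]]
                new_D[x][y] = 0 if x == y else (min(via) if via else INF)
        if new_D == D:      # nothing changed: converged, no node notifies anyone
            return D, rounds
        D = new_D
    raise RuntimeError("distance vectors did not converge")


SLIDE_NETWORK = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}


if __name__ == "__main__":
    D, rounds = distance_vector(SLIDE_NETWORK)
    for node, vector in D.items():
        print(f"node {node}: {vector}")
    print("stable after exchange", rounds)
```

Node x never learns the path x-y-z explicitly: its vector only records that z is reachable at cost 3 through neighbour y, the "only knows the next hop" property from the slide.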

The Internet Network layer
Host, router network layer functions:

Transport layer: TCP, UDP

Network layer:
• Routing protocols
  • path selection
  • RIP, OSPF, BGP
• IP protocol
  • addressing conventions
  • datagram format
  • packet handling conventions
• ICMP protocol
  • error reporting
  • router "signaling"
• forwarding table

Link layer
Physical layer

IP datagram format (header rows are 32 bits wide)
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
• 20 bytes of TCP
• 20 bytes of IP
• = 40 bytes + app layer overhead
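The header layout above as working code, an added example that is not part of the lecture slides: a 20-byte IPv4 header is built field by field, parsed back, and its Internet checksum verified, which is the check a receiving host or router performs before trusting any header field. The sample addresses are the slide's 223.1.x.x ones; the identifier, TTL and payload length are constructed.

```python
"""Added example (not from the slides): build, parse and checksum-verify an
IPv4 header with the fields of the datagram-format slide. Sample identifier,
TTL and payload length are constructed."""
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # 20 bytes, network byte order


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, then complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1C46, tos=0):
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words = 20 bytes
    total_len = 20 + payload_len
    flags_frag = 0                           # no fragmentation
    fields = (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, 0,
              bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    raw = IPV4_HEADER.pack(*fields)
    csum = internet_checksum(raw)            # computed with the checksum field = 0
    return raw[:10] + struct.pack("!H", csum) + raw[12:]


def parse_header(raw):
    if len(raw) < 20:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = IPV4_HEADER.unpack(raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    return {
        "version": version,
        "header_len": ihl,                   # bytes; more than 20 means options present
        "tos": tos,
        "total_len": total_len,
        "id": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "proto": proto,                      # 6 = TCP, 17 = UDP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        # A correct header sums to zero when the stored checksum is included.
        "checksum_ok": internet_checksum(raw[:ihl]) == 0,
    }


def demo():
    """20 bytes of IP plus a 20-byte TCP header: the slide's 40 bytes of overhead."""
    hdr = build_header("223.1.1.1", "223.1.2.1", payload_len=20)
    good = parse_header(hdr)
    # A router decrements TTL but here "forgets" to recompute the checksum.
    corrupted = parse_header(hdr[:8] + bytes([good["ttl"] - 1]) + hdr[9:])
    return good, corrupted


if __name__ == "__main__":
    good, corrupted = demo()
    print(good)
    print("after TTL change without checksum update:", corrupted["checksum_ok"])
```

The checksum covers only the header, so it catches in-transit damage to the fields a router acts on; it is not a security control, since anyone who can alter the header can recompute it.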

IP Addressing: introduction
• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

(figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3 with router interface 223.1.1.4; router interfaces 223.1.2.9 and 223.1.3.27; hosts 223.1.2.1, 223.1.2.2; hosts 223.1.3.1, 223.1.3.2)

223.1.1.1 = 11011111 00000001 00000001 00000001
              223        1        1        1

Subnets
• IP address:
  • subnet part (high order bits)
  • host part (low order bits)
• What's a subnet?
  • device interfaces with same subnet part of IP address
  • can physically reach each other without intervening router

(figure: the same 223.1.x.x addresses as above, forming a network consisting of 3 subnets, each a LAN)

IP addressing: CIDR
• Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)
• CIDR: Classless InterDomain Routing
  • subnet portion of address of arbitrary length
  • address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address

  11001000 00010111 00010000 00000000
  |----- subnet part (23 bits) ----|-- host part --|
                200.23.16.0/23
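CIDR arithmetic done by hand on the slide's block 200.23.16.0/23, as an added example that is not part of the lecture slides: the mask is derived from x, the address is split into its 23-bit subnet part and 9-bit host part as bit strings, and membership of other addresses in the block is tested. The extra test addresses are constructed.

```python
"""Added example (not from the slides): CIDR parsing and prefix matching
without library help, on the slide's 200.23.16.0/23. Test addresses other
than the slide's block are constructed."""


def ip_to_int(a):
    octets = [int(o) for o in a.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {a!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_for(x):
    """Netmask for a /x prefix: x one-bits followed by 32-x zero-bits."""
    return (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF


def parse_cidr(text):
    """'a.b.c.d/x' -> (network as int, x); host bits of a.b.c.d are cleared."""
    addr, x = text.split("/")
    x = int(x)
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be 0..32")
    return ip_to_int(addr) & mask_for(x), x


def describe(cidr):
    """Split the block into its subnet and host parts, as on the slide."""
    net, x = parse_cidr(cidr)
    bits = f"{net:032b}"
    return {
        "network": int_to_ip(net),
        "mask": int_to_ip(mask_for(x)),
        "subnet_bits": bits[:x],             # high-order x bits
        "host_bits": bits[x:],               # low-order 32-x bits
        "host_addresses": 2 ** (32 - x),
        "last": int_to_ip(net | ((1 << (32 - x)) - 1)),
    }


def contains(cidr, address):
    """Longest-prefix style check: does address fall inside the block?"""
    net, x = parse_cidr(cidr)
    return (ip_to_int(address) & mask_for(x)) == net


if __name__ == "__main__":
    for key, value in describe("200.23.16.0/23").items():
        print(f"{key:15} {value}")
    for probe in ("200.23.16.5", "200.23.17.200", "200.23.18.1"):
        print(probe, "in 200.23.16.0/23:", contains("200.23.16.0/23", probe))
```

The same `contains` test is what an ingress filter applies to the source address of every outgoing datagram.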

NAT: Network Address Translation

(figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router with LAN-side interface 10.0.0.4 and WAN-side address 138.76.29.7 towards the rest of the Internet)

• Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……
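The four-step walkthrough above as a NAT translation table in code, an added example that is not part of the lecture slides. Addresses and ports are the slide's; the port-allocation rule (next free WAN port starting at 5001) and dropping an inbound datagram that matches no table entry are assumptions for illustration.

```python
"""Added example (not from the slides): a NAT translation table replaying the
slide's four steps. Port allocation policy and the drop of unmatched inbound
datagrams are assumptions."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NATRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.wan_to_lan = {}   # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.lan_to_wan = {}   # (lan_ip, lan_port) -> (wan_ip, wan_port)

    def outbound(self, d):
        """Step 2: rewrite source addr/port, creating a table entry on first use."""
        lan_key = (d.src_ip, d.src_port)
        if lan_key not in self.lan_to_wan:
            wan_key = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.lan_to_wan[lan_key] = wan_key
            self.wan_to_lan[wan_key] = lan_key
        wan_ip, wan_port = self.lan_to_wan[lan_key]
        return replace(d, src_ip=wan_ip, src_port=wan_port)

    def inbound(self, d):
        """Step 4: rewrite dest addr/port from the table. With no matching entry
        there is no inside host to deliver to, so the datagram is dropped
        (None); this is why unsolicited inbound connections do not reach
        NATed hosts."""
        lan = self.wan_to_lan.get((d.dst_ip, d.dst_port))
        if lan is None:
            return None
        return replace(d, dst_ip=lan[0], dst_port=lan[1])


def walkthrough():
    nat = NATRouter("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)        # 1: host sends
    step2 = nat.outbound(step1)                                     # 2: leaves the NAT rewritten
    step3 = Datagram("128.119.40.186", 80, step2.src_ip, step2.src_port)  # 3: reply arrives
    step4 = nat.inbound(step3)                                      # 4: delivered inside
    stray = nat.inbound(Datagram("203.0.113.1", 4444, "138.76.29.7", 6000))  # constructed unsolicited packet
    return step2, step4, dict(nat.wan_to_lan), stray


if __name__ == "__main__":
    step2, step4, table, stray = walkthrough()
    print("step 2:", step2)
    print("step 4:", step4)
    print("table:", table)
    print("unsolicited inbound:", stray)
```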

Hierarchical Routing
Our routing study thus far – idealization:
• all routers identical
• network "flat"
... not true in practice

scale: with 200 million destinations:
• can't store all dests in routing tables!
• routing table exchange would swamp links!

administrative autonomy
• internet = network of networks
• each network admin may want to control routing in its own network

Hierarchical Routing
• aggregate routers into regions, "autonomous systems" (AS)
• routers in same AS run same routing protocol
  • "intra-AS" routing protocol
  • routers in different AS can run different intra-AS routing protocol
Gateway router
• Direct link to router in another AS

(figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. Inside a router, the Intra-AS routing algorithm and the Inter-AS routing algorithm both feed the forwarding table)

Interconnected ASes
• Forwarding table is configured by both intra- and inter-AS routing algorithm
  • Intra-AS sets entries for internal dests
  • Inter-AS & Intra-AS set entries for external dests

Routing in the Internet
• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)
• Distance vector algorithm
• Included in BSD-UNIX Distribution in 1982
• Distance metric: number of hops (max = 15 hops)
  • number of hops = number of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)

(figure: routers A, B, C, D connecting subnets u, v, w, x, y, z)

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements
• Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
• Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)
• "open": publicly available
• Uses Link State algorithm
  • LS packet dissemination
  • Topology map at each node
  • Route computation using Dijkstra's algorithm
  • Link costs configured by the network administrator
• OSPF advertisement carries one entry per neighbor router
• Advertisements disseminated to entire AS (via flooding)
  • Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
• Integrated uni- and multicast support:
  • Multicast OSPF (MOSPF) uses same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF

(figure: a backbone area containing a boundary router and backbone routers, connected through area border routers to three local areas of internal routers)

• Two-level hierarchy: local area, backbone.
  • Link-state advertisements only in area
  • each node has detailed area topology
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
• Backbone routers: run OSPF routing limited to backbone.
• Boundary routers: connect to other ASs.

Internet inter-AS routing: BGP
• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs.
  2. Propagate the reachability information to all routers internal to the AS.
  3. Determine "good" routes to subnets based on reachability information and policy.
• Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics
• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  • Note that BGP sessions do not correspond to physical links.
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix.
  • AS2 can aggregate prefixes in its advertisement

(figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; eBGP sessions between ASs, iBGP sessions within an AS)

Path attributes & BGP routes
• When advertising a prefix, advert includes BGP attributes.
  • prefix + attributes = "route"
• Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: Indicates the specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop-AS.)
• When gateway router receives route advert, uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?
Policy:
• Inter-AS: admin wants control over how its traffic routed, who routes through its net.
• Intra-AS: single admin, so no policy decisions needed
Scale:
• hierarchical routing saves table size, reduced update traffic
Performance:
• Intra-AS: can focus on performance
• Inter-AS: policy may dominate over performance

Data Link Layer
Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links
  • wired links
  • wireless links
  • LANs
• layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services
• Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest
    • different from IP address!
• Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit error link (fiber, some twisted pair)
  • wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
• Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
• Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
• "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
• access to channel in "rounds"
• each station gets fixed length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA
Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple
Cons
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

• Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37

At best: channel used for useful transmissions 37% of time!
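The derivation above carried out numerically, as an added example that is not part of the lecture slides: it evaluates Np(1-p)^(N-1), finds the maximizing p* for a given N by direct search (the analytic answer p* = 1/N is recovered), and tabulates the maximum for growing N next to 1/e. Only the slide's formula is used; the sample values of N are constructed.

```python
"""Added example (not from the slides): slotted ALOHA success probability
Np(1-p)^(N-1), the optimal p for a given N, and the approach to 1/e.
The sample values of N are constructed."""
import math


def success_probability(N, p):
    """Probability that exactly one of N nodes transmits in a slot."""
    if not 0 <= p <= 1:
        raise ValueError("p must be a probability")
    return N * p * (1 - p) ** (N - 1)


def best_p(N, resolution=10_000):
    """Grid search for the transmit probability maximizing success; the
    analytic optimum p* = 1/N lies on the grid for the N used here."""
    candidates = (k / resolution for k in range(1, resolution))
    return max(candidates, key=lambda p: success_probability(N, p))


def max_efficiency(N):
    """Efficiency with the optimal p = 1/N, i.e. (1 - 1/N)^(N-1)."""
    return success_probability(N, 1 / N)


def limit_table(Ns=(1, 2, 5, 10, 100, 1000)):
    """Maximum efficiency for several N alongside 1/e, the many-nodes limit."""
    return {N: round(max_efficiency(N), 4) for N in Ns}, round(1 / math.e, 4)


if __name__ == "__main__":
    table, one_over_e = limit_table()
    for N, eff in table.items():
        print(f"N={N:5d}  p*={1 / N:.4f}  max efficiency={eff}")
    print("1/e =", one_over_e)
```

With one active node the channel is fully used (efficiency 1); already at ten nodes the optimum is below 0.39, and the sequence settles a little above 1/e from above.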

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
• If channel sensed idle: transmit entire frame
• If channel sensed busy, defer transmission
• Human analogy: don't interrupt others!

CSMA collisions
• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted
• note: role of distance & propagation delay in determining collision probability

(figure: spatial layout of nodes, transmissions spreading over time until they overlap)

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel wastage
• collision detection:
  • easy in wired LANs: measure signal strengths, compare transmitted, received signals
  • difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection
(figure: the CSMA space-time diagram with both transmissions aborted shortly after the collision is detected)

"Taking Turns" MAC protocols
Polling:
• master node "invites" slave nodes to transmit in turn
• concerns:
  • polling overhead
  • latency
  • single point of failure (master)
Token passing:
• control token passed from one node to next sequentially.
• token message
• concerns:
  • token overhead
  • latency
  • single point of failure (token)

ARP: Address Resolution Protocol
• Each IP node (Host, Router) on LAN has ARP table
• ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
  • TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

(figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)

ARP protocol: Same LAN (network)
• A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play":
  • nodes create their ARP tables without intervention from net administrator

Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

(figure: A — R — B, with R joining the two LANs)

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD
• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load
  • heavy load: random wait will be longer
• first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0, 1, 2, 3} …
• after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency
• t_prop = max prop between 2 nodes in LAN
• t_trans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 t_prop / t_trans)

• Efficiency goes to 1 as t_prop goes to 0
• Goes to 1 as t_trans goes to infinity
• Much better than ALOHA, but still decentralized, simple and cheap

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Firewalls

A firewall isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.

[figure: administered network | firewall | public Internet]

Firewalls: Why

• prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
• prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else
• allow only authorized access to inside network (set of authenticated users/hosts)
• two types of firewalls: application-level, packet-filtering

Packet Filtering

• internal network connected to Internet via router firewall
• router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address, TCP/UDP source and destination port numbers, ICMP message type, TCP SYN and ACK bits
• Should arriving packet be allowed in? Departing packet let out?

Packet Filtering

Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.

Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
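Added example (not lecture code) applying the two rules above to constructed packets. Example 1 is applied as "protocol 17 or port 23", since the slide says both UDP flows and telnet connections end up blocked, and "inbound SYN" is taken as SYN set with ACK clear, which lets replies to internal clients through.

```python
"""Stateless packet filter implementing the two example policies above.

Added illustration, not code from the lecture. Packets are constructed
five-tuples plus TCP flag bits; 'direction' is relative to the protected net.
"""
from dataclasses import dataclass

PROTO_TCP = 6
PROTO_UDP = 17      # IP protocol field value for UDP (example 1)
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (arriving from Internet) or "out" (departing)
    proto: int            # IP protocol field
    src_port: int
    dst_port: int
    syn: bool = False     # TCP SYN bit
    ack: bool = False     # TCP ACK bit


def rule_block_udp_and_telnet(pkt: Packet) -> bool:
    """Example 1: drop datagrams with protocol = 17 or either port = 23,
    in both directions (stated effect: all UDP flows and telnet blocked)."""
    return pkt.proto == PROTO_UDP or TELNET_PORT in (pkt.src_port, pkt.dst_port)


def rule_block_inbound_syn(pkt: Packet) -> bool:
    """Example 2: drop inbound TCP connection requests (SYN set, ACK clear).
    Inbound SYN+ACK replies to internal clients are allowed through."""
    return (pkt.direction == "in" and pkt.proto == PROTO_TCP
            and pkt.syn and not pkt.ack)


RULES = (rule_block_udp_and_telnet, rule_block_inbound_syn)


def decide(pkt: Packet) -> str:
    """Packet-by-packet decision: 'drop' if any rule matches, else 'forward'."""
    for rule in RULES:
        if rule(pkt):
            return "drop"
    return "forward"


def filter_packets(packets):
    """Apply the decision to a sequence of packets, keeping the packet alongside."""
    return [(p, decide(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic seen at the router firewall.
    sample = [
        Packet("in", PROTO_TCP, 40000, 80, syn=True),             # external client -> internal web: drop
        Packet("out", PROTO_TCP, 40001, 80, syn=True),            # internal client connects out: forward
        Packet("in", PROTO_TCP, 80, 40001, syn=True, ack=True),   # reply to internal client: forward
        Packet("in", PROTO_UDP, 53, 40002),                       # UDP (DNS reply): drop by example 1
        Packet("out", PROTO_TCP, 40003, 23),                      # outgoing telnet: drop by example 1
    ]
    for p, verdict in filter_packets(sample):
        print(f"{verdict:8s} {p}")
```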

Application gateways

• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.

[figure: host-to-gateway telnet session; application gateway; router and filter; gateway-to-remote host telnet session]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways

• IP spoofing: router can't know if data "really" comes from claimed source
• if multiple apps need special treatment, each has own app gateway
• client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks

Overview

• What is network security
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Internet security threats

Mapping:
• before attacking: "case the joint" – find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence

Countermeasures?

Internet security threats

Mapping countermeasures:
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)
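Added example (not lecture code) of the second countermeasure: a constructed log of recorded inbound connection attempts is scanned for sources that probe a host's ports in sequence.

```python
"""Detect sequential port scanning in recorded inbound connection attempts.

Added illustration of the mapping countermeasure above; not code from the
lecture. The log format and the sample records are constructed for this example.
"""
from collections import defaultdict

# Constructed records: "time src_ip dst_ip dst_port" (one connection attempt each).
SAMPLE_LOG = """\
10:00:01 203.0.113.9 192.0.2.10 21
10:00:01 203.0.113.9 192.0.2.10 22
10:00:02 203.0.113.9 192.0.2.10 23
10:00:02 203.0.113.9 192.0.2.10 24
10:00:03 203.0.113.9 192.0.2.10 25
10:00:03 203.0.113.9 192.0.2.10 26
10:00:05 198.51.100.4 192.0.2.10 80
10:00:07 198.51.100.4 192.0.2.10 443
10:00:09 198.51.100.4 192.0.2.10 80
"""


def parse_log(text):
    """Yield (src, dst, port) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, src, dst, port = line.split()
        yield src, dst, int(port)


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers among the probes."""
    best = run = 0
    prev = None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best


def find_port_scanners(text, min_run=5):
    """Return {(src, dst): run_length} for source/target pairs whose probed
    ports contain a sequential run of at least min_run ports."""
    probes = defaultdict(list)
    for src, dst, port in parse_log(text):
        probes[(src, dst)].append(port)
    flagged = {}
    for pair, ports in probes.items():
        run = longest_sequential_run(ports)
        if run >= min_run:
            flagged[pair] = run
    return flagged


if __name__ == "__main__":
    for (src, dst), run in find_port_scanners(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {run} sequential ports")
```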

Internet security threats: Packet sniffing

• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g.: C sniffs B's packets

[figure: hosts A, B, C on a shared segment; frame src:B dest:A payload]

Countermeasures?

Internet security threats: Packet sniffing countermeasures

• all hosts in organization run software that checks periodically if host interface is in promiscuous mode
• one host per segment of broadcast media (switched Ethernet at hub)

[figure: hosts A, B, C on switched segments; frame src:B dest:A payload]

Internet security threats: IP Spoofing

• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g.: C pretends to be B

[figure: hosts A, B, C; frame src:B dest:A payload sent by C]

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

• routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network)
• great, but ingress filtering can not be mandated for all networks

[figure: hosts A, B, C; frame src:B dest:A payload]
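Added example (not lecture code) of the ingress-filter check at an edge router: an outgoing datagram is forwarded only if its source address lies in one of the router's own prefixes. The stub prefix and the datagrams are constructed.

```python
"""Ingress filtering: drop outgoing datagrams whose source address is not
inside the router's own network.

Added illustration, not lecture code. The prefix list and the datagrams are
constructed values.
"""
import ipaddress

# Prefixes that legitimately originate behind this router (constructed).
LOCAL_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def ingress_filter(src_ip: str, networks=LOCAL_NETWORKS) -> bool:
    """Return True if an outgoing datagram with this source may be forwarded."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return False          # malformed source address: never forward
    return any(src in net for net in networks)


def filter_outgoing(datagrams, networks=LOCAL_NETWORKS):
    """Split (src, dst) pairs into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, dst in datagrams:
        if ingress_filter(src, networks):
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst))     # spoofed or bogus source: log and drop
    return forwarded, dropped


if __name__ == "__main__":
    sample = [
        ("198.51.100.7", "203.0.113.1"),   # legitimate inside host
        ("192.0.2.55", "203.0.113.1"),     # source claims an outside address: spoofed
        ("bogus", "203.0.113.1"),          # malformed
    ]
    fwd, drop = filter_outgoing(sample)
    print("forwarded:", fwd)
    print("dropped:", drop)
```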

Internet security threats: Denial of service (DOS)

• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A

[figure: hosts A, B, C; SYN flood toward A]

Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)

[figure: hosts A, B, C; SYN flood toward A]

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP
Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)

• What is network security
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
• Global: all routers have complete topology, link cost info; "link state" algorithms
• Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

[figure: example graph with nodes u, v, w, x, y, z and link costs]

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

  Dx(y) ← min over v of { c(x,v) + Dv(y) }   for each node y ∈ N

• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor

Distributed:
• each node notifies neighbors only when its DV changes
• neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path – only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[figure: three-node example with link costs c(x,y) = 2, c(x,z) = 7, c(y,z) = 1; the tables at nodes x, y and z are shown at successive points in time]

node x table, initially (cost to x y z): from x: 0 2 7; from y: ∞ ∞ ∞; from z: ∞ ∞ ∞
node y table, initially: from x: ∞ ∞ ∞; from y: 2 0 1; from z: ∞ ∞ ∞
node z table, initially: from x: ∞ ∞ ∞; from y: ∞ ∞ ∞; from z: 7 1 0

After the first exchange node x's table reads: from x: 0 2 3; from y: 2 0 1; from z: 7 1 0
After convergence every table reads: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
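The three-node exchange above run to convergence, as an added example (not lecture code): each round every node sends its distance vector to its neighbors, then recomputes with the B-F equation; the run stops when no vector changes. Link costs are those on the slide.

```python
"""Synchronous distance-vector (Bellman-Ford) on the three-node example above.

Added illustration, not lecture code. Link costs are those on the slide:
c(x,y) = 2, c(x,z) = 7, c(y,z) = 1.
"""
INF = float("inf")

LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}


def link_costs(links):
    """{node: {neighbor: cost}} for the undirected links."""
    c = {}
    for (a, b), cost in links.items():
        c.setdefault(a, {})[b] = cost
        c.setdefault(b, {})[a] = cost
    return c


def initial_tables(c):
    """Each node's table holds a row per node; initially it knows only its own
    row (direct link costs, ∞ elsewhere) and nothing about its neighbors' rows."""
    nodes = sorted(c)
    tables = {}
    for x in nodes:
        tables[x] = {v: {y: INF for y in nodes} for v in nodes}
        for y in nodes:
            tables[x][x][y] = 0 if y == x else c[x].get(y, INF)
    return tables


def bellman_ford_update(c, tables, x):
    """Dx(y) <- min_v { c(x,v) + Dv(y) } over the neighbor rows x has received."""
    new_row = {}
    for y in tables[x][x]:
        if y == x:
            new_row[y] = 0
        else:
            new_row[y] = min(c[x][v] + tables[x][v][y] for v in c[x])
    return new_row


def run_dv(links, max_rounds=10):
    """Return (tables, history); history[i] maps node -> its own row after round i."""
    c = link_costs(links)
    tables = initial_tables(c)
    history = [{x: dict(tables[x][x]) for x in tables}]
    for _ in range(max_rounds):
        for x in c:                                  # exchange: send own DV to neighbors
            for v in c[x]:
                tables[v][x] = dict(tables[x][x])
        changed = False
        for x in c:                                  # recompute estimates
            new_row = bellman_ford_update(c, tables, x)
            if new_row != tables[x][x]:
                tables[x][x] = new_row
                changed = True
        history.append({x: dict(tables[x][x]) for x in tables})
        if not changed:                              # no DV changed: converged
            break
    return tables, history


if __name__ == "__main__":
    tables, history = run_dv(LINKS)
    for i, rows in enumerate(history):
        print(f"after round {i}: " + "; ".join(f"D{x} = {rows[x]}" for x in sorted(rows)))
```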

The Internet Network layer

Host, router network layer functions:

Network layer
• Routing protocols: path selection; RIP, OSPF, BGP
• IP protocol: addressing conventions, datagram format, packet handling conventions
• ICMP protocol: error reporting, router "signaling"
• forwarding table

Transport layer: TCP, UDP
Link layer
physical layer

IP datagram format

[figure: IPv4 header, 32 bits wide]
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
• 20 bytes of TCP
• 20 bytes of IP
• = 40 bytes + app layer overhead

IP Addressing: introduction

• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

[figure: example network with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

• IP address:
  • subnet part (high order bits)
  • host part (low order bits)
• What's a subnet?
  • device interfaces with same subnet part of IP address
  • can physically reach each other without intervening router

[figure: network consisting of 3 subnets (LANs); interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]

IP addressing: CIDR

• Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)
• CIDR: Classless InterDomain Routing
  • subnet portion of address of arbitrary length
  • address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address

  11001000 00010111 00010000 00000000
  subnet part (23 bits) | host part
  200.23.16.0/23
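Added example (not lecture code) computing the subnet part of an a.b.c.d/x address bit by bit; it reproduces the 200.23.16.0/23 bit pattern above and applies the same-subnet rule from the Subnets slide. Sample addresses other than the slide's are constructed.

```python
"""CIDR prefix arithmetic on the a.b.c.d/x form, done with integer bit operations.

Added illustration, not lecture code; addresses not on the slide are constructed.
"""


def parse_cidr(text):
    """'200.23.16.0/23' -> (address as 32-bit int, prefix length x).
    A bare address without '/x' is treated as a /32 host address."""
    addr, _, plen = text.partition("/")
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    x = int(plen) if plen else 32
    if not 0 <= x <= 32:
        raise ValueError(f"bad prefix length: {plen}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value, x


def prefix_mask(x):
    """32-bit mask with the x high-order (subnet) bits set."""
    return (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF


def subnet_part(addr, x):
    """Address with the host part cleared, as an int."""
    return addr & prefix_mask(x)


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """32-bit binary string grouped per octet, as drawn on the slide."""
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def same_subnet(ip_a, ip_b, x):
    """True if both interfaces share the x-bit subnet part (Subnets slide)."""
    a, _ = parse_cidr(ip_a)
    b, _ = parse_cidr(ip_b)
    return subnet_part(a, x) == subnet_part(b, x)


def host_count(x):
    """Number of host-part values in a /x block (network and broadcast included)."""
    return 1 << (32 - x)


if __name__ == "__main__":
    value, x = parse_cidr("200.23.16.0/23")
    print(to_binary(value), f"/{x}")
    print("subnet part of 200.23.17.255 in /23:",
          to_dotted(subnet_part(parse_cidr("200.23.17.255")[0], 23)))
    print("hosts per /23:", host_count(23))
```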

NAT: Network Address Translation

[figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router interface 10.0.0.4; WAN side address 138.76.29.7; rest of Internet]

• Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

NAT translation table
WAN side addr        LAN side addr
138.76.29.7, 5001    10.0.0.1, 3345
......               ......

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
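The four-step translation above as an added example (not lecture code). Addresses and ports are those on the slide; the port allocator starting at 5001, the datagram tuple shape, and dropping inbound datagrams with no table entry are assumptions of this example.

```python
"""NAT router translation table for the outbound/inbound exchange above.

Added illustration, not lecture code. Addresses and ports are the slide's;
port allocation and the datagram tuple shape are assumptions.
"""
from dataclasses import dataclass, replace

NAT_WAN_IP = "138.76.29.7"


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip=NAT_WAN_IP, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}        # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}      # (lan_ip, lan_port) -> wan_port

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite source addr:port to the WAN addr and a fresh port,
        adding a table entry (an existing entry is reused for the same LAN socket)."""
        key = (d.src_ip, d.src_port)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(self.wan_ip, port)] = key
        return replace(d, src_ip=self.wan_ip, src_port=self.reverse[key])

    def inbound(self, d: Datagram):
        """Step 4: look up the WAN-side (addr, port) and restore the LAN addr:port.
        Returns None (drop) when no internal host opened that mapping."""
        entry = self.table.get((d.dst_ip, d.dst_port))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return replace(d, dst_ip=lan_ip, dst_port=lan_port)


if __name__ == "__main__":
    nat = NatRouter()
    out = nat.outbound(Datagram("10.0.0.1", 3345, "128.119.40.186", 80))   # steps 1-2
    print("leaving NAT:", out)
    reply = Datagram("128.119.40.186", 80, out.src_ip, out.src_port)        # step 3
    print("delivered inside:", nat.inbound(reply))                          # step 4
    print("table:", nat.table)
```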

Hierarchical Routing

Our routing study thus far – idealization: all routers identical, network "flat" ... not true in practice

scale: with 200 million destinations:
• can't store all dests in routing tables!
• routing table exchange would swamp links!

administrative autonomy
• internet = network of networks
• each network admin may want to control routing in its own network

Hierarchical Routing

• aggregate routers into regions, "autonomous systems" (AS)
• routers in same AS run same routing protocol
  • "intra-AS" routing protocol
  • routers in different AS can run different intra-AS routing protocol
• Gateway router: direct link to router in another AS

[figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); Intra-AS routing algorithm and Inter-AS routing algorithm both feed the forwarding table]

Interconnected ASes

• Forwarding table is configured by both intra- and inter-AS routing algorithm
  • Intra-AS sets entries for internal dests
  • Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)

• Distance vector algorithm
• Included in BSD-UNIX Distribution in 1982
• Distance metric: # of hops (max = 15 hops)
  • # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

[figure: routers A, B, C, D connecting subnets u, v, w, x, y, z]

destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

• Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
• Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

• "open": publicly available
• Uses Link State algorithm
  • LS packet dissemination
  • Topology map at each node
  • Route computation using Dijkstra's algorithm
  • Link costs configured by the network administrator
• OSPF advertisement carries one entry per neighbor router
• Advertisements disseminated to entire AS (via flooding)
  • Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF

• Two-level hierarchy: local area, backbone
  • Link-state advertisements only in area
  • each node has detailed area topology
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
• Backbone routers: run OSPF routing limited to backbone
• Boundary routers: connect to other ASs

Internet inter-AS routing: BGP

• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
• Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  • Note that BGP sessions do not correspond to physical links
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  • AS2 can aggregate prefixes in its advertisement

[figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS]

Path attributes & BGP routes

• When advertising a prefix, advert includes BGP attributes
  • prefix + attributes = "route"
• Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop-AS)
• When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
• Inter-AS: admin wants control over how its traffic is routed, who routes through its net
• Intra-AS: single admin, so no policy decisions needed

Scale:
• hierarchical routing saves table size, reduced update traffic

Performance:
• Intra-AS: can focus on performance
• Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links
  • wired links
  • wireless links
  • LANs
• layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

• Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest
    • different from IP address!
• Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit error link (fiber, some twisted pair)
  • wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
• Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
• "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
• access to channel in "rounds"
• each station gets fixed length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple

Cons
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

• Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity; gives 1/e = .37

At best: channel used for useful transmissions 37% of time!
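Worked derivation (added here, not on the slide) of the maximizing p and of the 1/e limit, in the slide's symbols:

$$\frac{d}{dp}\Bigl[Np(1-p)^{N-1}\Bigr] = N(1-p)^{N-1} - N(N-1)\,p\,(1-p)^{N-2} = N(1-p)^{N-2}\,(1 - Np)$$

Setting the derivative to zero gives $p^* = 1/N$, so the best achievable success probability with N nodes is

$$N p^* (1-p^*)^{N-1} = \left(1 - \frac{1}{N}\right)^{N-1} \;\xrightarrow{\;N \to \infty\;}\; \frac{1}{e} \approx 0.37 .$$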

CSMA (Carrier Sense Multiple Access)

C SMA: listen before transmit:
• If channel sensed idle: transmit entire frame
• If channel sensed busy, defer transmission

Human analogy: don't interrupt others!

CSMA collisions

• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted
• note: role of distance & propagation delay in determining collision probability

[figure: spatial layout of nodes versus time, two transmissions overlapping]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel wastage

collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted, received signals
• difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[figure: collision detection in space and time]

"Taking Turns" MAC protocols

Polling:
• master node "invites" slave nodes to transmit in turn
• concerns: polling overhead, latency, single point of failure (master)

Token passing:
• control token passed from one node to next sequentially
• token message
• concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

• Each IP node (Host, Router) on LAN has ARP table
• ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
  • TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[figure: LAN with nodes 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

• A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[figure: A – R – B]

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load
  • heavy load: random wait will be longer
• first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0, 1, 2, 3} ...
• after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
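Added example (not lecture code) of the backoff arithmetic in steps 2-5 of the algorithm above, run for one frame against a scripted sequence of collisions. The seeded RNG, the cap of the exponent at 10 and the 16-attempt give-up limit are assumptions of this example; the 0.1 microsecond bit time is the slide's figure.

```python
"""Exponential backoff from the Ethernet CSMA/CD algorithm above.

Added illustration, not lecture code. The RNG seed, the exponent cap of 10
and the 16-attempt limit are assumptions; the bit time is the slide's value.
"""
import random

SLOT_BIT_TIMES = 512
JAM_SIGNAL_BITS = 48
MAX_BACKOFF_EXPONENT = 10        # after ten collisions K is drawn from 0..1023
MAX_ATTEMPTS = 16                # assumption: frame is dropped after this many
BIT_TIME_10MBPS_SEC = 0.1e-6     # .1 microsecond per bit at 10 Mbps


def make_rng(seed=0):
    """Deterministic stand-in for the adapter's random choice."""
    return random.Random(seed)


def backoff_range(m):
    """Size of the set {0, 1, ..., 2^m - 1} that K is drawn from after the
    m-th collision; the exponent stops growing at 10."""
    if m < 1:
        raise ValueError("backoff happens only after at least one collision")
    return 2 ** min(m, MAX_BACKOFF_EXPONENT)


def choose_k(m, rng):
    return rng.randrange(backoff_range(m))


def wait_time_seconds(k, bit_time=BIT_TIME_10MBPS_SEC):
    """Adapter waits K * 512 bit times."""
    return k * SLOT_BIT_TIMES * bit_time


def simulate_transmission(collides_on_attempt, rng):
    """Run steps 2-5 for one frame. collides_on_attempt(n) says whether the
    n-th attempt (1-based) collides. Returns (attempts_used, backoff_bit_times)."""
    attempt, total_wait = 1, 0
    while collides_on_attempt(attempt):
        if attempt >= MAX_ATTEMPTS:
            raise RuntimeError("excessive collisions, frame dropped")
        k = choose_k(attempt, rng)        # attempt number == collisions so far
        total_wait += k * SLOT_BIT_TIMES  # step 5: wait K * 512 bit times
        attempt += 1                      # back to step 2
    return attempt, total_wait


if __name__ == "__main__":
    rng = make_rng(7)
    attempts, wait = simulate_transmission(lambda n: n <= 2, rng)
    print(f"sent on attempt {attempts} after {wait} bit times of backoff")
    print(f"worst case K=1023 wait: {wait_time_seconds(1023) * 1e3:.1f} ms")
```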

CSMA/CD efficiency

• Tprop = max prop between 2 nodes in LAN
• ttrans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 · tprop / ttrans)

• Efficiency goes to 1 as tprop goes to 0
• Goes to 1 as ttrans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality
  • can disconnect a malfunctioning adapter

[figure: hub with twisted pair links]

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance btw nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

[figure: backbone hub interconnecting three departmental hubs]

Switch

Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent
• hosts are unaware of presence of switches

plug-and-play, self-learning
• switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...

[figure: switch with interfaces 1, 2, 3, each connected to a hub]

Self learning

• A switch has a switch table
• entry in switch table:
  • (MAC Address, Interface, Time Stamp)
  • stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces
  • when frame received, switch "learns" location of sender: incoming LAN segment
  • records sender/location pair in switch table

Switch: traffic isolation

• switch installation breaks subnet into LAN segments
• switch filters packets:
  • same-LAN-segment frames not usually forwarded onto other LAN segments
  • segments become separate collision domains

[figure: switch with three hubs, each hub forming its own collision domain]
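The self-learning and filtering behaviour of the two slides above (Self learning, traffic isolation) as one added example (not lecture code): unknown destinations are flooded, known ones forwarded on their learned interface, same-segment frames filtered, and entries older than the TTL dropped. MAC addresses and timestamps are constructed.

```python
"""Self-learning switch: learn the sender's interface, then forward or flood.

Added illustration, not lecture code. MAC addresses and timestamps are
constructed; the 60-minute TTL is the slide's figure.
"""

TTL_SECONDS = 60 * 60


class LearningSwitch:
    def __init__(self, interfaces, ttl=TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}        # MAC -> (interface, timestamp)

    def _expire(self, now):
        """Drop stale entries (older than TTL)."""
        stale = [mac for mac, (_, t) in self.table.items() if now - t > self.ttl]
        for mac in stale:
            del self.table[mac]

    def handle_frame(self, src, dst, in_iface, now):
        """Return the list of interfaces the frame goes out on."""
        self._expire(now)
        self.table[src] = (in_iface, now)          # learn: sender is on in_iface
        entry = self.table.get(dst)
        if entry is None:
            # unknown destination: flood to all other interfaces
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                              # same segment: filter, don't forward
        return [out_iface]


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    print(sw.handle_frame("A", "B", 1, now=0))       # B unknown: flood to 2 and 3
    print(sw.handle_frame("B", "A", 2, now=5))       # A learned on 1: forward to 1 only
    print(sw.handle_frame("C", "A", 1, now=6))       # C and A share segment 1: filtered
    print(sw.handle_frame("D", "A", 3, now=10_000))  # A's entry expired: flood again
    print(sw.table)
```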

Switches vs Routers

• both store-and-forward devices
  • routers: network layer devices (examine network layer headers)
  • switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                   hubs  switches  routers
traffic isolation  no    yes       yes
plug & play        yes   yes       no
optimal routing    no    no        yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

[figure: nodes A, B, C; A and C each within range of B but not of each other]

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
• means A, C unaware of their interference at B

[figure: A's signal strength and C's signal strength versus space, both reaching B]

Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN

802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
• widely deployed, using base stations

802.11a
• 5-6 GHz range
• up to 54 Mbps

802.11g
• 2.4-5 GHz range
• up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
• ad hoc mode: hosts only

[figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange

[figure, time running downward: A and B both send RTS to the AP and the RTS(A), RTS(B) reservations collide; A resends RTS(A); the AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A)]

802.11 frame

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
(field lengths in bytes)

802.11 frame: addressing

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

[figure: H1 – AP – R1 – Internet]

802.11 frame sent by H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame sent by AP: dest address = R1 MAC addr, source address = AP MAC addr
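Added example (not lecture code) that builds and parses a frame with the field lengths listed above, then derives the 802.3 frame the AP forwards as drawn on the slide. MAC addresses are constructed, the frame-control and duration values are placeholders, and the CRC is left zero rather than computed.

```python
"""Parse the 802.11 data-frame layout from the slide (bytes: frame control 2,
duration 2, address 1-3 6 each, seq control 2, address 4 6, payload 0-2312,
CRC 4) and build the 802.3 frame the AP sends toward the router.

Added illustration, not lecture code. MAC addresses are constructed; frame
control, duration and CRC are placeholders.
"""
import struct

FIELDS = (("frame_control", 2), ("duration", 2), ("addr1", 6), ("addr2", 6),
          ("addr3", 6), ("seq_control", 2), ("addr4", 6))
HEADER_LEN = sum(size for _, size in FIELDS)   # 30 bytes
CRC_LEN = 4
MAX_PAYLOAD = 2312

# Constructed MAC addresses for the H1 - AP - R1 picture above.
H1_MAC = "02-00-00-00-00-01"
AP_MAC = "02-00-00-00-00-02"
R1_MAC = "02-00-00-00-00-03"


def mac_bytes(text):
    return bytes.fromhex(text.replace("-", ""))


def mac_text(b):
    return "-".join(f"{x:02X}" for x in b)


def build_80211_to_ap(payload, seq=0):
    """Frame H1 sends to its AP: address 1 = AP, address 2 = H1, address 3 = R1,
    address 4 unused in infrastructure mode (all zeros)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload longer than 2312 bytes")
    header = (struct.pack("<HH", 0x0008, 0)          # frame control, duration (placeholders)
              + mac_bytes(AP_MAC) + mac_bytes(H1_MAC) + mac_bytes(R1_MAC)
              + struct.pack("<H", seq) + bytes(6))
    return header + payload + bytes(CRC_LEN)          # CRC left zero in this example


def parse_80211(frame):
    """Split a frame into its fields by the slide's byte lengths."""
    if len(frame) < HEADER_LEN + CRC_LEN:
        raise ValueError("frame shorter than header + CRC")
    fields, pos = {}, 0
    for name, size in FIELDS:
        fields[name] = frame[pos:pos + size]
        pos += size
    fields["payload"] = frame[pos:len(frame) - CRC_LEN]
    fields["crc"] = frame[-CRC_LEN:]
    if len(fields["payload"]) > MAX_PAYLOAD:
        raise ValueError("payload longer than 2312 bytes")
    return fields


def ap_to_8023(fields):
    """802.3 frame the AP forwards on the wired side, as drawn on the slide:
    dest = address 3 (R1), source = the AP's own address; payload carried over."""
    dest = fields["addr3"]
    source = mac_bytes(AP_MAC)
    length = struct.pack("!H", len(fields["payload"]))
    return dest + source + length + fields["payload"]


if __name__ == "__main__":
    frame = build_80211_to_ap(b"hello", seq=7)
    parsed = parse_80211(frame)
    print({k: (mac_text(v) if k.startswith("addr") else v) for k, v in parsed.items()})
    wired = ap_to_8023(parsed)
    print("802.3 dest:", mac_text(wired[:6]), "source:", mac_text(wired[6:12]))
```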

Network Security

• What is network security
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
Page 28: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Firewalls: Why

• Prevent denial of service attacks: SYN flooding, where an attacker establishes many bogus TCP connections so that no resources are left for "real" connections.
• Prevent illegal modification/access of internal data, e.g. an attacker replaces the CIA's homepage with something else.
• Allow only authorized access to the inside network (a set of authenticated users/hosts).
• Two types of firewalls: application-level and packet-filtering.

Packet Filtering

• Internal network connected to the Internet via a router firewall.
• The router filters packet-by-packet; the decision to forward/drop a packet is based on: source IP address, destination IP address, TCP/UDP source and destination port numbers, ICMP message type, TCP SYN and ACK bits.
• Should an arriving packet be allowed in? Should a departing packet be let out?

Packet Filtering

• Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or destination port = 23. Result: all incoming and outgoing UDP flows and all telnet connections are blocked.
• Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
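The two filter rules above as an added example (not from the slides), run over constructed packets; the Packet fields and rule names are mine, and Example 1 is read the way its stated effect requires (all UDP and all port-23 traffic dropped):

```python
"""Stateless packet filter implementing the two example rules from the
Packet Filtering slides. Added example, not part of the original slides.
Packets are plain records constructed here; no real traffic is read."""
from dataclasses import dataclass

PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17   # IP protocol field = 17 is UDP (Example 1)
TELNET = 23

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from outside) or "out" (departing)
    proto: int          # IP protocol field
    src_ip: str
    dst_ip: str
    sport: int = 0      # TCP/UDP source port (0 for ICMP)
    dport: int = 0
    syn: bool = False   # TCP SYN bit
    ack: bool = False   # TCP ACK bit

def rule_example1(p):
    """Example 1: drop datagrams with IP protocol field = 17 (UDP) or with
    either source or destination port = 23 (telnet), in both directions.
    This is the 'all or nothing' UDP policy the limitations slide mentions."""
    if p.proto == PROTO_UDP:
        return "drop"
    if p.proto == PROTO_TCP and TELNET in (p.sport, p.dport):
        return "drop"
    return None   # no decision; fall through to the next rule

def rule_example2(p):
    """Example 2: drop inbound TCP segments that open a connection (SYN set,
    ACK clear). An inbound SYN+ACK is the reply to an internal client's own
    connection attempt and is let through."""
    if p.direction == "in" and p.proto == PROTO_TCP and p.syn and not p.ack:
        return "drop"
    return None

RULES = [rule_example1, rule_example2]

def filter_packet(p, rules=RULES):
    """Apply rules in order; the first rule that decides wins, default forward.
    Note the filter trusts src_ip as written: it cannot detect spoofing."""
    for rule in rules:
        verdict = rule(p)
        if verdict is not None:
            return verdict
    return "forward"

# Constructed sample traffic (documentation address ranges, not captured data).
SAMPLE = {
    "dns_out":       Packet("out", PROTO_UDP, "10.0.0.5", "198.51.100.53", 5353, 53),
    "telnet_in":     Packet("in",  PROTO_TCP, "203.0.113.9", "10.0.0.5", 40000, TELNET, syn=True),
    "web_syn_in":    Packet("in",  PROTO_TCP, "203.0.113.9", "10.0.0.5", 40001, 80, syn=True),
    "web_syn_out":   Packet("out", PROTO_TCP, "10.0.0.5", "203.0.113.9", 40002, 80, syn=True),
    "web_synack_in": Packet("in",  PROTO_TCP, "203.0.113.9", "10.0.0.5", 80, 40002, syn=True, ack=True),
    "web_data_in":   Packet("in",  PROTO_TCP, "203.0.113.9", "10.0.0.5", 80, 40002, ack=True),
}

def run_sample():
    """Verdict for every constructed packet, keyed by its label."""
    return {name: filter_packet(p) for name, p in SAMPLE.items()}
```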

Application gateways

• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.

[Figure: host-to-gateway telnet session, then gateway-to-remote-host telnet session; the application gateway sits on the inside, the router and filter sit between it and the outside.]

1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host; the gateway relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.

Limitations of firewalls and gateways

• IP spoofing: the router can't know if data "really" comes from the claimed source.
• If multiple applications need special treatment, each has its own application gateway.
• Client software must know how to contact the gateway, e.g. must set the IP address of the proxy in the Web browser.
• Filters often use an all-or-nothing policy for UDP.
• Tradeoff: degree of communication with the outside world vs. level of security.
• Many highly protected sites still suffer from attacks.

Overview

• What is network security
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and countermeasures

Internet security threats

Mapping:
• Before attacking: "case the joint", i.e. find out what services are implemented on the network.
• Use ping to determine what hosts have addresses on the network.
• Port-scanning: try to establish a TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping countermeasures:
• Record traffic entering the network.
• Look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: Packet sniffing

• Broadcast media.
• A promiscuous NIC reads all packets passing by.
• Can read all unencrypted data (e.g. passwords).
• E.g. C sniffs B's packets.

[Figure: hosts A, B and C on one shared segment; the frame src:B dest:A payload is seen by C.]

Countermeasures?

Internet security threats: Packet sniffing countermeasures

• All hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
• One host per segment of broadcast media (switched Ethernet at the hub).

[Figure: A, B and C each on their own switched segment; the frame src:B dest:A payload no longer reaches C.]

Internet security threats: IP Spoofing

• Can generate "raw" IP packets directly from an application, putting any value into the IP source address field.
• The receiver can't tell if the source is spoofed.
• E.g. C pretends to be B.

[Figure: hosts A, B and C; C sends a frame src:B dest:A payload.]

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

• Routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in the router's network).
• Great, but ingress filtering cannot be mandated for all networks.

[Figure: hosts A, B and C; the router drops C's frame src:B dest:A payload.]

Internet security threats: Denial of service (DoS)

• Flood of maliciously generated packets "swamps" the receiver.
• Distributed DoS (DDoS): multiple coordinated sources swamp the receiver.
• E.g. C and a remote host SYN-attack A.

[Figure: streams of SYN segments from C and from a remote host converging on A.]

Countermeasures?

Internet security threats: Denial of service (DoS) countermeasures

• Filter out flooded packets (e.g. SYN) before they reach the host: throws out good with bad.
• Traceback to the source of floods (most likely an innocent, compromised machine).

[Figure: the same SYN streams towards A, now stopped at the filter in front of A.]
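The two monitoring countermeasures above (record entering traffic, look for ports scanned sequentially; filter SYN floods) as one added detection example, not from the slides. The log format, the field names and all addresses are constructed for this example:

```python
"""Two detectors for the 'Mapping countermeasures' and 'DoS countermeasures'
slides: ports being scanned sequentially by one source, and SYN floods
onto one destination, found in a log of traffic entering the network.
Added example, not from the slides; the log format and lines are made up."""
import re
from collections import defaultdict

# Constructed format: t=<seconds> src=<ip> dst=<ip> dport=<port> flags=<S|SA|A|...>
LINE_RE = re.compile(
    r"t=(?P<t>\d+(?:\.\d+)?) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]+)")

def parse_log(text):
    """Return a list of dict records, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["t"] = float(d["t"])
            d["dport"] = int(d["dport"])
            records.append(d)
    return records

def is_syn(r):
    """A connection attempt: SYN set, ACK clear."""
    return "S" in r["flags"] and "A" not in r["flags"]

def sequential_scans(records, min_run=5):
    """Sources that tried a run of >= min_run consecutive destination ports
    (the 'ports being scanned sequentially' sign). Returns {src: run length}."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["t"]):
        if is_syn(r):
            by_src[r["src"]].append(r["dport"])
    flagged = {}
    for src, ports in by_src.items():
        run = best = 1
        for a, b in zip(ports, ports[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged

def syn_floods(records, window=1.0, threshold=20):
    """Destinations receiving more than `threshold` SYNs within any
    `window`-second interval (sliding window). Returns {dst: peak count}."""
    syn_times = defaultdict(list)
    for r in records:
        if is_syn(r):
            syn_times[r["dst"]].append(r["t"])
    peaks = {}
    for dst, times in syn_times.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            peaks[dst] = peak
    return peaks

def build_sample_log():
    """Constructed log: one host walking ports 20-29 on 10.0.0.7, forty SYNs
    in half a second onto 10.0.0.9 from forty different sources, one normal
    completed handshake, and one line that is not a traffic record."""
    lines = []
    for i, port in enumerate(range(20, 30)):
        lines.append(f"t={100 + i * 0.2:.1f} src=203.0.113.5 dst=10.0.0.7 dport={port} flags=S")
    for i in range(40):
        lines.append(f"t={200 + i * 0.0125:.4f} src=198.51.100.{i} dst=10.0.0.9 dport=80 flags=S")
    lines.append("t=300 src=192.0.2.10 dst=10.0.0.7 dport=80 flags=S")
    lines.append("t=300.1 src=192.0.2.10 dst=10.0.0.7 dport=80 flags=A")
    lines.append("this line is not a traffic record")
    return "\n".join(lines)
```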

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches

Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)

• What is network security
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication
  • Protocol evolution
• Access control: firewalls
• Attacks and countermeasures
  • Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
• Global: all routers have complete topology and link cost info; "link state" algorithms.
• Decentralized: each router knows its physically connected neighbors and the link costs to those neighbors; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms.

Static or dynamic?
• Static: routes change slowly over time.
• Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

[Figure: the example graph; nodes u, v, w, x, y, z with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2.]
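The pseudocode above run on the example graph, as an added example (not from the slides); the edge costs are the ones read off the slide's figure and table, and the tie-break order is an assumption chosen so the trace reproduces the slide's table:

```python
"""Dijkstra's algorithm as written on the slide, run on the slide's example
graph; returns least costs, predecessors and the sequence of N after each
step. Added example, not from the slides."""
import math

# Undirected graph from the slide's example (edge costs as drawn there).
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3, ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}

def neighbors(graph):
    """Adjacency map: node -> {neighbor: cost}, both directions."""
    adj = {}
    for (a, b), cost in graph.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj

def dijkstra(graph, source, tie_order="uxyvwz"):
    """Link-state route computation. Returns (D, p, steps): D is the least
    cost to each node, p the predecessor on that path, steps the list of N
    after each iteration. Ties in 'find w not in N such that D(w) is a
    minimum' are broken by tie_order (assumed) so the trace matches the slide."""
    adj = neighbors(graph)
    nodes = list(adj)
    # Initialization: N = {u}; D(v) = c(u,v) if v adjacent to u, else infinity.
    N = [source]
    D = {v: (0 if v == source else adj[source].get(v, math.inf)) for v in nodes}
    p = {v: source for v in adj[source]}
    steps = ["".join(N)]
    # Loop until all nodes are in N.
    while len(N) < len(nodes):
        candidates = [v for v in nodes if v not in N]
        w = min(candidates, key=lambda v: (D[v], tie_order.index(v)))
        N.append(w)
        # Update D(v) for all v adjacent to w and not in N.
        for v, c in adj[w].items():
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        steps.append("".join(N))
    return D, p, steps

def forwarding_table(p, source):
    """Next hop from source to each destination, by walking predecessors back."""
    table = {}
    for dest in p:
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table
```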

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to its neighbors.
• When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:

  D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y in N

• Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

• Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
• Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
• The algorithm doesn't know the entire path; it only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any destination has changed, notify neighbors

[Figure: three nodes x, y, z with link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7.]

Tables over time (rows: "from", columns: "cost to" x y z):

node x table      time 0        after 1st exchange   after 2nd exchange
        x         0  2  7       0  2  3              0  2  3
        y         ∞  ∞  ∞       2  0  1              2  0  1
        z         ∞  ∞  ∞       7  1  0              3  1  0

node y table
        x         ∞  ∞  ∞       0  2  7              0  2  3
        y         2  0  1       2  0  1              2  0  1
        z         ∞  ∞  ∞       7  1  0              3  1  0

node z table
        x         ∞  ∞  ∞       0  2  7              0  2  3
        y         ∞  ∞  ∞       2  0  1              2  0  1
        z         7  1  0       3  1  0              3  1  0

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2

D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
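The x-y-z exchange above carried through in code, as an added example (not from the slides): each node keeps the last vector heard from each neighbor, applies the Bellman-Ford equation, and notifies neighbors only when its own vector changes. Exchanges are modelled as synchronous rounds, which is an assumption of this example:

```python
"""Distance-vector algorithm on the slide's x-y-z example. Added example,
not from the slides; rounds are synchronous for readability."""
import math

# Link costs from the slide: c(x,y)=2, c(y,z)=1, c(x,z)=7 (undirected).
COSTS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}

def adjacency(costs):
    """node -> {neighbor: cost}, both directions."""
    adj = {}
    for (a, b), c in costs.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj

def run_dv(costs):
    """Returns (tables, rounds): tables[node][from][to] is the final distance
    table at `node` (its own row plus one row per neighbor), and rounds is
    how many exchanges it took before no node had anything new to send."""
    adj = adjacency(costs)
    nodes = sorted(adj)
    # Own vector: 0 to itself, c(x,v) to neighbors, infinity elsewhere.
    own = {x: {y: (0 if y == x else adj[x].get(y, math.inf)) for y in nodes}
           for x in nodes}
    # Table: own row known, neighbors' rows unknown (infinity) at time 0.
    tables = {x: {x: dict(own[x]),
                  **{v: {y: math.inf for y in nodes} for v in adj[x]}}
              for x in nodes}
    pending = {x: set(adj[x]) for x in nodes}   # neighbors x still has to notify
    rounds = 0
    while any(pending.values()):
        rounds += 1
        # Deliver every outstanding DV update message.
        inbox = {x: [] for x in nodes}
        for x in nodes:
            for v in pending[x]:
                inbox[v].append((x, dict(own[x])))
            pending[x] = set()
        # Recompute: D_x(y) = min over neighbors v of c(x,v) + D_v(y).
        for x in nodes:
            for v, vec in inbox[x]:
                tables[x][v] = vec
            new = {y: (0 if y == x else
                       min(adj[x][v] + tables[x][v][y] for v in adj[x]))
                   for y in nodes}
            if new != own[x]:
                own[x] = new
                tables[x][x] = dict(new)
                pending[x] = set(adj[x])    # DV changed: notify neighbors
    return tables, rounds
```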

The Internet Network layer

Host, router network layer functions:
• Routing protocols: path selection; RIP, OSPF, BGP.
• IP protocol: addressing conventions, datagram format, packet handling conventions.
• ICMP protocol: error reporting, router "signaling".
• Forwarding table.

[Figure: protocol stack; Transport layer (TCP, UDP); Network layer (routing protocols, IP protocol, ICMP protocol, forwarding table); Link layer; Physical layer.]

IP datagram format (fields, 32 bits wide)

• ver: IP protocol version number
• head len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number of remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32-bit source IP address
• 32-bit destination IP address
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + application layer overhead.
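The header layout above as a parser, added here as an example (not from the slides): it unpacks the fixed 20-byte header, verifies the Internet checksum, and applies the per-router TTL decrement the slide describes. The datagram bytes are constructed by the block itself:

```python
"""Parse an IPv4 header as laid out on the 'IP datagram format' slide and
verify its Internet checksum. Added example, not from the slides; the
datagram bytes are constructed here (addresses from the slides' figures)."""
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # ver/IHL, TOS, length, id, flags/frag, TTL, proto, csum, src, dst

def internet_checksum(data):
    """One's-complement sum of 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(datagram):
    """Return header fields plus 'options' and 'payload'; raise on bad
    version, truncated header, or checksum mismatch."""
    if len(datagram) < 20:
        raise ValueError("truncated: need at least 20 bytes")
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack(HEADER_FMT, datagram[:20])
    ver, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if ver != 4:
        raise ValueError("not IPv4: version %d" % ver)
    hlen = ihl * 4                       # IHL counts 32-bit words
    if hlen < 20 or len(datagram) < hlen:
        raise ValueError("bad header length %d" % hlen)
    if internet_checksum(datagram[:hlen]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "version": ver, "header_len": hlen, "tos": tos, "total_len": length,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": datagram[20:hlen], "payload": datagram[hlen:length],
    }

def build_ipv4(src, dst, payload, ttl=64, proto=6, ident=0x1234, df=True):
    """Build a 20-byte header (no options) plus payload with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    flags_frag = (0b010 << 13) if df else 0       # DF bit set, offset 0
    total = 20 + len(payload)
    hdr = struct.pack(HEADER_FMT, 0x45, 0, total, ident, flags_frag,
                      ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload

def forward_hop(datagram):
    """What each router does to the header: decrement TTL and refresh the
    checksum; returns None when the TTL is exhausted (datagram discarded)."""
    fields = parse_ipv4(datagram)
    if fields["ttl"] <= 1:
        return None
    hlen = fields["header_len"]
    hdr = bytearray(datagram[:hlen])
    hdr[8] -= 1                                   # time to live
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[hlen:]
```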

IP Addressing: introduction

• IP address: 32-bit identifier for a host or router interface.
• Interface: connection between a host/router and a physical link.
  • Routers typically have multiple interfaces.
  • A host may have multiple interfaces.
  • IP addresses are associated with each interface.

[Figure: a router joining three LANs; interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27.]

223.1.1.1 = 11011111 00000001 00000001 00000001
               223       1        1        1

Subnets

• IP address: subnet part (high order bits), host part (low order bits).
• What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.

[Figure: network consisting of 3 subnets (LANs): 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.1, 223.1.2.2, 223.1.2.9; 223.1.3.1, 223.1.3.2, 223.1.3.27.]

IP addressing: CIDR

• Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).
• CIDR: Classless InterDomain Routing.
  • Subnet portion of the address is of arbitrary length.
  • Address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

  11001000 00010111 00010000 00000000
  |------- subnet part (23) -|- host part -|
  200.23.16.0/23

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and the NAT router's inside interface 10.0.0.4; the router's outside interface 138.76.29.7 faces the rest of the Internet.]

• Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source, destination (as usual).
• All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80.
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes the datagram source address from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table.
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80

   NAT translation table
   WAN side addr          LAN side addr
   138.76.29.7, 5001      10.0.0.1, 3345
   ……                     ……

3. Reply arrives, destination address 138.76.29.7, 5001.
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes the datagram destination address from 138.76.29.7, 5001 to 10.0.0.1, 3345.
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
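The four-step NAT exchange above, with the ingress-filtering rule from the IP Spoofing slide and the CIDR prefix match from the CIDR slide applied to datagrams leaving the local network, as one added example (not from the slides). Datagrams are constructed (src_ip, src_port, dst_ip, dst_port) tuples; the class and method names are mine:

```python
"""NAT router from the NAT slides plus the ingress filter from the 'IP
Spoofing: ingress filtering' slide. Added example, not from the slides."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    lan_prefix: str = "10.0.0.0/24"      # local network from the slide
    wan_ip: str = "138.76.29.7"          # the single NAT IP address
    next_port: int = 5001                # first WAN-side port handed out
    table: dict = field(default_factory=dict)    # WAN (ip, port) -> LAN (ip, port)
    reverse: dict = field(default_factory=dict)  # LAN (ip, port) -> WAN (ip, port)
    dropped_spoofed: int = 0

    def ingress_ok(self, src_ip):
        """Ingress filtering: only forward outgoing datagrams whose source
        lies inside the router's own network (a CIDR prefix match)."""
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.lan_prefix)

    def outbound(self, dgram):
        """Step 2 of the slide: rewrite source (ip, port) to (wan_ip, port),
        creating a table entry the first time a LAN (ip, port) is seen."""
        src_ip, src_port, dst_ip, dst_port = dgram
        if not self.ingress_ok(src_ip):
            self.dropped_spoofed += 1
            return None
        key = (src_ip, src_port)
        if key not in self.reverse:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.reverse[key] = wan
            self.table[wan] = key
        wan_ip, wan_port = self.reverse[key]
        return (wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, dgram):
        """Step 4: look up WAN (ip, port) and restore the LAN address. A
        reply with no table entry has no inside host to go to and is dropped,
        which is also why unsolicited connections from outside fail."""
        src_ip, src_port, dst_ip, dst_port = dgram
        lan = self.table.get((dst_ip, dst_port))
        if lan is None:
            return None
        return (src_ip, src_port, lan[0], lan[1])

def walkthrough():
    """The slide's four steps plus one spoofed datagram; returns what was seen."""
    nat = NatRouter()
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    step3 = (step2[2], step2[3], step2[0], step2[1])     # the server's reply
    step4 = nat.inbound(step3)
    # Constructed: a datagram leaving the LAN with a source not in 10.0.0.0/24.
    spoofed = nat.outbound(("192.0.2.44", 1234, "128.119.40.186", 80))
    return {"step2": step2, "step4": step4, "spoofed": spoofed,
            "table": dict(nat.table), "dropped": nat.dropped_spoofed}
```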

Hierarchical Routing

Our routing study thus far: an idealization; all routers identical, network "flat"… not true in practice.

Scale: with 200 million destinations:
• Can't store all destinations in routing tables.
• Routing table exchange would swamp links.

Administrative autonomy:
• Internet = network of networks.
• Each network admin may want to control routing in its own network.

Hierarchical Routing

• Aggregate routers into regions, "autonomous systems" (AS).
• Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.
• Gateway router: direct link to a router in another AS.

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); inside a router, the intra-AS and inter-AS routing algorithms both feed the forwarding table.]

Interconnected ASes

• Forwarding table is configured by both intra- and inter-AS routing algorithms.
  • Intra-AS sets entries for internal destinations.
  • Inter-AS and intra-AS set entries for external destinations.

Routing in the Internet

• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)

• Distance vector algorithm.
• Included in BSD-UNIX distribution in 1982.
• Distance metric: number of hops (max = 15 hops); number of hops = number of subnets traversed along the shortest path from source router to destination subnet (e.g. src = A).

[Figure: routers A, B, C, D and subnets u, v, w, x, y, z.]

From A:
  destination   hops
  u             1
  v             2
  w             2
  x             3
  y             3
  z             2

RIP advertisements

• Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement).
• Each advertisement: list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

• "Open": publicly available.
• Uses the Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm.
• Link costs configured by the network administrator.
• OSPF advertisement carries one entry per neighbor router.
• Advertisements disseminated to the entire AS (via flooding).
• Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

• Security: all OSPF messages authenticated (to prevent malicious intrusion).
• Multiple same-cost paths allowed (only one path in RIP).
• For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF.
• Hierarchical OSPF in large domains.

Hierarchical OSPF

[Figure: two-level OSPF hierarchy of areas attached to a backbone.]

• Two-level hierarchy: local area, backbone.
  • Link-state advertisements only in area.
  • Each node has detailed area topology.
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
• Backbone routers: run OSPF routing limited to backbone.
• Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP

• BGP (Border Gateway Protocol): the de facto standard.
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASes.
  2. Propagate the reachability information to all routers internal to the AS.
  3. Determine "good" routes to subnets based on reachability information and policy.
• Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions.
• Note that BGP sessions do not correspond to physical links.
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions run between gateway routers of different ASes, iBGP sessions between routers inside one AS.]

Path attributes and BGP routes

• When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".
• Two important attributes:
  • AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17.
  • NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
• When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

• Policy: Inter-AS: the admin wants control over how its traffic is routed and who routes through its net.  Intra-AS: single admin, so no policy decisions needed.
• Scale: hierarchical routing saves table size, reduced update traffic.
• Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology:
• Hosts and routers are nodes.
• Communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs.
• A layer-2 packet is a frame; it encapsulates a datagram.

The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

• Framing, link access:
  • Encapsulate datagram into frame, adding header, trailer.
  • Channel access if shared medium.
  • "MAC" addresses used in frame headers to identify source, destination; different from IP address.
• Reliable delivery between adjacent nodes:
  • We learned how to do this already (chapter 3).
  • Seldom used on low bit-error links (fiber, some twisted pair).
  • Wireless links: high error rates.
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
• Random Access: channel not divided, allow collisions; "recover" from collisions.
• "Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

• TDMA: time division multiple access.
  • Access to channel in "rounds".
  • Each station gets a fixed-length slot (length = packet transmission time) in each round.
  • Unused slots go idle.
  • Example: 6-station LAN; stations 1, 3, 4 have packets, slots 2, 5, 6 idle.
• TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
• FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros:
• A single active node can continuously transmit at the full rate of the channel.
• Highly decentralized: only slots in nodes need to be in sync.
• Simple.

Cons:
• Collisions, wasting slots.
• Idle slots.
• Clock synchronization.

Slotted Aloha efficiency

• Suppose N nodes with many frames to send, each transmits in a slot with probability p.
• Prob that node 1 has success in a slot = p(1-p)^(N-1)
• Prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
• For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: channel used for useful transmissions 37% of the time!
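The maximization the slide leaves to the reader, carried through with the slide's symbols N and p (added derivation, not part of the slides):

$$
\frac{d}{dp}\Big[Np(1-p)^{N-1}\Big]
= N(1-p)^{N-1} - N(N-1)p(1-p)^{N-2}
= N(1-p)^{N-2}\big[(1-p) - (N-1)p\big] = 0
\;\Rightarrow\; p^* = \frac{1}{N}
$$

$$
Np^*(1-p^*)^{N-1} = \Big(1-\frac{1}{N}\Big)^{N-1}
\;\xrightarrow{N\to\infty}\; \frac{1}{e} \approx 0.37
$$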

CSMA (Carrier Sense Multiple Access)

• CSMA: listen before transmit.
  • If channel sensed idle: transmit entire frame.
  • If channel sensed busy: defer transmission.
• Human analogy: don't interrupt others!

CSMA collisions

• Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
• Collision: entire packet transmission time wasted.
• Note: role of distance and propagation delay in determining collision probability.

[Figure: spatial layout of nodes and a space-time diagram of two transmissions overlapping.]

CSMA/CD (Collision Detection)

• CSMA/CD: carrier sensing, deferral as in CSMA.
  • Collisions detected within a short time.
  • Colliding transmissions aborted, reducing channel wastage.
• Collision detection:
  • Easy in wired LANs: measure signal strengths, compare transmitted and received signals.
  • Difficult in wireless LANs: receiver shut off while transmitting.

CSMA/CD collision detection

[Figure: space-time diagram of two nodes detecting and aborting a collision.]

"Taking Turns" MAC protocols

• Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
• Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

• Each IP node (host, router) on the LAN has an ARP table.
• ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
• TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B knowing B's IP address?

[Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88.]

ARP protocol: Same LAN (network)

• A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
• A broadcasts an ARP query packet containing B's IP address.
  • Destination MAC address = FF-FF-FF-FF-FF-FF.
  • All machines on the LAN receive the ARP query.
• B receives the ARP packet, replies to A with its (B's) MAC address.
  • Frame sent to A's MAC address (unicast).
• A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out).
  • Soft state: information that times out (goes away) unless refreshed.
• ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
• Two ARP tables in router R, one for each IP network (LAN).
• In the routing table at the source host, find router 111.111.111.110.
• In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A on one LAN, B on another, router R between them.]

• A creates datagram with source A, destination B.
• A uses ARP to get R's MAC address for 111.111.111.110.
• A creates link-layer frame with R's MAC address as destination; frame contains A-to-B IP datagram.
• A's adapter sends frame.
• R's adapter receives frame.
• R removes IP datagram from Ethernet frame, sees it's destined to B.
• R uses ARP to get B's MAC address.
• R creates frame containing A-to-B IP datagram, sends to B.

[Figure: the two frames, A to R on the first LAN and R to B on the second.]
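The ARP exchange and the A-to-B-via-R walkthrough above in code, as an added example (not from the slides): a per-node ARP cache with soft-state TTL, a broadcast query answered only by the owner of the IP address, and the two link-layer frames the walkthrough describes. Only 111.111.111.110 / E6-E9-00-17-BB-4B come from the slide; the other addresses are assumptions:

```python
"""ARP cache with TTL, broadcast resolution, and two-hop forwarding through
router R. Added example, not from the slides."""
BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60      # seconds; "typically 20 min"

class Lan:
    """A broadcast segment: a query reaches every attached node."""
    def __init__(self):
        self.nodes = []

    def attach(self, node, iface):
        self.nodes.append((node, iface))

    def arp_query(self, target_ip):
        # Every node receives the broadcast (dest MAC FF-FF-FF-FF-FF-FF);
        # only the owner of target_ip replies, unicast, with its MAC.
        for node, iface in self.nodes:
            if node.ips[iface] == target_ip:
                return node.macs[iface]
        return None

class Node:
    def __init__(self, name):
        self.name = name
        self.ips, self.macs, self.lans = {}, {}, {}   # per interface
        self.arp = {}                                  # ip -> (mac, expiry)

    def add_iface(self, iface, ip, mac, lan):
        self.ips[iface], self.macs[iface], self.lans[iface] = ip, mac, lan
        lan.attach(self, iface)

    def resolve(self, ip, iface, now):
        """Cache hit if the entry has not timed out; otherwise broadcast a
        query on that interface's LAN and cache the reply (soft state)."""
        entry = self.arp.get(ip)
        if entry and entry[1] > now:
            return entry[0], "cache"
        mac = self.lans[iface].arp_query(ip)
        if mac is None:
            return None, "no-reply"
        self.arp[ip] = (mac, now + ARP_TTL)
        return mac, "query"

def send_a_to_b(a, r, b, now=0):
    """Returns the two link-layer frames as (src_mac, dst_mac, datagram)."""
    datagram = (a.ips["eth0"], b.ips["eth0"])            # (src_ip, dst_ip)
    # A: routing table says next hop is R's interface on A's LAN.
    r_mac, _ = a.resolve(r.ips["lan1"], "eth0", now)
    frame1 = (a.macs["eth0"], r_mac, datagram)
    # R: strips the frame, sees the datagram is for B, resolves B on LAN 2.
    b_mac, _ = r.resolve(datagram[1], "lan2", now)
    frame2 = (r.macs["lan2"], b_mac, datagram)
    return frame1, frame2

def build_topology():
    """Two LANs joined by R. Addresses marked 'assumed' are not on the slide."""
    lan1, lan2 = Lan(), Lan()
    a, r, b = Node("A"), Node("R"), Node("B")
    a.add_iface("eth0", "111.111.111.111", "74-29-9C-E8-FF-55", lan1)   # assumed
    r.add_iface("lan1", "111.111.111.110", "E6-E9-00-17-BB-4B", lan1)   # from slide
    r.add_iface("lan2", "222.222.222.220", "1A-23-F9-CD-06-9B", lan2)   # assumed
    b.add_iface("eth0", "222.222.222.222", "49-BD-D2-C7-56-2A", lan2)   # assumed
    return a, r, b
```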

Ethernet uses CSMA/CD

• No slots.
• Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
• Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
• Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer and creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

• Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
• Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.
• Exponential Backoff:
  • Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer.
  • First collision: choose K from {0, 1}; delay is K·512 bit transmission times.
  • After second collision: choose K from {0, 1, 2, 3}…
  • After ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}.

CSMA/CD efficiency

• t_prop = max propagation delay between 2 nodes in LAN
• t_trans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 t_prop / t_trans)

• Efficiency goes to 1 as t_prop goes to 0.
• Goes to 1 as t_trans goes to infinity.
• Much better than ALOHA, but still decentralized, simple and cheap.
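The five-step algorithm with its exponential backoff, as an added slot-level model (not from the slides) in which time advances in units of one 512-bit slot and every contending adapter has one frame ready; the efficiency formula from this slide is included as a function. The model and the parameter names are assumptions of this example:

```python
"""Slot-level model of the Ethernet CSMA/CD algorithm (steps 2-5 with binary
exponential backoff) and the slide's efficiency formula. Added example, not
from the slides; an idealisation where one slot = 512 bit times."""
import random

BIT_TIME_10MBPS = 0.1e-6      # seconds; ".1 microsec for 10 Mbps"
SLOT_BITS = 512

def backoff_slots(m, rng):
    """Step 5: after the m-th collision pick K from {0, ..., 2^min(m,10) - 1}
    (the range stops growing after ten collisions)."""
    return rng.randrange(2 ** min(m, 10))

def backoff_seconds(k, bit_time=BIT_TIME_10MBPS):
    """K * 512 bit times; for K = 1023 at 10 Mbps this is about 52 ms."""
    return k * SLOT_BITS * bit_time

def simulate(n_adapters, seed=1, max_slots=100_000):
    """n adapters each have one frame ready at slot 0. In each slot every
    adapter whose backoff has expired transmits: exactly one transmitter is a
    success (step 3); more than one is a collision, each backs off (steps 4-5)
    and retries K slots later. Returns (collisions per adapter, slot in which
    each frame got through)."""
    rng = random.Random(seed)
    collisions = [0] * n_adapters
    done_at = [None] * n_adapters
    wait = [0] * n_adapters                 # slots left before (re)trying
    for slot in range(max_slots):
        ready = [i for i in range(n_adapters)
                 if done_at[i] is None and wait[i] == 0]
        if len(ready) == 1:
            done_at[ready[0]] = slot        # frame sent, adapter done
        elif len(ready) > 1:
            for i in ready:                 # abort, jam, exponential backoff
                collisions[i] += 1
                wait[i] = backoff_slots(collisions[i], rng)
        for i in range(n_adapters):
            if done_at[i] is None and wait[i] > 0 and i not in ready:
                wait[i] -= 1
        if all(d is not None for d in done_at):
            break
    return collisions, done_at

def efficiency(t_prop, t_trans):
    """Slide formula: 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)

def backoff_ranges_ok(trials=200, seed=0):
    """Check that K never leaves {0, ..., 2^min(m,10) - 1} for m = 1..15."""
    rng = random.Random(seed)
    return all(backoff_slots(m, rng) < 2 ** min(m, 10)
               for m in range(1, 16) for _ in range(trials))
```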

Hubs

Hubs are essentially physical-layer repeaters:
• Bits coming from one link go out all other links.
• At the same rate.
• No frame buffering.
• No CSMA/CD at hub: adapters detect collisions.
• Provides net management functionality: can disconnect a malfunctioning adapter.

[Figure: hub with twisted-pair links to hosts.]

Interconnecting with hubs

Pros:
• Enables interdepartmental communication.
• Extends max distance between nodes.
• If a hub malfunctions, the backbone hub can disconnect it.

Cons:
• Collision domains are transferred into one large common domain.
• Cannot interconnect 10BaseT and 100BaseT hubs.

[Figure: three hubs connected to a backbone hub.]

Switch

Link layer device:
• Stores and forwards Ethernet frames.
• Examines frame header and selectively forwards frame based on MAC destination address.
• When frame is to be forwarded on a segment, uses CSMA/CD to access segment.

Transparent:
• Hosts are unaware of presence of switches.

Plug-and-play, self-learning:
• Switches do not need to be configured.

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem…

[Figure: switch with interfaces 1, 2, 3, each connected to a hub.]

Self learning

• A switch has a switch table.
• Entry in switch table: (MAC Address, Interface, Time Stamp).
• Stale entries in table dropped (TTL can be 60 min).
• Switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

• Switch installation breaks subnet into LAN segments.
• Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.

[Figure: switch connected to three hubs, each hub forming its own collision domain.]
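The self-learning and filtering behaviour above as an added example (not from the slides): the switch learns (MAC, interface, time stamp) from every frame, ages entries out, filters same-segment frames and floods frames for unknown destinations, which is the traffic isolation that keeps a sniffer on one segment from seeing the others. MAC addresses and frames are constructed:

```python
"""Self-learning switch from the 'Self learning' and 'Switch: traffic
isolation' slides. Added example, not from the slides."""

class LearningSwitch:
    def __init__(self, interfaces, ttl=60 * 60):      # "TTL can be 60 min"
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}        # mac -> (interface, time_stamp)

    def _expire(self, now):
        """Drop stale entries: those older than the TTL."""
        stale = [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Handle one frame; returns the list of interfaces it is sent out on."""
        self._expire(now)
        # Learn: the sender is reachable through the incoming interface.
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if entry is None:
            # Unknown destination: flood to every other segment.
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []          # same-segment frame: filter, do not forward
        return [out_iface]     # selectively forward on one segment

def demo():
    """Constructed traffic across three segments; returns the decisions and
    the final switch table."""
    sw = LearningSwitch([1, 2, 3])
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    out = {}
    out["A->B first"] = sw.receive(A, B, 1, now=0)       # B unknown: flood
    out["B->A reply"] = sw.receive(B, A, 2, now=1)       # A known on 1
    out["A->B again"] = sw.receive(A, B, 1, now=2)       # B known on 2
    out["C->A local"] = sw.receive(C, A, 1, now=3)       # C shares segment 1
    out["B->A aged"] = sw.receive(B, A, 2, now=4000)     # A's entry expired
    return out, dict(sw.table)
```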

Switches vs. Routers

• Both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
• Routers maintain routing tables, implement routing algorithms.
• Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

• Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other, which means A, C are unaware of their interference at B.

[Figure: A and C on either side of B, each outside the other's range.]

• Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B.

[Figure: A's signal strength and C's signal strength plotted against space; each fades out before reaching the other.]

IEEE 802.11 Wireless LAN

• 802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code; widely deployed, using base stations.
• 802.11a: 5-6 GHz range; up to 54 Mbps.
• 802.11g: 2.4-5 GHz range; up to 54 Mbps.
• All use CSMA/CA for multiple access.
• All have base-station and ad-hoc network versions.

802.11 LAN architecture

• Wireless host communicates with base station; base station = access point (AP).
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP), the base station.
• Ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet.]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If sense channel idle for DIFS, then transmit entire frame (no CD).
2. If sense channel busy, then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2.

802.11 receiver:
• If frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK.]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP; RTS(A) and RTS(B) collide, then RTS(A) gets through; the AP sends CTS(A), which A and B both receive (reservation); A sends DATA(A) while B defers; the AP returns ACK(A).]

802.11 frame format (field sizes in bytes):

frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)

802.11 frame: addressing

• Address 1: MAC address of wireless host or AP to receive this frame.
• Address 2: MAC address of wireless host or AP transmitting this frame.
• Address 3: MAC address of router interface to which AP is attached.
• Address 4: used only in ad hoc mode.

802.11 frame: addressing (example)

[Figure: H1 — AP — R1 — Internet. The 802.11 frame from H1 carries address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. The 802.3 frame the AP puts on the wired side carries dest address = R1 MAC addr, source address = AP MAC addr.]

Network Security

• What is network security
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and countermeasures: Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 29: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Packet Filtering

internal network connected to Internet via router firewall

router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits

Should arriving packet be allowed

in Departing packet let out

Packet Filtering

Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and

telnet connections are blocked

Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP

connections with internal clients but allows internal clients to connect to outside

Application gateways

Filters packets on application data as well as on IPTCPUDP fields

Example allow select internal users to telnet outside

host-to-gatewaytelnet session

gateway-to-remote host telnet session

applicationgateway

router and filter

1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet

connection to dest host Gateway relays data between 2 connections

3 Router filter blocks all telnet connections not originating from gateway

Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source.
If multiple apps need special treatment, each has own app gateway.
Client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser.
Filters often use all-or-nothing policy for UDP.
Tradeoff: degree of communication with outside world vs. level of security.
Many highly protected sites still suffer from attacks.

Overview

What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.

Internet security threats

Mapping: before attacking, "case the joint", i.e. find out what services are implemented on network. Use ping to determine what hosts have addresses on network. Port-scanning: try to establish TCP connection to each port in sequence.

Countermeasures?

Internet security threats

Mapping countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially).
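As an added example (not code from the course), here is the mapping countermeasure just described, run over a constructed firewall log: a source that sends connection requests to many different ports of one host within a short window is flagged as a port scan. The log line format, the sample lines and the thresholds are assumptions for illustration.

```python
# Added example (not from the course slides): the mapping countermeasure from
# the slide, run over a constructed firewall log. A source that opens
# connections to many different ports on one host inside a short window is
# flagged as a port scan. The log format and thresholds are assumptions.
from collections import defaultdict
import re

LOG_LINE = re.compile(r"^(?P<t>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) SYN$")

# Constructed sample: one host sweeping ports in sequence, one normal client.
SAMPLE_LOG = """\
100 203.0.113.9 -> 10.0.0.5:21 SYN
101 203.0.113.9 -> 10.0.0.5:22 SYN
101 203.0.113.9 -> 10.0.0.5:23 SYN
102 203.0.113.9 -> 10.0.0.5:25 SYN
102 203.0.113.9 -> 10.0.0.5:80 SYN
103 203.0.113.9 -> 10.0.0.5:110 SYN
104 203.0.113.9 -> 10.0.0.5:143 SYN
105 198.51.100.7 -> 10.0.0.5:443 SYN
160 198.51.100.7 -> 10.0.0.5:443 SYN
not a log line
""".splitlines()


def find_scanners(lines, min_ports=5, window=60):
    """Map each scanning source to the sorted list of ports it probed.

    A source is flagged when it sends SYNs to at least `min_ports` distinct
    ports of the same destination within `window` seconds."""
    events = defaultdict(list)               # (src, dst) -> [(time, port)]
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue                         # skip lines that do not parse
        events[(m["src"], m["dst"])].append((int(m["t"]), int(m["port"])))

    scanners = {}
    for (src, dst), probes in events.items():
        probes.sort()
        lo = 0
        for hi in range(len(probes)):
            while probes[hi][0] - probes[lo][0] > window:
                lo += 1                      # slide the window forward
            if len({port for _, port in probes[lo:hi + 1]}) >= min_ports:
                scanners[src] = sorted({port for _, port in probes})
                break
    return scanners
```

The repeated 443 requests from the second client stay below the threshold, which is the kind of traffic the detector must not flag; tune `min_ports` and `window` against normal traffic before acting on alerts.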

Internet security threats: Packet sniffing

Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords). E.g. C sniffs B's packets.

[figure: hosts A, B, C on a shared segment; the frame src:B dest:A payload is also seen by C]

Countermeasures?

Internet security threats: Packet sniffing countermeasures

All hosts in organization run software that checks periodically if host interface is in promiscuous mode.
One host per segment of broadcast media (switched Ethernet at hub).

[figure: hosts A, B, C each on its own switched segment; the frame src:B dest:A payload no longer reaches C]
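The first countermeasure above, as an added example that is not from the course: a host-side check for interfaces in promiscuous mode. On Linux the kernel exposes each interface's flags in /sys/class/net/&lt;iface&gt;/flags, and IFF_PROMISC is the 0x100 bit defined in &lt;linux/if.h&gt;. The flag strings used in the test are constructed.

```python
# Added example (not from the course slides): detect interfaces in promiscuous
# mode on Linux by reading /sys/class/net/<iface>/flags; IFF_PROMISC is the
# 0x100 bit from <linux/if.h>. Meant to be run periodically (e.g. from cron).
import os

IFF_PROMISC = 0x100      # interface receives all frames on the medium


def is_promiscuous(flags_text: str) -> bool:
    """Decode the hex string read from a sysfs flags file, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net="/sys/class/net"):
    """Names of the interfaces currently in promiscuous mode (empty off Linux)."""
    found = []
    if not os.path.isdir(sys_net):
        return found
    for iface in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, iface, "flags")) as f:
                if is_promiscuous(f.read()):
                    found.append(iface)
        except OSError:
            continue              # interface vanished or unreadable; skip it
    return found


if __name__ == "__main__":
    print("promiscuous interfaces:", promiscuous_interfaces() or "none")
```

A check like this only sees what the kernel reports, so it does not help once the host itself is compromised; the slide's second countermeasure, one host per switched segment, removes the sniffer's vantage point instead of trying to detect it.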

Internet security threats: IP Spoofing

Can generate "raw" IP packets directly from application, putting any value into IP source address field. Receiver can't tell if source is spoofed. E.g. C pretends to be B.

[figure: hosts A, B, C; C sends a frame with src:B dest:A payload]

Countermeasures?

Internet security threats: IP Spoofing, ingress filtering

Routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network).
Great, but ingress filtering can not be mandated for all networks.

[figure: hosts A, B, C; C's spoofed frame src:B dest:A payload is dropped at the router]
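The ingress-filtering rule, as an added example that is not from the course: an edge router forwards an outgoing datagram only if its source address lies in one of the prefixes that legitimately sit behind the customer-facing interface. The prefixes and the sample datagrams are assumptions.

```python
# Added example (not from the course slides): ingress filtering at a
# customer-edge router. Outgoing datagrams whose source address is not in a
# prefix assigned to this network are dropped. Prefixes and traffic are assumed.
from ipaddress import ip_address, ip_network

# Prefixes legitimately behind the customer-facing interface (assumption).
CUSTOMER_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/25")]


def ingress_allow(src: str) -> bool:
    """Forward an outgoing datagram only if its source lies in a customer prefix."""
    try:
        a = ip_address(src)
    except ValueError:
        return False                      # malformed address: never forward
    return any(a in net for net in CUSTOMER_PREFIXES)


def filter_outbound(datagrams):
    """Split (src, dst) pairs into the forwarded and the dropped lists."""
    forwarded, dropped = [], []
    for src, dst in datagrams:
        (forwarded if ingress_allow(src) else dropped).append((src, dst))
    return forwarded, dropped
```

The filter works only at the network where the spoofed packets originate, which is exactly the slide's caveat: a victim elsewhere gains nothing from its own router applying it, so the measure depends on every edge network deploying it.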

Internet security threats: Denial of service (DoS)

Flood of maliciously generated packets "swamp" receiver. Distributed DoS (DDoS): multiple coordinated sources swamp receiver. E.g. C and remote host SYN-attack A.

[figure: hosts A, B, C; C and a remote host send a stream of SYN segments to A]

Countermeasures?

Internet security threats: Denial of service (DoS) countermeasures

Filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad.
Traceback to source of floods (most likely an innocent, compromised machine).

[figure: hosts A, B, C; the SYN flood from C and the remote host is filtered before it reaches A]
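The "filter out flooded packets" countermeasure, as an added example that is not from the course: a SYN rate limiter placed in front of a host. Once the number of connection requests to a destination inside the window exceeds the threshold, every further SYN in that window is dropped, legitimate or not, which is the slide's "throw out good with bad". Threshold, window and the simulated traffic are assumptions.

```python
# Added example (not from the course slides): per-destination SYN rate
# limiting in front of a host. Threshold, window and traffic are assumptions.
from collections import defaultdict, deque


class SynRateLimiter:
    def __init__(self, max_syn_per_window=100, window=1.0):
        self.max_syn = max_syn_per_window
        self.window = window                 # seconds
        self.recent = defaultdict(deque)     # dst -> timestamps of admitted SYNs
        self.dropped = defaultdict(int)      # dst -> count of dropped SYNs

    def admit(self, t: float, dst: str, syn: bool) -> bool:
        """True if the packet may reach the host; only SYNs are rate limited."""
        if not syn:
            return True
        q = self.recent[dst]
        while q and t - q[0] > self.window:
            q.popleft()                      # forget SYNs outside the window
        if len(q) >= self.max_syn:
            self.dropped[dst] += 1
            return False                     # flood: good and bad alike are dropped
        q.append(t)
        return True


def simulate(limiter, flood_syns=500, victim="10.0.0.5"):
    """A SYN flood at 1000 SYN/s, then one legitimate client during and after it.
    Returns (admitted during flood?, admitted 5 s later?, SYNs dropped)."""
    t = 0.0
    for _ in range(flood_syns):
        limiter.admit(t, victim, syn=True)
        t += 0.001
    legit_during = limiter.admit(t, victim, syn=True)
    legit_later = limiter.admit(t + 5.0, victim, syn=True)
    return legit_during, legit_later, limiter.dropped[victim]
```

With a 100-SYN window the flood pushes out the legitimate client that arrives while it is running; the client gets through once the window has drained. That collateral loss is inherent to filtering on volume alone, which is why the slide lists traceback to the (usually compromised) source as the complementary measure.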

Review (1): Network Layer

Virtual Circuits and Datagram Networks
Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation

Review (2): Routing in the Internet

• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer: Introduction and services; Error detection and correction; Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• "Taking Turns" Protocols
Link-Layer Addressing; Ethernet; Hubs and switches; Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3): What is network security?

Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and countermeasures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" alg

orithms.
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms.

Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

[figure: graph with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
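The link-state computation above, as an added example that is not code from the course: Dijkstra's algorithm run on the slide's six-node graph, producing the same D(v), p(v) values as the table, plus the first-hop forwarding table a router would install from the predecessor pointers. `heapq` is the standard-library priority queue; the edge costs are read off the slide's figure.

```python
# Added example (not from the course slides): Dijkstra's algorithm on the
# slide's graph, returning least costs, predecessors and the forwarding table.
import heapq

# Edge costs read off the slide's figure.
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph, source):
    """Return (D, p): least cost D[v] and predecessor p[v] on that path."""
    D = {v: float("inf") for v in graph}
    p = {v: None for v in graph}
    D[source] = 0
    N = set()                                # nodes whose least cost is final
    heap = [(0, source)]
    while heap:
        d, w = heapq.heappop(heap)           # w not in N with minimum D(w)
        if w in N:
            continue                         # stale heap entry
        N.add(w)
        for v, cost in graph[w].items():     # update D(v) for neighbours not in N
            if v not in N and d + cost < D[v]:
                D[v], p[v] = d + cost, w
                heapq.heappush(heap, (D[v], v))
    return D, p


def forwarding_table(graph, source):
    """First hop from source to every destination, as a router would install."""
    _, p = dijkstra(graph, source)
    table = {}
    for dest in graph:
        if dest == source:
            continue
        hop = dest
        while p[hop] != source:              # walk predecessors back to source
            hop = p[hop]
        table[dest] = hop
    return table
```

From u the table shows why the least-cost path to w goes through x and y (cost 3) rather than over the direct link (cost 5), and that every destination except v is reached through x.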

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:

D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[figure: network x, y, z with link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7; node x, y and z tables evolving over time]

Initial tables (each node knows only the costs to its own neighbors):
node x table, cost to x y z: from x: 0 2 7; from y: ∞ ∞ ∞; from z: ∞ ∞ ∞
node y table, cost to x y z: from x: ∞ ∞ ∞; from y: 2 0 1; from z: ∞ ∞ ∞
node z table, cost to x y z: from x: ∞ ∞ ∞; from y: ∞ ∞ ∞; from z: 7 1 0

After the first exchange of distance vectors:
node x table: from x: 0 2 3; from y: 2 0 1; from z: 7 1 0
node y table: from x: 0 2 7; from y: 2 0 1; from z: 7 1 0
node z table: from x: 0 2 7; from y: 2 0 1; from z: 3 1 0

After the second exchange (converged; no DV changes, so no further notifications):
node x, y, z tables: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
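The table evolution above, as an added example that is not code from the course: a synchronous run of the distance-vector algorithm on the slide's x, y, z network, applying the Bellman-Ford update D_x(y) = min_v { c(x,v) + D_v(y) } until no vector changes, and then reading off the next hops, which is all a DV node ever learns.

```python
# Added example (not from the course slides): synchronous distance-vector
# iteration on the slide's x-y-z network with the Bellman-Ford update.
INF = float("inf")
NODES = ("x", "y", "z")
LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}     # costs from the slide


def c(a, b):
    """Link cost between a and b (0 to itself, INF if not adjacent)."""
    if a == b:
        return 0
    return LINKS.get((a, b), LINKS.get((b, a), INF))


def neighbors(x):
    return [v for v in NODES if v != x and c(x, v) < INF]


def run_dv(max_rounds=100):
    """Iterate until every node's DV is unchanged; return (DVs, rounds used)."""
    dv = {x: {y: c(x, y) for y in NODES} for x in NODES}     # initial estimates
    for rounds in range(1, max_rounds + 1):
        # D_x(y) = min over neighbours v of c(x,v) + D_v(y), with the direct
        # link cost as the starting candidate.
        new = {x: {y: min([c(x, y)] + [c(x, v) + dv[v][y] for v in neighbors(x)])
                   for y in NODES} for x in NODES}
        if new == dv:
            return dv, rounds          # nothing changed: no notifications sent
        dv = new
    return dv, max_rounds


def next_hops(dv):
    """Each node only learns the next hop, never the full path."""
    return {x: {y: min(neighbors(x), key=lambda v: c(x, v) + dv[v][y])
                for y in NODES if y != x} for x in NODES}
```

The run converges after the second exchange, exactly as in the tables: x reaches z through y at cost 3 rather than over the direct cost-7 link.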

The Internet Network layer

Host, router network layer functions:

Routing protocols: path selection; RIP, OSPF, BGP
IP protocol: addressing conventions, datagram format, packet handling conventions
ICMP protocol: error reporting, router "signaling"
Forwarding table

Transport layer: TCP, UDP
Network layer
Link layer
Physical layer

IP datagram format

[figure: IPv4 header laid out in 32-bit rows]

ver: IP protocol version number
head len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
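The header layout above, as an added example that is not code from the course: building, parsing and checksumming the 20-byte IPv4 header with `struct`. The addresses come from the slide's figure on the next page; the payload length, identifier and flag values are assumptions. The parser rejects headers whose declared length does not fit the buffer, which is the check a packet filter needs before trusting any later field.

```python
# Added example (not from the course slides): build, parse and checksum the
# 20-byte IPv4 header shown on the slide. Payload length and identifier are
# assumptions.
import struct

HDR_FMT = "!BBHHHBBH4s4s"       # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum, complemented; a header that already carries
    a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)     # fold carries back in
    return ~total & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto=6, ttl=64, ident=0x1C46) -> bytes:
    ver_ihl = (4 << 4) | 5                      # version 4, 5 words = 20 bytes
    flags_frag = 0x4000                         # DF set, fragment offset 0
    hdr = struct.pack(HDR_FMT, ver_ihl, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or header length")
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src": ".".join(str(x) for x in src), "dst": ".".join(str(x) for x in dst),
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
    }
```

Changing a single header byte, such as the TTL a router decrements, invalidates the checksum, so every router recomputes it; the checksum detects corruption only, not deliberate modification.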

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface.
Interface: connection between host/router and physical link; routers typically have multiple interfaces; host may have multiple interfaces; IP addresses associated with each interface.

[figure: three LANs joined by one router; host interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3; 223.1.2.1, 223.1.2.2; 223.1.3.1, 223.1.3.2; router interfaces 223.1.1.4, 223.1.2.9, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address: subnet part (high order bits), host part (low order bits).
What's a subnet? Device interfaces with same subnet part of IP address can physically reach each other without intervening router.

[figure: the same network as above, consisting of 3 subnets, one per LAN]

IP addressing: CIDR

Before CIDR only 8-, 16- and 24-bit masks were available (A, B and C class networks).
CIDR: Classless InterDomain Routing; subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

11001000 00010111 00010000 00000000 = 200.23.16.0/23
subnet part: first 23 bits; host part: remaining 9 bits
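The CIDR split above, as an added example that is not code from the course: splitting 200.23.16.0/23 into its subnet and host bits, and the longest-prefix-match lookup that arbitrary-length prefixes require, since several entries can match one destination and the most specific one must win. The forwarding table entries other than the slide's /23 are assumptions.

```python
# Added example (not from the course slides): CIDR subnet/host split and
# longest-prefix-match forwarding. Table entries beyond 200.23.16.0/23 are assumed.
from ipaddress import ip_address, ip_network


def split_address(addr_with_prefix: str):
    """Return (subnet part, host part) as bit strings, e.g. for 200.23.16.0/23."""
    net = ip_network(addr_with_prefix, strict=False)
    bits = format(int(ip_address(addr_with_prefix.split("/")[0])), "032b")
    return bits[:net.prefixlen], bits[net.prefixlen:]


FORWARDING_TABLE = [   # (prefix, outgoing interface); order does not matter
    (ip_network("200.23.16.0/23"), 0),
    (ip_network("200.23.16.0/24"), 1),   # more specific: wins for 200.23.16.x
    (ip_network("0.0.0.0/0"), 2),        # default route
]


def lookup(dst: str) -> int:
    """Longest-prefix match: among matching entries, the longest prefix decides."""
    a = ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in FORWARDING_TABLE if a in net]
    if not matches:
        raise LookupError("no route to %s" % dst)
    return max(matches)[1]
```

Because the most specific prefix wins, anyone able to inject a longer prefix into a routing table redirects that address space; that is what makes the import policies discussed under BGP below matter.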

NAT: Network Address Translation

[figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router with LAN side 10.0.0.4 and WAN side 138.76.29.7, connected to the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual).
All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers.

NAT: Network Address Translation

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
...                    ...

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
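The four steps above, as an added example that is not code from the course: a NAT router that allocates a WAN-side port per outbound (source address, port) pair, records the mapping, and translates replies back. The slide's addresses are used; the port allocation order and the packet representation as a (src, sport, dst, dport) tuple are assumptions.

```python
# Added example (not from the course slides): the NAT translation walk-through
# with the slide's addresses. Port allocation order is an assumption.
class NatRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}          # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}        # (lan_ip, lan_port) -> wan_port

    def outbound(self, pkt):
        """Step 2: rewrite the source addr:port and create the table entry."""
        src, sport, dst, dport = pkt
        key = (src, sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[(self.wan_ip, self.next_port)] = key
            self.next_port += 1
        return (self.wan_ip, self.reverse[key], dst, dport)

    def inbound(self, pkt):
        """Step 4: look up the WAN-side port; a datagram with no entry is dropped."""
        src, sport, dst, dport = pkt
        entry = self.table.get((dst, dport))
        if entry is None:
            return None
        lan_ip, lan_port = entry
        return (src, sport, lan_ip, lan_port)
```

An inbound datagram whose destination port has no table entry has nowhere to go and is dropped, so a host behind the NAT is reachable only through a mapping that its own outbound traffic created.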

Hierarchical Routing

Our routing study thus far: idealization; all routers identical; network "flat"... not true in practice.

Scale: with 200 million destinations, can't store all dests in routing tables; routing table exchange would swamp links.
Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS).
Routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol.
Gateway router: direct link to router in another AS.

[figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c), interconnected through their gateway routers]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS and intra-AS set entries for external dests.

[figure: intra-AS routing algorithm and inter-AS routing algorithm both feed the forwarding table]

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: number of hops (max = 15 hops); number of subnets traversed along the shortest path from src router to dst subnet.

[figure: routers A, B, C, D; subnets u, v, w, x, y, z]

From router A:
destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement).
Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"open": publicly available. Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator.
OSPF advertisement carries one entry per neighbor router.
Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to backbone.
Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[figure: AS1 (1a-1d), AS2 (2a-2c), AS3 (3a-3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes and BGP routes

When advertising a prefix, advert includes BGP attributes; prefix + attributes = "route".
Two important attributes:
AS-PATH: contains the ASs through which the advert for the prefix passed, e.g. AS 67, AS 17.
NEXT-HOP: indicates the specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop AS.)
When gateway router receives route advert, uses import policy to accept/decline.
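The import step above, as an added example that is not code from the course: a gateway router receives routes (prefix plus AS-PATH and NEXT-HOP), rejects any whose AS-PATH already contains its own AS (the advert has looped back), applies a local policy of ASes it refuses to transit, and keeps the accepted route with the shortest AS-PATH per prefix. The AS numbers, prefix and next-hop names are assumptions.

```python
# Added example (not from the course slides): BGP import policy and route
# selection at a gateway router. AS numbers, prefix and next hops are assumed.
from dataclasses import dataclass

MY_AS = 1                      # the AS this gateway router belongs to (assumption)


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple             # ASes the advert passed through, e.g. (67, 17)
    next_hop: str              # internal-AS router toward the next-hop AS


def accept(route: Route, blocked_transit=frozenset()) -> bool:
    """Import policy: drop loops and routes through ASes we refuse to use."""
    if MY_AS in route.as_path:
        return False           # the advert has already been through this AS
    if blocked_transit & set(route.as_path):
        return False           # policy: never send traffic via these ASes
    return True


def select(routes, blocked_transit=frozenset()):
    """Best accepted route per prefix: shortest AS-PATH, ties broken by next hop."""
    best = {}
    for r in routes:
        if not accept(r, blocked_transit):
            continue
        cur = best.get(r.prefix)
        if cur is None or (len(r.as_path), r.next_hop) < (len(cur.as_path), cur.next_hop):
            best[r.prefix] = r
    return best
```

Nothing in the advert itself proves that the origin AS is entitled to the prefix, so the import policy is where an operator decides which neighbours' claims to believe.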

Why different Intra- and Inter-AS routing?

Policy: inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduced update traffic.
Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links (wired links, wireless links, LANs); layer-2 packet is a frame, encapsulates datagram.
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates.
• Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkt, slots 2, 5, 6 idle.
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p.
Prob that node 1 has success in a slot = p(1-p)^(N-1)
Prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e ≈ 0.37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time.

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.
Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.
[figure: spatial layout of nodes; note the role of distance and propagation delay in determining collision probability]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting.

CSMA/CD collision detection
[figure: two stations' transmissions overlap in space-time and both abort on detecting the collision]

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table.
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >.
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).

Question: how to determine MAC address of B knowing B's IP address?

[figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.
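The exchange above, as an added example that is not code from the course: building and parsing Ethernet/IPv4 ARP messages in the RFC 826 layout, and an ARP table whose entries are soft state that expires after the slide's 20-minute TTL. The slide's figure does not say which MAC belongs to which IP, so the pairing used in the test is an assumption; the `answer` callback stands in for B on the LAN.

```python
# Added example (not from the course slides): build and parse Ethernet/IPv4
# ARP messages (RFC 826 layout) and keep an ARP table with expiring entries.
# Which MAC belongs to which IP in the slide's figure is an assumption.
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))

def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpTable:
    """<IP address, MAC address, TTL> entries; a lookup past expiry forgets the entry."""
    def __init__(self, ttl=20 * 60):
        self.ttl = ttl
        self.entries = {}                    # ip -> (mac, expiry time)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip, now):
        mac, expiry = self.entries.get(ip, (None, 0))
        if mac is None or now >= expiry:
            self.entries.pop(ip, None)       # stale: forgotten unless refreshed
            return None
        return mac


def resolve(table, my_mac, my_ip, target_ip, now, answer):
    """A wants B's MAC: serve from cache, else broadcast a request and cache the reply.
    `answer` stands in for the LAN: it receives the request bytes and returns B's reply.
    Returns (mac or None, whether a request had to be sent)."""
    mac = table.lookup(target_ip, now)
    if mac is not None:
        return mac, False
    request = build_arp(REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip)
    reply = parse_arp(answer(request))
    if reply["oper"] == REPLY and reply["spa"] == target_ip:
        table.learn(reply["spa"], reply["sha"], now)
        return reply["sha"], True
    return None, True
```

Note that the only check a requester can make is that the reply names the IP address it asked about; the "plug-and-play" property the slide highlights is exactly that no administrator-provisioned binding exists to check a reply against.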

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

[figure: A, R, B; A and R on one LAN, R and B on the other]

A creates datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram. A's adapter sends frame. R's adapter receives frame. R removes IP datagram from Ethernet frame, sees it's destined to B. R uses ARP to get B's MAC address. R creates frame containing A-to-B IP datagram, sends to B.

Ethernet uses CSMA/CD

No slots. Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense. Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection. Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer and creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K × 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.
Exponential Backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer. First collision: choose K from {0, 1}; delay is K × 512 bit transmission times. After second collision: choose K from {0, 1, 2, 3}... After ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency

t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0. Goes to 1 as t_trans goes to infinity. Much better than ALOHA, but still decentralized, simple, and cheap.
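The backoff schedule and the efficiency bound above, as an added example that is not code from the course: the K range after the m-th collision (capped at 1023 after ten collisions), the resulting wait in seconds at 10 Mbps, and the efficiency formula evaluated for given propagation and transmission times. The random generator seed is an assumption made so the example is reproducible.

```python
# Added example (not from the course slides): Ethernet exponential backoff and
# the CSMA/CD efficiency bound, with 10 Mbps numbers.
import random

BIT_TIME_10MBPS = 0.1e-6          # seconds per bit at 10 Mbps
SLOT_BITS = 512                   # backoff unit: K * 512 bit times


def backoff_range(m: int) -> int:
    """Largest K after the m-th collision: K in {0, ..., 2^min(m,10) - 1}."""
    return 2 ** min(m, 10) - 1


def backoff_wait(m: int, bit_time=BIT_TIME_10MBPS, rng=random.Random(0)) -> float:
    """Random wait in seconds after the m-th collision (seeded for reproducibility)."""
    K = rng.randint(0, backoff_range(m))
    return K * SLOT_BITS * bit_time


def max_backoff_wait(bit_time=BIT_TIME_10MBPS) -> float:
    """Worst case after ten or more collisions: 1023 * 512 bit times, ~52 ms at 10 Mbps."""
    return backoff_range(10) * SLOT_BITS * bit_time


def csmacd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1 / (1 + 5 * t_prop / t_trans)
```

With a 1500-byte frame at 10 Mbps (t_trans = 1.2 ms) and a few microseconds of propagation delay the efficiency is close to 1, which is the "goes to 1 as t_trans goes to infinity" case; the same propagation delay on a link a hundred times faster makes t_prop/t_trans a hundred times larger and the efficiency correspondingly worse.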

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter).
[figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
[figure: backbone hub interconnecting three departmental hubs]

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment.
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[figure: switch with interfaces 1, 2, 3, each leading to a hub]

Self learning

A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.

Switch: traffic isolation

Switch installation breaks subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
[figure: switch with three hubs, each hub a separate collision domain]
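The self-learning and filtering behaviour above, as an added example that is not code from the course: a switch table keyed by MAC address with interface and timestamp, aged out after the slide's 60-minute TTL, and the per-frame decision to filter (destination on the incoming segment), forward (destination known elsewhere) or flood (destination unknown). The interface numbers and the frames are constructed.

```python
# Added example (not from the course slides): a self-learning switch table
# with aging and the filter/forward/flood decision. Frames are constructed.
class LearningSwitch:
    def __init__(self, ports, ttl=60 * 60):
        self.ports = ports                 # interface numbers, e.g. [1, 2, 3]
        self.ttl = ttl                     # slide: TTL can be 60 min
        self.table = {}                    # MAC -> (interface, timestamp)

    def receive(self, src, dst, in_port, now):
        """Return the list of interfaces the frame is sent out on."""
        # learn: the sender is reachable through the incoming interface
        self.table[src] = (in_port, now)
        # drop stale entries
        for mac in [m for m, (_, t) in self.table.items() if now - t > self.ttl]:
            del self.table[mac]
        entry = self.table.get(dst)
        if entry is None:
            return [p for p in self.ports if p != in_port]   # unknown: flood
        out_port, _ = entry
        if out_port == in_port:
            return []                                       # same segment: filter
        return [out_port]                                   # known: forward
```

Everything the switch knows comes from source addresses it has seen, and an entry is believed until it ages out or a newer frame from the same MAC overwrites it; that is what "plug-and-play" means here, and it is also why a frame's source address determines where later traffic to that address is sent.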

Switches vs Routers

Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

[figure: A, B, C in a line; A and C are each within range of B but not of each other]
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B.

[figure: A's and C's signal strength decaying across space, both weak at B]
Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts, access point (AP): base station. Ad hoc mode: hosts only.
[figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. if sense channel idle for DIFS, then transmit entire frame (no CD)
2. if sense channel busy, then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver:
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange

[figure: A and B both send RTS to the AP and the RTSs collide (reservation collision); A's RTS is retried; the AP returns CTS(A), which B also hears and defers; A sends DATA(A); the AP returns ACK(A)]

802.11 frame

frame control (2 bytes), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)

802.11 frame: addressing

Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.

[figure: H1 sends to AP, which is attached to Internet router R1]
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (after the AP converts it): dest address = R1 MAC addr, source address = H1 MAC addr
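The frame layout and addressing above, as an added example that is not code from the course: a builder and parser for the 802.11 data-frame header with the field sizes from the slide (2-byte frame control, 2-byte duration, three 6-byte addresses, 2-byte sequence control, the optional fourth address, payload, 4-byte CRC), labelling the three addresses with the roles the slide gives them. The To-DS/From-DS bit positions, little-endian field order and the CRC-32 frame check sequence are from the 802.11 standard; the MAC addresses and payload are constructed.

```python
# Added example (not from the course slides): unpack the 802.11 data-frame
# header laid out on the slide and label the addresses with their roles.
# Bit positions and byte order follow 802.11; frame bytes are constructed.
import struct
import zlib

TO_DS, FROM_DS = 0x0100, 0x0200        # bits in the 16-bit frame control field


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(fc, addr1, addr2, addr3, seq_num, payload, addr4=None):
    """Assemble a data frame from the slide's fields and append the CRC-32 FCS."""
    hdr = struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq_num << 4)
    if addr4 is not None:
        hdr += addr4
    body = hdr + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_data_frame(frame: bytes) -> dict:
    """Header fields, address roles, payload and whether the trailing CRC matches."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    to_ds, from_ds = bool(fc & TO_DS), bool(fc & FROM_DS)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl, = struct.unpack_from("<H", frame, 22)
    off, a4 = 24, None
    if to_ds and from_ds:                # four-address frame: address 4 present
        a4, off = frame[24:30], 30
    payload, crc = frame[off:-4], struct.unpack("<I", frame[-4:])[0]
    addresses = {"receiver": mac_str(a1),            # address 1
                 "transmitter": mac_str(a2),         # address 2
                 "router_interface": mac_str(a3)}    # address 3 (behind the AP)
    if a4 is not None:
        addresses["address4"] = mac_str(a4)
    return {"to_ds": to_ds, "from_ds": from_ds, "duration": duration,
            "seq_num": seq_ctl >> 4, "frag_num": seq_ctl & 0xF,
            "addresses": addresses, "payload": payload,
            "fcs_ok": zlib.crc32(frame[:-4]) & 0xFFFFFFFF == crc}


# Constructed frame: H1 -> AP -> R1, so To-DS is set; 0x0008 = data frame type.
H1 = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")
R1 = bytes.fromhex("020000000003")
FRAME = build_data_frame(0x0008 | TO_DS, AP, H1, R1, 5, b"datagram")
```

The CRC only detects transmission errors; nothing in this header authenticates any of the three addresses, which is the same situation as for the IP source address on the earlier spoofing slide.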

Network Security

What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and countermeasures: Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 30: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Packet Filtering

Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and

telnet connections are blocked

Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP

connections with internal clients but allows internal clients to connect to outside

Application gateways

Filters packets on application data as well as on IPTCPUDP fields

Example allow select internal users to telnet outside

host-to-gatewaytelnet session

gateway-to-remote host telnet session

applicationgateway

router and filter

1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet

connection to dest host Gateway relays data between 2 connections

3 Router filter blocks all telnet connections not originating from gateway

Limitations of firewalls and gateways

IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source

if multiple apprsquos need special treatment each has own app gateway

client software must know how to contact gateway eg must set IP address

of proxy in Web browser

filters often use all or nothing policy for UDP

tradeoff degree of communication with outside world level of security

many highly protected sites still suffer from attacks

Overview

What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures

Internet security threats

Mapping before attacking ldquocase the jointrdquo ndash find out

what services are implemented on network Use ping to determine what hosts have

addresses on network Port-scanning try to establish TCP

connection to each port in sequence

Countermeasures

Internet security threats

Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses

pots being scanned sequentially)

Internet security threatsPacket sniffing

broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets

A

B

C

srcB destA payload

Countermeasures

Internet security threatsPacket sniffing countermeasures

all hosts in organization run software that checks periodically if host interface in promiscuous mode

one host per segment of broadcast media (switched Ethernet at hub)

A

B

C

srcB destA payload

Internet security threatsIP Spoofing

can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field

receiver canrsquot tell if source is spoofed eg C pretends to be B

A

B

C

srcB destA payload

Countermeasures

Internet security threatsIP Spoofing ingress filtering

routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)

great but ingress filtering can not be mandated for all networks

A

B

C

srcB destA payload

Internet security threatsDenial of service (DOS)

flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp

receiver eg C and remote host SYN-attack A

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Countermeasures

Internet security threatsDenial of service (DOS) countermeasures

filter out flooded packets (eg SYN) before reaching host throw out good with bad

traceback to source of floods (most likely an innocent compromised machine)

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Review (1): Network Layer

Virtual Circuits and Datagram Networks
Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation

Review (2): Routing in the Internet

• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks
CDMA
IEEE 802.11 wireless LANs

Review (3): What is network security?

Principles of cryptography
Symmetric Key
Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures
Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm example

[Figure: six-node example graph with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three-node example with link costs c(x,y)=2, c(x,z)=7, c(y,z)=1. Each node's DV table is shown over time; rows are "from", columns are "cost to" x y z]

node x table
  time 0             after 1st exchange   after 2nd exchange
  from x: 0 2 7      from x: 0 2 3        from x: 0 2 3
  from y: ∞ ∞ ∞      from y: 2 0 1        from y: 2 0 1
  from z: ∞ ∞ ∞      from z: 7 1 0        from z: 3 1 0

node y table
  from x: ∞ ∞ ∞      from x: 0 2 7        from x: 0 2 3
  from y: 2 0 1      from y: 2 0 1        from y: 2 0 1
  from z: ∞ ∞ ∞      from z: 7 1 0        from z: 3 1 0

node z table
  from x: ∞ ∞ ∞      from x: 0 2 7        from x: 0 2 3
  from y: ∞ ∞ ∞      from y: 2 0 1        from y: 2 0 1
  from z: 7 1 0      from z: 3 1 0        from z: 3 1 0

$D_x(y) = \min\{c(x,y) + D_y(y),\ c(x,z) + D_z(y)\} = \min\{2+0,\ 7+1\} = 2$

$D_x(z) = \min\{c(x,y) + D_y(z),\ c(x,z) + D_z(z)\} = \min\{2+1,\ 7+0\} = 3$
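A synchronous simulation of the distance vector algorithm on the slide's three-node example, so the table for node x moves from (0 2 7) to (0 2 3) exactly as shown above. This is an added example, not code from the slides; the round-based exchange replaces the asynchronous "wait for msg" loop.

```python
"""Distance-vector (Bellman-Ford) simulation on the slide's x, y, z example."""
import math

COSTS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}   # the slide's link costs


class Node:
    def __init__(self, name, neighbors, all_nodes):
        self.name = name
        self.neighbors = neighbors              # {neighbor: link cost c(x,v)}
        # own DV row: 0 to self, direct link cost to neighbors, infinity otherwise
        self.dv = {d: 0 if d == name else neighbors.get(d, math.inf) for d in all_nodes}
        self.received = {}                      # neighbor -> its latest DV

    def receive(self, sender, dv):
        self.received[sender] = dict(dv)

    def recompute(self):
        """Apply D_x(y) = min_v { c(x,v) + D_v(y) } for every y; True if DV changed."""
        new = {}
        for y in self.dv:
            best = 0 if y == self.name else self.neighbors.get(y, math.inf)
            for v, c in self.neighbors.items():
                if v in self.received:
                    best = min(best, c + self.received[v][y])
            new[y] = best
        changed = new != self.dv
        self.dv = new
        return changed


def run_dv(costs, max_rounds=10):
    """Run rounds of 'every node sends its DV, then recomputes' until no DV changes.
    Returns the history of all nodes' DVs, one snapshot per round (index 0 = time 0)."""
    names = sorted({n for pair in costs for n in pair})
    nbrs = {n: {} for n in names}
    for (a, b), c in costs.items():
        nbrs[a][b] = c
        nbrs[b][a] = c
    nodes = {n: Node(n, nbrs[n], names) for n in names}
    history = [{n: dict(nodes[n].dv) for n in names}]
    for _ in range(max_rounds):
        for node in nodes.values():             # each node sends its DV to its neighbors
            for m in node.neighbors:
                nodes[m].receive(node.name, node.dv)
        changed = [node.recompute() for node in nodes.values()]
        history.append({n: dict(nodes[n].dv) for n in names})
        if not any(changed):                    # converged: nobody would notify anyone
            break
    return history


if __name__ == "__main__":
    for round_no, snapshot in enumerate(run_dv(COSTS)):
        print(f"round {round_no}:", {n: list(dv.values()) for n, dv in snapshot.items()})
```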

The Internet Network layer

Host, router network layer functions:

Routing protocols
• path selection
• RIP, OSPF, BGP

IP protocol
• addressing conventions
• datagram format
• packet handling conventions

ICMP protocol
• error reporting
• router "signaling"

forwarding table

[Figure: the network layer sits between the transport layer (TCP, UDP) and the link layer / physical layer]

IP datagram format

[Figure: IPv4 header, 32 bits wide, with the following fields]

ver: IP protocol version number
head. len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
  routers typically have multiple interfaces
  host may have multiple interfaces
  IP addresses associated with each interface

[Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27 spread over three subnets]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
  subnet part (high order bits)
  host part (low order bits)

What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (LANs), with the same interface addresses as in the previous figure]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)

CIDR: Classless InterDomain Routing
  subnet portion of address of arbitrary length
  address format: a.b.c.d/x, where x is # bits in subnet portion of address

  11001000 00010111 00010000 00000000
  subnet part: the first 23 bits; host part: the remaining 9 bits
  200.23.16.0/23
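The /x notation above and the ingress-filtering rule from the IP spoofing countermeasures slide, in one added example (not code from the slides): the prefix 200.23.16.0/23 and the address 223.1.1.1 are the slides' own values; the outgoing datagram list is constructed.

```python
"""CIDR prefix matching and ingress filtering of outgoing datagrams."""


def ip_to_int(dotted):
    """Parse a dotted-quad IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def ip_to_bits(dotted):
    """Render an address octet by octet in binary, as the slides do."""
    n = ip_to_int(dotted)
    return " ".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def parse_cidr(prefix):
    """'a.b.c.d/x' -> (network, mask): the high-order x bits are the subnet part."""
    addr, bits = prefix.split("/")
    bits = int(bits)
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length: {bits}")
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask


def in_prefix(dotted, prefix):
    """True when the address's subnet part equals the prefix's network bits."""
    network, mask = parse_cidr(prefix)
    return ip_to_int(dotted) & mask == network


def ingress_filter(datagrams, local_prefix):
    """The slide's rule at the edge router: an outgoing datagram whose source
    address is not inside the router's own network is dropped.
    Returns (forwarded, dropped) lists of (src, dst) pairs."""
    forwarded, dropped = [], []
    for src, dst in datagrams:
        (forwarded if in_prefix(src, local_prefix) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed outgoing traffic seen at the router for the slide's 200.23.16.0/23.
OUTGOING = [
    ("200.23.16.9", "198.51.100.7"),     # inside the /23: forwarded
    ("200.23.17.200", "198.51.100.7"),   # still inside: host part is 9 bits wide
    ("200.23.18.1", "198.51.100.7"),     # next /23 over: invalid source, dropped
    ("10.0.0.1", "198.51.100.7"),        # not in this network at all: dropped
]

if __name__ == "__main__":
    print("223.1.1.1 =", ip_to_bits("223.1.1.1"))
    fwd, drop = ingress_filter(OUTGOING, "200.23.16.0/23")
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```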

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and the NAT router's inside interface 10.0.0.4; the router's outside interface 138.76.29.7 faces the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers

NAT: Network Address Translation

NAT translation table
  WAN side addr          LAN side addr
  138.76.29.7, 5001      10.0.0.1, 3345
  ……                     ……

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
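The four-step walkthrough above as a translation table that can be replayed, added here as an example (not code from the slides). Addresses and ports are the slide's own; the datagram representation as ((src_ip, src_port), (dst_ip, dst_port)) is an assumption of this example.

```python
"""NAT translation table replaying the slide's 10.0.0.1 -> 128.119.40.186 exchange."""


class NatRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}      # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}    # (lan_ip, lan_port) -> (wan_ip, wan_port)

    def outbound(self, dgram):
        """Step 2: rewrite the source (lan_ip, lan_port) to (wan_ip, fresh port),
        recording the mapping so the reply can be translated back."""
        src, dst = dgram
        if src not in self.reverse:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.reverse[src] = wan
            self.table[wan] = src
        return (self.reverse[src], dst)

    def inbound(self, dgram):
        """Step 4: map the destination (wan_ip, port) back to the LAN host.
        A datagram with no table entry is dropped (None): nothing outside can
        address a LAN host that has not first sent traffic out."""
        src, dst = dgram
        if dst not in self.table:
            return None
        return (src, self.table[dst])


if __name__ == "__main__":
    nat = NatRouter("138.76.29.7")
    step1 = (("10.0.0.1", 3345), ("128.119.40.186", 80))
    step2 = nat.outbound(step1)
    step3 = (("128.119.40.186", 80), ("138.76.29.7", 5001))   # the reply
    step4 = nat.inbound(step3)
    for label, d in (("1", step1), ("2", step2), ("3", step3), ("4", step4)):
        print(label, "S:", d[0], "D:", d[1])
    print("table:", nat.table)
```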

Hierarchical Routing

scale: with 200 million destinations:
  can't store all dest's in routing tables
  routing table exchange would swamp links
administrative autonomy
  internet = network of networks
  each network admin may want to control routing in its own network

Our routing study thus far: idealization, all routers identical, network "flat" … not true in practice

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); in each router the intra-AS routing algorithm and the inter-AS routing algorithm together fill the forwarding table]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: Intra-AS sets entries for internal dests; Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX Distribution in 1982
Distance metric: # of hops (max = 15 hops)
  # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

[Figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z]

destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses Link State algorithm
  LS packet dissemination
  Topology map at each node
  Route computation using Dijkstra's algorithm
  Link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
  Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort; high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone
  Link-state advertisements only in area
  each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  AS2 can aggregate prefixes in its advertisement

[Figure: AS1, AS2, AS3 with routers 1a-1d, 2a-2c, 3a-3c; eBGP sessions run between gateway routers of different ASes, iBGP sessions between routers inside one AS]

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
Two important attributes:
  AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)
When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed
Scale: hierarchical routing saves table size, reduced update traffic
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
  hosts and routers are nodes
  communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
  layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
  encapsulate datagram into frame, adding header, trailer
  channel access if shared medium
  "MAC" addresses used in frame headers to identify source, dest
  • different from IP address
Reliable delivery between adjacent nodes
  we learned how to do this already (chapter 3)
  seldom used on low bit error link (fiber, some twisted pair)
  wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning
  divide channel into smaller "pieces" (time slots, frequency, code)
  allocate piece to node for exclusive use
Random Access
  channel not divided, allow collisions
  "recover" from collisions
"Taking turns"
  Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
  access to channel in "rounds"
  each station gets fixed length slot (length = pkt trans time) in each round
  unused slots go idle
  example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros
  single active node can continuously transmit at full rate of channel
  highly decentralized: only slots in nodes need to be in sync
  simple
Cons
  collisions, wasting slots
  idle slots
  clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = $p(1-p)^{N-1}$
prob that there is a success = $Np(1-p)^{N-1}$
For max efficiency with N nodes, find p* that maximizes $Np(1-p)^{N-1}$
For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, gives $1/e = .37$
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
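The maximization the slide only states, carried through here as an added derivation (not on the original slide):

$$
\frac{d}{dp}\Big[N p (1-p)^{N-1}\Big]
 = N(1-p)^{N-2}\big[(1-p) - (N-1)p\big]
 = N(1-p)^{N-2}(1 - Np) = 0
 \;\Rightarrow\; p^* = \frac{1}{N}
$$

$$
N p^* (1-p^*)^{N-1} = \Big(1 - \frac{1}{N}\Big)^{N-1}
 \;\xrightarrow{N \to \infty}\; \frac{1}{e} \approx 0.37
$$

With $p^* = 1/N$, the expected number of attempts per slot is exactly one, and the limit is the probability that exactly one of many rare attempts lands in the slot.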

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
  If channel sensed idle: transmit entire frame
  If channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted

[Figure: spatial layout of nodes; note the role of distance & propagation delay in determining collision probability]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
  collisions detected within short time
  colliding transmissions aborted, reducing channel wastage
collision detection:
  easy in wired LANs: measure signal strengths, compare transmitted, received signals
  difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn
  concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message
  concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
  TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four hosts, each labelled with its IP address (237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88) and its 48-bit MAC address (1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)]

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address
  Dest MAC address = FF-FF-FF-FF-FF-FF
  all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
  frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
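The query/reply exchange and the soft-state cache described above, simulated on one broadcast LAN with a driven clock so the 20-minute time-out can be seen. This is an added example, not code from the slides; the IP and MAC addresses are the ones in the figure, but which MAC belongs to which IP is an assumption, and the frame dictionaries are a constructed stand-in for real ARP packets.

```python
"""ARP resolution with a soft-state cache on a simulated broadcast LAN."""
BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60          # seconds; the slide's "typically 20 min"


class Lan:
    """Broadcast medium: every attached host sees frames addressed to it or to broadcast."""
    def __init__(self):
        self.hosts = []
        self.frames = 0     # counts frames put on the wire, to show caching at work

    def attach(self, host):
        self.hosts.append(host)

    def send(self, frame, now):
        self.frames += 1
        replies = []
        for h in self.hosts:
            if h.mac != frame["src"] and frame["dst"] in (BROADCAST, h.mac):
                reply = h.on_frame(frame, now)
                if reply is not None:
                    replies.append(reply)
        return replies


class Host:
    def __init__(self, ip, mac, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_table = {}  # ip -> (mac, expiry time): the soft-state cache
        lan.attach(self)

    def on_frame(self, frame, now):
        """Answer ARP queries for our own IP with a unicast reply to the querier."""
        if frame["type"] == "ARP-QUERY" and frame["target_ip"] == self.ip:
            # the query carries the sender's pair, so B learns A as a side effect
            self.arp_table[frame["sender_ip"]] = (frame["sender_mac"], now + ARP_TTL)
            return {"type": "ARP-REPLY", "dst": frame["src"], "src": self.mac,
                    "sender_ip": self.ip, "sender_mac": self.mac}
        return None

    def resolve(self, ip, now):
        """Return (mac, how): from the cache while the entry is fresh, otherwise
        by broadcasting a query; (None, 'unresolved') if nobody answers."""
        entry = self.arp_table.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0], "cache"
        query = {"type": "ARP-QUERY", "dst": BROADCAST, "src": self.mac,
                 "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": ip}
        for reply in self.lan.send(query, now):
            if reply["type"] == "ARP-REPLY" and reply["sender_ip"] == ip:
                self.arp_table[ip] = (reply["sender_mac"], now + ARP_TTL)
                return reply["sender_mac"], "query"
        return None, "unresolved"


if __name__ == "__main__":
    lan = Lan()
    a = Host("237.196.7.23", "1A-2F-BB-76-09-AD", lan)
    b = Host("237.196.7.78", "58-23-D7-FA-20-B0", lan)
    print(a.resolve(b.ip, now=0))            # broadcast query, B answers
    print(a.resolve(b.ip, now=100))          # served from A's cache
    print(a.resolve(b.ip, now=ARP_TTL + 1))  # entry timed out, query again
    print("frames on the wire:", lan.frames)
```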

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: host A, router R with one interface on each LAN, host B]

A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
  Goal: adapt retransmission attempts to estimated current load
  heavy load: random wait will be longer
  first collision: choose K from {0, 1}; delay is K·512 bit transmission times
  after second collision: choose K from {0, 1, 2, 3} …
  after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

$t_{prop}$ = max prop between 2 nodes in LAN
$t_{trans}$ = time to transmit max-size frame

$$\text{efficiency} = \frac{1}{1 + 5\, t_{prop} / t_{trans}}$$

Efficiency goes to 1 as $t_{prop}$ goes to 0
Goes to 1 as $t_{trans}$ goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters:
  bits coming from one link go out all other links
  at the same rate
  no frame buffering
  no CSMA/CD at hub: adapters detect collisions
  provides net management functionality
  • can disconnect a malfunctioning adapter

[Figure: hub with twisted pair links to hosts]

Interconnecting with hubs

Pros
  Enables interdepartmental communication
  Extends max distance btw nodes
  If a hub malfunctions, the backbone hub can disconnect it
Cons
  Collision domains are transferred into one large common domain
  Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: backbone hub connecting three departmental hubs]

Switch

Link layer device
  stores and forwards Ethernet frames
  examines frame header and selectively forwards frame based on MAC dest address
  when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
  hosts are unaware of presence of switches
plug-and-play, self-learning
  switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...

[Figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning

A switch has a switch table
entry in switch table: (MAC Address, Interface, Time Stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
  when frame received, switch "learns" location of sender: incoming LAN segment
  records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments
switch filters packets
  same-LAN-segment frames not usually forwarded onto other LAN segments
  segments become separate collision domains

[Figure: switch with three hubs attached, each hub's segment forming its own collision domain]
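The self-learning table and the filtering rule from the two slides above, in one added example (not code from the slides) with the 60-minute TTL and interfaces 1, 2, 3 from the figure; the MAC addresses and frames are constructed.

```python
"""Self-learning switch: learn, filter, selectively forward, flood, and expire."""
BROADCAST = "FF-FF-FF-FF-FF-FF"
SWITCH_TTL = 60 * 60       # seconds; the slide's "TTL can be 60 min"


class LearningSwitch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}    # mac -> (interface, time stamp), as on the slide

    def receive(self, frame, in_iface, now):
        """Handle one frame arriving on in_iface; return the interfaces it goes out on."""
        self._expire(now)
        # learn: the sender is reachable through the incoming interface. Note that
        # this is taken on faith from the source field, so the table reflects what
        # the segment claims, and isolation is best-effort, not an access control.
        self.table[frame["src"]] = (in_iface, now)
        entry = self.table.get(frame["dst"])
        if frame["dst"] == BROADCAST or entry is None:
            return [i for i in self.interfaces if i != in_iface]   # flood
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                      # same segment: filter, do not forward
        return [out_iface]                 # selectively forward

    def _expire(self, now):
        """Drop stale entries so a host that moved segments is relearned."""
        stale = [m for m, (_, t) in self.table.items() if now - t > SWITCH_TTL]
        for m in stale:
            del self.table[m]


# Constructed hosts: A and C share the hub on interface 1, B is on interface 2.
A, B, C = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"

if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    print(sw.receive({"src": A, "dst": B}, 1, now=0))      # B unknown: flood to 2, 3
    print(sw.receive({"src": B, "dst": A}, 2, now=1))      # A known on 1: forward to 1
    print(sw.receive({"src": C, "dst": A}, 1, now=2))      # same segment: filtered
    print(sw.receive({"src": A, "dst": BROADCAST}, 1, now=3))
    print(sw.receive({"src": B, "dst": A}, 2, now=SWITCH_TTL + 10))  # A expired: flood
    print(sw.table)
```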

Switches vs Routers

both store-and-forward devices
  routers: network layer devices (examine network layer headers)
  switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
  B, A hear each other
  B, C hear each other
  A, C can not hear each other
  means A, C unaware of their interference at B

Signal fading:
  B, A hear each other
  B, C hear each other
  A, C can not hear each other, interfering at B

[Figure: A's signal strength and C's signal strength plotted against space, overlapping only at B]

IEEE 802.11 Wireless LAN

802.11b
  2.4-5 GHz unlicensed radio spectrum
  up to 11 Mbps
  direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
  widely deployed, using base stations
802.11a
  5-6 GHz range
  up to 54 Mbps
802.11g
  2.4-5 GHz range
  up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station
  base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  wireless hosts
  access point (AP): base station
ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender senses idle for DIFS and sends data; receiver waits SIFS and returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP and the RTS frames collide; A's RTS(A) gets through, the AP answers CTS(A) heard by both, A sends DATA(A) and the AP returns ACK(A); B hears the CTS(A) reservation and defers]

802.11 frame addressing

[Figure: 802.11 frame layout, field sizes in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4)]

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

[Figure: H1 sends to router R1 through the AP. The 802.11 frame carries address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr; the AP forwards an 802.3 frame with dest address = R1 MAC addr, source address = AP MAC addr]

Network Security

What is network security?
Principles of cryptography
  Symmetric Key
  Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures
  Packet sniffing, IP spoofing, DoS attacks


Application gateways

Filters packets on application data as well as on IPTCPUDP fields

Example allow select internal users to telnet outside

host-to-gatewaytelnet session

gateway-to-remote host telnet session

applicationgateway

router and filter

1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet

connection to dest host Gateway relays data between 2 connections

3 Router filter blocks all telnet connections not originating from gateway

Limitations of firewalls and gateways

IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source

if multiple apprsquos need special treatment each has own app gateway

client software must know how to contact gateway eg must set IP address

of proxy in Web browser

filters often use all or nothing policy for UDP

tradeoff degree of communication with outside world level of security

many highly protected sites still suffer from attacks

Overview

What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures

Internet security threats

Mapping before attacking ldquocase the jointrdquo ndash find out

what services are implemented on network Use ping to determine what hosts have

addresses on network Port-scanning try to establish TCP

connection to each port in sequence

Countermeasures

Internet security threats

Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses

pots being scanned sequentially)

Internet security threatsPacket sniffing

broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets

A

B

C

srcB destA payload

Countermeasures

Internet security threatsPacket sniffing countermeasures

all hosts in organization run software that checks periodically if host interface in promiscuous mode

one host per segment of broadcast media (switched Ethernet at hub)

A

B

C

srcB destA payload

Internet security threatsIP Spoofing

can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field

receiver canrsquot tell if source is spoofed eg C pretends to be B

A

B

C

srcB destA payload

Countermeasures

Internet security threatsIP Spoofing ingress filtering

routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)

great but ingress filtering can not be mandated for all networks

A

B

C

srcB destA payload

Internet security threatsDenial of service (DOS)

flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp

receiver eg C and remote host SYN-attack A

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Countermeasures

Internet security threatsDenial of service (DOS) countermeasures

filter out flooded packets (eg SYN) before reaching host throw out good with bad

traceback to source of floods (most likely an innocent compromised machine)

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Review (1) Network Layer

Virtual Circuits and Datagram Networks Routing Principles

bull Link State Algorithmbull Distance Vector Algorithm

The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation

Review (2) Routing in the Internet

bull Hierarchical routingbull RIPbull OSPFbull BGP

Data link layer Introduction and services Error detection and correction Multiple access protocols

bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols

Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs

Review (3) What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

Routing Algorithm classification

Global or decentralized information

Global all routers have complete

topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-

connected neighbors link costs to neighbors

iterative process of computation exchange of info with neighbors

ldquodistance vectorrdquo algorithms

Static or dynamicStatic routes change slowly

over timeDynamic routes change more

quickly periodic update in response to link

cost changes

Dijsktrarsquos Algorithm

1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N

Dijkstrarsquos algorithm example

Step012345

Nu

uxuxy

uxyvuxyvw

uxyvwz

D(v)p(v)2u2u2u

D(w)p(w)5u4x3y3y

D(x)p(x)1u

D(y)p(y)infin

2x

D(z)p(z)infin infin

4y4y4y

u

yx

wv

z2

2

13

1

1

2

53

5

Distance vector algorithm (1)

Basic idea Each node periodically sends its own distance

vector estimate to neighbors When a node x receives new DV estimate from

neighbor it updates its own DV using B-F equation

Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N

Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative asynchronous each local iteration caused by

local link cost change DV update message from

neighborDistributed each node notifies

neighbors only when its DV changes neighbors then notify

their neighbors if necessary

The algorithm doesnrsquot know the entire path ndash only knows the next hop

wait for (change in local link cost of msg from neighbor)

recompute estimates

if DV to any dest has

changed notify neighbors

Each node

x y z

xyz

0 2 7

infin infin infininfin infin infin

from

cost to

from

from

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 3

from

cost to

x y z

xyz

infin infin

infin infin infin

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

0 2 3

from

cost to

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

infin infin infin7 1 0

cost to

infin2 0 1

infin infin infin

2 0 17 1 0

2 0 17 1 0

2 0 13 1 0

2 0 13 1 0

2 0 1

3 1 0

2 0 1

3 1 0

time

x z12

7

y

node x table

node y table

node z table

Dx(y) = minc(xy) + Dy(y) c(xz) + Dz(y) = min2+0 7+1 = 2

Dx(z) = minc(xy) + Dy(z) c(xz) + Dz(z) = min2+1 7+0 = 3

The Internet Network layer

forwardingtable

Host router network layer functions

Routing protocolsbullpath selectionbullRIP OSPF BGP

IP protocolbulladdressing conventionsbulldatagram formatbullpacket handling conventions

ICMP protocolbullerror reportingbullrouter ldquosignalingrdquo

Transport layer TCP UDP

Link layer

physical layer

Networklayer

IP datagram format

Header fields (32 bits per row):
- ver: IP protocol version number
- head len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- Internet checksum
- 32 bit source IP address
- 32 bit destination IP address
- Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
- data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
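The header layout above as a small builder/parser. This is an added example, not code from the slides: it packs the fixed 20-byte IPv4 header, verifies the Internet checksum, and shows what a router does to the TTL and checksum on each hop. The addresses are the slide's 223.1.x.x values; the function names and the chosen identifier/flags values are this example's own.

```python
# Added example, not from the slides: build and parse the 20-byte IPv4 header
# described above and verify its Internet checksum. Addresses are the slide's 223.1.x.x values.
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dotted_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_header(src, dst, payload_len, ttl=64, proto=6, ident=0x1C46, flags=0b010, frag_off=0, tos=0):
    """Header without options (ihl = 5). proto 6 = TCP, flags 0b010 = don't fragment (constructed defaults)."""
    ihl = 5
    total_len = ihl * 4 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, tos, total_len, ident,
                      (flags << 13) | frag_off, ttl, proto, 0,
                      dotted_to_bytes(src), dotted_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed fields; checksum_ok is True when the header verifies (sum over it is 0)."""
    if len(pkt) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(pkt) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version, "header_len": header_len, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "checksum_ok": internet_checksum(pkt[:header_len]) == 0,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "options": pkt[20:header_len],
    }


def forward_one_hop(pkt: bytes):
    """What a router does to the header: decrement TTL and recompute the checksum.
    Returns None when the TTL would reach 0 or the checksum fails (datagram discarded, not forwarded)."""
    h = parse_ipv4_header(pkt)
    if not h["checksum_ok"] or h["ttl"] <= 1:
        return None
    hl = h["header_len"]
    hdr = pkt[:8] + bytes([h["ttl"] - 1]) + pkt[9:10] + b"\x00\x00" + pkt[12:hl]
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + pkt[hl:]


if __name__ == "__main__":
    header = build_ipv4_header("223.1.1.1", "223.1.2.9", payload_len=20, ttl=64)
    print(parse_ipv4_header(header))
    print("TTL after one hop:", parse_ipv4_header(forward_one_hop(header))["ttl"])
```

The checksum check is what makes a corrupted header detectable: a TTL that changes without the checksum being recomputed no longer sums to zero, so parse_ipv4_header reports checksum_ok as False.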

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
- routers typically have multiple interfaces
- host may have multiple interfaces
- IP addresses associated with each interface

(Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27)

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
- subnet part (high order bits)
- host part (low order bits)
What's a subnet? Device interfaces with the same subnet part of IP address can physically reach each other without an intervening router.

(Figure: the same interfaces, 223.1.1.1 ... 223.1.3.27, form a network consisting of 3 subnets (LANs): 223.1.1.x, 223.1.2.x and 223.1.3.x)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).
CIDR: Classless InterDomain Routing
- subnet portion of address of arbitrary length
- address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address

11001000 00010111 00010000 00000000  = 200.23.16.0/23
(subnet part: the first 23 bits; host part: the remaining bits)
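The subnet-part/host-part split and the a.b.c.d/x notation, worked on 32-bit integers. This is an added example, not code from the slides; the addresses are the slide's, while the function names (parse_cidr, in_subnet, same_subnet, classful_prefix_len) are this example's own.

```python
# Added example, not from the slides: the subnet-part / host-part split and the a.b.c.d/x
# notation above, done on 32-bit integers. Addresses are the slide's; function names are this example's.
def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(prefix: str):
    """'a.b.c.d/x' -> (network as int, mask as int, x); x = number of high-order subnet bits."""
    addr, _, bits = prefix.partition("/")
    x = int(bits)
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask, x


def in_subnet(addr: str, prefix: str) -> bool:
    """True when addr's subnet part (under the prefix's mask) equals the prefix's network."""
    net, mask, _ = parse_cidr(prefix)
    return (ip_to_int(addr) & mask) == net


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Two interfaces are on the same subnet when their high-order prefix_len bits agree."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)


def subnet_info(prefix: str) -> dict:
    net, mask, x = parse_cidr(prefix)
    return {
        "network": int_to_ip(net),
        "mask": int_to_ip(mask),
        "subnet_bits_binary": format(net, "032b")[:x],   # the high-order bits that identify the subnet
        "host_bits": 32 - x,
        "addresses": 1 << (32 - x),
        "last": int_to_ip(net | (0xFFFFFFFF >> x)),
    }


def classful_prefix_len(addr: str):
    """Pre-CIDR rule: class A (leading bit 0) /8, class B (10) /16, class C (110) /24; None for D/E."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None


if __name__ == "__main__":
    print("223.1.1.1 =", format(ip_to_int("223.1.1.1"), "032b"))
    print(subnet_info("200.23.16.0/23"))
    print("200.23.17.5 in 200.23.16.0/23:", in_subnet("200.23.17.5", "200.23.16.0/23"))
    print("classful length for 200.23.16.0 would have been /%d" % classful_prefix_len("200.23.16.0"))
```

classful_prefix_len shows the restriction CIDR removed: 200.23.16.0 would have been a class C network with a fixed /24, whereas /23 lets the two adjacent /24 blocks be advertised as one prefix.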

NAT: Network Address Translation

(Figure: local network, e.g. home network, 10.0.0/24, with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind a NAT router whose address towards the rest of the Internet is 138.76.29.7)

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual).
All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
......                 ......

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001; updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
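The four steps above as a small port-translating NAT. This is an added example, not code from the slides: addresses and ports are the slide's, while the NatRouter class, the port allocation starting at 5001 and the drop of inbound datagrams with no table entry are this example's own choices.

```python
# Added example, not from the slides: a minimal port-translating NAT that reproduces the
# four steps above. Addresses are the slide's; port allocation starting at 5001 is an assumption.
import ipaddress


class NatRouter:
    def __init__(self, public_ip, private_prefix, first_port=5001):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_prefix)
        self.next_port = first_port
        self.table = {}     # WAN side (public_ip, port) -> LAN side (private_ip, port)
        self.reverse = {}   # LAN side (private_ip, port) -> WAN side port

    def outbound(self, pkt):
        """Step 2: rewrite the source of a datagram leaving the LAN; add a table entry if it is new."""
        src_ip, src_port = pkt["src"]
        if ipaddress.ip_address(src_ip) not in self.private_net:
            return None                     # not from our LAN: nothing to translate
        key = (src_ip, src_port)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(self.public_ip, port)] = key
        return {"src": (self.public_ip, self.reverse[key]), "dst": pkt["dst"]}

    def inbound(self, pkt):
        """Step 4: map the WAN-side destination back to the LAN host that opened the flow.
        Without a table entry the datagram is dropped: nothing inside asked for it."""
        lan_side = self.table.get(pkt["dst"])
        if lan_side is None:
            return None
        return {"src": pkt["src"], "dst": lan_side}


if __name__ == "__main__":
    nat = NatRouter("138.76.29.7", "10.0.0.0/24")
    step1 = {"src": ("10.0.0.1", 3345), "dst": ("128.119.40.186", 80)}
    step2 = nat.outbound(step1)
    step3 = {"src": ("128.119.40.186", 80), "dst": step2["src"]}
    step4 = nat.inbound(step3)
    print(step2, step4, nat.table, sep="\n")
```

The table is keyed on the WAN-side (address, port) pair, so two LAN hosts using the same local port 3345 get distinct public ports; the reverse map keeps an existing flow on its already-assigned port.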

Hierarchical Routing

Our routing study thus far, an idealization: all routers identical, network "flat"... not true in practice.
scale: with 200 million destinations:
- can't store all dests in routing tables
- routing table exchange would swamp links
administrative autonomy:
- internet = network of networks
- each network admin may want to control routing in its own network

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS

Interconnected ASes

(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. In each router the intra-AS routing algorithm and the inter-AS routing algorithm together fill the forwarding table.)

Forwarding table is configured by both intra- and inter-AS routing algorithm:
- Intra-AS sets entries for internal dests
- Inter-AS & Intra-AS set entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX Distribution in 1982
Distance metric: # of hops (max = 15 hops)
# of hops = # of subnets traversed along the shortest path from src router to dst subnet

(Figure: routers A, B, C, D; subnets u, v, w, x, y, z; e.g. src = A:)
destination  hops
u            1
v            2
w            2
x            3
y            3
z            2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses Link State algorithm:
- LS packet dissemination
- Topology map at each node
- Route computation using Dijkstra's algorithm
- Link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone
- Link-state advertisements only in area
- each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to the rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
AS2 can aggregate prefixes in its advertisement

(Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
Two important attributes:
- AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
- NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: admin wants control over how its traffic is routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed
Scale:
- hierarchical routing saves table size, reduced update traffic
Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
- encapsulate datagram into frame, adding header, trailer
- channel access if shared medium
- "MAC" addresses used in frame headers to identify source, dest (different from IP address)
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit error link (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning:
- divide channel into smaller "pieces" (time slots, frequency, code)
- allocate piece to node for exclusive use
Random Access:
- channel not divided, allow collisions
- "recover" from collisions
"Taking turns":
- Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN; stations 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity: gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time!
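The efficiency derivation above, carried out numerically. This is an added example, not code from the slides: it evaluates Np(1-p)^(N-1), finds the maximizing p by grid search, shows the approach to 1/e, and checks the "long-run fraction of successful slots" reading by simulation. The function names and the simulation seed are this example's own.

```python
# Added example, not from the slides: the slotted ALOHA efficiency formula above, its
# maximization over p, and a small Monte Carlo check of the long-run success fraction.
import math
import random


def success_prob(n: int, p: float) -> float:
    """P(exactly one of n nodes transmits in a slot) = N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n: int, steps: int = 1000) -> float:
    """Grid search for the p that maximizes success_prob; the analytic answer is p = 1/N."""
    return max((i / steps for i in range(1, steps)), key=lambda p: success_prob(n, p))


def max_efficiency(n: int) -> float:
    """Efficiency at the optimal p = 1/N, i.e. (1 - 1/N)^(N-1); tends to 1/e as N grows."""
    return success_prob(n, 1.0 / n)


def simulate(n: int, p: float, slots: int, seed: int = 1):
    """Fraction of slots that were a success, idle, or a collision, by direct simulation."""
    rng = random.Random(seed)
    counts = {"success": 0, "idle": 0, "collision": 0}
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            counts["success"] += 1
        elif transmitters == 0:
            counts["idle"] += 1
        else:
            counts["collision"] += 1
    return {k: v / slots for k, v in counts.items()}


if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print(n, "nodes: best p =", round(best_p(n), 3), "efficiency =", round(max_efficiency(n), 4))
    print("limit 1/e =", round(1 / math.e, 4))
    print("simulated, 10 nodes, p = 0.1:", simulate(10, 0.1, 20000))
```

The simulation also reports the idle and collision fractions, which together account for the roughly 63% of slots the formula says are wasted when N is large.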

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit
- If channel sensed idle: transmit entire frame
- If channel sensed busy: defer transmission
Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
(Figure: spatial layout of nodes; note the role of distance & propagation delay in determining collision probability)

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
(Figure: CSMA/CD collision detection)

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?

(Figure: LAN with four interfaces; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address
- Dest MAC address = FF-FF-FF-FF-FF-FF
- all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
- frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
- soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

(Figure: A --- R --- B)

A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
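The ARP soft state from the previous slide and the A-to-B walkthrough above, as one simulation. This is an added example and not code from the slides: R's A-side interface (111.111.111.110, E6-E9-00-17-BB-4B) is the slide's, while the other addresses and MACs, the class names, and the simplification that subnets are /24 and identified by their first three octets are this example's own assumptions.

```python
# Added example, not from the slides: ARP soft state with a TTL, and the A -> R -> B walkthrough above.
# R's A-side interface (111.111.111.110, E6-E9-00-17-BB-4B) is from the slide; the other addresses and
# MACs are constructed for this example. Subnets are taken to be /24 and identified by the first three octets.
ARP_TTL = 20 * 60            # seconds: the slide's "typically 20 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


class ArpTable:
    """IP -> MAC mappings that are forgotten after ttl seconds unless refreshed (soft state)."""
    def __init__(self, ttl=ARP_TTL):
        self.ttl, self.entries = ttl, {}

    def lookup(self, ip, now):
        mac, expires = self.entries.get(ip, (None, 0))
        if mac is None or expires <= now:
            self.entries.pop(ip, None)           # timed out: the entry goes away
            return None
        return mac

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)


class Lan:
    """One broadcast segment: members maps each attached interface's IP to its MAC."""
    def __init__(self, name):
        self.name, self.members, self.queries = name, {}, []

    def resolve(self, table, ip, now):
        """Return the MAC for ip; broadcast an ARP query only on a cache miss and cache the reply."""
        mac = table.lookup(ip, now)
        if mac is None:
            self.queries.append((BROADCAST, ip))        # query goes to every adapter on the LAN
            mac = self.members.get(ip)
            if mac is None:
                raise LookupError("nobody on %s answers for %s" % (self.name, ip))
            table.learn(ip, mac, now)                   # the owner replied by unicast
        return mac


def subnet_of(ip):
    return ip.rsplit(".", 1)[0]


class Host:
    def __init__(self, ip, mac, lan, gateway_ip):
        self.ip, self.mac, self.lan, self.gateway_ip = ip, mac, lan, gateway_ip
        self.arp = ArpTable()
        lan.members[ip] = mac


class Router:
    """One ARP table per attached LAN, as on the slide; routes by the destination's /24 subnet."""
    def __init__(self, interfaces):
        self.ifaces = {subnet_of(ip): (ip, mac, lan) for ip, mac, lan in interfaces}
        self.arp = {ip: ArpTable() for ip, _, _ in interfaces}
        for ip, mac, lan in interfaces:
            lan.members[ip] = mac

    def forward(self, datagram, now):
        ip, mac, lan = self.ifaces[subnet_of(datagram["dst"])]    # routing table lookup
        dst_mac = lan.resolve(self.arp[ip], datagram["dst"], now)
        return {"lan": lan.name, "src_mac": mac, "dst_mac": dst_mac, "datagram": datagram}


def send(a, b, router, now):
    """Host a sends an IP datagram to host b; returns the frames put on the wire, in order."""
    datagram = {"src": a.ip, "dst": b.ip}      # IP addresses never change along the way
    next_ip = b.ip if subnet_of(a.ip) == subnet_of(b.ip) else a.gateway_ip
    dst_mac = a.lan.resolve(a.arp, next_ip, now)
    frames = [{"lan": a.lan.name, "src_mac": a.mac, "dst_mac": dst_mac, "datagram": datagram}]
    if next_ip != b.ip:                         # R strips the frame and re-encapsulates for B's LAN
        frames.append(router.forward(datagram, now))
    return frames


def build_topology():
    lan1, lan2 = Lan("LAN1"), Lan("LAN2")
    r = Router([("111.111.111.110", "E6-E9-00-17-BB-4B", lan1),     # from the slide
                ("222.222.222.220", "1A-23-F9-CD-06-9B", lan2)])    # constructed
    a = Host("111.111.111.111", "74-29-9C-E8-FF-55", lan1, "111.111.111.110")   # constructed
    b = Host("222.222.222.222", "49-BD-D2-C7-56-2A", lan2, "222.222.222.220")   # constructed
    return a, b, r, lan1, lan2


if __name__ == "__main__":
    a, b, r, lan1, lan2 = build_topology()
    for frame in send(a, b, r, now=0):
        print(frame)
    print("ARP queries on LAN1:", lan1.queries, "on LAN2:", lan2.queries)
```

Two things to notice in the output: the IP datagram inside both frames is identical while the MAC addresses change at R, and a second send shortly afterwards produces no ARP traffic at all, whereas a send after the 20-minute TTL triggers fresh queries on both LANs.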

Ethernet uses CSMA/CD

No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
- heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}...
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
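Steps 2 to 5 of the algorithm, the backoff arithmetic, and the efficiency formula above, as code. This is an added example, not code from the slides: the cap of m at 10 and the give-up after 16 attempts are 802.3 rules that the slides do not state, and the send_frame helper, its seed, and the sample propagation/transmission times are this example's own.

```python
# Added example, not from the slides: the exponential-backoff choice of K from steps 4-5 above,
# the resulting wait in bit times and seconds, and the slide's CSMA/CD efficiency formula.
# The cap of m at 10 and the give-up after 16 attempts are 802.3 rules not stated on the slide.
import random

SLOT_BITS = 512                     # K is multiplied by 512 bit times
JAM_BITS = 48


def backoff_range(collision_count: int) -> range:
    """After the m-th collision, K is drawn from {0, 1, ..., 2^m - 1}; m is capped at 10 (max K = 1023)."""
    if collision_count < 1:
        raise ValueError("backoff only follows a collision")
    return range(2 ** min(collision_count, 10))


def wait_bit_times(k: int) -> int:
    return k * SLOT_BITS


def wait_seconds(k: int, rate_bps: int = 10_000_000) -> float:
    """Bit time is 1/rate: 0.1 microsecond on 10 Mbps Ethernet."""
    return wait_bit_times(k) / rate_bps


def send_frame(collides, seed: int = 0, max_attempts: int = 16):
    """Run steps 2-5 for one frame. `collides(attempt)` says whether the 1-based attempt number
    hits a collision. Returns (delivered, attempts used, total backoff in bit times)."""
    rng = random.Random(seed)
    total_wait = 0
    for attempt in range(1, max_attempts + 1):
        if not collides(attempt):
            return True, attempt, total_wait          # step 3: entire frame sent
        k = rng.choice(backoff_range(attempt))         # step 5: m-th collision -> K in 0..2^m-1
        total_wait += wait_bit_times(k)
    return False, max_attempts, total_wait             # frame abandoned after the last attempt


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slide formula: efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        r = backoff_range(m)
        print("collision %2d: K in 0..%d, worst wait %.4f s" % (m, r.stop - 1, wait_seconds(r.stop - 1)))
    print(send_frame(lambda attempt: attempt <= 3, seed=7))
    # constructed inputs: 10 Mbps, about 12.5 us propagation, 1500-byte frame (1.2 ms transmission)
    print("efficiency:", round(csma_cd_efficiency(12.5e-6, 1.2e-3), 3))
```

wait_seconds(1023) reproduces the slide's "about 50 msec" figure (523,776 bit times at 0.1 microsecond each).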

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (e.g. can disconnect a malfunctioning adapter)
(Figure: hub with twisted pair links)

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
(Figure: three hubs connected through a backbone hub)

Switch

Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
(Figure: switch with interfaces 1, 2, 3, each attached to a hub)

Self learning

A switch has a switch table
entry in switch table: (MAC Address, Interface, Time Stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces:
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments
switch filters packets:
- same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
(Figure: one switch, three hubs, three separate collision domains)

Switches vs. Routers

both store-and-forward devices
- routers: network layer devices (examine network layer headers)
- switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes
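The self-learning, filtering and flooding behaviour of the last few slides as a small switch model. This is an added example, not code from the slides: the MAC addresses are the ones in the ARP figure, while the interface numbers, the frame sequence in demo, and the LearningSwitch class are this example's own.

```python
# Added example, not from the slides: a self-learning, filtering switch with the switch table
# described above. The MAC addresses are the slide's ARP-figure values; interface numbers are constructed.
AGING_SECONDS = 60 * 60             # the slide's "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces, ttl=AGING_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}             # MAC address -> (interface, time stamp of the last frame seen from it)

    def _drop_stale(self, now):
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.ttl]:
            del self.table[mac]

    def receive(self, frame, in_iface, now):
        """Learn the sender's location, then decide where the frame goes.
        Returns the list of outgoing interfaces ([] means the frame was filtered)."""
        self._drop_stale(now)
        self.table[frame["src"]] = (in_iface, now)                  # self-learning
        if frame["dst"] == BROADCAST or frame["dst"] not in self.table:
            return [i for i in self.interfaces if i != in_iface]   # unknown: flood, except where it came from
        out_iface = self.table[frame["dst"]][0]
        if out_iface == in_iface:
            return []                                               # same segment: filter
        return [out_iface]                                          # selectively forward


# Constructed frames; MACs from the slide's ARP figure
A, B, C, D = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98", "71-65-F7-2B-08-53"


def demo():
    sw = LearningSwitch([1, 2, 3])
    trace = []
    trace.append(sw.receive({"src": A, "dst": B}, 1, now=0))      # B unknown: flooded to 2, 3
    trace.append(sw.receive({"src": B, "dst": A}, 2, now=1))      # A known on 1: forwarded to [1]
    trace.append(sw.receive({"src": C, "dst": A}, 1, now=2))      # A on the same segment: filtered
    trace.append(sw.receive({"src": D, "dst": A}, 3, now=AGING_SECONDS + 3))   # A's entry aged out: flood again
    return sw, trace


if __name__ == "__main__":
    sw, trace = demo()
    print(trace)
    print(sw.table)
```

The last frame in demo shows the effect of the time stamp: once an entry is older than the TTL the switch forgets it and falls back to flooding until the host is heard from again.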

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, which means A, C are unaware of their interference at B
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
(Figure: A, B, C in a line; A's signal strength and C's signal strength over space both reach B but not each other)

IEEE 802.11 Wireless LAN

802.11b:
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code
- widely deployed, using base stations
802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
- wireless hosts
- access point (AP): base station
ad hoc mode: hosts only
(Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
(Figure: sender waits DIFS, then sends data; receiver waits SIFS, then sends ACK)

Collision Avoidance: RTS-CTS exchange

(Figure: A and B both send an RTS to the AP; the RTS(A) and RTS(B) reservations collide; the AP answers CTS(A), which B also hears and defers; A sends DATA(A); the AP returns ACK(A))

802.11 frame (field sizes in bytes):
frame control 2 | duration 2 | address 1: 6 | address 2: 6 | address 3: 6 | seq control 2 | address 4: 6 | payload 0-2312 | CRC 4

802.11 frame: addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

(Figure: H1 --- AP --- R1 --- Internet)
802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame from the AP to R1: dest address = R1 MAC addr, source address = AP MAC addr

Network Security

What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks


Limitations of firewalls and gateways

IP spoofing: router can't know if data "really" comes from claimed source
if multiple apps need special treatment, each has own app gateway
client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks

Overview

What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures

Internet security threats

Mapping:
- before attacking: "case the joint", find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?

Internet security threats

Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)

Internet security threats

Packet sniffing:
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets
(Figure: A, B, C on a shared segment; the frame src:B dest:A payload is seen by C)
Countermeasures?

Internet security threats

Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)

Internet security threats

IP Spoofing:
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
(Figure: A, B, C; C sends a frame src:B dest:A payload)
Countermeasures?

Internet security threats

IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
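The ingress-filtering rule above as a border-router check. This is an added example, not code from the slides: the router's own networks are the slide's three 223.1.x.0/24 subnets, while the sample datagrams, the IngressFilter class and the use of Python's ipaddress module are this example's own.

```python
# Added example, not from the slides: the ingress-filtering check above, applied at a border router
# to datagrams leaving its networks. The sample datagrams are constructed for the example.
import ipaddress


class IngressFilter:
    """Forward an outgoing datagram only if its source address belongs to one of this router's networks."""
    def __init__(self, own_networks):
        self.networks = [ipaddress.ip_network(n) for n in own_networks]
        self.dropped = []

    def valid_source(self, src: str) -> bool:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False                                 # not even an address: never forward
        return any(addr in net for net in self.networks)

    def filter_outgoing(self, datagrams):
        """Return the datagrams to forward; the ones with a foreign source go to self.dropped."""
        forwarded = []
        for d in datagrams:
            (forwarded if self.valid_source(d["src"]) else self.dropped).append(d)
        return forwarded


# Constructed sample: a router that owns 223.1.1.0/24, 223.1.2.0/24, 223.1.3.0/24 (the slide's subnets)
OUTGOING = [
    {"src": "223.1.1.1", "dst": "128.119.40.186"},      # genuine
    {"src": "223.1.3.27", "dst": "128.119.40.186"},     # genuine
    {"src": "138.76.29.7", "dst": "128.119.40.186"},    # claims a source outside our networks: spoofed
    {"src": "10.0.0.1", "dst": "128.119.40.186"},       # private address, not ours either
]


def run_filter():
    f = IngressFilter(["223.1.1.0/24", "223.1.2.0/24", "223.1.3.0/24"])
    forwarded = f.filter_outgoing(OUTGOING)
    return [d["src"] for d in forwarded], [d["src"] for d in f.dropped]


if __name__ == "__main__":
    forwarded, dropped = run_filter()
    print("forwarded:", forwarded)
    print("dropped as spoofed:", dropped)
```

The check only works at the edge of the network whose addresses it knows, which is the slide's caveat: a receiver elsewhere still cannot tell a spoofed source from a real one if the sender's own network does not filter.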

Internet security threats

Denial of service (DOS):
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
(Figure: SYN packets from C and from a remote host converge on A)
Countermeasures?

Internet security threats

Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
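The "record traffic entering the network and look for suspicious activity" countermeasure from the mapping slide and the SYN-flood countermeasure above, as detection logic over recorded traffic. This is an added example, not code from the slides: the log format, the constructed log lines (documentation-range addresses), the thresholds and the function names are this example's own.

```python
# Added example, not from the slides: the two countermeasures above as detection logic over
# recorded traffic: sequential port scans per source and SYN floods per destination.
# The log lines are constructed (documentation-range addresses), not captured traffic.
from collections import defaultdict

# Fields: time(s) src dst dport flags   ('S' = SYN only, 'SA' = SYN-ACK, 'A' = ACK)
SAMPLE_LOG = """\
0.00 203.0.113.5 192.0.2.10 80 S
0.01 192.0.2.10 203.0.113.5 41000 SA
0.02 203.0.113.5 192.0.2.10 80 A
0.10 198.51.100.9 192.0.2.10 20 S
0.11 198.51.100.9 192.0.2.10 21 S
0.12 198.51.100.9 192.0.2.10 22 S
0.13 198.51.100.9 192.0.2.10 23 S
0.14 198.51.100.9 192.0.2.10 24 S
0.15 198.51.100.9 192.0.2.10 25 S
0.16 198.51.100.9 192.0.2.10 26 S
0.17 198.51.100.9 192.0.2.10 27 S
0.50 203.0.113.5 192.0.2.10 443 S
"""
# A burst of 30 SYNs to one host within 0.3 s (constructed the same way)
SAMPLE_LOG += "".join("%.2f 203.0.113.77 192.0.2.20 80 S\n" % (10 + i * 0.01) for i in range(30))


def parse(log):
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, flags = line.split()
        records.append({"t": float(t), "src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return records


def detect_sequential_scans(records, min_run=5):
    """Per (src, dst): longest run of SYNs to consecutive ports in time order. Report runs >= min_run."""
    ports = defaultdict(list)
    for r in sorted(records, key=lambda r: r["t"]):
        if r["flags"] == "S":
            ports[(r["src"], r["dst"])].append(r["dport"])
    hits = {}
    for pair, seq in ports.items():
        run = best = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[pair] = best
    return hits


def detect_syn_floods(records, window=1.0, threshold=20):
    """Per destination: the largest number of SYN-only packets inside any window-second interval."""
    times = defaultdict(list)
    for r in records:
        if r["flags"] == "S":
            times[r["dst"]].append(r["t"])
    hits = {}
    for dst, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[dst] = best
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("sequential scans:", detect_sequential_scans(recs))
    print("SYN floods:", detect_syn_floods(recs))
```

The two detectors key on different things: the scan detector looks at one source walking consecutive ports on one host, the flood detector at the SYN rate arriving at one destination regardless of source, which is why a distributed flood still shows up there. The source addresses either detector reports are only as trustworthy as the spoofing discussion above allows.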

Review (1)

Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles: Link State Algorithm, Distance Vector Algorithm
- The Internet (IP) Protocol: IPv4 addressing, Datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)

Review (2)

Routing in the Internet
- Hierarchical routing, RIP, OSPF, BGP
Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA, Random Access Protocols, "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
Mobile and wireless networks
- CDMA
- IEEE 802.11 wireless LANs

Review (3)

What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
Global:
- all routers have complete topology, link cost info
- "link state" algorithms
Decentralized:
- router knows physically-connected neighbors, link costs to neighbors
- iterative process of computation, exchange of info with neighbors
- "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm example

(Figure: graph with link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2)

Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
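The pseudocode two slides up, run on the example graph. This is an added example, not code from the slides: the link costs are the figure's (the edge assignment is the one consistent with the worked table), while the graph dictionary, the step recording and the helper names (dijkstra, path, forwarding_table) are this example's own.

```python
# Added example, not from the slides: Dijkstra's algorithm as written above, run on the graph of
# the example figure. Link costs are the figure's; the graph dict itself is constructed here.
INF = float("inf")

LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def adjacency(links):
    c = {}
    for (a, b), cost in links.items():
        c.setdefault(a, {})[b] = cost
        c.setdefault(b, {})[a] = cost
    return c


def dijkstra(links, source):
    """Returns (D, p, steps): least cost to every node, predecessor on that path, and the
    sequence of (N', D) after each step, i.e. the rows of a table like the slide's."""
    c = adjacency(links)
    # Initialization: N' = {u}; D(v) = c(u,v) for neighbors, infinity otherwise
    N = [source]
    D = {v: c[source].get(v, INF) for v in c}
    D[source] = 0
    p = {v: source for v in c[source]}
    steps = [(list(N), dict(D))]
    # Loop until all nodes are in N'
    while len(N) < len(c):
        w = min((v for v in c if v not in N), key=lambda v: D[v])   # w not in N' with minimum D(w)
        N.append(w)
        for v, cost in c[w].items():                                # update D(v) for v adjacent to w, not in N'
            if v not in N and D[w] + cost < D[v]:
                D[v] = D[w] + cost
                p[v] = w
        steps.append((list(N), dict(D)))
    return D, p, steps


def path(p, source, dest):
    """Walk the predecessors back from dest to source."""
    route = [dest]
    while route[-1] != source:
        route.append(p[route[-1]])
    return route[::-1]


def forwarding_table(links, source):
    """What the router actually needs from the result: the next hop for every destination."""
    D, p, _ = dijkstra(links, source)
    return {dest: path(p, source, dest)[1] for dest in D if dest != source}


if __name__ == "__main__":
    D, p, steps = dijkstra(LINKS, "u")
    for i, (N, d) in enumerate(steps):
        print(i, "".join(N), {v: (d[v], p.get(v)) for v in sorted(d) if v != "u"})
    print("forwarding table at u:", forwarding_table(LINKS, "u"))
```

Ties (v and y both at cost 2 after step 1) may be broken in a different order than the slide's table, but the final costs and predecessors are the same; the forwarding table at u sends everything except v through x, which is the only information a router keeps from the computation.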

Distance vector algorithm (1)

Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  Dx(y) ← min_v { c(x,v) + Dv(y) }   for each node y ∈ N
Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor

local link cost change DV update message from

neighborDistributed each node notifies

neighbors only when its DV changes neighbors then notify

their neighbors if necessary

The algorithm doesnrsquot know the entire path ndash only knows the next hop

wait for (change in local link cost of msg from neighbor)

recompute estimates

if DV to any dest has

changed notify neighbors

Each node

x y z

xyz

0 2 7

infin infin infininfin infin infin

from

cost to

from

from

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 3

from

cost to

x y z

xyz

infin infin

infin infin infin

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

0 2 3

from

cost to

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

infin infin infin7 1 0

cost to

infin2 0 1

infin infin infin

2 0 17 1 0

2 0 17 1 0

2 0 13 1 0

2 0 13 1 0

2 0 1

3 1 0

2 0 1

3 1 0

time

x z12

7

y

node x table

node y table

node z table

Dx(y) = minc(xy) + Dy(y) c(xz) + Dz(y) = min2+0 7+1 = 2

Dx(z) = minc(xy) + Dy(z) c(xz) + Dz(z) = min2+1 7+0 = 3

The Internet Network layer

forwardingtable

Host router network layer functions

Routing protocolsbullpath selectionbullRIP OSPF BGP

IP protocolbulladdressing conventionsbulldatagram formatbullpacket handling conventions

ICMP protocolbullerror reportingbullrouter ldquosignalingrdquo

Transport layer TCP UDP

Link layer

physical layer

Networklayer

IP datagram format

ver length

32 bits

data (variable lengthtypically a TCP

or UDP segment)

16-bit identifier

Internet checksum

time tolive

32 bit source IP address

IP protocol versionnumber

header length (bytes)

max numberremaining hops

(decremented at each router)

forfragmentationreassembly

total datagramlength (bytes)

upper layer protocolto deliver payload to

headlen

type ofservice

ldquotyperdquo of data flgsfragment

offsetupper layer

32 bit destination IP address

Options (if any) Eg timestamprecord routetaken specifylist of routers to visit

how much overhead with TCP

20 bytes of TCP 20 bytes of IP = 40 bytes + app

layer overhead

IP Addressing introduction IP address 32-bit

identifier for host router interface

interface connection between hostrouter and physical link routerrsquos typically have

multiple interfaces host may have

multiple interfaces IP addresses

associated with each interface

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

223111 = 11011111 00000001 00000001 00000001

223 1 11

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF "advanced" features (not in RIP)

• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF

• Two-level hierarchy: local area, backbone
• Link-state advertisements only in area; each node has detailed area topology
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
• Backbone routers: run OSPF routing limited to backbone
• Boundary routers: connect to other ASes

Internet inter-AS routing: BGP

• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
• Allows a subnet to advertise its existence to the rest of the Internet: "I am here"

BGP basics

• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
• Note that BGP sessions do not correspond to physical links
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
• AS2 can aggregate prefixes in its advertisement

[Figure: AS1, AS2, AS3 with routers 1a-1d, 2a-2c, 3a-3c; eBGP sessions run between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes & BGP routes

• When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
• Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed, e.g. AS 67, AS 17
  • NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
• When gateway router receives route advert, uses import policy to accept/decline
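As an added example (not code from the lecture), a small Python model of the import step just described: a router declines an advert whose AS-PATH already contains its own AS (a loop), applies an import policy, keeps the route with the shorter AS-PATH, prepends its own AS on export, and aggregates adjacent prefixes with the standard library. The prefix 200.23.16.0/23 is the one the CIDR slide uses; the AS numbers other than 67 and 17, the link names, the sample import policy and the "shortest AS-PATH wins" selection rule are assumptions of this example (real BGP selection weighs more attributes than path length).

```python
import ipaddress


class Route:
    """prefix + attributes = 'route'. AS-PATH lists the ASes the advert passed through, most recent first."""
    def __init__(self, prefix, as_path, next_hop):
        self.prefix, self.as_path, self.next_hop = prefix, list(as_path), next_hop

    def __repr__(self):
        return f"Route({self.prefix}, AS-PATH={self.as_path}, NEXT-HOP={self.next_hop})"


class BgpRouter:
    def __init__(self, asn, import_policy=None):
        self.asn = asn
        self.import_policy = import_policy or (lambda route, peer: True)   # accept everything by default
        self.rib = {}          # prefix -> best Route known so far
        self.declined = []     # (prefix, reason) audit trail of rejected adverts

    def originate(self, prefix, next_hop):
        self.rib[prefix] = Route(prefix, [], next_hop)

    def receive_advert(self, route, from_peer_asn):
        """Import policy: decline loops and policy violations; otherwise keep the shorter AS-PATH (assumption)."""
        if self.asn in route.as_path:
            self.declined.append((route.prefix, "loop"))
            return False
        if not self.import_policy(route, from_peer_asn):
            self.declined.append((route.prefix, "policy"))
            return False
        current = self.rib.get(route.prefix)
        if current is None or len(route.as_path) < len(current.as_path):
            self.rib[route.prefix] = route
            return True
        return False

    def advertise(self, prefix, next_hop):
        """Export: prepend our AS to AS-PATH and set NEXT-HOP to our link towards the peer."""
        return Route(prefix, [self.asn] + self.rib[prefix].as_path, next_hop)


def aggregate(prefixes):
    """'AS2 can aggregate prefixes in its advertisement': adjacent networks collapse into one."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def scenario():
    """Constructed exchange: AS 17 originates, AS 67 relays, AS 1 chooses; the advert then loops back to AS 17."""
    prefix = "200.23.16.0/23"
    as17, as67 = BgpRouter(17), BgpRouter(67)
    as1 = BgpRouter(1, import_policy=lambda r, peer: 99 not in r.as_path)   # sample policy: never via AS 99
    as17.originate(prefix, "local")
    as67.receive_advert(as17.advertise(prefix, "17-67 link"), from_peer_asn=17)   # AS-PATH [17]
    as1.receive_advert(as67.advertise(prefix, "67-1 link"), from_peer_asn=67)     # AS-PATH [67, 17]
    as1.receive_advert(Route(prefix, [3, 2, 17], "3-1 link"), from_peer_asn=3)    # longer path, not preferred
    as1.receive_advert(Route(prefix, [99, 17], "99-1 link"), from_peer_asn=99)    # declined by policy
    as17.receive_advert(as1.advertise(prefix, "1-17 link"), from_peer_asn=1)      # AS-PATH [1, 67, 17]: loop
    return as1, as17


if __name__ == "__main__":
    as1, as17 = scenario()
    print("AS 1 best route:", as1.rib["200.23.16.0/23"])
    print("AS 1 declined:", as1.declined, " AS 17 declined:", as17.declined)
    print("aggregated:", aggregate(["200.23.16.0/24", "200.23.17.0/24"]))
```

`scenario()` shows the three import outcomes side by side: the route via AS 67 is installed, the longer path through AS 3 is held back, the path through AS 99 is declined by policy, and the advert carrying AS-PATH [1, 67, 17] is declined at AS 17 because its own number is already on the path.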

Why different Intra- and Inter-AS routing?

• Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed
• Scale: hierarchical routing saves table size, reduced update traffic
• Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
• layer-2 packet is a frame, encapsulates datagram
• data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

• Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest; different from IP address!
• Reliable delivery between adjacent nodes:
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit-error link (fiber, some twisted pair)
  • wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
• Random Access: channel not divided, allow collisions; "recover" from collisions
• "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

• TDMA: time division multiple access; access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle
• example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
• TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
• FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple

Cons:
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency

• Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
• Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
• At best: channel used for useful transmissions 37% of time!
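The efficiency derivation above, carried out in Python as an added example (not the lecture's code): the success probability Np(1-p)^(N-1), a grid search for the maximizing p* (which lands on 1/N), the value at p* for growing N approaching 1/e, and a Monte Carlo run of backlogged nodes that reproduces the analytic figure. The grid resolution, seed and slot counts are choices of this example.

```python
import math
import random


def success_probability(n, p):
    """P(exactly one of N nodes transmits in a slot) = N p (1-p)^(N-1), the slide's per-slot success rate."""
    if n < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need n >= 1 and 0 <= p <= 1")
    return n * p * (1.0 - p) ** (n - 1)


def best_p(n, steps=1000):
    """Grid search for the p* that maximizes N p (1-p)^(N-1); analytically p* = 1/N."""
    candidates = [k / steps for k in range(1, steps)]
    return max(candidates, key=lambda p: success_probability(n, p))


def best_efficiency(n):
    """Efficiency at p* = 1/N, i.e. (1 - 1/N)^(N-1), which tends to 1/e as N grows."""
    return success_probability(n, 1.0 / n)


def limit_efficiency():
    """The slide's limit for many nodes: 1/e, about 0.37."""
    return 1.0 / math.e


def simulate(n, p, slots, seed=1):
    """Monte Carlo check: n backlogged nodes, each transmitting in every slot with probability p.
    Returns (successful, collided, idle) slot counts; successful/slots estimates the efficiency."""
    rng = random.Random(seed)
    successful = collided = idle = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            successful += 1
        elif transmitters == 0:
            idle += 1
        else:
            collided += 1
    return successful, collided, idle


if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print(f"N={n:5d}  p*={best_p(n):.3f}  efficiency={best_efficiency(n):.4f}")
    print(f"limit 1/e = {limit_efficiency():.4f}")
    ok, col, idle = simulate(10, 0.1, 20000)
    print(f"simulated efficiency, N=10, p=0.1: {ok / 20000:.3f} (collisions {col}, idle {idle})")
```

The simulation also separates the two kinds of wasted slot the "Cons" list names, collisions and idle slots, so the 37% ceiling can be seen as the balance between them.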

CSMA (Carrier Sense Multiple Access)

• CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy, defer transmission
• Human analogy: don't interrupt others!

CSMA collisions

• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted
• note: role of distance & propagation delay in determining collision probability

[Figure: spatial layout of nodes and a space-time diagram of two overlapping transmissions]

CSMA/CD (Collision Detection)

• CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
• collision detection:
  • easy in wired LANs: measure signal strengths, compare transmitted, received signals
  • difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[Figure: space-time diagram in which both transmitters detect the collision and abort]

"Taking Turns" MAC protocols

• Polling: master node "invites" slave nodes to transmit in turn
  • concerns: polling overhead, latency, single point of failure (master)
• Token passing: control token passed from one node to next sequentially; token message
  • concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

• Each IP node (Host, Router) on LAN has ARP table
• ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL>
• TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
• Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

• A wants to send datagram to B, and B's MAC address not in A's ARP table
• A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
• soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: host A and host B on two LANs joined by router R]

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
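The ARP exchange and the two-LAN walkthrough above, as an added Python model (not code from the lecture): interfaces keep a soft-state ARP table whose entries expire after the 20-minute TTL, a miss triggers a broadcast query to FF-FF-FF-FF-FF-FF, the target answers with a unicast reply, and a router with one interface per LAN resolves B on the far side. The router interface 111.111.111.110 / E6-E9-00-17-BB-4B comes from the slide; every other address, and the LAN/frame model itself, is constructed for this example.

```python
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_TTL_SECONDS = 20 * 60   # slide: a cached mapping is forgotten after typically 20 min


class Lan:
    """One broadcast LAN segment: a frame reaches every attached interface."""
    def __init__(self):
        self.interfaces = []
        self.frames = []   # (src MAC, dst MAC, payload type) of every frame put on the wire

    def send(self, src, dst_mac, payload):
        self.frames.append((src.mac, dst_mac, payload["type"]))
        for iface in self.interfaces:
            if iface is not src and dst_mac in (BROADCAST_MAC, iface.mac):
                iface.receive(src, payload)


class Interface:
    """An IP node's interface on a LAN, with its own ARP table of <IP address; MAC address; TTL>."""
    def __init__(self, ip, mac, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_table = {}   # IP -> (MAC, expiry time)
        lan.interfaces.append(self)

    def receive(self, src, payload):
        if payload["type"] == "ARP-query" and payload["target_ip"] == self.ip:
            # the query names my IP: answer with my MAC, unicast back to the querier's MAC
            self.lan.send(self, src.mac, {"type": "ARP-reply", "ip": self.ip, "mac": self.mac, "now": payload["now"]})
        elif payload["type"] == "ARP-reply":
            self.arp_table[payload["ip"]] = (payload["mac"], payload["now"] + ARP_TTL_SECONDS)

    def resolve(self, ip, now):
        """MAC for ip: a fresh cache entry, else broadcast a query and use the reply (soft state)."""
        cached = self.arp_table.get(ip)
        if cached and cached[1] > now:
            return cached[0]
        self.arp_table.pop(ip, None)                    # stale entry has timed out
        self.lan.send(self, BROADCAST_MAC, {"type": "ARP-query", "target_ip": ip, "now": now})
        cached = self.arp_table.get(ip)                 # filled in by the reply, if anyone answered
        return cached[0] if cached else None


def build_topology():
    """Hosts A and B on two LANs joined by router R. R's interface on A's LAN uses the slide's
    111.111.111.110 / E6-E9-00-17-BB-4B; the other addresses are constructed."""
    lan1, lan2 = Lan(), Lan()
    a = Interface("111.111.111.111", "74-29-9C-E8-FF-55", lan1)
    r_in = Interface("111.111.111.110", "E6-E9-00-17-BB-4B", lan1)
    r_out = Interface("222.222.222.220", "1A-23-F9-CD-06-9B", lan2)
    b = Interface("222.222.222.222", "49-BD-D2-C7-56-2A", lan2)
    return a, b, (r_in, r_out), lan1, lan2


def send_via_router(a, router, b_ip, now):
    """The slide's walkthrough. Returns the two link-layer hops as (source MAC, destination MAC)."""
    r_in, r_out = router
    # A's routing table names R (111.111.111.110) as next hop; A's ARP table supplies R's MAC
    hop1 = (a.mac, a.resolve(r_in.ip, now))          # this frame carries the A-to-B datagram to R
    # R strips the frame, sees the datagram is for B, resolves B on the second LAN, re-frames it
    hop2 = (r_out.mac, r_out.resolve(b_ip, now))
    return [hop1, hop2]


if __name__ == "__main__":
    a, b, router, lan1, lan2 = build_topology()
    print("hops:", send_via_router(a, router, b.ip, now=0))
    print("frames on LAN 1:", lan1.frames)
    print("A's ARP table:", a.arp_table)
```

Running it shows the first LAN carrying exactly two ARP frames (the broadcast query and the unicast reply) and A's table holding R's mapping with an expiry 1200 seconds out; resolving again after that time repeats the exchange, which is the "soft state" behaviour on the slide.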

Ethernet uses CSMA/CD

• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

• Jam Signal: make sure all other transmitters are aware of collision; 48 bits
• Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
• Exponential Backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
  • first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
  • after second collision: choose K from {0, 1, 2, 3}...
  • after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
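The backoff arithmetic from the two slides above, as an added Python example (not the lecture's code): the K range after the m-th collision, capped at 1023 from the tenth collision on, the wait in microseconds at the 10 Mbps bit time of 0.1 microsecond (K=1023 gives the slide's "about 50 msec"), and a toy contention round in which several adapters that collided draw K and the unique smallest draw transmits first. The contention model, the seed and the 16-attempt cap are assumptions of this example.

```python
import random

BIT_TIME_US = 0.1          # 10 Mbps Ethernet: one bit time is 0.1 microsecond (slide: ".1 microsec")
SLOT_BIT_TIMES = 512       # backoff unit: K * 512 bit times
MAX_EXPONENT = 10          # after the tenth collision K is drawn from {0, ..., 1023}
JAM_BITS = 48              # jam signal length from the slide
MAX_ATTEMPTS = 16          # cap on retries in this model (an assumption, not stated on the slide)


def backoff_max(m):
    """Largest K after the m-th collision: K is drawn from {0, 1, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions so far, starting at 1")
    return 2 ** min(m, MAX_EXPONENT) - 1


def wait_time_us(k, bit_time_us=BIT_TIME_US):
    """Backoff wait in microseconds for a chosen K."""
    return k * SLOT_BIT_TIMES * bit_time_us


def choose_k(m, rng):
    return rng.randint(0, backoff_max(m))


def contend(n_adapters, seed=7, max_rounds=MAX_ATTEMPTS):
    """Toy contention model: n adapters start transmitting at once and collide; after the m-th
    collision each draws K, the smallest K transmits first, and a tie at the minimum is another
    collision. Returns (winner index or None, collisions, draws) with draws = each round's K values."""
    rng = random.Random(seed)
    draws = []
    for m in range(1, max_rounds + 1):
        ks = [choose_k(m, rng) for _ in range(n_adapters)]
        draws.append(ks)
        smallest = min(ks)
        if ks.count(smallest) == 1:
            return ks.index(smallest), m, draws
    return None, max_rounds, draws   # gave up after max_rounds collisions


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        worst = wait_time_us(backoff_max(m)) / 1000
        print(f"collision {m:2d}: K in 0..{backoff_max(m):4d}, worst-case wait {worst:.1f} ms")
    winner, collisions, draws = contend(3)
    print(f"3 adapters: adapter {winner} transmits after {collisions} collision(s); draws {draws}")
```

The printed table makes the slide's "heavy load: random wait will be longer" concrete: the worst-case wait doubles with each collision until it plateaus at roughly 52 ms.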

CSMA/CD efficiency

• t_prop = max propagation delay between 2 nodes in LAN
• t_trans = time to transmit max-size frame
• efficiency = 1 / (1 + 5 t_prop / t_trans)
• Efficiency goes to 1 as t_prop goes to 0
• Goes to 1 as t_trans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality; can disconnect a malfunctioning adapter

[Figure: hub with twisted pair links to each host]

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: backbone hub connecting three departmental hubs]

Switch

Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment
• transparent: hosts are unaware of presence of switches
• plug-and-play, self-learning: switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...

[Figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning

• A switch has a switch table
• entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table

Switch: traffic isolation

• switch installation breaks subnet into LAN segments
• switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
• segments become separate collision domains

[Figure: switch joining three hubs, each hub forming its own collision domain]
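The self-learning and filtering behaviour described in the two slides above, as an added Python example (not code from the lecture): a switch table keyed by MAC address with (interface, time stamp) entries, a 60-minute TTL purge, flooding of frames to unknown or broadcast destinations, selective forwarding once the destination has been learned, and filtering when source and destination share a segment. The MAC names A, B, C, the three-interface layout and the timings are constructed for this example.

```python
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
SWITCH_TTL_SECONDS = 60 * 60   # slide: stale entries dropped, TTL can be 60 min


class Switch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}   # MAC address -> (interface, time stamp)

    def purge_stale(self, now):
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > SWITCH_TTL_SECONDS:
                del self.table[mac]

    def handle_frame(self, src_mac, dst_mac, in_iface, now):
        """Self-learning plus filtering/forwarding. Returns the interfaces the frame is sent out on."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown interface {in_iface}")
        self.purge_stale(now)
        self.table[src_mac] = (in_iface, now)                     # learn: sender is reachable via in_iface
        if dst_mac == BROADCAST_MAC or dst_mac not in self.table:
            return [i for i in self.interfaces if i != in_iface]   # unknown or broadcast: flood
        out_iface, _ = self.table[dst_mac]
        if out_iface == in_iface:
            return []                                              # same segment: filter, do not forward
        return [out_iface]                                         # known location: selective forward


def demo():
    """Constructed scenario on a three-interface switch; returns the switch and the per-frame decisions."""
    sw = Switch([1, 2, 3])
    trace = [
        sw.handle_frame("A", "B", 1, now=0),                        # B unknown: flood to 2 and 3
        sw.handle_frame("B", "A", 2, now=1),                        # A known on 1: forward to 1 only
        sw.handle_frame("A", "B", 1, now=2),                        # B now known on 2
        sw.handle_frame("C", "A", 1, now=3),                        # C and A share segment 1: filtered
        sw.handle_frame("A", "B", 1, now=SWITCH_TTL_SECONDS + 10),  # every entry has aged out: flood again
    ]
    return sw, trace


if __name__ == "__main__":
    sw, trace = demo()
    for step, out in enumerate(trace, 1):
        print(f"frame {step}: sent out on {out or 'nothing (filtered)'}")
    print("switch table:", sw.table)
```

The last step shows why the time stamp matters: after the TTL the switch has forgotten B and falls back to flooding, exactly the "stale entries in table dropped" rule, and relearns A from the incoming frame.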

Switches vs. Routers

• both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

• Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B
• Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B

[Figure: nodes A, B, C in a line; A's and C's signal strengths plotted against space, both reaching B but not each other]

IEEE 802.11 Wireless LAN

• 802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations
• 802.11a: 5-6 GHz range; up to 54 Mbps
• 802.11g: 2.4-5 GHz range; up to 54 Mbps
• All use CSMA/CA for multiple access
• All have base-station and ad-hoc network versions

802.11 LAN architecture

• wireless host communicates with base station; base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
• ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP and the two RTSs collide (reservation collision); A's RTS is repeated, the AP answers CTS(A) heard by both, A sends DATA(A), the AP returns ACK(A); B defers]

802.11 frame: addressing

frame format, field sizes in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

[Figure: H1 sends to Internet router R1 through the AP. 802.11 frame from H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. The AP forwards an 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]

Network Security

• What is network security?
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks


Overview

• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures

Internet security threats

Mapping:
• before attacking: "case the joint": find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence

Countermeasures?

Internet security threats

Mapping: countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)
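The mapping countermeasure just stated, as an added Python example (not the lecture's code): a detector that reads recorded connection attempts entering the network and flags a source that, within a time window, touches many distinct ports or walks ports sequentially. The log format, the sample lines (RFC 5737 documentation addresses, one host probing ports 20 to 35 in order, two hosts making ordinary web connections) and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample capture: 198.51.100.23 walks ports 20..35 of 192.0.2.10 one per second;
# 203.0.113.8 and 203.0.113.9 make ordinary web connections.
SCAN_LINES = [
    f"2015-12-19T10:00:{i:02d} src=198.51.100.23 dst=192.0.2.10 dport={20 + i} proto=tcp"
    for i in range(16)
]
NORMAL_LINES = [
    "2015-12-19T10:00:03 src=203.0.113.8 dst=192.0.2.10 dport=80 proto=tcp",
    "2015-12-19T10:00:05 src=203.0.113.8 dst=192.0.2.10 dport=443 proto=tcp",
    "2015-12-19T10:00:07 src=203.0.113.9 dst=192.0.2.11 dport=80 proto=tcp",
    "2015-12-19T10:00:09 src=203.0.113.8 dst=192.0.2.10 dport=80 proto=tcp",
]
LOG_LINES = SCAN_LINES + NORMAL_LINES

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\w+$")


def parse(lines):
    """Yield (timestamp, src, dst, dport) for each well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers (the slide's 'scanned sequentially')."""
    best = run = 0
    prev = None
    for port in sorted(set(ports)):
        run = run + 1 if prev is not None and port == prev + 1 else 1
        best = max(best, run)
        prev = port
    return best


def detect_scans(lines, window=timedelta(seconds=60), min_ports=10, min_run=5):
    """Flag a (src, dst) pair when, inside any `window`, the source touches at least `min_ports`
    distinct ports or at least `min_run` consecutive ones. Returns {src: summary of the worst window}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        by_pair[(src, dst)].append((ts, dport))
    flagged = {}
    for (src, dst), events in by_pair.items():
        events.sort()
        best = (0, 0, None)           # (distinct ports, longest run, window start)
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1            # slide the window forward
            ports = [p for _, p in events[start:end + 1]]
            candidate = (len(set(ports)), longest_sequential_run(ports), events[start][0])
            if candidate[:2] > best[:2]:
                best = candidate
        if best[0] >= min_ports or best[1] >= min_run:
            flagged[src] = {"target": dst, "distinct_ports": best[0], "longest_run": best[1],
                            "first_seen": best[2].isoformat()}
    return flagged


if __name__ == "__main__":
    for src, summary in detect_scans(LOG_LINES).items():
        print(f"possible port scan from {src}: {summary}")
```

The two thresholds cover both patterns the slide names: a burst of many distinct ports, and the tell-tale sequential walk even when it is slow enough to stay under the distinct-port threshold.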

Internet security threats

Packet sniffing:
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g.: C sniffs B's packets

[Figure: hosts A, B, C on a broadcast medium; B's packet (src:B dest:A payload) is also read by C]

Countermeasures?

Internet security threats

Packet sniffing: countermeasures
• all hosts in organization run software that checks periodically if host interface in promiscuous mode
• one host per segment of broadcast media (switched Ethernet at hub)

[Figure: same A, B, C topology with B's packet (src:B dest:A payload)]

Internet security threats

IP Spoofing:
• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g.: C pretends to be B

[Figure: C sends a packet labelled src:B dest:A payload to A]

Countermeasures?

Internet security threats

IP Spoofing: ingress filtering
• routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
• great, but ingress filtering can not be mandated for all networks

[Figure: same A, B, C topology with the spoofed packet src:B dest:A payload]

Internet security threats

Denial of service (DOS):
• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A

[Figure: C and a remote host flood A with SYN packets]

Countermeasures?

Internet security threats

Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)

[Figure: C and a remote host flood A with SYN packets]
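Two of the router-side countermeasures above, ingress filtering against IP spoofing and filtering flooded SYNs before they reach the host, as one added Python example (not code from the lecture): a border router that refuses to forward an outgoing packet whose source address is not inside its own network, and that drops inbound TCP SYNs to a host once more than a limit have arrived within a sliding window, which throws out good SYNs with the bad exactly as the slide warns. The packet representation, the network 192.0.2.0/24, the limit of 5 per second and the sample traffic are constructed for this example.

```python
import ipaddress
from collections import deque


class BorderRouter:
    def __init__(self, inside_prefixes, syn_limit=100, window_seconds=1.0):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]
        self.syn_limit = syn_limit
        self.window = window_seconds
        self.recent_syns = {}      # destination IP -> deque of SYN arrival times inside the window
        self.dropped = []          # (reason, packet) audit trail

    def is_inside(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside)

    def forward_outgoing(self, pkt):
        """Ingress filtering: do not forward a packet leaving the network whose source is not in it."""
        if not self.is_inside(pkt["src"]):
            self.dropped.append(("spoofed-source", pkt))
            return False
        return True

    def forward_incoming(self, pkt, now):
        """Per-destination SYN rate limit; everything that is not a TCP SYN passes untouched."""
        if pkt.get("proto") == "tcp" and pkt.get("flags") == "S":
            recent = self.recent_syns.setdefault(pkt["dst"], deque())
            while recent and now - recent[0] > self.window:
                recent.popleft()                        # forget SYNs older than the window
            if len(recent) >= self.syn_limit:
                self.dropped.append(("syn-flood", pkt))  # good SYNs are thrown out with the bad
                return False
            recent.append(now)
        return True


def demo():
    """Constructed traffic: one legitimate and one spoofed outbound packet, then a burst of SYNs at one server."""
    router = BorderRouter(["192.0.2.0/24"], syn_limit=5, window_seconds=1.0)
    results = {}
    results["legit_out"] = router.forward_outgoing({"src": "192.0.2.7", "dst": "203.0.113.1", "proto": "udp"})
    results["spoofed_out"] = router.forward_outgoing({"src": "203.0.113.9", "dst": "203.0.113.1", "proto": "udp"})
    syn = {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "flags": "S"}
    results["burst"] = [router.forward_incoming(syn, now=0.1 * i) for i in range(8)]   # 8 SYNs in 0.7 s
    results["later_syn"] = router.forward_incoming(syn, now=5.0)                          # window has slid
    ack = {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "flags": "A"}
    results["non_syn"] = router.forward_incoming(ack, now=5.0)
    return router, results


if __name__ == "__main__":
    router, results = demo()
    print(results)
    print("dropped:", [(reason, p["src"]) for reason, p in router.dropped])
```

The audit trail of dropped packets is what makes the second countermeasure on the slide, traceback, possible at all: without recording the source of each drop there is nothing to trace.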

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles: Link State Algorithm, Distance Vector Algorithm
• The Internet (IP) Protocol: IPv4 addressing, Datagram format, IP fragmentation, ICMP: Internet Control Message Protocol, IPv6, NAT: Network Address Translation

Review (2)

Routing in the Internet
• Hierarchical routing, RIP, OSPF, BGP

Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols: TDMA/FDMA, Random Access Protocols, "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches

Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)

• What is network security?
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
• Global: all routers have complete topology, link cost info; "link state" algorithms
• Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = infinity

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

[Figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        inf        inf
1     ux        2,u        4,x                   2,x        inf
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
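The pseudocode and the worked table above, as an added Python example (not the lecture's code): Dijkstra's algorithm run on the slide's six-node graph, recording N' and the D(·),p(·) values after each step, plus the forwarding table for u derived by walking predecessors back to the node adjacent to u. The link costs are the ones in the figure; the tie-break rule by node name is a choice of this example (the slide adds y before v at the D = 2 tie, which changes the order of N' but not the final costs or predecessors).

```python
import math

# Link costs of the slide's figure: u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph, source):
    """Returns (D, p, steps): least costs, predecessors, and (N', D, p) after each step as in the slide's table."""
    N = [source]
    D = {v: math.inf for v in graph}
    p = {v: None for v in graph}
    D[source] = 0
    for v, cost in graph[source].items():       # initialization: direct costs from the source
        D[v], p[v] = cost, source
    steps = [("".join(N), dict(D), dict(p))]
    while len(N) < len(graph):
        # ties (e.g. D(v) = D(y) = 2) are broken by node name; final D and p do not depend on this
        w = min((v for v in graph if v not in N), key=lambda v: (D[v], v))
        N.append(w)
        for v, cost in graph[w].items():
            if v not in N and D[w] + cost < D[v]:   # D(v) = min(D(v), D(w) + c(w,v))
                D[v], p[v] = D[w] + cost, w
        steps.append(("".join(N), dict(D), dict(p)))
    return D, p, steps


def next_hop(p, source, dest):
    """Forwarding-table entry: walk predecessors back from dest until the node adjacent to source."""
    node = dest
    while p[node] != source:
        node = p[node]
        if node is None:
            return None   # unreachable
    return node


def forwarding_table(graph, source):
    _, p, _ = dijkstra(graph, source)
    return {dest: next_hop(p, source, dest) for dest in graph if dest != source}


if __name__ == "__main__":
    D, p, steps = dijkstra(GRAPH, "u")
    for step, (N, D_step, p_step) in enumerate(steps):
        cells = [f"{D_step[v]},{p_step[v]}" if D_step[v] != math.inf else "inf" for v in "vwxyz"]
        print(f"step {step}: N'={N:<7} " + "  ".join(cells))
    print("forwarding table at u:", forwarding_table(GRAPH, "u"))
```

The printed rows reproduce the slide's final column values (D(v)=2,u; D(w)=3,y; D(x)=1,u; D(y)=2,x; D(z)=4,y), and the forwarding table shows why a router only needs the next hop: every destination except v is reached through x.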

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

  Dx(y) <- min_v { c(x,v) + Dv(y) }   for each node y in N

• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor

Distributed:
• each node notifies neighbors only when its DV changes
• neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path; it only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three nodes x, y, z with link costs c(x,y) = 2, c(x,z) = 7, c(y,z) = 1]

node x table (rows: from; columns: cost to x, y, z), over time:
  time 0:  x: 0 2 7        y: inf inf inf   z: inf inf inf
  time 1:  x: 0 2 3        y: 2 0 1         z: 7 1 0
  time 2:  x: 0 2 3        y: 2 0 1         z: 3 1 0

node y table:
  time 0:  x: inf inf inf  y: 2 0 1         z: inf inf inf
  time 1:  x: 0 2 7        y: 2 0 1         z: 7 1 0
  time 2:  x: 0 2 3        y: 2 0 1         z: 3 1 0

node z table:
  time 0:  x: inf inf inf  y: inf inf inf   z: 7 1 0
  time 1:  x: 0 2 7        y: 2 0 1         z: 3 1 0
  time 2:  x: 0 2 3        y: 2 0 1         z: 3 1 0

Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
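The Bellman-Ford update and the three-node run above, as an added Python example (not the lecture's code): each node keeps a distance table with one row per neighbor, recomputes its own row with Dx(y) = min_v { c(x,v) + Dv(y) } whenever a neighbor's vector arrives, and sends its vector on only when it changed. The synchronous-round scheduling and the `next_hop` helper are choices of this example; the link costs are the slide's.

```python
import math

INF = math.inf
# Link costs of the slide's figure: c(x,y) = 2, c(x,z) = 7, c(y,z) = 1
LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}


class DvNode:
    def __init__(self, name, all_nodes):
        self.name = name
        self.neighbors = {}                                   # neighbor -> link cost
        # distance table: row 'from' (self or a neighbor) -> {dest: cost}; unknown = infinity
        self.table = {n: {d: INF for d in all_nodes} for n in all_nodes}
        self.table[name][name] = 0

    def add_link(self, neighbor, cost):
        self.neighbors[neighbor] = cost
        self.table[self.name][neighbor] = cost       # initial DV: direct link costs
        self.table[neighbor][neighbor] = 0           # a neighbor's distance to itself is 0

    @property
    def dv(self):
        return dict(self.table[self.name])

    def receive(self, neighbor, vector):
        """Store the neighbor's DV and re-run Bellman-Ford: Dx(y) = min_v { c(x,v) + Dv(y) }.
        Returns True if our own DV changed, in which case neighbors must be notified."""
        self.table[neighbor] = dict(vector)
        old = self.dv
        for dest in self.table[self.name]:
            if dest != self.name:
                self.table[self.name][dest] = min(c + self.table[v][dest] for v, c in self.neighbors.items())
        return self.dv != old

    def next_hop(self, dest):
        """The DV only knows the next hop: the neighbor that attains the minimum."""
        return min(self.neighbors, key=lambda v: self.neighbors[v] + self.table[v][dest])


def run(links=LINKS, max_rounds=20):
    """Synchronous rounds: every node whose DV changed (all nodes in round 1) sends it to its neighbors.
    Returns (nodes, rounds) once a round produces no change."""
    names = sorted({n for link in links for n in link})
    nodes = {n: DvNode(n, names) for n in names}
    for (a, b), cost in links.items():
        nodes[a].add_link(b, cost)
        nodes[b].add_link(a, cost)
    to_send = set(names)
    for rounds in range(1, max_rounds + 1):
        outbox = [(src, nb, nodes[src].dv) for src in sorted(to_send) for nb in nodes[src].neighbors]
        to_send = {dst for src, dst, vec in outbox if nodes[dst].receive(src, vec)}
        if not to_send:
            return nodes, rounds
    raise RuntimeError("did not converge")


if __name__ == "__main__":
    nodes, rounds = run()
    print(f"converged after {rounds} rounds")
    for name, node in nodes.items():
        print(f"node {name} table:", node.table, " next hop to z:", node.next_hop("z") if name != "z" else "-")
```

Round 1 changes x (Dx(z) drops from 7 to 3 via y) and z (Dz(x) drops from 7 to 3), round 2 delivers those changes without producing new ones, and the final tables are the slide's "time 2" tables.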

The Internet Network layer

Host, router network layer functions:
• Routing protocols: path selection; RIP, OSPF, BGP
• IP protocol: addressing conventions, datagram format, packet handling conventions
• ICMP protocol: error reporting, router "signaling"
• forwarding table

[Figure: the network layer sits between the transport layer (TCP, UDP) above and the link layer and physical layer below]

IP datagram format

Header fields (32-bit rows):
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
• 20 bytes of TCP
• 20 bytes of IP
• = 40 bytes + app layer overhead
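The header layout above, as an added Python example (not the lecture's code): a builder and parser for the 20-byte IPv4 header using the field order on the slide, the Internet checksum computed over the header, and the router step of decrementing the TTL and recomputing the checksum. The addresses 223.1.1.1 and 223.1.2.1 are from the addressing slides that follow; the identifier, flag and payload values are constructed.

```python
import struct

# ver/ihl, tos, total length, id, flags+frag offset, ttl, protocol, checksum, src, dst
HEADER_FMT = "!BBHHHBBH4s4s"


def internet_checksum(data):
    """One's-complement sum of 16-bit words, complemented; a header with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # fold carries back in
    return ~total & 0xFFFF


def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_header(src, dst, payload_len, ttl=64, protocol=6, ident=0, flags=0b010, frag_offset=0, tos=0):
    """20-byte header without options; protocol 6 = TCP, flags 0b010 = 'don't fragment'."""
    fields = [0x45, tos, 20 + payload_len, ident, (flags << 13) | frag_offset, ttl, protocol, 0,
              ip_to_bytes(src), ip_to_bytes(dst)]
    fields[7] = internet_checksum(struct.pack(HEADER_FMT, *fields))   # checksum over header with field zeroed
    return struct.pack(HEADER_FMT, *fields)


def parse_header(raw):
    """Decode the fields the slide names and verify the checksum over the whole header."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, protocol, csum, src, dst = struct.unpack(HEADER_FMT, raw[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0xF) * 4
    if version != 4 or header_len < 20 or header_len > len(raw):
        raise ValueError(f"bad version/header length {version}/{header_len}")
    return {
        "version": version, "header_len": header_len, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": protocol, "checksum": csum,
        "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
        "options": raw[20:header_len],
        "checksum_ok": internet_checksum(raw[:header_len]) == 0,
    }


def forward(datagram):
    """What a router does per hop: drop on bad checksum or expired TTL, else decrement TTL and re-checksum."""
    hdr = parse_header(datagram)
    if not hdr["checksum_ok"] or hdr["ttl"] <= 1:
        return None
    header = bytearray(datagram[:hdr["header_len"]])
    header[8] -= 1                                  # time to live, decremented at each router
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", internet_checksum(bytes(header)))
    return bytes(header) + datagram[hdr["header_len"]:]


if __name__ == "__main__":
    dg = build_header("223.1.1.1", "223.1.2.1", payload_len=20, ident=0x1C46) + b"\x00" * 20
    print(parse_header(dg))
    print("after one hop:", parse_header(forward(dg))["ttl"])
```

Parsing a header whose TTL was changed without recomputing the checksum reports `checksum_ok` as False, which is the integrity check the "Internet checksum" field provides against corruption of the header fields in transit.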

IP Addressing: introduction

• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface

[Figure: three subnets with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

• IP address: subnet part (high order bits), host part (low order bits)
• What's a subnet? device interfaces with same subnet part of IP address; can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (223.1.1.0, 223.1.2.0, 223.1.3.0), each a LAN; same interface addresses as above]

IP addressing: CIDR

• Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)
• CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address

  11001000 00010111 00010000 00000000
  <----- subnet part ----->  host part
            200.23.16.0/23
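The address arithmetic of the last three slides, as an added Python example (not the lecture's code): dotted-quad to bit-string conversion as the slides draw it, a.b.c.d/x parsing into a network address and mask, the subnet/host split, the "same subnet" test, membership in a CIDR prefix, and the pre-CIDR classful mask lengths. The helper names are choices of this example; the addresses are the slides' own.

```python
def ip_to_int(dotted):
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Four 8-bit groups, the way the slides draw 223.1.1.1 and 200.23.16.0."""
    return " ".join(f"{(ip_to_int(dotted) >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_mask(x):
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF


def parse_cidr(text):
    """'a.b.c.d/x' -> (network address as int, mask as int, x); host bits of a.b.c.d are cleared."""
    addr, sep, bits = text.partition("/")
    if not sep:
        raise ValueError("expected a.b.c.d/x")
    x = int(bits)
    mask = prefix_mask(x)
    return ip_to_int(addr) & mask, mask, x


def split_address(dotted, x):
    """(subnet part, host part) of an address under a /x mask, both as ints."""
    value, mask = ip_to_int(dotted), prefix_mask(x)
    return value & mask, value & ~mask & 0xFFFFFFFF


def same_subnet(ip1, ip2, x):
    """Two interfaces are on the same subnet iff their subnet parts agree."""
    return split_address(ip1, x)[0] == split_address(ip2, x)[0]


def in_prefix(ip, cidr):
    network, mask, _ = parse_cidr(cidr)
    return ip_to_int(ip) & mask == network


def classful_prefix_length(dotted):
    """Before CIDR: the leading bits of the first octet fixed the mask at 8 (A), 16 (B) or 24 (C) bits."""
    first = ip_to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return 8
    if first >> 6 == 0b10:
        return 16
    if first >> 5 == 0b110:
        return 24
    return None   # class D/E: no host mask


if __name__ == "__main__":
    print("223.1.1.1   =", to_binary("223.1.1.1"))
    print("200.23.16.0 =", to_binary("200.23.16.0"), "mask /23 =", int_to_ip(parse_cidr("200.23.16.0/23")[1]))
    print("200.23.17.9 in 200.23.16.0/23:", in_prefix("200.23.17.9", "200.23.16.0/23"))
    print("223.1.1.1 and 223.1.2.1 on the same /24:", same_subnet("223.1.1.1", "223.1.2.1", 24))
```

With a /23 the third octet's low bit belongs to the host part, which is why 200.23.17.255 is still inside 200.23.16.0/23 while 200.23.18.0 is not; the classful helper shows that 200.23.16.0 would have been a class C network with a fixed /24 before CIDR.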

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router interface 10.0.0.4, whose WAN-side address 138.76.29.7 faces the rest of the Internet]

• Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

NAT translation table:
  WAN side addr         LAN side addr
  138.76.29.7, 5001     10.0.0.1, 3345
  ......                ......

1. host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
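The four NAT steps above, as an added Python example (not the lecture's code): a router that allocates a fresh WAN-side port for each new (LAN address, port) pair, rewrites the source of outgoing datagrams and the destination of replies from its translation table, and drops inbound datagrams for which no table entry exists. Addresses and ports are the slide's; the datagram representation and the starting port 5001 are choices of this example.

```python
import ipaddress


class NatRouter:
    """Port-based NAT: one public address and a table of <WAN side addr, LAN side addr> pairs."""

    def __init__(self, wan_ip, lan_prefix, first_port=5001):
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan_prefix)
        self.next_port = first_port
        self.wan_to_lan = {}   # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.lan_to_wan = {}   # (lan_ip, lan_port) -> wan_port

    def outbound(self, dg):
        """Step 2: rewrite source (LAN addr, port) to (NAT addr, new port), updating the table."""
        if ipaddress.ip_address(dg["src_ip"]) not in self.lan:
            raise ValueError("outbound datagram must come from the local network")
        key = (dg["src_ip"], dg["src_port"])
        if key not in self.lan_to_wan:
            port = self.next_port
            self.next_port += 1
            self.lan_to_wan[key] = port
            self.wan_to_lan[(self.wan_ip, port)] = key
        return dict(dg, src_ip=self.wan_ip, src_port=self.lan_to_wan[key])

    def inbound(self, dg):
        """Step 4: rewrite destination (NAT addr, port) back to the LAN host; no table entry -> drop."""
        key = (dg["dst_ip"], dg["dst_port"])
        if key not in self.wan_to_lan:
            return None
        lan_ip, lan_port = self.wan_to_lan[key]
        return dict(dg, dst_ip=lan_ip, dst_port=lan_port)

    def table_rows(self):
        """The translation table in the slide's two-column form."""
        return [(f"{w[0]}, {w[1]}", f"{l[0]}, {l[1]}") for w, l in self.wan_to_lan.items()]


def walkthrough():
    """The slide's four steps; returns the router and the datagram as seen at each step."""
    nat = NatRouter("138.76.29.7", "10.0.0.0/24")
    step1 = {"src_ip": "10.0.0.1", "src_port": 3345, "dst_ip": "128.119.40.186", "dst_port": 80}
    step2 = nat.outbound(step1)
    step3 = {"src_ip": "128.119.40.186", "src_port": 80, "dst_ip": "138.76.29.7", "dst_port": step2["src_port"]}
    step4 = nat.inbound(step3)
    return nat, (step1, step2, step3, step4)


if __name__ == "__main__":
    nat, steps = walkthrough()
    for n, dg in enumerate(steps, 1):
        print(f"{n}: S: {dg['src_ip']}, {dg['src_port']}   D: {dg['dst_ip']}, {dg['dst_port']}")
    print("table:", nat.table_rows())
```

Because an inbound datagram is only translated when a matching entry exists, a host behind the NAT is reachable only on connections it opened itself; the `inbound` call for an unknown port returning `None` is that behaviour.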

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA
Pros:
a single active node can continuously transmit at the full rate of the channel
highly decentralized: only the slots in the nodes need to be in sync
simple
Cons:
collisions, wasting slots
idle slots
clock synchronization

Slotted ALOHA efficiency
Suppose N nodes with many frames to send; each transmits in a slot with probability p.
Probability that node 1 has success in a slot = p(1-p)^{N-1}
Probability that there is a success (exactly one node transmits) = Np(1-p)^{N-1}
For max efficiency with N nodes, find the p that maximizes Np(1-p)^{N-1} (it is p = 1/N).
For many nodes, take the limit of Np(1-p)^{N-1} as N goes to infinity: gives 1/e ≈ 0.37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best, the channel is used for useful transmissions 37% of the time.

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If the channel is sensed idle, transmit the entire frame. If the channel is sensed busy, defer transmission.
Human analogy: don't interrupt others!

CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision the entire packet transmission time is wasted.
(Figure: spatial layout of nodes along the bus, with transmissions propagating in both directions.)
Note the role of distance and propagation delay in determining collision probability.

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA; collisions are detected within a short time; colliding transmissions are aborted, reducing channel wastage.
Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (the receiver is shut off while transmitting).
(Figure: CSMA/CD collision detection; both senders abort shortly after the colliding signals reach them.)

"Taking Turns" MAC protocols
Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: a control token is passed from one node to the next sequentially; the token is a message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B knowing B's IP address?
(Figure: four hosts on one LAN with MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53 and IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88.)

ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator.
Caveat: nothing in ARP authenticates a reply; a host caches whatever mapping it hears, so any node on the LAN can plant a false IP-to-MAC entry in another node's table (ARP cache poisoning).

Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
(Figure: A on one LAN, B on the other, router R between them.)
A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame. R's adapter receives the frame. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.

Ethernet uses CSMA/CD
No slots.
An adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
A transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
Before attempting a retransmission, the adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsecond for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 msec (1023 * 512 * 0.1 us = 52.4 ms).
Exponential backoff: goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer.
First collision: choose K from {0, 1}; delay is K * 512 bit transmission times.
After the second collision: choose K from {0, 1, 2, 3}.
After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
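The numbers on the slotted ALOHA, exponential backoff and CSMA/CD efficiency slides, carried through in code. This is an added example, not the lecture's code: the ALOHA maximisation is done numerically on a grid, the backoff simulation uses a simplified collision model (time counted in 512-bit-time units; adapters that draw the same earliest K collide; an adapter that drew a later K simply redraws next round), and the cap of the backoff exponent at 10 plus giving up after 16 attempts are taken from the Ethernet standard rather than from the slide.

```python
"""Worked MAC-layer numbers: slotted ALOHA efficiency, Ethernet exponential
backoff, CSMA/CD efficiency bound.

Added example, not from the lecture. simulate_csma_cd is a deliberately
simplified model (see the comments), not an Ethernet simulator.
"""
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit at 10 Mbps
SLOT_BITS = 512            # one backoff unit = 512 bit times


def slotted_aloha_success(n, p):
    """P(exactly one of n nodes transmits in a slot) = n p (1-p)^(n-1)."""
    return n * p * (1 - p) ** (n - 1)


def slotted_aloha_best(n, grid=10000):
    """Numerically maximise over p on a grid; the analytic optimum is p = 1/n."""
    candidates = ((k / grid, slotted_aloha_success(n, k / grid)) for k in range(1, grid))
    return max(candidates, key=lambda pv: pv[1])


def backoff_window(m):
    """After the m-th collision K is drawn from {0, ..., 2^min(m,10) - 1}.
    The cap at 10 is the Ethernet standard's, beyond what the slide states."""
    return 2 ** min(m, 10)


def backoff_wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    return k * SLOT_BITS * bit_time


def csma_cd_efficiency(t_prop, t_trans):
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def simulate_csma_cd(n_adapters, seed=1, max_attempts=16):
    """Each adapter has one frame; return (collisions, frames dropped).
    Simplified model: every pending adapter draws K from its window; the
    adapters sharing the earliest K collide (or the single earliest one
    sends). Later drawers just redraw next round. An adapter is dropped
    after max_attempts collisions, as Ethernet gives up after 16."""
    rng = random.Random(seed)
    pending = {a: 0 for a in range(n_adapters)}   # adapter -> collisions so far
    collisions = dropped = 0
    while pending:
        picks = {a: rng.randrange(backoff_window(m)) for a, m in pending.items()}
        earliest = min(picks.values())
        winners = [a for a, k in picks.items() if k == earliest]
        if len(winners) == 1:
            del pending[winners[0]]                # transmitted without collision
            continue
        collisions += 1
        for a in winners:
            pending[a] += 1
            if pending[a] >= max_attempts:
                dropped += 1
                del pending[a]
    return collisions, dropped


if __name__ == "__main__":
    print(slotted_aloha_best(10), backoff_wait_seconds(1023), simulate_csma_cd(4))
```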

Hubs
Hubs are essentially physical-layer repeaters: bits coming in from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions. Provides network management functionality: can disconnect a malfunctioning adapter.
(Figure: a hub with twisted-pair links to each host.)

Interconnecting with hubs
Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: the separate collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
(Figure: three departmental hubs connected to a backbone hub.)

Switch
Link-layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC destination address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding
How to determine onto which LAN segment to forward a frame? Looks like a routing problem...
(Figure: a switch with interfaces 1, 2 and 3, each connected to a hub.)

Self learning
A switch has a switch table. Entry in the switch table: (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender, the incoming LAN segment, and records the sender/location pair in the switch table.

Switch: traffic isolation
Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.
(Figure: a switch joining three hubs; each hub's segment is its own collision domain.)
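The self-learning, filtering and flooding behaviour of the three slides above in one class, as an added example that is not the lecture's code. The interface numbers, MAC addresses and 60-minute TTL are assumed. It also shows the failure mode a practitioner cares about: a real switch table is finite, and once an attacker fills it with bogus source addresses, frames for hosts that could not be learned are flooded to every port, including the attacker's.

```python
"""Self-learning switch: learn on source, filter on destination, flood on miss.

Added example; not from the lecture. Frames are (src_mac, dst_mac) pairs
arriving on an interface; entries age out after ttl seconds; capacity=None
means an unbounded table (real switches are bounded, hence flood_demo).
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, interfaces, ttl=60 * 60, capacity=None):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.capacity = capacity
        self.table = {}                 # mac -> (interface, last_seen)

    def _expire(self, now):
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.ttl:
                del self.table[mac]     # stale entry dropped

    def receive(self, src, dst, in_port, now):
        """Return the list of interfaces the frame goes out on."""
        self._expire(now)
        # learning: the sender is reachable via in_port (if there is room)
        if src in self.table or self.capacity is None or len(self.table) < self.capacity:
            self.table[src] = (in_port, now)
        # forwarding
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            return [p for p in self.interfaces if p != in_port]   # flood
        out_port, _ = entry
        if out_port == in_port:
            return []                                             # filter: same segment
        return [out_port]


def demo():
    """Normal operation on a 3-port switch (addresses chosen for the demo)."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    r1 = sw.receive(a, b, in_port=1, now=0)      # B unknown -> flood to 2 and 3
    r2 = sw.receive(b, a, in_port=2, now=1)      # A known on 1 -> [1]
    r3 = sw.receive(a, b, in_port=1, now=2)      # B known on 2 -> [2]
    r4 = sw.receive(c, a, in_port=1, now=3)      # C and A share segment 1 -> filtered
    r5 = sw.receive(b, a, in_port=2, now=3700)   # A's entry aged out -> flood again
    return r1, r2, r3, r4, r5


def flood_demo():
    """MAC flooding: an attacker on port 3 fills a 4-entry table with bogus
    sources; the victim on port 2 can no longer be learned, so traffic to it
    is flooded out port 3 as well, where the attacker can sniff it."""
    sw = LearningSwitch([1, 2, 3], capacity=4)
    for i in range(4):
        sw.receive(f"de:ad:be:ef:00:{i:02x}", "00:00:00:00:00:01", in_port=3, now=0)
    victim = "00:00:00:00:00:0b"
    sw.receive(victim, BROADCAST, in_port=2, now=1)          # table full: not learned
    return sw.receive("00:00:00:00:00:0a", victim, in_port=1, now=2)


if __name__ == "__main__":
    print(demo(), flood_demo())
```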

Switches vs Routers
Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.
Routers maintain routing tables and implement routing algorithms. Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison
                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.
(Figure: A, B, C in a line; A's and C's signal strength fall off with distance and both reach B but not each other.)
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.

IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code; widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture
A wireless host communicates with a base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP): base station. Ad hoc mode: hosts only.
(Figure: BSS 1 and BSS 2, each with its AP, connected through a hub, switch or router to the Internet.)

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.
802.11 receiver
If the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem).
(Figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK.)

Collision Avoidance: RTS-CTS exchange
(Figure: A and B both send RTS to the AP; the two RTS frames collide at the AP (reservation collision); A sends RTS(A) again; the AP broadcasts CTS(A), heard by both A and B; B defers; A sends DATA(A); the AP returns ACK(A).)

802.11 frame
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame addressing
Address 1: MAC address of the wireless host or AP to receive this frame.
Address 2: MAC address of the wireless host or AP transmitting this frame.
Address 3: MAC address of the router interface to which the AP is attached.
Address 4: used only in ad hoc mode.
(Figure: H1 --- AP --- R1 (Internet router).)
802.11 frame from H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.
802.3 frame sent by the AP: dest address = R1 MAC addr, source address = AP MAC addr.

Network Security
What is network security?
Principles of cryptography: symmetric key, public key.
Authentication: protocol evolution.
Access control: firewalls.
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.


Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on the network. Use ping to determine what hosts have addresses on the network. Port-scanning: try to establish a TCP connection to each port in sequence.
Countermeasures?

Internet security threats
Mapping countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).

Internet security threats: packet sniffing
Broadcast media: a promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords). E.g. C sniffs B's packets.
(Figure: A, B, C on one broadcast LAN; the frame src:B dest:A payload is seen by C.)
Countermeasures?

Internet security threats: packet sniffing countermeasures
All hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
One host per segment of broadcast media (switched Ethernet at the hub).
Caveat: a switch keeps B's frames away from C only while its switch table holds the right entries; ARP cache poisoning, or flooding the table with bogus source MACs so that the switch falls back to flooding, puts C back on the path.

Internet security threats: IP spoofing
Can generate "raw" IP packets directly from the application, putting any value into the IP source address field. The receiver can't tell whether the source is spoofed. E.g. C pretends to be B.
(Figure: C sends src:B dest:A payload to A.)
Countermeasures?

Internet security threats: IP spoofing, ingress filtering
Routers should not forward outgoing packets with invalid source addresses (e.g. a datagram whose source address is not in the router's network).
Great, but ingress filtering cannot be mandated for all networks.

Internet security threats: denial of service (DoS)
A flood of maliciously generated packets "swamps" the receiver. Distributed DoS (DDoS): multiple coordinated sources swamp the receiver. E.g. C and a remote host SYN-attack A.
(Figure: C and a remote host each send a stream of SYNs to A.)
Countermeasures?

Internet security threats: denial of service (DoS) countermeasures
Filter out flooded packets (e.g. SYN) before they reach the host: throws out good with bad.
Traceback to the source of the floods (most likely an innocent, compromised machine).
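Two of the countermeasures above, the mapping countermeasure (look for ports being scanned sequentially) and SYN-flood detection, run over the same flow records. This is an added example, not the lecture's code; the records are constructed for the demo and the thresholds are illustrative, not tuned values.

```python
"""Sequential port-scan and SYN-flood detection over flow records.

Added example; not from the lecture. RECORDS is constructed:
(time_seconds, src_ip, dst_ip, dst_port, tcp_flags).
"""
from collections import defaultdict

RECORDS = (
    # C walks ports 20..31 of the target, one per second (mapping)
    [(t, "203.0.113.5", "198.51.100.10", 20 + t, "S") for t in range(12)]
    # 400 SYNs in 4 s from 50 rotating (spoofed) sources: a SYN flood
    + [(t / 100, f"192.0.2.{t % 50}", "198.51.100.10", 80, "S") for t in range(400)]
    # one normal handshake start: SYN followed by ACK
    + [(5.0, "192.0.2.9", "198.51.100.10", 80, "S"), (5.1, "192.0.2.9", "198.51.100.10", 80, "A")]
)


def sequential_scans(records, min_run=8):
    """Return (src, dst) pairs that hit >= min_run consecutive ports in order."""
    ports = defaultdict(list)
    for _, src, dst, port, _ in sorted(records):
        ports[(src, dst)].append(port)
    hits = []
    for key, seq in ports.items():
        run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                hits.append(key)
                break
    return hits


def syn_floods(records, window=1.0, threshold=100):
    """Return {dst: count} for destinations that receive more than threshold
    SYN-without-ACK packets inside any sliding window of `window` seconds."""
    syns = defaultdict(list)
    for t, _, dst, _, flags in records:
        if "S" in flags and "A" not in flags:
            syns[dst].append(t)
    flagged = {}
    for dst, times in syns.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 > threshold:
                flagged[dst] = i - j + 1
                break
    return flagged


if __name__ == "__main__":
    print(sequential_scans(RECORDS), syn_floods(RECORDS))
```

The flood detector keys on the destination, not the source, precisely because the slide's point holds: the sources are spoofed or compromised, so per-source counting sees nothing unusual.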

Review (1)
Network Layer: virtual circuits and datagram networks; routing principles: link state algorithm, distance vector algorithm; the Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation).

Review (2)
Routing in the Internet: hierarchical routing, RIP, OSPF, BGP.
Data link layer: introduction and services; error detection and correction; multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols; link-layer addressing; Ethernet; hubs and switches.
Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs.

Review (3)
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

Routing algorithm classification
Global or decentralized information?
Global: all routers have complete topology and link cost info; "link state" algorithms.
Decentralized: a router knows its physically connected neighbors and the link costs to those neighbors; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms.
Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update, in response to link cost changes.

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
    else D(v) = infinity

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm: example
Network (link costs): u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2.

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        inf        inf
1     ux        2,u        4,x                   2,x        inf
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz

Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
  D_x(y) <- min_v { c(x,v) + D_v(y) }   for each node y in N
Under minor, natural conditions, the estimates D_x(y) converge to the actual least cost d_x(y).

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies its neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only the next hop.
Each node: wait for (a change in a local link cost or a message from a neighbor); recompute estimates; if the DV to any destination has changed, notify neighbors.

(Figure: three-node example; link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7. Each node's table has a row "from" each node and a column "cost to" each of x, y, z.)
Initially each node knows only its own row: node x: 0 2 7; node y: 2 0 1; node z: 7 1 0; the other rows are infinity.
After the first exchange of vectors, node x computes:
  D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
  D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
and over time every node's table converges to: x: 0 2 3; y: 2 0 1; z: 3 1 0.
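The distance-vector computation on the three-node example, as an added example that is not the lecture's code. Nodes exchange whole vectors in synchronous rounds, a simplification of the asynchronous algorithm on the slide, and each node also records the next hop that produced its best estimate.

```python
"""Distance-vector (Bellman-Ford) iteration on the three-node example:
c(x,y) = 2, c(y,z) = 1, c(x,z) = 7.

Added example; not from the lecture. Synchronous rounds are a
simplification of the asynchronous algorithm.
"""
INF = float("inf")

EXAMPLE_COSTS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}


def link_costs(costs):
    """Undirected link costs -> {node: {neighbor: cost}}."""
    c = {}
    for (a, b), cost in costs.items():
        c.setdefault(a, {})[b] = cost
        c.setdefault(b, {})[a] = cost
    return c


def distance_vector(costs, max_rounds=50):
    """Return (D, next_hop, rounds): D[x][y] is D_x(y); rounds is the round
    in which no estimate changed any more."""
    c = link_costs(costs)
    nodes = sorted(c)
    # initial estimate: own link costs, infinity elsewhere
    D = {x: {y: (0 if x == y else c[x].get(y, INF)) for y in nodes} for x in nodes}
    next_hop = {x: {y: (y if y in c[x] else None) for y in nodes if y != x} for x in nodes}
    for r in range(1, max_rounds + 1):
        changed = False
        received = {x: dict(D[x]) for x in nodes}    # vectors as sent this round
        for x in nodes:
            for y in nodes:
                if y == x:
                    continue
                best, via = D[x][y], next_hop[x][y]
                for v, cxv in c[x].items():          # over x's neighbors v
                    cand = cxv + received[v][y]      # c(x,v) + D_v(y)
                    if cand < best:
                        best, via = cand, v
                if best != D[x][y]:
                    D[x][y], next_hop[x][y] = best, via
                    changed = True
        if not changed:
            return D, next_hop, r
    return D, next_hop, max_rounds


if __name__ == "__main__":
    print(distance_vector(EXAMPLE_COSTS))
```

Nothing here checks that a neighbor's vector is truthful: a node that advertises cost 0 to every destination becomes everyone's next hop, which is the basis of route-injection attacks against unauthenticated distance-vector protocols.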

The Internet network layer
Host, router network-layer functions:
Routing protocols: path selection; RIP, OSPF, BGP.
IP protocol: addressing conventions; datagram format; packet handling conventions.
ICMP protocol: error reporting; router "signaling".
(Figure: transport layer (TCP, UDP) above; network layer containing the routing protocols, the forwarding table, the IP protocol and the ICMP protocol; link layer and physical layer below.)

IP datagram format (32 bits per row)
ver (IP protocol version number) | head. len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
16-bit identifier | flgs | fragment offset   (for fragmentation/reassembly)
time to live (max number of remaining hops, decremented at each router) | upper layer (upper-layer protocol to deliver payload to) | Internet checksum
32-bit source IP address
32-bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)
How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + application-layer overhead.
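The header layout above, parsed from raw bytes, as an added example that is not the lecture's code. It builds a datagram, verifies the Internet checksum, and performs the per-hop step a router does (TTL decrement, checksum recomputed). The addresses and payload are constructed for the demo.

```python
"""IPv4 header build/parse with Internet checksum and a router's TTL step.

Added example; not from the lecture. The datagram is constructed here.
"""
import struct

_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, length, id, flags/frag, ttl, proto, csum, src, dst


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, then one's complement of that."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # fold carries
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload=b"", ttl=64, ident=0x1234):
    hdr = struct.pack(_HDR, (4 << 4) | 5, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    csum = internet_checksum(hdr)                  # computed with checksum field = 0
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(datagram: bytes) -> dict:
    if len(datagram) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, length, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(_HDR, datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(datagram) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = datagram[:ihl]
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_len": length,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "checksum_ok": internet_checksum(header) == 0,   # sum incl. checksum folds to 0
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": header[20:], "payload": datagram[ihl:],
    }


def forward(datagram: bytes):
    """Router step: verify checksum, decrement TTL, recompute checksum.
    Returns None when TTL would reach 0 (router sends ICMP time exceeded)."""
    info = parse_ipv4(datagram)
    if not info["checksum_ok"]:
        raise ValueError("bad checksum")
    if info["ttl"] <= 1:
        return None
    ihl = info["header_len"]
    hdr = bytearray(datagram[:ihl])
    hdr[8] -= 1                                    # TTL byte
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[ihl:]


if __name__ == "__main__":
    print(parse_ipv4(build_ipv4("10.0.0.1", "128.119.40.186", 6, b"hello")))
```

The source address is just another field: the parser cannot tell a forged one from a real one, which is the IP spoofing point from the threats section.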

IP Addressing: introduction
IP address: 32-bit identifier for a host or router interface.
Interface: connection between a host/router and a physical link; routers typically have multiple interfaces; a host may have multiple interfaces; IP addresses are associated with each interface.
(Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4; 223.1.2.1, 223.1.2.2, 223.1.2.9; 223.1.3.1, 223.1.3.2, 223.1.3.27.)
223.1.1.1 = 11011111 00000001 00000001 00000001
               223       1        1        1

Subnets
IP address: subnet part (high-order bits) and host part (low-order bits).
What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.
(Figure: the same addresses, forming a network of 3 subnets: 223.1.1.x, 223.1.2.x and 223.1.3.x, each a LAN.)

IP addressing: CIDR
Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).
CIDR: Classless InterDomain Routing. The subnet portion of the address is of arbitrary length. Address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address.
200.23.16.0/23 = 11001000 00010111 0001000|0 00000000
                 subnet part (23 bits)  | host part (9 bits)

NAT: Network Address Translation
(Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and the NAT router's LAN-side interface 10.0.0.4; the router's WAN-side address is 138.76.29.7, facing the rest of the Internet.)
Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source and destination (as usual).
All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation
1. Host 10.0.0.1 sends a datagram to 128.119.40.186, port 80:
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes the datagram source address from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates its table:
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
   NAT translation table:  WAN side addr 138.76.29.7, 5001  <->  LAN side addr 10.0.0.1, 3345  (...)
3. Reply arrives, destination address 138.76.29.7, 5001:
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes the datagram destination address from 138.76.29.7, 5001 to 10.0.0.1, 3345:
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
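The four steps above as a translation table in code, as an added example that is not the lecture's code. Packets are (src_ip, src_port, dst_ip, dst_port) tuples, WAN ports are handed out from 5001 as on the slide, and an inbound packet with no table entry is dropped, which is the side effect of NAT that unsolicited inbound connections run into.

```python
"""Port-based NAT translation table for the slide's walkthrough.

Added example; not from the lecture. Packets are (src_ip, src_port,
dst_ip, dst_port); the first WAN port handed out is 5001 as on the slide.
"""
import ipaddress


class Nat:
    def __init__(self, wan_ip, lan_network, first_port=5001):
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan_network)
        self.next_port = first_port
        self.out = {}     # (lan_ip, lan_port) -> wan_port
        self.back = {}    # wan_port -> (lan_ip, lan_port)

    def outbound(self, pkt):
        """Step 2: rewrite source to (wan_ip, wan_port), creating a mapping."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if ipaddress.ip_address(src_ip) not in self.lan:
            raise ValueError("not from the local network")
        key = (src_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.wan_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, pkt):
        """Steps 3-4: rewrite destination back to the LAN host, or None (dropped)."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip != self.wan_ip or dst_port not in self.back:
            return None             # no mapping: unsolicited inbound, dropped
        lan_ip, lan_port = self.back[dst_port]
        return (src_ip, src_port, lan_ip, lan_port)


def walkthrough():
    nat = Nat("138.76.29.7", "10.0.0.0/24")
    step2 = nat.outbound(("10.0.0.1", 3345, "128.119.40.186", 80))      # step 1 -> 2
    step4 = nat.inbound(("128.119.40.186", 80, "138.76.29.7", 5001))    # step 3 -> 4
    return step2, step4


if __name__ == "__main__":
    print(walkthrough())
```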

Hierarchical Routing
Our routing study thus far: an idealization; all routers identical, network "flat"... not true in practice.
Scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.
Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing
Aggregate routers into regions, "autonomous systems" (AS). Routers in the same AS run the same routing protocol: "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.
Gateway router: direct link to a router in another AS.
(Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); each router's forwarding table is filled by the intra-AS routing algorithm and the inter-AS routing algorithm.)

Interconnected ASes
The forwarding table is configured by both the intra- and inter-AS routing algorithms: intra-AS sets entries for internal destinations; inter-AS and intra-AS set entries for external destinations.

Routing in the Internet
Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)
Distance vector algorithm. Included in the BSD-UNIX distribution in 1982. Distance metric: number of hops (max = 15 hops).
Number of hops = number of subnets traversed along the shortest path from the source router to the destination subnet (e.g. src = A).
(Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z.)
From A:  destination  hops
         u            1
         v            2
         w            2
         x            3
         y            3
         z            2

RIP advertisements
Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).
Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)
"Open": publicly available. Uses a link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs are configured by the network administrator.
An OSPF advertisement carries one entry per neighbor router.
Advertisements are disseminated to the entire AS (via flooding), carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)
Security: OSPF messages can be authenticated (simple password or keyed MD5, configured per link; without that configuration there is no authentication) to prevent malicious intrusion.
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF
Two-level hierarchy: local area, backbone. Link-state advertisements only within an area; each node has the detailed topology of its own area.
Area border routers: "summarize" distances to nets in their own area, advertise to other area border routers.
Backbone routers: run OSPF routing limited to the backbone.
Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP
BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
1. obtain subnet reachability information from neighboring ASes;
2. propagate the reachability information to all routers internal to the AS;
3. determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics
Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.
(Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers within an AS.)

Path attributes & BGP routes
When advertising a prefix, the advertisement includes BGP attributes: prefix + attributes = "route".
Two important attributes:
AS-PATH: contains the ASes through which the advertisement for the prefix passed, e.g. AS 67, AS 17.
NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
When a gateway router receives a route advertisement, it uses its import policy to accept or decline it.

Why different intra- and inter-AS routing?
Policy: inter-AS: the admin wants control over how its traffic is routed and who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size and reduces update traffic.
Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMA/CD efficiency
- t_prop = max propagation delay between 2 nodes in the LAN
- t_trans = time to transmit a max-size frame

  efficiency = 1 / (1 + 5 · t_prop / t_trans)

- Efficiency goes to 1 as t_prop goes to 0.
- Goes to 1 as t_trans goes to infinity.
- Much better than ALOHA, but still decentralized, simple, and cheap.
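The backoff rule of the three CSMA/CD slides above and the efficiency formula, worked through in code. This is an added example, not code from the lecture: the collision oracle passed to transmit_with_backoff and the random seed are constructed inputs, and the 0.1 microsecond bit time is the 10 Mbps figure from the slide.

```python
import random

BIT_TIME_10MBPS = 0.1e-6   # .1 microsecond per bit on 10 Mbps Ethernet (from the slide)
SLOT_BITS = 512            # backoff is counted in units of 512 bit times
MAX_BACKOFF_EXPONENT = 10  # after the 10th collision the range stays {0, ..., 1023}
JAM_BITS = 48              # length of the jam signal sent on a collision


def backoff_range(m):
    """Largest K the adapter may pick after the m-th collision: 2**min(m, 10) - 1."""
    if m < 1:
        raise ValueError("m counts collisions and must be >= 1")
    return 2 ** min(m, MAX_BACKOFF_EXPONENT) - 1


def backoff_wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """Wait time for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time


def csmacd_efficiency(t_prop, t_trans):
    """Slide formula: efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def transmit_with_backoff(collision_on_attempt, rng=None):
    """Run steps 2-5 of the slide's algorithm for one frame.

    collision_on_attempt is a constructed oracle: element i is True when the
    i-th transmission attempt collides. Returns (collisions, wait_bit_times,
    jam_bits_sent), where wait_bit_times is the total backoff waited.
    """
    rng = rng or random.Random(0)
    collisions = 0
    wait_bits = 0
    for collided in collision_on_attempt:
        if not collided:            # step 3: whole frame sent, adapter is done
            return collisions, wait_bits, collisions * JAM_BITS
        collisions += 1             # step 4: abort and send the jam signal
        k = rng.randint(0, backoff_range(collisions))   # step 5: exponential backoff
        wait_bits += k * SLOT_BITS  # then back to step 2
    raise RuntimeError("oracle ended without a successful attempt")


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        worst = backoff_range(m)
        print(f"collision {m:2d}: K in 0..{worst:4d}, worst-case wait "
              f"{backoff_wait_seconds(worst) * 1e3:.2f} ms")
    print("efficiency at t_prop/t_trans = 0.1:", round(csmacd_efficiency(0.1, 1.0), 3))
    print(transmit_with_backoff([True, True, False]))
```

Running the block prints the K range growing until it is capped at 1023, which is where the slide's "about 50 msec" worst case comes from (1023 · 512 · 0.1 µs ≈ 52 ms).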

Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides net management functionality
  - can disconnect a malfunctioning adapter

[figure: hosts connected by twisted pair to a hub]

Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

[figure: three department hubs connected through a backbone hub]

Switch
Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding
- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem...

[figure: a switch with interfaces 1, 2, 3, each connected to a hub]

Self learning
- A switch has a switch table.
- Entry in the switch table: (MAC address, interface, time stamp).
- Stale entries in the table are dropped (TTL can be 60 min).
- The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation
- Switch installation breaks the subnet into LAN segments.
- The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments.
- Segments become separate collision domains.

[figure: a switch connected to three hubs; each hub is its own collision domain]
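The self-learning and filtering behaviour of the two switch slides above, as a small simulation. This is an added example and not code from the lecture; the frame trace in run_sample is constructed, and the 60-minute aging time is the slide's figure.

```python
SWITCH_TTL_SECONDS = 60 * 60   # the slide's 60-minute aging time for table entries

FORWARD, FILTER, FLOOD = "forward", "filter", "flood"


class LearningSwitch:
    """Self-learning switch table: MAC address -> (interface, time stamp)."""

    def __init__(self, ttl=SWITCH_TTL_SECONDS):
        self.ttl = ttl
        self.table = {}

    def _drop_stale(self, now):
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Process one frame; returns (decision, out_iface_or_None)."""
        self._drop_stale(now)
        # learning: the sender is reachable through the interface the frame came in on
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if entry is None:
            return FLOOD, None            # unknown destination: send out all other interfaces
        out_iface, _ = entry
        if out_iface == in_iface:
            return FILTER, None           # same LAN segment: do not forward (traffic isolation)
        return FORWARD, out_iface


def run_sample():
    """Constructed frame trace: (src, dst, incoming interface, time in seconds)."""
    frames = [
        ("A", "B", 1, 0),      # nothing known yet: flood
        ("B", "A", 2, 1),      # A was learned on interface 1: forward there
        ("A", "B", 1, 2),      # B was learned on interface 2: forward there
        ("C", "A", 1, 3),      # A sits on C's own segment: filter
        ("D", "B", 3, 3 + SWITCH_TTL_SECONDS + 1),   # B's entry has aged out: flood again
    ]
    switch = LearningSwitch()
    return [switch.receive(*frame) for frame in frames]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The last frame shows why the time stamp matters: without aging, a host that moved to another segment would keep being forwarded to its old interface.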

Switches vs. Routers
- Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.
- Routers maintain routing tables and implement routing algorithms.
- Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                     hubs    switches    routers
  traffic isolation  no      yes         yes
  plug & play        yes     yes         no
  optimal routing    no      no          yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem:
- B and A hear each other
- B and C hear each other
- A and C cannot hear each other, which means A and C are unaware of their interference at B

Signal fading:
- B and A hear each other
- B and C hear each other
- A and C cannot hear each other, interfering at B

[figure: A, B, C in a line; A's signal strength and C's signal strength fall off over space so that each reaches B but not the other]

IEEE 802.11 Wireless LAN
- 802.11b: 2.4–5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer (all hosts use the same chipping code); widely deployed, using base stations
- 802.11a: 5–6 GHz range; up to 54 Mbps
- 802.11g: 2.4–5 GHz range; up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions

802.11 LAN architecture
- A wireless host communicates with a base station; base station = access point (AP).
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP), the base station.
- Ad hoc mode: hosts only.

[figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch, or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then:
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK, increase the random backoff interval and repeat 2
802.11 receiver:
- If the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).

[figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK]

Collision Avoidance: RTS-CTS exchange

[figure: timeline with A, AP, B. A and B send RTS(A) and RTS(B) at the same time: reservation collision. A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A), heard by both; B defers for the duration of the reservation]

802.11 frame format (field lengths in bytes):

  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0–2312) | CRC (4)

802.11 frame addressing
- Address 1: MAC address of the wireless host or AP to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode

[figure: H1 — AP — router R1 — Internet]

  802.11 frame:  address 1 = AP MAC addr | address 2 = H1 MAC addr | address 3 = R1 MAC addr
  802.3 frame:   dest address = R1 MAC addr | source address = AP MAC addr
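A packer and parser for the frame layout shown on the two slides above (frame control 2, duration 2, three 6-byte addresses, seq control 2, address 4, payload up to 2312 bytes, CRC 4). This is an added example, not code from the lecture: the MAC addresses for H1, AP and R1 are constructed, the frame-control value 0x0008 is only a constructed stand-in for "data frame", address 4 is carried as a fixed field (zeroed when unused) exactly as the slide's layout lists it, and the CRC is computed with CRC-32.

```python
import struct
import zlib

# Field layout from the slide: frame control (2), duration (2), address 1 (6),
# address 2 (6), address 3 (6), seq control (2), address 4 (6), payload, CRC (4)
HEADER_FMT = "<HH6s6s6sH6s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 30 bytes
MAX_PAYLOAD = 2312
UNUSED_ADDR4 = "00-00-00-00-00-00"          # address 4 is only used in ad hoc mode

# Constructed MAC addresses for the slide's H1 -> AP -> R1 picture
H1_MAC = "02-00-00-00-00-01"
AP_MAC = "02-00-00-00-00-0A"
R1_MAC = "02-00-00-00-00-0B"


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split("-"))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(receiver, transmitter, router, payload, addr4=UNUSED_ADDR4,
                frame_control=0x0008, duration=0, seq_control=0):
    """Pack a frame with the slide's three-address convention and a CRC-32 trailer."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    header = struct.pack(HEADER_FMT, frame_control, duration,
                         mac_to_bytes(receiver), mac_to_bytes(transmitter),
                         mac_to_bytes(router), seq_control, mac_to_bytes(addr4))
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))


def crc_ok(frame):
    """True when the trailing CRC matches the header plus payload."""
    body, crc = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return zlib.crc32(body) == crc


def parse_frame(frame):
    """Unpack a frame; raises ValueError on truncation or CRC failure."""
    if len(frame) < HEADER_LEN + 4:
        raise ValueError("frame shorter than header plus CRC")
    if not crc_ok(frame):
        raise ValueError("CRC mismatch: frame corrupted in transit")
    fc, duration, a1, a2, a3, seq, a4 = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    return {
        "frame_control": fc,
        "duration": duration,
        "address1_receiver": bytes_to_mac(a1),
        "address2_transmitter": bytes_to_mac(a2),
        "address3_router": bytes_to_mac(a3),
        "seq_control": seq,
        "address4": bytes_to_mac(a4),
        "payload": frame[HEADER_LEN:-4],
    }


def host_to_ap_frame(payload):
    """H1 sends towards the Internet: address 1 = AP, address 2 = H1, address 3 = R1."""
    return build_frame(AP_MAC, H1_MAC, R1_MAC, payload)


if __name__ == "__main__":
    frame = host_to_ap_frame(b"IP datagram bytes")
    print(len(frame), parse_frame(frame))
```

The parser checks the CRC before trusting any field, which is the order a receiver should use: a corrupted address field must not be acted on.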

Network Security
- What is network security?
- Principles of cryptography: symmetric key; public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing; IP spoofing; DoS attacks


Internet security threats
Mapping countermeasures:
- record traffic entering the network
- look for suspicious activity (IP addresses, ports being scanned sequentially)

Internet security threats: packet sniffing
- broadcast media
- a promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g., C sniffs B's packets

[figure: A, B, C on a shared segment; frame src:B dest:A payload]

Countermeasures?

Internet security threats: packet sniffing countermeasures
- all hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)

[figure: A, B, C; frame src:B dest:A payload]
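The first countermeasure above, checking whether an interface is in promiscuous mode, as an added example (not part of the lecture). On Linux the kernel exposes each interface's flag word as hex text in /sys/class/net/<iface>/flags, and the promiscuous bit is IFF_PROMISC (0x100); the SAMPLE_FLAGS dictionary is constructed so the check runs offline, and read_live_flags is an assumed helper for running it on a real host.

```python
import os

IFF_PROMISC = 0x100   # promiscuous-mode bit in the Linux interface flags word


def is_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def check_interfaces(flags_by_iface):
    """Return the sorted names of interfaces whose flags show promiscuous mode."""
    return sorted(name for name, text in flags_by_iface.items() if is_promiscuous(text))


def read_live_flags(sysfs_root="/sys/class/net"):
    """Collect {iface: flags text} from sysfs; returns {} on non-Linux hosts."""
    flags = {}
    try:
        for iface in os.listdir(sysfs_root):
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                flags[iface] = fh.read()
    except OSError:
        pass
    return flags


# Constructed sample: eth0 is UP|BROADCAST|MULTICAST, eth1 additionally has PROMISC set
SAMPLE_FLAGS = {"eth0": "0x1003\n", "eth1": "0x1103\n", "lo": "0x9\n"}


if __name__ == "__main__":
    live = read_live_flags()
    print("promiscuous interfaces (sample):", check_interfaces(SAMPLE_FLAGS))
    if live:
        print("promiscuous interfaces (this host):", check_interfaces(live))
```

A periodic run of check_interfaces from a scheduler, with its output shipped to central logging, is the "software that checks periodically" the slide describes; the same bit is what `ip link` prints as PROMISC.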

Internet security threats: IP spoofing
- can generate "raw" IP packets directly from the application, putting any value into the IP source address field
- the receiver can't tell if the source is spoofed
- e.g., C pretends to be B

[figure: A, B, C; frame src:B dest:A payload, sent by C]

Countermeasures?

Internet security threats: IP spoofing countermeasures
Ingress filtering:
- routers should not forward outgoing packets with invalid source addresses (e.g., a datagram source address not in the router's network)
- great, but ingress filtering cannot be mandated for all networks

[figure: A, B, C; frame src:B dest:A payload]
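The ingress-filtering rule above, as an added example that is not part of the lecture: an edge router forwards an outgoing packet only if its source address lies inside the router's own network. The network prefix 192.0.2.0/24 and the packet list are constructed sample data.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

# Constructed sample: the edge router's own network is 192.0.2.0/24.
LOCAL_PREFIX = "192.0.2.0/24"
OUTGOING = [
    Packet("192.0.2.7", "198.51.100.1"),    # valid: source inside the router's network
    Packet("192.0.2.200", "203.0.113.9"),   # valid
    Packet("198.51.100.5", "203.0.113.9"),  # source not in 192.0.2.0/24: spoofed, drop
    Packet("10.0.0.1", "203.0.113.9"),      # private source leaking out: also dropped
]


def ingress_filter(local_prefix, packets):
    """Return (forwarded, dropped, log) for packets leaving the network.

    A packet is forwarded only if its source address lies in local_prefix;
    everything else is dropped and logged so the operator can see spoof attempts.
    """
    network = ipaddress.ip_network(local_prefix)
    forwarded, dropped, log = [], [], []
    for pkt in packets:
        if ipaddress.ip_address(pkt.src) in network:
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            log.append(f"DROP spoofed-source src={pkt.src} dst={pkt.dst} (not in {network})")
    return forwarded, dropped, log


if __name__ == "__main__":
    fwd, drp, log = ingress_filter(LOCAL_PREFIX, OUTGOING)
    print(len(fwd), "forwarded,", len(drp), "dropped")
    print("\n".join(log))
```

The second bullet on the slide is the limit of this check: it only protects against spoofing from networks whose edge router applies it, so a receiver elsewhere still cannot assume a source address is genuine.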

Internet security threats: denial of service (DoS)
- flood of maliciously generated packets "swamps" the receiver
- distributed DoS (DDoS): multiple coordinated sources swamp the receiver
- e.g., C and a remote host SYN-attack A

[figure: C and a remote host each send a stream of SYN segments to A]

Countermeasures?

Internet security threats: denial of service (DoS) countermeasures
- filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad
- traceback to the source of floods (most likely an innocent, compromised machine)

[figure: C and a remote host each send a stream of SYN segments to A]
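The SYN-flood picture from the two DoS slides above, as detection logic and as the first countermeasure run over sample records. This is an added example, not part of the lecture: the flow records are constructed (C = 203.0.113.5 and a remote host 198.51.100.9 flood A = 192.0.2.10 while a legitimate host B = 192.0.2.20 tries to connect), and the threshold and budget are arbitrary illustration values.

```python
from collections import Counter, defaultdict

SYN_ONLY = "S"      # a SYN without ACK is a new connection attempt


def make_sample_trace():
    """Constructed flow records: 'time src dst flags'."""
    lines, t = [], 0.0
    for _ in range(8):                                        # C's flood
        lines.append(f"{t:.2f} 203.0.113.5 192.0.2.10 S")
        t += 0.05
    for _ in range(3):                                        # remote host joins in
        lines.append(f"{t:.2f} 198.51.100.9 192.0.2.10 S")
        t += 0.05
    lines.append(f"{t:.2f} 192.0.2.20 192.0.2.10 S")          # B's genuine SYN
    lines.append(f"{t + 0.01:.2f} 192.0.2.10 192.0.2.20 SA")  # A's SYN-ACK back to B
    return lines


def parse_trace(lines):
    records = []
    for line in lines:
        t, src, dst, flags = line.split()
        records.append((float(t), src, dst, flags))
    return records


def syn_counts_per_source(records, window=1.0):
    """Count SYN-only segments per (time bucket, source address)."""
    counts = Counter()
    for t, src, _dst, flags in records:
        if flags == SYN_ONLY:
            counts[(int(t // window), src)] += 1
    return counts


def detect_syn_flood(records, threshold, window=1.0):
    """Sources that send more than `threshold` SYNs inside one window."""
    counts = syn_counts_per_source(records, window)
    return sorted({src for (_bucket, src), n in counts.items() if n > threshold})


def rate_limit_syns(records, protected_host, budget, window=1.0):
    """Slide countermeasure: once the per-window SYN budget for the host is spent,
    drop every further SYN to it. Indiscriminate: good SYNs go out with the bad."""
    spent = defaultdict(int)
    accepted, dropped = [], []
    for rec in records:
        t, _src, dst, flags = rec
        if dst != protected_host or flags != SYN_ONLY:
            accepted.append(rec)          # not a SYN aimed at the protected host
            continue
        bucket = int(t // window)
        if spent[bucket] < budget:
            spent[bucket] += 1
            accepted.append(rec)
        else:
            dropped.append(rec)
    return accepted, dropped


if __name__ == "__main__":
    recs = parse_trace(make_sample_trace())
    print("flooding sources:", detect_syn_flood(recs, threshold=5))
    acc, drp = rate_limit_syns(recs, "192.0.2.10", budget=4)
    print(len(acc), "accepted,", len(drp), "dropped")
```

With a budget of 4, the filter drops B's legitimate SYN along with the flood, which is exactly the "throw out good with bad" cost the slide names; the detector's per-source counts are what a traceback would start from.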

Review (1)
Network layer:
- Virtual circuits and datagram networks
- Routing principles: link state algorithm; distance vector algorithm
- The Internet (IP) protocol: IPv4 addressing; datagram format; IP fragmentation; ICMP (Internet Control Message Protocol); IPv6; NAT (Network Address Translation)

Review (2)
Routing in the Internet:
- hierarchical routing; RIP; OSPF; BGP
Data link layer:
- introduction and services
- error detection and correction
- multiple access protocols: TDMA/FDMA; random access protocols; "taking turns" protocols
- link-layer addressing
- Ethernet
- hubs and switches
Mobile and wireless networks:
- CDMA
- IEEE 802.11 wireless LANs

Review (3)
- What is network security?
- Principles of cryptography: symmetric key; public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing; IP spoofing; DoS attacks

Routing algorithm classification
Global or decentralized information?
- Global: all routers have complete topology and link cost info; "link state" algorithms
- Decentralized: a router knows its physically-connected neighbors and the link costs to neighbors; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞

  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'

Dijkstra's algorithm: example

  Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
  0     u        2,u        5,u        1,u        ∞          ∞
  1     ux       2,u        4,x                   2,x        ∞
  2     uxy      2,u        3,y                              4,y
  3     uxyv                3,y                              4,y
  4     uxyvw                                                4,y
  5     uxyvwz

[figure: six-node graph u, v, w, x, y, z; the edge costs consistent with the table are u–v 2, u–x 1, u–w 5, v–x 2, v–w 3, x–w 3, x–y 1, w–y 1, w–z 5, y–z 2]

Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to its neighbors.
- When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

  D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N

- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance vector algorithm (2)
Iterative, asynchronous: each local iteration is caused by:
- a local link cost change
- a DV update message from a neighbor
Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path; it only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[figure: three nodes; c(x,y) = 2, c(x,z) = 7, c(y,z) = 1]

Each table lists, for one node, the cost to x, y, z as seen from each node's DV (rows: from x, y, z; columns: cost to x, y, z).

  time 0                 time 1                 time 2
  node x table           node x table           node x table
  from x:  0  2  7       from x:  0  2  3       from x:  0  2  3
  from y:  ∞  ∞  ∞       from y:  2  0  1       from y:  2  0  1
  from z:  ∞  ∞  ∞       from z:  7  1  0       from z:  3  1  0

  node y table           node y table           node y table
  from x:  ∞  ∞  ∞       from x:  0  2  7       from x:  0  2  3
  from y:  2  0  1       from y:  2  0  1       from y:  2  0  1
  from z:  ∞  ∞  ∞       from z:  7  1  0       from z:  3  1  0

  node z table           node z table           node z table
  from x:  ∞  ∞  ∞       from x:  0  2  7       from x:  0  2  3
  from y:  ∞  ∞  ∞       from y:  2  0  1       from y:  2  0  1
  from z:  7  1  0       from z:  3  1  0       from z:  3  1  0

  D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
  D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
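The Bellman-Ford update from the two distance vector slides, run on the three-node example until it converges. This is an added example, not the lecture's code; the link costs are the slide's (c(x,y) = 2, c(x,z) = 7, c(y,z) = 1) and the exchange is simulated in synchronous rounds for readability, whereas the slide stresses that real DV updates are asynchronous.

```python
INF = float("inf")

# Link costs from the slide's example
LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}


def neighbor_costs(links):
    costs = {}
    for (a, b), c in links.items():
        costs.setdefault(a, {})[b] = c
        costs.setdefault(b, {})[a] = c
    return costs


class DVNode:
    def __init__(self, name, costs, all_nodes):
        self.name = name
        self.costs = costs             # c(x, v) for each directly connected neighbor v
        self.nodes = all_nodes
        # initial DV: 0 to self, link cost to neighbors, infinity elsewhere
        self.vector = {y: (0 if y == name else costs.get(y, INF)) for y in all_nodes}
        self.next_hop = {y: (y if y in costs else None) for y in all_nodes}
        self.neighbor_vectors = {}     # latest DV received from each neighbor

    def receive(self, sender, vector):
        self.neighbor_vectors[sender] = dict(vector)

    def recompute(self):
        """Bellman-Ford: D_x(y) = min_v { c(x,v) + D_v(y) }. Returns True if the DV changed."""
        changed = False
        for y in self.nodes:
            if y == self.name:
                continue
            best, via = self.costs.get(y, INF), (y if y in self.costs else None)
            for v, dv in self.neighbor_vectors.items():
                if self.costs[v] + dv.get(y, INF) < best:
                    best, via = self.costs[v] + dv[y], v
            if best != self.vector[y]:
                self.vector[y], self.next_hop[y], changed = best, via, True
        return changed


def run_distance_vector(links, max_rounds=50):
    """Synchronous rounds: every node sends its DV, then every node recomputes.
    Stops at the first round in which no DV changes. Returns (vectors, next_hops, rounds)."""
    costs = neighbor_costs(links)
    names = sorted(costs)
    nodes = {n: DVNode(n, costs[n], names) for n in names}
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        for node in nodes.values():
            for v in node.costs:
                nodes[v].receive(node.name, node.vector)
        changes = [node.recompute() for node in nodes.values()]   # evaluate all, no short-circuit
        if not any(changes):
            break
    vectors = {n: dict(node.vector) for n, node in nodes.items()}
    next_hops = {n: dict(node.next_hop) for n, node in nodes.items()}
    return vectors, next_hops, rounds


if __name__ == "__main__":
    vectors, hops, rounds = run_distance_vector(LINKS)
    print("converged after", rounds, "rounds")
    for n in sorted(vectors):
        print(n, vectors[n], "next hops", hops[n])
```

Node x never learns the path x→y→z, only that its next hop for z is y, which is the "only knows the next hop" point of the second slide.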

The Internet network layer
Host, router network layer functions:
- Routing protocols: path selection; RIP, OSPF, BGP
- IP protocol: addressing conventions; datagram format; packet handling conventions
- ICMP protocol: error reporting; router "signaling"

[figure: transport layer (TCP, UDP) above the network layer (routing protocols, forwarding table, IP protocol, ICMP protocol) above the link layer and physical layer]

IP datagram format
32 bits wide:

  ver | head len | type of service | length
  16-bit identifier | flgs | fragment offset
  time to live | upper layer | Internet checksum
  32-bit source IP address
  32-bit destination IP address
  Options (if any)
  data (variable length, typically a TCP or UDP segment)

- ver: IP protocol version number
- head len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number of remaining hops (decremented at each router)
- upper layer: upper-layer protocol to deliver payload to
- Options (if any): e.g., timestamp, record route taken, specify list of routers to visit

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app-layer overhead.
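A builder and parser for the 20-byte header laid out above, including the Internet checksum and the per-router TTL decrement. This is an added example, not part of the lecture; the source and destination addresses are taken from the slides' 223.1.x.y figure and the other field values are constructed.

```python
import socket
import struct

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte header, no options
IPV4_HEADER_LEN = struct.calcsize(IPV4_HEADER_FMT)
TCP_HEADER_LEN = 20


def internet_checksum(data):
    """One's-complement sum of 16-bit words, folded, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, protocol=6, ttl=64, identifier=0, flags_frag=0):
    ver_ihl = (4 << 4) | (IPV4_HEADER_LEN // 4)          # version 4, head len 5 words
    total_len = IPV4_HEADER_LEN + payload_len            # length = header + data
    fields = [ver_ihl, 0, total_len, identifier, flags_frag, ttl, protocol, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = internet_checksum(struct.pack(IPV4_HEADER_FMT, *fields))  # checksum over header
    return struct.pack(IPV4_HEADER_FMT, *fields)


def parse_ipv4_header(data):
    if len(data) < IPV4_HEADER_LEN:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack(IPV4_HEADER_FMT,
                                         data[:IPV4_HEADER_LEN])
    header_len = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "header_len": header_len, "tos": tos,
        "total_len": total_len, "identifier": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        # a valid header sums to zero when the stored checksum is included
        "checksum_ok": internet_checksum(data[:header_len]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def forward_one_hop(header):
    """Router behaviour: decrement TTL and recompute the checksum; None means drop."""
    h = bytearray(header)
    if h[8] <= 1:                       # TTL would reach 0: datagram is discarded
        return None
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", internet_checksum(bytes(h)))
    return bytes(h)


def overhead_with_tcp():
    """The slide's 40 bytes: IP header plus TCP header before any application data."""
    return IPV4_HEADER_LEN + TCP_HEADER_LEN


if __name__ == "__main__":
    hdr = build_ipv4_header("223.1.1.1", "223.1.2.2", payload_len=100, ttl=3)
    print(parse_ipv4_header(hdr))
    print(parse_ipv4_header(forward_one_hop(hdr))["ttl"])
```

The checksum only covers the header, so a router can verify and recompute it cheaply at each hop after the TTL decrement; it detects corruption, not tampering, which is why it is no substitute for the integrity mechanisms of the security slides.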

IP addressing: introduction
- IP address: 32-bit identifier for a host or router interface
- Interface: connection between host/router and physical link
  - routers typically have multiple interfaces
  - a host may have multiple interfaces
  - IP addresses are associated with each interface

[figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3 on one LAN; a router with interfaces 223.1.1.4, 223.1.2.9, 223.1.3.27; hosts 223.1.2.1, 223.1.2.2 on a second LAN; hosts 223.1.3.1, 223.1.3.2 on a third]

  223.1.1.1 = 11011111 00000001 00000001 00000001
                 223        1        1        1

Subnets
IP address:
- subnet part (high-order bits)
- host part (low-order bits)
What's a subnet? Device interfaces with the same subnet part of the IP address can physically reach each other without an intervening router.

[figure: the same 223.1.x.y network as above, consisting of 3 subnets, each a LAN]

IP addressing: CIDR
- Before CIDR, only 8-, 16-, and 24-bit masks were available (A, B, and C class networks).
- CIDR: Classless InterDomain Routing
  - subnet portion of the address is of arbitrary length
  - address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address

  11001000 00010111 00010000 00000000  = 200.23.16.0/23
  |<---- subnet part (23 bits) --->|<-- host part -->|
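The subnet/host split of the two slides above, worked in code as an added example (not the lecture's). It uses the standard library's ipaddress module, the slides' 223.1.x.y interfaces and the 200.23.16.0/23 CIDR block; the binary rendering follows the slide's "octet per group" notation.

```python
import ipaddress


def to_binary(addr):
    """'223.1.1.1' -> '11011111 00000001 00000001 00000001' (the slide's notation)."""
    return " ".join(f"{int(octet):08b}" for octet in addr.split("."))


def split_cidr(cidr):
    """Return (subnet_bits, host_bits) for a.b.c.d/x: the x high-order bits are the subnet part."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = f"{int(net.network_address):032b}"
    return bits[:net.prefixlen], bits[net.prefixlen:]


def group_into_subnets(addresses, prefixlen):
    """Interfaces sharing the subnet part can reach each other without a router."""
    groups = {}
    for addr in addresses:
        net = ipaddress.ip_interface(f"{addr}/{prefixlen}").network
        groups.setdefault(str(net), []).append(addr)
    return {net: sorted(hosts, key=lambda a: int(ipaddress.ip_address(a)))
            for net, hosts in groups.items()}


def same_subnet(a, b, prefixlen):
    return (ipaddress.ip_interface(f"{a}/{prefixlen}").network
            == ipaddress.ip_interface(f"{b}/{prefixlen}").network)


# Interfaces from the slides' 223.1.x.y figure
INTERFACES = ["223.1.1.1", "223.1.1.2", "223.1.1.3", "223.1.1.4", "223.1.2.9",
              "223.1.2.1", "223.1.2.2", "223.1.3.1", "223.1.3.2", "223.1.3.27"]


if __name__ == "__main__":
    print(to_binary("223.1.1.1"))
    subnet, host = split_cidr("200.23.16.0/23")
    print(subnet, "|", host, "netmask", ipaddress.ip_network("200.23.16.0/23").netmask)
    for net, hosts in sorted(group_into_subnets(INTERFACES, 24).items()):
        print(net, hosts)
```

Grouping the figure's ten interfaces with a 24-bit subnet part reproduces the slide's "network consisting of 3 subnets"; the router shows up once in each group because it has one interface per subnet.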

NAT: Network Address Translation

[figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router (10.0.0.4 on the LAN side, 138.76.29.7 toward the rest of the Internet)]

- Datagrams with source or destination in this network have a 10.0.0/24 address for source, destination (as usual).
- All datagrams leaving the local network have the same single source NAT IP address 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

[figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind the NAT router (10.0.0.4 / 138.76.29.7)]

  NAT translation table:
    WAN side addr         LAN side addr
    138.76.29.7, 5001     10.0.0.1, 3345
    ...                   ...

1. Host 10.0.0.1 sends a datagram to 128.119.40.186, 80:   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2. NAT router changes the datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table:   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3. Reply arrives, dest address 138.76.29.7, 5001:   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4. NAT router changes the datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345:   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
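The four-step NAT walkthrough above as a translation table in code, an added example that is not part of the lecture. The addresses and ports are the slide's; the choice to allocate WAN ports sequentially from 5001 and to drop inbound datagrams with no table entry are the example's own assumptions.

```python
class NatRouter:
    """Port-based NAT: rewrites (LAN addr, port) <-> (WAN addr, port) via a translation table."""

    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port     # constructed: hand out WAN ports sequentially
        self.lan_to_wan = {}            # (lan_ip, lan_port) -> wan_port
        self.wan_to_lan = {}            # wan_port -> (lan_ip, lan_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Step 2: rewrite the source addr/port, creating a table entry on first use."""
        key = (src_ip, src_port)
        if key not in self.lan_to_wan:
            wan_port = self.next_port
            self.next_port += 1
            self.lan_to_wan[key] = wan_port
            self.wan_to_lan[wan_port] = key
        return (self.wan_ip, self.lan_to_wan[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Step 4: rewrite the destination back to the LAN host.
        Returns None (drop) when nothing in the table matches: an unsolicited
        inbound datagram has no LAN host to go to."""
        if dst_ip != self.wan_ip or dst_port not in self.wan_to_lan:
            return None
        lan_ip, lan_port = self.wan_to_lan[dst_port]
        return (src_ip, src_port, lan_ip, lan_port)


def walkthrough():
    """The slide's four steps; each datagram is (src ip, src port, dst ip, dst port)."""
    nat = NatRouter("138.76.29.7")
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)    # host sends
    step2 = nat.outbound(*step1)                          # NAT rewrites source
    step3 = (step2[2], step2[3], step2[0], step2[1])      # reply comes back to 138.76.29.7, 5001
    step4 = nat.inbound(*step3)                           # NAT rewrites destination
    return step1, step2, step3, step4, nat


if __name__ == "__main__":
    for step in walkthrough()[:4]:
        print(step)
```

The drop in inbound() is the side effect that makes NAT act like a crude stateful filter: a host behind it cannot be reached from outside until it has sent something out, which is also why hosting a server behind NAT needs explicit port mapping.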

Hierarchical routing
Our routing study thus far was an idealization: all routers identical, network "flat"... not true in practice.
Scale: with 200 million destinations:
- can't store all destinations in routing tables
- routing table exchange would swamp links
Administrative autonomy:
- internet = network of networks
- each network admin may want to control routing in its own network

Hierarchical routing
- Aggregate routers into regions: "autonomous systems" (AS).
- Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.
- Gateway router: has a direct link to a router in another AS.

[figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); in each router the intra-AS routing algorithm and the inter-AS routing algorithm together fill the forwarding table]

Interconnected ASes
- The forwarding table is configured by both the intra- and inter-AS routing algorithms.
- Intra-AS sets entries for internal destinations.
- Inter-AS and intra-AS together set entries for external destinations.

Routing in the Internet
- Intra-AS routing: RIP and OSPF
- Inter-AS routing: BGP

RIP (Routing Information Protocol)
- Distance vector algorithm
- Included in the BSD-UNIX distribution in 1982
- Distance metric: number of hops (max = 15 hops)
- Number of hops = number of subnets traversed along the shortest path from source router to destination subnet (e.g., src = A)

[figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z]

  from A:   destination   hops
            u             1
            v             2
            w             2
            x             3
            y             3
            z             2

RIP advertisements
- Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).
- Each advertisement: a list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)
- "Open": publicly available
- Uses the link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm
- Link costs configured by the network administrator
- OSPF advertisement carries one entry per neighbor router
- Advertisements disseminated to the entire AS (via flooding)
- Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF
- Two-level hierarchy: local area, backbone.
  - Link-state advertisements only in the area.
  - Each node has the detailed area topology; it knows only the direction (shortest path) to nets in other areas.
- Area border routers: "summarize" distances to nets in their own area; advertise to other area border routers.
- Backbone routers: run OSPF routing limited to the backbone.
- Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP
- BGP (Border Gateway Protocol): the de facto standard.
- BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASes.
  2. Propagate the reachability information to all routers internal to the AS.
  3. Determine "good" routes to subnets based on reachability information and policy.
- Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics
- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions.
- Note that BGP sessions do not correspond to physical links.
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix.
- AS2 can aggregate prefixes in its advertisement.

[figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes & BGP routes
- When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".
- Two important attributes:
  - AS-PATH: contains the ASes through which the advert for the prefix passed: e.g., AS 67, AS 17
  - NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)
- When a gateway router receives a route advert, it uses its import policy to accept/decline.

Why different intra- and inter-AS routing?
Policy:
- Inter-AS: the admin wants control over how its traffic is routed and who routes through its net.
- Intra-AS: single admin, so no policy decisions needed.
Scale:
- Hierarchical routing saves table size and reduces update traffic.
Performance:
- Intra-AS: can focus on performance.
- Inter-AS: policy may dominate over performance.

Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram

The data-link layer has the responsibility of transferring a datagram from one node to the adjacent node over a link.

Link layer services
- Framing, link access:
  - encapsulate the datagram into a frame, adding header and trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source and destination (different from IP address)
- Reliable delivery between adjacent nodes:
  - we learned how to do this already (chapter 3)
  - seldom used on low bit-error links (fiber, some twisted pair)
  - wireless links: high error rates
  - Q: why both link-level and end-end reliability?

MAC protocols: a taxonomy
Three broad classes:
- Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
- Random access: channel not divided; allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel partitioning MAC protocols: TDMA
- TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = pkt transmission time) in each round; unused slots go idle. Example: a 6-station LAN; stations 1, 3, 4 have packets, slots 2, 5, 6 are idle.
- TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
- FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA
Pros:
- a single active node can continuously transmit at the full rate of the channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted ALOHA efficiency
- Suppose N nodes with many frames to send; each transmits in a slot with probability p.
- Prob that node 1 has success in a slot = p(1-p)^(N-1)
- Prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
- For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37.
- Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
- At best, the channel is used for useful transmissions 37% of the time!
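The efficiency derivation above carried through numerically, as an added example (not the lecture's code): the optimum p is found by search rather than by differentiating, the N → ∞ limit is checked against 1/e, and a short Monte Carlo run confirms the closed form. The slot counts and seed are constructed.

```python
import math
import random


def success_probability(n, p):
    """P(exactly one of N nodes transmits in a slot) = N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n, steps=10000):
    """Grid search over p in (0, 1] for the value maximizing success_probability."""
    return max((k / steps for k in range(1, steps + 1)),
               key=lambda p: success_probability(n, p))


def max_efficiency(n):
    """Efficiency at the optimum p = 1/N (which best_p recovers numerically)."""
    return success_probability(n, 1.0 / n)


def limiting_efficiency():
    """As N goes to infinity the maximum tends to 1/e, about .37."""
    return 1.0 / math.e


def simulate(n, p, slots, seed=0):
    """Monte Carlo: fraction of slots in which exactly one node transmits."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        successes += transmitters == 1
    return successes / slots


if __name__ == "__main__":
    for n in (1, 2, 10, 100, 1000):
        print(f"N={n:5d}: best p={best_p(n):.4f}  max efficiency={max_efficiency(n):.4f}")
    print("limit 1/e =", round(limiting_efficiency(), 4))
    print("simulated, N=10, p=0.1:", round(simulate(10, 0.1, 20000, seed=1), 4))
```

The table the block prints shows the efficiency falling from 1 (a single node) toward .37 as N grows, which is the slide's point: the randomness that makes slotted ALOHA decentralized is also what caps its useful throughput.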

CSMA (Carrier Sense Multiple Access)
- CSMA: listen before transmit.
- If the channel is sensed idle, transmit the entire frame.
- If the channel is sensed busy, defer transmission.
- Human analogy: don't interrupt others!

CSMA collisions
- Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
- Collision: the entire packet transmission time is wasted.
- Note the role of distance and propagation delay in determining collision probability.

[figure: spatial layout of nodes over time, showing two transmissions overlapping because of propagation delay]

CSMA/CD (Collision Detection)
- CSMA/CD: carrier sensing and deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
- Collision detection:
  - easy in wired LANs: measure signal strengths, compare transmitted and received signals
  - difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[figure: spatial layout of nodes over time; both senders abort shortly after the collision is detected]

"Taking turns" MAC protocols
- Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
- Token passing: a control token is passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol
- Each IP node (host, router) on a LAN has an ARP table.
- ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
- TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B's IP address?

[figure: LAN with four nodes: 237.196.7.23 (1A-2F-BB-76-09-AD), 237.196.7.78 (58-23-D7-FA-20-B0), 237.196.7.14 (0C-C4-11-6F-E3-98), 237.196.7.88 (71-65-F7-2B-08-53)]

ARP protocol: same LAN (network)
- A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
- B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
- ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.

Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN).
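The ARP query/reply of the two ARP slides and the A → R → B walkthrough, simulated end to end as an added example (not the lecture's code). The router interface 111.111.111.110 and its MAC E6-E9-00-17-BB-4B are the slide's; A's address, B's address, R's second interface and their MAC addresses are constructed, and the 20-minute TTL is the slide's typical value.

```python
ARP_TTL_SECONDS = 20 * 60
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"


class Interface:
    """One IP interface with its own ARP table: ip -> (mac, time learned)."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_table = {}

    def lookup(self, ip, now):
        entry = self.arp_table.get(ip)
        if entry and now - entry[1] < ARP_TTL_SECONDS:
            return entry[0]
        self.arp_table.pop(ip, None)          # soft state: an old mapping is forgotten
        return None


class Lan:
    def __init__(self):
        self.interfaces = []

    def attach(self, iface):
        self.interfaces.append(iface)
        return iface

    def arp_resolve(self, asker, target_ip, now, trace):
        """ARP on one LAN: cache hit, or broadcast query answered by the owner."""
        mac = asker.lookup(target_ip, now)
        if mac:
            trace.append(f"{asker.ip}: ARP cache hit for {target_ip}")
            return mac
        trace.append(f"{asker.ip}: broadcast ARP query who-has {target_ip} to {BROADCAST_MAC}")
        for iface in self.interfaces:          # every adapter on the LAN sees the query
            if iface.ip == target_ip:
                trace.append(f"{iface.ip}: ARP reply {iface.mac} unicast to {asker.mac}")
                asker.arp_table[target_ip] = (iface.mac, now)
                return iface.mac
        raise LookupError(f"no host {target_ip} on this LAN")


def send_via_router(a, b, r_in, r_out, lan1, lan2, now, trace):
    """The walkthrough: returns the two link-layer frames that carry one A-to-B datagram."""
    datagram = (a.ip, b.ip)                                   # network-layer addresses never change
    next_hop_mac = lan1.arp_resolve(a, r_in.ip, now, trace)  # A's routing table says: via R
    frame1 = {"dst_mac": next_hop_mac, "src_mac": a.mac, "datagram": datagram}
    if frame1["dst_mac"] != r_in.mac:
        raise RuntimeError("frame would not be accepted by R's adapter")
    b_mac = lan2.arp_resolve(r_out, b.ip, now, trace)        # R uses the ARP table of its second LAN
    frame2 = {"dst_mac": b_mac, "src_mac": r_out.mac, "datagram": datagram}
    return frame1, frame2


def build_topology():
    lan1, lan2 = Lan(), Lan()
    a = lan1.attach(Interface("111.111.111.111", "74-29-9C-E8-FF-55"))     # constructed
    r_in = lan1.attach(Interface("111.111.111.110", "E6-E9-00-17-BB-4B"))  # from the slide
    r_out = lan2.attach(Interface("222.222.222.220", "1A-23-F9-CD-06-9B")) # constructed
    b = lan2.attach(Interface("222.222.222.222", "49-BD-D2-C7-56-2A"))     # constructed
    return a, b, r_in, r_out, lan1, lan2


if __name__ == "__main__":
    trace = []
    a, b, r_in, r_out, lan1, lan2 = build_topology()
    for frame in send_via_router(a, b, r_in, r_out, lan1, lan2, now=0, trace=trace):
        print(frame)
    print("\n".join(trace))
```

The trace makes the point of the slide visible: the IP datagram keeps (A, B) across both hops while each frame carries only the MAC addresses of the two adapters on its own LAN, and the second send within the TTL makes no broadcast at all.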

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

Page 36: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Internet security threats: Packet sniffing

- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets

[Figure: A, B and C on a shared broadcast medium; the frame src: B, dest: A, payload is also seen by C]

Countermeasures?

Internet security threats: Packet sniffing countermeasures

- all hosts in organization run software that checks periodically if host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)

[Figure: A, B and C; the frame src: B, dest: A, payload]
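The first countermeasure above is a periodic host check. The following is an added example, not code from these slides: on Linux the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, and IFF_PROMISC is bit 0x100 (from linux/if.h), so the check is a read and a bit test. The sample flag values are constructed; the sysfs reader is only used when that directory exists.

```python
"""Check whether a Linux network interface is in promiscuous mode.

Added example (not from the slides): the periodic host-side check the
slide describes, implemented by reading the interface flag word Linux
exposes in /sys/class/net/<iface>/flags. IFF_PROMISC is the 0x100 bit.
"""
import os

IFF_PROMISC = 0x100


def is_promiscuous(flags_word: str) -> bool:
    """Return True if the hex flag word (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_word.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface: dict) -> list:
    """Given {iface: flags_word}, return the interfaces in promiscuous mode."""
    return sorted(name for name, flags in flags_by_iface.items()
                  if is_promiscuous(flags))


def read_sysfs_flags(sysfs_root: str = "/sys/class/net") -> dict:
    """Collect the flag word of every interface on this host (Linux only)."""
    result = {}
    if not os.path.isdir(sysfs_root):
        return result
    for name in os.listdir(sysfs_root):
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue
    return result


# Constructed sample: eth0 is up and sniffing (0x100 set), eth1 is up but normal
SAMPLE_FLAGS = {"eth0": "0x1103\n", "eth1": "0x1003\n", "lo": "0x9\n"}

if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS
    for iface in promiscuous_interfaces(live):
        print(f"ALERT: {iface} is in promiscuous mode")
```

Run from cron or a monitoring agent, the alert is the signal the slide asks for; a host whose interface flips into promiscuous mode without a known reason (a packet-capture tool, a bridge) deserves a look.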

Internet security threats: IP Spoofing

- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B

[Figure: A, B and C; C sends a frame with src: B, dest: A, payload]

Countermeasures?

Internet security threats: IP Spoofing: ingress filtering

- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks

[Figure: A, B and C; the spoofed frame src: B, dest: A, payload]

Internet security threats: Denial of service (DOS)

- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A

[Figure: A, B and C; streams of SYN segments from C and from a remote host converge on A]

Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures

- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)

[Figure: A, B and C with the same SYN streams converging on A]
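Filtering SYNs before they reach the host presupposes noticing the flood. Below is an added example, not from the slides, of the detection side: it counts TCP segments carrying only the SYN flag per destination and one-second window over a packet log and reports windows above a threshold, together with how many distinct sources contributed (a flood with many sources is the DDOS or spoofed-source case from the slide). The log format and every address in it are constructed for the example.

```python
"""Detect a SYN flood against a host from a packet log.

Added example (not from the slides): the 'filter out flooded packets
(e.g., SYN) before reaching host' countermeasure needs a detector first.
This one counts TCP segments with only the SYN flag set, per destination
and per one-second window, and reports windows over a threshold.
The log format below is constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed sample log: "<seconds> <src ip> <dst ip> <tcp flags>"
# Two normal handshakes at t=10, then 400 SYNs from 200 sources at t=11.
SAMPLE_LOG = """\
10.0 10.1.1.5 192.0.2.10 S
10.1 10.1.1.5 192.0.2.10 A
10.2 10.1.1.6 192.0.2.10 S
10.3 10.1.1.6 192.0.2.10 A
""" + "".join(f"11.{i:03d} 203.0.113.{(i % 200) + 1} 192.0.2.10 S\n"
              for i in range(400))


def parse_log(text: str):
    """Yield (time, src, dst, flags) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, flags = line.split()
        yield float(ts), src, dst, flags


def syn_only_counts(records):
    """Count SYN-only segments per (dst, 1-second window), and their sources."""
    counts = Counter()
    sources = defaultdict(Counter)
    for ts, src, dst, flags in records:
        if flags == "S":            # SYN without ACK: a new connection attempt
            window = (dst, int(ts))
            counts[window] += 1
            sources[window][src] += 1
    return counts, sources


def detect_syn_flood(text: str, threshold: int = 100):
    """Return [(dst, window_start, syn_count, distinct_sources)] over threshold."""
    counts, sources = syn_only_counts(parse_log(text))
    alerts = []
    for (dst, win), n in sorted(counts.items()):
        if n > threshold:
            alerts.append((dst, win, n, len(sources[(dst, win)])))
    return alerts


if __name__ == "__main__":
    for dst, win, n, nsrc in detect_syn_flood(SAMPLE_LOG):
        print(f"t={win}s dst={dst}: {n} SYNs from {nsrc} sources (possible flood)")
```

The threshold is a tuning knob: it should sit well above the destination's normal connection rate, and the distinct-source count tells the responder whether blocking individual sources has any hope or whether the "throw out good with bad" filter from the slide is the only option.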

Review (1)

Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  - Link State Algorithm
  - Distance Vector Algorithm
- The Internet (IP) Protocol
  - IPv4 addressing
  - Datagram format
  - IP fragmentation
  - ICMP: Internet Control Message Protocol
  - IPv6
  - NAT: Network Address Translation

Review (2)

Routing in the Internet
  - Hierarchical routing
  - RIP
  - OSPF
  - BGP

Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  - TDMA/FDMA
  - Random Access Protocols
  - "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches

Mobile and wireless networks
- CDMA
- IEEE 802.11 wireless LANs

Review (3)

- What is network security?
- Principles of cryptography
  - Symmetric Key
  - Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures
  - Packet sniffing
  - IP spoofing
  - DoS attacks

Routing Algorithm classification

Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞

  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'

Dijkstra's algorithm example

[Figure: graph with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]

  Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
  0     u        2,u        5,u        1,u        ∞          ∞
  1     ux       2,u        4,x                   2,x        ∞
  2     uxy      2,u        3,y                              4,y
  3     uxyv                3,y                              4,y
  4     uxyvw                                                4,y
  5     uxyvwz
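The following is an added example, not code from the slides: a Python implementation of the pseudocode above, run on the example graph with the link costs listed under the figure. The final D(v), p(v) values match the last filled entries of the table. When two nodes tie for the minimum D (v and y at step 2) this code takes the first in insertion order, so its N' sequence can differ from the slide's; either order is legitimate for the algorithm and yields the same costs. The forwarding table at u is read off the predecessor tree.

```python
"""Dijkstra's link-state algorithm on the slide's example graph.

Added example (not from the slides): a direct implementation of the
pseudocode, run on the u-v-w-x-y-z graph with the link costs from the
example figure. Returns the least cost D(v) and predecessor p(v) for each
node, which should match the final row of the table above.
"""
import math

# Undirected link costs c(a,b) from the example figure
LINKS = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3, ("x", "w"): 3,
    ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def build_graph(links):
    """Turn the undirected link list into an adjacency dict {a: {b: cost}}."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def dijkstra(graph, source):
    """Return (D, p, steps): least costs, predecessors, and N' after each step."""
    # Initialization: N' = {u}; D(v) = c(u,v) for neighbours, infinity otherwise
    n_prime = [source]
    D = {v: math.inf for v in graph}
    p = {v: None for v in graph}
    D[source] = 0
    for v, cost in graph[source].items():
        D[v], p[v] = cost, source
    steps = ["".join(n_prime)]
    # Loop: pick w not in N' with minimum D(w), add it, relax its neighbours
    while len(n_prime) < len(graph):
        w = min((v for v in graph if v not in n_prime), key=lambda v: D[v])
        n_prime.append(w)
        for v, cost in graph[w].items():
            if v not in n_prime and D[w] + cost < D[v]:
                D[v], p[v] = D[w] + cost, w
        steps.append("".join(n_prime))
    return D, p, steps


def forwarding_table(p, source):
    """Next hop from source to every destination, read off the predecessor tree."""
    table = {}
    for dest in p:
        if dest == source:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, steps = dijkstra(build_graph(LINKS), "u")
    for i, n in enumerate(steps):
        print(f"step {i}: N' = {n}")
    print({v: (D[v], p[v]) for v in sorted(D)})
    print("forwarding table at u:", forwarding_table(p, "u"))
```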

Distance vector algorithm (1)

Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

    Dx(y) ← min_v { c(x,v) + Dv(y) }   for each node y ∈ N

- Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor

Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path; it only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: network x—y cost 2, y—z cost 1, x—z cost 7; the table at each node (rows = from, columns = cost to x y z) as it evolves over time]

  node x table            node y table            node z table
  t0:  x: 0 2 7            x: ∞ ∞ ∞                x: ∞ ∞ ∞
       y: ∞ ∞ ∞            y: 2 0 1                y: ∞ ∞ ∞
       z: ∞ ∞ ∞            z: ∞ ∞ ∞                z: 7 1 0
  t1:  x: 0 2 3            x: 0 2 7                x: 0 2 7
       y: 2 0 1            y: 2 0 1                y: 2 0 1
       z: 7 1 0            z: 7 1 0                z: 3 1 0
  t2:  x: 0 2 3            x: 0 2 3                x: 0 2 3
       y: 2 0 1            y: 2 0 1                y: 2 0 1
       z: 3 1 0            z: 3 1 0                z: 3 1 0

Dx(y) = min{c(x,y) + Dy(y), c(x,z) + Dz(y)} = min{2+0, 7+1} = 2
Dx(z) = min{c(x,y) + Dy(z), c(x,z) + Dz(z)} = min{2+1, 7+0} = 3
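An added example, not code from the slides, simulating the procedure above on the three-node figure: each node holds its own vector plus the last vector received from each neighbor, applies the Bellman-Ford equation on every update, and sends its vector only when it changed; the loop ends when no node has anything new to send. Node names and link costs are the figure's; the round-by-round scheduling of the exchanges is an assumption of the simulation.

```python
"""Distance-vector (Bellman-Ford) routing on the x-y-z example.

Added example (not from the slides): each node keeps its own distance
vector and the last vectors received from its neighbours, recomputes
D_x(y) = min_v { c(x,v) + D_v(y) } whenever something changes, and sends
its vector to neighbours only when it changed. The three tables converge
to the t2 values in the figure above.
"""
import math

# Link costs from the example figure
LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}


def neighbours_of(links):
    """Adjacency dict {node: {neighbour: cost}} from the undirected link list."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


class Node:
    def __init__(self, name, adj):
        self.name = name
        self.nbr_cost = adj[name]
        self.all_nodes = sorted(adj)
        # own DV: direct costs to neighbours, infinity elsewhere
        self.dv = {d: math.inf for d in self.all_nodes}
        self.dv[name] = 0
        self.dv.update(self.nbr_cost)
        # neighbours' vectors as last received (nothing received yet = all infinity)
        self.nbr_dv = {n: {d: math.inf for d in self.all_nodes} for n in self.nbr_cost}
        self.next_hop = {d: (d if d in self.nbr_cost else None) for d in self.all_nodes}

    def receive(self, sender, vector):
        """Store a neighbour's DV and recompute; return True if own DV changed."""
        self.nbr_dv[sender] = dict(vector)
        return self.recompute()

    def recompute(self):
        changed = False
        for dest in self.all_nodes:
            if dest == self.name:
                continue
            # Bellman-Ford: min over neighbours v of c(x,v) + D_v(dest)
            best_cost, best_hop = math.inf, None
            for v, c in self.nbr_cost.items():
                cand = c + self.nbr_dv[v][dest]
                if cand < best_cost:
                    best_cost, best_hop = cand, v
            # the direct link counts too, even before the neighbour has sent a DV
            if dest in self.nbr_cost and self.nbr_cost[dest] <= best_cost:
                best_cost, best_hop = self.nbr_cost[dest], dest
            if best_cost != self.dv[dest]:
                self.dv[dest], self.next_hop[dest] = best_cost, best_hop
                changed = True
        return changed


def run_until_stable(links):
    """Simulate exchanges round by round until no node's DV changes."""
    adj = neighbours_of(links)
    nodes = {n: Node(n, adj) for n in adj}
    pending = set(nodes)            # nodes that must (still) send their DV
    rounds = 0
    while pending:
        rounds += 1
        senders, pending = pending, set()
        for s in sorted(senders):
            for nbr in nodes[s].nbr_cost:
                if nodes[nbr].receive(s, nodes[s].dv):
                    pending.add(nbr)    # changed, so it notifies its neighbours
    return nodes, rounds


if __name__ == "__main__":
    nodes, rounds = run_until_stable(LINKS)
    for n in sorted(nodes):
        print(n, nodes[n].dv, "next hops:", nodes[n].next_hop)
    print("converged after", rounds, "rounds")
```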

The Internet Network layer

Host, router network layer functions:
- Routing protocols
  - path selection
  - RIP, OSPF, BGP
- IP protocol
  - addressing conventions
  - datagram format
  - packet handling conventions
- ICMP protocol
  - error reporting
  - router "signaling"
- forwarding table

[Figure: the network layer sits between the transport layer (TCP, UDP) above and the link layer and physical layer below]

IP datagram format

Header, 32 bits wide per row:

  | ver | head len | type of service | length                    |
  | 16-bit identifier          | flgs | fragment offset          |
  | time to live | upper layer | Internet checksum              |
  | 32 bit source IP address                                     |
  | 32 bit destination IP address                                |
  | Options (if any)                                             |
  | data (variable length, typically a TCP or UDP segment)       |

Field notes:
- ver: IP protocol version number
- head len: header length (bytes)
- type of service: "type" of data
- length: total datagram length (bytes)
- 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
- time to live: max number remaining hops (decremented at each router)
- upper layer: upper layer protocol to deliver payload to
- Options (if any): e.g. timestamp, record route taken, specify list of routers to visit

how much overhead with TCP?
- 20 bytes of TCP
- 20 bytes of IP
- = 40 bytes + app layer overhead
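An added example, not from the slides: a parser for the 20-byte header laid out above, using Python's struct module. The header checksum is the one's-complement sum of the header's 16-bit words, so verifying it means summing the header including the checksum field and checking that the result folds to all ones. The sample datagram (a 20-byte IP header in front of a 20-byte TCP segment, i.e. the 40 bytes of overhead noted on the slide) and its addresses are constructed here; the final lines show why a router that decrements TTL must also recompute the checksum.

```python
"""Parse an IPv4 header and verify its checksum.

Added example (not from the slides): a parser for the datagram format
above, using the struct module. The sample header is constructed here
(a 20-byte header for a TCP segment from 10.0.0.1 to 192.0.2.10) and its
checksum is computed by the same routine the parser uses to verify it.
"""
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IP header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte header with no options and a correct checksum."""
    ver_ihl = (4 << 4) | 5          # version 4, header length 5 words = 20 bytes
    total_len = 20 + payload_len
    flags_frag = 0x4000             # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    csum = internet_checksum(hdr)   # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed fields and report whether the checksum verifies."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a valid IPv4 header")
    return {
        "version": ver_ihl >> 4,
        "header_len": ihl,
        "tos": tos,
        "total_len": total_len,
        "identifier": ident,
        "flags": flags_frag >> 13,
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,              # 6 = TCP, 17 = UDP, 1 = ICMP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        # summing the header with its checksum field in place must give 0
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
        "options": pkt[20:ihl],
    }


# Constructed sample: 20-byte IP header followed by a 20-byte (zeroed) TCP segment
SAMPLE = build_ipv4_header("10.0.0.1", "192.0.2.10", payload_len=20) + bytes(20)

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE))
    hop = bytearray(SAMPLE)
    hop[8] -= 1      # a router decrements TTL but "forgets" the checksum
    print("TTL-1 without recomputing checksum verifies:",
          parse_ipv4_header(bytes(hop))["checksum_ok"])
```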

IP Addressing: introduction

- IP address: 32-bit identifier for host, router interface
- interface: connection between host/router and physical link
  - routers typically have multiple interfaces
  - host may have multiple interfaces
  - IP addresses associated with each interface

[Figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.2.1, 223.1.2.2, 223.1.3.1, 223.1.3.2 and a router with interfaces 223.1.1.4, 223.1.2.9, 223.1.3.27]

  223.1.1.1 = 11011111 00000001 00000001 00000001
                 223       1        1        1

Subnets

- IP address:
  - subnet part (high order bits)
  - host part (low order bits)
- What's a subnet?
  - device interfaces with same subnet part of IP address
  - can physically reach each other without intervening router

[Figure: the same addresses as above; network consisting of 3 subnets (LANs)]

IP addressing: CIDR

- Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)
- CIDR: Classless InterDomain Routing
  - subnet portion of address of arbitrary length
  - address format: a.b.c.d/x, where x is # bits in subnet portion of address

    11001000 00010111 00010000 00000000
    <----- subnet part -----><-host part->
    200.23.16.0/23
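An added example, not code from the slides, that serves both the CIDR slide here and the ingress-filtering slide earlier: it parses a.b.c.d/x with plain integer arithmetic so the subnet/host split of 200.23.16.0/23 is visible bit by bit, and then uses the same prefix test as the router-side ingress filter, which drops outgoing datagrams whose source address is not inside the router's own prefix. The sample datagrams are constructed.

```python
"""CIDR prefix arithmetic and the ingress-filtering check built on it.

Added example (not from the slides): parses the a.b.c.d/x notation from
the CIDR slide with integer arithmetic (no ipaddress module, so the
subnet/host split is visible), then applies it as the router-side
ingress filter from the IP spoofing slide. Sample addresses are constructed.
"""


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(prefix: str):
    """'200.23.16.0/23' -> (network as int, mask as int, prefix length x)."""
    addr, _, length = prefix.partition("/")
    x = int(length)
    if not 0 <= x <= 32:
        raise ValueError(f"bad prefix length: {length}")
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF   # x one-bits then zeros
    return ip_to_int(addr) & mask, mask, x


def split_subnet_host(addr: str, prefix: str):
    """Return (subnet part, host part) of addr under the prefix, as bit strings."""
    _, _, x = parse_cidr(prefix)
    bits = f"{ip_to_int(addr):032b}"
    return bits[:x], bits[x:]


def in_prefix(addr: str, prefix: str) -> bool:
    net, mask, _ = parse_cidr(prefix)
    return (ip_to_int(addr) & mask) == net


def ingress_filter(router_prefix: str, outgoing):
    """Forward datagrams whose source lies in router_prefix; drop the rest."""
    forwarded, dropped = [], []
    for src, dst in outgoing:
        (forwarded if in_prefix(src, router_prefix) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed sample: the router's network is the slide's 200.23.16.0/23 prefix
OUTGOING = [
    ("200.23.16.5", "198.51.100.1"),    # valid: inside the /23
    ("200.23.17.200", "198.51.100.1"),  # valid: second half of the /23
    ("200.23.18.1", "198.51.100.1"),    # invalid source: just outside the /23
    ("10.1.1.1", "198.51.100.1"),       # invalid source: unrelated address
]

if __name__ == "__main__":
    net, mask, x = parse_cidr("200.23.16.0/23")
    print("network", int_to_ip(net), "mask", int_to_ip(mask), "prefix length", x)
    print("subnet/host bits:", split_subnet_host("200.23.16.0", "200.23.16.0/23"))
    ok, bad = ingress_filter("200.23.16.0/23", OUTGOING)
    print("forwarded:", ok)
    print("dropped:", bad)
```

The filter is deliberately on the source address of traffic leaving the network, which is what the slide means by ingress filtering at the edge: it cannot tell a spoofed address from a real one in general, but it does stop a host inside the /23 from claiming an address outside it.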

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind a NAT router whose LAN side is 10.0.0.4 and whose WAN side is 138.76.29.7, facing the rest of the Internet]

- Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
- All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers

NAT: Network Address Translation

  NAT translation table
  WAN side addr          LAN side addr
  138.76.29.7, 5001      10.0.0.1, 3345
  ......                 ......

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345        D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001     D: 128.119.40.186, 80
3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80    D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80    D: 10.0.0.1, 3345
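An added example, not code from the slides: a minimal NAT router that performs steps 2 and 4 above with the figure's addresses, keeping the translation table as a dictionary. The reply datagram of step 3 is constructed. The last call shows the table's side effect that matters for security: an inbound datagram with no matching entry has no LAN destination and is dropped.

```python
"""NAT translation table walk-through with the slide's addresses.

Added example (not from the slides): a minimal NAT router that rewrites
the source of outgoing datagrams to its single WAN address with a fresh
port, records the mapping, and reverses it for replies. Datagrams are
tuples (src_ip, src_port, dst_ip, dst_port); the reply is constructed.
"""


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}          # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}        # (lan_ip, lan_port) -> wan_port

    def outbound(self, dgram):
        """Step 2: rewrite source addr/port, update the translation table."""
        src_ip, src_port, dst_ip, dst_port = dgram
        key = (src_ip, src_port)
        if key not in self.reverse:        # new flow: allocate a WAN port
            wan_port = self.next_port
            self.next_port += 1
            self.reverse[key] = wan_port
            self.table[(self.wan_ip, wan_port)] = key
        return (self.wan_ip, self.reverse[key], dst_ip, dst_port)

    def inbound(self, dgram):
        """Step 4: look up the WAN addr/port and rewrite the destination."""
        src_ip, src_port, dst_ip, dst_port = dgram
        lan = self.table.get((dst_ip, dst_port))
        if lan is None:
            return None                     # no mapping: unsolicited, dropped
        return (src_ip, src_port, lan[0], lan[1])


def walk_through():
    """Reproduce steps 1-4 of the figure; return the four datagrams and the router."""
    nat = NatRouter("138.76.29.7")
    step1 = ("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    step3 = (step2[2], step2[3], step2[0], step2[1])   # constructed reply from the server
    step4 = nat.inbound(step3)
    return step1, step2, step3, step4, nat


if __name__ == "__main__":
    s1, s2, s3, s4, nat = walk_through()
    for i, d in enumerate((s1, s2, s3, s4), 1):
        print(f"{i}: S: {d[0]}, {d[1]}   D: {d[2]}, {d[3]}")
    print("table:", nat.table)
    print("unsolicited inbound:", nat.inbound(("203.0.113.9", 4444, "138.76.29.7", 6000)))
```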

Hierarchical Routing

Our routing study thus far: idealization
- all routers identical
- network "flat"
... not true in practice

scale: with 200 million destinations:
- can't store all dest's in routing tables
- routing table exchange would swamp links

administrative autonomy
- internet = network of networks
- each network admin may want to control routing in its own network

Hierarchical Routing

- aggregate routers into regions, "autonomous systems" (AS)
- routers in same AS run same routing protocol
  - "intra-AS" routing protocol
  - routers in different AS can run different intra-AS routing protocol
- Gateway router
  - Direct link to router in another AS

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); in each router an Intra-AS routing algorithm and an Inter-AS routing algorithm together fill the forwarding table]

Interconnected ASes

- Forwarding table is configured by both intra- and inter-AS routing algorithm
  - Intra-AS sets entries for internal dests
  - Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

- Intra-AS routing: RIP and OSPF
- Inter-AS routing: BGP

RIP (Routing Information Protocol)

- Distance vector algorithm
- Included in BSD-UNIX Distribution in 1982
- Distance metric: # of hops (max = 15 hops)
  - # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

[Figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z]

  destination  hops
  u            1
  v            2
  w            2
  x            3
  y            3
  z            2

RIP advertisements

- Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
- Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

- "open": publicly available
- Uses Link State algorithm
  - LS packet dissemination
  - Topology map at each node
  - Route computation using Dijkstra's algorithm
  - Link costs configured by the network administrator
- OSPF advertisement carries one entry per neighbor router
- Advertisements disseminated to entire AS (via flooding)
  - Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
- Integrated uni- and multicast support:
  - Multicast OSPF (MOSPF) uses same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

- Two-level hierarchy: local area, backbone
  - Link-state advertisements only in area
  - each node has detailed area topology
- Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
- Backbone routers: run OSPF routing limited to backbone
- Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

- BGP (Border Gateway Protocol): the de facto standard
- BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
- Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  - Note that BGP sessions do not correspond to physical links
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  - AS2 can aggregate prefixes in its advertisement

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes & BGP routes

- When advertising a prefix, advert includes BGP attributes
  - prefix + attributes = "route"
- Two important attributes:
  - AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  - NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)
- When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: admin wants control over how its traffic routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed

Scale:
- hierarchical routing saves table size, reduced update traffic

Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links
  - wired links
  - wireless links
  - LANs
- layer-2 packet is a frame, encapsulates datagram

[Figure: a "link" between two adjacent nodes]

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

- Framing, link access:
  - encapsulate datagram into frame, adding header, trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source, dest
    - different from IP address
- Reliable delivery between adjacent nodes
  - we learned how to do this already (chapter 3)
  - seldom used on low bit error link (fiber, some twisted pair)
  - wireless links: high error rates
    - Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
- Channel Partitioning
  - divide channel into smaller "pieces" (time slots, frequency, code)
  - allocate piece to node for exclusive use
- Random Access
  - channel not divided, allow collisions
  - "recover" from collisions
- "Taking turns"
  - Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple

Cons
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time
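An added example, not from the slides: it evaluates Np(1-p)^(N-1), searches for the maximizing p at a given N (the analytic optimum is p* = 1/N), shows the efficiency approaching 1/e as N grows, and checks the formula against a short simulation of random slots. Grid size and random seed are assumptions of the example.

```python
"""Slotted ALOHA efficiency: the optimum p and the large-N limit.

Added example (not from the slides): evaluates N p (1-p)^(N-1), finds the
maximising p numerically for a given N, shows the value approaching 1/e
as N grows, and checks the formula against simulated slots.
"""
import math
import random


def success_prob(N: int, p: float) -> float:
    """Probability that exactly one of N nodes transmits in a slot."""
    return N * p * (1 - p) ** (N - 1)


def best_p(N: int, grid: int = 100000):
    """Search p in (0,1) for the maximum of success_prob; returns (p*, efficiency)."""
    best = (0.0, 0.0)
    for i in range(1, grid):
        p = i / grid
        val = success_prob(N, p)
        if val > best[1]:
            best = (p, val)
    return best


def simulate(N: int, p: float, slots: int, seed: int = 1) -> float:
    """Fraction of slots with exactly one transmitter (long-run efficiency)."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(N) if rng.random() < p)
        successes += transmitters == 1      # one sender: success; 0: idle; 2+: collision
    return successes / slots


if __name__ == "__main__":
    for N in (2, 5, 10, 100):
        p_star, eff = best_p(N)
        print(f"N={N:3d}: p*={p_star:.3f} efficiency={eff:.3f} "
              f"simulated={simulate(N, p_star, 20000):.3f}")
    print("limit 1/e =", round(1 / math.e, 3))
```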

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission

Human analogy: don't interrupt others

CSMA collisions

- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted

[Figure: spatial layout of nodes; note the role of distance & propagation delay in determining collision probability]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage

collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns:
  - polling overhead
  - latency
  - single point of failure (master)

Token passing:
- control token passed from one node to next sequentially
- token message
- concerns:
  - token overhead
  - latency
  - single point of failure (token)

ARP: Address Resolution Protocol

- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
    < IP address; MAC address; TTL>
  - TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play":
  - nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: A — R — B, with R joining A's LAN and B's LAN]

- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
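An added example, not code from the slides, covering the ARP slides and the walkthrough above: a host decides from its own subnet mask whether to ARP for the destination itself (same LAN) or for router R (another LAN), answers from its ARP table while the entry is within its 20-minute TTL, and otherwise broadcasts a query to the simulated LAN and caches the reply. R's IP and MAC address are the slide's; A's own addresses, its subnet mask, the other host on A's LAN and the remote destination are constructed.

```python
"""ARP resolution with a soft-state cache, on and off the local subnet.

Added example (not from the slides): a host-side resolver that decides
whether to ARP for the destination or for the first-hop router, serves
fresh entries from its ARP table, and otherwise broadcasts a query to a
simulated LAN and caches the unicast reply with a 20-minute TTL.
"""

ARP_TTL = 20 * 60                      # seconds; the slide's "typically 20 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


def ip_int(addr: str) -> int:
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


class Lan:
    """The broadcast medium: the node owning the queried IP answers an ARP query."""
    def __init__(self, nodes: dict):
        self.nodes = nodes               # ip -> mac (constructed sample)
        self.queries = []                # (target ip, dst mac) for inspection

    def broadcast_arp_query(self, target_ip: str):
        self.queries.append((target_ip, BROADCAST))
        return self.nodes.get(target_ip)  # the owner replies unicast with its MAC


class Host:
    def __init__(self, ip: str, mask_bits: int, router_ip: str, lan: Lan):
        self.ip, self.mask_bits, self.router_ip, self.lan = ip, mask_bits, router_ip, lan
        self.arp_table = {}              # ip -> (mac, expiry time)

    def same_subnet(self, other_ip: str) -> bool:
        mask = (0xFFFFFFFF << (32 - self.mask_bits)) & 0xFFFFFFFF
        return (ip_int(self.ip) & mask) == (ip_int(other_ip) & mask)

    def resolve(self, ip: str, now: float):
        """ARP-table lookup with TTL; query the LAN on a miss or a stale entry."""
        entry = self.arp_table.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        mac = self.lan.broadcast_arp_query(ip)
        if mac is not None:
            self.arp_table[ip] = (mac, now + ARP_TTL)   # soft state: expires unless refreshed
        return mac

    def next_hop_mac(self, dest_ip: str, now: float):
        """Frame destination: the host itself if on our LAN, else the router R."""
        target = dest_ip if self.same_subnet(dest_ip) else self.router_ip
        return target, self.resolve(target, now)


# Constructed LAN: router R's interface (from the slide), host A, and a neighbour
NODES_ON_A_LAN = {
    "111.111.111.110": "E6-E9-00-17-BB-4B",   # R, from the slide
    "111.111.111.111": "74-29-9C-E8-FF-55",   # A itself (constructed)
    "111.111.111.112": "CC-49-DE-D0-AB-7D",   # another host on A's LAN (constructed)
}


def demo():
    """Resolve a same-LAN peer, then a remote host three times across the TTL."""
    lan = Lan(NODES_ON_A_LAN)
    a = Host("111.111.111.111", 24, "111.111.111.110", lan)
    local = a.next_hop_mac("111.111.111.112", now=0)         # same LAN: ARP for the host
    remote = a.next_hop_mac("222.222.222.222", now=1)        # other LAN: ARP for R
    cached = a.next_hop_mac("222.222.222.222", now=600)      # within TTL: no new query
    expired = a.next_hop_mac("222.222.222.222", now=2000)    # past 20 min: query again
    return local, remote, cached, expired, len(lan.queries)


if __name__ == "__main__":
    print(demo())
```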

Ethernet uses CSMA/CD

- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
  - heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3} ...
- after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}

CSMA/CD efficiency

- Tprop = max prop between 2 nodes in LAN
- ttrans = time to transmit max-size frame

    efficiency = 1 / (1 + 5 tprop/ttrans)

- Efficiency goes to 1 as tprop goes to 0
- Goes to 1 as ttrans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
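An added example, not from the slides: the exponential backoff rule of step 5 and the efficiency formula above, evaluated for 10 Mbps Ethernet (bit time 0.1 microsec). It confirms the slide's figure that the longest wait after ten collisions, K = 1023, is about 50 msec. The frame size and propagation delays used in the efficiency demo are assumptions.

```python
"""Ethernet exponential backoff and CSMA/CD efficiency.

Added example (not from the slides): the backoff rule from step 5 of the
algorithm (K drawn from {0, ..., 2^m - 1}, capped at 1023 after ten
collisions, wait K * 512 bit times) and the efficiency formula
1 / (1 + 5 t_prop / t_trans), evaluated for classic 10 Mbps Ethernet.
"""
import random

BIT_TIME_10MBPS = 0.1e-6        # seconds per bit at 10 Mbps
SLOT_BITS = 512                 # backoff unit in bit times


def backoff_range(m: int) -> int:
    """Number of K values available after the m-th collision: 2^min(m,10)."""
    if m < 1:
        raise ValueError("m counts collisions, so m >= 1")
    return 2 ** min(m, 10)


def choose_k(m: int, rng=random) -> int:
    """Draw K uniformly from {0, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_range(m))


def wait_time(k: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """Seconds the adapter waits before returning to step 2."""
    return k * SLOT_BITS * bit_time


def max_wait(m: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """Longest possible wait after the m-th collision (K at its maximum)."""
    return wait_time(backoff_range(m) - 1, bit_time)


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """Long-run fraction of time the channel carries useful frames."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    rng = random.Random(7)
    for m in (1, 2, 3, 10, 16):
        k = choose_k(m, rng)
        print(f"collision {m:2d}: K in [0, {backoff_range(m) - 1:4d}], drew K={k:4d}, "
              f"wait {wait_time(k) * 1e6:8.1f} us, max {max_wait(m) * 1e3:.1f} ms")
    # Assumed: 1500-byte frame on 10 Mbps Ethernet; a few propagation delays
    t_trans = 1500 * 8 * BIT_TIME_10MBPS
    for t_prop in (0.0, 2.56e-6, 25.6e-6):
        print(f"t_prop={t_prop * 1e6:5.2f} us: "
              f"efficiency={csma_cd_efficiency(t_prop, t_trans):.3f}")
```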

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  - can disconnect a malfunctioning adapter

[Figure: hub with twisted pair links to hosts]

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: a backbone hub interconnecting three department hubs]

Switch

Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent
- hosts are unaware of presence of switches

plug-and-play, self-learning
- switches do not need to be configured

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...

[Figure: switch with interfaces 1, 2 and 3, each connected to a hub]

Self learning

- A switch has a switch table
- entry in switch table:
  - (MAC Address, Interface, Time Stamp)
  - stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation

- switch installation breaks subnet into LAN segments
- switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains

[Figure: switch connecting three hubs; each hub's segment is its own collision domain]

Switches vs. Routers

- both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
- routers maintain routing tables, implement routing algorithms
- switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                     hubs   switches   routers
  traffic isolation  no     yes        yes
  plug & play        yes    yes        no
  optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
- means A, C unaware of their interference at B

[Figure: A, B and C with A's and C's ranges each reaching B but not each other]

Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B

[Figure: A's signal strength and C's signal strength plotted against space]

IEEE 802.11 Wireless LAN

- 802.11b
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in physical layer
    - all hosts use same chipping code
  - widely deployed, using base stations
- 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
- 802.11g
  - 2.4-5 GHz range
  - up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions

802.11 LAN architecture

- wireless host communicates with base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
- ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with its own AP, joined through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: A, the AP and B over time: RTS(A) and RTS(B) collide at the AP (reservation collision); RTS(A) is sent again and the AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A)]

802.11 frame

  field:  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
  bytes:  2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4

802.11 frame: addressing

- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode

[Figure: H1 — AP — R1 (Internet router)]

  802.11 frame:  address 1: AP MAC addr | address 2: H1 MAC addr | address 3: R1 MAC addr
  802.3 frame:   dest address: R1 MAC addr | source address: AP MAC addr

Network Security

- What is network security?
- Principles of cryptography
  - Symmetric Key
  - Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures
  - Packet sniffing
  - IP spoofing
  - DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 37: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Internet security threatsPacket sniffing countermeasures

all hosts in organization run software that checks periodically if host interface in promiscuous mode

one host per segment of broadcast media (switched Ethernet at hub)

A

B

C

srcB destA payload

Internet security threatsIP Spoofing

can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field

receiver canrsquot tell if source is spoofed eg C pretends to be B

A

B

C

srcB destA payload

Countermeasures

Internet security threatsIP Spoofing ingress filtering

routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)

great but ingress filtering can not be mandated for all networks

A

B

C

srcB destA payload

Internet security threatsDenial of service (DOS)

flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp

receiver eg C and remote host SYN-attack A

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Countermeasures

Internet security threatsDenial of service (DOS) countermeasures

filter out flooded packets (eg SYN) before reaching host throw out good with bad

traceback to source of floods (most likely an innocent compromised machine)

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Review (1) Network Layer

Virtual Circuits and Datagram Networks Routing Principles

bull Link State Algorithmbull Distance Vector Algorithm

The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation

Review (2) Routing in the Internet

bull Hierarchical routingbull RIPbull OSPFbull BGP

Data link layer Introduction and services Error detection and correction Multiple access protocols

bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols

Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs

Review (3) What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'

Dijkstra's algorithm example

Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz

[Figure: graph on nodes u, v, w, x, y, z with link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5; the costs used in the table are c(u,v)=2, c(u,x)=1, c(u,w)=5, c(x,y)=1, c(x,w)=3, c(y,w)=1, c(y,z)=2]
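The algorithm run on the example graph above, returning the final D(v), p(v) table and the forwarding table a link-state router would install from it (added example, not lecture code). The seven link costs named in the table caption are from the slide; the remaining three, v-x 2, v-w 3 and w-z 5, are an assumption about the figure.

```python
"""Dijkstra's algorithm on the six-node example from the slides (added
example, not lecture code). Seven link costs are read from the slide's table;
v-x 2, v-w 3 and w-z 5 are assumed from the figure. Links are bidirectional.
"""
import heapq

GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph, source):
    """Return (D, p, order): least cost D(v), predecessor p(v) on the
    least-cost path, and the order in which nodes entered N'."""
    D = {v: float("inf") for v in graph}
    p = {v: None for v in graph}
    D[source] = 0
    in_n_prime = set()            # the slide's N'
    order = []
    heap = [(0, source)]          # (D(w), w): pops the minimum-D node not yet in N'
    while heap:
        dist, w = heapq.heappop(heap)
        if w in in_n_prime:
            continue              # stale entry left by an earlier relaxation
        in_n_prime.add(w)
        order.append(w)
        for v, cost in graph[w].items():
            # D(v) = min(D(v), D(w) + c(w,v)) for v adjacent to w and not in N'
            if v not in in_n_prime and dist + cost < D[v]:
                D[v] = dist + cost
                p[v] = w
                heapq.heappush(heap, (D[v], v))
    return D, p, order


def forwarding_table(graph, source):
    """For each destination, the first hop on the least-cost path from
    source: follow p() back from the destination until the source's neighbour."""
    D, p, _ = dijkstra(graph, source)
    table = {}
    for dest in graph:
        if dest == source or D[dest] == float("inf"):
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table
```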

Distance vector algorithm (1)

Basic idea:
Each node periodically sends its own distance vector estimate to neighbors
When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

  D_x(y) ← min_v { c(x,v) + D_v(y) }    for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
  local link cost change
  DV update message from neighbor
Distributed:
  each node notifies neighbors only when its DV changes
  neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path – only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three-node network with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7; each node's table (rows: from, columns: cost to) is shown at three successive times]

node x table
time 0        time 1        time 2
     x y z         x y z         x y z
x    0 2 7    x    0 2 3    x    0 2 3
y    ∞ ∞ ∞    y    2 0 1    y    2 0 1
z    ∞ ∞ ∞    z    7 1 0    z    3 1 0

node y table
time 0        time 1        time 2
     x y z         x y z         x y z
x    ∞ ∞ ∞    x    0 2 7    x    0 2 3
y    2 0 1    y    2 0 1    y    2 0 1
z    ∞ ∞ ∞    z    7 1 0    z    3 1 0

node z table
time 0        time 1        time 2
     x y z         x y z         x y z
x    ∞ ∞ ∞    x    0 2 7    x    0 2 3
y    ∞ ∞ ∞    y    2 0 1    y    2 0 1
z    7 1 0    z    3 1 0    z    3 1 0

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{2+0, 7+1} = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{2+1, 7+0} = 3
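The distance-vector iteration above implemented on the same three-node network (added example, not lecture code). To keep the rounds comparable with the slide's time 0/1/2 tables the exchange is synchronous, i.e. every node sends its row each round; the `changed` set reports which nodes would actually have notified their neighbors.

```python
"""Distance-vector (Bellman-Ford) iteration on the slide's three-node network
(added example, not lecture code). Each node keeps a table of the DVs it has
received from its neighbours and recomputes its own row with
D_x(y) = min_v { c(x,v) + D_v(y) }. Rounds are synchronous here so that they
match the slide's time 0, 1 and 2 tables.
"""
INF = float("inf")

# Link costs from the slide's figure: x-y 2, y-z 1, x-z 7 (bidirectional).
COSTS = {
    "x": {"y": 2, "z": 7},
    "y": {"x": 2, "z": 1},
    "z": {"x": 7, "y": 1},
}


def initial_tables(costs):
    """Time 0: each node knows only its own row (direct link costs); the rows
    for its neighbours are infinity because no DV has been received yet."""
    nodes = sorted(costs)
    tables = {}
    for x in nodes:
        tables[x] = {frm: {to: INF for to in nodes} for frm in nodes}
        for to in nodes:
            tables[x][x][to] = 0 if to == x else costs[x].get(to, INF)
    return tables


def bellman_ford_row(x, costs, table):
    """Recompute node x's own DV from its neighbours' latest DVs."""
    row = {}
    for y in sorted(table):
        best = 0 if y == x else INF
        for v, c_xv in costs[x].items():
            best = min(best, c_xv + table[v][y])
        row[y] = best
    return row


def step(costs, tables):
    """One synchronous round: every node sends its current row to each
    neighbour; each node stores what it received and recomputes its row.
    Returns (new_tables, set of nodes whose DV changed)."""
    sent = {x: dict(tables[x][x]) for x in tables}       # DVs in flight
    new, changed = {}, set()
    for x in tables:
        t = {frm: dict(r) for frm, r in tables[x].items()}
        for v in costs[x]:
            t[v] = dict(sent[v])          # neighbour v's DV replaces the old copy
        t[x] = bellman_ford_row(x, costs, t)
        if t[x] != tables[x][x]:
            changed.add(x)                # this node would notify its neighbours
        new[x] = t
    return new, changed


def run_until_stable(costs, max_rounds=10):
    """Iterate until no node's DV changes; return (tables, rounds_run)."""
    tables = initial_tables(costs)
    for r in range(1, max_rounds + 1):
        tables, changed = step(costs, tables)
        if not changed:
            return tables, r
    return tables, max_rounds
```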

The Internet Network layer

Host, router network layer functions:

Routing protocols
• path selection
• RIP, OSPF, BGP
IP protocol
• addressing conventions
• datagram format
• packet handling conventions
ICMP protocol
• error reporting
• router "signaling"

[Figure: Transport layer (TCP, UDP) above the Network layer (routing protocols, IP protocol with its forwarding table, ICMP protocol), above the Link layer and physical layer]

IP datagram format

[Figure: IPv4 header, 32 bits wide, fields in order]
  ver (IP protocol version number) | head. len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
  16-bit identifier | flgs | fragment offset     (for fragmentation/reassembly)
  time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any)     (e.g., timestamp, record route taken, specify list of routers to visit)
  data (variable length, typically a TCP or UDP segment)

how much overhead with TCP?
  20 bytes of TCP
  20 bytes of IP
  = 40 bytes + app layer overhead

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
  routers typically have multiple interfaces
  host may have multiple interfaces
  IP addresses associated with each interface

[Figure: three subnets; interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
  subnet part (high order bits)
  host part (low order bits)
What's a subnet?
  device interfaces with same subnet part of IP address
  can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (LANs); the same interfaces as above, 223.1.1.1 through 223.1.3.27]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)
CIDR: Classless InterDomain Routing
  subnet portion of address of arbitrary length
  address format: a.b.c.d/x, where x is # bits in subnet portion of address

  11001000 00010111 00010000 00000000
  <---- subnet part ----> <-host part->
  200.23.16.0/23
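The a.b.c.d/x split shown above, and the ingress-filtering rule from the IP spoofing slide built on top of it (added example, not lecture code, serving both passages). The prefix 200.23.16.0/23 is the slide's; the host addresses and the sample packets are constructed.

```python
"""CIDR prefix matching in the slide's binary notation, plus the ingress
filter from the IP-spoofing slide (added example, not lecture code).
200.23.16.0/23 is the slide's prefix; hosts and packets are constructed.
"""
import ipaddress


def to_bits(addr):
    """Dotted-decimal a.b.c.d -> 32-character binary string."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return "".join(f"{o:08b}" for o in octets)


def split_prefix(cidr):
    """'a.b.c.d/x' -> (subnet part, host part) of the binary form."""
    addr, x = cidr.split("/")
    bits = to_bits(addr)
    x = int(x)
    if not 0 <= x <= 32:
        raise ValueError(f"bad prefix length: {x}")
    return bits[:x], bits[x:]


def in_prefix(addr, cidr):
    """True if addr's high-order x bits equal the subnet part of cidr."""
    subnet, _host = split_prefix(cidr)
    return to_bits(addr)[:len(subnet)] == subnet


def in_prefix_stdlib(addr, cidr):
    """Same test via the standard library, to cross-check to_bits()."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def ingress_filter(packets, local_prefix):
    """The slide's rule at an edge router: an outgoing packet whose source
    address is not in the router's own network is not forwarded.
    packets: list of (src, dst). Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if in_prefix(src, local_prefix) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed sample: one packet from a local host, one carrying a source
# address that does not belong to the 200.23.16.0/23 network.
SAMPLE_PACKETS = [
    ("200.23.17.5", "198.51.100.9"),
    ("10.0.0.7", "198.51.100.9"),
]
```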

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and the NAT router's inside interface 10.0.0.4; the router's outside address 138.76.29.7 faces the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

[Figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 behind the NAT router (10.0.0.4 inside, 138.76.29.7 outside)]

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
WAN side addr           LAN side addr
138.76.29.7, 5001       10.0.0.1, 3345
……                      ……
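The four-step walkthrough as a small NAT router (added example, not lecture code). The addresses and ports are the slide's; that outside ports are handed out sequentially from 5001 is an assumption, and an inbound datagram with no table entry is dropped, which is what keeps unsolicited traffic from reaching inside hosts.

```python
"""Minimal NAT router following the slide's walkthrough (added example, not
lecture code). 10.0.0.1:3345 -> 128.119.40.186:80 is rewritten to
138.76.29.7:5001 and the reply is mapped back. Sequential port allocation
starting at 5001 is an assumption.
"""


class NatRouter:
    def __init__(self, wan_addr, first_port=5001):
        self.wan_addr = wan_addr
        self.next_port = first_port
        self.table = {}      # WAN side (addr, port) -> LAN side (addr, port)
        self.reverse = {}    # LAN side (addr, port) -> WAN side port

    def outbound(self, datagram):
        """Step 2: rewrite the source of a LAN -> Internet datagram and record
        the mapping. datagram = {"src": (ip, port), "dst": (ip, port)}."""
        lan = datagram["src"]
        if lan not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.table[(self.wan_addr, port)] = lan
            self.reverse[lan] = port
        return {"src": (self.wan_addr, self.reverse[lan]), "dst": datagram["dst"]}

    def inbound(self, datagram):
        """Step 4: map a reply's destination back to the LAN host. With no
        table entry the datagram is dropped (returns None)."""
        lan = self.table.get(datagram["dst"])
        if lan is None:
            return None
        return {"src": datagram["src"], "dst": lan}


def walkthrough():
    """Run the slide's four steps; return (step 2 datagram, step 4 datagram, router)."""
    nat = NatRouter("138.76.29.7")
    out = nat.outbound({"src": ("10.0.0.1", 3345), "dst": ("128.119.40.186", 80)})
    reply = {"src": ("128.119.40.186", 80), "dst": out["src"]}   # step 3
    return out, nat.inbound(reply), nat
```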

Hierarchical Routing

scale: with 200 million destinations:
  can't store all dest's in routing tables!
  routing table exchange would swamp links!
administrative autonomy
  internet = network of networks
  each network admin may want to control routing in its own network

Our routing study thus far – idealization: all routers identical, network "flat"… not true in practice

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol
  "intra-AS" routing protocol
  routers in different AS can run different intra-AS routing protocol
Gateway router
  Direct link to router in another AS

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); inside a router, the Intra-AS routing algorithm and the Inter-AS routing algorithm together fill the forwarding table]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm
  Intra-AS sets entries for internal dests
  Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX Distribution in 1982
Distance metric: # of hops (max = 15 hops)
  # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)

[Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z]

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses Link State algorithm
  LS packet dissemination
  Topology map at each node
  Route computation using Dijkstra's algorithm
  Link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
  Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
Integrated uni- and multicast support:
  Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

[Figure: a backbone area (backbone routers and a boundary router) connected through area border routers to several local areas of internal routers]

Two-level hierarchy: local area, backbone
  Link-state advertisements only in area
  each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  Note that BGP sessions do not correspond to physical links
When AS2 adv advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  AS2 can aggregate prefixes in its advertisement

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers within an AS]

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes
  prefix + attributes = "route"
Two important attributes:
  AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)
When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing

Policy:
  Inter-AS: admin wants control over how its traffic routed, who routes through its net
  Intra-AS: single admin, so no policy decisions needed
Scale:
  hierarchical routing saves table size, reduced update traffic
Performance:
  Intra-AS: can focus on performance
  Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
  hosts and routers are nodes
  communication channels that connect adjacent nodes along communication path are links
    wired links
    wireless links
    LANs
  layer-2 packet is a frame, encapsulates datagram

[Figure: nodes joined by successive links along a path; each hop is one "link"]

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
  encapsulate datagram into frame, adding header, trailer
  channel access if shared medium
  "MAC" addresses used in frame headers to identify source, dest
  • different from IP address
Reliable delivery between adjacent nodes
  we learned how to do this already (chapter 3)
  seldom used on low bit error link (fiber, some twisted pair)
  wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning
  divide channel into smaller "pieces" (time slots, frequency, code)
  allocate piece to node for exclusive use
Random Access
  channel not divided, allow collisions
  "recover" from collisions
"Taking turns"
  Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
  access to channel in rounds
  each station gets fixed length slot (length = pkt trans time) in each round
  unused slots go idle
  example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros
  single active node can continuously transmit at full rate of channel
  highly decentralized: only slots in nodes need to be in sync
  simple
Cons
  collisions, wasting slots
  idle slots
  clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)^(N-1)

prob that there is a success = Np(1-p)^(N-1)

For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)

For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time!
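The maximization the slide asks for, carried through with the slide's own symbols (added derivation, not part of the lecture notes):

$$
P(p) = N p (1-p)^{N-1}, \qquad
P'(p) = N (1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr] = N (1-p)^{N-2}\,(1 - Np) = 0
\;\Longrightarrow\; p^{*} = \frac{1}{N}
$$

$$
P(p^{*}) = \Bigl(1 - \frac{1}{N}\Bigr)^{N-1} \;\longrightarrow\; \frac{1}{e} \approx 0.37 \quad (N \to \infty);
\qquad \text{e.g. } N = 2:\ \tfrac{1}{2},\quad N = 10:\ 0.9^{9} \approx 0.387
$$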

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
If channel sensed idle: transmit entire frame
If channel sensed busy, defer transmission

Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted

[Figure: spatial layout of nodes along one axis vs. time; two transmissions that both started before either sender could hear the other overlap]

note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
  collisions detected within short time
  colliding transmissions aborted, reducing channel wastage
collision detection:
  easy in wired LANs: measure signal strengths, compare transmitted, received signals
  difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[Figure: the same space-time diagram as for CSMA; the colliding transmissions are aborted shortly after the collision is detected]

"Taking Turns" MAC protocols

Polling:
  master node "invites" slave nodes to transmit in turn
  concerns:
    polling overhead
    latency
    single point of failure (master)
Token passing:
  control token passed from one node to next sequentially
  token message
  concerns:
    token overhead
    latency
    single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
  TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address
  Dest MAC address = FF-FF-FF-FF-FF-FF
  all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
  frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play":
  nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R
assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: host A on one LAN, router R, host B on a second LAN]

A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
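The ARP exchange and the A-to-R-to-B walkthrough above as a small simulation (added example, not lecture code). R's LAN-1 address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B are from the slide; the other IP and MAC addresses are constructed placeholders, and the 20-minute cache lifetime is the slide's "typically 20 min".

```python
"""ARP resolution and the slide's A -> R -> B walkthrough (added example, not
lecture code). R's LAN-1 interface 111.111.111.110 / E6-E9-00-17-BB-4B is
from the slide; all other addresses are constructed placeholders. ARP queries
are broadcast, the reply is unicast, and cached entries are soft state.
"""
BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL_S = 20 * 60


class Node:
    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = interfaces      # {ip: mac}; router R has one per LAN
        self.arp_table = {}               # ip -> (mac, expiry time), soft state

    def owns(self, ip):
        return ip in self.interfaces


class Lan:
    """One broadcast domain: every attached node sees an ARP query."""

    def __init__(self, nodes):
        self.nodes = nodes
        self.queries = 0                  # ARP broadcasts actually sent

    def resolve(self, asker, target_ip, now):
        """Return target_ip's MAC, using asker's ARP table while the entry is fresh."""
        cached = asker.arp_table.get(target_ip)
        if cached and cached[1] > now:
            return cached[0]
        self.queries += 1                 # query sent to BROADCAST
        for node in self.nodes:
            if node is not asker and node.owns(target_ip):
                mac = node.interfaces[target_ip]              # unicast reply
                asker.arp_table[target_ip] = (mac, now + ARP_TTL_S)
                return mac
        raise LookupError(f"{target_ip} is not on this LAN")


def send_via_router(a, r, lan1, lan2, a_ip, b_ip, r_ip_lan1, now=0.0):
    """Return the two frames carrying one A-to-B datagram: A -> R on LAN 1
    (dest MAC found by ARP for R's LAN-1 address), then R -> B on LAN 2."""
    datagram = {"src_ip": a_ip, "dst_ip": b_ip}
    frame1 = {"src_mac": a.interfaces[a_ip],
              "dst_mac": lan1.resolve(a, r_ip_lan1, now), "ip": datagram}
    # R strips the frame, sees the datagram is for B, and ARPs on LAN 2
    r_ip_lan2 = next(ip for ip in r.interfaces if ip != r_ip_lan1)
    frame2 = {"src_mac": r.interfaces[r_ip_lan2],
              "dst_mac": lan2.resolve(r, b_ip, now), "ip": frame1["ip"]}
    return frame1, frame2


def build_example():
    """Constructed topology: A on LAN 1, B on LAN 2, R between them."""
    a = Node("A", {"111.111.111.111": "74-29-9C-E8-FF-55"})
    r = Node("R", {"111.111.111.110": "E6-E9-00-17-BB-4B",
                   "222.222.222.220": "1A-23-F9-CD-06-9B"})
    b = Node("B", {"222.222.222.222": "49-BD-D2-C7-56-2A"})
    return a, r, b, Lan([a, r]), Lan([r, b])
```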

Ethernet uses CSMA/CD

No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
  Goal: adapt retransmission attempts to estimated current load
    heavy load: random wait will be longer
  first collision: choose K from {0,1}; delay is K · 512 bit transmission times
  after second collision: choose K from {0,1,2,3}…
  after ten collisions, choose K from {0,1,2,3,4,…,1023}
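The backoff rule from the two slides above in code (added example, not lecture code): the window doubles per collision up to the tenth, and the 10 Mbps bit time of .1 microsecond turns K=1023 into the roughly 50 ms the slide quotes. The cap at the tenth collision and the seeded random source are this example's choices.

```python
"""Ethernet CSMA/CD exponential backoff as described in the slides (added
example, not lecture code). After the m-th collision the adapter picks K
uniformly from {0, 1, ..., 2^m - 1}, with the window frozen after the 10th
collision (K <= 1023), and waits K * 512 bit times; a 10 Mbps bit time is
0.1 microseconds.
"""
import random

SLOT_BITS = 512               # backoff unit, in bit transmission times
MAX_EXPONENT = 10             # window stops growing after the 10th collision
BIT_TIME_10MBPS_S = 0.1e-6


def backoff_window(m):
    """Number of possible K values after the m-th collision (m >= 1)."""
    if m < 1:
        raise ValueError("m counts collisions, so it must be >= 1")
    return 2 ** min(m, MAX_EXPONENT)


def choose_k(m, rng):
    """Pick K at random from {0, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_window(m))


def wait_seconds(k, bit_time_s=BIT_TIME_10MBPS_S):
    """Delay for a chosen K: K * 512 bit transmission times."""
    return k * SLOT_BITS * bit_time_s


def expected_wait_seconds(m, bit_time_s=BIT_TIME_10MBPS_S):
    """Mean delay after the m-th collision, E[K] = (2^min(m,10) - 1) / 2:
    the slide's point that a heavier load (more collisions) lengthens the
    random wait, up to the cap."""
    return (backoff_window(m) - 1) / 2 * SLOT_BITS * bit_time_s


def simulate_collisions(n_collisions, seed=None):
    """K values one adapter would draw across n successive collisions on a
    single frame; seeded so that a run is reproducible."""
    rng = random.Random(seed)
    return [choose_k(m, rng) for m in range(1, n_collisions + 1)]
```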

CSMA/CD efficiency

t_prop = max prop between 2 nodes in LAN
t_trans = time to transmit max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters:
  bits coming from one link go out all other links
  at the same rate
  no frame buffering
  no CSMA/CD at hub: adapters detect collisions
  provides net management functionality
  • can disconnect a malfunctioning adapter

[Figure: hub with twisted pair links to several adapters]

Interconnecting with hubs

Pros:
  Enables interdepartmental communication
  Extends max distance btw nodes
  If a hub malfunctions, the backbone hub can disconnect it
Cons:
  Collision domains are transferred into one large common domain
  Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: a backbone hub interconnecting three departmental hubs]

Switch

Link layer device
  stores and forwards Ethernet frames
  examines frame header and selectively forwards frame based on MAC dest address
  when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
  hosts are unaware of presence of switches
plug-and-play, self-learning
  switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...

[Figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning

A switch has a switch table
entry in switch table:
  (MAC Address, Interface, Time Stamp)
  stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
  when frame received, switch "learns" location of sender: incoming LAN segment
  records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments
switch filters packets:
  same-LAN-segment frames not usually forwarded onto other LAN segments
  segments become separate collision domains

[Figure: switch with three hubs attached; each hub forms its own collision domain]
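A self-learning switch that implements both slides above, learning (MAC address, interface, time stamp) entries with the 60-minute TTL and then filtering same-segment frames, flooding unknown destinations and forwarding known ones selectively (added example, not lecture code). The MAC addresses come from the ARP slide; the interface numbering is constructed.

```python
"""Self-learning switch with the slide's (MAC address, interface, time stamp)
table (added example, not lecture code). The 60-minute TTL is the slide's;
the interface numbering and timings in the sample are constructed.
"""
TTL_SECONDS = 60 * 60


class LearningSwitch:
    def __init__(self, n_interfaces, ttl=TTL_SECONDS):
        self.n = n_interfaces
        self.ttl = ttl
        self.table = {}        # MAC -> (interface, time stamp)

    def expire(self, now):
        """Drop stale entries (older than ttl) from the switch table."""
        self.table = {mac: (iface, ts) for mac, (iface, ts) in self.table.items()
                      if now - ts <= self.ttl}

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Handle one frame: learn the sender's location, then decide where
        the frame goes. Returns the list of output interfaces."""
        self.expire(now)
        self.table[src_mac] = (in_iface, now)        # self-learning
        entry = self.table.get(dst_mac)
        if entry is None:
            # unknown destination: flood to every interface but the incoming one
            return [i for i in range(self.n) if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                                 # filtering: same segment
        return [out_iface]                            # selective forwarding


# Sample MACs taken from the ARP slide; their placement on interfaces is constructed.
A_MAC = "1A-2F-BB-76-09-AD"
B_MAC = "58-23-D7-FA-20-B0"
C_MAC = "0C-C4-11-6F-E3-98"
D_MAC = "71-65-F7-2B-08-53"


def sample_run():
    """Five frames on a three-interface switch; returns the output-interface
    list for each frame so the learning and expiry behaviour is visible."""
    sw = LearningSwitch(3)
    out = [
        sw.receive(A_MAC, B_MAC, 0, 0.0),       # B unknown: flood
        sw.receive(B_MAC, A_MAC, 1, 1.0),       # A learned on 0: forward there
        sw.receive(A_MAC, B_MAC, 0, 2.0),       # B learned on 1
        sw.receive(C_MAC, A_MAC, 0, 3.0),       # A is on the incoming segment: filter
        sw.receive(D_MAC, B_MAC, 2, 3604.0),    # all earlier entries expired: flood
    ]
    return out, sw
```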

Switches vs Routers

both store-and-forward devices
  routers: network layer devices (examine network layer headers)
  switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                   hubs   switches   routers
traffic isolation  no     yes        yes
plug & play        yes    yes        no
optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
  B, A hear each other
  B, C hear each other
  A, C can not hear each other
  means A, C unaware of their interference at B

[Figure: A, B, C in a line; A and C are each within range of B but not of each other]

Signal fading:
  B, A hear each other
  B, C hear each other
  A, C can not hear each other interfering at B

[Figure: A's signal strength and C's signal strength fall off with distance in space; both still reach B]

IEEE 802.11 Wireless LAN

802.11b
  2.4-5 GHz unlicensed radio spectrum
  up to 11 Mbps
  direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
  widely deployed, using base stations
802.11a
  5-6 GHz range
  up to 54 Mbps
802.11g
  2.4-5 GHz range
  up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station
  base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  wireless hosts
  access point (AP): base station
ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1 if sense channel idle for DIFS then
    transmit entire frame (no CD)
2 if sense channel busy then
    - start random backoff time
    - timer counts down while channel idle
    - transmit when timer expires
    - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK
    return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: time diagram with stations A and B and the AP. A and B send RTS(A) and RTS(B) at the same time and they collide at the AP (reservation collision); the AP answers only CTS(A), which both A and B hear; A sends DATA(A) while B defers; the AP returns ACK(A)]

802.11 frame

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
(field sizes in bytes)

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

[Figure: wireless host H1, AP, Internet router R1]

802.11 frame (H1 to AP):
  address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (AP to R1):
  dest address = R1 MAC addr, source address = AP MAC addr
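A packer and parser for the frame layout and addressing rule of the two slides above (added example, not lecture code). It uses the slide's field sizes (2, 2, 6, 6, 6, 2, 6, 0-2312, 4); zlib.crc32 stands in for the real frame check sequence, the frame control and duration values are placeholders, and the MAC addresses are constructed.

```python
"""Packing and parsing the 802.11 data frame layout from the slides (added
example, not lecture code): frame control (2), duration (2), address 1 (6),
address 2 (6), address 3 (6), seq control (2), address 4 (6), payload
(0-2312), CRC (4). zlib.crc32 is a stand-in for the real frame check
sequence; MAC values are constructed placeholders.
"""
import struct
import zlib

HEADER = struct.Struct("<HH6s6s6sH6s")   # 30 bytes, matching the slide's sizes
MAX_PAYLOAD = 2312

AP_MAC = "AA-BB-CC-DD-EE-01"   # constructed placeholder
H1_MAC = "00-11-22-33-44-55"   # constructed placeholder
R1_MAC = "AA-BB-CC-DD-EE-FF"   # constructed placeholder


def mac_to_bytes(mac):
    parts = mac.split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(x, 16) for x in parts)


def bytes_to_mac(b):
    return "-".join(f"{x:02X}" for x in b)


def pack_80211(addr1, addr2, addr3, payload, frame_control=0x0008,
               duration=0, seq=0, addr4=None):
    """Build an 802.11 frame as bytes. addr4 stays all-zero in infrastructure
    mode; the slide notes it is used only in ad hoc mode."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    a4 = mac_to_bytes(addr4) if addr4 else bytes(6)
    body = HEADER.pack(frame_control, duration, mac_to_bytes(addr1),
                       mac_to_bytes(addr2), mac_to_bytes(addr3), seq, a4) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_80211(frame):
    """Parse bytes back into fields; raises ValueError on a short frame or bad CRC."""
    if len(frame) < HEADER.size + 4:
        raise ValueError("frame too short")
    body, crc = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch")
    fc, dur, a1, a2, a3, seq, a4 = HEADER.unpack(body[:HEADER.size])
    return {"frame_control": fc, "duration": dur,
            "addr1": bytes_to_mac(a1), "addr2": bytes_to_mac(a2),
            "addr3": bytes_to_mac(a3), "seq": seq,
            "addr4": None if a4 == bytes(6) else bytes_to_mac(a4),
            "payload": body[HEADER.size:]}


def infrastructure_roles(fields):
    """Apply the slide's rule to a parsed host -> AP frame: address 1 is the
    receiver (AP), address 2 the transmitter (host), address 3 the router
    interface behind the AP. Address 4 must be absent (ad hoc only)."""
    if fields["addr4"] is not None:
        raise ValueError("address 4 is only used in ad hoc mode")
    return {"receiver": fields["addr1"], "transmitter": fields["addr2"],
            "router": fields["addr3"]}
```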

Network Security

What is network security
Principles of cryptography
• Symmetric Key
• Public Key
Authentication
• Protocol evolution
Access control: firewalls
Attacks and counter measures
• Packet sniffing
• IP spoofing
• DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 38: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Internet security threatsIP Spoofing

can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field

receiver canrsquot tell if source is spoofed eg C pretends to be B

A

B

C

srcB destA payload

Countermeasures

Internet security threatsIP Spoofing ingress filtering

routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)

great but ingress filtering can not be mandated for all networks

A

B

C

srcB destA payload

Internet security threatsDenial of service (DOS)

flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp

receiver eg C and remote host SYN-attack A

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Countermeasures

Internet security threatsDenial of service (DOS) countermeasures

filter out flooded packets (eg SYN) before reaching host throw out good with bad

traceback to source of floods (most likely an innocent compromised machine)

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

Review (1) Network Layer

Virtual Circuits and Datagram Networks Routing Principles

bull Link State Algorithmbull Distance Vector Algorithm

The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation

Review (2) Routing in the Internet

bull Hierarchical routingbull RIPbull OSPFbull BGP

Data link layer Introduction and services Error detection and correction Multiple access protocols

bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols

Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs

Review (3) What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

Routing Algorithm classification

Global or decentralized information

Global all routers have complete

topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-

connected neighbors link costs to neighbors

iterative process of computation exchange of info with neighbors

ldquodistance vectorrdquo algorithms

Static or dynamicStatic routes change slowly

over timeDynamic routes change more

quickly periodic update in response to link

cost changes

Dijsktrarsquos Algorithm

1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N

Dijkstrarsquos algorithm example

Step012345

Nu

uxuxy

uxyvuxyvw

uxyvwz

D(v)p(v)2u2u2u

D(w)p(w)5u4x3y3y

D(x)p(x)1u

D(y)p(y)infin

2x

D(z)p(z)infin infin

4y4y4y

u

yx

wv

z2

2

13

1

1

2

53

5

Distance vector algorithm (1)

Basic idea Each node periodically sends its own distance

vector estimate to neighbors When a node x receives new DV estimate from

neighbor it updates its own DV using B-F equation

Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N

Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative asynchronous each local iteration caused by

local link cost change DV update message from

neighborDistributed each node notifies

neighbors only when its DV changes neighbors then notify

their neighbors if necessary

The algorithm doesnrsquot know the entire path ndash only knows the next hop

wait for (change in local link cost of msg from neighbor)

recompute estimates

if DV to any dest has

changed notify neighbors

Each node

x y z

xyz

0 2 7

infin infin infininfin infin infin

from

cost to

from

from

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 3

from

cost to

x y z

xyz

infin infin

infin infin infin

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

0 2 3

from

cost to

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

infin infin infin7 1 0

cost to

infin2 0 1

infin infin infin

2 0 17 1 0

2 0 17 1 0

2 0 13 1 0

2 0 13 1 0

2 0 1

3 1 0

2 0 1

3 1 0

time

x z12

7

y

node x table

node y table

node z table

Dx(y) = minc(xy) + Dy(y) c(xz) + Dz(y) = min2+0 7+1 = 2

Dx(z) = minc(xy) + Dy(z) c(xz) + Dz(z) = min2+1 7+0 = 3

The Internet Network layer

forwardingtable

Host router network layer functions

Routing protocolsbullpath selectionbullRIP OSPF BGP

IP protocolbulladdressing conventionsbulldatagram formatbullpacket handling conventions

ICMP protocolbullerror reportingbullrouter ldquosignalingrdquo

Transport layer TCP UDP

Link layer

physical layer

Networklayer

IP datagram format

ver length

32 bits

data (variable lengthtypically a TCP

or UDP segment)

16-bit identifier

Internet checksum

time tolive

32 bit source IP address

IP protocol versionnumber

header length (bytes)

max numberremaining hops

(decremented at each router)

forfragmentationreassembly

total datagramlength (bytes)

upper layer protocolto deliver payload to

headlen

type ofservice

ldquotyperdquo of data flgsfragment

offsetupper layer

32 bit destination IP address

Options (if any) Eg timestamprecord routetaken specifylist of routers to visit

how much overhead with TCP

20 bytes of TCP 20 bytes of IP = 40 bytes + app

layer overhead

IP Addressing introduction IP address 32-bit

identifier for host router interface

interface connection between hostrouter and physical link routerrsquos typically have

multiple interfaces host may have

multiple interfaces IP addresses

associated with each interface

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

223111 = 11011111 00000001 00000001 00000001

223 1 11

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing
• aggregate routers into regions, "autonomous systems" (AS)
• routers in the same AS run the same routing protocol: "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols
Gateway router: direct link to a router in another AS
[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (routers 2a, 2b, 2c) and AS3 (routers 3a, 3b, 3c) interconnected through their gateway routers; inside a router, the intra-AS routing algorithm and the inter-AS routing algorithm together fill the forwarding table]
Interconnected ASes
Forwarding table is configured by both intra- and inter-AS routing algorithms:
• intra-AS sets entries for internal destinations
• inter-AS & intra-AS set entries for external destinations

Routing in the Internet
• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)
• Distance vector algorithm
• Included in BSD-UNIX distribution in 1982
• Distance metric: number of hops (max = 15 hops); the number of hops is the number of subnets traversed along the shortest path from source router to destination subnet (e.g. source = A)
[Figure: routers A, B, C and D interconnecting subnets u, v, w, x, y and z]
From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements
• Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
• Each advertisement: list of up to 25 destination nets within the AS

OSPF (Open Shortest Path First)
• "open": publicly available
• Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator
• OSPF advertisement carries one entry per neighbor router
• Advertisements disseminated to entire AS (via flooding)
• Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF
• Two-level hierarchy: local area, backbone
• Link-state advertisements only in area; each node has detailed area topology
• Area border routers: "summarize" distances to nets in own area, advertise to other area border routers
• Backbone routers: run OSPF routing limited to backbone
• Boundary routers: connect to other ASes

Internet inter-AS routing: BGP
• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASes
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
• Allows a subnet to advertise its existence to the rest of the Internet: "I am here"

BGP basics
• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
• Note that BGP sessions do not correspond to physical links
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix; AS2 can aggregate prefixes in its advertisement
[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of neighboring ASes, iBGP sessions between routers inside an AS]

Path attributes & BGP routes
• When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route"
• Two important attributes:
  AS-PATH: contains the ASes through which the advert for the prefix passed: AS 67, AS 17
  NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)
• When a gateway router receives a route advert, it uses import policy to accept/decline

Why different Intra- and Inter-AS routing?
Policy:
• Inter-AS: admin wants control over how its traffic is routed, who routes through its net
• Intra-AS: single admin, so no policy decisions needed
Scale:
• hierarchical routing saves table size, reduced update traffic
Performance:
• Intra-AS: can focus on performance
• Inter-AS: policy may dominate over performance

Data Link Layer
Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
• layer-2 packet is a frame, encapsulates datagram
The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services
• Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)
• Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates
  Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
• Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
• Random Access: channel not divided, allow collisions; "recover" from collisions
• "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
• access to channel in "rounds"
• each station gets a fixed-length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, stations 1, 3, 4 have pkts, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty-cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA
Pros:
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple
Cons:
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
• Suppose N nodes with many frames to send, each transmits in a slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
• For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37
At best: channel used for useful transmissions 37% of the time!
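The efficiency derivation above carried out numerically, as an added example (not from the lecture): it finds the maximizing p for a given N, evaluates Np(1-p)^(N-1) there, and shows the value approaching 1/e as N grows.

```python
# Added example: Slotted ALOHA efficiency Np(1-p)^(N-1), its maximizer and its limit.
import math

def success_prob(n: int, p: float) -> float:
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    if n < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need N >= 1 and 0 <= p <= 1")
    return n * p * (1.0 - p) ** (n - 1)

def best_p(n: int, steps: int = 10000) -> float:
    """Grid search for the p that maximizes success_prob; analytically this is p* = 1/N."""
    best_i = max(range(1, steps), key=lambda i: success_prob(n, i / steps))
    return best_i / steps

def max_efficiency(n: int) -> float:
    """Efficiency at p* = 1/N, i.e. (1 - 1/N)^(N-1)."""
    return success_prob(n, 1.0 / n)

def efficiency_table(sizes=(2, 5, 10, 100, 10**6)):
    """Efficiency for growing N; the last entries are within rounding of 1/e = 0.37."""
    return {n: round(max_efficiency(n), 4) for n in sizes}

if __name__ == "__main__":
    for n, eff in efficiency_table().items():
        print(f"N={n:>8}: best p={1/n:.6f}, efficiency={eff}")
    print(f"1/e = {1/math.e:.4f}")
```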

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
• If channel sensed idle: transmit entire frame
• If channel sensed busy: defer transmission
Human analogy: don't interrupt others!

CSMA collisions
• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted
[Figure: spatial layout of nodes versus time, two transmissions overlapping]
note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within a short time
• colliding transmissions aborted, reducing channel wastage
Collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted and received signals
• difficult in wireless LANs: receiver shut off while transmitting
[Figure: CSMA/CD collision detection, same space/time layout as the CSMA collision figure]

"Taking Turns" MAC protocols
Polling:
• master node "invites" slave nodes to transmit in turn
• concerns: polling overhead, latency, single point of failure (master)
Token passing:
• control token passed from one node to the next sequentially
• token message
• concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol
Question: how to determine the MAC address of B knowing B's IP address?
• Each IP node (Host, Router) on a LAN has an ARP table
• ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
• TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min)
[Figure: a LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)
• A wants to send a datagram to B, and B's MAC address is not in A's ARP table
• A broadcasts an ARP query packet containing B's IP address: dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query
• B receives the ARP packet, replies to A with its (B's) MAC address: frame sent to A's MAC address (unicast)
• A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator

Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address
• Two ARP tables in router R, one for each IP network (LAN)
• In the routing table at the source host, find router 111.111.111.110
• In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: host A on one LAN, router R in the middle, host B on the other LAN]
• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
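The ARP resolution and two-LAN walkthrough from the slides above as one simulation, added here and not the lecture's code. Only 111.111.111.110 and E6-E9-00-17-BB-4B (R's interface on A's LAN) come from the slide; the other addresses, the routing tables and the LAN membership are constructed for the demo.

```python
# Added example: ARP cache with TTL plus routing-table lookup, replaying the
# A -> R -> B walkthrough. Topology and all addresses except R's LAN-1 interface
# are constructed.
from collections import namedtuple

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60                       # seconds; "typically 20 min" on the slide
Iface = namedtuple("Iface", "ip mac lan")
Route = namedtuple("Route", "prefix plen next_hop out_ip")   # next_hop None: directly attached

def ip_int(ip):
    return int.from_bytes(bytes(map(int, ip.split("."))), "big")

def in_net(ip, prefix, plen):
    shift = 32 - plen
    return ip_int(ip) >> shift == ip_int(prefix) >> shift

# Constructed topology: A and R share LAN 1, R and B share LAN 2.
NODES = {
    "A": {"ifaces": [Iface("111.111.111.111", "74-29-9C-E8-FF-55", 1)],
          "routes": [Route("111.111.111.0", 24, None, "111.111.111.111"),
                     Route("0.0.0.0", 0, "111.111.111.110", "111.111.111.111")]},
    "R": {"ifaces": [Iface("111.111.111.110", "E6-E9-00-17-BB-4B", 1),
                     Iface("222.222.222.220", "1A-23-F9-CD-06-9B", 2)],
          "routes": [Route("111.111.111.0", 24, None, "111.111.111.110"),
                     Route("222.222.222.0", 24, None, "222.222.222.220")]},
    "B": {"ifaces": [Iface("222.222.222.222", "49-BD-D2-C7-56-2A", 2)],
          "routes": [Route("222.222.222.0", 24, None, "222.222.222.222"),
                     Route("0.0.0.0", 0, "222.222.222.220", "222.222.222.222")]},
}
ARP_TABLES = {name: {} for name in NODES}       # node -> {ip: (mac, expiry time)}

def owner_of(ip):
    for name, node in NODES.items():
        if any(i.ip == ip for i in node["ifaces"]):
            return name
    return None

def arp_resolve(node, ip, lan, now, log):
    """MAC for ip on this LAN; broadcast an ARP query unless the cache holds a fresh entry."""
    cached = ARP_TABLES[node].get(ip)
    if cached and cached[1] > now:
        return cached[0]
    log.append(f"{node}: ARP query for {ip} to {BROADCAST}")
    for name, other in NODES.items():           # every machine on the LAN receives the query
        for i in other["ifaces"]:
            if i.lan == lan and i.ip == ip:
                log.append(f"{name}: ARP reply, {ip} is at {i.mac} (unicast to {node})")
                ARP_TABLES[node][ip] = (i.mac, now + ARP_TTL)    # soft state: times out
                return i.mac
    return None

def send_datagram(src, dst_ip, now=0, max_hops=8):
    """Walk a datagram hop by hop to the node owning dst_ip; returns (frames, log)."""
    node, frames, log = src, [], []
    for _ in range(max_hops):
        matches = [r for r in NODES[node]["routes"] if in_net(dst_ip, r.prefix, r.plen)]
        route = max(matches, key=lambda r: r.plen)          # longest prefix match
        out = next(i for i in NODES[node]["ifaces"] if i.ip == route.out_ip)
        next_ip = route.next_hop or dst_ip                  # router, or the host itself
        dst_mac = arp_resolve(node, next_ip, out.lan, now, log)
        if dst_mac is None:
            raise RuntimeError(f"{next_ip} is not on LAN {out.lan}")
        frames.append((out.mac, dst_mac))                   # (source MAC, dest MAC) of the frame
        node = owner_of(next_ip)
        if any(i.ip == dst_ip for i in NODES[node]["ifaces"]):
            return frames, log
    raise RuntimeError("too many hops")

if __name__ == "__main__":
    frames, log = send_datagram("A", "222.222.222.222")
    print(*log, *frames, sep="\n")
```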

Ethernet uses CSMA/CD
• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec
Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load: heavy load: random wait will be longer
• first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0, 1, 2, 3} …
• after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency
• t_prop = max propagation delay between 2 nodes in the LAN
• t_trans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 · t_prop / t_trans)
• Efficiency goes to 1 as t_prop goes to 0
• Goes to 1 as t_trans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap
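The exponential backoff rule and the efficiency formula from the three slides above, as an added example (not lecture code). It assumes the backoff range stops growing after the tenth collision, which is what the "after ten collisions, K from {0..1023}" line describes.

```python
# Added example: Ethernet binary exponential backoff and the CSMA/CD efficiency bound.
import random

BIT_TIME_US = 0.1          # 10 Mbps Ethernet: one bit time is 0.1 microsecond
SLOT_BITS = 512            # backoff unit on the slide: K * 512 bit times
JAM_BITS = 48
MAX_BACKOFF_EXP = 10       # assumption: range frozen at 2^10 after the tenth collision

def backoff_range(m: int) -> int:
    """Size of the set {0, ..., 2^min(m,10) - 1} K is drawn from after the m-th collision."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_BACKOFF_EXP)

def backoff_wait_us(k: int) -> float:
    """Wait time in microseconds for a chosen K."""
    return k * SLOT_BITS * BIT_TIME_US

def choose_backoff(m: int, rng: random.Random) -> int:
    return rng.randrange(backoff_range(m))

def simulate_collisions(n_collisions: int, seed: int = 1):
    """Draw K for collisions 1..n and return (m, K, wait in microseconds) per collision."""
    rng = random.Random(seed)
    return [(m, k, backoff_wait_us(k))
            for m in range(1, n_collisions + 1)
            for k in [choose_backoff(m, rng)]]

def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slide formula: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_trans <= 0 or t_prop < 0:
        raise ValueError("t_trans must be positive and t_prop non-negative")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)

if __name__ == "__main__":
    for m, k, wait in simulate_collisions(12):
        print(f"collision {m:2d}: K={k:4d} of {backoff_range(m):4d}, wait {wait:9.1f} us")
    print(f"K=1023 waits {backoff_wait_us(1023) / 1000:.1f} ms")
    print(f"efficiency(t_prop=1, t_trans=10) = {csma_cd_efficiency(1, 10):.3f}")
```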

Hubs
Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality (can disconnect a malfunctioning adapter)
[Figure: a hub with twisted-pair links to each host]

Interconnecting with hubs
Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it
Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: a backbone hub interconnecting three departmental hubs]

Switch
Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent:
• hosts are unaware of the presence of switches
Plug-and-play, self-learning:
• switches do not need to be configured

Forwarding
• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem...
[Figure: a switch with interfaces 1, 2 and 3, each attached to a hub]

Self learning
• A switch has a switch table
• entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in the table are dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment; it records the sender/location pair in the switch table
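The self-learning, filtering and flooding behaviour described above as an added example (not the lecture's code). The MAC addresses are the ones from the ARP slide, placed on interfaces as a constructed scenario; the 60 min TTL is the slide's.

```python
# Added example: a self-learning Ethernet switch with an aging switch table.
BROADCAST = "FF-FF-FF-FF-FF-FF"

class LearningSwitch:
    """Switch table of (MAC, interface, time stamp) entries, learned from frame sources."""

    def __init__(self, interfaces, ttl_seconds=60 * 60):      # slide: TTL can be 60 min
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.table = {}            # MAC -> (interface, time stamp)

    def _age_out(self, now):
        """Drop stale entries: the soft-state part of the table."""
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > self.ttl]
        for mac in stale:
            del self.table[mac]

    def handle_frame(self, src_mac, dst_mac, in_iface, now):
        """Process one received frame; returns (action, list of output interfaces)."""
        self._age_out(now)
        self.table[src_mac] = (in_iface, now)      # learn: sender lives behind in_iface
        if dst_mac == BROADCAST or dst_mac not in self.table:
            # unknown or broadcast destination: flood to every other segment
            return "flood", [i for i in self.interfaces if i != in_iface]
        out_iface = self.table[dst_mac][0]
        if out_iface == in_iface:
            return "filter", []                      # same segment: do not forward
        return "forward", [out_iface]               # selectively forward to one segment

def scenario():
    """Constructed scenario: A and C on a hub at interface 1, B on interface 2, nothing on 3."""
    a, b, c = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"
    sw = LearningSwitch([1, 2, 3])
    events = [
        sw.handle_frame(a, b, 1, now=0),        # B unknown: flood
        sw.handle_frame(b, a, 2, now=1),        # A known: forward to 1
        sw.handle_frame(a, b, 1, now=2),        # B known now: forward to 2
        sw.handle_frame(c, a, 1, now=3),        # A on the same segment: filter
        sw.handle_frame(a, b, 1, now=3602),     # B's entry aged out: flood again
    ]
    return events, sw

if __name__ == "__main__":
    for action, ports in scenario()[0]:
        print(action, ports)
```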

Switch: traffic isolation
• switch installation breaks the subnet into LAN segments
• switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
[Figure: a switch connecting three hubs, each hub forming its own collision domain]

Switches vs. Routers
• both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison
                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, which means A, C are unaware of their interference at B
Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B
[Figures: nodes A, B and C with overlapping ranges; A's signal strength and C's signal strength plotted against space]

IEEE 802.11 Wireless LAN
802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer: all hosts use the same chipping code
• widely deployed, using base stations
802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture
• wireless host communicates with base station; base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
• ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange
[Figure: time diagram for A, AP and B: A and B both send RTS; RTS(A) and RTS(B) collide (reservation collision); A resends RTS(A); the AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A)]
802.11 frame format (field sizes in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame: addressing
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode
[Figure: wireless host H1, AP, router R1, Internet]
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr

Network Security
• What is network security?
• Principles of cryptography: Symmetric Key; Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures: Packet sniffing; IP spoofing; DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap5.0
  • ap5.0 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol CSMA/CA
  • Collision Avoidance RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security

Internet security threats
IP Spoofing: ingress filtering
• routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in the router's network)
• great, but ingress filtering can not be mandated for all networks
[Figure: hosts A, B and C; C emits a datagram labelled src:B dest:A payload]

Internet security threats
Denial of service (DOS):
• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A
[Figure: hosts A, B and C; streams of SYN packets from C and from a remote host converge on A]
Countermeasures?

Internet security threats
Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)
[Figure: the same SYN flood converging on A]

Review (1)
Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles: Link State Algorithm; Distance Vector Algorithm
• The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation
Review (2)
Routing in the Internet
• Hierarchical routing; RIP; OSPF; BGP
Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols: TDMA/FDMA; Random Access Protocols; "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs
Review (3)
• What is network security?
• Principles of cryptography: Symmetric Key; Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures: Packet sniffing; IP spoofing; DoS attacks

Routing Algorithm classification
Global or decentralized information?
• Global: all routers have complete topology, link cost info; "link state" algorithms
• Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm
  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
      else D(v) = ∞

  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'

Dijkstra's algorithm: example
Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
[Figure: graph with nodes u, v, w, x, y, z; edge costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
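The pseudocode above run on the example graph, as an added example rather than lecture code. Edge costs are the figure's; the only addition is a deterministic tie-break (alphabetical) when two nodes outside N' share the minimum D, which is why step 2 picks v where the table picks y (the final D and p values are the same).

```python
# Added example: Dijkstra's link-state computation as on the slide, returning the
# per-step trace, the predecessor map and the resulting forwarding table.
import math

# Edge costs of the lecture's example graph (undirected).
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}

def adjacency(edges):
    adj = {}
    for (a, b), c in edges.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj

def dijkstra(edges, u):
    """Returns (D, p, trace): least costs from u, predecessors, and (step, N', D) per step."""
    adj = adjacency(edges)
    n_prime = [u]                                      # N'
    D = {v: adj[u].get(v, math.inf) for v in adj}      # D(v) = c(u,v) or infinity
    D[u] = 0
    p = {v: u for v in adj[u]}                         # p(v): predecessor on the best path
    trace = [(0, "".join(n_prime), dict(D))]
    step = 0
    while len(n_prime) < len(adj):
        step += 1
        # find w not in N' such that D(w) is a minimum (ties: alphabetical)
        w = min((v for v in adj if v not in n_prime), key=lambda v: (D[v], v))
        if D[w] == math.inf:
            break                                      # remaining nodes are unreachable
        n_prime.append(w)
        for v, c in adj[w].items():                    # update D(v) for v adjacent to w
            if v not in n_prime and D[w] + c < D[v]:
                D[v] = D[w] + c                        # D(v) = min(D(v), D(w) + c(w,v))
                p[v] = w
        trace.append((step, "".join(n_prime), dict(D)))
    return D, p, trace

def path_to(p, u, dest):
    path = [dest]
    while path[-1] != u:
        path.append(p[path[-1]])
    return list(reversed(path))

def forwarding_table(edges, u):
    """Next hop from u for every destination, read off the predecessor tree."""
    D, p, _ = dijkstra(edges, u)
    return {d: path_to(p, u, d)[1] for d in D if d != u}

if __name__ == "__main__":
    D, p, trace = dijkstra(GRAPH, "u")
    for step, n_prime, costs in trace:
        print(step, n_prime, costs)
    print(forwarding_table(GRAPH, "u"))
```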

Distance vector algorithm (1)
Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:
  Dx(y) ← min_v { c(x,v) + Dv(y) }  for each node y ∈ N
• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor
Distributed:
• each node notifies neighbors only when its DV changes
• neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path – it only knows the next hop.
Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three nodes with link costs c(x,y) = 2, c(x,z) = 7, c(y,z) = 1; the tables at nodes x, y and z evolve over time as DVs are exchanged]
node x table, initially (rows: from, columns: cost to):
        x  y  z
  x     0  2  7
  y     ∞  ∞  ∞
  z     ∞  ∞  ∞
after receiving the first DVs from y and z:
        x  y  z
  x     0  2  3
  y     2  0  1
  z     7  1  0
after the next exchange (converged):
        x  y  z
  x     0  2  3
  y     2  0  1
  z     3  1  0
Node y's table starts with only its own row known (2 0 1) and node z's with only its own row (7 1 0); both converge the same way.
Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
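The Bellman-Ford update and the three-node exchange above as a synchronous simulation, added here and not part of the lecture. Link costs are the slide's; the synchronous round structure (every node sends its DV at once, then recomputes) is a simplification of the asynchronous algorithm described on the slide.

```python
# Added example: distance-vector routing on the slide's x, y, z network.
import math

# The slide's link costs (undirected).
COSTS = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}

def bellman_ford_update(x, neighbors, neighbor_dvs, nodes):
    """Dx(y) <- min over neighbors v of { c(x,v) + Dv(y) }, for each node y."""
    dv = {}
    for y in nodes:
        if y == x:
            dv[y] = 0
            continue
        dv[y] = min((neighbors[v] + neighbor_dvs[v].get(y, math.inf) for v in neighbors),
                    default=math.inf)
    return dv

def run_dv(costs, max_rounds=50):
    """Exchange DVs in synchronous rounds until nothing changes; returns (DVs, rounds)."""
    nodes = sorted(costs)
    # initialization: each node knows only its direct link costs
    dvs = {x: {y: (0 if y == x else costs[x].get(y, math.inf)) for y in nodes} for x in nodes}
    rounds = 0
    for _ in range(max_rounds):
        rounds += 1
        # every node sends its current DV to each neighbor
        received = {x: {v: dict(dvs[v]) for v in costs[x]} for x in nodes}
        new = {x: bellman_ford_update(x, costs[x], received[x], nodes) for x in nodes}
        changed = new != dvs
        dvs = new
        if not changed:          # no DV changed, so no node would notify its neighbors
            break
    return dvs, rounds

def next_hops(x, costs, dvs):
    """Next hop for each destination: the neighbor v minimizing c(x,v) + Dv(y)."""
    hops = {}
    for y in dvs[x]:
        if y == x:
            continue
        hops[y] = min(costs[x], key=lambda v: costs[x][v] + dvs[v][y])
    return hops

if __name__ == "__main__":
    dvs, rounds = run_dv(COSTS)
    print(rounds, "rounds")
    for node in sorted(dvs):
        print(node, dvs[node], next_hops(node, COSTS, dvs))
```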

The Internet Network layer
Host, router network layer functions:
• Routing protocols: path selection; RIP, OSPF, BGP
• IP protocol: addressing conventions; datagram format; packet handling conventions
• ICMP protocol: error reporting; router "signaling"
• forwarding table
[Figure: the Network layer sits between the Transport layer (TCP, UDP) above and the Link layer and physical layer below]

IP datagram format
32 bits per row:
| ver | head. len | type of service | length |
| 16-bit identifier | flgs | fragment offset |
| time to live | upper layer | Internet checksum |
| 32 bit source IP address |
| 32 bit destination IP address |
| Options (if any) |
| data (variable length, typically a TCP or UDP segment) |
• ver: IP protocol version number
• head. len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number of remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Options: e.g. timestamp, record route taken, specify list of routers to visit
how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
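The header layout above turned into a builder, parser and per-hop TTL/checksum update, as an added example (not lecture code). Sample addresses are the slide's 223.1.x.x interfaces; the Internet checksum is computed as the one's-complement sum of 16-bit words, and a 20-byte header (no options) is assumed.

```python
# Added example: build and parse a 20-byte IPv4 header and verify its checksum.
import struct

IHL_WORDS = 5                 # header length in 32-bit words when there are no options
HEADER_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, length, id, flags+offset, ttl, proto, csum, src, dst

def checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 6,
                 ident: int = 0x1234) -> bytes:
    """IPv4 header without options; proto 6 = TCP; DF flag set, fragment offset 0."""
    ver_ihl = (4 << 4) | IHL_WORDS
    total_len = IHL_WORDS * 4 + payload_len
    flags_frag = (0b010 << 13) | 0
    hdr = struct.pack(HEADER_FMT, ver_ihl, 0, total_len, ident, flags_frag, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(pkt: bytes) -> dict:
    """Decode the fixed fields; checksum_ok is True when the header verifies to zero."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HEADER_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum_ok": checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }

def forward_hop(pkt: bytes):
    """What each router does: decrement TTL, drop at zero, recompute the header checksum."""
    h = parse_header(pkt)
    if h["ttl"] <= 1:
        return None                                  # TTL expired: discard
    ihl = h["header_len"]
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1                                      # byte 8 is time to live
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

if __name__ == "__main__":
    pkt = build_header("223.1.1.1", "223.1.2.1", payload_len=20)   # 20-byte TCP header, no data
    print(parse_header(pkt))
    print(parse_header(forward_hop(pkt))["ttl"])
```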

IP Addressing: introduction
• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link; routers typically have multiple interfaces; a host may have multiple interfaces; IP addresses are associated with each interface
[Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.1, 223.1.2.2, 223.1.2.9, 223.1.3.1, 223.1.3.2, 223.1.3.27]
223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA
Pros:
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple
Cons:
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p.
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success (exactly one of the N nodes transmits) = Np(1-p)^(N-1)
• For max efficiency with N nodes, find the p that maximizes Np(1-p)^(N-1)
• For many nodes, take the limit of Np(1-p)^(N-1) at that p as N goes to infinity: gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of the time.

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.
Human analogy: don't interrupt others.

CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.
[Figure: spatial layout of nodes and their transmissions over time]
Note: role of distance & propagation delay in determining collision probability.

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
Collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted and received signals
• difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: CSMA/CD collision detection timing diagram]

"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?
[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88, MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)
• A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.
• B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed.
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.

Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
• Two ARP tables in router R, one for each IP network (LAN).
• In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A, R and B with their IP and MAC addresses]
• A creates datagram with source A, destination B.
• A uses ARP to get R's MAC address for 111.111.111.110.
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram.
• A's adapter sends frame; R's adapter receives frame.
• R removes IP datagram from Ethernet frame, sees it's destined to B.
• R uses ARP to get B's MAC address.
• R creates frame containing A-to-B IP datagram, sends to B.
[Figure: A, R and B]

Ethernet uses CSMA/CD
• No slots.
• Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
• Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
• Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame.
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.
Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load: heavy load: random wait will be longer
• first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
• after second collision: choose K from {0, 1, 2, 3} …
• after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}
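Steps 1 through 5 of the Ethernet CSMA/CD algorithm and the backoff numbers above, as an added Python model that is not part of the original slides: the channel is replaced by a scripted list of outcomes, and the Adapter class, its method names and the 0.1 microsecond bit time for 10 Mbps are this example's own assumptions.

```python
import random

SLOT_BIT_TIMES = 512              # slide: adapter waits K * 512 bit times
BIT_TIME_US_10MBPS = 0.1          # 10 Mbps Ethernet: one bit time is 0.1 microsecond
MAX_EXPONENT = 10                 # after ten collisions K is drawn from {0, ..., 1023}
JAM_BITS = 48

def backoff_choices(m):
    """Number of possible K values after the m-th collision: 2^m, capped at 2^10 = 1024."""
    if m < 1:
        raise ValueError("m counts collisions of the current frame, so m >= 1")
    return 2 ** min(m, MAX_EXPONENT)

def wait_time_us(k, bit_time_us=BIT_TIME_US_10MBPS):
    """Backoff delay in microseconds for a chosen K."""
    return k * SLOT_BIT_TIMES * bit_time_us

class Adapter:
    """Constructed model of one adapter sending one frame (steps 1-5 of the slide).
    The channel is simulated by a scripted list of outcomes, one per transmission attempt."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.collisions = 0          # m: collisions seen while sending the current frame
        self.events = []             # what the adapter did, in order

    def send_frame(self, channel_outcomes):
        """channel_outcomes: sequence of 'busy', 'idle' or 'collision' (constructed input).
        Returns True if the frame was eventually sent, False if the script ran out first."""
        self.collisions = 0
        for outcome in channel_outcomes:
            if outcome == 'busy':                       # step 2: channel busy, defer until idle
                self.events.append(('defer',))
            elif outcome == 'idle':                     # step 3: entire frame sent, done
                self.events.append(('sent',))
                return True
            elif outcome == 'collision':                # step 4: abort and jam; step 5: back off
                self.collisions += 1
                k = self.rng.randrange(backoff_choices(self.collisions))
                self.events.append(('jam', JAM_BITS, 'backoff', k, wait_time_us(k)))
            else:
                raise ValueError(outcome)
        return False

if __name__ == "__main__":
    a = Adapter()
    print(a.send_frame(['busy', 'collision', 'collision', 'idle']), a.events)
    print(f"K=1023 waits {wait_time_us(1023) / 1000:.1f} ms")   # the slide's 'about 50 msec'
```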

CSMA/CD efficiency
• t_prop = max propagation delay between 2 nodes in LAN
• t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
• Efficiency goes to 1 as t_prop goes to 0
• Goes to 1 as t_trans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap

Hubs
Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality
  • can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links]

Interconnecting with hubs
Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it
Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: hubs interconnected by a backbone hub]

Switch
Link-layer device:
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem…
[Figure: switch with interfaces 1, 2 and 3, each connected to a hub]

Self learning
A switch has a switch table. Entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.

Switch: traffic isolation
• switch installation breaks subnet into LAN segments
• switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
• segments become separate collision domains
[Figure: switch connecting three hubs, each hub forming its own collision domain]
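The self-learning and filtering behaviour of the last two slides, as an added Python model that is not part of the original slides: the table holds (MAC address, interface, time stamp) entries that expire after the TTL, and each received frame is learned from and then filtered, forwarded or flooded. The class and method names, the broadcast-address handling and the sample MAC addresses are assumptions of the example.

```python
BROADCAST = 'FF-FF-FF-FF-FF-FF'

class LearningSwitch:
    """Constructed model of the slide's self-learning switch: a table of
    (MAC address, interface, time stamp) entries built only from observed frames."""

    def __init__(self, interfaces, ttl_seconds=60 * 60):    # slide: TTL can be 60 min
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.table = {}                                       # mac -> (interface, time stamp)

    def expire(self, now):
        """Drop stale entries (older than TTL)."""
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ttl:
                del self.table[mac]

    def receive(self, frame, in_iface, now):
        """Learn the sender's location, then filter, forward or flood the frame.
        Returns the list of interfaces the frame goes out on."""
        self.expire(now)
        self.table[frame['src']] = (in_iface, now)     # sender reachable via the incoming segment
        if frame['dst'] == BROADCAST or frame['dst'] not in self.table:
            return [i for i in self.interfaces if i != in_iface]   # flood all other segments
        out_iface, _ = self.table[frame['dst']]
        if out_iface == in_iface:
            return []                                   # same LAN segment: filter (isolation)
        return [out_iface]                              # known location: forward selectively

def replay(switch, events):
    """Feed (frame, in_iface, now) tuples in order; return the outgoing interfaces per frame."""
    return [switch.receive(frame, iface, now) for frame, iface, now in events]

if __name__ == "__main__":
    # constructed sample MAC addresses on interfaces 1 and 2
    A, B = 'AA-AA-AA-AA-AA-AA', 'BB-BB-BB-BB-BB-BB'
    sw = LearningSwitch([1, 2, 3])
    print(replay(sw, [({'src': A, 'dst': B}, 1, 0),      # B unknown: flooded to 2 and 3
                      ({'src': B, 'dst': A}, 2, 1),      # A known: forwarded to 1 only
                      ({'src': A, 'dst': B}, 1, 2)]))    # B known: forwarded to 2 only
    print(sw.table)
```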

Switches vs. Routers
• both store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other; means A, C unaware of their interference at B.
[Figure: A, B and C, with A's and C's ranges overlapping only at B]
Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B.
[Figure: A's and C's signal strength versus space, both reaching B]

IEEE 802.11 Wireless LAN
• 802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
  • widely deployed, using base stations
• 802.11a: 5-6 GHz range; up to 54 Mbps
• 802.11g: 2.4-5 GHz range; up to 54 Mbps
• All use CSMA/CA for multiple access
• All have base-station and ad-hoc network versions

802.11 LAN architecture
• wireless host communicates with base station; base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
• ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
 - start random backoff time
 - timer counts down while channel idle
 - transmit when timer expires
 - if no ACK, increase random backoff interval, repeat 2
802.11 receiver:
 - if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange
[Figure: time diagram with AP, A and B: RTS(A) and RTS(B) collide; A's retried RTS(A) is answered by CTS(A), a reservation heard by both A and B; B defers; A sends DATA(A) and receives ACK(A)]

802.11 frame format (field: size in bytes):
frame control: 2; duration: 2; address 1: 6; address 2: 6; address 3: 6; seq control: 2; address 4: 6; payload: 0 - 2312; CRC: 4

802.11 frame: addressing
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode
[Figure: H1 sends through the AP to router R1 on the Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]

Network Security
• What is network security?
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and countermeasures: Packet sniffing, IP spoofing, DoS attacks

Page 40:

Internet security threats
Denial of service (DOS):
• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A
[Figure: hosts A, B and C; B and C flood A with SYN segments]

Internet security threats
Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)
[Figure: hosts A, B and C; B and C flood A with SYN segments]
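The first countermeasure above (filter out flooded SYNs before they reach the host, throwing out good with bad), as an added Python example that is not part of the original slides: a per-destination SYN rate limiter run over a constructed packet trace. The window, threshold, trace contents and names are this example's own assumptions.

```python
from collections import deque

class SynRateFilter:
    """Constructed per-destination SYN rate limiter: the slide's 'filter out flooded
    packets (e.g., SYN) before reaching host'. Threshold and window are assumptions."""

    def __init__(self, max_syn_per_window=3, window_seconds=1.0):
        self.max_syn = max_syn_per_window
        self.window = window_seconds
        self.recent = {}          # dst -> deque of SYN arrival times within the window

    def decide(self, pkt):
        """Return 'pass' or 'drop'. Only SYNs (new connection attempts) are counted;
        packets of established flows pass regardless of the flood."""
        if not pkt['syn']:
            return 'pass'
        q = self.recent.setdefault(pkt['dst'], deque())
        while q and pkt['t'] - q[0] > self.window:    # slide the window forward
            q.popleft()
        q.append(pkt['t'])
        # once the destination is being swamped, every further SYN is dropped,
        # the legitimate ones included: good thrown out with bad
        return 'drop' if len(q) > self.max_syn else 'pass'

# Constructed trace: hosts A and B swamp C with SYNs while a legitimate client also connects.
TRACE = [
    {'t': 0.00, 'src': 'A', 'dst': 'C', 'syn': True},
    {'t': 0.05, 'src': 'B', 'dst': 'C', 'syn': True},
    {'t': 0.10, 'src': 'A', 'dst': 'C', 'syn': True},
    {'t': 0.15, 'src': 'B', 'dst': 'C', 'syn': True},       # over threshold: dropped
    {'t': 0.20, 'src': 'legit', 'dst': 'C', 'syn': True},   # legitimate SYN thrown out with the bad
    {'t': 0.25, 'src': 'legit', 'dst': 'D', 'syn': True},   # other destinations unaffected
    {'t': 0.30, 'src': 'legit', 'dst': 'C', 'syn': False},  # established flow to C still passes
    {'t': 2.00, 'src': 'legit', 'dst': 'C', 'syn': True},   # window drained: accepted again
]

def run_filter(trace, flt=None):
    """Apply the filter to each packet of a trace in order; return the decisions."""
    flt = flt or SynRateFilter()
    return [flt.decide(p) for p in trace]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_filter(TRACE)):
        print(f"t={pkt['t']:.2f} {pkt['src']:>5} -> {pkt['dst']} syn={pkt['syn']!s:5} {verdict}")
```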

Review (1)
Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)
Routing in the Internet
  • Hierarchical routing
  • RIP
  • OSPF
  • BGP
Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)
• What is network security?
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and countermeasures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification
Global or decentralized information?
• Global: all routers have complete topology, link cost info: "link state" algorithms
• Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors: "distance vector" algorithms
Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly: periodic update, in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example
[Figure: six-node graph with nodes u, v, w, x, y, z and the link costs used in the table below]

Step   N         D(v),p(v)   D(w),p(w)   D(x),p(x)   D(y),p(y)   D(z),p(z)
0      u         2,u         5,u         1,u         ∞           ∞
1      ux        2,u         4,x                     2,x         ∞
2      uxy       2,u         3,y                                 4,y
3      uxyv                  3,y                                 4,y
4      uxyvw                                                     4,y
5      uxyvwz
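The algorithm of the previous slide, as an added Python implementation that is not part of the original slides, run on the six-node example graph; the link costs are this example's reading of the slide's figure, and the final D(v), p(v) values of the table above are what the code reproduces (the slide adds y before v at the step-2 tie; the code breaks ties by node name, which changes the order but not the result).

```python
INF = float('inf')

# Constructed graph for the slide's example: nodes u, v, w, x, y, z with the
# link costs as read from the slide's figure (undirected links, symmetric cost).
EXAMPLE_LINKS = {
    ('u', 'v'): 2, ('u', 'x'): 1, ('u', 'w'): 5,
    ('v', 'x'): 2, ('v', 'w'): 3,
    ('x', 'w'): 3, ('x', 'y'): 1,
    ('w', 'y'): 1, ('w', 'z'): 5,
    ('y', 'z'): 2,
}

def adjacency(links):
    """Build c(a,b) lookups in both directions from the undirected link list."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj

def dijkstra(links, source):
    """Link-state route computation in the shape of the slide's pseudocode.
    Returns (D, p, order): least cost D(v), predecessor p(v) on the least-cost path,
    and the order in which nodes were added to N."""
    adj = adjacency(links)
    D = {v: INF for v in adj}
    p = {v: None for v in adj}
    D[source] = 0
    N = [source]                                   # initialization: N = {u}
    for v, cost in adj[source].items():            # D(v) = c(u,v) for neighbours, else infinity
        D[v], p[v] = cost, source
    while len(N) < len(adj):                       # loop until all nodes in N
        # find w not in N such that D(w) is a minimum (ties broken by node name)
        w = min((v for v in adj if v not in N), key=lambda v: (D[v], v))
        N.append(w)
        for v, cost in adj[w].items():             # update D(v) for v adjacent to w, not in N
            if v not in N and D[w] + cost < D[v]:  # D(v) = min(D(v), D(w) + c(w,v))
                D[v], p[v] = D[w] + cost, w
    return D, p, N

def forwarding_table(links, source):
    """Next hop from source for each destination: walk the predecessors back to source."""
    D, p, _ = dijkstra(links, source)
    table = {}
    for dest in D:
        if dest == source or D[dest] == INF:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table

if __name__ == "__main__":
    D, p, order = dijkstra(EXAMPLE_LINKS, 'u')
    print("order in which nodes joined N:", order)
    for v in sorted(D):
        print(f"D({v}) = {D[v]}, p({v}) = {p[v]}")
    print("forwarding table at u:", forwarding_table(EXAMPLE_LINKS, 'u'))
```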

Distance vector algorithm (1)
Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) }  for each node y ∈ N
• Under minor, natural condit ions, the estimate D_x(y) converges to the actual least cost d_x(y)

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path – only knows the next hop.
Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three-node example, c(x,y) = 2, c(y,z) = 1, c(x,z) = 7; the tables of nodes x, y and z (rows "from", columns "cost to") at successive times: node x's own row starts at (0, 2, 7) and converges to (0, 2, 3), node y's at (2, 0, 1), node z's starts at (7, 1, 0) and converges to (3, 1, 0)]
D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
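The distributed, asynchronous distance-vector run of the slides above, as an added Python model that is not part of the original slides, on the three-node example: each node recomputes with the Bellman-Ford equation whenever a neighbor's DV arrives and notifies its neighbors only when its own DV changes. The class and function names are the example's own.

```python
INF = float('inf')

# Constructed three-node example from the slide: c(x,y) = 2, c(y,z) = 1, c(x,z) = 7.
EXAMPLE_COSTS = {
    'x': {'y': 2, 'z': 7},
    'y': {'x': 2, 'z': 1},
    'z': {'x': 7, 'y': 1},
}

class Node:
    """One router running the distance vector algorithm (model code, not a real router)."""

    def __init__(self, name, link_costs, all_nodes):
        self.name = name
        self.costs = link_costs                       # c(x,v) for each neighbour v
        self.neighbours = sorted(link_costs)
        # own estimate D_x(y): initially the direct link cost, or infinity
        self.dv = {y: 0 if y == name else link_costs.get(y, INF) for y in all_nodes}
        self.next_hop = {y: (y if y in link_costs else None) for y in all_nodes}
        # last DV heard from each neighbour v; before any message only D_v(v) = 0 is known
        self.heard = {v: {y: (0 if y == v else INF) for y in all_nodes} for v in self.neighbours}

    def receive(self, sender, dv):
        """Store the neighbour's DV and re-run the Bellman-Ford equation
        D_x(y) = min over v of c(x,v) + D_v(y). Returns True if own DV changed."""
        self.heard[sender] = dict(dv)
        changed = False
        for y in self.dv:
            if y == self.name:
                continue
            best, hop = INF, None
            for v in self.neighbours:
                cand = self.costs[v] + self.heard[v][y]
                if cand < best:
                    best, hop = cand, v
            if best != self.dv[y]:
                self.dv[y], self.next_hop[y] = best, hop
                changed = True
        return changed

def run(link_costs):
    """Distributed, asynchronous run: a FIFO of DV messages; a node notifies its
    neighbours only when its own DV changed. Returns (vectors, next hops, messages delivered)."""
    names = sorted(link_costs)
    nodes = {n: Node(n, link_costs[n], names) for n in names}
    # initially every node sends its DV to each neighbour
    queue = [(n, v, dict(nodes[n].dv)) for n in names for v in nodes[n].neighbours]
    delivered = 0
    while queue:
        sender, receiver, dv = queue.pop(0)
        delivered += 1
        if nodes[receiver].receive(sender, dv):
            queue.extend((receiver, v, dict(nodes[receiver].dv))
                         for v in nodes[receiver].neighbours)
    return ({n: nodes[n].dv for n in names},
            {n: nodes[n].next_hop for n in names},
            delivered)

if __name__ == "__main__":
    vectors, hops, delivered = run(EXAMPLE_COSTS)
    for n in vectors:
        print(f"node {n}: D = {vectors[n]}  next hops = {hops[n]}")
    print(f"converged after {delivered} DV messages")
```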

The Internet Network layer
Host, router network layer functions:
• Routing protocols: path selection; RIP, OSPF, BGP
• IP protocol: addressing conventions; datagram format; packet handling conventions
• ICMP protocol: error reporting; router "signaling"
[Figure: the network layer, with its forwarding table, between the transport layer (TCP, UDP) above and the link and physical layers below]

IP datagram format (header fields, 32 bits wide)
• ver: IP protocol version number
• head len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Internet checksum
• 32 bit source IP address
• 32 bit destination IP address
• Options (if any): e.g., timestamp, record route taken, specify list of routers to visit
• data (variable length, typically a TCP or UDP segment)
How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead

IP Addressing: introduction
• IP address: 32-bit identifier for host, router interface
• interface: connection between host/router and physical link
  • routers typically have multiple interfaces
  • host may have multiple interfaces
  • IP addresses associated with each interface
[Figure: network with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1 and 223.1.3.27]
223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets
IP address:
• subnet part (high order bits)
• host part (low order bits)
What's a subnet? Device interfaces with same subnet part of IP address can physically reach each other without intervening router.
[Figure: the same network of interfaces 223.1.1.1 through 223.1.3.27, a network consisting of 3 subnets, each a LAN]

IP addressing: CIDR
Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).
CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format: a.b.c.d/x, where x is # bits in subnet portion of address.
  11001000 00010111 00010000 00000000
  subnet part (23 bits) | host part
  200.23.16.0/23

NAT: Network Address Translation
[Figure: local network (e.g., home network) 10.0.0/24 with addresses 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4 behind a NAT router whose address toward the rest of the Internet is 138.76.29.7]
• Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual).
• All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers.

NAT: Network Address Translation
[Figure: the same local network and NAT router 138.76.29.7; datagrams 1 to 4 as below]
1. Host 10.0.0.1 sends datagram to 128.119.40.186, 80:  S: 10.0.0.1, 3345  D: 128.119.40.186, 80
2. NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table:  S: 138.76.29.7, 5001  D: 128.119.40.186, 80
3. Reply arrives, dest. address 138.76.29.7, 5001:  S: 128.119.40.186, 80  D: 138.76.29.7, 5001
4. NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345:  S: 128.119.40.186, 80  D: 10.0.0.1, 3345

NAT translation table
WAN side addr         LAN side addr
138.76.29.7, 5001     10.0.0.1, 3345
……                    ……
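Steps 1 through 4 of the NAT walkthrough above, as an added Python model of the translation table that is not part of the original slides; the NatRouter class, its method names and the dropping of inbound datagrams that match no table entry are this example's own assumptions.

```python
from itertools import count

class NatRouter:
    """Constructed model of the slide's NAT translation table (WAN side addr <-> LAN side addr)."""

    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.ports = count(first_port)      # slide: first translated source port is 5001
        self.table = {}                      # (wan_ip, wan_port) -> (lan_ip, lan_port)
        self.reverse = {}                    # (lan_ip, lan_port) -> (wan_ip, wan_port)

    def outbound(self, datagram):
        """Step 2: rewrite source addr/port of a datagram leaving the local network,
        allocating a new WAN port (and table row) for a flow seen for the first time."""
        src = (datagram['src'], datagram['sport'])
        if src not in self.reverse:
            wan = (self.wan_ip, next(self.ports))
            self.table[wan] = src
            self.reverse[src] = wan
        wan_ip, wan_port = self.reverse[src]
        return dict(datagram, src=wan_ip, sport=wan_port)

    def inbound(self, datagram):
        """Step 4: a reply addressed to (wan_ip, wan_port) is mapped back to the LAN host.
        A datagram that matches no row is dropped (None): nothing inside asked for it."""
        key = (datagram['dst'], datagram['dport'])
        if key not in self.table:
            return None
        lan_ip, lan_port = self.table[key]
        return dict(datagram, dst=lan_ip, dport=lan_port)

def walkthrough():
    """The slide's four steps; returns the rewritten outbound datagram, the
    rewritten reply and the translation table."""
    nat = NatRouter('138.76.29.7')
    # step 1: host 10.0.0.1 sends a datagram to 128.119.40.186, port 80
    d1 = {'src': '10.0.0.1', 'sport': 3345, 'dst': '128.119.40.186', 'dport': 80}
    d2 = nat.outbound(d1)                                   # step 2
    # step 3: the reply arrives addressed to 138.76.29.7, port 5001
    d3 = {'src': '128.119.40.186', 'sport': 80, 'dst': d2['src'], 'dport': d2['sport']}
    d4 = nat.inbound(d3)                                    # step 4
    return d2, d4, nat.table

if __name__ == "__main__":
    out, back, table = walkthrough()
    print("leaving local network:", out)
    print("delivered to LAN host:", back)
    print("translation table:", table)
```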

Hierarchical Routing
Our routing study thus far - idealization: all routers identical, network "flat"… not true in practice.
Scale: with 200 million destinations:
• can't store all dest's in routing tables
• routing table exchange would swamp links
Administrative autonomy:
• internet = network of networks
• each network admin may want to control routing in its own network

Hierarchical Routing
• aggregate routers into regions, "autonomous systems" (AS)
• routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS
[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); a gateway router runs both an intra-AS routing algorithm and an inter-AS routing algorithm, which together fill its forwarding table]

Interconnected ASes
Forwarding table is configured by both intra- and inter-AS routing algorithm:
• Intra-AS sets entries for internal dests
• Inter-AS & Intra-AS set entries for external dests

Routing in the Internet
• Intra-AS routing: RIP and OSPF
• Inter-AS routing: BGP

RIP (Routing Information Protocol)
• Distance vector algorithm
• Included in BSD-UNIX Distribution in 1982
• Distance metric: # of hops (max = 15 hops): # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)
[Figure: routers A, B, C and D connecting subnets u, v, w, x, y and z]
From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements
• Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
• Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)
• "open": publicly available
• Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator
• OSPF advertisement carries one entry per neighbor router
• Advertisements disseminated to entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF
• Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
• Backbone routers: run OSPF routing limited to backbone.
• Boundary routers: connect to other ASs.

Internet inter-AS routing: BGP
• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs.
  2. Propagate the reachability information to all routers internal to the AS.
  3. Determine "good" routes to subnets based on reachability information and policy.
• Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics
• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
• Note that BGP sessions do not correspond to physical links.
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix.
• AS2 can aggregate prefixes in its advertisement.
[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c), with eBGP sessions between gateway routers of different ASes and iBGP sessions inside an AS]

Path attributes & BGP routes
• When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
• Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: indicates the specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop AS.)
• When gateway router receives route advert, uses import policy to accept/decline.

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem…

(figure: switch with interfaces 1, 2 and 3, each attached to a hub)

Self learning

A switch has a switch table
entry in switch table: (MAC address, interface, time stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
when frame received, switch "learns" location of sender: incoming LAN segment
records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments
switch filters packets:
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains

(figure: switch attached to three hubs, each hub forming its own collision domain)
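The self-learning, filtering and forwarding behaviour of the last two slides as a small simulation. This is an added example, not code from the slides; the MAC addresses, the three-hub layout and the trace timings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

TTL_SECONDS = 60 * 60          # the slide's "TTL can be 60 min"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # sender MAC address
    dst: str   # destination MAC address


@dataclass
class Entry:
    interface: int
    timestamp: float


class LearningSwitch:
    """Switch table of (MAC address, interface, time stamp) entries, as on the slide."""

    def __init__(self, interfaces: List[int], ttl: float = TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table: Dict[str, Entry] = {}

    def _expire(self, now: float) -> None:
        """Drop stale entries: anything not refreshed within TTL."""
        for mac in [m for m, e in self.table.items() if now - e.timestamp > self.ttl]:
            del self.table[mac]

    def receive(self, frame: Frame, in_if: int, now: float) -> List[int]:
        """Handle a frame arriving on in_if and return the interfaces it goes out on.

        Self-learning: the sender is recorded as reachable through in_if.
        Filtering: a destination known to sit on in_if is not forwarded (same segment).
        Forwarding: a destination known elsewhere goes out that one interface;
        an unknown or broadcast destination is flooded to every other interface.
        """
        self._expire(now)
        self.table[frame.src] = Entry(in_if, now)   # learn (sender, incoming segment)
        known = self.table.get(frame.dst)
        if frame.dst == BROADCAST or known is None:
            return [i for i in self.interfaces if i != in_if]   # flood
        if known.interface == in_if:
            return []                                           # filter
        return [known.interface]                                # selective forward

    def lookup(self, mac: str) -> Optional[int]:
        e = self.table.get(mac)
        return None if e is None else e.interface


def demo() -> List[List[int]]:
    """Constructed trace on the slide's layout: one switch, three hubs on interfaces 1, 2, 3.

    A and C hang off the hub on interface 1, B off the hub on interface 2.
    """
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    out = []
    out.append(sw.receive(Frame(a, b), in_if=1, now=0.0))   # B unknown: flood to 2 and 3
    out.append(sw.receive(Frame(b, a), in_if=2, now=1.0))   # A learned on 1: forward to 1 only
    out.append(sw.receive(Frame(a, b), in_if=1, now=2.0))   # B learned on 2: forward to 2 only
    out.append(sw.receive(Frame(c, a), in_if=1, now=3.0))   # A is on the incoming segment: filtered
    out.append(sw.receive(Frame(a, b), in_if=1, now=3.0 + TTL_SECONDS + 1))  # B aged out: flood
    return out


if __name__ == "__main__":
    for step, ports in enumerate(demo(), 1):
        print(f"frame {step}: sent out on interfaces {ports}")
```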

Switches vs Routers

both store-and-forward devices
routers: network layer devices (examine network layer headers); switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
B, A hear each other
B, C hear each other
A, C cannot hear each other: means A, C unaware of their interference at B

(figure: nodes A, B, C in a row; A's range and C's range overlap only at B)

Signal fading
B, A hear each other
B, C hear each other
A, C cannot hear each other, interfering at B

(figure: A's signal strength and C's signal strength plotted against space)

IEEE 802.11 Wireless LAN

802.11b
2.4–5 GHz unlicensed radio spectrum
up to 11 Mbps
direct sequence spread spectrum (DSSS) in physical layer
• all hosts use same chipping code
widely deployed, using base stations

802.11a
5–6 GHz range
up to 54 Mbps

802.11g
2.4–5 GHz range
up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station
base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
wireless hosts
access point (AP): base station
ad hoc mode: hosts only

(figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

(figure: timing diagram; sender waits DIFS then sends data, receiver waits SIFS then returns ACK)

Collision Avoidance: RTS-CTS exchange

(figure: time diagram with stations A and B and the AP; A and B both send RTS and the two RTS frames collide at the AP (reservation collision); A retransmits RTS(A), the AP answers with CTS(A), which both A and B hear; A sends DATA(A) while B defers; the AP returns ACK(A))

802.11 frame layout (field: bytes)

frame control: 2
duration: 2
address 1: 6
address 2: 6
address 3: 6
seq control: 2
address 4: 6
payload: 0–2312
CRC: 4

802.11 frame: addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

(figure: wireless host H1, the AP, and router R1 toward the Internet)

802.11 frame (H1 to R1 via the AP):
address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame (AP to R1):
dest address = R1 MAC addr, source address = AP MAC addr
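A serializer and parser for the frame layout on the two preceding slides, followed by the 802.3 header the AP builds for the wired side, using the address mapping the slide's figure shows. This is an added example, not code from the slides; the MAC addresses and the stand-in IP datagram are constructed, address 4 is carried as a fixed all-zero field exactly as the slide draws it, and the trailing CRC is a plain big-endian CRC-32 rather than the on-air 802.11 FCS encoding.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Tuple

# Field widths exactly as drawn on the slide: 2 2 6 6 6 2 6 | payload | 4
HDR_FMT = ">HH6s6s6sH6s"            # frame control, duration, addr1, addr2, addr3, seq control, addr4
HDR_LEN = struct.calcsize(HDR_FMT)  # 30 bytes
CRC_LEN = 4
MAX_PAYLOAD = 2312
ZERO_MAC = bytes(6)


@dataclass
class Dot11Frame:
    frame_control: int
    duration: int
    addr1: bytes   # receiver: wireless host or AP
    addr2: bytes   # transmitter: wireless host or AP
    addr3: bytes   # router interface the AP is attached to
    seq_control: int
    addr4: bytes   # ad hoc mode only; all zero here
    payload: bytes


def mac_bytes(text: str) -> bytes:
    """'AA-BB-CC-DD-EE-FF' -> 6 raw bytes."""
    parts = text.split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text}")
    return bytes(int(p, 16) for p in parts)


def mac_text(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_dot11(addr1: bytes, addr2: bytes, addr3: bytes, payload: bytes,
                seq_control: int = 0, frame_control: int = 0x0008, duration: int = 0) -> bytes:
    """Serialise a frame in the slide's layout; CRC-32 (zlib.crc32) over header + payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    header = struct.pack(HDR_FMT, frame_control, duration, addr1, addr2, addr3, seq_control, ZERO_MAC)
    body = header + payload
    return body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_dot11(raw: bytes) -> Dot11Frame:
    """Parse and verify a frame; raises ValueError on short input or CRC mismatch."""
    if len(raw) < HDR_LEN + CRC_LEN:
        raise ValueError("frame shorter than header plus CRC")
    body, crc = raw[:-CRC_LEN], struct.unpack(">I", raw[-CRC_LEN:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("CRC mismatch")
    fc, dur, a1, a2, a3, seq, a4 = struct.unpack(HDR_FMT, body[:HDR_LEN])
    return Dot11Frame(fc, dur, a1, a2, a3, seq, a4, body[HDR_LEN:])


def crc_ok(raw: bytes) -> bool:
    """True when the frame parses cleanly (length and CRC both fine)."""
    try:
        parse_dot11(raw)
        return True
    except ValueError:
        return False


def to_dot3(frame: Dot11Frame) -> Tuple[bytes, bytes, bytes]:
    """What the AP hands to the wired side, following the slide's figure:
    802.3 dest = address 3 (R1), 802.3 source = address 1 (the AP itself)."""
    return frame.addr3, frame.addr1, frame.payload


# Constructed addresses (not from the slides); R1 uses the IANA documentation MAC range.
H1_MAC = mac_bytes("02-11-22-33-44-55")
AP_MAC = mac_bytes("02-AA-BB-CC-DD-EE")
R1_MAC = mac_bytes("00-00-5E-00-53-01")


def demo() -> Tuple[str, str, bytes]:
    """H1 sends an IP datagram to R1 through the AP; returns the 802.3 (dest, src, payload)."""
    datagram = b"\x45\x00\x00\x14" + b"\x00" * 16   # constructed 20-byte stand-in for an IP header
    on_air = build_dot11(addr1=AP_MAC, addr2=H1_MAC, addr3=R1_MAC, payload=datagram, seq_control=7)
    dst, src, payload = to_dot3(parse_dot11(on_air))
    return mac_text(dst), mac_text(src), payload


if __name__ == "__main__":
    dst, src, payload = demo()
    print(f"802.3 frame: dest={dst} source={src} payload={len(payload)} bytes")
```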

Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security

Internet security threats: Denial of service (DoS)

Countermeasures:
filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad
traceback to source of floods (most likely an innocent, compromised machine)

(figure: three hosts A, B and C each sending a stream of SYN packets toward a single victim)
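The "filter out flooded packets before reaching host" countermeasure as a sliding-window rate filter run over a constructed packet log, including the "throw out good with bad" effect the slide warns about. This is an added example, not code from the slides; the log format, the hosts A, B, C, L and V, and the thresholds are all constructed.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed log format, one packet per line (not a real sniffer's output).
LINE_RE = re.compile(r"t=(?P<t>[\d.]+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+flags=(?P<flags>\S+)")


def parse_line(line: str) -> Tuple[float, str, str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return float(m["t"]), m["src"], m["dst"], m["flags"]


class SynRateFilter:
    """Drops SYNs once a sliding-window count is exceeded, before they reach the host.

    Two counters: per source address (catches a single noisy sender) and per destination
    (protects the victim when many senders each stay under the per-source limit). The
    per-destination counter is where "throw out good with bad" happens: once it trips,
    a legitimate client's SYN is dropped too. Per-source counting also assumes the source
    addresses are genuine; a flood that spoofs them defeats that counter.
    """

    def __init__(self, window_s: float, per_src_limit: int, per_dst_limit: int):
        self.window = window_s
        self.per_src_limit = per_src_limit
        self.per_dst_limit = per_dst_limit
        self.by_src: Dict[str, Deque[float]] = defaultdict(deque)
        self.by_dst: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _prune(q: Deque[float], now: float, window: float) -> None:
        while q and now - q[0] > window:
            q.popleft()

    def admit(self, t: float, src: str, dst: str, flags: str) -> str:
        """Return 'admit', 'drop:src' or 'drop:dst' for one packet."""
        if "S" not in flags or "A" in flags:
            return "admit"                 # only pure SYNs (new connection attempts) are rate limited
        sq, dq = self.by_src[src], self.by_dst[dst]
        self._prune(sq, t, self.window)
        self._prune(dq, t, self.window)
        if len(sq) >= self.per_src_limit:
            return "drop:src"
        if len(dq) >= self.per_dst_limit:
            return "drop:dst"
        sq.append(t)
        dq.append(t)
        return "admit"


def run(lines: List[str], window_s: float = 1.0, per_src_limit: int = 3,
        per_dst_limit: int = 8) -> List[str]:
    f = SynRateFilter(window_s, per_src_limit, per_dst_limit)
    return [f.admit(*parse_line(line)) for line in lines]


# Constructed trace: A, B, C flood the victim V with SYNs; L is a legitimate client.
SAMPLE_LOG = """
t=0.00 src=A dst=V flags=S
t=0.01 src=B dst=V flags=S
t=0.02 src=C dst=V flags=S
t=0.03 src=A dst=V flags=S
t=0.04 src=B dst=V flags=S
t=0.05 src=C dst=V flags=S
t=0.06 src=A dst=V flags=S
t=0.07 src=B dst=V flags=S
t=0.08 src=C dst=V flags=S
t=0.09 src=A dst=V flags=S
t=0.12 src=L dst=V flags=S
t=0.13 src=L dst=V flags=A
t=1.20 src=L dst=V flags=S
""".strip().splitlines()


def demo() -> List[Tuple[str, str]]:
    """Pair each sample line's source with the filter's decision."""
    return [(parse_line(line)[1], d) for line, d in zip(SAMPLE_LOG, run(SAMPLE_LOG))]


if __name__ == "__main__":
    for line, (_, decision) in zip(SAMPLE_LOG, demo()):
        print(f"{decision:9s} {line}")
```

The legitimate client L is dropped at t=0.12 because the per-destination budget was already spent by the flood, and only gets through once the window has slid past it.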

Review (1): Network Layer

Virtual circuits and datagram networks
Routing principles
• Link state algorithm
• Distance vector algorithm
The Internet (IP) protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation

Review (2): Routing in the Internet

• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA, FDMA
• Random access protocols
• "Taking turns" protocols
Link-layer addressing
Ethernet
Hubs and switches
Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3): Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification

Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example

(figure: graph with link costs u–v 2, u–x 1, u–w 5, v–x 2, v–w 3, x–w 3, x–y 1, w–y 1, w–z 5, y–z 2)

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
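The pseudocode from the previous slide run on this example's graph, recording the (N, D, p) snapshot after every step and then deriving u's forwarding table from the predecessors. This is an added example, not code from the slides; the link costs are the ones in the figure, and ties for the minimum D(w) are broken alphabetically (the slide takes y before v at step 2, which changes the order of the middle rows but not the final D and p).

```python
from typing import Dict, List, Optional, Tuple

INF = float("inf")

# Link costs read off the slide's figure (undirected), listed once per edge.
EDGES = [("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2), ("v", "w", 3),
         ("x", "w", 3), ("x", "y", 1), ("w", "y", 1), ("w", "z", 5), ("y", "z", 2)]


def build_graph(edges) -> Dict[str, Dict[str, int]]:
    g: Dict[str, Dict[str, int]] = {}
    for a, b, c in edges:
        g.setdefault(a, {})[b] = c
        g.setdefault(b, {})[a] = c
    return g


Step = Tuple[Tuple[str, ...], Dict[str, float], Dict[str, Optional[str]]]


def dijkstra(graph: Dict[str, Dict[str, int]], u: str
             ) -> Tuple[Dict[str, float], Dict[str, Optional[str]], List[Step]]:
    """The slide's pseudocode: returns D, p and the (N, D, p) snapshot after each step."""
    N: List[str] = [u]
    D: Dict[str, float] = {}
    p: Dict[str, Optional[str]] = {}
    for v in graph:                      # initialization
        if v == u:
            continue
        if v in graph[u]:
            D[v], p[v] = graph[u][v], u
        else:
            D[v], p[v] = INF, None
    steps: List[Step] = [(tuple(N), dict(D), dict(p))]
    while len(N) < len(graph):           # loop until all nodes in N
        # find w not in N with minimum D(w); sorted() makes tie-breaking alphabetical
        w = min((v for v in sorted(graph) if v not in N), key=lambda v: D[v])
        N.append(w)
        for v, c in graph[w].items():    # update D(v) for v adjacent to w and not in N
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        steps.append((tuple(N), dict(D), dict(p)))
    return D, p, steps


def forwarding_table(u: str, p: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Next hop from u toward each destination: walk the predecessor chain back to u."""
    table: Dict[str, str] = {}
    for dest in p:
        hop = dest
        while p[hop] is not None and p[hop] != u:
            hop = p[hop]
        if p[hop] == u:                  # unreachable destinations (chain ends in None) are left out
            table[dest] = hop
    return table


GRAPH = build_graph(EDGES)


if __name__ == "__main__":
    D, p, steps = dijkstra(GRAPH, "u")
    for i, (N, Dk, pk) in enumerate(steps):
        row = "  ".join(f"{v}:{'∞' if Dk[v] == INF else int(Dk[v])},{pk[v] or '-'}"
                        for v in sorted(Dk))
        print(f"step {i}: N={''.join(N):8s} {row}")
    print("forwarding table at u:", forwarding_table("u", p))
```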

Distance vector algorithm (1)

Basic idea:
Each node periodically sends its own distance vector estimate to neighbors
When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
local link cost change
DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only the next hop

Each node:
wait for (change in local link cost or msg from neighbor)
recompute estimates
if DV to any dest has changed, notify neighbors

(figure: nodes x, y, z with link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7)

Node x table (rows: from; columns: cost to x, y, z)
time 0:  x: 0 2 7   y: ∞ ∞ ∞   z: ∞ ∞ ∞
time 1:  x: 0 2 3   y: 2 0 1   z: 7 1 0
time 2:  x: 0 2 3   y: 2 0 1   z: 3 1 0

Node y table
time 0:  x: ∞ ∞ ∞   y: 2 0 1   z: ∞ ∞ ∞
time 1:  x: 0 2 7   y: 2 0 1   z: 7 1 0
time 2:  x: 0 2 3   y: 2 0 1   z: 3 1 0

Node z table
time 0:  x: ∞ ∞ ∞   y: ∞ ∞ ∞   z: 7 1 0
time 1:  x: 0 2 7   y: 2 0 1   z: 3 1 0
time 2:  x: 0 2 3   y: 2 0 1   z: 3 1 0

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2
D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
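The Bellman-Ford update and the notify-only-on-change rule from the two DV slides, run on the x, y, z example until the tables stop changing. This is an added example, not code from the slides; it assumes synchronous rounds (every pending notification is delivered before anyone recomputes), which reproduces the slide's time 0, 1, 2 columns.

```python
from typing import Dict, List, Set, Tuple

INF = float("inf")
Costs = Dict[str, Dict[str, int]]   # link costs: costs[x][v] = c(x,v)
DV = Dict[str, float]               # one distance vector: destination -> cost

# Link costs from the slide's figure.
LINKS: Costs = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}


def initial_dv(node: str, links: Costs) -> DV:
    """A node starts with its direct link costs and infinity elsewhere."""
    return {d: (0 if d == node else links[node].get(d, INF)) for d in links}


def bellman_ford(node: str, links: Costs, table: Dict[str, DV]) -> DV:
    """D_x(y) = min_v { c(x,v) + D_v(y) } over neighbors v, for every destination y.

    table holds the most recent DV received from each neighbor v.
    """
    dv: DV = {}
    for y in links:
        if y == node:
            dv[y] = 0
            continue
        dv[y] = min(c + table[v][y] for v, c in links[node].items())
    return dv


def run_dv(links: Costs) -> Tuple[Dict[str, DV], List[Dict[str, DV]]]:
    """Synchronous rounds until no node's DV changes.

    Returns the converged DVs and a history of every node's own DV per round
    (round 0 is the initial state), mirroring the time columns on the slide.
    """
    own: Dict[str, DV] = {n: initial_dv(n, links) for n in links}
    # each node's table: its own row plus one row per neighbor, neighbor rows all-infinity at first
    tables: Dict[str, Dict[str, DV]] = {
        n: {m: (own[n] if m == n else {d: INF for d in links}) for m in [n] + list(links[n])}
        for n in links}
    history = [{n: dict(own[n]) for n in links}]
    pending: Set[str] = set(links)                  # everyone announces its initial DV
    while pending:
        for n in pending:                           # a node notifies neighbors only when its DV changed
            for v in links[n]:
                tables[v][n] = dict(own[n])
        pending = set()
        for n in links:                             # recompute estimates
            new = bellman_ford(n, links, tables[n])
            if new != own[n]:
                own[n] = new
                tables[n][n] = new
                pending.add(n)
        history.append({n: dict(own[n]) for n in links})
    return own, history


if __name__ == "__main__":
    final, history = run_dv(LINKS)
    for t, snapshot in enumerate(history):
        print(f"time {t}: " + "   ".join(
            f"{n}: " + " ".join("∞" if c == INF else str(int(c)) for c in snapshot[n].values())
            for n in sorted(snapshot)))
```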

The Internet Network layer

Host, router network layer functions:

Transport layer: TCP, UDP

Network layer:
Routing protocols
• path selection
• RIP, OSPF, BGP
IP protocol
• addressing conventions
• datagram format
• packet handling conventions
ICMP protocol
• error reporting
• router "signaling"
forwarding table

Link layer

Physical layer

IP datagram format (32 bits per row)

ver | head len | type of service | length
16-bit identifier | flgs | fragment offset
time to live | upper layer | Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any)
data (variable length, typically a TCP or UDP segment)

ver: IP protocol version number
head len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
Options: e.g. timestamp, record route taken, specify list of routers to visit

how much overhead with TCP?
20 bytes of TCP
20 bytes of IP
= 40 bytes + app layer overhead

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
routers typically have multiple interfaces
host may have multiple interfaces
IP addresses associated with each interface

(figure: router with interfaces 223.1.1.4, 223.1.2.9 and 223.1.3.27; hosts 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.2.1, 223.1.2.2, 223.1.3.1 and 223.1.3.2)

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
subnet part (high order bits)
host part (low order bits)

What's a subnet?
device interfaces with same subnet part of IP address
can physically reach each other without intervening router

(figure: the same addresses as above; network consisting of 3 subnets (LANs): 223.1.1.x, 223.1.2.x and 223.1.3.x)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing
subnet portion of address of arbitrary length
address format: a.b.c.d/x, where x is # bits in subnet portion of address

11001000 00010111 00010000 00000000
subnet part: first 23 bits; host part: remaining 9 bits
200.23.16.0/23
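The subnet/host split of the slide's prefix and the lookup that arbitrary-length prefixes force on a router: longest prefix match rather than a class-based mask. This is an added example, not code from the slides; 200.23.16.0/23 is the slide's prefix, while the other table entries and the interface names are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple


def split_prefix(cidr: str) -> Tuple[str, str, int]:
    """Subnet-part and host-part bit strings of an a.b.c.d/x prefix, plus x."""
    net = ipaddress.ip_network(cidr, strict=True)
    bits = f"{int(net.network_address):032b}"
    return bits[:net.prefixlen], bits[net.prefixlen:], net.prefixlen


def longest_prefix_match(dest: str, routes: List[Tuple[str, str]]) -> Optional[str]:
    """Pick the route whose prefix is longest among those containing dest.

    Routes are (prefix, next_hop). Because CIDR prefixes can be any length, two
    entries can both contain an address; the more specific (longer) one wins.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    best_len = -1
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = next_hop, net.prefixlen
    return best


# Constructed forwarding table; only 200.23.16.0/23 comes from the slide.
ROUTES = [
    ("200.23.16.0/23", "if-1"),
    ("200.23.16.0/20", "if-2"),   # a shorter aggregate covering the same space
    ("0.0.0.0/0", "default"),
]


if __name__ == "__main__":
    sub, host, n = split_prefix("200.23.16.0/23")
    print(f"/{n}: subnet part {sub} | host part {host}")
    for dest in ("200.23.17.5", "200.23.18.1", "8.8.8.8"):
        print(f"{dest:13s} -> {longest_prefix_match(dest, ROUTES)}")
```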

NAT: Network Address Translation

(figure: local network, e.g. home network, 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2 and 10.0.0.3; the NAT router's LAN side is 10.0.0.4 and its WAN side 138.76.29.7, facing the rest of the Internet)

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80

2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80

NAT translation table
WAN side addr        LAN side addr
138.76.29.7, 5001    10.0.0.1, 3345
……                   ……

3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001

4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
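The four steps above as a NAT router with a translation table, using the slide's addresses, and extended with two cases the slide implies but does not draw: a second host reusing the same local port, and an inbound packet with no table entry. This is an added example, not code from the slides.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Datagram:
    src: Endpoint
    dst: Endpoint


class NatRouter:
    """The slide's NAT router: one public address and a translation table mapping
    (WAN side addr, port) <-> (LAN side addr, port), WAN ports handed out from 5001 up."""

    def __init__(self, wan_ip: str, local_net: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.local_net = ipaddress.ip_network(local_net)
        self.next_port = first_port
        self.wan_to_lan: Dict[Endpoint, Endpoint] = {}
        self.lan_to_wan: Dict[Endpoint, Endpoint] = {}

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite the source of a datagram leaving the local network, updating the table."""
        if ipaddress.ip_address(d.src[0]) not in self.local_net:
            return d                                    # not a local source: nothing to translate
        if d.src not in self.lan_to_wan:                # first packet of this flow: allocate a WAN port
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.lan_to_wan[d.src] = wan
            self.wan_to_lan[wan] = d.src
        return replace(d, src=self.lan_to_wan[d.src])

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Step 4: rewrite the destination of a reply; no table entry means no delivery."""
        lan = self.wan_to_lan.get(d.dst)
        if lan is None:
            return None                                 # unsolicited inbound traffic is dropped
        return replace(d, dst=lan)


def demo() -> List[Optional[Datagram]]:
    """The slide's four steps with its addresses, plus a second host and an unsolicited packet."""
    nat = NatRouter("138.76.29.7", "10.0.0.0/24")
    server = ("128.119.40.186", 80)
    step1 = Datagram(("10.0.0.1", 3345), server)                  # 1: host sends
    step2 = nat.outbound(step1)                                   # 2: S becomes 138.76.29.7, 5001
    step3 = Datagram(server, step2.src)                           # 3: reply to 138.76.29.7, 5001
    step4 = nat.inbound(step3)                                    # 4: D becomes 10.0.0.1, 3345
    other = nat.outbound(Datagram(("10.0.0.2", 3345), server))    # same LAN port, distinct WAN port
    stray = nat.inbound(Datagram(server, ("138.76.29.7", 6000)))  # no entry: dropped
    return [step1, step2, step3, step4, other, stray]


if __name__ == "__main__":
    for i, d in enumerate(demo(), 1):
        print(i, "dropped" if d is None else f"S: {d.src}  D: {d.dst}")
```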

Hierarchical Routing

scale: with 200 million destinations:
can't store all dests in routing tables
routing table exchange would swamp links

administrative autonomy
internet = network of networks
each network admin may want to control routing in its own network

Our routing study thus far: idealization; all routers identical, network "flat"… not true in practice

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol: "intra-AS" routing protocol
routers in different AS can run different intra-AS routing protocol

Gateway router: direct link to router in another AS

(figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c) interconnected through their gateway routers; inside a router, the intra-AS and inter-AS routing algorithms both write the forwarding table)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithms:
Intra-AS sets entries for internal dests
Inter-AS & intra-AS set entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX distribution in 1982
Distance metric: # of hops (max = 15 hops)
# of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

(figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z)

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses link state algorithm
LS packet dissemination
Topology map at each node
Route computation using Dijkstra's algorithm
Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone
Link-state advertisements only in area; each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other area border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other ASes

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
AS2 can aggregate prefixes in its advertisement

(figure: AS1, AS2 and AS3 as before; eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"
Two important attributes:
AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
When gateway router receives route advert, uses import policy to accept/decline
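A route as "prefix + attributes", the AS-PATH growing as an advert crosses AS 67 and AS 17, and a gateway router's import decision, as an added example that is not code from the slides. The router names, AS 1, AS 42 and AS 99, and the "never transit AS 42" policy are constructed; the rejection of an AS-PATH that already contains the receiver's own AS is standard BGP loop prevention, not something the slide spells out.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """prefix + attributes = "route", with the two attributes the slide names."""
    prefix: str
    as_path: Tuple[int, ...]   # ASes the advert has passed through, most recent first
    next_hop: str              # router in the next-hop AS to send toward


def advertise(route: Route, my_as: int, my_router: str) -> Route:
    """What an AS sends to an eBGP peer: prepend its own AS number and set NEXT-HOP
    to the router of its own the peer should use for this prefix."""
    return Route(route.prefix, (my_as,) + route.as_path, my_router)


ImportPolicy = Callable[[Route], bool]


def gateway_import(route: Route, my_as: int, policy: ImportPolicy) -> Optional[Route]:
    """The receiving gateway router accepts (returns the route) or declines (None)."""
    if my_as in route.as_path:
        return None                      # loop: the advert has already been through this AS
    if not policy(route):
        return None                      # operator's import policy says no
    return route


def prefer_shortest_path(candidates: List[Route]) -> Optional[Route]:
    """One simple selection rule among accepted routes to the same prefix."""
    if not candidates:
        return None
    return min(candidates, key=lambda r: (len(r.as_path), r.as_path))


def no_transit_42(route: Route) -> bool:
    """AS 1's constructed import policy: never accept a route that passes through AS 42."""
    return 42 not in route.as_path


def demo() -> Tuple[Optional[Route], Optional[Route], Optional[Route], Optional[Route]]:
    """AS 67 originates the prefix, AS 17 re-advertises it to AS 1 (the slide's AS 67, AS 17)."""
    origin = Route("200.23.16.0/23", (67,), "r67")           # prefix from the slides; routers invented
    via_17 = advertise(origin, my_as=17, my_router="r17")    # AS-PATH becomes (17, 67)
    accepted = gateway_import(via_17, my_as=1, policy=no_transit_42)

    looped = advertise(via_17, my_as=1, my_router="r1")      # came back around to AS 1
    rejected_loop = gateway_import(looped, my_as=1, policy=no_transit_42)

    via_42 = advertise(advertise(origin, 42, "r42"), 17, "r17")   # (17, 42, 67)
    rejected_policy = gateway_import(via_42, my_as=1, policy=no_transit_42)

    via_99 = advertise(advertise(origin, 99, "r99"), 17, "r17")   # (17, 99, 67): longer but allowed
    longer = gateway_import(via_99, my_as=1, policy=no_transit_42)
    best = prefer_shortest_path([r for r in (accepted, longer) if r is not None])
    return accepted, rejected_loop, rejected_policy, best


if __name__ == "__main__":
    for label, r in zip(("accepted", "loop", "policy", "best"), demo()):
        print(f"{label:9s}", "declined" if r is None else r)
```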

Why different Intra- and Inter-AS routing?

Policy:
Inter-AS: admin wants control over how its traffic is routed, who routes through its net
Intra-AS: single admin, so no policy decisions needed

Scale:
hierarchical routing saves table size, reduced update traffic

Performance:
Intra-AS: can focus on performance
Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
hosts and routers are nodes
communication channels that connect adjacent nodes along communication path are links
wired links
wireless links
LANs
layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
encapsulate datagram into frame, adding header, trailer
channel access if shared medium
"MAC" addresses used in frame headers to identify source, dest
• different from IP address

Reliable delivery between adjacent nodes:
we learned how to do this already (chapter 3)
seldom used on low bit error link (fiber, some twisted pair)
wireless links: high error rates
• Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel partitioning
divide channel into smaller "pieces" (time slots, frequency, code)
allocate piece to node for exclusive use
Random access
channel not divided, allow collisions
"recover" from collisions
"Taking turns"
nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
access to channel in "rounds"
each station gets fixed length slot (length = pkt trans time) in each round
unused slots go idle
example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
single active node can continuously transmit at full rate of channel
highly decentralized: only slots in nodes need to be in sync
simple

Cons:
collisions, wasting slots
idle slots
clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p
prob that node 1 has success in a slot = p(1−p)^(N−1)
prob that there is a success = Np(1−p)^(N−1)
For max efficiency with N nodes, find p* that maximizes Np(1−p)^(N−1)
For many nodes, take limit of Np*(1−p*)^(N−1) as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time!
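The maximization the slide leaves implicit, carried through with the slide's symbols (an added derivation, not part of the original slides):

$$
\begin{aligned}
f(p) &= N p (1-p)^{N-1} \\
f'(p) &= N (1-p)^{N-1} - N (N-1)\, p\, (1-p)^{N-2} = N (1-p)^{N-2}\,\bigl(1 - N p\bigr) \\
f'(p^*) = 0 &\;\Rightarrow\; p^* = \tfrac{1}{N} \\
f(p^*) &= \left(1 - \tfrac{1}{N}\right)^{N-1} = \frac{\left(1 - \tfrac{1}{N}\right)^{N}}{1 - \tfrac{1}{N}} \\
\lim_{N \to \infty} f(p^*) &= \frac{e^{-1}}{1} = \tfrac{1}{e} \approx 0.37
\end{aligned}
$$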

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit
If channel sensed idle: transmit entire frame
If channel sensed busy: defer transmission

Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted

(figure: spatial layout of nodes along a shared bus, with two nodes' transmissions overlapping in time)

note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
collisions detected within short time
colliding transmissions aborted, reducing channel wastage
collision detection:
easy in wired LANs: measure signal strengths, compare transmitted, received signals
difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

(figure only)

"Taking Turns" MAC protocols

Polling:
master node "invites" slave nodes to transmit in turn
concerns: polling overhead, latency, single point of failure (master)

Token passing:
control token passed from one node to next sequentially
token message
concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Question: how to determine MAC address of B knowing B's IP address?

Each IP node (host, router) on LAN has ARP table
ARP table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

(figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address
Dest MAC address = FF-FF-FF-FF-FF-FF
all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

(figure: A on one LAN, router R, B on the other LAN)

A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
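The walkthrough above as a two-LAN simulation covering both ARP slides: soft-state ARP caches with the 20-minute TTL, the broadcast query and unicast reply, and the two link-layer frames that carry one A-to-B datagram through R. This is an added example, not code from the slides; R's LAN-1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's, while every other address, MAC and LAN name is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ARP_TTL = 20 * 60                      # the slide's "typically 20 min", in seconds
BROADCAST = "FF-FF-FF-FF-FF-FF"
FrameLog = List[Tuple[str, str, str, str]]   # (LAN, src MAC, dst MAC, what the frame carries)


@dataclass
class Interface:
    ip: str
    mac: str
    lan: str
    network: ipaddress.IPv4Network
    arp: Dict[str, Tuple[str, float]] = field(default_factory=dict)   # IP -> (MAC, learned at)


@dataclass
class Node:
    name: str
    ifaces: List[Interface]
    gateway: Optional[str] = None      # default router for hosts; R is directly attached to both LANs

    def iface_on(self, lan: str) -> Optional[Interface]:
        return next((i for i in self.ifaces if i.lan == lan), None)

    def iface_toward(self, ip: str) -> Optional[Interface]:
        a = ipaddress.ip_address(ip)
        return next((i for i in self.ifaces if a in i.network), None)


def arp_resolve(iface: Interface, target_ip: str, nodes: List[Node], now: float, log: FrameLog) -> str:
    """MAC for target_ip on iface's LAN: cached soft state if still fresh, else a broadcast query."""
    cached = iface.arp.get(target_ip)
    if cached and now - cached[1] < ARP_TTL:
        return cached[0]
    log.append((iface.lan, iface.mac, BROADCAST, f"ARP query: who has {target_ip}?"))
    for n in nodes:                                  # every adapter on the LAN receives the broadcast
        other = n.iface_on(iface.lan)
        if other and other.ip == target_ip:
            other.arp[iface.ip] = (iface.mac, now)    # the target learns the asker from the query
            log.append((iface.lan, other.mac, iface.mac, f"ARP reply: {target_ip} is at {other.mac}"))
            iface.arp[target_ip] = (other.mac, now)   # cached until it times out
            return other.mac
    raise LookupError(f"nobody on {iface.lan} owns {target_ip}")


def send_datagram(src: Node, dst_ip: str, nodes: List[Node], now: float) -> FrameLog:
    """Carry one datagram from src to dst_ip, one link-layer frame per hop (the slide's walkthrough)."""
    log: FrameLog = []
    node = src
    for _ in range(8):                               # hop limit for the simulation
        out = node.iface_toward(dst_ip)
        next_ip = dst_ip if out is not None else node.gateway   # directly attached, else default router
        if next_ip is None:
            raise LookupError(f"{node.name} has no route to {dst_ip}")
        iface = out if out is not None else node.iface_toward(next_ip)
        next_mac = arp_resolve(iface, next_ip, nodes, now, log)
        log.append((iface.lan, iface.mac, next_mac, f"IP datagram {src.ifaces[0].ip} -> {dst_ip}"))
        if next_ip == dst_ip:
            return log
        node = next(n for n in nodes if any(i.mac == next_mac for i in n.ifaces))   # R decapsulates
    raise LookupError("hop limit exceeded")


def build_topology() -> List[Node]:
    """A on 111.111.111.0/24, B on 222.222.222.0/24, router R between them."""
    lan1 = ipaddress.ip_network("111.111.111.0/24")
    lan2 = ipaddress.ip_network("222.222.222.0/24")
    a = Node("A", [Interface("111.111.111.111", "02-00-00-00-00-0A", "LAN1", lan1)], gateway="111.111.111.110")
    b = Node("B", [Interface("222.222.222.222", "02-00-00-00-00-0B", "LAN2", lan2)], gateway="222.222.222.220")
    r = Node("R", [Interface("111.111.111.110", "E6-E9-00-17-BB-4B", "LAN1", lan1),
                   Interface("222.222.222.220", "02-00-00-00-00-02", "LAN2", lan2)])
    return [a, b, r]


def demo() -> Tuple[FrameLog, FrameLog, FrameLog]:
    """First send needs two ARP exchanges; a resend 1 s later hits both caches; after the TTL it asks again."""
    nodes = build_topology()
    a = nodes[0]
    return (send_datagram(a, "222.222.222.222", nodes, now=0.0),
            send_datagram(a, "222.222.222.222", nodes, now=1.0),
            send_datagram(a, "222.222.222.222", nodes, now=ARP_TTL + 5.0))


if __name__ == "__main__":
    for label, frames in zip(("first send", "resend", "after TTL"), demo()):
        print(label)
        for lan, s, d, what in frames:
            print(f"  {lan}: {s} -> {d}: {what}")
```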

Ethernet uses CSMA/CD

No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame.

2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 42: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Review (1)

Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
• The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2)

Routing in the Internet
• Hierarchical routing
• RIP
• OSPF
• BGP

Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches

Mobile and wireless networks
• CDMA
• IEEE 802.11 wireless LANs

Review (3)

What is network security?
Principles of cryptography
• Symmetric Key
• Public Key
Authentication
• Protocol evolution
Access control: firewalls
Attacks and counter measures
• Packet sniffing
• IP spoofing
• DoS attacks

Routing Algorithm classification

Global or decentralized information?
• Global: all routers have complete topology and link cost info; "link state" algorithms
• Decentralized: router knows physically-connected neighbors and link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly; periodic update, in response to link cost changes

Dijkstra's Algorithm

  Initialization:
    N = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞

  Loop
    find w not in N such that D(w) is a minimum
    add w to N
    update D(v) for all v adjacent to w and not in N:
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N

Dijkstra's algorithm example

  Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
  0     u        2,u        5,u        1,u        ∞          ∞
  1     ux       2,u        4,x                   2,x        ∞
  2     uxy      2,u        3,y                              4,y
  3     uxyv                3,y                              4,y
  4     uxyvw                                                4,y
  5     uxyvwz

[Figure: network of nodes u, v, w, x, y, z with link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5]
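The table above, reproduced in code: an added example (not from the slides) that runs the slide's pseudocode from source u and then derives the forwarding table a router would build from the predecessors. The link costs are assumed from the slide's figure.

```python
# Added example, not from the slides: Dijkstra's link-state algorithm on the slide's
# six-node network, then the forwarding table a router would derive from it.
# The link costs are assumed from the slide's figure (constructed input).
from typing import Dict, List, Tuple

INF = float("inf")

# Undirected links (a, b, c(a,b)); assumed from the figure.
LINKS = [("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2), ("v", "w", 3),
         ("x", "w", 3), ("x", "y", 1), ("w", "y", 1), ("w", "z", 5), ("y", "z", 2)]

Graph = Dict[str, Dict[str, int]]


def build_graph(links) -> Graph:
    g: Graph = {}
    for a, b, c in links:
        g.setdefault(a, {})[b] = c
        g.setdefault(b, {})[a] = c
    return g


def dijkstra(graph: Graph, u: str) -> Tuple[Dict[str, float], Dict[str, str], List[List[str]]]:
    """Run the slide's pseudocode from source u.

    Returns D (least cost to each node), p (predecessor on that path) and the
    contents of N after each step, so the run can be checked against the table."""
    D = {v: INF for v in graph}
    p: Dict[str, str] = {}
    D[u] = 0
    # Initialization: N = {u}; D(v) = c(u,v) for neighbours of u, ∞ otherwise.
    for v, c in graph[u].items():
        D[v] = c
        p[v] = u
    N = [u]
    steps = [list(N)]
    # Loop until all nodes are in N.
    while len(N) < len(graph):
        candidates = [v for v in graph if v not in N and D[v] < INF]
        if not candidates:            # remaining nodes are unreachable from u
            break
        w = min(candidates, key=lambda v: D[v])   # w not in N with minimum D(w)
        N.append(w)
        for v, c in graph[w].items():             # relax the links out of w
            if v not in N and D[w] + c < D[v]:
                D[v] = D[w] + c                   # shorter path via w
                p[v] = w
        steps.append(list(N))
    return D, p, steps


def forwarding_table(p: Dict[str, str], u: str) -> Dict[str, str]:
    """Next hop from u to every reachable destination, read off the predecessor chain."""
    table = {}
    for dest in p:
        hop = dest
        while p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, steps = dijkstra(build_graph(LINKS), "u")
    for i, n in enumerate(steps):
        print("step", i, "N =", "".join(n))
    print("D:", D)
    print("next hop from u:", forwarding_table(p, "u"))
```

The final costs and predecessors match the last column of the slide's table; ties (v and y both at cost 2 in step 2) may be taken in a different order without changing the result.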

Distance vector algorithm (1)

Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F (Bellman-Ford) equation:

  Dx(y) ← min_v { c(x,v) + Dv(y) }  for each node y ∊ N

• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor

Distributed:
• each node notifies neighbors only when its DV changes
• neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path – it only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

[Figure: three-node network x, y, z with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7; each node's table over time]

  node x table          node y table          node z table
  cost to               cost to               cost to
       x  y  z               x  y  z               x  y  z
  from x  0  2  7      from x  ∞  ∞  ∞      from x  ∞  ∞  ∞
  from y  ∞  ∞  ∞      from y  2  0  1      from y  ∞  ∞  ∞
  from z  ∞  ∞  ∞      from z  ∞  ∞  ∞      from z  7  1  0

  (after first exchange)
  from x  0  2  3      from x  0  2  7      from x  0  2  7
  from y  2  0  1      from y  2  0  1      from y  2  0  1
  from z  7  1  0      from z  7  1  0      from z  3  1  0

  (after second exchange)
  from x  0  2  3      from x  0  2  3      from x  0  2  3
  from y  2  0  1      from y  2  0  1      from y  2  0  1
  from z  3  1  0      from z  3  1  0      from z  3  1  0
                                                      → time

Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2

Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
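The same three-node run as code: an added example (not from the slides) that applies the Bellman-Ford update in synchronous rounds, with nodes notifying neighbors only when their DV changes. The round structure is a construction for the example.

```python
# Added example, not from the slides: the distance-vector algorithm run on the slide's
# three-node network (c(x,y)=2, c(x,z)=7, c(y,z)=1) in synchronous rounds until no
# node's DV changes. The round structure is a construction for the example.
from typing import Dict, List, Tuple

INF = float("inf")

# Link costs, constructed from the slide's figure.
LINK_COST = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}
NODES = ["x", "y", "z"]

DV = Dict[str, float]           # destination -> cost


def c(a: str, b: str) -> float:
    """Direct link cost c(a,b): 0 to itself, ∞ if there is no link."""
    if a == b:
        return 0
    return LINK_COST.get((a, b), LINK_COST.get((b, a), INF))


def neighbors(x: str) -> List[str]:
    return [v for v in NODES if v != x and c(x, v) < INF]


def initial_table(x: str) -> Dict[str, DV]:
    """Node x's table: its own DV (direct costs) plus unknown (∞) DVs of its neighbours."""
    table = {x: {y: c(x, y) for y in NODES}}
    for v in neighbors(x):
        table[v] = {y: INF for y in NODES}
    return table


def bellman_ford_update(x: str, table: Dict[str, DV]) -> bool:
    """Dx(y) <- min_v { c(x,v) + Dv(y) } for each y. Returns True if Dx changed."""
    new_dv: DV = {}
    for y in NODES:
        best = c(x, y)
        for v in neighbors(x):
            best = min(best, c(x, v) + table[v][y])
        new_dv[y] = best
    changed = new_dv != table[x]
    table[x] = new_dv
    return changed


def run_distance_vector() -> Tuple[Dict[str, DV], int]:
    """Each round: nodes with a changed DV send it to neighbours, everyone recomputes.
    Returns the converged DVs and the number of rounds taken."""
    tables = {x: initial_table(x) for x in NODES}
    pending = set(NODES)          # every node announces its DV at the start
    rounds = 0
    while pending:
        rounds += 1
        for sender in pending:                       # deliver DV update messages
            for v in neighbors(sender):
                tables[v][sender] = dict(tables[sender][sender])
        # recompute; only nodes whose DV changed notify their neighbours next round
        pending = {x for x in NODES if bellman_ford_update(x, tables[x])}
    return {x: tables[x][x] for x in NODES}, rounds


if __name__ == "__main__":
    dvs, rounds = run_distance_vector()
    for x in NODES:
        print("D%s =" % x, dvs[x])
    print("converged after", rounds, "rounds")
```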

The Internet Network layer

Host, router network layer functions:

  Transport layer: TCP, UDP

  Network layer:
    • Routing protocols: path selection; RIP, OSPF, BGP
    • IP protocol: addressing conventions, datagram format, packet handling conventions
    • forwarding table
    • ICMP protocol: error reporting, router "signaling"

  Link layer

  physical layer

IP datagram format

                               32 bits
  +-----+-------+------------------+------------------------------+
  | ver | head  | type of service  | length                       |
  |     | len   |                  |                              |
  +-----+-------+------------------+------+-----------------------+
  | 16-bit identifier              | flgs | fragment offset       |
  +-----------------+--------------+------+-----------------------+
  | time to live    | upper layer  | Internet checksum            |
  +-----------------+--------------+------------------------------+
  |                  32 bit source IP address                     |
  +---------------------------------------------------------------+
  |                  32 bit destination IP address                |
  +---------------------------------------------------------------+
  |                  Options (if any)                             |
  +---------------------------------------------------------------+
  |                  data (variable length,                       |
  |                  typically a TCP or UDP segment)              |
  +---------------------------------------------------------------+

• ver: IP protocol version number
• head len: header length (bytes)
• type of service: "type" of data
• length: total datagram length (bytes)
• 16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
• time to live: max number remaining hops (decremented at each router)
• upper layer: upper layer protocol to deliver payload to
• Options (if any): e.g. timestamp, record route taken, specify list of routers to visit

how much overhead with TCP?
• 20 bytes of TCP
• 20 bytes of IP
• = 40 bytes + app layer overhead
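A parser for the header laid out above, as an added example that is not from the slides: it unpacks the fields, verifies the Internet checksum, and applies the per-router TTL decrement. The sample datagram is constructed here; 223.1.1.1 and 223.1.2.9 are interface addresses taken from the addressing slides.

```python
# Added example, not from the slides: a parser for the IPv4 header laid out on the slide,
# with Internet checksum verification and the per-router TTL decrement. The sample
# datagram is constructed here; 223.1.1.1 and 223.1.2.9 are interface addresses from
# the addressing slides.
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    header_len: int      # bytes
    tos: int             # type of service
    total_len: int       # bytes, header + data
    identifier: int
    flags: int           # 3 bits
    frag_offset: int     # in 8-byte units
    ttl: int             # max remaining hops
    protocol: int        # upper layer protocol: 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str
    options: bytes


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> IPv4Header:
    if len(pkt) < 20:
        raise ValueError("datagram shorter than the fixed 20-byte header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or header_len > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    # A header with a correct checksum sums (checksum field included) to 0xFFFF,
    # so recomputing over the whole header must give 0.
    if internet_checksum(pkt[:header_len]) != 0:
        raise ValueError("bad header checksum")
    return IPv4Header(version, header_len, tos, total_len, ident,
                      flags_frag >> 13, flags_frag & 0x1FFF, ttl, proto, csum,
                      ".".join(map(str, src)), ".".join(map(str, dst)),
                      pkt[20:header_len])


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal header (no options, DF flag set) with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0b010 << 13, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def forward_hop(pkt: bytes) -> bytes:
    """What each router does to the header: decrement TTL, recompute the checksum.
    Raises when TTL is exhausted (the router discards the datagram instead)."""
    hdr = parse_ipv4_header(pkt)
    if hdr.ttl <= 1:
        raise ValueError("TTL exceeded: discard datagram")
    out = bytearray(pkt)
    out[8] = hdr.ttl - 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", internet_checksum(bytes(out[:hdr.header_len])))
    return bytes(out)
```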

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface

interface: connection between host/router and physical link
• routers typically have multiple interfaces
• host may have multiple interfaces
• IP addresses associated with each interface

[Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27 on three subnets joined by a router]

  223.1.1.1 = 11011111 00000001 00000001 00000001
                 223       1        1        1

Subnets

IP address:
• subnet part (high order bits)
• host part (low order bits)

What's a subnet?
• device interfaces with same subnet part of IP address
• can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (LANs): 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4 | 223.1.2.9, 223.1.2.2, 223.1.2.1 | 223.1.3.2, 223.1.3.1, 223.1.3.27]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks)

CIDR: Classless InterDomain Routing
• subnet portion of address of arbitrary length
• address format: a.b.c.d/x, where x is # bits in subnet portion of address

       subnet part              host part
  11001000 00010111 0001000 | 0 00000000
          200.23.16.0/23
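CIDR arithmetic on the slide's own values, as an added example (not from the slides): splitting an address into its subnet and host part, testing membership in a.b.c.d/x, and the longest-prefix-match lookup a forwarding table performs on such prefixes.

```python
# Added example, not from the slides: CIDR arithmetic on the slide's values
# (223.1.1.1 and 200.23.16.0/23): subnet/host split, membership test, and the
# longest-prefix-match lookup a forwarding table performs on such prefixes.
from typing import List, Optional, Tuple


def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """The slide's notation: 223.1.1.1 = 11011111 00000001 00000001 00000001."""
    return " ".join(format(int(o), "08b") for o in addr.split("."))


def prefix_mask(x: int) -> int:
    """32-bit mask with the high-order x bits set."""
    if not 0 <= x <= 32:
        raise ValueError("prefix length out of range")
    return (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF


def parse_cidr(prefix: str) -> Tuple[int, int]:
    """'a.b.c.d/x' -> (network number with host bits cleared, x)."""
    addr, _, bits = prefix.partition("/")
    x = int(bits)
    return ip_to_int(addr) & prefix_mask(x), x


def split(addr: str, x: int) -> Tuple[str, str]:
    """Subnet part (high-order x bits) and host part (remaining 32-x bits) as bit strings."""
    b = format(ip_to_int(addr), "032b")
    return b[:x], b[x:]


def in_subnet(addr: str, prefix: str) -> bool:
    net, x = parse_cidr(prefix)
    return ip_to_int(addr) & prefix_mask(x) == net


def longest_prefix_match(addr: str, prefixes: List[str]) -> Optional[str]:
    """Forwarding-table lookup: the most specific (longest) matching prefix wins."""
    best, best_len = None, -1
    for p in prefixes:
        if in_subnet(addr, p):
            _, x = parse_cidr(p)
            if x > best_len:
                best, best_len = p, x
    return best


if __name__ == "__main__":
    print(to_binary("223.1.1.1"))
    print(split("200.23.16.0", 23))
    print(longest_prefix_match("223.1.3.27", ["223.1.0.0/16", "223.1.3.0/24", "0.0.0.0/0"]))
```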

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router whose LAN side is 10.0.0.4 and WAN side 138.76.29.7, connected to the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
  WAN side addr         LAN side addr
  138.76.29.7, 5001     10.0.0.1, 3345
  ……                    ……
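The four steps replayed against a minimal translation table, as an added example (not from the slides). The port allocation and the dropping of inbound datagrams that match no table entry are assumptions of the example.

```python
# Added example, not from the slides: a minimal NAT translation table that replays the
# slide's four steps (10.0.0.1:3345 -> 128.119.40.186:80 rewritten to 138.76.29.7:5001
# and back). Sequential port choice and the refusal of inbound datagrams with no table
# entry are assumptions of the example.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass(frozen=True)
class Datagram:
    src: Endpoint
    dst: Endpoint


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        # WAN side (wan_ip, port) <-> LAN side (lan_ip, port)
        self.wan_to_lan: Dict[Endpoint, Endpoint] = {}
        self.lan_to_wan: Dict[Endpoint, Endpoint] = {}

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite the source to (WAN IP, port), adding a table entry if needed."""
        if d.src not in self.lan_to_wan:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.lan_to_wan[d.src] = wan
            self.wan_to_lan[wan] = d.src
        return replace(d, src=self.lan_to_wan[d.src])

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Step 4: map (WAN IP, port) back to the LAN host.  A datagram whose
        destination port has no table entry was not requested from inside: drop it."""
        lan = self.wan_to_lan.get(d.dst)
        if lan is None:
            return None
        return replace(d, dst=lan)


def replay_slide_exchange():
    """Steps 1-4 of the slide; returns the rewritten datagrams and the router."""
    nat = NatRouter("138.76.29.7")
    step1 = Datagram(("10.0.0.1", 3345), ("128.119.40.186", 80))
    step2 = nat.outbound(step1)
    step3 = Datagram(step2.dst, step2.src)      # the server replies to what it saw
    step4 = nat.inbound(step3)
    return step2, step4, nat


if __name__ == "__main__":
    s2, s4, nat = replay_slide_exchange()
    print("leaving NAT:", s2)
    print("delivered:  ", s4)
    print("table:", nat.wan_to_lan)
```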

Hierarchical Routing

Our routing study thus far – idealization: all routers identical, network "flat"… not true in practice

scale: with 200 million destinations:
• can't store all dest's in routing tables!
• routing table exchange would swamp links!

administrative autonomy
• internet = network of networks
• each network admin may want to control routing in its own network

Hierarchical Routing

• aggregate routers into regions, "autonomous systems" (AS)
• routers in same AS run same routing protocol
  • "intra-AS" routing protocol
  • routers in different AS can run different intra-AS routing protocol

Gateway router: direct link to router in another AS

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); inside a router, the intra-AS routing algorithm and the inter-AS routing algorithm together fill the forwarding table]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm
• Intra-AS sets entries for internal dests
• Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

• Distance vector algorithm
• Included in BSD-UNIX Distribution in 1982
• Distance metric: # of hops (max = 15 hops)
  • # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

[Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z]

  destination  hops
  u            1
  v            2
  w            2
  x            3
  y            3
  z            2

RIP advertisements

• Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
• Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

• "open": publicly available
• Uses Link State algorithm
  • LS packet dissemination
  • Topology map at each node
  • Route computation using Dijkstra's algorithm
  • Link costs configured by the network administrator
• OSPF advertisement carries one entry per neighbor router
• Advertisements disseminated to entire AS (via flooding)
  • Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

• Security: all OSPF messages authenticated (to prevent malicious intrusion)
• Multiple same-cost paths allowed (only one path in RIP)
• For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
• Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
• Hierarchical OSPF in large domains

Hierarchical OSPF

• Two-level hierarchy: local area, backbone
  • Link-state advertisements only in area
  • each node has detailed area topology
• Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
• Backbone routers: run OSPF routing limited to backbone
• Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

• Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  • Note that BGP sessions do not correspond to physical links
• When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  • AS2 can aggregate prefixes in its advertisement

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers within an AS]

Path attributes & BGP routes

• When advertising a prefix, advert includes BGP attributes
  • prefix + attributes = "route"
• Two important attributes:
  • AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  • NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)
• When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
• Inter-AS: admin wants control over how its traffic routed, who routes through its net
• Intra-AS: single admin, so no policy decisions needed

Scale:
• hierarchical routing saves table size, reduced update traffic

Performance:
• Intra-AS: can focus on performance
• Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links
  • wired links
  • wireless links
  • LANs
• layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

• Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest
    • different from IP address!
• Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit error link (fiber, some twisted pair)
  • wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
• Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
• "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
• access to channel in "rounds"
• each station gets fixed length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple

Cons
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time!

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
• If channel sensed idle: transmit entire frame
• If channel sensed busy, defer transmission

Human analogy: don't interrupt others!

CSMA collisions

• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted

[Figure: spatial layout of nodes along the bus and the propagation of their overlapping transmissions]

note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel wastage

collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted, received signals
• difficult in wireless LANs: receiver shut off while transmitting

[Figure: CSMA/CD collision detection, colliding transmissions aborted shortly after they overlap]

"Taking Turns" MAC protocols

Polling:
• master node "invites" slave nodes to transmit in turn
• concerns:
  • polling overhead
  • latency
  • single point of failure (master)

Token passing:
• control token passed from one node to next sequentially
• token message
• concerns:
  • token overhead
  • latency
  • single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table

ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
• TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

• A wants to send datagram to B, and B's MAC address not in A's ARP table
• A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
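The query/reply exchange and the soft-state table above, as an added example that is not from the slides. It adds one safeguard of its own: a reply is cached only for an IP this node actually has a query outstanding for. The IP/MAC pairings are built from the figure's values, paired arbitrarily.

```python
# Added example, not from the slides: an ARP table with the soft-state behaviour the
# slides describe. Entries are learned from replies and forgotten after a TTL (20 min);
# as an added safeguard, a reply is only cached for an IP this node has actually queried.
# The IP/MAC pairings are constructed from the slide's figure values (paired arbitrarily).
from typing import Dict, Optional, Set, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL_S = 20 * 60        # "typically 20 min"


class ArpNode:
    def __init__(self, ip: str, mac: str, ttl: float = ARP_TTL_S):
        self.ip, self.mac, self.ttl = ip, mac, ttl
        self.table: Dict[str, Tuple[str, float]] = {}   # IP -> (MAC, expiry time)
        self.pending: Set[str] = set()                   # IPs we have a query out for

    def lookup(self, ip: str, now: float) -> Optional[str]:
        """Cached MAC for ip, or None; expired entries are forgotten on access."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if now >= expiry:                 # soft state: times out unless refreshed
            del self.table[ip]
            return None
        return mac

    def resolve(self, ip: str, now: float):
        """Return the cached MAC, or the broadcast ARP query (a dict) to send for it."""
        mac = self.lookup(ip, now)
        if mac is not None:
            return mac
        self.pending.add(ip)
        return {"op": "request", "dst_mac": BROADCAST, "src_mac": self.mac,
                "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": ip}

    def on_request(self, req: dict) -> Optional[dict]:
        """B's side: answer (unicast to A) only if the query is for our own IP."""
        if req["op"] != "request" or req["target_ip"] != self.ip:
            return None
        return {"op": "reply", "dst_mac": req["src_mac"], "src_mac": self.mac,
                "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": req["sender_ip"]}

    def on_reply(self, reply: dict, now: float) -> bool:
        """A's side: cache the (IP, MAC) pair, but only from a reply we asked for."""
        if reply["op"] != "reply" or reply["dst_mac"] != self.mac:
            return False
        if reply["sender_ip"] not in self.pending:
            return False                  # unsolicited reply: not learned
        self.pending.discard(reply["sender_ip"])
        self.table[reply["sender_ip"]] = (reply["sender_mac"], now + self.ttl)
        return True


def same_lan_exchange(a: "ArpNode", b: "ArpNode", now: float) -> Optional[str]:
    """The slide's sequence: A broadcasts a query for B, B replies, A caches."""
    q = a.resolve(b.ip, now)
    if isinstance(q, str):
        return q                          # already cached, no query needed
    reply = b.on_request(q)
    if reply is None or not a.on_reply(reply, now):
        return None
    return a.lookup(b.ip, now)


if __name__ == "__main__":
    a = ArpNode("237.196.7.23", "1A-2F-BB-76-09-AD")
    b = ArpNode("237.196.7.78", "58-23-D7-FA-20-B0")
    print("A learns B's MAC:", same_lan_exchange(a, b, now=0.0))
    print("still cached after 10 min:", a.lookup(b.ip, now=600.0))
    print("after 20 min:", a.lookup(b.ip, now=1200.0))
```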

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: host A, router R, host B]

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load
  • heavy load: random wait will be longer
• first collision: choose K from {0,1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0,1,2,3}…
• after ten collisions, choose K from {0,1,2,3,4,…,1023}

CSMA/CD efficiency

Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 · tprop / ttrans)

• Efficiency goes to 1 as tprop goes to 0
• Goes to 1 as ttrans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap
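The quantities from the slotted ALOHA efficiency, Ethern­et exponential backoff and CSMA/CD efficiency slides, computed in one added example (not from the slides). Capping the backoff window at 2^10 after the tenth collision follows the slide; the seeded backoff simulation is a construction for the example.

```python
# Added example, not from the slides: the numbers behind the MAC-efficiency slides:
# slotted ALOHA efficiency Np(1-p)^(N-1), Ethernet's exponential backoff (K * 512 bit
# times, 0.1 microsecond bit time at 10 Mbps) and CSMA/CD efficiency 1/(1 + 5 tprop/ttrans).
# Capping the backoff window at 2^10 after the tenth collision follows the slide;
# the seeded simulation is a construction for the example.
import random

BIT_TIME_S = 0.1e-6      # 10 Mbps Ethernet: 0.1 microseconds per bit
SLOT_BITS = 512          # backoff unit: K * 512 bit times
MAX_EXPONENT = 10        # after ten collisions K is drawn from {0, ..., 1023}


def slotted_aloha_efficiency(n: int, p: float) -> float:
    """Probability that exactly one of n nodes transmits in a slot: N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def best_aloha_p(n: int) -> float:
    """The p (on a 0.001 grid) that maximises the success probability for n nodes."""
    return max((k / 1000 for k in range(1, 1000)),
               key=lambda p: slotted_aloha_efficiency(n, p))


def backoff_range(m: int) -> range:
    """K values after the m-th collision: {0, 1, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return range(2 ** min(m, MAX_EXPONENT))


def wait_time_s(k: int) -> float:
    """K * 512 bit times, in seconds."""
    return k * SLOT_BITS * BIT_TIME_S


def simulate_backoff(collisions: int, seed: int = 0) -> float:
    """Total backoff an adapter waits if it collides `collisions` times in a row."""
    rng = random.Random(seed)
    return sum(wait_time_s(rng.choice(backoff_range(m)))
               for m in range(1, collisions + 1))


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """Long-run fraction of time the channel carries useful data."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    print("ALOHA, 1000 nodes, p = 1/1000:", slotted_aloha_efficiency(1000, 0.001))
    print("max wait after 10 collisions (s):", wait_time_s(1023))
    print("CSMA/CD efficiency, tprop/ttrans = 0.01:", csma_cd_efficiency(0.01, 1.0))
```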

Hubs

Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality
  • can disconnect a malfunctioning adapter

[Figure: hub with twisted pair links to its nodes]

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance btw nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: three hubs connected through a backbone hub]

Switch

Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent
• hosts are unaware of presence of switches

plug-and-play, self-learning
• switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem…

[Figure: switch with interfaces 1, 2 and 3, each connected to a hub]

Self learning

• A switch has a switch table
• entry in switch table: (MAC Address, Interface, Time Stamp)
• stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces
  • when frame received, switch "learns" location of sender: incoming LAN segment
  • records sender/location pair in switch table

Switch: traffic isolation

• switch installation breaks subnet into LAN segments
• switch filters packets:
  • same-LAN-segment frames not usually forwarded onto other LAN segments
  • segments become separate collision domains

[Figure: switch connected to three hubs, each hub and its nodes forming a separate collision domain]

Switches vs Routers

• both store-and-forward devices
  • routers: network layer devices (examine network layer headers)
  • switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                     hubs   switches   routers
  traffic isolation  no     yes        yes
  plug & play        yes    yes        no
  optimal routing    no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
  means A, C unaware of their interference at B

[Figure: A, B and C laid out in space, with A's signal strength and C's signal strength both reaching B but not each other]

Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN

802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
• widely deployed, using base stations

802.11a
• 5-6 GHz range
• up to 54 Mbps

802.11g
• 2.4-5 GHz range
• up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
  • ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with its own AP, joined by a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP and the RTS(A), RTS(B) frames collide (reservation collision); the AP answers CTS(A), A sends DATA(A), the AP returns ACK(A), and B defers for the duration]

802.11 frame

  frame   duration  address  address  address  seq      address  payload   CRC
  control           1        2        3        control  4
  2       2         6        6        6        2        6        0 - 2312  4     (bytes)

802.11 frame: addressing

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

[Figure: Internet router R1, AP, wireless host H1]

  802.11 frame:  address 1 = AP MAC addr   address 2 = H1 MAC addr   address 3 = R1 MAC addr
  802.3 frame:   dest address = R1 MAC addr   source address = AP MAC addr
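A parser for the 802.11 MAC header laid out above, as an added example that is not from the slides: it decodes the frame control bits, extracts the three addresses, and names them for a host-to-AP or AP-to-host frame in infrastructure mode. That address 4 is present only when both the To DS and From DS bits are set is taken here from the 802.11 frame format; the sample frames and MAC addresses are constructed.

```python
# Added example, not from the slides: parse the 802.11 data-frame MAC header laid out
# on the slide (frame control 2, duration 2, address 1/2/3 6 each, seq control 2,
# optional address 4) and name the three addresses for an infrastructure-mode frame.
# Address 4 is present only when To DS and From DS are both set (802.11 frame format).
# The sample frame bytes and MAC addresses are constructed here.
import struct
from dataclasses import dataclass
from typing import Optional


def mac_str(b: bytes) -> str:
    return "-".join("%02X" % x for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split("-"))


@dataclass
class Dot11Header:
    frame_type: int         # 0 = management, 1 = control, 2 = data
    subtype: int
    to_ds: bool
    from_ds: bool
    duration: int
    addr1: str              # receiver of this frame
    addr2: str              # transmitter of this frame
    addr3: str
    seq_ctrl: int
    addr4: Optional[str]    # only when To DS and From DS are both set
    header_len: int


def parse_dot11(frame: bytes) -> Dot11Header:
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte base header")
    fc, duration = struct.unpack("<HH", frame[:4])    # 802.11 fields are little-endian
    frame_type = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    to_ds = bool(fc & 0x0100)
    from_ds = bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl, = struct.unpack("<H", frame[22:24])
    addr4, hlen = None, 24
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("four-address frame truncated")
        addr4, hlen = mac_str(frame[24:30]), 30
    return Dot11Header(frame_type, subtype, to_ds, from_ds, duration,
                       mac_str(a1), mac_str(a2), mac_str(a3), seq_ctrl, addr4, hlen)


def describe_addresses(h: Dot11Header) -> dict:
    """Map the slide's roles onto the header for a host<->AP frame in infrastructure mode."""
    if h.to_ds and not h.from_ds:          # wireless host -> AP
        return {"ap": h.addr1, "wireless_host": h.addr2, "router_interface": h.addr3}
    if h.from_ds and not h.to_ds:          # AP -> wireless host
        return {"wireless_host": h.addr1, "ap": h.addr2, "router_interface": h.addr3}
    raise ValueError("not a simple infrastructure-mode frame")


def build_data_frame(to_ds: bool, from_ds: bool, a1: str, a2: str, a3: str,
                     payload: bytes, seq: int = 0) -> bytes:
    """Assemble a data frame header (type 2) followed by the payload; no CRC appended."""
    fc = (2 << 2) | (0x0100 if to_ds else 0) | (0x0200 if from_ds else 0)
    return (struct.pack("<HH", fc, 0) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
            + struct.pack("<H", seq << 4) + payload)


if __name__ == "__main__":
    AP, H1, R1 = "00-0A-0A-0A-0A-01", "00-11-22-33-44-55", "00-99-88-77-66-55"
    frame = build_data_frame(True, False, AP, H1, R1, b"datagram", seq=7)
    hdr = parse_dot11(frame)
    print(hdr)
    print(describe_addresses(hdr))
```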

Network Security

What is network security?
Principles of cryptography
• Symmetric Key
• Public Key
Authentication
• Protocol evolution
Access control: firewalls
Attacks and counter measures
• Packet sniffing
• IP spoofing
• DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 43: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Review (2) Routing in the Internet

bull Hierarchical routingbull RIPbull OSPFbull BGP

Data link layer Introduction and services Error detection and correction Multiple access protocols

bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols

Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs

Review (3) What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

Routing Algorithm classification

Global or decentralized information

Global all routers have complete

topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-

connected neighbors link costs to neighbors

iterative process of computation exchange of info with neighbors

ldquodistance vectorrdquo algorithms

Static or dynamicStatic routes change slowly

over timeDynamic routes change more

quickly periodic update in response to link

cost changes

Dijsktrarsquos Algorithm

1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N

Dijkstrarsquos algorithm example

Step012345

Nu

uxuxy

uxyvuxyvw

uxyvwz

D(v)p(v)2u2u2u

D(w)p(w)5u4x3y3y

D(x)p(x)1u

D(y)p(y)infin

2x

D(z)p(z)infin infin

4y4y4y

u

yx

wv

z2

2

13

1

1

2

53

5

Distance vector algorithm (1)

Basic idea Each node periodically sends its own distance

vector estimate to neighbors When a node x receives new DV estimate from

neighbor it updates its own DV using B-F equation

Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N

Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative asynchronous each local iteration caused by

local link cost change DV update message from

neighborDistributed each node notifies

neighbors only when its DV changes neighbors then notify

their neighbors if necessary

The algorithm doesnrsquot know the entire path ndash only knows the next hop

wait for (change in local link cost of msg from neighbor)

recompute estimates

if DV to any dest has

changed notify neighbors

Each node

x y z

xyz

0 2 7

infin infin infininfin infin infin

from

cost to

from

from

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 3

from

cost to

x y z

xyz

infin infin

infin infin infin

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

0 2 3

from

cost to

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

infin infin infin7 1 0

cost to

infin2 0 1

infin infin infin

2 0 17 1 0

2 0 17 1 0

2 0 13 1 0

2 0 13 1 0

2 0 1

3 1 0

2 0 1

3 1 0

time

x z12

7

y

node x table

node y table

node z table

Dx(y) = minc(xy) + Dy(y) c(xz) + Dz(y) = min2+0 7+1 = 2

Dx(z) = minc(xy) + Dy(z) c(xz) + Dz(z) = min2+1 7+0 = 3

The Internet Network layer

forwardingtable

Host router network layer functions

Routing protocolsbullpath selectionbullRIP OSPF BGP

IP protocolbulladdressing conventionsbulldatagram formatbullpacket handling conventions

ICMP protocolbullerror reportingbullrouter ldquosignalingrdquo

Transport layer TCP UDP

Link layer

physical layer

Networklayer

IP datagram format

ver length

32 bits

data (variable lengthtypically a TCP

or UDP segment)

16-bit identifier

Internet checksum

time tolive

32 bit source IP address

IP protocol versionnumber

header length (bytes)

max numberremaining hops

(decremented at each router)

forfragmentationreassembly

total datagramlength (bytes)

upper layer protocolto deliver payload to

headlen

type ofservice

ldquotyperdquo of data flgsfragment

offsetupper layer

32 bit destination IP address

Options (if any) Eg timestamprecord routetaken specifylist of routers to visit

how much overhead with TCP

20 bytes of TCP 20 bytes of IP = 40 bytes + app

layer overhead

IP Addressing introduction IP address 32-bit

identifier for host router interface

interface connection between hostrouter and physical link routerrsquos typically have

multiple interfaces host may have

multiple interfaces IP addresses

associated with each interface

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

223111 = 11011111 00000001 00000001 00000001

223 1 11

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing
Aggregate routers into regions, "autonomous systems" (ASes).
Routers in the same AS run the same routing protocol, the "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols.
Gateway router: has a direct link to a router in another AS.
Figure: three interconnected ASes. AS1 contains routers 1a, 1b, 1c and 1d; AS2 contains 2a, 2b and 2c; AS3 contains 3a, 3b and 3c. Gateway routers link the ASes to each other. Inside a router, the intra-AS routing algorithm and the inter-AS routing algorithm together fill in the forwarding table.

Interconnected ASes
The forwarding table is configured by both the intra- and the inter-AS routing algorithm: the intra-AS algorithm sets entries for internal destinations; the inter-AS and intra-AS algorithms together set entries for external destinations.

Routing in the Internet
Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)
Distance vector algorithm. Included in the BSD-UNIX distribution in 1982.
Distance metric: number of hops (max = 15 hops), where the number of hops is the number of subnets traversed along the shortest path from the source router to the destination subnet.
Example: routers A, B, C, D and subnets u, v, w, x, y, z (source = A):
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements
Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).
Each advertisement lists up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)
"Open": publicly available. Uses a link state algorithm: LS packet dissemination, a topology map at each node, route computation using Dijkstra's algorithm. Link costs are configured by the network administrator.
An OSPF advertisement carries one entry per neighbor router. Advertisements are disseminated to the entire AS (via flooding) and carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)
Security: all OSPF messages can be authenticated, to keep an attacker from injecting routing information. (Authentication is a per-interface configuration option with null, plaintext-password and keyed-hash variants; only the keyed-hash variant stops an attacker who can observe the link.)
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g. a satellite link's cost set "low" for best effort, high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF.
Hierarchical OSPF in large domains.

Hierarchical OSPF
Two-level hierarchy: local areas and a backbone. Link-state advertisements stay within an area; each node has the detailed topology of its own area only.
Area border routers "summarize" distances to nets in their own area and advertise them to other area border routers.
Backbone routers run OSPF routing limited to the backbone.
Boundary routers connect to other ASes.

Internet inter-AS routing: BGP
BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics
Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.
Figure: the three ASes from the hierarchical routing figure (AS1: 1a, 1b, 1c, 1d; AS2: 2a, 2b, 2c; AS3: 3a, 3b, 3c). eBGP sessions run between gateway routers of different ASes; iBGP sessions run between routers inside one AS.

Path attributes & BGP routes
When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".
Two important attributes:
AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17.
NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
When a gateway router receives a route advert, it uses import policy to accept or decline it.
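An import policy applied to incoming route adverts, then a choice among the accepted routes, as an added Python example that is not part of the lecture slides. AS-PATH, NEXT-HOP and the AS numbers 67 and 17 come from the slide; the Route type, the particular policy rules (own AS in the path, leftmost AS must be the peer, prefix too specific, private space), the local AS number 1, the sample prefixes and the next-hop addresses are assumptions made for this illustration. The rule "prefer the shortest AS-PATH" is standard BGP practice rather than something the slide states.

```python
# Added example (not from the lecture slides): applying an import policy to BGP
# route adverts and picking a route per prefix. AS-PATH, NEXT-HOP and the ASes
# 67 and 17 come from the slide. The Route type, the particular policy rules, the
# local AS number 1, the prefixes and the next-hop addresses (documentation
# ranges) are this page's own constructed example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "138.16.64.0/22"
    as_path: Tuple[int, ...]    # ASes the advert passed through, nearest neighbour first
    next_hop: str               # router through which the next-hop AS is reached


def import_policy(route: Route, my_as: int, peer_as: int, max_prefix_len: int = 24) -> Optional[str]:
    """Return None to accept the advert, or the reason it is declined."""
    if my_as in route.as_path:
        return "own AS already in AS-PATH (routing loop)"
    if not route.as_path or route.as_path[0] != peer_as:
        return f"leftmost AS in AS-PATH is not the peer's AS {peer_as}"
    try:
        net = ipaddress.ip_network(route.prefix)      # strict: host bits must be zero
    except ValueError:
        return "malformed prefix"
    if net.prefixlen > max_prefix_len:
        return f"prefix more specific than /{max_prefix_len}"
    if net.is_private:
        return "private address space must not be routed globally"
    return None


def select_routes(my_as: int, adverts: List[Tuple[int, Route]]):
    """adverts: (peer AS, route) pairs. Returns ({prefix: chosen route}, [(route, reason)])."""
    accepted: Dict[str, List[Route]] = {}
    declined: List[Tuple[Route, str]] = []
    for peer_as, route in adverts:
        reason = import_policy(route, my_as, peer_as)
        if reason is not None:
            declined.append((route, reason))
        else:
            accepted.setdefault(route.prefix, []).append(route)
    # among accepted routes to the same prefix prefer the shortest AS-PATH; tie-break on NEXT-HOP
    best = {p: min(rs, key=lambda r: (len(r.as_path), r.next_hop)) for p, rs in accepted.items()}
    return best, declined


# constructed adverts as seen by AS 1 from its eBGP peers AS 67 and AS 23
SAMPLE_ADVERTS = [
    (67, Route("138.16.64.0/22", (67, 17), "198.51.100.1")),
    (23, Route("138.16.64.0/22", (23, 45, 17), "203.0.113.1")),   # longer path, loses
    (67, Route("138.16.64.0/22", (67, 1, 17), "198.51.100.1")),   # our own AS 1 in the path
    (67, Route("138.16.64.0/25", (67, 17), "198.51.100.1")),      # too specific
    (67, Route("10.0.0.0/8", (67,), "198.51.100.1")),             # private space
    (67, Route("138.16.68.0/22", (99, 17), "198.51.100.1")),      # AS-PATH does not start with peer
]

if __name__ == "__main__":
    best, declined = select_routes(1, SAMPLE_ADVERTS)
    print(best)
    for r, why in declined:
        print(r.prefix, r.as_path, "->", why)
```

The own-AS check is BGP's loop prevention; the other three rules are the kind of filters an operator adds because an advert is only a promise by the peer, not proof that the peer actually owns or can reach the prefix.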

Why different intra- and inter-AS routing?
Policy: inter-AS, the admin wants control over how its traffic is routed and over who routes through its net; intra-AS, a single admin, so no policy decisions are needed.
Scale: hierarchical routing saves table size and reduces update traffic.
Performance: intra-AS routing can focus on performance; inter-AS, policy may dominate over performance.

Data Link Layer
Some terminology: hosts and routers are nodes; the communication channels that connect adjacent nodes along a communication path are links (wired links, wireless links, LANs). A layer-2 packet is a frame; it encapsulates a datagram.
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services
Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if the medium is shared; "MAC" addresses are used in frame headers to identify source and destination (different from the IP address).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); used on wireless links, which have high error rates. Q: why both link-level and end-to-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code) and allocate a piece to a node for exclusive use.
Random access: the channel is not divided; allow collisions and "recover" from them.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA
TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: a 6-station LAN where stations 1, 3 and 4 have packets, so slots 2, 5 and 6 are idle.
TDM (Time Division Multiplexing): the channel is divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (Frequency Division Multiplexing): the frequency band is subdivided.

Slotted ALOHA
Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized, only the slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmitting in a slot with probability p.
Prob. that node 1 has success in a slot = p(1-p)^(N-1)
Prob. that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find the p* that maximizes Np(1-p)^(N-1) (it is p* = 1/N).
For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: this gives 1/e = 0.37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best, the channel is used for useful transmissions 37% of the time.
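The efficiency formula checked numerically and against a simulated channel, as an added Python example that is not part of the lecture slides. The formula Np(1-p)^(N-1) and the 1/e limit are the slide's; the grid search, the Monte Carlo run and its seed are assumptions made for this illustration.

```python
# Added example (not from the lecture slides): the slide's efficiency formula for
# slotted ALOHA checked numerically and against a Monte Carlo run. The formula and
# the 1/e limit are the slide's; the simulation and the seed are this page's own.
import math
import random


def success_probability(n: int, p: float) -> float:
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n: int, steps: int = 10_000) -> float:
    """Numerically find the p that maximises N p (1-p)^(N-1); the answer is 1/N."""
    grid = (k / steps for k in range(1, steps))
    return max(grid, key=lambda p: success_probability(n, p))


def max_efficiency(n: int) -> float:
    return success_probability(n, 1.0 / n)


def simulate(n: int, p: float, slots: int, seed: int = 1) -> float:
    """Fraction of slots with exactly one transmitter when every node sends with probability p."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:           # zero transmitters = idle slot, two or more = collision
            successes += 1
    return successes / slots


if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print(n, round(best_p(n), 4), round(max_efficiency(n), 4))
    print("limit 1/e =", round(1 / math.e, 4))
    print("simulated, N=10, p=0.1:", simulate(10, 0.1, 20_000))
```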

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If the channel is sensed idle, transmit the entire frame. If the channel is sensed busy, defer transmission.
Human analogy: don't interrupt others!

CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision, the entire packet transmission time is wasted.
Figure: spatial layout of nodes along the medium, with a space-time diagram of two transmissions that overlap before either sender hears the other.
Note the role of distance and propagation delay in determining the collision probability.

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA; collisions are detected within a short time; colliding transmissions are aborted, reducing channel wastage.
Collision detection is easy in wired LANs (measure signal strengths, compare transmitted and received signals) and difficult in wireless LANs (the receiver is shut off while transmitting).

CSMA/CD collision detection
Figure: the space-time diagram again, now with both senders detecting the overlap and aborting early.

"Taking Turns" MAC protocols
Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (the master).
Token passing: a control token is passed from one node to the next sequentially (token message). Concerns: token overhead, latency, single point of failure (the token).

ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): the time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?
Figure: a LAN with four nodes whose IP addresses are 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88 and whose MAC addresses are 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53.

ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator. Nothing in the exchange is authenticated, so any node on the LAN can answer a query for any IP address.
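The query/reply exchange built and parsed as raw frames, plus the soft-state ARP table with its 20-minute TTL, as an added Python example that is not part of the lecture slides. The 237.196.7.x addresses and the MAC addresses are the slides' own, but which IP goes with which MAC is assumed here. The frame layout is Ethernet II plus the RFC 826 ARP body (EtherType 0x0806). The conflict warning in ArpTable.learn goes beyond the slide: it is the check a LAN monitor makes precisely because ARP replies are not authenticated.

```python
# Added example (not from the lecture slides): building and parsing the ARP query
# and reply described above, and keeping the soft-state ARP table with a 20-minute
# TTL. The 237.196.7.x and MAC addresses are the slide's (their pairing here is
# assumed for the example); the frame layout is Ethernet II + RFC 826 ARP
# (EtherType 0x0806). ArpTable.learn's conflict warning goes beyond the slide: it
# is the check a monitoring tool makes, because nothing in ARP is authenticated.
import struct
from typing import Dict, Optional, Tuple

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_TTL_SECONDS = 20 * 60


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split("-"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """14-byte Ethernet header + 28-byte ARP body. Queries are broadcast, replies unicast."""
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,   # Ethernet, IPv4, 6-byte MAC, 4-byte IP
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("unsupported ARP packet")
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class ArpTable:
    """<IP address; MAC address; TTL> entries: soft state that goes away unless refreshed."""

    def __init__(self, ttl: float = ARP_TTL_SECONDS):
        self.ttl = ttl
        self.entries: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, expiry time)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None or now >= entry[1]:
            self.entries.pop(ip, None)      # timed out: the mapping is forgotten
            return None
        return entry[0]

    def learn(self, ip: str, mac: str, now: float) -> Optional[str]:
        """Cache or refresh a mapping; returns a warning if a live entry changes to a new MAC."""
        old = self.lookup(ip, now)
        self.entries[ip] = (mac, now + self.ttl)
        if old is not None and old != mac:
            return f"{ip} changed from {old} to {mac} before its TTL expired"
        return None


def resolve_walkthrough():
    """A resolves B, then sees a conflicting reply for B's address 60 s later."""
    a_mac, a_ip = "71-65-F7-2B-08-53", "237.196.7.23"   # pairing assumed for this example
    b_mac, b_ip = "1A-2F-BB-76-09-AD", "237.196.7.78"
    table = ArpTable()
    query = parse_arp(build_arp(ARP_REQUEST, a_mac, a_ip, ZERO_MAC, b_ip))
    reply = parse_arp(build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip))
    first = table.learn(str(reply["sender_ip"]), str(reply["sender_mac"]), now=0.0)
    conflict = table.learn(b_ip, "0C-C4-11-6F-E3-98", now=60.0)
    return query, reply, first, conflict, table
```

A host's real ARP cache accepts the second reply just as this one does; the warning is what a separate monitor, not the endpoint, can raise.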

Routing to another LAN
Walkthrough: send a datagram from A to B via router R; assume A knows B's IP address.
There are two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find the router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame; R's adapter receives it. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.
Figure: A, R and B, with A and B on different LANs joined by R.

Ethernet uses CSMA/CD
No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting: that is carrier sense.
A transmitting adapter aborts when it senses that another adapter is transmitting: that is collision detection.
Before attempting a retransmission, the adapter waits a random time: that is random access.

Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the net layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1} (m is capped at 10, so K is at most 1023). The adapter waits K * 512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 msec (1023 * 512 * 0.1 microsec = 52.4 msec).
Exponential backoff. Goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer. First collision: choose K from {0, 1}; the delay is K * 512 bit transmission times. After the second collision: choose K from {0, 1, 2, 3}. After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN; t_trans = time to transmit a max-size frame.
efficiency = 1 / (1 + 5 * t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0, and goes to 1 as t_trans goes to infinity. Much better than ALOHA, but still decentralized, simple and cheap.

Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub, the adapters detect collisions. A hub provides net management functionality: it can disconnect a malfunctioning adapter.
Figure: hosts attached to a hub over twisted pair.

Interconnecting with hubs
Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: the separate collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
Figure: three departmental hubs connected to a backbone hub.

Switch
Link layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC destination address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding
How to determine onto which LAN segment to forward a frame? Looks like a routing problem.
Figure: a switch with interfaces 1, 2 and 3, each attached to a hub.

Self learning
A switch has a switch table. Entry in the switch table: (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender, namely the incoming LAN segment, and records the sender/location pair in the switch table.

Switch: traffic isolation
Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments, so segments become separate collision domains.
Figure: three hubs, each forming its own collision domain, attached to one switch.
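The self-learning, filtering and flooding behaviour of the two slides above in one small switch model, as an added Python example that is not part of the lecture slides. The entry format (MAC address, interface, time stamp) and the 60-minute ageing time are the slides' own; the LearningSwitch class, the interface numbers and the constructed frames are assumptions made for this illustration.

```python
# Added example (not from the lecture slides): the self-learning and filtering
# logic of a switch table with (MAC address, interface, time stamp) entries and
# the 60-minute ageing time from the slide. The LearningSwitch class, the
# interface numbers and the constructed frames are this page's own illustration.
from typing import Dict, List, Tuple

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
AGEING_SECONDS = 60 * 60


class LearningSwitch:
    def __init__(self, interfaces: List[int], ageing: float = AGEING_SECONDS):
        self.interfaces = list(interfaces)
        self.ageing = ageing
        self.table: Dict[str, Tuple[int, float]] = {}   # MAC address -> (interface, time stamp)

    def _drop_stale(self, now: float) -> None:
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ageing:
                del self.table[mac]

    def receive(self, src_mac: str, dst_mac: str, in_if: int, now: float) -> List[int]:
        """Process one frame; returns the interfaces it is sent out on ([] = filtered)."""
        self._drop_stale(now)
        # self-learning: the sender is reachable through the interface the frame arrived on
        self.table[src_mac] = (in_if, now)
        entry = self.table.get(dst_mac)
        if dst_mac != BROADCAST_MAC and entry is not None:
            out_if = entry[0]
            # filtering: same segment as the sender -> not forwarded; otherwise selective forward
            return [] if out_if == in_if else [out_if]
        # unknown or broadcast destination: flood out every other interface
        return [i for i in self.interfaces if i != in_if]


def scenario():
    """Hosts A, B, C; A and C hang off interface 1, B off interface 2, nothing on 3."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-03"
    out1 = sw.receive(a, b, in_if=1, now=0)            # B unknown: flooded to 2 and 3
    out2 = sw.receive(b, a, in_if=2, now=1)            # A learned on 1: forwarded to 1 only
    out3 = sw.receive(c, a, in_if=1, now=2)            # A and C share a segment: filtered
    out4 = sw.receive(b, a, in_if=2, now=2 + AGEING_SECONDS + 1)   # A's entry aged out: flood
    return out1, out2, out3, out4, dict(sw.table)
```

The table is keyed on whatever source address a frame carries, with no check that the sender is entitled to it; that is what makes the switch plug-and-play, and also why a host can move another host's entry simply by sending a frame with that host's source MAC.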

Switches vs Routers
Both are store-and-forward devices: routers are network layer devices (they examine network layer headers); switches are link layer devices.
Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison
                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other. This means A and C are unaware of their interference at B.
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, because each one's signal strength has faded with distance by the time it reaches the other (figure: A's and C's signal strength plotted over space), yet both still interfere at B.

IEEE 802.11 Wireless LAN
802.11b: 2.4 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer, all hosts use the same chipping code; widely deployed, using base stations.
802.11a: 5 GHz range; up to 54 Mbps.
802.11g: 2.4 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access. All have base-station and ad hoc network versions.

802.11 LAN architecture
A wireless host communicates with a base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell"): in infrastructure mode it contains wireless hosts and an access point (AP, base station); in ad hoc mode, hosts only.
Figure: two BSSs (BSS 1 and BSS 2), each with its own AP, connected through a hub, switch or router to the Internet.

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, transmit the entire frame (no collision detection).
2. If the channel is sensed busy: start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK arrives, increase the random backoff interval and repeat step 2.
802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem).
Figure: the sender waits DIFS, then sends data; the receiver waits SIFS, then sends the ACK.

Collision Avoidance: RTS-CTS exchange
Figure: hosts A and B both send an RTS to the AP; the two RTS frames collide at the AP (a "reservation collision", cheap because RTS frames are short). A's RTS is retransmitted and gets through; the AP broadcasts CTS(A), which reserves the channel for A and tells B to defer; A sends DATA(A); the AP returns ACK(A), which B also hears.

802.11 frame format (field sizes in bytes)
frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4)

802.11 frame addressing
Address 1: MAC address of the wireless host or AP that is to receive this frame.
Address 2: MAC address of the wireless host or AP transmitting this frame.
Address 3: MAC address of the router interface to which the AP is attached.
Address 4: present only when both the To DS and From DS bits of the frame control field are set, i.e. for frames relayed between APs over a wireless distribution system; it is absent from the frames a host exchanges with its AP (ad hoc frames carry three addresses).
Example: host H1 sends to router R1 through the AP.
802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.
802.3 frame (AP to R1): dest address = R1 MAC addr, source address = H1 MAC addr.
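The frame layout and the address roles above, implemented as a builder and parser for 802.11 data frames together with the AP's conversion to an 802.3 (dest, source) pair, as an added Python example that is not part of the lecture slides. The field widths come from the frame-format slide; the To DS / From DS bits in the frame control field and the four-address case are standard 802.11 behaviour not spelled out on the slide. The MAC addresses for H1, AP and R1 are made up for the example, and the trailing CRC is computed with zlib.crc32 rather than the exact 802.11 FCS bit ordering.

```python
# Added example (not from the lecture slides): building and parsing 802.11 data
# frames with the field widths from the frame-format slide, mapping the address
# fields to the roles the addressing slide gives them, and doing the AP's
# conversion to an 802.3 (dest, source) pair. The To DS / From DS bits and the
# four-address case are standard 802.11 (not on the slide); the MAC addresses for
# H1, AP and R1 are made up for the example; the FCS here is a plain CRC-32.
import struct
import zlib
from typing import Dict, Optional

H1_MAC, AP_MAC, R1_MAC = "02-00-00-00-00-11", "02-00-00-00-00-AA", "02-00-00-00-00-01"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(o, 16) for o in mac.split("-"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_data_frame(to_ds: bool, from_ds: bool, addr1: str, addr2: str, addr3: str,
                     payload: bytes = b"", addr4: Optional[str] = None, seq: int = 0) -> bytes:
    fc_byte0 = 0x08                                    # protocol version 0, type 2 (data), subtype 0
    fc_byte1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)   # flags: bit 0 To DS, bit 1 From DS
    header = struct.pack("<BBH", fc_byte0, fc_byte1, 0)              # frame control (2), duration (2)
    header += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) # addresses 1-3 (6 each)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)                 # seq control: seq no. in bits 4-15
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("address 4 is required when To DS and From DS are both set")
        header += mac_bytes(addr4)                                   # address 4 (6)
    body = header + payload                                          # payload (0-2312)
    return body + struct.pack("<I", zlib.crc32(body))                # CRC (4)


def parse_data_frame(frame: bytes) -> Dict[str, object]:
    if len(frame) < 28:
        raise ValueError("frame too short")
    if struct.unpack("<I", frame[-4:])[0] != zlib.crc32(frame[:-4]):
        raise ValueError("bad CRC")
    fc0, fc1, duration = struct.unpack("<BBH", frame[:4])
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    a1, a2, a3 = (mac_str(frame[4 + 6 * i: 10 + 6 * i]) for i in range(3))
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    offset, a4 = 24, None
    if to_ds and from_ds:
        a4, offset = mac_str(frame[24:30]), 30
    # which address plays which role depends on the To DS / From DS bits
    if not to_ds and not from_ds:     # ad hoc (IBSS): receiver, sender, BSSID
        dest, source, bssid = a1, a2, a3
    elif from_ds and not to_ds:       # AP -> host: address 3 is the original sender
        dest, source, bssid = a1, a3, a2
    elif to_ds and not from_ds:       # host -> AP: address 3 is the final destination
        dest, source, bssid = a3, a2, a1
    else:                             # AP -> AP (wireless distribution system)
        dest, source, bssid = a3, a4, None
    return {"to_ds": to_ds, "from_ds": from_ds, "duration": duration, "seq": seq,
            "addr1": a1, "addr2": a2, "addr3": a3, "addr4": a4,
            "dest": dest, "source": source, "bssid": bssid, "payload": frame[offset:-4]}


def to_802_3(parsed: Dict[str, object]):
    """What the AP writes into the Ethernet frame: (destination address, source address)."""
    return parsed["dest"], parsed["source"]


def walkthrough():
    """H1 -> AP -> R1 as on the slide, and the reply R1 -> AP -> H1."""
    uplink = build_data_frame(True, False, AP_MAC, H1_MAC, R1_MAC, b"datagram")
    downlink = build_data_frame(False, True, H1_MAC, AP_MAC, R1_MAC, b"reply")
    return parse_data_frame(uplink), parse_data_frame(downlink)
```

Checking the CRC before reading any field is deliberate: a corrupted or truncated frame is rejected before its length-dependent fields are trusted.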

Network Security
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.


Review (3)
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology and link cost info: "link state" algorithms.
Decentralized: a router knows its physically connected neighbors and the link costs to them; an iterative process of computation and exchange of info with neighbors: "distance vector" algorithms.
Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic updates, in response to link cost changes.

Dijkstra's Algorithm
1  Initialization:
2    N' = {u}
3    for all nodes v
4      if v adjacent to u
5        then D(v) = c(u,v)
6        else D(v) = ∞
7
8  Loop
9    find w not in N' such that D(w) is a minimum
10   add w to N'
11   update D(v) for all v adjacent to w and not in N':
12     D(v) = min( D(v), D(w) + c(w,v) )
13   /* new cost to v is either old cost to v or known
14      shortest path cost to w plus cost from w to v */
15 until all nodes in N'

Dijkstra's algorithm example
Graph: nodes u, v, w, x, y, z with link costs c(u,v) = 2, c(u,x) = 1, c(u,w) = 5, c(v,x) = 2, c(v,w) = 3, c(x,w) = 3, c(x,y) = 1, c(w,y) = 1, c(w,z) = 5, c(y,z) = 2. Source node u.
Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
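The algorithm on the previous slide run over this graph, recording N' and the D(.) estimates after every step so the trace can be checked against the table, as an added Python example that is not part of the lecture slides. The graph is the slide's; the code, the tie-breaking rule (when two nodes have the same D the smaller name is taken, so v enters N' one step before y, the reverse of the table) and the forwarding_table helper are assumptions made for this illustration.

```python
# Added example (not from the lecture slides): the slide's Dijkstra loop run on the
# slide's six-node graph, recording N' and the D(v) estimates after each step so
# the trace can be compared with the table above. The graph is the slide's;
# the code, the tie-breaking rule (smallest name) and forwarding_table are this
# page's own.
from typing import Dict, List, Optional, Tuple

INF = float("inf")

# undirected link costs from the figure: c(u,v) = 2, c(u,x) = 1, c(u,w) = 5, ...
LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def adjacency(links: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    graph: Dict[str, Dict[str, int]] = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def dijkstra(graph, source):
    """Returns (D, p, trace); trace[k] = (k, N' after step k, D after step k)."""
    n_prime: List[str] = [source]
    D = {v: INF for v in graph}
    p: Dict[str, Optional[str]] = {v: None for v in graph}
    D[source] = 0
    for v, cost in graph[source].items():        # initialization: direct neighbours of u
        D[v], p[v] = cost, source
    trace = [(0, tuple(n_prime), dict(D))]
    while len(n_prime) < len(graph):
        # find w not in N' such that D(w) is a minimum; ties broken by node name
        w = min((v for v in graph if v not in n_prime), key=lambda v: (D[v], v))
        if D[w] == INF:
            break                                 # the rest of the graph is unreachable
        n_prime.append(w)
        for v, cost in graph[w].items():          # update D(v) for v adjacent to w, not in N'
            if v not in n_prime and D[w] + cost < D[v]:
                D[v], p[v] = D[w] + cost, w
        trace.append((len(n_prime) - 1, tuple(n_prime), dict(D)))
    return D, p, trace


def forwarding_table(p, source):
    """Next hop from source to each destination, found by walking predecessors back to source."""
    table = {}
    for dest, pred in p.items():
        if dest == source or pred is None:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, trace = dijkstra(adjacency(LINKS), "u")
    for step, n_prime, dist in trace:
        print(step, "".join(n_prime), {v: dist[v] for v in sorted(dist)})
    print(forwarding_table(p, "u"))
```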

Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
Dx(y) ← min_v { c(x,v) + Dv(y) } for each node y ∊ N
Under minor, natural conditions the estimate Dx(y) converges to the actual least cost dx(y).

Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies its neighbors only when its DV changes; the neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only the next hop.
Each node:
  wait for (a change in a local link cost or a msg from a neighbor)
  recompute estimates
  if the DV to any destination has changed, notify neighbors

Distance vector example: three nodes x, y, z with link costs c(x,y) = 2, c(x,z) = 7, c(y,z) = 1. Each node's table has one row per node whose vector it holds ("from") and one column per destination ("cost to" x, y, z).
Initially each node knows only its own direct link costs:
node x table: from x: 0 2 7; from y: ∞ ∞ ∞; from z: ∞ ∞ ∞
node y table: from y: 2 0 1; from x: ∞ ∞ ∞; from z: ∞ ∞ ∞
node z table: from z: 7 1 0; from x: ∞ ∞ ∞; from y: ∞ ∞ ∞
After the first exchange x holds y's and z's vectors and recomputes its own:
Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
node x table: from x: 0 2 3; from y: 2 0 1; from z: 7 1 0
Likewise z finds Dz(x) = min{ 7+0, 1+2 } = 3. After one more exchange every table holds the converged vectors: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0.
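The three-node example simulated in synchronous rounds until no vector changes, followed by a local link cost change, as an added Python example that is not part of the lecture slides. The link costs are the slides' own; the DVNode class, the next-hop bookkeeping, the round structure (the slide's algorithm is asynchronous, rounds just make the trace reproducible) and the choice of c(x,y) = 1 for the cost change are assumptions made for this illustration.

```python
# Added example (not from the lecture slides): the three-node distance vector
# example above, simulated in synchronous rounds (the slide's algorithm is
# asynchronous; rounds just make the trace reproducible). Link costs are the
# slide's; the DVNode class, the next-hop bookkeeping and the link-cost change at
# the end are this page's own.
from typing import Dict, Optional, Tuple

INF = float("inf")


class DVNode:
    def __init__(self, name: str, link_costs: Dict[str, int]):
        self.name = name
        self.c = dict(link_costs)                     # c(x,v) for each neighbour v
        self.dv = {name: 0, **link_costs}             # own estimate D_x(.): direct costs only
        self.next_hop = {v: v for v in link_costs}
        self.neighbour_dv = {v: {v: 0} for v in link_costs}   # last vector heard from each neighbour

    def receive(self, sender: str, vector: Dict[str, float]) -> None:
        self.neighbour_dv[sender] = dict(vector)

    def recompute(self, all_nodes) -> bool:
        """Bellman-Ford: D_x(y) = min over neighbours v of c(x,v) + D_v(y). True if the DV changed."""
        new_dv: Dict[str, float] = {self.name: 0}
        new_hop: Dict[str, Optional[str]] = {}
        for y in all_nodes:
            if y == self.name:
                continue
            best, hop = INF, None
            for v, cost in self.c.items():
                via_v = cost + self.neighbour_dv[v].get(y, INF)
                if via_v < best:
                    best, hop = via_v, v
            new_dv[y], new_hop[y] = best, hop
        changed = new_dv != self.dv
        self.dv, self.next_hop = new_dv, new_hop
        return changed


def build(link_costs: Dict[Tuple[str, str], int]) -> Dict[str, DVNode]:
    per_node: Dict[str, Dict[str, int]] = {}
    for (a, b), cost in link_costs.items():
        per_node.setdefault(a, {})[b] = cost
        per_node.setdefault(b, {})[a] = cost
    return {name: DVNode(name, costs) for name, costs in per_node.items()}


def run(nodes: Dict[str, DVNode], max_rounds: int = 50) -> int:
    """Each round: every node sends its DV to its neighbours, then every node recomputes.
    Returns the number of rounds until a round changes nothing."""
    names = list(nodes)
    for rounds in range(1, max_rounds + 1):
        for node in nodes.values():
            for v in node.c:
                nodes[v].receive(node.name, node.dv)
        changed = False
        for node in nodes.values():
            changed = node.recompute(names) or changed     # no short-circuit: every node recomputes
        if not changed:
            return rounds
    raise RuntimeError("did not converge")


def change_link(nodes: Dict[str, DVNode], a: str, b: str, cost: int) -> None:
    """A local link cost change, which triggers a new local iteration at both ends."""
    nodes[a].c[b] = cost
    nodes[b].c[a] = cost


SLIDE_LINKS = {("x", "y"): 2, ("x", "z"): 7, ("y", "z"): 1}

if __name__ == "__main__":
    nodes = build(SLIDE_LINKS)
    print("converged after", run(nodes), "rounds")
    for n in nodes.values():
        print(n.name, n.dv, "next hops", n.next_hop)
    change_link(nodes, "x", "y", 1)
    print("after c(x,y) = 1:", run(nodes), "rounds;", "z's vector:", nodes["z"].dv)
```

Note that recompute uses whatever vector a neighbour last sent, unchecked; a node's routes are only as trustworthy as its neighbours' advertisements, which is the reason the OSPF slide lists message authentication as a feature RIP lacks.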

The Internet Network layer
Host and router network layer functions:
Routing protocols: path selection; RIP, OSPF, BGP.
IP protocol: addressing conventions, datagram format, packet handling conventions.
ICMP protocol: error reporting, router "signaling".
The network layer sits between the transport layer (TCP, UDP) above and the link and physical layers below; the forwarding table is where the routing protocols hand their results to the IP forwarding function.

IP datagram format (header laid out in 32-bit words)
ver: IP protocol version number (4 bits)
head. len: header length, in 32-bit words (20 bytes without options)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number of remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver the payload to
Internet checksum: covers the header only
32-bit source IP address
32-bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)
How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
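The header above built and parsed byte for byte, with the header checksum and the per-hop TTL decrement a router performs, as an added Python example that is not part of the lecture slides. The field layout and widths follow the slide (and RFC 791); the helper functions, the 223.1.x.x endpoints borrowed from the addressing slide, the sample payload and the decision to report a TTL of 0 as "dropped" rather than emit the ICMP message are assumptions made for this illustration.

```python
# Added example (not from the lecture slides): building and parsing the IPv4
# header laid out above, with the header checksum and the per-hop TTL decrement a
# router performs. Field layout and widths follow the slide (and RFC 791); the
# helper functions, the 223.1.x.x endpoints reused from the addressing slide and
# the sample payload are this page's own.
import struct
from typing import Dict, Optional

HEADER_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags+offset, ttl, proto, csum, src, dst
MIN_HEADER = 20


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, ttl: int = 64,
               ident: int = 0, dont_fragment: bool = False) -> bytes:
    flags_offset = 0x4000 if dont_fragment else 0           # DF flag; fragment offset 0
    header = struct.pack(HEADER_FMT, (4 << 4) | 5, 0, MIN_HEADER + len(payload), ident,
                         flags_offset, ttl, protocol, 0, ip_bytes(src), ip_bytes(dst))
    checksum = header_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    if len(packet) < MIN_HEADER:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto, _, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0xF) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    # bounds checks before anything else: a bad header length is the classic parser trap
    if header_len < MIN_HEADER or header_len > total_len or total_len > len(packet):
        raise ValueError("inconsistent header/total length")
    if header_checksum(packet[:header_len]) != 0:
        raise ValueError("bad header checksum")
    return {"version": 4, "header_len": header_len, "tos": tos, "total_len": total_len, "id": ident,
            "df": bool(flags_off & 0x4000), "mf": bool(flags_off & 0x2000),
            "frag_offset": (flags_off & 0x1FFF) * 8, "ttl": ttl, "protocol": proto,
            "src": ip_str(src), "dst": ip_str(dst),
            "options": packet[MIN_HEADER:header_len], "payload": packet[header_len:total_len]}


def forward_hop(packet: bytes) -> Optional[bytes]:
    """What each router does: decrement TTL and fix the checksum. None = TTL expired, datagram
    dropped (a real router reports this to the source with an ICMP time-exceeded message)."""
    fields = parse_ipv4(packet)
    if fields["ttl"] <= 1:
        return None
    header_len = fields["header_len"]
    header = bytearray(packet[:header_len])
    header[8] -= 1                              # TTL is byte 8 of the header
    header[10:12] = b"\x00\x00"                 # zero the checksum field before recomputing
    header[10:12] = struct.pack("!H", header_checksum(bytes(header)))
    return bytes(header) + packet[header_len:]
```

The checksum protects only the header, and only against accidental corruption: anyone who can write the packet can recompute it, so it says nothing about who sent the datagram.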

IP Addressing: introduction
IP address: 32-bit identifier for a host or router interface.
Interface: the connection between a host/router and a physical link. Routers typically have multiple interfaces; a host may have multiple interfaces. IP addresses are associated with each interface.
Figure: the 223.1.0.0 network with host interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.2.1, 223.1.2.2, 223.1.3.1, 223.1.3.2 and router interfaces 223.1.1.4, 223.1.2.9, 223.1.3.27.
223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets
IP address: subnet part (high order bits) and host part (low order bits).

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)

Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table

ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL>

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

(figure: LAN with nodes 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.

A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.

B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.
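The query/reply exchange and the soft-state cache from the two ARP slides, as an added example rather than code from the slides. The IP-to-MAC pairing of A and B is constructed (the slide's figure lists the addresses but the transcript does not pair them), and the 20-minute TTL is the slide's typical value. One detail a defender cares about is included: the cache records when a live mapping changes MAC, because an IP silently moving to another MAC is exactly what an operator wants logged.

```python
from dataclasses import dataclass, field

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60          # seconds; slide: mapping typically forgotten after 20 min

# Constructed pairing of the slide's addresses (the slide does not pair them).
A_IP, A_MAC = "237.196.7.78", "1A-2F-BB-76-09-AD"
B_IP, B_MAC = "237.196.7.14", "58-23-D7-FA-20-B0"


@dataclass
class ArpEntry:
    mac: str
    expires_at: float


@dataclass
class ArpCache:
    """Soft-state IP -> MAC table: an entry disappears unless refreshed before its TTL."""
    entries: dict = field(default_factory=dict)
    conflicts: list = field(default_factory=list)    # (ip, old_mac, new_mac)

    def lookup(self, ip, now):
        e = self.entries.get(ip)
        if e is None:
            return None
        if e.expires_at <= now:          # timed out: forget the mapping
            del self.entries[ip]
            return None
        return e.mac

    def learn(self, ip, mac, now, ttl=ARP_TTL):
        old = self.lookup(ip, now)
        if old is not None and old != mac:
            # A live mapping changing MAC is worth alerting on: either a replaced
            # NIC or an unexpected reply; in both cases it should not pass silently.
            self.conflicts.append((ip, old, mac))
        self.entries[ip] = ArpEntry(mac, now + ttl)


def arp_request(sender_ip, sender_mac, target_ip):
    """Query A broadcasts when the target's MAC is not in its table."""
    return {"dst_mac": BROADCAST, "src_mac": sender_mac, "op": "request",
            "sender_ip": sender_ip, "sender_mac": sender_mac, "target_ip": target_ip}


def arp_reply(request, my_ip, my_mac):
    """B's unicast answer to A's MAC; every other host ignores the query."""
    if request["op"] != "request" or request["target_ip"] != my_ip:
        return None
    return {"dst_mac": request["sender_mac"], "src_mac": my_mac, "op": "reply",
            "sender_ip": my_ip, "sender_mac": my_mac, "target_ip": request["sender_ip"]}


def resolve(cache, a_ip, a_mac, b_ip, b_mac, now):
    """A resolves B: cache hit, else request/reply exchange, then cache the answer."""
    mac = cache.lookup(b_ip, now)
    if mac is not None:
        return mac, "cache"
    req = arp_request(a_ip, a_mac, b_ip)
    rep = arp_reply(req, b_ip, b_mac)
    assert rep is not None and rep["dst_mac"] == a_mac   # reply is unicast back to A
    cache.learn(rep["sender_ip"], rep["sender_mac"], now)
    return rep["sender_mac"], "query"
```

The third `resolve` call in the test happens exactly 20 minutes after the first, so the entry has expired and A has to query again; that is the soft-state behaviour the slide describes.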

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

Two ARP tables in router R, one for each IP network (LAN)

In routing table at source Host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

(figure: hosts A and B connected through router R)

A creates datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram. A's adapter sends frame. R's adapter receives frame. R removes IP datagram from Ethernet frame, sees it's destined to B. R uses ARP to get B's MAC address. R creates frame containing A-to-B IP datagram, sends to B.

(figure: hosts A and B connected through router R)
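The walkthrough above in code, as an added example that is not from the slides: host A does a longest-prefix route lookup, finds that B is reached via R, and frames the datagram to R's MAC; R strips the frame, routes the unchanged IP datagram, and re-frames it on the second LAN using its per-interface ARP table. The router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B are from the slide; every other address, and the function names, are constructed for this example.

```python
import ipaddress

# From the slide: R's LAN-1 interface 111.111.111.110 with MAC E6-E9-00-17-BB-4B.
# Everything else here is constructed for the example.
A_IP, A_MAC = "111.111.111.111", "74-29-9C-E8-FF-55"
B_IP, B_MAC = "222.222.222.222", "49-BD-D2-C7-56-2A"
R_IP_LAN1, R_MAC_LAN1 = "111.111.111.110", "E6-E9-00-17-BB-4B"
R_IP_LAN2, R_MAC_LAN2 = "222.222.222.220", "1A-23-F9-CD-06-9B"


def next_hop(routing_table, dst_ip):
    """Longest-prefix match over (prefix, gateway-or-None, interface) rows.
    A None gateway means the destination is directly attached. Returns the IP
    whose MAC address must be resolved on that interface."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gateway, iface in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError("no route to " + dst_ip)
    _, gateway, iface = best
    return (gateway or dst_ip), iface


def build_frame(arp_table, src_mac, next_hop_ip, datagram):
    """Link-layer frame carrying the datagram; the IP header is left untouched."""
    dst_mac = arp_table.get(next_hop_ip)
    if dst_mac is None:
        raise LookupError("ARP miss for " + next_hop_ip)   # here A or R would send an ARP query
    return {"dst_mac": dst_mac, "src_mac": src_mac, "payload": datagram}


def send_a_to_b():
    datagram = {"src": A_IP, "dst": B_IP, "data": "hello"}

    # Host A: B is not on A's subnet, so the default route points at R.
    a_routes = [("111.111.111.0/24", None, "eth0"), ("0.0.0.0/0", R_IP_LAN1, "eth0")]
    a_arp = {R_IP_LAN1: R_MAC_LAN1}               # learned via ARP earlier
    hop_ip, _ = next_hop(a_routes, datagram["dst"])
    frame1 = build_frame(a_arp, A_MAC, hop_ip, datagram)

    # Router R: strips the Ethernet frame, routes the datagram, re-frames it on LAN 2.
    r_routes = [("111.111.111.0/24", None, "if1"), ("222.222.222.0/24", None, "if2")]
    r_arp = {"if1": {A_IP: A_MAC}, "if2": {B_IP: B_MAC}}   # one ARP table per interface
    inner = frame1["payload"]
    hop_ip2, iface = next_hop(r_routes, inner["dst"])
    frame2 = build_frame(r_arp[iface], R_MAC_LAN2, hop_ip2, inner)
    return frame1, frame2


if __name__ == "__main__":
    f1, f2 = send_a_to_b()
    print("LAN 1 frame:", f1["src_mac"], "->", f1["dst_mac"])
    print("LAN 2 frame:", f2["src_mac"], "->", f2["dst_mac"])
    print("IP header on both hops:", f2["payload"]["src"], "->", f2["payload"]["dst"])
```

Note what changes and what does not: the MAC addresses are rewritten at every hop, while the IP source and destination inside the datagram are the same on both LANs.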

Ethernet uses CSMA/CD

No slots.

adapter doesn't transmit if it senses that some other adapter is transmitting: that is, carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting: that is, collision detection

Before attempting a retransmission, adapter waits a random time: that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame.
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer

first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3}…
after ten collisions: choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
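The backoff rule of steps 4 and 5, the bit-time arithmetic behind the "about 50 msec" figure, and the efficiency formula, as one added example (not code from the slides). `backoff_choices` caps the range at 2^10 as the slide's "after ten collisions" line implies, `max_wait_seconds(10)` reproduces the K = 1023 wait on 10 Mbps Ethernet, and `transmit` runs the retry loop against a scripted list of collision outcomes so the K draws can be inspected. The 16-attempt give-up limit and all function names are assumptions of this example.

```python
import random

BIT_TIME_10MBPS = 0.1e-6      # seconds per bit at 10 Mbps (slide: .1 microsec)
SLOT_BITS = 512               # backoff unit, in bit times
JAM_BITS = 48


def backoff_choices(m: int) -> int:
    """Number of K values after the m-th collision: 2^m, capped at 2^10 = 1024."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, 10)


def choose_k(m: int, rng=random) -> int:
    """Draw K uniformly from {0, 1, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_choices(m))


def wait_seconds(k: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """K * 512 bit times, in seconds."""
    return k * SLOT_BITS * bit_time


def max_wait_seconds(m: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """Longest possible wait after the m-th collision (K at its maximum)."""
    return wait_seconds(backoff_choices(m) - 1, bit_time)


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slide's approximation: 1 / (1 + 5 t_prop / t_trans)."""
    if t_trans <= 0 or t_prop < 0:
        raise ValueError("t_trans must be positive and t_prop non-negative")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def transmit(collision_script, seed: int = 1, max_attempts: int = 16):
    """Run the retry loop: collision_script[i] is True if attempt i+1 collides.
    Returns (successful_attempt_number, list_of_K_draws); attempt is None if the
    frame is abandoned after max_attempts (an assumed limit for this example)."""
    rng = random.Random(seed)
    ks = []
    for attempt in range(1, max_attempts + 1):
        collided = attempt <= len(collision_script) and collision_script[attempt - 1]
        if not collided:
            return attempt, ks                      # step 3: whole frame went out
        ks.append(choose_k(attempt, rng))           # steps 4-5: jam, then back off
    return None, ks


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        print(f"collision {m:2d}: K in [0, {backoff_choices(m) - 1}], "
              f"max wait {max_wait_seconds(m) * 1e3:.2f} ms")
    print("jam signal lasts", JAM_BITS * BIT_TIME_10MBPS * 1e6, "microseconds")
    print("efficiency, t_prop/t_trans = 0.01:", round(csma_cd_efficiency(0.01, 1.0), 4))
```

`max_wait_seconds(10)` evaluates to 1023 · 512 · 0.1 µs ≈ 52.4 ms, the "about 50 msec" on the slide.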

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality
• can disconnect a malfunctioning adapter

(figure: hub with twisted pair links)

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends max distance btw nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

(figure: three hubs interconnected by a backbone hub)

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent: hosts are unaware of presence of switches

plug-and-play, self-learning: switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem

(figure: switch with interfaces 1, 2, 3, each connected to a hub)

Self learning

A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)

switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments; switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains

(figure: switch connecting three hubs, each hub a separate collision domain)
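A self-learning switch covering the "Self learning" and "traffic isolation" slides together, as an added example that is not the slides' own code. Each received frame first records (sender MAC, incoming interface, time stamp); the frame is then flooded when the destination is unknown or broadcast, dropped when the destination is on the incoming segment (filtering), and otherwise forwarded on exactly one interface. Entries older than the TTL are dropped before each lookup. The 60-minute TTL is the slide's value; the class name, the interface numbering and the MAC addresses in the test are constructed.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
SWITCH_TTL = 60 * 60       # seconds; slide: stale entries dropped, TTL can be 60 min


class LearningSwitch:
    def __init__(self, interfaces, ttl=SWITCH_TTL):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}    # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts >= self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, frame, in_iface, now):
        """Learn the sender's location, then return the interfaces the frame goes out on."""
        if in_iface not in self.interfaces:
            raise ValueError("unknown interface " + str(in_iface))
        self._drop_stale(now)
        # self-learning: the sender is reachable through the incoming interface
        self.table[frame["src"]] = (in_iface, now)
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.table:
            return [i for i in self.interfaces if i != in_iface]    # flood
        out_iface, _ = self.table[dst]
        if out_iface == in_iface:
            return []           # filter: destination is on the same segment
        return [out_iface]      # forward selectively


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    a, b = "00-00-00-00-00-0A", "00-00-00-00-00-0B"   # constructed addresses
    print("A->B, B unknown:", sw.receive({"src": a, "dst": b}, 1, 0))
    print("B->A, A learned:", sw.receive({"src": b, "dst": a}, 2, 1))
    print("table:", sw.table)
```

The last assertion in the test sends a frame after the TTL has elapsed: the old entries have been dropped, so the switch falls back to flooding until it re-learns the locations.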

Switches vs Routers

both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices

routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                     hubs    switches    routers
traffic isolation    no      yes         yes
plug & play          yes     yes         no
optimal routing      no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access)

(figure: A, B, C in a row)

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B

(figure: A's signal strength and C's signal strength plotted against space, with B in between)

Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer
• all hosts use same chipping code
widely deployed, using base stations

802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station; base station = access point (AP)

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station

ad hoc mode: hosts only

(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
 - start random backoff time
 - timer counts down while channel idle
 - transmit when timer expires
 - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

(figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)

Collision Avoidance: RTS-CTS exchange

(figure, time running downward: A and B both send RTS to the AP and the two RTS(A), RTS(B) collide; A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A) and the AP returns ACK(A); B defers for the reserved period. The reservation costs at most a collision of short RTS frames.)

802.11 frame (field sizes in bytes: 2, 2, 6, 6, 6, 2, 6, 0-2312, 4):
frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC

802.11 frame: addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

(figure: wireless host H1, AP, router R1 to the Internet)

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr

802.11 frame: addressing
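A builder and parser for the 802.11 data-frame layout given above (2, 2, 6, 6, 6, 2, 6, 0-2312, 4 bytes), as an added example and not code from the slides. Beyond the slide it uses two facts from the 802.11 standard: multi-byte fields are little-endian, and the fourth address is present only when both the To-DS and From-DS bits of the frame-control field are set (bits 0 and 1 of its second byte). The CRC is computed with `zlib.crc32`, which is the CRC-32 polynomial the FCS uses. The MAC addresses in the test are constructed, and the function names are mine.

```python
import struct
import zlib

MAX_PAYLOAD = 2312   # bytes, from the slide's frame format
FCS_LEN = 4


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split("-"))


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def build_data_frame(addr1, addr2, addr3, payload, to_ds=True, from_ds=False, addr4=None, seq=0):
    """frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) | seq control (2)
    | [addr4 (6)] | payload (0-2312) | CRC (4). addr4 only when To-DS and From-DS are both set."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    fc0 = 0x08                                       # protocol version 0, type 2 (data), subtype 0
    fc1 = (1 if to_ds else 0) | (2 if from_ds else 0)
    hdr = bytes([fc0, fc1]) + struct.pack("<H", 0)   # duration 0 for this example
    hdr += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    hdr += struct.pack("<H", (seq & 0x0FFF) << 4)    # sequence control: seq number in the top 12 bits
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("addr4 required when To-DS and From-DS are both set")
        hdr += mac_bytes(addr4)
    body = hdr + payload
    return body + struct.pack("<I", zlib.crc32(body))   # CRC-32 FCS


def fcs_ok(frame: bytes) -> bool:
    if len(frame) < 24 + FCS_LEN:
        return False
    return zlib.crc32(frame[:-FCS_LEN]) == struct.unpack("<I", frame[-FCS_LEN:])[0]


def parse_data_frame(frame: bytes) -> dict:
    if not fcs_ok(frame):
        raise ValueError("frame too short or FCS mismatch")
    body = frame[:-FCS_LEN]
    fc0, fc1 = body[0], body[1]
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    hdr_len = 30 if (to_ds and from_ds) else 24
    if len(body) < hdr_len:
        raise ValueError("truncated four-address header")
    return {
        "type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
        "to_ds": to_ds, "from_ds": from_ds,
        "duration": struct.unpack("<H", body[2:4])[0],
        "addr1": mac_str(body[4:10]),     # receiver on the wireless link
        "addr2": mac_str(body[10:16]),    # transmitter on the wireless link
        "addr3": mac_str(body[16:22]),    # router interface behind the AP (infrastructure mode)
        "seq": struct.unpack("<H", body[22:24])[0] >> 4,
        "addr4": mac_str(body[24:30]) if hdr_len == 30 else None,
        "payload": body[hdr_len:],
    }


if __name__ == "__main__":
    ap, h1, r1 = "00-0A-95-9D-68-16", "00-1B-63-84-45-E6", "00-50-56-C0-00-08"   # constructed
    frame = build_data_frame(ap, h1, r1, b"hello", seq=7)
    print(len(frame), "bytes:", parse_data_frame(frame))
```

The H1-to-AP case from the slide is the `to_ds=True, from_ds=False` form: address 1 is the AP, address 2 is H1, address 3 is R1, and the frame is 24 header bytes plus payload plus 4 bytes of CRC.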

Network Security

What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame: addressing
  • Slide 105
  • Network Security

Routing Algorithm classification

Global or decentralized information?

Global: all routers have complete topology, link cost info; "link state" algorithms

Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms

Static or dynamic?

Static: routes change slowly over time

Dynamic: routes change more quickly; periodic update; in response to link cost changes

Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  (new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v)
until all nodes in N

Dijkstra's algorithm example

(figure: graph with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2)

Step   N         D(v),p(v)   D(w),p(w)   D(x),p(x)   D(y),p(y)   D(z),p(z)
0      u         2,u         5,u         1,u         ∞           ∞
1      ux        2,u         4,x                     2,x         ∞
2      uxy       2,u         3,y                                 4,y
3      uxyv                  3,y                                 4,y
4      uxyvw                                                     4,y
5      uxyvwz
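The algorithm of the previous slide run on this example graph, as an added example that is not code from the slides. The edge costs are those recoverable from the table and figure above. Ties for the minimum D(w) are broken by node name here, so v enters N before y at step 2 where the slide picks y; the final costs and predecessors are the same either way. `forwarding_table` adds the step the slide leaves implicit: the router installs the next hop on each least-cost path, not the whole path. Function names are mine.

```python
INF = float("inf")

# The slide's example graph (undirected link costs).
GRAPH = {
    "u": {"v": 2, "w": 5, "x": 1},
    "v": {"u": 2, "w": 3, "x": 2},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"w": 1, "x": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph, source):
    """Link-state computation as on the slide. Returns (D, p, steps): least costs,
    predecessors, and the order in which nodes were added to N."""
    N = {source}
    D = {v: INF for v in graph}
    p = {v: None for v in graph}
    D[source] = 0
    for v, c in graph[source].items():          # initialization: D(v) = c(u,v) for neighbours of u
        D[v], p[v] = c, source
    steps = [source]
    while len(N) < len(graph):
        # find w not in N such that D(w) is a minimum (ties broken by name)
        w = min((v for v in graph if v not in N), key=lambda v: (D[v], v))
        if D[w] == INF:
            break                                # remaining nodes are unreachable
        N.add(w)
        steps.append(w)
        for v, c in graph[w].items():            # update D(v) for v adjacent to w and not in N
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p, steps


def shortest_path(p, source, target):
    """Walk predecessors back from target to source; None if unreachable."""
    path = [target]
    while path[-1] != source:
        if p[path[-1]] is None:
            return None
        path.append(p[path[-1]])
    return path[::-1]


def forwarding_table(graph, source):
    """What the router installs: the next hop on the least-cost path to each destination."""
    _, p, _ = dijkstra(graph, source)
    table = {}
    for dest in graph:
        if dest == source:
            continue
        path = shortest_path(p, source, dest)
        table[dest] = path[1] if path else None
    return table


if __name__ == "__main__":
    D, p, steps = dijkstra(GRAPH, "u")
    print("order added to N:", steps)
    for v in sorted(GRAPH):
        print(f"D({v}) = {D[v]}, p({v}) = {p[v]}, path = {shortest_path(p, 'u', v)}")
    print("forwarding table at u:", forwarding_table(GRAPH, "u"))
```

Every destination except v is reached through x, which is the point of the exercise: a link-state router ends up with a compact next-hop table even though it computed full paths.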

Distance vector algorithm (1)

Basic idea: Each node periodically sends its own distance vector estimate to neighbors. When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:

D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N

Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary

The algorithm doesn't know the entire path, only knows the next hop

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

(figure: three nodes with c(x,y) = 2, c(x,z) = 7, c(y,z) = 1; each node's table has rows "from" x, y, z and columns "cost to" x, y, z)

node x table, initially:
from x: 0 2 7
from y: ∞ ∞ ∞
from z: ∞ ∞ ∞

node y table, initially:
from x: ∞ ∞ ∞
from y: 2 0 1
from z: ∞ ∞ ∞

node z table, initially:
from x: ∞ ∞ ∞
from y: ∞ ∞ ∞
from z: 7 1 0

after the first exchange of distance vectors:
node x table: from x: 0 2 3; from y: 2 0 1; from z: 7 1 0
node y table: from x: 0 2 7; from y: 2 0 1; from z: 7 1 0
node z table: from x: 0 2 7; from y: 2 0 1; from z: 3 1 0

after the second exchange (stable):
node x table: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0
node y table: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0
node z table: from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

D_x(y) = min{ c(x,y) + D_y(y), c(x,z) + D_z(y) } = min{ 2+0, 7+1 } = 2

D_x(z) = min{ c(x,y) + D_y(z), c(x,z) + D_z(z) } = min{ 2+1, 7+0 } = 3
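The distance-vector exchange of the two slides above, as an added example and not the slides' code. Each `DVNode` keeps the table shown in the figure (one row per node, columns = cost to each destination), re-runs the Bellman-Ford equation whenever a neighbour's vector arrives, and reports whether its own vector changed so that only changed vectors are sent on. `run_until_stable` drives synchronous rounds; on the slide's three-node graph (constructed here from the figure's costs) it settles after two exchanges with D_x(z) = 3 via y. One assumption beyond the slide: a node initialises each neighbour's own entry to 0 before any vector arrives, since a neighbour's cost to itself is known without a message.

```python
INF = float("inf")

# Constructed from the slide's three-node figure: c(x,y) = 2, c(x,z) = 7, c(y,z) = 1.
COSTS = {"x": {"y": 2, "z": 7}, "y": {"x": 2, "z": 1}, "z": {"x": 7, "y": 1}}


class DVNode:
    def __init__(self, name, costs):
        self.name = name
        self.c = costs[name]                         # link costs to neighbours
        nodes = sorted(costs)
        # table D[from][to]: neighbour rows start unknown (∞) except their cost to themselves
        self.D = {n: {d: INF for d in nodes} for n in nodes}
        for n in nodes:
            self.D[n][n] = 0
        for d in nodes:
            if d != name:
                self.D[name][d] = self.c.get(d, INF)
        self.next_hop = {d: (d if d in self.c else None) for d in nodes if d != name}

    def vector(self):
        """Our own distance vector, the row we send to neighbours."""
        return dict(self.D[self.name])

    def update(self, neighbour, vector):
        """Store the neighbour's DV and re-run Bellman-Ford for every destination.
        Returns True when our own DV changed (so neighbours must be told)."""
        self.D[neighbour] = dict(vector)
        changed = False
        for y in self.D[self.name]:
            if y == self.name:
                continue
            best, hop = INF, None
            for v, cost in self.c.items():          # D_x(y) = min_v { c(x,v) + D_v(y) }
                if cost + self.D[v][y] < best:
                    best, hop = cost + self.D[v][y], v
            if best != self.D[self.name][y]:
                self.D[self.name][y], changed = best, True
            self.next_hop[y] = hop
        return changed


def run_until_stable(costs, max_rounds=50):
    """Synchronous rounds: every node whose DV changed sends it to its neighbours."""
    nodes = {n: DVNode(n, costs) for n in costs}
    pending = {n: nodes[n].vector() for n in nodes}      # everyone announces at start
    rounds = 0
    while pending and rounds < max_rounds:
        rounds += 1
        changed = set()
        for sender, vec in pending.items():
            for nb in costs[sender]:
                if nodes[nb].update(sender, vec):
                    changed.add(nb)
        pending = {n: nodes[n].vector() for n in sorted(changed)}
    return nodes, rounds


if __name__ == "__main__":
    nodes, rounds = run_until_stable(COSTS)
    print("stable after", rounds, "exchanges")
    for n in sorted(nodes):
        print(f"node {n} table:", nodes[n].D, "next hops:", nodes[n].next_hop)
```

As the slide says, x never learns the path x-y-z, only that z is reached through y at cost 3.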

The Internet Network layer

Host, router network layer functions:

Routing protocols
• path selection
• RIP, OSPF, BGP

IP protocol
• addressing conventions
• datagram format
• packet handling conventions

ICMP protocol
• error reporting
• router "signaling"

(figure: Transport layer: TCP, UDP; Network layer: routing protocols, IP protocol, forwarding table, ICMP protocol; Link layer; physical layer)

IP datagram format (32 bits wide)

ver (IP protocol version number) | head len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
16-bit identifier | flgs | fragment offset (for fragmentation/reassembly)
time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any), e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
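The header layout above turned into a builder, a parser and a one-hop forwarding step, as an added example that is not code from the slides. The parser verifies the Internet checksum (one's-complement sum of the header's 16-bit words, as in RFC 1071) and rejects anything that is not version 4, and `forward_hop` does what the "decremented at each router" note describes: TTL minus one, checksum recomputed, packet dropped when TTL would reach 0. The addresses in the test come from the addressing slides that follow; the function names are mine.

```python
import struct


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0, tos=0, flags=0, frag_offset=0):
    """20-byte header with no options. proto 6 = TCP, 17 = UDP."""
    ver_ihl = (4 << 4) | 5                         # version 4, header length 5 words = 20 bytes
    flags_frag = (flags << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, hlen = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or hlen < 20 or len(pkt) < hlen:
        raise ValueError("not a well-formed IPv4 header")
    if internet_checksum(pkt[:hlen]) != 0:           # sum over header incl. checksum must be all ones
        raise ValueError("header checksum mismatch")
    return {"version": version, "header_len": hlen, "tos": tos, "total_len": total_len,
            "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "proto": proto, "checksum": csum,
            "src": ip_str(src), "dst": ip_str(dst), "options": pkt[20:hlen]}


def forward_hop(pkt: bytes):
    """What each router does: decrement TTL and recompute the checksum; drop at TTL 0."""
    h = parse_ipv4_header(pkt)       # also rejects corrupted headers
    if h["ttl"] <= 1:
        return None
    out = bytearray(pkt)
    out[8] -= 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", internet_checksum(bytes(out[:h["header_len"]])))
    return bytes(out)


if __name__ == "__main__":
    pkt = build_ipv4_header("223.1.1.1", "223.1.2.9", payload_len=20, ident=0x1234)
    print(parse_ipv4_header(pkt))
    print("after one hop, TTL =", parse_ipv4_header(forward_hop(pkt))["ttl"])
```

With a 20-byte TCP segment as payload the total length field reads 40, the "20 bytes of TCP + 20 bytes of IP" on the slide.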

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface

interface: connection between host/router and physical link; routers typically have multiple interfaces; host may have multiple interfaces; IP addresses associated with each interface

(figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27)

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address: subnet part (high order bits); host part (low order bits)

What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router

(figure: network consisting of 3 subnets (LANs) with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27)

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format: a.b.c.d/x, where x is # bits in subnet portion of address

11001000 00010111 00010000 00000000
subnet part (23 bits) | host part
200.23.16.0/23
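The subnet and CIDR slides worked in code, as an added example that is not from the slides: `split_address` produces the subnet/host bit split shown for 200.23.16.0/23, `same_subnet` applies the slide's definition of a subnet, `classful_prefix` is the pre-CIDR rule the slide says CIDR replaced, and `group_by_subnet` recovers the three subnets of the figure from its interface addresses. It uses the standard library's `ipaddress` module; the function names are mine.

```python
import ipaddress
from collections import defaultdict


def split_address(addr: str, prefix_len: int):
    """Bit strings of the subnet part (high-order x bits) and host part for a.b.c.d/x."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    return bits[:prefix_len], bits[prefix_len:]


def subnet_of(addr: str, prefix_len: int) -> ipaddress.IPv4Network:
    """The a.b.c.d/x block an interface belongs to (host bits zeroed)."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Slide's definition: same subnet part, so reachable without an intervening router."""
    return subnet_of(a, prefix_len) == subnet_of(b, prefix_len)


def classful_prefix(addr: str) -> int:
    """Pre-CIDR rule: class A, B, C from the leading bits gave /8, /16, /24 masks only."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 0x80:
        return 8
    if first < 0xC0:
        return 16
    if first < 0xE0:
        return 24
    raise ValueError("not a class A/B/C address")


def host_addresses(prefix_len: int) -> int:
    """Usable host addresses in a /x (network and broadcast addresses excluded)."""
    return 2 ** (32 - prefix_len) - 2 if prefix_len <= 30 else 0


def group_by_subnet(addrs, prefix_len):
    """Map each subnet block to the interfaces that fall inside it."""
    groups = defaultdict(list)
    for a in addrs:
        groups[str(subnet_of(a, prefix_len))].append(a)
    return dict(groups)


if __name__ == "__main__":
    sub, host = split_address("200.23.16.0", 23)
    print("200.23.16.0/23 -> subnet part", sub, "host part", host)
    figure = ["223.1.1.1", "223.1.1.2", "223.1.1.3", "223.1.1.4", "223.1.2.9",
              "223.1.2.2", "223.1.2.1", "223.1.3.2", "223.1.3.1", "223.1.3.27"]
    print(group_by_subnet(figure, 24))
```

The /23 in the slide's example is exactly what classful addressing could not express: 200.23.16.0 is a class C address, so the only mask available before CIDR would have been /24.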

NAT: Network Address Translation

(figure: local network (e.g. home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router 10.0.0.4, whose public address is 138.76.29.7, connected to the rest of the Internet)

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

(figure: hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; NAT router 10.0.0.4 / 138.76.29.7)

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80

2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001; updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80

3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001

4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
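The four-step NAT walkthrough above in code, as an added example that is not the slides' own: `outbound` performs step 2 (allocate a WAN port, record the translation, rewrite the source), `inbound` performs step 4 (map the WAN port back to the private host), and a reply with no matching entry is dropped, which is the side effect that makes a NAT behave like a coarse inbound filter. Addresses and ports are the slide's; the class and function names are mine, and the starting port 5001 is taken from the slide's table.

```python
class NatRouter:
    """Port-based NAT as on the slide: one public address shared by many private hosts."""

    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}       # (WAN addr, WAN port) -> (LAN addr, LAN port)
        self.reverse = {}     # (LAN addr, LAN port) -> (WAN addr, WAN port)

    def outbound(self, pkt: dict) -> dict:
        """Step 2: rewrite source to (NAT IP, new port), adding a table entry if needed."""
        lan = (pkt["src"], pkt["sport"])
        if lan not in self.reverse:
            wan = (self.wan_ip, self.next_port)
            self.next_port += 1
            self.table[wan] = lan
            self.reverse[lan] = wan
        wan_ip, wan_port = self.reverse[lan]
        return {**pkt, "src": wan_ip, "sport": wan_port}

    def inbound(self, pkt: dict):
        """Step 4: map (NAT IP, port) back to the private host; drop if no mapping exists."""
        lan = self.table.get((pkt["dst"], pkt["dport"]))
        if lan is None:
            return None     # unsolicited inbound traffic has nowhere to go
        return {**pkt, "dst": lan[0], "dport": lan[1]}


def slide_walkthrough():
    """Steps 1-4 from the slide, with the slide's addresses and ports."""
    nat = NatRouter("138.76.29.7")
    step1 = {"src": "10.0.0.1", "sport": 3345, "dst": "128.119.40.186", "dport": 80}
    step2 = nat.outbound(step1)
    step3 = {"src": "128.119.40.186", "sport": 80, "dst": step2["src"], "dport": step2["sport"]}
    step4 = nat.inbound(step3)
    return nat, step2, step4


if __name__ == "__main__":
    nat, out, back = slide_walkthrough()
    print("leaving the LAN:", out)
    print("reply delivered as:", back)
    print("translation table:", nat.table)
```

Two private hosts may both use local port 3345; the NAT keeps them apart by giving each its own WAN port, which is why the table is keyed on the (address, port) pair and not on the address alone.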

Hierarchical Routing

scale: with 200 million destinations: can't store all dest's in routing tables; routing table exchange would swamp links

administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network

Our routing study thus far: idealization: all routers identical, network "flat"… not true in practice

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)

routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol

Gateway router: direct link to router in another AS

(figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; in each router an Intra-AS routing algorithm and an Inter-AS routing algorithm together fill the forwarding table)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: Intra-AS sets entries for internal dests; Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX Distribution in 1982. Distance metric: # of hops (max = 15 hops)

# of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

(figure: routers A, B, C, D and subnets u, v, w, x, y, z)

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available. Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort; high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology

Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

(figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"

Two important attributes:
AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed

Scale: hierarchical routing saves table size, reduced update traffic

Performance: Intra-AS: can focus on performance. Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs

layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest
• different from IP address

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates
• Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:

Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use

Random Access: channel not divided, allow collisions; "recover" from collisions

"Taking turns": Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access: access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

(Figure: host H1 sends through the AP to Internet router R1.)

802.11 frame: address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr

802.3 frame: dest address = R1 MAC addr; source address = AP MAC addr
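The frame layout and the three-address rule above, as an added example that is not part of the lecture slides: a builder and parser for the data-frame header with the field widths the slide gives, plus the address assignment for a host-to-AP frame and the 802.3 frame the AP produces. The MAC addresses are constructed, zlib's CRC-32 stands in for the 4-byte CRC (the slide names no polynomial), and the frame-control value is a placeholder.

```python
import struct
import zlib

# Field widths in bytes, in the order the slide draws the 802.11 frame:
# frame control 2 | duration 2 | address 1 6 | address 2 6 | address 3 6 |
# seq control 2 | address 4 6 | payload 0-2312 | CRC 4
HEADER_FMT = "<HH6s6s6sH6s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 30 bytes
CRC_LEN = 4
MAX_PAYLOAD = 2312
BROADCAST = "FF-FF-FF-FF-FF-FF"

def mac_bytes(text):
    """'1A-2F-BB-76-09-AD' -> 6 raw bytes."""
    parts = text.split("-")
    if len(parts) != 6:
        raise ValueError("MAC address needs six octets: %r" % text)
    return bytes(int(p, 16) for p in parts)

def mac_text(raw):
    return "-".join("%02X" % b for b in raw)

def build_frame(addr1, addr2, addr3, payload, seq=0, addr4=BROADCAST,
                frame_control=0x0008, duration=0):
    """Assemble header + payload + CRC.  zlib's CRC-32 stands in for the
    4-byte CRC on the slide (assumption); 0x0008 is a placeholder control word."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 2312-byte maximum")
    header = struct.pack(HEADER_FMT, frame_control, duration,
                         mac_bytes(addr1), mac_bytes(addr2), mac_bytes(addr3),
                         seq, mac_bytes(addr4))
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def parse_frame(frame):
    """Split a frame into its fields, rejecting short or corrupted frames."""
    if len(frame) < HEADER_LEN + CRC_LEN:
        raise ValueError("frame shorter than header + CRC")
    body, crc_field = frame[:-CRC_LEN], frame[-CRC_LEN:]
    if struct.unpack("<I", crc_field)[0] != zlib.crc32(body) & 0xFFFFFFFF:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    fc, dur, a1, a2, a3, seq, a4 = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    return {"frame_control": fc, "duration": dur,
            "addr1": mac_text(a1), "addr2": mac_text(a2), "addr3": mac_text(a3),
            "seq_control": seq, "addr4": mac_text(a4), "payload": body[HEADER_LEN:]}

def host_to_ap_addresses(host_mac, ap_mac, router_mac):
    """Infrastructure-mode frame from a wireless host, as on the slide:
    address 1 = receiver (the AP), address 2 = transmitter (the host),
    address 3 = the router interface the AP is attached to."""
    return {"addr1": ap_mac, "addr2": host_mac, "addr3": router_mac}

def to_8023(parsed):
    """What the AP hands to the wired LAN: dest = router (address 3),
    source = the AP itself, as the slide's 802.3 frame shows."""
    return {"dest": parsed["addr3"], "source": parsed["addr1"],
            "payload": parsed["payload"]}
```

The parser checks length and CRC before trusting any field, so a truncated or bit-flipped frame is rejected rather than silently misread; a real 802.11 stack does the same FCS check in hardware.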

Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks


Dijkstra's Algorithm

Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  (new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v)
until all nodes in N

Dijkstra's algorithm example

(Figure: six-node network u, v, w, x, y, z with its link costs.)

Step | N      | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux     | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |

Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford (B-F) equation:

$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$

Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path; it only knows the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

(Figure: three-node network with link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7. Each table lists cost to x, y, z in its columns and the DV heard from x, y, z in its rows; the tables evolve left to right with time.)

node x table
  time 0: from x: 0 2 7 | from y: ∞ ∞ ∞ | from z: ∞ ∞ ∞
  time 1: from x: 0 2 3 | from y: 2 0 1 | from z: 7 1 0
  time 2: from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0

node y table
  time 0: from x: ∞ ∞ ∞ | from y: 2 0 1 | from z: ∞ ∞ ∞
  time 1: from x: 0 2 7 | from y: 2 0 1 | from z: 7 1 0
  time 2: from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0

node z table
  time 0: from x: ∞ ∞ ∞ | from y: ∞ ∞ ∞ | from z: 7 1 0
  time 1: from x: 0 2 7 | from y: 2 0 1 | from z: 3 1 0
  time 2: from x: 0 2 3 | from y: 2 0 1 | from z: 3 1 0

$D_x(y) = \min\{ c(x,y) + D_y(y),\ c(x,z) + D_z(y) \} = \min\{2+0,\ 7+1\} = 2$

$D_x(z) = \min\{ c(x,y) + D_y(z),\ c(x,z) + D_z(z) \} = \min\{2+1,\ 7+0\} = 3$
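The Bellman-Ford update and the three-node run above, as an added example that is not part of the lecture slides: each node starts knowing only its own link costs, recomputes from the vectors its neighbors sent, and the run stops once no vector changes (the slide's "notify neighbors only when the DV changes"). The link costs are the ones on the figure; the synchronous-rounds scheduling is a simplification of the slide's asynchronous description.

```python
INF = float("inf")

# Link costs of the 3-node example on the slide: c(x,y)=2, c(y,z)=1, c(x,z)=7
LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}

def build_costs(links):
    """Symmetric cost matrix c[a][b]; INF where there is no direct link."""
    nodes = sorted({n for edge in links for n in edge})
    c = {a: {b: INF for b in nodes} for a in nodes}
    for a in nodes:
        c[a][a] = 0
    for (a, b), w in links.items():
        c[a][b] = w
        c[b][a] = w
    return nodes, c

def bellman_ford_update(x, c, neighbor_dvs):
    """D_x(y) <- min over neighbours v of c(x,v) + D_v(y), for each y."""
    new = {}
    for y in c:
        best = 0 if y == x else INF
        for v, dv in neighbor_dvs.items():
            best = min(best, c[x][v] + dv.get(y, INF))
        new[y] = best
    return new

def run_dv(links, max_rounds=10):
    """Synchronous rounds (a simplification of the slide's asynchronous
    iteration): every node recomputes from the DVs its neighbours sent in
    the previous round.  Returns (tables, rounds_until_stable)."""
    nodes, c = build_costs(links)
    # time 0: each node knows only its own link costs
    dv = {x: {y: c[x][y] for y in nodes} for x in nodes}
    for r in range(1, max_rounds + 1):
        new = {}
        for x in nodes:
            neighbours = {v: dv[v] for v in nodes if v != x and c[x][v] < INF}
            new[x] = bellman_ford_update(x, c, neighbours)
        changed = new != dv      # a node only notifies neighbours when its DV changed
        dv = new
        if not changed:
            return dv, r - 1
    return dv, max_rounds
```

With these costs x learns the cheaper x-y-z path for z in the first round and nothing changes in the second, which is why the slide's tables at time 1 and time 2 are identical for node x.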

The Internet Network layer

Host, router network layer functions:

Routing protocols: path selection; RIP, OSPF, BGP
IP protocol: addressing conventions, datagram format, packet handling conventions
ICMP protocol: error reporting, router "signaling"
Forwarding table

(Figure: the network layer sits between the transport layer (TCP, UDP) above and the link layer and physical layer below.)

IP datagram format (32 bits wide)

ver: IP protocol version number
head len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number of remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
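The header layout above, as an added example that is not part of the lecture slides: a parser for the 20-byte IPv4 header that validates the version, header length, total length and Internet checksum, a builder for test packets, and the per-router step of decrementing TTL and recomputing the checksum. The addresses and payload are constructed; the DF flag bit and protocol 6 (TCP) in the builder are my defaults.

```python
import struct

HDR_FMT = "!BBHHHBBH4s4s"        # the 20-byte fixed header, network byte order

def checksum16(data):
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return (~total) & 0xFFFF

def ip_bytes(addr):
    octets = [int(p) for p in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address %r" % addr)
    return bytes(octets)

def parse_ipv4_header(pkt):
    """Field dictionary for a datagram; ValueError on anything inconsistent."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(HDR_FMT, pkt[:20])
    ver, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # header length in bytes
    if ver != 4:
        raise ValueError("not an IPv4 datagram")
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("header length inconsistent with packet")
    if total_len < ihl or total_len > len(pkt):
        raise ValueError("total length inconsistent with packet")
    if checksum16(pkt[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    return {"version": ver, "header_len": ihl, "tos": tos, "total_len": total_len,
            "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "options": pkt[20:ihl], "payload": pkt[ihl:total_len]}

def build_ipv4(src, dst, payload, ttl=64, proto=6, ident=0):
    """Constructed datagram with no options; DF flag set, TCP by default."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]
    return hdr + payload

def forward(pkt):
    """One router hop: decrement TTL and recompute the header checksum.
    Returns None when the datagram must be dropped (TTL would reach 0)."""
    h = parse_ipv4_header(pkt)
    if h["ttl"] <= 1:
        return None
    ihl = h["header_len"]
    hdr = bytearray(pkt[:ihl])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum16(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]
```

Checking the length fields against the buffer before indexing is what keeps a malformed header from reading past the packet; the checksum only catches accidental corruption, not deliberate tampering.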

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface

interface: connection between host/router and physical link; routers typically have multiple interfaces; a host may have multiple interfaces; IP addresses associated with each interface

(Figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9,
223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27.)

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address: subnet part (high order bits) + host part (low order bits)

What's a subnet? Device interfaces with the same subnet part of their IP address can physically reach each other without an intervening router.

(Figure: the same interfaces, 223.1.1.1 through 223.1.3.27, forming a network consisting of 3 subnets, each a LAN.)

IP addressing: CIDR

Before CIDR only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing. Subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is # bits in subnet portion of address.

200.23.16.0/23 = 11001000 00010111 00010000 00000000 (first 23 bits: subnet part; remaining bits: host part)
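The subnet/host split and the a.b.c.d/x notation above, as an added example that is not part of the lecture slides: mask arithmetic that reproduces the slide's binary expansions, decides whether two interfaces share a subnet, and groups the ten interfaces of the figure into their three subnets. The /24 prefix used for that grouping is my assumption (the slide does not state the mask); ipaddress from the standard library is used only as a cross-check.

```python
import ipaddress

# The ten interface addresses drawn on the slide.
SLIDE_ADDRESSES = ["223.1.1.1", "223.1.1.2", "223.1.1.3", "223.1.1.4",
                   "223.1.2.9", "223.1.2.2", "223.1.2.1",
                   "223.1.3.2", "223.1.3.1", "223.1.3.27"]

def ip_to_int(addr):
    octets = [int(p) for p in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def to_binary(addr):
    """The slide's notation: 223.1.1.1 = 11011111 00000001 00000001 00000001."""
    return " ".join("{:08b}".format((ip_to_int(addr) >> s) & 0xFF)
                    for s in (24, 16, 8, 0))

def subnet_mask(prefix_len):
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF

def subnet_part(addr, prefix_len):
    """High-order prefix_len bits; the remaining low-order bits are the host part."""
    return ip_to_int(addr) & subnet_mask(prefix_len)

def same_subnet(a, b, prefix_len):
    """True when a and b can reach each other without an intervening router."""
    return subnet_part(a, prefix_len) == subnet_part(b, prefix_len)

def group_by_subnet(addrs, prefix_len):
    """Interfaces grouped by their subnet part, keyed in a.b.c.d/x form."""
    groups = {}
    for a in addrs:
        key = "%s/%d" % (int_to_ip(subnet_part(a, prefix_len)), prefix_len)
        groups.setdefault(key, []).append(a)
    return groups

def stdlib_agrees(addr, cidr):
    """Cross-check: does the standard library place addr inside cidr?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
```

Because the mask is a run of ones followed by zeros, a /23 covers two adjacent /24 blocks, which is the point of the 200.23.16.0/23 example: 200.23.16.x and 200.23.17.x differ only in host bits.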

NAT: Network Address Translation

(Figure: local network, e.g. home network, 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4; NAT router with address 138.76.29.7 toward the rest of the Internet.)

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source, destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80

2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80

NAT translation table
WAN side addr      | LAN side addr
138.76.29.7, 5001  | 10.0.0.1, 3345
……                 | ……

3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001

4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
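The four translation steps above, as an added example that is not part of the lecture slides: a translation table keyed by (WAN address, port) that rewrites outbound sources, maps replies back to the LAN host, and drops inbound datagrams with no entry. The addresses and ports are the ones on the slide; the sequential port allocation starting at 5001 is my assumption.

```python
class NatRouter:
    """Added illustration of the slide's four translation steps."""

    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port       # sequential allocation: an assumption
        self.wan_to_lan = {}              # (WAN addr, port) -> (LAN addr, port)
        self.lan_to_wan = {}              # (LAN addr, port) -> WAN port

    def outbound(self, dgram):
        """Steps 1-2: rewrite source to (NAT IP, port) and record the mapping.
        dgram is a dict with src, sport, dst, dport."""
        lan = (dgram["src"], dgram["sport"])
        if lan not in self.lan_to_wan:
            port = self.next_port
            self.next_port += 1
            self.lan_to_wan[lan] = port
            self.wan_to_lan[(self.wan_ip, port)] = lan
        return dict(dgram, src=self.wan_ip, sport=self.lan_to_wan[lan])

    def inbound(self, dgram):
        """Steps 3-4: look up (dest addr, dest port) and rewrite back to the
        LAN host.  A datagram with no table entry is dropped (None)."""
        lan = self.wan_to_lan.get((dgram["dst"], dgram["dport"]))
        if lan is None:
            return None
        return dict(dgram, dst=lan[0], dport=lan[1])

    def table_rows(self):
        """The translation table as (WAN side, LAN side) pairs, like the slide."""
        return sorted((("%s, %d" % wan), ("%s, %d" % lan))
                      for wan, lan in self.wan_to_lan.items())
```

The drop in inbound is the behaviour that gives a NAT its incidental filtering effect: only traffic answering a mapping that an inside host created gets through.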

Hierarchical Routing

Our routing study thus far has been an idealization: all routers identical, network "flat"... not true in practice.

Scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS).

Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol. Routers in different ASes can run different intra-AS routing protocols.

Gateway router: has a direct link to a router in another AS.

(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. Each router's forwarding table is fed by both an intra-AS routing algorithm and an inter-AS routing algorithm.)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithms: intra-AS sets entries for internal dests; inter-AS and intra-AS together set entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops). # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A).

(Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z.)

destination | hops
u | 1
v | 2
w | 2
x | 3
y | 3
z | 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement). Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.

Area border routers "summarize" distances to nets in own area, advertise to other area border routers.

Backbone routers run OSPF routing limited to backbone.

Boundary routers connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

(Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS.)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:
AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17
NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)

When a gateway router receives a route advert, it uses import policy to accept/decline.
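The route attributes and the accept/decline step above, as an added example that is not part of the lecture slides: an import policy applied to a prefix plus AS-PATH plus NEXT-HOP, the prefix aggregation the "BGP basics" slide mentions, and the AS-PATH a gateway would re-advertise. Rejecting an AS-PATH that already contains the local AS (a routing loop) and preferring the shorter AS-PATH are standard BGP behaviour rather than rules the slide states; the AS numbers, prefix and router names are constructed.

```python
import ipaddress

def import_route(local_as, table, prefix, as_path, next_hop):
    """Apply an import policy to one advert and update `table` in place.
    Returns (accepted, reason).  Loop rejection and shortest-AS-PATH
    preference are standard BGP practice (assumption: the slide only says
    the gateway applies a policy)."""
    ipaddress.ip_network(prefix)            # malformed prefix -> ValueError
    if not as_path:
        return False, "declined: empty AS-PATH"
    if local_as in as_path:
        return False, "declined: own AS %d already in AS-PATH (loop)" % local_as
    current = table.get(prefix)
    if current is None or len(as_path) < len(current["as_path"]):
        table[prefix] = {"as_path": list(as_path), "next_hop": next_hop}
        return True, "accepted"
    return False, "declined: kept existing route with AS-PATH %s" % current["as_path"]

def aggregate(prefixes):
    """Merge adjacent prefixes into the shortest equivalent set, as an AS
    may do before advertising ("AS2 can aggregate prefixes")."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def re_advertise(local_as, table, prefix):
    """The route as passed on to a neighbouring AS: our AS number is
    prepended to the AS-PATH so downstream gateways can detect loops."""
    return {"prefix": prefix,
            "as_path": [local_as] + table[prefix]["as_path"],
            "next_hop": table[prefix]["next_hop"]}
```

The loop check is the one policy every gateway must apply regardless of business preference: without it an advert could circulate between ASes indefinitely.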

Why different Intra- and Inter-AS routing?

Policy: inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.

Scale: hierarchical routing saves table size, reduced update traffic.

Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs); a layer-2 packet is a frame, which encapsulates a datagram.

The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error links (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkt, slots 2, 5, 6 idle.

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.

Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p.

prob that node 1 has success in a slot $= p(1-p)^{N-1}$

prob that there is a success $= Np(1-p)^{N-1}$

For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$.

For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity: gives $1/e \approx 0.37$.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best, channel used for useful transmissions 37% of time.
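The efficiency derivation above, carried through in code as an added example that is not part of the lecture slides: the success probability $Np(1-p)^{N-1}$, its maximiser $p^* = 1/N$, the $1/e$ limit, and a slot-by-slot simulation with constructed randomness that confirms the closed form for a given N and p.

```python
import math
import random

def success_prob(n, p):
    """Probability that exactly one of n nodes transmits in a slot: n p (1-p)^(n-1)."""
    if n < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need n >= 1 and 0 <= p <= 1")
    return n * p * (1.0 - p) ** (n - 1)

def best_p(n):
    """Setting the derivative of n p (1-p)^(n-1) to zero gives p* = 1/n."""
    return 1.0 / n

def max_efficiency(n):
    """n p* (1-p*)^(n-1) = (1 - 1/n)^(n-1), which tends to 1/e as n grows."""
    return success_prob(n, best_p(n))

def limit_efficiency():
    """The many-nodes limit the slide quotes as about 0.37."""
    return 1.0 / math.e

def simulate(n, p, slots, seed=0):
    """Long-run fraction of successful slots with n always-backlogged nodes,
    each transmitting in every slot with probability p (constructed RNG seed)."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:          # exactly one sender: no collision
            successes += 1
    return successes / slots
```

Already at N = 1000 the optimum is within 0.0002 of 1/e, which is why the slide can quote 37% as the practical ceiling.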

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission.

Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.

(Figure: spatial layout of nodes versus time.) Note the role of distance & propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage.

Collision detection: easy in wired LANs (measure signal strengths, compare transmitted, received signals); difficult in wireless LANs (receiver shut off while transmitting).

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).

Token passing: control token passed from one node to next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (host, router) on LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B knowing B's IP address?

(Figure: LAN with nodes 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.

A broadcasts ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.

B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state, information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

(Figure: A - R - B.)

A creates datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram. A's adapter sends frame. R's adapter receives frame. R removes IP datagram from Ethernet frame, sees it's destined to B. R uses ARP to get B's MAC address. R creates frame containing A-to-B IP datagram, sends to B.
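The ARP table, the query/reply exchange and the "same LAN or via the router" decision from the three slides above, as one added example that is not part of the lecture slides: a soft-state cache with the 20-minute TTL, a constructed LAN that answers broadcast queries, and the next-hop choice that decides whether to ARP for the destination or for router 111.111.111.110. The IP-to-MAC pairings, A's address 111.111.111.111, B's address and the /24 prefix are constructed; the slide gives only the router's address and MAC.

```python
import time

ARP_TTL = 20 * 60            # seconds: "typically 20 min" on the slide
BROADCAST = "FF-FF-FF-FF-FF-FF"

class ArpTable:
    """Soft-state cache of <IP address, MAC address, TTL> entries."""

    def __init__(self, ttl=ARP_TTL, clock=time.time):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def learn(self, ip, mac):
        self.entries[ip] = (mac, self.clock() + self.ttl)

    def lookup(self, ip):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if self.clock() >= expires:
            del self.entries[ip]          # timed out: forgotten unless refreshed
            return None
        return mac

class Lan:
    """Constructed LAN: which node owns which IP address."""

    def __init__(self, members):
        self.members = dict(members)      # ip -> mac

    def arp_query(self, target_ip):
        """Broadcast to FF-FF-FF-FF-FF-FF; only the owner of target_ip
        replies, unicast, with its MAC (None if nobody owns it)."""
        return self.members.get(target_ip)

def resolve(table, lan, ip):
    """Use the cache if fresh, otherwise query the LAN and cache the reply."""
    mac = table.lookup(ip)
    if mac is None:
        mac = lan.arp_query(ip)
        if mac is not None:
            table.learn(ip, mac)
    return mac

def _ip_int(addr):
    o = [int(p) for p in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def next_hop(src_ip, dst_ip, prefix_len, default_router):
    """Same subnet: ARP for the destination itself; otherwise the frame goes
    to the router, so ARP for the router's address (slide 'Routing to another LAN')."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    same = (_ip_int(src_ip) & mask) == (_ip_int(dst_ip) & mask)
    return dst_ip if same else default_router

def frame_for(table, lan, src_ip, dst_ip, prefix_len, default_router):
    """Destination MAC for the link-layer frame A builds, or None if the
    next hop cannot be resolved."""
    return resolve(table, lan, next_hop(src_ip, dst_ip, prefix_len, default_router))
```

The expiry check happens on lookup, not on a timer, which is enough for a cache whose only contract is "forget unless refreshed".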

Ethernet uses CSMA/CD

No slots. Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense. Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection. Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.

Exponential Backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer. First collision: choose K from {0, 1}; delay is K·512 bit transmission times. After second collision: choose K from {0, 1, 2, 3}… After ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}.

CSMA/CD efficiency

$t_{prop}$ = max propagation delay between 2 nodes in LAN

$t_{trans}$ = time to transmit max-size frame

$\text{efficiency} = \dfrac{1}{1 + 5\, t_{prop} / t_{trans}}$

Efficiency goes to 1 as $t_{prop}$ goes to 0. Goes to 1 as $t_{trans}$ goes to infinity. Much better than ALOHA, but still decentralized, simple and cheap.
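The exponential backoff rule and the efficiency formula from the slides above, as an added example that is not part of the lecture slides: the K range after the m-th collision, the K·512 bit-time wait at the slide's 0.1 microsecond bit time (which reproduces the "about 50 msec" for K = 1023), and the efficiency expression. Capping the range at 1023 for collisions beyond the tenth is standard Ethernet behaviour; the slide's list stops at ten, so treat the cap as an assumption.

```python
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit at 10 Mbps (0.1 microsecond)
SLOT_BITS = 512            # backoff unit on the slide: K * 512 bit times
JAM_BITS = 48
MAX_EXPONENT = 10          # after the 10th collision the range stays {0..1023}

def backoff_max(m):
    """Largest K after the m-th collision: 2^m - 1, capped at 2^10 - 1 = 1023
    (the cap beyond ten collisions is standard Ethernet: assumption)."""
    if m < 1:
        raise ValueError("m counts collisions starting at 1")
    return 2 ** min(m, MAX_EXPONENT) - 1

def choose_k(m, rng=random):
    """Pick K uniformly from {0, 1, ..., 2^m - 1}."""
    return rng.randint(0, backoff_max(m))

def wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """K * 512 bit times, in seconds."""
    return k * SLOT_BITS * bit_time

def efficiency(t_prop, t_trans):
    """CSMA/CD efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_trans <= 0 or t_prop < 0:
        raise ValueError("t_trans must be positive and t_prop non-negative")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)

def backoff_schedule(collisions, seed=1):
    """(m, K, wait) for each of `collisions` successive collisions of one
    frame, with a constructed RNG seed so the run is reproducible."""
    rng = random.Random(seed)
    out = []
    for m in range(1, collisions + 1):
        k = choose_k(m, rng)
        out.append((m, k, wait_seconds(k)))
    return out
```

Doubling the range per collision is what ties the expected wait to the load: two colliders resolve within a slot or two, while a crowded segment spreads its retries over up to 1023 slots.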

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (e.g. can disconnect a malfunctioning adapter).

(Figure: hub with twisted-pair links.)

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

(Figure: a backbone hub interconnecting three department hubs.)

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment.

Transparent: hosts are unaware of presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward frame? Looks like a routing problem...

(Figure: a switch with interfaces 1, 2, 3, each attached to a hub.)

Self learning

A switch has a switch table. Entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min).

Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.

Switch: traffic isolation

Switch installation breaks subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.

(Figure: a switch joining three hubs, each hub forming its own collision domain.)
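The self-learning table and the filter/forward/flood decision from the two slides above, as an added example that is not part of the lecture slides: a switch that records (MAC address, interface, time stamp) on every received frame, drops entries older than the 60-minute TTL, forwards selectively when the destination is known, filters when it is on the incoming segment, and floods otherwise. The MAC addresses and the injected clock are constructed.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
SWITCH_TTL = 60 * 60       # seconds; the slide says the TTL can be 60 min

class LearningSwitch:
    """Added illustration of a self-learning, filtering switch."""

    def __init__(self, ports, ttl=SWITCH_TTL, clock=None):
        self.ports = set(ports)
        self.ttl = ttl
        self.clock = clock or (lambda: 0.0)     # injected so tests can age entries
        self.table = {}                         # MAC address -> (interface, time stamp)

    def _drop_stale(self):
        now = self.clock()
        for mac in [m for m, (_, stamp) in self.table.items() if now - stamp > self.ttl]:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_port):
        """Return the set of interfaces the frame is sent out on."""
        if in_port not in self.ports:
            raise ValueError("unknown interface %r" % (in_port,))
        self._drop_stale()
        self.table[src_mac] = (in_port, self.clock())   # learn the sender's segment
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return self.ports - {in_port}                # unknown/broadcast: flood
        out_port, _ = self.table[dst_mac]
        if out_port == in_port:
            return set()                                 # same segment: filter
        return {out_port}                                # known elsewhere: forward

    def known_hosts(self):
        """Snapshot of the table as {MAC: interface}, stale entries removed."""
        self._drop_stale()
        return {mac: port for mac, (port, _) in self.table.items()}
```

The filter branch is what gives the traffic isolation the slide describes: two hosts on the same hub never have their frames copied onto the other segments once the switch has learned where they are.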

Switches vs. Routers

Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.

Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                  | hubs | switches | routers
traffic isolation | no   | yes      | yes
plug & play       | yes  | yes      | no
optimal routing   | no   | no       | yes


Dijkstrarsquos algorithm example

Step012345

Nu

uxuxy

uxyvuxyvw

uxyvwz

D(v)p(v)2u2u2u

D(w)p(w)5u4x3y3y

D(x)p(x)1u

D(y)p(y)infin

2x

D(z)p(z)infin infin

4y4y4y

u

yx

wv

z2

2

13

1

1

2

53

5

Distance vector algorithm (1)

Basic idea Each node periodically sends its own distance

vector estimate to neighbors When a node x receives new DV estimate from

neighbor it updates its own DV using B-F equation

Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N

Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)

Distance Vector Algorithm (2)

Iterative asynchronous each local iteration caused by

local link cost change DV update message from

neighborDistributed each node notifies

neighbors only when its DV changes neighbors then notify

their neighbors if necessary

The algorithm doesnrsquot know the entire path ndash only knows the next hop

wait for (change in local link cost of msg from neighbor)

recompute estimates

if DV to any dest has

changed notify neighbors

Each node

x y z

xyz

0 2 7

infin infin infininfin infin infin

from

cost to

from

from

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 3

from

cost to

x y z

xyz

infin infin

infin infin infin

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

0 2 3

from

cost to

x y z

xyz

0 2 3

from

cost tox y z

xyz

0 2 7

from

cost to

x y z

xyz

infin infin infin7 1 0

cost to

infin2 0 1

infin infin infin

2 0 17 1 0

2 0 17 1 0

2 0 13 1 0

2 0 13 1 0

2 0 1

3 1 0

2 0 1

3 1 0

time

x z12

7

y

node x table

node y table

node z table

Dx(y) = minc(xy) + Dy(y) c(xz) + Dz(y) = min2+0 7+1 = 2

Dx(z) = minc(xy) + Dy(z) c(xz) + Dz(z) = min2+1 7+0 = 3

The Internet Network layer

forwardingtable

Host router network layer functions

Routing protocolsbullpath selectionbullRIP OSPF BGP

IP protocolbulladdressing conventionsbulldatagram formatbullpacket handling conventions

ICMP protocolbullerror reportingbullrouter ldquosignalingrdquo

Transport layer TCP UDP

Link layer

physical layer

Networklayer

IP datagram format

ver length

32 bits

data (variable lengthtypically a TCP

or UDP segment)

16-bit identifier

Internet checksum

time tolive

32 bit source IP address

IP protocol versionnumber

header length (bytes)

max numberremaining hops

(decremented at each router)

forfragmentationreassembly

total datagramlength (bytes)

upper layer protocolto deliver payload to

headlen

type ofservice

ldquotyperdquo of data flgsfragment

offsetupper layer

32 bit destination IP address

Options (if any) Eg timestamprecord routetaken specifylist of routers to visit

how much overhead with TCP

20 bytes of TCP 20 bytes of IP = 40 bytes + app

layer overhead

IP Addressing introduction IP address 32-bit

identifier for host router interface

interface connection between hostrouter and physical link routerrsquos typically have

multiple interfaces host may have

multiple interfaces IP addresses

associated with each interface

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

223111 = 11011111 00000001 00000001 00000001

223 1 11

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.

administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Our routing study thus far: idealization, all routers identical, network "flat"… not true in practice.

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)

routers in the same AS run the same routing protocol: "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols

Gateway router: direct link to router in another AS

[Figure: three interconnected ASes: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c. In each router the intra-AS and inter-AS routing algorithms together fill the forwarding table]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithms: intra-AS sets entries for internal destinations; inter-AS and intra-AS together set entries for external destinations.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: number of hops (max = 15 hops). Number of hops = number of subnets traversed along the shortest path from source router to destination subnet (e.g., source = A).

[Figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z]

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement). Each advertisement: list of up to 25 destination nets within the AS.

OSPF (Open Shortest Path First)

"open": publicly available. Uses Link State algorithm: LS packet dissemination, topology map at each node, route computation using Dijkstra's algorithm. Link costs configured by the network administrator.

OSPF advertisement carries one entry per neighbor router. Advertisements disseminated to the entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
Area border routers: "summarize" distances to nets in own area, advertise to other area border routers.
Backbone routers: run OSPF routing limited to the backbone.
Boundary routers: connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions run between gateway routers of different ASes, iBGP sessions between routers within an AS]

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:
AS-PATH: contains the ASes through which the advert for the prefix passed: AS 67, AS 17
NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)

When a gateway router receives a route advert, it uses import policy to accept/decline.

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduced update traffic.
Performance: Intra-AS can focus on performance. Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs). A layer-2 packet is a frame; it encapsulates a datagram.

The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer. Channel access if shared medium. "MAC" addresses used in frame headers to identify source, dest (different from IP address).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3). Seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in "rounds"; each station gets a fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle.

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.

Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p.

prob that node 1 has success in a slot = p(1-p)^(N-1)

prob that there is a success = Np(1-p)^(N-1)

For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).

For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best: channel used for useful transmissions 37% of time!
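
The efficiency derivation above, carried through in Python as an added example (not from the lecture): the closed form Np(1-p)^(N-1), its maximizer p* = 1/N, the limit toward 1/e, and a slot-by-slot simulation that also counts the two "cons" of the slide, collisions and idle slots. The simulation's seed and slot count are this example's own choices.

```python
import random


def success_probability(n: int, p: float) -> float:
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def optimal_p(n: int) -> float:
    """The p maximizing N p (1-p)^(N-1); setting the derivative to zero gives p* = 1/N."""
    return 1.0 / n


def max_efficiency(n: int) -> float:
    """Efficiency at p*: (1 - 1/N)^(N-1), which tends to 1/e as N grows."""
    return success_probability(n, optimal_p(n))


def grid_search_p(n: int, steps: int = 10_000) -> float:
    """Check the closed form numerically: try p on a grid and keep the best."""
    best = max(range(1, steps), key=lambda i: success_probability(n, i / steps))
    return best / steps


def simulate(n: int, p: float, slots: int, seed: int = 1) -> dict:
    """Long-run slot outcomes: each of N backlogged nodes transmits w.p. p per slot."""
    rng = random.Random(seed)
    success = collision = idle = 0
    for _ in range(slots):
        transmitting = sum(1 for _ in range(n) if rng.random() < p)
        if transmitting == 1:
            success += 1          # exactly one sender: the slot carries a frame
        elif transmitting == 0:
            idle += 1             # nobody sent: slot wasted idle
        else:
            collision += 1        # two or more sent: slot wasted by a collision
    return {
        "success": success / slots,
        "collision": collision / slots,
        "idle": idle / slots,
    }
```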

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.

Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.

[Figure: spatial layout of nodes; note the role of distance and propagation delay in determining collision probability]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.

Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).

Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B's IP address?

[Figure: LAN with four nodes with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address. Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.

B receives the ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out). Soft state: information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: host A and router R on one LAN, router R and host B on a second LAN]

A creates datagram with source A, destination B.
A uses ARP to get R's MAC address for 111.111.111.110.
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram.
A's adapter sends frame. R's adapter receives frame.
R removes IP datagram from Ethernet frame, sees it's destined to B.
R uses ARP to get B's MAC address.
R creates frame containing A-to-B IP datagram, sends to B.
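
The ARP exchange and the A-to-R-to-B walkthrough above, as an added Python simulation that is not part of the lecture slides. Only the router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B come from the slide; the other IP and MAC addresses, the /24 subnets and the class names are constructed for this example. The ARP table is soft state: a cached entry answers later sends until its TTL passes, after which the broadcast query is repeated.

```python
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60          # seconds: a mapping is forgotten after about 20 minutes


@dataclass
class Datagram:
    src_ip: str
    dst_ip: str


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: object        # a Datagram, or an ARP query/reply tuple


def same_subnet(ip_a: str, ip_b: str, prefix_len: int = 24) -> bool:
    to_int = lambda ip: int.from_bytes(bytes([int(o) for o in ip.split(".")]), "big")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return (to_int(ip_a) & mask) == (to_int(ip_b) & mask)


class Lan:
    """One broadcast segment; every frame put on it is recorded in `log`."""
    def __init__(self):
        self.interfaces = []
        self.log = []


class Interface:
    def __init__(self, node, ip, mac, lan):
        self.node, self.ip, self.mac, self.lan = node, ip, mac, lan
        lan.interfaces.append(self)


class Node:
    """Host or router: interfaces plus one ARP table (soft state) per node."""
    def __init__(self, name, default_router=None):
        self.name = name
        self.ifaces = []
        self.arp = {}                    # IP -> (MAC, expiry time)
        self.default_router = default_router

    def attach(self, ip, mac, lan):
        self.ifaces.append(Interface(self, ip, mac, lan))

    def arp_resolve(self, iface, target_ip, now):
        entry = self.arp.get(target_ip)
        if entry is not None and now < entry[1]:
            return entry[0]                        # cached and still fresh
        self.arp.pop(target_ip, None)              # expired entry goes away
        iface.lan.log.append(Frame(iface.mac, BROADCAST, ("ARP-QUERY", target_ip)))
        for other in iface.lan.interfaces:         # all nodes on the LAN see the query
            if other.ip == target_ip:              # only the owner answers, unicast
                iface.lan.log.append(Frame(other.mac, iface.mac, ("ARP-REPLY", other.ip, other.mac)))
                self.arp[target_ip] = (other.mac, now + ARP_TTL)
                return other.mac
        return None

    def send(self, dgram, now):
        """Routing decision, ARP for the next hop's MAC, then one link-layer frame."""
        for iface in self.ifaces:
            if same_subnet(iface.ip, dgram.dst_ip):
                next_hop = dgram.dst_ip            # same LAN: deliver directly
                break
        else:
            iface, next_hop = self.ifaces[0], self.default_router   # routing table: via router
        frame = Frame(iface.mac, self.arp_resolve(iface, next_hop, now), dgram)
        iface.lan.log.append(frame)
        return frame


def build_network():
    lan1, lan2 = Lan(), Lan()
    a, r, b = Node("A", default_router="111.111.111.110"), Node("R"), Node("B")
    a.attach("111.111.111.111", "74-29-9C-E8-FF-55", lan1)   # constructed
    r.attach("111.111.111.110", "E6-E9-00-17-BB-4B", lan1)   # from the slide
    r.attach("222.222.222.220", "1A-23-F9-CD-06-9B", lan2)   # constructed
    b.attach("222.222.222.222", "49-BD-D2-C7-56-2A", lan2)   # constructed
    return a, r, b, lan1, lan2


def walkthrough(now=0):
    """A sends to B via R: returns (A->R frame, R->B frame, frames on LAN 1, frames on LAN 2)."""
    a, r, b, lan1, lan2 = build_network()
    hop1 = a.send(Datagram("111.111.111.111", "222.222.222.222"), now)
    hop2 = r.send(hop1.payload, now)   # R strips the frame, forwards the same datagram
    return hop1, hop2, lan1.log, lan2.log
```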

Ethernet uses CSMA/CD

No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense. A transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection. Before attempting a retransmission, the adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.

Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer.
first collision: choose K from {0, 1}; delay is K·512 bit transmission times
after second collision: choose K from {0, 1, 2, 3}…
after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

Tprop = max propagation delay between 2 nodes in LAN
ttrans = time to transmit max-size frame

efficiency = 1 / (1 + 5 tprop / ttrans)

Efficiency goes to 1 as tprop goes to 0. Goes to 1 as ttrans goes to infinity. Much better than ALOHA, but still decentralized, simple, and cheap.
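
The backoff and efficiency arithmetic of the three slides above, as an added Python example that is not part of the lecture. It reproduces the K ranges per collision, the roughly 50 msec wait for K=1023 at 0.1 microsec bit time, and the efficiency formula. Two things come from the IEEE 802.3 standard rather than the slide and are marked as such in the code: the range stops growing after the 10th collision, and the propagation speed used in `efficiency_10base` (2e8 m/s) is an assumed figure.

```python
import random

BIT_TIME_US = 0.1        # bit time on 10 Mbps Ethernet, microseconds
SLOT_BITS = 512          # backoff unit: K * 512 bit times
JAM_BITS = 48
MAX_EXPONENT = 10        # IEEE 802.3 caps the range at 2^10 after the 10th collision (standard, not the slide)


def backoff_choices(m: int) -> int:
    """Size of the set {0, 1, ..., 2^m - 1} the adapter draws K from after collision m."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_EXPONENT)


def choose_k(m: int, rng: random.Random) -> int:
    """Draw K uniformly from {0, ..., 2^m - 1}."""
    return rng.randrange(backoff_choices(m))


def wait_time_us(k: float, bit_time_us: float = BIT_TIME_US) -> float:
    """K * 512 bit times, in microseconds."""
    return k * SLOT_BITS * bit_time_us


def expected_wait_us(m: int) -> float:
    """Mean backoff after collision m: K is uniform on {0..2^m-1}, so E[K] = (2^m - 1)/2."""
    return wait_time_us((backoff_choices(m) - 1) / 2)


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 t_prop / t_trans), any consistent time unit."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def efficiency_10base(frame_bytes: int, cable_m: float, speed_m_per_us: float = 200.0) -> float:
    """Efficiency for a frame of the given size on a cable of the given length.

    Assumes a propagation speed of 200 m/us (2e8 m/s); this figure is not from the slide."""
    t_trans = frame_bytes * 8 * BIT_TIME_US          # microseconds to put the frame on the wire
    t_prop = cable_m / speed_m_per_us                # microseconds end to end
    return csma_cd_efficiency(t_prop, t_trans)
```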

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter).

[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

[Figure: backbone hub interconnecting three department hubs]

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on a segment, uses CSMA/CD to access the segment.

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem...

[Figure: switch with interfaces 1, 2, 3, each connected to a hub]

Self learning

A switch has a switch table. Entry in switch table: (MAC Address, Interface, Time Stamp). Stale entries in table dropped (TTL can be 60 min).

Switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment; records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.

[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
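
The self-learning and filtering behaviour described above, as an added Python example that is not part of the lecture slides. The switch table holds (MAC address, interface, time stamp) entries with a TTL; unknown destinations are flooded, known ones are forwarded selectively, and a frame whose destination is on the incoming segment is filtered. The MAC addresses and the 3-interface topology are constructed for the trace.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    """Self-learning switch: (MAC address, interface, time stamp) table with a TTL."""

    def __init__(self, interfaces, ttl_seconds=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.table = {}          # MAC address -> (interface, time stamp of last frame)

    def _drop_stale(self, now):
        """Entries not refreshed within the TTL are forgotten."""
        for mac in [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Handle one frame; return the list of interfaces it is forwarded on."""
        self._drop_stale(now)
        # learning: the sender is reachable via the segment the frame arrived on
        self.table[src_mac] = (in_iface, now)
        if dst_mac == BROADCAST or dst_mac not in self.table:
            # unknown or broadcast destination: flood all segments but the incoming one
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = self.table[dst_mac]
        if out_iface == in_iface:
            return []                # same-LAN-segment frame: filtered, not forwarded
        return [out_iface]           # selective forwarding toward the destination


def scenario():
    """Constructed trace on a 3-interface switch; hosts A, C on segment 1, B on segment 2."""
    sw = LearningSwitch([1, 2, 3])
    A, B, C = "AA-AA-AA-AA-AA-01", "BB-BB-BB-BB-BB-02", "CC-CC-CC-CC-CC-03"
    trace = [
        ("A->B, B unknown: flooded", sw.receive(A, B, 1, now=0)),
        ("B->A, A known: forwarded on 1", sw.receive(B, A, 2, now=1)),
        ("A->B, B known: forwarded on 2", sw.receive(A, B, 1, now=2)),
        ("C->A, same segment: filtered", sw.receive(C, A, 1, now=3)),
        ("A->B after B's entry aged out: flooded", sw.receive(A, B, 1, now=2 + 3600 + 1)),
    ]
    return sw, trace
```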

Switches vs. Routers

Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.

Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other, meaning A, C are unaware of their interference at B.

[Figure: nodes A, B, C in a line; A's signal strength and C's signal strength both reach B but fade before reaching each other]

Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer: all hosts use the same chipping code; widely deployed, using base stations.

802.11a: 5-6 GHz range; up to 54 Mbps.

802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and access point (AP): base station. Ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2

802.11 receiver
if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: A and B both send RTS to the AP at the same time and the RTSs collide (reservation collision); the AP returns CTS(A), heard by both A and B; B defers; A sends DATA(A); the AP returns ACK(A)]

802.11 frame: addressing

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)     (field sizes in bytes)

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

[Figure: Internet router R1, AP, wireless host H1]

802.11 frame from H1 to AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame from AP to R1: dest address = R1 MAC addr, source address = AP MAC addr

Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks


Distance vector algorithm (1)

Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

Dx(y) ← min_v { c(x,v) + Dv(y) }  for each node y ∊ N

Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y).

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor.

Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.

The algorithm doesn't know the entire path, it only knows the next hop.

Each node:
wait for (change in local link cost or msg from neighbor)
recompute estimates
if DV to any dest has changed, notify neighbors

[Figure: 3-node network x, y, z with c(x,y) = 2, c(y,z) = 1, c(x,z) = 7. Node x table, node y table and node z table shown over time, each with "cost to" x, y, z as columns and "from" x, y, z as rows. Initially each node knows only its own row (x: 0 2 7; y: 2 0 1; z: 7 1 0) and the other rows are ∞. After the first exchange x's row becomes 0 2 3 and z's row 3 1 0; after the second exchange nothing changes further.]

Dx(y) = min{c(x,y) + Dy(y), c(x,z) + Dz(y)} = min{2+0, 7+1} = 2
Dx(z) = min{c(x,y) + Dy(z), c(x,z) + Dz(z)} = min{2+1, 7+0} = 3
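
The distance vector algorithm run on the slide's 3-node network, as an added Python example that is not part of the lecture: each node starts from its link costs, applies the Bellman-Ford equation when a neighbor's vector arrives, and re-announces only when its own vector changes, exactly as the "Each node" loop above describes. The topology is the slide's (c(x,y)=2, c(y,z)=1, c(x,z)=7); the function names are this example's own.

```python
from collections import deque

INF = float("inf")

# Constructed from the slide's figure: a 3-node network with c(x,y)=2, c(y,z)=1, c(x,z)=7.
LINK_COSTS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}


def neighbors(node, costs):
    """c(node, v) for every directly connected v."""
    out = {}
    for (a, b), c in costs.items():
        if a == node:
            out[b] = c
        elif b == node:
            out[a] = c
    return out


def run_distance_vector(costs):
    """Run the asynchronous DV algorithm until no node has anything left to announce.

    Returns (dv, messages): dv[x][y] is node x's estimate Dx(y); messages counts the
    DV messages delivered. A node re-announces only when its own vector changes."""
    nodes = sorted({n for pair in costs for n in pair})
    nbrs = {n: neighbors(n, costs) for n in nodes}
    # initial estimate: 0 to self, link cost to neighbors, infinity elsewhere
    dv = {n: {m: 0 if m == n else nbrs[n].get(m, INF) for m in nodes} for n in nodes}
    received = {n: {} for n in nodes}      # node -> {neighbor: last DV heard from it}
    # every node sends its initial vector to each neighbor
    inbox = deque((n, v, dict(dv[n])) for n in nodes for v in nbrs[n])
    messages = 0
    while inbox:
        sender, x, vector = inbox.popleft()
        messages += 1
        received[x][sender] = vector
        new_dv = {}
        for y in nodes:
            if y == x:
                new_dv[y] = 0
                continue
            # Bellman-Ford: Dx(y) = min over neighbors v of c(x,v) + Dv(y)
            candidates = [nbrs[x].get(y, INF)]           # direct link to y, if any
            for v, c_xv in nbrs[x].items():
                if v in received[x]:
                    candidates.append(c_xv + received[x][v][y])
            new_dv[y] = min(candidates)
        if new_dv != dv[x]:                # changed: notify neighbors
            dv[x] = new_dv
            inbox.extend((x, v, dict(new_dv)) for v in nbrs[x])
    return dv, messages


def next_hop(x, y, dv, costs):
    """DV gives x only the next hop toward y: the neighbor v minimizing c(x,v) + Dv(y)."""
    nbrs = neighbors(x, costs)
    return min(nbrs, key=lambda v: nbrs[v] + dv[v][y])
```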

The Internet Network layer

Host, router network layer functions:
Routing protocols: path selection; RIP, OSPF, BGP
IP protocol: addressing conventions, datagram format, packet handling conventions
ICMP protocol: error reporting, router "signaling"
forwarding table

[Figure: network layer sits between the transport layer (TCP, UDP) above and the link layer and physical layer below]

IP datagram format

Header is 32 bits wide; fields in order:
ver: IP protocol version number
head. len: header length (bytes)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number remaining hops (decremented at each router)
upper layer: upper layer protocol to deliver payload to
Internet checksum
32 bit source IP address
32 bit destination IP address
Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
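
The header layout above, as an added Python example that is not part of the lecture: a builder and parser for the 20-byte IPv4 header, the Internet checksum used to verify it, and the per-router TTL decrement that forces the checksum to be recomputed. The sample datagram (223.1.1.1 to 223.1.2.9 with a 20-byte payload standing in for a TCP header) is constructed; it reproduces the slide's 40 bytes of IP + TCP overhead.

```python
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # the fixed 20-byte part of the header, network byte order


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Constructed datagram: 20-byte header (no options) + payload, checksum filled in."""
    total_len = 20 + len(payload)
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    # version 4, header length 5 words (0x45); flags 0x4000 = don't fragment, offset 0
    header = struct.pack(HEADER_FMT, 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0,
                         to_bytes(src), to_bytes(dst))
    checksum = internet_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the header fields from the slide and verify the header checksum."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack(HEADER_FMT, packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4: version {version}")
    if header_len < 20 or header_len > len(packet) or total_len < header_len:
        raise ValueError("inconsistent header length / total length")
    return {
        "version": version,
        "header_len": header_len,
        "type_of_service": tos,
        "total_len": total_len,
        "identifier": ident,
        "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "upper_layer": proto,                      # 6 = TCP, 17 = UDP
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "options": packet[20:header_len],
        "payload": packet[header_len:total_len],
    }


def forward_hop(packet: bytes) -> bytes:
    """What a router does: decrement TTL (discard at 0) and recompute the header checksum."""
    fields = parse_ipv4(packet)
    if not fields["checksum_ok"]:
        raise ValueError("corrupted header, discard")
    if fields["ttl"] <= 1:
        raise ValueError("TTL expired, discard")
    hl = fields["header_len"]
    header = bytearray(packet[:hl])
    header[8] -= 1                               # time-to-live byte
    header[10:12] = b"\x00\x00"                  # zero the checksum before recomputing
    header[10:12] = struct.pack("!H", internet_checksum(bytes(header)))
    return bytes(header) + packet[hl:]
```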

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface


attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm: example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame: addressing
  • Slide 105
  • Network Security

Distance Vector Algorithm (2)

Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only the next hop.

Each node:
  wait for (change in local link cost or msg from neighbor)
  recompute estimates
  if DV to any dest has changed, notify neighbors

Example (figure): three nodes x, y, z with link costs c(x,y) = 2, c(y,z) = 1, c(x,z) = 7. Each node's table lists the "cost to" x, y, z as seen "from" itself and from each neighbor; rows not yet received are ∞. At the start node x knows only its own row (0, 2, 7), node y only (2, 0, 1), node z only (7, 1, 0). After the first exchange each node has all three rows and x's and z's estimates improve; after the second exchange nothing changes and all three tables have converged to:

  cost to:   x  y  z
  from x:    0  2  3
  from y:    2  0  1
  from z:    3  1  0

Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
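The recomputation step above, run to convergence on the three-node figure, as an added example that is not part of the slides. Nodes exchange vectors in synchronous rounds (the slide's protocol is asynchronous; the fixed point is the same), and the only per-destination state a node keeps is the neighbour that gave the minimum, which is what `next_hops` reports.

```python
# Added example, not from the slides: a synchronous distance-vector run
# (Bellman-Ford) on the three-node topology of the figure,
# c(x,y) = 2, c(y,z) = 1, c(x,z) = 7.  Every node starts knowing only
# its own link costs and exchanges its vector with neighbours each round.
from typing import Dict, Tuple

INF = float("inf")
Links = Dict[Tuple[str, str], int]


def _link_costs(links: Links) -> Dict[Tuple[str, str], int]:
    """Symmetric cost table: c(a,b) = c(b,a)."""
    cost = {}
    for (a, b), c in links.items():
        cost[(a, b)] = c
        cost[(b, a)] = c
    return cost


def distance_vector(links: Links, max_rounds: int = 100) -> Dict[str, Dict[str, float]]:
    """Return the converged vectors {node: {dest: cost}}.

    Each round every node recomputes D_x(y) = min_v { c(x,v) + D_v(y) }
    from the vectors its neighbours sent in the previous round, and the
    loop stops once no vector changed (no node would send an update).
    """
    cost = _link_costs(links)
    nodes = sorted({n for pair in links for n in pair})
    dv = {x: {d: (0 if d == x else cost.get((x, d), INF)) for d in nodes} for x in nodes}
    for _ in range(max_rounds):
        new_dv = {}
        for x in nodes:
            neighbours = [v for v in nodes if (x, v) in cost]
            new_dv[x] = {
                d: (0 if d == x else min(cost[(x, v)] + dv[v][d] for v in neighbours))
                for d in nodes
            }
        if new_dv == dv:
            break
        dv = new_dv
    return dv


def next_hops(links: Links, dv: Dict[str, Dict[str, float]]) -> Dict[str, Dict[str, str]]:
    """The only path information a DV node keeps: the neighbour giving the minimum."""
    cost = _link_costs(links)
    hops = {}
    for x, vec in dv.items():
        neighbours = [v for v in dv if (x, v) in cost]
        hops[x] = {
            d: min(neighbours, key=lambda v: cost[(x, v)] + dv[v][d])
            for d in vec if d != x
        }
    return hops


if __name__ == "__main__":
    links = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}
    table = distance_vector(links)
    for node in table:
        print(node, table[node], "next hops:", next_hops(links, table)[node])
```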

The Internet Network layer

Host, router network layer functions (figure):
  Routing protocols: path selection; RIP, OSPF, BGP
  IP protocol: addressing conventions, datagram format, packet handling conventions
  ICMP protocol: error reporting, router "signaling"
The routing protocols fill the forwarding table that IP consults. The network layer sits below the transport layer (TCP, UDP) and above the link layer and physical layer.

IP datagram format (32 bits wide, figure)

  ver (IP protocol version number) | head. len (header length, bytes) | type of service ("type" of data) | length (total datagram length, bytes)
  16-bit identifier | flgs | fragment offset        (for fragmentation/reassembly)
  time to live (max number remaining hops, decremented at each router) | upper layer (upper layer protocol to deliver payload to) | Internet checksum
  32 bit source IP address
  32 bit destination IP address
  Options (if any): e.g. timestamp, record route taken, specify list of routers to visit
  data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead.
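The header layout above as code, added here and not part of the slides: build a 20-byte IPv4 header, verify it the way a router must before acting on it (version, header length, checksum), and perform the per-hop TTL decrement with a recomputed checksum. The addresses are the 223.1.x.x ones from the following slides; the payload length is made up for the example.

```python
# Added example, not from the slides: build, verify and forward an IPv4
# header laid out as in the figure.  Addresses are the slides' 223.1.x.x;
# the payload length is made up for the example.
import ipaddress
import struct
from typing import Optional

HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0) -> bytes:
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words = 20 bytes
    fields = struct.pack(HEADER_FMT, ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    checksum = internet_checksum(fields)     # computed with the checksum field zeroed
    return fields[:10] + struct.pack("!H", checksum) + fields[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the header and reject anything a router should not act on."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HEADER_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad version or header length")
    if internet_checksum(pkt[:ihl]) != 0:    # a valid header sums to all ones
        raise ValueError("bad header checksum")
    return {
        "ihl": ihl, "tos": tos, "total_len": total_len, "id": ident,
        "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def forward(pkt: bytes) -> Optional[bytes]:
    """Router step: verify, decrement TTL, recompute the checksum.

    Returns None when the TTL would reach 0: the router drops the datagram
    (and would send an ICMP time-exceeded message, not modelled here).
    """
    hdr = parse_ipv4_header(pkt)
    if hdr["ttl"] <= 1:
        return None
    ihl = hdr["ihl"]
    head = bytearray(pkt[:ihl])
    head[8] -= 1                             # TTL is byte 8
    head[10:12] = b"\x00\x00"                # zero the checksum field, then refill it
    head[10:12] = struct.pack("!H", internet_checksum(bytes(head)))
    return bytes(head) + pkt[ihl:]


if __name__ == "__main__":
    pkt = build_ipv4_header("223.1.1.1", "223.1.2.2", payload_len=100) + b"\x00" * 100
    print(parse_ipv4_header(pkt))
    print("TTL after one hop:", parse_ipv4_header(forward(pkt))["ttl"])
```

The checksum only detects accidental corruption: it is not keyed, so a header rewritten in transit with a recomputed checksum verifies fine, which is why the later slides treat IP spoofing as an attack that the header itself cannot prevent.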

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface.
interface: connection between host/router and physical link; routers typically have multiple interfaces; host may have multiple interfaces; IP addresses associated with each interface.

Figure: hosts 223.1.1.1, 223.1.1.2, 223.1.1.3 and router interface 223.1.1.4 on one LAN; router interface 223.1.2.9 with hosts 223.1.2.1, 223.1.2.2 on a second; router interface 223.1.3.27 with hosts 223.1.3.1, 223.1.3.2 on a third.

223.1.1.1 = 11011111 00000001 00000001 00000001
               223        1        1        1

Subnets

IP address: subnet part (high order bits), host part (low order bits).
What's a subnet? Device interfaces with same subnet part of IP address can physically reach each other without intervening router.

Figure: same addresses as above (223.1.1.1-4, 223.1.2.1/2/9, 223.1.3.1/2/27): a network consisting of 3 subnets, each a LAN.

IP addressing: CIDR

Before CIDR only 8-, 16- and 24-bit masks were available (A, B and C class networks).
CIDR: Classless InterDomain Routing. Subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is # bits in subnet portion of address.

  11001000 00010111 00010000 00000000
  |---- subnet part (23 bits) ----|--- host part ---|
  200.23.16.0/23
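Subnet membership and the forwarding lookup that CIDR makes necessary, as an added example that is not part of the slides: with prefixes of arbitrary length a destination can match several table entries, and the router must take the longest (most specific) one. The forwarding table below is made up for the example; the addresses are the slides' 223.1.x.x and 200.23.16.0/23.

```python
# Added example, not from the slides: subnet membership and longest-prefix
# forwarding with CIDR prefixes.  The forwarding table in __main__ is made up
# for the example; the addresses are the slides' 223.1.x.x and 200.23.16.0/23.
import ipaddress
from typing import List, Optional, Tuple

ForwardingTable = List[Tuple[str, str]]      # (prefix in a.b.c.d/x form, next hop)


def address_bits(addr: str) -> str:
    """32-bit binary string, e.g. 223.1.1.1 -> 11011111 00000001 00000001 00000001 (no spaces)."""
    return format(int(ipaddress.IPv4Address(addr)), "032b")


def subnet_part(addr: str, prefix_len: int) -> str:
    """High-order prefix_len bits: the subnet part of the address."""
    return address_bits(addr)[:prefix_len]


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """True when a and b can reach each other without an intervening router."""
    return subnet_part(a, prefix_len) == subnet_part(b, prefix_len)


def longest_prefix_match(table: ForwardingTable, dst: str) -> Optional[str]:
    """Pick the next hop of the most specific prefix containing dst."""
    dst_bits = address_bits(dst)
    best_len, best_hop = -1, None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix, strict=False)
        length = net.prefixlen
        net_bits = address_bits(str(net.network_address))[:length]
        if dst_bits[:length] == net_bits and length > best_len:
            best_len, best_hop = length, next_hop
    return best_hop


if __name__ == "__main__":
    table = [("200.23.16.0/20", "link-to-ISP"),
             ("200.23.18.0/23", "Organization-1"),
             ("0.0.0.0/0", "default")]
    for dst in ("200.23.18.5", "200.23.30.1", "223.1.1.1"):
        print(dst, "->", longest_prefix_match(table, dst))
    print(same_subnet("223.1.1.1", "223.1.1.3", 24), same_subnet("223.1.1.1", "223.1.2.2", 24))
```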

NAT: Network Address Translation

Figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind a NAT router whose address toward the rest of the Internet is 138.76.29.7.

Datagrams with source or destination in this network have 10.0.0.0/24 address for source, destination (as usual).
All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers.

NAT: Network Address Translation (example)

NAT translation table:
  WAN side addr        LAN side addr
  138.76.29.7, 5001    10.0.0.1, 3345
  ......               ......

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345
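The translation table of the example as code, added here and not part of the slides. Entries are created only by outbound traffic (step 2), so an inbound datagram whose (WAN address, port) has no entry cannot be delivered and is dropped; that is the side effect that makes a NAT look like a crude inbound filter. Addresses and ports are the slide's; the port allocation order is an assumption of the example.

```python
# Added example, not from the slides: the translation table of the figure as
# code.  Only outbound-initiated flows get an entry, so an inbound datagram
# with no matching (WAN addr, port) entry has nowhere to go and is dropped.
from typing import Dict, Optional, Tuple

Packet = Dict[str, object]                   # keys: src, sport, dst, dport


class Nat:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port          # assumption: ports handed out sequentially
        self.lan_to_wan: Dict[Tuple[str, int], int] = {}   # (LAN addr, port) -> WAN port
        self.wan_to_lan: Dict[int, Tuple[str, int]] = {}   # WAN port -> (LAN addr, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Step 2: rewrite source addr/port to the NAT address and a fresh port."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.lan_to_wan:       # new flow: allocate a port, update table
            port = self.next_port
            self.next_port += 1
            self.lan_to_wan[key] = port
            self.wan_to_lan[port] = key
        return {**pkt, "src": self.wan_ip, "sport": self.lan_to_wan[key]}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Step 4: map the WAN port back to the inside host, or drop."""
        if pkt["dst"] != self.wan_ip or pkt["dport"] not in self.wan_to_lan:
            return None                      # no table entry: unsolicited, dropped
        lan_ip, lan_port = self.wan_to_lan[pkt["dport"]]
        return {**pkt, "dst": lan_ip, "dport": lan_port}


if __name__ == "__main__":
    nat = Nat("138.76.29.7")
    out = nat.outbound({"src": "10.0.0.1", "sport": 3345, "dst": "128.119.40.186", "dport": 80})
    print("step 2:", out)
    print("step 4:", nat.inbound({"src": "128.119.40.186", "sport": 80,
                                  "dst": "138.76.29.7", "dport": 5001}))
    print("unsolicited:", nat.inbound({"src": "1.2.3.4", "sport": 4444,
                                       "dst": "138.76.29.7", "dport": 6000}))
```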

Hierarchical Routing

Our routing study thus far has been an idealization: all routers identical, network "flat" ... not true in practice.
scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.
administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS).
Routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol.
Gateway router: direct link to router in another AS.

Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c). In each router the intra-AS routing algorithm and the inter-AS routing algorithm both feed the forwarding table.

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS & intra-AS set entries for external dests.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm. Included in BSD-UNIX distribution in 1982. Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from source router to destination subnet.

Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z. Routing table from source router A:

  destination   hops
  u             1
  v             2
  w             2
  x             3
  y             3
  z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement).
Each advertisement: list of up to 25 destination nets within AS.

OSPF (Open Shortest Path First)

"Open": publicly available. Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator.
OSPF advertisement carries one entry per neighbor router.
Advertisements disseminated to entire AS (via flooding). Carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion).
Multiple same-cost paths allowed (only one path in RIP).
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time).
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF.
Hierarchical OSPF in large domains.
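What "all OSPF messages authenticated" has to buy, shown as an added example that is not part of the slides: a router must be able to reject a forged or altered advertisement, and also a genuine one that an attacker captured and replays later. OSPF's own scheme (RFC 2328, Appendix D) uses a keyed MD5 digest over the packet plus a cryptographic sequence number checked against the last value accepted from that neighbour; this illustration uses HMAC-SHA256 for the digest, rejects equal as well as lower sequence numbers, and does not reproduce OSPF's on-the-wire format. The key, neighbour names and message bodies are made up.

```python
# Added example, not from the slides: the two checks behind "all OSPF messages
# authenticated".  OSPF's own scheme (RFC 2328, Appendix D) is a keyed MD5
# digest plus a cryptographic sequence number; this illustration uses
# HMAC-SHA256 for the digest but applies the same two rules: reject a message
# whose digest does not verify, and reject a replayed (non-increasing) sequence
# number from the same neighbour.  Key and message bodies are made up.
import hashlib
import hmac
import struct
from typing import Dict, Optional

TAG_LEN = 32                                   # HMAC-SHA256 output length


def sign_message(key: bytes, seq: int, body: bytes) -> bytes:
    """seq (4 bytes) || body || HMAC(key, seq || body)."""
    msg = struct.pack("!I", seq) + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


class AuthenticatedReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq: Dict[str, int] = {}     # highest sequence number accepted per neighbour

    def accept(self, neighbour: str, pkt: bytes) -> Optional[bytes]:
        """Return the body if the message is authentic and fresh, else None."""
        if len(pkt) < 4 + TAG_LEN:
            return None
        msg, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                        # forged, corrupted, or wrong key
        seq = struct.unpack("!I", msg[:4])[0]
        if seq <= self.last_seq.get(neighbour, -1):
            return None                        # replay of an older (or the same) message
        self.last_seq[neighbour] = seq
        return msg[4:]


if __name__ == "__main__":
    key = b"area0-shared-secret"
    rx = AuthenticatedReceiver(key)
    lsa = sign_message(key, 1, b"LSA: 223.1.1.0/24 cost 1 via rtr-2")
    print("first delivery:", rx.accept("rtr-2", lsa))
    print("replayed copy: ", rx.accept("rtr-2", lsa))
```

Without the sequence number the digest alone would let an attacker re-inject an old but genuine advertisement (for example one from before a link was taken down); without the digest the sequence number is just another field anyone can set.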

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only in area; each node has detailed area topology.
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers.
Backbone routers: run OSPF routing limited to backbone.
Boundary routers: connect to other ASs.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.
BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs.
  2. Propagate the reachability information to all routers internal to the AS.
  3. Determine "good" routes to subnets based on reachability information and policy.
Allows a subnet to advertise its existence to rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

Figure: the same three ASes (AS1: 1a, 1b, 1c, 1d; AS2: 2a, 2b, 2c; AS3: 3a, 3b, 3c); eBGP sessions run between gateway routers of different ASes, iBGP sessions between routers of the same AS.

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route".
Two important attributes:
  AS-PATH: contains the ASs through which the advert for the prefix passed, e.g. AS 67, AS 17.
  NEXT-HOP: indicates the specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop AS.)
When gateway router receives route advert, uses import policy to accept/decline.
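The import/select/export cycle for the two attributes named above, as an added example that is not part of the slides. The one check every BGP speaker applies on import is the loop test: an advert whose AS-PATH already contains the receiving AS is discarded, because accepting it would forward traffic back through ourselves. Local preference and the AS-PATH-length tie-break stand in for the full decision process; AS numbers, the prefix and router names are made up.

```python
# Added example, not from the slides: import policy, route selection and
# export for the two attributes on the slide, AS-PATH and NEXT-HOP.  The
# AS numbers, prefix and router names are made up; the loop check (reject a
# route whose AS-PATH already contains our own AS) is standard BGP behaviour.
from typing import Dict, List, Optional

Route = Dict[str, object]     # prefix, as_path (list of ints), next_hop, local_pref


def import_route(my_as: int, advert: Route, local_pref: Dict[int, int]) -> Optional[Route]:
    """Import policy: drop loops, then attach a LOCAL_PREF chosen by neighbouring AS."""
    path: List[int] = advert["as_path"]
    if my_as in path:
        return None                             # advert already passed through us: loop
    neighbour_as = path[0]                      # the AS that sent us this advert
    return {**advert, "local_pref": local_pref.get(neighbour_as, 100)}


def select_route(candidates: List[Route]) -> Route:
    """Simplified BGP decision: highest LOCAL_PREF wins, then shortest AS-PATH."""
    return max(candidates, key=lambda r: (r["local_pref"], -len(r["as_path"])))


def export_route(my_as: int, route: Route, my_next_hop: str) -> Route:
    """Advertise onward: prepend our AS to AS-PATH, make our gateway the NEXT-HOP."""
    return {"prefix": route["prefix"],
            "as_path": [my_as] + list(route["as_path"]),
            "next_hop": my_next_hop}


if __name__ == "__main__":
    prefix = "138.16.64.0/22"
    adverts = [
        {"prefix": prefix, "as_path": [2, 17], "next_hop": "2a"},
        {"prefix": prefix, "as_path": [3, 67, 17], "next_hop": "3a"},
        {"prefix": prefix, "as_path": [2, 1, 17], "next_hop": "2a"},   # contains AS 1: loop
    ]
    accepted = [r for r in (import_route(1, a, {}) for a in adverts) if r is not None]
    best = select_route(accepted)
    print("accepted:", len(accepted), "best AS-PATH:", best["as_path"])
    print("exported:", export_route(1, best, "1c"))
```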

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed.
Scale: hierarchical routing saves table size, reduced update traffic.
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links (wired links, wireless links, LANs); layer-2 packet is a frame, encapsulates datagram.
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
  Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
  Random Access: channel not divided, allow collisions; "recover" from collisions.
  "Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkt, slots 2, 5, 6 idle.
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p.
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send. At best: channel used for useful transmissions 37% of time.

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.
Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.
Figure: spatial layout of nodes; note the role of distance & propagation delay in determining collision probability.

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs (measure signal strengths, compare transmitted, received signals); difficult in wireless LANs (receiver shut off while transmitting).

CSMA/CD collision detection (figure)

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to next sequentially (token message). Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table.
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).
Question: how to determine MAC address of B knowing B's IP address?
Figure: four nodes on one LAN with MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53 and IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88.

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address: dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
Figure: A - R - B, with R's interface toward A at 111.111.111.110 (E6-E9-00-17-BB-4B).

A creates datagram with source A, destination B.
A uses ARP to get R's MAC address for 111.111.111.110.
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram.
A's adapter sends frame. R's adapter receives frame.
R removes IP datagram from Ethernet frame, sees it's destined to B.
R uses ARP to get B's MAC address.
R creates frame containing A-to-B IP datagram, sends to B.
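The two ARP slides and the walkthrough as one piece of code, added here and not part of the slides: a host's ARP table with the 20-minute soft-state TTL, and the decision A makes before sending, ARP for B itself when B is on this LAN, for R's interface otherwise (the datagram is still addressed to B either way). R's interface 111.111.111.110 / E6-E9-00-17-BB-4B is from the slide; A's and B's addresses, the second on-link host and the reply table that stands in for the broadcast query are made up. Note the caveat the slides' "plug-and-play" implies: nothing authenticates a reply, so the table records whatever answer arrives for the queried address.

```python
# Added example, not from the slides: a host's ARP table with TTL and the
# next-hop decision of the walkthrough (ARP for B itself if B is on this
# LAN, for router R otherwise).  R's interface 111.111.111.110 with MAC
# E6-E9-00-17-BB-4B is from the slide; A's and B's addresses and the reply
# table are made up.  Nothing here authenticates a reply: the table records
# whatever answer arrives for the queried IP address.
import ipaddress
from typing import Callable, Dict, Optional, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"       # destination MAC of the ARP query


class ArpTable:
    def __init__(self, ttl_seconds: float = 20 * 60):        # slide: typically 20 min
        self.ttl = ttl_seconds
        self.entries: Dict[str, Tuple[str, float]] = {}    # ip -> (mac, expiry time)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if expires <= now:                                  # soft state: forgotten unless refreshed
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now + self.ttl)


def on_same_lan(a: str, b: str, prefix_len: int) -> bool:
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(a)) & mask == int(ipaddress.IPv4Address(b)) & mask


def next_hop_mac(host: dict, dst_ip: str, now: float,
                 send_query: Callable[[str], Optional[str]]) -> Tuple[str, Optional[str]]:
    """Return (next-hop IP, its MAC).

    send_query models broadcasting the ARP query to BROADCAST and receiving
    the unicast reply; it returns None when nobody answers.
    """
    if on_same_lan(host["ip"], dst_ip, host["prefix"]):
        next_hop = dst_ip                   # same LAN: frame goes straight to B
    else:
        next_hop = host["router"]           # other LAN: frame goes to R, datagram still to B
    mac = host["arp"].lookup(next_hop, now)
    if mac is None:
        mac = send_query(next_hop)
        if mac is not None:
            host["arp"].learn(next_hop, mac, now)
    return next_hop, mac


if __name__ == "__main__":
    replies = {"111.111.111.110": "E6-E9-00-17-BB-4B",      # R's interface (from the slide)
               "111.111.111.112": "CC-49-DE-D0-AB-7D"}      # another host on A's LAN (made up)
    host_a = {"ip": "111.111.111.111", "prefix": 24,
              "router": "111.111.111.110", "arp": ArpTable()}
    print(next_hop_mac(host_a, "222.222.222.222", 0.0, replies.get))   # B on another LAN
    print(next_hop_mac(host_a, "111.111.111.112", 0.0, replies.get))   # host on this LAN
```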

Ethernet uses CSMA/CD

No slots.
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
Before attempting a retransmission, adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec (1023 · 512 · 0.1 µs = 52 ms).
Exponential Backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer.
  first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
  after second collision: choose K from {0, 1, 2, 3} ...
  after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
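Steps 2 to 5 of the algorithm with the backoff arithmetic of the slide, as an added example that is not part of the slides: K is drawn from {0, ..., 2^m - 1} after the m-th collision and the wait is K · 512 bit times. Two details beyond the slide follow the IEEE 802.3 standard: the range stops growing after the 10th collision (which is why the slide stops at 1023) and the adapter discards the frame after 16 attempts. The collision pattern is supplied by the caller, so the example is deterministic.

```python
# Added example, not from the slides: steps 2-5 of the algorithm as code, with
# the backoff arithmetic of the slide (K from {0, ..., 2^m - 1}, K * 512 bit
# times, 0.1 microsecond bit time at 10 Mbps).  Two details beyond the slide
# follow the IEEE 802.3 standard: m is capped at 10 and the adapter gives up
# after 16 attempts.  The collision pattern is supplied by the caller.
import random
from typing import Callable, Optional

SLOT_BITS = 512
MAX_EXPONENT = 10            # 802.3: range stops growing after the 10th collision
MAX_ATTEMPTS = 16            # 802.3: frame discarded after 16 attempts
BIT_RATE_10MBPS = 10_000_000


def backoff_range(m: int) -> int:
    """Number of slot choices after the m-th collision: 2, 4, 8, ... 1024."""
    return 2 ** min(m, MAX_EXPONENT)


def choose_backoff_bits(m: int, rng: random.Random) -> int:
    """K * 512 bit times, K uniform in {0, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_range(m)) * SLOT_BITS


def max_wait_seconds(m: int, bit_rate: int = BIT_RATE_10MBPS) -> float:
    """Worst-case wait; m = 10 at 10 Mbps gives 1023 * 512 / 10^7 s = 52.4 ms."""
    return (backoff_range(m) - 1) * SLOT_BITS / bit_rate


def send_frame(collides: Callable[[int], bool], seed: int = 0) -> Optional[dict]:
    """Transmit until the frame goes out without a collision.

    collides(attempt) says whether transmission attempt number `attempt`
    hits another transmission.  Returns {collisions, waited_bits} on
    success, None if the adapter gives up after MAX_ATTEMPTS.
    """
    rng = random.Random(seed)
    waited_bits = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if not collides(attempt):            # step 3: whole frame sent, done
            return {"collisions": attempt - 1, "waited_bits": waited_bits}
        # step 4: abort, send the 48-bit jam; step 5: exponential backoff, back to step 2
        waited_bits += choose_backoff_bits(attempt, rng)
    return None


if __name__ == "__main__":
    print(send_frame(lambda attempt: attempt <= 2, seed=1))   # collides twice, then succeeds
    print("max wait after 10 collisions: %.1f ms" % (max_wait_seconds(10) * 1e3))
```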

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0; goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
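The two efficiency formulas on the slotted ALOHA slide and on this one, evaluated numerically so the quoted limits can be checked; an added example that is not part of the slides and serves both passages.

```python
# Added example, not from the slides: the efficiency formulas of the slotted
# ALOHA and CSMA/CD slides, evaluated so the limits quoted there (1/e for
# ALOHA at the optimal p, 1 for CSMA/CD as t_prop/t_trans -> 0) can be checked.


def slotted_aloha_success(n: int, p: float) -> float:
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def slotted_aloha_best_p(n: int, steps: int = 10_000) -> float:
    """Grid search for the p* that maximises the success probability (it is 1/N)."""
    return max((i / steps for i in range(1, steps)), key=lambda p: slotted_aloha_success(n, p))


def slotted_aloha_efficiency(n: int) -> float:
    """Long-run fraction of useful slots with N always-busy nodes at p* = 1/N."""
    return slotted_aloha_success(n, 1.0 / n)


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print("ALOHA N=%4d: p*=%.4f efficiency=%.4f" % (n, slotted_aloha_best_p(n), slotted_aloha_efficiency(n)))
    for ratio in (0.0, 0.01, 0.1, 1.0):
        print("CSMA/CD t_prop/t_trans=%.2f: efficiency=%.3f" % (ratio, csma_cd_efficiency(ratio, 1.0)))
```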

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links, at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter).
Figure: hosts attached to the hub over twisted pair.

Interconnecting with hubs

Figure: a backbone hub connecting three hubs.
Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment.
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward frame? Looks like a routing problem...
Figure: a switch with interfaces 1, 2, 3, each leading to a hub.

Self learning

A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.

Switch: traffic isolation

Switch installation breaks subnet into LAN segments.
Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
Figure: a switch with three hubs below it; each hub's segment is its own collision domain.
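The self-learning table and the per-frame filter / forward / flood decision of the last three slides as code, added here and not part of the slides. Interface numbers and MAC addresses are made up. Because the table is filled purely from source addresses of frames that arrive, a frame with an unknown destination is flooded out every other interface, and stale entries age out after the TTL.

```python
# Added example, not from the slides: a self-learning switch table with
# time-stamped entries, and the filter / forward / flood decision per frame.
# Interface numbers and MAC addresses used with it are made up.
from typing import Dict, Set, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces: Set[int], ttl_seconds: float = 60 * 60):  # slide: TTL can be 60 min
        self.interfaces = set(interfaces)
        self.ttl = ttl_seconds
        self.table: Dict[str, Tuple[int, float]] = {}   # MAC -> (interface, time stamp)

    def _drop_stale(self, now: float) -> None:
        for mac in [m for m, (_, stamp) in self.table.items() if now - stamp > self.ttl]:
            del self.table[mac]

    def receive(self, src: str, dst: str, in_port: int, now: float) -> Set[int]:
        """Return the set of interfaces the frame is sent out on."""
        self._drop_stale(now)
        self.table[src] = (in_port, now)            # learn: sender reachable via in_port
        if dst == BROADCAST or dst not in self.table:
            return self.interfaces - {in_port}      # unknown destination: flood
        out_port, _ = self.table[dst]
        if out_port == in_port:
            return set()                            # same segment: filter, do not forward
        return {out_port}                           # selective forward


if __name__ == "__main__":
    sw = LearningSwitch({1, 2, 3})
    a, b = "00-00-00-00-00-0A", "00-00-00-00-00-0B"
    print("A->B, B unknown:", sw.receive(a, b, 1, 0.0))    # flood to 2 and 3
    print("B->A:          ", sw.receive(b, a, 2, 1.0))     # forward to 1 only
    print("A->B again:    ", sw.receive(a, b, 1, 2.0))     # forward to 2 only
    print("table:", sw.table)
```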

Switches vs Routers

Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
Routers maintain routing tables, implement routing algorithms. Switches maintain switch tables, implement filtering, learning algorithms.

Summary comparison

                      hubs    switches    routers
  traffic isolation   no      yes         yes
  plug & play         yes     yes         no
  optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem (figure: A, B, C in a line): B, A hear each other; B, C hear each other; A, C can not hear each other, which means A, C are unaware of their interference at B.
Signal fading (figure: A's signal strength and C's signal strength fall off with distance, overlapping only at B): B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and the access point (AP): base station. Ad hoc mode: hosts only.
Figure: BSS 1 and BSS 2, each with its AP, connected through a hub, switch or router to the Internet.

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
  1. if sense channel idle for DIFS then transmit entire frame (no CD)
  2. if sense channel busy then
     - start random backoff time
     - timer counts down while channel idle
     - transmit when timer expires
     - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
  - if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK.

Collision Avoidance: RTS-CTS exchange

Figure (time runs downward; hosts A and B, one AP): A and B send RTS(A) and RTS(B) at the same time and they collide at the AP (reservation collision). A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; B defers. A sends DATA(A); the AP returns ACK(A).

802.11 frame (figure; field sizes in bytes)

  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame: addressing

Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.

Figure: host H1 - AP - router R1 - Internet. The 802.11 frame from H1 to the AP carries AP MAC addr (address 1), H1 MAC addr (address 2), R1 MAC addr (address 3). The AP forwards it onto the wired LAN as an 802.3 frame whose dest address is R1 MAC addr and whose source address is H1 MAC addr: the AP bridges the frame and does not substitute its own address as source.
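The header of the figure built and decoded, and the AP's conversion to an 802.3 frame, as an added example that is not part of the slides. The header is the three-address form (address 4 and the CRC are omitted), frame control and sequence control are little-endian as in 802.11, and the address roles follow the slide: address 1 is the receiver on the air, address 2 the transmitter, address 3 the wired-side endpoint. MAC addresses are made up.

```python
# Added example, not from the slides: building and decoding the 802.11 data
# frame header of the figure (frame control 2, duration 2, three 6-byte
# addresses, sequence control 2; address 4 and the CRC are omitted) and the
# AP's translation into an 802.3 frame.  MAC addresses used with it are made
# up; address roles follow the slide.
import struct

FC_TYPE_DATA = 0x08            # frame control byte 0: version 0, type 2 (data), subtype 0
FLAG_TO_DS = 0x01              # frame control byte 1 flags
FLAG_FROM_DS = 0x02
ETHERTYPE_IP = b"\x08\x00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split("-"))


def bytes_to_mac(raw: bytes) -> str:
    return "-".join("%02X" % b for b in raw)


def build_80211_data(addr1: str, addr2: str, addr3: str, seq: int, payload: bytes,
                     to_ds: bool = True) -> bytes:
    """Three-address data frame: host -> AP sets To DS, AP -> host sets From DS."""
    flags = FLAG_TO_DS if to_ds else FLAG_FROM_DS
    header = struct.pack("<BBH", FC_TYPE_DATA, flags, 0)    # frame control, duration
    header += mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)        # seq control: 12-bit seq number, fragment 0
    return header + payload


def parse_80211(frame: bytes) -> dict:
    if len(frame) < 24:
        raise ValueError("short 802.11 header")
    fc, flags, _duration = struct.unpack("<BBH", frame[:4])
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    seq_ctl = struct.unpack("<H", frame[22:24])[0]
    return {
        "to_ds": bool(flags & FLAG_TO_DS), "from_ds": bool(flags & FLAG_FROM_DS),
        "addr1": bytes_to_mac(frame[4:10]), "addr2": bytes_to_mac(frame[10:16]),
        "addr3": bytes_to_mac(frame[16:22]), "seq": seq_ctl >> 4, "payload": frame[24:],
    }


def to_8023(frame: bytes) -> bytes:
    """What the AP puts on the wired LAN for a host -> AP frame: dest, source, type, payload."""
    f = parse_80211(frame)
    if not (f["to_ds"] and not f["from_ds"]):
        raise ValueError("only host -> AP (To DS) frames are bridged in this example")
    dest, source = f["addr3"], f["addr2"]     # R1 is the destination, H1 the source
    return mac_to_bytes(dest) + mac_to_bytes(source) + ETHERTYPE_IP + f["payload"]


if __name__ == "__main__":
    ap, h1, r1 = "00-AA-00-00-00-01", "00-11-00-00-00-01", "00-22-00-00-00-01"
    frame = build_80211_data(ap, h1, r1, seq=7, payload=b"ip datagram")
    print(parse_80211(frame))
    eth = to_8023(frame)
    print("802.3 dest", bytes_to_mac(eth[:6]), "source", bytes_to_mac(eth[6:12]))
```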

Network Security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks.

Page 50

Distance vector algorithm: example (slide 50, figure)

Topology: x-y link cost 2, y-z link cost 1, x-z link cost 7.
Each node keeps a table whose rows are "from" (itself and its neighbors) and whose columns are "cost to" x, y, z.

Initial tables (each node knows only the costs of its own links; everything else is infinity):
  node x table: from x: 0 2 7; from y: inf inf inf; from z: inf inf inf
  node y table: from x: inf inf inf; from y: 2 0 1; from z: inf inf inf
  node z table: from x: inf inf inf; from y: inf inf inf; from z: 7 1 0

After the first exchange of distance vectors with neighbors:
  node x table: from x: 0 2 3; from y: 2 0 1; from z: 7 1 0
  node y table: from x: 0 2 7; from y: 2 0 1; from z: 7 1 0
  node z table: from x: 0 2 7; from y: 2 0 1; from z: 3 1 0

After the second exchange all three tables agree and stop changing:
  from x: 0 2 3; from y: 2 0 1; from z: 3 1 0

The update that node x performs, in the notation of the algorithm:
Dx(y) = min{ c(x,y) + Dy(y), c(x,z) + Dz(y) } = min{ 2+0, 7+1 } = 2
Dx(z) = min{ c(x,y) + Dy(z), c(x,z) + Dz(z) } = min{ 2+1, 7+0 } = 3
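
The Bellman-Ford update above, run to convergence on the slide's three-node topology, as an added example that is not part of the original slides. It generalises the slide's single step: any undirected topology can be passed in as a link-cost dictionary, every node starts knowing only its own link costs, and the exchange repeats until no table changes. Node names and costs below are the slide's; the round counting is this example's own convention.

```python
# Added example (not from the slides): the distance-vector (Bellman-Ford)
# update Dx(y) = min over neighbours v of { c(x,v) + Dv(y) }, run on the
# three-node topology of the slide (x-y cost 2, y-z cost 1, x-z cost 7)
# until every node's table stops changing.
from typing import Dict, Tuple

INF = float("inf")

# Link costs from the slide's figure (undirected, symmetric links).
LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}


def link_costs(links: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    """Expand the undirected link list into c(u, v) for each neighbour pair."""
    cost: Dict[str, Dict[str, int]] = {}
    for (u, v), c in links.items():
        cost.setdefault(u, {})[v] = c
        cost.setdefault(v, {})[u] = c
    return cost


def run_distance_vector(links=LINKS, max_rounds: int = 20):
    """Return (distance vectors, number of exchanges that changed a table).

    Each node starts knowing only its own link costs (everything else is
    infinity), then repeatedly recomputes Dx(y) from the vectors most
    recently received from its neighbours.  One round = every node sends
    its vector to all neighbours, then every node recomputes.
    """
    cost = link_costs(links)
    nodes = sorted(cost)
    # Initial vector: 0 to self, c(x,v) to each neighbour, inf otherwise.
    dv = {x: {y: (0 if y == x else cost[x].get(y, INF)) for y in nodes} for x in nodes}
    for rounds in range(1, max_rounds + 1):
        # Vectors each node has received from its neighbours this round.
        received = {x: {v: dict(dv[v]) for v in cost[x]} for x in nodes}
        new_dv = {}
        for x in nodes:
            new_dv[x] = {}
            for y in nodes:
                if y == x:
                    new_dv[x][y] = 0
                    continue
                # Bellman-Ford: best neighbour v minimising c(x,v) + Dv(y)
                new_dv[x][y] = min(cost[x][v] + received[x][v][y] for v in cost[x])
        if new_dv == dv:
            return dv, rounds - 1   # nothing changed: converged
        dv = new_dv
    return dv, max_rounds


if __name__ == "__main__":
    vectors, rounds = run_distance_vector()
    for node in sorted(vectors):
        print(node, vectors[node])
    print("tables stopped changing after", rounds, "exchange(s)")
```

Running it prints x: {x: 0, y: 2, z: 3}, matching the converged row of the slide; the first exchange changes x's and z's estimates, the second confirms them.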

The Internet Network layer

Host, router network layer functions:
Routing protocols: path selection (RIP, OSPF, BGP)
IP protocol: addressing conventions, datagram format, packet handling conventions
ICMP protocol: error reporting, router "signaling"
Forwarding table, filled in by the routing protocols and consulted by IP
(figure: the network layer sits between the transport layer (TCP, UDP) above and the link and physical layers below)

IP datagram format (figure: header drawn as 32-bit words)

ver: IP protocol version number
head. len: header length (in 32-bit words, so 20 bytes without options)
type of service: "type" of data
length: total datagram length (bytes)
16-bit identifier, flgs, fragment offset: for fragmentation/reassembly
time to live: max number of remaining hops (decremented at each router)
upper layer: protocol to deliver payload to
Internet checksum (covers the header only; a router must recompute it after changing the TTL)
32-bit source IP address
32-bit destination IP address
Options (if any), e.g. timestamp, record route taken, specify list of routers to visit
data (variable length, typically a TCP or UDP segment)

How much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
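
A parser for the header just described, as an added example that is not part of the original slides. It unpacks the fixed 20-byte header into the fields above, verifies the Internet checksum, and rejects the malformed inputs a receiver has to expect (truncated header, header-length field pointing past the packet, total length smaller than the header). The sample datagram is constructed inline with the slide's 223.1.x.y addresses; the payload is 20 zero bytes standing in for a TCP header.

```python
# Added example (not from the slides): parse a raw IPv4 header into the
# fields of the datagram-format slide and verify the Internet checksum.
# The checksum covers the header only (not the payload), which is why a
# receiver can verify it before knowing anything about the data.
import struct

IPV4_MIN_HEADER = 20  # bytes, without options


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed header; raise ValueError on malformed input."""
    if len(pkt) < IPV4_MIN_HEADER:
        raise ValueError("truncated: need at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_MIN_HEADER])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4  # header length field counts 32-bit words
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    if header_len < IPV4_MIN_HEADER or header_len > len(pkt):
        raise ValueError("bad header length %d" % header_len)
    if total_len < header_len:
        raise ValueError("total length %d smaller than header" % total_len)
    header = pkt[:header_len]
    return {
        "version": version,
        "header_len": header_len,
        "tos": tos,
        "total_len": total_len,
        "identifier": ident,
        "flags": flags_frag >> 13,                     # reserved, DF, MF
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # in bytes
        "ttl": ttl,
        "protocol": proto,                             # 6 = TCP, 17 = UDP
        "checksum_ok": internet_checksum(header) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": header[IPV4_MIN_HEADER:],
        "payload": pkt[header_len:total_len],
    }


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Assemble a 20-byte header with a correct checksum (constructed input)."""
    def ip(s):
        return bytes(int(x) for x in s.split("."))
    total_len = IPV4_MIN_HEADER + payload_len
    flags_frag = 0x4000  # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, ip(src), ip(dst))
    csum = internet_checksum(hdr)          # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


if __name__ == "__main__":
    payload = b"\x00" * 20                 # stands in for a 20-byte TCP header
    pkt = build_ipv4_header("223.1.1.1", "223.1.2.9", len(payload)) + payload
    fields = parse_ipv4_header(pkt)
    print(fields["src"], "->", fields["dst"], "ttl", fields["ttl"],
          "checksum ok:", fields["checksum_ok"],
          "overhead bytes:", fields["header_len"] + 20)
    # Decrement the TTL the way a router does, but without fixing the checksum:
    bad = bytearray(pkt)
    bad[8] -= 1
    print("TTL changed, checksum not updated:", parse_ipv4_header(bytes(bad))["checksum_ok"])
```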

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface
interface: connection between host/router and physical link
  routers typically have multiple interfaces
  host may have multiple interfaces
  IP addresses associated with each interface
(figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.1, 223.1.3.2, 223.1.3.27)

223.1.1.1 = 11011111 00000001 00000001 00000001
               223       1        1        1

Subnets

IP address:
  subnet part (high order bits)
  host part (low order bits)
What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router
(figure: the same interfaces 223.1.1.1 ... 223.1.3.27 as above; the network consists of 3 subnets, 223.1.1/24, 223.1.2/24 and 223.1.3/24, each a LAN)

IP addressing: CIDR

Before CIDR only 8-, 16- and 24-bit masks were available (class A, B and C networks).
CIDR: Classless InterDomain Routing
  subnet portion of address of arbitrary length
  address format: a.b.c.d/x, where x is the number of bits in the subnet portion of the address

11001000 00010111 00010000 00000000
|------ subnet part (23 bits) ----|--- host part ---|
200.23.16.0/23
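
The subnet/host split and the lookup a router performs on a table of CIDR prefixes, as an added example that is not part of the original slides. Addresses are treated as 32-bit integers so that "same subnet part" is literally a mask of the top x bits, and the forwarding table applies longest-prefix matching: the most specific prefix that matches wins, with 0.0.0.0/0 as the default route. The prefixes and next-hop names in the usage are taken from the slides where they exist (200.23.16.0/23, the 223.1.x.y interfaces) and are otherwise made up.

```python
# Added example (not from the slides): CIDR prefixes as (network, /x) pairs,
# subnet membership, and the longest-prefix-match lookup of a forwarding
# table.  Pure integer/bit arithmetic so the subnet/host split is explicit.

def ip_to_int(addr: str) -> int:
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address %r" % addr)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def prefix_mask(plen: int) -> int:
    """Mask selecting the top plen bits (0 for /0, 0xFFFFFFFF for /32)."""
    if not 0 <= plen <= 32:
        raise ValueError("bad prefix length %d" % plen)
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def parse_prefix(cidr: str):
    """'200.23.16.0/23' -> (network_int, 23); rejects prefixes with host bits set."""
    net, _, length = cidr.partition("/")
    plen = int(length) if length else 32
    mask = prefix_mask(plen)
    n = ip_to_int(net)
    if n & ~mask & 0xFFFFFFFF:
        raise ValueError("%s has host bits set" % cidr)
    return n, plen


def in_prefix(addr: str, cidr: str) -> bool:
    n, plen = parse_prefix(cidr)
    return (ip_to_int(addr) & prefix_mask(plen)) == n


def same_subnet(a: str, b: str, plen: int) -> bool:
    """Two interfaces are on one subnet if their top plen bits agree."""
    mask = prefix_mask(plen)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)


class ForwardingTable:
    """Longest-prefix-match lookup: most specific matching prefix wins."""

    def __init__(self):
        self.entries = []  # (network_int, prefix_len, next_hop)

    def add(self, cidr: str, next_hop: str):
        n, plen = parse_prefix(cidr)
        self.entries.append((n, plen, next_hop))
        self.entries.sort(key=lambda e: -e[1])  # longest prefix first

    def lookup(self, addr: str):
        a = ip_to_int(addr)
        for n, plen, hop in self.entries:
            if (a & prefix_mask(plen)) == n:
                return hop
        return None  # no route, not even a default


if __name__ == "__main__":
    table = ForwardingTable()
    table.add("200.23.16.0/23", "interface 1")   # slide's prefix
    table.add("200.23.0.0/16", "interface 2")    # made-up covering prefix
    table.add("0.0.0.0/0", "default gateway")    # made-up default
    for dst in ("200.23.17.1", "200.23.30.5", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
    print("223.1.1.1 and 223.1.1.4 on one /24:", same_subnet("223.1.1.1", "223.1.1.4", 24))
```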

NAT: Network Address Translation

(figure: local network, e.g. home network, 10.0.0/24, with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 behind a NAT router whose WAN-side address is 138.76.29.7; the rest of the Internet on the other side)

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
All datagrams leaving local network have same single source NAT IP address, 138.76.29.7, with different source port numbers

NAT: Network Address Translation (slide 57)

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345   D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates table
   S: 138.76.29.7, 5001   D: 128.119.40.186, 80
3: Reply arrives, dest address 138.76.29.7, 5001
   S: 128.119.40.186, 80   D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80   D: 10.0.0.1, 3345

NAT translation table
  WAN side addr          LAN side addr
  138.76.29.7, 5001      10.0.0.1, 3345
  ...                    ...
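
The four steps above as a small port-translating NAT, an added example that is not part of the original slides. Outbound datagrams get the NAT's WAN address and a freshly allocated port, and the (WAN port) -> (LAN address, port) pair is recorded; inbound datagrams are rewritten only when a table entry exists. The practitioner's point the slide leaves implicit is the last call in the walkthrough: a datagram arriving from outside for a port nobody mapped has no LAN destination and is dropped, which is why NAT behaves like a crude inbound filter even though that is a side effect of the table, not a security design. The 203.0.113.9 sender in that call is a constructed address.

```python
# Added example (not from the slides): a port-translating NAT with the
# translation table of the slide.  Outbound datagrams get (NAT IP, new port);
# inbound datagrams are rewritten back only if a table entry exists, so an
# unsolicited packet from outside has nowhere to go and is dropped.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.wan_to_lan = {}   # WAN port -> (LAN ip, LAN port)
        self.lan_to_wan = {}   # (LAN ip, LAN port) -> WAN port

    def outbound(self, d: Datagram) -> Datagram:
        """LAN -> WAN: allocate (or reuse) a WAN-side port and rewrite the source."""
        key = (d.src_ip, d.src_port)
        port = self.lan_to_wan.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.lan_to_wan[key] = port
            self.wan_to_lan[port] = key
        return replace(d, src_ip=self.wan_ip, src_port=port)

    def inbound(self, d: Datagram):
        """WAN -> LAN: rewrite the destination from the table; None means drop."""
        if d.dst_ip != self.wan_ip:
            return None
        key = self.wan_to_lan.get(d.dst_port)
        if key is None:
            return None            # no mapping: unsolicited, dropped
        lan_ip, lan_port = key
        return replace(d, dst_ip=lan_ip, dst_port=lan_port)

    def table(self):
        """Rows as (WAN side addr, LAN side addr), like the slide's table."""
        return [("%s, %d" % (self.wan_ip, p), "%s, %d" % k) for p, k in self.wan_to_lan.items()]


def slide_walkthrough():
    """Steps 1-4 of the slide; returns the NAT and the datagrams seen at steps 2 and 4."""
    nat = Nat("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)    # host sends
    step2 = nat.outbound(step1)                                  # NAT rewrites source
    step3 = Datagram("128.119.40.186", 80, "138.76.29.7", 5001)  # reply arrives
    step4 = nat.inbound(step3)                                   # NAT rewrites destination
    # Constructed outside host probing a WAN port nobody mapped: dropped.
    stray = nat.inbound(Datagram("203.0.113.9", 4444, "138.76.29.7", 6000))
    return nat, step2, step4, stray


if __name__ == "__main__":
    nat, out, back, stray = slide_walkthrough()
    print("step 2:", out)
    print("step 4:", back)
    print("unsolicited inbound:", stray)
    print("table:", nat.table())
```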

Hierarchical Routing

Our routing study thus far: idealization; all routers identical, network "flat" ... not true in practice.
scale: with 200 million destinations
  can't store all destinations in routing tables
  routing table exchange would swamp links
administrative autonomy
  internet = network of networks
  each network admin may want to control routing in its own network

Hierarchical Routing (2)

aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS
(figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with routers 2a, 2b, 2c; AS3 with routers 3a, 3b, 3c; gateway routers link the ASes; at a router, the intra-AS routing algorithm and the inter-AS routing algorithm together fill the forwarding table)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithms:
  intra-AS sets entries for internal destinations
  inter-AS and intra-AS together set entries for external destinations

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX distribution in 1982
Distance metric: number of hops (max = 15 hops); number of hops = number of subnets traversed along the shortest path from source router to destination subnet (e.g. source = A)
(figure: routers A, B, C, D connecting subnets u, v, w, x, y, z)
From A:
  destination   hops
  u             1
  v             2
  w             2
  x             3
  y             3
  z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: OSPF messages can be authenticated (to prevent malicious intrusion). Caveat: authentication is configured per area or interface, not on by default, and the simple-password mode sends the password in cleartext; only the cryptographic mode (MD5 in RFC 2328, HMAC-SHA in RFC 5709) actually protects the integrity of routing updates.
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF (figure: backbone area with backbone routers, several local areas attached via area border routers, boundary routers leading to other ASes)

Two-level hierarchy: local area, backbone
  Link-state advertisements only in area; each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other area border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other ASes

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASes
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
AS2 can aggregate prefixes in its advertisement
(figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions run between gateway routers of neighboring ASes, iBGP sessions between routers inside one AS)

Path attributes and BGP routes

When advertising a prefix, advert includes BGP attributes; prefix + attributes = "route"
Two important attributes:
  AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17
  NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
When gateway router receives route advert, uses import policy to accept/decline
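
The import step of a gateway router in code, as an added example that is not part of the original slides. A route is a prefix plus its AS-PATH and NEXT-HOP; the policy declines a route whose AS-PATH already contains the local AS number (a loop, the one check BGP itself mandates), a route crossing an AS the operator refuses to transit, or an implausibly long path, and among accepted routes for a prefix the shortest AS-PATH is kept. Re-advertising prepends the local AS to the AS-PATH. The AS numbers 67 and 17 are the slide's; the other AS numbers, prefixes and NEXT-HOP addresses are made up for the example, and the policy rules are illustrative, not a description of any particular router's defaults.

```python
# Added example (not from the slides): BGP import policy on gateway routes
# (prefix + AS-PATH + NEXT-HOP).  Decline on AS-PATH loop or blacklisted
# transit AS, then keep the shortest accepted AS-PATH per prefix.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # e.g. (67, 17): ASes the advert passed, most recent first
    next_hop: str


@dataclass
class ImportPolicy:
    local_as: int
    avoid_as: Set[int] = field(default_factory=set)   # ASes we refuse to route through
    max_path_len: int = 10                            # illustrative sanity limit

    def accept(self, r: Route) -> Optional[str]:
        """Return None if the route is accepted, else the reason it is declined."""
        if self.local_as in r.as_path:
            return "loop: our AS %d already in AS-PATH" % self.local_as
        crossed = self.avoid_as & set(r.as_path)
        if crossed:
            return "policy: path crosses avoided AS %s" % sorted(crossed)
        if len(r.as_path) > self.max_path_len:
            return "policy: AS-PATH longer than %d" % self.max_path_len
        return None


def select_routes(adverts: List[Route], policy: ImportPolicy) -> Dict[str, Route]:
    """Apply the import policy, then keep the shortest accepted AS-PATH per prefix."""
    best: Dict[str, Route] = {}
    for r in adverts:
        if policy.accept(r) is not None:
            continue
        cur = best.get(r.prefix)
        if cur is None or len(r.as_path) < len(cur.as_path):
            best[r.prefix] = r
    return best


def exported(route: Route, local_as: int) -> Route:
    """Re-advertising to a neighbour prepends our own AS to the AS-PATH."""
    return Route(route.prefix, (local_as,) + route.as_path, route.next_hop)


def demo() -> Dict[str, Route]:
    """Constructed adverts arriving at a gateway router of AS 1."""
    policy = ImportPolicy(local_as=1, avoid_as={99})
    adverts = [
        Route("200.23.16.0/23", (67, 17), "10.1.1.1"),       # AS-PATH from the slide
        Route("200.23.16.0/23", (3, 67, 17), "10.2.2.2"),    # longer path, same prefix
        Route("200.23.16.0/23", (1, 17), "10.3.3.3"),        # contains our AS: loop
        Route("138.76.0.0/16", (99, 5), "10.1.1.1"),         # crosses avoided AS 99
    ]
    return select_routes(adverts, policy)


if __name__ == "__main__":
    for prefix, route in demo().items():
        print(prefix, "via", route.next_hop, "AS-PATH", route.as_path,
              "-> exported as", exported(route, 1).as_path)
```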

Why different intra- and inter-AS routing?

Policy:
  Inter-AS: admin wants control over how its traffic is routed, who routes through its net
  Intra-AS: single admin, so no policy decisions needed
Scale: hierarchical routing saves table size, reduces update traffic
Performance:
  Intra-AS can focus on performance
  Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
  hosts and routers are nodes
  communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
  layer-2 packet is a frame; encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
  encapsulate datagram into frame, adding header, trailer
  channel access if shared medium
  "MAC" addresses used in frame headers to identify source, dest (different from IP address)
Reliable delivery between adjacent nodes:
  we learned how to do this already (chapter 3)
  seldom used on low bit error links (fiber, some twisted pair)
  wireless links: high error rates
  Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
  access to channel in "rounds"
  each station gets fixed length slot (length = packet transmission time) in each round
  unused slots go idle
  example: 6-station LAN, stations 1, 3, 4 have packets; slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
  single active node can continuously transmit at full rate of channel
  highly decentralized: only slots in nodes need to be in sync
  simple
Cons:
  collisions, wasting slots
  idle slots
  clock synchronization

Slotted ALOHA efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of the time

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit
  If channel sensed idle: transmit entire frame
  If channel sensed busy: defer transmission
Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
(figure: spatial layout of nodes, transmissions overlapping in space and time)
note: role of distance and propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
  collisions detected within short time
  colliding transmissions aborted, reducing channel wastage
collision detection:
  easy in wired LANs: measure signal strengths, compare transmitted, received signals
  difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection (figure: two nodes' transmissions overlap; each detects the collision and aborts)

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn
  concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message
  concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (host, router) on LAN has ARP table
ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
(figure: a LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)

ARP protocol: same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state, information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Note that nothing in this exchange is authenticated: a node caches whatever reply it receives, so the correctness of its table depends on every host on the LAN answering honestly.
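
The exchange and the soft-state cache above in code, as an added example that is not part of the original slides. The LAN is simulated: a query goes to the broadcast address and is seen by every host, only the target answers, by unicast, and the asker caches the binding with the slide's 20-minute TTL; a cached entry is used while fresh and re-queried once it has expired. One check is added that the protocol itself never does, since replies carry no authentication: a reply that changes an existing, unexpired binding is recorded as a conflict. The IP-to-MAC pairing uses the slide's addresses but the pairing itself is constructed, and the clock is injected so expiry can be exercised.

```python
# Added example (not from the slides): ARP resolution on one LAN with a
# soft-state cache (20 min TTL), plus a conflict record for replies that
# rewrite an existing fresh binding, which ARP itself does not detect.

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL_SEC = 20 * 60        # slide: mappings forgotten after ~20 min

# Constructed LAN: IP -> MAC using the slide's addresses (pairing is ours).
LAN_HOSTS = {
    "237.196.7.78": "1A-2F-BB-76-09-AD",
    "237.196.7.23": "71-65-F7-2B-08-53",
    "237.196.7.14": "58-23-D7-FA-20-B0",
    "237.196.7.88": "0C-C4-11-6F-E3-98",
}


class ArpTable:
    def __init__(self, clock):
        self.clock = clock            # callable returning seconds
        self.entries = {}             # ip -> (mac, expires_at)
        self.conflicts = []           # (ip, old_mac, new_mac) seen on replies

    def lookup(self, ip):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if self.clock() >= expires:   # soft state: stale entry is dropped
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip, mac):
        """Cache a reply; note when it changes a binding that is still fresh."""
        old = self.lookup(ip)
        if old is not None and old != mac:
            self.conflicts.append((ip, old, mac))
        self.entries[ip] = (mac, self.clock() + ARP_TTL_SEC)


class Lan:
    """Delivers ARP queries (to the broadcast MAC) and unicast replies."""
    def __init__(self, hosts):
        self.hosts = hosts
        self.frames = []              # (dst_mac, payload): log of every frame sent

    def query(self, asker_ip, asker_mac, target_ip):
        self.frames.append((BROADCAST, ("ARP-REQUEST", asker_ip, target_ip)))
        # Every host receives the broadcast; only the target answers, by unicast.
        if target_ip in self.hosts:
            self.frames.append((asker_mac, ("ARP-REPLY", target_ip, self.hosts[target_ip])))
            return self.hosts[target_ip]
        return None


def resolve(table: ArpTable, lan: Lan, me_ip, me_mac, target_ip):
    """Use the cache if fresh, otherwise query the LAN and cache the reply."""
    mac = table.lookup(target_ip)
    if mac is None:
        mac = lan.query(me_ip, me_mac, target_ip)
        if mac is not None:
            table.learn(target_ip, mac)
    return mac


if __name__ == "__main__":
    now = [0]
    table, lan = ArpTable(lambda: now[0]), Lan(LAN_HOSTS)
    a_ip, a_mac = "237.196.7.78", LAN_HOSTS["237.196.7.78"]
    print(resolve(table, lan, a_ip, a_mac, "237.196.7.14"), "after", len(lan.frames), "frames")
    print(resolve(table, lan, a_ip, a_mac, "237.196.7.14"), "after", len(lan.frames), "frames (cache hit)")
    table.learn("237.196.7.14", "DE-AD-BE-EF-00-01")   # constructed conflicting reply
    print("conflicts:", table.conflicts)
```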

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
(figure: A on one LAN, router R, B on the other LAN)

A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame; R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it is destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer and creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec (1023 * 512 * 0.1 microsec = 52.4 msec)
Exponential backoff:
  Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
  first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
  after second collision: choose K from {0, 1, 2, 3} ...
  after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
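
Binary exponential backoff as stated in steps 4 and 5 and the slide above, as an added example that is not part of the original slides. The range of K doubles with each collision and stops growing after the tenth; the wait is K times 512 bit times, and the bit time follows from the line rate (0.1 microsecond at 10 Mbps), which is where the "about 50 msec" for K = 1023 comes from. The simulation of an adapter that collides a given number of times before succeeding uses a seeded random source so runs are reproducible; the 16-attempt limit at which the frame is discarded is the IEEE 802.3 attempt limit, not something stated on the slide.

```python
# Added example (not from the slides): Ethernet binary exponential backoff.
# After the m-th collision K is drawn from {0, ..., 2^min(m,10) - 1} and the
# adapter waits K * 512 bit times; the bit time is 0.1 us on 10 Mbps Ethernet.
import random

SLOT_BITS = 512          # one backoff slot = 512 bit times
JAM_BITS = 48            # jam signal length
MAX_EXPONENT = 10        # the K range stops growing after the 10th collision
ATTEMPT_LIMIT = 16       # IEEE 802.3: give up on the frame after 16 attempts


def backoff_range(collisions: int) -> int:
    """Number of possible K values after `collisions` collisions: 2^min(m, 10)."""
    if collisions < 1:
        raise ValueError("backoff only follows a collision")
    return 2 ** min(collisions, MAX_EXPONENT)


def bit_time_us(rate_mbps: float) -> float:
    """Duration of one bit in microseconds: 0.1 us at 10 Mbps, 0.01 us at 100 Mbps."""
    return 1.0 / rate_mbps


def wait_time_us(k: int, rate_mbps: float = 10.0) -> float:
    """Backoff wait for a given K, in microseconds."""
    return k * SLOT_BITS * bit_time_us(rate_mbps)


def pick_k(collisions: int, rng: random.Random) -> int:
    """Uniform draw from {0, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_range(collisions))


def transmit_with_backoff(collision_count: int, rng: random.Random, rate_mbps: float = 10.0):
    """Simulate an adapter that collides `collision_count` times, then succeeds.

    Returns a list of (collision number, K, wait in microseconds).  The frame
    is discarded if the attempt limit is reached first.
    """
    history = []
    for m in range(1, collision_count + 1):
        if m >= ATTEMPT_LIMIT:
            raise RuntimeError("excessive collisions: frame discarded")
        k = pick_k(m, rng)
        history.append((m, k, wait_time_us(k, rate_mbps)))
    return history


def demo_history(collisions: int = 5, seed: int = 7):
    """Reproducible run for the usage below and for checking the K ranges."""
    return transmit_with_backoff(collisions, random.Random(seed))


if __name__ == "__main__":
    print("first collision: K in {0,1}; second: K in 0..%d; tenth and later: K in 0..%d"
          % (backoff_range(2) - 1, backoff_range(10) - 1))
    print("K=1023 at 10 Mbps waits %.1f ms" % (wait_time_us(1023) / 1000))
    for m, k, w in demo_history():
        print("collision %d: K=%d (range 0..%d), wait %.1f us" % (m, k, backoff_range(m) - 1, w))
```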

CSMA/CD efficiency

tprop = max propagation delay between 2 nodes in LAN
ttrans = time to transmit max-size frame

efficiency = 1 / (1 + 5 * tprop / ttrans)

Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters:
  bits coming from one link go out all other links at the same rate
  no frame buffering
  no CSMA/CD at hub: adapters detect collisions
  provides net management functionality; can disconnect a malfunctioning adapter
(figure: hub with twisted-pair links to each host)

Interconnecting with hubs

Pros:
  enables interdepartmental communication
  extends max distance between nodes
  if a hub malfunctions, the backbone hub can disconnect it
Cons:
  collision domains are transferred into one large common domain
  cannot interconnect 10BaseT and 100BaseT hubs
(figure: four hubs, one interconnecting the other three)

Switch

Link layer device:
  stores and forwards Ethernet frames
  examines frame header and selectively forwards frame based on MAC dest address
  when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured

Forwarding

How to determine onto which LAN segment to forward frame?
Looks like a routing problem...
(figure: a switch with interfaces 1, 2 and 3, each connected to a hub)

Self learning

A switch has a switch table; entry in switch table: (MAC address, interface, time stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces:
  when frame received, switch "learns" location of sender: incoming LAN segment
  records sender/location pair in switch table
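
A self-learning switch implementing the table just described, as an added example that is not part of the original slides. Every received frame teaches the switch where its sender lives; the frame is then forwarded to the learned interface, filtered when that interface is the one it arrived on (the sender and receiver share a segment), or flooded out all other interfaces when the destination is still unknown, and entries older than the TTL are dropped. Interface numbers and MAC labels are made up; the clock is injected so the TTL can be exercised.

```python
# Added example (not from the slides): the self-learning switch of the slide.
# Learn (source MAC -> incoming interface, timestamp) on every frame, then
# forward / filter / flood by destination MAC; stale entries expire.

SWITCH_TTL_SEC = 60 * 60   # slide: TTL can be 60 min

FORWARD, FLOOD, FILTER = "forward", "flood", "filter"


class LearningSwitch:
    def __init__(self, interfaces, clock, ttl=SWITCH_TTL_SEC):
        self.interfaces = list(interfaces)
        self.clock = clock               # callable returning seconds
        self.ttl = ttl
        self.table = {}                  # mac -> (interface, timestamp)

    def _expire(self):
        """Drop table entries not refreshed within the TTL."""
        now = self.clock()
        for mac, (_, ts) in list(self.table.items()):
            if now - ts >= self.ttl:
                del self.table[mac]

    def receive(self, src_mac, dst_mac, in_if):
        """Process one frame; return (action, interfaces the frame goes out on)."""
        if in_if not in self.interfaces:
            raise ValueError("unknown interface %r" % in_if)
        self._expire()
        self.table[src_mac] = (in_if, self.clock())   # learn the sender's location
        entry = self.table.get(dst_mac)
        if entry is None:
            # Destination unknown: flood every interface except the incoming one.
            return FLOOD, [i for i in self.interfaces if i != in_if]
        out_if, _ = entry
        if out_if == in_if:
            return FILTER, []            # same segment: do not forward
        return FORWARD, [out_if]


if __name__ == "__main__":
    clock = [0]
    sw = LearningSwitch([1, 2, 3], lambda: clock[0])
    print("A->B from if 1:", sw.receive("A", "B", 1))      # B unknown: flood to 2, 3
    print("B->A from if 2:", sw.receive("B", "A", 2))      # A known on 1: forward
    print("C->A from if 1:", sw.receive("C", "A", 1))      # A on the same segment: filter
    clock[0] = SWITCH_TTL_SEC                               # everything learned so far is stale
    print("D->A from if 3:", sw.receive("D", "A", 3))      # A forgotten: flood again
    print("table:", sw.table)
```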

Switch: traffic isolation

switch installation breaks subnet into LAN segments
switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
(figure: a switch above three hubs; each hub and its hosts form one collision domain)

Switches vs. Routers

both store-and-forward devices
  routers: network layer devices (examine network layer headers)
  switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                     hubs    switches    routers
  traffic isolation  no      yes         yes
  plug & play        yes     yes         no
  optimal routing    no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access)

Hidden terminal problem (figure: A, B, C in a line; A's and C's ranges both reach B but not each other):
  B, A hear each other
  B, C hear each other
  A, C cannot hear each other, which means A, C unaware of their interference at B

Signal fading (figure: A's and C's signal strength falling off over space, overlapping at B):
  B, A hear each other
  B, C hear each other
  A, C cannot hear each other, yet interfere at B

IEEE 802.11 Wireless LAN

802.11b
  2.4 GHz unlicensed radio spectrum
  up to 11 Mbps
  direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code
  widely deployed, using base stations
802.11a
  5 GHz range
  up to 54 Mbps
802.11g
  2.4 GHz range
  up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP), the base station
ad hoc mode: hosts only
(figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
  1. if sense channel idle for DIFS then transmit entire frame (no CD)
  2. if sense channel busy then
     - start random backoff time
     - timer counts down while channel idle
     - transmit when timer expires
     - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
  - if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
(figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)

Collision Avoidance: RTS-CTS exchange

(figure, time running downward, stations A and B on either side of the AP:
  A sends RTS(A) and B sends RTS(B) at the same time; the reservation requests collide at the AP
  A sends RTS(A) again
  AP broadcasts CTS(A); both A and B hear it
  A sends DATA(A) while B defers for the reserved duration
  AP returns ACK(A), heard by both A and B)

802.11 frame (field, size in bytes):
  frame control 2 | duration 2 | address 1 6 | address 2 6 | address 3 6 | seq control 2 | address 4 6 | payload 0-2312 | CRC 4

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

802.11 frame addressing (slide 105, figure: wireless host H1, AP, router R1 toward the Internet)
  802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
  802.3 frame the AP puts on the wired LAN: dest address = R1 MAC addr, source address = H1 MAC addr (the AP bridges the frame and keeps H1's address as source; it does not substitute its own)
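
The header layout and the AP's translation above, as an added example that is not part of the original slides. It builds an 802.11 data frame with the field sizes listed (2, 2, 6, 6, 6, 2, optional 6, payload, 4-byte CRC), parses it back, and performs the bridging step: destination = address 3 (the router interface), source = address 2 (the wireless host). Simplifications to be aware of: only the ToDS/FromDS flags of frame control are decoded and address 4 is taken to be present only when both are set; the payload is treated as a raw IP datagram and given a fixed Ethertype, whereas a real AP would carry an LLC/SNAP header; the CRC is the IEEE CRC-32 that zlib computes. The MAC addresses are the slide's, assigned to H1, AP and R1 by this example.

```python
# Added example (not from the slides): 802.11 data-frame header build/parse
# and the AP's translation to an 802.3 frame (dest = address 3, src = address 2).
import struct
import zlib

# Slide's MAC addresses, assigned to the three parties by this example.
H1, AP, R1 = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"

FC_TYPE_DATA = 0x0008    # type = data, subtype 0
FC_TO_DS = 0x0100        # ToDS flag (flags byte bit 0)
FC_FROM_DS = 0x0200      # FromDS flag (flags byte bit 1)
ETHERTYPE_IPV4 = 0x0800  # assumed Ethertype for the bridged payload


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace("-", ""))


def mac_str(b: bytes) -> str:
    return "-".join("%02X" % x for x in b)


def fcs(data: bytes) -> bytes:
    """IEEE CRC-32 as used for the 802.11 and 802.3 frame check sequence."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_80211_data(addr1, addr2, addr3, payload: bytes, seq: int = 0,
                     to_ds=True, from_ds=False, addr4=None) -> bytes:
    fc = FC_TYPE_DATA | (FC_TO_DS if to_ds else 0) | (FC_FROM_DS if from_ds else 0)
    hdr = (struct.pack("<HH", fc, 0) + mac_bytes(addr1) + mac_bytes(addr2)
           + mac_bytes(addr3) + struct.pack("<H", seq << 4))   # seq in upper 12 bits
    if to_ds and from_ds:
        hdr += mac_bytes(addr4)                                # address 4 only in WDS
    body = hdr + payload
    return body + fcs(body)


def parse_80211(frame: bytes) -> dict:
    if len(frame) < 24 + 4:
        raise ValueError("truncated 802.11 frame")
    body, crc = frame[:-4], frame[-4:]
    if fcs(body) != crc:
        raise ValueError("bad FCS")
    fc, duration = struct.unpack("<HH", body[:4])
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    a1, a2, a3 = (mac_str(body[i:i + 6]) for i in (4, 10, 16))
    seq = struct.unpack("<H", body[22:24])[0] >> 4
    off, a4 = 24, None
    if to_ds and from_ds:
        a4, off = mac_str(body[24:30]), 30
    return {"to_ds": to_ds, "from_ds": from_ds, "duration": duration,
            "addr1": a1, "addr2": a2, "addr3": a3, "addr4": a4,
            "seq": seq, "payload": body[off:]}


def ap_to_ethernet(frame: bytes, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Bridge a host->AP (ToDS) frame onto the wired LAN as an 802.3 frame."""
    f = parse_80211(frame)
    if not f["to_ds"] or f["from_ds"]:
        raise ValueError("only host->AP frames are bridged in this example")
    eth = (mac_bytes(f["addr3"]) + mac_bytes(f["addr2"])     # dest = R1, source = H1
           + struct.pack("!H", ethertype) + f["payload"])
    return eth + fcs(eth)


def parse_ethernet(frame: bytes) -> dict:
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0], "payload": frame[14:-4]}


if __name__ == "__main__":
    payload = b"constructed IP datagram bytes"
    wifi = build_80211_data(AP, H1, R1, payload, seq=5)
    print("802.11:", {k: v for k, v in parse_80211(wifi).items() if k.startswith("addr")})
    print("802.3: ", parse_ethernet(ap_to_ethernet(wifi)))
```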

Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 51: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

The Internet Network layer

forwardingtable

Host router network layer functions

Routing protocolsbullpath selectionbullRIP OSPF BGP

IP protocolbulladdressing conventionsbulldatagram formatbullpacket handling conventions

ICMP protocolbullerror reportingbullrouter ldquosignalingrdquo

Transport layer TCP UDP

Link layer

physical layer

Networklayer

IP datagram format

ver length

32 bits

data (variable lengthtypically a TCP

or UDP segment)

16-bit identifier

Internet checksum

time tolive

32 bit source IP address

IP protocol versionnumber

header length (bytes)

max numberremaining hops

(decremented at each router)

forfragmentationreassembly

total datagramlength (bytes)

upper layer protocolto deliver payload to

headlen

type ofservice

ldquotyperdquo of data flgsfragment

offsetupper layer

32 bit destination IP address

Options (if any) Eg timestamprecord routetaken specifylist of routers to visit

how much overhead with TCP

20 bytes of TCP 20 bytes of IP = 40 bytes + app

layer overhead

IP Addressing introduction IP address 32-bit

identifier for host router interface

interface connection between hostrouter and physical link routerrsquos typically have

multiple interfaces host may have

multiple interfaces IP addresses

associated with each interface

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

223111 = 11011111 00000001 00000001 00000001

223 1 11

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline


IP datagram format

Header fields (32 bits wide):

ver: IP protocol version number

head len: header length (bytes)

type of service: "type" of data

length: total datagram length (bytes)

16-bit identifier, flgs, fragment offset: for fragmentation/reassembly

time to live: max number remaining hops (decremented at each router)

upper layer: upper layer protocol to deliver payload to

Internet checksum

32 bit source IP address

32 bit destination IP address

Options (if any): e.g. timestamp, record route taken, specify list of routers to visit

data (variable length, typically a TCP or UDP segment)

how much overhead with TCP? 20 bytes of TCP + 20 bytes of IP = 40 bytes + app layer overhead
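As an added example (not part of the slides), the header layout above turned into a parser: it packs and unpacks the fixed 20-byte header with Python's struct module, recomputes the Internet checksum, and refuses headers whose version or length fields are inconsistent rather than trusting them. The sample addresses, identifier and TTL are constructed.

```python
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # ver/hlen, tos, length, id, flags/frag, ttl, proto, checksum, src, dst

def ip_bytes(dotted: str) -> bytes:
    """Dotted-decimal text -> the 4 address bytes carried in the header."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or not all(0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % dotted)
    return bytes(parts)

def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)

def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words with end-around carry, complemented.
    Run over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_header(src: str, dst: str, payload_len: int, proto: int = 6,
                 ttl: int = 64, ident: int = 0x1C46) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a correct checksum; proto 6 = TCP."""
    ver_ihl = (4 << 4) | 5            # version 4, header length 5 words = 20 bytes
    flags_frag = 0x4000               # DF flag set, fragment offset 0
    hdr = struct.pack(HEADER_FMT, ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]

def parse_header(data: bytes) -> dict:
    """Parse an IPv4 header, rejecting malformed input instead of trusting the length fields."""
    if len(data) < 20:
        raise ValueError("truncated: need at least 20 bytes, got %d" % len(data))
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack(HEADER_FMT, data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or ihl > len(data):
        raise ValueError("header length %d is invalid for %d bytes" % (ihl, len(data)))
    if total_len < ihl:
        raise ValueError("total length %d is smaller than the header" % total_len)
    return {
        "version": version,
        "header_len": ihl,                  # head len, in bytes
        "tos": tos,                         # type of service
        "total_len": total_len,             # total datagram length, bytes
        "identifier": ident,                # 16-bit identifier
        "flags": flags_frag >> 13,          # flgs
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,                         # max number remaining hops
        "protocol": proto,                  # upper layer protocol to deliver payload to
        "checksum": checksum,
        "checksum_ok": internet_checksum(data[:ihl]) == 0,
        "src": dotted(src),
        "dst": dotted(dst),
        "options": data[20:ihl],            # present only when head len > 20
    }

if __name__ == "__main__":
    # Constructed sample: 20-byte header in front of a 20-byte TCP segment, 40 bytes of overhead
    sample = build_header("223.1.1.1", "223.1.2.2", payload_len=20)
    for name, value in parse_header(sample).items():
        print("%-16s %r" % (name, value))
```

The checksum check is what a router relies on when it decrements the TTL: it must recompute the field, otherwise the next hop sees a header that no longer sums to zero.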

IP Addressing: introduction

IP address: 32-bit identifier for host, router interface

interface: connection between host/router and physical link

routers typically have multiple interfaces

host may have multiple interfaces

IP addresses associated with each interface

(figure: interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.2, 223.1.3.1, 223.1.3.27)

223.1.1.1 = 11011111 00000001 00000001 00000001 (223 . 1 . 1 . 1)

Subnets

IP address: subnet part (high order bits), host part (low order bits)

What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router

(figure: the same interfaces as above, grouped into a network consisting of 3 subnets, each a LAN)

IP addressing: CIDR

Before CIDR only 8-, 16- and 24-bit masks were available (A, B and C class networks)

CIDR: Classless InterDomain Routing: subnet portion of address of arbitrary length; address format a.b.c.d/x, where x is # bits in subnet portion of address

11001000 00010111 00010000 00000000 = 200.23.16.0/23 (first 23 bits: subnet part; remaining bits: host part)
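Added example (not from the slides): the a.b.c.d/x split with Python's ipaddress module, on the slide's 200.23.16.0/23 and 223.1.1.1, together with the pre-CIDR classful mask for comparison and the same-subnet test from the Subnets slide.

```python
import ipaddress

def to_binary(dotted: str) -> str:
    """Render an IPv4 address as four 8-bit groups, as the slide does for 223.1.1.1."""
    return " ".join(format(int(octet), "08b") for octet in dotted.split("."))

def classful_prefix(dotted: str):
    """Pre-CIDR rule: the first octet fixes the mask at 8, 16 or 24 bits (class A, B, C).
    Returns None for addresses outside those three classes."""
    first = int(dotted.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    return None

def split_prefix(cidr: str) -> dict:
    """Split a.b.c.d/x into the x subnet bits and the 32-x host bits."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = format(int(net.network_address), "032b")
    x = net.prefixlen
    return {
        "network": str(net.network_address),
        "prefixlen": x,
        "mask": str(net.netmask),
        "subnet_bits": bits[:x],
        "host_bits": bits[x:],
        "host_count": 2 ** (32 - x),   # raw size of the host part, before reserving any addresses
    }

def same_subnet(a: str, b: str, prefixlen: int) -> bool:
    """Two interfaces share a subnet iff their first prefixlen bits agree,
    which is what lets them reach each other without a router."""
    net_a = ipaddress.ip_network("%s/%d" % (a, prefixlen), strict=False)
    return ipaddress.ip_address(b) in net_a

def compare(cidr: str) -> dict:
    """How many host bits CIDR gives this prefix versus the class its first octet would have forced."""
    info = split_prefix(cidr)
    classful = classful_prefix(info["network"])
    info["classful_prefixlen"] = classful
    info["host_bits_gained_over_classful"] = None if classful is None else classful - info["prefixlen"]
    return info

if __name__ == "__main__":
    print(to_binary("223.1.1.1"))
    print(compare("200.23.16.0/23"))
    print(same_subnet("223.1.1.1", "223.1.1.4", 24), same_subnet("223.1.1.1", "223.1.2.1", 24))
```

For 200.23.16.0/23 the first octet would have forced a class C /24; the /23 keeps one more host bit, which is exactly the aggregation the slide's "arbitrary length" subnet portion buys.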

NAT: Network Address Translation

(figure: local network, e.g. home network, 10.0.0/24, with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and NAT router 10.0.0.4 / 138.76.29.7, connected to the rest of the Internet)

Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)

All datagrams leaving local network have same single source NAT IP address 138.76.29.7, different source port numbers

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 (S: 10.0.0.1, 3345; D: 128.119.40.186, 80)

2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table (S: 138.76.29.7, 5001; D: 128.119.40.186, 80)

NAT translation table: WAN side addr 138.76.29.7, 5001 <-> LAN side addr 10.0.0.1, 3345 (... <-> ...)

3: Reply arrives, dest address 138.76.29.7, 5001 (S: 128.119.40.186, 80; D: 138.76.29.7, 5001)

4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80; D: 10.0.0.1, 3345)
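The four-step walkthrough above, as an added example that is not part of the slides: a port-based NAT with a translation table, using the addresses and ports from the slide (the slide's 10.0.0/24 is written 10.0.0.0/24 here). It also covers the case the slide leaves implicit: an inbound datagram with no table entry has no private host to go to and is dropped.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """One public address shared by a private network; source ports tell the flows apart."""

    def __init__(self, wan_ip: str, lan_net: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        self.next_port = first_port
        self.table = {}       # WAN side (wan_ip, wan_port) -> LAN side (lan_ip, lan_port)
        self.reverse = {}     # LAN side (lan_ip, lan_port) -> wan_port

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite the source addr/port to the NAT's own, adding a table entry if needed."""
        if ipaddress.ip_address(d.src_ip) not in self.lan_net:
            raise ValueError("%s is not on the local network" % d.src_ip)
        key = (d.src_ip, d.src_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[(self.wan_ip, self.next_port)] = key
            self.next_port += 1
        return replace(d, src_ip=self.wan_ip, src_port=self.reverse[key])

    def inbound(self, d: Datagram):
        """Step 4: map the destination back to the private host.
        None means there is no table entry, so the datagram is dropped."""
        lan_side = self.table.get((d.dst_ip, d.dst_port))
        if lan_side is None:
            return None
        return replace(d, dst_ip=lan_side[0], dst_port=lan_side[1])

def walkthrough():
    """The slide's four steps with its addresses: 10.0.0.1:3345 talking to 128.119.40.186:80."""
    nat = NatRouter(wan_ip="138.76.29.7", lan_net="10.0.0.0/24")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)               # host sends
    step2 = nat.outbound(step1)                                            # NAT rewrites source
    step3 = Datagram("128.119.40.186", 80, step2.src_ip, step2.src_port)   # server replies
    step4 = nat.inbound(step3)                                             # NAT rewrites destination
    return nat, step2, step4

if __name__ == "__main__":
    nat, out, back = walkthrough()
    print("leaving  :", out)
    print("returning:", back)
    print("table    :", nat.table)
```

Two hosts using the same local port get distinct WAN ports, which is why the table is keyed on the port and not only on the address; the drop of unsolicited inbound traffic is a side effect of that table, not a configured filter.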

Hierarchical Routing

scale: with 200 million destinations: can't store all dest's in routing tables; routing table exchange would swamp links

administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network

Our routing study thus far - idealization: all routers identical, network "flat" ... not true in practice

Hierarchical Routing

aggregate routers into regions, "autonomous systems" (AS)

routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol

Gateway router: direct link to router in another AS

(figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; inside a router: Intra-AS routing algorithm, Inter-AS routing algorithm, Forwarding table)

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm: intra-AS sets entries for internal dests; inter-AS & intra-AS sets entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF

Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm

Included in BSD-UNIX distribution in 1982

Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

(figure: routers A, B, C, D connecting subnets u, v, w, x, y, z)

destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available

Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)

Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF

Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone

Link-state advertisements only in area; each node has detailed area topology

Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers

Backbone routers: run OSPF routing limited to backbone

Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:

1. Obtain subnet reachability information from neighboring ASs

2. Propagate the reachability information to all routers internal to the AS

3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions

Note that BGP sessions do not correspond to physical links

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix

AS2 can aggregate prefixes in its advertisement

(figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; eBGP sessions between ASes, iBGP sessions within an AS)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"

Two important attributes:

AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67 AS 17

NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy: inter-AS: admin wants control over how its traffic routed, who routes through its net; intra-AS: single admin, so no policy decisions needed

Scale: hierarchical routing saves table size, reduced update traffic

Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links (wired links, wireless links, LANs); layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates (Q: why both link-level and end-end reliability?)

MAC Protocols: a taxonomy

Three broad classes:

Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use

Random Access: channel not divided, allow collisions; "recover" from collisions

"Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access: access to channel in rounds; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple

Cons: collisions, wasting slots; idle slots; clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)^(N-1)

prob that there is a success = Np(1-p)^(N-1)

For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)

For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time
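Added example (not from the slides) that carries the efficiency computation through in Python: N p (1-p)^(N-1), a grid search confirming that p = 1/N maximizes it, the descent toward 1/e as N grows, and a short Monte Carlo run that checks the formula against simulated slots. The seed and slot count are constructed.

```python
import math
import random

def success_prob(N: int, p: float) -> float:
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    if N < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need N >= 1 and 0 <= p <= 1")
    return N * p * (1 - p) ** (N - 1)

def best_p(N: int, steps: int = 10000) -> float:
    """Grid search over p for the maximum of success_prob; calculus gives p = 1/N."""
    return max((i / steps for i in range(1, steps + 1)), key=lambda p: success_prob(N, p))

def max_efficiency(N: int) -> float:
    """Efficiency at the optimum p = 1/N, which simplifies to (1 - 1/N)^(N-1)."""
    return success_prob(N, 1.0 / N)

def efficiency_table(sizes=(1, 2, 5, 10, 100, 1000)) -> list:
    """(N, best efficiency) pairs showing the descent toward 1/e = 0.3679."""
    return [(N, round(max_efficiency(N), 4)) for N in sizes]

def simulate(N: int, p: float, slots: int, seed: int = 1) -> float:
    """Monte Carlo check: fraction of slots in which exactly one node transmitted."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(N) if rng.random() < p)
        successes += transmitters == 1      # a slot is useful only with a single transmitter
    return successes / slots

if __name__ == "__main__":
    print("p maximizing 10-node efficiency:", best_p(10))
    print(efficiency_table())
    print("limit 1/e =", round(1 / math.e, 4))
    print("simulated, N=10, p=0.1:", simulate(10, 0.1, 20000))
```

With two nodes the best you can do is 0.5; by ten nodes the optimum is already 0.387, and the table shows it settling on 0.368, the 37% the slide quotes.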

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit: if channel sensed idle, transmit entire frame; if channel sensed busy, defer transmission

Human analogy: don't interrupt others

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission

collision: entire packet transmission time wasted

(figure: spatial layout of nodes)

note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage

collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

(figure only)

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)

Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table

ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

(figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table

A broadcasts ARP query packet, containing B's IP address; Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query

B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed

ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

Two ARP tables in router R, one for each IP network (LAN)

In routing table at source Host, find router 111.111.111.110; in ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

(figure: A - R - B)

A creates datagram with source A, destination B

A uses ARP to get R's MAC address for 111.111.111.110

A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram

A's adapter sends frame; R's adapter receives frame

R removes IP datagram from Ethernet frame, sees it's destined to B

R uses ARP to get B's MAC address

R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

No slots

adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection

Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame

2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits

3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame

4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)

5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff: Goal: adapt retransmission attempts to estimated current load: heavy load: random wait will be longer

first collision: choose K from {0, 1}; delay is K * 512 bit transmission times

after second collision: choose K from {0, 1, 2, 3} ...

after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
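Added example (not from the slides) implementing the backoff rule above: K drawn from {0, ..., 2^min(m,10) - 1}, converted to a wait in seconds at a given bit rate, plus a small simulation of several adapters that collided and keep backing off until one of them draws a strictly smaller K. The slide does not say when an adapter gives up; the cap of 16 collisions in GIVE_UP_AFTER is an assumption added here.

```python
import random

SLOT_BIT_TIMES = 512     # K is counted in units of 512 bit times
MAX_EXPONENT = 10        # from the 10th collision on, K stays in {0, ..., 1023}
GIVE_UP_AFTER = 16       # assumption added here; the slide does not say when an adapter stops retrying

def backoff_range(m: int) -> int:
    """Number of K values available after the m-th collision: 2^min(m, 10)."""
    if m < 1:
        raise ValueError("m counts collisions, so m >= 1")
    return 2 ** min(m, MAX_EXPONENT)

def choose_k(m: int, rng: random.Random) -> int:
    """Draw K uniformly from {0, 1, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_range(m))

def draws(m: int, count: int, seed: int = 1) -> list:
    """count independent draws of K after the m-th collision (seeded, for repeatable runs)."""
    rng = random.Random(seed)
    return [choose_k(m, rng) for _ in range(count)]

def wait_seconds(k: int, bitrate_bps: float) -> float:
    """K * 512 bit times, expressed in seconds at the given link rate."""
    return k * SLOT_BIT_TIMES / bitrate_bps

def resolve_collision(n_adapters: int, rng: random.Random) -> int:
    """Adapters that just collided keep drawing K until one holds a strictly smallest value
    and wins the channel; a tie for the smallest K means they collide again.
    Returns how many collisions occurred in total."""
    collisions = 1
    while collisions <= GIVE_UP_AFTER:
        ks = sorted(choose_k(collisions, rng) for _ in range(n_adapters))
        if n_adapters == 1 or ks[0] != ks[1]:
            return collisions
        collisions += 1
    raise RuntimeError("gave up after %d collisions" % GIVE_UP_AFTER)

def mean_collisions(n_adapters: int, trials: int = 2000, seed: int = 7) -> float:
    """Average number of collisions before the channel is won, over many independent episodes."""
    rng = random.Random(seed)
    return sum(resolve_collision(n_adapters, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("largest K after 10 collisions:", backoff_range(10) - 1)
    print("K=1023 on 10 Mbps Ethernet waits %.1f ms" % (1000 * wait_seconds(1023, 10e6)))
    for n in (2, 4, 8):
        print("%d adapters: %.2f collisions on average" % (n, mean_collisions(n)))
```

The simulation is what the slide's "adapt to estimated current load" means in practice: with two adapters the episode usually ends after one or two collisions, with eight it takes several rounds before the range is wide enough for one adapter to draw a unique minimum.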

CSMA/CD efficiency

Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

efficiency = 1 / (1 + 5 tprop / ttrans)

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity

Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter)

(figure: hub with twisted pair links)

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance btw nodes; if a hub malfunctions, the backbone hub can disconnect it

Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs

(figure: backbone hub connecting three hubs)

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent: hosts are unaware of presence of switches

plug-and-play, self-learning: switches do not need to be configured

Forwarding

How to determine onto which LAN segment to forward frame? Looks like a routing problem...

(figure: switch with interfaces 1, 2, 3, each attached to a hub)

Self learning

A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)

switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments

switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains

(figure: switch with three hubs, each a separate collision domain)
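Self-learning and filtering as an added example (not from the slides): a switch table of (MAC address, interface, time stamp) entries with the 60-minute TTL, and the per-frame decision to filter, forward on one interface, or flood. The MAC names AA, BB, CC and the port numbers are constructed.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
TABLE_TTL = 60 * 60        # seconds; the slide says the TTL can be 60 min

class Switch:
    """A self-learning switch: table of (MAC address, interface, time stamp) entries."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                       # MAC -> (interface, time stamp)

    def expire(self, now):
        """Drop stale entries so a host that moved or left does not keep a wrong interface."""
        stale = [mac for mac, (_, stamp) in self.table.items() if now - stamp > TABLE_TTL]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_port, now):
        """Process one frame arriving on in_port; return the set of ports it is sent out on."""
        if in_port not in self.ports:
            raise ValueError("frame arrived on unknown interface %r" % in_port)
        self.expire(now)
        self.table[src_mac] = (in_port, now)          # learn: sender is reachable via in_port
        others = {p for p in self.ports if p != in_port}
        if dst_mac == BROADCAST:
            return others                               # broadcast frames go everywhere else
        entry = self.table.get(dst_mac)
        if entry is None:
            return others                               # destination unknown: flood
        out_port, _ = entry
        if out_port == in_port:
            return set()                                # same LAN segment: filter, do not forward
        return {out_port}                               # known elsewhere: selective forward

def scenario():
    """Frames AA<->BB across ports 1 and 2, and CC on port 1; returns (switch, list of output sets)."""
    sw = Switch(ports=[1, 2, 3])
    log = [
        sw.receive("AA", "BB", in_port=1, now=0),      # BB unknown: flood to ports 2 and 3
        sw.receive("BB", "AA", in_port=2, now=1),      # AA learned on port 1: forward there only
        sw.receive("AA", "BB", in_port=1, now=2),      # both known: port 2 only, port 3 stays quiet
        sw.receive("CC", "AA", in_port=1, now=3),      # CC and AA share port 1: filtered
        sw.receive("AA", "BB", in_port=1, now=3 + TABLE_TTL + 1),  # BB's entry expired: flood again
    ]
    return sw, log

if __name__ == "__main__":
    sw, log = scenario()
    for step, out in enumerate(log, 1):
        print("frame %d forwarded to ports %s" % (step, sorted(out)))
    print("table:", sw.table)
```

Once both ends of a conversation have been learned, port 3 never sees their frames: that is the traffic isolation the slide describes, and the reason the first frame to an unknown destination is the only one the whole switched LAN hears.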

Switches vs. Routers

both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices

routers maintain routing tables, implement routing algorithms

switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access)

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other: means A, C unaware of their interference at B

(figure: A, B, C in a line)

Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B

(figure: A's signal strength and C's signal strength over space)

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations

802.11a: 5-6 GHz range; up to 54 Mbps

802.11g: 2.4-5 GHz range; up to 54 Mbps

All use CSMA/CA for multiple access

All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station; base station = access point (AP)

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station

ad hoc mode: hosts only

(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender

1. if sense channel idle for DIFS then transmit entire frame (no CD)

2. if sense channel busy then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2

802.11 receiver

if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

(figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)

Collision Avoidance: RTS-CTS exchange

(figure: A and B both send RTS to the AP and the two RTS collide; A sends RTS(A) again; the AP answers CTS(A), heard by both; A sends DATA(A); the AP returns ACK(A); B defers for the duration of the reservation)

802.11 frame: addressing

frame format, field lengths in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)

Address 1: MAC address of wireless host or AP to receive this frame

Address 2: MAC address of wireless host or AP transmitting this frame

Address 3: MAC address of router interface to which AP is attached

Address 4: used only in ad hoc mode

802.11 frame: addressing

(figure: H1 - AP - router R1 - Internet)

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr

Network Security

What is network security?

Principles of cryptography: Symmetric Key, Public Key

Authentication: Protocol evolution

Access control: firewalls

Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks


IP Addressing: introduction

- IP address: 32-bit identifier for host, router interface
- interface: connection between host/router and physical link
  - routers typically have multiple interfaces
  - host may have multiple interfaces
  - IP addresses associated with each interface

[Figure: three subnets with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.1, 223.1.3.2, 223.1.3.27.]

223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

Subnets

IP address:
- subnet part (high order bits)
- host part (low order bits)

What's a subnet? device interfaces with same subnet part of IP address can physically reach each other without intervening router

[Figure: network consisting of 3 subnets (LANs) with the interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.2, 223.1.2.1, 223.1.3.1, 223.1.3.2, 223.1.3.27.]

IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (A, B and C class networks).

CIDR: Classless InterDomain Routing
- subnet portion of address of arbitrary length
- address format: a.b.c.d/x, where x is # bits in subnet portion of address

11001000 00010111 00010000 00000000
|------- subnet part (23) -------|-- host part --|
200.23.16.0/23
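The subnet/host split worked in code (an added example, not part of the slides): it packs the slides' addresses into 32-bit integers, splits 200.23.16.0/23 at the 23-bit boundary, and tests whether two interfaces share a subnet part, which is the Subnets slide's definition of reachability without a router. The classful rule and the `ipaddress` cross-check are this example's additions for comparison.

```python
# Added example: CIDR arithmetic on the slides' addresses (223.1.1.1, 200.23.16.0/23).
import ipaddress


def to_int(dotted: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_bits(value: int) -> str:
    """Render a 32-bit value as four space-separated octets, as on the slide."""
    bits = f"{value:032b}"
    return " ".join(bits[i:i + 8] for i in range(0, 32, 8))


def prefix_mask(x: int) -> int:
    """Mask with the top x bits set: selects the subnet part of a.b.c.d/x."""
    if not 0 <= x <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF


def split_cidr(cidr: str) -> dict:
    """Split 'a.b.c.d/x' into subnet part, host part and number of addresses."""
    dotted, x = cidr.split("/")
    x = int(x)
    addr = to_int(dotted)
    mask = prefix_mask(x)
    return {
        "subnet": to_dotted(addr & mask),   # high-order x bits, host bits zeroed
        "prefix_len": x,
        "host_bits": 32 - x,
        "host_part": addr & ~mask & 0xFFFFFFFF,
        "size": 1 << (32 - x),
    }


def same_subnet(addr_a: str, addr_b: str, x: int) -> bool:
    """True when both interfaces share the high-order x bits, i.e. they sit on
    the same subnet and can reach each other without an intervening router."""
    mask = prefix_mask(x)
    return (to_int(addr_a) & mask) == (to_int(addr_b) & mask)


def classful_prefix(dotted: str) -> int:
    """Pre-CIDR rule from the slide: only 8-, 16- and 24-bit masks (class A, B, C),
    chosen by the leading bits of the first octet."""
    first = to_int(dotted) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("not a class A, B or C address")


def stdlib_network(cidr: str) -> str:
    """Cross-check against the standard library's view of the same prefix."""
    return str(ipaddress.ip_network(cidr, strict=False).network_address)


if __name__ == "__main__":
    print(to_bits(to_int("223.1.1.1")))                     # slide's binary form
    print(split_cidr("200.23.16.0/23"))                      # /23 = two class C blocks
    print(same_subnet("223.1.1.1", "223.1.2.1", 24))         # different subnets
```

Note that 200.23.16.0 would have been a single /24 (class C) network before CIDR; the /23 prefix aggregates two such blocks into one route.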

NAT: Network Address Translation

[Figure: local network (e.g. home network) 10.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3; the NAT router has LAN side address 10.0.0.4 and WAN side address 138.76.29.7 toward the rest of the Internet.]

- Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual)
- All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers

NAT: Network Address Translation

NAT translation table
WAN side addr          LAN side addr
138.76.29.7, 5001      10.0.0.1, 3345
……                     ……

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80
   S: 10.0.0.1, 3345    D: 128.119.40.186, 80
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table
   S: 138.76.29.7, 5001    D: 128.119.40.186, 80
3: Reply arrives, dest address: 138.76.29.7, 5001
   S: 128.119.40.186, 80    D: 138.76.29.7, 5001
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345
   S: 128.119.40.186, 80    D: 10.0.0.1, 3345
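The four-step walkthrough as a small translation-table model (an added example, not part of the slides). Addresses and ports are the slide's (10.0.0.1:3345, NAT WAN address 138.76.29.7, server 128.119.40.186:80); the allocation of WAN port 5001 and the handling of a reply with no table row are this example's assumptions.

```python
# Added example: NAT translation table for the slide's 4-step exchange.
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip: str, first_port: int = 5001):
        self.wan_ip = wan_ip
        self._next_port = first_port
        # WAN side port -> LAN side (ip, port): one row per active mapping
        self.table: dict[int, tuple[str, int]] = {}

    def _wan_port_for(self, lan_ip: str, lan_port: int) -> int:
        # Reuse the row for a LAN endpoint already in the table, else allocate.
        for wan_port, lan_side in self.table.items():
            if lan_side == (lan_ip, lan_port):
                return wan_port
        wan_port = self._next_port
        self._next_port += 1
        self.table[wan_port] = (lan_ip, lan_port)   # step 2: "updates table"
        return wan_port

    def outbound(self, d: Datagram) -> Datagram:
        """Step 2: rewrite source addr, port of a datagram leaving the local net."""
        wan_port = self._wan_port_for(d.src_ip, d.src_port)
        return replace(d, src_ip=self.wan_ip, src_port=wan_port)

    def inbound(self, d: Datagram) -> Datagram | None:
        """Step 4: rewrite dest addr, port of a reply that arrives at the WAN address.
        A datagram with no matching row is dropped (None): no host inside
        10.0.0/24 opened that mapping, so the router has nowhere to deliver it."""
        if d.dst_ip != self.wan_ip or d.dst_port not in self.table:
            return None
        lan_ip, lan_port = self.table[d.dst_port]
        return replace(d, dst_ip=lan_ip, dst_port=lan_port)


def walkthrough() -> list[Datagram]:
    """The slide's four steps, as the datagram looks after each one."""
    nat = NatRouter("138.76.29.7")
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)    # host sends
    step2 = nat.outbound(step1)                                  # NAT rewrites source
    step3 = Datagram("128.119.40.186", 80, step2.src_ip, step2.src_port)  # reply
    step4 = nat.inbound(step3)                                   # NAT rewrites dest
    return [step1, step2, step3, step4]


if __name__ == "__main__":
    for n, d in enumerate(walkthrough(), 1):
        print(f"{n}: S: {d.src_ip}, {d.src_port}   D: {d.dst_ip}, {d.dst_port}")
```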

Hierarchical Routing

Our routing study thus far - idealization: all routers identical, network "flat"… not true in practice

scale: with 200 million destinations
- can't store all dest's in routing tables
- routing table exchange would swamp links

administrative autonomy
- internet = network of networks
- each network admin may want to control routing in its own network

Hierarchical Routing

- aggregate routers into regions, "autonomous systems" (AS)
- routers in same AS run same routing protocol: "intra-AS" routing protocol
- routers in different AS can run different intra-AS routing protocol

Gateway router: direct link to router in another AS

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); in a gateway router, the intra-AS routing algorithm and the inter-AS routing algorithm together fill the forwarding table.]

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm
- Intra-AS sets entries for internal dests
- Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

- Intra-AS routing: RIP and OSPF
- Inter-AS routing: BGP

RIP (Routing Information Protocol)

- Distance vector algorithm
- Included in BSD-UNIX Distribution in 1982
- Distance metric: # of hops (max = 15 hops)
  - # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g. src = A)

[Figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z.]

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

- Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)
- Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

- "open": publicly available
- Uses Link State algorithm
  - LS packet dissemination
  - Topology map at each node
  - Route computation using Dijkstra's algorithm
- Link costs configured by the network administrator
- OSPF advertisement carries one entry per neighbor router
- Advertisements disseminated to entire AS (via flooding)
- Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

- Security: all OSPF messages authenticated (to prevent malicious intrusion)
- Multiple same-cost paths allowed (only one path in RIP)
- For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort; high for real time)
- Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
- Hierarchical OSPF in large domains

Hierarchical OSPF

- Two-level hierarchy: local area, backbone
  - Link-state advertisements only in area
  - each node has detailed area topology
- Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
- Backbone routers: run OSPF routing limited to backbone
- Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
- Note that BGP sessions do not correspond to physical links
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
- AS2 can aggregate prefixes in its advertisement

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions run between gateway routers of different ASes, iBGP sessions between routers inside an AS.]

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"

Two important attributes:
- AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
- NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)

When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: admin wants control over how its traffic routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed

Scale:
- hierarchical routing saves table size, reduced update traffic

Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
- encapsulate datagram into frame, adding header, trailer
- channel access if shared medium
- "MAC" addresses used in frame headers to identify source, dest
  • different from IP address!

Reliable delivery between adjacent nodes
- we learned how to do this already (chapter 3)!
- seldom used on low bit error link (fiber, some twisted pair)
- wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
- Channel Partitioning
  - divide channel into smaller "pieces" (time slots, frequency, code)
  - allocate piece to node for exclusive use
- Random Access
  - channel not divided, allow collisions
  - "recover" from collisions
- "Taking turns"
  - Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple

Cons
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

- Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = $p(1-p)^{N-1}$
- prob that there is a success = $Np(1-p)^{N-1}$
- For max efficiency with N nodes, find p that maximizes $Np(1-p)^{N-1}$
- For many nodes, take limit of $Np(1-p)^{N-1}$ as N goes to infinity, gives $1/e = .37$

At best: channel used for useful transmissions 37% of time!
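The maximization the slide asks for, carried through with the slide's own symbols $N$ and $p$ (an added derivation, not part of the slides):

$$
\frac{d}{dp}\Big[Np(1-p)^{N-1}\Big]
= N\Big[(1-p)^{N-1} - (N-1)\,p\,(1-p)^{N-2}\Big]
= N(1-p)^{N-2}\,(1 - Np)
$$

Setting the derivative to zero gives the optimum $p^* = 1/N$, so each node should transmit in a slot with probability one over the number of contending nodes. Substituting it back:

$$
\max_p\; Np(1-p)^{N-1} = N\cdot\frac{1}{N}\Big(1-\frac{1}{N}\Big)^{N-1} = \Big(1-\frac{1}{N}\Big)^{N-1}
$$

For many nodes:

$$
\lim_{N\to\infty}\Big(1-\frac{1}{N}\Big)^{N-1}
= \lim_{N\to\infty}\Big(1-\frac{1}{N}\Big)^{N}\cdot\lim_{N\to\infty}\Big(1-\frac{1}{N}\Big)^{-1}
= e^{-1}\cdot 1 \approx 0.37
$$

Spot checks: $N=2$ gives $1/2$; $N=10$ gives $0.9^{9}\approx 0.387$; the value decreases toward $1/e$ from above as $N$ grows.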

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission

Human analogy: don't interrupt others!

CSMA collisions

- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability

[Figure: spatial layout of nodes along the shared medium, time running downward, two transmissions overlapping before either sender hears the other.]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage

collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)

Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Question: how to determine MAC address of B knowing B's IP address?

- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.]

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed

ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
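The same-LAN resolution steps and the soft-state ARP table as a small in-memory model (an added example, not part of the slides): a broadcast query to FF-FF-FF-FF-FF-FF, a unicast reply, and a cache entry that expires after the slide's 20-minute TTL unless refreshed. The IP and MAC addresses are the ones in the slide's figure, but the pairing of each IP with a MAC is this example's own; the `Lan` class is a constructed stand-in for a real broadcast segment.

```python
# Added example: ARP table with TTL ("soft state") and same-LAN resolution.
BROADCAST = "FF-FF-FF-FF-FF-FF"
DEFAULT_TTL = 20 * 60      # seconds; the slide's "typically 20 min"

# Constructed LAN: addresses from the slide's figure, pairing chosen here.
NODES = {
    "237.196.7.78": "1A-2F-BB-76-09-AD",
    "237.196.7.23": "58-23-D7-FA-20-B0",
    "237.196.7.14": "0C-C4-11-6F-E3-98",
    "237.196.7.88": "71-65-F7-2B-08-53",
}


class ArpTable:
    """< IP address; MAC address; TTL > entries that vanish unless refreshed."""

    def __init__(self, ttl=DEFAULT_TTL):
        self.ttl = ttl
        self._entries = {}          # ip -> (mac, expires_at)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if now >= expires_at:       # stale: forget the mapping
            del self._entries[ip]
            return None
        return mac

    def cache(self, ip, mac, now):
        """Save (or refresh) a pair; the TTL restarts from 'now'."""
        self._entries[ip] = (mac, now + self.ttl)


class Lan:
    """Constructed broadcast segment: records every frame placed on the wire."""

    def __init__(self, nodes):
        self.nodes = dict(nodes)    # ip -> mac for the hosts on the segment
        self.frames = []            # (dst_mac, src_mac, payload)

    def arp_query(self, requester_ip, target_ip):
        requester_mac = self.nodes[requester_ip]
        # Query goes to the broadcast address, so every node hears it.
        self.frames.append((BROADCAST, requester_mac, f"who-has {target_ip}"))
        if target_ip not in self.nodes:
            return None             # nobody owns that IP: no reply, query times out
        target_mac = self.nodes[target_ip]
        # Only the owner answers, unicast to the requester's MAC.
        self.frames.append((requester_mac, target_mac, f"{target_ip} is-at {target_mac}"))
        return target_mac


def resolve(table, lan, requester_ip, target_ip, now):
    """Return (mac, queried): queried is False when the cache answered."""
    mac = table.lookup(target_ip, now)
    if mac is not None:
        return mac, False
    mac = lan.arp_query(requester_ip, target_ip)
    if mac is not None:
        table.cache(target_ip, mac, now)
    return mac, True


if __name__ == "__main__":
    lan, table = Lan(NODES), ArpTable()
    print(resolve(table, lan, "237.196.7.78", "237.196.7.23", now=0))     # query
    print(resolve(table, lan, "237.196.7.78", "237.196.7.23", now=60))    # cached
    print(resolve(table, lan, "237.196.7.78", "237.196.7.23", now=1200))  # expired
```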

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: hosts A and B on two LANs joined by router R.]

- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD

- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}…
- after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

$t_{prop}$ = max prop delay between 2 nodes in LAN
$t_{trans}$ = time to transmit max-size frame

$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$

- Efficiency goes to 1 as $t_{prop}$ goes to 0
- Goes to 1 as $t_{trans}$ goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
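The backoff rule from the algorithm and "more" slides, and the efficiency formula above, worked with the slides' own numbers (an added example, not part of the slides): 512-bit backoff unit, 0.1 microsecond bit time at 10 Mbps, K capped at 1023 after ten collisions. The 1500-byte frame and 12.5 microsecond propagation delay used for the efficiency check are this example's assumptions.

```python
# Added example: Ethernet exponential backoff and CSMA/CD efficiency.
from __future__ import annotations
import random

SLOT_BITS = 512             # backoff unit: K * 512 bit times
BIT_TIME_10MBPS = 1e-7      # 0.1 microsecond per bit at 10 Mbps
MAX_BACKOFF_EXPONENT = 10   # after the 10th collision K stays in {0, ..., 1023}


def backoff_range(collisions: int) -> range:
    """Set K is drawn from after the m-th collision: {0, 1, ..., 2^m - 1},
    with m capped at 10 so the set never grows past {0, ..., 1023}."""
    if collisions < 1:
        raise ValueError("backoff only happens after at least one collision")
    m = min(collisions, MAX_BACKOFF_EXPONENT)
    return range(0, 2 ** m)


def sample_backoffs(collisions: int, seed: int, n: int) -> list[int]:
    """Draw n values of K for a given collision count (seeded, so repeatable)."""
    rng = random.Random(seed)
    choices = backoff_range(collisions)
    return [rng.choice(choices) for _ in range(n)]


def wait_seconds(k: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """Adapter waits K * 512 bit times before returning to step 2."""
    return k * SLOT_BITS * bit_time


def frame_transmit_time(frame_bytes: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    """t_trans for a frame of the given size."""
    return frame_bytes * 8 * bit_time


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 * t_prop / t_trans), from the slide."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    for m in (1, 2, 10, 16):
        r = backoff_range(m)
        print(f"after collision {m}: K in {{0..{r[-1]}}}")
    print(f"K=1023 wait: {wait_seconds(1023) * 1e3:.1f} ms")      # about 50 msec
    t_trans = frame_transmit_time(1500)                           # assumed max frame
    print(f"efficiency: {csma_cd_efficiency(12.5e-6, t_trans):.3f}")
```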

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  • can disconnect a malfunctioning adapter

[Figure: hub with twisted pair links to hosts.]

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: backbone hub interconnecting three department hubs.]

Switch

Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent
- hosts are unaware of presence of switches

plug-and-play, self-learning
- switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...

[Figure: switch with interfaces 1, 2, 3, each connected to a hub.]

Self learning

- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation

- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains

[Figure: switch connecting three hubs, each hub forming its own collision domain.]

Switches vs Routers

both store-and-forward devices
- routers: network layer devices (examine network layer headers)
- switches are link layer devices

routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, means A, C unaware of their interference at B

[Figure: A and C each within range of B but out of range of each other.]

Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B

[Figure: A's and C's signal strength falling off with distance (space), both still audible at B.]

IEEE 802.11 Wireless LAN

802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
- widely deployed, using base stations

802.11a
- 5-6 GHz range
- up to 54 Mbps

802.11g
- 2.4-5 GHz range
- up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 54: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Subnets IP address

subnet part (high order bits)

host part (low order bits)

Whatrsquos a subnet device interfaces

with same subnet part of IP address

can physically reach each other without intervening router

223111

223112

223113

223114 223129

223122

223121

223132223131

2231327

network consisting of 3 subnets

LAN

IP addressing CIDRBefore CIDR only 8- 16- and 24- bit masks were

available (A B and C class networks)

CIDR Classless InterDomain Routing subnet portion of address of arbitrary length address format abcdx where x is bits in

subnet portion of address

11001000 00010111 00010000 00000000

subnetpart

hostpart

2002316023

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT Network Address Translation

10001

10002

10003

S 10001 3345D 12811940186 80

1

10004

13876297

1 host 10001 sends datagram to 12811940 80

NAT translation tableWAN side addr LAN side addr

13876297 5001 10001 3345helliphellip helliphellip

S 12811940186 80 D 10001 3345

4

S 13876297 5001D 12811940186 80

2

2 NAT routerchanges datagramsource addr from10001 3345 to13876297 5001updates table

S 12811940186 80 D 13876297 5001

3

3 Reply arrives dest address 13876297 5001

4 NAT routerchanges datagramdest addr from13876297 5001 to 10001 3345

Hierarchical Routing

scale with 200 million destinations

canrsquot store all destrsquos in routing tables

routing table exchange would swamp links

administrative autonomy

internet = network of networks

each network admin may want to control routing in its own network

Our routing study thus far - idealization all routers identical network ldquoflatrdquohellip not true in practice

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing and deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.

Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).

CSMA/CD collision detection

[Figure: CSMA/CD collision detection on a shared bus]

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).

Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B knowing B's IP address?

[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.

B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft-state information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator.
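The query/reply/cache exchange above as an added Python model (not part of the slides); the LAN map that stands in for the other hosts is constructed, and the pairing of the figure's IP and MAC addresses is ours. Because ARP replies carry no authentication, the table also records when an unexpired mapping is replaced by a reply with a different MAC, which is what an operator wants to see in a log.

```python
from dataclasses import dataclass

ARP_TTL_SECONDS = 20 * 60            # slide: a mapping is forgotten after typically 20 min
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"  # slide: destination of the ARP query


@dataclass
class ArpEntry:
    ip: str
    mac: str
    expires_at: float


class ArpTable:
    """Soft-state ARP table: entries time out unless refreshed, as the slide describes."""

    def __init__(self, ttl=ARP_TTL_SECONDS):
        self.ttl = ttl
        self.entries = {}   # IP address -> ArpEntry
        self.changes = []   # (time, ip, old mac, new mac): an unexpired mapping was replaced

    def expire(self, now):
        for ip in [ip for ip, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[ip]

    def lookup(self, ip, now):
        self.expire(now)
        entry = self.entries.get(ip)
        return entry.mac if entry else None

    def learn(self, ip, mac, now):
        """Cache a reply. A reply that changes an unexpired mapping is kept as a record
        for review, since nothing in ARP itself proves who sent it."""
        self.expire(now)
        old = self.entries.get(ip)
        if old and old.mac != mac:
            self.changes.append((now, ip, old.mac, mac))
        self.entries[ip] = ArpEntry(ip, mac, now + self.ttl)


def resolve(table, requester_ip, target_ip, lan, now):
    """Model the slide's exchange: broadcast query, unicast reply, cache the answer.

    `lan` is a constructed map IP -> MAC of the hosts on the segment, standing in for
    the real hosts that would answer. Returns (mac or None, message that went on the wire).
    """
    cached = table.lookup(target_ip, now)
    if cached:
        return cached, None                          # no query needed
    query = {"op": "request", "dst_mac": BROADCAST_MAC,
             "sender_ip": requester_ip, "target_ip": target_ip}
    if target_ip not in lan:
        return None, query                           # nobody on the LAN answers
    reply = {"op": "reply", "dst_mac": lan.get(requester_ip),
             "sender_ip": target_ip, "sender_mac": lan[target_ip]}
    table.learn(target_ip, reply["sender_mac"], now)
    return reply["sender_mac"], reply


if __name__ == "__main__":
    # Constructed LAN using the addresses drawn on the slide (the pairing is ours)
    lan = {"237.196.7.23": "1A-2F-BB-76-09-AD", "237.196.7.78": "58-23-D7-FA-20-B0",
           "237.196.7.14": "0C-C4-11-6F-E3-98", "237.196.7.88": "71-65-F7-2B-08-53"}
    table = ArpTable()
    print(resolve(table, "237.196.7.23", "237.196.7.78", lan, now=0))
    print(resolve(table, "237.196.7.23", "237.196.7.78", lan, now=60))   # from cache
    print(table.lookup("237.196.7.78", now=ARP_TTL_SECONDS + 1))          # timed out
```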

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A, R, B]

A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame; R's adapter receives the frame. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.

Ethernet uses CSMA/CD

No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.

A transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.

Before attempting a retransmission, the adapter waits a random time, that is, random access.

Ethernet CSMA/CD algorithm

1. Adapter receives a datagram from the network layer and creates a frame.

2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.

3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.

4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).

5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)

Jam signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.

Exponential backoff. Goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer. First collision: choose K from {0, 1}; delay is K * 512 bit transmission times. After the second collision: choose K from {0, 1, 2, 3}, ... After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency

$t_{prop}$ = max propagation delay between 2 nodes in the LAN

$t_{trans}$ = time to transmit a max-size frame

$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$

Efficiency goes to 1 as $t_{prop}$ goes to 0.

Goes to 1 as $t_{trans}$ goes to infinity.

Much better than ALOHA, but still decentralized, simple and cheap.
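Steps 4-5 of the algorithm and the efficiency formula, implemented as an added example (Python, not from the slides); the channel model passed to send_frame is constructed, and the 16-attempt limit is an assumption taken from the 802.3 standard, not something the slides state.

```python
import random

BIT_TIME_US = 0.1          # slide: 0.1 microsecond bit time on 10 Mbps Ethernet
SLOT_BIT_TIMES = 512       # slide: adapter waits K * 512 bit times
BACKOFF_EXPONENT_CAP = 10  # slide: after ten collisions K is drawn from {0, ..., 1023}
JAM_BITS = 48              # slide: jam signal length
MAX_ATTEMPTS = 16          # assumed 802.3 attempt limit; the slide does not state one


def backoff_max(m):
    """Largest K after the m-th collision: 2^min(m, 10) - 1."""
    if m < 1:
        raise ValueError("m counts collisions, so it must be >= 1")
    return 2 ** min(m, BACKOFF_EXPONENT_CAP) - 1


def choose_k(m, rng=random):
    """Step 5 of the slide: K drawn uniformly from {0, 1, ..., 2^m - 1}."""
    return rng.randint(0, backoff_max(m))


def wait_bit_times(k):
    return k * SLOT_BIT_TIMES


def wait_microseconds(k, bit_time_us=BIT_TIME_US):
    return wait_bit_times(k) * bit_time_us


def csmacd_efficiency(t_prop, t_trans):
    """Slide formula: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def send_frame(collides, rng=random):
    """Run steps 2-5 of the slide's algorithm for one frame.

    `collides(attempt)` is the (constructed) channel model: True means a collision was
    detected on that attempt. Returns (delivered, attempts, total_backoff_bit_times).
    """
    total_wait = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if not collides(attempt):
            return True, attempt, total_wait           # step 3: whole frame sent
        # step 4: abort and send JAM_BITS; step 5: exponential backoff before retrying
        k = choose_k(attempt, rng)
        total_wait += wait_bit_times(k)
    return False, MAX_ATTEMPTS, total_wait             # gave up after the attempt limit


if __name__ == "__main__":
    print(f"K=1023 waits {wait_microseconds(1023) / 1000:.1f} ms on 10 Mbps Ethernet")
    for m in (1, 2, 3, 10, 12):
        print(f"collision {m:2d}: K in [0, {backoff_max(m)}]")
    rng = random.Random(7)
    print("three collisions then success:", send_frame(lambda a: a <= 3, rng))
    print(f"efficiency at t_prop/t_trans = 0.01: {csmacd_efficiency(0.01, 1):.3f}")
```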

Hubs

Hubs are essentially physical-layer repeaters: bits coming in from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub, adapters detect collisions; provides network management functionality (e.g., can disconnect a malfunctioning adapter).

[Figure: hub with twisted-pair links]

Interconnecting with hubs

Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

[Figure: three hubs connected through a backbone hub]

Switch

Link-layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC destination address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem.

[Figure: switch with interfaces 1, 2, 3, each connected to a hub]

Self learning

A switch has a switch table. Entry in the switch table: (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments; the switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.

[Figure: switch connecting three hubs, each hub a separate collision domain]
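Self-learning, filtering and the 60-minute TTL as an added Python example (not the slides' code), on the slide's topology: three hubs on interfaces 1, 2 and 3, with the placement of hosts A, B and C constructed.

```python
SWITCH_TTL_SECONDS = 60 * 60        # slide: stale entries dropped, TTL can be 60 min
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    """Self-learning, filtering switch as described on the slides."""

    def __init__(self, interfaces, ttl=SWITCH_TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}   # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        for mac in [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Handle one frame; return the list of interfaces it is forwarded on."""
        self._drop_stale(now)
        # self-learning: the sender is reachable through the incoming interface
        self.table[src_mac] = (in_iface, now)
        if dst_mac == BROADCAST_MAC or dst_mac not in self.table:
            # unknown or broadcast destination: flood to every other segment
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = self.table[dst_mac]
        if out_iface == in_iface:
            return []            # filter: same LAN segment, the hub already delivered it
        return [out_iface]       # selective forwarding on the learned interface


if __name__ == "__main__":
    # Constructed topology from the slide: interfaces 1, 2, 3 each lead to a hub;
    # hosts A and B hang off hub 1, host C off hub 2.
    sw = LearningSwitch([1, 2, 3])
    print(sw.receive("A", "C", 1, 0))      # C unknown: flooded to 2 and 3
    print(sw.receive("C", "A", 2, 1))      # A known on 1: forwarded to 1 only
    print(sw.receive("B", "A", 1, 2))      # same segment: filtered
    print(sw.receive("A", "C", 1, 3))      # learned: forwarded to 2
    print(sw.receive("A", "C", 1, 4000))   # entries older than TTL dropped: flood again
    print(sw.table)
```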

Switches vs. Routers

Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.

Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

[Figure: nodes A, B, C in a line]

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.

[Figure: A's signal strength and C's signal strength versus space]

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, yet are interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer (all hosts use the same chipping code); widely deployed, using base stations.

802.11a: 5-6 GHz range; up to 54 Mbps.

802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access.

All have base-station and ad-hoc network versions.

802.11 LAN architecture

A wireless host communicates with a base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, base station); in ad hoc mode, hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:

1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).

2. If the channel is sensed busy, then start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat step 2.

802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).

[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then sends ACK]
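A discrete-time model of the sender and receiver steps above, added here as an example in Python and not part of the slides; DIFS, SIFS and the contention-window values are assumed units, the busy intervals are constructed, and the backoff is passed in so the timelines are reproducible.

```python
# Constructed time units; real DIFS/SIFS values depend on the 802.11 PHY
DIFS = 50
SIFS = 10
CW_MIN = 15      # assumed initial contention window (slots), not stated on the slide
CW_MAX = 1023    # assumed cap on the contention window


def channel_idle_at(t, busy):
    """busy: list of (start, end) intervals during which other stations transmit."""
    return not any(start <= t < end for start, end in busy)


def wait_idle_for(busy, t, duration):
    """Earliest time >= t at which the channel has just been idle for `duration` consecutive units."""
    run = 0
    while run < duration:
        run = run + 1 if channel_idle_at(t, busy) else 0
        t += 1
    return t


def transmit_time(busy, ready, backoff):
    """When does the sender start its frame? Steps 1 and 2 of the slide.

    ready: time the frame became available; backoff: the random backoff drawn for step 2.
    """
    # step 1: channel idle for a whole DIFS from `ready` -> transmit right away
    if wait_idle_for(busy, ready, DIFS) == ready + DIFS:
        return ready + DIFS
    # step 2: channel busy -> backoff timer that only counts down while the channel is idle
    counter = backoff
    t = wait_idle_for(busy, ready, DIFS)
    while counter > 0:
        if channel_idle_at(t, busy):
            counter -= 1
            t += 1
        else:
            t = wait_idle_for(busy, t, DIFS)   # frozen while busy; resume after DIFS idle
    return t


def exchange(busy, ready, frame_time, backoff):
    """Sender timeline plus the receiver's ACK after SIFS. Returns (tx_start, tx_end, ack_time)."""
    tx_start = transmit_time(busy, ready, backoff)
    tx_end = tx_start + frame_time
    return tx_start, tx_end, tx_end + SIFS


def next_contention_window(cw):
    """No ACK: the slide says to increase the random backoff interval; doubling is assumed."""
    return min(2 * cw + 1, CW_MAX)


if __name__ == "__main__":
    print(exchange([], ready=5, frame_time=100, backoff=30))                      # idle channel
    print(exchange([(0, 100)], ready=0, frame_time=100, backoff=30))              # busy at start
    print(exchange([(0, 100), (160, 200)], ready=0, frame_time=100, backoff=30))  # backoff frozen
    cw = CW_MIN
    for retry in range(4):
        cw = next_contention_window(cw)
        print(f"retry {retry + 1}: contention window {cw}")
```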

Collision Avoidance: RTS-CTS exchange

[Figure: timeline with AP, A and B: RTS(A) and RTS(B) collide at the AP (reservation collision); RTS(A) is sent again; the AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A)]

802.11 frame: addressing

Frame layout (field sizes in bytes): frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

Address 1: MAC address of the wireless host or AP to receive this frame

Address 2: MAC address of the wireless host or AP transmitting this frame

Address 3: MAC address of the router interface to which the AP is attached

Address 4: used only in ad hoc mode

[Figure: H1 associated with the AP, which is attached to router R1 on the Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]

Network Security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm: example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted ALOHA efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
IP addressing: CIDR

Before CIDR, only 8-, 16- and 24-bit masks were available (class A, B and C networks).

CIDR: Classless InterDomain Routing. The subnet portion of the address is of arbitrary length; address format a.b.c.d/x, where x is the number of bits in the subnet portion of the address.

Example: 200.23.16.0/23 = 11001000 00010111 00010000 00000000 (subnet part: the first 23 bits; host part: the remaining 9 bits)
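The a.b.c.d/x format and the subnet/host split, implemented as an added Python example (not from the slides) and extended to a longest-prefix-match lookup; the /20 route and the next-hop labels in the sample table are constructed.

```python
def ip_to_int(dotted):
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted}")
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(text):
    """a.b.c.d/x -> (network as int, mask as int, x). Host bits of a.b.c.d are cleared."""
    addr, sep, bits = text.partition("/")
    if not sep:
        raise ValueError(f"missing /x prefix length: {text}")
    x = int(bits)
    if not 0 <= x <= 32:
        raise ValueError(f"prefix length must be 0..32: {text}")
    mask = (0xFFFFFFFF << (32 - x)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask, x


def subnet_host_bits(text):
    """The slide's picture: the 32-bit string split into subnet part and host part."""
    addr, _, _ = text.partition("/")
    _, _, x = parse_cidr(text)
    bits = format(ip_to_int(addr), "032b")
    return bits[:x], bits[x:]


def contains(cidr, ip):
    network, mask, _ = parse_cidr(cidr)
    return ip_to_int(ip) & mask == network


def longest_prefix_match(table, ip):
    """Forwarding lookup: among the matching prefixes pick the longest (largest x)."""
    best = None
    for cidr, next_hop in table:
        network, mask, x = parse_cidr(cidr)
        if ip_to_int(ip) & mask == network and (best is None or x > best[0]):
            best = (x, next_hop)
    return None if best is None else best[1]


if __name__ == "__main__":
    subnet, host = subnet_host_bits("200.23.16.0/23")
    print(f"subnet part ({len(subnet)} bits): {subnet}   host part ({len(host)} bits): {host}")
    network, mask, _ = parse_cidr("200.23.16.0/23")
    print("network", int_to_ip(network), "mask", int_to_ip(mask),
          "last address", int_to_ip(network | ~mask & 0xFFFFFFFF))
    # Constructed forwarding table: the slide's /23 nested inside a hypothetical wider /20
    table = [("200.23.16.0/20", "ISP-wide"), ("200.23.16.0/23", "customer")]
    for ip in ("200.23.17.9", "200.23.20.1", "200.24.0.1"):
        print(ip, "->", longest_prefix_match(table, ip))
```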

NAT: Network Address Translation

[Figure: local network (e.g., home network) 10.0.0.0/24 with hosts 10.0.0.1, 10.0.0.2, 10.0.0.3 and a NAT router at 10.0.0.4 whose outside address is 138.76.29.7, connected to the rest of the Internet]

Datagrams with source or destination in this network have 10.0.0.0/24 addresses for source and destination (as usual).

All datagrams leaving the local network have the same single source NAT IP address, 138.76.29.7, with different source port numbers.

NAT: Network Address Translation

1: host 10.0.0.1 sends datagram to 128.119.40, 80 (S: 10.0.0.1, 3345; D: 128.119.40.186, 80)

2: NAT router changes the datagram source address from 10.0.0.1, 3345 to 138.76.29.7, 5001 and updates the table (S: 138.76.29.7, 5001; D: 128.119.40.186, 80)

NAT translation table
WAN side addr         LAN side addr
138.76.29.7, 5001     10.0.0.1, 3345
......                ......

3: reply arrives, dest address 138.76.29.7, 5001 (S: 128.119.40.186, 80; D: 138.76.29.7, 5001)

4: NAT router changes the datagram dest address from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80; D: 10.0.0.1, 3345)
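The four steps above as an added Python simulation (not the slides' code); addresses and ports are the slide's, and the unsolicited inbound case, for which the table holds no entry, is shown being dropped.

```python
from dataclasses import dataclass, replace

NAT_WAN_ADDRESS = "138.76.29.7"   # slide: the single source address of all outgoing datagrams
FIRST_WAN_PORT = 5001             # slide: the first translated port


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_address=NAT_WAN_ADDRESS, first_port=FIRST_WAN_PORT):
        self.wan_address = wan_address
        self.next_port = first_port
        self.lan_to_wan = {}   # (LAN ip, LAN port) -> WAN port
        self.wan_to_lan = {}   # WAN port -> (LAN ip, LAN port)

    def outbound(self, d):
        """Steps 1-2: rewrite source address/port, remembering the binding in the table."""
        key = (d.src_ip, d.src_port)
        port = self.lan_to_wan.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.lan_to_wan[key] = port
            self.wan_to_lan[port] = key
        return replace(d, src_ip=self.wan_address, src_port=port)

    def inbound(self, d):
        """Steps 3-4: translate the destination back from the table. A datagram with no
        table entry (no inside host started that conversation) has nowhere to go: dropped."""
        if d.dst_ip != self.wan_address:
            return None
        key = self.wan_to_lan.get(d.dst_port)
        if key is None:
            return None
        return replace(d, dst_ip=key[0], dst_port=key[1])

    def translation_table(self):
        return [(f"{self.wan_address}, {port}", f"{ip}, {lport}")
                for (ip, lport), port in self.lan_to_wan.items()]


if __name__ == "__main__":
    nat = NatRouter()
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)
    step2 = nat.outbound(step1)
    print("2:", step2)
    print("table (WAN side, LAN side):", nat.translation_table())
    step3 = Datagram("128.119.40.186", 80, NAT_WAN_ADDRESS, step2.src_port)
    print("4:", nat.inbound(step3))
    print("unsolicited:", nat.inbound(Datagram("128.119.40.186", 80, NAT_WAN_ADDRESS, 5002)))
```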

Hierarchical Routing

Our routing study thus far has been an idealization: all routers identical, network "flat"... not true in practice.

Scale: with 200 million destinations, can't store all destinations in routing tables; routing table exchange would swamp links.

Administrative autonomy: internet = network of networks; each network admin may want to control routing in its own network.

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS).

Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol. Routers in different ASes can run different intra-AS routing protocols.

Gateway router: has a direct link to a router in another AS.

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); inside a gateway router, the intra-AS and inter-AS routing algorithms both feed the forwarding table]

Interconnected ASes

The forwarding table is configured by both the intra- and inter-AS routing algorithms: intra-AS sets entries for internal destinations; inter-AS and intra-AS together set entries for external destinations.

Routing in the Internet

Intra-AS routing: RIP and OSPF. Inter-AS routing: BGP.

RIP (Routing Information Protocol)

Distance vector algorithm; included in the BSD-UNIX distribution in 1982. Distance metric: number of hops (max = 15 hops), where the number of hops is the number of subnets traversed along the shortest path from the source router to the destination subnet (e.g., source = A).

[Figure: routers A, B, C, D connecting subnets u, v, w, x, y, z]

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors are exchanged among neighbors every 30 sec via a Response Message (also called an advertisement).

Each advertisement: a list of up to 25 destination nets within the AS.
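RIP's hop metric, 15-hop limit and 25-entry Response Messages as an added Python example (not from the slides); the topology in build_slide_example is constructed to reproduce A's table from the figure, since the figure does not show which router sits on which subnet.

```python
RIP_INFINITY = 16          # hop counts above the 15-hop maximum mean "unreachable"
RIP_MAX_ENTRIES = 25       # slide: up to 25 destination nets per advertisement
RIP_ADVERT_INTERVAL = 30   # slide: neighbors exchange distance vectors every 30 sec


class RipRouter:
    def __init__(self, name, attached_subnets):
        self.name = name
        # destination subnet -> (hops, next-hop router); attached subnets are 1 hop away
        self.table = {net: (1, None) for net in attached_subnets}

    def advertise(self):
        """Distance vector split into Response Messages of at most 25 entries."""
        entries = sorted((net, hops) for net, (hops, _) in self.table.items())
        return [entries[i:i + RIP_MAX_ENTRIES]
                for i in range(0, len(entries), RIP_MAX_ENTRIES)]

    def receive(self, neighbor, message):
        """Distance-vector update from one neighbor's advertisement; True if anything changed."""
        changed = False
        for net, hops in message:
            new_hops = min(hops + 1, RIP_INFINITY)
            current = self.table.get(net)
            if current is None or new_hops < current[0] or \
                    (current[1] == neighbor and new_hops != current[0]):
                # better route, or the route already in use through this neighbor changed
                self.table[net] = (new_hops, neighbor)
                changed = True
        return changed

    def hops_to(self, net):
        hops = self.table.get(net, (RIP_INFINITY, None))[0]
        return None if hops >= RIP_INFINITY else hops


def build_slide_example():
    """Constructed topology reproducing the slide's table for A: A on u, B on v and w,
    C on x and y, D on z; A neighbors B and D, B neighbors C."""
    a, b = RipRouter("A", ["u"]), RipRouter("B", ["v", "w"])
    c, d = RipRouter("C", ["x", "y"]), RipRouter("D", ["z"])
    for m in c.advertise():
        b.receive("C", m)
    for m in b.advertise():
        a.receive("B", m)
    for m in d.advertise():
        a.receive("D", m)
    return a


if __name__ == "__main__":
    a = build_slide_example()
    print("destination  hops")
    for net in "uvwxyz":
        print(f"{net:<12} {a.hops_to(net)}")
    a.receive("B", [("far", 15)])                 # 16 hops is beyond RIP's 15-hop limit
    print("far reachable?", a.hops_to("far"))
```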

OSPF (Open Shortest Path First)

"Open": publicly available. Uses a link-state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm. Link costs are configured by the network administrator.

An OSPF advertisement carries one entry per neighbor router.

Advertisements are disseminated to the entire AS (via flooding), carried in OSPF messages directly over IP (rather than TCP or UDP).

OSPF "advanced" features (not in RIP)

Security: all OSPF messages are authenticated (to prevent malicious intrusion).

Multiple same-cost paths allowed (only one path in RIP).

For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time).

Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology database as OSPF.

Hierarchical OSPF in large domains.

Hierarchical OSPF

Two-level hierarchy: local area, backbone. Link-state advertisements only within an area; each node has the detailed area topology.

Area border routers "summarize" distances to nets in their own area and advertise them to other area border routers.

Backbone routers run OSPF routing limited to the backbone.

Boundary routers connect to other ASes.

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:

1. Obtain subnet reachability information from ne
ighboring ASes.

2. Propagate the reachability information to all routers internal to the AS.

3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers within an AS]

Path attributes & BGP routes

When advertising a prefix, the advertisement includes BGP attributes: prefix + attributes = "route".

Two important attributes:

AS-PATH: contains the ASes through which the advertisement for the prefix passed (e.g., AS 67, AS 17).

NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).

When a gateway router receives a route advertisement, it uses its import policy to accept or decline it.

Why different Intra- and Inter-AS routing?

Policy: inter-AS, the admin wants control over how its traffic is routed and who routes through its net; intra-AS, a single admin, so no policy decisions needed.

Scale: hierarchical routing saves table size and reduces update traffic.

Performance: intra-AS can focus on performance; inter-AS, policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs); a layer-2 packet is a frame, which encapsulates a datagram.

[Figure: adjacent nodes connected by a "link"]

The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate the datagram into a frame, adding header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and destination (different from IP address).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low-bit-error links (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 56: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

NAT Network Address Translation

10001

10002

10003

10004

13876297

local network(eg home network)

100024

rest ofInternet

Datagrams with source or destination in this networkhave 100024 address for

source destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address 13876297different source port numbers

NAT: Network Address Translation
[figure: walkthrough of one translated flow through the NAT router; NAT translation table, WAN side addr | LAN side addr: 138.76.29.7, 5001 | 10.0.0.1, 3345; ... | ...]
1: host 10.0.0.1 sends datagram to 128.119.40.186, 80 (S: 10.0.0.1, 3345; D: 128.119.40.186, 80)
2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table (S: 138.76.29.7, 5001; D: 128.119.40.186, 80)
3: Reply arrives, dest address 138.76.29.7, 5001 (S: 128.119.40.186, 80; D: 138.76.29.7, 5001)
4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 (S: 128.119.40.186, 80; D: 10.0.0.1, 3345)
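The four-step walkthrough above as a small model of the NAT router, an added example that is not part of the original deck. It uses the slide's addresses and table layout (10.0.0/24, 138.76.29.7, first WAN port 5001); the Datagram and Mapping classes, the strict flag that also checks which external peer a mapping was created for, and the handling of unsolicited inbound datagrams are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("10.0.0.0/24")   # the slide's local network, 10.0.0/24
WAN_ADDR = "138.76.29.7"          # the slide's NAT WAN address


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Mapping:
    lan_addr: str
    lan_port: int
    remote_addr: str    # external endpoint the LAN host sent to
    remote_port: int


class Nat:
    """NAT router holding the slide's translation table, keyed by WAN side (addr, port)."""

    def __init__(self, wan_addr=WAN_ADDR, first_port=5001, strict=True):
        self.wan_addr = wan_addr
        self.next_port = first_port      # 5001 is the slide's first WAN-side port
        self.strict = strict             # assumption: also match the remote endpoint on the way in
        self.table = {}                  # (wan_addr, wan_port) -> Mapping

    def outbound(self, d):
        """Slide step 2: rewrite source (addr, port) to (WAN addr, fresh port); update table."""
        if ip_address(d.src) not in LAN:
            raise ValueError(f"{d.src} is not on the local network")
        for wan_key, m in self.table.items():        # reuse the entry if this flow already has one
            if (m.lan_addr, m.lan_port, m.remote_addr, m.remote_port) == (d.src, d.sport, d.dst, d.dport):
                return replace(d, src=wan_key[0], sport=wan_key[1])
        wan_key = (self.wan_addr, self.next_port)
        self.next_port += 1
        self.table[wan_key] = Mapping(d.src, d.sport, d.dst, d.dport)
        return replace(d, src=wan_key[0], sport=wan_key[1])

    def inbound(self, d) -> Optional[Datagram]:
        """Slide step 4: map (WAN addr, port) back to the LAN host.  None means the datagram is dropped."""
        m = self.table.get((d.dst, d.dport))
        if m is None:
            return None                                # no entry: unsolicited, nowhere to deliver
        if self.strict and (d.src, d.sport) != (m.remote_addr, m.remote_port):
            return None                                # entry belongs to a different external peer
        return replace(d, dst=m.lan_addr, dport=m.lan_port)


def walkthrough():
    """The slide's four steps; returns the datagram as it looks at each step."""
    nat = Nat()
    step1 = Datagram("10.0.0.1", 3345, "128.119.40.186", 80)          # 1: host sends
    step2 = nat.outbound(step1)                                        # 2: NAT rewrites source
    step3 = Datagram("128.119.40.186", 80, step2.src, step2.sport)     # 3: reply arrives
    step4 = nat.inbound(step3)                                         # 4: NAT rewrites destination
    return [step1, step2, step3, step4]


if __name__ == "__main__":
    for i, d in enumerate(walkthrough(), 1):
        print(f"{i}: S: {d.src}, {d.sport}   D: {d.dst}, {d.dport}")
```

With strict=False the table is keyed on the WAN port alone, so any external host that learns or guesses the port can reach the mapped LAN socket; the slide's point is address sharing, not access control, and whether the remote endpoint is checked is exactly what a practitioner should find out about a given NAT.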

Hierarchical Routing
Our routing study thus far - idealization: all routers identical, network "flat"... not true in practice
scale: with 200 million destinations:
  can't store all dest's in routing tables!
  routing table exchange would swamp links!
administrative autonomy
  internet = network of networks
  each network admin may want to control routing in its own network

Hierarchical Routing
aggregate routers into regions, "autonomous systems" (AS)
routers in same AS run same routing protocol: "intra-AS" routing protocol; routers in different AS can run different intra-AS routing protocol
Gateway router: direct link to router in another AS
[figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c); in each router the intra-AS routing algorithm and the inter-AS routing algorithm together configure the forwarding table]

Interconnected ASes
Forwarding table is configured by both intra- and inter-AS routing algorithm
  Intra-AS sets entries for internal dests
  Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet
Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)
Distance vector algorithm
Included in BSD-UNIX distribution in 1982
Distance metric: # of hops (max = 15 hops)
  # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)
[figure: routers A, B, C, D interconnecting subnets u, v, w, x, y, z]
From A: destination u, 1 hop; v, 2; w, 2; x, 3; y, 3; z, 2

RIP advertisements
Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS
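The distance-vector computation behind the two RIP slides, carried through in code as an added example (not from the deck): each router starts with its directly attached subnets at 1 hop, every round it hands its vector to its neighbours, and each neighbour adopts a cheaper hop count when it sees one. The four-router topology, the chain() helper and the synchronous rounds are constructed for the example; the slide's own figure is not reproduced. The RIP hop limit is modelled as INFINITY = 16, so a subnet 16 or more hops away never enters a table.

```python
INFINITY = 16   # RIP: 15 hops max, so 16 means "unreachable"

# Constructed topology (an assumption, not the slide's figure):
# each router's directly attached subnets, and each router's neighbour routers
SUBNETS = {"A": {"u"}, "B": {"v", "w"}, "C": {"x"}, "D": {"y", "z"}}
LINKS = {"A": {"B", "C"}, "B": {"A", "D"}, "C": {"A", "D"}, "D": {"B", "C"}}


def run_rip(subnets=SUBNETS, links=LINKS, max_rounds=50):
    """Synchronous distance-vector rounds until no table changes.
    tables[router][subnet] = (hops, next_hop_router); next hop None = directly attached."""
    tables = {r: {net: (1, None) for net in subnets[r]} for r in subnets}
    for _ in range(max_rounds):
        # each router's advertisement is its current (subnet -> hops) vector
        adverts = {r: {net: hops for net, (hops, _) in t.items()} for r, t in tables.items()}
        changed = False
        for r in tables:
            for nbr in links[r]:
                for net, hops in adverts[nbr].items():
                    cost = min(hops + 1, INFINITY)          # one more hop through nbr, capped
                    cur_hops = tables[r].get(net, (INFINITY, None))[0]
                    if cost < cur_hops:
                        tables[r][net] = (cost, nbr)
                        changed = True
        if not changed:
            break
    return tables


def hops_from(router, tables):
    """The slide's 'destination / hops' table for one router (unreachable subnets omitted)."""
    return {net: h for net, (h, _) in sorted(tables[router].items()) if h < INFINITY}


def chain(n):
    """Constructed chain R0 - R1 - ... - R(n-1) with subnet s attached to the last router."""
    subnets = {f"R{i}": set() for i in range(n)}
    subnets[f"R{n-1}"] = {"s"}
    links = {f"R{i}": set() for i in range(n)}
    for i in range(n - 1):
        links[f"R{i}"].add(f"R{i+1}")
        links[f"R{i+1}"].add(f"R{i}")
    return subnets, links


if __name__ == "__main__":
    tables = run_rip()
    for router in sorted(tables):
        print(router, hops_from(router, tables))
    print("15-router chain:", hops_from("R0", run_rip(*chain(15))))
    print("16-router chain:", hops_from("R0", run_rip(*chain(16))))
```

A subnet behind a 16-router chain simply never appears in R0's table, which is the practical meaning of the 15-hop limit: RIP cannot express it, so the network must be small or hierarchical (the point of the preceding slides).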

OSPF (Open Shortest Path First)
"open": publicly available
Uses Link State algorithm
  LS packet dissemination
  Topology map at each node
  Route computation using Dijkstra's algorithm
  Link costs configured by the network administrator
OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
  Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)
Security: all OSPF messages authenticated (to prevent malicious intrusion)
  Note: authentication is a configurable option per area/interface (null, simple password, or cryptographic/MD5), not a default; the simple-password type is carried in cleartext, so only the cryptographic type actually stops a host on the link from injecting link-state advertisements
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF
[figure: backbone with backbone routers and a boundary router; areas 1, 2, 3 each with internal routers and an area border router]
Two-level hierarchy: local area, backbone
  Link-state advertisements only in area
  each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other AS's

Internet inter-AS routing: BGP
BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics
Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
  Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  AS2 can aggregate prefixes in its advertisement
[figure: AS1, AS2 and AS3 as above; eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside one AS]

Path attributes & BGP routes
When advertising a prefix, advert includes BGP attributes
  prefix + attributes = "route"
Two important attributes:
  AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
When gateway router receives route advert, uses import policy to accept/decline
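The accept/decline step on this slide in code, as an added example that is not from the deck. A route is the slide's prefix plus AS-PATH and NEXT-HOP; AS-PATH is written nearest AS first and origin AS last, so "AS 67, AS 17" means heard from AS 67, originated by AS 17. Nothing in BGP itself verifies that the origin AS is entitled to the prefix or that the path is truthful, so the import policy is the one place a gateway can refuse what it should not believe. The policy knobs (loop check on our own ASN, path-length cap, prefixes we never accept from outside, an expected origin per prefix), the ASNs, prefixes and next-hop addresses are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    """prefix + attributes = "route".  as_path: nearest AS first, origin AS last."""
    prefix: str
    as_path: tuple
    next_hop: str


@dataclass
class ImportPolicy:
    my_asn: int
    max_path_len: int = 10
    reject_prefixes: tuple = ()                           # e.g. our own address space
    expected_origin: dict = field(default_factory=dict)   # prefix -> origin AS we will believe

    def accept(self, r):
        """Accept/decline one advert, as the slide's gateway router does."""
        if not r.as_path or self.my_asn in r.as_path:      # empty path, or a loop back to us
            return False
        if len(r.as_path) > self.max_path_len:
            return False
        net = ip_network(r.prefix)
        if any(net.subnet_of(ip_network(p)) for p in self.reject_prefixes):
            return False
        want = self.expected_origin.get(r.prefix)
        if want is not None and r.as_path[-1] != want:     # someone else claims to originate it
            return False
        return True


def best_route(routes):
    """Among accepted routes to one prefix prefer the shortest AS-PATH, then the lowest next hop."""
    return min(routes, key=lambda r: (len(r.as_path), r.next_hop))


def rib_in(policy, adverts):
    """Filter adverts through the import policy and keep the best route per prefix."""
    accepted = {}
    for r in adverts:
        if policy.accept(r):
            accepted.setdefault(r.prefix, []).append(r)
    return {p: best_route(rs) for p, rs in accepted.items()}


def export(policy, r, our_gateway):
    """Re-advertise an accepted route to a peer: prepend our own AS, set NEXT-HOP to our gateway."""
    return Route(r.prefix, (policy.my_asn,) + r.as_path, our_gateway)


if __name__ == "__main__":
    pol = ImportPolicy(my_asn=1, reject_prefixes=("10.0.0.0/8",),
                       expected_origin={"138.76.0.0/16": 17})
    adverts = [                                             # constructed adverts
        Route("138.76.0.0/16", (67, 17), "192.0.2.1"),
        Route("138.76.0.0/16", (3, 2, 67, 17), "192.0.2.2"),
        Route("138.76.0.0/16", (99,), "192.0.2.3"),           # AS 99 claims to originate it
        Route("10.1.0.0/16", (67, 17), "192.0.2.1"),          # inside a rejected prefix
        Route("203.0.113.0/24", (67, 1, 5), "192.0.2.1"),     # our own AS in the path
    ]
    for prefix, route in rib_in(pol, adverts).items():
        print(prefix, "via AS-PATH", route.as_path, "next hop", route.next_hop)
```

The export() step is what makes the loop check work: every AS prepends itself before passing the route on, so a route that comes back carrying our ASN has already been through us and is declined.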

Why different Intra- and Inter-AS routing?
Policy:
  Inter-AS: admin wants control over how its traffic routed, who routes through its net
  Intra-AS: single admin, so no policy decisions needed
Scale:
  hierarchical routing saves table size, reduced update traffic
Performance:
  Intra-AS: can focus on performance
  Inter-AS: policy may dominate over performance

Data Link Layer
Some terminology:
  hosts and routers are nodes
  communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
  layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services
Framing, link access:
  encapsulate datagram into frame, adding header, trailer
  channel access if shared medium
  "MAC" addresses used in frame headers to identify source, dest
    different from IP address!
Reliable delivery between adjacent nodes
  we learned how to do this already (chapter 3)!
  seldom used on low bit error link (fiber, some twisted pair)
  wireless links: high error rates
    Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning
  divide channel into smaller "pieces" (time slots, frequency, code)
  allocate piece to node for exclusive use
Random Access
  channel not divided, allow collisions
  "recover" from collisions
"Taking turns"
  Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
  access to channel in "rounds"
  each station gets fixed length slot (length = pkt trans time) in each round
  unused slots go idle
  example: 6-station LAN, stations 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA
Pros
  single active node can continuously transmit at full rate of channel
  highly decentralized: only slots in nodes need to be in sync
  simple
Cons
  collisions, wasting slots
  idle slots
  clock synchronization

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
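The maximization the slide states, carried through as an added derivation using the slide's own symbols N and p:

$$E(p) = N p (1-p)^{N-1}, \qquad \frac{dE}{dp} = N(1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr] = N(1-p)^{N-2}\,(1 - Np)$$

$$\frac{dE}{dp} = 0 \;\Rightarrow\; p^{*} = \frac{1}{N}, \qquad E(p^{*}) = \Bigl(1-\frac{1}{N}\Bigr)^{N-1} \xrightarrow{\;N\to\infty\;} \frac{1}{e} \approx 0.37$$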

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
  If channel sensed idle: transmit entire frame
  If channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[figure: spatial layout of nodes and the space-time diagram of two overlapping transmissions]
note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
  collisions detected within short time
  colliding transmissions aborted, reducing channel wastage
collision detection:
  easy in wired LANs: measure signal strengths, compare transmitted, received signals
  difficult in wireless LANs: receiver shut off while transmitting
[figure: CSMA/CD collision detection, space-time diagram of two transmissions aborted once the collision is detected]

"Taking Turns" MAC protocols
Polling:
  master node "invites" slave nodes to transmit in turn
  concerns: polling overhead, latency, single point of failure (master)
Token passing:
  control token passed from one node to next sequentially
  token message
  concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
  TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address
  Dest MAC address = FF-FF-FF-FF-FF-FF
  all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
  frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
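The query/reply exchange and the soft-state table from the two ARP slides as a small model, an added example that is not part of the original deck. The IP and MAC addresses are the ones on the ARP slide, the 20-minute TTL is the slide's "typically 20 min"; the ArpPacket layout, the injected clock and the only_solicited check are assumptions made for the example. The check matters because an ARP reply carries no authentication: a cache that installs any reply it hears lets any host on the LAN answer for another host's IP address, and remembering which IPs we actually asked about closes at least the unsolicited case.

```python
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL_S = 20 * 60                  # the slide's "typically 20 min"


@dataclass(frozen=True)
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str    # BROADCAST for a request, the asker's MAC for a reply


class ArpTable:
    def __init__(self, my_ip, my_mac, now, only_solicited=True):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.now = now                       # callable returning seconds (injected clock)
        self.only_solicited = only_solicited  # assumption: install replies only to our own queries
        self.entries = {}                    # ip -> (mac, expires_at)
        self.pending = set()                 # IPs we have an outstanding query for

    def lookup(self, ip):
        """Cached MAC for ip, or None; an expired entry is forgotten (soft state)."""
        e = self.entries.get(ip)
        if e is None or e[1] <= self.now():
            self.entries.pop(ip, None)
            return None
        return e[0]

    def resolve(self, ip):
        """Return (mac, None) from the cache, or (None, broadcast query to send)."""
        mac = self.lookup(ip)
        if mac is not None:
            return mac, None
        self.pending.add(ip)
        return None, ArpPacket("request", self.my_ip, self.my_mac, ip, BROADCAST)

    def receive(self, pkt):
        """Handle a packet heard on the LAN; return the unicast reply to send, if any."""
        if pkt.op == "request" and pkt.target_ip == self.my_ip:
            return ArpPacket("reply", self.my_ip, self.my_mac, pkt.sender_ip, pkt.sender_mac)
        if pkt.op == "reply" and pkt.target_mac == self.my_mac:
            if self.only_solicited and pkt.sender_ip not in self.pending:
                return None                  # nobody asked: ignore the reply
            self.pending.discard(pkt.sender_ip)
            self.entries[pkt.sender_ip] = (pkt.sender_mac, self.now() + ARP_TTL_S)
        return None


if __name__ == "__main__":
    clock = [0]
    a = ArpTable("237.196.7.78", "1A-2F-BB-76-09-AD", lambda: clock[0])
    b = ArpTable("237.196.7.14", "58-23-D7-FA-20-B0", lambda: clock[0])
    mac, query = a.resolve(b.my_ip)          # A broadcasts a query for B's IP
    reply = b.receive(query)                 # B answers with its MAC
    a.receive(reply)                         # A caches the pair
    print("A resolved", b.my_ip, "->", a.lookup(b.my_ip))
    clock[0] = ARP_TTL_S + 1
    print("after TTL:", a.lookup(b.my_ip))   # entry has timed out
```

The only_solicited check does not stop a host that answers a genuine query faster than the real owner, so on a LAN where that matters the fix is outside ARP (switch-level inspection or static entries); the example shows what the protocol itself gives you.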

Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[figure: A and R on one LAN, R and B on another; R has one interface on each LAN]
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B

Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec (1023 * 512 * .1 microsec = 52.4 msec)
Exponential Backoff:
  Goal: adapt retransmission attempts to estimated current load
    heavy load: random wait will be longer
  first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
  after second collision: choose K from {0, 1, 2, 3} ...
  after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
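The five-step algorithm and the backoff schedule from the two preceding slides as a slotted simulation, an added example that is not part of the original deck. Time is counted in units of 512 bit times, the slide's backoff quantum; the 2^10 - 1 = 1023 cap after ten collisions and the .1 microsecond bit time at 10 Mbps are the slide's numbers. The frame length of four slots, the one-slot cost charged for a collision plus jam, and the give-up after 16 attempts (the Ethernet standard's limit, not mentioned on the slide) are assumptions made for the example.

```python
import random

BIT_TIME_US = {10: 0.1, 100: 0.01}   # microseconds per bit at 10 and 100 Mbps
SLOT_BITS = 512                       # backoff quantum on the slide: K * 512 bit times
MAX_EXP = 10                          # after the 10th collision K is drawn from 0..1023
MAX_ATTEMPTS = 16                     # assumption: standard Ethernet discards the frame here


def backoff_max(m):
    """Largest K an adapter may draw after its m-th collision: 2^min(m,10) - 1."""
    return 2 ** min(m, MAX_EXP) - 1


def wait_us(k, rate_mbps=10):
    """Backoff wait in microseconds for a chosen K."""
    return k * SLOT_BITS * BIT_TIME_US[rate_mbps]


def simulate(n_adapters, frame_slots=4, seed=0):
    """Every adapter has one frame to send.  Time advances in 512-bit-time slots.
    Returns (slots elapsed, collisions, frames given up)."""
    rng = random.Random(seed)
    timer = [0] * n_adapters        # remaining backoff slots per adapter
    attempts = [0] * n_adapters     # collisions suffered by this frame so far
    done = [False] * n_adapters
    t = collisions = given_up = 0
    while not all(done):
        ready = [i for i in range(n_adapters) if not done[i] and timer[i] == 0]
        backed_off = set()
        if len(ready) == 1:                     # step 3: sole transmitter, frame completes
            done[ready[0]] = True
            dt = frame_slots
        elif len(ready) > 1:                    # steps 4 and 5: collision, jam, back off
            collisions += 1
            dt = 1                              # assumption: detection + jam fit in one slot
            for i in ready:
                attempts[i] += 1
                if attempts[i] >= MAX_ATTEMPTS:
                    done[i] = True              # frame discarded
                    given_up += 1
                else:
                    timer[i] = rng.randint(0, backoff_max(attempts[i]))
                    backed_off.add(i)
        else:                                   # idle slot: waiting adapters count down
            dt = 1
        for i in range(n_adapters):             # step 2: wait out the backoff, then retry
            if not done[i] and i not in backed_off:
                timer[i] = max(0, timer[i] - dt)
        t += dt
    return t, collisions, given_up


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        print(f"collision {m}: K in 0..{backoff_max(m)}")
    print(f"K=1023 at 10 Mbps waits {wait_us(1023) / 1000:.1f} ms")
    for n in (2, 5, 20):
        print(f"{n} adapters:", simulate(n, seed=n))
```

Running it with more adapters shows the schedule doing its job: collisions go up, but each collision spreads the contenders over a wider window, so the frames still get through without any adapter reaching the give-up limit.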

CSMA/CD efficiency
t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap

Hubs
Hubs are essentially physical-layer repeaters:
  bits coming from one link go out all other links
  at the same rate
  no frame buffering
  no CSMA/CD at hub: adapters detect collisions
  provides net management functionality
    can disconnect a malfunctioning adapter
[figure: hub with twisted pair links to each node]

Interconnecting with hubs
Pros:
  Enables interdepartmental communication
  Extends max distance btw nodes
  If a hub malfunctions, the backbone hub can disconnect it
Cons:
  Collision domains are transferred into one large common domain
  Cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub connecting three departmental hubs]

Switch
Link layer device
  stores and forwards Ethernet frames
  examines frame header and selectively forwards frame based on MAC dest address
  when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
  hosts are unaware of presence of switches
plug-and-play, self-learning
  switches do not need to be configured

Forwarding
How to determine onto which LAN segment to forward frame?
Looks like a routing problem...
[figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning
A switch has a switch table
entry in switch table:
  (MAC Address, Interface, Time Stamp)
  stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
  when frame received, switch "learns" location of sender: incoming LAN segment
  records sender/location pair in switch table

Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets:
  same-LAN-segment frames not usually forwarded onto other LAN segments
  segments become separate collision domains
[figure: switch with three hubs attached, each hub's segment its own collision domain]
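The self-learning and filtering behaviour from the "Self learning" and "Switch: traffic isolation" slides in one model, an added example that is not part of the original deck. The 60-minute aging TTL is the slide's; the three interfaces, the MAC addresses, the injected clock and the flood/filter/forward outcomes are constructed for the example. Because the table is learned purely from the source address of whatever arrives, a frame with a forged source address relocates that address's entry; the last assertion in the test shows this, and it is the behaviour the slides' "plug-and-play, no configuration" property costs you.

```python
SWITCH_TTL_S = 60 * 60               # the slide's "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces, now):
        self.interfaces = set(interfaces)
        self.now = now                  # callable returning seconds (injected clock)
        self.table = {}                 # mac -> (interface, time stamp)

    def _expire(self):
        """Drop stale entries: older than the TTL."""
        cutoff = self.now() - SWITCH_TTL_S
        for mac in [m for m, (_, ts) in self.table.items() if ts < cutoff]:
            del self.table[mac]

    def handle(self, src, dst, in_if):
        """Process one frame.  Returns (set of outgoing interfaces, action taken)."""
        self._expire()
        # learn: the sender is reachable through the interface the frame came in on
        self.table[src] = (in_if, self.now())
        if dst == BROADCAST or dst not in self.table:
            return self.interfaces - {in_if}, "flood"      # unknown: send everywhere else
        out_if, _ = self.table[dst]
        if out_if == in_if:
            return set(), "filter"                          # same segment: not forwarded
        return {out_if}, "forward"                          # selectively forwarded


if __name__ == "__main__":
    clock = [0]
    sw = LearningSwitch({1, 2, 3}, lambda: clock[0])
    # constructed frames: (source MAC, destination MAC, incoming interface)
    for frame in [("AA", "BB", 1), ("BB", "AA", 2), ("CC", "AA", 1), ("AA", "BB", 1)]:
        print(frame, "->", sw.handle(*frame))
    print("table:", sw.table)
```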

Switches vs. Routers
both store-and-forward devices
  routers: network layer devices (examine network layer headers)
  switches are link layer devices
routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem
  B, A hear each other
  B, C hear each other
  A, C can not hear each other
  means A, C unaware of their interference at B
[figure: A, B, C in a line; A's signal strength and C's signal strength plotted against space, both reaching B but not each other]
Signal fading:
  B, A hear each other
  B, C hear each other
  A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN
802.11b
  2.4-5 GHz unlicensed radio spectrum
  up to 11 Mbps
  direct sequence spread spectrum (DSSS) in physical layer
    all hosts use same chipping code
  widely deployed, using base stations
802.11a
  5-6 GHz range
  up to 54 Mbps
802.11g
  2.4-5 GHz range
  up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture
wireless host communicates with base station
  base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  wireless hosts
  access point (AP): base station
ad hoc mode: hosts only
[figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then transmit entire frame (no CD)
2 if sense channel busy then
  - start random backoff time
  - timer counts down while channel idle
  - transmit when timer expires
  - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange
[figure: timeline with A, AP and B. A sends RTS(A) and B sends RTS(B) at the same time: reservation collision. A sends RTS(A) again; AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; AP returns ACK(A), heard by both]

802.11 frame
[figure: frame layout with field sizes in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)]

802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[figure: H1 (wireless host) - AP - R1 (Internet router). 802.11 frame from H1 to AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame from AP to R1: dest address = R1 MAC addr, source address = H1 MAC addr (the AP bridges the frame, so the station's own address, address 2 of the 802.11 frame, becomes the 802.3 source address rather than the AP's)]

Network Security
What is network security?
Principles of cryptography
  Symmetric Key
  Public Key
Authentication
  Protocol evolution
Access control: firewalls
Attacks and counter measures
  Packet sniffing, IP spoofing, DoS attacks


widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 58: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Hierarchical Routing

Scale: with 200 million destinations
- can't store all destinations in routing tables
- routing table exchange would swamp links

Administrative autonomy
- internet = network of networks
- each network admin may want to control routing in its own network

Our routing study thus far is an idealization: all routers identical, network "flat"... not true in practice

Hierarchical Routing

Aggregate routers into regions, "autonomous systems" (AS)

Routers in the same AS run the same routing protocol: the "intra-AS" routing protocol; routers in different ASes can run different intra-AS routing protocols

Gateway router: direct link to a router in another AS

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b, 3c) joined by inter-AS links; in each router the intra-AS routing algorithm and the inter-AS routing algorithm both feed the forwarding table]

Interconnected ASes

Forwarding table is configured by both the intra- and inter-AS routing algorithms:
- intra-AS sets entries for internal destinations
- inter-AS & intra-AS set entries for external destinations

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm; included in BSD-UNIX distribution in 1982

Distance metric: # of hops (max = 15 hops); # of hops = # of subnets traversed along the shortest path from source router to destination subnet (e.g. source = A)

[Figure: routers A, B, C, D interconnected through subnets u, v, w, x, y, z]

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via a Response Message (also called an advertisement)

Each advertisement: list of up to 25 destination nets within the AS
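The hop-count distance vector described on the RIP slides, as an added worked example (this is not code from the slides or the course): a synchronous Bellman-Ford exchange over a constructed four-router topology, built so that A's resulting vector matches the slide's table (u 1, v 2, w 2, x 3, y 3, z 2). A directly attached subnet costs 1 hop, a subnet learned from a neighbor costs 1 + the neighbor's count, and 16 stands for "unreachable" as in RIP. The topology, the 30-second round abstraction and the splitting of a vector into 25-entry Response Messages are assumptions made for the example.

```python
INFINITY = 16        # RIP: 16 hops means "unreachable" (max metric is 15)
MAX_ENTRIES = 25     # destinations per Response Message, as on the slide

# Constructed topology (not the slide's figure): router -> subnets it attaches to.
# It is built so that A's vector matches the slide's table: u 1, v 2, w 2, x 3, y 3, z 2.
ROUTERS = {
    "A": {"u"},
    "B": {"u", "v", "w"},
    "C": {"u", "z"},
    "D": {"w", "z", "x", "y"},
}


def neighbors(routers):
    """Two routers are neighbours when they attach to a common subnet."""
    nb = {r: set() for r in routers}
    for r1, s1 in routers.items():
        for r2, s2 in routers.items():
            if r1 != r2 and s1 & s2:
                nb[r1].add(r2)
    return nb


def rip_distance_vectors(routers, max_rounds=100):
    """Synchronous distance-vector rounds (one per 30-second advertisement period).

    A directly attached subnet costs 1 hop (the subnet itself is traversed);
    a subnet learned from neighbour N costs 1 + N's hop count, capped at INFINITY.
    """
    subnets = set().union(*routers.values())
    dv = {r: {s: (1 if s in att else INFINITY) for s in subnets}
          for r, att in routers.items()}
    nb = neighbors(routers)
    for _ in range(max_rounds):
        adverts = {r: dict(v) for r, v in dv.items()}   # everyone advertises its current vector
        changed = False
        for r in routers:
            for n in nb[r]:
                for subnet, hops in adverts[n].items():
                    candidate = min(INFINITY, 1 + hops)
                    if candidate < dv[r][subnet]:
                        dv[r][subnet] = candidate
                        changed = True
        if not changed:
            break
    return dv


def advertisements(vector):
    """Split one router's vector into Response Messages of at most 25 destinations."""
    items = sorted(vector.items())
    return [dict(items[i:i + MAX_ENTRIES]) for i in range(0, len(items), MAX_ENTRIES)]


if __name__ == "__main__":
    dv = rip_distance_vectors(ROUTERS)
    for dest, hops in sorted(dv["A"].items()):
        print(f"A -> {dest}: {hops} hops")
```

Because the cap is 16, a subnet behind a router that shares no subnet with anyone stays at INFINITY in every vector; that is the same mechanism that bounds RIP to 15-hop networks.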

OSPF (Open Shortest Path First)

"Open": publicly available

Uses a link state algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link, multiple cost metrics for different TOS (e.g. satellite link cost set "low" for best effort, high for real time)

Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses the same topology data base as OSPF

Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone

Link-state advertisements only in area; each node has detailed area topology

Area border routers "summarize" distances to nets in own area, advertise to other area border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASes

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to the rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement

[Figure: AS1 (1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route"

Two important attributes:
- AS-PATH: contains the ASes through which the advert for the prefix passed, e.g. AS 67, AS 17
- NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)

When a gateway router receives a route advert, it uses import policy to accept/decline
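The route, attribute and import-policy ideas on the BGP slides, as an added worked example (not code from the slides or the course). A route is a prefix plus its AS-PATH and NEXT-HOP; a gateway router's import step declines an advert whose AS-PATH already contains the local AS (the advert has looped back) or that a local policy rejects, and re-advertising to a neighbor prepends the local AS and sets NEXT-HOP to the local router. The policy dictionary shape, the "shortest AS-PATH wins" selection and all prefixes and addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    """prefix + attributes = "route" (the slide's definition)."""
    prefix: str
    as_path: list           # ASes the advert passed through, nearest first, e.g. [67, 17]
    next_hop: str           # internal-AS router leading to the next-hop AS


def import_route(local_as, route, policy=None):
    """Gateway router's accept/decline decision on a received advert.

    `policy` is a constructed, hypothetical shape:
    {"avoid_as": {AS numbers we refuse to route through}, "max_path_len": n}.
    Returns (accepted, reason).
    """
    policy = policy or {}
    ipaddress.ip_network(route.prefix)                       # malformed prefix -> ValueError
    if local_as in route.as_path:
        return False, "declined: own AS already in AS-PATH (loop)"
    if set(route.as_path) & set(policy.get("avoid_as", ())):
        return False, "declined: AS-PATH crosses an AS the policy avoids"
    if len(route.as_path) > policy.get("max_path_len", 255):
        return False, "declined: AS-PATH longer than policy allows"
    return True, "accepted"


def export_route(local_as, route, next_hop):
    """Re-advertise to a neighbouring AS: prepend our AS to AS-PATH, set NEXT-HOP to our router."""
    return Route(route.prefix, [local_as] + route.as_path, next_hop)


def aggregate_prefixes(prefixes):
    """The slide's 'AS2 can aggregate prefixes': merge adjacent or contained prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def best_route(candidates):
    """Simplest selection step: among accepted routes for one prefix prefer the
    shortest AS-PATH (assumption; real BGP applies several other rules first)."""
    return min(candidates, key=lambda r: len(r.as_path))


if __name__ == "__main__":
    advert = Route("198.51.100.0/24", [67, 17], "192.0.2.1")      # constructed values
    print(import_route(1, advert))
    print(import_route(17, advert))
    print(export_route(1, advert, "192.0.2.9"))
    print(aggregate_prefixes(["198.51.100.0/25", "198.51.100.128/25"]))
```

The loop check is the reason AS-PATH exists at all: an AS can only detect that an advert has circled back by seeing its own number in the path, so an import policy that skips that check would accept routes to itself.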

Why different Intra- and Inter-AS routing?

Policy: inter-AS: admin wants control over how its traffic is routed and who routes through its net; intra-AS: single admin, so no policy decisions needed

Scale: hierarchical routing saves table size, reduced update traffic

Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs); a layer-2 packet is a frame, which encapsulates a datagram

The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates
- Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:

Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use

Random Access: channel not divided, allow collisions; "recover" from collisions

"Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access. Access to channel in "rounds"; each station gets a fixed-length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkts; slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple

Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in a slot with probability p

prob that node 1 has success in a slot = p(1-p)^(N-1)

prob that there is a success = Np(1-p)^(N-1)

For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)

For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time
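The maximization on the slide, carried through numerically as an added example (not code from the slides or the course). Differentiating Np(1-p)^(N-1) with respect to p gives N(1-p)^(N-2)[(1-p) - (N-1)p], which is zero at p* = 1/N, so the best-case efficiency is (1 - 1/N)^(N-1); the code evaluates that for growing N and checks the closed-form p* against a grid search. The grid resolution and the list of N values are choices made for the example.

```python
import math


def success_probability(n, p):
    """P(exactly one of n nodes transmits in a slot) = n p (1-p)^(n-1)."""
    if n < 1 or not 0.0 <= p <= 1.0:
        raise ValueError("need n >= 1 and 0 <= p <= 1")
    return n * p * (1.0 - p) ** (n - 1)


def best_p(n):
    """Setting d/dp [n p (1-p)^(n-1)] = 0 gives (1-p) - (n-1)p = 0, i.e. p* = 1/n."""
    return 1.0 / n


def max_efficiency(n):
    """Efficiency at the optimal p*: (1 - 1/n)^(n-1), which tends to 1/e as n grows."""
    return success_probability(n, best_p(n))


def numeric_argmax(n, steps=1000):
    """Grid search over p, so that p* = 1/n is not taken on faith."""
    best = max(range(1, steps), key=lambda i: success_probability(n, i / steps))
    return best / steps


def efficiency_table(ns=(2, 5, 10, 100, 10_000)):
    """Best-case efficiency for a few N (constructed list), rounded for display."""
    return {n: round(max_efficiency(n), 4) for n in ns}


if __name__ == "__main__":
    for n, eff in efficiency_table().items():
        print(f"N={n:>6}: best p = {best_p(n):.4f}, efficiency = {eff:.4f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
```

Already at N = 10 the best case is below 0.39; the 37% figure on the slide is the floor the sequence approaches, not an average over light and heavy load.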

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission

Human analogy: don't interrupt others

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission

Collision: entire packet transmission time wasted

[Figure: spatial layout of nodes]

Note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage

Collision detection: easy in wired LANs (measure signal strengths, compare transmitted, received signals); difficult in wireless LANs (receiver shut off while transmitting)

CSMA/CD collision detection

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master)

Token passing: control token passed from one node to next sequentially (token message). Concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table

ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table

A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query

B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state, information that times out (goes away) unless refreshed

ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address

Two ARP tables in router R, one for each IP network (LAN)

In routing table at source host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A on one LAN, B on another, connected by router R]

A creates datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram. A's adapter sends frame. R's adapter receives frame. R removes IP datagram from Ethernet frame, sees it's destined to B. R uses ARP to get B's MAC address. R creates frame containing A-to-B IP datagram, sends to B
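The ARP exchange and the A-to-B-via-R walkthrough of the last three slides, as one added worked example (not code from the slides or the course). Each interface keeps its own ARP table of <IP, MAC, TTL> soft state, a miss triggers a broadcast query answered by unicast, and the router re-resolves on its second interface so that the two frames carry different MAC addresses while the IP addresses are untouched. The router address 111.111.111.110 and the MAC E6-E9-00-17-BB-4B are the slide's; every other address, the two-LAN layout and the in-memory "wire" are constructed for the example.

```python
import ipaddress

ARP_TTL = 20 * 60                      # seconds; "typically 20 min"
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"


class ArpTable:
    """<IP address; MAC address; TTL> entries; soft state that expires unless refreshed."""

    def __init__(self, ttl=ARP_TTL):
        self.ttl = ttl
        self.entries = {}                  # ip -> (mac, expiry time)

    def lookup(self, ip, now):
        hit = self.entries.get(ip)
        if hit is not None and now < hit[1]:
            return hit[0]
        self.entries.pop(ip, None)         # timed out: forget the mapping
        return None

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)


class Interface:
    """One IP interface on a LAN; a router has one of these (and one ARP table) per LAN."""

    def __init__(self, name, ip_with_prefix, mac, lan):
        self.name = name
        self.addr = ipaddress.ip_interface(ip_with_prefix)
        self.mac = mac
        self.arp = ArpTable()
        self.lan = lan                     # list of Interfaces sharing this wire (constructed)
        lan.append(self)

    @property
    def ip(self):
        return str(self.addr.ip)

    def same_subnet(self, ip):
        return ipaddress.ip_address(ip) in self.addr.network


def arp_resolve(iface, target_ip, now, log):
    """Return target_ip's MAC: from the cache, or by the query/reply exchange on the slide."""
    mac = iface.arp.lookup(target_ip, now)
    if mac is not None:
        return mac
    log.append(("ARP query", iface.mac, BROADCAST_MAC, target_ip))      # broadcast
    for other in iface.lan:                                              # every adapter hears it
        if other is not iface and other.ip == target_ip:
            log.append(("ARP reply", other.mac, iface.mac, other.ip))   # unicast back
            iface.arp.learn(target_ip, other.mac, now)
            return other.mac
    raise LookupError(f"no ARP reply for {target_ip}")


def send_datagram(src, dst_ip, default_router_ip, router_ifaces, now, log):
    """Walk the slide's A -> R -> B case. Returns the frames created as
    (source MAC, dest MAC, IP source, IP dest); the IP addresses never change."""
    frames = []
    # routing-table step at the host: on-link destination, or hand to the router
    next_hop_ip = dst_ip if src.same_subnet(dst_ip) else default_router_ip
    frames.append((src.mac, arp_resolve(src, next_hop_ip, now, log), src.ip, dst_ip))
    if next_hop_ip == dst_ip:
        return frames
    # R strips the frame, looks at the IP destination and uses the ARP table of the
    # interface on B's network to build the second frame
    out = next(i for i in router_ifaces if i.same_subnet(dst_ip))
    frames.append((out.mac, arp_resolve(out, dst_ip, now, log), src.ip, dst_ip))
    return frames


def build_topology():
    """Two LANs joined by router R. 111.111.111.110 / E6-E9-00-17-BB-4B are the slide's
    values; every other address here is constructed."""
    lan1, lan2 = [], []
    a = Interface("A", "111.111.111.111/24", "74-29-9C-E8-FF-55", lan1)
    r1 = Interface("R-if1", "111.111.111.110/24", "E6-E9-00-17-BB-4B", lan1)
    r2 = Interface("R-if2", "222.222.222.220/24", "1A-23-F9-CD-06-9B", lan2)
    b = Interface("B", "222.222.222.222/24", "49-BD-D2-C7-56-2A", lan2)
    return a, [r1, r2], b


if __name__ == "__main__":
    a, r_ifaces, b = build_topology()
    log = []
    for frame in send_datagram(a, b.ip, "111.111.111.110", r_ifaces, 0.0, log):
        print("frame:", frame)
    for event in log:
        print("link event:", event)
```

Running the walkthrough twice within the TTL produces no new ARP traffic; running it again after 20 minutes re-issues both queries. The table accepts whatever answers the broadcast, which is why it is kept as soft state and why switches that validate ARP against known bindings are a common control on shared LANs.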

Ethernet uses CSMA/CD

No slots

Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense

Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection

Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame

2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits

3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame

4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)

5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K·512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}...
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
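The backoff rule and the efficiency formula of the preceding Ethernet slides, as an added worked example (not code from the slides or the course). The window after the m-th collision is {0, ..., 2^min(m,10) - 1}, the wait is K·512 bit times at 0.1 microsec per bit, and `run_csma_cd` walks steps 2-5 for one frame against a constructed list that says which attempts collide. The 16-attempt give-up limit is an assumption made for the example; the slides do not state one.

```python
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit at 10 Mbps (0.1 microsec, as on the slide)
SLOT_BITS = 512            # backoff unit: K * 512 bit times
JAM_BITS = 48              # jam signal length
BACKOFF_CAP = 10           # window stops growing after the 10th collision (K up to 1023)
MAX_ATTEMPTS = 16          # assumption: frame is dropped after 16 attempts


def backoff_window(m):
    """Largest K after the m-th collision: K is drawn from {0, 1, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, so it must be >= 1")
    return 2 ** min(m, BACKOFF_CAP) - 1


def choose_k(m, rng):
    """Step 5 of the slide's algorithm: pick K uniformly from the current window."""
    return rng.randint(0, backoff_window(m))


def wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """K * 512 bit times, converted to seconds for the given bit time."""
    return k * SLOT_BITS * bit_time


def csma_cd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans), the formula on the slide."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def run_csma_cd(collides, seed=0):
    """Walk steps 2-5 for one frame.

    `collides` is a constructed list of booleans: collides[i] says whether the
    i-th transmission attempt runs into another transmission. Returns the list
    of K values drawn (one per collision); the frame is sent once an attempt
    completes without a collision. Raises if MAX_ATTEMPTS is exhausted.
    """
    rng = random.Random(seed)
    ks = []
    for attempt, collided in enumerate(collides, start=1):
        if not collided:
            return ks                      # step 3: whole frame sent, done
        if attempt >= MAX_ATTEMPTS:
            raise RuntimeError(f"frame dropped after {MAX_ATTEMPTS} attempts")
        # step 4: abort and send the 48-bit jam signal; step 5: back off
        ks.append(choose_k(len(ks) + 1, rng))
    return ks                              # collides list ended mid-backoff


if __name__ == "__main__":
    print("window after 10th collision:", backoff_window(10))
    print("worst-case wait at 10 Mbps: %.1f ms" % (wait_seconds(1023) * 1e3))
    print("efficiency for t_prop/t_trans = 0.01:", round(csma_cd_efficiency(0.01, 1.0), 3))
    print("K values drawn for a frame that collides twice:", run_csma_cd([True, True, False], seed=7))
```

`wait_seconds(1023)` comes out at 52.4 ms, which is the "about 50 msec" on the slide; with a 1 microsec bit time it would be ten times that, so the bit time figure matters when reasoning about how long a loaded segment can stall a sender.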

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality
- can disconnect a malfunctioning adapter

[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: backbone hub interconnecting three departmental hubs]

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment

Transparent: hosts are unaware of presence of switches

Plug-and-play, self-learning: switches do not need to be configured

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...

[Figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning

A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)

Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table

Switch: traffic isolation

Switch installation breaks subnet into LAN segments

Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains

[Figure: switch connecting three hubs; each hub is its own collision domain]

Switches vs Routers

Both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices

Routers maintain routing tables, implement routing algorithms

Switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access)

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B

[Figure: A, B, C in a line; A's signal strength and C's signal strength fall off over space]

Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer
- all hosts use same chipping code
Widely deployed, using base stations

802.11a: 5-6 GHz range; up to 54 Mbps

802.11g: 2.4-5 GHz range; up to 54 Mbps

All use CSMA/CA for multiple access

All have base-station and ad-hoc network versions

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP)

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station. Ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then sends ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: stations A and B both send RTS to the AP and the RTS(A), RTS(B) pair collides; A's RTS(A) gets through, the AP answers CTS(A), which both stations hear; B defers for the reservation while A sends DATA(A) and the AP returns ACK(A)]

802.11 frame

frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4

802.11 frame: addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

[Figure: host H1, AP, and router R1 connected to the Internet]

802.11 frame:  address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr
802.3 frame:   dest address = R1 MAC addr; source address = AP MAC addr
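A parser for the frame layout shown above, as an added worked example (not code from the slides or the course): it splits a data frame into frame control, duration, the three addresses, sequence control, the optional fourth address, payload and CRC, and names the address roles as the slides do for a host-to-AP frame. Assumptions made for the example: the frame-control field is little-endian with the To-DS and From-DS flags in bits 0 and 1 of its high byte, address 4 is present only when both flags are set, and the CRC is the standard CRC-32 over header plus payload stored little-endian; all MAC addresses and payloads are constructed.

```python
import struct
import zlib

FC_TYPE_DATA = 2


def _mac_bytes(mac):
    """'AA-BB-CC-DD-EE-FF' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split("-"))


def _mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_data_frame(addr1, addr2, addr3, payload, seq=0, to_ds=False, from_ds=False, addr4=None):
    """Assemble a data frame in the slide's layout and append the 4-byte CRC.

    Assumption: the FCS is CRC-32 over header+payload, stored little-endian; the
    frame-control field is little-endian with To-DS/From-DS in bits 0 and 1 of its high byte.
    """
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    frame_control = (FC_TYPE_DATA << 2) | (flags << 8)          # subtype 0 = plain data
    header = struct.pack("<HH", frame_control, 0)               # duration left at 0
    header += _mac_bytes(addr1) + _mac_bytes(addr2) + _mac_bytes(addr3)
    header += struct.pack("<H", (seq & 0xFFF) << 4)             # seq number, fragment 0
    if to_ds and from_ds:                                       # 4-address form (ad hoc / WDS)
        header += _mac_bytes(addr4)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_80211_frame(frame):
    """Split a frame into its fields; addr4 is present only when To-DS and From-DS are both set."""
    if len(frame) < 24 + 4:
        raise ValueError("frame shorter than a 3-address header plus CRC")
    frame_control, duration = struct.unpack_from("<HH", frame, 0)
    to_ds = bool((frame_control >> 8) & 0x01)
    from_ds = bool((frame_control >> 8) & 0x02)
    fields = {
        "type": (frame_control >> 2) & 0x3,
        "duration": duration,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "addr1": _mac_str(frame[4:10]),     # receiver of this frame
        "addr2": _mac_str(frame[10:16]),    # transmitter of this frame
        "addr3": _mac_str(frame[16:22]),    # router interface behind the AP (infrastructure mode)
    }
    seq_control, = struct.unpack_from("<H", frame, 22)
    fields["seq"] = seq_control >> 4
    fields["frag"] = seq_control & 0xF
    offset = 24
    fields["addr4"] = None
    if to_ds and from_ds:
        if len(frame) < 30 + 4:
            raise ValueError("4-address frame too short")
        fields["addr4"] = _mac_str(frame[24:30])
        offset = 30
    fields["payload"] = frame[offset:-4]
    expected, = struct.unpack("<I", frame[-4:])
    fields["fcs_ok"] = zlib.crc32(frame[:-4]) == expected   # corrupted frames are not ACKed
    return fields


def address_roles(fields):
    """Name the three addresses as the slide does for infrastructure-mode frames."""
    if fields["to_ds"] and not fields["from_ds"]:
        return {"receiving AP": fields["addr1"], "transmitting host": fields["addr2"],
                "router interface": fields["addr3"]}
    if fields["from_ds"] and not fields["to_ds"]:
        return {"receiving host": fields["addr1"], "transmitting AP": fields["addr2"],
                "router interface": fields["addr3"]}
    return {"addr1": fields["addr1"], "addr2": fields["addr2"],
            "addr3": fields["addr3"], "addr4": fields["addr4"]}


if __name__ == "__main__":
    # constructed addresses: AP, host H1, router interface R1
    f = build_data_frame("00-11-22-33-44-55", "AA-BB-CC-00-00-01", "DE-AD-BE-EF-00-01",
                         b"hello", seq=7, to_ds=True)
    parsed = parse_80211_frame(f)
    print(address_roles(parsed), parsed["seq"], parsed["payload"], parsed["fcs_ok"])
```

The length checks matter more than they look: the header is 24 or 30 bytes depending on two flag bits, so a parser that slices addresses before checking the length reads past the end of a short or truncated frame.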

Network Security

What is network security?

Principles of cryptography: symmetric key, public key

Authentication: protocol evolution

Access control: firewalls

Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 59: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Hierarchical Routing

aggregate routers into regions ldquoautonomous systemsrdquo (AS)

routers in same AS run same routing protocol ldquointra-ASrdquo routing

protocol routers in different AS

can run different intra-AS routing protocol

Gateway router Direct link to router

in another AS

3b

1d

3a

1c2aAS3

AS1

AS21a

2c2b

1b

Intra-ASRouting algorithm

Inter-ASRouting algorithm

Forwardingtable

3c

Interconnected ASes

Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries

for internal dests Inter-AS amp Intra-As

sets entries for external dests

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy: defer transmission

Human analogy: don't interrupt others!

CSMA collisions

collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
(figure: spatial layout of nodes)
note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage

collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection (figure)

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)

Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table

ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >

TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

(figure: a LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table.

A broadcasts ARP query packet, containing B's IP address
- Dest MAC address = FF-FF-FF-FF-FF-FF
- all machines on LAN receive ARP query

B receives ARP packet, replies to A with its (B's) MAC address
- frame sent to A's MAC address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
- soft state: information that times out (goes away) unless refreshed

ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

Two ARP tables in router R, one for each IP network (LAN)

In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

(figure: A connected to R connected to B)

- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B

(figure: A connected to R connected to B)
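The same-LAN ARP exchange and the A-to-B-via-R walkthrough above, as an added simulation that is not part of the slides. Each interface keeps an ARP cache as soft state with the slide's 20-minute TTL; a miss broadcasts a query to FF-FF-FF-FF-FF-FF and the owner answers with a unicast reply. The router address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's; the addresses of A, B and R's second interface are constructed for the demo, as are the class and function names.

```python
from dataclasses import dataclass, field

ARP_TTL = 20 * 60               # seconds; the slide's "typically 20 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Lan:
    """One broadcast segment. log records every frame put on the wire as (dst, src, what)."""

    def __init__(self):
        self.ifaces = []
        self.log = []


@dataclass
class Iface:
    ip: str
    mac: str
    lan: Lan
    arp: dict = field(default_factory=dict)   # ip -> (mac, expiry time): soft state

    def __post_init__(self):
        self.lan.ifaces.append(self)


def resolve(iface: Iface, target_ip: str, now: float):
    """Return (mac, queried) for target_ip on iface's LAN, sending an ARP query only on a miss."""
    hit = iface.arp.get(target_ip)
    if hit and hit[1] > now:
        return hit[0], False                       # cached and not yet timed out
    iface.arp.pop(target_ip, None)                 # expired mapping is forgotten
    iface.lan.log.append((BROADCAST, iface.mac, "ARP query for " + target_ip))
    for other in iface.lan.ifaces:                 # every node on the LAN sees the query
        if other is not iface and other.ip == target_ip:
            iface.lan.log.append((iface.mac, other.mac, "ARP reply"))  # unicast back
            iface.arp[target_ip] = (other.mac, now + ARP_TTL)
            return other.mac, True
    raise LookupError(f"{target_ip} is not on this LAN")


def send_via_router(a: Iface, r_in: Iface, r_out: Iface, b: Iface, now: float):
    """Frames carrying one A-to-B datagram through R, as (dst_mac, src_mac) pairs."""
    r_mac, _ = resolve(a, r_in.ip, now)            # A's routing table names R as next hop
    first = (r_mac, a.mac)                         # A-to-B datagram, framed for R
    b_mac, _ = resolve(r_out, b.ip, now)           # R strips the frame, sees dst B, ARPs on LAN 2
    second = (b_mac, r_out.mac)                    # same datagram, reframed for B
    return [first, second]


def build_demo():
    lan1, lan2 = Lan(), Lan()
    a = Iface("111.111.111.111", "74-29-9C-E8-FF-55", lan1)      # constructed
    r_in = Iface("111.111.111.110", "E6-E9-00-17-BB-4B", lan1)   # from the slide
    r_out = Iface("222.222.222.220", "1A-23-F9-CD-06-9B", lan2)  # constructed
    b = Iface("222.222.222.222", "49-BD-D2-C7-56-2A", lan2)      # constructed
    return a, r_in, r_out, b, lan1, lan2


def demo():
    """Returns the two frames plus the ARP frame counts for a cold, a warm and an expired cache."""
    a, r_in, r_out, b, lan1, lan2 = build_demo()
    frames = send_via_router(a, r_in, r_out, b, now=0)
    cold = len(lan1.log) + len(lan2.log)                     # 2 queries + 2 replies
    send_via_router(a, r_in, r_out, b, now=60)
    warm = len(lan1.log) + len(lan2.log) - cold              # both caches hit
    send_via_router(a, r_in, r_out, b, now=ARP_TTL + 1)
    expired = len(lan1.log) + len(lan2.log) - cold - warm    # entries aged out, re-queried
    return frames, cold, warm, expired


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the exchange lets A verify who answered the query; the cache simply trusts the first reply, which is why the slide calls it plug-and-play and why ARP state on a LAN is worth monitoring.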

Ethernet uses CSMA/CD

- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
- first collision: choose K from {0,1}; delay is K · 512 bit transmission times
- after second collision: choose K from {0,1,2,3}…
- after ten collisions, choose K from {0,1,2,3,4,…,1023}

CSMA/CD efficiency

tprop = max prop delay between 2 nodes in LAN
ttrans = time to transmit max-size frame

efficiency = 1 / (1 + 5 tprop/ttrans)

Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
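The Ethernet algorithm, the backoff numbers and the efficiency formula from the last three slides, worked in code. This is an added example rather than anything from the slides: it walks steps 2 to 5 for one frame against a constructed list of collision outcomes, reproduces the slide's "about 50 msec" for K=1023 at a 0.1 microsecond bit time, and evaluates 1/(1 + 5 tprop/ttrans). The cap of K at 1023 after the tenth collision is taken from the slide; the function names and the seeded random generator are my own.

```python
import random

BIT_TIME_US = 0.1      # one bit time on 10 Mbps Ethernet, in microseconds
SLOT_BITS = 512        # backoff is counted in units of 512 bit times
JAM_BITS = 48          # length of the jam signal
MAX_BACKOFF_EXP = 10   # from the tenth collision on, K stays in 0..1023


def k_upper_bound(m: int) -> int:
    """Largest K after the m-th collision: 2^m - 1, capped at 1023 from the tenth collision."""
    if m < 1:
        raise ValueError("m counts collisions, so it starts at 1")
    return 2 ** min(m, MAX_BACKOFF_EXP) - 1


def backoff_bit_times(m: int, rng: random.Random) -> int:
    """Step 5: pick K uniformly from {0, ..., 2^m - 1} and wait K * 512 bit times."""
    return rng.randint(0, k_upper_bound(m)) * SLOT_BITS


def wait_us(k: int) -> float:
    """Backoff delay in microseconds for a given K on 10 Mbps Ethernet."""
    return k * SLOT_BITS * BIT_TIME_US


def run_csma_cd(collisions: list, seed: int = 0) -> tuple:
    """Walk steps 2-5 of the slide for one frame.

    collisions[i] is True when the i-th transmission attempt collides (a constructed
    channel outcome, not sensed from a real medium). Returns
    (attempts, jam_bits_sent, total_backoff_bit_times).
    """
    rng = random.Random(seed)
    m, jam, waited = 0, 0, 0
    for attempt, collided in enumerate(collisions, start=1):
        if not collided:
            return attempt, jam, waited            # step 3: frame went out without a collision
        m += 1                                     # step 4: abort and send the 48-bit jam
        jam += JAM_BITS
        waited += backoff_bit_times(m, rng)        # step 5: exponential backoff, then back to step 2
    raise RuntimeError("every attempt collided")


def efficiency(t_prop: float, t_trans: float) -> float:
    """CSMA/CD efficiency 1 / (1 + 5 tprop/ttrans) from the slide."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    print("K upper bound after collisions 1..12:", [k_upper_bound(m) for m in range(1, 13)])
    print(f"worst-case wait for K=1023: {wait_us(1023) / 1000:.1f} ms")
    print("three collisions then success:", run_csma_cd([True, True, True, False], seed=7))
    for tp, tt in ((0.0, 1.0), (1.0, 10.0), (1.0, 1e6)):
        print(f"tprop={tp} ttrans={tt}: efficiency {efficiency(tp, tt):.6f}")
```

The 0.1 microsecond bit time is what makes the K=1023 figure come out near 50 ms (1023 · 512 · 0.1 µs = 52.4 ms); a 1 µs bit time would give half a second.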

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)

(figure: twisted pair links into a hub)

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

(figure: three hubs joined by a backbone hub)

Switch

Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment

transparent
- hosts are unaware of presence of switches

plug-and-play, self-learning
- switches do not need to be configured

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...

(figure: three hubs attached to switch interfaces 1, 2, 3)

Self learning

A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)

switch learns which hosts can be reached through which interfaces
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table

Switch: traffic isolation

switch installation breaks subnet into LAN segments

switch filters packets:
- same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains

(figure: three hubs on one switch, each hub its own collision domain)
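The self-learning and filtering behaviour from the last two slides as one added simulation (my code, not the slides'): a switch table of (MAC, interface, time stamp) entries with the slide's 60-minute TTL, flooding for unknown or broadcast destinations, filtering when the destination sits on the segment the frame arrived from. The host MAC addresses and the scenario are constructed.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
TABLE_TTL = 60 * 60      # seconds; the slide's "TTL can be 60 min"


class LearningSwitch:
    """Self-learning, filtering switch: table maps MAC -> (interface, time stamp)."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}

    def expire(self, now):
        """Drop stale entries: an entry not refreshed within TABLE_TTL is forgotten."""
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > TABLE_TTL:
                del self.table[mac]

    def handle(self, src, dst, in_iface, now):
        """Return the interfaces the frame is forwarded to; [] means it was filtered."""
        self.expire(now)
        self.table[src] = (in_iface, now)              # learn: sender is reachable via in_iface
        if dst == BROADCAST or dst not in self.table:
            return [i for i in self.interfaces if i != in_iface]   # flood all but the incoming segment
        out_iface, _ = self.table[dst]
        if out_iface == in_iface:
            return []                                   # same segment: filter, do not forward
        return [out_iface]


def demo():
    """Constructed scenario: A and B share interface 1's segment, C is on interface 2, 3 is idle."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    steps = [
        sw.handle(a, c, 1, now=0),               # C unknown: flood to 2 and 3; A learned on 1
        sw.handle(c, a, 2, now=1),               # A known on 1: forward only there; C learned on 2
        sw.handle(a, b, 1, now=2),               # B unknown: flood
        sw.handle(b, a, 1, now=3),               # both on interface 1: filtered
        sw.handle(a, c, 1, now=TABLE_TTL + 5),   # every entry aged out, so C is flooded again
    ]
    return steps, dict(sw.table)


if __name__ == "__main__":
    for i, out in enumerate(demo()[0], start=1):
        print(f"frame {i}: forwarded to {out or 'nobody (filtered)'}")
```

The table is rebuilt purely from observed source addresses, so whatever a frame claims as its source is what the switch learns; that is the design point behind the slide's "no configuration needed", and also why switch tables are a common thing to watch on a managed network.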

Switches vs. Routers

both store-and-forward devices
- routers: network layer devices (examine network layer headers)
- switches are link layer devices

routers maintain routing tables, implement routing algorithms
switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

(figure: A, B, C in a line)

Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other: means A, C unaware of their interference at B

(figure: A's signal strength and C's signal strength plotted against space, overlapping at B)

Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN

802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code
- widely deployed, using base stations

802.11a
- 5-6 GHz range
- up to 54 Mbps

802.11g
- 2.4-5 GHz range
- up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

wireless host communicates with base station
- base station = access point (AP)

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
- wireless hosts
- access point (AP): base station

ad hoc mode: hosts only

(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

(figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)

Collision Avoidance: RTS-CTS exchange

(figure, time running downward: A and B both send RTS to the AP; RTS(A) and RTS(B) collide; A retries RTS(A); the AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A). The RTS/CTS exchange is the reservation.)

802.11 frame: addressing

frame format (field sizes in bytes): frame control 2, duration 2, address 1 6, address 2 6, address 3 6, seq control 2, address 4 6, payload 0 - 2312, CRC 4

- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode

(figure: H1 sends through the AP to router R1 on the Internet)

802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr

802.11 frame addressing
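A builder and parser for the frame layout on the slide, added here as my own example and not taken from the slides or any 802.11 implementation. It packs the fields in slide order (frame control 2, duration 2, three 6-byte addresses, sequence control 2, address 4, payload of at most 2312 bytes, 4-byte CRC), using little-endian byte order for the 2-byte fields as the standard does and zlib's CRC-32 as the trailing check; the demo's AP, H1 and R1 addresses are constructed stand-ins for the figure.

```python
import struct
import zlib

# Field sizes from the slide: frame control 2, duration 2, address 1/2/3 6 each,
# seq control 2, address 4 6. The payload (0-2312 bytes) and 4-byte CRC follow.
HEADER = struct.Struct("<HH6s6s6sH6s")
MAX_PAYLOAD = 2312
CRC_LEN = 4


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(frame_control, duration, addr1, addr2, addr3, seq_control,
                payload: bytes, addr4="00-00-00-00-00-00") -> bytes:
    """Lay the fields out in slide order and append a CRC-32 over everything before it."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = HEADER.pack(frame_control, duration, mac_to_bytes(addr1), mac_to_bytes(addr2),
                       mac_to_bytes(addr3), seq_control, mac_to_bytes(addr4)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(raw: bytes) -> dict:
    """Inverse of build_frame; rejects frames that are too short or whose CRC does not match."""
    if len(raw) < HEADER.size + CRC_LEN:
        raise ValueError("frame too short")
    body, (crc,) = raw[:-CRC_LEN], struct.unpack("<I", raw[-CRC_LEN:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: frame corrupted")
    fc, dur, a1, a2, a3, seq, a4 = HEADER.unpack_from(body)
    return {"frame_control": fc, "duration": dur,
            "address1": bytes_to_mac(a1), "address2": bytes_to_mac(a2), "address3": bytes_to_mac(a3),
            "seq_control": seq, "address4": bytes_to_mac(a4), "payload": body[HEADER.size:]}


def frame_ok(raw: bytes) -> bool:
    """True when parse_frame accepts the bytes (length and CRC both good)."""
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


def infrastructure_roles(fields: dict) -> dict:
    """Name the three addresses as the slide does for a host sending through its AP."""
    return {"receiver (AP)": fields["address1"],
            "transmitter (wireless host)": fields["address2"],
            "router interface behind AP": fields["address3"]}


def demo():
    ap, h1, r1 = "AA-AA-AA-AA-AA-01", "11-11-11-11-11-01", "22-22-22-22-22-01"   # constructed
    frame = build_frame(0x0108, 44, ap, h1, r1, 0x0010, b"A-to-R1 datagram")
    return frame, parse_frame(frame)


if __name__ == "__main__":
    frame, fields = demo()
    print(len(frame), "bytes:", infrastructure_roles(fields))
```

The CRC catches transmission damage only; it is not a keyed check, so a parser that trusts address 2 as "who sent this" is trusting an unauthenticated field, which is the gap later 802.11 security mechanisms were added to close.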

Network Security

- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap5.0
  • ap5.0 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol CSMA/CA
  • Collision Avoidance RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
Page 60: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Interconnected ASes

(figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b, 3c; in each router the Intra-AS routing algorithm and the Inter-AS routing algorithm together fill the forwarding table)

Forwarding table is configured by both intra- and inter-AS routing algorithm
- Intra-AS sets entries for internal dests
- Inter-AS & Intra-AS sets entries for external dests

Routing in the Internet

Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP

RIP (Routing Information Protocol)

Distance vector algorithm
Included in BSD-UNIX Distribution in 1982
Distance metric: # of hops (max = 15 hops)
- # of hops = # of subnets traversed along the shortest path from src router to dst subnet (e.g., src = A)

(figure: routers A, B, C, D joining subnets u, v, w, x, y, z)

From A:
destination   hops
u             1
v             2
w             2
x             3
y             3
z             2

RIP advertisements

Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement)
Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses Link State algorithm
- LS packet dissemination
- Topology map at each node
- Route computation using Dijkstra's algorithm
- Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router
Advertisements disseminated to entire AS (via flooding)
- Carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in RIP)
For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort; high for real time)
Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF
Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone
- Link-state advertisements only in area
- each node has detailed area topology
Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
Backbone routers: run OSPF routing limited to backbone
Boundary routers: connect to other ASes

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard
BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy
Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
- Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
- AS2 can aggregate prefixes in its advertisement

(figure: AS1 routers 1a-1d, AS2 routers 2a-2c, AS3 routers 3a-3c; eBGP sessions between ASes, iBGP sessions within an AS)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes
- prefix + attributes = "route"
Two important attributes:
- AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
- NEXT-HOP: Indicates the specific internal-AS router to next-hop AS (There may be multiple links from current AS to next-hop-AS)
When gateway router receives route advert, uses import policy to accept/decline
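The route = prefix + attributes idea and the gateway's accept/decline step, as an added example that is not from the slides. A Route carries the prefix, an AS-PATH and a NEXT-HOP; the import policy declines an advert whose AS-PATH already contains the receiving AS (the path would loop back) or crosses an AS the operator refuses to send traffic through; re-advertising prepends the local AS number and rewrites NEXT-HOP. AS 67 and AS 17 come from the slide; the prefix, the other AS numbers, the shortest-AS-PATH tie-breaker and all names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """prefix + attributes = "route". as_path lists the ASes the advert passed through, latest first."""
    prefix: str
    as_path: tuple       # e.g. (67, 17): AS 67 re-advertised what it heard from AS 17
    next_hop: str        # border router in the next-hop AS to forward to


def import_policy(my_as: int, route: Route, refused_transit=()) -> bool:
    """Gateway's accept/decline decision for an incoming advert.

    Declines a route whose AS-PATH already contains our own AS (accepting it would
    create a loop) and one that crosses an AS listed in refused_transit (a constructed
    operator policy standing in for whatever the admin decides).
    """
    if my_as in route.as_path:
        return False
    return not any(asn in refused_transit for asn in route.as_path)


def readvertise(my_as: int, route: Route, my_border_router: str) -> Route:
    """Propagate an accepted route onward: prepend our AS, set NEXT-HOP to our border router."""
    return Route(route.prefix, (my_as,) + route.as_path, my_border_router)


def select(my_as: int, adverts, refused_transit=()):
    """Among accepted adverts for one prefix, prefer the shortest AS-PATH (constructed tie-breaker)."""
    accepted = [r for r in adverts if import_policy(my_as, r, refused_transit)]
    return min(accepted, key=lambda r: len(r.as_path), default=None)


def demo():
    """Constructed adverts for one prefix arriving at AS 1, whose border router is 1c on the figure."""
    adverts = [
        Route("138.16.64.0/22", (67, 17), "router-in-AS67"),
        Route("138.16.64.0/22", (3, 2, 17), "router-in-AS3"),
        Route("138.16.64.0/22", (5, 1, 17), "router-in-AS5"),   # already contains AS 1: a loop
    ]
    chosen = select(1, adverts)
    return chosen, readvertise(1, chosen, "1c")


if __name__ == "__main__":
    chosen, out = demo()
    print("accepted:", chosen)
    print("re-advertised to neighbours:", out)
```

Nothing here checks that an advert is truthful: the receiving AS takes the AS-PATH and the prefix at face value, which is why import policy on a real border router is a filtering point and not just a preference step.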

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: admin wants control over how its traffic routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed

Scale:
- hierarchical routing saves table size, reduced update traffic

Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram

(figure: a "link" between two adjacent nodes)

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access:
- encapsulate datagram into frame, adding header, trailer


Page 61: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Routing in the Internet Routing in the Internet

Intra-AS routing RIP and OSPF Inter-AS routing BGP

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard.

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASes.
2. Propagate the reachability information to all routers internal to the AS.
3. Determine "good" routes to subnets based on reachability information and policy.

Allows a subnet to advertise its existence to the rest of the Internet: "I am here".

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions. Note that BGP sessions do not correspond to physical links.

When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement.

[Figure: three ASes (AS1 with routers 1a-1d, AS2 with routers 2a-2c, AS3 with routers 3a-3c); eBGP sessions run between ASes and iBGP sessions within an AS.]

Path attributes & BGP routes

When advertising a prefix, the advert includes BGP attributes: prefix + attributes = "route".

Two important attributes:
AS-PATH: contains the ASes through which the advert for the prefix passed (e.g., AS 67, AS 17).
NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS).

When a gateway router receives a route advert, it uses import policy to accept or decline it.
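As an added example (not part of the slides, and not any router vendor's implementation), the following Python models a route as prefix + AS-PATH + NEXT-HOP, an import policy that accepts or declines an advertisement, AS-PATH prepending when the route is propagated onward, and the prefix aggregation the BGP basics slide mentions. The AS numbers, prefixes and router names are constructed sample values; the prefix-length filter is one common policy choice, not a BGP rule.

```python
# Added example (not from the slides): a BGP "route" = prefix + attributes,
# an import policy applied when an advert arrives, AS-PATH prepending on
# re-advertisement, and prefix aggregation. All AS numbers, prefixes and
# router names are constructed sample values.
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str        # e.g. "138.16.64.0/22"
    as_path: list      # ASes the advert passed through, nearest AS first
    next_hop: str      # internal router leading to the next-hop AS

def import_policy(route, my_as, declined_ases=frozenset()):
    """Return (accept, reason) for an advert received from a neighbor AS.

    The loop check (our own AS already in AS-PATH) is standard BGP behavior;
    the remaining checks stand in for locally configured policy."""
    if my_as in route.as_path:
        return False, "AS-PATH loop: our own AS is already in the path"
    try:
        net = ipaddress.ip_network(route.prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen > 24:
        return False, "policy: prefix more specific than /24"
    if declined_ases & set(route.as_path):
        return False, "policy: path transits an AS we do not route through"
    return True, "accepted"

def select_route(candidates):
    """Among accepted routes to one prefix prefer the shortest AS-PATH
    (one of BGP's selection rules; LOCAL-PREF and the rest are omitted)."""
    return min(candidates, key=lambda r: len(r.as_path))

def readvertise(route, my_as):
    """Prepend our AS to AS-PATH when propagating the route to a neighbor AS."""
    return Route(route.prefix, [my_as] + route.as_path, route.next_hop)

def aggregate(prefixes):
    """Merge adjacent prefixes before advertising (e.g. two /23s -> one /22)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    advert = Route("138.16.64.0/22", [67, 17], "1c")
    print(import_policy(advert, my_as=1))     # accepted
    print(import_policy(advert, my_as=17))    # declined: loop
    print(readvertise(advert, my_as=1))       # AS-PATH [1, 67, 17]
    print(aggregate(["138.16.64.0/23", "138.16.66.0/23"]))
```

The loop check is the one line that turns "accept/decline" into a safety property: without it a prefix can circulate among ASes indefinitely. The other filters are where an operator's policy lives, which is the point of the slide that follows on why inter-AS routing differs from intra-AS routing.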

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: the admin wants control over how its traffic is routed and who routes through its net. Intra-AS: single admin, so no policy decisions needed.

Scale: hierarchical routing saves table size and reduces update traffic.

Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs). A layer-2 packet is a frame; it encapsulates a datagram.

The data-link layer has responsibility for transferring a datagram from one node to an adjacent node over a link.

Link Layer Services

Framing, link access: encapsulate the datagram into a frame, adding header and trailer; channel access if the medium is shared; "MAC" addresses used in frame headers to identify source and dest (different from IP addresses).

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links have high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:

Channel Partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use.

Random Access: channel not divided, allow collisions; "recover" from collisions.

"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel Partitioning MAC protocols: TDMA

TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have packets, slots 2, 5, 6 idle.

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized: only the slots in nodes need to be in sync; simple.

Cons: collisions, wasting slots; idle slots; clock synchronization.

Slotted Aloha efficiency

Suppose N nodes with many frames to send; each transmits in a slot with probability p.

Prob that node 1 has success in a slot = p(1-p)^(N-1)

Prob that there is a success = Np(1-p)^(N-1)

For max efficiency with N nodes, find the p that maximizes Np(1-p)^(N-1).

For many nodes, take the limit of Np(1-p)^(N-1) as N goes to infinity: gives 1/e = 0.37.

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.

At best, the channel is used for useful transmissions 37% of the time!
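As an added example (not part of the slides), the following Python evaluates the success probability Np(1-p)^(N-1) from the slide, finds the maximizing p (setting the derivative to zero gives p = 1/N), shows the value approaching 1/e as N grows, and checks the formula against a Monte-Carlo simulation of saturated nodes. The node counts, probabilities and random seed are constructed sample values.

```python
# Added example (not from the slides): slotted ALOHA efficiency, analytic and
# simulated. Node counts and probabilities below are constructed sample values.
import math
import random

def success_prob(n, p):
    """P(exactly one of n saturated nodes transmits in a slot) = n p (1-p)^(n-1)."""
    return n * p * (1 - p) ** (n - 1)

def best_p(n):
    """d/dp [n p (1-p)^(n-1)] = n (1-p)^(n-2) (1 - n p) = 0  ->  p* = 1/n."""
    return 1.0 / n

def max_efficiency(n):
    """(1 - 1/n)^(n-1), which tends to 1/e ~ 0.37 as n grows."""
    return success_prob(n, best_p(n))

def simulate(n, p, slots, seed=1):
    """Fraction of slots carrying exactly one transmission, with n always-ready
    nodes each transmitting independently with probability p per slot."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitting = sum(1 for _ in range(n) if rng.random() < p)
        if transmitting == 1:          # 0 -> idle slot, >1 -> collision
            successes += 1
    return successes / slots

if __name__ == "__main__":
    for n in (1, 2, 10, 100, 1000):
        print(n, round(max_efficiency(n), 4))
    print("1/e =", round(1 / math.e, 4))
    print("simulated, n=10, p=0.1:", round(simulate(10, 0.1, 20000), 3))
```

Raising p above 1/N does not help: more nodes talk, so more slots are wasted by collisions, which is what the "collisions" and "idle slots" cons on the previous slide trade off against each other.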

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If the channel is sensed idle: transmit the entire frame. If the channel is sensed busy: defer transmission.

Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: the entire packet transmission time is wasted.

[Figure: spatial layout of nodes over time; note the role of distance and propagation delay in determining collision probability.]

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing and deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.

Collision detection: easy in wired LANs: measure signal strengths, compare transmitted and received signals; difficult in wireless LANs: the receiver is shut off while transmitting.

CSMA/CD collision detection

[Figure: space-time diagram of two nodes detecting and aborting a collision.]

"Taking Turns" MAC protocols

Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).

Token passing: a control token is passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).

ARP: Address Resolution Protocol

Each IP node (host, router) on a LAN has an ARP table.

ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>

TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).

Question: how to determine the MAC address of B, knowing B's IP address?

[Figure: a LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88, with MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53.]

ARP protocol: Same LAN (network)

A wants to send a datagram to B, and B's MAC address is not in A's ARP table.

A broadcasts an ARP query packet containing B's IP address. Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.

B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).

A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out). Soft state: information that times out (goes away) unless refreshed.

ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.
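As an added example (not part of the slides), the following Python models the exchange just described: an ARP table kept as soft state with a 20-minute TTL, a broadcast query that every node on the LAN sees, and a unicast reply that the asker caches. Because ARP is plug-and-play and nobody vouches for a reply, the table also records when a cached mapping changes before it has expired, which is the signal a host or monitoring tool would log. The LAN, Host and clock abstractions are this example's own; the IP and MAC addresses are the slide's sample values.

```python
# Added example (not from the slides): ARP table as soft state with TTL, the
# broadcast query / unicast reply exchange, and a defender's check that notes
# a mapping changing before it timed out. LAN/Host/clock are this example's
# own abstractions; addresses are the slide's sample values.
import time

BROADCAST = "FF-FF-FF-FF-FF-FF"
DEFAULT_TTL = 20 * 60   # 20 minutes, in seconds

class ArpTable:
    def __init__(self, ttl=DEFAULT_TTL, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self.entries = {}       # ip -> (mac, expires_at)
        self.conflicts = []     # (ip, old_mac, new_mac) seen before expiry

    def lookup(self, ip):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if self.clock() >= expires_at:     # soft state: forget stale mappings
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip, mac):
        old = self.lookup(ip)
        if old is not None and old != mac:
            self.conflicts.append((ip, old, mac))   # worth logging on a real host
        self.entries[ip] = (mac, self.clock() + self.ttl)

class Host:
    def __init__(self, ip, mac, lan, clock=time.time):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp = ArpTable(clock=clock)
        lan.append(self)

    def resolve(self, target_ip):
        """Return the target's MAC, querying the LAN only on a table miss."""
        mac = self.arp.lookup(target_ip)
        if mac is not None:
            return mac
        query = {"op": "request", "dst_mac": BROADCAST, "src_mac": self.mac,
                 "src_ip": self.ip, "target_ip": target_ip}
        for node in self.lan:               # broadcast: every node receives it
            reply = node.receive(query)
            if reply is not None:           # unicast reply from the target
                self.arp.learn(reply["src_ip"], reply["src_mac"])
                return reply["src_mac"]
        return None

    def receive(self, pkt):
        if pkt["op"] == "request" and pkt["target_ip"] == self.ip:
            self.arp.learn(pkt["src_ip"], pkt["src_mac"])   # cache the asker too
            return {"op": "reply", "dst_mac": pkt["src_mac"],
                    "src_mac": self.mac, "src_ip": self.ip}
        return None

def demo():
    """Resolve, hit the cache, then let the entry time out. Returns the three results."""
    now = [1000.0]
    clock = lambda: now[0]                 # controllable clock for the demo
    lan = []
    a = Host("237.196.7.23", "1A-2F-BB-76-09-AD", lan, clock)
    b = Host("237.196.7.78", "58-23-D7-FA-20-B0", lan, clock)
    first = a.resolve(b.ip)                # query broadcast, B replies
    cached = a.arp.lookup(b.ip)            # answered from the table
    now[0] += DEFAULT_TTL + 1              # 20 minutes pass without a refresh
    expired = a.arp.lookup(b.ip)           # soft state has timed out
    return first, cached, expired

if __name__ == "__main__":
    print(demo())
```

The conflict list is the defensive addition: on a LAN where ARP tables are built without administrator intervention, a mapping that flips before its TTL is the first thing to investigate.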

Routing to another LAN

Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.

Two ARP tables in router R, one for each IP network (LAN).

In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: host A and host B on different LANs, connected through router R.]

A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as dest; the frame contains the A-to-B IP datagram. A's adapter sends the frame; R's adapter receives it. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.

Ethernet uses CSMA/CD

No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting: that is carrier sense.

A transmitting adapter aborts when it senses that another adapter is transmitting: that is collision detection.

Before attempting a retransmission, the adapter waits a random time: that is random access.

Ethernet CSMA/CD algorithm

1. The adapter receives a datagram from the net layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the mth collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to Step 2.

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of the collision; 48 bits.

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.

Exponential Backoff: Goal: adapt retransmission attempts to the estimated current load: under heavy load, the random wait will be longer. First collision: choose K from {0, 1}; the delay is K * 512 bit transmission times. After the second collision: choose K from {0, 1, 2, 3}. After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency

tprop = max propagation delay between 2 nodes in the LAN
ttrans = time to transmit a max-size frame

efficiency = 1 / (1 + 5 tprop / ttrans)

Efficiency goes to 1 as tprop goes to 0.
Goes to 1 as ttrans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
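As an added example (not part of the slides), the following Python puts numbers on the two slides above: the K range after the mth collision (capped at 2^10 - 1 from the tenth collision on), the wait time behind "K = 1023 is about 50 msec" at 10 Mbps, the efficiency formula 1 / (1 + 5 tprop/ttrans), and a small driver for the retry loop of steps 2 to 5. The 16-attempt give-up limit is standard Ethernet behavior rather than something the slides state; the collision pattern fed to the driver is a constructed sample.

```python
# Added example (not from the slides): Ethernet exponential backoff numbers,
# the CSMA/CD efficiency formula, and a driver for the retry loop. The
# 16-attempt limit is standard Ethernet; the collision pattern is constructed.
import random

SLOT_BITS = 512             # backoff unit: 512 bit times
JAM_BITS = 48
MAX_BACKOFF_EXPONENT = 10   # K's range stops growing after the 10th collision
MAX_ATTEMPTS = 16           # standard Ethernet gives up after 16 collisions

def backoff_range(m):
    """Inclusive (low, high) for K after the m-th collision: {0 .. 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 0, 2 ** min(m, MAX_BACKOFF_EXPONENT) - 1

def draw_k(m, rng=random):
    low, high = backoff_range(m)
    return rng.randint(low, high)

def bit_time_seconds(rate_bps):
    return 1.0 / rate_bps            # 10 Mbps -> 0.1 microsecond

def wait_seconds(k, rate_bps):
    """How long the adapter stays silent before returning to step 2."""
    return k * SLOT_BITS * bit_time_seconds(rate_bps)

def csma_cd_efficiency(t_prop, t_trans):
    """Long-run fraction of time the channel carries useful frames."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)

def transmit_with_backoff(collides, rng=random):
    """Drive steps 2-5. `collides(attempt)` reports whether the 1-based attempt
    collides. Returns (succeeded, collisions, bit_times_waited)."""
    waited = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if not collides(attempt):
            return True, attempt - 1, waited
        waited += draw_k(attempt, rng) * SLOT_BITS   # attempt-th collision
    return False, MAX_ATTEMPTS, waited

if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        print("after collision", m, "K in", backoff_range(m))
    print("K=1023 at 10 Mbps waits", wait_seconds(1023, 10_000_000), "s")
    print("efficiency, tprop/ttrans = 0.01:", csma_cd_efficiency(0.01, 1.0))
    print(transmit_with_backoff(lambda a: a < 3, random.Random(0)))
```

1023 * 512 bit times at 0.1 microsecond per bit is 52.4 ms, the "about 50 msec" figure on the slide. Note that at higher link rates the bit time shrinks, so the same K waits proportionally less.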

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions; provides net management functionality (e.g., can disconnect a malfunctioning adapter).

[Figure: a hub with twisted-pair links to hosts.]

Interconnecting with hubs

Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.

Cons: collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.

[Figure: several department hubs interconnected by a backbone hub.]

Switch

Link layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC dest address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.

Transparent: hosts are unaware of the presence of switches.

Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

How to determine onto which LAN segment to forward a frame? Looks like a routing problem.

[Figure: a switch with interfaces 1, 2 and 3, each connected to a hub.]

Self learning

A switch has a switch table. Entry in the switch table: (MAC Address, Interface, Time Stamp); stale entries in the table are dropped (TTL can be 60 min).

The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment; it records the sender/location pair in the switch table.

Switch: traffic isolation

Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.

[Figure: a switch connecting three hubs; each hub forms its own collision domain.]
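As an added example (not part of the slides, and not any switch vendor's code), the following Python implements the self-learning table and the forward / filter / flood decision from the two slides above: each entry is (MAC, interface, timestamp), entries older than the TTL are purged, a frame to a MAC learned on the incoming interface is filtered, a frame to a MAC learned elsewhere goes out that one interface, and anything else (unknown or broadcast destination) is flooded. The MAC addresses and interface numbers are constructed sample values.

```python
# Added example (not from the slides): a self-learning switch table with
# (MAC, interface, timestamp) entries, a 60-minute TTL, and the
# forward / filter / flood decision. MACs and interface numbers are constructed.
TTL_SECONDS = 60 * 60

class LearningSwitch:
    def __init__(self, interfaces, ttl=TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}    # mac -> (interface, last_seen)

    def purge(self, now):
        """Drop stale entries (the slide's TTL, e.g. 60 min)."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.ttl]
        for mac in stale:
            del self.table[mac]

    def handle_frame(self, src_mac, dst_mac, in_iface, now):
        """Return the interfaces the frame is sent out on.

        1. Learn: the sender is reachable via in_iface (record with timestamp).
        2. Destination known on in_iface: same segment, filter (send nowhere).
        3. Destination known on another interface: forward there only.
        4. Otherwise (unknown or broadcast address): flood all other interfaces."""
        self.purge(now)
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if entry is not None:
            out_iface, _ = entry
            return [] if out_iface == in_iface else [out_iface]
        return [i for i in self.interfaces if i != in_iface]

if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    A, B, C = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"
    print(sw.handle_frame(A, B, 1, now=0))    # B unknown: flood [2, 3]
    print(sw.handle_frame(B, A, 2, now=1))    # A known on 1: [1]
    print(sw.handle_frame(C, A, 1, now=2))    # same segment: [] (filtered)
    print(sw.table)
```

Because the table is filled purely from observed source addresses, the switch's picture of the network is only as trustworthy as the frames it sees; the TTL is what lets a host move between segments without manual reconfiguration.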

Switches vs Routers

Both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.

Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other. This means A and C are unaware of their interference at B.

[Figure: nodes A, B, C in a line; A's and C's signal strength fall off with distance and overlap only at B.]

Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer (all hosts use the same chipping code); widely deployed, using base stations.

802.11a: 5-6 GHz range; up to 54 Mbps.

802.11g: 2.4-5 GHz range; up to 54 Mbps.

All use CSMA/CA for multiple access.

All have base-station and ad-hoc network versions.

802.11 LAN architecture

A wireless host communicates with a base station; base station = access point (AP).

Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station. Ad hoc mode: hosts only.

[Figure: two BSSs, each with an AP, connected through a hub, switch or router to the Internet.]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then: start a random backoff time; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.

802.11 receiver: if the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem).

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK.]

Collision Avoidance: RTS-CTS exchange

[Figure: stations A and B both send RTS to the AP and the reservations collide; A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A) and the AP returns ACK(A); B defers.]

802.11 frame (field sizes in bytes):

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame: addressing

Address 1: MAC address of the wireless host or AP to receive this frame.
Address 2: MAC address of the wireless host or AP transmitting this frame.
Address 3: MAC address of the router interface to which the AP is attached.
Address 4: used only in ad hoc mode.

[Figure: host H1 sends to router R1 through the AP. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. The 802.3 frame shown on the wired side carries dest address R1 MAC addr and source address AP MAC addr.]

802.11 frame: addressing

[Figure only.]
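As an added example (not part of the slides), the following Python builds and parses a data frame with the field layout shown above (frame control 2, duration 2, addresses 1 to 3 of 6 bytes each, sequence control 2, address 4 of 6, payload up to 2312, CRC 4) and maps the three addresses to the roles the slide gives them for a host-to-AP frame. The parser rejects frames that are too short, carry an oversized payload, or fail the CRC, which is the check a receiver applies before trusting any field. The MAC addresses are constructed sample values; the frame check sequence is computed here with zlib.crc32 over header plus payload, which is this example's convention for the demonstration.

```python
# Added example (not from the slides): build and parse an 802.11 data frame
# with the slide's field layout, validate length and CRC, and name the roles
# of addresses 1-3 for a host-to-AP frame. MACs are constructed sample values;
# the FCS is zlib.crc32 over header+payload (this example's convention).
import struct
import zlib

HEADER = struct.Struct("<HH6s6s6sH6s")   # 2+2+6+6+6+2+6 = 30 bytes, little-endian
MAX_PAYLOAD = 2312
FCS_LEN = 4

def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split("-"))

def build_frame(addr1, addr2, addr3, payload, seq=0, addr4=b"\x00" * 6):
    """Construct a data frame; address 4 is zero-filled (infrastructure mode)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    frame_control = 0x0008   # type = data, subtype 0; flag bits left clear
    body = HEADER.pack(frame_control, 0, mac_bytes(addr1), mac_bytes(addr2),
                       mac_bytes(addr3), seq << 4, addr4) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def parse_frame(frame):
    """Check length and FCS, then return the header fields by name."""
    if len(frame) < HEADER.size + FCS_LEN:
        raise ValueError("frame too short for header + FCS")
    body, fcs = frame[:-FCS_LEN], struct.unpack("<I", frame[-FCS_LEN:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("FCS mismatch: corrupted frame")
    fc, duration, a1, a2, a3, seqctl, a4 = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    return {"frame_control": fc, "duration": duration,
            "address1": mac_str(a1), "address2": mac_str(a2),
            "address3": mac_str(a3), "address4": mac_str(a4),
            "seq": seqctl >> 4, "payload": payload}

def is_valid(frame):
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False

def roles_host_to_ap(fields):
    """Address roles for a frame a wireless host sends to its AP (the slide's case)."""
    return {"receiver (AP)": fields["address1"],
            "transmitter (host)": fields["address2"],
            "router interface behind AP": fields["address3"]}

if __name__ == "__main__":
    AP, H1, R1 = "02-00-00-00-00-01", "02-00-00-00-00-02", "02-00-00-00-00-03"
    frame = build_frame(AP, H1, R1, b"hello from H1", seq=7)
    print(roles_host_to_ap(parse_frame(frame)))
    print("tampered frame valid?", is_valid(frame[:-1] + b"\x00"))
```

Address 3 is what lets the AP hand the datagram to the wired side: it names the router interface the host cannot reach directly, which is why a plain two-address Ethernet header is not enough on the wireless side.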

Network Security

What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 62: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

RIP ( Routing Information Protocol)

Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric of hops (max = 15 hops)

of hops of subnets traversed along the shortest path from src router to dst subnet (eg src = A)

DC

BA

u v

w

x

yz

destination hops u 1 v 2 w 2 x 3 y 3 z 2

RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address


RIP advertisements

Distance vectors exchanged among neighbors every 30 sec via Response Message (also called advertisement)

Each advertisement: list of up to 25 destination nets within AS

OSPF (Open Shortest Path First)

"open": publicly available
Uses Link State algorithm: LS packet dissemination; topology map at each node; route computation using Dijkstra's algorithm; link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding); carried in OSPF messages directly over IP (rather than TCP or UDP)

OSPF "advanced" features (not in RIP)

Security: all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link, multiple cost metrics for different TOS (e.g., satellite link cost set "low" for best effort, high for real time)

Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology database as OSPF

Hierarchical OSPF in large domains

Hierarchical OSPF

Two-level hierarchy: local area, backbone
Link-state advertisements only in area; each node has detailed area topology

Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers

Backbone routers: run OSPF routing limited to backbone

Boundary routers: connect to other ASs

Internet inter-AS routing: BGP

BGP (Border Gateway Protocol): the de facto standard

BGP provides each AS a means to:
1. Obtain subnet reachability information from neighboring ASs
2. Propagate the reachability information to all routers internal to the AS
3. Determine "good" routes to subnets based on reachability information and policy

Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
Note that BGP sessions do not correspond to physical links
When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
AS2 can aggregate prefixes in its advertisement

(Figure: routers 1a-1d in AS1, 2a-2c in AS2, 3a-3c in AS3; eBGP sessions between ASs, iBGP sessions within an AS)

Path attributes & BGP routes

When advertising a prefix, advert includes BGP attributes: prefix + attributes = "route"

Two important attributes:
AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)

When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy: Inter-AS: admin wants control over how its traffic is routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed

Scale: hierarchical routing saves table size, reduced update traffic

Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links (wired links, wireless links, LANs)
layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)

Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates
Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access; access to channel in "rounds"; each station gets fixed-length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
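A numerical check of this derivation, added here as an example (not from the slides; the function names are mine): it evaluates Np(1-p)^(N-1), locates p* by search, and compares the N-to-infinity value with 1/e and with a constructed slot simulation.

```python
"""Slotted ALOHA efficiency, worked numerically with the slides' symbols.

Added example, not from the original slides. N nodes each transmit in a
slot with probability p; a slot is a success when exactly one node sends.
"""
import math
import random


def node_success_prob(n: int, p: float) -> float:
    """P(node 1 transmits and the other N-1 stay silent) = p(1-p)^(N-1)."""
    return p * (1.0 - p) ** (n - 1)


def slot_success_prob(n: int, p: float) -> float:
    """P(some node succeeds) = Np(1-p)^(N-1): the N "only node i sends"
    events are disjoint, so their probabilities simply add."""
    return n * node_success_prob(n, p)


def best_p(n: int, steps: int = 10_000) -> float:
    """The p that maximizes Np(1-p)^(N-1), found by grid search on (0, 1).
    Calculus gives p* = 1/N; the search lets the reader confirm it."""
    best_value, best_eff = 0.0, -1.0
    for i in range(1, steps):
        p = i / steps
        eff = slot_success_prob(n, p)
        if eff > best_eff:
            best_value, best_eff = p, eff
    return best_value


def max_efficiency(n: int) -> float:
    """Efficiency at p* = 1/N, i.e. (1 - 1/N)^(N-1); tends to 1/e as N grows."""
    return slot_success_prob(n, 1.0 / n)


def simulate_efficiency(n: int, p: float, slots: int, seed: int = 1) -> float:
    """Monte-Carlo check: fraction of slots in which exactly one of N
    always-busy nodes transmits (constructed simulation, fixed seed)."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            successes += 1
    return successes / slots


if __name__ == "__main__":
    for n in (2, 5, 10, 100, 1000):
        print(f"N={n:5d}  p*={best_p(n):.4f}  max efficiency={max_efficiency(n):.4f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
    print(f"simulated N=50, p=1/50: {simulate_efficiency(50, 1 / 50, 20_000):.3f}")
```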

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission
Human analogy: don't interrupt others!

CSMA collisions

Collisions can still occur: propagation delay means two nodes may not hear each other's transmission
Collision: entire packet transmission time wasted

(Figure: spatial layout of nodes) Note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
Collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection (figure)

"Taking Turns" MAC protocols

Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)

Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

(Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)

ARP protocol: Same LAN (network)

A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

Walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

(Figure: A -- R -- B)

A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame; R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
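The two slides above (same-LAN ARP and the A-to-R-to-B walkthrough) as one small simulation, added here as an example and not from the slides; all addresses are constructed sample values except R's 111.111.111.110 / E6-E9-00-17-BB-4B, which the slide gives, and the soft-state ARP cache expires after the slide's 20-minute TTL.

```python
"""ARP resolution plus the slides' "send from A to B via R" walkthrough.

Added example, not from the original slides. Host A and router R share LAN1,
router R and host B share LAN2, so one IP datagram from A to B travels in two
different link-layer frames. Addresses are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60  # seconds; the slides' "typically 20 min"


def network_of(ip: str) -> str:
    """Constructed convention: every LAN here is a /24 (first three octets)."""
    return ip.rsplit(".", 1)[0]


@dataclass
class Node:
    name: str
    ifaces: dict                          # LAN name -> (IP address, MAC address)
    default_router: Optional[str] = None  # next-hop IP for off-LAN destinations
    arp: dict = field(default_factory=dict)   # IP -> (MAC, expiry time): soft state
    delivered: list = field(default_factory=list)

    def lan_for(self, ip: str) -> Optional[str]:
        """Routing-table lookup: which attached LAN holds this IP, if any."""
        for lan, (my_ip, _) in self.ifaces.items():
            if network_of(my_ip) == network_of(ip):
                return lan
        return None


@dataclass
class Simulation:
    nodes: list
    trace: list = field(default_factory=list)  # (LAN, dst MAC, src MAC, what)

    def on_lan(self, lan: str) -> list:
        return [n for n in self.nodes if lan in n.ifaces]

    def arp_resolve(self, node: Node, lan: str, ip: str, now: float) -> str:
        """Return ip's MAC on lan, using node's cache if the entry is fresh."""
        cached = node.arp.get(ip)
        if cached and cached[1] > now:
            return cached[0]
        my_ip, my_mac = node.ifaces[lan]
        self.trace.append((lan, BROADCAST, my_mac, f"ARP query: who has {ip}?"))
        for other in self.on_lan(lan):      # every adapter receives the broadcast
            o_ip, o_mac = other.ifaces[lan]
            if o_ip == ip:                  # only the owner answers, by unicast
                self.trace.append((lan, my_mac, o_mac, f"ARP reply: {ip} is at {o_mac}"))
                node.arp[ip] = (o_mac, now + ARP_TTL)
                return o_mac
        raise LookupError(f"{ip} not found on {lan}")

    def send(self, node: Node, dst_ip: str, data: str, now: float) -> None:
        """Host sends an IP datagram; the source IP is its only interface."""
        src_ip = next(iter(node.ifaces.values()))[0]
        self._forward(node, src_ip, dst_ip, data, now)

    def _forward(self, node: Node, src_ip: str, dst_ip: str, data: str, now: float) -> None:
        lan = node.lan_for(dst_ip)
        next_hop = dst_ip if lan else node.default_router
        if next_hop is None:
            raise LookupError(f"{node.name}: no route to {dst_ip}")
        lan = lan or node.lan_for(next_hop)
        next_mac = self.arp_resolve(node, lan, next_hop, now)
        my_mac = node.ifaces[lan][1]
        # A new frame per hop: link-layer addresses change, the IP header does not.
        self.trace.append((lan, next_mac, my_mac, f"IP {src_ip} -> {dst_ip}: {data}"))
        for other in self.on_lan(lan):
            if other.ifaces[lan][1] != next_mac:
                continue                    # frame not addressed to this adapter
            if other.ifaces[lan][0] == dst_ip:
                other.delivered.append((src_ip, data))
            else:                           # router: strip the frame, route the datagram
                self._forward(other, src_ip, dst_ip, data, now)


def build_walkthrough():
    """Constructed topology: A -- LAN1 -- R -- LAN2 -- B."""
    a = Node("A", {"LAN1": ("111.111.111.111", "00-11-22-33-44-AA")},
             default_router="111.111.111.110")
    r = Node("R", {"LAN1": ("111.111.111.110", "E6-E9-00-17-BB-4B"),
                   "LAN2": ("222.222.222.220", "00-11-22-33-44-CC")})
    b = Node("B", {"LAN2": ("222.222.222.222", "00-11-22-33-44-BB")},
             default_router="222.222.222.220")
    return Simulation([a, r, b]), a, r, b


if __name__ == "__main__":
    sim, a, r, b = build_walkthrough()
    sim.send(a, "222.222.222.222", "hello B", now=0)
    for lan, dst, src, what in sim.trace:
        print(f"{lan}: {src} -> {dst}: {what}")
    print("B received:", b.delivered)
```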

Ethernet uses CSMA/CD

No slots
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3} …
after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency

t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
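The backoff schedule from the algorithm and "more" slides and the efficiency formula above, worked with numbers; this is an added example, not from the slides, and the function names are mine (the range cap after ten collisions follows the 802.3 standard, which the slides only show up to ten).

```python
"""Ethernet CSMA/CD: the exponential backoff schedule and the efficiency
formula from the slides, worked with numbers.

Added example, not from the original slides; the function names are mine.
Rates are in bits per second, times in seconds.
"""
import random

SLOT_BITS = 512      # backoff unit: K * 512 bit times
JAM_BITS = 48        # jam signal length
BACKOFF_CAP = 10     # K's range stops growing after the 10th collision (802.3)


def backoff_range(m: int) -> int:
    """Largest K after the m-th collision: 2^min(m, 10) - 1.
    Slides: m=1 -> {0,1}, m=2 -> {0..3}, m=10 -> {0..1023}. Freezing the
    range after ten collisions is the 802.3 rule; the slides stop at ten."""
    if m < 1:
        raise ValueError("m counts collisions starting at 1")
    return 2 ** min(m, BACKOFF_CAP) - 1


def bit_time(rate_bps: float) -> float:
    """Time to put one bit on the wire: 0.1 microsecond at 10 Mbps."""
    return 1.0 / rate_bps


def backoff_delay(k: int, rate_bps: float) -> float:
    """Wait time for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time(rate_bps)


def choose_backoff(m: int, rng: random.Random) -> int:
    """Adapter's random draw after the m-th collision."""
    return rng.randint(0, backoff_range(m))


def mean_backoff_delay(m: int, rate_bps: float) -> float:
    """Expected wait after the m-th collision (K uniform on 0..2^m - 1):
    it grows with the collision count, which is how the wait adapts to load."""
    return backoff_delay(backoff_range(m), rate_bps) / 2.0


def csmacd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slides' approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def ethernet_efficiency(rate_bps: float, frame_bits: int, span_m: float,
                        speed_mps: float = 2.0e8) -> float:
    """Efficiency for a max-size frame on a LAN of the given span: t_trans is
    frame length over the rate, t_prop is span over propagation speed."""
    return csmacd_efficiency(span_m / speed_mps, frame_bits / rate_bps)


if __name__ == "__main__":
    rng = random.Random(7)   # fixed seed so the demo is repeatable
    for m in (1, 2, 3, 10, 12):
        k = choose_backoff(m, rng)
        print(f"collision {m:2d}: K in 0..{backoff_range(m):4d}, drew K={k:4d}, "
              f"wait {backoff_delay(k, 10e6) * 1e6:8.1f} us at 10 Mbps")
    print(f"K=1023 at 10 Mbps waits {backoff_delay(1023, 10e6) * 1e3:.1f} ms")
    # 1500-byte frame (12000 bits) on a 2.5 km LAN at 10 Mbps, then at 1 Gbps
    print(f"10 Mbps: {ethernet_efficiency(10e6, 12000, 2500):.3f}")
    print(f"1 Gbps:  {ethernet_efficiency(1e9, 12000, 2500):.3f}")
```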

Hubs

Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality: can disconnect a malfunctioning adapter

(Figure: hub with twisted-pair links)

Interconnecting with hubs

Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs

(Figure: four hubs, a backbone hub connecting three others)

Switch

Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured

Forwarding

How to determine onto which LAN segment to forward frame? Looks like a routing problem...

(Figure: switch with interfaces 1, 2, 3, each connected to a hub)

Self learning

A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table

Switch: traffic isolation

Switch installation breaks subnet into LAN segments
Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains

(Figure: switch connected to three hubs, each hub forming its own collision domain)
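The self-learning and filtering behaviour of the last three slides as one simulation, added here as an example and not from the slides; MAC addresses and frames are constructed, and flooding of a not-yet-learned destination is standard switch behaviour that the slides do not spell out.

```python
"""A self-learning, filtering Ethernet switch as the slides describe it.

Added example, not from the original slides; MAC addresses and frames are
constructed sample values, and time is an explicit number of seconds.
"""

BROADCAST = "FF-FF-FF-FF-FF-FF"
SWITCH_TTL = 60 * 60   # switch-table entry lifetime; the slides' "TTL can be 60 min"


class LearningSwitch:
    def __init__(self, interfaces, ttl=SWITCH_TTL):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}   # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        """Entries older than the TTL are forgotten."""
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > self.ttl]
        for mac in stale:
            del self.table[mac]

    def handle(self, src_mac, dst_mac, in_iface, now):
        """Process one frame arriving on in_iface; return the interfaces it
        is forwarded out of (an empty list means the frame was filtered)."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown interface {in_iface}")
        self._drop_stale(now)
        # self-learning: the sender is reachable via the interface the frame came in on
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            # broadcast or unknown destination: flood out every other interface
            # (flooding unknown destinations is standard switch behaviour, not on the slides)
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []          # filtering: same-LAN-segment frame, the hub already delivered it
        return [out_iface]     # selective forwarding onto one segment


def run_frames(switch, frames):
    """Feed (src, dst, in_iface, now) tuples through the switch and return the
    per-frame output interfaces, so learning and filtering can be followed."""
    return [switch.handle(*f) for f in frames]


if __name__ == "__main__":
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    sw = LearningSwitch(["1", "2", "3"])
    demo = [(A, B, "1", 0),                 # B unknown: flood out 2 and 3
            (B, A, "2", 1),                 # A known on 1: forward to 1 only
            (C, A, "1", 2),                 # A and C on the same segment: filtered
            (C, B, "1", 3),                 # B known on 2: forward to 2
            (A, B, "1", 4 + SWITCH_TTL)]    # everything stale: back to flooding
    for frame, out in zip(demo, run_frames(sw, demo)):
        print(frame, "->", out or "filtered")
    print("switch table:", sw.table)
```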

Switches vs. Routers

Both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices
Routers maintain routing tables, implement routing algorithms
Switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B
(Figure: A, B, C with overlapping radio ranges)

Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B
(Figure: A's signal strength and C's signal strength plotted against space)

IEEE 802.11 Wireless LAN

802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code; widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

Wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
Ad hoc mode: hosts only

(Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

(Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)

Collision Avoidance: RTS-CTS exchange

(Figure, time running downward: A and B send RTS(A) and RTS(B) at the same time: reservation collision; A sends RTS(A) again; AP answers CTS(A), heard by both A and B; A sends DATA(A) while B defers; AP returns ACK(A))

(Figure: 802.11 frame format: frame control (2 bytes), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4))

802.11 frame addressing

Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode

802.11 frame addressing (example)

(Figure: H1 -- AP -- R1 -- Internet)
802.11 frame: address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr; source address = AP MAC addr

Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap5.0
  • ap5.0 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol CSMA/CA
  • Collision Avoidance RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
Page 64: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

OSPF (Open Shortest Path First)

ldquoopenrdquo publicly available Uses Link State algorithm

LS packet dissemination Topology map at each node Route computation using Dijkstrarsquos algorithm Link costs configured by the network administrator

OSPF advertisement carries one entry per neighbor router

Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than

TCP or UDP

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if channel sensed idle for DIFS, then transmit entire frame (no collision detection)
2. if channel sensed busy, then
   - start random backoff timer
   - timer counts down while channel is idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
• if frame received OK, return ACK after SIFS (ACK needed because of the hidden terminal problem)

[timing diagram: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange

[timing diagram with A, AP and B: RTS(A) and RTS(B) are sent at the same time and collide at the AP (reservation collision); A resends RTS(A); the AP broadcasts CTS(A), heard by both A and B; A sends DATA(A) while B defers; the AP returns ACK(A)]

802.11 frame format (field lengths in bytes)

frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
      2       |    2     |     6     |     6     |     6     |      2      |     6     | 0 - 2312 |  4

802.11 frame: addressing
• Address 1: MAC address of the wireless host or AP that is to receive this frame
• Address 2: MAC address of the wireless host or AP transmitting this frame
• Address 3: MAC address of the router interface to which the AP is attached
• Address 4: present only when both the To-DS and From-DS bits are set, i.e. when frames are relayed between APs over a wireless distribution link; ordinary infrastructure and ad hoc frames carry three addresses

802.11 frame addressing (more): H1 sends to router R1 through the AP

802.11 frame (H1 -> AP):  address 1 = AP MAC addr | address 2 = H1 MAC addr | address 3 = R1 MAC addr
802.3 frame (AP -> R1):   dest address = R1 MAC addr | source address = H1 MAC addr

The AP acts as a link-layer bridge: it keeps H1's address as the 802.3 source, which is how R1 learns H1's MAC address for its replies.
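The address rules above, as an added worked example that is not code from the slides: a small Python parser for the 802.11 data-frame header that applies the To-DS/From-DS address table, plus the AP's translation to and from an 802.3 frame for the H1 <-> R1 scenario. The MAC addresses, the LLC/SNAP encapsulation of the payload and the IPv4 stand-in bytes are constructed; the FCS is computed with zlib's CRC-32, which uses the same polynomial as 802.11 and Ethernet.

```python
"""802.11 data-frame addressing and the AP's 802.11 <-> 802.3 translation.
Added worked example, not code from the original slides. Addresses, payload
bytes and the SNAP framing are constructed for the H1 <-> R1 scenario."""
import struct
import zlib

# LLC/SNAP header (DSAP, SSAP, control, OUI) that precedes the EtherType in an 802.11 data payload
SNAP = bytes.fromhex("aaaa03000000")
ETHERTYPE_IPV4 = b"\x08\x00"


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


# Constructed addresses for the slide scenario (assumed values, not from the page)
H1 = mac("02:00:00:00:00:01")   # wireless host
AP = mac("02:00:00:00:00:aa")   # access point; also the BSSID
R1 = mac("02:00:00:00:00:f1")   # router interface on the AP's wired LAN


def fcs(body):
    """Frame check sequence: CRC-32 over header + payload."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_80211(to_ds, from_ds, a1, a2, a3, payload, a4=None, seq=0):
    """Assemble an 802.11 data frame (type 2, subtype 0) with the given DS bits and addresses."""
    fc = (2 << 2) | (to_ds << 8) | (from_ds << 9)   # frame control: type=2 (data), b8=To-DS, b9=From-DS
    hdr = struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4)
    if to_ds and from_ds:                           # address 4 exists only in this case
        hdr += a4
    body = hdr + payload
    return body + fcs(body)


def parse_80211(frame):
    """Decode the header and apply the To-DS/From-DS address table of the standard."""
    body, tail = frame[:-4], frame[-4:]
    if fcs(body) != tail:
        raise ValueError("bad FCS")
    fc, = struct.unpack_from("<H", frame, 0)
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:          # AP-to-AP (wireless distribution): a1=RA, a2=TA, a3=DA, a4=SA
        sa, da, bssid, hdr_len = frame[24:30], a3, None, 30
    elif to_ds:                    # host -> AP: a1=AP (BSSID), a2=SA, a3=DA
        bssid, sa, da = a1, a2, a3
    elif from_ds:                  # AP -> host: a1=DA, a2=AP (BSSID), a3=SA
        da, bssid, sa = a1, a2, a3
    else:                          # ad hoc (IBSS): a1=DA, a2=SA, a3=BSSID
        da, sa, bssid = a1, a2, a3
    return {"type": (fc >> 2) & 3, "to_ds": to_ds, "from_ds": from_ds,
            "da": da, "sa": sa, "bssid": bssid, "payload": body[hdr_len:]}


def ap_to_8023(frame):
    """What the AP puts on the wire: DA and SA are kept, LLC/SNAP is replaced by the EtherType."""
    p = parse_80211(frame)
    if not p["to_ds"] or not p["payload"].startswith(SNAP):
        raise ValueError("not an upstream SNAP-encapsulated data frame")
    ethertype, data = p["payload"][6:8], p["payload"][8:]
    return p["da"] + p["sa"] + ethertype + data


def ap_to_80211(eth_frame, bssid):
    """Reverse direction: a wired 802.3 frame relayed to a wireless host (From-DS = 1)."""
    dst, src, ethertype, data = eth_frame[:6], eth_frame[6:12], eth_frame[12:14], eth_frame[14:]
    return build_80211(0, 1, dst, bssid, src, SNAP + ethertype + data)


def demo():
    """H1 -> R1 through the AP, then R1's reply back to H1; returns (uplink, wired, downlink)."""
    datagram = bytes.fromhex("45000014") + bytes(16)        # constructed 20-byte IPv4 header stand-in
    uplink = build_80211(1, 0, AP, H1, R1, SNAP + ETHERTYPE_IPV4 + datagram)
    wired = ap_to_8023(uplink)
    reply = H1 + R1 + ETHERTYPE_IPV4 + datagram              # R1 answers with a plain Ethernet frame
    downlink = ap_to_80211(reply, AP)
    return uplink, wired, downlink


if __name__ == "__main__":
    up, wire, down = demo()
    for label, f in (("uplink", up), ("downlink", down)):
        p = parse_80211(f)
        print(label, "DA", p["da"].hex(":"), "SA", p["sa"].hex(":"), "BSSID", p["bssid"].hex(":"))
    print("802.3 dest", wire[:6].hex(":"), "src", wire[6:12].hex(":"))
```

Running the block prints the same three-address layout as the slide for the uplink frame (address 1 = AP, 2 = H1, 3 = R1) and the mirrored layout for the downlink (address 1 = H1, 2 = AP, 3 = R1); the 802.3 frame the AP emits carries H1, not the AP, as its source.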

Network Security
• What is network security?
• Principles of cryptography: symmetric key, public key
• Authentication: protocol evolution
• Access control: firewalls
• Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm: example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF “advanced” features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing?
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • “Taking Turns” MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs. Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame: addressing
  • Slide 105
  • Network Security
Page 65: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

OSPF ldquoadvancedrdquo features (not in RIP)

Security all OSPF messages authenticated (to prevent malicious intrusion)

Multiple same-cost paths allowed (only one path in RIP)

For each link multiple cost metrics for different TOS (eg satellite link cost set ldquolowrdquo for best effort high for real time)

Integrated uni- and multicast support Multicast OSPF (MOSPF) uses same topology

data base as OSPF Hierarchical OSPF in large domains

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 66: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Hierarchical OSPF

Hierarchical OSPF

Two-level hierarchy local area backboneLink-state advertisements only in area each node has detailed area topology

Area border routers ldquosummarizerdquo distances to nets in own area advertise to other Area Border routers

Backbone routers run OSPF routing limited to backbone

Boundary routers connect to other ASrsquos

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
- means A, C unaware of their interference at B

Signal fading
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B

[figures: A, B, C with overlapping ranges; A's and C's signal strength plotted against space]

IEEE 802.11 Wireless LAN

802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer
  - all hosts use same chipping code
- widely deployed, using base stations

802.11a
- 5-6 GHz range
- up to 54 Mbps

802.11g
- 2.4-5 GHz range
- up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

- wireless host communicates with base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
- ad hoc mode: hosts only

[figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange

[figure, time running downward: A and B both send RTS to the AP; RTS(A) and RTS(B) collide; A resends RTS(A); the AP broadcasts CTS(A), the reservation; A sends DATA(A); the AP returns ACK(A); B hears CTS(A) and defers]

802.11 frame (field sizes in bytes):

  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
        2       |    2     |     6     |     6     |     6     |      2      |     6     | 0 - 2312 |  4

802.11 frame: addressing

- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode

802.11 frame addressing (example)

[figure: H1 -- AP -- R1 -- Internet]

802.11 frame (H1 to AP):
  address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame (AP to R1):
  dest address = R1 MAC addr, source address = AP MAC addr
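A parser for the 802.11 data-frame layout and address fields described above, added here as an example (not code from the slides). It assumes the 4-byte CRC is the same CRC-32 as 802.3 and is stored little-endian; the sample frame and its MAC addresses are constructed.

```python
"""Parse the 802.11 data frame layout on the slide (sizes in bytes: frame
control 2, duration 2, address 1/2/3 6 each, seq control 2, address 4 6,
payload 0-2312, CRC 4). Added example, not lecture code. Assumptions:
the CRC is CRC-32 as in 802.3, little-endian; sample values are constructed."""
import struct
import zlib

HEADER_FMT = "<HH6s6s6sH6s"          # little-endian header fields in slide order
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 30 bytes
MAX_PAYLOAD = 2312
CRC_LEN = 4
DATA_FRAME_FC = 0x0008               # frame control: protocol 0, type data, subtype 0


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def mac_bytes(s):
    raw = bytes(int(x, 16) for x in s.split("-"))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address {s!r}")
    return raw


def parse_frame(buf):
    """Split a raw frame into its fields; raises ValueError on bad length or CRC."""
    if len(buf) < HEADER_LEN + CRC_LEN:
        raise ValueError("frame shorter than header plus CRC")
    if len(buf) - HEADER_LEN - CRC_LEN > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body, crc = buf[:-CRC_LEN], buf[-CRC_LEN:]
    if struct.unpack("<I", crc)[0] != zlib.crc32(body):
        raise ValueError("CRC mismatch")      # corrupted in transit: drop, no ACK
    fc, dur, a1, a2, a3, seq, a4 = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    return {
        "frame_control": fc,
        "duration": dur,
        "address1": mac_str(a1),   # wireless host or AP that receives this frame
        "address2": mac_str(a2),   # wireless host or AP transmitting this frame
        "address3": mac_str(a3),   # router interface the AP is attached to
        "seq_control": seq,
        "address4": mac_str(a4),   # only used in ad hoc mode
        "payload": body[HEADER_LEN:],
    }


def build_frame(addr1, addr2, addr3, payload, addr4="00-00-00-00-00-00",
                fc=DATA_FRAME_FC, duration=0, seq=0):
    """Serialize a frame in the slide's layout and append its CRC."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = struct.pack(HEADER_FMT, fc, duration, mac_bytes(addr1), mac_bytes(addr2),
                       mac_bytes(addr3), seq, mac_bytes(addr4)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def frame_is_valid(buf):
    try:
        parse_frame(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed example: H1 sends to the AP, destined for router interface R1
    frm = build_frame("02-00-00-00-00-01", "02-00-00-00-00-02", "02-00-00-00-00-03", b"hello")
    for k, v in parse_frame(frm).items():
        print(f"{k:14s} {v}")
```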

Network Security

- What is network security?
- Principles of cryptography
  - Symmetric Key
  - Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures
  - Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm: example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame: addressing
  • Slide 105
  • Network Security

Hierarchical OSPF

- Two-level hierarchy: local area, backbone
  - Link-state advertisements only in area
  - each node has detailed area topology
- Area border routers: "summarize" distances to nets in own area, advertise to other Area Border routers
- Backbone routers: run OSPF routing limited to backbone
- Boundary routers: connect to other AS's

Internet inter-AS routing: BGP

- BGP (Border Gateway Protocol): the de facto standard
- BGP provides each AS a means to:
  1. Obtain subnet reachability information from neighboring ASs
  2. Propagate the reachability information to all routers internal to the AS
  3. Determine "good" routes to subnets based on reachability information and policy
- Allows a subnet to advertise its existence to rest of the Internet: "I am here"

BGP basics

- Pairs of routers (BGP peers) exchange routing info over TCP connections: BGP sessions
- Note that BGP sessions do not correspond to physical links
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
  - AS2 can aggregate prefixes in its advertisement

[figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c), AS3 (3a, 3b, 3c); eBGP sessions between ASes, iBGP sessions within an AS]

Path attributes & BGP routes

- When advertising a prefix, advert includes BGP attributes
  - prefix + attributes = "route"
- Two important attributes:
  - AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67, AS 17
  - NEXT-HOP: indicates the specific internal-AS router to next-hop AS (there may be multiple links from current AS to next-hop AS)
- When gateway router receives route advert, uses import policy to accept/decline

Why different Intra- and Inter-AS routing?

Policy:
- Inter-AS: admin wants control over how its traffic is routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed

Scale:
- hierarchical routing saves table size, reduced update traffic

Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer

Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links
  - wired links
  - wireless links
  - LANs
- layer-2 packet is a frame, encapsulates datagram

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services

- Framing, link access:
  - encapsulate datagram into frame, adding header, trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source, dest
    - different from IP address
- Reliable delivery between adjacent nodes
  - we learned how to do this already (chapter 3)
  - seldom used on low bit error link (fiber, some twisted pair)
  - wireless links: high error rates
    - Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
- Channel Partitioning
  - divide channel into smaller "pieces" (time slots, frequency, code)
  - allocate piece to node for exclusive use
- Random Access
  - channel not divided, allow collisions
  - "recover" from collisions
- "Taking turns"
  - Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
- access to channel in rounds
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, stations 1, 3, 4 have pkt; slots 2, 5, 6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA

Pros
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple

Cons
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency

- Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity: gives 1/e = .37

Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send

At best: channel used for useful transmissions 37% of time

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit
- If channel sensed idle: transmit entire frame
- If channel sensed busy: defer transmission

Human analogy: don't interrupt others

CSMA collisions

- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability

[figure: spatial layout of nodes with transmissions overlapping in time]

CSMA/CD (Collision Detection)

- CSMA/CD: carrier sensing, deferral as in CSMA
  - collisions detected within short time
  - colliding transmissions aborted, reducing channel wastage
- collision detection:
  - easy in wired LANs: measure signal strengths, compare transmitted, received signals
  - difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[figure: two nodes detect the collision and abort shortly after it occurs]

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)

Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[figure: A -- R -- B, A and R on one LAN, R and B on another]

- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
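The same-LAN ARP exchange and the A-to-B-via-R walkthrough above, as one added simulation (not code from the slides): each node keeps an ARP table per interface with soft-state entries that expire after the TTL, queries by broadcast when an entry is missing, and the router keeps one table per LAN. Only 111.111.111.110 and E6-E9-00-17-BB-4B come from the slide; the other addresses are constructed.

```python
"""ARP on a LAN and forwarding to another LAN through router R, following
the two slides above. Each IP node keeps an ARP table per interface of
<IP address; MAC address; TTL> entries, broadcasts a query when an entry
is missing, and caches the unicast reply as soft state that times out.
Added example, not lecture code; addresses marked 'constructed' are made
up for the demo, the two marked 'slide' are the ones the slide shows."""
import ipaddress

ARP_TTL = 20 * 60            # typically 20 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Lan:
    """One LAN segment: every attached interface sees a broadcast frame."""
    def __init__(self):
        self.members = []    # (node, interface name)

    def arp_query(self, target_ip):
        # all machines on the LAN receive the query; only the owner of
        # target_ip answers, with its own MAC address
        for node, ifname in self.members:
            if node.ips[ifname] == target_ip:
                return node.macs[ifname]
        return None

    def owner(self, mac):
        for node, ifname in self.members:
            if node.macs[ifname] == mac:
                return node
        raise LookupError(mac)


class Node:
    def __init__(self, name):
        self.name = name
        self.ips, self.macs, self.lans, self.arp = {}, {}, {}, {}
        self.routes = []     # (network, next-hop IP or None if directly attached, ifname)

    def attach(self, ifname, ip, mac, lan):
        self.ips[ifname], self.macs[ifname], self.lans[ifname] = ip, mac, lan
        self.arp[ifname] = {}            # one ARP table per IP network (LAN)
        lan.members.append((self, ifname))

    def route(self, dst_ip):
        """Longest-prefix match in the routing table."""
        addr = ipaddress.ip_address(dst_ip)
        return max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)

    def resolve(self, ifname, ip, now, log):
        """Return the MAC for ip on this interface, querying the LAN if needed."""
        table = self.arp[ifname]
        if ip in table and table[ip][1] > now:
            return table[ip][0]          # fresh cached entry: no query sent
        table.pop(ip, None)              # soft state: a stale entry goes away
        log.append(f"{self.name} broadcasts ARP query for {ip} (dest {BROADCAST})")
        mac = self.lans[ifname].arp_query(ip)
        if mac is None:
            raise LookupError(f"{ip} is not on the LAN of {self.name}/{ifname}")
        log.append(f"{ip} replies to {self.name} (unicast): {mac}")
        table[ip] = (mac, now + ARP_TTL)  # cache until it times out
        return mac


def deliver(src, dst_ip, now, log):
    """Carry one datagram from src to dst_ip hop by hop; returns the list of
    (source MAC, dest MAC) pairs of the link-layer frames that were sent."""
    frames, node = [], src
    while True:
        _, next_hop, ifname = node.route(dst_ip)
        target = next_hop or dst_ip                 # router, or B itself if on this LAN
        mac = node.resolve(ifname, target, now, log)
        frames.append((node.macs[ifname], mac))
        node = node.lans[ifname].owner(mac)         # adapter that receives the frame
        if dst_ip in node.ips.values():
            return frames                           # datagram has reached B
        # otherwise R removes the datagram from the frame and repeats on its other LAN


def build_topology():
    lan1, lan2 = Lan(), Lan()
    a, r, b = Node("A"), Node("R"), Node("B")
    a.attach("eth0", "111.111.111.111", "02-00-00-00-00-A1", lan1)   # constructed
    r.attach("eth0", "111.111.111.110", "E6-E9-00-17-BB-4B", lan1)   # slide
    r.attach("eth1", "222.222.222.220", "02-00-00-00-00-C2", lan2)   # constructed
    b.attach("eth0", "222.222.222.222", "02-00-00-00-00-B1", lan2)   # constructed
    net1 = ipaddress.ip_network("111.111.111.0/24")
    net2 = ipaddress.ip_network("222.222.222.0/24")
    default = ipaddress.ip_network("0.0.0.0/0")
    a.routes = [(net1, None, "eth0"), (default, "111.111.111.110", "eth0")]
    r.routes = [(net1, None, "eth0"), (net2, None, "eth1")]
    b.routes = [(net2, None, "eth0")]
    return a, r, b


if __name__ == "__main__":
    a, r, b = build_topology()
    log = []
    print(deliver(a, "222.222.222.222", now=0, log=log))
    print("\n".join(log))
```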

Ethernet uses CSMA/CD

- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
  - heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3} ...
- after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
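Steps 2 to 5 of the algorithm with the backoff rule from the slides, as an added example (not lecture code): K is drawn from {0, ..., 2^m - 1} after the m-th collision with the exponent capped at 10, the wait is K * 512 bit times, and the expected wait grows with the collision count. The 16-attempt give-up limit is the Ethernet standard's, not the slides'.

```python
"""Ethernet CSMA/CD exponential backoff, as on the slides: after the m-th
collision the adapter picks K uniformly from {0, 1, ..., 2^m - 1}, with
m capped at 10 (so K <= 1023), and waits K * 512 bit times.
Added example, not lecture code. The attempt limit of 16 comes from the
Ethernet standard, not from the slides."""
import random

SLOT_BITS = 512
BIT_TIME_10MBPS = 0.1e-6      # 0.1 microsec per bit at 10 Mbps
MAX_EXPONENT = 10             # after ten collisions K is drawn from {0..1023}
MAX_ATTEMPTS = 16             # standard's limit; the frame is then given up on


def backoff_range(m):
    """Largest K the adapter may choose after the m-th collision."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_EXPONENT) - 1


def choose_k(m, rng=random):
    """Step 5: pick K uniformly from {0, ..., 2^m - 1}."""
    return rng.randint(0, backoff_range(m))


def wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """K * 512 bit times, in seconds (K=1023 gives about 50 msec at 10 Mbps)."""
    return k * SLOT_BITS * bit_time


def mean_wait_seconds(m, bit_time=BIT_TIME_10MBPS):
    """Expected backoff after the m-th collision: E[K] = (2^m - 1) / 2."""
    return backoff_range(m) / 2 * SLOT_BITS * bit_time


def seeded_rng(seed):
    return random.Random(seed)


def transmit_with_backoff(collides_on_attempt, max_attempts=MAX_ATTEMPTS, rng=random):
    """Run steps 2-5 for one frame. collides_on_attempt(n) says whether the
    n-th transmission attempt (1-based) collides, standing in for the channel.
    Returns (attempt number that succeeded, or None if given up; list of K drawn)."""
    ks = []
    for attempt in range(1, max_attempts + 1):
        if not collides_on_attempt(attempt):
            return attempt, ks            # step 3: entire frame sent, done
        # step 4 (abort, jam signal) then step 5: this was the attempt-th collision
        ks.append(choose_k(attempt, rng))
    return None, ks


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        print(f"collision {m:2d}: K in [0, {backoff_range(m):4d}], "
              f"mean wait {mean_wait_seconds(m) * 1e3:.3f} ms")
    print(transmit_with_backoff(lambda n: n <= 3, rng=seeded_rng(7)))
```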

CSMA/CD efficiency

- t_prop = max prop delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame

$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$

- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 68: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Internet inter-AS routing BGP

BGP (Border Gateway Protocol) the de facto standard

BGP provides each AS a means to1 Obtain subnet reachability information from

neighboring ASs2 Propagate the reachability information to all

routers internal to the AS3 Determine ldquogoodrdquo routes to subnets based

on reachability information and policy Allows a subnet to advertise its

existence to rest of the Internet ldquoI am hererdquo

BGP basics Pairs of routers (BGP peers) exchange routing info over

TCP conections BGP sessions Note that BGP sessions do not correspond to physical links When AS2 advertises a prefix to AS1 AS2 is promising it

will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement

3b

1d

3a

1c2aAS3

AS1

AS21a

2c

2b

1b

3c

eBGP session

iBGP session

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs. Routers
Both are store-and-forward devices:
- routers: network-layer devices (examine network-layer headers)
- switches: link-layer devices
Routers maintain routing tables and implement routing algorithms; switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                     hubs    switches    routers
traffic isolation    no      yes         yes
plug & play          yes     yes         no
optimal routing      no      no          yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem:
- B and A hear each other
- B and C hear each other
- A and C cannot hear each other
This means A and C are unaware of their interference at B.

Signal fading:
- B and A hear each other
- B and C hear each other
- A and C cannot hear each other, because each one's signal has attenuated too much by the time it reaches the other; they still interfere at B

[figure: A, B and C in a line, with A's and C's signal strength decaying with distance]

IEEE 802.11 Wireless LAN
802.11b
- 2.4 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code
- widely deployed, using base stations
802.11a
- 5 GHz band
- up to 54 Mbps
802.11g
- 2.4 GHz band
- up to 54 Mbps
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.

802.11 LAN architecture
- a wireless host communicates with a base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP), the base station
- ad hoc mode: hosts only

[figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, transmit the entire frame (no collision detection).
2. If the channel is sensed busy:
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK arrives, increase the random backoff interval and repeat step 2
802.11 receiver:
- if the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem: the sender cannot detect collisions itself)

[figure: sender waits DIFS and sends data; receiver waits SIFS and returns ACK]

Collision Avoidance: RTS-CTS exchange

[figure, time running downwards: A and B both send a short RTS to the AP and the two RTS frames collide at the AP (reservation collision); A retransmits RTS(A); the AP broadcasts CTS(A), which both A and B hear; B defers while A sends DATA(A) and the AP returns ACK(A)]

802.11 frame format (field sizes in bytes):

frame control   duration   address 1   address 2   address 3   seq control   address 4   payload    CRC
2               2          6           6           6           2             6           0 - 2312   4

802.11 frame: addressing
- Address 1: MAC address of the wireless host or AP that is to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: present only when both the To-DS and From-DS bits of the frame control field are set, i.e. in frames relayed between APs over a wireless distribution system; not used in ordinary host-to-AP traffic

Example: H1 sends to router R1 through the AP.
802.11 frame (H1 to AP):  address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (AP to R1):   dest address = R1 MAC addr, source address = H1 MAC addr
The AP acts as a bridge: it does not replace the source address with its own, so R1 sees the frame as coming from H1.
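The frame layout and the addressing rules of the two slides above, as a small parser and builder (added example, not code from the lecture slides). The MAC addresses and payloads are constructed for the H1 / AP / R1 scenario; the bit positions inside the frame control field are those of IEEE 802.11 (first byte: version, type, subtype; second byte: bit 0 = To DS, bit 1 = From DS), and the FCS is computed as CRC-32, the same polynomial Ethernet uses. It goes slightly beyond the slide by also handling the reverse direction (an Ethernet frame arriving at the AP for a wireless host) and the four-address case, and by rejecting a frame whose FCS does not check.

```python
"""Parse and build 802.11 data frames using the slide's field layout, and show the
address translation an AP does between the 802.11 frame and the 802.3 frame.
Added example, not from the lecture slides; addresses and payloads are constructed."""
import struct
import zlib

# Constructed addresses for the slide's scenario: H1 -> AP -> R1
H1_MAC = "1A-2F-BB-76-09-AD"
AP_MAC = "00-1B-2C-3D-4E-5F"
R1_MAC = "E6-E9-00-17-BB-4B"


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split("-"))


def fcs_ok(frame):
    """The 4-byte trailer must equal the CRC-32 of everything before it."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return zlib.crc32(body) & 0xFFFFFFFF == fcs


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, payload, addr4=None, seq=0):
    """Data frame (type 2, subtype 0); address 4 is present only when To DS = From DS = 1."""
    fc0 = 0x08                                       # version 0, type 2 (data), subtype 0
    fc1 = (to_ds & 1) | ((from_ds & 1) << 1)         # To DS = bit 0, From DS = bit 1
    hdr = struct.pack("<BBH", fc0, fc1, 0)           # frame control (2 bytes), duration (2 bytes)
    hdr += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    hdr += struct.pack("<H", (seq & 0xFFF) << 4)     # seq control: 12-bit sequence no, 4-bit fragment no
    if to_ds and from_ds:
        hdr += mac_bytes(addr4)
    body = hdr + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_data_frame(frame):
    """Split a frame into its header fields; raises ValueError on a bad FCS."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: frame corrupted in transit")
    body = frame[:-4]
    fc0, fc1, duration = struct.unpack("<BBH", body[:4])
    fields = {
        "type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4, "duration": duration,
        "to_ds": fc1 & 1, "from_ds": (fc1 >> 1) & 1,
        "addr1": mac_str(body[4:10]), "addr2": mac_str(body[10:16]), "addr3": mac_str(body[16:22]),
        "seq": struct.unpack("<H", body[22:24])[0] >> 4, "addr4": None,
    }
    off = 24
    if fields["to_ds"] and fields["from_ds"]:
        fields["addr4"], off = mac_str(body[24:30]), 30
    fields["payload"] = body[off:]
    return fields


def ap_to_8023(fields):
    """Host -> AP frame (To DS=1, From DS=0): addr1 = AP, addr2 = sender, addr3 = wired destination.
    The AP bridges it as an Ethernet frame with DA = addr3 and SA = addr2 (the host, not the AP)."""
    if not (fields["to_ds"] == 1 and fields["from_ds"] == 0):
        raise ValueError("not a host-to-AP frame")
    return {"dst": fields["addr3"], "src": fields["addr2"], "payload": fields["payload"]}


def ap_from_8023(dst, src, payload, ap_mac=AP_MAC, seq=0):
    """Ethernet frame arriving at the AP for a wireless host: addr1 = host, addr2 = AP, addr3 = wired source."""
    return build_data_frame(0, 1, dst, ap_mac, src, payload, seq=seq)


def demo():
    uplink = build_data_frame(1, 0, AP_MAC, H1_MAC, R1_MAC, b"IP datagram H1->R1", seq=7)
    eth = ap_to_8023(parse_data_frame(uplink))
    downlink = parse_data_frame(ap_from_8023(H1_MAC, R1_MAC, b"IP datagram R1->H1"))
    corrupted = bytearray(uplink)
    corrupted[12] ^= 0x01                            # flip one bit inside address 2
    return {"eth": eth, "downlink": downlink, "corrupted_ok": fcs_ok(bytes(corrupted))}
```

Note that the FCS only detects accidental corruption: anyone who can transmit can compute a valid CRC over forged addresses, so nothing in this header authenticates the sender.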

Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

Page 69

BGP basics
- Pairs of routers (BGP peers) exchange routing information over TCP connections: BGP sessions
- Note that BGP sessions do not correspond to physical links
- When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix
- AS2 can aggregate prefixes in its advertisement

[figure: AS1 (routers 1a-1d), AS2 (2a-2c) and AS3 (3a-3c); eBGP sessions between gateway routers of different ASes, iBGP sessions between routers inside an AS]

Path attributes & BGP routes
- When advertising a prefix, the advertisement includes BGP attributes: prefix + attributes = "route"
- Two important attributes:
  - AS-PATH: contains the ASes through which the advertisement for the prefix has passed, e.g. AS 67, AS 17
  - NEXT-HOP: indicates the specific internal-AS router to the next-hop AS (there may be multiple links from the current AS to the next-hop AS)
- When a gateway router receives a route advertisement, it uses an import policy to accept or decline it
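The two BGP slides above as a toy route exchange (added example, not code from the lecture slides): a route is a prefix plus AS-PATH and NEXT-HOP, a gateway router applies an import policy to accept or decline it, selects among accepted routes, forwards by longest-prefix match, and re-advertises with its own AS prepended. The AS numbers, prefixes, router names and the policy rule ("never use a path through AS 666") are made up for illustration. Two checks that real routers perform before the policy even runs are included because they are the only protection the slide's "promise" has against an advertisement that is simply wrong: a path containing the receiver's own AS is a loop and is dropped, and an eBGP neighbour must appear as the first AS on the path it reports.

```python
"""Toy BGP route exchange: prefix + attributes = route, import policy, route
selection, forwarding lookup and re-advertisement. Added example, not from the
lecture slides; AS numbers, prefixes, router names and the policy are made up."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple      # ASes the advertisement has passed through, nearest AS first
    next_hop: str       # router in the neighbouring AS that advertised the route


class GatewayRouter:
    def __init__(self, asn, import_policy):
        self.asn = asn
        self.import_policy = import_policy   # callable(route, from_asn) -> bool
        self.rib = {}                        # prefix -> list of accepted routes

    def receive(self, route, from_asn):
        """Loop check and neighbour-AS check first, then the local import policy."""
        if self.asn in route.as_path:        # our own AS is already on the path: a loop
            return False
        if route.as_path[0] != from_asn:     # an eBGP neighbour must be first on the path it reports
            return False
        if not self.import_policy(route, from_asn):
            return False
        self.rib.setdefault(route.prefix, []).append(route)
        return True

    def best(self, prefix):
        """Route selection: shortest AS-PATH wins; ties broken on the next-hop name."""
        cands = self.rib.get(prefix, [])
        return min(cands, key=lambda r: (len(r.as_path), r.next_hop)) if cands else None

    def lookup(self, address):
        """Forwarding: longest-prefix match among prefixes that have an accepted route."""
        addr = ipaddress.IPv4Address(address)
        matches = [p for p in self.rib if addr in p]
        return self.best(max(matches, key=lambda p: p.prefixlen)) if matches else None

    def advertise(self, route):
        """Re-advertise a selected route to an eBGP peer: prepend our AS, NEXT-HOP becomes us."""
        return Route(route.prefix, (self.asn,) + route.as_path, next_hop=f"gw-{self.asn}")


def aggregate(prefixes):
    """Prefix aggregation before advertising: collapse adjacent or overlapping prefixes."""
    nets = (ipaddress.IPv4Network(p) for p in prefixes)
    return [str(p) for p in ipaddress.collapse_addresses(nets)]


def no_transit_through_666(route, from_asn):
    """Constructed import policy: decline any route whose AS-PATH goes through AS 666."""
    return 666 not in route.as_path


def scenario():
    """AS1 hears 138.16.64.0/22 from AS2 directly and from AS3, whose path goes via AS2."""
    r1 = GatewayRouter(asn=1, import_policy=no_transit_through_666)
    pfx = ipaddress.IPv4Network("138.16.64.0/22")
    accepted = {
        "direct": r1.receive(Route(pfx, (2,), "2a"), from_asn=2),
        "via_as3": r1.receive(Route(pfx, (3, 2), "3a"), from_asn=3),
        "loop": r1.receive(Route(pfx, (3, 1, 2), "3a"), from_asn=3),
        "wrong_first_as": r1.receive(Route(pfx, (2, 4), "3a"), from_asn=3),
        "policy": r1.receive(Route(ipaddress.IPv4Network("138.16.0.0/16"), (3, 666), "3a"), from_asn=3),
    }
    best = r1.best(pfx)
    return accepted, best, r1.lookup("138.16.65.7"), r1.advertise(best)
```

Selection here uses AS-PATH length only; real routers apply local preference and several further tie-breakers before that, but the shape of the decision (accept, select, forward, re-advertise) is the one the slides describe.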

Why different Intra- and Inter-AS routing?
Policy:
- Inter-AS: the administrator wants control over how its traffic is routed and over who routes through its network
- Intra-AS: single administrator, so no policy decisions are needed
Scale:
- hierarchical routing saves table size and reduces update traffic
Performance:
- Intra-AS can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.

Link Layer Services
Framing, link access:
- encapsulate the datagram into a frame, adding a header and a trailer
- channel access if the medium is shared
- "MAC" addresses are used in frame headers to identify source and destination; these are different from IP addresses
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit-error links (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-to-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide the channel into smaller "pieces" (time slots, frequency, code) and allocate a piece to a node for exclusive use
- Random Access: the channel is not divided, collisions are allowed, and nodes "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to the channel in "rounds"
- each station gets a fixed-length slot (length = packet transmission time) in each round
- unused slots go idle
- example: 6-station LAN; stations 1, 3 and 4 have packets, slots 2, 5 and 6 are idle
TDM (Time Division Multiplexing): the channel is divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (Frequency Division Multiplexing): the frequency band is subdivided, one sub-band per user.

Slotted ALOHA
Pros:
- a single active node can continuously transmit at the full rate of the channel
- highly decentralized: only the slots in the nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmitting in a slot with probability p.
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that some node has success in the slot = Np(1-p)^(N-1)
- For max efficiency with N nodes, find the p that maximizes Np(1-p)^(N-1)
- For many nodes, take the limit of Np(1-p)^(N-1) as N goes to infinity: this gives 1/e = 0.37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send. At best, the channel is used for useful transmissions 37% of the time.

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit.
- If the channel is sensed idle, transmit the entire frame.
- If the channel is sensed busy, defer transmission.
Human analogy: don't interrupt others.

CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision, the entire packet transmission time is wasted.
Note the role of distance and propagation delay in determining the collision probability.

[figure: spatial layout of nodes along the bus, with transmissions from two nodes overlapping in time]

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA, but
- collisions are detected within a short time
- colliding transmissions are aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted and received signals
- difficult in wireless LANs: the receiver is shut off while transmitting

CSMA/CD collision detection
[figure: two nodes on a bus start transmitting, the signals overlap, both detect the collision and abort]

"Taking Turns" MAC protocols
Polling:
- a master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (the master)
Token passing:
- a control token is passed from one node to the next sequentially
- token message
- concerns: token overhead, latency, single point of failure (the token)

ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes
    < IP address; MAC address; TTL >
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?

[figure: a LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]

ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF, so all machines on the LAN receive the ARP query
- B receives the ARP packet and replies to A with its (B's) MAC address; the reply frame is sent to A's MAC address (unicast)
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out)
- soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from a network administrator.
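The query/reply exchange and the soft-state cache of the two ARP slides above, as a runnable model of a small LAN (added example, not code from the lecture slides). The frame layout is a simplified dictionary rather than on-the-wire ARP, and the IP and MAC addresses are the constructed ones from the slide's figure. One guard that is not part of the ARP protocol is added as an assumption of this example: because ARP replies carry no authentication, the host only learns from a reply it actually asked for, or from one that merely refreshes an identical mapping, and it logs and drops a reply that would silently rewrite a live entry. Most operating systems do accept such replies, which is the property this check is there to make visible.

```python
"""ARP resolution with a soft-state cache, plus an extra consistency check on replies.
Added example, not from the lecture slides. The frame format is a simplified dict;
addresses are constructed. The reply check is an assumption of this example, not ARP."""
BROADCAST = "FF-FF-FF-FF-FF-FF"
TTL = 20 * 60          # seconds; slide: typically 20 min


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_table = {}     # ip -> (mac, expiry time)
        self.pending = set()    # IPs we have queried and not yet heard back about
        self.alerts = []        # constructed log of replies this host refused to learn from

    def resolve(self, target_ip, now):
        """Return (mac, frame_to_send); mac is None when a query has to go out first."""
        entry = self.arp_table.get(target_ip)
        if entry and entry[1] > now:
            return entry[0], None
        self.arp_table.pop(target_ip, None)            # expired: the soft state goes away
        self.pending.add(target_ip)
        query = {"dst": BROADCAST, "src": self.mac, "op": "query",
                 "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": target_ip}
        return None, query

    def handle(self, frame, now):
        """Process an incoming ARP frame; return a reply frame or None."""
        if frame["op"] == "query":
            if frame["target_ip"] != self.ip:
                return None                                # not our IP: ignore
            return {"dst": frame["sender_mac"], "src": self.mac, "op": "reply",
                    "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": frame["sender_ip"]}
        ip, mac = frame["sender_ip"], frame["sender_mac"]
        solicited = ip in self.pending
        old = self.arp_table.get(ip)
        live = old if old and old[1] > now else None
        # Assumption of this example: an unsolicited reply may only refresh an identical mapping.
        if not solicited and (live is None or live[0] != mac):
            self.alerts.append(f"unsolicited reply {ip} -> {mac} (cached: {live and live[0]})")
            return None
        if live and live[0] != mac:
            self.alerts.append(f"{ip} changed {live[0]} -> {mac} in a solicited reply")
        self.arp_table[ip] = (mac, now + TTL)
        self.pending.discard(ip)
        return None


def lan_deliver(frame, hosts, now):
    """Shared LAN: a broadcast reaches every other host, a unicast reaches the matching MAC.
    Returns the frames generated in response."""
    out = []
    for h in hosts:
        if frame["dst"] in (BROADCAST, h.mac) and frame["src"] != h.mac:
            reply = h.handle(frame, now)
            if reply:
                out.append(reply)
    return out


def scenario():
    a = Host("237.196.7.23", "1A-2F-BB-76-09-AD")
    b = Host("237.196.7.78", "58-23-D7-FA-20-B0")
    c = Host("237.196.7.14", "0C-C4-11-6F-E3-98")     # third host; later sends a forged reply
    lan = [a, b, c]
    mac_before, query = a.resolve(b.ip, now=0)         # miss: A broadcasts a query
    replies = lan_deliver(query, lan, now=0)           # only B answers, unicast to A
    for f in replies:
        lan_deliver(f, lan, now=0)                     # A caches B's mapping
    mac_cached, _ = a.resolve(b.ip, now=60)            # hit, no frame sent
    forged = {"dst": a.mac, "src": c.mac, "op": "reply", "sender_ip": b.ip,
              "sender_mac": c.mac, "target_ip": a.ip}  # C claims B's IP; A never asked
    lan_deliver(forged, lan, now=120)
    mac_after_forge, _ = a.resolve(b.ip, now=180)
    mac_expired, requery = a.resolve(b.ip, now=TTL + 1)   # entry timed out: query again
    return {"mac_before": mac_before, "replies": len(replies), "mac_cached": mac_cached,
            "mac_after_forge": mac_after_forge, "alerts": len(a.alerts),
            "mac_expired": mac_expired, "requery": requery is not None}
```

The forged reply is exactly as well-formed as the real one; the only thing that distinguishes it here is that A had no outstanding query and already held a different live mapping. Once A's entry expires and it queries again, whoever answers first wins, which is why the guard reduces but does not remove the exposure.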

Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN)
- In the routing table at the source host, find the router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
- A creates a datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram
- A's adapter sends the frame; R's adapter receives the frame
- R removes the IP datagram from the Ethernet frame and sees that it is destined to B
- R uses ARP to get B's MAC address
- R creates a frame containing the A-to-B IP datagram and sends it to B

[figure: A on one LAN, B on another, connected through router R]

Ethernet uses CSMA/CD
- No slots
- an adapter doesn't transmit if it senses that some other adapter is transmitting: carrier sense
- a transmitting adapter aborts when it senses that another adapter is transmitting: collision detection
- before attempting a retransmission, the adapter waits a random time: random access

Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.

Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.
Exponential backoff:
- Goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer
- first collision: choose K from {0, 1}; the delay is K * 512 bit transmission times
- after the second collision: choose K from {0, 1, 2, 3}
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
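Steps 1 to 5 of the algorithm and the backoff schedule of the slide above, as a simulation (added example, not code from the lecture slides). Two details from IEEE 802.3 that the slide stops short of are included: the K range stops growing after the 10th collision (it stays 0..1023) and an adapter gives up on the frame after 16 attempts. The simulation is an abstraction of this example: time advances in 512-bit-time slots, every adapter whose backoff has expired transmits at the start of a slot, a slot with exactly one transmitter is a success, and a slot with more than one is a collision; carrier sense is modelled by letting the other adapters' timers run during a successful transmission.

```python
"""Ethernet truncated binary exponential backoff, simulated slot by slot.
Added example, not from the lecture slides; the slot model is a simplification."""
import random

ATTEMPT_LIMIT = 16     # IEEE 802.3: give up on the frame after 16 attempts
BACKOFF_LIMIT = 10     # IEEE 802.3: the K range stops growing after the 10th collision
SLOT_BITS = 512        # slide: the wait is K * 512 bit times


def backoff_range(m):
    """Number of possible K values after the m-th collision: K in {0, ..., 2^min(m,10) - 1}."""
    return 2 ** min(m, BACKOFF_LIMIT)


def wait_seconds(k, bitrate_bps):
    """Backoff delay for a chosen K at a given bit rate (K * 512 bit times)."""
    return k * SLOT_BITS / bitrate_bps


def simulate(n_adapters, seed=0):
    """All adapters have a frame ready at slot 0 (worst case). Returns per-run statistics."""
    rng = random.Random(seed)
    adapters = {i: {"wait": 0, "collisions": 0} for i in range(n_adapters)}
    stats = {"slots": 0, "collisions": 0, "delivered": 0, "gave_up": 0, "order": []}
    while adapters:
        stats["slots"] += 1
        ready = [i for i, a in adapters.items() if a["wait"] == 0]   # step 2: channel idle, transmit
        if len(ready) == 1:                                           # step 3: whole frame sent
            stats["delivered"] += 1
            stats["order"].append(ready[0])
            del adapters[ready[0]]
        elif len(ready) > 1:                                          # step 4: collision, jam, abort
            stats["collisions"] += 1
            for i in ready:
                a = adapters[i]
                a["collisions"] += 1
                if a["collisions"] >= ATTEMPT_LIMIT:
                    stats["gave_up"] += 1
                    del adapters[i]
                    continue
                a["wait"] = rng.randrange(backoff_range(a["collisions"]))   # step 5: pick K
        for i, a in adapters.items():
            if i not in ready and a["wait"] > 0:
                a["wait"] -= 1                                        # timers run while others transmit
    return stats
```

Run `simulate(3, seed=1)` to watch three adapters that all start together: the first slot is a guaranteed collision, and the runs resolve within a handful of slots because the K range doubles each time. A single adapter never collides and is done in one slot.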

CSMA/CD efficiency
- t_prop = max propagation delay between 2 nodes in the LAN
- t_trans = time to transmit a max-size frame

efficiency = 1 / (1 + 5 t_prop / t_trans)

- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap

Page 70: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Path attributes amp BGP routes

When advertising a prefix advert includes BGP attributes prefix + attributes = ldquorouterdquo

Two important attributes AS-PATH contains the ASs through which the advert

for the prefix passed AS 67 AS 17 NEXT-HOP Indicates the specific internal-AS router

to next-hop AS (There may be multiple links from current AS to next-hop-AS)

When gateway router receives route advert uses import policy to acceptdecline

Why different Intra- and Inter-AS routing

Policy Inter-AS admin wants control over how its traffic

routed who routes through its net Intra-AS single admin so no policy decisions

needed

Scale hierarchical routing saves table size reduced

update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 802.11 Wireless LAN
- 802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations
- 802.11a: 5-6 GHz range; up to 54 Mbps
- 802.11g: 2.4-5 GHz range; up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions

802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
- ad hoc mode: hosts only
[figure: BSS 1 and BSS 2, each with its own AP, joined by a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver:
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[figure: sender/receiver timeline: DIFS, data, SIFS, ACK]

Collision Avoidance: RTS-CTS exchange
[figure: timeline for A, AP and B: RTS(A) and RTS(B) collide at the AP (reservation collision); A's retried RTS(A) is answered by CTS(A), which the AP sends to both A and B; B defers while A sends DATA(A) and the AP returns ACK(A)]

802.11 frame

  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
       2        |    2     |     6     |     6     |     6     |      2      |     6     | 0 - 2312 |  4
(field sizes in bytes)

802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
[figure: H1 -- AP -- R1 -- Internet router]
- 802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
- 802.3 frame from the AP onto the wired LAN: dest address = R1 MAC addr, source address = AP MAC addr
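The frame layout and the AP's address translation described above, as an added example (not code from the lecture): pack a frame with the slide's field sizes, verify its CRC on receipt, and re-frame the payload for the wired LAN the way the figure draws it. The MAC addresses, the use of zlib's CRC-32 as the FCS, and an 802.3 length field are assumptions of this example.

```python
"""Pack and parse an 802.11 data frame with the field layout on the slide and
perform the AP's conversion to an 802.3 frame.  Added example, not the
lecture's code; the MAC addresses used below are constructed placeholders."""
import struct
import zlib

# Field sizes from the slide (bytes): frame control 2, duration 2,
# address 1-3 six each, seq control 2, address 4 six, payload 0-2312, CRC 4.
HDR_FMT = "<HH6s6s6sH6s"
HDR_LEN = struct.calcsize(HDR_FMT)      # 30
MAX_PAYLOAD = 2312
ZERO_MAC = "00-00-00-00-00-00"

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))

def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)

def build_80211(addr1, addr2, addr3, payload, seq=0, addr4=ZERO_MAC,
                fc=0x0008, duration=0):
    """Header + payload, then CRC-32 over both (zlib's CRC-32 stands in for the FCS).
    fc=0x0008 marks a data frame; address 4 stays zero outside ad hoc mode."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    hdr = struct.pack(HDR_FMT, fc, duration, mac_to_bytes(addr1),
                      mac_to_bytes(addr2), mac_to_bytes(addr3), seq,
                      mac_to_bytes(addr4))
    body = hdr + payload
    return body + struct.pack("<I", zlib.crc32(body))

def parse_80211(frame):
    """Check the CRC first, then unpack the header; raises ValueError on a bad frame."""
    if len(frame) < HDR_LEN + 4:
        raise ValueError("frame shorter than header + CRC")
    body, (crc,) = frame[:-4], struct.unpack("<I", frame[-4:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    fc, duration, a1, a2, a3, seq, a4 = struct.unpack(HDR_FMT, body[:HDR_LEN])
    return {"frame_control": fc, "duration": duration, "seq": seq,
            "address1": bytes_to_mac(a1), "address2": bytes_to_mac(a2),
            "address3": bytes_to_mac(a3), "address4": bytes_to_mac(a4),
            "payload": body[HDR_LEN:]}

def ap_to_8023(frame, ap_mac):
    """Infrastructure mode: the AP bridges only frames whose address 1 is itself,
    producing an 802.3 frame with dest = address 3 (the router interface) and
    source = the AP's own MAC, as drawn on the slide. Returns (dest, src, frame)."""
    f = parse_80211(frame)
    if f["address1"] != ap_mac:
        raise ValueError("not addressed to this AP")
    if f["address4"] != ZERO_MAC:
        raise ValueError("address 4 set: ad hoc frame, not bridged")
    # 802.3 header: dest, source, length of the data field (assumed layout).
    eth_hdr = (mac_to_bytes(f["address3"]) + mac_to_bytes(ap_mac)
               + struct.pack(">H", len(f["payload"])))
    return f["address3"], ap_mac, eth_hdr + f["payload"]

def demo():
    """H1 -> AP -> R1 as in the slide's figure (constructed addresses)."""
    H1, AP, R1 = "00-11-22-33-44-55", "66-77-88-99-AA-BB", "CC-DD-EE-FF-00-11"
    frame = build_80211(AP, H1, R1, b"constructed A-to-B IP datagram", seq=7)
    return ap_to_8023(frame, AP)
```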

Network Security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs. Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
Page 71: Announcement: Take-home final. Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am. Final should be returned by Thursday.

Why different Intra- and Inter-AS routing?
Policy:
- Inter-AS: admin wants control over how its traffic is routed, who routes through its net
- Intra-AS: single admin, so no policy decisions needed
Scale:
- hierarchical routing saves table size, reduced update traffic
Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance

Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services
- Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error link (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in rounds
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN; stations 1, 3, 4 have pkt; slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
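The maximisation and the limit that the slide states without working are carried through below (added derivation, not on the original slide; N and p as defined above).

```latex
\text{Let } S(p) = N p (1-p)^{N-1} \text{ be the probability that some node succeeds in a slot.}

\frac{dS}{dp} = N(1-p)^{N-1} - N(N-1)\,p\,(1-p)^{N-2}
              = N(1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr]
              = N(1-p)^{N-2}\,(1 - Np)

\frac{dS}{dp} = 0 \;\Rightarrow\; p^{*} = \frac{1}{N}
\quad\text{(a maximum: } dS/dp > 0 \text{ for } p < 1/N,\; dS/dp < 0 \text{ for } p > 1/N\text{)}

S(p^{*}) = N \cdot \frac{1}{N}\Bigl(1 - \frac{1}{N}\Bigr)^{N-1} = \Bigl(1 - \frac{1}{N}\Bigr)^{N-1}

\lim_{N\to\infty} \Bigl(1 - \frac{1}{N}\Bigr)^{N-1}
  = \lim_{N\to\infty} \frac{\bigl(1 - \frac{1}{N}\bigr)^{N}}{1 - \frac{1}{N}}
  = \frac{e^{-1}}{1} = \frac{1}{e} \approx 0.37

\text{Check: } N=2:\; S(p^{*}) = \tfrac{1}{2} = 0.50;\quad
N=10:\; S(p^{*}) = 0.9^{9} \approx 0.387;\quad
N=100:\; S(p^{*}) = 0.99^{99} \approx 0.370
```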

CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability
[figure: spatial layout of nodes against time, two transmissions overlapping]

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection
[figure: collision detection timing diagram]

"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
    < IP address; MAC address; TTL >
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[figure: one LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address; Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state, information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[figure: A -- R -- B, two LANs joined by router R]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[figure: A -- R -- B]
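The same-LAN query/reply exchange and the soft-state cache described above, as an added example (not the lecture's code). The host addresses are constructed from the figure; the rule that only a reply to an outstanding query is cached is this example's own hardening, not something the slide specifies.

```python
"""Same-LAN ARP exchange with a soft-state cache.  Added example, not the
lecture's code; hosts, addresses and timings are constructed for the demo."""
from dataclasses import dataclass, field

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60            # seconds: "typically 20 min" on the slide
ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpPacket:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = "00-00-00-00-00-00"   # unknown in a request

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    payload: ArpPacket

@dataclass
class Host:
    ip: str
    mac: str
    arp_table: dict = field(default_factory=dict)   # ip -> (mac, expiry time)
    pending: set = field(default_factory=set)       # IPs queried, reply awaited
    ignored_replies: int = 0

    def lookup(self, ip, now):
        """Return the cached MAC for ip, dropping the entry once its TTL has passed."""
        entry = self.arp_table.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if now >= expires:
            del self.arp_table[ip]      # soft state: goes away unless refreshed
            return None
        return mac

    def resolve(self, ip, now):
        """Return (mac, None) on a cache hit, or (None, broadcast query) on a miss."""
        mac = self.lookup(ip, now)
        if mac is not None:
            return mac, None
        self.pending.add(ip)
        query = ArpPacket(ARP_REQUEST, self.ip, self.mac, ip)
        return None, Frame(BROADCAST, self.mac, query)

    def receive(self, frame, now):
        """Handle one ARP frame; return a reply frame or None."""
        pkt = frame.payload
        if pkt.op == ARP_REQUEST and pkt.target_ip == self.ip:
            # B answers with its own MAC, unicast back to A's MAC address.
            reply = ArpPacket(ARP_REPLY, self.ip, self.mac, pkt.sender_ip, pkt.sender_mac)
            return Frame(pkt.sender_mac, self.mac, reply)
        if pkt.op == ARP_REPLY and pkt.target_ip == self.ip:
            # Hardening added in this example (not on the slide): cache only a reply
            # we asked for; an unsolicited reply is counted for monitoring and dropped.
            if pkt.sender_ip not in self.pending:
                self.ignored_replies += 1
                return None
            self.pending.discard(pkt.sender_ip)
            self.arp_table[pkt.sender_ip] = (pkt.sender_mac, now + ARP_TTL)
        return None

class Lan:
    """One shared segment: a broadcast reaches every other node, a unicast only its owner."""
    def __init__(self, hosts):
        self.hosts = {h.mac: h for h in hosts}

    def deliver(self, frame, now):
        if frame.dst_mac == BROADCAST:
            targets = [h for h in self.hosts.values() if h.mac != frame.src_mac]
        else:
            targets = [self.hosts[frame.dst_mac]] if frame.dst_mac in self.hosts else []
        return [r for r in (h.receive(frame, now) for h in targets) if r is not None]

def arp_exchange(a, b, lan, now):
    """Resolve b's IP from a; return (mac, frames that crossed the wire)."""
    mac, query = a.resolve(b.ip, now)
    if query is None:
        return mac, []                       # cache hit: nothing on the wire
    wire = [query]
    for reply in lan.deliver(query, now):   # only B answers the broadcast
        wire.append(reply)
        lan.deliver(reply, now)              # unicast reply back to A
    return a.lookup(b.ip, now), wire

def demo():
    """Miss, hit, then miss again after the 20-minute TTL (addresses constructed from the figure)."""
    a = Host("237.196.7.78", "1A-2F-BB-76-09-AD")
    b = Host("237.196.7.14", "58-23-D7-FA-20-B0")
    c = Host("237.196.7.88", "0C-C4-11-6F-E3-98")
    lan = Lan([a, b, c])
    runs = [arp_exchange(a, b, lan, now=t) for t in (0, 100, ARP_TTL + 1)]
    return [(mac, len(wire)) for mac, wire in runs]
```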

Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
- Jam Signal: make sure all other transmitters are aware of collision; 48 bits
- Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K·512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}…
- after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency
- t_prop = max prop delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame

    efficiency = 1 / (1 + 5 t_prop / t_trans)

- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap

Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
[figure: hub with twisted-pair links to hosts]

Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub connecting three departmental hubs]

Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
- hosts are unaware of presence of switches
plug-and-play, self-learning
- switches do not need to be configured

Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem…
[figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender (incoming LAN segment); records sender/location pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 72: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Data Link LayerSome terminology hosts and routers are nodes communication channels

that connect adjacent nodes along communication path are links wired links wireless links LANs

layer-2 packet is a frame encapsulates datagram

ldquolinkrdquo

data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services Framing link access

encapsulate datagram into frame adding header trailer

channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify

source dest bull different from IP address

Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted

pair) wireless links high error rates

bull Q why both link-level and end-end reliability

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Page 73: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Link Layer Services

• Framing, link access:
  - encapsulate datagram into frame, adding header, trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source, dest
    • different from IP address
• Reliable delivery between adjacent nodes
  - we learned how to do this already (chapter 3)
  - seldom used on low bit-error links (fiber, some twisted pair)
  - wireless links: high error rates
    • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy

Three broad classes:
• Channel Partitioning
  - divide channel into smaller "pieces" (time slots, frequency, code)
  - allocate piece to node for exclusive use
• Random Access
  - channel not divided, allow collisions
  - "recover" from collisions
• "Taking turns"
  - nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA

TDMA: time division multiple access
• access to channel in "rounds"
• each station gets fixed-length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle

TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.

FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA

Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple

Cons
• collisions, wasting slots
• idle slots
• clock synchronization

Slotted Aloha efficiency

• Suppose N nodes with many frames to send, each transmits in a slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37
• Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
• At best: channel used for useful transmissions 37% of time
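Worked through, as an added derivation that is not on the original slides, with the slide's N and p:

$$P_{\text{succ}}(p) = N p (1-p)^{N-1}$$

$$\frac{dP_{\text{succ}}}{dp} = N(1-p)^{N-1} - N(N-1)\,p\,(1-p)^{N-2} = N(1-p)^{N-2}\,\bigl[(1-p) - (N-1)p\bigr] = N(1-p)^{N-2}\,(1 - Np)$$

$$\frac{dP_{\text{succ}}}{dp} = 0 \;\Rightarrow\; p^* = \frac{1}{N}, \qquad P_{\text{succ}}(p^*) = \left(1-\frac{1}{N}\right)^{N-1}$$

$$\lim_{N\to\infty}\left(1-\frac{1}{N}\right)^{N-1} = \lim_{N\to\infty}\frac{\left(1-\frac{1}{N}\right)^{N}}{1-\frac{1}{N}} = \frac{1/e}{1} = \frac{1}{e} \approx 0.37$$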

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
• If channel sensed idle: transmit entire frame
• If channel sensed busy: defer transmission

Human analogy: don't interrupt others

CSMA collisions

• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted

[Figure: spatial layout of nodes]

• note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

• CSMA/CD: carrier sensing, deferral as in CSMA
  - collisions detected within short time
  - colliding transmissions aborted, reducing channel wastage
• collision detection:
  - easy in wired LANs: measure signal strengths, compare transmitted, received signals
  - difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[Figure only]

"Taking Turns" MAC protocols

• Polling: master node "invites" slave nodes to transmit in turn
  - concerns: polling overhead, latency, single point of failure (master)
• Token passing: control token passed from one node to next sequentially
  - token message
  - concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

• Each IP node (Host, Router) on LAN has ARP table
• ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
• TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
• Question: how to determine MAC address of B knowing B's IP address?

[Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]

ARP protocol: Same LAN (network)

• A wants to send datagram to B, and B's MAC address not in A's ARP table
• A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A and R on one LAN, R and B on another]

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
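The ARP exchange and the A -> R -> B walkthrough above, as an added example that is not code from the original slides: only 111.111.111.110 and E6-E9-00-17-BB-4B are the slide's values; the other addresses, the LAN names and the function names are constructed for the example.

```python
"""Added example (not from the original slides): ARP tables with soft-state TTL
and the "routing to another LAN" walkthrough, A -> R -> B.
Only 111.111.111.110 and E6-E9-00-17-BB-4B come from the slide; every other
address below is a constructed sample value."""
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60.0          # seconds: the slide's "typically 20 min"


@dataclass
class Frame:
    lan: str                 # LAN the frame was put on
    dst: str                 # destination MAC
    src: str                 # source MAC
    payload: tuple           # ("ARP-QUERY", ip), ("ARP-REPLY", ip, mac) or ("IP", src_ip, dst_ip, data)


class ArpTable:
    """<IP address; MAC address; TTL> entries; a mapping is forgotten once its TTL passes."""

    def __init__(self, ttl=ARP_TTL):
        self.ttl = ttl
        self.entries = {}    # ip -> (mac, expires_at)

    def lookup(self, ip, now):
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, expires_at = hit
        if now >= expires_at:        # soft state: stale mapping goes away unless refreshed
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)


class Node:
    """A host has one interface; router R has one per LAN, each with its own ARP table."""

    def __init__(self, name, ifaces):
        self.name = name
        self.ifaces = ifaces                           # lan -> (ip, mac)
        self.arp = {lan: ArpTable() for lan in ifaces}

    def ip_on(self, lan):
        return self.ifaces[lan][0]

    def mac_on(self, lan):
        return self.ifaces[lan][1]


def arp_resolve(sender, lan, target_ip, lans, now, trace):
    """Return target_ip's MAC on `lan`; broadcast a query first if it is not cached."""
    cached = sender.arp[lan].lookup(target_ip, now)
    if cached is not None:
        return cached                                  # cache hit: nothing on the wire
    trace.append(Frame(lan, BROADCAST, sender.mac_on(lan), ("ARP-QUERY", target_ip)))
    for node in lans[lan]:                             # all machines on the LAN receive the query
        if node.ip_on(lan) == target_ip:               # only the owner of target_ip replies
            mac = node.mac_on(lan)
            trace.append(Frame(lan, sender.mac_on(lan), mac, ("ARP-REPLY", target_ip, mac)))
            sender.arp[lan].learn(target_ip, mac, now)  # cached until it times out
            return mac
    raise LookupError(f"no node with {target_ip} on {lan}")


def send_via_router(a, r, b, lan_a, lan_b, lans, now=0.0):
    """Walkthrough A -> R -> B. Returns every frame put on the wire, in order.
    The IP datagram never changes; the frame around it is rebuilt on each hop."""
    trace = []
    datagram = ("IP", a.ip_on(lan_a), b.ip_on(lan_b), "data")
    # A's routing table names R's interface on A's LAN as the next hop.
    r_mac = arp_resolve(a, lan_a, r.ip_on(lan_a), lans, now, trace)
    trace.append(Frame(lan_a, r_mac, a.mac_on(lan_a), datagram))
    # R strips the Ethernet frame, sees the datagram is for B, and ARPs on the other LAN.
    b_mac = arp_resolve(r, lan_b, datagram[2], lans, now, trace)
    trace.append(Frame(lan_b, b_mac, r.mac_on(lan_b), datagram))
    return trace


def build_topology():
    """Two LANs joined by R; every address except R's LAN1 pair is constructed."""
    a = Node("A", {"LAN1": ("111.111.111.111", "74-29-9C-E8-FF-55")})
    r = Node("R", {"LAN1": ("111.111.111.110", "E6-E9-00-17-BB-4B"),
                   "LAN2": ("222.222.222.220", "1A-23-F9-CD-06-9B")})
    b = Node("B", {"LAN2": ("222.222.222.222", "49-BD-D2-C7-56-2A")})
    return a, r, b, {"LAN1": [a, r], "LAN2": [r, b]}


if __name__ == "__main__":
    a, r, b, lans = build_topology()
    for f in send_via_router(a, r, b, "LAN1", "LAN2", lans):
        print(f"{f.lan}: {f.src} -> {f.dst}  {f.payload}")
```

The trace shows the same IP datagram carried in two different frames, with an ARP query/reply pair on each LAN only the first time; a later send within the 20-minute TTL puts just the two data frames on the wire.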

Ethernet uses CSMA/CD

• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

• Jam Signal: make sure all other transmitters are aware of collision; 48 bits
• Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
• Exponential Backoff:
  - Goal: adapt retransmission attempts to estimated current load
    • heavy load: random wait will be longer
  - first collision: choose K from {0,1}; delay is K · 512 bit transmission times
  - after second collision: choose K from {0,1,2,3}…
  - after ten collisions, choose K from {0,1,2,3,4,…,1023}
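The five-step algorithm and the backoff numbers above, as an added example that is not from the original slides; the slotted one-frame-per-slot model, the seeded random choice of K and the function names are simplifying assumptions of the example.

```python
"""Added example (not from the original slides): the five-step Ethernet CSMA/CD
algorithm in a slotted model where one slot is 512 bit times, with the slide's
exponential backoff, plus the arithmetic behind "K=1023 -> about 50 msec".
The slotted abstraction (one frame per slot, no partial overlap) is a simplification."""
import random

SLOT_BIT_TIMES = 512
MAX_BACKOFF_EXPONENT = 10       # after the 10th collision K stays in {0,...,1023}


def backoff_range(m):
    """K is drawn from {0, 1, ..., 2^m - 1} after the m-th collision, capped at 2^10 - 1."""
    return 0, 2 ** min(m, MAX_BACKOFF_EXPONENT) - 1


def backoff_seconds(k, rate_bps):
    """Wait of K * 512 bit times; bit time is 1/rate (0.1 microsecond at 10 Mbps)."""
    return k * SLOT_BIT_TIMES / rate_bps


def simulate(n_adapters, frames_each, seed=1, max_slots=100_000):
    """Every adapter starts with a frame ready. Returns (slots used, collisions, frames delivered)."""
    rng = random.Random(seed)
    pending = [frames_each] * n_adapters   # frames each adapter still has to send
    wait = [0] * n_adapters                # backoff slots left before sensing the channel again
    m = [0] * n_adapters                   # collisions suffered by the adapter's current frame
    collisions = delivered = slot = 0
    while delivered < n_adapters * frames_each and slot < max_slots:
        slot += 1
        # step 2: adapters whose backoff has expired sense the channel idle at the slot start
        transmitting = [i for i in range(n_adapters) if pending[i] > 0 and wait[i] == 0]
        for i in range(n_adapters):        # the others keep counting down their backoff
            if wait[i] > 0:
                wait[i] -= 1
        if len(transmitting) == 1:         # step 3: whole frame sent, adapter done with it
            i = transmitting[0]
            pending[i] -= 1
            m[i] = 0
            delivered += 1
        elif len(transmitting) > 1:        # steps 4-5: abort, jam, exponential backoff
            collisions += 1
            for i in transmitting:
                m[i] += 1
                lo, hi = backoff_range(m[i])
                wait[i] = rng.randint(lo, hi)
    return slot, collisions, delivered


if __name__ == "__main__":
    print("K range after 1, 2, 10, 12 collisions:", [backoff_range(c) for c in (1, 2, 10, 12)])
    print("K=1023 at 10 Mbps waits %.1f msec" % (backoff_seconds(1023, 10e6) * 1e3))
    print("3 adapters x 4 frames: slots, collisions, delivered =", simulate(3, 4, seed=7))
```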

CSMA/CD efficiency

• t_prop = max prop delay between 2 nodes in LAN
• t_trans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 t_prop / t_trans)

• Efficiency goes to 1 as t_prop goes to 0
• Goes to 1 as t_trans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap

Hubs

• Hubs are essentially physical-layer repeaters:
  - bits coming from one link go out all other links
  - at the same rate
  - no frame buffering
  - no CSMA/CD at hub: adapters detect collisions
  - provides net management functionality
    • can disconnect a malfunctioning adapter

[Figure: hub with twisted-pair links]

Interconnecting with hubs

• Pros:
  - Enables interdepartmental communication
  - Extends max distance btw nodes
  - If a hub malfunctions, the backbone hub can disconnect it
• Cons:
  - Collision domains are transferred into one large common domain
  - Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: three hubs joined through a backbone hub]

Switch

• Link layer device
  - stores and forwards Ethernet frames
  - examines frame header and selectively forwards frame based on MAC dest address
  - when frame is to be forwarded on segment, uses CSMA/CD to access segment
• transparent
  - hosts are unaware of presence of switches
• plug-and-play, self-learning
  - switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem

[Figure: switch with interfaces 1, 2, 3, each leading to a hub]

Self learning

• A switch has a switch table
• entry in switch table:
  - (MAC Address, Interface, Time Stamp)
  - stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation

• switch installation breaks subnet into LAN segments
• switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains

[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
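The self-learning, filtering and forwarding behaviour of the last three slides, as an added example that is not from the original slides; the MAC addresses, the class and method names, and the flooding of unknown or broadcast destinations (standard switch behaviour the slides do not spell out) are the example's own.

```python
"""Added example (not from the original slides): a self-learning switch with
(MAC address, interface, time stamp) entries, 60-minute aging, and the
filter / forward decision. Flooding an unknown or broadcast destination out of
every other interface is standard switch behaviour the slides do not state."""
from dataclasses import dataclass

SWITCH_TTL = 60 * 60.0       # seconds: the slide's "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Frame:
    src: str        # sender MAC
    dst: str        # destination MAC
    in_iface: int   # switch interface (LAN segment) the frame arrived on


class LearningSwitch:
    def __init__(self, n_ifaces, ttl=SWITCH_TTL):
        self.n_ifaces = n_ifaces
        self.ttl = ttl
        self.table = {}      # mac -> (interface, time stamp)

    def _drop_stale(self, now):
        for mac in [m for m, (_, ts) in self.table.items() if now - ts >= self.ttl]:
            del self.table[mac]

    def handle(self, frame, now):
        """Return the interfaces the frame is sent out on ([] means filtered)."""
        self._drop_stale(now)
        # self-learning: the sender is reachable through the incoming segment
        self.table[frame.src] = (frame.in_iface, now)
        entry = None if frame.dst == BROADCAST else self.table.get(frame.dst)
        if entry is None:
            # unknown (or broadcast) destination: flood to every other segment
            return [i for i in range(self.n_ifaces) if i != frame.in_iface]
        out_iface, _ = entry
        if out_iface == frame.in_iface:
            return []            # same-LAN-segment frame: filtered, stays in its collision domain
        return [out_iface]       # known destination: forwarded selectively

    def known(self):
        """Current (MAC -> interface) view of the switch table."""
        return {mac: iface for mac, (iface, _) in self.table.items()}


if __name__ == "__main__":
    # constructed MACs; interfaces 0, 1, 2 each lead to one hub / LAN segment
    sw = LearningSwitch(3)
    for t, f in [(0, Frame("AA-AA-AA-AA-AA-01", "BB-BB-BB-BB-BB-02", 0)),
                 (1, Frame("BB-BB-BB-BB-BB-02", "AA-AA-AA-AA-AA-01", 2)),
                 (2, Frame("AA-AA-AA-AA-AA-01", "BB-BB-BB-BB-BB-02", 0)),
                 (3, Frame("CC-CC-CC-CC-CC-03", "BB-BB-BB-BB-BB-02", 2))]:
        print(f"t={t}: {f.src} -> {f.dst} in on {f.in_iface}: out on {sw.handle(f, t)}")
    print(sw.known())
```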

Switches vs. Routers

• both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

[Figure: nodes A, B, C]

Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
  - means A, C unaware of their interference at B

[Figure: A's signal strength and C's signal strength plotted against space]

Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN

• 802.11b
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in physical layer
    • all hosts use same chipping code
  - widely deployed, using base stations
• 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
• 802.11g
  - 2.4-5 GHz range
  - up to 54 Mbps
• All use CSMA/CA for multiple access
• All have base-station and ad-hoc network versions

802.11 LAN architecture

• wireless host communicates with base station
  - base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
  - ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with its own AP, joined by a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: timeline between sender and receiver: DIFS, data, SIFS, ACK]

Collision Avoidance: RTS-CTS exchange

[Figure: timeline with AP, A and B: RTS(A) and RTS(B) sent together (reservation collision); RTS(A) resent; CTS(A) heard by both A and B; DATA(A) while B defers; ACK(A)]

[Figure: 802.11 frame format, field lengths in bytes: frame control 2, duration 2, address 1 6, address 2 6, address 3 6, seq control 2, address 4 6, payload 0-2312, CRC 4]

802.11 frame: addressing

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

[Figure: 802.11 frame addressing. Wireless host H1 sends through the AP to router R1 on the Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr.]

Network Security

• What is network security?
• Principles of cryptography: symmetric key, public key
• Authentication: protocol evolution
• Access control: firewalls
• Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap5.0
  • ap5.0 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol CSMA/CA
  • Collision Avoidance RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
Page 74: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

MAC Protocols a taxonomy

Three broad classes Channel Partitioning

divide channel into smaller ldquopiecesrdquo (time slots frequency code)

allocate piece to node for exclusive use

Random Access channel not divided allow collisions ldquorecoverrdquo from collisions

ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can

take longer turns

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 75: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Channel Partitioning MAC protocols TDMA

TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle

TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load

FDM (Frequency Division Multiplexing) frequency subdivided

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol: Same LAN (network)
• A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
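The ARP table of the two slides above as runnable code, added here as an example that is not part of the lecture: soft-state entries that expire after the 20-minute TTL unless refreshed, a broadcast query on a miss, and one defender's check of my own (ARP replies carry no authentication, so a reply that changes a cached mapping before it has expired is recorded for review). The IP/MAC values in the driver are taken from the slide's figure; their pairing is constructed.

```python
from dataclasses import dataclass

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
DEFAULT_TTL_SECONDS = 20 * 60        # slide: mapping forgotten after typically 20 min


@dataclass
class ArpEntry:
    mac: str
    expires_at: float                # absolute time, seconds


class ArpTable:
    """ARP table of one IP node: <IP address; MAC address; TTL> triples."""

    def __init__(self, ttl=DEFAULT_TTL_SECONDS):
        self.ttl = ttl
        self.entries = {}            # IP address -> ArpEntry
        self.sent_queries = []       # (dest MAC, target IP) of the ARP queries "sent"
        self.alerts = []             # mappings that changed before they timed out

    def lookup(self, ip, now):
        """Cached MAC for ip, dropping the entry first if it has timed out."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        if now >= entry.expires_at:  # soft state: gone unless refreshed
            del self.entries[ip]
            return None
        return entry.mac

    def resolve(self, ip, now):
        """On a miss, broadcast an ARP query carrying ip to every node on the LAN."""
        mac = self.lookup(ip, now)
        if mac is None:
            self.sent_queries.append((BROADCAST_MAC, ip))
        return mac

    def learn(self, ip, mac, now):
        """Cache the (IP, MAC) pair from a unicast reply, refreshing the TTL.
        A live entry that changes MAC is flagged (extra check, not on the slide)."""
        current = self.lookup(ip, now)
        if current is not None and current != mac:
            self.alerts.append(f"{ip} changed from {current} to {mac} at t={now}")
        self.entries[ip] = ArpEntry(mac, now + self.ttl)

    def snapshot(self, now):
        """Live <IP address; MAC address; TTL remaining> triples."""
        return [(ip, e.mac, e.expires_at - now)
                for ip, e in self.entries.items() if e.expires_at > now]


if __name__ == "__main__":
    a = ArpTable()
    b_ip, b_mac = "237.196.7.78", "1A-2F-BB-76-09-AD"        # from the slide's figure
    print("t=0 resolve:", a.resolve(b_ip, now=0), "queries:", a.sent_queries)
    a.learn(b_ip, b_mac, now=1)                                # B's unicast reply arrives
    print("t=600 resolve:", a.resolve(b_ip, now=600))
    print("t=1300 resolve:", a.resolve(b_ip, now=1300))        # timed out: query again
    a.learn(b_ip, b_mac, now=1301)
    a.learn(b_ip, "0C-C4-11-6F-E3-98", now=1400)               # conflicting reply
    print("alerts:", a.alerts)
```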

Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: hosts A and B on two LANs joined by router R]

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
[Figure: hosts A and B on two LANs joined by router R]

Ethernet uses CSMA/CD
• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load
  - heavy load: random wait will be longer
• first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0, 1, 2, 3}…
• after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}

CSMA/CD efficiency
• t_prop = max propagation delay between 2 nodes in LAN
• t_trans = time to transmit max-size frame
  efficiency = 1 / (1 + 5 t_prop / t_trans)
• Efficiency goes to 1 as t_prop goes to 0
• Goes to 1 as t_trans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap
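The backoff rule from the algorithm slides and the efficiency formula above, as an added example that is not part of the lecture: K is drawn from {0, …, 2^m - 1} with the exponent frozen at 10 as the "after ten collisions" line says, waits are K · 512 bit times at the slide's 0.1 microsecond bit time, and a small driver walks steps 2-5 against a caller-supplied "did this attempt collide?" function standing in for the channel. The 16-attempt limit is the 802.3 standard's, not something the slides state.

```python
import random

BIT_TIME_10MBPS = 0.1e-6      # seconds per bit on 10 Mbps Ethernet (slide: 0.1 microsec)
BACKOFF_SLOT_BITS = 512       # backoff unit: K * 512 bit times
MAX_BACKOFF_EXPONENT = 10     # slide: after ten collisions K is drawn from 0..1023


def max_k(m):
    """Largest K the adapter may draw after the m-th collision: 2^m - 1, with the
    exponent frozen at 10 to match the slide's 'after ten collisions' line."""
    if m < 1:
        raise ValueError("m counts collisions, so it starts at 1")
    return (1 << min(m, MAX_BACKOFF_EXPONENT)) - 1


def choose_k(m, rng):
    """Step 5: K uniformly at random from {0, 1, 2, ..., 2^m - 1}."""
    return rng.randint(0, max_k(m))


def backoff_seconds(k, bit_time=BIT_TIME_10MBPS):
    """Wait time for a chosen K: K * 512 bit times."""
    return k * BACKOFF_SLOT_BITS * bit_time


def efficiency(t_prop, t_trans):
    """Slide formula: efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    if t_trans <= 0 or t_prop < 0:
        raise ValueError("t_trans must be positive and t_prop non-negative")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def transmit_with_backoff(collides_on_attempt, seed=None, max_attempts=16):
    """Steps 2-5 of the slide's algorithm for a single frame.

    collides_on_attempt(n) stands in for the channel: it answers whether
    transmission attempt n (1-based) collides with another adapter. Returns
    (attempts, collisions, backoff_bit_times, delivered). max_attempts=16 is
    the attempt limit of the 802.3 standard, not something the slide states.
    """
    rng = random.Random(seed)
    collisions = 0
    backoff_bit_times = 0
    for attempt in range(1, max_attempts + 1):
        if not collides_on_attempt(attempt):
            return attempt, collisions, backoff_bit_times, True   # step 3: done
        # step 4: abort and send the 48-bit jam signal (not modelled further)
        collisions += 1
        # step 5: exponential backoff, then back to step 2 (next loop iteration)
        backoff_bit_times += choose_k(collisions, rng) * BACKOFF_SLOT_BITS
    return max_attempts, collisions, backoff_bit_times, False


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        print(f"after collision {m:2d}: K in 0..{max_k(m)}")
    print(f"K=1023 on 10 Mbps waits {backoff_seconds(1023) * 1e3:.1f} ms")
    print(f"efficiency(t_prop=1 us, t_trans=1.2 ms) = {efficiency(1e-6, 1.2e-3):.4f}")
    # constructed channel: the first two attempts collide, the third gets through
    print("attempts, collisions, backoff bits, delivered:",
          transmit_with_backoff(lambda n: n <= 2, seed=7))
```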

Hubs
Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality
  • can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs
Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it
Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: three departmental hubs connected through a backbone hub]

Switch
Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
• hosts are unaware of presence of switches
plug-and-play, self-learning
• switches do not need to be configured

Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[Figure: switch with interfaces 1, 2 and 3, each connected to a hub]

Self learning
• A switch has a switch table
• entry in switch table: (MAC Address, Interface, Time Stamp)
• stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation
• switch installation breaks subnet into LAN segments
• switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains
[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
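The self-learning and filtering rules of the two slides above as a small switch model, added here as an example that is not part of the lecture: table entries are (MAC address, interface, time stamp), entries older than the 60-minute TTL are dropped, frames whose destination sits on the incoming segment are filtered, and known destinations are forwarded on one interface only. Flooding a frame whose destination is not yet in the table is standard switch behaviour that the slides do not spell out; it is assumed here, and the host MACs in the driver are constructed.

```python
from dataclasses import dataclass

DEFAULT_TTL_SECONDS = 60 * 60      # slide: TTL can be 60 min


@dataclass
class SwitchEntry:
    interface: int
    timestamp: float


class LearningSwitch:
    def __init__(self, interfaces, ttl=DEFAULT_TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}              # MAC address -> SwitchEntry

    def _expire(self, now):
        """Drop stale entries: no frame seen from that MAC for a full TTL."""
        stale = [mac for mac, e in self.table.items() if now - e.timestamp >= self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_if, now):
        """Handle one frame arriving on in_if; return the interfaces it goes out on."""
        if in_if not in self.interfaces:
            raise ValueError(f"unknown interface {in_if}")
        self._expire(now)
        # self-learning: the sender is reachable through the incoming segment
        self.table[src_mac] = SwitchEntry(in_if, now)
        entry = self.table.get(dst_mac)
        if entry is None:
            # destination not yet learned: flood to every other segment (assumption)
            return [i for i in self.interfaces if i != in_if]
        if entry.interface == in_if:
            # same-LAN-segment frame: filter, do not forward
            return []
        return [entry.interface]     # selective forwarding to one segment

    def known_hosts(self, now):
        """Live MAC -> interface view of the switch table."""
        self._expire(now)
        return {mac: e.interface for mac, e in self.table.items()}


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    # constructed hosts: A and C hang off the hub on interface 1, B off interface 2
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    print("A->B, B unknown:", sw.receive(A, B, 1, now=0))      # flood to 2 and 3
    print("B->A:", sw.receive(B, A, 2, now=1))                  # A is known on 1
    print("A->B:", sw.receive(A, B, 1, now=2))                  # B is known on 2
    print("C->A, same segment:", sw.receive(C, A, 1, now=3))    # filtered
    print("table an hour later:", sw.known_hosts(now=3602))
```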

Switches vs. Routers
• both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison
                    hubs    switches    routers
traffic isolation   no      yes         yes
plug & play         yes     yes         no
optimal routing     no      no          yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: nodes A, B, C; A and C are each in range of B but not of each other]
Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, which means A, C are unaware of their interference at B
[Figure: A's and C's signal strength plotted against space, each fading before reaching the other]
Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B

IEEE 802.11 Wireless LAN
802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
• widely deployed, using base stations
802.11a
• 5-6 GHz range
• up to 54 Mbps
802.11g
• 2.4-5 GHz range
• up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture
• wireless host communicates with base station
  - base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
• ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange
[Figure: A and B both send RTS to the AP and the two RTS frames collide (reservation collision); A resends RTS(A); the AP answers CTS(A), heard by both; A sends DATA(A); the AP returns ACK(A), heard by both; B defers for the reserved period]

802.11 frame: addressing
[Figure: 802.11 frame format, field lengths in bytes]
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

802.11 frame: addressing
[Figure: H1 sends through the AP to router R1, which connects to the Internet]
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
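The frame layout and the three-address mapping of the two addressing slides above, as an added example that is not part of the lecture: a serialiser and parser for the slide's field layout (address 4 only in ad hoc mode, payload 0 to 2312 bytes), the H1 -> AP -> R1 address assignment, and the AP's rewrite into an 802.3 header as the slide's figure shows it. Control fields and the CRC are zero-filled constructed data, the MAC addresses in the driver are constructed, and one caveat is mine: a bridging AP in practice carries H1's own MAC through as the 802.3 source, while the slide's figure shows the AP's MAC, which the code reproduces.

```python
WLAN_FIELDS = [                     # (field, length in bytes) in wire order, from the slide
    ("frame control", 2), ("duration", 2), ("address 1", 6), ("address 2", 6),
    ("address 3", 6), ("seq control", 2), ("address 4", 6),
    ("payload", None),               # 0..2312 bytes
    ("CRC", 4),
]
MAX_PAYLOAD = 2312
CRC_LEN = 4


def header_fields(ad_hoc):
    """Fixed-size header fields in wire order; address 4 exists only in ad hoc mode."""
    return [(name, size) for name, size in WLAN_FIELDS
            if size is not None and name != "CRC" and (ad_hoc or name != "address 4")]


def frame_length(payload_len, ad_hoc):
    """Total frame length for a payload of payload_len bytes."""
    if not 0 <= payload_len <= MAX_PAYLOAD:
        raise ValueError("payload must be 0..2312 bytes")
    return sum(size for _, size in header_fields(ad_hoc)) + payload_len + CRC_LEN


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def wlan_addresses_from_host(host_mac, ap_mac, router_mac):
    """Slide's infrastructure case, H1 -> AP -> R1: address 1 = receiver (AP),
    address 2 = transmitter (H1), address 3 = router interface behind the AP."""
    return {"address 1": ap_mac, "address 2": host_mac, "address 3": router_mac}


def build_frame(addresses, payload, ad_hoc=False):
    """Serialise a frame in the slide's layout. Control fields and the CRC are
    zero-filled constructed test data; no real CRC-32 is computed here."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    out = bytearray()
    for name, size in header_fields(ad_hoc):
        out += mac_bytes(addresses[name]) if name.startswith("address") else bytes(size)
    out += payload
    out += bytes(CRC_LEN)
    return bytes(out)


def parse_frame(raw, ad_hoc=False):
    """Split a frame back into fields; addresses come back as AA-BB-... strings."""
    fields = header_fields(ad_hoc)
    header_len = sum(size for _, size in fields)
    if len(raw) < header_len + CRC_LEN:
        raise ValueError("frame shorter than header plus CRC")
    parsed, pos = {}, 0
    for name, size in fields:
        chunk = raw[pos:pos + size]
        parsed[name] = mac_str(chunk) if name.startswith("address") else chunk
        pos += size
    parsed["payload"] = raw[pos:len(raw) - CRC_LEN]
    parsed["CRC"] = raw[len(raw) - CRC_LEN:]
    return parsed


def ethernet_from_wlan(parsed):
    """The AP's rewrite onto the wired LAN as the slide's figure shows it:
    dest = address 3 (R1), source = address 1 (the AP). A bridging AP in
    practice carries H1's own MAC through as the source; the figure shows the
    AP's MAC, and that is what is reproduced here."""
    return {"dest address": parsed["address 3"], "source address": parsed["address 1"]}


if __name__ == "__main__":
    # constructed MAC addresses for the slide's H1 / AP / R1 picture
    H1, AP, R1 = "00-11-22-33-44-55", "AA-BB-CC-DD-EE-01", "AA-BB-CC-DD-EE-02"
    raw = build_frame(wlan_addresses_from_host(H1, AP, R1), b"IP datagram bytes")
    parsed = parse_frame(raw)
    print({k: v for k, v in parsed.items() if k.startswith("address")})
    print("802.3 header:", ethernet_from_wlan(parsed))
    print("lengths: empty infrastructure frame", frame_length(0, False),
          "| max ad hoc frame", frame_length(MAX_PAYLOAD, True))
```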

Network Security
• What is network security?
• Principles of cryptography
  - Symmetric Key
  - Public Key
• Authentication
  - Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  - Packet sniffing
  - IP spoofing
  - DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol CSMA/CA
  • Collision Avoidance RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
Page 76: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Slotted ALOHA

Pros single active node can

continuously transmit at full rate of channel

highly decentralized only slots in nodes need to be in sync

simple

Cons

collisions wasting slots

idle slots clock

synchronization

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 77: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Slotted Aloha efficiency

Suppose N nodes with many frames to send each transmits in slot with probability p

prob that node 1 has success in a slot = p(1-p)N-1

prob that there is a success = Np(1-p)N-1

For max efficiency with N nodes find p that maximizes Np(1-p)N-1

For many nodes take limit of Np(1-p)N-1

as N goes to infinity gives 1e = 37

Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send

At best channelused for useful transmissions 37of time

CSMA (Carrier Sense Multiple Access)

CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission

Human analogy donrsquot interrupt others

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

802.11 frame (field widths in bytes):

  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
       2        |    2     |     6     |     6     |     6     |      2      |     6     | 0 - 2312 |  4

802.11 frame: addressing

- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode

802.11 frame: addressing

[Figure: wireless host H1 sends through the AP to router interface R1, which leads to the Internet]

802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame (AP to R1): dest address = R1 MAC addr, source address = AP MAC addr
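An added example, not code from the slides, that packs and parses a frame with the field widths and address roles above: the MAC addresses, the frame-control value and the CRC byte order are assumptions, and the caller states whether address 4 is present rather than decoding it from frame control.

```python
import struct
import zlib

# Widths from the frame layout above: frame control 2, duration 2, address 1/2/3 6 each,
# seq control 2, address 4 6 (ad hoc mode only), payload 0-2312, CRC 4.
MAX_PAYLOAD = 2312
FIXED_HEADER = struct.Struct("<HH6s6s6sH")   # little-endian, as 802.11 sends its fields


def mac_bytes(mac):
    """'1A-2F-BB-76-09-AD' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split("-"))


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(frame_control, duration, addr1, addr2, addr3, seq_control, payload, addr4=None):
    """Assemble a frame in the slide's field order; address 4 only when requested."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = FIXED_HEADER.pack(frame_control, duration, mac_bytes(addr1), mac_bytes(addr2),
                             mac_bytes(addr3), seq_control)
    if addr4 is not None:
        body += mac_bytes(addr4)
    body += payload
    # CRC over everything before it; assumed: CRC-32 as zlib computes it, stored little-endian
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(raw, has_addr4=False):
    """Split a frame back into fields, naming the addresses as the slide does for a
    host -> AP frame: address 1 = receiver, 2 = transmitter, 3 = router interface.
    A frame whose CRC does not match is rejected rather than partially parsed."""
    header_len = FIXED_HEADER.size + (6 if has_addr4 else 0)
    if len(raw) < header_len + 4:
        raise ValueError("truncated frame")
    body, crc = raw[:-4], struct.unpack("<I", raw[-4:])[0]
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    fc, duration, a1, a2, a3, seq = FIXED_HEADER.unpack(body[:FIXED_HEADER.size])
    fields = {"frame_control": fc, "duration": duration, "receiver": mac_str(a1),
              "transmitter": mac_str(a2), "router_interface": mac_str(a3),
              "seq_control": seq, "payload": body[header_len:]}
    if has_addr4:
        fields["address4"] = mac_str(body[FIXED_HEADER.size:header_len])
    return fields


# Constructed MAC addresses for the H1 -> AP -> R1 picture above (not from the slide)
H1_MAC, AP_MAC, R1_MAC = "00-11-22-33-44-01", "00-11-22-33-44-02", "00-11-22-33-44-03"


def h1_to_ap_frame(ip_datagram):
    """Frame H1 sends to the AP: address 1 = AP, address 2 = H1, address 3 = R1.
    The frame-control (data frame) and seq-control values are constructed."""
    return build_frame(0x0008, 0, AP_MAC, H1_MAC, R1_MAC, 0x0010, ip_datagram)


if __name__ == "__main__":
    print(parse_frame(h1_to_ap_frame(b"IP datagram")))
```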

Network Security

- What is network security?
- Principles of cryptography
  - Symmetric Key
  - Public Key
- Authentication
  - Protocol evolution
- Access control: firewalls
- Attacks and counter measures
  - Packet sniffing
  - IP spoofing
  - DoS attacks

Page 78: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

CSMA (Carrier Sense Multiple Access)

CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy: defer transmission

Human analogy: don't interrupt others!

CSMA collisions

- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted

[Figure: space-time diagram of the spatial layout of nodes, two transmissions overlapping]

note: role of distance & propagation delay in determining collision probability

CSMA/CD (Collision Detection)

CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage

collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection

[Figure: space-time diagram in which the colliding nodes detect the collision and abort]

"Taking Turns" MAC protocols

Polling:
- master node "invites" slave nodes to transmit in turn
- concerns:
  - polling overhead
  - latency
  - single point of failure (master)

Token passing:
- control token passed from one node to next sequentially
- token message
- concerns:
  - token overhead
  - latency
  - single point of failure (token)

ARP: Address Resolution Protocol

- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

Question: how to determine MAC address of B knowing B's IP address?

[Figure: four nodes on a LAN with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)

- A wants to send datagram to B, and B's MAC address not in A's ARP table.
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc

[Figure: A and B on two LANs joined by router R]

- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B

[Figure: A and B on two LANs joined by router R]
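The same walkthrough as a runnable simulation, added here and not code from the slides: R's LAN-1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slide, every other IP and MAC address is constructed, and the ARP caches age entries out like the soft state described above.

```python
import ipaddress

ARP_TTL = 20 * 60                 # seconds; the slide: mapping forgotten after typically 20 min
BROADCAST = "FF-FF-FF-FF-FF-FF"   # dest MAC of an ARP query

class ArpTable:
    """<IP address; MAC address; TTL> entries: soft state that times out unless refreshed."""
    def __init__(self):
        self.entries = {}                        # ip -> (mac, expiry)

    def lookup(self, ip, now):
        mac, expiry = self.entries.get(ip, (None, 0))
        if now < expiry:
            return mac
        self.entries.pop(ip, None)               # stale entry goes away
        return None

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + ARP_TTL)

class Lan:
    """Broadcast LAN: a frame reaches the node owning the dest MAC, or every node."""
    def __init__(self):
        self.nodes = []

    def deliver(self, frame):
        for node in list(self.nodes):
            if frame["dst_mac"] in (BROADCAST, node.mac_on(self)):
                node.receive(self, frame)

class Node:
    """Host or router: one (IP interface, MAC, ARP table) per attached LAN, so R gets two."""
    def __init__(self, name, ifaces, default_router=None):
        self.name, self.now, self.wire, self.delivered = name, 0, [], None
        self.default_router, self.ifaces = default_router, {}
        for lan, (cidr, mac) in ifaces.items():
            self.ifaces[lan] = (ipaddress.ip_interface(cidr), mac, ArpTable())
            lan.nodes.append(self)

    def mac_on(self, lan):
        return self.ifaces[lan][1]

    def route(self, dst_ip):
        """Routing-table step: a directly attached network, else the default router."""
        dst = ipaddress.ip_address(dst_ip)
        for lan, (iface, _, _) in self.ifaces.items():
            if dst in iface.network:
                return lan, dst_ip
        return self.route(self.default_router)[0], self.default_router

    def transmit(self, lan, frame):
        self.wire.append(frame)                  # everything this node put on the wire
        lan.deliver(frame)

    def resolve(self, lan, ip):
        """ARP: answer from the cache, else broadcast a query and take the unicast reply."""
        iface, my_mac, table = self.ifaces[lan]
        if table.lookup(ip, self.now) is None:
            self.transmit(lan, {"dst_mac": BROADCAST, "src_mac": my_mac, "arp": "request",
                                "sender_ip": str(iface.ip), "sender_mac": my_mac, "target_ip": ip})
        return table.lookup(ip, self.now)        # filled in by the reply, if anyone answered

    def send_datagram(self, dst_ip, data, src_ip=None):
        lan, next_hop = self.route(dst_ip)
        iface, my_mac, _ = self.ifaces[lan]
        next_mac = self.resolve(lan, next_hop)
        if next_mac is None:
            raise LookupError(f"{self.name}: no ARP reply for {next_hop}")
        # frame addressed to the next hop's MAC, carrying the unchanged A-to-B IP datagram
        self.transmit(lan, {"dst_mac": next_mac, "src_mac": my_mac,
                            "ip": {"src": src_ip or str(iface.ip), "dst": dst_ip, "data": data}})

    def receive(self, lan, frame):
        iface, my_mac, table = self.ifaces[lan]
        if frame.get("arp") == "request":
            if frame["target_ip"] == str(iface.ip):   # my IP: reply with my MAC, unicast
                self.transmit(lan, {"dst_mac": frame["sender_mac"], "src_mac": my_mac, "arp": "reply",
                                    "sender_ip": str(iface.ip), "sender_mac": my_mac})
        elif frame.get("arp") == "reply":
            table.learn(frame["sender_ip"], frame["sender_mac"], self.now)  # nothing authenticates this
        elif frame["ip"]["dst"] == str(iface.ip):
            self.delivered = frame["ip"]
        elif len(self.ifaces) > 1:                    # router: strip the frame, re-frame for next LAN
            self.send_datagram(frame["ip"]["dst"], frame["ip"]["data"], src_ip=frame["ip"]["src"])

# Constructed topology.  R's LAN-1 IP and MAC are the ones printed on the slide; every other
# address below is made up for the demo.
lan1, lan2 = Lan(), Lan()
R = Node("R", {lan1: ("111.111.111.110/24", "E6-E9-00-17-BB-4B"),
               lan2: ("222.222.222.220/24", "1A-23-F9-CD-06-9B")})
A = Node("A", {lan1: ("111.111.111.111/24", "74-29-9C-E8-FF-55")}, default_router="111.111.111.110")
B = Node("B", {lan2: ("222.222.222.222/24", "49-BD-D2-C7-56-2A")}, default_router="222.222.222.220")

def walkthrough():
    """A -> B via R.  Returns (frame A put on LAN 1, frame R put on LAN 2, what B received)."""
    A.send_datagram("222.222.222.222", "hello B")
    frame_a = [f for f in A.wire if "ip" in f][-1]
    frame_r = [f for f in R.wire if "ip" in f][-1]
    return frame_a, frame_r, B.delivered
```

Comparing the two frames returned by `walkthrough()` shows the MAC addresses changing hop by hop while the IP datagram inside stays the same.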

Ethernet uses CSMA/CD

- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)

Jam Signal: make sure all other transmitters are aware of collision; 48 bits

Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec

Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
  - heavy load: random wait will be longer
- first collision: choose K from {0,1}; delay is K · 512 bit transmission times
- after second collision: choose K from {0,1,2,3}…
- after ten collisions, choose K from {0,1,2,3,4,…,1023}

CSMA/CD efficiency

- T_prop = max propagation delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame

  efficiency = 1 / (1 + 5 t_prop / t_trans)

- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
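Added example, not code from the slides, of the exponential backoff rule and the efficiency formula above: the slide's numbers (512-bit backoff unit, 0.1 µs bit time, K capped at 1023) are used as given, while the frame length in slots and the 16-attempt limit are assumptions of this example.

```python
import random

# Numbers on the slides: 10 Mbps bit time, 512-bit backoff unit, cap at 1023 from the
# tenth collision on.
BIT_TIME_US = 0.1
SLOT_BITS = 512
MAX_EXPONENT = 10
# Assumptions of this example (not on the slides):
FRAME_SLOTS = 4         # 512-bit slots one frame keeps the channel busy
MAX_ATTEMPTS = 16       # real adapters discard the frame after 16 collisions


def backoff_limit(m):
    """Largest K after the m-th collision: 2^m - 1, frozen at 1023 from the tenth on."""
    return 2 ** min(m, MAX_EXPONENT) - 1


def backoff_wait_us(k):
    """Wait for a drawn K in microseconds; K = 1023 gives 52377.6 us, 'about 50 msec'."""
    return k * SLOT_BITS * BIT_TIME_US


def csma_cd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans): tends to 1 as t_prop -> 0 or t_trans -> inf."""
    return 1 / (1 + 5 * t_prop / t_trans)


def contend(n_adapters, rng=None):
    """Worst case: n adapters receive a frame from the network layer in the same slot.

    Each slot, every adapter whose backoff has run out transmits (step 2).  A lone
    transmitter finishes and holds the channel for FRAME_SLOTS while the others defer
    by carrier sense (step 3); two or more collide, jam, and each draws a fresh K from
    a doubled range (steps 4-5).  Returns (slots until all frames are sent, collisions
    seen per adapter): the busier the LAN, the longer the random waits grow.
    """
    rng = rng or random.Random(0)
    collisions = [0] * n_adapters
    due = [0] * n_adapters                  # slot at which each adapter next transmits
    pending = set(range(n_adapters))
    slot = 0
    while pending:
        ready = [i for i in pending if due[i] <= slot]
        if not ready:
            slot += 1                       # everyone is still backing off
            continue
        if len(ready) == 1:
            pending.remove(ready[0])        # whole frame sent without interference
            slot += FRAME_SLOTS             # deferring adapters wait for the channel
            continue
        for i in ready:                     # collision: abort, 48-bit jam, exponential backoff
            collisions[i] += 1
            if collisions[i] > MAX_ATTEMPTS:
                raise RuntimeError(f"adapter {i} gave up after {MAX_ATTEMPTS} collisions")
            k = rng.randrange(backoff_limit(collisions[i]) + 1)
            due[i] = slot + 1 + k           # this slot is lost to the collision and jam
        slot += 1
    return slot, collisions


if __name__ == "__main__":
    print(f"K=1023 waits {backoff_wait_us(1023):.1f} us")
    print("efficiency(t_prop=1, t_trans=100) =", csma_cd_efficiency(1, 100))
    print("5 adapters:", contend(5, random.Random(2)))
```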

Hubs

Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  - can disconnect a malfunctioning adapter

[Figure: hosts attached to a hub over twisted pair]

Interconnecting with hubs

Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it

Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: three departmental hubs connected to a backbone hub]

Switch

- Link layer device
  - stores and forwards Ethernet frames
  - examines frame header and selectively forwards frame based on MAC dest address
  - when frame is to be forwarded on segment, uses CSMA/CD to access segment
- transparent
  - hosts are unaware of presence of switches
- plug-and-play, self-learning
  - switches do not need to be configured

Forwarding

- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...

[Figure: three hubs attached to switch interfaces 1, 2 and 3]

Self learning

- A switch has a switch table
- entry in switch table:
  - (MAC Address, Interface, Time Stamp)
  - stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation

- switch installation breaks subnet into LAN segments
- switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains

[Figure: three hubs behind one switch, each hub forming its own collision domain]
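An added self-learning switch, not code from the slides, that builds the (MAC Address, Interface, Time Stamp) table described above, filters same-segment frames and drops stale entries; the hosts' MAC addresses, the interface numbers and the frame sequence are constructed.

```python
TABLE_TTL = 60 * 60          # seconds; the slide: stale entries dropped, TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    """Self-learning switch from the slides: a table of (MAC address, interface, time
    stamp) filled in by watching who sends on which interface; nothing is configured."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}                      # MAC -> (interface, time stamp)

    def _drop_stale(self, now):
        self.table = {mac: (iface, ts) for mac, (iface, ts) in self.table.items()
                      if now - ts < TABLE_TTL}

    def handle(self, src_mac, dst_mac, in_iface, now):
        """Process one frame; return the list of interfaces it is forwarded on."""
        self._drop_stale(now)
        # self-learning: the sender is reachable through the interface the frame came in on
        self.table[src_mac] = (in_iface, now)
        if dst_mac != BROADCAST and dst_mac in self.table:
            out_iface = self.table[dst_mac][0]
            if out_iface == in_iface:
                return []                    # same LAN segment: filtered, not forwarded
            return [out_iface]               # selective forwarding on MAC dest address
        # unknown (or broadcast) destination: flood every other interface
        return [iface for iface in self.interfaces if iface != in_iface]


# Constructed hosts: A and C share the hub on interface 1, B hangs off interface 2
A_MAC, B_MAC, C_MAC = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"


def demo():
    """Trace the table being built, a filtered frame, and an entry aging out."""
    sw = LearningSwitch([1, 2, 3])
    steps = [
        sw.handle(A_MAC, B_MAC, 1, now=0),       # B unknown: flood 2 and 3; learn A on 1
        sw.handle(B_MAC, A_MAC, 2, now=1),       # A known: only interface 1; learn B on 2
        sw.handle(A_MAC, B_MAC, 1, now=2),       # B known: only interface 2
        sw.handle(C_MAC, A_MAC, 1, now=3),       # A sits on the incoming segment: filtered
        sw.handle(A_MAC, B_MAC, 1, now=3601),    # B's entry aged out: flood again
    ]
    return steps, sw.table


if __name__ == "__main__":
    for line in demo():
        print(line)
```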

Switches vs Routers

- both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
- routers maintain routing tables, implement routing algorithms
- switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

[Figure: three nodes A, B, C; B is in range of both A and C, but A and C are out of each other's range]

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 79: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

CSMA collisions

collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted

spatial layout of nodes

noterole of distance amp propagation delay in determining collision probability

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 80: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

CSMACD (Collision Detection)CSMACD carrier sensing deferral as in

CSMA collisions detected within short time colliding transmissions aborted reducing

channel wastage collision detection

easy in wired LANs measure signal strengths compare transmitted received signals

difficult in wireless LANs receiver shut off while transmitting

CSMACD collision detection

ldquoTaking Turnsrdquo MAC protocolsPolling master node

ldquoinvitesrdquo slave nodes to transmit in turn

concerns polling overhead latency single point of

failure (master)

Token passing control token passed

from one node to next sequentially

token message concerns

token overhead latency single point of failure

(token)

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem

[Figure: switch with interfaces 1, 2 and 3, each connected to a hub]

Self learning

• A switch has a switch table
• entry in switch table: (MAC address, interface, time stamp)
• stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation

• switch installation breaks subnet into LAN segments
• switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains

[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
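An added Python example (not from the slides) of the self-learning and filtering behaviour just described: a switch table of (MAC address, interface, time stamp) entries with the 60-minute TTL, flooding when the destination is unknown and filtering same-segment frames. The interface numbers and MAC addresses used with it are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"
DEFAULT_TTL_S = 60 * 60       # stale entries are dropped after 60 min, as on the slide


@dataclass
class Frame:
    src: str                  # sender's MAC address
    dst: str                  # destination MAC address
    payload: bytes = b""


class LearningSwitch:
    """Self-learning switch whose table holds (MAC address, interface, time stamp)."""

    def __init__(self, interfaces: Iterable[int], ttl_s: float = DEFAULT_TTL_S) -> None:
        self.interfaces = list(interfaces)
        self.ttl_s = ttl_s
        self.table: Dict[str, Tuple[int, float]] = {}   # MAC -> (interface, time stamp)

    def lookup(self, mac: str) -> Optional[int]:
        """Interface a MAC address was last seen on, or None if not (or no longer) known."""
        entry = self.table.get(mac)
        return None if entry is None else entry[0]

    def _drop_stale(self, now: float) -> None:
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.ttl_s]
        for mac in stale:
            del self.table[mac]

    def receive(self, frame: Frame, in_iface: int, now: float) -> List[int]:
        """Handle one frame arriving on in_iface; return the interfaces it is sent out of."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown interface {in_iface}")
        self._drop_stale(now)
        # learning: the sender is reachable through the segment the frame arrived on
        self.table[frame.src] = (in_iface, now)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # destination not in table (or broadcast): flood to every other segment
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []            # filtering: same-segment frame is not forwarded
        return [out_iface]       # selective forwarding to the learned segment
```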

Switches vs. routers

• both are store-and-forward devices
  - routers: network-layer devices (examine network-layer headers)
  - switches: link-layer devices
• routers maintain routing tables, implement routing algorithms
• switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                     hubs    switches   routers
traffic isolation    no      yes        yes
plug & play          yes     yes        no
optimal routing      no      no         yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

[Figure: nodes A, B and C, with B in range of both A and C]

Hidden terminal problem:
• B, A hear each other
• B, C hear each other
• A, C cannot hear each other: means A, C unaware of their interference at B

[Figure: A's signal strength and C's signal strength plotted against space, with A, B, C along the axis]

Signal fading:
• B, A hear each other
• B, C hear each other
• A, C cannot hear each other, interfering at B

IEEE 802.11 Wireless LAN

802.11b
• 2.4–5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  - all hosts use same chipping code
• widely deployed, using base stations

802.11a
• 5–6 GHz range
• up to 54 Mbps

802.11g
• 2.4–5 GHz range
• up to 54 Mbps

All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture

• wireless host communicates with base station
  - base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
• ad hoc mode: hosts only

[Figure: BSS 1 and BSS 2, each with an AP, attached through a hub, switch or router to the Internet]

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[Figure: timing diagram between sender and receiver: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Collision avoidance: RTS-CTS exchange

[Figure: timing diagram with A, AP and B: RTS(A) and RTS(B) collide at the AP; A resends RTS(A); the AP answers CTS(A), heard by both A and B (reservation); B defers; A sends DATA(A); the AP returns ACK(A), heard by both]

802.11 frame layout (field sizes in bytes):

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0–2312) | CRC (4)

802.11 frame: addressing

• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode

[Figure: wireless host H1 associated with an AP, which is attached to router R1 on the Internet]

802.11 frame (H1 to AP):
  address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame (AP to R1):
  dest address = R1 MAC addr, source address = AP MAC addr
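An added Python example (not from the slides) that builds and parses a frame with the field layout drawn above and verifies the CRC before any field is read. It assumes the slide's fixed layout, with address 4 always present as a 6-byte field and all zeros when unused, and uses constructed MAC addresses; real 802.11 frames carry address 4 only in a minority of frames, so this is a teaching parser, not a capture-file parser.

```python
import struct
import zlib
from dataclasses import dataclass

# field sizes as drawn on the slide: 2, 2, 6, 6, 6, 2, 6, payload 0-2312, CRC 4
HEADER_FMT = "<HH6s6s6sH6s"     # frame control, duration, addr 1-3, seq control, addr 4
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 30 bytes
CRC_LEN = 4
MAX_PAYLOAD = 2312
UNUSED_ADDR = "00-00-00-00-00-00"   # assumption: address 4 is all zeros outside ad hoc mode


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


@dataclass
class Dot11Frame:
    frame_control: int
    duration: int
    addr1: str            # wireless host or AP that is to receive this frame
    addr2: str            # wireless host or AP transmitting this frame
    addr3: str            # router interface to which the AP is attached
    seq_control: int
    addr4: str            # used only in ad hoc mode
    payload: bytes


def build_frame(f: Dot11Frame) -> bytes:
    """Serialize header + payload, then append the 32-bit CRC computed over both."""
    if len(f.payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    header = struct.pack(HEADER_FMT, f.frame_control, f.duration,
                         mac_to_bytes(f.addr1), mac_to_bytes(f.addr2),
                         mac_to_bytes(f.addr3), f.seq_control, mac_to_bytes(f.addr4))
    body = header + f.payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(raw: bytes) -> Dot11Frame:
    """Check length and CRC before trusting any field, then split header and payload."""
    if len(raw) < HEADER_LEN + CRC_LEN:
        raise ValueError("frame shorter than header + CRC")
    body, (crc,) = raw[:-CRC_LEN], struct.unpack("<I", raw[-CRC_LEN:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: corrupted or truncated frame")
    payload = body[HEADER_LEN:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    fc, dur, a1, a2, a3, seq, a4 = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    return Dot11Frame(fc, dur, bytes_to_mac(a1), bytes_to_mac(a2), bytes_to_mac(a3),
                      seq, bytes_to_mac(a4), payload)


def frame_is_valid(raw: bytes) -> bool:
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


def address_roles(f: Dot11Frame) -> dict:
    """Which node each address names in an infrastructure-mode frame."""
    return {"receiver": f.addr1, "transmitter": f.addr2, "router interface": f.addr3}
```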

Network Security

• What is network security?
• Principles of cryptography
  - Symmetric key
  - Public key
• Authentication: protocol evolution
• Access control: firewalls
• Attacks and countermeasures
  - Packet sniffing
  - IP spoofing
  - DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA: Choosing keys
  • RSA: Encryption, decryption
  • RSA example
  • RSA: Why is that
  • RSA: another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication: another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication: yet another try
  • Slide 21
  • Slide 22
  • Authentication: ap5.0
  • ap5.0: security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls: Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm: example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing: introduction
  • Subnets
  • IP addressing: CIDR
  • NAT: Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP (Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols: a taxonomy
  • Channel Partitioning MAC protocols: TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security

CSMA/CD collision detection

"Taking turns" MAC protocols

Polling:
• master node "invites" slave nodes to transmit in turn
• concerns: polling overhead, latency, single point of failure (master)

Token passing:
• control token passed from one node to next sequentially
• token message
• concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol

Question: how to determine MAC address of B knowing B's IP address?

• Each IP node (host, router) on LAN has ARP table
• ARP table: IP/MAC address mappings for some LAN nodes
  <IP address; MAC address; TTL>
• TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)

[Figure: LAN with four nodes at IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53]

ARP protocol: same LAN (network)

• A wants to send datagram to B, and B's MAC address not in A's ARP table
• A broadcasts ARP query packet containing B's IP address
  - dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN

walkthrough: send datagram from A to B via R; assume A knows B's IP address

• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.

[Figure: A on one LAN and B on another, connected through router R]

• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B

[Figure: same topology: A, router R, B]
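The ARP exchange and the A-to-R-to-B walkthrough above, as an added Python example (not from the slides): ARP tables with the 20-minute soft-state TTL, a broadcast query answered only by the owner of the IP address, and a router with one ARP table per attached LAN. Apart from R's 111.111.111.110 / E6-E9-00-17-BB-4B interface taken from the slide, every address in `build_example_topology` is constructed, and the routing-table step is reduced to passing the router's IP in directly.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_TTL_S = 20 * 60          # a mapping is forgotten after 20 min unless refreshed

class ArpTable:
    """<IP address; MAC address; TTL> entries held as soft state."""
    def __init__(self, ttl_s: float = ARP_TTL_S) -> None:
        self.ttl_s = ttl_s
        self.entries: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, expiry time)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if now >= expires_at:            # timed out: the entry goes away
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now + self.ttl_s)

class Lan:
    """One broadcast segment: every attached interface hears an ARP query."""
    def __init__(self) -> None:
        self.ifaces: List["Iface"] = []
        self.queries: List[Tuple[str, str, str]] = []   # (sender MAC, dest MAC, target IP)

    def arp_query(self, requester: "Iface", target_ip: str) -> Optional[str]:
        # sent to FF-FF-FF-FF-FF-FF; only the owner of target_ip replies, unicast
        self.queries.append((requester.mac, BROADCAST_MAC, target_ip))
        for iface in self.ifaces:
            if iface is not requester and iface.ip == target_ip:
                return iface.mac
        return None

@dataclass
class Iface:
    ip: str
    mac: str
    network: ipaddress.IPv4Network
    lan: Lan
    arp: ArpTable = field(default_factory=ArpTable)

    def __post_init__(self) -> None:
        self.lan.ifaces.append(self)

def resolve(src: Iface, target_ip: str, now: float) -> str:
    """MAC for target_ip on src's LAN: consult the ARP table, query only on a miss."""
    mac = src.arp.lookup(target_ip, now)
    if mac is None:
        mac = src.lan.arp_query(src, target_ip)
        if mac is None:
            raise LookupError(f"no node on this LAN owns {target_ip}")
        src.arp.learn(target_ip, mac, now)   # cache the IP-to-MAC pair
    return mac

class Router:
    """R has one interface, and therefore one ARP table, per IP network (LAN)."""
    def __init__(self, ifaces: List[Iface]) -> None:
        self.ifaces = ifaces

    def outgoing_iface(self, dst_ip: str) -> Iface:
        addr = ipaddress.ip_address(dst_ip)
        for iface in self.ifaces:
            if addr in iface.network:
                return iface
        raise LookupError(f"no attached network for {dst_ip}")

def send_via_router(a: Iface, router_ip: str, router: Router,
                    b_ip: str, now: float) -> List[str]:
    """Walk A -> R -> B and return the dest MAC of each link-layer frame sent."""
    # A's routing table names router_ip as the next hop for B's network, so A
    # ARPs for the router's MAC on its own LAN and frames the datagram to it
    r_mac = resolve(a, router_ip, now)
    # R removes the datagram from that frame, sees it is destined to B, picks the
    # interface on B's LAN and ARPs for B's MAC using that interface's own table
    b_mac = resolve(router.outgoing_iface(b_ip), b_ip, now)
    return [r_mac, b_mac]

def build_example_topology():
    """Constructed topology: only R's LAN 1 address and MAC are taken from the
    slide; every other address here is made up for the example."""
    lan1, lan2 = Lan(), Lan()
    net1 = ipaddress.ip_network("111.111.111.0/24")
    net2 = ipaddress.ip_network("222.222.222.0/24")
    a = Iface("111.111.111.111", "02-00-00-00-00-0A", net1, lan1)
    r1 = Iface("111.111.111.110", "E6-E9-00-17-BB-4B", net1, lan1)
    r2 = Iface("222.222.222.220", "02-00-00-00-00-02", net2, lan2)
    b = Iface("222.222.222.222", "02-00-00-00-00-0B", net2, lan2)
    return a, b, Router([r1, r2]), lan1, lan2
```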

Ethernet uses CSMA/CD

• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm

1. Adapter receives datagram from net layer & creates frame

2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits

3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame

Page 83: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

ARP Address Resolution Protocol

Each IP node (Host Router) on LAN has ARP table

ARP Table IPMAC address mappings for some LAN nodes

lt IP address MAC address TTLgt

TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)

Question how to determineMAC address of Bknowing Brsquos IP address

1A-2F-BB-76-09-AD

58-23-D7-FA-20-B0

0C-C4-11-6F-E3-98

71-65-F7-2B-08-53

LAN

237196723

237196778

237196714

237196788

ARP protocol Same LAN (network) A wants to send datagram

to B and Brsquos MAC address not in Arsquos ARP table

A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-

FF-FF-FF-FF-FF all machines on LAN

receive ARP query B receives ARP packet

replies to A with its (Bs) MAC address frame sent to Arsquos MAC

address (unicast)

A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information

that times out (goes away) unless refreshed

ARP is ldquoplug-and-playrdquo nodes create their ARP

tables without intervention from net administrator

Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address

Two ARP tables in router R one for each IP network (LAN)

In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc

A

RB

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMA/CD efficiency

t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame

    efficiency = 1 / (1 + 5 · t_prop / t_trans)

• Efficiency goes to 1 as t_prop goes to 0.
• Goes to 1 as t_trans goes to infinity.
• Much better than ALOHA, but still decentralized, simple, and cheap.
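The backoff rule of steps 4 and 5, the bit-time arithmetic and the efficiency formula from the three slides above, carried through in code. This is an added example, not the lecture's code: backoff_range and backoff_wait follow the slides directly, efficiency() is the slide's formula, and simulate() is a slotted toy model of several adapters contending for one channel with the same backoff rule. The 16-attempt give-up limit in the model is an assumption of this example, not something the slides state.

```python
import random

BIT_TIME_10MBPS = 1e-7      # 0.1 microsecond per bit at 10 Mbps (slide value)
SLOT_BITS = 512             # backoff unit: 512 bit times
MAX_BACKOFF_EXP = 10        # after ten collisions K stays in 0..1023


def backoff_range(m):
    """Largest K allowed after the m-th collision: 2^min(m, 10) - 1."""
    return 2 ** min(m, MAX_BACKOFF_EXP) - 1


def backoff_wait(k, bit_time=BIT_TIME_10MBPS):
    """Seconds an adapter waits for a chosen K (K * 512 bit times)."""
    return k * SLOT_BITS * bit_time


def efficiency(t_prop, t_trans):
    """Slide formula: 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def simulate(n_adapters, frame_slots, seed=1, max_attempts=16):
    """Slotted toy model: every adapter has one frame ready at slot 0.
    A slot in which exactly one adapter transmits succeeds and keeps the
    channel busy for frame_slots slots (others sense it and wait); two or
    more transmitting in the same slot collide, and each picks a fresh K
    from 0..backoff_range(m) and waits K slots after the jam slot.
    Returns (frames_sent, frames_dropped, collisions, final_slot)."""
    rng = random.Random(seed)
    ready_at = [0] * n_adapters          # slot at which each adapter may next try
    collisions_of = [0] * n_adapters     # m for each adapter
    sent = dropped = collisions = 0
    slot = busy_until = 0
    active = set(range(n_adapters))
    while active:
        if slot < busy_until:            # carrier sense: channel busy, defer
            slot = busy_until
            continue
        contenders = [a for a in active if ready_at[a] <= slot]
        if len(contenders) == 1:         # clean transmission
            sent += 1
            active.remove(contenders[0])
            busy_until = slot + frame_slots
        elif len(contenders) > 1:        # collision detected, jam, back off
            collisions += 1
            for a in contenders:
                collisions_of[a] += 1
                if collisions_of[a] >= max_attempts:   # model assumption: give up
                    dropped += 1
                    active.remove(a)
                else:
                    k = rng.randint(0, backoff_range(collisions_of[a]))
                    ready_at[a] = slot + 1 + k
        slot += 1
    return sent, dropped, collisions, slot


if __name__ == "__main__":
    print("K=1023 wait:", backoff_wait(1023), "s")
    print("efficiency(t_prop=0.1, t_trans=1):", efficiency(0.1, 1.0))
    print("5 adapters, 10-slot frames:", simulate(5, 10))
```

With all adapters ready in slot 0 the first slot always collides, which is exactly the case exponential backoff is designed to spread out; the wait for K = 1023 works out to 1023 · 512 · 0.1 µs ≈ 52 ms, the "about 50 msec" on the slide.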

Hubs

Hubs are essentially physical-layer repeaters:
• bits coming in on one link go out on all other links at the same rate
• no frame buffering
• no CSMA/CD at the hub; the adapters detect collisions
• provides network management functionality, e.g. can disconnect a malfunctioning adapter

[Figure: hub with twisted-pair links to hosts]

Interconnecting with hubs

Pros:
• Enables interdepartmental communication
• Extends the max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it

Cons:
• Collision domains are combined into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs

[Figure: three department hubs connected to a backbone hub]

Switch

Link-layer device:
• stores and forwards Ethernet frames
• examines the frame header and selectively forwards the frame based on the MAC destination address
• when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment

Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding

• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem.

[Figure: switch with interfaces 1, 2 and 3, each attached to a hub]

Self learning

• A switch has a switch table.
• Entry in the switch table: (MAC address, interface, time stamp).
• Stale entries in the table are dropped (TTL can be 60 min).
• The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation

• Switch installation breaks the subnet into LAN segments.
• The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments.
• Segments become separate collision domains.

[Figure: switch with three hubs attached, each hub forming its own collision domain]
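The self-learning and filtering behaviour of the last two slides, as an added example that is not the lecture's code. The table entry is (MAC address, interface, time stamp) as on the slide and the TTL is the slide's 60 minutes; the frames, MAC addresses and timestamps in demo() are constructed. Unknown destinations are flooded on every other interface, a destination known to be on the incoming interface is filtered, and stale entries are dropped before each lookup.

```python
TTL_SECONDS = 60 * 60          # stale entries dropped after 60 min (slide value)
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces, ttl=TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}        # MAC -> (interface, time stamp)

    def _expire(self, now):
        """Drop entries older than the TTL (soft state)."""
        stale = [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]
        for m in stale:
            del self.table[m]

    def receive(self, frame, in_iface, now):
        """Learn the sender's location, then decide where the frame goes.
        Returns the list of interfaces the frame is forwarded on."""
        self._expire(now)
        # self-learning: the sender is reachable through the incoming interface
        self.table[frame["src"]] = (in_iface, now)
        entry = self.table.get(frame["dst"])
        if frame["dst"] == BROADCAST or entry is None:
            # unknown (or broadcast) destination: flood on all other interfaces
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []          # filter: same-segment frame is not forwarded
        return [out_iface]


def demo():
    """Constructed trace on a 3-interface switch; returns the forwarding
    decision for each frame in order."""
    sw = LearningSwitch([1, 2, 3])
    events = [  # (src, dst, incoming interface, time in seconds)
        ("AA-AA-AA-AA-AA-01", "BB-BB-BB-BB-BB-02", 1, 0),     # dst unknown -> flood on 2, 3
        ("BB-BB-BB-BB-BB-02", "AA-AA-AA-AA-AA-01", 2, 1),     # reply: AA learned on 1 -> [1]
        ("AA-AA-AA-AA-AA-01", "BB-BB-BB-BB-BB-02", 1, 2),     # BB now known on 2 -> [2]
        ("CC-CC-CC-CC-CC-03", "AA-AA-AA-AA-AA-01", 1, 3),     # AA on same segment -> filtered
        ("AA-AA-AA-AA-AA-01", "BB-BB-BB-BB-BB-02", 1, 4000),  # BB entry aged out -> flood
    ]
    return [sw.receive({"src": s, "dst": d}, iface, t) for s, d, iface, t in events]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The fourth frame shows the traffic-isolation point: because both CC and AA were learned on interface 1, the frame never leaves that segment.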

Switches vs. routers

• Both are store-and-forward devices: routers are network-layer devices (they examine network-layer headers); switches are link-layer devices.
• Routers maintain routing tables and implement routing algorithms.
• Switches maintain switch tables and implement filtering and learning algorithms.

Summary comparison

                     hubs    switches    routers
traffic isolation    no      yes         yes
plug & play          yes     yes         no
optimal routing      no      no          yes

Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access).

Hidden terminal problem:
• B and A hear each other; B and C hear each other; A and C cannot hear each other.
• This means A and C are unaware of their interference at B.

[Figure: A, B and C in a line, with A's and C's signal strength plotted across space]

Signal fading:
• B and A hear each other; B and C hear each other; A and C cannot hear each other, yet interfere at B.

IEEE 802.11 Wireless LAN

802.11b:
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in the physical layer: all hosts use the same chipping code
• widely deployed, using base stations

802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps

All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture

• A wireless host communicates with a base station; base station = access point (AP).
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP), the base station.
• Ad hoc mode: hosts only.

[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC protocol: CSMA/CA

802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no collision detection).
2. If the channel is sensed busy, then:
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK arrives, increase the random backoff interval and repeat step 2

802.11 receiver:
- If the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).

[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision avoidance: RTS-CTS exchange

[Figure: stations A and B both send RTS to the AP; the RTSs collide at the AP (reservation collision); A resends RTS(A); the AP broadcasts CTS(A), which both A and B hear; B defers; A sends DATA(A); the AP returns ACK(A)]
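The RTS-CTS exchange in the figure above, as an added example rather than code from the lecture. Stations A and B can each hear the AP but not each other (the hidden-terminal layout), every frame occupies one slot, and a node that hears two frames in the same slot sees a collision. A station that hears a CTS addressed to someone else defers for the announced duration; that is the standard 802.11 reservation idea, but the one-slot frames, the reserved duration of two slots and the fixed retry gaps (A retries after 1 slot, B after 3) are assumptions of this model, chosen so the run reproduces the figure's sequence.

```python
HEARS = {"A": {"AP"}, "B": {"AP"}, "AP": {"A", "B"}}   # who can hear whom (hidden terminals)
CTS_DUR = 2      # slots reserved by a CTS: one DATA slot plus one ACK slot (model assumption)


def deliver(transmissions):
    """One slot on the air: transmissions is a list of (sender, frame).
    Returns what each node receives: the frame, "COLLISION", or None."""
    received = {}
    for node, audible in HEARS.items():
        heard = [f for s, f in transmissions if s in audible]
        if len(heard) == 1:
            received[node] = heard[0]
        else:
            received[node] = "COLLISION" if heard else None
    return received


class Station:
    def __init__(self, name, retry_gap):
        self.name, self.retry_gap = name, retry_gap
        self.next_try, self.nav, self.state = 0, 0, "want_rts"

    def act(self, slot):
        """Frame to transmit in this slot, or None."""
        if self.state == "done":
            return None
        if self.nav > 0:                     # deferring on another station's reservation
            self.nav -= 1
            return None
        if self.state == "want_rts" and slot >= self.next_try:
            self.next_try = slot + 1 + self.retry_gap   # retry if no CTS comes back
            return {"type": "RTS", "from": self.name}
        if self.state == "send_data":
            self.state = "wait_ack"
            return {"type": "DATA", "from": self.name}
        return None

    def hear(self, frame):
        if frame in (None, "COLLISION"):
            return                           # a collided RTS is simply never answered
        if frame["type"] == "CTS":
            if frame["to"] == self.name:
                self.state = "send_data"     # reservation granted
            else:
                self.nav = frame["dur"]      # channel reserved for someone else: defer
        elif frame["type"] == "ACK" and frame["to"] == self.name:
            self.state = "done"


class AccessPoint:
    def __init__(self):
        self.name, self.pending = "AP", None

    def act(self, slot):
        frame, self.pending = self.pending, None
        return frame

    def hear(self, frame):
        if frame in (None, "COLLISION"):
            return
        if frame["type"] == "RTS":           # clean RTS: answer with CTS next slot (after SIFS)
            self.pending = {"type": "CTS", "to": frame["from"], "dur": CTS_DUR}
        elif frame["type"] == "DATA":        # clean DATA: ACK next slot
            self.pending = {"type": "ACK", "to": frame["from"]}


def run(max_slots=20):
    """Drive the exchange; returns ([(slot, sender, frame type), ...], collisions seen)."""
    nodes = {"A": Station("A", 1), "B": Station("B", 3), "AP": AccessPoint()}
    log, collisions = [], 0
    for slot in range(max_slots):
        tx = []
        for name, node in nodes.items():
            frame = node.act(slot)
            if frame is not None:
                tx.append((name, frame))
        log.extend((slot, name, frame["type"]) for name, frame in tx)
        rx = deliver(tx)
        collisions += sum(1 for f in rx.values() if f == "COLLISION")
        for name, node in nodes.items():
            node.hear(rx[name])
        if all(isinstance(n, AccessPoint) or n.state == "done" for n in nodes.values()):
            break
    return log, collisions


if __name__ == "__main__":
    for entry in run()[0]:
        print(entry)
```

Only the short RTS frames ever collide; once CTS(A) has been heard by B, the DATA and ACK go through unchallenged, which is why the RTS/CTS cost is worth paying for long frames.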

802.11 frame format (field sizes in bytes):

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)

802.11 frame addressing

• Address 1: MAC address of the wireless host or AP to receive this frame
• Address 2: MAC address of the wireless host or AP transmitting this frame
• Address 3: MAC address of the router interface to which the AP is attached
• Address 4: used only in ad hoc mode

[Figure: H1 sends to router R1 through the AP. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]

802.11 frame addressing (continued)
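A parser for the frame layout and addressing of the two slides above, as an added example that is not the lecture's code. The field widths are the slide's (frame control 2, duration 2, three 6-byte addresses, sequence control 2, optional address 4, payload 0 to 2312 bytes, CRC 4). Two points the slides do not state are assumed here: the caller says whether address 4 is present (has_addr4), and the CRC is the CRC-32 that Ethernet and 802.11 use, computed with zlib. The three MAC addresses and the frame-control value are constructed sample values. Length checks run before any slicing and the CRC is verified before any field is trusted, so truncated or corrupted frames are rejected rather than half-parsed.

```python
import struct
import zlib

MAX_PAYLOAD = 2312
HDR_FMT = "<HH6s6s6sH"                 # frame control, duration, addr1, addr2, addr3, seq control
HDR_LEN = struct.calcsize(HDR_FMT)     # 24 bytes


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split("-"))


def build_frame(fc, duration, addr1, addr2, addr3, seq, payload, addr4=None):
    """Assemble a frame and append CRC-32 over everything before it."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = struct.pack(HDR_FMT, fc, duration, mac_bytes(addr1),
                       mac_bytes(addr2), mac_bytes(addr3), seq)
    if addr4 is not None:
        body += mac_bytes(addr4)
    body += payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame, has_addr4=False):
    """Return the header fields and payload; raise ValueError for a frame
    that is truncated, oversized, or fails its CRC."""
    hdr_len = HDR_LEN + (6 if has_addr4 else 0)
    if len(frame) < hdr_len + 4:                       # header + CRC must fit
        raise ValueError("truncated frame")
    body, crc = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:           # integrity check before trusting fields
        raise ValueError("CRC mismatch")
    fc, duration, a1, a2, a3, seq = struct.unpack(HDR_FMT, body[:HDR_LEN])
    fields = {"frame_control": fc, "duration": duration,
              "address1": mac_str(a1),                 # receiver of this frame
              "address2": mac_str(a2),                 # transmitter of this frame
              "address3": mac_str(a3),                 # router interface behind the AP
              "seq_control": seq}
    pos = HDR_LEN
    if has_addr4:
        fields["address4"] = mac_str(body[pos:pos + 6])
        pos += 6
    payload = body[pos:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    fields["payload"] = payload
    return fields


def is_rejected(frame, has_addr4=False):
    """True if parse_frame refuses the frame."""
    try:
        parse_frame(frame, has_addr4)
        return False
    except ValueError:
        return True


# Constructed addresses for the H1 -> AP -> R1 case on the slide.
AP_MAC, H1_MAC, R1_MAC = "00-11-22-33-44-55", "66-77-88-99-AA-BB", "CC-DD-EE-FF-00-11"


def sample_frame():
    # address 1 = receiver (AP), address 2 = transmitter (H1), address 3 = router R1;
    # 0x0008 is a constructed frame-control value marking a data frame
    return build_frame(0x0008, 0, AP_MAC, H1_MAC, R1_MAC, 0x0010, b"hello")


if __name__ == "__main__":
    print(parse_frame(sample_frame()))
```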

Network Security

• What is network security?
• Principles of cryptography: symmetric key, public key
• Authentication: protocol evolution
• Access control: firewalls
• Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol CSMA/CA
  • Collision Avoidance RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security
Page 86: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest

frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its

destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B

A

RB

Ethernet uses CSMACD

No slots adapter doesnrsquot

transmit if it senses that some other adapter is transmitting that is carrier sense

transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection

Before attempting a retransmission adapter waits a random time that is random access

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access)

Hidden terminal problem
- B and A hear each other; B and C hear each other
- A and C cannot hear each other, which means A and C are unaware of their interference at B

[figure: A, B and C with overlapping radio ranges]

Signal fading
- B and A hear each other; B and C hear each other
- A and C cannot hear each other, interfering at B

[figure: A's and C's signal strength plotted against space]

IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code
- widely deployed, using base stations
802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions

802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts, access point (AP): base station
- ad hoc mode: hosts only

[figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
 - start random backoff time
 - timer counts down while channel idle
 - transmit when timer expires
 - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)

[figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange

[figure: A and B both send RTS to the AP and the RTS frames collide; the AP broadcasts CTS(A), A sends DATA(A), the AP returns ACK(A), and B defers for the reserved duration]

802.11 frame

frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)

802.11 frame addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode

[figure: H1 -- AP -- R1 -- Internet. The 802.11 frame from H1 carries address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. The 802.3 frame the AP sends to R1 carries dest address = R1 MAC addr, source address = AP MAC addr]
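The frame layout and address mapping on the two "802.11 frame" slides, as an added example in Python (not code from the lecture): it assembles a data frame with the slide's field sizes, parses one back out with bounds checks on length and payload size, verifies the trailing CRC, and derives the 802.3 destination and source addresses exactly as the slide's H1 / AP / R1 figure shows them (source = the AP's address). Address 4 is emitted only when both the To DS and From DS bits of frame control are set, which is how the real format signals it. The MAC addresses are constructed, the duration value is fixed at 0, and the CRC is computed with zlib.crc32 purely for illustration; hardware computes the real FCS.

```python
import struct
import zlib

# Added example (not from the lecture slides): build and parse the 802.11
# data frame from the slide (frame control 2, duration 2, addresses 1-3 at
# 6 bytes each, seq control 2, optional address 4, payload 0-2312, CRC 4).
# MAC addresses are constructed; zlib.crc32 stands in for the hardware FCS.

FC_TYPE_DATA = 2            # 802.11 frame type value for data frames
MAX_PAYLOAD = 2312          # slide: payload is 0-2312 bytes
MIN_HEADER_LEN = 24         # fields up to and including sequence control
FCS_LEN = 4

# Constructed addresses for the slide's topology: H1 -- AP -- R1 -- Internet
H1_MAC = "02:00:00:00:00:01"
AP_MAC = "02:00:00:00:00:aa"
R1_MAC = "02:00:00:00:00:ee"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(addr1, addr2, addr3, payload, to_ds=True, from_ds=False, addr4=None, seq=0):
    """Assemble an 802.11 data frame; address 4 is present only when To DS and From DS are both set."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    frame_control = bytes([FC_TYPE_DATA << 2, flags])       # version 0, type data, subtype 0
    header = (frame_control + struct.pack("<H", 0)          # duration: fixed at 0 here
              + mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
              + struct.pack("<H", (seq & 0x0FFF) << 4))     # sequence number, fragment 0
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("address 4 required when To DS and From DS are both set")
        header += mac_to_bytes(addr4)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_data_frame(frame):
    """Decode the header, check the payload bound and verify the trailing CRC.
    Raises ValueError on a truncated frame instead of reading past its end."""
    if len(frame) < MIN_HEADER_LEN + FCS_LEN:
        raise ValueError("frame shorter than minimum header plus CRC")
    fc0, fc1 = frame[0], frame[1]
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    header_len = MIN_HEADER_LEN + (6 if (to_ds and from_ds) else 0)
    if len(frame) < header_len + FCS_LEN:
        raise ValueError("frame too short for a four-address header")
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    parsed = {
        "type": (fc0 >> 2) & 0x03,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "duration": struct.unpack("<H", frame[2:4])[0],
        "address1": bytes_to_mac(frame[4:10]),
        "address2": bytes_to_mac(frame[10:16]),
        "address3": bytes_to_mac(frame[16:22]),
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
        "address4": bytes_to_mac(frame[24:30]) if header_len == 30 else None,
        "payload": body[header_len:],
    }
    parsed["payload_len_ok"] = len(parsed["payload"]) <= MAX_PAYLOAD
    parsed["fcs_ok"] = (zlib.crc32(body) & 0xFFFFFFFF) == struct.unpack("<I", fcs)[0]
    return parsed


def to_8023_addresses(parsed):
    """Addresses of the 802.3 frame the AP puts on the wired LAN, per the slide:
    destination = address 3 (router interface R1), source = address 1 (the AP)."""
    return {"dest": parsed["address3"], "source": parsed["address1"]}


def rejects_truncated(frame):
    """True if the parser refuses the frame as too short (used as a sanity check)."""
    try:
        parse_data_frame(frame)
    except ValueError:
        return True
    return False


def h1_to_internet_example():
    """The slide's example: H1 sends toward the Internet via the AP and R1."""
    frame = build_data_frame(AP_MAC, H1_MAC, R1_MAC, b"GET / HTTP/1.0", to_ds=True, seq=7)
    return parse_data_frame(frame)


if __name__ == "__main__":
    parsed = h1_to_internet_example()
    print(parsed["address1"], parsed["address2"], parsed["address3"], parsed["fcs_ok"])
    print(to_8023_addresses(parsed))
```

A receiver that trusts the header length without the two size checks above would read the CRC out of the payload, or the payload out of nothing, on a short frame; the parser treats such input as an error rather than guessing.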

Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol CSMA/CA
  • Collision Avoidance RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security

Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2

Ethernet's CSMA/CD (more)
- Jam Signal: make sure all other transmitters are aware of collision; 48 bits
- Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
- Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; under heavy load, the random wait will be longer
 - first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
 - after second collision: choose K from {0, 1, 2, 3}, ...
 - after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}

CSMA/CD efficiency
- t_prop = max propagation delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame
- efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
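The numbers behind the "Ethernet CSMA/CD algorithm", "CSMA/CD (more)" and "CSMA/CD efficiency" slides, as an added example in Python (not code from the lecture). It draws K from {0, ..., 2^m - 1} with the cap at 1023 after ten collisions, converts K * 512 bit times to seconds for 10 Mbps Ethernet (which reproduces the slide's "about 50 msec" for K=1023), evaluates the efficiency formula, and walks steps 2-5 of the algorithm for one frame against a constructed collision oracle. The 16-attempt give-up limit is an assumption added here; the slide does not state one.

```python
import random

# Added example (not from the lecture slides): exponential backoff, jam signal
# and efficiency numbers for Ethernet CSMA/CD. The collision oracle passed to
# simulate_transmission is constructed; the 16-attempt limit is an assumption.

SLOT_BIT_TIMES = 512          # slide: adapter waits K * 512 bit times
JAM_BITS = 48                 # slide: jam signal is 48 bits
MAX_BACKOFF_EXPONENT = 10     # slide: after ten collisions K is drawn from 0..1023
MAX_ATTEMPTS = 16             # assumption: give up after 16 attempts


def backoff_choices(m):
    """Number of values K can take after the m-th collision: 2^m, capped at 1024."""
    if m < 1:
        raise ValueError("m counts collisions, so it must be >= 1")
    return 2 ** min(m, MAX_BACKOFF_EXPONENT)


def backoff_delay_bit_times(k):
    return k * SLOT_BIT_TIMES


def backoff_delay_seconds(k, rate_bps):
    """Bit time is 1/rate: 0.1 microsecond at 10 Mbps, so K=1023 waits about 52 ms."""
    return backoff_delay_bit_times(k) / rate_bps


def csma_cd_efficiency(t_prop, t_trans):
    """Slide formula: efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def simulate_transmission(collides_on_attempt, rng):
    """Steps 2-5 of the slide's algorithm for one frame.

    collides_on_attempt[i] is True when attempt i (0-based) hits a collision.
    Returns the chosen K values, jam bits sent and total backoff; success is
    False when every listed attempt collided or MAX_ATTEMPTS was reached.
    """
    ks = []
    for attempt, collides in enumerate(collides_on_attempt[:MAX_ATTEMPTS]):
        if not collides:
            return {"success": True, "attempts": attempt + 1, "ks": ks,
                    "jam_bits_sent": JAM_BITS * len(ks),
                    "backoff_bit_times": sum(backoff_delay_bit_times(k) for k in ks)}
        m = attempt + 1                               # this was the m-th collision
        ks.append(rng.randrange(backoff_choices(m)))  # K uniform in 0..2^m-1, cap 1023
    return {"success": False, "attempts": len(ks), "ks": ks,
            "jam_bits_sent": JAM_BITS * len(ks),
            "backoff_bit_times": sum(backoff_delay_bit_times(k) for k in ks)}


def simulate_with_seed(collides_on_attempt, seed):
    """Deterministic wrapper so a run can be reproduced."""
    return simulate_transmission(collides_on_attempt, random.Random(seed))


if __name__ == "__main__":
    print("K range after 10 collisions:", backoff_choices(10))
    print("wait for K=1023 at 10 Mbps (s):", backoff_delay_seconds(1023, 10_000_000))
    print("efficiency, t_prop=1us, t_trans=1ms:", csma_cd_efficiency(1e-6, 1e-3))
    print(simulate_with_seed([True, True, False], seed=1))
```

The efficiency call shows the slide's two limits directly: shrinking t_prop or growing t_trans (a larger max-size frame) pushes the result toward 1.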

Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality: can disconnect a malfunctioning adapter

[figure: hub with twisted-pair links to hosts]

Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 88: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Ethernet CSMACD algorithm

1 Adaptor receives datagram from net layer amp creates frame

2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits

3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame

4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)

5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 89: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Ethernetrsquos CSMACD (more)

Jam Signal make sure all other transmitters are aware of collision 48 bits

Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec

Exponential Backoff Goal adapt retransmission

attempts to estimated current load heavy load random wait

will be longer first collision choose K

from 01 delay is K 512 bit transmission times

after second collision choose K from 0123hellip

after ten collisions choose K from 01234hellip1023

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 90: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

CSMACD efficiency Tprop = max prop between 2 nodes in LAN

ttrans = time to transmit max-size frame

Efficiency goes to 1 as tprop goes to 0

Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap

transprop tt 51

1efficiency

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding
How does the switch determine onto which LAN segment to forward a frame? It looks like a routing problem.
(figure: a switch with interfaces 1, 2 and 3, each attached to a hub)

Self learning
- a switch has a switch table; an entry is (MAC address, interface, time stamp)
- stale entries in the table are dropped (the TTL can be 60 min)
- the switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the (sender, location) pair in the switch table
Note that learning is driven by the source MAC address written into the frame by whoever sent it, and nothing authenticates that field: a host that sends frames with a forged source address relocates the victim's table entry to its own port, and a host that floods the switch with many bogus source addresses fills the table so that frames for newly seen hosts are flooded to every port instead of being filtered.

Switch traffic isolation
- installing a switch breaks a subnet into LAN segments
- the switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
- segments become separate collision domains
Isolation also limits what a host can sniff: a host on one segment sees only its own segment's frames, broadcasts, and frames flooded because the destination is not yet in the switch table.
(figure: a switch with three hubs attached; each hub forms its own collision domain)
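The following model, added here as an illustration and not code from the lecture slides, implements the switch table described on the two slides above: learning (sender MAC, incoming interface, time stamp) from each arriving frame, dropping stale entries after a TTL, flooding frames for unknown or broadcast destinations, and filtering frames whose destination sits on the incoming segment. The MAC addresses, port numbers and the 60-minute TTL are constructed/assumed values. The final two steps of demo() show the consequence of learning from an unauthenticated source field: a forged source address moves another host's entry to the forger's port.

```python
"""Self-learning switch model (added example, not from the slides)."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC address, as written by the sender (unauthenticated)
    dst: str   # destination MAC address


class LearningSwitch:
    def __init__(self, ports, ttl_seconds=60 * 60):   # 60 min TTL, as on the slide
        self.ports = list(ports)
        self.ttl = ttl_seconds
        self.table = {}            # MAC address -> (interface, last-seen time)

    def _drop_stale(self, now):
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, frame, in_port, now):
        """Process one frame arriving on in_port at time `now` (seconds).
        Returns the list of ports the frame is sent out on."""
        self._drop_stale(now)
        # Learning step: the sender is reachable via the incoming interface.
        # This trusts the frame's source field, which nothing authenticates,
        # so a forged source address relocates another host's entry.
        self.table[frame.src] = (in_port, now)
        if frame.dst == BROADCAST or frame.dst not in self.table:
            # Unknown or broadcast destination: flood on all other ports.
            return [p for p in self.ports if p != in_port]
        out_port, _ = self.table[frame.dst]
        if out_port == in_port:
            # Destination shares the sender's segment: filter (do not forward).
            return []
        return [out_port]


def demo():
    """Walk through learning, filtering, ageing and source-address spoofing.
    Returns the list of forwarding decisions so they can be checked.
    Addresses are constructed for the example."""
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    sw = LearningSwitch(ports=[1, 2, 3])
    out = []
    out.append(sw.receive(Frame(A, B), in_port=1, now=0))       # B unknown: flood to 2, 3
    out.append(sw.receive(Frame(B, A), in_port=2, now=1))       # A known on port 1
    out.append(sw.receive(Frame(C, A), in_port=1, now=2))       # A on same segment: filtered
    out.append(sw.receive(Frame(B, A), in_port=2, now=3602))    # A's entry aged out: flood
    out.append(sw.receive(Frame(A, B), in_port=3, now=3603))    # forged source: A "moves" to 3
    out.append(sw.receive(Frame(B, A), in_port=2, now=3604))    # B's traffic to A now exits 3
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Running the demo gives the six forwarding decisions in order: flood to ports 2 and 3, forward to port 1, filter, flood to ports 1 and 3 after the entry has aged out, forward to port 2, and finally forward to port 3, where B's frames for A now go because the table was rewritten by a frame claiming A's source address.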

Switches vs. Routers
- both are store-and-forward devices: routers are network-layer devices (they examine network-layer headers); switches are link-layer devices
- routers maintain routing tables and implement routing algorithms
- switches maintain switch tables and implement filtering and learning algorithms

Summary comparison

                     hubs    switches    routers
  traffic isolation  no      yes         yes
  plug & play        yes     yes         no
  optimal routing    no      no          yes

Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem
- B and A hear each other; B and C hear each other; A and C cannot hear each other
- so A and C are unaware of their interference at B
(figure: A, B and C placed in a line, with A's and C's ranges overlapping only at B)

Signal fading
- B and A hear each other; B and C hear each other
- A and C cannot hear each other because their signals have faded over the distance between them, yet both still reach B and interfere there
(figure: A's and C's signal strength plotted against space, each too weak at the other's position but both above threshold at B)

IEEE 802.11 Wireless LAN
802.11b
- 2.4 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code
- widely deployed, using base stations
802.11a: 5 GHz range, up to 54 Mbps
802.11g: 2.4 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture
- a wireless host communicates with a base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, the base station)
- ad hoc mode: hosts only, no AP
(figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if the channel is sensed idle for DIFS, transmit the entire frame (no collision detection)
2. if the channel is sensed busy:
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK arrives, increase the random backoff interval and repeat step 2
802.11 receiver
- if the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem)
(figure: sender waits DIFS, then sends data; receiver waits SIFS, then sends ACK)

Collision Avoidance: RTS-CTS exchange
(figure, time running downwards, with stations A and B and the AP:) A and B each send an RTS to the AP at the same time and the two short RTS frames collide at the AP. A retransmits RTS(A). The AP answers with CTS(A), which both A and B hear, so B defers for the reserved duration. A then sends DATA(A) and the AP returns ACK(A). Collisions are confined to the short reservation frames; the long data frame goes out collision-free.

802.11 frame

  field:  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
  bytes:  2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4

802.11 frame addressing
- Address 1: MAC address of the wireless host or AP that is to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: present only when both the "to DS" and "from DS" flags in the frame control field are set, i.e. when one AP relays a frame to another over the wireless medium; ordinary infrastructure-mode and ad hoc frames carry only three addresses

Example: wireless host H1 sends to router R1 through the AP
- 802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
- 802.3 frame the AP puts on the wired LAN: dest address = R1 MAC addr, source address = H1 MAC addr (the AP bridges the frame and carries H1's address through as the source, so the wired router sees H1, not the AP, as the sender)
(figure: Internet - router R1 - AP - wireless host H1, with the 802.11 and 802.3 frames shown side by side)
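As an added example (not code from the lecture slides), the following Python builds and parses an 802.11 data frame using the field layout and byte sizes from the slide, and derives the 802.3 (dest, src) pair that the AP writes onto the wired LAN in the H1 -> AP -> R1 scenario. It goes a little beyond the slide by also handling the other settings of the "to DS" / "from DS" flags, which decide which address plays which role (destination, source, BSSID, or the receiver/transmitter pair of the four-address form). The MAC addresses and payload are constructed for the example, and zlib.crc32 stands in for the frame check sequence; those are assumptions, not something the slides specify.

```python
"""IEEE 802.11 data-frame header: build, parse, bridge to 802.3 (added example)."""
import struct
import zlib

# Constructed addresses for the H1 -> AP -> R1 scenario on the slide (assumed values).
H1_MAC = bytes.fromhex("02aa000000c1")   # wireless host
AP_MAC = bytes.fromhex("02aa000000a9")   # access point = BSSID
R1_MAC = bytes.fromhex("02aa0000000e")   # router interface on the wired side

TYPE_DATA = 2          # frame type "data" in the frame control field
MAX_PAYLOAD = 2312     # payload size limit from the slide's frame layout


def frame_control(to_ds, from_ds, ftype=TYPE_DATA, subtype=0):
    """16-bit Frame Control: byte 0 = version(2) | type(2) | subtype(4),
    byte 1 = To DS (bit 0) | From DS (bit 1); other flags left clear."""
    byte0 = (ftype << 2) | (subtype << 4)
    byte1 = int(to_ds) | (int(from_ds) << 1)
    return byte0 | (byte1 << 8)


def build_data_frame(to_ds, from_ds, a1, a2, a3, payload, a4=None, seq=0):
    """Serialize FC(2) | Dur(2) | A1(6) | A2(6) | A3(6) | Seq(2) | [A4(6)] | payload | FCS(4).
    Address 4 is present exactly when To DS and From DS are both set."""
    if (to_ds and from_ds) != (a4 is not None):
        raise ValueError("address 4 is present iff To DS and From DS are both set")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    # 802.11 multi-byte fields are little-endian; duration is left at 0 here.
    header = struct.pack("<HH", frame_control(to_ds, from_ds), 0)
    header += a1 + a2 + a3
    header += struct.pack("<H", (seq & 0xFFF) << 4)   # sequence number in the upper 12 bits
    if a4 is not None:
        header += a4
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))  # CRC-32 as FCS stand-in (assumption)


def parse_data_frame(frame):
    """Check the FCS, then map addresses 1-4 onto their roles (DA, SA, BSSID, RA, TA)."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("FCS mismatch: frame corrupted")
    fc, _duration = struct.unpack_from("<HH", body, 0)
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = body[4:10], body[10:16], body[16:22]
    offset = 24
    if to_ds and from_ds:                   # four-address form: AP-to-AP relaying
        a4, offset = body[24:30], 30
        roles = {"RA": a1, "TA": a2, "DA": a3, "SA": a4}
    elif to_ds:                             # host -> AP, the slide's example
        roles = {"BSSID": a1, "SA": a2, "DA": a3}
    elif from_ds:                           # AP -> host
        roles = {"DA": a1, "BSSID": a2, "SA": a3}
    else:                                   # ad hoc: no AP involved
        roles = {"DA": a1, "SA": a2, "BSSID": a3}
    return {"to_ds": to_ds, "from_ds": from_ds, "roles": roles, "payload": body[offset:]}


def bridge_to_8023(parsed):
    """The (dest, src) pair the AP writes into the 802.3 frame on the wired LAN."""
    roles = parsed["roles"]
    return roles["DA"], roles["SA"]


if __name__ == "__main__":
    # H1 sends to R1 through the AP: To DS = 1, From DS = 0.
    f = build_data_frame(True, False, AP_MAC, H1_MAC, R1_MAC, b"constructed payload")
    p = parse_data_frame(f)
    dst, src = bridge_to_8023(p)
    print("802.3 dest =", dst.hex(":"), "src =", src.hex(":"))
```

For the slide's example the parser reports address 1 as the BSSID (AP), address 2 as the source (H1) and address 3 as the destination (R1), and bridge_to_8023 yields dest = R1, src = H1. A frame with a flipped payload bit is rejected at the FCS check, and a three-address frame supplied with an address 4 (or a four-address frame without one) is rejected when built.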

Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 91: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

HubsHubs are essentially physical-layer repeaters

bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality

bull can disconnect a malfunctioning adapter

twisted pair

hub

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 92: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Interconnecting with hubs

Pros Enables

interdepartmental communication

Extends max distance btw nodes

If a hub malfunctions the backbone hub can disconnect it

Cons Collision domains are

transferred into one large common domain

Cannot interconnect 10BaseT and 100BaseT hubs

hub

hubhub

hub

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 93: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Switch Link layer device

stores and forwards Ethernet frames examines frame header and selectively forwards

frame based on MAC dest address when frame is to be forwarded on segment uses

CSMACD to access segment transparent

hosts are unaware of presence of switches plug-and-play self-learning

switches do not need to be configured

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijsktrarsquos Algorithm
  • Dijkstrarsquos algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF ldquoadvancedrdquo features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing BGP
  • BGP basics
  • Path attributes amp BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMACD (Collision Detection)
  • CSMACD collision detection
  • ldquoTaking Turnsrdquo MAC protocols
  • ARP Address Resolution Protocol
  • ARP protocol Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMACD
  • Ethernet CSMACD algorithm
  • Ethernetrsquos CSMACD (more)
  • CSMACD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 80211 Wireless LAN
  • 80211 LAN architecture
  • IEEE 80211 MAC Protocol CSMACA
  • Collision Avoidance RTS-CTS exchange
  • 80211 frame addressing
  • Slide 105
  • Network Security
Page 94: Announcement r Take-home final r Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am r Final should be returned by Thursday.

Forwarding

bull How to determine onto which LAN segment to forward framebull Looks like a routing problem

hub

hubhub

switch1

2 3

Self learning

A switch has a switch table entry in switch table

(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60

min) switch learns which hosts can be reached through

which interfaces when frame received switch ldquolearnsrdquo location

of sender incoming LAN segment records senderlocation pair in switch table

Switch traffic isolation switch installation breaks subnet into LAN

segments switch filters packets

same-LAN-segment frames not usually forwarded onto other LAN segments

segments become separate collision domains

hub hub hub

switch

collision domain collision domain

collision domain

Switches vs Routers both store-and-forward devices

routers network layer devices (examine network layer headers) switches are link layer devices

routers maintain routing tables implement routing algorithms

switches maintain switch tables implement filtering learning algorithms

Summary comparison

hubs switches routers

traffi c isolation

no yes yes

plug amp play yes yes no

optimal routing

no no yes

Wireless network characteristicsMultiple wireless senders and receivers create

additional problems (beyond multiple access)

AB

C

Hidden terminal problem B A hear each other B C hear each other A C can not hear each

othermeans A C unaware of their

interference at B

A B C

Arsquos signalstrength

space

Crsquos signalstrength

Signal fading B A hear each other B C hear each other A C can not hear each other

interferring at B

IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

80211 LAN architecture

wireless host communicates with base station base station = access

point (AP) Basic Service Set (BSS)

(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base

station ad hoc mode hosts

only

BSS 1

BSS 2

Internet

hub switchor routerAP

AP

IEEE 80211 MAC Protocol CSMACA

80211 sender1 if sense channel idle for DIFS then

transmit entire frame (no CD)2 if sense channel busy then

- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff

interval repeat 2

80211 receiver- if frame received OK

return ACK after SIFS (ACK needed due to hidden terminal problem)

sender receiver

DIFS

data

SIFS

ACK

Collision Avoidance RTS-CTS exchange

APA B

time

RTS(A)RTS(B)

RTS(A)

CTS(A) CTS(A)

DATA (A)

ACK(A) ACK(A)

reservation collision

defer

framecontrol

durationaddress

1address

2address

4address

3payload CRC

2 2 6 6 6 2 6 0 - 2312 4

seqcontrol

80211 frame addressing

Address 2 MAC addressof wireless host or AP transmitting this frame

Address 1 MAC addressof wireless host or AP to receive this frame

Address 3 MAC addressof router interface to which AP is attached

Address 4 used only in ad hoc mode

Internetrouter

AP

H1 R1

AP MAC addr H1 MAC addr R1 MAC addr

address 1 address 2 address 3

80211 frame

R1 MAC addr AP MAC addr

dest address source address

8023 frame

80211 frame addressing

Network Security What is network security Principles of cryptography

Symmetric Key Public Key

Authentication Protocol evolution

Access control firewalls Attacks and counter measures

Packet sniffing IP spoofing DoS attacks

  • Announcement
  • Last class
  • What is network security
  • The language of cryptography
  • Public Key Cryptography
  • Public key cryptography
  • Public key encryption algorithms
  • RSA Choosing keys
  • RSA Encryption decryption
  • RSA example
  • RSA Why is that
  • RSA another important property
  • Overview
  • Authentication
  • Slide 15
  • Authentication another try
  • Slide 17
  • Slide 18
  • Slide 19
  • Authentication yet another try
  • Slide 21
  • Slide 22
  • Authentication ap50
  • ap50 security hole
  • Slide 25
  • Slide 26
  • Firewalls
  • Firewalls Why
  • Packet Filtering
  • Slide 30
  • Application gateways
  • Limitations of firewalls and gateways
  • Slide 33
  • Internet security threats
  • Slide 35
  • Slide 36
  • Slide 37
  • Slide 38
  • Slide 39
  • Slide 40
  • Slide 41
  • Review (1)
  • Review (2)
  • Review (3)
  • Routing Algorithm classification
  • Dijkstra's Algorithm
  • Dijkstra's algorithm example
  • Distance vector algorithm (1)
  • Distance Vector Algorithm (2)
  • Slide 50
  • The Internet Network layer
  • IP datagram format
  • IP Addressing introduction
  • Subnets
  • IP addressing CIDR
  • NAT Network Address Translation
  • Slide 57
  • Hierarchical Routing
  • Slide 59
  • Interconnected ASes
  • Routing in the Internet
  • RIP ( Routing Information Protocol)
  • RIP advertisements
  • OSPF (Open Shortest Path First)
  • OSPF "advanced" features (not in RIP)
  • Hierarchical OSPF
  • Slide 67
  • Internet inter-AS routing: BGP
  • BGP basics
  • Path attributes & BGP routes
  • Why different Intra- and Inter-AS routing
  • Data Link Layer
  • Link Layer Services
  • MAC Protocols a taxonomy
  • Channel Partitioning MAC protocols TDMA
  • Slotted ALOHA
  • Slotted Aloha efficiency
  • CSMA (Carrier Sense Multiple Access)
  • CSMA collisions
  • CSMA/CD (Collision Detection)
  • CSMA/CD collision detection
  • "Taking Turns" MAC protocols
  • ARP: Address Resolution Protocol
  • ARP protocol: Same LAN (network)
  • Routing to another LAN
  • Slide 86
  • Ethernet uses CSMA/CD
  • Ethernet CSMA/CD algorithm
  • Ethernet's CSMA/CD (more)
  • CSMA/CD efficiency
  • Hubs
  • Interconnecting with hubs
  • Switch
  • Forwarding
  • Self learning
  • Switch: traffic isolation
  • Switches vs Routers
  • Summary comparison
  • Wireless network characteristics
  • IEEE 802.11 Wireless LAN
  • 802.11 LAN architecture
  • IEEE 802.11 MAC Protocol: CSMA/CA
  • Collision Avoidance: RTS-CTS exchange
  • 802.11 frame addressing
  • Slide 105
  • Network Security

Self learning

- a switch has a switch table
- entry in switch table: (MAC address, interface, time stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation

- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains

(figure: one switch with three hubs attached; each hub's segment is a separate collision domain)

Switches vs. Routers

- both are store-and-forward devices
  - routers: network-layer devices (examine network-layer headers)
  - switches: link-layer devices
- routers maintain routing tables, implement routing algorithms
- switches maintain switch tables, implement filtering, learning algorithms

Summary comparison

                    hubs   switches   routers
traffic isolation   no     yes        yes
plug & play         yes    yes        no
optimal routing     no     no         yes

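As an added example of the self-learning and filtering rules listed above (my code, not the course's), the following simulates a switch table with per-entry time stamps and a TTL. The port numbers, the 3600-second TTL, the table-size cap and the hosts A, B and C are constructed for the demo: A and C hang off the same hub on port 1, so a frame between them is filtered rather than forwarded, and B's entry ages out once nothing from B has been seen for longer than the TTL.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


class LearningSwitch:
    """Self-learning switch from the slide: table entries are
    (MAC address, interface, time stamp); stale entries are dropped after
    `ttl` seconds (the slide's TTL can be 60 min)."""

    def __init__(self, ports, ttl=3600, max_entries=1024):
        self.ports = list(ports)
        self.ttl = ttl
        self.max_entries = max_entries   # real switch tables are finite (size assumed here)
        self.table = {}                  # mac -> (interface, time stamp)

    def _drop_stale(self, now):
        self.table = {mac: (port, ts) for mac, (port, ts) in self.table.items()
                      if now - ts <= self.ttl}

    def _learn(self, mac, port, now):
        # refresh the time stamp every time the sender is seen; when the table is
        # full, unknown senders are not learned (their frames are still switched,
        # and replies to them are flooded until an entry frees up)
        if mac in self.table or len(self.table) < self.max_entries:
            self.table[mac] = (port, now)

    def receive(self, frame, in_port, now):
        """Handle one frame arriving on in_port at time `now` (seconds).
        Returns the list of ports the frame is forwarded on."""
        self._drop_stale(now)
        self._learn(frame.src, in_port, now)            # learn the sender's location
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # flood all other ports
        out_port, _ = entry
        if out_port == in_port:
            return []            # same LAN segment as the sender: filter, do not forward
        return [out_port]        # forward to the learned segment only


def demo():
    """Constructed scenario: hosts A and C share a hub on port 1, host B is on port 2."""
    sw = LearningSwitch(ports=[1, 2, 3], ttl=3600)
    A, B, C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    return [
        sw.receive(Frame(A, B), in_port=1, now=0),      # B unknown: flood to ports 2 and 3
        sw.receive(Frame(B, A), in_port=2, now=1),      # A learned on port 1: forward there only
        sw.receive(Frame(A, B), in_port=1, now=2),      # B now known on port 2
        sw.receive(Frame(C, A), in_port=1, now=3),      # A is on C's own segment: filtered
        sw.receive(Frame(A, B), in_port=1, now=5000),   # B's entry aged out (> ttl): flood again
    ]


if __name__ == "__main__":
    print(demo())
```

The fifth frame is the point of the TTL rule: after 5000 seconds the entry for B (last refreshed at time 1) is gone, so the switch falls back to flooding until B speaks again, which is exactly the plug-and-play behaviour the comparison table credits switches with, at the cost of re-learning after quiet periods.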
Wireless network characteristics

Multiple wireless senders and receivers create additional problems (beyond multiple access):

Hidden terminal problem (A, B, C in a line, B in the middle)
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other
- means A, C unaware of their interference at B

Signal fading (A's and C's signal strengths fall off with distance, overlapping only at B)
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other, interfering at B

IEEE 802.11 Wireless LAN

- 802.11b
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code
  - widely deployed, using base stations
- 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
- 802.11g
  - 2.4-5 GHz range
  - up to 54 Mbps
- all use CSMA/CA for multiple access
- all have base-station and ad-hoc network versions

802.11 LAN architecture

- wireless host communicates with base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
- ad hoc mode: hosts only

(figure: BSS 1 and BSS 2, each with its own AP, joined by a hub, switch or router to the Internet)

IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff timer
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2

802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)






IEEE 80211 Wireless LAN

80211b 24-5 GHz unlicensed

radio spectrum up to 11 Mbps direct sequence

spread spectrum (DSSS) in physical layer

bull all hosts use same chipping code

widely deployed using base stations

80211a 5-6 GHz range up to 54 Mbps

80211g 24-5 GHz range up to 54 Mbps

All use CSMACA for multiple access

All have base-station and ad-hoc network versions

Page 101: 802.11 LAN architecture

A wireless host communicates with a base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell"): in infrastructure mode it contains the wireless hosts and the access point (AP, the base station); in ad hoc mode it contains hosts only

[Figure: two cells, BSS 1 and BSS 2, each with its own AP, joined through a hub, switch or router to the Internet]

Page 102: IEEE 802.11 MAC Protocol: CSMA/CA

802.11 sender:
1. If the channel is sensed idle for DIFS, transmit the entire frame (no collision detection)
2. If the channel is sensed busy:
   - start a random backoff timer
   - the timer counts down while the channel is idle (and freezes while it is busy)
   - transmit when the timer expires
   - if no ACK arrives, increase the random backoff interval and repeat step 2

802.11 receiver:
- if the frame is received OK, return an ACK after SIFS (a link-layer ACK is needed because the sender cannot detect collisions or corruption at the receiver: hidden terminals, fading)

[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]

Page 103: Collision Avoidance: RTS-CTS exchange

[Figure: stations A and B, both in range of the AP, each send a short RTS; the two RTS frames collide at the AP (a reservation collision, cheap because RTS frames are short). A's retransmitted RTS(A) gets through; the AP answers with CTS(A), which both A and B hear. B defers for the duration named in the CTS while A sends DATA(A) and the AP returns ACK(A).]
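The two slides above give the sender and receiver rules in words; the slot-level simulation below (an added example, not part of the lecture slides) runs two stations that cannot hear each other but both reach the AP through the basic access method and through RTS/CTS. All timing constants, the station names and the scripted backoff draws are constructed for the example; a real station draws its backoff uniformly from [0, CW] and the slot, SIFS and DIFS durations come from the PHY.

```python
"""CSMA/CA with and without RTS/CTS in a hidden-terminal topology.

Added example, not part of the lecture slides.  Stations A and B are both
in range of the AP but out of range of each other.  Time is in slots; the
timing constants below are chosen for readability, not the standard's
microsecond values.
"""
import random

SIFS, DIFS = 1, 3                                  # inter-frame spaces, in slots
RTS_LEN, CTS_LEN, ACK_LEN, DATA_LEN = 2, 2, 2, 12  # frame durations, in slots
CW_MIN, CW_MAX = 3, 31                             # contention window bounds


class Station:
    def __init__(self, name, backoffs):
        self.name = name
        self.backoffs = list(backoffs)   # scripted draws so a run is reproducible
        self.cw = CW_MIN
        self.backoff = 0                 # first attempt: send as soon as DIFS has elapsed
        self.idle_run = 0                # consecutive idle slots sensed
        self.nav_until = 0               # virtual carrier sense set from an overheard CTS
        self.transmitting = False
        self.expect = None               # (kind, last slot) of the response we wait for
        self.scheduled = None            # slot at which our DATA follows a received CTS
        self.done = False
        self.collisions = {"RTS": 0, "DATA": 0}

    def fail(self):
        """No CTS/ACK arrived: double the contention window, draw a new backoff."""
        self.cw = min(2 * self.cw + 1, CW_MAX)
        draw = self.backoffs.pop(0) if self.backoffs else random.randint(0, self.cw)
        self.backoff = min(draw, self.cw)
        self.expect = None
        self.idle_run = 0


def run(use_rts, backoffs_a, backoffs_b, max_slots=1000):
    """Deliver one DATA frame from each station to the AP; return how it went."""
    stations = [Station("A", backoffs_a), Station("B", backoffs_b)]
    txs = []                               # every transmission ever started
    ap_busy_until = -1

    def start(sender, kind, t, length, target=None):
        txs.append({"sender": sender, "kind": kind, "start": t, "end": t + length - 1,
                    "target": target, "corrupt": False})

    for t in range(max_slots):
        # 1. station decisions, based on what was sensed in earlier slots
        for s in stations:
            if s.done or s.transmitting or s.expect:
                continue
            if s.scheduled == t:
                s.scheduled, s.transmitting = None, True
                start(s, "DATA", t, DATA_LEN)
            elif s.scheduled is None and s.idle_run >= DIFS:
                if s.backoff > 0:
                    s.backoff -= 1               # count down one idle slot
                else:
                    s.transmitting = True
                    start(s, "RTS" if use_rts else "DATA", t, RTS_LEN if use_rts else DATA_LEN)
        active = [x for x in txs if x["start"] <= t <= x["end"]]
        # 2. the AP hears both stations and is half duplex: any overlap corrupts the frame
        if len(active) > 1:
            for x in active:
                if x["sender"] != "AP":
                    x["corrupt"] = True
        # 3. frames that end in this slot
        for x in active:
            if x["end"] != t:
                continue
            if x["sender"] == "AP":                      # CTS or ACK, heard by both stations
                for s in stations:
                    if s.transmitting:
                        continue                         # cannot receive while sending
                    if s is x["target"]:
                        s.expect = None
                        if x["kind"] == "CTS":
                            s.scheduled = t + SIFS + 1
                        else:
                            s.done = True
                    elif x["kind"] == "CTS":             # NAV covers the other station's DATA and ACK
                        s.nav_until = t + 1 + SIFS + DATA_LEN + SIFS + ACK_LEN
            else:
                s = x["sender"]
                s.transmitting = False
                resp, rlen = ("CTS", CTS_LEN) if x["kind"] == "RTS" else ("ACK", ACK_LEN)
                s.expect = (resp, t + SIFS + rlen)
                if x["corrupt"]:
                    s.collisions[x["kind"]] += 1         # the sender only learns this by timeout
                elif t + SIFS + 1 > ap_busy_until:
                    start("AP", resp, t + SIFS + 1, rlen, target=s)
                    ap_busy_until = t + SIFS + rlen
        # 4. physical (own and AP transmissions) and virtual (NAV) carrier sense
        for s in stations:
            busy = any(x["sender"] == "AP" or x["sender"] is s for x in active)
            s.idle_run = 0 if busy or t < s.nav_until else s.idle_run + 1
        # 5. response timeouts
        for s in stations:
            if s.expect and t > s.expect[1]:
                s.fail()
        if all(s.done for s in stations):
            return {"finished_at": t,
                    "rts_collisions": sum(s.collisions["RTS"] for s in stations),
                    "data_collisions": sum(s.collisions["DATA"] for s in stations)}
    raise RuntimeError("no delivery within max_slots")


if __name__ == "__main__":
    for use_rts in (False, True):
        print("RTS/CTS" if use_rts else "basic  ", run(use_rts, [2, 0], [6, 14]))
```

With the scripted draws [2, 0] for A and [6, 14] for B, the basic access method finishes at slot 79 after four DATA frames are lost to hidden-terminal collisions, while RTS/CTS finishes at slot 58 with only the first pair of short RTS frames lost: once the AP's CTS for A is on the air, B's NAV keeps it silent through A's DATA and ACK. The model also shows the limit of the reservation: a station whose backoff expires while the CTS is being sent never hears it (step 2 corrupts its RTS, step 3 skips it as a receiver), so RTS/CTS reduces but does not eliminate collisions.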

Page 104: 802.11 frame: addressing

Frame format (field sizes in bytes):

Field:  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC
Bytes:  2             | 2        | 6         | 6         | 6         | 2           | 6         | 0-2312  | 4

Address 1: MAC address of the wireless host or AP that is to receive this frame
Address 2: MAC address of the wireless host or AP transmitting this frame
Address 3: for a frame from a wireless host to its AP, the MAC address of the router interface to which the AP is attached (the destination on the wired side); in general, whichever of source, destination or BSSID is not already carried in addresses 1 and 2
Address 4: present only when both the To-DS and From-DS flags in the frame control field are set, i.e. for frames relayed between APs over a wireless distribution system; ad hoc (IBSS) frames carry three addresses

Page 105: 802.11 frame: addressing (continued)

[Figure: wireless host H1 sends to router interface R1 through the AP; the AP's wired side connects to the Internet router]

802.11 frame from H1 to the AP:
address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr

802.3 frame the AP forwards to R1:
dest address = R1 MAC addr, source address = H1 MAC addr (the AP bridges transparently, so the wired frame keeps H1's MAC as its source rather than the AP's)
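A worked parser for the frame layout and the address rules on the two slides above (an added example, not code from the lecture). It builds the station-to-AP data frame of the H1 to R1 case, recovers the logical addresses from the To-DS/From-DS flags (the same rule covers the AP-to-station, ad hoc and AP-to-AP layouts), verifies the FCS, and produces the Ethernet frame the AP forwards. The MAC addresses and the packet bytes are constructed; the LLC/SNAP encapsulation of the payload (RFC 1042), which is how an AP finds the EtherType for the wired frame, is assumed here rather than taken from the slides.

```python
"""Parse an IEEE 802.11 data frame and rebuild the Ethernet frame the AP
puts on the wired LAN.  Added example; addresses and payload are constructed."""
import struct
import zlib

H1 = bytes.fromhex("02000000aa01")           # wireless host (constructed, locally administered)
AP = bytes.fromhex("02000000bb01")           # access point (BSSID)
R1 = bytes.fromhex("02000000cc01")           # router interface on the wired side
LLC_SNAP = bytes.fromhex("aaaa03000000")     # RFC 1042 header preceding the EtherType
PACKET = b"constructed network-layer packet"  # stands in for an IP datagram
DATA_TYPE = 2                                 # frame-control type value for data frames


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(to_ds, from_ds, a1, a2, a3, body, a4=None, seq=0):
    """frame control(2) duration(2) addr1(6) addr2(6) addr3(6) seq ctl(2) [addr4(6)] body FCS(4).
    Frame control is sent little-endian: byte 0 = version/type/subtype, byte 1 = flags."""
    fc = bytes([DATA_TYPE << 2, (to_ds & 1) | ((from_ds & 1) << 1)])
    hdr = fc + struct.pack("<H", 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4)
    if to_ds and from_ds:
        if a4 is None:
            raise ValueError("address 4 is required when both DS flags are set")
        hdr += a4
    frame = hdr + body
    return frame + struct.pack("<I", zlib.crc32(frame))   # FCS: same CRC-32 as 802.3


def parse_data_frame(frame):
    """Return the logical addresses; their meaning depends on the To-DS/From-DS flags."""
    if len(frame) < 28:
        raise ValueError("truncated frame")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if fcs != zlib.crc32(body):
        raise ValueError("FCS mismatch")
    if ((body[0] >> 2) & 0x3) != DATA_TYPE:
        raise ValueError("not a data frame")
    to_ds, from_ds = body[1] & 1, (body[1] >> 1) & 1
    a1, a2, a3 = body[4:10], body[10:16], body[16:22]
    seq = struct.unpack("<H", body[22:24])[0] >> 4     # low 4 bits are the fragment number
    a4, off = (body[24:30], 30) if to_ds and from_ds else (None, 24)
    if not to_ds and not from_ds:      # ad hoc (IBSS): three addresses
        da, sa, bssid = a1, a2, a3
    elif to_ds and not from_ds:        # station -> AP (H1 -> R1 on the slide)
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:        # AP -> station
        da, bssid, sa = a1, a2, a3
    else:                              # AP -> AP over a wireless DS: a1/a2 are per-hop addresses
        da, sa, bssid = a3, a4, None
    return {"to_ds": to_ds, "from_ds": from_ds, "seq": seq,
            "da": da, "sa": sa, "bssid": bssid, "body": body[off:]}


def ap_forward_to_wire(frame):
    """Translate a station -> AP frame into the Ethernet frame sent towards the router.
    The AP bridges transparently: the wired frame keeps H1 as source, not the AP."""
    p = parse_data_frame(frame)
    if not p["to_ds"] or p["from_ds"]:
        raise ValueError("only station -> AP frames are bridged here")
    if not p["body"].startswith(LLC_SNAP):
        raise ValueError("expected LLC/SNAP encapsulation")
    ethertype, packet = p["body"][6:8], p["body"][8:]
    eth = p["da"] + p["sa"] + ethertype + packet
    return eth + struct.pack("<I", zlib.crc32(eth))


# The H1 -> R1 exchange from the slide, with a constructed IPv4 payload (EtherType 0x0800).
FRAME = build_data_frame(1, 0, AP, H1, R1, LLC_SNAP + b"\x08\x00" + PACKET, seq=7)

if __name__ == "__main__":
    p = parse_data_frame(FRAME)
    print("802.11: addr1=%s addr2=%s addr3=%s" % (mac(AP), mac(H1), mac(R1)))
    print("logical: DA=%s SA=%s BSSID=%s seq=%d"
          % (mac(p["da"]), mac(p["sa"]), mac(p["bssid"]), p["seq"]))
    eth = ap_forward_to_wire(FRAME)
    print("802.3:  dest=%s src=%s type=%s" % (mac(eth[:6]), mac(eth[6:12]), eth[12:14].hex()))
```

The check that matters when dissecting captures is the DS-flag dispatch: the same six bytes at offset 16 are the destination for a frame headed to the AP, the source for a frame coming from it, and the BSSID in ad hoc mode, so a tool that always reads address 3 as "the router" will mislabel two of the four layouts.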

Page 106: Network Security

What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
