Announcement Take-home final Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am Final should be returned by Thursday 3/17, 11:59am Closed Book One 8.5” by 11” sheet of paper permitted (single side) Cover network layer, data link layer and network security
Last class: CDMA and IEEE 802.11 wireless LANs; network security
Today: network security (cont.); review for final
What is network security?
Confidentiality: only sender, intended receiver should "understand" message contents; sender encrypts message, receiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message integrity: sender, receiver want to ensure message content not altered (in transit, or afterwards) without detection
Access and availability: services must be accessible and available to users
Q: how to agree on key in first place (particularly if never "met")?
Public key cryptography
Radically different approach [Diffie-Hellman76, RSA78]
Sender, receiver do not share secret key
Public encryption key known to all
Private decryption key known only to receiver
Public key cryptography
(Figure: plaintext message m → encryption algorithm keyed with Bob's public key $K_B^+$ → ciphertext $K_B^+(m)$ → decryption algorithm keyed with Bob's private key $K_B^-$ → plaintext message $m = K_B^-(K_B^+(m))$)
Public key encryption algorithms
Requirements:
1. Need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. Given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
Also: given $K_B^+(m)$ and $K_B^+(\cdot)$, it should be impossible to determine m
RSA: Choosing keys
1. Choose two large prime numbers p, q (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime")
4. Choose d such that ed - 1 is exactly divisible by z (in other words: ed mod z = 1)
5. Public key is (n, e) = $K_B^+$; private key is (n, d) = $K_B^-$
RSA: Encryption, decryption
0. Given (n, e) and (n, d) as computed above
1. To encrypt bit pattern m, compute $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by n)
2. To decrypt received bit pattern c, compute $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by n)
Magic happens! $m = (m^e \bmod n)^d \bmod n$
RSA example
Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z).
Encrypt:
letter | m  | m^e     | c = m^e mod n
l      | 12 | 1524832 | 17
Decrypt:
c  | c^d                                  | m = c^d mod n | letter
17 | 481968572106750915091411825223071697 | 12            | l
RSA: Why is that $m = (m^e \bmod n)^d \bmod n$?
Useful number theory result: if p, q prime and n = pq, then $x^y \bmod n = x^{\,y \bmod (p-1)(q-1)} \bmod n$
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{\,ed \bmod (p-1)(q-1)} \bmod n$ (using number theory result above)
$= m^1 \bmod n$ (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
$= m$
RSA: another important property
The following property will be very useful later:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
Use public key first, followed by private key; or use private key first, followed by public key: result is the same!
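The key choice, the l = 12 → 17 → 12 example and the commutativity property above, worked in Python. This is an added example, not code from the slides; the function names are mine, and keygen returns the smallest valid d (5), of which the slides' d = 29 = 5 + 24 is another valid choice.

```python
# Added example (not from the slides): RSA key setup, encryption and
# decryption with the slides' toy parameters p=5, q=7, e=5, plus the
# property K_B^-(K_B^+(m)) = K_B^+(K_B^-(m)) = m. Toy sizes only: real keys
# use ~1024-bit primes and padding, neither of which this sketch has.
from math import gcd


def rsa_keygen(p, q, e):
    """Slides' steps: n = pq, z = (p-1)(q-1), e relatively prime to z,
    d with e*d mod z == 1. Returns public key (n, e) and private key (n, d).
    Any d congruent to the returned one mod z also works (slides pick 29)."""
    n = p * q
    z = (p - 1) * (q - 1)
    if not (1 < e < n) or gcd(e, z) != 1:
        raise ValueError("e must lie in (1, n) and be relatively prime to z")
    d = pow(e, -1, z)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key, x):
    """x^exp mod n for key (n, exp): encryption with the public key,
    decryption with the private key; same primitive, keys swapped, is
    the 'other important property'."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(x, exp, n)


def letter_to_int(ch):
    """Slides' encoding: 'a' -> 1, ..., 'l' -> 12, ..., 'z' -> 26."""
    return ord(ch) - ord("a") + 1


def int_to_letter(x):
    return chr(x - 1 + ord("a"))


def rsa_roundtrip(p, q, e, plaintext):
    """Encrypt letter by letter and decrypt again.
    Returns (list of ciphertext integers, recovered text). Note that equal
    letters give equal ciphertexts: textbook RSA is deterministic."""
    pub, priv = rsa_keygen(p, q, e)
    cipher = [rsa_apply(pub, letter_to_int(ch)) for ch in plaintext]
    recovered = "".join(int_to_letter(rsa_apply(priv, c)) for c in cipher)
    return cipher, recovered


def commutes(p, q, e, m):
    """True if private-then-public and public-then-private both give m."""
    pub, priv = rsa_keygen(p, q, e)
    return rsa_apply(priv, rsa_apply(pub, m)) == m == rsa_apply(pub, rsa_apply(priv, m))


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 7, 5)
    print(pub, priv)                    # (35, 5) (35, 5)
    print(rsa_apply(pub, 12))           # 17, as in the slides' table
    print(rsa_apply((35, 29), 17))      # 12, with the slides' d = 29
    print(rsa_roundtrip(5, 7, 5, "hello"))
```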
Overview
What is network security? Principles of cryptography; Authentication; Access control: firewalls; Attacks and countermeasures
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice")
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address ("I am Alice", Alice's IP address)
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Exchange: Alice → Bob: "I'm Alice", Alice's IP addr, Alice's password; Bob → Alice: OK, Alice's IP addr
Failure scenario: playback attack: Trudy records Alice's packet and later plays it back to Bob ("I'm Alice", Alice's IP addr, Alice's password), and Bob again answers OK
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Exchange: Alice → Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob → Alice: OK, Alice's IP addr
Failure scenario: record and playback still works: Trudy replays "I'm Alice", Alice's IP addr, encrypted password
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce R; Alice must return R, encrypted with shared secret key
Exchange: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: $K_{A\text{-}B}(R)$
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
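Bob's side of ap4.0 as a small verifier, run through the live case and the playback case from the ap3.0 slides. This is an added example, not code from the slides; Verifier, prove and ap40_scenarios are my names, and it assumes an HMAC over R in place of the slides' encryption of R with $K_{A\text{-}B}$ (both can only be produced by a holder of the shared key).

```python
# Added example, not part of the slides: Bob issues a fresh nonce R for every
# "I am Alice" and consumes it on the first response, so the record-and-
# playback that breaks ap3.0/ap3.1 fails. Assumption: the response is
# HMAC-SHA256(K_A-B, R) rather than the slides' K_A-B(R); it serves the same
# purpose here (only a key holder can compute it) and is what practice uses.
import hashlib
import hmac
import secrets


def prove(shared_key: bytes, nonce: bytes) -> bytes:
    """Alice's reply: bind the shared secret to Bob's nonce."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class Verifier:
    """Bob: at most one outstanding nonce per claimed identity; the nonce is
    removed as soon as any response to it is checked (used only once)."""

    def __init__(self, shared_keys):
        self.keys = dict(shared_keys)     # identity -> K_A-B
        self.outstanding = {}             # identity -> nonce R awaiting reply

    def challenge(self, identity: str) -> bytes:
        """'I am Alice' arrived: answer with a fresh, unpredictable R."""
        r = secrets.token_bytes(16)
        self.outstanding[identity] = r
        return r

    def verify(self, identity: str, response: bytes) -> bool:
        key = self.keys.get(identity)
        r = self.outstanding.pop(identity, None)
        if key is None or r is None:      # unknown identity or no live challenge
            return False
        return hmac.compare_digest(prove(key, r), response)


def ap40_scenarios():
    """The slides' two situations: a live Alice, then Trudy replaying the
    recorded reply. Returns (live_accepted, replay_accepted)."""
    key = b"constructed-shared-key-K_A-B"     # constructed sample key
    bob = Verifier({"Alice": key})

    r = bob.challenge("Alice")               # Alice: "I am Alice"; Bob: R
    recorded = prove(key, r)                 # Alice: K_A-B(R); Trudy records it
    live_accepted = bob.verify("Alice", recorded)

    bob.challenge("Alice")                   # Trudy: "I am Alice"; Bob: new R
    replay_accepted = bob.verify("Alice", recorded)   # stale reply rejected
    return live_accepted, replay_accepted


if __name__ == "__main__":
    print(ap40_scenarios())   # (True, False)
```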
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
Exchange: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: $K_A^-(R)$; Bob → Alice: "send me your public key"; Alice → Bob: $K_A^+$
Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Between Trudy and Bob: "I am Alice"; Bob → Trudy: R; Trudy → Bob: $K_T^-(R)$; Bob → Trudy: "send me your public key"; Trudy → Bob: $K_T^+$
Between Alice and Trudy: "I am Alice"; Trudy → Alice: R; Alice → Trudy: $K_A^-(R)$; Trudy → Alice: "send me your public key"; Alice → Trudy: $K_A^+$
Bob → Trudy: $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$ and sends m to Alice encrypted with Alice's public key, $K_A^+(m)$; Alice gets $m = K_A^-(K_A^+(m))$
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!
Overview
What is network security? Principles of cryptography; Authentication; Access control: firewalls; Attacks and countermeasures
Firewalls
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
(Figure: administered network, firewall, public Internet)
Firewalls: Why?
Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
Prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
Allow only authorized access to inside network (set of authenticated users/hosts)
Two types of firewalls: application-level, packet-filtering
Packet Filtering
Internal network connected to Internet via router firewall
Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
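The two examples as rules of a stateless packet filter, evaluated over constructed packets. This is an added example, not code from the slides; Packet, filter_packet and the sample addresses are mine, and Example 1 is coded as the stated effect (every UDP datagram and every port-23 segment dropped).

```python
# Added example, not part of the slides: a stateless packet filter with the
# slides' two examples as deny rules, run over constructed sample packets.
# Example 2 drops inbound TCP segments with SYN set and ACK clear, so
# connections opened from outside fail while the SYN-ACK that answers an
# internally opened connection is still let in.
from dataclasses import dataclass

TCP, UDP = 6, 17      # IP protocol field values
TELNET = 23


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" from the public Internet, "out" from inside
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0
    syn: bool = False
    ack: bool = False


def deny_udp(p):
    return p.proto == UDP


def deny_telnet(p):
    return p.proto in (TCP, UDP) and TELNET in (p.src_port, p.dst_port)


def deny_inbound_syn(p):
    # bare SYN = new connection attempt from outside; SYN+ACK answers a
    # connection an inside host opened and must be forwarded
    return p.direction == "in" and p.proto == TCP and p.syn and not p.ack


RULES = [
    ("example 1: UDP", deny_udp),
    ("example 1: telnet", deny_telnet),
    ("example 2: inbound SYN", deny_inbound_syn),
]


def filter_packet(p, rules=RULES):
    """First matching deny rule wins; default action is forward.
    Returns ("drop", rule_name) or ("forward", None)."""
    for name, matches in rules:
        if matches(p):
            return "drop", name
    return "forward", None


def filter_trace(packets, rules=RULES):
    """Decision per packet, in order."""
    return [filter_packet(p, rules)[0] for p in packets]


# Constructed sample traffic (addresses from the documentation ranges).
SAMPLE = [
    Packet("in", TCP, "203.0.113.5", "10.0.0.7", 40000, 80, syn=True),            # outside opens to inside web
    Packet("out", TCP, "10.0.0.7", "203.0.113.5", 40001, 80, syn=True),           # inside opens to outside web
    Packet("in", TCP, "203.0.113.5", "10.0.0.7", 80, 40001, syn=True, ack=True),  # SYN-ACK back to inside
    Packet("in", TCP, "203.0.113.5", "10.0.0.7", 80, 40001, ack=True),            # data on that connection
    Packet("out", TCP, "10.0.0.7", "203.0.113.5", 40002, TELNET, syn=True),       # telnet out
    Packet("in", UDP, "203.0.113.5", "10.0.0.7", 53, 33000),                      # DNS reply over UDP
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.direction, p.proto, p.src_port, p.dst_port, filter_packet(p))
```

The last sample packet shows the all-or-nothing treatment of UDP that the limitations slide mentions: a DNS reply is discarded along with everything else carrying protocol 17.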
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields
Example: allow select internal users to telnet outside
(Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter)
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host; gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing: router can't know if data "really" comes from claimed source
If multiple apps need special treatment, each has own app gateway
Client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
Filters often use all or nothing policy for UDP
Tradeoff: degree of communication with outside world, level of security
Many highly protected sites still suffer from attacks
Overview
What is network security? Principles of cryptography; Authentication; Access control: firewalls; Attacks and countermeasures
Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on network; use ping to determine what hosts have addresses on network; port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Mapping countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats: packet sniffing
Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g., passwords); e.g., C sniffs B's packets
(Figure: hosts A, B, C on a shared segment; frame src:B dest:A payload)
Countermeasures?
Packet sniffing countermeasures: all hosts in organization run software that checks periodically if host interface in promiscuous mode; one host per segment of broadcast media (switched Ethernet at hub)
Internet security threats: IP spoofing
Can generate "raw" IP packets directly from application, putting any value into IP source address field
Receiver can't tell if source is spoofed; e.g., C pretends to be B
(Figure: hosts A, B, C; frame src:B dest:A payload, sent by C)
Countermeasures?
IP spoofing: ingress filtering: routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
Great, but ingress filtering can not be mandated for all networks
Internet security threats: denial of service (DoS)
Flood of maliciously generated packets "swamp" receiver
Distributed DoS (DDoS): multiple coordinated sources swamp receiver; e.g., C and remote host SYN-attack A
(Figure: SYN packets from C and a remote host flooding A)
Countermeasures?
Denial of service (DoS) countermeasures: filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad; traceback to source of floods (most likely an innocent, compromised machine)
Review (1): Network Layer
Virtual circuits and datagram networks; routing principles
• Link state algorithm
• Distance vector algorithm
The Internet (IP) protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation
Data link layer
Introduction and services; error detection and correction; multiple access protocols
• TDMA/FDMA
• Random access protocols
• "Taking turns" protocols
Link-layer addressing; Ethernet; hubs and switches; mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network security
What is network security? Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's algorithm
Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N'
Dijkstra's algorithm: example
Step | N'     | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux     | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
(Figure: six-node graph u, v, w, x, y, z with link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5)
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
$D_x(y) \leftarrow \min_v\{c(x,v) + D_v(y)\}$ for each node $y \in N$
Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$
Distance vector algorithm (2)
Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor)
Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance
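Both routing approaches on the six-node example from the Dijkstra table above: the slide's Dijkstra loop, reproducing the table's final D(v), p(v) values, and a synchronous Bellman-Ford (distance vector) iteration on the same graph, which reaches the same least costs from u while only ever knowing next hops. This is an added example, not code from the slides; the link costs u-v 2, u-x 1, u-w 5, x-w 3, x-y 1, y-w 1, y-z 2 follow from the table, while v-x 2, v-w 3 and w-z 5 are assumed from the figure and shorten no path.

```python
# Added example, not part of the slides: link-state (Dijkstra) and
# distance-vector (Bellman-Ford) computations on the slides' example graph.
import math

GRAPH = {                      # undirected link costs c(a,b)
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def neighbours(graph):
    """Adjacency map node -> {neighbour: cost} from the undirected edge list."""
    adj = {}
    for (a, b), c in graph.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(graph, source):
    """The slide's loop. Returns (D, p, steps): D[v] least cost from source,
    p[v] predecessor on that path, steps = N' after each iteration (the
    table's N' column)."""
    adj = neighbours(graph)
    N = [source]                                        # N' = {u}
    D = {v: adj[source].get(v, math.inf) for v in adj}  # c(u,v) or infinity
    D[source] = 0
    p = {v: source for v in adj[source]}
    steps = ["".join(N)]
    while len(N) < len(adj):
        # find w not in N' with minimum D(w); the tie at step 2 (v and y both
        # cost 2) is broken alphabetically here, the slide's table picks y
        w = min((v for v in adj if v not in N), key=lambda v: (D[v], v))
        N.append(w)
        for v, c in adj[w].items():                     # update neighbours of w
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        steps.append("".join(N))
    return D, p, steps


def distance_vector(graph, max_rounds=20):
    """Synchronous Bellman-Ford: each round every node x recomputes
    D_x(y) = min_v { c(x,v) + D_v(y) } from the vectors its neighbours sent
    in the previous round. Returns (D, rounds): D[x][y] is x's estimate and
    rounds is how many exchanges it took before no vector changed."""
    adj = neighbours(graph)
    nodes = sorted(adj)
    D = {x: {y: 0 if x == y else adj[x].get(y, math.inf) for y in nodes}
         for x in nodes}
    for rnd in range(1, max_rounds + 1):
        new = {x: {y: 0 if x == y else min(c + D[v][y] for v, c in adj[x].items())
                   for y in nodes} for x in nodes}
        if new == D:                    # nothing changed: converged
            return D, rnd - 1
        D = new
    return D, max_rounds


def next_hop(graph, x, y):
    """What a DV router actually stores: the neighbour v minimising
    c(x,v) + D_v(y), from the converged vectors (ties broken by name)."""
    adj = neighbours(graph)
    D, _ = distance_vector(graph)
    return min(adj[x], key=lambda v: (adj[x][v] + D[v][y], v))


if __name__ == "__main__":
    D, p, steps = dijkstra(GRAPH, "u")
    print(steps, D, p)
    print(distance_vector(GRAPH)[0]["u"], next_hop(GRAPH, "u", "z"))
```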
Data link layer: some terminology
Hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
Layer-2 packet is a frame, encapsulates datagram
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link layer services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest
• different from IP address!
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)!; seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates
• Q: why both link-level and end-end reliability?
MAC protocols: a taxonomy
Three broad classes:
Channel partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel partitioning MAC protocols: TDMA
TDMA: time division multiple access; access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization
Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
Prob that node 1 has success in a slot $= p(1-p)^{N-1}$
Prob that there is a success $= Np(1-p)^{N-1}$
For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$
For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, gives $1/e = .37$
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
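The maximisation the slide asks for, carried through (an added derivation, not from the slides), with $p^*$ the optimum and $N$ the number of nodes:

$$
\frac{d}{dp}\left[Np(1-p)^{N-1}\right] = N(1-p)^{N-2}\left[(1-p) - (N-1)p\right] = N(1-p)^{N-2}\,(1 - Np),
$$

which vanishes at $p^* = 1/N$, so the best per-slot success probability is

$$
Np^*(1-p^*)^{N-1} = \left(1 - \frac{1}{N}\right)^{N-1} \xrightarrow[N \to \infty]{} \frac{1}{e} \approx 0.37 .
$$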
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy, defer transmission.
Human analogy: don't interrupt others!
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission
Collision: entire packet transmission time wasted
(Figure: spatial layout of nodes)
Note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
Collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting
(Figure: CSMA/CD collision detection)
"Taking turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (host, router) on LAN has ARP table
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
(Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)
ARP protocol: same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source host, find router 111.111.111.110; in ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
A creates datagram with source A, destination B; A uses ARP to get R's MAC address for 111.111.111.110; A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram; A's adapter sends frame; R's adapter receives frame; R removes IP datagram from Ethernet frame, sees it's destined to B; R uses ARP to get B's MAC address; R creates frame containing A-to-B IP datagram, sends to B
(Figure: A, R, B)
Ethernet uses CSMA/CD
No slots
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
First collision: choose K from {0,1}; delay is K·512 bit transmission times
After second collision: choose K from {0,1,2,3}…
After ten collisions, choose K from {0,1,2,3,4,…,1023}
CSMA/CD efficiency
$t_{prop}$ = max prop delay between 2 nodes in LAN
$t_{trans}$ = time to transmit max-size frame
$\text{efficiency} = \dfrac{1}{1 + 5\,t_{prop}/t_{trans}}$
Efficiency goes to 1 as $t_{prop}$ goes to 0
Goes to 1 as $t_{trans}$ goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality
• can disconnect a malfunctioning adapter
(Figure: twisted pair links to a hub)
Interconnecting with hubs
Pros: enables interdepartmental communication; extends max distance btw nodes; if a hub malfunctions, the backbone hub can disconnect it
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs
(Figure: hubs interconnected through a backbone hub)
Switch: link layer device
Stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent: hosts are unaware of presence of switches
Plug-and-play, self-learning: switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
(Figure: switch with interfaces 1, 2, 3, each leading to a hub)
Self learning
A switch has a switch table; entry in switch table: (MAC address, interface, time stamp); stale entries in table dropped (TTL can be 60 min)
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table
Switch: traffic isolation
Switch installation breaks subnet into LAN segments
Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
(Figure: switch connected to three hubs, each hub a separate collision domain)
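The self-learning and filtering behaviour of the two slides above, driven by a constructed frame trace. This is an added example, not code from the slides; LearningSwitch and demo are my names, the MAC addresses are the ones from the ARP figure, and the switch has three interfaces with A behind interface 1 and B, C sharing a hub on interface 2.

```python
# Added example, not part of the slides: a self-learning switch table. For
# each frame the switch records the sender's (MAC address, interface, time
# stamp), forwards selectively when the destination has been learned, floods
# when it has not, and filters the frame when source and destination sit on
# the same segment. Entries older than the TTL (slide: can be 60 min) are
# dropped before each lookup.
class LearningSwitch:
    def __init__(self, num_interfaces, ttl_seconds=3600):
        self.interfaces = list(range(1, num_interfaces + 1))
        self.ttl = ttl_seconds
        self.table = {}               # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        self.table = {mac: (iface, ts) for mac, (iface, ts) in self.table.items()
                      if now - ts < self.ttl}

    def handle(self, src, dst, in_iface, now):
        """Process one frame; returns the list of interfaces it goes out on."""
        self._drop_stale(now)
        self.table[src] = (in_iface, now)          # learn sender location
        entry = self.table.get(dst)
        if entry is None:                           # unknown: flood all others
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:                   # same segment: filter
            return []
        return [out_iface]                          # selective forwarding


def demo():
    """Constructed trace: A on interface 1, B and C on a hub at interface 2.
    Returns the forwarding decision for each frame, in order."""
    sw = LearningSwitch(3)
    A, B, C = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"
    return [
        sw.handle(A, B, 1, now=0),      # B unknown: flood to 2 and 3
        sw.handle(B, A, 2, now=1),      # A learned on 1: forward to 1 only
        sw.handle(A, B, 1, now=2),      # B learned on 2: forward to 2 only
        sw.handle(C, B, 2, now=3),      # C and B on the same hub: filtered
        sw.handle(A, B, 1, now=4000),   # B's entry expired: flood again
    ]


if __name__ == "__main__":
    print(demo())   # [[2, 3], [1], [2], [], [2, 3]]
```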
Switches vs. routers
Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Q: how to agree on key in first place (particularly if never "met")?

Public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do not share secret key
- public encryption key known to all
- private decryption key known only to receiver

Public key cryptography
Figure: plaintext message m -> encryption algorithm (with Bob's public key K_B+) -> ciphertext K_B+(m) -> decryption algorithm (with Bob's private key K_B-) -> plaintext message m = K_B-(K_B+(m))

Public key encryption algorithms
Requirements:
1. need K_B+( ) and K_B-( ) such that K_B-(K_B+(m)) = m
2. given public key K_B+, it should be impossible to compute private key K_B-
Also: given K_B+ and K_B+(m), it should be impossible to determine m.

RSA: Choosing keys
1. Choose two large prime numbers p, q (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime")
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1)
5. Public key is (n,e). Private key is (n,d).
   K_B+ = (n,e), K_B- = (n,d)

RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern m, compute c = m^e mod n (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern c, compute m = c^d mod n (i.e., remainder when c^d is divided by n)
Magic happens: m = (m^e mod n)^d mod n

RSA example
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime)
d=29 (so ed-1 exactly divisible by z)
encrypt: letter l, m = 12, m^e = 248832, c = m^e mod n = 17
decrypt: c = 17, c^d = 481968572106750915091411825223071697, m = c^d mod n = 12, letter l

RSA: Why is that m = (m^e mod n)^d mod n ?
Useful number theory result: If p, q prime and n = pq, then x^y mod n = x^(y mod (p-1)(q-1)) mod n
(m^e mod n)^d mod n = m^(ed) mod n
  = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
  = m^1 mod n   (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
  = m

RSA: another important property
The following property will be very useful later:
K_B-(K_B+(m)) = m = K_B+(K_B-(m))
use public key first, followed by private key; or use private key first, followed by public key: result is the same!
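The RSA slides above (key choice, encryption/decryption, the worked p=5, q=7 example, the "why it works" identity and the commuting property), as an added example that is not part of the lecture slides; key-generation and helper names are this example's own, and the toy sizes are only for checking the slide's numbers.

```python
"""Added example (not from the slides): RSA key setup, encryption and
decryption with the slide's toy numbers (p=5, q=7, e=5, d=29), plus checks
of the 'why it works' identity and the K-(K+(m)) == K+(K-(m)) property.
Toy sizes only; the slide's real recommendation is ~1024-bit primes."""
from math import gcd

def rsa_keygen(p, q, e):
    """Steps 1-5 of 'RSA: Choosing keys': n = pq, z = (p-1)(q-1), e < n
    coprime to z, and d with ed mod z = 1. Returns ((n, e), (n, d))."""
    n, z = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, z) == 1):
        raise ValueError("e must be < n and relatively prime to z")
    d = pow(e, -1, z)          # modular inverse of e mod z: the smallest valid d
    return (n, e), (n, d)

def valid_private_exponent(d, e, z):
    """The slide's condition on d: ed - 1 exactly divisible by z.
    The slide's d=29 satisfies it for e=5, z=24 (and so does d=5)."""
    return (e * d - 1) % z == 0

def rsa_encrypt(m, public):
    n, e = public
    return pow(m, e, n)        # c = m^e mod n

def rsa_decrypt(c, private):
    n, d = private
    return pow(c, d, n)        # m = c^d mod n

def letter_to_int(ch):
    """Slide encoding: a=1, ..., l=12, ..., z=26."""
    return ord(ch.lower()) - ord("a") + 1

def exponent_reduction_holds(x, y, p, q):
    """Number theory result used on the slide, for n = pq and y mod z >= 1:
    x^y mod n == x^(y mod (p-1)(q-1)) mod n."""
    n, z = p * q, (p - 1) * (q - 1)
    return pow(x, y, n) == pow(x, y % z, n)

def commutes(m, public, private):
    """'Another important property': K-(K+(m)) == m == K+(K-(m))."""
    return (rsa_decrypt(rsa_encrypt(m, public), private) == m
            == rsa_encrypt(rsa_decrypt(m, private), public))

if __name__ == "__main__":
    public, private = rsa_keygen(5, 7, 5)          # ((35, 5), (35, 5))
    slide_private = (35, 29)                       # the slide's choice of d
    c = rsa_encrypt(letter_to_int("l"), public)    # 17
    print(public, private, c, rsa_decrypt(c, slide_private))
```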
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures

Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice")

Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address (Alice's IP address, "I am Alice")

Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
  Alice -> Bob: Alice's IP addr, Alice's password, "I'm Alice"
  Bob -> Alice: Alice's IP addr, OK
Failure scenario: playback attack: Trudy records Alice's packet and later plays it back to Bob
  Trudy -> Bob: Alice's IP addr, Alice's password, "I'm Alice"

Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
  Alice -> Bob: Alice's IP addr, encrypted password, "I'm Alice"
  Bob -> Alice: Alice's IP addr, OK
Failure scenario: record and playback still works!
  Trudy -> Bob: Alice's IP addr, encrypted password, "I'm Alice"
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_A-B(R)
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
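Protocol ap4.0 as a small simulation, showing why the recorded reply that defeated ap3.1 no longer works; this is an added example, not the slides' code. The slide has Alice encrypt R under the shared key K_A-B; here the keyed transformation is HMAC-SHA256 instead (a substitution, labeled as such), and the key value is constructed.

```python
"""Added example (not from the slides): challenge-response authentication
(ap4.0). Bob issues a fresh nonce R per attempt; Alice returns a keyed
transformation of R that only a holder of the shared key can compute.
HMAC-SHA256 stands in for 'R encrypted with the shared secret key'."""
import hashlib
import hmac
import secrets

K_AB = b"constructed-shared-secret-for-this-example"   # constructed value

def keyed_response(key, nonce):
    """Alice's reply to a nonce: the keyed function of R (here an HMAC)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Bob:
    def __init__(self, key):
        self.key = key
        self.outstanding = {}      # nonce -> claimed identity; each used once

    def challenge(self, claimed_name):
        """Step 2: send a fresh, never-reused nonce R."""
        r = secrets.token_bytes(16)
        self.outstanding[r] = claimed_name
        return r

    def verify(self, r, response):
        """Step 3: accept only the correct response to a nonce Bob issued
        and has not already consumed."""
        if r not in self.outstanding:
            return False           # unknown, or already used, nonce
        del self.outstanding[r]    # a nonce is used only once
        expected = keyed_response(self.key, r)
        return hmac.compare_digest(response, expected)

def honest_run(bob, key):
    """Alice answers Bob's nonce with the shared key; returns (accepted, transcript)."""
    r = bob.challenge("Alice")
    resp = keyed_response(key, r)
    return bob.verify(r, resp), (r, resp)

def replay_run(bob, recorded):
    """Trudy claims 'I am Alice'; Bob sends a new nonce R'; all Trudy can do is
    replay the response recorded for the old R, which Bob rejects."""
    _old_r, old_resp = recorded
    r_new = bob.challenge("Alice")
    return bob.verify(r_new, old_resp)

if __name__ == "__main__":
    bob = Bob(K_AB)
    accepted, transcript = honest_run(bob, K_AB)
    print("Alice accepted:", accepted)                   # True
    print("replay accepted:", replay_run(bob, transcript))  # False
```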
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_A-(R)
  Bob -> Alice: "send me your public key"
  Alice -> Bob: K_A+
Bob computes K_A+(K_A-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A+(K_A-(R)) = R

ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
  Alice -> Trudy: "I am Alice"                Trudy -> Bob: "I am Alice"
  Trudy -> Alice: R                           Bob -> Trudy: R
  Alice -> Trudy: K_A-(R)                     Trudy -> Bob: K_T-(R)
  Trudy -> Alice: "Send me your public key"   Bob -> Trudy: "Send me your public key"
  Alice -> Trudy: K_A+                        Trudy -> Bob: K_T+
  Bob -> Trudy: K_T+(m)
  Trudy gets m = K_T-(K_T+(m)), sends m to Alice encrypted with Alice's public key: K_A+(m)
  Alice gets m = K_A-(K_A+(m))

ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
- Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
- problem is that Trudy receives all messages as well!

Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures

Firewalls
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
Figure: administered network | firewall | public Internet

Firewalls: Why
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
Two types of firewalls: application-level, packet-filtering

Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
- Should arriving packet be allowed in? Departing packet let out?

Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
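The two packet-filtering examples above as a stateless filter over the header fields the slide lists, run on constructed packets; an added example, not the slides' own. Example 1 is read as the slide's explanation states it (UDP blocked, port 23 blocked), and "inbound TCP SYN packets" is taken to mean SYN set and ACK clear, the first segment of a connection (an assumption).

```python
"""Added example (not from the slides): a stateless packet filter with the
slide's Example 1 and Example 2 rules, applied to constructed packets."""
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str       # "in" (arriving) or "out" (departing)
    proto: int           # IP protocol field: 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: int = 0    # TCP/UDP ports; 0 when the protocol has none
    dst_port: int = 0
    syn: bool = False    # TCP flag bits
    ack: bool = False

def rule_example1(pkt):
    """Block all UDP (protocol 17) and anything with port 23 (telnet), both directions."""
    return pkt.proto == 17 or pkt.src_port == 23 or pkt.dst_port == 23

def rule_example2(pkt):
    """Block inbound TCP connection requests: SYN set, ACK clear (assumption).
    Replies to connections opened from inside carry ACK, so they pass."""
    return pkt.direction == "in" and pkt.proto == 6 and pkt.syn and not pkt.ack

RULES = [rule_example1, rule_example2]

def decide(pkt, rules=RULES):
    """Drop if any rule matches, else forward."""
    return "drop" if any(rule(pkt) for rule in rules) else "forward"

# Constructed sample traffic with the expected decision in each comment.
SAMPLE = [
    Packet("in", 17, 53, 40000),                     # UDP reply: drop (Example 1)
    Packet("out", 6, 40001, 23, syn=True),           # telnet out: drop (Example 1)
    Packet("in", 6, 40002, 80, syn=True),            # outside client SYN: drop (Example 2)
    Packet("out", 6, 40003, 80, syn=True),           # inside client opens: forward
    Packet("in", 6, 80, 40003, syn=True, ack=True),  # SYN-ACK back in: forward
    Packet("in", 1),                                 # ICMP: forward
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(decide(pkt), pkt)
```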
Application gateways
- filters packets on application data as well as on IP/TCP/UDP fields
- Example: allow select internal users to telnet outside
Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.

Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple apps need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all-or-nothing policy for UDP
- tradeoff: degree of communication with outside world vs. level of security
- many highly protected sites still suffer from attacks

Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures

Internet security threats
Mapping:
- before attacking: "case the joint" – find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?

Internet security threats
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
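The mapping countermeasure above (record entering traffic, look for ports being scanned sequentially) as detection logic run over a constructed connection log; an added example, not part of the slides. The log format, addresses and the threshold of four consecutive ports are this example's assumptions.

```python
"""Added example (not from the slides): flag sources that probe consecutive
ports on one destination, from recorded connection attempts. The log format
and all addresses are constructed for this example."""
from collections import defaultdict

# Constructed sample log: "<time> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 -> 10.0.0.20:22
10:00:01 10.0.0.5 -> 10.0.0.20:23
10:00:02 10.0.0.5 -> 10.0.0.20:24
10:00:02 10.0.0.5 -> 10.0.0.20:25
10:00:03 10.0.0.5 -> 10.0.0.20:26
10:00:03 10.0.0.7 -> 10.0.0.20:80
10:00:04 10.0.0.7 -> 10.0.0.20:443
10:00:05 10.0.0.9 -> 10.0.0.21:80
"""

def parse_log(text):
    """Yield (src, dst, port) for each non-empty line of the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, src, _arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield src, dst, int(port)

def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers, in arrival order."""
    if not ports:
        return 0
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_scanners(text, min_run=4):
    """Return {(src, dst): run_length} for (source, destination) pairs whose
    probes hit at least min_run consecutive ports in sequence."""
    per_pair = defaultdict(list)
    for src, dst, port in parse_log(text):
        per_pair[(src, dst)].append(port)
    flagged = {}
    for pair, ports in per_pair.items():
        run = longest_sequential_run(ports)
        if run >= min_run:
            flagged[pair] = run
    return flagged

if __name__ == "__main__":
    for (src, dst), run in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan: {src} probed {run} sequential ports on {dst}")
```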
Internet security threats
Packet sniffing:
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g.: C sniffs B's packets
Figure: hosts A, B, C on a shared segment; the frame (src:B, dest:A, payload) is seen by C
Countermeasures?

Internet security threats
Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)

Internet security threats
IP Spoofing:
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
Figure: hosts A, B, C; C sends a frame with src:B, dest:A, payload
Countermeasures?

Internet security threats
IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
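The ingress-filtering rule above as a router-side check using Python's standard ipaddress module; an added example, not from the slides. The address block is constructed, and the block goes one step beyond the slide by also dropping arriving datagrams that claim an inside source, which a border router can reject on the same grounds.

```python
"""Added example (not from the slides): ingress filtering at a border router.
Outgoing datagrams must carry a source address inside the router's own
network; arriving datagrams must not. The network block is constructed."""
import ipaddress

# Constructed: the address block assigned to the network behind this router.
INSIDE_NET = ipaddress.ip_network("203.0.113.0/24")

def ingress_filter(src, direction, inside_net=INSIDE_NET):
    """Return 'forward' or 'drop' for a datagram with source address src.
    direction is 'out' (leaving the network) or 'in' (arriving from outside)."""
    addr = ipaddress.ip_address(src)
    inside = addr in inside_net
    if direction == "out":
        return "forward" if inside else "drop"   # the slide's rule
    if direction == "in":
        return "drop" if inside else "forward"   # inside source from outside: spoofed
    raise ValueError("direction must be 'in' or 'out'")

def filter_batch(datagrams, inside_net=INSIDE_NET):
    """Apply ingress_filter to (src, direction) pairs; return those dropped."""
    return [(src, d) for src, d in datagrams
            if ingress_filter(src, d, inside_net) == "drop"]

# Constructed sample: one legitimate and one spoofed datagram per direction.
SAMPLE = [
    ("203.0.113.7", "out"),    # inside host leaving: forward
    ("198.51.100.9", "out"),   # outside source leaving: drop (spoofed)
    ("203.0.113.7", "in"),     # inside address arriving from outside: drop
    ("198.51.100.9", "in"),    # outside host arriving: forward
]

if __name__ == "__main__":
    for src, direction in SAMPLE:
        print(direction, src, ingress_filter(src, direction))
```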
Internet security threats
Denial of service (DOS):
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
Figure: C and a remote host send a flood of SYN segments to A
Countermeasures?

Internet security threats
Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)

Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
- The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation

Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3)
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks

Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
    else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
Figure: example graph over nodes u, v, w, x, y, z (edge cost labels as extracted: 2, 2, 1, 3, 1, 1, 2, 5, 3, 5)
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) }  for each node y ∈ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)

Distance Vector Algorithm (2)
- Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
- Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
- The algorithm doesn't know the entire path – only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor), then update

Intra-AS vs. Inter-AS routing
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
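Both review routing algorithms, Dijkstra's link-state algorithm (the pseudocode and worked table above) and the distance vector algorithm (the B-F update), run on the same six-node graph of the Dijkstra example; an added example, not from the slides. The edge costs are reconstructed from the figure labels and the table, the graph and function names are this example's own, and the distance vector run is synchronous (all nodes update each round) rather than the asynchronous exchange the slide describes.

```python
"""Added example (not from the slides): Dijkstra (link state) and the
distance vector algorithm (Bellman-Ford updates) on the example graph.
Edge costs are reconstructed from the figure labels and the table."""
INF = float("inf")

# Undirected graph as an adjacency dict, reconstructed: c(u,v) == c(v,u).
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}

def dijkstra(graph, source):
    """Link state: the whole topology is known. Returns (D, p, steps): least
    cost D(v), predecessor p(v), and N after each step (the table's N column).
    Ties on D(w) are broken by node name, so steps 2 and 3 add v before y
    where the table picked y first; the final D and p agree with the table."""
    D = {v: INF for v in graph}
    p = {v: None for v in graph}
    N = [source]                     # Initialization: N = {u}
    D[source] = 0
    for v, cost in graph[source].items():
        D[v], p[v] = cost, source    # D(v) = c(u,v) for v adjacent to u
    steps = ["".join(N)]
    while len(N) < len(graph):       # Loop until all nodes in N
        # find w not in N such that D(w) is a minimum
        w = min((v for v in graph if v not in N), key=lambda v: (D[v], v))
        N.append(w)
        # update D(v) = min(D(v), D(w) + c(w,v)) for v adjacent to w, not in N
        for v, cost in graph[w].items():
            if v not in N and D[w] + cost < D[v]:
                D[v], p[v] = D[w] + cost, w
        steps.append("".join(N))
    return D, p, steps

def dv_round(graph, vectors):
    """Distance vector: one synchronous round in which every node x recomputes
    D_x(y) = min_v { c(x,v) + D_v(y) } over its neighbors v, using only the
    vectors its neighbors last advertised. Returns (new vectors, changed nodes)."""
    new, changed = {}, set()
    for x, nbrs in graph.items():
        dx = {y: 0 if y == x else min(c + vectors[v][y] for v, c in nbrs.items())
              for y in graph}
        new[x] = dx
        if dx != vectors[x]:
            changed.add(x)           # x would notify its neighbors
    return new, changed

def run_dv(graph, max_rounds=50):
    """Start from the direct link costs and iterate until no DV changes."""
    vectors = {x: {y: 0 if y == x else nbrs.get(y, INF) for y in graph}
               for x, nbrs in graph.items()}
    for rounds in range(1, max_rounds + 1):
        vectors, changed = dv_round(graph, vectors)
        if not changed:
            return vectors, rounds   # converged: this round changed nothing
    raise RuntimeError("distance vector did not converge")

def least_costs_agree(graph, source):
    """Both algorithms must yield the same least costs from source."""
    D, _, _ = dijkstra(graph, source)
    vectors, _ = run_dv(graph)
    return D == vectors[source]

if __name__ == "__main__":
    D, p, steps = dijkstra(GRAPH, "u")
    print(steps, {v: (D[v], p[v]) for v in GRAPH})
    print(run_dv(GRAPH))
```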
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
Figure: "link" between adjacent nodes
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services
- Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
- Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit error link (fiber, some twisted pair)
  • wireless links: high error rates
  • Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
- Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
- "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns

Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.

Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
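The maximization and limit that the efficiency slide asks for, carried through with the slide's symbols; this is an added derivation, not part of the slides.

```latex
\begin{aligned}
E(p) &= N p (1-p)^{N-1} \\
\frac{dE}{dp} &= N(1-p)^{N-1} - N(N-1)p(1-p)^{N-2}
               = N(1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr]
               = N(1-p)^{N-2}(1 - Np) \\
\frac{dE}{dp} = 0 &\iff p^{*} = \frac{1}{N} \\
E(p^{*}) &= N \cdot \frac{1}{N}\Bigl(1-\frac{1}{N}\Bigr)^{N-1}
          = \Bigl(1-\frac{1}{N}\Bigr)^{N-1} \\
\lim_{N\to\infty} E(p^{*}) &= \lim_{N\to\infty}\frac{\bigl(1-\frac{1}{N}\bigr)^{N}}{1-\frac{1}{N}}
                            = \frac{e^{-1}}{1} = \frac{1}{e} \approx 0.37
\end{aligned}
```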
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability
Figure: spatial layout of nodes (space-time diagram of a collision)

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
Figure: CSMA/CD collision detection (space-time diagram)

"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)

ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
Figure: LAN with four nodes, each labeled with its IP address and its MAC address

ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table.
- A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
Figure: A - R - B
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram and sends to B

Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
  • heavy load: random wait will be longer
- first collision: choose K from {0,1}; delay is K · 512 bit transmission times
- after second collision: choose K from {0,1,2,3}…
- after ten collisions, choose K from {0,1,2,3,4,…,1023}

CSMA/CD efficiency
- t_prop = max prop delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame
  efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
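The exponential backoff schedule (step 5 of the algorithm and the "more" slide) and the CSMA/CD efficiency formula, as an added example that is not the slides' code; it uses the slides' numbers (512 bit times per unit, 0.1 µs bit time at 10 Mbps, K range capped at 0..1023) and its function names are this example's own.

```python
"""Added example (not from the slides): Ethernet exponential backoff and the
CSMA/CD efficiency approximation, with the review slides' constants."""
import random

BIT_TIME_10MBPS = 0.1e-6    # seconds per bit at 10 Mbps (slide: .1 microsec)
SLOT_BITS = 512             # backoff unit: K * 512 bit times
JAM_BITS = 48               # jam signal length from the slide

def backoff_range(m):
    """After the m-th collision, K is drawn from {0, 1, ..., 2^m - 1}; the
    slide caps the range at ten collisions, i.e. at {0, ..., 1023}."""
    return range(2 ** min(m, 10))

def backoff_wait(m, rng=random):
    """Seconds to wait before returning to step 2 after the m-th collision."""
    k = rng.choice(backoff_range(m))
    return k * SLOT_BITS * BIT_TIME_10MBPS

def max_backoff_wait(m):
    """Worst-case wait after the m-th collision (K = 2^m - 1), in seconds.
    For m >= 10 this is 1023 * 512 * 0.1 us, the slide's 'about 50 msec'."""
    return (len(backoff_range(m)) - 1) * SLOT_BITS * BIT_TIME_10MBPS

def csma_cd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 * t_prop / t_trans); -> 1 as t_prop -> 0
    or as t_trans -> infinity."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)

if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        print(m, list(backoff_range(m))[:4], "...", f"{max_backoff_wait(m):.6f} s")
    print(csma_cd_efficiency(t_prop=1e-6, t_trans=1.2e-3))
```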
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  • can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub interconnecting three departmental hubs]
Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
- hosts are unaware of presence of switches
plug-and-play, self-learning
- switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each connected to a hub]
Self learning
A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
[Figure: switch with three hubs, each hub forming its own collision domain]
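The self-learning table, TTL aging, flooding and same-segment filtering described above, as an added example (not lecture code); hosts A, B, C, X, the interface numbers and the timestamps are constructed.

```python
"""Self-learning switch: (MAC, interface, timestamp) table, TTL aging, flooding when the
destination is unknown, and filtering of same-segment frames. Added example, not from the
lecture; the hosts, interfaces and timestamps used below are constructed."""
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass(frozen=True)
class Frame:
    src: str          # source MAC address
    dst: str          # destination MAC address
    payload: bytes = b""


class LearningSwitch:
    def __init__(self, interfaces, ttl_seconds=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds              # slide: "TTL can be 60 min"
        self.table = {}                     # MAC -> (interface, time stamp)

    def _expire(self, now):
        """Drop stale entries: a host silent longer than the TTL may have moved."""
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ttl:
                del self.table[mac]

    def receive(self, frame, in_iface, now):
        """Process one frame arriving on in_iface at time `now`.
        Returns the list of interfaces the frame is sent out on."""
        self._expire(now)
        # self-learning: the sender is reachable through the interface the frame came in on
        self.table[frame.src] = (in_iface, now)
        if frame.dst == BROADCAST or frame.dst not in self.table:
            # unknown or broadcast destination: flood on every other interface
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = self.table[frame.dst]
        if out_iface == in_iface:
            return []                       # traffic isolation: same LAN segment, the hub already delivered it
        return [out_iface]                  # selective forwarding

    def snapshot(self):
        """MAC -> interface view of the table, for inspection."""
        return {mac: iface for mac, (iface, _) in self.table.items()}


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    print(sw.receive(Frame("A", "B"), in_iface=1, now=0))      # B unknown -> [2, 3]
    print(sw.receive(Frame("B", "A"), in_iface=2, now=1))      # A learned on 1 -> [1]
    print(sw.receive(Frame("C", "A"), in_iface=1, now=2))      # same segment -> []
    print(sw.snapshot())
```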
Switches vs Routers
- both store-and-forward devices
- routers: network layer devices (examine network layer headers)
- switches are link layer devices
Public Key Cryptography
symmetric key crypto requires sender, receiver know shared secret key
Q: how to agree on key in first place (particularly if never "met")?
public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do not share secret key
- public encryption key known to all
- private decryption key known only to receiver
Public key cryptography
[Figure: plaintext message m → encryption algorithm (Bob's public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob's private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]
Public key encryption algorithms
Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
Also: given $K_B^+(\cdot)$ and $K_B^+(m)$, it should be impossible to determine m
RSA: Choosing keys
1. Choose two large prime numbers p, q (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime")
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1)
5. Public key is (n, e). Private key is (n, d).
   $K_B^+ = (n, e)$, $K_B^- = (n, d)$
RSA: Encryption, decryption
0. Given (n, e) and (n, d) as computed above
1. To encrypt bit pattern m, compute $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by n)
2. To decrypt received bit pattern c, compute $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by n)
Magic happens! $m = (m^e \bmod n)^d \bmod n$
RSA example
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime)
d=29 (so ed-1 exactly divisible by z)
encrypt:
letter  m    m^e        c = m^e mod n
l       12   1524832    17
decrypt:
c    c^d                                     m = c^d mod n   letter
17   481968572106750915091411825223071697    12              l
RSA: Why is that $m = (m^e \bmod n)^d \bmod n$?
Useful number theory result: If p, q prime and n = pq, then
$x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{ed \bmod (p-1)(q-1)} \bmod n$ (using number theory result above)
$= m^1 \bmod n$ (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
$= m$
RSA: another important property
The following property will be very useful later:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
use public key first, followed by private key; or use private key first, followed by public key: result is the same!
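The key-generation steps, the encryption/decryption of the toy example, the number-theory result and the "another important property" above, carried through in code. Added example, not lecture code; it assumes Python 3.8+ for the modular inverse `pow(e, -1, z)`.

```python
"""RSA with the slide's toy parameters p=5, q=7, e=5, d=29. Added example, not lecture code.
Needs Python 3.8+ for pow(e, -1, z)."""
from math import gcd


def rsa_keygen(p, q, e, d=None):
    """Steps 1-5 of 'RSA: Choosing keys'. If d is not given, the smallest d with ed mod z = 1
    is used; the slide picks d=29, which also satisfies it (5*29 = 145 = 6*24 + 1)."""
    n = p * q
    z = (p - 1) * (q - 1)
    if not (1 < e < n) or gcd(e, z) != 1:
        raise ValueError("e must be < n and relatively prime to z")
    if d is None:
        d = pow(e, -1, z)                      # modular inverse of e mod z
    elif (e * d) % z != 1:
        raise ValueError("ed mod z must be 1")
    return (n, e), (n, d)                      # K_B^+ = (n, e), K_B^- = (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("bit pattern m must be smaller than n")
    return pow(m, e, n)                        # c = m^e mod n


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                        # m = c^d mod n


def number_theory_result_holds(x, y, p, q):
    """The slide's result x^y mod n = x^(y mod (p-1)(q-1)) mod n for n = pq.
    It is Euler's theorem, so it needs gcd(x, n) = 1; RSA itself still decrypts
    correctly for every m < n because n is a product of two distinct primes."""
    n = p * q
    return pow(x, y, n) == pow(x, y % ((p - 1) * (q - 1)), n)


def encrypt_letter(pub, letter):
    """Slide encoding: a=1, ..., l=12, ..., z=26."""
    return rsa_encrypt(pub, ord(letter) - ord("a") + 1)


def decrypt_letter(priv, c):
    return chr(rsa_decrypt(priv, c) + ord("a") - 1)


def commutes(pub, priv, m):
    """'Another important property': K^-(K^+(m)) = m = K^+(K^-(m))."""
    return (rsa_decrypt(priv, rsa_encrypt(pub, m)) == m
            and rsa_encrypt(pub, rsa_decrypt(priv, m)) == m)


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 7, 5, d=29)
    print("public", pub, "private", priv)                               # (35, 5) (35, 29)
    c = encrypt_letter(pub, "l")
    print("l -> m=12 -> c =", c, "-> letter", decrypt_letter(priv, c))  # 17, l
    print("12^5 =", 12 ** 5, "so 12^5 mod 35 =", 12 ** 5 % 35)
    print("property holds for all m < n:", all(commutes(pub, priv, m) for m in range(35)))
```

The code computes $m^e$ itself: $12^5 = 248832$, and $248832 \bmod 35 = 17$, so the ciphertext 17 in the slide's table is right even though its $m^e$ column reads differently.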
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario?
- in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice")
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario?
- Trudy can create a packet "spoofing" Alice's address: [Alice's IP address | "I am Alice"]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
[Figure: Alice → Bob: Alice's IP addr, Alice's password, "I'm Alice"; Bob → Alice: Alice's IP addr, OK]
Failure scenario?
- playback attack: Trudy records Alice's packet and later plays it back to Bob: [Alice's IP addr | Alice's password | "I'm Alice"]
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
[Figure: Alice → Bob: Alice's IP addr, encrypted password, "I'm Alice"; Bob → Alice: Alice's IP addr, OK]
Failure scenario?
- record and playback still works!
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
- Alice → Bob: "I am Alice"
- Bob → Alice: R
- Alice → Bob: $K_{A\text{-}B}(R)$
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
- Alice → Bob: "I am Alice"
- Bob → Alice: R
- Alice → Bob: $K_A^-(R)$
- Bob → Alice: "send me your public key"
- Alice → Bob: $K_A^+$
Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
- Alice → Trudy: "I am Alice"; Trudy → Bob: "I am Alice"
- Bob → Trudy: R; Trudy → Alice: R
- Alice → Trudy: $K_A^-(R)$; Trudy → Bob: $K_T^-(R)$
- Bob → Trudy: "Send me your public key"; Trudy → Alice: "Send me your public key"
- Alice → Trudy: $K_A^+$; Trudy → Bob: $K_T^+$
- Bob → Trudy: $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$, sends m to Alice encrypted with Alice's public key: $K_A^+(m)$; Alice computes $m = K_A^-(K_A^+(m))$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!
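Bob's side of ap3.1 versus ap4.0, showing why a recorded exchange passes the first check and fails the second. Added example, not lecture code: the slide encrypts the nonce with the shared key $K_{A\text{-}B}$, and here an HMAC-SHA256 over the nonce stands in for that keyed transform; the key and password are constructed samples.

```python
"""ap3.1 (fixed 'encrypted password') versus ap4.0 (nonce challenge-response), as a verifier
on Bob's side. Added example, not from the lecture. The slide encrypts the nonce with the
shared key K_A-B; here HMAC-SHA256 over the nonce stands in for that keyed transform.
The key and password are constructed samples."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-sample-shared-key-K_A-B"


def keyed_transform(key, data):
    """Alice's side: the only thing she can do that Trudy cannot is apply the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Ap31Verifier:
    """ap3.1: Alice always sends the same transformed password, so a recording of it
    is indistinguishable from Alice: record-and-playback still works."""
    def __init__(self, key, password=b"alice-password"):
        self.expected = keyed_transform(key, password)

    def check(self, token):
        return hmac.compare_digest(token, self.expected)


class Ap40Verifier:
    """ap4.0: Bob issues a fresh nonce R and accepts only K(R) for a nonce he issued
    and has not yet seen answered, so a recorded (R, K(R)) pair is useless later."""
    def __init__(self, key, nonce_bytes=16):
        self.key = key
        self.nonce_bytes = nonce_bytes
        self.outstanding = set()        # nonces issued, not yet answered
        self.used = set()               # 'number used only once in a lifetime'

    def challenge(self):
        r = secrets.token_bytes(self.nonce_bytes)
        if r in self.used or r in self.outstanding:
            raise RuntimeError("nonce repeated; should not happen with 128 random bits")
        self.outstanding.add(r)
        return r

    def check(self, nonce, response):
        if nonce not in self.outstanding:
            return False                # replayed, already answered, or never issued by Bob
        self.outstanding.discard(nonce)
        self.used.add(nonce)            # consumed whether or not the response is right
        return hmac.compare_digest(response, keyed_transform(self.key, nonce))


def alice_responds(nonce, key=SHARED_KEY):
    return keyed_transform(key, nonce)


def run_scenarios():
    """Returns the verdicts a recording-and-replaying Trudy gets under each protocol."""
    ap31 = Ap31Verifier(SHARED_KEY)
    recorded_token = keyed_transform(SHARED_KEY, b"alice-password")   # sniffed from Alice
    bob = Ap40Verifier(SHARED_KEY)
    r1 = bob.challenge()
    recorded = (r1, alice_responds(r1))                                # sniffed exchange
    first_ok = bob.check(*recorded)
    replay_same_nonce = bob.check(*recorded)
    r2 = bob.challenge()
    replay_old_response = bob.check(r2, recorded[1])
    r3 = bob.challenge()
    live_alice = bob.check(r3, alice_responds(r3))
    r4 = bob.challenge()
    wrong_key = bob.check(r4, alice_responds(r4, key=b"trudy-guess"))
    return {
        "ap3.1 alice": ap31.check(recorded_token),
        "ap3.1 replay": ap31.check(recorded_token),
        "ap4.0 alice": first_ok,
        "ap4.0 replay same nonce": replay_same_nonce,
        "ap4.0 replay old response": replay_old_response,
        "ap4.0 live alice again": live_alice,
        "ap4.0 wrong key": wrong_key,
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} accepted={verdict}")
```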
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
[Figure: administered network | firewall | public Internet]
Firewalls: Why
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls: application-level, packet-filtering
Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
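The two packet-filtering examples above as a stateless filter run over constructed packets. Added example, not lecture code; Example 1 is implemented as two rules (drop protocol 17, drop port 23 in either direction), which is what its explanation "all UDP flows and telnet connections are blocked" describes, and every address and port below is constructed.

```python
"""Stateless packet filter for the slide's two examples, run over constructed packets.
Added example, not from the lecture. Example 1 is read as two rules (drop IP protocol 17,
drop port 23 either way); all addresses and ports below are constructed."""
from dataclasses import dataclass

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TELNET = 23


@dataclass(frozen=True)
class Packet:
    direction: str               # "in" = arriving from the public Internet, "out" = leaving
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int = 0            # TCP/UDP only
    dst_port: int = 0
    syn: bool = False            # TCP flag bits
    ack: bool = False
    icmp_type: int = -1


def example1(pkt):
    """Block datagrams with IP protocol field = 17 (UDP) and any with source or dest port 23 (telnet)."""
    if pkt.proto == PROTO_UDP:
        return "drop: udp"
    if pkt.proto == PROTO_TCP and TELNET in (pkt.src_port, pkt.dst_port):
        return "drop: telnet"
    return None


def example2(pkt):
    """Block inbound TCP SYN packets. Only SYN with ACK=0 opens a connection from outside;
    a SYN+ACK is the reply to a connection an internal client opened and must pass, which
    is why the filter looks at both the SYN and the ACK bit."""
    if pkt.direction == "in" and pkt.proto == PROTO_TCP and pkt.syn and not pkt.ack:
        return "drop: inbound syn"
    return None


RULES = (example1, example2)


def filter_packet(pkt, rules=RULES):
    """First matching rule decides; otherwise forward."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict:
            return verdict
    return "forward"


SAMPLES = {  # constructed traffic; internal net 10.0.0.0/8, outside hosts 198.51.100.x
    "external client opens TCP to internal web server":
        Packet("in", "198.51.100.7", "10.0.0.5", PROTO_TCP, 40001, 80, syn=True),
    "internal client opens TCP to outside":
        Packet("out", "10.0.0.9", "198.51.100.7", PROTO_TCP, 50000, 443, syn=True),
    "outside replies SYN+ACK to that connection":
        Packet("in", "198.51.100.7", "10.0.0.9", PROTO_TCP, 443, 50000, syn=True, ack=True),
    "outbound telnet":
        Packet("out", "10.0.0.9", "198.51.100.7", PROTO_TCP, 50001, TELNET, syn=True),
    "inbound DNS answer (UDP)":
        Packet("in", "198.51.100.53", "10.0.0.9", PROTO_UDP, 53, 33000),
    "inbound ICMP echo reply":
        Packet("in", "198.51.100.7", "10.0.0.9", PROTO_ICMP, icmp_type=0),
    "established inbound data segment":
        Packet("in", "198.51.100.7", "10.0.0.9", PROTO_TCP, 443, 50000, ack=True),
}


def verdicts(samples=SAMPLES):
    return {name: filter_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:18s} {name}")
```

The dropped DNS answer is the "all or nothing policy for UDP" limitation the slides list later: a stateless filter cannot tell a wanted UDP reply from an unsolicited one.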
Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields
- Example: allow select internal users to telnet outside
[Figure: host-to-gateway telnet session → application gateway → gateway-to-remote host telnet session, through router and filter]
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple app's need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP
- tradeoff: degree of communication with outside world, level of security
- many highly protected sites still suffer from attacks
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Internet security threats
Mapping:
- before attacking: "case the joint": find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats
Packet sniffing:
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g.: C sniffs B's packets
[Figure: hosts A, B, C on one broadcast segment; frame src:B dest:A payload seen by C]
Countermeasures?
Internet security threats
Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
[Figure: hosts A, B, C each on their own switched segment; frame src:B dest:A payload]
Internet security threats
IP Spoofing:
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
[Figure: hosts A, B, C; C sends frame src:B dest:A payload]
Countermeasures?
Internet security threats
IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
[Figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats
Denial of service (DOS):
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
[Figure: hosts A, B, C; many SYN packets from C and a remote host converge on A]
Countermeasures?
Internet security threats
Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
[Figure: hosts A, B, C; SYN flood toward A]
Review (1)
Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  • Link State Algorithm
  • Distance Vector Algorithm
- The Internet (IP) Protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation
Review (2)
Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  • TDMA/FDMA
  • Random Access Protocols
  • "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks
- CDMA
- IEEE 802.11 wireless LANs
Review (3)
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
      else D(v) = ∞
  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
  until all nodes in N'
Dijkstra's algorithm example
Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
[Figure: example network with nodes u, v, w, x, y, z and link costs 1, 1, 1, 2, 2, 2, 3, 3, 5, 5]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  $D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$
- Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor
Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path; it only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor), then update
Why different Intra- and Inter-AS routing?
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
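Both routing algorithms from the review, Dijkstra's pseudocode and the Bellman-Ford update, run on the slide's six-node example. Added example, not lecture code; the figure with the link costs did not survive extraction, so the `LINKS` costs are an assumption chosen so that Dijkstra reproduces the slide's table.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) routing on the slide's 6-node example.
Added example, not from the lecture. The figure with the link costs did not survive extraction, so
LINKS below is an assumption: costs chosen so that Dijkstra reproduces the slide's table
(D(v)=2,u  D(w)=3,y  D(x)=1,u  D(y)=2,x  D(z)=4,y)."""
import math

LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def build_graph(links=LINKS):
    """Undirected adjacency: graph[a][b] = c(a, b)."""
    graph = {}
    for (a, b), cost in links.items():
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def dijkstra(graph, source):
    """The slide's pseudocode. Returns (D, p): least cost and predecessor of each node."""
    n_prime = {source}                                   # N'
    D = {v: math.inf for v in graph}
    p = {v: None for v in graph}
    D[source] = 0
    for v, cost in graph[source].items():                # initialization: neighbours of u
        D[v], p[v] = cost, source
    while len(n_prime) < len(graph):                     # loop until all nodes in N'
        w = min((v for v in graph if v not in n_prime), key=lambda v: D[v])
        n_prime.add(w)
        for v, cost in graph[w].items():                 # update D(v) for v adjacent to w, not in N'
            if v not in n_prime and D[w] + cost < D[v]:
                D[v], p[v] = D[w] + cost, w
    return D, p


def distance_vector(graph, max_rounds=100):
    """Synchronous DV: each round every node x recomputes D_x(y) = min over neighbours v of
    c(x,v) + D_v(y), using the vectors its neighbours advertised after the previous round.
    Returns (D, next_hop, rounds). Unlike Dijkstra, a node ends up knowing only its next hop."""
    nodes = list(graph)
    D = {x: {y: 0 if x == y else graph[x].get(y, math.inf) for y in nodes} for x in nodes}
    next_hop = {x: {y: (y if y in graph[x] else None) for y in nodes} for x in nodes}
    for rnd in range(1, max_rounds + 1):
        advertised = {x: dict(D[x]) for x in nodes}      # DVs exchanged with neighbours
        changed = False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                for v, cost in graph[x].items():         # Bellman-Ford step
                    if cost + advertised[v][y] < D[x][y]:
                        D[x][y], next_hop[x][y], changed = cost + advertised[v][y], v, True
        if not changed:
            return D, next_hop, rnd                      # converged: no DV changed this round
    return D, next_hop, max_rounds


if __name__ == "__main__":
    g = build_graph()
    D, p = dijkstra(g, "u")
    print("Dijkstra from u:", {v: (D[v], p[v]) for v in g if v != "u"})
    dv, hop, rounds = distance_vector(g)
    print("DV converged after", rounds, "rounds; u's vector:", dv["u"], "next hops:", hop["u"])
```

Note that Dijkstra reports p(w) = y (the predecessor on the path) while DV at u stores only the next hop x for w; both agree on the cost 3.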
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
[Figure: "link" between two adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access:
- encapsulate datagram into frame, adding header, trailer
- channel access if shared medium
- "MAC" addresses used in frame headers to identify source, dest
  • different from IP address!
Reliable delivery between adjacent nodes
- we learned how to do this already (chapter 3)!
- seldom used on low bit error link (fiber, some twisted pair)
- wireless links: high error rates
  • Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in rounds
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = $p(1-p)^{N-1}$
- prob that there is a success = $Np(1-p)^{N-1}$
- For max efficiency with N nodes, find p* that maximizes $Np(1-p)^{N-1}$
- For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
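The maximization and the limit the slide states, carried through as an added derivation (not on the slide) with the slide's $N$ and $p$:

$$
\frac{d}{dp}\Big[Np(1-p)^{N-1}\Big]
= N(1-p)^{N-2}\big[(1-p) - (N-1)p\big]
= N(1-p)^{N-2}\,(1 - Np) = 0
\quad\Longrightarrow\quad p^* = \frac{1}{N}
$$

$$
Np^*(1-p^*)^{N-1} = \Big(1-\frac{1}{N}\Big)^{N-1}
= \frac{(1-1/N)^{N}}{1-1/N}
\;\xrightarrow{N\to\infty}\; \frac{e^{-1}}{1} = \frac{1}{e} \approx 0.37
$$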
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
[Figure: spatial layout of nodes; transmissions from two nodes overlap in space and time]
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: CSMA/CD collision detection; transmissions aborted shortly after the collision is sensed]
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table.
- A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: A on one LAN, router R, B on the other LAN]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[Figure: A on one LAN, router R, B on the other LAN]
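The ARP exchange and the two-hop walkthrough above as a small simulation, with one ARP table per attached LAN in R. Added example, not lecture code; only R's LAN-111 pair 111.111.111.110 / E6-E9-00-17-BB-4B comes from the slide, every other address is constructed.

```python
"""Two-hop delivery A -> R -> B from the slide's 'Routing to another LAN' walkthrough, with one
ARP table per LAN in R. Added example, not from the lecture. Only R's LAN-111 pair
111.111.111.110 / E6-E9-00-17-BB-4B comes from the slide; every other address is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    dst_ip: str
    payload: bytes


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    datagram: Datagram


def prefix_of(ip):
    """/24 network part of an address: '111.111.111.111' -> '111.111.111'."""
    return ip.rsplit(".", 1)[0]


class Lan:
    """A broadcast LAN. arp_reply() models: query broadcast to FF-FF-FF-FF-FF-FF, owner answers unicast."""
    def __init__(self):
        self.ip_to_mac = {}

    def attach(self, ip, mac):
        self.ip_to_mac[ip] = mac

    def arp_reply(self, ip):
        return self.ip_to_mac[ip]


class Node:
    def __init__(self, name, ifaces, default_router=None):
        # ifaces: {prefix: (ip, mac, lan)}; a host has one, router R has two
        self.name, self.ifaces, self.default_router = name, ifaces, default_router
        self.arp_tables = {prefix: {} for prefix in ifaces}   # one ARP table per attached LAN
        self.arp_queries = []                                 # IPs we had to broadcast for

    def resolve(self, prefix, ip):
        """IP -> MAC on the LAN reached through `prefix`; cache misses trigger an ARP query."""
        table = self.arp_tables[prefix]
        if ip not in table:
            self.arp_queries.append(ip)
            table[ip] = self.ifaces[prefix][2].arp_reply(ip)  # cached as soft state
        return table[ip]

    def send(self, dgram):
        """Frame the datagram for its next hop: the destination itself if it is on an
        attached LAN, otherwise the default router. The IP datagram is carried unchanged."""
        dst_prefix = prefix_of(dgram.dst_ip)
        if dst_prefix in self.ifaces:
            prefix, next_hop_ip = dst_prefix, dgram.dst_ip
        else:
            prefix, next_hop_ip = prefix_of(self.default_router), self.default_router
        _, my_mac, _ = self.ifaces[prefix]
        return Frame(my_mac, self.resolve(prefix, next_hop_ip), dgram)

    def receive(self, frame):
        """Router R: accept a frame addressed to one of its MACs, strip it, re-frame the datagram."""
        if frame.dst_mac not in {mac for _, mac, _ in self.ifaces.values()}:
            return None                                       # not for us: adapter drops it
        return self.send(frame.datagram)


A_IP, A_MAC = "111.111.111.111", "74-29-9C-E8-FF-55"
R_IP_111, R_MAC_111 = "111.111.111.110", "E6-E9-00-17-BB-4B"    # from the slide
R_IP_222, R_MAC_222 = "222.222.222.220", "1A-23-F9-CD-06-9B"
B_IP, B_MAC = "222.222.222.222", "49-BD-D2-C7-56-2A"


def walkthrough():
    """Builds the two LANs, sends one datagram A -> B, returns (frame on LAN 111, frame on LAN 222, A, R)."""
    lan111, lan222 = Lan(), Lan()
    a = Node("A", {"111.111.111": (A_IP, A_MAC, lan111)}, default_router=R_IP_111)
    r = Node("R", {"111.111.111": (R_IP_111, R_MAC_111, lan111),
                   "222.222.222": (R_IP_222, R_MAC_222, lan222)})
    b = Node("B", {"222.222.222": (B_IP, B_MAC, lan222)}, default_router=R_IP_222)
    for node in (a, r, b):
        for ip, mac, lan in node.ifaces.values():
            lan.attach(ip, mac)
    dgram = Datagram(A_IP, B_IP, b"hello B")
    hop1 = a.send(dgram)          # A ARPs for 111.111.111.110, frames to R's MAC
    hop2 = r.receive(hop1)        # R ARPs for B on LAN 222, frames to B's MAC
    return hop1, hop2, a, r


if __name__ == "__main__":
    hop1, hop2, a, r = walkthrough()
    for name, f in (("LAN 111", hop1), ("LAN 222", hop2)):
        print(name, f.src_mac, "->", f.dst_mac, "carrying", f.datagram.src_ip, "->", f.datagram.dst_ip)
    print("A's ARP table:", a.arp_tables)
    print("R's ARP tables:", r.arp_tables)
```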
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
- means A, C unaware of their interference at B
[Figure: A, B, C in a line; A's signal strength and C's signal strength plotted against space, both reaching B but not each other]
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
- widely deployed, using base stations
802.11a
- 5-6 GHz range
- up to 54 Mbps
802.11g
- 2.4-5 GHz range
- up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with base station
  • base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
  • ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: A and B send RTS(A), RTS(B) to AP at the same time and collide; A resends RTS(A); AP broadcasts CTS(A) (reservation); A sends DATA(A); AP broadcasts ACK(A); B defers while the channel is reserved]
802.11 frame
[Figure: frame fields and sizes in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)]
802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
[Figure: H1 → AP → router R1 → Internet]
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
802.11 frame: addressing
Network Security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Public Key Cryptography
symmetric key crypto requires sender
receiver know shared secret key
Q how to agree on key in first place (particularly if never ldquometrdquo)
public key cryptography
radically different approach [Diffie-Hellman76 RSA78]
sender receiver do not share secret key
public encryption key known to all
private decryption key known only to receiver
Public key cryptography
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobrsquos public key
plaintextmessageK (m)
B+
K B+
Bobrsquos privatekey
K B-
m = K (K (m))B+
B-
Public key encryption algorithms
need K ( ) and K ( ) such thatB B
given public key K it should be impossible to compute private key K
B
B
Requirements
1
2
+ -
K (K (m)) = m BB
- +
+
-
K (m)B+
Also given and K ()B+
it should be impossible to determine m
RSA Choosing keys
1 Choose two large prime numbers p q (eg 1024 bits each)
2 Compute n = pq z = (p-1)(q-1)
3 Choose e (with eltn) that has no common factors with z (e z are ldquorelatively primerdquo)
4 Choose d such that ed-1 is exactly divisible by z (in other words ed mod z = 1 )
5 Public key is (ne) Private key is (nd)
K B+ K B
-
RSA Encryption decryption
0 Given (ne) and (nd) as computed above
1 To encrypt bit pattern m compute
c = m mod n
e (ie remainder when m is divided by n)e
2 To decrypt received bit pattern c compute
m = c mod n
d (ie remainder when c is divided by n)d
m = (m mod n)
e mod n
dMagichappens
c
RSA example
Bob chooses p=5 q=7 Then n=35 z=24e=5 (so e z relatively prime)d=29 (so ed-1 exactly divisible by z
letter m me c = m mod ne
l 12 1524832 17
c m = c mod nd
17 481968572106750915091411825223071697 12
cdletter
l
encrypt
decrypt
RSA Why is that m = (m mod n)
e mod n
d
(m mod n)
e mod n = m mod n
d ed
Useful number theory result If pq prime and n = pq then
x mod n = x mod ny y mod (p-1)(q-1)
= m mod n
ed mod (p-1)(q-1)
= m mod n1
= m
(using number theory result above)
(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )
RSA another important property
The following property will be very useful later
K (K (m)) = m BB
- +K (K (m))
BB+ -
=
use public key first followed
by private key
use private key first
followed by public key
Result is the same
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
Failure scenarioldquoI am Alicerdquo
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
in a networkBob can not ldquoseerdquo
Alice so Trudy simply declares
herself to be AliceldquoI am Alicerdquo
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Failure scenario
ldquoI am AlicerdquoAlicersquos
IP address
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Trudy can createa packet
ldquospoofingrdquoAlicersquos addressldquoI am Alicerdquo
Alicersquos IP address
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
playback attack Trudy records Alicersquos
packetand later
plays it back to Bob
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
Authentication yet another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
encrypted password
OKAlicersquos IP addr
Authentication another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
recordand
playbackstill works
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
Authentication yet another try
Goal avoid playback attack
Failures drawbacks
Nonce number (R) used only once ndashin-a-lifetime
ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice
must return R encrypted with shared secret keyldquoI am Alicerdquo
R
K (R)A-B
Alice is live and only Alice knows key to encrypt
nonce so it must be Alice
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography.
[Figure: Alice: "I am Alice"; Bob: R; Alice: K_A^-(R); Bob: "send me your public key"; Alice: K_A^+]
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).
[Figure: Trudy in the middle. To Bob: "I am Alice"; Bob sends R; Trudy returns K_T^-(R); Bob: "Send me your public key"; Trudy sends K_T^+. To Alice: Trudy sends R; Alice returns K_A^-(R); Trudy: "Send me your public key"; Alice sends K_A^+. Bob then sends K_T^+(m); Trudy computes m = K_T^-(K_T^+(m)), gets m, and sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice computes m = K_A^-(K_A^+(m)).]
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation). Problem is that Trudy receives all messages as well!
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Firewalls
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
[Figure: administered network, firewall, public Internet]
Firewalls: Why
- Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
- Prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else.
- Allow only authorized access to inside network (set of authenticated users/hosts).
Two types of firewalls: application-level, packet-filtering.
Packet Filtering
- Internal network connected to Internet via router firewall.
- Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits.
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
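Added example, not from the slides: a toy packet filter in Python that applies Example 1 and Example 2 to constructed header tuples. Example 1 is written as two independent drop tests (protocol 17, and port 23 in either direction) so that the stated outcome holds, and Example 2 drops only inbound segments with SYN set and ACK clear, because the SYN+ACK returned to an inside client's own connection is also an inbound packet carrying SYN. Addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17     # IP protocol field values
TELNET_PORT = 23


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter decides on (the slide's list)."""
    direction: str              # "in" (arriving from Internet) or "out" (departing)
    src_ip: str
    dst_ip: str
    protocol: int               # IP protocol field: 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False           # TCP SYN bit
    ack: bool = False           # TCP ACK bit


def example1_udp_and_telnet(p: Packet) -> Optional[str]:
    """Example 1, applied to both directions: drop all UDP and all telnet."""
    if p.protocol == IPPROTO_UDP:
        return "drop: IP protocol 17 (UDP)"
    if TELNET_PORT in (p.src_port, p.dst_port):
        return "drop: port 23 (telnet)"
    return None


def example2_inbound_syn(p: Packet) -> Optional[str]:
    """Example 2: drop inbound connection attempts (SYN=1, ACK=0).  An inbound
    SYN+ACK belongs to a connection an inside client opened, so it passes."""
    if p.direction == "in" and p.protocol == IPPROTO_TCP and p.syn and not p.ack:
        return "drop: inbound TCP SYN"
    return None


RULES = (example1_udp_and_telnet, example2_inbound_syn)


def filter_packet(p: Packet) -> str:
    """First matching rule decides; anything unmatched is forwarded."""
    for rule in RULES:
        verdict = rule(p)
        if verdict:
            return verdict
    return "forward"
```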
Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.
Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source.
- If multiple app's need special treatment, each has own app gateway.
- Client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser.
- Filters often use all or nothing policy for UDP.
- Tradeoff: degree of communication with outside world, level of security.
- Many highly protected sites still suffer from attacks.
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Internet security threats
Mapping:
- Before attacking: "case the joint": find out what services are implemented on network.
- Use ping to determine what hosts have addresses on network.
- Port-scanning: try to establish TCP connection to each port in sequence.
Countermeasures?
Internet security threats
Mapping: countermeasures
- Record traffic entering network.
- Look for suspicious activity (IP addresses, ports being scanned sequentially).
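Added example, not from the slides: the mapping countermeasure above run in Python over a few constructed connection-log lines, flagging any source that attempts a run of consecutive ports on one host. The log format, addresses and the threshold of five consecutive ports are constructed for the example.

```python
from collections import defaultdict
import re

# Constructed log of TCP connection attempts entering the network (not from
# the slides): time, source, destination:port, TCP flags ("S" = SYN only).
LOG_LINES = """\
10:00:01 198.51.100.7 -> 192.0.2.10:22 S
10:00:01 198.51.100.7 -> 192.0.2.10:23 S
10:00:01 198.51.100.7 -> 192.0.2.10:24 S
10:00:02 198.51.100.7 -> 192.0.2.10:25 S
10:00:02 198.51.100.7 -> 192.0.2.10:26 S
10:00:02 198.51.100.7 -> 192.0.2.10:27 S
10:00:05 203.0.113.9 -> 192.0.2.10:443 S
10:00:06 203.0.113.9 -> 192.0.2.10:443 S
10:00:07 203.0.113.9 -> 192.0.2.20:80 S
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<flags>\S+)$")


def parse(lines):
    """Yield (src, dst, port) for every SYN-only connection attempt."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("flags") == "S":
            yield m.group("src"), m.group("dst"), int(m.group("port"))


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers in `ports`."""
    ps = sorted(set(ports))
    best = run = 1 if ps else 0
    for a, b in zip(ps, ps[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_sequential_scans(lines, min_run=5):
    """Map (src, dst) -> run length for pairs whose attempted ports contain at
    least `min_run` consecutive numbers; repeated hits on one port are not a scan."""
    ports_by_pair = defaultdict(list)
    for src, dst, port in parse(lines):
        ports_by_pair[(src, dst)].append(port)
    hits = {}
    for pair, ports in ports_by_pair.items():
        run = longest_sequential_run(ports)
        if run >= min_run:
            hits[pair] = run
    return hits
```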
Internet security threats: Packet sniffing
- Broadcast media.
- Promiscuous NIC reads all packets passing by.
- Can read all unencrypted data (e.g., passwords).
- E.g.: C sniffs B's packets.
[Figure: hosts A, B, C on a shared segment; frame src:B dest:A payload]
Countermeasures?
Internet security threats: Packet sniffing countermeasures
- All hosts in organization run software that checks periodically if host interface in promiscuous mode.
- One host per segment of broadcast media (switched Ethernet at hub).
[Figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats: IP Spoofing
- Can generate "raw" IP packets directly from application, putting any value into IP source address field.
- Receiver can't tell if source is spoofed.
- E.g.: C pretends to be B.
[Figure: hosts A, B, C; frame src:B dest:A payload sent by C]
Countermeasures?
Internet security threats: IP Spoofing: ingress filtering
- Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network).
- Great, but ingress filtering can not be mandated for all networks.
[Figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats: Denial of service (DOS)
- Flood of maliciously generated packets "swamp" receiver.
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver.
- E.g., C and remote host SYN-attack A.
[Figure: hosts A, B, C; SYN packets from C and from a remote host flooding A]
Countermeasures?
Internet security threats: Denial of service (DOS) countermeasures
- Filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad.
- Traceback to source of floods (most likely an innocent, compromised machine).
[Figure: hosts A, B, C; SYN flood toward A]
Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  - Link State Algorithm
  - Distance Vector Algorithm
- The Internet (IP) Protocol
  - IPv4 addressing
  - Datagram format
  - IP fragmentation
  - ICMP: Internet Control Message Protocol
  - IPv6
  - NAT: Network Address Translation
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  - TDMA/FDMA
  - Random Access Protocols
  - "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks
  - CDMA
  - IEEE 802.11 wireless LANs
Review (3): Network security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms.
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms.
Static or dynamic?
- Static: routes change slowly over time.
- Dynamic: routes change more quickly; periodic update; in response to link cost changes.
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
[Figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors.
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) }  for each node y ∊ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only knows the next hop.
Each node: wait for (change in local link cost or msg from neighbor)
update traffic
Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance.
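Added example, not from the slides: both algorithms of this review, Dijkstra's link-state computation and the Bellman-Ford distance-vector update, in Python on the slide's six-node graph. The distance-vector run uses synchronous rounds (every node recomputes from the vectors its neighbors sent in the previous round) rather than the asynchronous updates the slide describes; that is a simplification of this example.

```python
INF = float("inf")

# Link costs of the slide's example graph (undirected).
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}


def neighbors(graph):
    """Adjacency map: node -> {neighbor: link cost}."""
    adj = {}
    for (a, b), cost in graph.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def dijkstra(graph, source):
    """Link-state computation at `source`: returns (D, p) with D[v] the least
    cost to v and p[v] its predecessor on that path, as in the slide's table."""
    adj = neighbors(graph)
    D = {v: INF for v in adj}
    p = {v: None for v in adj}
    D[source] = 0
    N = set()
    while len(N) < len(adj):
        # find w not in N such that D(w) is a minimum, add w to N
        w = min((v for v in adj if v not in N), key=lambda v: D[v])
        N.add(w)
        # update D(v) for all v adjacent to w and not in N
        for v, c_wv in adj[w].items():
            if v not in N and D[w] + c_wv < D[v]:
                D[v] = D[w] + c_wv
                p[v] = w
    return D, p


def distance_vector(graph, max_rounds=100):
    """Distance-vector routing: every node x keeps its own vector D_x and, each
    round, applies D_x(y) = min_v { c(x,v) + D_v(y) } to the vectors received
    from its neighbors.  Returns (D, next_hop, rounds) once nothing changes."""
    adj = neighbors(graph)
    nodes = sorted(adj)
    D = {x: {y: (0 if x == y else adj[x].get(y, INF)) for y in nodes} for x in nodes}
    next_hop = {x: {y: (y if y in adj[x] else None) for y in nodes} for x in nodes}
    for rounds in range(1, max_rounds + 1):
        received = {x: dict(D[x]) for x in nodes}    # vectors sent this round
        changed = False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                best_v, best = None, INF
                for v, c_xv in adj[x].items():
                    if c_xv + received[v][y] < best:
                        best_v, best = v, c_xv + received[v][y]
                if best < D[x][y]:
                    D[x][y], next_hop[x][y] = best, best_v
                    changed = True
        if not changed:
            return D, next_hop, rounds
    raise RuntimeError("distance vector did not converge")
```

Both computations agree on the least costs from u; Dijkstra's p(w) = y names the predecessor on the path u-x-y-w, while the distance-vector next hop from u toward w is x.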
Data Link Layer: Some terminology
- Hosts and routers are nodes.
- Communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs.
- Layer-2 packet is a frame, encapsulates datagram.
[Figure: a "link" between adjacent nodes]
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.
Link Layer Services
- Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address).
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)! Seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates.
  - Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
- Random Access: channel not divided, allow collisions; "recover" from collisions.
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns.
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- Access to channel in "rounds".
- Each station gets fixed length slot (length = pkt trans time) in each round.
- Unused slots go idle.
- Example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle.
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p.
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1).
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = .37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time!
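The maximization carried through with the slide's symbols (an added derivation, not part of the original slides):

$$\frac{d}{dp}\Bigl[Np(1-p)^{N-1}\Bigr] = N(1-p)^{N-1} - N(N-1)p(1-p)^{N-2} = N(1-p)^{N-2}\,(1 - Np),$$

which vanishes at $p^* = 1/N$, so the efficiency with $N$ nodes is

$$Np^*(1-p^*)^{N-1} = \Bigl(1-\frac{1}{N}\Bigr)^{N-1} \;\longrightarrow\; \frac{1}{e} \approx 0.37 \quad (N \to \infty).$$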
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame.
- If channel sensed busy, defer transmission.
Human analogy: don't interrupt others!
CSMA collisions
- Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
- Collision: entire packet transmission time wasted.
[Figure: spatial layout of nodes vs. time, two overlapping transmissions colliding]
Note: role of distance and propagation delay in determining collision probability.
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- Collisions detected within short time.
- Colliding transmissions aborted, reducing channel wastage.
Collision detection:
- Easy in wired LANs: measure signal strengths, compare transmitted, received signals.
- Difficult in wireless LANs: receiver shut off while transmitting.
CSMA/CD collision detection
[Figure: space-time diagram of two transmissions and their detection]
"Taking Turns" MAC protocols
Polling:
- Master node "invites" slave nodes to transmit in turn.
- Concerns: polling overhead, latency, single point of failure (master).
Token passing:
- Control token passed from one node to next sequentially.
- Token message.
- Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table.
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four hosts; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table.
- A broadcasts ARP query packet, containing B's IP address: Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.
- B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out): soft state: information that times out (goes away) unless refreshed.
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN).
- In routing table at source Host, find router 111.111.111.110.
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A, router R, B]
- A creates datagram with source A, destination B.
- A uses ARP to get R's MAC address for 111.111.111.110.
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram.
- A's adapter sends frame.
- R's adapter receives frame.
- R removes IP datagram from Ethernet frame, sees it's destined to B.
- R uses ARP to get B's MAC address.
- R creates frame containing A-to-B IP datagram, sends to B.
[Figure: A, router R, B]
Ethernet uses CSMA/CD
- No slots.
- Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
- Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
- Before attempting a retransmission, adapter waits a random time, that is, random access.
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer and creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer.
- First collision: choose K from {0, 1}; delay is K * 512 bit transmission times.
- After second collision: choose K from {0, 1, 2, 3} ...
- After ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}.
CSMA/CD efficiency
- t_prop = max prop delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame
  efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0.
- Goes to 1 as t_trans goes to infinity.
- Much better than ALOHA, but still decentralized, simple, and cheap.
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality: can disconnect a malfunctioning adapter
[Figure: hub with twisted pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication.
- Extends max distance between nodes.
- If a hub malfunctions, the backbone hub can disconnect it.
Cons:
- Collision domains are transferred into one large common domain.
- Cannot interconnect 10BaseT and 100BaseT hubs.
[Figure: backbone hub connecting three hubs]
Switch
Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
- A switch has a switch table.
- Entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min).
- Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.
Switch: traffic isolation
- Switch installation breaks subnet into LAN segments.
- Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
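Added example, not from the slides: a self-learning switch in Python that records (MAC, interface, timestamp) for each sender, drops stale entries after a TTL, filters frames whose destination is on the incoming segment, and floods frames for unknown or broadcast destinations. Frame addresses and timestamps are constructed.

```python
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass(frozen=True)
class Frame:
    src: str        # sender MAC address
    dst: str        # destination MAC address
    payload: str = ""


class LearningSwitch:
    """Self-learning switch with a (MAC, interface, time stamp) table."""

    def __init__(self, num_interfaces, ttl=60 * 60):
        self.interfaces = range(1, num_interfaces + 1)
        self.ttl = ttl                 # seconds; slide: TTL can be 60 min
        self.table = {}                # mac -> (interface, time_stamp)

    def _expire(self, now):
        """Drop stale entries (soft state)."""
        stale = [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]
        for m in stale:
            del self.table[m]

    def receive(self, frame, incoming, now):
        """Handle a frame arriving on interface `incoming` at time `now`;
        return the sorted interfaces it is sent out on ([] if filtered)."""
        self._expire(now)
        # learn: the sender is reachable through the incoming interface
        self.table[frame.src] = (incoming, now)
        entry = self.table.get(frame.dst)
        if frame.dst != BROADCAST and entry is not None:
            iface, _ = entry
            if iface == incoming:
                return []              # same LAN segment: filter
            return [iface]             # known location: selectively forward
        return [i for i in self.interfaces if i != incoming]   # flood
```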
Switches vs. Routers
- Both store-and-forward devices.
- Routers: network layer devices (examine network layer headers).
- Switches are link layer devices.
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: A, B, C in a line, with B in range of both A and C]
Hidden terminal problem:
- B, A hear each other; B, C hear each other.
- A, C can not hear each other, means A, C unaware of their interference at B.
[Figure: A's and C's signal strength plotted against space]
Signal fading:
- B, A hear each other; B, C hear each other.
- A, C can not hear each other, interfering at B.
IEEE 802.11 Wireless LAN
802.11b:
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code
- widely deployed, using base stations
802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
- Wireless host communicates with base station; base station = access point (AP).
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station.
- Ad hoc mode: hosts only.
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver:
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender senses idle for DIFS, transmits data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: A and B both send RTS to the AP; RTS(A) and RTS(B) collide (reservation collision); A retries RTS(A); AP broadcasts CTS(A); A sends DATA(A) while B defers; AP returns ACK(A)]
802.11 frame
Fields, with sizes in bytes:
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
[Figure: H1, AP, R1, Internet. 802.11 frame from H1 to AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame from AP to R1: dest address = R1 MAC addr, source address = AP MAC addr]
Network Security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Public key cryptography
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobrsquos public key
plaintextmessageK (m)
B+
K B+
Bobrsquos privatekey
K B-
m = K (K (m))B+
B-
Public key encryption algorithms
need K ( ) and K ( ) such thatB B
given public key K it should be impossible to compute private key K
B
B
Requirements
1
2
+ -
K (K (m)) = m BB
- +
+
-
K (m)B+
Also given and K ()B+
it should be impossible to determine m
RSA Choosing keys
1 Choose two large prime numbers p q (eg 1024 bits each)
2 Compute n = pq z = (p-1)(q-1)
3 Choose e (with eltn) that has no common factors with z (e z are ldquorelatively primerdquo)
4 Choose d such that ed-1 is exactly divisible by z (in other words ed mod z = 1 )
5 Public key is (ne) Private key is (nd)
K B+ K B
-
RSA Encryption decryption
0 Given (ne) and (nd) as computed above
1 To encrypt bit pattern m compute
c = m mod n
e (ie remainder when m is divided by n)e
2 To decrypt received bit pattern c compute
m = c mod n
d (ie remainder when c is divided by n)d
m = (m mod n)
e mod n
dMagichappens
c
RSA example
Bob chooses p=5 q=7 Then n=35 z=24e=5 (so e z relatively prime)d=29 (so ed-1 exactly divisible by z
letter m me c = m mod ne
l 12 1524832 17
c m = c mod nd
17 481968572106750915091411825223071697 12
cdletter
l
encrypt
decrypt
RSA Why is that m = (m mod n)
e mod n
d
(m mod n)
e mod n = m mod n
d ed
Useful number theory result If pq prime and n = pq then
x mod n = x mod ny y mod (p-1)(q-1)
= m mod n
ed mod (p-1)(q-1)
= m mod n1
= m
(using number theory result above)
(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )
RSA another important property
The following property will be very useful later
K (K (m)) = m BB
- +K (K (m))
BB+ -
=
use public key first followed
by private key
use private key first
followed by public key
Result is the same
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
Failure scenarioldquoI am Alicerdquo
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
in a networkBob can not ldquoseerdquo
Alice so Trudy simply declares
herself to be AliceldquoI am Alicerdquo
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Failure scenario
ldquoI am AlicerdquoAlicersquos
IP address
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Trudy can createa packet
ldquospoofingrdquoAlicersquos addressldquoI am Alicerdquo
Alicersquos IP address
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
playback attack Trudy records Alicersquos
packetand later
plays it back to Bob
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
Authentication yet another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
encrypted password
OKAlicersquos IP addr
Authentication another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
recordand
playbackstill works
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
Authentication yet another try
Goal avoid playback attack
Failures drawbacks
Nonce number (R) used only once ndashin-a-lifetime
ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice
must return R encrypted with shared secret keyldquoI am Alicerdquo
R
K (R)A-B
Alice is live and only Alice knows key to encrypt
nonce so it must be Alice
Authentication ap50
ap40 requires shared symmetric key can we authenticate using public key techniquesap50 use nonce public key cryptography
ldquoI am Alicerdquo
RBob computes
K (R)A-
ldquosend me your public keyrdquo
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the
private key that encrypted R such that
(K (R)) = RA-
K A+
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alicersquos public key
AK (m)+
Am = K (K (m))+
A-
R
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information?
• Global: all routers have complete topology, link cost info; "link state" algorithms
• Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
• Static: routes change slowly over time
• Dynamic: routes change more quickly; periodic update in response to link cost changes
Dijkstra's Algorithm
  Initialization:
    N = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞
  Loop
    find w not in N such that D(w) is a minimum
    add w to N
    update D(v) for all v adjacent to w and not in N:
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
  until all nodes in N
Dijkstra's algorithm: example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
  0   u        2,u        5,u        1,u        ∞          ∞
  1   ux       2,u        4,x                   2,x        ∞
  2   uxy      2,u        3,y                              4,y
  3   uxyv                3,y                              4,y
  4   uxyvw                                                4,y
  5   uxyvwz
[Figure: graph with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]
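Dijkstra's link-state algorithm as written on the previous slide, run on the example graph above; this is an added example, not code from the slides. Each pass of the loop is recorded as one table row so the output can be compared with the table, and the forwarding table at u is then read off the predecessors.

```python
"""Added example (not from the slides): Dijkstra's link-state algorithm on
the slide's example graph, recording one table row per loop iteration."""
INF = float("inf")

# The slide's example graph: undirected link costs c(a,b)
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}


def adjacency(graph):
    """adj[a][b] = c(a,b) in both directions."""
    adj = {}
    for (a, b), cost in graph.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def table_row(N, D, p):
    """One row of the slide's table: N, plus (D(v), p(v)) for v not yet in N."""
    return "".join(N), {v: (D[v], p[v]) for v in D if v not in N}


def dijkstra(graph, u):
    """Returns (D, p, rows): least costs D(v), predecessors p(v) on the
    least-cost path, and the per-step table rows (step 0 first)."""
    adj = adjacency(graph)
    N = [u]                                    # nodes whose least cost is final
    D = {v: INF for v in adj}
    p = {v: None for v in adj}
    D[u] = 0
    for v, c in adj[u].items():                # initialization
        D[v], p[v] = c, u
    rows = [table_row(N, D, p)]
    while len(N) < len(adj):                   # until all nodes in N
        # find w not in N such that D(w) is a minimum. The slide does not say
        # how ties are broken; taking the alphabetically last node (y before v)
        # reproduces the row order of its table. Node names are single letters.
        w = min((v for v in adj if v not in N), key=lambda v: (D[v], -ord(v)))
        N.append(w)
        for v, c in adj[w].items():            # update D(v) for v adjacent to w
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w       # shorter via w than the old cost
        rows.append(table_row(N, D, p))
    return D, p, rows


def forwarding_table(p, u):
    """Next hop from u to each destination, found by walking p back to u."""
    table = {}
    for dest in p:
        if dest == u:
            continue
        hop = dest
        while p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, rows = dijkstra(GRAPH, "u")
    for step, (N, cells) in enumerate(rows):
        print(step, N, cells)
    print("forwarding table at u:", forwarding_table(p, "u"))
```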
Distance vector algorithm (1)
Basic idea:
• Each node periodically sends its own distance vector estimate to neighbors
• When a node x receives new DV estimate from neighbor, it updates its own DV using the B-F (Bellman-Ford) equation:
    Dx(y) ← min over v { c(x,v) + Dv(y) }  for each node y ∈ N
• Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
• local link cost change
• DV update message from neighbor
Distributed:
• each node notifies neighbors only when its DV changes
• neighbors then notify their neighbors if necessary
• The algorithm doesn't know the entire path – only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor)
… update traffic
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
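A distance-vector simulation of the Bellman-Ford update on the same graph as the Dijkstra example, added here as an example (not from the slides). Nodes exchange DVs with neighbors only and send a DV only when it changed, as the slide describes, and each node ends up holding least costs and next hops rather than whole paths.

```python
"""Added example (not from the slides): event-driven distance-vector routing,
Dx(y) = min over v { c(x,v) + Dv(y) }, on the Dijkstra example graph."""
from collections import deque

INF = float("inf")
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}


def adjacency(graph):
    adj = {}
    for (a, b), cost in graph.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


class DVNode:
    def __init__(self, name, link_costs, all_nodes):
        self.name = name
        self.cost = dict(link_costs)                   # c(x,v) per neighbor v
        # last DV heard from each neighbor; a neighbor's cost to itself is 0
        self.nbr_dv = {v: {y: INF for y in all_nodes} for v in link_costs}
        for v in link_costs:
            self.nbr_dv[v][v] = 0
        self.dv = {y: INF for y in all_nodes}          # Dx(y)
        self.next_hop = {y: None for y in all_nodes}   # only the next hop is known
        self.dv[name] = 0
        self.recompute()

    def recompute(self):
        """Apply the B-F equation for each destination; True if Dx changed."""
        changed = False
        for y in self.dv:
            if y == self.name:
                continue
            best, hop = INF, None
            for v, c in self.cost.items():
                if c + self.nbr_dv[v][y] < best:
                    best, hop = c + self.nbr_dv[v][y], v
            if (best, hop) != (self.dv[y], self.next_hop[y]):
                self.dv[y], self.next_hop[y] = best, hop
                changed = True
        return changed

    def receive(self, neighbor, dv):
        """A DV update message from a neighbor triggers a local iteration."""
        self.nbr_dv[neighbor] = dict(dv)
        return self.recompute()


def run_dv(graph):
    """Asynchronous exchange: returns (nodes, number of DV messages sent)."""
    adj = adjacency(graph)
    nodes = {x: DVNode(x, adj[x], list(adj)) for x in adj}
    pending = deque(adj)           # every node announces its initial DV once
    messages = 0
    while pending:
        x = pending.popleft()
        for v in adj[x]:           # send Dx to each neighbor
            messages += 1
            if nodes[v].receive(x, nodes[x].dv) and v not in pending:
                pending.append(v)  # v's DV changed: v must notify its neighbors
    return nodes, messages


if __name__ == "__main__":
    nodes, msgs = run_dv(GRAPH)
    print("DV messages exchanged:", msgs)
    for x in sorted(nodes):
        print(x, "costs", nodes[x].dv, "next hops", nodes[x].next_hop)
```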
Data Link Layer: Some terminology
• hosts and routers are nodes
• communication channels that connect adjacent nodes along communication path are links
  • wired links
  • wireless links
  • LANs
• layer-2 packet is a frame, encapsulates datagram
[Figure: a "link" between two adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
• Framing, link access:
  • encapsulate datagram into frame, adding header, trailer
  • channel access if shared medium
  • "MAC" addresses used in frame headers to identify source, dest
    • different from IP address!
• Reliable delivery between adjacent nodes
  • we learned how to do this already (chapter 3)!
  • seldom used on low bit error link (fiber, some twisted pair)
  • wireless links: high error rates
    • Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
• Channel Partitioning
  • divide channel into smaller "pieces" (time slots, frequency, code)
  • allocate piece to node for exclusive use
• Random Access
  • channel not divided, allow collisions
  • "recover" from collisions
• "Taking turns"
  • Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
• access to channel in "rounds"
• each station gets fixed length slot (length = pkt trans time) in each round
• unused slots go idle
• example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple
Cons
• collisions, wasting slots
• idle slots
• clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
• prob that node 1 has success in a slot = p(1-p)^(N-1)
• prob that there is a success = Np(1-p)^(N-1)
• For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
• For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
• If channel sensed idle: transmit entire frame
• If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted
[Figure: spatial layout of nodes, two transmissions overlapping in time and space]
• note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
• collisions detected within short time
• colliding transmissions aborted, reducing channel wastage
collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted, received signals
• difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: space-time diagram of two nodes detecting and aborting a collision]
"Taking Turns" MAC protocols
Polling:
• master node "invites" slave nodes to transmit in turn
• concerns: polling overhead, latency, single point of failure (master)
Token passing:
• control token passed from one node to next sequentially
• token message
• concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
• Each IP node (Host, Router) on LAN has ARP table
• ARP Table: IP/MAC address mappings for some LAN nodes
    < IP address; MAC address; TTL>
• TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]
ARP protocol: Same LAN (network)
• A wants to send datagram to B, and B's MAC address not in A's ARP table.
• A broadcasts ARP query packet, containing B's IP address
  • Dest MAC address = FF-FF-FF-FF-FF-FF
  • all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address
  • frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  • soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
• Two ARP tables in router R, one for each IP network (LAN)
• In routing table at source Host, find router 111.111.111.110
• In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: A on one LAN, B on another, connected through router R]
• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
[Figure: the same A – R – B topology]
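The ARP slides and the A → R → B walkthrough above as one runnable model, added here as an example (not from the slides): ARP tables are soft state with a 20-minute TTL, a query is a broadcast answered by unicast, and a datagram to another LAN is carried in a frame addressed to the router first. The router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B are the slide's; every other address and the simulated clock are constructed.

```python
"""Added example (not from the slides): ARP soft state, query/reply, and
sending a datagram from A to B through router R."""
import ipaddress

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"   # destination of an ARP query
ARP_TTL = 20 * 60                     # seconds: "typically 20 min"

# Only R's LAN-1 side is from the slide; the rest is constructed
A_IP, A_MAC = "111.111.111.111", "74-29-9C-E8-FF-55"
R_IP1, R_MAC1 = "111.111.111.110", "E6-E9-00-17-BB-4B"
R_IP2, R_MAC2 = "222.222.222.220", "1A-23-F9-CD-06-9B"
B_IP, B_MAC = "222.222.222.222", "49-BD-D2-C7-56-2A"


class Node:
    def __init__(self, name, interfaces, routes):
        self.name = name
        self.interfaces = dict(interfaces)   # ip -> mac, one entry per LAN
        self.routes = routes                 # [(network, next-hop ip or None)]
        self.arp_table = {}                  # ip -> (mac, expiry time)

    def lookup(self, ip, now):
        """Cached MAC for ip, or None if absent or timed out (soft state)."""
        mac, expiry = self.arp_table.get(ip, (None, 0))
        if expiry <= now:
            self.arp_table.pop(ip, None)     # forgotten unless refreshed
            return None
        return mac

    def resolve(self, ip, lan, now):
        """ARP: answer from the cache, else broadcast a query on the LAN."""
        mac = self.lookup(ip, now)
        if mac is None:
            mac = lan.arp_query(ip)
            if mac is not None:
                self.arp_table[ip] = (mac, now + ARP_TTL)
        return mac

    def next_hop(self, dst_ip):
        """Routing table: deliver directly on our LAN, else via the router."""
        for network, via in self.routes:
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(network):
                return via or dst_ip
        raise LookupError("no route to " + dst_ip)


class Lan:
    """Broadcast medium: a query to FF-FF-FF-FF-FF-FF reaches every node; the
    owner of the IP address replies (unicast) with its MAC address."""
    def __init__(self, nodes):
        self.nodes = list(nodes)

    def arp_query(self, target_ip):
        for node in self.nodes:
            if target_ip in node.interfaces:
                return node.interfaces[target_ip]
        return None


def build():
    A = Node("A", {A_IP: A_MAC}, [("111.111.111.0/24", None), ("0.0.0.0/0", R_IP1)])
    B = Node("B", {B_IP: B_MAC}, [("222.222.222.0/24", None), ("0.0.0.0/0", R_IP2)])
    R = Node("R", {R_IP1: R_MAC1, R_IP2: R_MAC2},
             [("111.111.111.0/24", None), ("222.222.222.0/24", None)])
    return A, R, B, Lan([A, R]), Lan([R, B])


def send_via_router(A, R, lan1, lan2, now):
    """Returns the frame A puts on LAN 1 and the frame R puts on LAN 2."""
    datagram = {"src": A_IP, "dst": B_IP, "payload": "hello B"}
    hop = A.next_hop(B_IP)                               # 111.111.111.110
    frame1 = {"dst_mac": A.resolve(hop, lan1, now), "src_mac": A_MAC,
              "datagram": datagram}
    if frame1["dst_mac"] != R.interfaces[R_IP1]:
        raise RuntimeError("frame not addressed to R's adapter")
    dg = frame1["datagram"]                              # R strips the frame
    hop2 = R.next_hop(dg["dst"])                         # B is on LAN 2 directly
    frame2 = {"dst_mac": R.resolve(hop2, lan2, now), "src_mac": R_MAC2,
              "datagram": dg}                            # same IP datagram
    return frame1, frame2


if __name__ == "__main__":
    A, R, B, lan1, lan2 = build()
    f1, f2 = send_via_router(A, R, lan1, lan2, now=0)
    print("LAN 1 frame:", f1["src_mac"], "->", f1["dst_mac"], f1["datagram"])
    print("LAN 2 frame:", f2["src_mac"], "->", f2["dst_mac"], f2["datagram"])
    print("A's entry for R after 19 min:", A.lookup(R_IP1, 19 * 60))
    print("A's entry for R after 21 min:", A.lookup(R_IP1, 21 * 60))
```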
Ethernet uses CSMA/CD
• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
• Goal: adapt retransmission attempts to estimated current load
  • heavy load: random wait will be longer
• first collision: choose K from {0,1}; delay is K·512 bit transmission times
• after second collision: choose K from {0,1,2,3}…
• after ten collisions, choose K from {0,1,2,3,4,…,1023}
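Ethernet's exponential backoff as described on the two slides above, added here as an example (not from the slides): the range of K after the m-th collision, the delay of K·512 bit times at 10 Mbps, and a small simulation of adapters that keep colliding until their K values differ. The cap of 16 attempts is real adapter behaviour, not something the slide states, and the random seed is constructed so the run is repeatable.

```python
"""Added example (not from the slides): Ethernet exponential backoff."""
import random

BIT_TIME_10MBPS = 0.1e-6      # 0.1 microsecond per bit at 10 Mbps
SLOT_BITS = 512               # the adapter waits K * 512 bit times
MAX_EXPONENT = 10             # after ten collisions K comes from 0..1023
MAX_ATTEMPTS = 16             # assumption: adapters give up after 16 collisions


def k_range(m):
    """Inclusive range of K after the m-th collision: 0 .. 2^min(m,10) - 1."""
    return 0, 2 ** min(m, MAX_EXPONENT) - 1


def choose_k(m, rng=random):
    lo, hi = k_range(m)
    return rng.randint(lo, hi)


def wait_seconds(K, bit_time=BIT_TIME_10MBPS):
    """Backoff delay of K slots of 512 bit times."""
    return K * SLOT_BITS * bit_time


def expected_wait_seconds(m, bit_time=BIT_TIME_10MBPS):
    """Mean delay after the m-th collision: K is uniform, so E[K] = hi/2.
    This is how the wait adapts to load: more collisions, longer waits."""
    lo, hi = k_range(m)
    return (lo + hi) / 2 * SLOT_BITS * bit_time


def collisions_until_success(n_adapters=2, seed=7):
    """Simulate n adapters that just collided. After each collision every
    adapter draws K from the current range; the unique smallest K wins the
    channel, equal smallest Ks collide again. Returns the number of
    collisions before one adapter transmits alone, None if the cap is hit."""
    rng = random.Random(seed)
    for m in range(1, MAX_ATTEMPTS + 1):          # the m-th collision happened
        ks = [choose_k(m, rng) for _ in range(n_adapters)]
        if ks.count(min(ks)) == 1:
            return m                              # one adapter goes first
    return None


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 14):
        print(f"collision {m:2d}: K in {k_range(m)}, mean wait "
              f"{expected_wait_seconds(m) * 1e3:.3f} ms")
    print("K=1023 wait:", round(wait_seconds(1023) * 1e3, 1), "ms")
    print("collisions before success (2 adapters):", collisions_until_success())
```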
CSMA/CD efficiency
• Tprop = max prop between 2 nodes in LAN
• ttrans = time to transmit max-size frame
    efficiency = 1 / (1 + 5 tprop/ttrans)
• Efficiency goes to 1 as tprop goes to 0
• Goes to 1 as ttrans goes to infinity
• Much better than ALOHA, but still decentralized, simple, and cheap
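The slotted ALOHA efficiency result (slide "Slotted Aloha efficiency") and the CSMA/CD efficiency formula above, computed rather than quoted; this is an added example, not from the slides. The success probability Np(1-p)^(N-1) is maximized over p by search and taken toward the many-node limit; the CSMA/CD formula is evaluated for a 10 Mbps LAN whose span, propagation speed and frame sizes are constructed inputs.

```python
"""Added example (not from the slides): slotted ALOHA and CSMA/CD efficiency."""
import math

ONE_OVER_E = 1 / math.e            # the slide's 1/e = .37


def aloha_success_prob(N, p):
    """Probability that exactly one of N nodes transmits in a given slot."""
    return N * p * (1 - p) ** (N - 1)


def aloha_best(N, grid=10000):
    """Search p = 1/grid ... (grid-1)/grid for the maximum success
    probability; returns (best p, max efficiency)."""
    best_p, best = None, -1.0
    for i in range(1, grid):
        p = i / grid
        s = aloha_success_prob(N, p)
        if s > best:
            best_p, best = p, s
    return best_p, best


def aloha_limit(node_counts=(2, 5, 10, 100, 1000)):
    """Max efficiency as N grows; the values fall toward ONE_OVER_E."""
    return {N: aloha_best(N)[1] for N in node_counts}


def csmacd_efficiency(tprop, ttrans):
    """Slide formula: efficiency = 1 / (1 + 5 tprop/ttrans)."""
    return 1.0 / (1.0 + 5.0 * tprop / ttrans)


def ethernet_efficiency(span_m, frame_bits, bitrate=10e6, prop_speed=2e8):
    """tprop from the LAN's maximum span, ttrans from the frame size.
    span_m, prop_speed and frame_bits are constructed inputs."""
    tprop = span_m / prop_speed       # seconds for a bit to cross the LAN
    ttrans = frame_bits / bitrate     # seconds to put the frame on the wire
    return csmacd_efficiency(tprop, ttrans)


if __name__ == "__main__":
    for N, eff in aloha_limit().items():
        print(f"slotted ALOHA, N={N:5d}: max efficiency {eff:.4f}")
    print(f"limit 1/e = {ONE_OVER_E:.4f}")
    # constructed 10 Mbps LAN spanning 2500 m: 1500-byte vs 64-byte frames
    print("CSMA/CD, 12000-bit frames:", round(ethernet_efficiency(2500, 12000), 3))
    print("CSMA/CD,   512-bit frames:", round(ethernet_efficiency(2500, 512), 3))
```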
Hubs
Hubs are essentially physical-layer repeaters:
• bits coming from one link go out all other links
• at the same rate
• no frame buffering
• no CSMA/CD at hub: adapters detect collisions
• provides net management functionality
  • can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros:
• Enables interdepartmental communication
• Extends max distance btw nodes
• If a hub malfunctions, the backbone hub can disconnect it
Cons:
• Collision domains are merged into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub connecting three departmental hubs]
Switch
Link layer device
• stores and forwards Ethernet frames
• examines frame header and selectively forwards frame based on MAC dest address
• when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
• hosts are unaware of presence of switches
plug-and-play, self-learning
• switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[Figure: a switch with interfaces 1, 2, 3, each leading to a hub]
Self learning
• A switch has a switch table
• entry in switch table: (MAC Address, Interface, Time Stamp)
• stale entries in table dropped (TTL can be 60 min)
• switch learns which hosts can be reached through which interfaces
  • when frame received, switch "learns" location of sender: incoming LAN segment
  • records sender/location pair in switch table
Switch: traffic isolation
• switch installation breaks subnet into LAN segments
• switch filters packets:
  • same-LAN-segment frames not usually forwarded onto other LAN segments
  • segments become separate collision domains
[Figure: a switch connecting three hubs, each hub's segment its own collision domain]
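A self-learning switch with the table described above, added here as an example (not from the slides): entries are (MAC address, interface, time stamp) with a 60-minute TTL, unknown destinations are flooded, and frames whose destination sits on the incoming segment are filtered. Hosts, interface numbers and MAC addresses are constructed.

```python
"""Added example (not from the slides): self-learning switch with traffic
isolation and stale-entry expiry."""
TTL = 60 * 60                     # seconds; the slide's "TTL can be 60 min"


class LearningSwitch:
    def __init__(self, n_interfaces):
        self.interfaces = list(range(1, n_interfaces + 1))
        self.table = {}           # mac -> (interface, time stamp)

    def _drop_stale(self, now):
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > TTL:
                del self.table[mac]

    def receive(self, frame, in_if, now):
        """Learn where the sender lives, then return the interfaces the frame
        goes out on: all but in_if when the destination is unknown (flood),
        none when it is on the incoming segment (filter), otherwise just the
        destination's interface (selective forwarding)."""
        self._drop_stale(now)
        self.table[frame["src"]] = (in_if, now)          # self-learning
        entry = self.table.get(frame["dst"])
        if entry is None:
            return [i for i in self.interfaces if i != in_if]
        out_if, _ = entry
        return [] if out_if == in_if else [out_if]


def trace():
    """Constructed traffic on a 3-port switch: hosts A and B share a hub on
    interface 1, C is on interface 2, interface 3 leads to a third segment."""
    sw = LearningSwitch(3)
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    events = [
        ({"src": A, "dst": B}, 1, 0),       # B unknown: flood to 2 and 3
        ({"src": B, "dst": A}, 1, 1),       # A known on 1, same segment: filter
        ({"src": A, "dst": C}, 1, 2),       # C unknown: flood
        ({"src": C, "dst": A}, 2, 3),       # A known on 1: forward to 1 only
        ({"src": A, "dst": C}, 1, 4),       # C known on 2: forward to 2 only
        ({"src": A, "dst": C}, 1, 3700),    # C's entry is stale: flood again
    ]
    return [sw.receive(f, port, t) for f, port, t in events], dict(sw.table)


if __name__ == "__main__":
    decisions, table = trace()
    for d in decisions:
        print("out on interfaces:", d)
    print("switch table:", table)
```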
Switches vs. Routers
• both store-and-forward devices
  • routers: network layer devices (examine network layer headers)
  • switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, means A, C unaware of their interference at B
[Figure: A, B, C in a line; A and C are out of each other's range]
Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other, interfering at B
[Figure: A's and C's signal strength versus space, both reaching B but not each other]
IEEE 802.11 Wireless LAN
802.11b
• 2.4-5 GHz unlicensed radio spectrum
• up to 11 Mbps
• direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
• widely deployed, using base stations
802.11a
• 5-6 GHz range
• up to 54 Mbps
802.11g
• 2.4-5 GHz range
• up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
• wireless host communicates with base station
  • base station = access point (AP)
• Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  • wireless hosts
  • access point (AP): base station
• ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS and sends data; receiver waits SIFS and returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: A and B both send RTS to the AP and the two RTS frames collide; the AP answers CTS(A), which B also hears; A sends DATA(A) inside the reservation while B defers; the AP returns ACK(A)]
802.11 frame (field lengths in bytes):
  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame: addressing
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode
[Figure: wireless host H1 sends to the AP, which is attached to router R1 and the Internet]
802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (AP to R1): dest address = R1 MAC addr, source address = H1 MAC addr
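The 802.11 frame laid out with the byte sizes given above (2, 2, 6, 6, 6, 2, 6, payload 0-2312, CRC 4) and the AP's rewriting of addresses between 802.11 and 802.3 frames for the H1 – AP – R1 picture, added here as an example (not from the slides). MAC addresses are constructed, frame control and duration are carried but not interpreted, and zlib.crc32 stands in for the frame check sequence.

```python
"""Added example (not from the slides): 802.11 frame layout and the address
translation an AP performs toward and from the wired 802.3 LAN."""
import struct
import zlib

# frame control, duration, address 1-3, seq control, address 4 (little-endian)
HEADER = struct.Struct("<HH6s6s6sH6s")
MAX_PAYLOAD = 2312
CRC_LEN = 4

# constructed addresses for the slide's H1, AP and R1
H1_MAC, AP_MAC, R1_MAC = "00-11-22-33-44-01", "00-11-22-33-44-A0", "00-11-22-33-44-F1"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))


def bytes_to_mac(b):
    return "-".join(f"{x:02X}" for x in b)


def build_80211(addr1, addr2, addr3, payload, seq=0, addr4="00-00-00-00-00-00",
                frame_control=0, duration=0):
    """addr1 = receiver, addr2 = transmitter, addr3 = router interface;
    addr4 is only meaningful in ad hoc mode and stays zero here."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    header = HEADER.pack(frame_control, duration, mac_to_bytes(addr1),
                         mac_to_bytes(addr2), mac_to_bytes(addr3), seq,
                         mac_to_bytes(addr4))
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_80211(frame):
    """Split a frame into its fields; a CRC mismatch means the frame is
    discarded (and, on a real link, not ACKed)."""
    if len(frame) < HEADER.size + CRC_LEN:
        raise ValueError("frame too short")
    body, fcs = frame[:-CRC_LEN], struct.unpack("<I", frame[-CRC_LEN:])[0]
    if zlib.crc32(body) != fcs:
        raise ValueError("CRC mismatch")
    fc, dur, a1, a2, a3, seq, a4 = HEADER.unpack(body[:HEADER.size])
    return {"frame_control": fc, "duration": dur, "seq": seq,
            "addr1": bytes_to_mac(a1), "addr2": bytes_to_mac(a2),
            "addr3": bytes_to_mac(a3), "addr4": bytes_to_mac(a4),
            "payload": body[HEADER.size:]}


def frame_ok(frame):
    try:
        parse_80211(frame)
        return True
    except ValueError:
        return False


def ap_to_wired(frame_80211):
    """AP forwards a wireless host's frame onto the wired LAN:
    802.3 dest = address 3 (router), 802.3 source = address 2 (host)."""
    f = parse_80211(frame_80211)
    return {"dest": f["addr3"], "source": f["addr2"], "payload": f["payload"]}


def ap_to_wireless(frame_8023, ap_mac):
    """AP forwards a router's 802.3 frame to the wireless host it is for:
    address 1 = host (receiver), address 2 = AP (transmitter),
    address 3 = the router interface the frame came from."""
    return build_80211(frame_8023["dest"], ap_mac, frame_8023["source"],
                       frame_8023["payload"])


if __name__ == "__main__":
    up = build_80211(AP_MAC, H1_MAC, R1_MAC, b"to the Internet")
    print("H1 -> AP 802.11:", parse_80211(up))
    print("AP -> R1 802.3: ", ap_to_wired(up))
    down = ap_to_wireless({"dest": H1_MAC, "source": R1_MAC, "payload": b"reply"}, AP_MAC)
    print("AP -> H1 802.11:", parse_80211(down))
```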
Network Security
• What is network security?
• Principles of cryptography
  • Symmetric Key
  • Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures
  • Packet sniffing
  • IP spoofing
  • DoS attacks
Public key encryption algorithms
Requirements:
1. need K_B+( ) and K_B-( ) such that K_B-(K_B+(m)) = m
2. given public key K_B+, it should be impossible to compute private key K_B-
Also: given K_B+(m) and K_B+( ), it should be impossible to determine m
RSA: Choosing keys
1. Choose two large prime numbers p, q (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z (e, z are "relatively prime")
4. Choose d such that ed-1 is exactly divisible by z (in other words: ed mod z = 1)
5. Public key is (n,e). Private key is (n,d).
   K_B+ = (n,e)       K_B- = (n,d)
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute
     c = m^e mod n  (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern, c, compute
     m = c^d mod n  (i.e., remainder when c^d is divided by n)
   Magic happens!   m = (m^e mod n)^d mod n
RSA example
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
encrypt:  letter  m    m^e       c = m^e mod n
          l       12   248832    17
decrypt:  c    c^d                                      m = c^d mod n   letter
          17   481968572106750915091411825223071697     12              l
RSA: Why is that m = (m^e mod n)^d mod n ?
Useful number theory result: If p, q prime and n = pq, then
    x^y mod n = x^(y mod (p-1)(q-1)) mod n
(m^e mod n)^d mod n = m^(ed) mod n
                    = m^(ed mod (p-1)(q-1)) mod n    (using number theory result above)
                    = m^1 mod n                        (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
                    = m
RSA: another important property
The following property will be very useful later:
    K_B-(K_B+(m)) = m = K_B+(K_B-(m))
    use public key first, followed by private key  =  use private key first, followed by public key
Result is the same!
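RSA key choice, encryption and decryption exactly as the five RSA slides above describe them, as an added example (not from the slides): first the slide's toy parameters p=5, q=7, e=5, d=29 (so 'l' = 12 → 17 → 12), then the number-theory identity behind "why is that" checked numerically, and the "another important property" that K-(K+(m)) = K+(K-(m)) = m. A second, larger toy key pair (p=61, q=53, e=17) is constructed here; the alphabet a=1 … z=26 is the slide's.

```python
"""Added example (not from the slides): RSA as on the slides, with the
slide's toy numbers and a second constructed toy key pair."""
from math import gcd


def choose_keys(p, q, e, d=None):
    """Steps 2-5 of the slide: n = pq, z = (p-1)(q-1), e relatively prime to z,
    d with ed mod z = 1. Any such d works; the slide's d=29 is 5 + 24. If d is
    not given, the smallest one is computed. Returns ((n, e), (n, d))."""
    n, z = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, z) == 1):
        raise ValueError("e must be in (1, n) and relatively prime to z")
    if d is None:
        d = pow(e, -1, z)                 # modular inverse of e mod z
    elif (e * d - 1) % z != 0:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)


def encrypt(public, m):
    """c = m^e mod n; the bit pattern m must be smaller than n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(private, c):
    """m = c^d mod n."""
    n, d = private
    return pow(c, d, n)


def number_theory_check(p, q, x, y):
    """The slide's result: x^y mod n = x^(y mod (p-1)(q-1)) mod n."""
    n, z = p * q, (p - 1) * (q - 1)
    return pow(x, y, n) == pow(x, y % z, n)


def commutes(public, private, m):
    """K-(K+(m)) == m and K+(K-(m)) == m: either key may be applied first."""
    return (decrypt(private, encrypt(public, m)) == m
            and encrypt(public, decrypt(private, m)) == m)


def letter_to_number(ch):
    """The slide's alphabet: a=1, ..., l=12, ..., z=26."""
    return ord(ch) - ord("a") + 1


def slide_example():
    """p=5, q=7, e=5, d=29: n=35, z=24; encrypt and decrypt the letter l."""
    public, private = choose_keys(5, 7, 5, d=29)
    m = letter_to_number("l")               # 12
    c = encrypt(public, m)                  # 12^5 = 248832, mod 35 = 17
    return public, private, m, c, decrypt(private, c)


if __name__ == "__main__":
    public, private, m, c, back = slide_example()
    print("public", public, "private", private)
    print(f"m={m}  m^e={m ** public[1]}  c={c}")
    print(f"c^d={c ** private[1]}  m={back}")
    print("K-(K+(m)) == K+(K-(m)) == m:", commutes(public, private, m))
    pub2, priv2 = choose_keys(61, 53, 17)   # constructed larger toy key
    print("second key:", pub2, priv2, "round trip of 65:",
          decrypt(priv2, encrypt(pub2, 65)))
```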
Overview
• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario? In a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice
[Figure: Trudy sends "I am Alice" to Bob]
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario? Trudy can create a packet "spoofing" Alice's address
[Figure: Trudy sends "I am Alice" with Alice's IP address as the source]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Failure scenario? playback attack: Trudy records Alice's packet and later plays it back to Bob
[Figure: Alice sends "I'm Alice", Alice's IP addr, Alice's password; Bob replies OK; Trudy later replays the recorded packet and Bob again replies OK]
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Failure scenario? record and playback still works!
[Figure: Alice sends "I'm Alice", Alice's IP addr, encrypted password; Bob replies OK; Trudy replays the same packet]
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[Figure: Alice: "I am Alice"; Bob sends R; Alice returns K_A-B(R); Bob: Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!]
Failures, drawbacks?
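Protocols ap3.0 (password) and ap4.0 (nonce) from the slides above, each run once honestly and once against a recorded-and-replayed message, added here as an example (not from the slides). HMAC-SHA256 under the shared key stands in for the slide's K_A-B(R) encryption of the nonce; the message flow is the slide's. The key, the password and Trudy's recording are constructed.

```python
"""Added example (not from the slides): ap3.0 versus ap4.0 under playback."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed shared key K_A-B"
ALICE_PASSWORD = "constructed-password"


class BobAp30:
    """ap3.0: Bob checks the name and password in the message, nothing else."""

    def __init__(self, password):
        self.password = password

    def receive(self, msg):
        return msg["name"] == "Alice" and msg["password"] == self.password


def alice_ap30():
    return {"name": "Alice", "password": ALICE_PASSWORD}


def keyed(key, R):
    """Stand-in for K_A-B(R): a keyed MAC of the nonce under the shared key."""
    return hmac.new(key, R, hashlib.sha256).digest()


class BobAp40:
    """ap4.0: Bob sends a fresh nonce R and accepts only K_A-B(R) for that R."""

    def __init__(self, key):
        self.key = key
        self.outstanding = None      # nonce of the challenge awaiting an answer
        self.used = set()            # a nonce is used once in a lifetime

    def challenge(self):
        R = secrets.token_bytes(16)
        while R in self.used:        # never reissue a nonce
            R = secrets.token_bytes(16)
        self.used.add(R)
        self.outstanding = R
        return R

    def receive(self, response):
        R, self.outstanding = self.outstanding, None   # one answer per challenge
        if R is None:
            return False             # nothing was asked: stray or replayed reply
        return hmac.compare_digest(response, keyed(self.key, R))


def alice_ap40(R):
    return keyed(SHARED_KEY, R)


def run_ap30():
    """Returns (Bob's verdict on Alice, Bob's verdict on Trudy's replay)."""
    bob = BobAp30(ALICE_PASSWORD)
    msg = alice_ap30()
    alice_ok = bob.receive(msg)
    recorded = dict(msg)                 # Trudy recorded Alice's packet ...
    replay_ok = bob.receive(recorded)    # ... and plays it back later
    return alice_ok, replay_ok


def run_ap40():
    """Same two runs for ap4.0; the replayed K_A-B(R) answers an old nonce."""
    bob = BobAp40(SHARED_KEY)
    R1 = bob.challenge()
    response = alice_ap40(R1)
    alice_ok = bob.receive(response)
    recorded = bytes(response)
    R2 = bob.challenge()                 # a new session gets a new nonce
    replay_ok = bob.receive(recorded)
    return alice_ok, replay_ok, R1 != R2


if __name__ == "__main__":
    ok, replay = run_ap30()
    print("ap3.0 (password): Alice accepted:", ok, " replay accepted:", replay)
    ok, replay, fresh = run_ap40()
    print("ap4.0 (nonce):    Alice accepted:", ok, " replay accepted:", replay,
          " nonce fresh:", fresh)
```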
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: Alice: "I am Alice"; Bob sends R; Alice returns K_A-(R); Bob: "send me your public key"; Alice sends K_A+]
Bob computes K_A+(K_A-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A+(K_A-(R)) = R
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
[Figure: "I am Alice" reaches Bob through Trudy; Bob's nonce R goes to Trudy, who answers K_T-(R) and, when asked "Send me your public key", sends K_T+; Trudy relays R to Alice, who returns K_A-(R) and K_A+; Bob sends K_T+(m); Trudy computes m = K_T-(K_T+(m)); Alice receives K_A+(m) and computes m = K_A-(K_A+(m))]
Trudy gets m, and sends m to Alice encrypted with Alice's public key
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!
Overview
• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures
Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
[Figure: administered network – firewall – public Internet]
Firewalls: Why
• prevent denial of service attacks:
  • SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
• prevent illegal modification/access of internal data
  • e.g., attacker replaces CIA's homepage with something else
• allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls:
• application-level
• packet-filtering
Packet Filtering
• internal network connected to Internet via router firewall
• router filters packet-by-packet, decision to forward/drop packet based on:
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
• Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  • All incoming and outgoing UDP flows and telnet connections are blocked.
• Example 2: Block inbound TCP SYN packets.
  • Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
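One packet-filtering router that can be loaded with the rules discussed on this page, as an added example (not from the slides): the ingress rule from the "IP spoofing: ingress filtering" slide (drop outgoing packets whose source is not in the router's network), the SYN-flood rate limit from the "Denial of service countermeasures" slide (which also throws out a legitimate SYN arriving mid-flood), and the firewall Examples 1 and 2 above. Rules are checked in order and the first match decides; the network prefix, addresses, limits and packets are constructed.

```python
"""Added example (not from the slides): packet filtering with the page's
ingress, SYN-flood, UDP/telnet and inbound-SYN rules."""
import ipaddress
from collections import deque

UDP, TCP, TELNET = 17, 6, 23


def ingress_rule(local_net):
    """Drop outgoing packets whose source address is outside our network."""
    net = ipaddress.ip_network(local_net)
    def rule(pkt, now):
        if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]) not in net:
            return "drop:spoofed-source"
    return rule


def udp_and_telnet_rule(pkt, now):
    """Firewall Example 1: IP protocol 17 (UDP) or either port = 23."""
    if pkt["proto"] == UDP or TELNET in (pkt["sport"], pkt["dport"]):
        return "drop:udp-or-telnet"


def inbound_syn_rule(pkt, now):
    """Firewall Example 2: block inbound TCP SYN (SYN set, ACK clear), so
    outside clients cannot open connections while inside clients still can."""
    if pkt["dir"] == "in" and pkt["proto"] == TCP and pkt["syn"] and not pkt["ack"]:
        return "drop:inbound-syn"


def syn_flood_rule(limit, window):
    """DoS countermeasure: once `limit` SYNs reached a host within `window`
    seconds, drop further SYNs to it, good ones included."""
    arrivals = {}                       # dst -> deque of accepted SYN times
    def rule(pkt, now):
        if not (pkt["proto"] == TCP and pkt["syn"] and not pkt["ack"]):
            return None
        times = arrivals.setdefault(pkt["dst"], deque())
        while times and now - times[0] > window:
            times.popleft()             # forget SYNs older than the window
        if len(times) >= limit:
            return "drop:syn-flood"
        times.append(now)
    return rule


def filter_packets(rules, timed_packets):
    """First matching rule decides; no match means forward."""
    verdicts = []
    for now, pkt in timed_packets:
        verdict = None
        for rule in rules:
            verdict = rule(pkt, now)
            if verdict:
                break
        verdicts.append(verdict or "forward")
    return verdicts


def packet(now, direction, proto, src, dst, sport=None, dport=None, syn=False, ack=False):
    return now, {"dir": direction, "proto": proto, "src": src, "dst": dst,
                 "sport": sport, "dport": dport, "syn": syn, "ack": ack}


def demo_firewall():
    """Constructed traffic through a firewall loaded with Examples 1 and 2."""
    rules = [udp_and_telnet_rule, inbound_syn_rule]
    traffic = [
        packet(0, "out", TCP, "237.196.7.14", "198.51.100.9", 40001, 80, syn=True),
        packet(1, "in", TCP, "198.51.100.9", "237.196.7.14", 80, 40001, syn=True, ack=True),
        packet(2, "in", TCP, "203.0.113.5", "237.196.7.14", 50000, 22, syn=True),
        packet(3, "out", TCP, "237.196.7.14", "198.51.100.9", 40002, TELNET, syn=True),
        packet(4, "in", UDP, "198.51.100.9", "237.196.7.14", 53, 40003),
    ]
    return filter_packets(rules, traffic)


def demo_ingress_and_flood():
    """Constructed traffic: one genuine and one forged outgoing SYN, then 20
    SYNs in 0.2 s to host A, a legitimate SYN mid-flood, and one 5 s later."""
    rules = [ingress_rule("237.196.7.0/24"), syn_flood_rule(limit=10, window=1.0)]
    A = "237.196.7.23"
    traffic = [packet(0, "out", TCP, "237.196.7.14", "198.51.100.9", 40001, 80, syn=True),
               packet(0, "out", TCP, "203.0.113.77", "198.51.100.9", 40001, 80, syn=True)]
    traffic += [packet(i * 0.01, "in", TCP, "203.0.113.200", A, 1000 + i, 80, syn=True)
                for i in range(20)]
    traffic += [packet(0.25, "in", TCP, "198.51.100.9", A, 5000, 80, syn=True),
                packet(5.0, "in", TCP, "198.51.100.9", A, 5001, 80, syn=True)]
    return filter_packets(rules, traffic)


if __name__ == "__main__":
    print("firewall:", demo_firewall())
    print("ingress + flood:", demo_ingress_and_flood())
```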
Application gateways
• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session, gateway-to-remote host telnet session; application gateway behind router and filter]
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway.
Limitations of firewalls and gateways
• IP spoofing: router can't know if data "really" comes from claimed source
• if multiple app's need special treatment, each has own app gateway
• client software must know how to contact gateway
  • e.g., must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks
Overview
• What is network security?
• Principles of cryptography
• Authentication
• Access control: firewalls
• Attacks and counter measures
Internet security threats
Mapping:
• before attacking: "case the joint" – find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures
Internet security threats
Mapping: countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)
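The mapping countermeasure above, "record traffic entering network, look for ports being scanned sequentially", as detection logic, added here as an example (not from the slides). It runs over a constructed connection-attempt log (one line per inbound TCP connection attempt: time, source, destination, destination port), flags a source that touches many distinct ports on one host inside a time window, and marks the alert sequential when those ports arrived in increasing order.

```python
"""Added example (not from the slides): sequential port-scan detection over
a constructed connection-attempt log."""
from collections import defaultdict

# constructed log: one source sweeping ports 20-35 of 237.196.7.23 in order,
# a busy but legitimate client, and a source probing many ports out of order
SAMPLE_LOG = "\n".join(
    [f"{0.02 * i:.2f} 203.0.113.5 237.196.7.23 {20 + i}" for i in range(16)]
    + [f"{1.0 + 0.5 * i:.2f} 198.51.100.9 237.196.7.23 {port}"
       for i, port in enumerate([80, 443, 80, 80, 443, 80])]
    + [f"{2.0 + 0.1 * i:.2f} 203.0.113.77 237.196.7.14 {port}"
       for i, port in enumerate([8080, 21, 3306, 445, 22, 25, 110, 143, 993, 53, 23, 135])]
)


def parse_log(text):
    """Return (time, src, dst, port) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port = line.split()
        records.append((float(t), src, dst, int(port)))
    return records


def detect_scans(records, min_ports=10, window=5.0):
    """Group attempts by (src, dst). Within any span of `window` seconds,
    `min_ports` or more distinct ports is a scan; it is sequential when
    every probed port was higher than the one before it in that span."""
    by_pair = defaultdict(list)
    for t, src, dst, port in records:
        by_pair[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), attempts in by_pair.items():
        attempts.sort()                          # time order
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                       # slide the window forward
            run = attempts[start:end + 1]
            ports = [p for _, p in run]
            if len(set(ports)) >= min_ports:
                alerts.append({
                    "src": src, "dst": dst, "ports": len(set(ports)),
                    "sequential": all(a < b for a, b in zip(ports, ports[1:])),
                    "first": run[0][0], "last": run[-1][0],
                })
                break                            # one alert per (src, dst)
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```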
Internet security threats: Packet sniffing
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g., passwords)
• e.g., C sniffs B's packets
[Figure: A, B, C on one LAN; C reads the packet src:B, dest:A, payload]
Countermeasures
Internet security threats: Packet sniffing countermeasures
• all hosts in organization run software that checks periodically if host interface in promiscuous mode
• one host per segment of broadcast media (switched Ethernet at hub)
[Figure: the same A, B, C LAN]
Internet security threats: IP Spoofing
• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g., C pretends to be B
[Figure: A, B, C on one LAN; C sends a packet with src:B, dest:A, payload]
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
RSA: Choosing keys
1. Choose two large prime numbers p, q (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e < n) that has no common factors with z (e, z are "relatively prime")
4. Choose d such that ed - 1 is exactly divisible by z (in other words: ed mod z = 1)
5. Public key is (n, e) = K_B^+; private key is (n, d) = K_B^-
RSA: Encryption, decryption
0. Given (n, e) and (n, d) as computed above
1. To encrypt bit pattern m, compute c = m^e mod n (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern c, compute m = c^d mod n (i.e., remainder when c^d is divided by n)
"Magic happens": m = (m^e mod n)^d mod n, i.e., decrypting c gives back m
RSA example
Bob chooses p=5 q=7 Then n=35 z=24e=5 (so e z relatively prime)d=29 (so ed-1 exactly divisible by z
letter m me c = m mod ne
l 12 1524832 17
c m = c mod nd
17 481968572106750915091411825223071697 12
cdletter
l
encrypt
decrypt
RSA: Why is that m = (m^e mod n)^d mod n?
Useful number theory result: if p, q prime and n = pq, then x^y mod n = x^(y mod (p-1)(q-1)) mod n
(m^e mod n)^d mod n = m^(ed) mod n
  = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
  = m^1 mod n   (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
  = m
RSA: another important property
The following property will be very useful later:
K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
Use public key first, followed by private key, or use private key first, followed by public key: the result is the same.
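The five key-generation steps, the example's encryption of m = 12, and the "order does not matter" property, carried through in code. This is an added example, not lecture code; it assumes Python 3.8+ (for the modular inverse) and uses only the slide's toy parameters.

```python
"""RSA with the lecture's toy parameters (p = 5, q = 7, e = 5, d = 29).

Added example, not from the lecture: key generation, encrypt/decrypt and
the 'order does not matter' property. Toy sizes only; real keys use
~1024-bit primes and a padding scheme, neither of which is shown here.
"""
from math import gcd


def rsa_keygen(p, q, e, d=None):
    """Steps 1-5 of the slide. If d is not given, pick the smallest d with
    ed mod z == 1; if it is given (the slide uses 29), check that it works."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e and z must be relatively prime")
    if d is None:
        d = pow(e, -1, z)            # modular inverse (Python 3.8+)
    elif (e * d - 1) % z != 0:       # step 4: ed - 1 exactly divisible by z
        raise ValueError("d does not satisfy ed mod z == 1")
    return (n, e), (n, d)            # public key K_B^+, private key K_B^-


def rsa_apply(key, x):
    """x^exp mod n. Encryption and decryption are the same operation with
    different keys, which is why K^-(K^+(m)) == K^+(K^-(m)) == m."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("message block must be smaller than n")
    return pow(x, exp, n)


def encrypt_letters(public, text):
    """Code a..z as 1..26 like the slide (l -> 12) and encrypt letter by
    letter. One RSA block per letter is a codebook, shown only to mirror
    the slide; it is not how RSA is used in practice."""
    return [rsa_apply(public, ord(ch) - ord("a") + 1) for ch in text]


def decrypt_letters(private, blocks):
    return "".join(chr(rsa_apply(private, c) + ord("a") - 1) for c in blocks)


def order_independent(public, private, m):
    """The 'another important property' slide: both orders give m back."""
    pub_then_priv = rsa_apply(private, rsa_apply(public, m))
    priv_then_pub = rsa_apply(public, rsa_apply(private, m))
    return pub_then_priv == m and priv_then_pub == m


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 7, 5, d=29)
    print("K+ =", pub, "K- =", priv)                  # (35, 5) (35, 29)
    print("12 ->", rsa_apply(pub, 12))               # 17, as in the slide
    print("17 ->", rsa_apply(priv, 17))              # 12
    print(encrypt_letters(pub, "l"), decrypt_letters(priv, [17]))
    print("smallest d for this e:", rsa_keygen(5, 7, 5)[1])  # (35, 5)
```

Note that 29 is not the only valid d: any d with ed mod 24 = 1 works, and the smallest is 5.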
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice")
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address ("I am Alice", Alice's IP address)
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
("I'm Alice", Alice's IP addr, Alice's password) -> Bob answers (OK, Alice's IP addr)
Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob; Bob again answers OK.
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
("I'm Alice", Alice's IP addr, encrypted password) -> (OK, Alice's IP addr)
Failure scenario: record and playback still works; the encrypted password is replayed unchanged.
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce R; Alice must return R encrypted with shared secret key
"I am Alice" -> R <- K_A-B(R)
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice
Failures, drawbacks?
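The playback attack against ap3.0 and its failure against ap4.0, as an added example that is not lecture code. It assumes HMAC-SHA256 over R as the stand-in for "R encrypted with the shared key K_A-B" (the slides name no cipher; any keyed, unforgeable function serves the argument); the key, password and packets are constructed.

```python
"""ap3.0 versus ap4.0 under a playback (replay) attack.

Added example, not from the lecture. HMAC-SHA256 over the nonce stands in
for 'R encrypted with the shared key K_A-B' (assumption). Key, password
and messages are constructed for the demo.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"K_A-B: constructed demo key"   # ap4.0's shared symmetric key


class Ap30Verifier:
    """ap3.0: Bob accepts any packet carrying the right password, so a
    recorded packet is accepted again when Trudy plays it back."""

    def __init__(self, password):
        self.password = password

    def verify(self, packet):
        return packet["claim"] == "I am Alice" and hmac.compare_digest(
            packet["password"], self.password)


class Ap40Verifier:
    """ap4.0: Bob issues a fresh nonce R and accepts only a keyed response
    to an outstanding R; each R is consumed on use, so replays fail."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()

    def challenge(self):
        r = secrets.token_bytes(16)       # the nonce: used only once
        self.outstanding.add(r)
        return r

    def verify(self, r, response):
        if r not in self.outstanding:     # unknown or already consumed nonce
            return False
        self.outstanding.discard(r)       # consume before checking the tag
        expected = hmac.new(self.key, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def alice_respond(key, r):
    """Alice's side of ap4.0: K_A-B(R), here a keyed MAC of R (assumption)."""
    return hmac.new(key, r, hashlib.sha256).digest()


def run_ap30():
    """Returns (Alice's login accepted, Trudy's replay accepted)."""
    bob = Ap30Verifier(b"alices-password")
    on_wire = {"claim": "I am Alice", "password": b"alices-password"}
    first = bob.verify(on_wire)
    replay = bob.verify(dict(on_wire))    # Trudy recorded it and resends it
    return first, replay


def run_ap40():
    """Returns (Alice accepted, replay of (R, tag) accepted,
    old tag offered for a new nonce accepted)."""
    bob = Ap40Verifier(SHARED_KEY)
    r = bob.challenge()
    tag = alice_respond(SHARED_KEY, r)    # Trudy records (r, tag) off the wire
    first = bob.verify(r, tag)
    replay = bob.verify(r, tag)           # same R again: rejected
    r2 = bob.challenge()
    stale = bob.verify(r2, tag)           # tag was computed for r, not r2
    return first, replay, stale


if __name__ == "__main__":
    print("ap3.0 (login, replay):", run_ap30())         # (True, True)
    print("ap4.0 (login, replay, stale):", run_ap40())  # (True, False, False)
```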
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
"I am Alice" -> Bob sends R -> Alice returns K_A^-(R) -> "send me your public key" -> Alice sends K_A^+
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R
ap5.0 security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
- Alice -> Trudy -> Bob: "I am Alice"
- Bob -> Trudy: R; Trudy -> Bob: K_T^-(R); Bob: "send me your public key"; Trudy -> Bob: K_T^+
- Trudy -> Alice: R; Alice -> Trudy: K_A^-(R); Trudy: "send me your public key"; Alice -> Trudy: K_A^+
- Bob sends K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)), then sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice computes m = K_A^-(K_A^+(m))
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation). Problem is that Trudy receives all messages as well!
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Firewalls
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
(figure: administered network | firewall | public Internet)
Firewalls: Why?
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
Two types of firewalls: application-level, packet-filtering
Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17, and those with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
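The two filtering examples as rules over the header fields the previous slide lists, run against constructed traffic. This is an added example, not lecture code; the Packet type, rule names and addresses (RFC 5737 documentation ranges) are mine.

```python
"""Packet-filtering firewall rules for the two examples on the slide.

Added example, not from the lecture: a stateless filter deciding
forward/drop from protocol, ports, SYN/ACK bits and direction. All packets
below are constructed; addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1   # IP protocol field values


@dataclass
class Packet:
    direction: str       # "in": arriving from the Internet; "out": departing
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int = 0    # 0 for ICMP
    dst_port: int = 0
    syn: bool = False    # TCP flags; ignored for other protocols
    ack: bool = False


def rule_example1(p):
    """Example 1: drop protocol 17 (all UDP) and anything on port 23
    (telnet), in either direction. Note the all-or-nothing effect on UDP:
    a DNS reply is dropped like any other UDP datagram."""
    return p.proto == UDP or 23 in (p.src_port, p.dst_port)


def rule_example2(p):
    """Example 2: drop inbound TCP SYN. SYN with ACK clear is a connection
    request from outside; SYN+ACK answers an inside-initiated connection
    and must pass, or internal clients could not connect out."""
    return p.direction == "in" and p.proto == TCP and p.syn and not p.ack


RULES = [("ex1 udp-or-telnet", rule_example1),
         ("ex2 inbound-syn", rule_example2)]


def filter_packet(p):
    """First matching rule drops; the default action is to forward."""
    for name, rule in RULES:
        if rule(p):
            return "drop", name
    return "forward", None


# Constructed traffic: (label, packet)
SAMPLE = [
    ("outside client opens TCP to inside web server",
     Packet("in", TCP, "203.0.113.9", "198.51.100.5", 40000, 80, syn=True)),
    ("inside client opens TCP to outside web server",
     Packet("out", TCP, "198.51.100.7", "203.0.113.20", 51000, 80, syn=True)),
    ("SYN+ACK back to that inside client",
     Packet("in", TCP, "203.0.113.20", "198.51.100.7", 80, 51000,
            syn=True, ack=True)),
    ("inside host telnets out",
     Packet("out", TCP, "198.51.100.7", "203.0.113.20", 52000, 23, syn=True)),
    ("DNS reply (UDP) to an inside resolver",
     Packet("in", UDP, "203.0.113.53", "198.51.100.2", 53, 33000)),
    ("ICMP echo reply",
     Packet("in", ICMP, "203.0.113.20", "198.51.100.7")),
]


def run_samples():
    return [(label, filter_packet(p)[0]) for label, p in SAMPLE]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{verdict:8} {label}")
```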
Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields
- Example: allow select internal users to telnet outside
(figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter)
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple app's need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP
- tradeoff: degree of communication with outside world, level of security
- many highly protected sites still suffer from attacks
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Internet security threats
Mapping:
- before attacking: "case the joint" - find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
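The countermeasure above, "record traffic entering the network and look for addresses or ports being scanned sequentially", as detection logic over a constructed traffic log. This is an added example, not lecture code; the log format, thresholds and addresses are assumptions.

```python
"""Spotting the 'mapping' activity the slide describes in recorded traffic.

Added example, not from the lecture: parses constructed log lines of the
form '<time> <proto> <src> -> <dst>[:<port>] [flags]' and flags a source
that (a) sends TCP SYNs to a run of sequential ports on one host or
(b) pings many distinct hosts. Thresholds and log format are assumptions.
"""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<t>\d\d:\d\d:\d\d) (?P<proto>TCP|ICMP) (?P<src>\S+) -> "
    r"(?P<dst>[\d.]+)(?::(?P<port>\d+))? ?(?P<flags>\S*)$")

SEQ_PORT_RUN = 4       # flag a run of >= 4 consecutive ports on one host
PING_SWEEP_HOSTS = 5   # flag echo requests to >= 5 distinct hosts


def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue              # ignore lines not in the expected shape
        d = m.groupdict()
        d["port"] = int(d["port"]) if d["port"] else None
        events.append(d)
    return events


def longest_sequential_run(ports):
    """Longest run in arrival order where each port is the previous plus one."""
    best = run = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_mapping(events):
    syn_ports = defaultdict(list)   # (src, dst) -> ports probed, in order
    ping_hosts = defaultdict(set)   # src -> hosts it sent echo requests to
    for e in events:
        if e["proto"] == "TCP" and e["flags"] == "SYN":
            syn_ports[(e["src"], e["dst"])].append(e["port"])
        elif e["proto"] == "ICMP" and e["flags"] == "echo-req":
            ping_hosts[e["src"]].add(e["dst"])
    findings = []
    for (src, dst), ports in syn_ports.items():
        run = longest_sequential_run(ports)
        if run >= SEQ_PORT_RUN:
            findings.append((src, "port-scan", dst, run))
    for src, hosts in ping_hosts.items():
        if len(hosts) >= PING_SWEEP_HOSTS:
            findings.append((src, "ping-sweep", None, len(hosts)))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


# Constructed log: a ping sweep and a port scan from 203.0.113.9,
# ordinary web traffic from 203.0.113.50
SAMPLE_LOG = """
09:00:01 ICMP 203.0.113.9 -> 198.51.100.1 echo-req
09:00:01 ICMP 203.0.113.9 -> 198.51.100.2 echo-req
09:00:01 ICMP 203.0.113.9 -> 198.51.100.3 echo-req
09:00:02 ICMP 203.0.113.9 -> 198.51.100.4 echo-req
09:00:02 ICMP 203.0.113.9 -> 198.51.100.5 echo-req
09:00:05 TCP 203.0.113.9 -> 198.51.100.5:21 SYN
09:00:05 TCP 203.0.113.9 -> 198.51.100.5:22 SYN
09:00:05 TCP 203.0.113.9 -> 198.51.100.5:23 SYN
09:00:06 TCP 203.0.113.9 -> 198.51.100.5:24 SYN
09:00:06 TCP 203.0.113.9 -> 198.51.100.5:25 SYN
09:01:00 TCP 203.0.113.50 -> 198.51.100.5:80 SYN
09:01:03 TCP 203.0.113.50 -> 198.51.100.5:443 SYN
09:01:09 ICMP 203.0.113.50 -> 198.51.100.5 echo-req
"""

if __name__ == "__main__":
    for finding in detect_mapping(parse(SAMPLE_LOG)):
        print(finding)
```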
Internet security threats
Packet sniffing:
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g., C sniffs B's packets
(figure: A, B, C on a shared medium; frame src:B dest:A payload)
Countermeasures?
Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
Internet security threats
IP Spoofing:
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g., C pretends to be B
(figure: C sends a frame with src:B dest:A payload)
Countermeasures?
IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
Internet security threats
Denial of service (DOS):
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
(figure: C and a remote host send streams of SYN packets at A)
Countermeasures?
Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles: Link State Algorithm; Distance Vector Algorithm
- The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA; Random Access Protocols; "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs
Review (3): Network Security
- What is network security?
- Principles of cryptography: Symmetric Key; Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing; IP spoofing; DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
  Initialization:
    N = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞
  Loop
    find w not in N such that D(w) is a minimum
    add w to N
    update D(v) for all v adjacent to w and not in N:
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
  until all nodes in N
Dijkstra's algorithm example
Step | N       | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u       | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux      | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy     | 2,u       | 3,y       |           |           | 4,y
3    | uxyv    |           | 3,y       |           |           | 4,y
4    | uxyvw   |           |           |           |           | 4,y
5    | uxyvwz  |           |           |           |           |
(figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2)
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path - only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor), then update
Why different Intra- and Inter-AS routing? Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
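Both routing algorithms of the review, link state (Dijkstra's pseudocode above) and distance vector (the B-F equation), run on the graph from the Dijkstra example slide. This is an added example, not lecture code; the edge costs are read off that slide's figure and its table is reproduced by the assertions.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) routing on the
graph from the Dijkstra example slide.

Added example, not from the lecture. The edge costs are read off the
slide's figure; the expected results are its table: D(v)=2 via u,
D(w)=3 via y, D(x)=1 via u, D(y)=2 via x, D(z)=4 via y.
"""
INF = float("inf")

# Undirected link costs c(x, v) from the slide's figure
EDGES = [("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2),
         ("v", "w", 3), ("x", "w", 3), ("x", "y", 1), ("w", "y", 1),
         ("w", "z", 5), ("y", "z", 2)]


def build_graph(edges):
    g = {}
    for a, b, c in edges:
        g.setdefault(a, {})[b] = c
        g.setdefault(b, {})[a] = c
    return g


def dijkstra(graph, u):
    """The slide's pseudocode: N grows by the cheapest node not yet in N,
    then D(v) = min(D(v), D(w) + c(w,v)) for neighbours v of that node w.
    Returns D (least costs), p (predecessors) and the order nodes joined N.
    Nodes with equal D (v and y here) may join in either order."""
    D = {v: graph[u].get(v, INF) for v in graph}   # init: cost if adjacent
    D[u] = 0
    p = {v: u for v in graph[u]}
    N = {u}
    order = [u]
    while len(N) < len(graph):
        w = min((v for v in graph if v not in N), key=lambda v: D[v])
        N.add(w)
        order.append(w)
        for v, c in graph[w].items():
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p, order


def distance_vector(graph):
    """Synchronous rounds of D_x(y) <- min_v { c(x,v) + D_v(y) } at every
    node until no vector changes. Returns {x: {y: D_x(y)}} and the number
    of rounds until convergence (at most the number of nodes here)."""
    nodes = sorted(graph)
    D = {x: {y: 0 if x == y else graph[x].get(y, INF) for y in nodes}
         for x in nodes}
    rounds = 0
    while True:
        rounds += 1
        new = {x: {y: 0 if x == y else
                   min(c + D[v][y] for v, c in graph[x].items())
                   for y in nodes} for x in nodes}
        if new == D:             # no DV changed: nobody notifies anybody
            return D, rounds
        D = new


if __name__ == "__main__":
    g = build_graph(EDGES)
    D, p, order = dijkstra(g, "u")
    print("visit order:", "".join(order))
    print({v: (D[v], p.get(v)) for v in sorted(g)})
    dv, rounds = distance_vector(g)
    print("DV at u after", rounds, "rounds:", dv["u"])
```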
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
- Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access: access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.
Human analogy: don't interrupt others!
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.
(figure: spatial layout of nodes) Note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection (figure)
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead; latency; single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message. Concerns: token overhead; latency; single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
(figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88, each with its own MAC address, e.g., 1A-2F-BB-76-09-AD)
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address; Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
(figure: A - R - B)
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame; R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load: heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3} …
- after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
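The backoff numbers from the two preceding slides (window after the m-th collision, the K = 1023 worst case at 10 Mbps) and the efficiency formula, as an added example that is not lecture code. The 1500-byte frame and 12.5 microsecond propagation delay used in main() are constructed.

```python
"""Ethernet CSMA/CD numbers from the slides: exponential backoff windows,
the wait in real time, and the efficiency approximation.

Added example, not from the lecture. The 10 Mbps bit time and the 512-bit
slot are the slides' figures; the frame size and propagation delay used
below are constructed.
"""
import random

BIT_TIME_10MBPS = 0.1e-6   # seconds per bit at 10 Mbps
SLOT_BITS = 512            # backoff unit: K * 512 bit times
MAX_EXPONENT = 10          # window stops growing after the 10th collision


def backoff_window(m):
    """After the m-th collision K is drawn from {0, 1, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_EXPONENT)


def draw_backoff(m, rng=random):
    """Step 5 of the slide's algorithm: returns K and the wait in bit times."""
    K = rng.randrange(backoff_window(m))
    return K, K * SLOT_BITS


def wait_seconds(K, bit_time=BIT_TIME_10MBPS):
    return K * SLOT_BITS * bit_time


def mean_wait_bit_times(m):
    """Expected wait after the m-th collision: E[K] = (2^min(m,10) - 1) / 2 slots,
    which is how the wait grows with load."""
    return (backoff_window(m) - 1) / 2 * SLOT_BITS


def csma_cd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans): tends to 1 as t_prop -> 0
    or t_trans -> infinity."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        print(f"collision {m:2}: K in [0, {backoff_window(m) - 1}], "
              f"mean wait {mean_wait_bit_times(m):.0f} bit times")
    print(f"worst case K=1023 at 10 Mbps: {wait_seconds(1023) * 1e3:.1f} ms")
    # constructed: 1500-byte frame at 10 Mbps, 12.5 microsecond propagation
    t_trans = 1500 * 8 * BIT_TIME_10MBPS
    print("efficiency:", round(csma_cd_efficiency(12.5e-6, t_trans), 3))
```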
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
(figure: twisted pair links into a hub)
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
(figure: backbone hub connecting three hubs)
Switch
Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent: hosts are unaware of presence of switches
Plug-and-play, self-learning: switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
(figure: switch with interfaces 1, 2, 3, each connected to a hub)
Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
(figure: switch with three hubs, each hub's segment a separate collision domain)
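Self learning and traffic isolation together: a switch that learns the sender's interface, filters frames whose destination sits on the incoming segment, floods unknown destinations, and drops entries after the 60-minute TTL. This is an added example, not lecture code; interface numbers, MAC addresses and the frame sequence are constructed.

```python
"""A self-learning switch: learn the sender's interface, filter or forward
by destination, expire stale entries.

Added example, not from the lecture. Interfaces, MAC addresses and the
frame sequence are constructed; the 60-minute TTL is the slide's.
"""

TTL_SECONDS = 60 * 60   # entries older than this are dropped
FLOOD = "flood"


class Switch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}   # MAC address -> (interface, time stamp)

    def _expire(self, now):
        self.table = {mac: (iface, ts) for mac, (iface, ts) in self.table.items()
                      if now - ts < TTL_SECONDS}

    def receive(self, src, dst, in_iface, now):
        """Returns the interfaces the frame goes out on and the decision:
        'forward', 'filter' (destination on the incoming segment) or 'flood'."""
        self._expire(now)
        self.table[src] = (in_iface, now)      # learn: sender is reachable here
        entry = self.table.get(dst)
        if entry is None:                      # unknown destination: flood
            return [i for i in self.interfaces if i != in_iface], FLOOD
        out_iface, _ = entry
        if out_iface == in_iface:              # same LAN segment: not forwarded
            return [], "filter"
        return [out_iface], "forward"


def trace(switch, frames):
    """Feed (src, dst, in_iface, time) frames through and collect decisions."""
    return [(src, dst, *switch.receive(src, dst, iface, t))
            for src, dst, iface, t in frames]


# Constructed MACs: A and B hang off interface 1, C off 2, D off 3
A, B, C, D = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
              "00:00:00:00:00:0c", "00:00:00:00:00:0d")
FRAMES = [
    (A, C, 1, 0),       # C unknown: flood to 2 and 3; A learned on 1
    (C, A, 2, 1),       # A known on 1: forward to 1 only; C learned on 2
    (B, A, 1, 2),       # A and B on the same segment: filtered
    (A, B, 1, 3),       # B learned at t=2, same segment: filtered
    (D, A, 3, 3700),    # more than 60 min later: all entries expired, flood
]

if __name__ == "__main__":
    for row in trace(Switch([1, 2, 3]), FRAMES):
        print(row)
```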
Switches vs Routers
- both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other, means A, C unaware of their interference at B
(figure: A, B, C in a line; A's and C's signal strength plotted over space)
Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b:
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code
- widely deployed, using base stations
802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
- ad hoc mode: hosts only
(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
(figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)
Collision Avoidance: RTS-CTS exchange
(figure: A and B both send RTS to the AP and the RTS(A), RTS(B) reservation collides; A's RTS(A) is retried, the AP answers CTS(A) to both, B defers, A sends DATA(A), the AP returns ACK(A))
802.11 frame (figure):
field: frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC
bytes:       2       |    2     |     6     |     6     |     6     |      2      |     6     | 0-2312  |  4
802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
(figure: H1 - AP - R1 - Internet)
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
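Packing and parsing a data frame with the field sizes from the frame-format figure, and filling the three addresses for the H1 -> AP -> R1 picture above. This is an added example, not lecture code; the MAC addresses, frame-control and sequence values are constructed, and the FCS is computed as zlib's CRC-32 (an assumption standing in for the standard's exact conventions; it serves the self-check only).

```python
"""Pack and parse an 802.11 data-frame header with the field sizes from the
slide (2, 2, 6, 6, 6, 2, 6, payload 0-2312, 4) and check the CRC.

Added example, not from the lecture. Control values and MAC addresses are
constructed; the FCS is zlib's CRC-32 (assumption, for the self-check only).
"""
import struct
import zlib

HEADER = struct.Struct("<HH6s6s6sH6s")   # control fields are little-endian
MAX_PAYLOAD = 2312


def mac_bytes(text):
    return bytes(int(b, 16) for b in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(addr1, addr2, addr3, payload, addr4="00:00:00:00:00:00",
                frame_control=0x0008, duration=0, seq_control=0):
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = HEADER.pack(frame_control, duration, mac_bytes(addr1),
                       mac_bytes(addr2), mac_bytes(addr3), seq_control,
                       mac_bytes(addr4)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Returns the header fields by name, the payload and whether the CRC matched."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    fc, dur, a1, a2, a3, seq, a4 = HEADER.unpack_from(body)
    return {
        "frame_control": fc, "duration": dur, "seq_control": seq,
        "address1_receiver": mac_text(a1),      # host or AP receiving this frame
        "address2_transmitter": mac_text(a2),   # host or AP transmitting it
        "address3_router_if": mac_text(a3),     # router interface behind the AP
        "address4": mac_text(a4),               # used only in ad hoc mode
        "payload": body[HEADER.size:],
        "crc_ok": zlib.crc32(body) == fcs,
    }


# Constructed addresses for the slide's H1 -> AP -> R1 picture
H1, AP, R1 = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:f1"


def frame_from_h1(payload=b"IP datagram bytes"):
    """H1 sends towards the Internet: addr1 = AP (receiver), addr2 = H1
    (transmitter), addr3 = R1 (router interface the AP is attached to)."""
    return build_frame(AP, H1, R1, payload)


if __name__ == "__main__":
    f = frame_from_h1()
    print(len(f), "bytes;", parse_frame(f))
    corrupted = f[:40] + bytes([f[40] ^ 0xFF]) + f[41:]   # flip a payload byte
    print("corrupted crc_ok:", parse_frame(corrupted)["crc_ok"])
```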
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern m, compute
     c = m^e mod n   (i.e. remainder when m^e is divided by n)
2. To decrypt received bit pattern c, compute
     m = c^d mod n   (i.e. remainder when c^d is divided by n)
   so that
     m = (m^e mod n)^d mod n   ("magic happens!")
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
  e=5 (so e, z relatively prime)
  d=29 (so ed-1 exactly divisible by z)
encrypt:  letter  m    m^e       c = m^e mod n
          l       12   248832    17
decrypt:  c    c^d                                     m = c^d mod n   letter
          17   481968572106750915091411825223071697    12              l
RSA: Why is that m = (m^e mod n)^d mod n ?
Useful number theory result: if p, q prime and n = pq, then
  x^y mod n = x^(y mod (p-1)(q-1)) mod n
(m^e mod n)^d mod n = m^(ed) mod n
                    = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
                    = m^1 mod n   (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
                    = m
RSA: another important property
The following property will be very useful later:
  K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
  (use public key first, followed by private key)   (use private key first, followed by public key)
Result is the same!
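The toy keypair from the RSA slides (p=5, q=7, e=5, d=29), worked end to end, as an added example that is not part of the lecture. It also checks the exponent-reduction result used in the "Why is that" derivation and the order-independence property just stated. The slide's d=29 is one valid choice; the function also computes the smallest inverse when d is not given.

```python
"""Added example (not from the slides): the lecture's RSA toy keypair
p=5, q=7, e=5, d=29 run end to end with Python integers."""
from math import gcd


def rsa_keygen(p, q, e, d=None):
    """Return ((n, e), (n, d)). z = (p-1)(q-1); d must satisfy e*d mod z == 1.
    If d is not supplied, the smallest such d is computed (pow(e, -1, z),
    Python 3.8+); the slide's d=29 is also valid since 29 = 5 mod 24."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e and z must be relatively prime")
    if d is None:
        d = pow(e, -1, z)
    elif (e * d - 1) % z != 0:
        raise ValueError("e*d - 1 must be exactly divisible by z")
    return (n, e), (n, d)


def encrypt(m, pub):
    """c = m^e mod n. m must be below n, otherwise decryption cannot recover it."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(c, priv):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def exponent_reduction_holds(x, y, p, q):
    """The 'useful number theory result': x^y mod n == x^(y mod (p-1)(q-1)) mod n."""
    n = p * q
    z = (p - 1) * (q - 1)
    return pow(x, y, n) == pow(x, y % z, n)


def roundtrip_both_orders(m, pub, priv):
    """The 'other important property': K-(K+(m)) and K+(K-(m)) both give m."""
    pub_then_priv = decrypt(encrypt(m, pub), priv)
    priv_then_pub = pow(pow(m, priv[1], priv[0]), pub[1], pub[0])
    return pub_then_priv, priv_then_pub


if __name__ == "__main__":
    pub, priv = rsa_keygen(5, 7, 5, d=29)
    c = encrypt(12, pub)                 # letter 'l' encoded as 12
    print(pub, priv, c, decrypt(c, priv))
    print(roundtrip_both_orders(12, pub, priv))
```

The numbers are far too small to be secure; the point of the block is that the three slides (keys, encrypt/decrypt, exponent reduction) are a single computation that can be checked directly.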
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice")
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address (Alice's IP address, "I am Alice")
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
  Alice -> Bob: Alice's IP addr, Alice's password, "I'm Alice"
  Bob -> Alice: Alice's IP addr, OK
Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob:
  Trudy -> Bob: Alice's IP addr, Alice's password, "I'm Alice"
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
  Alice -> Bob: Alice's IP addr, encrypted password, "I'm Alice"
  Bob -> Alice: Alice's IP addr, OK
Failure scenario: record and playback still works
  Trudy -> Bob: Alice's IP addr, encrypted password, "I'm Alice"
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_A-B(R)
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
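An ap4.0-style challenge-response, as an added example that is not part of the lecture. The slides say Alice returns R "encrypted with the shared secret key"; here a keyed MAC (HMAC-SHA256) stands in for that keyed transform, which is what a modern implementation would use to prove knowledge of a shared key. Bob issues a fresh R per session and refuses to accept any R twice, so a recorded reply cannot be played back. The shared key and the party names are constructed.

```python
"""Added example (not from the slides): nonce challenge-response in the
style of ap4.0, with a keyed MAC standing in for 'R encrypted with the
shared key'. Key material below is constructed for the example."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key-shared-by-alice-and-bob"


def prove(key, nonce):
    """Alice's reply: a keyed transform of R (K_A-B(R) on the slides)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Verifier:
    """Bob's side: issues fresh nonces and checks a reply only against a
    nonce it actually issued and has not yet consumed."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()   # issued, not yet answered

    def challenge(self):
        r = secrets.token_bytes(16)
        self.outstanding.add(r)
        return r

    def verify(self, nonce, reply):
        if nonce not in self.outstanding:
            return False           # unknown, stale or already-used R
        self.outstanding.discard(nonce)   # a nonce is used only once
        expected = prove(self.key, nonce)
        return hmac.compare_digest(expected, reply)


def genuine_session_succeeds():
    bob = Verifier(SHARED_KEY)
    r = bob.challenge()
    return bob.verify(r, prove(SHARED_KEY, r))


def wrong_key_is_rejected():
    """Someone without K_A-B cannot answer a fresh R."""
    bob = Verifier(SHARED_KEY)
    r = bob.challenge()
    return not bob.verify(r, prove(b"not-the-shared-key", r))


def replay_is_rejected():
    """A recorded (R1, reply1) pair played back later fails twice over:
    reply1 was computed over R1, not the new R2, and R1 is already consumed."""
    bob = Verifier(SHARED_KEY)
    r1 = bob.challenge()
    reply1 = prove(SHARED_KEY, r1)
    if not bob.verify(r1, reply1):
        raise AssertionError("the genuine reply must verify")
    r2 = bob.challenge()
    against_new_nonce = bob.verify(r2, reply1)
    against_old_nonce = bob.verify(r1, reply1)
    return not against_new_nonce and not against_old_nonce
```

The design choice worth noting is that the verifier tracks which nonces are outstanding: random R alone makes a replay fail against the new challenge, and the bookkeeping additionally closes the window in which the same R could be answered twice.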
Authentication: ap5.0
ap4.0 requires shared symmetric key. Can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
  Alice -> Bob: "I am Alice"
  Bob -> Alice: R
  Alice -> Bob: K_A^-(R)
  Bob -> Alice: "send me your public key"
  Alice -> Bob: K_A^+
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Between Trudy and Bob:
  Trudy (as Alice) -> Bob: "I am Alice"
  Bob -> Trudy: R
  Trudy -> Bob: K_T^-(R)
  Bob -> Trudy: "Send me your public key"
  Trudy -> Bob: K_T^+
Between Trudy and Alice:
  Trudy (as Bob) -> Alice: "I am Alice"
  Alice -> Trudy: R
  Alice -> Trudy: K_A^-(R)
  Trudy -> Alice: "Send me your public key"
  Alice -> Trudy: K_A^+
Then:
  Bob -> Trudy: K_T^+(m)
  Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key: K_A^+(m)
  Alice computes m = K_A^-(K_A^+(m))
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g. so Bob, Alice can meet one week later and recall conversation). Problem is that Trudy receives all messages as well!
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
Firewalls
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
[Figure: administered network | firewall | public Internet]
Firewalls: Why?
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
- two types of firewalls: application-level, packet-filtering
Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on:
  - source IP address, destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
[Figure: Should arriving packet be allowed in? Departing packet let out?]
Packet Filtering
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
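A stateless packet filter that applies the two examples above to constructed packets, as an added example that is not part of the lecture. The slide's Example 1 is modelled as two independent rules (drop protocol 17, i.e. UDP; drop anything with source or destination port 23), which is what gives the stated effect of blocking all UDP flows and all telnet connections. Example 2 matches on the SYN and ACK bits the previous slide lists, so that a SYN+ACK reply to a connection opened from inside is still let in. All addresses and ports are constructed.

```python
"""Added example (not from the slides): a packet filter evaluating the two
rule sets from the Packet Filtering slides over constructed packets."""
from dataclasses import dataclass
from typing import Optional

PROTO_TCP = 6
PROTO_UDP = 17


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                  # IP protocol field
    src_port: Optional[int]     # None for ICMP
    dst_port: Optional[int]
    syn: bool = False           # TCP flags (ignored for other protocols)
    ack: bool = False
    inbound: bool = True        # True = arriving from the public Internet


def rule_block_udp(p):
    """Example 1, first half: IP protocol field = 17."""
    return p.proto == PROTO_UDP


def rule_block_telnet(p):
    """Example 1, second half: either source or dest port = 23."""
    return 23 in (p.src_port, p.dst_port)


def rule_block_inbound_syn(p):
    """Example 2: inbound TCP segments with SYN set and ACK clear are new
    connection attempts from outside and are dropped."""
    return p.inbound and p.proto == PROTO_TCP and p.syn and not p.ack


RULES = [rule_block_udp, rule_block_telnet, rule_block_inbound_syn]


def decide(p, rules=RULES):
    """'drop' if any rule matches, else 'forward' (default-allow, as the
    slide's examples imply)."""
    return "drop" if any(rule(p) for rule in rules) else "forward"


# Constructed sample traffic, named by what it represents
SAMPLES = {
    "dns query out": Packet("10.0.0.5", "8.8.8.8", PROTO_UDP, 5353, 53, inbound=False),
    "telnet in": Packet("203.0.113.9", "10.0.0.5", PROTO_TCP, 40000, 23, syn=True),
    "telnet out": Packet("10.0.0.5", "203.0.113.9", PROTO_TCP, 40001, 23, syn=True, inbound=False),
    "http syn in": Packet("203.0.113.9", "10.0.0.8", PROTO_TCP, 40002, 80, syn=True),
    "http syn out": Packet("10.0.0.8", "93.184.216.34", PROTO_TCP, 40003, 80, syn=True, inbound=False),
    "http syn-ack in": Packet("93.184.216.34", "10.0.0.8", PROTO_TCP, 80, 40003, syn=True, ack=True),
    "http data in": Packet("93.184.216.34", "10.0.0.8", PROTO_TCP, 80, 40003, ack=True),
}


def decisions():
    """Verdict for every sample packet."""
    return {name: decide(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:16s} {verdict}")
```

Note what the SYN rule cannot do: it keys on flag bits alone, so it has no notion of which connection a segment belongs to. That is exactly the gap that the "limitations" slide below points at and that stateful filters and application gateways fill.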
Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside
  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
  3. Router filter blocks all telnet connections not originating from gateway.
[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]
Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple app's need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP
- tradeoff: degree of communication with outside world, level of security
- many highly protected sites still suffer from attacks
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
Internet security threats
Mapping:
- before attacking: "case the joint", find out what services are implemented on network
- use ping to determine what hosts have addresses on network
- port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats: Packet sniffing
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets
[Figure: hosts A, B, C on one shared segment; the frame src:B dest:A payload is visible to C]
Countermeasures?
Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
[Figure: hosts A, B, C each on their own segment; frame src:B dest:A payload]
Internet security threats: IP Spoofing
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
[Figure: hosts A, B, C; C sends frame src:B dest:A payload]
Countermeasures?
IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
[Figure: hosts A, B, C; frame src:B dest:A payload]
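Source-address validation at a border router, as an added example that is not part of the lecture. It implements the slide's rule (drop outgoing datagrams whose source is not in the router's own network) and extends it to the inbound direction, where a datagram arriving from outside that claims an inside source address is equally spoofed. The prefixes and sample datagrams are constructed; the standard-library ipaddress module does the prefix matching.

```python
"""Added example (not from the slides): ingress/egress source-address
filtering with the ipaddress module. Prefixes and datagrams are constructed."""
import ipaddress

# Prefixes the router knows are assigned to its own (inside) network
INSIDE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def source_is_valid(src_ip, outgoing):
    """Outgoing datagrams must carry an inside source address; incoming
    datagrams must not claim one."""
    src = ipaddress.ip_address(src_ip)
    inside = any(src in net for net in INSIDE_PREFIXES)
    return inside if outgoing else not inside


def filter_datagrams(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, outgoing).
    Returns a list of (src_ip, dst_ip, verdict)."""
    out = []
    for src, dst, outgoing in datagrams:
        verdict = "forward" if source_is_valid(src, outgoing) else "drop"
        out.append((src, dst, verdict))
    return out


# Constructed sample: (source, destination, leaving the network?)
SAMPLE = [
    ("192.0.2.17", "203.0.113.5", True),     # genuine inside host going out
    ("203.0.113.77", "203.0.113.5", True),   # spoofed: src not in our network
    ("203.0.113.5", "192.0.2.17", False),    # genuine reply coming in
    ("192.0.2.99", "192.0.2.17", False),     # spoofed: outside packet claims inside src
]

if __name__ == "__main__":
    for src, dst, verdict in filter_datagrams(SAMPLE):
        print(f"{src:>14} -> {dst:<14} {verdict}")
```

The check is cheap because the router already knows its own prefixes; the slide's caveat stands, since a network that does not deploy it can still emit spoofed sources toward everyone else.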
Internet security threats: Denial of service (DoS)
- flood of maliciously generated packets "swamp" receiver
- Distributed DoS (DDoS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
[Figure: hosts A, B, C; many SYN segments directed at A]
Countermeasures?
Denial of service (DoS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
[Figure: hosts A, B, C; SYN flood toward A]
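The two countermeasures that start from recorded traffic, "look for ports being scanned sequentially" (mapping) and "filter out flooded SYNs" (DoS), both reduce to the same analysis of a connection record. The block below, an added example that is not part of the lecture, parses a constructed record of traffic entering the network and flags a source probing consecutive ports on one host and a destination accumulating half-open connections. The record format and the thresholds are constructed for the example.

```python
"""Added example (not from the slides): detection logic for sequential
port scans and SYN floods over a constructed traffic record."""
from collections import defaultdict

# Constructed record of traffic entering the network:
# "src dst proto dport flags"  (flags: S = SYN, A = ACK)
TRAFFIC_LOG = """
203.0.113.9 192.0.2.10 tcp 21 S
203.0.113.9 192.0.2.10 tcp 22 S
203.0.113.9 192.0.2.10 tcp 23 S
203.0.113.9 192.0.2.10 tcp 24 S
203.0.113.9 192.0.2.10 tcp 25 S
203.0.113.9 192.0.2.10 tcp 26 S
198.51.100.4 192.0.2.10 tcp 80 S
198.51.100.4 192.0.2.10 tcp 80 A
198.51.100.5 192.0.2.20 tcp 80 S
198.51.100.6 192.0.2.20 tcp 80 S
198.51.100.7 192.0.2.20 tcp 80 S
198.51.100.8 192.0.2.20 tcp 80 S
198.51.100.9 192.0.2.20 tcp 80 S
198.51.100.10 192.0.2.20 tcp 80 S
""".strip().splitlines()


def parse(lines):
    for line in lines:
        src, dst, proto, dport, flags = line.split()
        yield src, dst, proto, int(dport), flags


def longest_consecutive_run(ports):
    """Length of the longest run of consecutive port numbers."""
    best = run = 0
    prev = None
    for p in sorted(ports):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best


def sequential_scans(lines, min_run=5):
    """(src, dst, run length) for sources whose connection attempts hit
    at least min_run consecutive ports on one destination."""
    ports = defaultdict(set)
    for src, dst, proto, dport, flags in parse(lines):
        if proto == "tcp" and "S" in flags and "A" not in flags:
            ports[(src, dst)].add(dport)
    return [(src, dst, run) for (src, dst), ps in ports.items()
            if (run := longest_consecutive_run(ps)) >= min_run]


def syn_flood_targets(lines, max_half_open=5):
    """(dst, count) for destinations with more than max_half_open sources
    whose SYN was never followed by an ACK from that source."""
    syn_sources = defaultdict(set)
    acked = defaultdict(set)
    for src, dst, proto, dport, flags in parse(lines):
        if proto != "tcp":
            continue
        if "S" in flags and "A" not in flags:
            syn_sources[dst].add(src)
        elif "A" in flags:
            acked[dst].add(src)
    result = []
    for dst, srcs in syn_sources.items():
        half_open = len(srcs - acked[dst])
        if half_open > max_half_open:
            result.append((dst, half_open))
    return result


if __name__ == "__main__":
    print("scans:", sequential_scans(TRAFFIC_LOG))
    print("SYN flood targets:", syn_flood_targets(TRAFFIC_LOG))
```

Both detectors only see what the network records, which is the slide's point: the countermeasure starts with keeping the record. The SYN-flood count illustrates the "throw out good with bad" trade-off, since a filter triggered by the count cannot tell the flooding sources from a legitimate burst of new clients.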
Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  - Link State Algorithm
  - Distance Vector Algorithm
- The Internet (IP) Protocol
  - IPv4 addressing
  - Datagram format
  - IP fragmentation
  - ICMP: Internet Control Message Protocol
  - IPv6
  - NAT: Network Address Translation
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  - TDMA/FDMA
  - Random Access Protocols
  - "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
  Initialization:
    N = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = infinity

  Loop
    find w not in N such that D(w) is a minimum
    add w to N
    update D(v) for all v adjacent to w and not in N:
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N
Dijkstra's algorithm: example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        inf        inf
1     ux       2,u        4,x                   2,x        inf
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
[Figure: six-node graph u, v, w, x, y, z. Link costs, as recoverable from the table: c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
    D_x(y) <- min_v { c(x,v) + D_v(y) }   for each node y in N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
- Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
- Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
- The algorithm doesn't know the entire path, only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor), then update
Why different Intra- and Inter-AS routing? (fragment)
- ... update traffic
- Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance
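The link-state and distance-vector slides above describe two algorithms that must arrive at the same least costs. The block below, an added example that is not part of the lecture, runs both on the lecture's six-node graph: Dijkstra from u, reproducing the D(v),p(v) table, and a synchronous Bellman-Ford iteration in which every node repeatedly applies D_x(y) = min_v { c(x,v) + D_v(y) } until no vector changes. It also shows the point of the last bullet, that a DV node knows only its next hop. The link costs are the ones recoverable from the worked table; the synchronous round structure is a simplification of the asynchronous protocol.

```python
"""Added example (not from the slides): Dijkstra and distance-vector
(Bellman-Ford) routing on the lecture's example graph."""
import heapq

# Link costs recoverable from the slide's worked table
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph, src):
    """Returns (D, p): least cost and predecessor for every node. N is
    grown one minimum-D node at a time, as in the slide's loop."""
    D = {n: float("inf") for n in graph}
    p = {n: None for n in graph}
    D[src] = 0
    N = set()
    heap = [(0, src)]
    while heap:
        d, w = heapq.heappop(heap)
        if w in N:
            continue
        N.add(w)
        for v, c in graph[w].items():
            if v not in N and d + c < D[v]:
                D[v] = d + c
                p[v] = w
                heapq.heappush(heap, (D[v], v))
    return D, p


def distance_vector(graph, max_rounds=100):
    """Synchronous DV: in each round every node recomputes its vector from
    the vectors its neighbours sent in the previous round. Returns
    (D, rounds) where D[x][y] is x's estimate of the cost to y."""
    nodes = list(graph)
    D = {x: {y: (0 if x == y else graph[x].get(y, float("inf"))) for y in nodes}
         for x in nodes}
    for rounds in range(1, max_rounds + 1):
        new = {}
        for x in nodes:
            new[x] = {y: (0 if y == x else
                          min(graph[x][v] + D[v][y] for v in graph[x]))
                      for y in nodes}
        changed = new != D
        D = new
        if not changed:
            return D, rounds
    raise RuntimeError("did not converge")


def next_hop(graph, x, y):
    """A DV node only knows the next hop: the neighbour v that attains
    min_v { c(x,v) + D_v(y) } once the estimates have converged."""
    D, _ = distance_vector(graph)
    return min(graph[x], key=lambda v: graph[x][v] + D[v][y])


if __name__ == "__main__":
    D, p = dijkstra(GRAPH, "u")
    print({n: (D[n], p[n]) for n in GRAPH})
    dv, rounds = distance_vector(GRAPH)
    print(dv["u"], "after", rounds, "rounds; next hop u->z:", next_hop(GRAPH, "u", "z"))
```

Dijkstra needs the whole topology (global information); the DV loop touches only each node's own neighbours (decentralized information), which is the distinction the classification slide draws.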
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.
Link Layer Services
- Framing, link access:
  - encapsulate datagram into frame, adding header, trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
- Reliable delivery between adjacent nodes:
  - we learned how to do this already (chapter 3)!
  - seldom used on low bit error link (fiber, some twisted pair)
  - wireless links: high error rates
  - Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, stations 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
- Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
At best: channel used for useful transmissions 37% of time!
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability
[Figure: spatial layout of nodes against time, showing two transmissions overlapping]
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: space-time diagram of two colliding transmissions being detected and aborted]
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
    < IP address; MAC address; TTL >
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table.
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: A - R - B]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[Figure: A - R - B]
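The ARP slides above describe a cache with soft state and a two-LAN walkthrough in which each hop resolves its next-hop MAC through its own ARP table. The block below, an added example that is not part of the lecture, models both: an ARP table whose entries expire after the TTL, and the A -> R -> B send in which the IP datagram keeps A and B as source and destination while the link-layer addresses change at R. R's address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's; every other address is constructed, and a dict stands in for the hosts that hear an ARP broadcast.

```python
"""Added example (not from the slides): an ARP table with TTL and the
A -> R -> B walkthrough. Addresses other than R's are constructed."""
import time

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60          # seconds; slide: typically 20 min


class ArpTable:
    def __init__(self, clock=time.time, ttl=ARP_TTL):
        self.clock, self.ttl = clock, ttl
        self.entries = {}          # ip -> (mac, expires_at)
        self.queries_sent = []     # (target ip, dest mac) of each ARP query

    def lookup(self, ip):
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if self.clock() >= expires_at:
            del self.entries[ip]   # soft state: forgotten unless refreshed
            return None
        return mac

    def resolve(self, ip, lan):
        """Cached MAC if still fresh; otherwise broadcast an ARP query on
        the LAN (a dict ip -> mac standing in for the hosts that hear it)
        and cache the unicast reply."""
        mac = self.lookup(ip)
        if mac is None:
            self.queries_sent.append((ip, BROADCAST))
            mac = lan[ip]
            self.entries[ip] = (mac, self.clock() + self.ttl)
        return mac


class Host:
    def __init__(self, ip, mac, gateway, clock):
        self.ip, self.mac, self.gateway = ip, mac, gateway
        self.arp = ArpTable(clock)


class Router:
    """Two interfaces, one ARP table per attached LAN."""
    def __init__(self, ip1, mac1, ip2, mac2, clock):
        self.ip1, self.mac1, self.ip2, self.mac2 = ip1, mac1, ip2, mac2
        self.arp = {1: ArpTable(clock), 2: ArpTable(clock)}


def send_via_router(a, r, b, lan1, lan2):
    """Frames are (dest MAC, source MAC, datagram). The datagram keeps A and
    B as IP source/destination on both links; only the MACs change at R."""
    datagram = (a.ip, b.ip, "payload")
    frame1 = (a.arp.resolve(a.gateway, lan1), a.mac, datagram)   # A -> R on LAN 1
    frame2 = (r.arp[2].resolve(b.ip, lan2), r.mac2, datagram)    # R -> B on LAN 2
    return frame1, frame2


def walkthrough():
    """Returns both frames plus the cumulative ARP query count after a first
    send, a second send (cache hits) and a third send after the TTL."""
    clock = [0.0]

    def now():
        return clock[0]

    a = Host("111.111.111.111", "74-29-9C-E8-FF-55", "111.111.111.110", now)
    r = Router("111.111.111.110", "E6-E9-00-17-BB-4B",
               "222.222.222.220", "1A-23-F9-CD-06-9B", now)
    b = Host("222.222.222.222", "49-BD-D2-C7-56-2A", "222.222.222.220", now)
    lan1 = {a.ip: a.mac, r.ip1: r.mac1}
    lan2 = {b.ip: b.mac, r.ip2: r.mac2}

    def queries():
        return len(a.arp.queries_sent) + len(r.arp[2].queries_sent)

    f1, f2 = send_via_router(a, r, b, lan1, lan2)
    first = queries()
    send_via_router(a, r, b, lan1, lan2)
    cached = queries()
    clock[0] += ARP_TTL + 1
    send_via_router(a, r, b, lan1, lan2)
    expired = queries()
    return f1, f2, first, cached, expired


if __name__ == "__main__":
    print(walkthrough())
```

The dict standing in for the LAN answers every query honestly; the "plug-and-play" design means nothing in the protocol itself checks who replied, which is why the firewall limitations slide lists spoofing at the link layer among the things a filter cannot see.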
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load (heavy load: random wait will be longer)
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3} ...
- after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
- t_prop = max prop between 2 nodes in LAN
- t_trans = time to transmit max-size frame
    efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
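The figures quoted in the slotted ALOHA efficiency slide, the exponential backoff slide and the CSMA/CD efficiency slide above are all short computations; the block below, an added example that is not part of the lecture, carries them out. It goes one step beyond the ALOHA slide by giving the maximiser p* = 1/N explicitly (the derivative of Np(1-p)^(N-1) vanishes there) and confirming it by a grid search, and it checks the backoff wait for K=1023 against the slide's "about 50 msec".

```python
"""Added example (not from the slides): the efficiency and backoff
numbers from the MAC slides, computed rather than quoted."""
import math


def aloha_success_prob(N, p):
    """Probability that exactly one of N nodes transmits in a slot: N p (1-p)^(N-1)."""
    return N * p * (1 - p) ** (N - 1)


def aloha_best_p(N, steps=10000):
    """Grid search over p in (0, 1); confirms the analytic maximiser 1/N."""
    return max((i / steps for i in range(1, steps)),
               key=lambda p: aloha_success_prob(N, p))


def aloha_max_efficiency(N):
    """Efficiency at p* = 1/N."""
    return aloha_success_prob(N, 1.0 / N)


def aloha_limit():
    """lim N -> infinity of N p* (1-p*)^(N-1) = 1/e, about .37."""
    return 1 / math.e


def ethernet_backoff_range(m):
    """After the m-th collision, K is drawn from {0, ..., 2^min(m,10) - 1}."""
    return 2 ** min(m, 10) - 1


def backoff_wait_seconds(K, bit_rate_bps=10_000_000, slot_bits=512):
    """Wait K * 512 bit times; one bit time is 1 / bit_rate seconds."""
    return K * slot_bits / bit_rate_bps


def csmacd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1 / (1 + 5 * t_prop / t_trans)


if __name__ == "__main__":
    for N in (2, 10, 100, 1000):
        print(N, aloha_best_p(N), aloha_max_efficiency(N))
    print("limit", aloha_limit())
    print("K=1023 wait:", backoff_wait_seconds(1023), "s")
    print("CSMA/CD, t_prop = t_trans/50:", csmacd_efficiency(1, 50))
```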
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
[Figure: hub with twisted pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub connecting three departmental hubs]
Switch
Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent:
- hosts are unaware of presence of switches
Plug-and-play, self-learning:
- switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains
[Figure: switch connecting three hubs; each hub is its own collision domain]
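The Forwarding, Self learning and traffic isolation slides above describe one mechanism: a switch table of (MAC address, interface, time stamp) entries that is filled by observing senders and consulted to forward, flood or filter. The block below, an added example that is not part of the lecture, implements that table with the slide's TTL and runs a short scenario showing flooding for an unknown destination, filtering of a same-segment frame, and re-flooding after an entry has gone stale. MAC names and the interface layout are constructed.

```python
"""Added example (not from the slides): a self-learning switch with a
(MAC, interface, timestamp) table. MACs and layout are constructed."""

TABLE_TTL = 60 * 60   # seconds; slide: TTL can be 60 min


class Switch:
    def __init__(self, interfaces, ttl=TABLE_TTL):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}           # mac -> (interface, timestamp)

    def _expire(self, now):
        stale = [m for m, (_, ts) in self.table.items() if now - ts >= self.ttl]
        for m in stale:
            del self.table[m]     # stale entries dropped

    def receive(self, in_iface, src_mac, dst_mac, now):
        """Returns the list of interfaces the frame is sent out on."""
        self._expire(now)
        # self-learning: the sender is reachable through the incoming interface
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if entry is None:
            # unknown destination: flood on every interface but the incoming one
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []             # same segment: filter, do not forward
        return [out_iface]        # known location: selective forwarding


def scenario():
    """Frames through a three-port switch; returns the output ports per frame."""
    sw = Switch([1, 2, 3])
    log = []
    log.append(sw.receive(1, "A", "B", now=0))             # B unknown: flood to 2, 3
    log.append(sw.receive(2, "B", "A", now=1))             # A learned on 1: forward to 1
    log.append(sw.receive(1, "A", "B", now=2))             # B learned on 2: forward to 2
    log.append(sw.receive(1, "C", "A", now=3))             # A is on the same segment: filtered
    log.append(sw.receive(1, "A", "B", now=TABLE_TTL + 2)) # B's entry expired: flood again
    return log


if __name__ == "__main__":
    for frame, out in zip(["A->B", "B->A", "A->B", "C->A", "A->B (later)"], scenario()):
        print(frame, "->", out)
```

Learning is driven purely by observed source addresses, which is why the table needs a TTL at all: a host that moves to another port is relearned only when it next sends, and a stale entry would otherwise misdirect frames until then. It is also why the switch trusts whatever source address a frame carries; the sniffing countermeasure slide relies on switching to isolate segments, not on the switch verifying senders.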
Switches vs Routers
- both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
- means A, C unaware of their interference at B
[Figure: A, B, C with overlapping coverage ranges]
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
[Figure: A's signal strength and C's signal strength plotted against space, with A, B, C in line]
IEEE 802.11 Wireless LAN
802.11b:
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code)
- widely deployed, using base stations
802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
- ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
  - start random backoff time
  - timer counts down while channel idle
  - transmit when timer expires
  - if no ACK, increase random backoff interval, repeat 2
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
RSA example
Bob chooses p=5 q=7 Then n=35 z=24e=5 (so e z relatively prime)d=29 (so ed-1 exactly divisible by z
letter m me c = m mod ne
l 12 1524832 17
c m = c mod nd
17 481968572106750915091411825223071697 12
cdletter
l
encrypt
decrypt
RSA Why is that m = (m mod n)
e mod n
d
(m mod n)
e mod n = m mod n
d ed
Useful number theory result If pq prime and n = pq then
x mod n = x mod ny y mod (p-1)(q-1)
= m mod n
ed mod (p-1)(q-1)
= m mod n1
= m
(using number theory result above)
(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )
RSA another important property
The following property will be very useful later
K (K (m)) = m BB
- +K (K (m))
BB+ -
=
use public key first followed
by private key
use private key first
followed by public key
Result is the same
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
Failure scenarioldquoI am Alicerdquo
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
in a networkBob can not ldquoseerdquo
Alice so Trudy simply declares
herself to be AliceldquoI am Alicerdquo
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Failure scenario
ldquoI am AlicerdquoAlicersquos
IP address
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Trudy can createa packet
ldquospoofingrdquoAlicersquos addressldquoI am Alicerdquo
Alicersquos IP address
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
playback attack Trudy records Alicersquos
packetand later
plays it back to Bob
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
Authentication yet another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
encrypted password
OKAlicersquos IP addr
Authentication another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
recordand
playbackstill works
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
Authentication yet another try
Goal avoid playback attack
Failures drawbacks
Nonce number (R) used only once ndashin-a-lifetime
ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice
must return R encrypted with shared secret keyldquoI am Alicerdquo
R
K (R)A-B
Alice is live and only Alice knows key to encrypt
nonce so it must be Alice
Authentication ap50
ap40 requires shared symmetric key can we authenticate using public key techniquesap50 use nonce public key cryptography
ldquoI am Alicerdquo
RBob computes
K (R)A-
ldquosend me your public keyrdquo
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the
private key that encrypted R such that
(K (R)) = RA-
K A+
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alicersquos public key
AK (m)+
Am = K (K (m))+
A-
R
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
- Filter packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
(figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway; router and filter)
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host and relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.
Limitations of firewalls and gateways
- IP spoofing: the router can't know if data "really" comes from the claimed source.
- If multiple applications need special treatment, each has its own application gateway.
- Client software must know how to contact the gateway, e.g., must set the IP address of the proxy in the Web browser.
- Filters often use an all-or-nothing policy for UDP.
- Tradeoff: degree of communication with the outside world vs. level of security.
- Many highly protected sites still suffer from attacks.
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
Internet security threats: mapping
- Before attacking, "case the joint": find out what services are implemented on the network.
- Use ping to determine what hosts have addresses on the network.
- Port scanning: try to establish a TCP connection to each port in sequence.
Countermeasures:
- Record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).
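The mapping countermeasure above, run over a constructed connection log: one detector flags a source that pings many hosts (the ping sweep), the other flags a source that connects to many ports on one host in sequence (the port scan). This is an added example, not code from the lecture; the log format, the addresses, the thresholds and the 60-second window are assumptions of this example.

```python
"""Scan detection over a constructed connection log, after the mapping
countermeasure on the slides (record traffic entering the network, look for
addresses/ports probed in sequence). Added example, not code from the lecture;
the log format and the thresholds are assumptions of this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: one line per packet entering the network.
LOG = """\
2024-03-14T10:00:00 proto=icmp src=203.0.113.9 dst=10.0.0.1 type=8
2024-03-14T10:00:01 proto=icmp src=203.0.113.9 dst=10.0.0.2 type=8
2024-03-14T10:00:01 proto=icmp src=203.0.113.9 dst=10.0.0.3 type=8
2024-03-14T10:00:02 proto=icmp src=203.0.113.9 dst=10.0.0.5 type=8
2024-03-14T10:00:05 proto=tcp src=203.0.113.9 dst=10.0.0.5 dport=21 flags=S
2024-03-14T10:00:05 proto=tcp src=203.0.113.9 dst=10.0.0.5 dport=22 flags=S
2024-03-14T10:00:06 proto=tcp src=203.0.113.9 dst=10.0.0.5 dport=23 flags=S
2024-03-14T10:00:06 proto=tcp src=203.0.113.9 dst=10.0.0.5 dport=24 flags=S
2024-03-14T10:00:07 proto=tcp src=203.0.113.9 dst=10.0.0.5 dport=25 flags=S
2024-03-14T10:00:03 proto=tcp src=198.51.100.7 dst=10.0.0.5 dport=443 flags=S
2024-03-14T10:00:09 proto=tcp src=198.51.100.7 dst=10.0.0.5 dport=443 flags=S
2024-03-14T10:00:20 proto=tcp src=198.51.100.7 dst=10.0.0.6 dport=80 flags=S
2024-03-14T10:00:21 proto=icmp src=198.51.100.7 dst=10.0.0.6 type=8
"""

LINE = re.compile(
    r"(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?"
)


def parse(text):
    """Turn log lines into dicts with a datetime and int port/type fields."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                        # unparseable line: skip, don't crash
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"]) if e["dport"] else None
        e["type"] = int(e["type"]) if e["type"] else None
        events.append(e)
    return events


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers, in probe order."""
    best = run = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def _windows(events, key, window):
    """Group by key, sort by time, yield (key, events within window of each start)."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            yield k, [e for e in evs[i:] if e["ts"] - first["ts"] <= window]


def find_port_scans(events, threshold=5, window=timedelta(seconds=60)):
    """One (src, dst) pair hitting >= threshold distinct TCP ports inside the window."""
    alerts, seen = [], set()
    tcp = [e for e in events if e["proto"] == "tcp"]
    for (src, dst), evs in _windows(tcp, lambda e: (e["src"], e["dst"]), window):
        ports = [e["dport"] for e in evs]
        if len(set(ports)) >= threshold and (src, dst) not in seen:
            seen.add((src, dst))
            alerts.append({"src": src, "dst": dst, "distinct_ports": len(set(ports)),
                           "sequential_run": longest_sequential_run(ports)})
    return alerts


def find_host_sweeps(events, threshold=4, window=timedelta(seconds=60)):
    """One source pinging (ICMP echo request, type 8) >= threshold distinct hosts."""
    alerts, seen = [], set()
    pings = [e for e in events if e["proto"] == "icmp" and e["type"] == 8]
    for src, evs in _windows(pings, lambda e: e["src"], window):
        hosts = {e["dst"] for e in evs}
        if len(hosts) >= threshold and src not in seen:
            seen.add(src)
            alerts.append({"src": src, "hosts": len(hosts)})
    return alerts


if __name__ == "__main__":
    ev = parse(LOG)
    print(find_host_sweeps(ev))
    print(find_port_scans(ev))
```

The sequential-run count is what separates the scanner from a busy but legitimate client: 198.51.100.7 above touches two hosts and two ports and is never reported, while 203.0.113.9 walks ports 21 to 25 in order within two seconds.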
Internet security threats: packet sniffing
- Broadcast media: a promiscuous NIC reads all packets passing by and can read all unencrypted data (e.g., passwords). E.g., C sniffs B's packets.
(figure: A, B, C on a shared segment; frame src:B dest:A payload)
Countermeasures:
- All hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
- One host per segment of broadcast media (switched Ethernet at the hub).
Internet security threats: IP spoofing
- An application can generate "raw" IP packets directly, putting any value into the IP source address field.
- The receiver can't tell if the source is spoofed. E.g., C pretends to be B.
(figure: A, B, C; frame src:B dest:A payload, sent by C)
Countermeasures: ingress filtering
- Routers should not forward outgoing packets with invalid source addresses (e.g., a datagram whose source address is not in the router's network).
- Great, but ingress filtering cannot be mandated for all networks.
Internet security threats: denial of service (DoS)
- A flood of maliciously generated packets "swamps" the receiver.
- Distributed DoS (DDoS): multiple coordinated sources swamp the receiver. E.g., C and a remote host SYN-attack A.
(figure: C and a remote host send a stream of SYNs to A)
Countermeasures:
- Filter out flooded packets (e.g., SYN) before they reach the host: throws out the good with the bad.
- Traceback to the source of the floods (most likely an innocent, compromised machine).
Review (1): Network layer
- Virtual circuits and datagram networks
- Routing principles: link state algorithm, distance vector algorithm
- The Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
- Link-layer addressing, Ethernet, hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing algorithm classification
Global or decentralized information?
- Global: all routers have complete topology and link cost info: "link state" algorithms.
- Decentralized: a router knows its physically connected neighbors and the link costs to those neighbors; iterative process of computation and exchange of info with neighbors: "distance vector" algorithms.
Static or dynamic?
- Static: routes change slowly over time.
- Dynamic: routes change more quickly; periodic updates, or updates in response to link cost changes.
Dijkstra's algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Graph (link costs): c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2

Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to its neighbors.
- When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
  $D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$, with v ranging over the neighbors of x.
- Under minor, natural conditions the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.
Distance vector algorithm (2)
- Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
- Distributed: each node notifies its neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
- The algorithm doesn't know the entire path, only the next hop.
- Each node: wait for (a change in local link cost or a message from a neighbor); then update its estimates.
Why different intra- and inter-AS routing? Performance: intra-AS routing can focus on performance; inter-AS: policy may dominate over performance.
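Both routing algorithms on the six-node graph from the Dijkstra example above: the link-state computation reproduces the table (same least costs and predecessors), and the distance-vector iteration converges to the same costs although no node ever sees the whole topology. This is an added example, not code from the lecture; the synchronous rounds in `distance_vector` are a simplification of the asynchronous, message-driven algorithm the slides describe, and the tie-break by node name is this example's choice.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) routing on the
six-node graph from the Dijkstra example on the slides. Added example, not
code from the lecture; the synchronous-round DV loop is a simplification of
the asynchronous algorithm described on the slides."""
import math
from collections import defaultdict

# Undirected link costs c(a, b) from the slides' example graph.
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def adjacency(graph):
    """{node: {neighbour: cost}} for an undirected cost map."""
    adj = defaultdict(dict)
    for (a, b), c in graph.items():
        adj[a][b] = c
        adj[b][a] = c
    return adj


def dijkstra(graph, u):
    """Link-state computation at u. Returns (D, p, trace): D[v] is the least
    cost from u to v, p[v] the predecessor of v on that path, trace the set N
    after each step (compare with the table on the slides)."""
    adj = adjacency(graph)
    others = set(adj) - {u}
    D = {v: adj[u].get(v, math.inf) for v in others}      # initialization
    p = {v: u for v in adj[u]}
    N, trace = {u}, []
    while N != set(adj):
        # find w not in N such that D(w) is a minimum (ties broken by name)
        w = min(others - N, key=lambda v: (D[v], v))
        N.add(w)
        trace.append("".join(sorted(N)))
        # update D(v) for all v adjacent to w and not in N
        for v, c in adj[w].items():
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p, trace


def distance_vector(graph, max_rounds=50):
    """Every node starts with direct costs only and, each round, recomputes
    D_x(y) = min over neighbours v of c(x,v) + D_v(y) from the vectors its
    neighbours sent in the previous round. Returns (tables, round at which
    nothing changed) or (tables, None) if it did not settle in max_rounds."""
    adj = adjacency(graph)
    nodes = sorted(adj)
    D = {x: {y: 0 if x == y else adj[x].get(y, math.inf) for y in nodes} for x in nodes}
    for rnd in range(1, max_rounds + 1):
        new = {x: {y: 0 if x == y else min(adj[x][v] + D[v][y] for v in adj[x])
                   for y in nodes} for x in nodes}
        if new == D:                      # no vector changed: converged
            return D, rnd
        D = new
    return D, None


if __name__ == "__main__":
    D, p, trace = dijkstra(GRAPH, "u")
    print("link state at u:", D, p, trace)
    T, rounds = distance_vector(GRAPH)
    print("distance vector at u:", T["u"], "settled after round", rounds)
```

`dijkstra` returns only the next-hop-independent result (costs and predecessors); the forwarding table at u is read off by following p back from each destination, which is exactly the information a distance-vector node never has: `T["u"]` holds the same costs but only the next hop.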
Data link layer
Some terminology:
- Hosts and routers are nodes.
- Communication channels that connect adjacent nodes along a communication path are links: wired links, wireless links, LANs.
- A layer-2 packet is a frame; it encapsulates a datagram.
The data-link layer has responsibility for transferring a datagram from one node to an adjacent node over a link.
Link layer services
- Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if the medium is shared; "MAC" addresses are used in frame headers to identify source and destination (different from IP addresses).
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); used on wireless links, which have high error rates. Q: why both link-level and end-to-end reliability?
MAC protocols: a taxonomy
Three broad classes:
- Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use.
- Random access: channel not divided, collisions allowed; "recover" from collisions.
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns.
Channel partitioning MAC protocols: TDMA
- TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: 6-station LAN; stations 1, 3, 4 have packets; slots 2, 5, 6 idle.
- TDM (time division multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
- FDM (frequency division multiplexing): frequency subdivided.
Slotted ALOHA
Pros:
- A single active node can continuously transmit at the full rate of the channel.
- Highly decentralized: only the slots in the nodes need to be in sync.
- Simple.
Cons:
- Collisions, wasting slots.
- Idle slots.
- Clock synchronization.
Slotted ALOHA efficiency
- Suppose N nodes with many frames to send, each transmitting in a slot with probability p.
- Probability that node 1 has success in a slot = $p(1-p)^{N-1}$.
- Probability that there is a success = $Np(1-p)^{N-1}$.
- For max efficiency with N nodes, find the p that maximizes $Np(1-p)^{N-1}$ (it is $p = 1/N$).
- For many nodes, take the limit of $Np(1-p)^{N-1}$ with $p = 1/N$ as N goes to infinity: gives $1/e \approx 0.37$.
- Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
- At best, the channel is used for useful transmissions 37% of the time.
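The efficiency derivation above, checked two ways: the closed form $Np(1-p)^{N-1}$ is maximized numerically (the maximum sits at $p = 1/N$, where its derivative $N(1-p)^{N-2}(1-Np)$ vanishes) and compared against a Monte Carlo run in which every node is backlogged. This is an added example, not code from the lecture; the slot counts and the random seed are this example's choices.

```python
"""Slotted ALOHA efficiency: the closed form from the slides checked against a
Monte Carlo simulation. Added example, not code from the lecture."""
import math
import random


def success_probability(N, p):
    """P(exactly one of N nodes transmits in a slot) = N p (1-p)^(N-1)."""
    return N * p * (1 - p) ** (N - 1)


def best_p(N, steps=10_000):
    """Grid-search the p that maximizes N p (1-p)^(N-1). The derivative
    N (1-p)^(N-2) (1 - N p) vanishes at p = 1/N, so expect about that."""
    return max((k / steps for k in range(1, steps)), key=lambda p: success_probability(N, p))


def max_efficiency(N):
    """Efficiency at the optimal p = 1/N; tends to 1/e as N grows."""
    return success_probability(N, 1 / N)


def simulate(N, p, slots, seed=1):
    """Fraction of slots with exactly one transmitter, every node backlogged."""
    rng = random.Random(seed)
    good = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(N) if rng.random() < p)
        good += transmitters == 1        # 0 = idle slot, more than 1 = collision
    return good / slots


if __name__ == "__main__":
    for N in (2, 5, 10, 100):
        print(N, round(best_p(N), 3), round(max_efficiency(N), 3),
              round(simulate(N, 1 / N, 20_000), 3))
    print("limit 1/e =", round(1 / math.e, 3))
```

For N = 2 the best case is exactly 1/2 (each slot is good only when one of the two is silent); the value falls toward 1/e as nodes are added, which is the 37% figure on the slide.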
CSMA (carrier sense multiple access)
- CSMA: listen before transmit. If the channel is sensed idle, transmit the entire frame. If the channel is sensed busy, defer transmission.
- Human analogy: don't interrupt others.
CSMA collisions
- Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
- Collision: the entire packet transmission time is wasted.
- Note the role of distance and propagation delay in determining collision probability (see the spatial layout of nodes).
CSMA/CD (collision detection)
- CSMA/CD: carrier sensing and deferral as in CSMA; collisions are detected within a short time; colliding transmissions are aborted, reducing channel wastage.
- Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).
"Taking turns" MAC protocols
- Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
- Token passing: a control token is passed from one node to the next sequentially. Concerns: token overhead, latency, single point of failure (token).
ARP: address resolution protocol
- Each IP node (host, router) on a LAN has an ARP table.
- ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
- TTL (time to live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?
(figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)
ARP protocol: same LAN (network)
- A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
- B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, i.e., information that times out (goes away) unless refreshed.
- ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN).
- In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
- A creates a datagram with source A, destination B.
- A uses ARP to get R's MAC address for 111.111.111.110.
- A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram.
- A's adapter sends the frame; R's adapter receives it.
- R removes the IP datagram from the Ethernet frame and sees it is destined to B.
- R uses ARP to get B's MAC address.
- R creates a frame containing the A-to-B IP datagram and sends it to B.
(figure: A -- R -- B, with R attached to both LANs)
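The ARP exchange and the A-to-B walkthrough above as a small simulation: two broadcast segments, a router with an ARP table per LAN, soft-state entries that expire after the 20-minute TTL, and the datagram carried unchanged inside two different frames. This is an added example, not code from the lecture; the router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B are the ones on the slide, every other address, the /24 prefixes and the timestamps are constructed for this example.

```python
"""Simulation of the ARP exchange and the A -> R -> B walkthrough on the slides.
Added example, not code from the lecture. The router address 111.111.111.110
and its MAC E6-E9-00-17-BB-4B are the slide's; every other address is
constructed for this example, and each LAN is assumed to be a /24."""
import ipaddress

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60     # seconds: "typically 20 min" on the slide


class LAN:
    """Broadcast segment: every attached adapter sees every frame."""
    def __init__(self):
        self.nodes, self.frames = [], []

    def send(self, frame):
        self.frames.append(frame)
        for node in self.nodes:
            if frame["dst_mac"] in (BROADCAST, node.mac_on(self)):
                node.receive(self, frame)


class Node:
    """A host (one interface plus a default gateway) or a router (one interface per LAN)."""
    def __init__(self, name, ifaces, gateway=None):
        self.name, self.ifaces, self.gateway = name, ifaces, gateway   # ifaces: [(ip, mac, lan)]
        self.arp = {}                       # ip -> (mac, expiry): soft state with a TTL
        self.broadcasts, self.delivered = 0, []
        for _, _, lan in ifaces:
            lan.nodes.append(self)

    def mac_on(self, lan):
        return next(mac for _, mac, l in self.ifaces if l is lan)

    def iface_for(self, ip):
        """Interface whose /24 contains ip, or None (then the gateway is used)."""
        for iface in self.ifaces:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(f"{iface[0]}/24", strict=False):
                return iface
        return None

    def resolve(self, ip, now):
        """MAC for ip from the ARP table if still fresh, otherwise via a broadcast query."""
        mac, expiry = self.arp.get(ip, (None, -1))
        if mac is None or now >= expiry:
            _, my_mac, lan = self.iface_for(ip)
            self.broadcasts += 1
            lan.send({"src_mac": my_mac, "dst_mac": BROADCAST, "t": now,
                      "arp": {"op": "query", "ip": ip}})
            if ip not in self.arp:          # the reply was handled inside lan.send
                raise LookupError(f"{self.name}: no ARP reply for {ip}")
            mac = self.arp[ip][0]
        return mac

    def send_datagram(self, dst_ip, payload, now):
        self._transmit({"src": self.ifaces[0][0], "dst": dst_ip, "payload": payload}, now)

    def _transmit(self, dgram, now):
        """Routing table lookup (directly attached or via the gateway), then ARP, then the frame."""
        next_hop = dgram["dst"] if self.iface_for(dgram["dst"]) else self.gateway
        if next_hop is None:
            raise ValueError(f"{self.name}: no route to {dgram['dst']}")
        _, my_mac, lan = self.iface_for(next_hop)
        lan.send({"src_mac": my_mac, "dst_mac": self.resolve(next_hop, now), "t": now, "ip": dgram})

    def receive(self, lan, frame):
        if "arp" in frame:
            arp = frame["arp"]
            if arp["op"] == "query" and any(ip == arp["ip"] for ip, _, _ in self.ifaces):
                lan.send({"src_mac": self.mac_on(lan), "dst_mac": frame["src_mac"], "t": frame["t"],
                          "arp": {"op": "reply", "ip": arp["ip"], "mac": self.mac_on(lan)}})
            elif arp["op"] == "reply":
                self.arp[arp["ip"]] = (arp["mac"], frame["t"] + ARP_TTL)   # cache with TTL
        elif any(frame["ip"]["dst"] == ip for ip, _, _ in self.ifaces):
            self.delivered.append(frame["ip"])            # datagram is for me
        elif self.gateway is None:                         # a router: forward it
            self._transmit(frame["ip"], frame["t"])


def walkthrough():
    """A sends three datagrams to B through R; the third after the ARP entries expired."""
    lan1, lan2 = LAN(), LAN()
    a = Node("A", [("111.111.111.111", "74-29-9C-E8-FF-55", lan1)], gateway="111.111.111.110")
    r = Node("R", [("111.111.111.110", "E6-E9-00-17-BB-4B", lan1),
                   ("222.222.222.220", "1A-23-F9-CD-06-9B", lan2)])
    b = Node("B", [("222.222.222.222", "49-BD-D2-C7-56-2A", lan2)], gateway="222.222.222.220")
    a.send_datagram("222.222.222.222", "hello", now=0)
    a.send_datagram("222.222.222.222", "again", now=60)           # both ARP entries still fresh
    a.send_datagram("222.222.222.222", "later", now=ARP_TTL + 1)  # entries timed out: re-ARP
    return a, r, b, lan1, lan2


if __name__ == "__main__":
    a, r, b, lan1, lan2 = walkthrough()
    for lan_name, lan in (("LAN 1", lan1), ("LAN 2", lan2)):
        for f in lan.frames:
            print(lan_name, f["src_mac"], "->", f["dst_mac"], f.get("arp") or f["ip"])
```

The frame log shows the point of the slide: the IP datagram that leaves A is byte-for-byte the one that reaches B, while the frame around it is rebuilt at R with R's own interface MAC as source and B's MAC as destination. The second datagram causes no ARP traffic at all; the third, sent after the TTL, triggers a fresh query on each LAN.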
Ethernet uses CSMA/CD
- No slots.
- An adapter doesn't transmit if it senses that some other adapter is transmitting: carrier sense.
- A transmitting adapter aborts when it senses that another adapter is transmitting: collision detection.
- Before attempting a retransmission, the adapter waits a random time: random access.
Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K·512 bit times and returns to step 2.
Ethernet's CSMA/CD (more)
- Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
- Bit time: 0.1 µs for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 ms.
- Exponential backoff. Goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer. First collision: choose K from {0, 1}; the delay is K·512 bit transmission times. After the second collision: choose K from {0, 1, 2, 3}. After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.
CSMA/CD efficiency
- $t_{prop}$ = max propagation delay between 2 nodes in the LAN; $t_{trans}$ = time to transmit a max-size frame.
- $\text{efficiency} = \dfrac{1}{1 + 5\,t_{prop}/t_{trans}}$
- Efficiency goes to 1 as $t_{prop}$ goes to 0, and goes to 1 as $t_{trans}$ goes to infinity.
- Much better than ALOHA, but still decentralized, simple, and cheap.
Hubs
Hubs are essentially physical-layer repeaters:
- Bits coming from one link go out all other links at the same rate.
- No frame buffering.
- No CSMA/CD at the hub: adapters detect collisions.
- Provides net management functionality: can disconnect a malfunctioning adapter.
Interconnecting with hubs
Pros:
- Enables interdepartmental communication.
- Extends the max distance between nodes.
- If a hub malfunctions, the backbone hub can disconnect it.
Cons:
- Collision domains are merged into one large common domain.
- Cannot interconnect 10BaseT and 100BaseT hubs.
(figure: backbone hub connecting three departmental hubs)
Switch: link-layer device
- Stores and forwards Ethernet frames.
- Examines the frame header and selectively forwards the frame based on the MAC destination address.
- When a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
- Transparent: hosts are unaware of the presence of switches.
- Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- How to determine onto which LAN segment to forward a frame? Looks like a routing problem.
(figure: switch with interfaces 1, 2, 3, each attached to a hub)
Self-learning
- A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min).
- The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.
Switch: traffic isolation
- Switch installation breaks the subnet into LAN segments.
- The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.
(figure: switch with three hubs, each hub its own collision domain)
Switches vs. routers
- Both are store-and-forward devices.
- Routers are network-layer devices (they examine network-layer headers); switches are link-layer devices.
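The self-learning and traffic-isolation behaviour above in code: a switch table keyed by MAC address with an interface and a time stamp, flooding for unknown or broadcast destinations, filtering when the destination is on the segment the frame came from, and expiry of stale entries. This is an added example, not code from the lecture; the three-interface layout, the MAC addresses and the timestamps are constructed for this example.

```python
"""Self-learning switch with a TTL-based table, flooding and same-segment
filtering, as described on the slides. Added example, not code from the
lecture; the MAC addresses and the 3-interface layout are constructed."""

BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces, ttl=60 * 60):
        self.interfaces = list(interfaces)      # e.g. [1, 2, 3], one per hub/segment
        self.ttl = ttl                          # "TTL can be 60 min"
        self.table = {}                         # MAC -> (interface, time stamp)

    def _expire(self, now):
        """Drop stale entries: a host silent for longer than ttl is forgotten."""
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ttl:
                del self.table[mac]

    def handle(self, in_iface, src, dst, now):
        """Return (action, [interfaces the frame goes out on])."""
        self._expire(now)
        self.table[src] = (in_iface, now)        # learn: the sender lives on in_iface
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # unknown destination: flood everywhere except where it came from
            return "flood", [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return "filter", []                   # same segment: the hub already delivered it
        return "forward", [out_iface]


def scenario():
    """Constructed traffic: A and C share the hub on interface 1, B is on interface 2;
    nothing is attached to interface 3 in this run."""
    sw = LearningSwitch([1, 2, 3])
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    return [
        ("A->B, B unknown", sw.handle(1, A, B, now=0)),
        ("B->A, A learned", sw.handle(2, B, A, now=1)),
        ("A->B, B learned", sw.handle(1, A, B, now=2)),
        ("C->A, same segment", sw.handle(1, C, A, now=3)),
        ("A->broadcast", sw.handle(1, A, BROADCAST, now=4)),
        ("A->B after B's TTL", sw.handle(1, A, B, now=1 + 60 * 60 + 1)),
    ]


if __name__ == "__main__":
    for label, (action, out) in scenario():
        print(f"{label:22} {action:8} {out}")
```

The first frame to B is flooded because the switch has not yet heard from B; once B has sent anything, frames to B are forwarded only onto interface 2, and a frame between two hosts on the same hub is not repeated onto the other segments at all. After B's entry times out the switch is back to flooding, which is the plug-and-play price of never being configured.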
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
- Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other. This means A and C are unaware of their interference at B.
- Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, yet they interfere at B.
(figure: A, B, C in a line; A's and C's signal strength plotted against space)
IEEE 802.11 wireless LAN
- 802.11b: 2.4-2.5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code; widely deployed, using base stations.
- 802.11a: 5-6 GHz range; up to 54 Mbps.
- 802.11g: 2.4-2.5 GHz range; up to 54 Mbps.
- All use CSMA/CA for multiple access.
- All have base-station and ad-hoc network versions.
802.11 LAN architecture
- A wireless host communicates with a base station; base station = access point (AP).
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, base station); in ad hoc mode, hosts only.
(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.
802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed due to the hidden terminal problem).
(figure: sender waits DIFS and sends data; receiver waits SIFS and sends ACK)
Collision avoidance: RTS-CTS exchange
(figure: A and B both send RTS to the AP and the RTSs collide ("reservation collision"); A's RTS is repeated, the AP sends CTS(A), A sends DATA(A) while B defers, and the AP returns ACK(A))
802.11 frame format (field lengths in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)
802.11 frame addressing
- Address 1: MAC address of the wireless host or AP to receive this frame.
- Address 2: MAC address of the wireless host or AP transmitting this frame.
- Address 3: MAC address of the router interface to which the AP is attached.
- Address 4: used only in ad hoc mode.
(figure: H1 -- AP -- R1 -- Internet. 802.11 frame from H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame from the AP: dest address = R1 MAC addr, source address = AP MAC addr)
Network security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
RSA: why is that $m = (m^e \bmod n)^d \bmod n$?
Useful number theory result: if $p, q$ are prime and $n = pq$, then
$x^y \bmod n = x^{\,y \bmod (p-1)(q-1)} \bmod n$
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{\,ed \bmod (p-1)(q-1)} \bmod n$ (using the number theory result above)
$= m^1 \bmod n$ (since we chose $ed$ to be divisible by $(p-1)(q-1)$ with remainder 1)
$= m$
RSA: another important property
The following property will be very useful later:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
Use the public key first, followed by the private key, or use the private key first, followed by the public key: the result is the same.
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
Authentication
Goal: Bob wants Alice to "prove" her identity to him.
Protocol ap1.0: Alice says "I am Alice".
Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice: "I am Alice".
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address.
Failure scenario: Trudy can create a packet "spoofing" Alice's address: "I am Alice", Alice's IP address.
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
(exchange: "I'm Alice", Alice's IP addr, Alice's password -> Bob; "OK", Alice's IP addr <- Bob)
Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob: "I'm Alice", Alice's IP addr, Alice's password.
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
(exchange: "I'm Alice", Alice's IP addr, encrypted password -> Bob; "OK", Alice's IP addr <- Bob)
Failure scenario: record and playback still works; Trudy replays "I'm Alice", Alice's IP addr, encrypted password.
Authentication: yet another try
Goal: avoid the playback attack.
Nonce: a number (R) used only once in a lifetime.
ap4.0: to prove Alice is "live", Bob sends Alice a nonce R; Alice must return R encrypted with the shared secret key.
(exchange: "I am Alice" -> Bob; R <- Bob; $K_{A\text{-}B}(R)$ -> Bob)
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice.
Failures, drawbacks?
Authentication: ap5.0
ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?
ap5.0: use a nonce and public key cryptography.
- Alice -> Bob: "I am Alice"
- Bob -> Alice: R
- Alice -> Bob: $K_A^-(R)$
- Bob -> Alice: "send me your public key"
- Alice -> Bob: $K_A^+$
- Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$.
ap5.0 security hole: man (woman) in the middle attack. Trudy poses as Alice (to Bob) and as Bob (to Alice).
- Alice -> Trudy (intercepted): "I am Alice"; Trudy -> Bob: "I am Alice"
- Bob -> Trudy: R; Trudy -> Alice: R
- Alice -> Trudy: $K_A^-(R)$; Trudy -> Bob: $K_T^-(R)$
- Bob -> Trudy: "send me your public key"; Trudy -> Bob: $K_T^+$
- Trudy -> Alice: "send me your public key"; Alice -> Trudy: $K_A^+$
- Bob sends $K_T^+(m)$, believing $K_T^+$ is Alice's key. Trudy gets $m = K_T^-(K_T^+(m))$, then sends m to Alice encrypted with Alice's public key, $K_A^+(m)$; Alice computes $m = K_A^-(K_A^+(m))$.
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit
- if channel sensed idle: transmit entire frame
- if channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[Figure: spatial layout of nodes]
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88, with MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address
- Dest MAC address = FF-FF-FF-FF-FF-FF
- all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
- frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
- soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: A -- R -- B, two LANs joined by router R]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
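The walkthrough above as a runnable model, added here and not part of the slides: each interface keeps its own soft-state ARP table with the 20-minute TTL, router R has one per LAN, and the datagram is carried unchanged inside two different frames. R's LAN-1 addresses are the ones on the slide; the other addresses are constructed placeholders in the same style.

```python
ARP_TTL_SECONDS = 20 * 60   # slide: a mapping is forgotten after about 20 min unless refreshed


class Lan:
    """A broadcast LAN: an ARP query reaches every attached node, only the owner replies."""

    def __init__(self):
        self.ip_to_mac = {}

    def attach(self, ip, mac):
        self.ip_to_mac[ip] = mac

    def arp_query(self, target_ip):
        """Broadcast to FF-FF-FF-FF-FF-FF; the node owning target_ip answers with its MAC."""
        return self.ip_to_mac.get(target_ip)    # None: nobody on this LAN owns the address


class Interface:
    """One IP interface of a host or router, with its own ARP table (soft state)."""

    def __init__(self, ip, mac, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_table = {}                     # target ip -> (mac, expiry time)

    def resolve(self, target_ip, now):
        """Return (mac, 'cache' | 'query'); queries the LAN only on a miss or a timed-out entry."""
        entry = self.arp_table.get(target_ip)
        if entry and entry[1] > now:            # cached and not yet timed out
            return entry[0], "cache"
        mac = self.lan.arp_query(target_ip)
        if mac is None:
            raise LookupError(f"{target_ip} is not on the LAN of {self.ip}")
        self.arp_table[target_ip] = (mac, now + ARP_TTL_SECONDS)   # learn, with TTL
        return mac, "query"


def send_via_router(a, r_in, r_out, b, now):
    """Walk the slide's steps A -> R (LAN 1) -> B (LAN 2); returns the two frames built."""
    datagram = {"src_ip": a.ip, "dst_ip": b.ip}             # unchanged end to end
    # A's routing table says: next hop is R's LAN-1 address; A resolves it with ARP
    r_mac, how1 = a.resolve(r_in.ip, now)
    frame1 = {"dst_mac": r_mac, "src_mac": a.mac, "payload": datagram, "arp": how1}
    # R receives frame1, removes the datagram, sees it is destined to B on its other LAN,
    # and resolves B with the ARP table of its LAN-2 interface
    b_mac, how2 = r_out.resolve(datagram["dst_ip"], now)
    frame2 = {"dst_mac": b_mac, "src_mac": r_out.mac, "payload": datagram, "arp": how2}
    return frame1, frame2


# Constructed topology (only R's LAN-1 IP and MAC come from the slide).
lan1, lan2 = Lan(), Lan()
A = Interface("111.111.111.111", "74-29-9C-E8-FF-55", lan1)
R_IN = Interface("111.111.111.110", "E6-E9-00-17-BB-4B", lan1)
R_OUT = Interface("222.222.222.220", "1A-23-F9-CD-06-9B", lan2)
B = Interface("222.222.222.222", "49-BD-D2-C7-56-2A", lan2)
for itf in (A, R_IN):
    lan1.attach(itf.ip, itf.mac)
for itf in (R_OUT, B):
    lan2.attach(itf.ip, itf.mac)

if __name__ == "__main__":
    for t in (0, 60, 21 * 60):               # second send hits the cache, third has timed out
        f1, f2 = send_via_router(A, R_IN, R_OUT, B, now=t)
        print(t, f1["arp"], f1["dst_mac"], "->", f2["arp"], f2["dst_mac"])
```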
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K*512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
- first collision: choose K from {0,1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0,1,2,3}…
- after ten collisions, choose K from {0,1,2,3,4,…,1023}
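The five-step algorithm and the backoff rule above, as an added simulation that is not part of the slides. The model is constructed: time moves in 512-bit slots, a frame fills one slot, and propagation delay is ignored, so adapters collide exactly when they start in the same slot.

```python
import random

SLOT_BIT_TIMES = 512        # slide: after a collision an adapter waits K * 512 bit times
MAX_EXPONENT = 10           # slide: after ten collisions K is drawn from {0, ..., 1023}


def backoff_range(m):
    """Number of choices for K after the m-th collision: 2^m, capped at 2^10 = 1024."""
    return 2 ** min(m, MAX_EXPONENT)


def wait_seconds(k, bit_rate_bps):
    """Real time spent waiting for a given K: K * 512 bit times at the link's bit rate."""
    return k * SLOT_BIT_TIMES / bit_rate_bps


def simulate_csma_cd(num_adapters, frames_per_adapter, seed=1):
    """Run the algorithm for a few adapters on one segment.

    Returns (slots_elapsed, collisions, worst_m) where worst_m is the largest
    collision count any single frame suffered before getting through.
    """
    rng = random.Random(seed)
    pending = [frames_per_adapter] * num_adapters   # frames still to send, per adapter
    ready_at = [0] * num_adapters                   # first slot at which step 2 may fire
    m = [0] * num_adapters                          # collisions suffered by the current frame
    slot, collisions, worst_m = 0, 0, 0
    while any(pending):
        # step 2: every adapter with a frame whose backoff has expired senses the
        # channel idle at the slot boundary and starts to transmit
        senders = [i for i in range(num_adapters) if pending[i] and ready_at[i] <= slot]
        if len(senders) == 1:
            # step 3: the whole frame goes out without detecting another transmission
            i = senders[0]
            pending[i] -= 1
            m[i] = 0
        elif len(senders) > 1:
            # step 4: collision detected, transmissions aborted (jam signal sent);
            # step 5: exponential backoff, then back to step 2
            collisions += 1
            for i in senders:
                m[i] += 1
                worst_m = max(worst_m, m[i])
                k = rng.randrange(backoff_range(m[i]))      # K in {0, 1, ..., 2^m - 1}
                ready_at[i] = slot + 1 + k                  # wait K slots of 512 bit times
        slot += 1
    return slot, collisions, worst_m


if __name__ == "__main__":
    print("K=1023 at 10 Mbps waits %.1f ms" % (1000 * wait_seconds(1023, 10_000_000)))
    print("4 adapters x 3 frames:", simulate_csma_cd(4, 3, seed=7))
```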
CSMA/CD efficiency
t_prop = max prop between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub interconnecting three other hubs]
Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
- hosts are unaware of presence of switches
plug-and-play, self-learning
- switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
A switch has a switch table
entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
[Figure: switch with three hubs, each hub's segment a separate collision domain]
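Self-learning, filtering and flooding as one small switch model, added here and not code from the slides. The 60-minute TTL and the (MAC, interface, time stamp) entry are the slide's; the interface numbers and MAC addresses in the test are constructed.

```python
SWITCH_TTL_SECONDS = 60 * 60          # slide: stale entries dropped, TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Switch:
    """Self-learning store-and-forward switch with a (MAC, interface, time stamp) table."""

    def __init__(self, interfaces, ttl=SWITCH_TTL_SECONDS):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}                   # mac -> (interface, time stamp of last frame seen)

    def _drop_stale(self, now):
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ttl:
                del self.table[mac]       # host has been silent longer than the TTL

    def receive(self, frame, incoming, now):
        """Handle one frame arriving on `incoming`; return the interfaces it is sent out on."""
        self._drop_stale(now)
        # learn: the sender is reachable through the incoming interface (refreshes the stamp)
        self.table[frame["src"]] = (incoming, now)
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.table:
            # unknown or broadcast destination: flood to every other segment
            return [i for i in self.interfaces if i != incoming]
        out, _ = self.table[dst]
        if out == incoming:
            return []                     # same-LAN-segment frame: filtered, not forwarded
        return [out]                      # selective forwarding by MAC destination


if __name__ == "__main__":
    sw = Switch(interfaces=[1, 2, 3])
    print(sw.receive({"src": "AA-AA-AA-AA-AA-01", "dst": "BB-BB-BB-BB-BB-02"}, incoming=1, now=0))
    print(sw.receive({"src": "BB-BB-BB-BB-BB-02", "dst": "AA-AA-AA-AA-AA-01"}, incoming=2, now=1))
    print(sw.table)
```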
Switches vs Routers
- both store-and-forward devices
- routers: network layer devices (examine network layer headers)
- switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: nodes A, B, C in a line; A and C each in range of B only]
Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
means A, C unaware of their interference at B
[Figure: A's signal strength and C's signal strength plotted over space, each fading away before it reaches the other node]
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other interfering at B
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code
- widely deployed, using base stations
802.11a
- 5-6 GHz range
- up to 54 Mbps
802.11g
- 2.4-5 GHz range
- up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts, access point (AP): base station
- ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then transmit entire frame (no CD)
2 if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: A and B both send RTS to the AP; RTS(A) and RTS(B) collide (reservation collision); A's repeated RTS(A) is answered by CTS(A), which the AP sends to both A and B; A sends DATA(A) while B defers; the AP returns ACK(A), heard by both]
802.11 frame: addressing
[Figure: 802.11 frame format, field lengths in bytes: frame control 2, duration 2, address 1 6, address 2 6, address 3 6, seq control 2, address 4 6, payload 0-2312, CRC 4]
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[Figure: H1 -- AP -- R1 -- Internet. 802.11 frame from H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame from the AP: dest address = R1 MAC addr, source address = AP MAC addr]
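A parser and builder for the frame layout drawn above, added here and not code from the slides. Two details are assumed from the 802.11 standard rather than from the page: the ToDS/FromDS flag bits of the frame-control field (address 4 is carried only when both are set), and a CRC-32 as the 4-byte CRC; the MAC addresses in the test are constructed.

```python
import struct
import zlib

MAX_PAYLOAD = 2312                     # slide: payload 0-2312 bytes
TO_DS, FROM_DS = 0x0100, 0x0200        # frame-control flag bits (assumed from the standard)
DATA_FRAME = 0x0008                    # frame-control type field = data


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def crc_ok(frame):
    """The 4-byte CRC at the end covers everything before it (CRC-32, little-endian)."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def parse_80211(frame):
    """Split a frame laid out as on the slide into its fields; raises ValueError if malformed."""
    if len(frame) < 24 + 4:
        raise ValueError("shorter than the fixed header plus CRC")
    if not crc_ok(frame):
        raise ValueError("CRC mismatch: frame corrupted in transit")
    body = frame[:-4]
    frame_control, duration = struct.unpack("<HH", body[0:4])
    to_ds, from_ds = bool(frame_control & TO_DS), bool(frame_control & FROM_DS)
    addr1, addr2, addr3 = body[4:10], body[10:16], body[16:22]
    seq_control, = struct.unpack("<H", body[22:24])
    offset, addr4 = 24, None
    if to_ds and from_ds:                      # the 4-address case carries address 4
        addr4, offset = body[24:30], 30
    payload = body[offset:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload longer than 2312 bytes")
    return {
        "receiver": mac_str(addr1),            # address 1: host or AP to receive this frame
        "transmitter": mac_str(addr2),         # address 2: host or AP transmitting it
        "router_if": mac_str(addr3),           # address 3: router interface behind the AP
        "address4": mac_str(addr4) if addr4 else None,
        "to_ds": to_ds, "from_ds": from_ds, "duration": duration,
        "seq": seq_control >> 4, "frag": seq_control & 0xF, "payload": payload,
    }


def build_80211(addr1, addr2, addr3, payload, to_ds=True, from_ds=False, seq=0, addr4=None):
    """Constructed sender side: a data frame with the given addresses and a correct CRC."""
    fc = DATA_FRAME | (TO_DS if to_ds else 0) | (FROM_DS if from_ds else 0)
    body = struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4)
    if to_ds and from_ds:
        body += addr4
    body += payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    ap, h1, r1 = (bytes.fromhex(h) for h in ("020000000A01", "020000000B01", "020000000C01"))
    print(parse_80211(build_80211(ap, h1, r1, b"datagram from H1", seq=7)))
```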
Network Security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
RSA: another important property
The following property will be very useful later:
K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
use public key first, followed by private key, or use private key first, followed by public key: result is the same!
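Why the two orders agree, as an added one-line derivation (not on the slide), assuming the RSA keys are written as on the earlier slides, K_B^+ = (n, e) and K_B^- = (n, d) with ed ≡ 1 mod (p-1)(q-1):

$$
K_B^-\bigl(K_B^+(m)\bigr) = (m^e)^d \bmod n = m^{ed} \bmod n = (m^d)^e \bmod n = K_B^+\bigl(K_B^-(m)\bigr),
$$

and since $ed \equiv 1 \pmod{(p-1)(q-1)}$ gives $m^{ed} \equiv m \pmod n$ for $m < n$, both sides equal $m$.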
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice
[Figure: "I am Alice" sent to Bob, first by Alice, then by Trudy]
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address
[Figure: packet (Alice's IP address, "I am Alice") sent to Bob, first by Alice, then by Trudy]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Failure scenario: playback attack: Trudy records Alice's packet and later plays it back to Bob
[Figure: Alice sends (Alice's IP addr, "I'm Alice", Alice's password); Bob replies (Alice's IP addr, OK); Trudy later sends the recorded packet (Alice's IP addr, "I'm Alice", Alice's password) to Bob]
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Failure scenario: record and playback still works!
[Figure: Alice sends (Alice's IP addr, "I'm Alice", encrypted password); Bob replies (Alice's IP addr, OK); Trudy later sends the recorded packet (Alice's IP addr, "I'm Alice", encrypted password) to Bob]
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[Figure: Alice: "I am Alice"; Bob: R; Alice: K_A-B(R)]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
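Bob's side of ap4.0 in code, added here and not from the slides: a fresh nonce per attempt, a record of every nonce ever issued so none is reused, and a check that a response recorded from an earlier run is rejected. A keyed MAC (HMAC-SHA256 from the standard library) stands in for the slide's symmetric encryption K_A-B(R); the key is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed placeholder for the shared secret K_A-B"


def encrypt_nonce(key, nonce):
    """Stand-in for K_A-B(R): a keyed MAC over R instead of a block cipher."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob:
    """Verifier: issues one nonce per attempt and accepts only the answer to the live one."""

    def __init__(self, key):
        self.key = key
        self.outstanding = {}        # claimed identity -> nonce currently awaiting an answer
        self.issued = set()          # every nonce ever issued: used once in a lifetime

    def challenge(self, claimed_name):
        while True:
            r = secrets.token_bytes(16)
            if r not in self.issued:
                break
        self.issued.add(r)
        self.outstanding[claimed_name] = r
        return r

    def verify(self, claimed_name, response):
        r = self.outstanding.pop(claimed_name, None)   # a nonce answers at most one message
        if r is None:
            return False                 # no live challenge: stray message or a replay
        expected = encrypt_nonce(self.key, r)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Alice:
    def __init__(self, key):
        self.key = key

    def answer(self, r):
        return encrypt_nonce(self.key, r)


def run_ap40(bob, alice, name="Alice"):
    """One full exchange: 'I am Alice', R, K_A-B(R)."""
    r = bob.challenge(name)
    return bob.verify(name, alice.answer(r))


def replay_recorded(bob, recorded_response, name="Alice"):
    """What happens to a recorded K_A-B(R): Bob has issued a new R, so the old answer fails."""
    bob.challenge(name)
    return bob.verify(name, recorded_response)


if __name__ == "__main__":
    bob, alice = Bob(SHARED_KEY), Alice(SHARED_KEY)
    print("live Alice accepted:", run_ap40(bob, alice))
    recorded = alice.answer(bob.challenge("Alice"))
    bob.verify("Alice", recorded)
    print("replayed answer accepted:", replay_recorded(bob, recorded))
```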
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: Alice: "I am Alice"; Bob: R; Alice: K_A^-(R); Bob: "send me your public key"; Alice: K_A^+]
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
[Figure: Alice -- Trudy -- Bob
Alice to Trudy: "I am Alice"; Trudy to Bob: "I am Alice"
Bob to Trudy: R; Trudy to Bob: K_T^-(R); Bob: "Send me your public key"; Trudy to Bob: K_T^+
Trudy to Alice: R; Alice to Trudy: K_A^-(R); Trudy: "Send me your public key"; Alice to Trudy: K_A^+
Bob sends K_T^+(m); Trudy computes m = K_T^-(K_T^+(m)); Trudy gets m, sends m to Alice encrypted with Alice's public key: K_A^+(m); Alice computes m = K_A^-(K_A^+(m))]
Difficult to detect:
- Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
- problem is that Trudy receives all messages as well!
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Firewalls
isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
[Figure: administered network -- firewall -- public Internet]
Firewalls: Why
prevent denial of service attacks:
- SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
prevent illegal modification/access of internal data
- e.g., attacker replaces CIA's homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls:
- application-level
- packet-filtering
Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
[Figure: Should arriving packet be allowed in? Departing packet let out?]
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
- All incoming and outgoing UDP flows and telnet connections are blocked
Example 2: Block inbound TCP SYN packets
- Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields
Example: allow select internal users to telnet outside
[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple app's need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all-or-nothing policy for UDP
- tradeoff: degree of communication with outside world, level of security
- many highly protected sites still suffer from attacks
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Internet security threats
Mapping:
- before attacking: "case the joint": find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
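The countermeasure above ("record traffic entering network, look for ports being scanned sequentially") as detection logic, added here and not from the slides. The record format and the sample log are constructed; a source is flagged when it sends connection attempts (TCP SYN) to consecutive ports of one host within a short window.

```python
from collections import defaultdict


def parse_record(line):
    """Constructed record format: '<seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>'."""
    t, src, dst, port, flags = line.split()
    return float(t), src, dst, int(port), flags


def detect_sequential_scans(records, min_ports=5, window_seconds=10.0):
    """Flag (src, dst) pairs with >= min_ports consecutive-port SYNs inside one time window."""
    attempts_by_pair = defaultdict(list)
    for t, src, dst, port, flags in records:
        if "S" in flags and "A" not in flags:      # connection attempts only: SYN without ACK
            attempts_by_pair[(src, dst)].append((t, port))
    alerts = []
    for (src, dst), attempts in attempts_by_pair.items():
        attempts.sort()                             # by time, as the traffic was recorded
        for i in range(len(attempts) - min_ports + 1):
            run = attempts[i:i + min_ports]
            ports = [p for _, p in run]
            in_window = run[-1][0] - run[0][0] <= window_seconds
            sequential = all(b == a + 1 for a, b in zip(ports, ports[1:]))
            if in_window and sequential:
                alerts.append({"src": src, "dst": dst,
                               "first_port": ports[0], "last_port": ports[-1]})
                break                               # one alert per pair is enough
    return alerts


# Constructed sample: one host walking ports 21..26 of 192.0.2.10, plus ordinary traffic.
SAMPLE_LOG = """\
0.0 10.9.8.7 192.0.2.10 21 S
0.4 10.9.8.7 192.0.2.10 22 S
0.9 10.9.8.7 192.0.2.10 23 S
1.3 10.9.8.7 192.0.2.10 24 S
1.8 10.9.8.7 192.0.2.10 25 S
2.2 10.9.8.7 192.0.2.10 26 S
5.0 192.0.2.55 192.0.2.10 80 S
6.0 192.0.2.55 192.0.2.10 443 S
7.0 192.0.2.10 192.0.2.55 443 SA
"""


def scan_alerts_from_log(text=SAMPLE_LOG):
    return detect_sequential_scans(parse_record(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    for alert in scan_alerts_from_log():
        print("sequential scan:", alert)
```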
Internet security threats
Packet sniffing:
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g.: C sniffs B's packets
[Figure: A, B, C on a shared segment; frame src:B dest:A payload, read by C]
Countermeasures?
Internet security threats
Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
Internet security threats
IP Spoofing:
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
[Figure: C sends a frame src:B dest:A payload to A]
Countermeasures?
Internet security threats
IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
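The two packet-filtering examples from the "Packet Filtering" slide and the ingress-filtering rule above, written as one rule set, added here and not from the slides. Example 1 is implemented as the effect the slide states (all UDP and all telnet blocked, i.e. protocol 17 or port 23); the packet dictionary and the router's local prefix 111.111.111.0/24 are constructed.

```python
from ipaddress import ip_address, ip_network

UDP, TCP = 17, 6


def blocks_udp_and_telnet(pkt):
    """Example 1: drop datagrams with IP protocol field 17, or with source or dest port 23."""
    return pkt["proto"] == UDP or 23 in (pkt.get("sport"), pkt.get("dport"))


def blocks_inbound_syn(pkt):
    """Example 2: drop inbound TCP SYN packets (SYN set, ACK clear), i.e. connection openings
    from outside; SYN-ACK replies to connections opened from inside still get through."""
    return (pkt["direction"] == "in" and pkt["proto"] == TCP
            and pkt.get("syn", False) and not pkt.get("ack", False))


def ingress_filter(pkt, local_net):
    """Ingress filtering: do not forward outgoing packets whose source is not in our network."""
    return pkt["direction"] == "out" and ip_address(pkt["src"]) not in local_net


def decide(pkt, local_net=ip_network("111.111.111.0/24")):
    """Return 'forward', or 'drop:<rule>' naming the first rule that rejects the packet."""
    for rule in (blocks_udp_and_telnet, blocks_inbound_syn):
        if rule(pkt):
            return f"drop:{rule.__name__}"
    if ingress_filter(pkt, local_net):
        return "drop:ingress_filter"
    return "forward"


if __name__ == "__main__":
    # constructed packets: an inside client opening a web connection, and a spoofed one
    print(decide({"direction": "out", "proto": TCP, "src": "111.111.111.111",
                  "dst": "192.0.2.9", "sport": 40000, "dport": 80, "syn": True}))
    print(decide({"direction": "out", "proto": TCP, "src": "10.0.0.5",
                  "dst": "192.0.2.9", "sport": 40004, "dport": 80, "syn": True}))
```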
Internet security threats
Denial of service (DOS):
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
[Figure: C and a remote host flood A with SYN packets]
Countermeasures?
Internet security threats
Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles: Link State Algorithm, Distance Vector Algorithm
- The Internet (IP) Protocol: IPv4 addressing, Datagram format, IP fragmentation, ICMP: Internet Control Message Protocol, IPv6, NAT: Network Address Translation
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA, Random Access Protocols, "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network Security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
    else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Step | N'     | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux     | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
[Figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor
Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only knows the next hop
[Figure: each node: wait for (change in local link cost or msg from neighbor); update]
Why different Intra- and Inter-AS routing?
Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
[Figure: "link" between two adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
Network Security
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario? (figure: "I am Alice" sent to Bob)
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
In a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice (figure: Trudy sends "I am Alice" to Bob)
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario? (figure: packet with Alice's IP address, "I am Alice", sent to Bob)
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Trudy can create a packet "spoofing" Alice's address (figure: packet with Alice's IP address, "I am Alice", sent by Trudy to Bob)
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Failure scenario? (figure: Alice sends [Alice's IP addr, Alice's password, "I'm Alice"]; Bob replies [Alice's IP addr, OK])
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Playback attack: Trudy records Alice's packet and later plays it back to Bob (figure: Alice sends [Alice's IP addr, Alice's password, "I'm Alice"], Bob replies [Alice's IP addr, OK]; later Trudy sends the recorded [Alice's IP addr, Alice's password, "I'm Alice"])
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Failure scenario? (figure: Alice sends [Alice's IP addr, encrypted password, "I'm Alice"]; Bob replies [Alice's IP addr, OK])
Authentication: another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Record and playback still works! (figure: Alice sends [Alice's IP addr, encrypted password, "I'm Alice"], Bob replies [Alice's IP addr, OK]; later Trudy sends the recorded [Alice's IP addr, encrypted password, "I'm Alice"])
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key
(figure: Alice: "I am Alice"; Bob: R; Alice: K_A-B(R))
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
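The replay failure of ap3.0 and the nonce fix of ap4.0, as an added example that is not part of the lecture slides. It keeps the slides' names (Alice, Bob, Trudy); the keyed HMAC used as Alice's K_A-B(R) and the sample key and password are this example's own assumptions.

```python
"""Added example (not from the slides): ap3.0 falls to playback, ap4.0's
fresh nonce does not. HMAC-SHA256 stands in for the slides' K_A-B(R);
the key and password are constructed sample values."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"alice-bob-shared-secret"   # constructed K_A-B
ALICE_PASSWORD = b"correct-horse"          # constructed ap3.0 password


# --- ap3.0: the password travels in the clear and Bob just compares it ----
def ap30_verify(packet: dict) -> bool:
    return packet["password"] == ALICE_PASSWORD


def ap30_playback_succeeds() -> bool:
    """Trudy records Alice's packet and replays it; Bob cannot tell."""
    alice_packet = {"claim": "I am Alice", "password": ALICE_PASSWORD}
    recorded = dict(alice_packet)          # Trudy's copy of the bytes on the wire
    return ap30_verify(recorded)           # accepted: replay works


# --- ap4.0: Bob challenges with a nonce R that is used only once ----------
class Bob:
    def __init__(self) -> None:
        self._outstanding = None           # nonce currently awaiting an answer

    def challenge(self) -> bytes:
        self._outstanding = secrets.token_bytes(16)   # R: fresh every time
        return self._outstanding

    def verify(self, response: bytes) -> bool:
        r, self._outstanding = self._outstanding, None   # R is consumed either way
        if r is None:
            return False
        expected = hmac.new(SHARED_KEY, r, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def alice_answer(r: bytes) -> bytes:
    """Alice's K_A-B(R): only a holder of the shared key can produce it."""
    return hmac.new(SHARED_KEY, r, hashlib.sha256).digest()


def ap40_live_alice_succeeds() -> bool:
    bob = Bob()
    return bob.verify(alice_answer(bob.challenge()))


def ap40_playback_fails() -> bool:
    """Trudy records Alice's answer to one R and replays it in a later run."""
    bob = Bob()
    recorded = alice_answer(bob.challenge())   # a genuine run Trudy observed
    bob.verify(recorded)                       # that run completes normally
    bob.challenge()                            # new run: Bob picks a new R
    return not bob.verify(recorded)            # the old answer no longer matches
```

The point the slide makes is visible in the last function: Trudy's recording is a valid answer to an R that Bob will never ask again, so it is useless against any later challenge.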
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
(figure: Alice: "I am Alice"; Bob: R; Alice: K_A-(R); Bob: "send me your public key"; Alice: K_A+)
Bob computes K_A+(K_A-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A+(K_A-(R)) = R
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
(figure, message sequence with Trudy between Alice and Bob:
Alice to Trudy, Trudy to Bob: "I am Alice"
Bob to Trudy: R; Trudy to Alice: R
Alice to Trudy: K_A-(R); Trudy to Bob: K_T-(R)
Bob to Trudy: "Send me your public key"; Trudy to Bob: K_T+
Trudy to Alice: "Send me your public key"; Alice to Trudy: K_A+
Bob to Trudy: K_T+(m); Trudy gets m = K_T-(K_T+(m)) and sends m to Alice encrypted with Alice's public key: K_A+(m)
Alice computes m = K_A-(K_A+(m)))
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well
Overview
What is network security; Principles of cryptography; Authentication; Access control: firewalls; Attacks and counter measures
Firewalls
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
(figure: administered network | firewall | public Internet)
Firewalls: Why
Prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
Prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
Allow only authorized access to inside network (set of authenticated users/hosts)
Two types of firewalls: application-level, packet-filtering
Packet Filtering
Internal network connected to Internet via router firewall
Router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
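The two filtering examples above as a stateless packet filter run over constructed sample packets; this is an added example, not code from the lecture. Example 1's stated effect (all UDP and all telnet blocked) is only reached if "protocol = 17" and "port = 23" are applied as two separate rules, which is how it is written here; Example 2 is implemented as "inbound SYN with ACK clear" so that replies to connections opened from the inside (SYN+ACK) still get in, which is what the slide's mention of the SYN and ACK bits allows for. Field names and addresses are this example's own.

```python
"""Added example (not from the slides): a stateless packet filter applying
Example 1 (drop UDP, drop telnet) and Example 2 (drop inbound connection
attempts) to constructed sample packets."""
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP = 6, 17
TELNET = 23


@dataclass(frozen=True)
class Packet:
    direction: str      # "in": from the Internet; "out": to the Internet
    src: str
    dst: str
    proto: int          # IP protocol field
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP flag bits (ignored for UDP)
    ack: bool = False


def rule_example1(p: Packet):
    """All UDP (protocol 17) and all telnet (port 23), either direction."""
    if p.proto == PROTO_UDP:
        return "drop: udp"
    if p.proto == PROTO_TCP and TELNET in (p.sport, p.dport):
        return "drop: telnet"
    return None


def rule_example2(p: Packet):
    """Inbound TCP connection attempts: SYN set and ACK clear. A SYN+ACK
    coming back to an internal client is not a new connection and passes."""
    if p.direction == "in" and p.proto == PROTO_TCP and p.syn and not p.ack:
        return "drop: inbound syn"
    return None


RULES = (rule_example1, rule_example2)


def filter_packet(p: Packet) -> str:
    """First matching rule wins; default is to forward."""
    for rule in RULES:
        verdict = rule(p)
        if verdict:
            return verdict
    return "forward"


# Constructed sample traffic (documentation-range addresses).
SAMPLE = [
    Packet("in", "198.51.100.53", "10.0.0.5", PROTO_UDP, 53, 5353),              # DNS reply
    Packet("out", "10.0.0.5", "203.0.113.9", PROTO_TCP, 40000, TELNET, syn=True), # outbound telnet
    Packet("in", "198.51.100.7", "10.0.0.80", PROTO_TCP, 51000, 80, syn=True),    # external client connects in
    Packet("in", "198.51.100.7", "10.0.0.5", PROTO_TCP, 443, 40001, syn=True, ack=True),  # SYN+ACK reply
    Packet("out", "10.0.0.5", "198.51.100.7", PROTO_TCP, 40001, 443, syn=True),   # internal client connects out
]


def run(packets=SAMPLE) -> list:
    return [filter_packet(p) for p in packets]
```

The first sample packet shows the "all or nothing" UDP problem the limitations slide raises: a DNS reply is dropped along with everything else on protocol 17, because a stateless filter has no record that the inside asked for it.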
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields
Example: allow select internal users to telnet outside
(figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter)
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing: router can't know if data "really" comes from claimed source
If multiple app's need special treatment, each has own app gateway
Client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
Filters often use all or nothing policy for UDP
Tradeoff: degree of communication with outside world, level of security
Many highly protected sites still suffer from attacks
Overview
What is network security; Principles of cryptography; Authentication; Access control: firewalls; Attacks and counter measures
Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on network. Use ping to determine what hosts have addresses on network. Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially)
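The mapping countermeasure above as detection logic run over a few constructed connection-log lines; an added example, not code from the lecture. The log format (time, source, destination, port, TCP flags), the 60-second window and the thresholds are this example's assumptions; real deployments tune them to their own baseline.

```python
"""Added example (not from the slides): flag sources that touch many ports
on one host in a short window, and distinguish a sequential scan from a
sweep of a few well-known ports. Log lines are constructed."""
from collections import defaultdict

# Constructed sample of inbound TCP SYNs: "time src dst dport flags"
SAMPLE_LOG = """\
1000.0 203.0.113.5 10.0.0.80 80 S
1000.1 203.0.113.5 10.0.0.80 443 S
1001.0 198.51.100.9 10.0.0.80 21 S
1001.1 198.51.100.9 10.0.0.80 22 S
1001.2 198.51.100.9 10.0.0.80 23 S
1001.3 198.51.100.9 10.0.0.80 24 S
1001.4 198.51.100.9 10.0.0.80 25 S
1001.5 198.51.100.9 10.0.0.80 26 S
1002.0 203.0.113.5 10.0.0.80 8080 S
"""


def parse(log: str):
    for line in log.splitlines():
        ts, src, dst, dport, flags = line.split()
        yield float(ts), src, dst, int(dport), flags


def longest_sequential_run(ports: list) -> int:
    """Length of the longest run of ports each one higher than the previous."""
    best = run = 1
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_scanners(log: str, window: float = 60.0, min_ports: int = 5, min_run: int = 4) -> dict:
    """Alert on (src, dst) pairs with >= min_ports distinct ports inside any
    `window` seconds; a run of >= min_run consecutive ports, in probe order,
    is reported as a sequential scan."""
    touches = defaultdict(list)                   # (src, dst) -> [(ts, dport)]
    for ts, src, dst, dport, flags in parse(log):
        if "S" in flags:                          # connection attempts only
            touches[(src, dst)].append((ts, dport))
    alerts = {}
    for key, events in touches.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            burst = [p for t, p in events[i:] if t - t0 <= window]
            ordered = list(dict.fromkeys(burst))  # distinct ports, probe order kept
            if len(ordered) >= min_ports:
                run = longest_sequential_run(ordered)
                alerts[key] = {
                    "ports": len(ordered),
                    "sequential_run": run,
                    "kind": "sequential scan" if run >= min_run else "port sweep",
                }
                break
    return alerts
```

Sequential port order is a strong signal precisely because ordinary clients never produce it; a source that probes only 80, 443 and 8080 (the other address in the sample) stays below the threshold and is not reported.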
Internet security threats: Packet sniffing
Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g., passwords); e.g., C sniffs B's packets
(figure: hosts A, B, C on a shared medium; frame src:B dest:A payload)
Countermeasures?
Internet security threats: Packet sniffing countermeasures
All hosts in organization run software that checks periodically if host interface in promiscuous mode
One host per segment of broadcast media (switched Ethernet at hub)
(figure: hosts A, B, C; frame src:B dest:A payload)
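The host-side promiscuous-mode check above, as an added example that is not from the lecture. It reads the interface flags from constructed `ip -o link show` output and from constructed `/sys/class/net/<iface>/flags` values so it runs offline; on a live Linux host the same parsers would be fed the real command output and sysfs files. The flag bit value for IFF_PROMISC (0x100) is the Linux kernel's.

```python
"""Added example (not from the slides): find interfaces in promiscuous mode
from `ip -o link show` output or from sysfs flag values. Sample output and
flag values below are constructed."""
import re

IFF_PROMISC = 0x100   # Linux interface flag bit for promiscuous mode


def promiscuous_from_ip_link(output: str) -> list:
    """Interface names whose <...> flag list in `ip -o link show` contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = re.match(r"\d+:\s+(\S+?):\s+<([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promiscuous_from_sysfs(flags_by_iface: dict) -> list:
    """Same check from the hex value in /sys/class/net/<iface>/flags."""
    return [name for name, hexflags in flags_by_iface.items()
            if int(hexflags, 16) & IFF_PROMISC]


# Constructed sample output of `ip -o link show`
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
"""
# Constructed sample sysfs flag values (UP|LOOPBACK; UP|BROADCAST|MULTICAST|PROMISC; UP|BROADCAST|MULTICAST)
SAMPLE_SYSFS = {"lo": "0x9", "eth0": "0x1103", "wlan0": "0x1003"}
```

Both readings should agree; the sysfs path is the one to prefer in a periodic agent because it needs no subprocess, but note that either only sees the host it runs on, which is why the slide pairs this check with switching so a sniffer has nothing to see in the first place.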
Internet security threats: IP Spoofing
Can generate "raw" IP packets directly from application, putting any value into IP source address field
Receiver can't tell if source is spoofed; e.g., C pretends to be B
(figure: hosts A, B, C; frame src:B dest:A payload, sent by C)
Countermeasures?
Internet security threats: IP Spoofing: ingress filtering
Routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
Great, but ingress filtering can not be mandated for all networks
(figure: hosts A, B, C; frame src:B dest:A payload)
Internet security threats: Denial of service (DOS)
Flood of maliciously generated packets "swamp" receiver
Distributed DOS (DDOS): multiple coordinated sources swamp receiver; e.g., C and remote host SYN-attack A
(figure: hosts A, B, C; SYN packets flooding A from C and a remote host)
Countermeasures?
Internet security threats: Denial of service (DOS) countermeasures
Filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
Traceback to source of floods (most likely an innocent, compromised machine)
(figure: hosts A, B, C; SYN flood)
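A per-source SYN rate limiter of the "filter floods before they reach the host" kind, as an added example that is not from the lecture. It is written to show both caveats the slide raises: a busy but honest client loses connections too (good thrown out with bad), and a flood spread across many sources, each under budget, passes untouched, which is why traceback to the real origin matters. Budget, window and the traces are constructed values.

```python
"""Added example (not from the slides): a per-source SYN budget in front of
a host, replayed over constructed traces. Shows the collateral damage and
the distributed-flood blind spot the slides mention."""
from collections import defaultdict, deque


class SynRateFilter:
    def __init__(self, max_syn: int, window: float) -> None:
        self.max_syn, self.window = max_syn, window
        self.recent = defaultdict(deque)       # src -> timestamps of recent SYNs

    def admit(self, ts: float, src: str, syn: bool) -> bool:
        if not syn:
            return True                        # only connection attempts count
        q = self.recent[src]
        while q and ts - q[0] > self.window:   # forget SYNs outside the window
            q.popleft()
        if len(q) >= self.max_syn:
            return False                       # over budget: dropped before the host
        q.append(ts)
        return True


def replay(events: list, max_syn: int = 3, window: float = 1.0) -> list:
    f = SynRateFilter(max_syn, window)
    return [f.admit(*e) for e in events]


# Constructed trace: (time, source, is_syn). C floods A; B opens one connection.
SAMPLE = [
    (0.00, "C", True), (0.01, "C", True), (0.02, "C", True),
    (0.03, "C", True), (0.04, "C", True),
    (0.05, "B", True), (0.06, "B", False),
    (1.10, "C", True),                         # C's window has cleared by now
]


def legit_burst_collateral() -> list:
    """An honest client opening 4 connections in 0.1 s: the 4th is dropped."""
    return replay([(0.0, "B", True), (0.03, "B", True), (0.06, "B", True), (0.09, "B", True)])


def spoofed_flood_passes(n_sources: int = 50) -> bool:
    """One SYN each from n spoofed sources: every one stays under budget."""
    events = [(i * 0.001, f"spoofed-{i}", True) for i in range(n_sources)]
    return all(replay(events))
```

Per-source budgets are a first line, not a solution: the last function is the DDOS case from the slide, where no single source ever looks abusive.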
Review (1): Network Layer
Virtual Circuits and Datagram Networks
Routing Principles: Link State Algorithm; Distance Vector Algorithm
The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation
Review (2): Data link layer
Introduction and services
Error detection and correction
Multiple access protocols: TDMA/FDMA; Random Access Protocols; "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs
Review (3): What is network security
Principles of cryptography: Symmetric Key; Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing; IP spoofing; DoS attacks
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = infinity
Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        inf        inf
1     ux       2,u        4,x                   2,x        inf
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
(figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2)
Distance vector algorithm (1)
Basic idea: Each node periodically sends its own distance vector estimate to neighbors. When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
D_x(y) <- min_v { c(x,v) + D_v(y) } for each node y in N
Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path: only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor)
Why different Intra- and Inter-AS routing? (only the end of this slide survives)
... update traffic
Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance
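Both routing algorithms from the review, run on the graph of the Dijkstra example above and checked against its table; an added example, not code from the lecture. The link-state part follows the slide's pseudocode step for step; the distance-vector part is a synchronous round-based simulation (every node applies the B-F equation once per round from its neighbours' last vectors), whereas the slides describe the asynchronous, message-driven version. The graph costs are read from the example figure.

```python
"""Added example (not from the slides): link-state (Dijkstra) and
distance-vector (Bellman-Ford rounds) on the example graph, plus the
next-hop tables each one yields. Graph costs are from the slide figure."""
INF = float("inf")

# Undirected link costs from the Dijkstra example figure.
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph: dict, u: str) -> tuple:
    """Returns (D, p, N): least costs, predecessors, and the order in which
    nodes entered N. Ties are broken by node order, so N may differ from the
    slide's table at a tie; D and p do not."""
    N = [u]
    D = {v: INF for v in graph}
    p = {v: None for v in graph}
    D[u] = 0
    for v, c in graph[u].items():             # initialization: u's neighbours
        D[v], p[v] = c, u
    while len(N) < len(graph):
        w = min((v for v in graph if v not in N), key=lambda v: D[v])
        N.append(w)                            # add w to N
        for v, c in graph[w].items():          # update D(v) for v adjacent to w
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p, N


def forwarding_table_ls(graph: dict, u: str) -> dict:
    """Next hop from u to each destination, by walking p() back to u."""
    _, p, _ = dijkstra(graph, u)
    table = {}
    for dest in graph:
        if dest == u:
            continue
        hop = dest
        while p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table


def distance_vector(graph: dict) -> tuple:
    """Synchronous rounds of D_x(y) <- min_v { c(x,v) + D_v(y) }.
    Returns (D, rounds) once no estimate changes."""
    nodes = list(graph)
    D = {x: {y: (0 if x == y else graph[x].get(y, INF)) for y in nodes} for x in nodes}
    rounds = 0
    while True:
        changed = False
        new = {x: {} for x in nodes}
        for x in nodes:
            for y in nodes:
                best = 0 if x == y else min(c + D[v][y] for v, c in graph[x].items())
                new[x][y] = best
                changed |= best != D[x][y]
        D, rounds = new, rounds + 1
        if not changed:
            return D, rounds


def next_hops_dv(graph: dict, D: dict, x: str) -> dict:
    """What x knows: only the neighbour v that minimises c(x,v) + D_v(y)."""
    return {y: min(graph[x], key=lambda v: graph[x][v] + D[v][y])
            for y in D[x] if y != x}
```

The two algorithms agree on costs and next hops, which is the point of the review: link state computes the whole path from a complete map, distance vector arrives at the same first hop from neighbours' estimates alone and never learns the path beyond it.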
Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
Layer-2 packet is a frame, encapsulates datagram
(figure: a "link" between adjacent nodes)
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access: access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission
Collision: entire packet transmission time wasted
(figure: spatial layout of nodes; time/space diagram of two overlapping transmissions)
Note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
Collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
(figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
(figure: A, R, B across two LANs)
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame; R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
(figure: A, R, B)
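The ARP cache with its soft-state TTL and the A-to-B-via-R walkthrough above, simulated on one constructed two-LAN topology; an added example, not code from the lecture. The router address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's; every other address is constructed. The router gets one interface object per LAN so that, as the slide says, it has two ARP tables.

```python
"""Added example (not from the slides): ARP table with 20-minute soft
state, broadcast query / unicast reply, and the two-hop delivery A -> R -> B.
Addresses other than 111.111.111.110 / E6-E9-00-17-BB-4B are constructed."""
import ipaddress

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60                     # seconds: "typically 20 min"


class ArpTable:
    """<IP address; MAC address; TTL> entries; forgotten unless refreshed."""
    def __init__(self) -> None:
        self.entries = {}             # ip -> (mac, expires_at)

    def lookup(self, ip: str, now: float):
        hit = self.entries.get(ip)
        if hit and hit[1] > now:
            return hit[0]
        self.entries.pop(ip, None)    # stale mapping times out
        return None

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now + ARP_TTL)


class Lan:
    def __init__(self, prefix: str) -> None:
        self.net, self.nodes = ipaddress.ip_network(prefix), []

    def arp_query(self, target_ip: str) -> str:
        # dest MAC FF-FF-FF-FF-FF-FF: every node sees the query; only the
        # owner of target_ip answers, and it answers by unicast
        for n in self.nodes:
            if n.ip == target_ip:
                return n.mac
        raise LookupError(f"{target_ip} not on {self.net}")


class Interface:
    """A host's adapter, or one router interface (each with its own ARP table)."""
    def __init__(self, name: str, lan: Lan, ip: str, mac: str) -> None:
        self.name, self.lan, self.ip, self.mac = name, lan, ip, mac
        self.arp = ArpTable()
        lan.nodes.append(self)

    def resolve(self, ip: str, now: float, trace: list) -> str:
        mac = self.arp.lookup(ip, now)
        if mac is None:
            trace.append((self.name, "ARP query", ip))
            mac = self.lan.arp_query(ip)
            self.arp.learn(ip, mac, now)
        return mac


class Router:
    def __init__(self, *interfaces: Interface) -> None:
        self.ifaces = interfaces

    def address_on(self, lan: Lan) -> str:
        return next(i.ip for i in self.ifaces if i.lan is lan)

    def interface_for(self, ip: str) -> Interface:
        addr = ipaddress.ip_address(ip)
        return next(i for i in self.ifaces if addr in i.lan.net)


def send_datagram(src: Interface, dst_ip: str, router: Router, now: float, trace: list) -> list:
    """Link-layer frames (src MAC, dst MAC, LAN) used to carry one datagram."""
    frames = []
    if ipaddress.ip_address(dst_ip) in src.lan.net:
        next_ip = dst_ip                          # same LAN: ARP for B directly
    else:
        next_ip = router.address_on(src.lan)      # routing table: first-hop router
    frames.append((src.mac, src.resolve(next_ip, now, trace), str(src.lan.net)))
    if next_ip == dst_ip:
        return frames
    out = router.interface_for(dst_ip)            # R strips the frame, routes on dst IP
    frames.append((out.mac, out.resolve(dst_ip, now, trace), str(out.lan.net)))
    return frames


def build() -> tuple:
    lan1, lan2 = Lan("111.111.111.0/24"), Lan("222.222.222.0/24")
    a = Interface("A", lan1, "111.111.111.111", "74-29-9C-E8-FF-55")      # constructed
    r1 = Interface("R-if1", lan1, "111.111.111.110", "E6-E9-00-17-BB-4B")  # from the slide
    r2 = Interface("R-if2", lan2, "222.222.222.220", "1A-23-F9-CD-06-9B")  # constructed
    b = Interface("B", lan2, "222.222.222.222", "49-BD-D2-C7-56-2A")      # constructed
    return a, b, Router(r1, r2)
```

The trace shows the two ARP exchanges happen once, then the caches serve later datagrams until the 20-minute TTL lapses. Because the slide's "plug-and-play" ARP caches whatever reply arrives, a defender's monitoring usually watches these tables for an IP whose MAC changes unexpectedly.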
Ethernet uses CSMA/CD
No slots
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec
Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3} ...
after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
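The backoff rule above, with the K range capped after ten collisions as the slide states, plus a small slot-based simulation of several adapters resolving a collision; an added example, not code from the lecture. The attempt limit of 16 and the seeded random source are this example's assumptions (the slide does not say when an adapter gives up).

```python
"""Added example (not from the slides): binary exponential backoff with the
cap at 2^10, the slide's wait-time arithmetic, and a collision-resolution
simulation in 512-bit slots. Seeded so it is reproducible."""
import random

SLOT_BITS = 512
BIT_TIME_10MBPS = 0.1e-6            # .1 microsecond per bit at 10 Mbps


def backoff_range(m: int) -> int:
    """After the m-th collision K is drawn from {0, ..., 2^min(m,10) - 1}."""
    return 2 ** min(m, 10)


def wait_seconds(k: int, bit_time: float = BIT_TIME_10MBPS) -> float:
    return k * SLOT_BITS * bit_time


def simulate_collision_resolution(n_adapters: int, seed: int = 1, max_attempts: int = 16) -> dict:
    """All adapters have a frame ready at slot 0 and collide. Returns the
    slot in which each adapter finally transmitted alone (-1: gave up).
    An adapter whose timer expires while another transmits defers to the
    next slot (carrier sense); two or more ready in one slot collide."""
    rng = random.Random(seed)
    collisions = {i: 0 for i in range(n_adapters)}
    ready_at = {i: 0 for i in range(n_adapters)}
    finished = {}
    slot = 0
    while len(finished) < n_adapters:
        contenders = [i for i in range(n_adapters)
                      if i not in finished and ready_at[i] <= slot]
        if len(contenders) == 1:
            finished[contenders[0]] = slot          # alone on the channel: done
        elif contenders:
            for i in contenders:                    # collision: jam, then back off
                collisions[i] += 1
                if collisions[i] > max_attempts:
                    finished[i] = -1
                else:
                    k = rng.randrange(backoff_range(collisions[i]))
                    ready_at[i] = slot + 1 + k      # wait K * 512 bit times
        slot += 1
    return finished
```

Because the K range doubles with every collision, the adapters spread out quickly: with a handful of stations the whole group usually gets through within a few dozen slots, and the 1023-slot maximum (about 52 ms at 10 Mbps) is only reached under sustained heavy load.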
CSMA/CD efficiency
t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter)
(figure: twisted pair links to a hub)
Interconnecting with hubs
Pros: Enables interdepartmental communication; Extends max distance btw nodes; If a hub malfunctions, the backbone hub can disconnect it
Cons: Collision domains are transferred into one large common domain; Cannot interconnect 10BaseT and 100BaseT hubs
(figure: backbone hub connecting three hubs)
Switch
Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent: hosts are unaware of presence of switches
Plug-and-play, self-learning: switches do not need to be configured
Forwarding
How to determine onto which LAN segment to forward frame? Looks like a routing problem...
(figure: switch with interfaces 1, 2, 3, each connected to a hub)
Self learning
A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table
Switch: traffic isolation
Switch installation breaks subnet into LAN segments
Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
(figure: three hubs, each its own collision domain, connected to a switch)
Switches vs Routers
Both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices
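The forwarding, self-learning and traffic-isolation behaviour of the switch slides in one small model, run on a constructed frame sequence; an added example, not code from the lecture. The 60-minute aging value is the slide's; interface numbering and MAC addresses are constructed.

```python
"""Added example (not from the slides): a self-learning switch with a
(MAC, interface, timestamp) table, flooding for unknown destinations,
same-segment filtering, and 60-minute aging. Frames are constructed."""
TABLE_TTL = 60 * 60                 # seconds: "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, n_interfaces: int) -> None:
        self.ports = list(range(1, n_interfaces + 1))
        self.table = {}             # mac -> (interface, timestamp)

    def _expire(self, now: float) -> None:
        for mac, (_, ts) in list(self.table.items()):
            if now - ts > TABLE_TTL:
                del self.table[mac]             # stale entry dropped

    def receive(self, frame: dict, in_port: int, now: float) -> list:
        """Returns the interfaces the frame is sent out on."""
        src, dst = frame["src"], frame["dst"]
        self._expire(now)
        self.table[src] = (in_port, now)        # learn: sender is on in_port
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood
        out_port, _ = self.table[dst]
        if out_port == in_port:
            return []                           # filter: same LAN segment
        return [out_port]                       # forward selectively


def demo() -> list:
    """Five frames through a 3-port switch; A and C share the hub on port 1."""
    sw = LearningSwitch(3)
    a, b, c = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    return [
        sw.receive({"src": a, "dst": b}, 1, now=0),      # B unknown: flood to 2, 3
        sw.receive({"src": b, "dst": a}, 2, now=1),      # A known on 1: forward there
        sw.receive({"src": c, "dst": a}, 1, now=2),      # same segment: filtered
        sw.receive({"src": a, "dst": b}, 1, now=3),      # B known on 2
        sw.receive({"src": a, "dst": b}, 1, now=3700),   # B aged out: flood again
    ]
```

The third frame is the traffic-isolation property from the slide: C and A sit on the same hub, so the switch has nothing to do and the frame never leaves that collision domain. Note also that the table is learned from whatever source address a frame carries, which is what makes the switch plug-and-play and also why port-to-MAC changes are something a network operator watches.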
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
(figure: A, B, C in a line)
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B
(figure: A's signal strength and C's signal strength over space, each fading before reaching the other)
Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code; widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
Wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
Ad hoc mode: hosts only
(figure: BSS 1 and BSS 2, each with an AP, connected via hub, switch or router to the Internet)
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
(figure: sender sends data after DIFS; receiver returns ACK after SIFS)
Collision Avoidance: RTS-CTS exchange
(figure, A and B to AP over time: RTS(A) and RTS(B) collide at AP (reservation collision); A retries RTS(A); AP broadcasts CTS(A); B defers; A sends DATA(A); AP broadcasts ACK(A))
802.11 frame
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
(figure: H1 -- AP -- R1 -- Internet)
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
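The frame layout and the three-address case above, as a parser for an infrastructure-mode data frame and the AP's conversion to an 802.3 frame; an added example, not code from the lecture. It follows the slide's figure in putting the AP's address as the 802.3 source. Frame bytes and MAC addresses are constructed; address 4 is omitted because, as the slide says, it is only used in ad hoc mode.

```python
"""Added example (not from the slides): build and parse an 802.11 data
frame (frame control, duration, addr1-3, seq control, payload, CRC) and do
the AP's address translation to 802.3. All values are constructed."""
import struct
import zlib

TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS = 0x01, 0x02
HEADER_LEN, FCS_LEN = 24, 4

H1, AP, R1 = "02-00-00-00-00-01", "02-00-00-00-00-AA", "02-00-00-00-00-11"   # constructed


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split("-"))


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def build_80211_data(addr1: str, addr2: str, addr3: str, payload: bytes,
                     seq: int = 0, flags: int = FLAG_TO_DS) -> bytes:
    """frame control(2) | duration(2) | addr1(6) | addr2(6) | addr3(6) |
    seq control(2) | payload | CRC(4); little-endian as on the air."""
    frame_control = bytes([TYPE_DATA << 2, flags])   # version 0, type data, subtype 0
    header = frame_control + struct.pack("<H6s6s6sH", 0, mac_bytes(addr1),
                                         mac_bytes(addr2), mac_bytes(addr3), seq << 4)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_valid(frame: bytes) -> bool:
    body, (fcs,) = frame[:-FCS_LEN], struct.unpack("<I", frame[-FCS_LEN:])
    return zlib.crc32(body) == fcs


def parse_80211_data(frame: bytes) -> dict:
    if len(frame) < HEADER_LEN + FCS_LEN:
        raise ValueError("frame too short")
    if not fcs_valid(frame):
        raise ValueError("bad CRC")
    if (frame[0] >> 2) & 0x3 != TYPE_DATA:
        raise ValueError("not a data frame")
    flags = frame[1]
    if flags & FLAG_FROM_DS:
        raise ValueError("from-DS and four-address frames are not handled here")
    _, a1, a2, a3, seq = struct.unpack_from("<H6s6s6sH", frame, 2)
    return {"to_ds": bool(flags & FLAG_TO_DS), "addr1": mac_str(a1),
            "addr2": mac_str(a2), "addr3": mac_str(a3), "seq": seq >> 4,
            "payload": frame[HEADER_LEN:-FCS_LEN]}


def ap_to_8023(parsed: dict, ap_mac: str, ethertype: int = 0x0800) -> dict:
    """AP relays a to-DS frame onto the wired LAN. Per the slide's figure:
    802.3 dest = address 3 (the router interface), source = the AP."""
    if not parsed["to_ds"] or parsed["addr1"] != ap_mac:
        raise ValueError("frame is not addressed to this AP")
    header = struct.pack("!6s6sH", mac_bytes(parsed["addr3"]), mac_bytes(ap_mac), ethertype)
    return {"dst": parsed["addr3"], "src": ap_mac, "frame": header + parsed["payload"]}
```

The CRC check comes first on purpose: in the slides the receiver only ACKs a frame "received OK", and the CRC is what decides that. Note, too, that nothing in this header authenticates addresses 2 or 3; they are plain fields, which is why 802.11 link security is layered on top of the frame format rather than being part of it.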
Network Security
What is network security
Principles of cryptography: Symmetric Key; Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing; IP spoofing; DoS attacks
Network Security
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
Failure scenarioldquoI am Alicerdquo
Authentication
Goal Bob wants Alice to ldquoproverdquo her identity to him
Protocol ap10 Alice says ldquoI am Alicerdquo
in a networkBob can not ldquoseerdquo
Alice so Trudy simply declares
herself to be AliceldquoI am Alicerdquo
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Failure scenario
ldquoI am AlicerdquoAlicersquos
IP address
Authentication another try
Protocol ap20 Alice says ldquoI am Alicerdquo in an IP packetcontaining her source IP address
Trudy can createa packet
ldquospoofingrdquoAlicersquos addressldquoI am Alicerdquo
Alicersquos IP address
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
playback attack Trudy records Alicersquos
packetand later
plays it back to Bob
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
Authentication yet another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
encrypted password
OKAlicersquos IP addr
Authentication another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
recordand
playbackstill works
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
Authentication yet another try
Goal avoid playback attack
Failures drawbacks
Nonce number (R) used only once ndashin-a-lifetime
ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice
must return R encrypted with shared secret keyldquoI am Alicerdquo
R
K (R)A-B
Alice is live and only Alice knows key to encrypt
nonce so it must be Alice
Authentication ap50
ap40 requires shared symmetric key can we authenticate using public key techniquesap50 use nonce public key cryptography
ldquoI am Alicerdquo
RBob computes
K (R)A-
ldquosend me your public keyrdquo
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the
private key that encrypted R such that
(K (R)) = RA-
K A+
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alicersquos public key
AK (m)+
Am = K (K (m))+
A-
R
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing: router can't know if data "really" comes from claimed source
if multiple apps need special treatment, each has own app gateway
client software must know how to contact gateway, e.g. must set IP address of proxy in Web browser
filters often use all-or-nothing policy for UDP
tradeoff: degree of communication with outside world vs. level of security
many highly protected sites still suffer from attacks
Overview
What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.
Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on network. Use ping to determine what hosts have addresses on network. Port-scanning: try to establish TCP connection to each port in sequence.
Countermeasures?
Internet security threats
Mapping countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially)
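The mapping countermeasure above, recording connection attempts and looking for ports probed in sequence, run over a few constructed log lines (added example, not lecture code). The log format "<time> <src_ip> -> <dst_ip>:<port> <flags>" is this example's own convention, not a real tool's output.

```python
"""Look for sequential port scans in a connection log, the mapping
countermeasure described above.

Added example, not lecture code. The log lines are constructed, and their
format "<time> <src_ip> -> <dst_ip>:<port> <tcp_flags>" is this example's own
convention rather than any real tool's output.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\S+)$")

# Constructed log: one source walks through ports of one host in ascending
# order; a second source just retries a web connection.
SAMPLE_LOG = """\
100 198.51.100.7 -> 192.0.2.10:21 SYN
101 198.51.100.7 -> 192.0.2.10:22 SYN
101 198.51.100.7 -> 192.0.2.10:23 SYN
102 198.51.100.7 -> 192.0.2.10:25 SYN
102 198.51.100.7 -> 192.0.2.10:80 SYN
103 198.51.100.7 -> 192.0.2.10:110 SYN
104 203.0.113.5 -> 192.0.2.10:443 SYN
105 203.0.113.5 -> 192.0.2.10:443 SYN
106 203.0.113.5 -> 192.0.2.10:80 SYN
"""

def parse_log(text: str) -> List[Tuple[int, str, str, int]]:
    """Return (time, src, dst, port) for each SYN line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(5) == "SYN":          # only connection attempts matter here
            t, src, dst, port, _ = m.groups()
            events.append((int(t), src, dst, int(port)))
    return events

def find_port_scanners(events, min_ports: int = 5, window: int = 10) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs that touch at least `min_ports` distinct ports on
    one host within any `window`-long time span, and report whether the ports
    were probed in ascending order (the "scanned sequentially" pattern)."""
    by_pair = defaultdict(list)
    for t, src, dst, port in events:
        by_pair[(src, dst)].append((t, port))
    flagged = {}
    for pair, probes in by_pair.items():
        probes.sort()                       # by time, then port
        for start, _ in probes:
            in_window = [p for t, p in probes if start <= t <= start + window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_ports:
                order = [p for _, p in probes]
                flagged[pair] = {
                    "ports": distinct,
                    "sequential": all(a < b for a, b in zip(order, order[1:])),
                }
                break
    return flagged

if __name__ == "__main__":
    for (src, dst), info in find_port_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src} against {dst}: ports {info['ports']}"
              f"{' (sequential)' if info['sequential'] else ''}")
```

The thresholds (five distinct ports inside ten time units) are deliberately low for the sample; on real traffic they are tuned against the site's normal connection patterns, and a slow scan spread over hours needs a longer window.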
Internet security threats: Packet sniffing
broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords); e.g. C sniffs B's packets
[figure: hosts A, B, C on a shared segment; frame src:B dest:A payload, read by C]
Countermeasures?
Internet security threats: Packet sniffing countermeasures
all hosts in organization run software that checks periodically if host interface is in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
[figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats: IP Spoofing
can generate "raw" IP packets directly from application, putting any value into IP source address field
receiver can't tell if source is spoofed; e.g. C pretends to be B
[figure: hosts A, B, C; frame src:B dest:A payload, sent by C]
Countermeasures?
Internet security threats: IP Spoofing: ingress filtering
routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network)
great, but ingress filtering can not be mandated for all networks
[figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats: Denial of service (DOS)
flood of maliciously generated packets "swamp" receiver
Distributed DOS (DDOS): multiple coordinated sources swamp receiver; e.g. C and remote host SYN-attack A
[figure: hosts A, B, C; C and a remote host send streams of SYN segments to A]
Countermeasures?
Internet security threats: Denial of service (DOS) countermeasures
filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad
traceback to source of floods (most likely an innocent, compromised machine)
[figure: hosts A, B, C; SYN flood toward A]
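The two router-side countermeasures from the ingress-filtering and DoS slides above, combined in one pass over constructed traffic (added example, not lecture code). The site prefix, the addresses, the 20-SYNs-per-second cap and the per-destination sliding window are this example's assumptions; "filter out flooded packets" is realised here as a SYN rate limit per destination, which drops legitimate SYNs along with the flood once the cap is hit, exactly the "throw out good with bad" cost the slide names.

```python
"""Router-side countermeasures from the two slides above: ingress filtering of
spoofed source addresses, and rate-limiting SYNs so a flood is dropped before
it reaches the host.

Added example, not lecture code. The prefix, addresses, traffic and the
threshold of 20 SYNs per second are constructed; per-destination SYN rate
limiting is this example's concrete reading of "filter out flooded packets",
and it drops good with bad exactly as the slide warns.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Dict, List, Tuple

class IngressFilter:
    """Drop packets leaving the site whose source is not inside the site's own prefixes."""
    def __init__(self, site_prefixes: List[str]):
        self.nets = [ipaddress.ip_network(p) for p in site_prefixes]

    def source_is_valid(self, src_ip: str) -> bool:
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.nets)

class SynRateLimiter:
    """Sliding-window cap on SYNs forwarded toward each destination."""
    def __init__(self, max_syn: int, window: float):
        self.max_syn, self.window = max_syn, window
        self.recent: Dict[str, deque] = defaultdict(deque)  # dst -> times of forwarded SYNs

    def admit(self, dst_ip: str, now: float) -> bool:
        q = self.recent[dst_ip]
        while q and now - q[0] > self.window:   # expire entries older than the window
            q.popleft()
        if len(q) >= self.max_syn:
            return False
        q.append(now)
        return True

def process(packets: List[dict], ingress: IngressFilter, limiter: SynRateLimiter) -> Tuple[int, int, int]:
    """Return (forwarded, dropped as spoofed, dropped as flood) for packets given
    as dicts with keys t, src, dst, syn; packets are handled in time order."""
    forwarded = spoofed = flood = 0
    for p in sorted(packets, key=lambda p: p["t"]):
        if not ingress.source_is_valid(p["src"]):
            spoofed += 1            # ingress filtering: source not in our network
            continue
        if p["syn"] and not limiter.admit(p["dst"], p["t"]):
            flood += 1              # over the SYN cap: dropped before reaching the host
            continue
        forwarded += 1
    return forwarded, spoofed, flood

def demo() -> Tuple[int, int, int]:
    ingress = IngressFilter(["203.0.113.0/24"])          # the router's own network (constructed)
    limiter = SynRateLimiter(max_syn=20, window=1.0)
    victim = "198.51.100.10"
    pkts = [{"t": 0.0, "src": "203.0.113.5", "dst": victim, "syn": True}]   # one legitimate connect
    # ten packets claiming sources outside our prefix: spoofed, dropped at ingress
    pkts += [{"t": 0.1 + i * 0.01, "src": f"192.0.2.{i + 1}", "dst": victim, "syn": True}
             for i in range(10)]
    # a compromised internal host floods the victim with 100 SYNs in half a second
    pkts += [{"t": 0.2 + i * 0.005, "src": "203.0.113.77", "dst": victim, "syn": True}
             for i in range(100)]
    return process(pkts, ingress, limiter)

if __name__ == "__main__":
    print("forwarded, dropped (spoofed), dropped (flood):", demo())
```

In the demo the legitimate SYN plus the first 19 flood SYNs fill the window, and the remaining 81 are dropped; a legitimate client arriving during the flood would be dropped in the same way. The ingress filter catches only sources outside the site's prefix, which is why the slide notes it cannot help unless the network the spoofed packets leave from also applies it.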
Review (1): Network Layer
Virtual circuits and datagram networks; routing principles: link state algorithm, distance vector algorithm
The Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)
Review (2): Data link layer
Introduction and services; error detection and correction; multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
Link-layer addressing; Ethernet; hubs and switches; mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network security
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'
Dijkstra's algorithm example
Step | N'     | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux     | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
[figure: graph with nodes u, v, w, x, y, z and link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5]
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$
Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by local link cost change or DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only the next hop
Each node: wait for (change in local link cost or msg from neighbor), then update its DV
Why different intra- and inter-AS routing? Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance
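Both routing algorithms reviewed above, run on the six-node example graph and checked against each other (added example, not lecture code). The figure lists the link costs without saying which edge carries which, so the pairing used here (u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2) is an assumption; it is the one that reproduces the D(v),p(v) table step by step. Where two nodes outside N' tie on D(), the node whose cost was lowered most recently is taken, which is the tie-break that makes the table add y before v at step 2. The distance-vector part is the synchronous Bellman-Ford iteration from the equation above, and next_hops shows the only thing a DV node actually keeps.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) routing computed on
the six-node example graph from the slides.

Added example, not lecture code. The edge costs below are the assignment that
reproduces the D(v),p(v) table above; the figure lists the costs without the
pairing, so treat the pairing as an assumption. Ties between nodes outside N'
go to the node whose cost was updated most recently.
"""
from math import inf
from typing import Dict, List, Tuple

EDGES = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}

def adjacency(edges=EDGES) -> Dict[str, Dict[str, int]]:
    """Undirected adjacency map: node -> {neighbour: cost}."""
    adj: Dict[str, Dict[str, int]] = {}
    for (a, b), c in edges.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj

def dijkstra(adj, source: str) -> Tuple[Dict[str, float], Dict[str, str], List[str]]:
    """Return least costs D, predecessors p, and N' after each step."""
    D = {v: inf for v in adj}
    p = {v: None for v in adj}
    D[source] = 0
    N = [source]
    stamp = {}                        # node -> step at which D(node) was last lowered
    for v, c in adj[source].items():  # initialization: direct neighbours of the source
        D[v], p[v], stamp[v] = c, source, 0
    steps = ["".join(N)]
    step = 0
    while len(N) < len(adj):
        step += 1
        # find w not in N' with minimum D(w); ties go to the most recently updated node
        w = min((v for v in adj if v not in N), key=lambda v: (D[v], -stamp.get(v, -1)))
        N.append(w)
        for v, c in adj[w].items():   # relax edges out of w
            if v not in N and D[w] + c < D[v]:
                D[v], p[v], stamp[v] = D[w] + c, w, step
        steps.append("".join(N))
    return D, p, steps

def distance_vector(adj, max_rounds: int = 50) -> Tuple[Dict[str, Dict[str, float]], int]:
    """Synchronous Bellman-Ford: every node repeatedly recomputes
    D_x(y) = min over neighbours v of c(x,v) + D_v(y) from its neighbours'
    last advertised vectors, until no vector changes. Returns (vectors, rounds)."""
    nodes = sorted(adj)
    D = {x: {y: (0 if x == y else adj[x].get(y, inf)) for y in nodes} for x in nodes}
    for rnd in range(1, max_rounds + 1):
        new = {x: {y: (0 if x == y else min(c + D[v][y] for v, c in adj[x].items()))
                   for y in nodes} for x in nodes}
        if new == D:
            return D, rnd - 1
        D = new
    return D, max_rounds

def next_hops(adj, x: str) -> Dict[str, str]:
    """What a DV node actually keeps: the neighbour achieving D_x(y), not the path."""
    D, _ = distance_vector(adj)
    return {y: min(adj[x], key=lambda v: adj[x][v] + D[v][y]) for y in D if y != x}

if __name__ == "__main__":
    adj = adjacency()
    D, p, steps = dijkstra(adj, "u")
    print("N' per step:", steps)
    print("D:", D)
    print("p:", p)
    print("DV from u:", distance_vector(adj)[0]["u"], "next hops:", next_hops(adj, "u"))
```

Both algorithms arrive at the same costs from u (v:2, w:3, x:1, y:2, z:4), but only Dijkstra's predecessor map can reconstruct the paths; the DV node at u knows just that everything except v is reached through x.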
Data Link Layer: some terminology
hosts and routers are nodes
communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
layer-2 packet is a frame, encapsulates datagram
[figure: a "link" between adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates
Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access; access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = $p(1-p)^{N-1}$
prob that there is a success = $Np(1-p)^{N-1}$
For max efficiency with N nodes, find p* that maximizes $Np(1-p)^{N-1}$
For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, gives $1/e = 0.37$
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
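The maximization and the limit stated above, carried through with the slide's own symbols (added derivation, not part of the slides):

\[
\begin{aligned}
S(p) &= Np(1-p)^{N-1} \\
S'(p) &= N(1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr] = N(1-p)^{N-2}(1 - Np) = 0
\;\Rightarrow\; p^* = \frac{1}{N} \\
S(p^*) &= N \cdot \frac{1}{N}\Bigl(1-\frac{1}{N}\Bigr)^{N-1} = \Bigl(1-\frac{1}{N}\Bigr)^{N-1} \\
\lim_{N\to\infty} S(p^*) &= \lim_{N\to\infty}\Bigl(1-\frac{1}{N}\Bigr)^{N-1} = \frac{1}{e} \approx 0.37
\end{aligned}
\]

So with many nodes the best any node can do is transmit in a fraction $1/N$ of the slots, and even then only about 37% of slots carry a successful frame; the rest are idle or collisions.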
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy, defer transmission.
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[figure: spatial layout of nodes vs. time, showing two overlapping transmissions]
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[figure: spatial layout of nodes vs. time, collision detected and both transmissions aborted]
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (host, router) on LAN has ARP table
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[figure: LAN with four hosts; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]
ARP protocol: same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source host, find router 111.111.111.110; in ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[figure: A - R - B, with R's interfaces on the two LANs]
A creates datagram with source A, destination B; A uses ARP to get R's MAC address for 111.111.111.110; A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram; A's adapter sends frame; R's adapter receives frame; R removes IP datagram from Ethernet frame, sees it's destined to B; R uses ARP to get B's MAC address; R creates frame containing A-to-B IP datagram, sends to B
[figure: A - R - B]
Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K·512 bit transmission times
after second collision: choose K from {0, 1, 2, 3} …
after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}
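The backoff schedule from steps 4-5 and the slide above, made concrete (added example, not lecture code): the size of the set K is drawn from after the m-th collision, the resulting wait at 10 Mbps, and a small model of several adapters resolving a collision. The model is a simplification of this example's own making (every adapter sees the same collision, the smallest K transmits first, a tied minimum is another collision); the 512-bit-time unit, the cap at ten collisions and the 0.1 µs bit time are the slide's figures.

```python
"""Ethernet exponential backoff: the set K is drawn from after the m-th
collision, the resulting wait, and a small model of several adapters resolving
a collision.

Added example, not lecture code. The collision-resolution model is a
simplification (all adapters see the same collision; the adapter with the
smallest K transmits first; a tied minimum collides again). The 512-bit-time
unit, the cap after ten collisions and the 10 Mbps bit time are the slide's.
"""
import random
from typing import Dict, List, Tuple

SLOT_BIT_TIMES = 512                 # each backoff unit is 512 bit times
MAX_EXPONENT = 10                    # the K range stops growing after ten collisions

def k_range_size(m: int) -> int:
    """Number of choices for K after the m-th collision: {0, 1, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, so it is at least 1")
    return 2 ** min(m, MAX_EXPONENT)

def wait_seconds(k: int, rate_bps: float = 10e6) -> float:
    """K * 512 bit times at the given link rate (bit time = 1 / rate)."""
    return k * SLOT_BIT_TIMES / rate_bps

def simulate_collision_resolution(n_adapters: int, rng) -> Tuple[int, List[Dict[int, int]]]:
    """All n adapters have just collided once. Each round every adapter draws K
    from its current range; a unique smallest K wins the channel, a tie among
    the smallest draws is another collision for those adapters only.
    Returns (rounds until the first success, the K values drawn each round)."""
    collisions = {i: 1 for i in range(n_adapters)}
    history: List[Dict[int, int]] = []
    rounds = 0
    while True:
        rounds += 1
        draws = {i: rng.randrange(k_range_size(m)) for i, m in collisions.items()}
        history.append(draws)
        k_min = min(draws.values())
        tied = [i for i, k in draws.items() if k == k_min]
        if len(tied) == 1:
            return rounds, history
        for i in tied:                      # only the tied adapters collide again
            collisions[i] += 1

class ScriptedRng:
    """Deterministic stand-in for random.Random, returning pre-chosen K values."""
    def __init__(self, values: List[int]):
        self._values = iter(values)

    def randrange(self, n: int) -> int:
        v = next(self._values)
        if not 0 <= v < n:
            raise ValueError(f"scripted value {v} outside range({n})")
        return v

if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        print(f"after collision {m:2d}: K in 0..{k_range_size(m) - 1}")
    print(f"K=1023 at 10 Mbps waits {wait_seconds(1023) * 1e3:.1f} ms")
    rounds, history = simulate_collision_resolution(3, random.Random(7))
    print(f"3 adapters: channel won after {rounds} round(s): {history}")
```

With K=1023 the wait is 1023 × 512 × 0.1 µs ≈ 52.4 ms, the "about 50 msec" on the slide. Because the range doubles after each collision, two adapters that tie once have only a one-in-four chance of tying again, which is how the backoff adapts to load without any coordination.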
CSMA/CD efficiency
$t_{prop}$ = max propagation delay between 2 nodes in LAN
$t_{trans}$ = time to transmit max-size frame
$\text{efficiency} = \dfrac{1}{1 + 5\,t_{prop}/t_{trans}}$
Efficiency goes to 1 as $t_{prop}$ goes to 0
Goes to 1 as $t_{trans}$ goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality: can disconnect a malfunctioning adapter
[figure: hub with twisted-pair links]
Interconnecting with hubs
Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub connecting three departmental hubs]
Switch
Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured
Forwarding
How to determine onto which LAN segment to forward frame? Looks like a routing problem...
[figure: switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
A switch has a switch table; entry in switch table: (MAC address, interface, time stamp); stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table
Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
[figure: switch connecting three hubs, each hub its own collision domain]
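The self-learning and traffic-isolation behaviour above in one small model (added example, not lecture code): a switch table of (MAC address, interface, time stamp), ageing of stale entries, learning from every received frame, and the decision to forward selectively, filter, or flood. The hosts A, B, C, their MAC addresses and the port layout are constructed; the 60-minute ageing time is the slide's figure.

```python
"""A self-learning switch: switch table of (MAC address, interface, time stamp),
ageing of stale entries, learning from each received frame, and selective
forwarding versus flooding.

Added example, not lecture code. Hosts A, B, C and the port layout are
constructed; the 60-minute ageing time is the slide's figure.
"""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports: List[int], ttl_seconds: float = 60 * 60):
        self.ports = list(ports)
        self.ttl = ttl_seconds
        self.table: Dict[str, Tuple[int, float]] = {}   # MAC -> (interface, time stamp)

    def _expire(self, now: float) -> None:
        """Drop entries not refreshed within the TTL."""
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port: int, src_mac: str, dst_mac: str, now: float) -> List[int]:
        """Process one frame; return the list of interfaces it is sent out on."""
        self._expire(now)
        # learn: the sender is reachable through the interface the frame came in on
        self.table[src_mac] = (in_port, now)
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [p for p in self.ports if p != in_port]        # flood
        out_port, _ = self.table[dst_mac]
        if out_port == in_port:
            return []          # same LAN segment: filter, the destination already heard it
        return [out_port]      # selectively forward

A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"  # constructed

def demo() -> List[List[int]]:
    """A and C share the hub on port 1, B is alone on port 2, port 3 is empty."""
    sw = LearningSwitch(ports=[1, 2, 3])
    return [
        sw.receive(1, A, B, now=0.0),        # B unknown: flood to 2 and 3
        sw.receive(2, B, A, now=1.0),        # A learned on port 1: forward to 1 only
        sw.receive(1, C, A, now=2.0),        # A on the same segment as C: filtered
        sw.receive(1, A, B, now=2.5),        # B known on port 2
        sw.receive(1, A, B, now=4000.0),     # B's entry aged out (> 60 min): flood again
    ]

if __name__ == "__main__":
    print(demo())
```

The third frame is the traffic-isolation case: C's frame to A never leaves port 1, so a host on port 2 cannot sniff it, which is the switched-Ethernet countermeasure from the packet-sniffing slide. The last frame shows why the table is soft state: once B's entry ages out the switch falls back to flooding until B transmits again.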
Switches vs Routers
both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[figure: nodes A, B, C; A and C each within range of B but not of each other]
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B
[figure: A's signal strength and C's signal strength vs. space, each fading before reaching the other]
Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code; widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
ad hoc mode: hosts only
[figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2
802.11 receiver
if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK]
Collision Avoidance: RTS-CTS exchange
[figure: A and B send RTS(A) and RTS(B) to the AP at the same time (reservation collision); the AP answers CTS(A), heard by both; A sends DATA(A); the AP returns ACK(A); B defers for the reserved duration]
802.11 frame
field: frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
bytes: 2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[figure: H1 - AP - R1 (Internet router); 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr; 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]
802.11 frame: addressing
Network Security
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.
Network Security
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob can not "see" Alice, so Trudy simply declares herself to be Alice: "I am Alice"
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario?
[figure: packet (Alice's IP address, "I am Alice") from Alice to Bob]
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Trudy can create a packet "spoofing" Alice's address
[figure: packet (Alice's IP address, "I am Alice") sent by Trudy to Bob]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Failure scenario?
[figure: Alice → Bob: (Alice's IP addr, Alice's password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK)]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
playback attack: Trudy records Alice's packet and later plays it back to Bob
[figure: Alice → Bob: (Alice's IP addr, Alice's password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK); later, Trudy → Bob: the recorded (Alice's IP addr, Alice's password, "I'm Alice")]
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Failure scenario?
[figure: Alice → Bob: (Alice's IP addr, encrypted password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK)]
Authentication: another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
record and playback still works!
[figure: Alice → Bob: (Alice's IP addr, encrypted password, "I'm Alice"); Bob → Alice: (Alice's IP addr, OK); later, Trudy → Bob: the recorded (Alice's IP addr, encrypted password, "I'm Alice")]
Authentication: yet another try
Goal: avoid playback attack
Failures, drawbacks?
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[exchange: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: $K_{A\text{-}B}(R)$]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
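The ap4.0 exchange above run end to end, with the verifier side made explicit (added example, not lecture code): Bob issues a fresh nonce R, Alice returns a keyed transform of R, and Bob accepts that answer once and rejects the same recorded (R, response) when it is played back, which is exactly what defeats the ap3.x attacks. The slide has Alice encrypt R with the shared key; this example uses an HMAC-SHA256 tag over R as the keyed proof instead of a cipher so that it runs on the standard library alone. That substitution, the constructed key and the message names are this example's assumptions.

```python
"""The ap4.0 nonce exchange with an explicit verifier: Bob issues a fresh nonce
R, Alice answers with a keyed transform of R, and Bob accepts once and rejects
a replay of the same response.

Added example, not lecture code. The slide has Alice encrypt R with the shared
key; this example uses an HMAC-SHA256 tag over R as the keyed proof instead of
a cipher, so it runs on the standard library alone. That substitution, the
constructed key and the message names are this example's assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Set, Tuple

SHARED_KEY = b"constructed-demo-key-K_A-B"   # constructed; a real key is random and secret

def prove_liveness(key: bytes, nonce: bytes) -> bytes:
    """Alice's side: the keyed response to Bob's nonce (stand-in for K_A-B(R))."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Bob:
    """Verifier: remembers which nonces are outstanding so each can be answered once."""
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        r = secrets.token_bytes(16)           # a number used only once
        self.outstanding.add(r)
        return r

    def verify(self, nonce: bytes, response: bytes) -> str:
        if nonce not in self.outstanding:
            return "reject: nonce not outstanding (replayed or never issued)"
        self.outstanding.discard(nonce)       # consumed: the same answer is useless later
        expected = prove_liveness(self.key, nonce)
        if not hmac.compare_digest(response, expected):
            return "reject: response not computed with the shared key"
        return "accept"

def live_session(bob: Bob, alice_key: bytes) -> Tuple[bytes, bytes, str]:
    """One honest run: returns (R, Alice's response, Bob's verdict)."""
    r = bob.challenge()
    resp = prove_liveness(alice_key, r)
    return r, resp, bob.verify(r, resp)

if __name__ == "__main__":
    bob = Bob(SHARED_KEY)
    r, resp, verdict = live_session(bob, SHARED_KEY)
    print("Alice live:", verdict)
    print("Trudy replays the recorded (R, response):", bob.verify(r, resp))
    r2 = bob.challenge()
    print("Trudy answers a new R without the key:", bob.verify(r2, prove_liveness(b"guess", r2)))
```

Two details carry the security argument: the nonce is drawn fresh from a CSPRNG for every challenge, so a recorded response never matches a later R, and Bob forgets each nonce as soon as it is answered, so even an immediate replay of a valid response fails. The comparison uses hmac.compare_digest so that a wrong response is rejected without leaking, through timing, how many leading bytes were right.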
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[exchange: Alice → Bob: "I am Alice"; Bob → Alice: R; Alice → Bob: $K_A^-(R)$; Bob → Alice: "send me your public key"; Alice → Bob: $K_A^+$]
Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
[exchange: Alice → Trudy → Bob: "I am Alice"; Bob → Trudy: R; Trudy → Bob: $K_T^-(R)$; Bob → Trudy: "Send me your public key"; Trudy → Bob: $K_T^+$; Trudy → Alice: R; Alice → Trudy: $K_A^-(R)$; Trudy → Alice: "Send me your public key"; Alice → Trudy: $K_A^+$]
Bob sends $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$, sends m to Alice encrypted with Alice's public key: $K_A^+(m)$; Alice gets $m = K_A^-(K_A^+(m))$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53 with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address
Dest MAC address = FF-FF-FF-FF-FF-FF
all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[figure: A, R, B]
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
[figure: A, R, B]
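The two ARP slides above (query/reply with soft-state caching, and the walkthrough through router R) can be put together in a small simulation. This is an added example, not code from the lecture: hosts and the router's two interfaces are nodes on two broadcast LANs, each node keeps an ARP table whose entries expire after the slide's 20-minute TTL, and a host sending off-subnet resolves the router's MAC rather than the destination's. The router address 111.111.111.110 and the MAC E6-E9-00-17-BB-4B come from the slide; every other address, the fake clock and the `walkthrough` scenario are constructed for this example.

```python
import ipaddress

ARP_TTL = 20 * 60          # seconds; slide: mapping forgotten after typically 20 min
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"


class Clock:
    """Fake clock so the example can move time past the TTL without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Lan:
    """One broadcast segment: an ARP query reaches every attached node, only the owner answers."""
    def __init__(self):
        self.nodes = []

    def attach(self, node):
        self.nodes.append(node)

    def broadcast_arp_query(self, target_ip):
        for node in self.nodes:                       # frame to FF-FF-FF-FF-FF-FF: everyone receives it
            if str(node.iface.ip) == target_ip:       # the node owning the IP replies (unicast) with its MAC
                return node.mac
        return None


class Node:
    """A host, or one interface of a router; a router is modelled as one Node per LAN it sits on."""
    def __init__(self, name, mac, iface, lan, clock):
        self.name, self.mac, self.lan, self.clock = name, mac, lan, clock
        self.iface = ipaddress.ip_interface(iface)    # e.g. "111.111.111.111/24"
        self.arp = {}                                 # ip -> (mac, expiry): soft state
        self.queries_sent = 0
        lan.attach(self)

    def arp_lookup(self, ip):
        hit = self.arp.get(ip)
        if hit and self.clock.now() < hit[1]:
            return hit[0]
        self.arp.pop(ip, None)                        # timed out (or never learned): drop the entry
        return None

    def resolve(self, ip):
        mac = self.arp_lookup(ip)
        if mac is None:
            self.queries_sent += 1
            mac = self.lan.broadcast_arp_query(ip)
            if mac is None:
                raise LookupError(f"{ip} is not on {self.name}'s LAN")
            self.arp[ip] = (mac, self.clock.now() + ARP_TTL)   # cache until it times out
        return mac


def next_hop_mac(node, dst_ip, default_router_ip):
    """Link-layer destination for a datagram to dst_ip: dst's own MAC if on-subnet, else the router's."""
    if ipaddress.ip_address(dst_ip) in node.iface.network:
        return node.resolve(dst_ip)
    return node.resolve(default_router_ip)


def walkthrough():
    """A -> R -> B across two LANs; returns what A and R resolve and how many queries A broadcast."""
    clock, lan1, lan2 = Clock(), Lan(), Lan()
    a = Node("A", "74-29-9C-E8-FF-55", "111.111.111.111/24", lan1, clock)       # constructed MAC
    Node("R-if1", "E6-E9-00-17-BB-4B", "111.111.111.110/24", lan1, clock)        # MAC from the slide
    r2 = Node("R-if2", "1A-23-F9-CD-06-9B", "222.222.222.220/24", lan2, clock)   # constructed
    Node("B", "49-BD-D2-C7-56-2A", "222.222.222.222/24", lan2, clock)            # constructed
    first = next_hop_mac(a, "222.222.222.222", "111.111.111.110")    # off-subnet: A resolves R, not B
    second = next_hop_mac(a, "222.222.222.222", "111.111.111.110")   # served from A's ARP table
    r_to_b = next_hop_mac(r2, "222.222.222.222", None)              # R's second table resolves B directly
    clock.advance(ARP_TTL + 1)
    third = next_hop_mac(a, "222.222.222.222", "111.111.111.110")    # entry aged out: A queries again
    return {"first": first, "second": second, "r_to_b": r_to_b, "third": third,
            "queries_by_A": a.queries_sent}


if __name__ == "__main__":
    print(walkthrough())
```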
Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
Goal: adapt retransmission attempts to estimated current load
heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3} …
after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
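The exponential backoff rule (step 5 of the algorithm, the "more" slide) and the efficiency formula above are worked through in the following added example, which is not code from the lecture. It computes the backoff window after the mth collision, converts K into a wait time using the slide's 0.1 microsecond bit time, evaluates the efficiency approximation, and simulates how many repeated collisions two adapters suffer before their random K values differ (the 16-attempt cap and the random seed are assumptions of this example so that the simulation always terminates).

```python
import random

BIT_TIME_10MBPS = 0.1e-6     # seconds per bit at 10 Mbps (slide: 0.1 microsec)
SLOT_BITS = 512              # backoff unit: adapter waits K * 512 bit times
JAM_BITS = 48                # jam signal length from the slide
MAX_BACKOFF_EXPONENT = 10    # window stops growing after the 10th collision: K in 0..1023
MAX_ATTEMPTS = 16            # assumption of this example: stop retrying after 16 collisions


def backoff_window(m):
    """Number of values in {0, 1, ..., 2^m - 1} that the adapter draws K from after its m-th collision."""
    return 2 ** min(m, MAX_BACKOFF_EXPONENT)


def choose_k(m, rng):
    return rng.randrange(backoff_window(m))


def backoff_wait_seconds(k, bit_time=BIT_TIME_10MBPS):
    """K * 512 bit times expressed in seconds; K=1023 at 10 Mbps is about 52 ms (slide: about 50 msec)."""
    return k * SLOT_BITS * bit_time


def csmacd_efficiency(t_prop, t_trans):
    """Slide's approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def resolve_collision(rng, stations=2):
    """After an initial collision, each station backs off independently until exactly one station
    holds the smallest K and therefore transmits alone. Returns (collisions, seconds spent waiting)."""
    m, waited = 0, 0.0
    while True:
        m += 1                                        # this is the m-th collision
        ks = [choose_k(m, rng) for _ in range(stations)]
        waited += backoff_wait_seconds(min(ks))       # channel idle until the earliest station retries
        if ks.count(min(ks)) == 1 or m >= MAX_ATTEMPTS:
            return m, waited                          # a unique minimum K means the retry succeeds


def mean_collisions(trials=2000, seed=1):
    """Average number of collisions two stations need to resolve contention (analytically about 1.64)."""
    rng = random.Random(seed)
    return sum(resolve_collision(rng)[0] for _ in range(trials)) / trials


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        print(f"after collision {m:2d}: K in 0..{backoff_window(m) - 1}")
    print(f"K=1023 wait: {backoff_wait_seconds(1023) * 1e3:.1f} ms")
    print(f"efficiency, t_prop/t_trans = 0.01: {csmacd_efficiency(0.01, 1):.3f}")
    print(f"mean collisions for two stations: {mean_collisions():.2f}")
```

The doubling window is what adapts to load: with two contending stations the chance of colliding again halves after every collision, while a busy LAN with many stations spreads their retries over an ever larger range of slots.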
Hubs
Hubs are essentially physical-layer repeaters:
bits coming from one link go out all other links
at the same rate
no frame buffering
no CSMA/CD at hub: adapters detect collisions
provides net management functionality
• can disconnect a malfunctioning adapter
[figure: hub with twisted pair links]
Interconnecting with hubs
Pros:
Enables interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions, the backbone hub can disconnect it
Cons:
Collision domains are transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub interconnecting three hubs]
Switch
Link layer device
stores and forwards Ethernet frames
examines frame header and selectively forwards frame based on MAC dest address
when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem
[figure: switch with interfaces 1, 2, 3, each connected to a hub]
Self learning
A switch has a switch table
entry in switch table: (MAC Address, Interface, Time Stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
when frame received, switch "learns" location of sender: incoming LAN segment
records sender/location pair in switch table
Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets:
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
[figure: switch connected to three hubs; each hub's segment is a separate collision domain]
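The self-learning and filtering behaviour of the two slides above is small enough to implement directly. The following is an added example, not code from the lecture: a switch table of (MAC, interface, timestamp) entries that are learned from each received frame, used to forward by destination MAC, flooded when the destination is unknown or broadcast, filtered when source and destination share a segment, and aged out after the slide's 60-minute TTL. The host names, port numbers and the timeline in `scenario` are constructed for this example.

```python
SWITCH_TTL = 60 * 60             # seconds; slide: stale entries dropped, TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    """Transparent, plug-and-play switch: nothing is configured, everything is learned from traffic."""

    def __init__(self, interfaces, now=0):
        self.table = {}                  # mac -> (interface, timestamp)
        self.interfaces = list(interfaces)
        self.now = now

    def tick(self, seconds):
        self.now += seconds

    def _expire(self):
        for mac, (_, ts) in list(self.table.items()):
            if self.now - ts > SWITCH_TTL:
                del self.table[mac]      # stale entry dropped

    def receive(self, frame, in_port):
        """Handle one frame arriving on in_port; return the interfaces it is sent out on ([] = filtered)."""
        self._expire()
        self.table[frame["src"]] = (in_port, self.now)   # learn: sender is reachable via in_port
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.interfaces if p != in_port]   # unknown location: flood all other ports
        out_port = self.table[dst][0]
        if out_port == in_port:
            return []                    # same LAN segment: filter, do not forward
        return [out_port]                # known location: selective forward


def scenario():
    """A and C share the hub on interface 1, B hangs off interface 2, interface 3 is an empty segment."""
    sw = LearningSwitch([1, 2, 3])
    log = []
    log.append(sw.receive({"src": "A", "dst": "B"}, 1))   # B unknown: flooded to 2 and 3; A learned on 1
    log.append(sw.receive({"src": "B", "dst": "A"}, 2))   # A known: forwarded only to 1; B learned on 2
    log.append(sw.receive({"src": "A", "dst": "B"}, 1))   # B known: forwarded only to 2
    log.append(sw.receive({"src": "C", "dst": "A"}, 1))   # same segment as A: filtered; C learned on 1
    log.append(sw.receive({"src": "A", "dst": BROADCAST}, 1))   # broadcast always floods
    sw.tick(SWITCH_TTL + 1)                                # every entry is now stale
    log.append(sw.receive({"src": "B", "dst": "A"}, 2))   # A aged out: flooded again
    return log, dict(sw.table)


if __name__ == "__main__":
    for step, ports in enumerate(scenario()[0], 1):
        print(f"frame {step}: sent out on {ports or 'nothing (filtered)'}")
```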
Switches vs Routers
both store-and-forward devices
routers: network layer devices (examine network layer headers)
switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access)
[figure: nodes A, B, C]
Hidden terminal problem
B, A hear each other
B, C hear each other
A, C can not hear each other
means A, C unaware of their interference at B
[figure: A's signal strength and C's signal strength plotted against space, with A, B, C marked]
Signal fading:
B, A hear each other
B, C hear each other
A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b
2.4-5 GHz unlicensed radio spectrum
up to 11 Mbps
direct sequence spread spectrum (DSSS) in physical layer
• all hosts use same chipping code
widely deployed, using base stations
802.11a
5-6 GHz range
up to 54 Mbps
802.11g
2.4-5 GHz range
up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
wireless host communicates with base station
base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
wireless hosts
access point (AP): base station
ad hoc mode: hosts only
[figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then transmit entire frame (no CD)
2 if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[figure: timeline with A, AP, B: A sends RTS(A) and B sends RTS(B) at the same time (reservation collision); A resends RTS(A); AP answers CTS(A), heard by both A and B; A sends DATA(A); AP returns ACK(A); B defers]
[figure: 802.11 frame format, field sizes in bytes: frame control 2, duration 2, address 1 6, address 2 6, address 3 6, seq control 2, address 4 6, payload 0 - 2312, CRC 4]
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[figure: H1, AP, R1 (Internet router)]
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
802.11 frame: addressing
Network Security
What is network security?
Principles of cryptography
Symmetric Key
Public Key
Authentication
Protocol evolution
Access control: firewalls
Attacks and counter measures
Packet sniffing
IP spoofing
DoS attacks
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario?
[figure: "I am Alice", Alice's IP address]
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Trudy can create a packet "spoofing" Alice's address
[figure: "I am Alice", Alice's IP address]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Failure scenario?
[figure: "I'm Alice", Alice's IP addr, Alice's password; reply: OK, Alice's IP addr]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
playback attack: Trudy records Alice's packet and later plays it back to Bob
[figure: "I'm Alice", Alice's IP addr, Alice's password; reply: OK, Alice's IP addr; later Trudy replays "I'm Alice", Alice's IP addr, Alice's password]
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Failure scenario?
[figure: "I'm Alice", Alice's IP addr, encrypted password; reply: OK, Alice's IP addr]
Authentication: another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
record and playback still works
[figure: "I'm Alice", Alice's IP addr, encrypted password; reply: OK, Alice's IP addr; later Trudy replays "I'm Alice", Alice's IP addr, encrypted password]
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[figure: "I am Alice"; R; $K_{A-B}(R)$]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice
Failures, drawbacks?
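The step from ap3.1 to ap4.0 is the difference between a token that is valid forever and a response bound to a fresh challenge. The following added example (not code from the lecture) puts a verifier for each protocol side by side: the ap3.1 verifier accepts the same "encrypted password" token every time it is presented, so a recorded copy passes, whereas the ap4.0 verifier issues a random nonce R, accepts only the keyed response to the currently outstanding R, and retires each nonce after one use. As an assumption of this example, HMAC-SHA256 from the standard library stands in for the slide's symmetric encryption $K_{A-B}(\cdot)$; both are keyed functions that only a holder of the shared key can compute, which is all the argument needs.

```python
import hashlib
import hmac
import secrets


def keyed_encrypt(key, msg):
    """Stand-in for K_{A-B}(msg): HMAC-SHA256 used here instead of a block cipher (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Ap31Verifier:
    """ap3.1: Bob compares the presented token with the encrypted password; nothing ties it to a session."""

    def __init__(self, key, password):
        self.expected = keyed_encrypt(key, password)

    def verify(self, claim, token):
        return claim == "I am Alice" and hmac.compare_digest(token, self.expected)


class Ap40Verifier:
    """ap4.0: Bob challenges with a fresh nonce R and accepts only K_{A-B}(R) for that R, once."""

    def __init__(self, key):
        self.key = key
        self.outstanding = None          # nonce of the attempt in progress, if any
        self.used = set()                # nonces that have already been answered

    def challenge(self):
        r = secrets.token_hex(16)        # 128 random bits: will not repeat in a lifetime
        self.outstanding = r
        return r

    def verify(self, response):
        r, self.outstanding = self.outstanding, None    # one response per challenge
        if r is None or r in self.used:
            return False
        self.used.add(r)
        return hmac.compare_digest(response, keyed_encrypt(self.key, r.encode()))


def alice_responds(key, nonce):
    """Alice's side of ap4.0: return the nonce encrypted under the shared key."""
    return keyed_encrypt(key, nonce.encode())


def replay_demo():
    """Present a recorded message a second time to each verifier; returns four accept/reject results."""
    key = b"shared-secret-between-A-and-B"          # constructed sample key
    bob31 = Ap31Verifier(key, b"alice-password")
    recorded = keyed_encrypt(key, b"alice-password")    # what Trudy recorded from Alice's packet
    ap31_first = bob31.verify("I am Alice", recorded)
    ap31_replay = bob31.verify("I am Alice", recorded)  # same token, accepted again

    bob40 = Ap40Verifier(key)
    recorded_response = alice_responds(key, bob40.challenge())
    ap40_first = bob40.verify(recorded_response)
    bob40.challenge()                                   # a new attempt gets a new R
    ap40_replay = bob40.verify(recorded_response)       # answer to the old R is rejected
    return ap31_first, ap31_replay, ap40_first, ap40_replay


if __name__ == "__main__":
    print("ap3.1 first/replay, ap4.0 first/replay:", replay_demo())
```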
Authentication: ap5.0
ap4.0 requires shared symmetric key
can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[figure: "I am Alice"; R; $K_A^-(R)$; "send me your public key"; $K_A^+$]
Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
[figure: Bob, Trudy, Alice exchange: "I am Alice" (Trudy to Bob, relayed to Alice); R; $K_T^-(R)$ to Bob and $K_A^-(R)$ from Alice; "Send me your public key"; $K_T^+$ to Bob and $K_A^+$ from Alice; Bob sends $K_T^+(m)$; Trudy gets $m = K_T^-(K_T^+(m))$, sends m to Alice encrypted with Alice's public key, $K_A^+(m)$; Alice computes $m = K_A^-(K_A^+(m))$]
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
problem is that Trudy receives all messages as well
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
[figure: administered network, firewall, public Internet]
Firewalls: Why
prevent denial of service attacks:
SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
prevent illegal modification/access of internal data
e.g., attacker replaces CIA's homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls:
application-level
packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet, decision to forward/drop packet based on:
source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23
All incoming and outgoing UDP flows and telnet connections are blocked
Example 2: Block inbound TCP SYN packets
Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside
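The two filtering examples above can be expressed as rules over the header fields the earlier slide lists (protocol, ports, SYN and ACK bits, direction). The following is an added example, not code from the lecture. Since the stated effect of Example 1 is that all UDP flows and all telnet connections are blocked, it is implemented as two independent drop rules (protocol 17; port 23 in either direction) rather than their conjunction. Example 2 drops inbound segments with SYN set and ACK clear, which is what opens a connection, while SYN+ACK replies to connections the inside opened still pass. The packet representation and the sample packets are constructed for this example.

```python
from dataclasses import dataclass

TCP, UDP = 6, 17            # IP protocol field values


@dataclass
class Packet:
    direction: str          # "in": arriving from the Internet; "out": departing the internal network
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def example1_rule(pkt):
    """Slide's Example 1: drop all UDP and drop telnet (port 23) in either direction."""
    if pkt.proto == UDP:
        return "drop"
    if pkt.proto == TCP and 23 in (pkt.sport, pkt.dport):
        return "drop"
    return None


def example2_rule(pkt):
    """Slide's Example 2: drop inbound TCP SYN (connection-opening) segments; replies (SYN+ACK) pass."""
    if pkt.direction == "in" and pkt.proto == TCP and pkt.syn and not pkt.ack:
        return "drop"
    return None


RULES = [example1_rule, example2_rule]


def filter_packet(pkt, rules=RULES):
    """First matching drop rule wins; packets matching no rule are forwarded."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict:
            return verdict
    return "forward"


# Constructed sample traffic (documentation-range addresses), one packet per case of interest.
SAMPLE = {
    "inbound DNS over UDP":        Packet("in", UDP, "198.51.100.53", "192.0.2.10", 53, 40000),
    "outbound telnet":             Packet("out", TCP, "192.0.2.10", "198.51.100.7", 40001, 23, syn=True),
    "outsider opens connection":   Packet("in", TCP, "203.0.113.9", "192.0.2.10", 40002, 80, syn=True),
    "reply to inside's SYN":       Packet("in", TCP, "198.51.100.8", "192.0.2.10", 80, 40003, syn=True, ack=True),
    "inside opens connection":     Packet("out", TCP, "192.0.2.10", "198.51.100.8", 40003, 80, syn=True),
    "established data, inbound":   Packet("in", TCP, "198.51.100.8", "192.0.2.10", 80, 40003, ack=True),
}


def verdicts(sample=SAMPLE):
    return {name: filter_packet(pkt) for name, pkt in sample.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:28s} -> {verdict}")
```

Note the limitation the next slide points out: the decision depends on header fields only, so a spoofed source address or an inbound SYN+ACK that answers no real outbound SYN looks no different from legitimate traffic to this filter.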
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields
Example: allow select internal users to telnet outside
[figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter]
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing: router can't know if data "really" comes from claimed source
if multiple app's need special treatment, each has own app gateway
client software must know how to contact gateway
e.g., must set IP address of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Internet security threats
Mapping:
before attacking: "case the joint": find out what services are implemented on network
Use ping to determine what hosts have addresses on network
Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures
record traffic entering network
look for suspicious activity (IP addresses, ports being scanned sequentially)
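The countermeasure above, recording inbound traffic and looking for ports being scanned sequentially, is the following added detector (not code from the lecture), run over a constructed log of inbound TCP SYN records. The log format, the documentation-range addresses, the thresholds and the 2005 timestamps are assumptions of this example; a single source hitting many distinct ports on one host, or a run of consecutive port numbers, raises an alert, while a handful of clients reaching the usual web ports does not. Malformed lines are skipped rather than crashing the detector.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the slides): one host probes ports 20..35 in order on
# 198.51.100.5, then ordinary clients hit 80 and 443, then a malformed line.
SAMPLE_LOG = [
    f"2005-03-14T10:00:{i:02d} src=203.0.113.7 dst=198.51.100.5 proto=tcp dport={20 + i} flags=S"
    for i in range(16)
] + [
    "2005-03-14T10:01:00 src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=80 flags=S",
    "2005-03-14T10:01:05 src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=443 flags=S",
    "2005-03-14T10:01:09 src=192.0.2.11 dst=198.51.100.5 proto=tcp dport=80 flags=S",
    "2005-03-14T10:01:20 this line is malformed and must be skipped",
]

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=tcp dport=(\d+) flags=S\b")


def parse(lines):
    """Yield (src, dst, dport) for well-formed SYN records; anything else is ignored."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers seen (the 'scanned sequentially' signal)."""
    ordered = sorted(set(ports))
    best = run = 1 if ordered else 0
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_scans(lines, min_ports=10, min_run=5):
    """Group SYNs by (source, destination); alert when a pair touches many distinct ports or a sequential run."""
    per_pair = defaultdict(list)
    for src, dst, dport in parse(lines):
        per_pair[(src, dst)].append(dport)
    alerts = []
    for (src, dst), ports in sorted(per_pair.items()):
        distinct, run = len(set(ports)), longest_sequential_run(ports)
        if distinct >= min_ports or run >= min_run:
            alerts.append({"src": src, "dst": dst, "distinct_ports": distinct, "sequential_run": run})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

Per-pair counting is the minimum; a scanner that touches one port on each of many hosts (a sweep) would need the same counting keyed by source only, and a slow scan spread over days needs counts kept across a longer window than one log file.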
Internet security threats
Packet sniffing:
broadcast media
promiscuous NIC reads all packets passing by
can read all unencrypted data (e.g., passwords)
e.g.: C sniffs B's packets
[figure: A, B, C on one segment; frame src:B dest:A payload]
Countermeasures?
Internet security threats
Packet sniffing: countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
[figure: A, B, C; frame src:B dest:A payload]
Internet security threats
IP Spoofing:
can generate "raw" IP packets directly from application, putting any value into IP source address field
receiver can't tell if source is spoofed
e.g.: C pretends to be B
[figure: A, B, C; frame src:B dest:A payload sent by C]
Countermeasures?
Internet security threats
IP Spoofing: ingress filtering
routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
great, but ingress filtering can not be mandated for all networks
[figure: A, B, C; frame src:B dest:A payload]
Internet security threats
Denial of service (DOS):
flood of maliciously generated packets "swamp" receiver
Distributed DOS (DDOS): multiple coordinated sources swamp receiver
e.g., C and remote host SYN-attack A
[figure: A, B, C; SYN packets from C and a remote host converging on A]
Countermeasures?
Internet security threats
Denial of service (DOS): countermeasures
filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
traceback to source of floods (most likely an innocent, compromised machine)
[figure: A, B, C; SYN packets from C and a remote host converging on A]
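Two of the countermeasures above are mechanical enough to show in code: the ingress-filtering rule for IP spoofing (a router forwards outgoing packets only if the source address belongs to its own network) and the SYN-flood countermeasure of spotting, and then filtering, an abnormal rate of connection-opening SYNs toward one host. The following is an added example, not code from the lecture. The router network 111.111.111.0/24 is taken from the earlier ARP walkthrough's router address 111.111.111.110; the packet format, the one-second window, the threshold of 100 SYNs and the traffic sample (150 SYNs in under a second toward one host, three normal handshakes toward another) are constructed for this example.

```python
import ipaddress
from collections import Counter, defaultdict


def ingress_filter(packets, router_net):
    """Router-side check on departing packets: forward only those whose source lies in router_net."""
    net = ipaddress.ip_network(router_net)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ipaddress.ip_address(pkt["src"]) in net else dropped).append(pkt)
    return forwarded, dropped


def syn_flood_suspects(packets, window=1.0, threshold=100):
    """Count connection-opening SYNs (SYN set, ACK clear) per destination in fixed time windows;
    return {destination: peak count} for destinations whose busiest window exceeds the threshold."""
    per_dst = defaultdict(Counter)
    for pkt in packets:
        if pkt["syn"] and not pkt["ack"]:
            per_dst[pkt["dst"]][int(pkt["t"] // window)] += 1
    return {dst: max(c.values()) for dst, c in per_dst.items() if max(c.values()) > threshold}


def make_packet(t, src, dst, syn, ack):
    return {"t": t, "src": src, "dst": dst, "syn": syn, "ack": ack}


# Constructed traffic sample (documentation-range addresses), not from the slides.
FLOOD = [make_packet(i * 0.005, f"203.0.113.{1 + i % 250}", "198.51.100.5", True, False)
         for i in range(150)]
NORMAL = []
for n, client in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"], 1):
    NORMAL.append(make_packet(0.1 * n, client, "198.51.100.9", True, False))           # SYN
    NORMAL.append(make_packet(0.1 * n + 0.01, "198.51.100.9", client, True, True))     # SYN+ACK reply
SAMPLE = FLOOD + NORMAL

# Departing packets seen by the router for 111.111.111.0/24; the last one carries a source
# address outside that network and is exactly what ingress filtering exists to stop.
OUTBOUND = [
    make_packet(0.0, "111.111.111.111", "198.51.100.5", True, False),
    make_packet(0.1, "111.111.111.112", "198.51.100.5", True, False),
    make_packet(0.2, "222.222.222.222", "198.51.100.5", True, False),
]


if __name__ == "__main__":
    print("SYN-flood suspects:", syn_flood_suspects(SAMPLE))
    fwd, drp = ingress_filter(OUTBOUND, "111.111.111.0/24")
    print(f"ingress filter: forwarded {len(fwd)}, dropped {[p['src'] for p in drp]}")
```

Dropping every SYN toward the flooded host is the "throw out good with bad" option the slide names; the detector only tells you which host is under attack, not which sources are genuine, and the spoofed sources in the sample show why the slide's traceback leads to an innocent machine at best.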
Review (1)
Network Layer
Virtual Circuits and Datagram Networks
Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation
Review (2)
Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks
CDMA
IEEE 802.11 wireless LANs
Review (3)
What is network security?
Principles of cryptography
Symmetric Key
Public Key
Authentication
Protocol evolution
Access control: firewalls
Attacks and counter measures
Packet sniffing
IP spoofing
DoS attacks
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm example
Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
[figure: network with nodes u, v, w, x, y, z and link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5]
Distance vector algorithm (1)
Basic idea:
Each node periodically sends its own distance vector estimate to neighbors
When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$
Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
local link cost change
DV update message from neighbor
Distributed:
each node notifies neighbors only when its DV changes
neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor)
Why different Intra- and Inter-AS routing?
update traffic
Performance:
Intra-AS: can focus on performance
Inter-AS: policy may dominate over performance
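Both routing algorithms reviewed above, Dijkstra's link-state computation and the distance-vector iteration with the Bellman-Ford equation $D_x(y) \leftarrow \min_v \{c(x,v) + D_v(y)\}$, are run on the same six-node graph in the following added example (not code from the lecture), which shows that they arrive at the same least costs and that a distance-vector node knows only its next hop. The link costs for the edges the slide's table exercises (u-v 2, u-x 1, u-w 5, x-w 3, x-y 1, w-y 1, y-z 2) are read off that table; the remaining three (v-x 2, v-w 3, w-z 5) are assumed from the Kurose and Ross textbook figure the slide reproduces. The distance-vector loop here runs in synchronous rounds for simplicity, where the slide's version is asynchronous.

```python
INF = float("inf")

# Undirected link costs for the slide's example graph (see the lead-in for which are assumed).
LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def adjacency(links):
    """node -> {neighbour: cost}, both directions."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def dijkstra(links, u):
    """Link-state computation at u: returns (D, p), the least cost and predecessor of every other node."""
    adj = adjacency(links)
    N = {u}                                                   # N = {u}
    D = {v: adj[u].get(v, INF) for v in adj if v != u}        # D(v) = c(u,v), else infinity
    p = {v: u for v in adj[u]}
    while len(N) < len(adj):
        w = min((v for v in adj if v not in N), key=lambda v: D[v])   # cheapest node not yet in N
        N.add(w)
        for v, c in adj[w].items():                           # update D(v) for w's neighbours outside N
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p


def distance_vector(links, max_rounds=100):
    """Synchronous distance-vector rounds: every node recomputes D_x(y) = min_v c(x,v) + D_v(y) from the
    vectors its neighbours announced last round, until no vector changes. Returns (table, rounds)."""
    adj = adjacency(links)
    nodes = sorted(adj)
    D = {x: {y: 0 if x == y else adj[x].get(y, INF) for y in nodes} for x in nodes}
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        new = {x: {y: 0 if x == y else min(adj[x][v] + D[v][y] for v in adj[x]) for y in nodes}
               for x in nodes}
        if new == D:
            break                                             # converged: nobody would notify anybody
        D = new
    return D, rounds


def next_hop(links, dv_table, x, y):
    """What a distance-vector node actually uses: the neighbour minimising c(x,v) + D_v(y)."""
    adj = adjacency(links)
    return min(adj[x], key=lambda v: adj[x][v] + dv_table[v][y])


if __name__ == "__main__":
    D, p = dijkstra(LINKS, "u")
    print("link state from u:", {v: (D[v], p[v]) for v in sorted(D)})
    table, rounds = distance_vector(LINKS)
    print(f"distance vector converged after {rounds} rounds; D_u =", table["u"])
    print("u forwards traffic for z to", next_hop(LINKS, table, "u", "z"))
```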
Data Link Layer
Some terminology:
hosts and routers are nodes
communication channels that connect adjacent nodes along communication path are links
wired links
wireless links
LANs
layer-2 packet is a frame, encapsulates datagram
[figure: "link"]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access:
encapsulate datagram into frame, adding header, trailer
channel access if shared medium
"MAC" addresses used in frame headers to identify source, dest
• different from IP address
Reliable delivery between adjacent nodes
we learned how to do this already (chapter 3)
seldom used on low bit error link (fiber, some twisted pair)
wireless links: high error rates
• Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning
divide channel into smaller "pieces" (time slots, frequency, code)
allocate piece to node for exclusive use
Random Access
channel not divided, allow collisions
"recover" from collisions
"Taking turns"
Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
access to channel in rounds
each station gets fixed length slot (length = pkt trans time) in each round
unused slots go idle
example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Network Security
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address
[Figure: packet "I am Alice" carrying Alice's IP address]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Failure scenario?
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password; Bob -> Alice: OK, Alice's IP addr]
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it
Playback attack: Trudy records Alice's packet and later plays it back to Bob
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password; Bob -> Alice: OK, Alice's IP addr; later, Trudy -> Bob: "I'm Alice", Alice's IP addr, Alice's password]
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
Failure scenario?
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob -> Alice: OK, Alice's IP addr]
Authentication: another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it
record and playback still works!
[Figure: Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password; Bob -> Alice: OK, Alice's IP addr; later, Trudy -> Bob: "I'm Alice", Alice's IP addr, encrypted password]
Authentication: yet another try
Goal: avoid playback attack
Failures, drawbacks?
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with shared secret key
[Figure: Alice -> Bob: "I am Alice"; Bob -> Alice: R; Alice -> Bob: K_A-B(R)]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
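The difference between ap3.0 and ap4.0 in running code, as an added example that is not part of the original slides: Bob under ap3.0 accepts Trudy's recorded password packet when she plays it back, while Bob under ap4.0 rejects a replayed (R, K_A-B(R)) pair because each nonce is accepted at most once and a fresh nonce does not match the old proof. The shared key, Alice's password, and the use of HMAC-SHA256 in place of the slide's symmetric encryption of R are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed values (assumption): the slides' shared key K_A-B and Alice's
# ap3.0 password. K_A-B(R) is modelled with HMAC-SHA256 over R, a keyed
# function only a holder of K_A-B can compute.
K_AB = b"constructed-shared-key-K_A-B"
ALICE_PASSWORD = b"constructed-alice-password"


def keyed_proof(key, nonce):
    """Stands in for K_A-B(R): a proof over the nonce that needs the shared key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class BobAp30:
    """ap3.0: Bob accepts any packet that carries Alice's password."""

    def __init__(self, password):
        self.password = password

    def verify(self, packet):
        return hmac.compare_digest(packet["password"], self.password)


class BobAp40:
    """ap4.0: Bob challenges with a fresh nonce R and expects K_A-B(R) back."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()   # nonces sent, not yet answered
        self.used = set()          # nonces already consumed: never accepted again

    def challenge(self):
        r = secrets.token_bytes(16)      # once-in-a-lifetime R
        self.outstanding.add(r)
        return r

    def verify(self, nonce, proof):
        # a replayed response carries an R that is either used or never issued
        if nonce in self.used or nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        self.used.add(nonce)
        return hmac.compare_digest(proof, keyed_proof(self.key, nonce))


def alice_answer(nonce):
    """Alice returns R under the shared key (only she and Bob hold K_A-B)."""
    return keyed_proof(K_AB, nonce)


def run_ap30():
    """Returns (Alice accepted, Trudy's replay of the same packet accepted)."""
    bob = BobAp30(ALICE_PASSWORD)
    packet = {"msg": "I'm Alice", "password": ALICE_PASSWORD}
    accepted = bob.verify(packet)
    recorded = dict(packet)            # Trudy records Alice's packet...
    replayed = bob.verify(recorded)    # ...and later plays it back to Bob
    return accepted, replayed


def run_ap40():
    """Returns (Alice accepted, any replay of her recorded answer accepted)."""
    bob = BobAp40(K_AB)
    r1 = bob.challenge()
    proof1 = alice_answer(r1)
    accepted = bob.verify(r1, proof1)
    # Trudy replays the recorded (R, K_A-B(R)) pair: R was already consumed
    replay_old_nonce = bob.verify(r1, proof1)
    # Trudy answers a fresh challenge with the recorded proof: wrong R
    r2 = bob.challenge()
    replay_fresh_nonce = bob.verify(r2, proof1)
    return accepted, replay_old_nonce or replay_fresh_nonce
```

Bob's `used` set is what makes the nonce "once-in-a-lifetime" on his side; without it, a nonce would still be unpredictable but a captured answer could be re-submitted while the challenge was outstanding.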
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: Alice -> Bob: "I am Alice"; Bob -> Alice: R; Alice -> Bob: K_A^-(R); Bob -> Alice: "send me your public key"; Alice -> Bob: K_A^+]
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
[Figure: Alice -> Trudy: "I am Alice"; Trudy -> Bob: "I am Alice"; Bob -> Trudy: R; Trudy -> Bob: K_T^-(R); Bob -> Trudy: "Send me your public key"; Trudy -> Bob: K_T^+; Trudy -> Alice: R; Alice -> Trudy: K_A^-(R); Trudy -> Alice: "Send me your public key"; Alice -> Trudy: K_A^+; Bob -> Trudy: K_T^+(m); Trudy computes m = K_T^-(K_T^+(m)); Trudy -> Alice: K_A^+(m); Alice computes m = K_A^-(K_A^+(m))]
Trudy gets m, sends m to Alice encrypted with Alice's public key
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!
Overview
What is network security? Principles of cryptography; Authentication; Access control: firewalls; Attacks and counter measures
Firewalls
Firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
[Figure: administered network -- firewall -- public Internet]
Firewalls: Why
• prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
• prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
• allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls: application-level, packet-filtering
Packet Filtering
• internal network connected to Internet via router firewall
• router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
• Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked
• Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside
Application gateways
• Filters packets on application data as well as on IP/TCP/UDP fields
• Example: allow select internal users to telnet outside
[Figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter]
1. Require all telnet users to telnet through gateway
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
• IP spoofing: router can't know if data "really" comes from claimed source
• if multiple apps need special treatment, each has own app gateway
• client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks
Overview
What is network security? Principles of cryptography; Authentication; Access control: firewalls; Attacks and counter measures
Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on network; use ping to determine what hosts have addresses on network; port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats: Packet sniffing
• broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g., passwords); e.g., C sniffs B's packets
[Figure: hosts A, B, C on a shared medium; frame src:B dest:A payload]
Countermeasures?
Internet security threats: Packet sniffing: countermeasures
• all hosts in organization run software that checks periodically if host interface in promiscuous mode
• one host per segment of broadcast media (switched Ethernet at hub)
[Figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats: IP Spoofing
• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed; e.g., C pretends to be B
[Figure: hosts A, B, C; frame src:B dest:A payload sent by C]
Countermeasures?
Internet security threats: IP Spoofing: ingress filtering
• routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
• great, but ingress filtering can not be mandated for all networks
[Figure: hosts A, B, C; frame src:B dest:A payload]
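A router filter that applies the two Packet Filtering examples above together with the ingress-filtering rule of this slide, as an added example that is not part of the original slides. The inside prefix, the mirror rule that a packet arriving from the Internet may not claim an inside source, and the sample packets (documentation-range addresses) are assumptions of this example; Example 1 is implemented as the effect the slide states (all UDP and all telnet blocked).

```python
import ipaddress
from dataclasses import dataclass

# Constructed (assumption): the administered network behind the router and
# the IP protocol numbers used by the two packet-filter examples.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
TCP, UDP = 6, 17


@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: int            # IP protocol field
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN bit
    ack: bool = False     # TCP ACK bit


def filter_packet(pkt):
    """Router decision for one packet: ('drop' | 'forward', rule that decided)."""
    src = ipaddress.ip_address(pkt.src)
    # Ingress filtering: do not forward an outgoing packet whose source
    # address is not in the router's own network.
    if pkt.iface == "inside" and src not in INSIDE_NET:
        return "drop", "ingress filter: outgoing packet, source not ours"
    # Mirror rule (assumption): a packet from the Internet must not claim
    # an inside source address either.
    if pkt.iface == "outside" and src in INSIDE_NET:
        return "drop", "ingress filter: incoming packet claims inside source"
    # Example 1: block UDP (protocol 17) and telnet (port 23) in both directions.
    if pkt.proto == UDP:
        return "drop", "example 1: UDP flow"
    if pkt.proto == TCP and 23 in (pkt.sport, pkt.dport):
        return "drop", "example 1: telnet connection"
    # Example 2: block inbound TCP SYN (SYN set, ACK clear). A SYN+ACK coming
    # back for a connection opened from inside still passes.
    if pkt.iface == "outside" and pkt.proto == TCP and pkt.syn and not pkt.ack:
        return "drop", "example 2: inbound TCP SYN"
    return "forward", "no rule matched"


# Constructed sample traffic; addresses are from documentation ranges.
SAMPLES = {
    "udp_out":     Packet("inside", "192.0.2.10", "198.51.100.5", UDP, 5000, 53),
    "telnet_out":  Packet("inside", "192.0.2.10", "198.51.100.5", TCP, 40000, 23, syn=True),
    "syn_in":      Packet("outside", "198.51.100.5", "192.0.2.10", TCP, 40001, 80, syn=True),
    "synack_in":   Packet("outside", "198.51.100.5", "192.0.2.10", TCP, 80, 40002, syn=True, ack=True),
    "http_out":    Packet("inside", "192.0.2.10", "198.51.100.5", TCP, 40002, 80, syn=True),
    "spoofed_out": Packet("inside", "203.0.113.9", "198.51.100.5", TCP, 40003, 80, syn=True),
    "spoofed_in":  Packet("outside", "192.0.2.77", "192.0.2.10", TCP, 40004, 80, syn=True),
}


def run_samples():
    """Verdict per sample packet, e.g. {'udp_out': 'drop', ...}."""
    return {name: filter_packet(pkt)[0] for name, pkt in SAMPLES.items()}
```

Rule order matters: the ingress checks come first because a spoofed source would otherwise be judged by the port rules as if it were legitimate, which is exactly the limitation the "IP spoofing" bullet on the firewall slide describes.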
Internet security threats: Denial of service (DOS)
• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver; e.g., C and remote host SYN-attack A
[Figure: hosts A, B, C and a remote host; streams of SYN packets converge on A]
Countermeasures?
Internet security threats: Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)
[Figure: hosts A, B, C; streams of SYN packets converge on A]
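A monitor that records traffic entering the network and flags the two kinds of "suspicious activity" named on these slides, sequential port scanning (Mapping: countermeasures) and SYN flooding (DOS: countermeasures), as an added example that is not part of the original slides. The log-line format, the thresholds, and the sample log (documentation-range addresses) are constructed assumptions of this example.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"t=(?P<t>[0-9.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)

# Constructed log of TCP packets entering the network (assumption: one line per
# packet; 'flags=S' is a bare SYN, 'flags=SA' a SYN+ACK, 'flags=A' an ACK).
NORMAL = [
    "t=0.10 src=198.51.100.9 dst=192.0.2.10 dport=80 flags=S",
    "t=0.12 src=198.51.100.9 dst=192.0.2.10 dport=80 flags=A",
    "t=0.50 src=198.51.100.9 dst=192.0.2.10 dport=443 flags=S",
]
# one host probing ports 20..27 of one target in sequence
SCAN = [f"t={1.0 + i * 0.1:.2f} src=198.51.100.7 dst=192.0.2.10 dport={20 + i} flags=S"
        for i in range(8)]
# 25 sources sending bare SYNs to one target within half a second
FLOOD = [f"t={5.0 + i * 0.02:.2f} src=203.0.113.{i} dst=192.0.2.20 dport=80 flags=S"
         for i in range(1, 26)]
SAMPLE_LOG = "\n".join(NORMAL + SCAN + FLOOD)


def parse(log):
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:   # malformed lines are skipped rather than crashing the monitor
            d = m.groupdict()
            records.append((float(d["t"]), d["src"], d["dst"], int(d["dport"]), d["flags"]))
    return records


def longest_consecutive_run(ports):
    run = best = 0
    prev = None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best


def sequential_scans(records, min_ports=5):
    """Sources that hit >= min_ports consecutive ports on one destination."""
    ports = defaultdict(list)
    for _, src, dst, dport, _ in records:
        ports[(src, dst)].append(dport)
    return {src for (src, dst), ps in ports.items()
            if longest_consecutive_run(ps) >= min_ports}


def syn_floods(records, window=1.0, threshold=20):
    """Destinations receiving >= threshold bare SYNs inside any window seconds."""
    syn_times = defaultdict(list)
    for t, _, dst, _, flags in records:
        if flags == "S":
            syn_times[dst].append(t)
    flooded = set()
    for dst, times in syn_times.items():
        times.sort()
        j = 0
        for i in range(len(times)):          # sliding window over SYN arrivals
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flooded.add(dst)
                break
    return flooded


def analyze(log=SAMPLE_LOG):
    records = parse(log)
    return {"scanners": sequential_scans(records), "flooded_hosts": syn_floods(records)}
```

The flood detector keys on the destination, not the source, because the slide's point is that flood sources are many (DDOS) and usually compromised third parties; the scan detector keys on the (source, destination) pair because the tell-tale is one source walking ports in sequence.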
Review (1): Network Layer
• Virtual Circuits and Datagram Networks
• Routing Principles: Link State Algorithm, Distance Vector Algorithm
• The Internet (IP) Protocol: IPv4 addressing, Datagram format, IP fragmentation, ICMP: Internet Control Message Protocol, IPv6, NAT: Network Address Translation
Review (2): Data link layer
• Introduction and services
• Error detection and correction
• Multiple access protocols: TDMA/FDMA, Random Access Protocols, "Taking Turns" Protocols
• Link-Layer Addressing
• Ethernet
• Hubs and switches
• Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network Security
• What is network security
• Principles of cryptography: Symmetric Key, Public Key
• Authentication: Protocol evolution
• Access control: firewalls
• Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Step | N      | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux     | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
[Figure: network with nodes u, v, w, x, y, z and link costs 1, 1, 1, 2, 2, 2, 3, 3, 5, 5]
Distance vector algorithm (1)
Basic idea: Each node periodically sends its own distance vector estimate to neighbors. When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N
Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only knows the next hop
[Figure: each node: wait for (change in local link cost or msg from neighbor); update]
Why different Intra- and Inter-AS routing? … update traffic. Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
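Both routing algorithms from the review, link state (the Dijkstra pseudocode and table above) and distance vector (the B-F equation above), run on one graph as an added example that is not part of the original slides. The link costs are an assumption: the Kurose & Ross example graph that the slide's table was computed on (u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2), chosen so that the Dijkstra run reproduces the table step by step and the DV run converges to the same costs; the tie-breaking rule in `dijkstra` is likewise this example's choice.

```python
import math
from collections import defaultdict

# Link costs of the slide's example graph (assumption: the Kurose & Ross
# figure the Dijkstra table was computed on; links are symmetric).
LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def cost_table(links):
    c = defaultdict(dict)
    for (a, b), w in links.items():
        c[a][b] = w
        c[b][a] = w
    return c


def dijkstra(links, source):
    """Link-state: returns (order nodes entered N, D, p) as on the slide."""
    c = cost_table(links)
    nodes = sorted(c)
    N = [source]
    D, p, improved = {}, {}, {}
    for v in nodes:                      # initialization
        if v != source:
            D[v] = c[source].get(v, math.inf)
            p[v] = source if v in c[source] else None
            improved[v] = 0
    step = 0
    while len(N) < len(nodes):           # loop until all nodes in N
        step += 1
        # w not in N with minimum D(w); ties go to the most recently
        # improved node, which reproduces the slide's order (y before v)
        w = min((v for v in nodes if v not in N),
                key=lambda v: (D[v], -improved[v], v))
        N.append(w)
        for v, cwv in c[w].items():      # update D(v) for v adjacent to w
            if v not in N and D[w] + cwv < D[v]:
                D[v], p[v], improved[v] = D[w] + cwv, w, step
    return N, D, p


def next_hops(p, source):
    """Forwarding table from the predecessor tree: first hop toward each dest."""
    table = {}
    for dest in p:
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


def distance_vector(links):
    """Synchronous DV rounds with the B-F equation until no vector changes.
    Each node keeps only its own vector and a next hop per destination."""
    c = cost_table(links)
    nodes = sorted(c)
    D = {x: {y: (0 if x == y else c[x].get(y, math.inf)) for y in nodes} for x in nodes}
    hop = {x: {y: (y if y in c[x] else None) for y in nodes if y != x} for x in nodes}
    rounds = 0
    while True:
        rounds += 1
        new_D = {}
        for x in nodes:
            new_D[x] = {}
            for y in nodes:
                if x == y:
                    new_D[x][y] = 0
                    continue
                # D_x(y) <- min_v { c(x,v) + D_v(y) } over x's neighbors v
                best_v, best = None, math.inf
                for v in sorted(c[x]):
                    cand = c[x][v] + D[v][y]
                    if cand < best:
                        best_v, best = v, cand
                new_D[x][y] = best
                hop[x][y] = best_v
        if new_D == D:            # no node's vector changed: converged
            return D, hop, rounds
        D = new_D
```

`next_hops` derives u's forwarding table from the predecessor tree; `distance_vector` never builds that tree, which is the "only knows the next hop" property of the DV slide.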
Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
layer-2 packet is a frame, encapsulates datagram
[Figure: "link" between adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
• Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
• Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)!; seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates
• Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
• Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
• Random Access: channel not divided, allow collisions; "recover" from collisions
• "Taking turns": Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access: access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
• single active node can continuously transmit at full rate of channel
• highly decentralized: only slots in nodes need to be in sync
• simple
Cons:
• collisions, wasting slots
• idle slots
• clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
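The efficiency derivation above carried through numerically and checked against a slot-by-slot simulation, as an added example that is not part of the original slides. It goes slightly beyond the slide: it locates p* by a grid search (the derivative N(1-p)^(N-2)(1-Np) vanishes at p = 1/N, so the grid lands there), evaluates (1-1/N)^(N-1) for large N to show the 1/e limit, and measures the long-run successful-slot fraction with seeded random transmissions. The node count, slot count and seed are this example's choices.

```python
import math
import random


def success_prob(N, p):
    """Prob that exactly one of N nodes transmits in a slot: Np(1-p)^(N-1)."""
    return N * p * (1 - p) ** (N - 1)


def grid_best_p(N, steps=100):
    """p* found numerically over a grid of p values; the derivative
    N(1-p)^(N-2)(1-Np) vanishes at p = 1/N, so the grid should land there."""
    return max((i / steps for i in range(1, steps)), key=lambda p: success_prob(N, p))


def max_efficiency(N):
    """Np*(1-p*)^(N-1) with p* = 1/N, i.e. (1-1/N)^(N-1), which tends to 1/e."""
    return success_prob(N, 1.0 / N)


def simulate(N, p, slots, seed=1):
    """Long-run fraction of slots with exactly one transmitter (a success);
    every node always has a frame ready and transmits w.p. p in each slot."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(N) if rng.random() < p)
        if transmitters == 1:      # 0 = idle slot, >= 2 = collision
            successes += 1
    return successes / slots
```

With ten nodes at p = 0.1 the simulated fraction sits close to (0.9)^9 ≈ 0.387; the remaining slots are split between idle (no transmitter) and collisions, the two "cons" of the previous slide.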
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit: If channel sensed idle: transmit entire frame. If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[Figure: spatial layout of nodes; note: role of distance & propagation delay in determining collision probability]
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
collision detection:
• easy in wired LANs: measure signal strengths, compare transmitted, received signals
• difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]
ARP protocol: Same LAN (network)
• A wants to send datagram to B, and B's MAC address not in A's ARP table
• A broadcasts ARP query packet, containing B's IP address; Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
• B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
• A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
• ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A -- R -- B]
• A creates datagram with source A, destination B
• A uses ARP to get R's MAC address for 111.111.111.110
• A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
• A's adapter sends frame
• R's adapter receives frame
• R removes IP datagram from Ethernet frame, sees it's destined to B
• R uses ARP to get B's MAC address
• R creates frame containing A-to-B IP datagram, sends to B
[Figure: A -- R -- B]
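The ARP behaviour of the two previous slides (broadcast query, unicast reply, soft-state cache with a 20-minute TTL) and the first steps of this walkthrough (routing-table lookup picks R, ARP resolves R's MAC) as an added example that is not part of the original slides. Router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B are the slide's values; A's address, the second host on A's LAN, B's address, the remaining MACs and the `Lan` model are constructed assumptions of this example.

```python
import ipaddress

ARP_TTL = 20 * 60           # seconds: a mapping is forgotten after 20 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Lan:
    """Constructed broadcast LAN (assumption): every attached node sees a
    broadcast; the node owning the queried IP answers with its MAC."""

    def __init__(self, nodes):
        self.owners = dict(nodes)   # ip -> mac of the nodes on this LAN
        self.queries = 0

    def arp_query(self, target_ip):
        self.queries += 1           # frame to FF-FF-FF-FF-FF-FF reaches everyone
        return self.owners.get(target_ip)   # unicast reply, or None if nobody owns it


class Host:
    def __init__(self, ip, mac, network, lan, router_ip):
        self.ip, self.mac = ip, mac
        self.network = ipaddress.ip_network(network)
        self.lan = lan
        self.router_ip = router_ip
        self.arp_table = {}         # ip -> (mac, expiry time): soft state

    def next_hop(self, dst_ip):
        """Routing-table step: on-link destination, else the default router."""
        if ipaddress.ip_address(dst_ip) in self.network:
            return dst_ip
        return self.router_ip

    def resolve(self, ip, now):
        entry = self.arp_table.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]         # still fresh: no broadcast needed
        mac = self.lan.arp_query(ip)
        if mac is None:
            return None
        self.arp_table[ip] = (mac, now + ARP_TTL)   # cache until it times out
        return mac

    def send(self, dst_ip, now):
        """Build the link-layer frame carrying the IP datagram to dst_ip."""
        hop = self.next_hop(dst_ip)
        dst_mac = self.resolve(hop, now)
        if dst_mac is None:
            return None
        return {"dst_mac": dst_mac, "src_mac": self.mac, "datagram": (self.ip, dst_ip)}


def walkthrough():
    """A (on 111.111.111.0/24) sends to B on another LAN via router R, whose
    inside address is 111.111.111.110; the other addresses are constructed."""
    lan = Lan({"111.111.111.110": "E6-E9-00-17-BB-4B",   # R's inside interface
               "111.111.111.112": "CC-49-DE-D0-AB-7D"})  # another host on A's LAN
    a = Host("111.111.111.111", "74-29-9C-E8-FF-55", "111.111.111.0/24", lan, "111.111.111.110")
    f1 = a.send("222.222.222.222", now=0)        # B is off-link: frame goes to R
    f2 = a.send("222.222.222.222", now=600)      # cached mapping, no new query
    f3 = a.send("111.111.111.112", now=600)      # on-link host: ARP for it directly
    f4 = a.send("222.222.222.222", now=ARP_TTL + 1)   # entry expired: query again
    return f1, f2, f3, f4, lan.queries
```

The frame's link-layer destination is R's MAC while the datagram inside still carries B's IP address, which is the point of the walkthrough's third step; R repeats the same resolve step on its other LAN.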
Ethernet uses CSMA/CD
• No slots
• adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
• transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
• Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff: Goal: adapt retransmission attempts to estimated current load: heavy load: random wait will be longer
• first collision: choose K from {0, 1}; delay is K · 512 bit transmission times
• after second collision: choose K from {0, 1, 2, 3} …
• after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}
CSMA/CD efficiency
t_prop = max prop between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
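The exponential backoff of the three Ethernet slides above and the efficiency formula of this one, as an added example that is not part of the original slides: the K range after the m-th collision (capped at 1023 from the tenth collision on), the K · 512 bit-time wait converted to seconds at 10 Mbps, the efficiency expression, and a seeded simulation of colliding adapters drawing K until their delays differ. The number of adapters, the seed and the 16-collision give-up limit in the simulation are this example's assumptions.

```python
import random

JAM_BITS = 48          # jam signal length
SLOT_BITS = 512        # one backoff unit is 512 bit times
MAX_EXPONENT = 10      # K range stops growing after the 10th collision


def backoff_range(m):
    """Largest K after the m-th collision: 2^m - 1, capped at 1023."""
    return 2 ** min(m, MAX_EXPONENT) - 1


def bit_time(bit_rate):
    return 1.0 / bit_rate                   # 0.1 microsec at 10 Mbps


def wait_seconds(K, bit_rate):
    """K * 512 bit times expressed in seconds."""
    return K * SLOT_BITS * bit_time(bit_rate)


def efficiency(t_prop, t_trans):
    """1 / (1 + 5 t_prop / t_trans), the slide's CSMA/CD efficiency formula."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def resolve_collision(n_adapters=2, seed=1, max_collisions=16):
    """Simulate adapters that just collided: after the m-th collision each
    draws K from {0..2^m-1} and retransmits after K*512 bit times. Returns
    the number of collisions it took until exactly one adapter holds the
    smallest K (it then transmits alone), or None if max_collisions
    (assumption: give up after 16) is reached."""
    rng = random.Random(seed)
    m = 1
    while m <= max_collisions:
        ks = [rng.randint(0, backoff_range(m)) for _ in range(n_adapters)]
        # a tie for the smallest K means they retransmit together and
        # collide again; the K range doubles for the next attempt
        if ks.count(min(ks)) == 1:
            return m
        m += 1
    return None
```

`wait_seconds(1023, 10_000_000)` gives 0.0524 s, the "about 50 msec" on the slide, which only works out with the 0.1 microsecond bit time of 10 Mbps Ethernet.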
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter)
[Figure: hub with twisted pair links]
Interconnecting with hubs
Pros:
• Enables interdepartmental communication
• Extends max distance between nodes
• If a hub malfunctions, the backbone hub can disconnect it
Cons:
• Collision domains are transferred into one large common domain
• Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub connecting three hubs]
Switch
Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each connected to a hub]
Self learning
A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table
Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
[Figure: switch connecting three hubs; each hub forms its own collision domain]
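The self-learning and filtering behaviour of the last three slides in one runnable switch model, as an added example that is not part of the original slides: the table holds (MAC address, interface, time stamp), stale entries are dropped after 60 minutes, unknown destinations are flooded, known ones are forwarded to one interface, and a frame whose destination sits on the incoming segment is filtered. The three-interface topology, the host MAC addresses and the timing in `scenario` are constructed assumptions of this example.

```python
SWITCH_TTL = 60 * 60        # stale entries dropped after 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class Switch:
    """Self-learning switch: table of (MAC address, interface, time stamp)."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}          # mac -> (interface, time stamp)

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Learn the sender's location, then decide where the frame goes.
        Returns the list of interfaces the frame is sent out on."""
        # age out stale entries first
        self.table = {m: (i, t) for m, (i, t) in self.table.items()
                      if now - t <= SWITCH_TTL}
        # learn: the sender is reachable through the incoming interface
        self.table[src_mac] = (in_iface, now)
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            # unknown destination: flood all interfaces except the incoming one
            return [i for i in self.interfaces if i != in_iface]
        if entry[0] == in_iface:
            # same-LAN-segment frame: filter, do not forward
            return []
        return [entry[0]]        # selectively forward to the learned interface


def scenario():
    """Constructed topology (assumption): hosts A and C share the hub on
    interface 1; host B is alone on interface 2; interface 3 has no host yet."""
    sw = Switch([1, 2, 3])
    A, B, C = "AA-AA-AA-AA-AA-01", "BB-BB-BB-BB-BB-02", "CC-CC-CC-CC-CC-03"
    out = {}
    out["A->B unknown"] = sw.receive(A, B, 1, now=0)          # flooded to 2 and 3
    out["B->A learned"] = sw.receive(B, A, 2, now=1)          # forwarded only to 1
    out["C->A same segment"] = sw.receive(C, A, 1, now=2)     # filtered: A is on 1
    out["A->B learned"] = sw.receive(A, B, 1, now=3)          # forwarded only to 2
    out["A->B after B aged out"] = sw.receive(A, B, 1, now=SWITCH_TTL + 3)  # flooded again
    return out
```

The filtered C->A frame is the traffic-isolation property: it never leaves the hub on interface 1, so the other segments form separate collision domains and a host on interface 2 cannot sniff it.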
Switches vs. Routers
both store-and-forward devices: routers: network layer devices (examine network layer headers); switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: A, B, C with overlapping radio ranges]
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other, means A, C unaware of their interference at B
[Figure: A's signal strength and C's signal strength vs. space, with B between A and C]
Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender -> receiver: DIFS, data; receiver -> sender: SIFS, ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: A and B contend for AP over time: RTS(A) and RTS(B) collide (reservation collision); A retries RTS(A); AP broadcasts CTS(A) to both; B defers; A sends DATA(A); AP broadcasts ACK(A)]
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
Authentication another try
Protocol ap30 Alice says ldquoI am Alicerdquo and sends her secret password to ldquoproverdquo it
playback attack Trudy records Alicersquos
packetand later
plays it back to Bob
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
Alicersquos password
Authentication yet another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
Failure scenario
ldquoIrsquom AlicerdquoAlicersquos IP addr
encrypted password
OKAlicersquos IP addr
Authentication another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
recordand
playbackstill works
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
Authentication yet another try
Goal avoid playback attack
Failures drawbacks
Nonce number (R) used only once ndashin-a-lifetime
ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice
must return R encrypted with shared secret keyldquoI am Alicerdquo
R
K (R)A-B
Alice is live and only Alice knows key to encrypt
nonce so it must be Alice
Authentication ap50
ap40 requires shared symmetric key can we authenticate using public key techniquesap50 use nonce public key cryptography
ldquoI am Alicerdquo
RBob computes
K (R)A-
ldquosend me your public keyrdquo
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the
private key that encrypted R such that
(K (R)) = RA-
K A+
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alicersquos public key
AK (m)+
Am = K (K (m))+
A-
R
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
  Initialization:
    N' = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞
  Loop
    find w not in N' such that D(w) is a minimum
    add w to N'
    update D(v) for all v adjacent to w and not in N':
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N'
Dijkstra's algorithm example

Step  N'       D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz

[Figure: example graph with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
    D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
- Iterative, asynchronous: each local iteration caused by:
  - local link cost change
  - DV update message from neighbor
- Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
- The algorithm doesn't know the entire path - only knows the next hop
- Each node loops: wait for (change in local link cost or msg from neighbor); update
Why different Intra- and Inter-AS routing?
- Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
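Both routing algorithms from the review, run on the slides' six-node example graph (u, v, w, x, y, z), as an added example that is not code from the slides. The link costs are the ones read off the example table; the synchronous round structure of the distance-vector loop is an assumption made to keep the simulation deterministic.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) routing on the
review's six-node example graph.  Added example for this review, not code from
the slides; link costs are the ones read off the example table."""
INF = float("inf")

# Undirected link costs c(a,b) of the example graph (constructed from the slide).
LINKS = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}


def neighbors(links):
    """Adjacency map: node -> {neighbor: cost}."""
    adj = {}
    for (a, b), c in links.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(links, source):
    """Link-state algorithm from the slide: N' grows by the cheapest node not
    yet in it; D(v) and predecessor p(v) are updated for the neighbours of the
    node just added.  Returns (D, p)."""
    adj = neighbors(links)
    D = {n: INF for n in adj}
    p = {n: None for n in adj}
    D[source] = 0
    for v, c in adj[source].items():          # initialization: D(v) = c(u,v)
        D[v], p[v] = c, source
    n_prime = {source}
    while len(n_prime) < len(adj):
        w = min((n for n in adj if n not in n_prime), key=lambda n: D[n])
        n_prime.add(w)
        for v, c in adj[w].items():            # D(v) = min(D(v), D(w) + c(w,v))
            if v not in n_prime and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p


def distance_vector(links, max_rounds=100):
    """Distance-vector algorithm: every node x keeps D_x(y) for all y and, in
    each round, applies D_x(y) <- min_v { c(x,v) + D_v(y) } over its
    neighbours v, using the vectors they sent in the previous round.  The
    synchronous rounds are an assumption of this simulation; the real
    algorithm is asynchronous.  Returns (vectors, rounds_until_no_change)."""
    adj = neighbors(links)
    nodes = sorted(adj)
    D = {x: {y: (0 if x == y else INF) for y in nodes} for x in nodes}
    for x in nodes:
        for v, c in adj[x].items():
            D[x][v] = c                        # initial estimate: direct link costs only
    for rnd in range(1, max_rounds + 1):
        new = {x: {y: (0 if x == y else min(c + D[v][y] for v, c in adj[x].items()))
                   for y in nodes} for x in nodes}
        if new == D:                           # no DV changed: nothing to notify, done
            return D, rnd
        D = new
    return D, max_rounds


def path(p, source, dest):
    """Walk predecessors back from dest to source."""
    hops = [dest]
    while hops[-1] != source:
        hops.append(p[hops[-1]])
    return hops[::-1]


if __name__ == "__main__":
    D, p = dijkstra(LINKS, "u")
    for n in sorted(D):
        print(f"D({n})={D[n]} via {'-'.join(path(p, 'u', n))}")
    vectors, rounds = distance_vector(LINKS)
    print("distance vector converged after", rounds, "rounds; D_u =", vectors["u"])
```

Dijkstra's final costs and predecessors match the last filled entries of the table above, and the distance-vector run converges to the same costs from every node.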
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
[Figure: nodes along a path joined by "link"s]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
- Framing, link access:
  - encapsulate datagram into frame, adding header, trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source, dest
    - different from IP address!
- Reliable delivery between adjacent nodes
  - we learned how to do this already (chapter 3)!
  - seldom used on low bit error link (fiber, some twisted pair)
  - wireless links: high error rates
    - Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning
  - divide channel into smaller "pieces" (time slots, frequency, code)
  - allocate piece to node for exclusive use
- Random Access
  - channel not divided, allow collisions
  - "recover" from collisions
- "Taking turns"
  - Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
- Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
- At best: channel used for useful transmissions 37% of time!
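The maximization the slide asks for, carried through with the slide's own symbols (added derivation, not part of the original slides):

$$E(p)=Np(1-p)^{N-1},\qquad \frac{dE}{dp}=N(1-p)^{N-2}\bigl[(1-p)-(N-1)p\bigr]=N(1-p)^{N-2}(1-Np)$$

$$\frac{dE}{dp}=0\;\Rightarrow\;p^*=\frac{1}{N},\qquad E(p^*)=\Bigl(1-\frac{1}{N}\Bigr)^{N-1}\xrightarrow{\;N\to\infty\;}\frac{1}{e}\approx 0.37$$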
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
[Figure: spatial layout of nodes and space/time diagram of two overlapping transmissions]
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead; latency; single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead; latency; single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
    < IP address; MAC address; TTL>
  - TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: host A on one LAN, router R, host B on the other LAN]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[Figure: same topology, A to R to B]
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,...,2^m-1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
  - heavy load: random wait will be longer
- first collision: choose K from {0,1}; delay is K·512 bit transmission times
- after second collision: choose K from {0,1,2,3}...
- after ten collisions, choose K from {0,1,2,3,4,...,1023}
CSMA/CD efficiency
- t_prop = max prop delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame
    efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  - can disconnect a malfunctioning adapter
[Figure: hub with twisted pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: three department hubs connected to a backbone hub]
Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
- hosts are unaware of presence of switches
plug-and-play, self-learning
- switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each attached to a hub and its segment]
Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains
[Figure: switch connected to three hubs, each hub forming its own collision domain]
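A self-learning switch table behaving as the two slides above describe (learning from the sender, selective forwarding, flooding unknown destinations, filtering same-segment frames, dropping stale entries after the TTL), added here as an example that is not code from the slides; the interface numbers, MAC labels and timestamps are constructed.

```python
"""Self-learning Ethernet switch table: learns (MAC, interface, time stamp)
from the source of each frame, forwards by destination MAC, floods unknown or
broadcast destinations, filters frames whose destination is on the incoming
segment, and ages entries after the slide's 60-minute TTL.  Added example for
this review, not code from the slides; hosts and MAC labels are constructed."""
from dataclasses import dataclass

TTL_SECONDS = 60 * 60            # stale entries dropped after 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Frame:
    src: str                     # MAC of sender (constructed label)
    dst: str                     # MAC of destination
    payload: str = ""


class LearningSwitch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}          # MAC -> (interface, time stamp)

    def _expire(self, now):
        """Drop entries older than the TTL (soft state)."""
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts > TTL_SECONDS]
        for mac in stale:
            del self.table[mac]

    def receive(self, frame, in_if, now):
        """Process one frame arriving on in_if at time now.  Returns the list
        of interfaces the frame goes out on; an empty list means filtered."""
        self._expire(now)
        # learn: the sender is reachable through the incoming interface
        self.table[frame.src] = (in_if, now)
        if frame.dst != BROADCAST and frame.dst in self.table:
            out_if, _ = self.table[frame.dst]
            if out_if == in_if:
                return []        # same LAN segment: filter, do not forward
            return [out_if]      # selective forwarding onto one segment
        # unknown or broadcast destination: flood all other interfaces
        return [i for i in self.interfaces if i != in_if]


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    print(sw.receive(Frame("A", "B"), in_if=1, now=0))    # B unknown: flood
    print(sw.receive(Frame("B", "A"), in_if=2, now=1))    # A known on 1
    print(sw.receive(Frame("C", "A"), in_if=1, now=2))    # same segment: filtered
    print(sw.table)
```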
Switches vs. Routers
- both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: A, B, C in a line; A and C are each in range of B but not of each other]
Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
- means A, C unaware of their interference at B
[Figure: A's signal strength and C's signal strength plotted against space, each fading out before reaching the other]
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
- 802.11b
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in physical layer
    - all hosts use same chipping code
  - widely deployed, using base stations
- 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
- 802.11g
  - 2.4-5 GHz range
  - up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
  - ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: hosts A and B and an AP over time: RTS(A) and RTS(B) collide at the AP; A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A); B defers for the duration of the reservation]
802.11 frame format (field sizes in bytes):
  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
[Figure: H1 - AP - R1 - Internet router. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]
Network Security
- What is network security?
- Principles of cryptography
  - Symmetric Key
  - Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures
  - Packet sniffing
  - IP spoofing
  - DoS attacks
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
[Figure: Alice sends ("I'm Alice", Alice's IP addr, Alice's password) to Bob; Bob replies (OK, Alice's IP addr)]
playback attack: Trudy records Alice's packet and later plays it back to Bob
[Figure: Trudy replays ("I'm Alice", Alice's IP addr, Alice's password) to Bob]
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
Failure scenario?
[Figure: Alice sends ("I'm Alice", Alice's IP addr, encrypted password) to Bob; Bob replies (OK, Alice's IP addr)]
Authentication: another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
record and playback still works!
[Figure: Trudy replays ("I'm Alice", Alice's IP addr, encrypted password) to Bob; Bob replies (OK, Alice's IP addr)]
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key
[Figure: Alice: "I am Alice"; Bob: R; Alice: K_A-B(R)]
Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!
Failures, drawbacks?
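The record-and-playback attack on ap3.1 and the ap4.0 nonce defence, simulated end to end as an added example (not code from the slides). Assumptions: HMAC-SHA256 under the shared key stands in for the slide's K_A-B(·) encryption of the nonce and password, all parties run in one process, and the key and password are constructed.

```python
"""ap3.1 (encrypted password) versus ap4.0 (nonce challenge) against a replay.
Added example for this review, not code from the slides.  HMAC-SHA256 under
the shared key K_A-B stands in for the slide's symmetric encryption K_A-B(.);
the key and password below are constructed."""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key-K_A-B"


def keyed(key: bytes, msg: bytes) -> bytes:
    """Keyed function standing in for K_A-B(msg)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class BobAp31:
    """ap3.1: Bob accepts whoever presents the right encrypted password.
    The message never changes, so a recording of it is as good as the key."""
    def __init__(self, key):
        self.expected = keyed(key, b"alice-password")   # constructed password

    def verify(self, claimed_id, encrypted_password):
        return claimed_id == "Alice" and hmac.compare_digest(encrypted_password, self.expected)


class BobAp40:
    """ap4.0: Bob sends a fresh nonce R and accepts only K_A-B(R) for that R.
    Each R is used once in a lifetime, so a recorded answer never matches."""
    def __init__(self, key):
        self.key = key
        self.outstanding = {}        # claimed id -> nonce awaiting an answer
        self.used = set()

    def challenge(self, claimed_id):
        R = secrets.token_bytes(16)
        while R in self.used:        # enforce once-in-a-lifetime
            R = secrets.token_bytes(16)
        self.used.add(R)
        self.outstanding[claimed_id] = R
        return R

    def verify(self, claimed_id, response):
        R = self.outstanding.pop(claimed_id, None)
        if R is None:
            return False             # no live challenge: nothing to answer
        return hmac.compare_digest(response, keyed(self.key, R))


def alice_answer(R):
    """Alice proves liveness: return R encrypted with the shared key."""
    return keyed(SHARED_KEY, R)


def run_ap31_replay():
    """Returns (Alice accepted, Trudy's replay accepted)."""
    bob = BobAp31(SHARED_KEY)
    msg = keyed(SHARED_KEY, b"alice-password")   # Alice's login message
    alice_ok = bob.verify("Alice", msg)
    trudy_ok = bob.verify("Alice", msg)          # Trudy replays the recording
    return alice_ok, trudy_ok


def run_ap40_replay():
    """Returns (Alice accepted, Trudy's replay accepted, nonces differ)."""
    bob = BobAp40(SHARED_KEY)
    R1 = bob.challenge("Alice")
    recorded = alice_answer(R1)                  # Trudy records K_A-B(R1)
    alice_ok = bob.verify("Alice", recorded)
    R2 = bob.challenge("Alice")                  # later Trudy says "I am Alice"
    trudy_ok = bob.verify("Alice", recorded)     # and replays the old answer
    return alice_ok, trudy_ok, R1 != R2


if __name__ == "__main__":
    print("ap3.1 (alice, replay):", run_ap31_replay())
    print("ap4.0 (alice, replay, fresh nonce):", run_ap40_replay())
```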
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: Alice: "I am Alice"; Bob: R; Alice: K_A^-(R); Bob: "send me your public key"; Alice: K_A^+]
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
[Figure: Alice - Trudy - Bob.
  Alice: "I am Alice" -> Trudy;  Trudy: "I am Alice" -> Bob
  Bob: R -> Trudy;  Trudy: R -> Alice
  Alice: K_A^-(R) -> Trudy;  Trudy: K_T^-(R) -> Bob
  Bob: "Send me your public key" -> Trudy;  Trudy: K_T^+ -> Bob
  Trudy: "Send me your public key" -> Alice;  Alice: K_A^+ -> Trudy
  Bob: K_T^+(m) -> Trudy;  Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice's public key: K_A^+(m) -> Alice;  Alice: m = K_A^-(K_A^+(m))]
Difficult to detect:
- Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation)
- problem is that Trudy receives all messages as well!
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Firewalls
firewall: isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others.
[Figure: administered network - firewall - public Internet]
Firewalls: Why
- prevent denial of service attacks:
  - SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
- prevent illegal modification/access of internal data.
  - e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls:
- application-level
- packet-filtering
Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet, decision to forward/drop packet based on:
  - source IP address, destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
[Figure: Should arriving packet be allowed in? Departing packet let out?]
Packet Filtering
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  - All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: Block inbound TCP SYN packets.
  - Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
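A stateless packet filter implementing Example 1 and Example 2 above together with the ingress-filtering rule from the IP-spoofing countermeasures slide, added as an example that is not code from the slides. The internal prefix 111.111.111.0/24 (taken from the router address used in the ARP walkthrough), the rule order and the sample packets are constructed.

```python
"""Stateless packet filter for the slides' Example 1 (drop UDP and telnet),
Example 2 (drop inbound TCP SYN) and ingress filtering (drop outgoing packets
whose source is not in the router's own network).  Added example, not code
from the slides; the internal prefix, rule order and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("111.111.111.0/24")   # constructed internal network
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                       # IP protocol field
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False                # TCP flag bits (ignored for UDP)
    ack: bool = False


def ingress_filter(pkt: Packet) -> bool:
    """Outgoing packets must carry a source address inside the router's own
    network; any other source is spoofed.  True = drop."""
    return ip_address(pkt.src) not in INTERNAL_NET


def example1(pkt: Packet) -> bool:
    """Example 1: IP protocol = 17 (UDP), or source or dest port = 23
    (telnet), in either direction.  True = drop."""
    return pkt.proto == PROTO_UDP or 23 in (pkt.sport, pkt.dport)


def example2_inbound(pkt: Packet) -> bool:
    """Example 2: inbound TCP SYN without ACK opens a connection from outside
    and is dropped; the SYN+ACK answering an inside-initiated connection
    passes, so internal clients can still connect out.  True = drop."""
    return pkt.proto == PROTO_TCP and pkt.syn and not pkt.ack


def decide(pkt: Packet, outbound: bool) -> str:
    """Apply the rules in order and return the decision with its reason."""
    if outbound and ingress_filter(pkt):
        return "drop: spoofed source"
    if example1(pkt):
        return "drop: UDP or telnet"
    if not outbound and example2_inbound(pkt):
        return "drop: inbound SYN"
    return "forward"


if __name__ == "__main__":
    inside, outside = "111.111.111.5", "203.0.113.9"     # constructed hosts
    print(decide(Packet(inside, outside, PROTO_TCP, 40000, 80, syn=True), outbound=True))
    print(decide(Packet(outside, inside, PROTO_TCP, 80, 40000, syn=True, ack=True), outbound=False))
    print(decide(Packet(outside, inside, PROTO_TCP, 50000, 80, syn=True), outbound=False))
    print(decide(Packet("203.0.113.77", outside, PROTO_TCP, 1, 80, syn=True), outbound=True))
```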
Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter]
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway.
Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple app's need special treatment, each has own app gateway.
- client software must know how to contact gateway.
  - e.g., must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP.
- tradeoff: degree of communication with outside world, level of security
- many highly protected sites still suffer from attacks.
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Internet security threats
Mapping:
- before attacking: "case the joint" - find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
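The two detections the slides describe as countermeasures, sequential port scanning (mapping) and SYN flooding (the DoS countermeasures slide: identify flooded packets before they reach the host), run over recorded traffic as an added example that is not code from the slides; the record format, thresholds, addresses and log lines are all constructed.

```python
"""Two of the slides' countermeasures run as detections over traffic records:
sequential port scanning (mapping) and SYN flooding (DoS/DDoS).  Added example,
not code from the slides; the record format, thresholds, addresses and log
lines are all constructed."""
from collections import defaultdict

# Constructed records: "<time_s> <src_ip> <dst_ip> <proto> <dst_port> <tcp_flags>"
# (S = bare SYN, SA = SYN+ACK, A = ACK).
SAMPLE_LOG = """\
0 10.0.0.5 192.0.2.10 tcp 80 S
1 198.51.100.7 192.0.2.10 tcp 21 S
1 198.51.100.7 192.0.2.10 tcp 22 S
2 198.51.100.7 192.0.2.10 tcp 23 S
2 198.51.100.7 192.0.2.10 tcp 24 S
3 198.51.100.7 192.0.2.10 tcp 25 S
3 198.51.100.7 192.0.2.10 tcp 26 S
4 10.0.0.5 192.0.2.10 tcp 80 A
5 203.0.113.1 192.0.2.20 tcp 80 S
5 203.0.113.2 192.0.2.20 tcp 80 S
5 203.0.113.3 192.0.2.20 tcp 80 S
6 203.0.113.4 192.0.2.20 tcp 80 S
6 203.0.113.5 192.0.2.20 tcp 80 S
6 203.0.113.6 192.0.2.20 tcp 80 S
7 203.0.113.7 192.0.2.20 tcp 80 S
7 203.0.113.8 192.0.2.20 tcp 80 S
"""


def parse(log):
    """Turn the constructed records into dicts."""
    recs = []
    for line in log.splitlines():
        t, src, dst, proto, dport, flags = line.split()
        recs.append({"t": int(t), "src": src, "dst": dst,
                     "proto": proto, "dport": int(dport), "flags": flags})
    return recs


def bare_syn(rec):
    """A connection attempt: TCP with SYN set and no ACK."""
    return rec["proto"] == "tcp" and rec["flags"] == "S"


def sequential_scans(recs, min_ports=5):
    """(src, dst, first_port, last_port) for sources that probe at least
    min_ports distinct ports on one host where the ports form an unbroken
    run: the slide's 'ports being scanned sequentially'."""
    ports = defaultdict(set)
    for r in recs:
        if bare_syn(r):
            ports[(r["src"], r["dst"])].add(r["dport"])
    hits = []
    for (src, dst), ps in ports.items():
        if len(ps) >= min_ports and max(ps) - min(ps) + 1 == len(ps):
            hits.append((src, dst, min(ps), max(ps)))
    return sorted(hits)


def syn_floods(recs, window_s=5, min_syns=8):
    """(dst, syn_count, distinct_sources) for destinations receiving at least
    min_syns bare SYNs inside some window of window_s seconds.  The
    distinct-source count separates a single-source SYN attack from a
    distributed (DDoS) one."""
    by_dst = defaultdict(list)
    for r in recs:
        if bare_syn(r):
            by_dst[r["dst"]].append((r["t"], r["src"]))
    hits = []
    for dst, events in by_dst.items():
        events.sort()
        for t0, _ in events:
            win = [e for e in events if t0 <= e[0] < t0 + window_s]
            if len(win) >= min_syns:
                hits.append((dst, len(win), len({s for _, s in win})))
                break
    return sorted(hits)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("sequential scans:", sequential_scans(recs))
    print("SYN floods:", syn_floods(recs))
```

On the sample, the six-port run from 198.51.100.7 is reported as a scan but stays under the flood threshold, while the eight single-SYN sources hitting 192.0.2.20 within two seconds are reported as a distributed flood.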
Internet security threats: Packet sniffing
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g.: C sniffs B's packets
[Figure: hosts A, B and C on one LAN; B's packet "src:B dest:A payload" is also read by C]
Countermeasures?
Internet security threats: Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode.
- one host per segment of broadcast media (switched Ethernet at hub)
[Figure: hosts A, B and C; the packet "src:B dest:A payload"]
Internet security threats: IP Spoofing
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed, e.g., C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward a frame?
• Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
- A switch has a switch table
- Entry in the switch table: (MAC address, interface, time stamp)
- Stale entries in the table are dropped (TTL can be 60 min)
- The switch learns which hosts can be reached through which interfaces
  - when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment
  - records the sender/location pair in the switch table
Switch: traffic isolation
- Switch installation breaks the subnet into LAN segments
- The switch filters packets:
  - same-LAN-segment frames are not usually forwarded onto other LAN segments
  - segments become separate collision domains
[Figure: switch connecting three hubs, each hub forming its own collision domain]
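The self-learning and filtering behaviour of the two slides above, as an added example that is not code from the slides: a switch table of (MAC address, interface, time stamp) entries with aging, flooding of unknown destinations, and filtering of same-segment frames. Interface numbers, MAC addresses and the frame sequence are constructed.

```python
"""Self-learning switch with table aging and traffic isolation (added example,
not code from the slides). Interfaces, MAC addresses and frames are constructed."""
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Frame:
    src: str
    dst: str


class LearningSwitch:
    """Switch table entries are (MAC address, interface, time stamp), as on the slide."""

    def __init__(self, interfaces, ttl_seconds=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds          # slide: TTL can be 60 min
        self.table = {}                 # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        # Stale entries are dropped so a host that moved segments is relearned
        # instead of having its frames sent to the wrong segment indefinitely.
        for mac in [m for m, (_, ts) in self.table.items() if now - ts > self.ttl]:
            del self.table[mac]

    def receive(self, frame, in_iface, now):
        """Handle one frame arriving on in_iface at time `now` (seconds).
        Returns the list of interfaces the frame is forwarded on."""
        self._drop_stale(now)
        # Self-learning: the sender is reachable through the incoming interface.
        self.table[frame.src] = (in_iface, now)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # Unknown or broadcast destination: flood out all other interfaces.
            # Until the destination is learned, every segment sees the frame, so the
            # isolation the slide describes only holds for learned destinations.
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            # Traffic isolation: a same-segment frame is filtered, not forwarded.
            return []
        return [out_iface]


def demo():
    """Three hub segments on interfaces 1, 2, 3 (constructed scenario).
    Returns the forwarding decisions and the final switch table."""
    sw = LearningSwitch(interfaces=[1, 2, 3], ttl_seconds=3600)
    a, b, c = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"
    decisions = []
    decisions.append(sw.receive(Frame(a, b), in_iface=1, now=0))      # B unknown: flood to 2, 3
    decisions.append(sw.receive(Frame(b, a), in_iface=2, now=1))      # A known on 1: forward to 1 only
    decisions.append(sw.receive(Frame(c, b), in_iface=2, now=2))      # C and B on one segment: filtered
    decisions.append(sw.receive(Frame(a, b), in_iface=1, now=3605))   # all entries aged out: flood again
    return decisions, sw.table


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
```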
Switches vs. Routers
- Both are store-and-forward devices
  - routers: network-layer devices (examine network-layer headers)
  - switches: link-layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: nodes A, B, C, with A and C each in range of B but not of each other]
- Hidden terminal problem
  - B, A hear each other
  - B, C hear each other
  - A, C cannot hear each other
  - means A, C are unaware of their interference at B
[Figure: A's and C's signal strength versus space, each reaching B but not the other]
- Signal fading
  - B, A hear each other
  - B, C hear each other
  - A, C cannot hear each other, interfering at B
IEEE 802.11 Wireless LAN
- 802.11b
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in the physical layer
    • all hosts use the same chipping code
  - widely deployed, using base stations
- 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
- 802.11g
  - 2.4-5 GHz range
  - up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions
802.11 LAN architecture
- Wireless host communicates with a base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
- Ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK, increase the random backoff interval, repeat 2
802.11 receiver
- If the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem)
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: A and B both send RTS to the AP and the reservations collide (RTS(A), RTS(B)); A's later RTS(A) succeeds; the AP broadcasts CTS(A); A sends DATA(A) while B defers; the AP returns ACK(A). Time runs downward.]
802.11 frame: addressing
Frame format (field lengths in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
- Address 1: MAC address of the wireless host or AP to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode
802.11 frame: addressing
[Figure: host H1 sends through the AP to router R1, which connects to the Internet]
802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (AP to R1): dest address = R1 MAC addr, source address = AP MAC addr
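A builder and parser for the data-frame layout on the slide (2 | 2 | 6 | 6 | 6 | 2 | 6 | 0-2312 | 4 bytes), added here as an example and not code from the slides. It checks the CRC before trusting any address field and handles the optional address 4; the MAC addresses and payload it uses are constructed.

```python
"""802.11 data-frame builder/parser for the field layout on the slide
(added example, not code from the slides). MAC addresses and payloads are constructed."""
import struct
import zlib

HEADER_FMT = "<HH6s6s6sH"                 # frame control, duration, address 1-3, seq control
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes before the optional address 4
CRC_LEN = 4
MAX_PAYLOAD = 2312
FC_TYPE_DATA = 0x0008   # frame control: type bits (2-3) = 10b (data), subtype 0
FC_TO_DS = 0x0100       # frame control bit 8: To DS
FC_FROM_DS = 0x0200     # frame control bit 9: From DS


def mac_to_bytes(s):
    return bytes(int(x, 16) for x in s.split("-"))


def mac_to_str(b):
    return "-".join(f"{x:02X}" for x in b)


def build_frame(addr1, addr2, addr3, payload, seq_num=0, to_ds=True, from_ds=False, addr4=None):
    """Host-to-AP data frame as on the slide: addr1 = receiver (AP), addr2 = transmitter
    (host), addr3 = router interface behind the AP. CRC-32 (as in 802.3/802.11) is appended."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    if to_ds and from_ds and addr4 is None:
        raise ValueError("address 4 is required when To DS and From DS are both set")
    fc = FC_TYPE_DATA | (FC_TO_DS if to_ds else 0) | (FC_FROM_DS if from_ds else 0)
    seq_ctrl = (seq_num & 0x0FFF) << 4     # 12-bit sequence number, 4-bit fragment number
    header = struct.pack(HEADER_FMT, fc, 0, mac_to_bytes(addr1),
                         mac_to_bytes(addr2), mac_to_bytes(addr3), seq_ctrl)
    if addr4 is not None:
        header += mac_to_bytes(addr4)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Return the header fields and payload, or raise ValueError on a bad frame.
    The CRC is checked first: a corrupted frame must not be trusted for its addresses."""
    if len(frame) < HEADER_LEN + CRC_LEN:
        raise ValueError("frame shorter than header + CRC")
    body = frame[:-CRC_LEN]
    (crc,) = struct.unpack("<I", frame[-CRC_LEN:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch")
    fc, duration, a1, a2, a3, seq_ctrl = struct.unpack_from(HEADER_FMT, body, 0)
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    offset = HEADER_LEN
    addr4 = None
    if to_ds and from_ds:                  # address 4 present only when both DS bits are set
        if len(body) < offset + 6:
            raise ValueError("missing address 4")
        addr4 = mac_to_str(body[offset:offset + 6])
        offset += 6
    payload = body[offset:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    return {
        "to_ds": to_ds, "from_ds": from_ds, "duration": duration,
        "address1": mac_to_str(a1), "address2": mac_to_str(a2), "address3": mac_to_str(a3),
        "address4": addr4, "seq_num": seq_ctrl >> 4, "frag_num": seq_ctrl & 0xF,
        "payload": payload,
    }


if __name__ == "__main__":
    # Constructed addresses standing in for AP, H1 and R1 on the slide.
    f = build_frame("02-00-00-00-00-A0", "02-00-00-00-00-01", "02-00-00-00-00-F1", b"hello", seq_num=7)
    print(parse_frame(f))
```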
Network Security
- What is network security?
- Principles of cryptography
  - symmetric key, public key
- Authentication
  - protocol evolution
- Access control: firewalls
- Attacks and countermeasures
  - packet sniffing, IP spoofing, DoS attacks
Network Security
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
Failure scenario?
[Figure: Alice sends "I'm Alice", Alice's IP addr and her encrypted password; Bob replies OK to Alice's IP addr]
Authentication: another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
Record and playback still works!
[Figure: Alice sends "I'm Alice", Alice's IP addr and the encrypted password; Bob replies OK to Alice's IP addr; Trudy later replays the recorded "I'm Alice", Alice's IP addr and encrypted password]
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice "live", Bob sends Alice nonce R. Alice must return R, encrypted with the shared secret key.
[Figure: Alice: "I am Alice"; Bob: R; Alice: K_A-B(R)]
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!
Failures, drawbacks?
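The ap4.0 exchange above, as an added example that is not code from the slides. The slides write Alice's reply as K_A-B(R), R encrypted under the shared key; here that keyed transform is modelled with HMAC-SHA256 (an assumption), and the verifier enforces the once-in-a-lifetime nonce so that the record-and-playback that broke ap3.1 is rejected.

```python
"""ap4.0 nonce challenge-response (added example, not code from the slides).
K_A-B(R) is modelled as HMAC-SHA256(shared key, R), which is an assumption."""
import hashlib
import hmac
import secrets


def prove_liveness(shared_key, nonce):
    """Alice's step: return K_A-B(R), computed here as HMAC(shared key, R)."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


class Bob:
    """Verifier: issues a fresh nonce per attempt and checks the keyed reply."""

    def __init__(self, shared_keys):
        self.keys = dict(shared_keys)   # identity -> shared secret key
        self.pending = {}               # identity -> nonce awaiting a reply
        self.issued = set()             # every nonce ever sent: used only once in a lifetime

    def challenge(self, identity):
        if identity not in self.keys:
            raise KeyError(f"no shared key for {identity}")
        nonce = secrets.token_bytes(16)
        while nonce in self.issued:     # astronomically unlikely, but keep the guarantee explicit
            nonce = secrets.token_bytes(16)
        self.issued.add(nonce)
        self.pending[identity] = nonce
        return nonce

    def verify(self, identity, reply):
        nonce = self.pending.pop(identity, None)   # each nonce is checked at most once
        if nonce is None:
            return False
        expected = prove_liveness(self.keys[identity], nonce)
        return hmac.compare_digest(expected, reply)   # constant-time comparison


def honest_run(bob, alice_key, identity="Alice"):
    """'I am Alice' -> Bob sends R -> Alice returns K_A-B(R) -> Bob checks it."""
    nonce = bob.challenge(identity)
    reply = prove_liveness(alice_key, nonce)
    return bob.verify(identity, reply), reply


def playback_run(bob, recorded_reply, identity="Alice"):
    """The ap3.1 failure scenario applied to ap4.0: a recorded reply is replayed.
    Bob issues a new R, so K_A-B(R_old) no longer matches and is rejected."""
    bob.challenge(identity)
    return bob.verify(identity, recorded_reply)


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed shared key K_A-B
    bob = Bob({"Alice": key})
    ok, reply = honest_run(bob, key)
    print("honest run accepted:", ok)                       # True
    print("playback accepted:", playback_run(bob, reply))  # False
```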
Authentication: ap5.0
ap4.0 requires a shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: Alice: "I am Alice"; Bob: R; Alice: K_A^-(R); Bob: "send me your public key"; Alice: K_A^+]
Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key that encrypted R such that K_A^+(K_A^-(R)) = R.
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).
[Figure: Bob sends R to "Alice" (really Trudy), who returns K_T^-(R); Bob says "send me your public key" and receives K_T^+. Meanwhile Trudy sends R to Alice, receives K_A^-(R), says "send me your public key" and receives K_A^+. Bob sends K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)) and sends m to Alice encrypted with Alice's public key, K_A^+(m); Alice computes m = K_A^-(K_A^+(m)).]
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice).
Difficult to detect:
- Bob receives everything that Alice sends, and vice versa (e.g., so Bob and Alice can meet one week later and recall the conversation)
- The problem is that Trudy receives all messages as well!
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
Firewalls
Firewall: isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
[Figure: administered network | firewall | public Internet]
Firewalls: Why
- Prevent denial of service attacks:
  - SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
- Prevent illegal modification/access of internal data
  - e.g., attacker replaces CIA's homepage with something else
- Allow only authorized access to the inside network (set of authenticated users/hosts)
- Two types of firewalls:
  - application-level
  - packet-filtering
Packet Filtering
- Internal network connected to the Internet via a router firewall
- Router filters packet-by-packet; the decision to forward/drop a packet is based on:
  - source IP address, destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
[Figure: Should the arriving packet be allowed in? Should the departing packet be let out?]
Packet Filtering
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  - All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP SYN packets.
  - Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to the outside.
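The two example rules above as a stateless filter, added here as an example and not code from the slides. Example 1 is implemented as two checks (UDP; port 23 in either direction), which is what the slide's stated effect requires, and Example 2 drops only SYNs with ACK clear so that replies to internal clients still pass; the internal prefix and the packets are constructed.

```python
"""Stateless packet filter for the two rules on the slide (added example, not
code from the slides). The internal prefix and the packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTO_TCP = 6
PROTO_UDP = 17
TELNET_PORT = 23
INTERNAL = ip_network("10.0.0.0/8")   # constructed: the administered network


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False


def direction(pkt):
    """'inbound' = from the public Internet into the internal net, 'outbound' = the reverse."""
    src_in = ip_address(pkt.src) in INTERNAL
    dst_in = ip_address(pkt.dst) in INTERNAL
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "other"


def example1_blocks(pkt, d):
    """Example 1: drop UDP (IP protocol 17) and anything with a port of 23, in both
    directions; this is the slide's stated effect (all UDP flows and telnet blocked)."""
    return pkt.proto == PROTO_UDP or TELNET_PORT in (pkt.sport, pkt.dport)


def example2_blocks(pkt, d):
    """Example 2: drop inbound TCP SYN. Only the initial SYN (ACK clear) is dropped;
    a SYN+ACK coming back to an internal client must pass, otherwise internal
    clients could never connect outward, which the slide says they still can."""
    return d == "inbound" and pkt.proto == PROTO_TCP and pkt.syn and not pkt.ack


RULES = [("example1", example1_blocks), ("example2", example2_blocks)]


def filter_packet(pkt, rules=RULES):
    """First matching block rule wins; otherwise the packet is forwarded."""
    d = direction(pkt)
    for name, blocks in rules:
        if blocks(pkt, d):
            return ("drop", name)
    return ("forward", "default")


def run_samples():
    """Constructed traffic exercising each rule; returns the verdicts in order."""
    samples = [
        Packet("198.51.100.4", "10.0.0.53", PROTO_UDP, 40000, 53),                    # inbound UDP
        Packet("10.0.0.8", "203.0.113.9", PROTO_TCP, 51000, 23, syn=True),            # outbound telnet
        Packet("203.0.113.9", "10.0.0.80", PROTO_TCP, 51001, 80, syn=True),           # inbound SYN
        Packet("203.0.113.9", "10.0.0.8", PROTO_TCP, 80, 51002, syn=True, ack=True),  # reply to inside client
        Packet("10.0.0.8", "203.0.113.9", PROTO_TCP, 51002, 80, syn=True),            # outbound SYN
        Packet("203.0.113.9", "10.0.0.8", PROTO_TCP, 80, 51002, ack=True),            # inbound data segment
    ]
    return [filter_packet(p) for p in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```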
Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
[Figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway; router and filter]
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the dest host. The gateway relays data between the 2 connections.
3. The router filter blocks all telnet connections not originating from the gateway.
Limitations of firewalls and gateways
- IP spoofing: the router can't know if data "really" comes from the claimed source
- If multiple apps need special treatment, each has its own app gateway
- Client software must know how to contact the gateway
  - e.g., must set the IP address of the proxy in the Web browser
- Filters often use an all-or-nothing policy for UDP
- Tradeoff: degree of communication with the outside world vs. level of security
- Many highly protected sites still suffer from attacks
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
Internet security threats
Mapping:
- before attacking: "case the joint", find out what services are implemented on the network
- use ping to determine what hosts have addresses on the network
- port-scanning: try to establish a TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures
- record traffic entering the network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
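The countermeasure above, as an added example that is not code from the slides: recorded connection events are parsed and each source is checked for the sequential pattern the slide names, consecutive ports against one host (a port scan) or consecutive host addresses (a sweep). The log format and its lines are constructed.

```python
"""Detect sequential port scans and host sweeps in a recorded connection log
(added example, not code from the slides). The log format and lines are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address

LINE_RE = re.compile(
    r"t=(?P<t>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?"
)

# Constructed sample: one port scan, one ICMP host sweep, and ordinary web traffic.
SAMPLE_LOG = """\
t=1 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=21
t=2 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=22
t=3 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=23
t=4 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=24
t=5 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=25
t=6 src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=26
t=10 src=198.51.100.9 dst=10.0.0.1 proto=icmp
t=11 src=198.51.100.9 dst=10.0.0.2 proto=icmp
t=12 src=198.51.100.9 dst=10.0.0.3 proto=icmp
t=13 src=198.51.100.9 dst=10.0.0.4 proto=icmp
t=14 src=198.51.100.9 dst=10.0.0.5 proto=icmp
t=20 src=192.0.2.3 dst=10.0.0.5 proto=tcp dport=80
t=21 src=192.0.2.3 dst=10.0.0.5 proto=tcp dport=443
t=22 src=192.0.2.3 dst=10.0.0.7 proto=tcp dport=80
"""


def parse_log(text):
    """Parse records into dicts, sorted by time; lines not in the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "t": int(d["t"]), "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "dport": int(d["dport"]) if d["dport"] is not None else None,
        })
    return sorted(events, key=lambda e: e["t"])


def longest_sequential_run(seq, window):
    """seq: (time, value) pairs in time order. Length of the longest run in which each
    value is the previous value + 1 and the whole run spans at most `window` seconds."""
    best = run = 0
    prev = start = None
    for t, v in seq:
        if prev is not None and v == prev + 1 and t - start <= window:
            run += 1
        else:
            run, start = 1, t
        prev = v
        best = max(best, run)
    return best


def detect_scans(text, min_run=5, window=60):
    """Return alerts as (kind, src, dst, run length) tuples."""
    by_pair = defaultdict(list)   # (src, dst) -> [(t, dport)] for the port-scan check
    by_src = defaultdict(list)    # src -> [(t, dst as int)] for the host-sweep check
    for e in parse_log(text):
        if e["dport"] is not None:
            by_pair[(e["src"], e["dst"])].append((e["t"], e["dport"]))
        addr = int(ip_address(e["dst"]))
        if not by_src[e["src"]] or by_src[e["src"]][-1][1] != addr:
            by_src[e["src"]].append((e["t"], addr))   # collapse repeats of the same host
    alerts = []
    for (src, dst), seq in by_pair.items():
        run = longest_sequential_run(seq, window)
        if run >= min_run:
            alerts.append(("port-scan", src, dst, run))
    for src, seq in by_src.items():
        run = longest_sequential_run(seq, window)
        if run >= min_run:
            alerts.append(("host-sweep", src, None, run))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```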
Internet security threats
Packet sniffing:
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g., C sniffs B's packets
[Figure: A, B and C on a shared segment; C reads the frame src:B dest:A payload]
Countermeasures?
Internet security threats
Packet sniffing: countermeasures
- all hosts in the organization run software that checks periodically if the host interface is in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at the hub)
[Figure: A, B and C each on its own switched segment; the frame src:B dest:A payload reaches only A]
Internet security threats
IP spoofing:
- can generate "raw" IP packets directly from the application, putting any value into the IP source address field
- the receiver can't tell if the source is spoofed
- e.g., C pretends to be B
[Figure: A, B and C; C sends a frame with src:B dest:A payload]
Countermeasures?
Internet security threats
IP spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in the router's network)
- great, but ingress filtering cannot be mandated for all networks
[Figure: A, B and C; the spoofed frame src:B dest:A payload]
Internet security threats
Denial of service (DOS):
- flood of maliciously generated packets "swamps" the receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp the receiver
- e.g., C and a remote host SYN-attack A
[Figure: A flooded with SYN packets from C and from a remote host]
Countermeasures?
Internet security threats
Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad
- traceback to the source of floods (most likely an innocent, compromised machine)
[Figure: A under SYN flood from C and from a remote host]
Review (1): Network Layer
- Virtual circuits and datagram networks
- Routing principles
  • Link state algorithm
  • Distance vector algorithm
- The Internet (IP) protocol
  • IPv4 addressing
  • Datagram format
  • IP fragmentation
  • ICMP: Internet Control Message Protocol
  • IPv6
  • NAT: Network Address Translation
Review (2): Data Link Layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  • TDMA/FDMA
  • Random access protocols
  • "Taking turns" protocols
- Link-layer addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks
  - CDMA
  - IEEE 802.11 wireless LANs
Review (3): Network Security
- What is network security?
- Principles of cryptography
  - symmetric key, public key
- Authentication
  - protocol evolution
- Access control: firewalls
- Attacks and countermeasures
  - packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology and link cost info; "link state" algorithms
- Decentralized: the router knows its physically-connected neighbors and the link costs to neighbors; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm example
Step | N       | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u       | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux      | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy     | 2,u       | 3,y       |           |           | 4,y
3    | uxyv    |           | 3,y       |           |           | 4,y
4    | uxyvw   |           |           |           |           | 4,y
5    | uxyvwz  |           |           |           |           |
[Figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:

  D_x(y) ← min_v { c(x,v) + D_v(y) }    for each node y ∈ N

- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
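Both algorithms of the two preceding slides run on the graph of the Dijkstra example slide, as an added example that is not code from the slides: Dijkstra follows the slide's pseudocode step by step, and the distance-vector routine applies the B-F equation round by round until no vector changes, keeping only next hops. The link costs are the ones in the example slide's figure and table.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) routing on the
slides' example graph. Added example, not code from the slides; the link costs
are those of the slides' figure and table (nodes u, v, w, x, y, z)."""
INF = float("inf")

# Undirected links with costs, as drawn on the Dijkstra example slide.
LINKS = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def adjacency(links):
    """node -> {neighbor: cost}, i.e. c(x,v) in the slides' notation."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def dijkstra(links, source):
    """Global (link-state) algorithm, following the slides' pseudocode.
    Returns D (least cost from source) and p (predecessor on that path)."""
    adj = adjacency(links)
    N = {source}                                            # N = {u}
    D = {v: adj[source].get(v, INF) for v in adj}           # D(v) = c(u,v) or infinity
    D[source] = 0
    p = {v: source for v in adj[source]}
    while len(N) < len(adj):                                 # until all nodes in N
        w = min((v for v in adj if v not in N), key=D.get)  # w not in N with minimum D(w)
        N.add(w)
        for v, cost in adj[w].items():
            if v not in N and D[w] + cost < D[v]:            # D(v) = min(D(v), D(w) + c(w,v))
                D[v], p[v] = D[w] + cost, w
    return D, p


def distance_vector(links, max_rounds=50):
    """Decentralized algorithm: each node keeps its own vector D_x and applies
    D_x(y) <- min over neighbors v of c(x,v) + D_v(y) to the vectors its neighbors
    sent, until nothing changes. Returns (vectors, next hops, rounds used)."""
    adj = adjacency(links)
    nodes = list(adj)
    dv = {x: {y: (0 if x == y else adj[x].get(y, INF)) for y in nodes} for x in nodes}
    next_hop = {x: {y: (y if y in adj[x] else None) for y in nodes} for x in nodes}
    for rnd in range(1, max_rounds + 1):
        received = {x: dict(dv[x]) for x in nodes}           # vectors exchanged this round
        changed = False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                v_best = min(adj[x], key=lambda v: adj[x][v] + received[v][y])
                cost = adj[x][v_best] + received[v_best][y]
                if cost != dv[x][y]:
                    dv[x][y], next_hop[x][y], changed = cost, v_best, True
        if not changed:
            return dv, next_hop, rnd                         # converged: nothing left to notify
    return dv, next_hop, max_rounds


if __name__ == "__main__":
    D, p = dijkstra(LINKS, "u")
    print("Dijkstra from u:", D, p)                          # D(z) = 4 via y, as in the table
    dv, nh, rounds = distance_vector(LINKS)
    print("DV converged after", rounds, "rounds; u's next hops:", nh["u"])
```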
Distance Vector Algorithm (2)
- Iterative, asynchronous: each local iteration caused by:
  - local link cost change
  - DV update message from a neighbor
- Distributed:
  - each node notifies neighbors only when its DV changes
  - neighbors then notify their neighbors if necessary
- The algorithm doesn't know the entire path; it only knows the next hop.
[Figure: each node: wait for (change in local link cost or msg from neighbor)]
Why different Intra- and Inter-AS routing?
- ... update traffic
- Performance:
  - Intra-AS: can focus on performance
  - Inter-AS: policy may dominate over performance
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links
  - wired links
  - wireless links
  - LANs
- layer-2 packet is a frame, enc­apsulates a datagram
[Figure: "link" between adjacent nodes]
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
- Framing, link access:
  - encapsulate datagram into frame, adding header, trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source, dest
    • different from IP address!
- Reliable delivery between adjacent nodes
  - we learned how to do this already (chapter 3)!
  - seldom used on low bit-error links (fiber, some twisted pair)
  - wireless links: high error rates
    • Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel partitioning
  - divide channel into smaller "pieces" (time slots, frequency, code)
  - allocate piece to node for exclusive use
- Random access
  - channel not divided, allow collisions
  - "recover" from collisions
- "Taking turns"
  - nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in "rounds"
- each station gets a fixed-length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, stations 1, 3, 4 have packets, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
- Suppose N nodes with many frames to send, each transmits in a slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity, which gives 1/e = .37
At best: channel used for useful transmissions 37% of the time!
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy: defer transmission
Human analogy: don't interrupt others!
CSMA collisions
- Collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- Collision: entire packet transmission time wasted
[Figure: spatial layout of nodes; space-time diagram of two overlapping transmissions]
Note: role of distance and propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within a short time
- colliding transmissions aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted and received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: space-time diagram; the collision is detected and both transmissions aborted]
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to the next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine the MAC address of B, knowing B's IP address?
- Each IP node (Host, Router) on the LAN has an ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
- TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min)
[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
- A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on the LAN receive the ARP query
- B receives the ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN)
- In the routing table at the source host, find router 111.111.111.110
- In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A - R - B]
- A creates a datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates a link-layer frame with R's MAC address as dest; the frame contains the A-to-B IP datagram
- A's adapter sends the frame
- R's adapter receives the frame
- R removes the IP datagram from the Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates a frame containing the A-to-B IP datagram, sends to B
[Figure: A - R - B]
Ethernet uses CSMA/CD
- No slots
- Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, the adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives a datagram from the net layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}, waits K × 512 bit times, and returns to step 2.
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Authentication another try
Protocol ap31 Alice says ldquoI am Alicerdquo and sends her encrypted secret password to ldquoproverdquo it
recordand
playbackstill works
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
OKAlicersquos IP addr
ldquoIrsquom AlicerdquoAlicersquos IP addr
encryptedpassword
Authentication yet another try
Goal avoid playback attack
Failures drawbacks
Nonce number (R) used only once ndashin-a-lifetime
ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice
must return R encrypted with shared secret keyldquoI am Alicerdquo
R
K (R)A-B
Alice is live and only Alice knows key to encrypt
nonce so it must be Alice
Authentication ap50
ap40 requires shared symmetric key can we authenticate using public key techniquesap50 use nonce public key cryptography
ldquoI am Alicerdquo
RBob computes
K (R)A-
ldquosend me your public keyrdquo
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the
private key that encrypted R such that
(K (R)) = RA-
K A+
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alicersquos public key
AK (m)+
Am = K (K (m))+
A-
R
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures: record traffic entering network; look for suspicious activity (IP addresses, ports being scanned sequentially).
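The mapping countermeasure above, run over recorded connection attempts, as an added example (not from the slides): the log format "time src dst dport", the addresses and the thresholds are constructed assumptions.

```python
"""Detecting sequential port scans in recorded inbound traffic.

Added example (not from the lecture slides): the mapping countermeasure
applied to a constructed log of connection attempts ("time src dst dport").
A source that probes many distinct ports on one host within a short window,
several of them consecutive, is flagged.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample records: time (s), external source, internal host, TCP dst port.
SAMPLE_LOG = """\
100.0 198.51.100.9 10.0.0.7 21
100.1 198.51.100.9 10.0.0.7 22
100.2 198.51.100.9 10.0.0.7 23
100.3 198.51.100.9 10.0.0.7 24
100.4 198.51.100.9 10.0.0.7 25
100.5 198.51.100.9 10.0.0.7 26
101.0 203.0.113.4 10.0.0.7 80
130.0 203.0.113.4 10.0.0.7 443
160.0 203.0.113.4 10.0.0.7 80
"""


def parse_log(text: str) -> List[Tuple[float, str, str, int]]:
    """Parse whitespace-separated records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((float(ts), src, dst, int(port)))
    return records


def longest_consecutive_run(sorted_ports: List[int]) -> int:
    """Length of the longest run of consecutive port numbers (n, n+1, ...)."""
    best = run = 1 if sorted_ports else 0
    for a, b in zip(sorted_ports, sorted_ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_scanners(records, window: float = 60.0, min_ports: int = 5,
                  min_sequential: int = 3) -> Dict[Tuple[str, str], List[int]]:
    """Return {(src, dst): ports} for sources that contacted at least
    `min_ports` distinct ports on one host within `window` seconds, with at
    least `min_sequential` of them forming a consecutive run."""
    attempts: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, port in records:
        attempts[(src, dst)].append((ts, port))

    suspects: Dict[Tuple[str, str], List[int]] = {}
    for key, hits in attempts.items():
        hits.sort()
        start = 0
        # Sliding time window over the time-ordered attempts for this pair.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = sorted({p for _, p in hits[start:end + 1]})
            if (len(ports) >= min_ports
                    and longest_consecutive_run(ports) >= min_sequential
                    and len(ports) > len(suspects.get(key, []))):
                suspects[key] = ports   # keep the widest matching window
    return suspects


if __name__ == "__main__":
    for (src, dst), ports in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```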
Internet security threats: Packet sniffing
Broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords). E.g., C sniffs B's packets.
[Figure: hosts A, B, C on a shared segment; the frame src:B dest:A payload is also read by C]
Countermeasures?
Internet security threats: Packet sniffing countermeasures
All hosts in organization run software that checks periodically if host interface is in promiscuous mode.
One host per segment of broadcast media (switched Ethernet at hub).
[Figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats: IP Spoofing
Can generate "raw" IP packets directly from application, putting any value into IP source address field.
Receiver can't tell if source is spoofed. E.g., C pretends to be B.
[Figure: hosts A, B, C; C sends a frame src:B dest:A payload]
Countermeasures?
Internet security threats: IP Spoofing: ingress filtering
Routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network).
Great, but ingress filtering cannot be mandated for all networks.
[Figure: hosts A, B, C; frame src:B dest:A payload]
Internet security threats: Denial of service (DOS)
Flood of maliciously generated packets "swamp" receiver.
Distributed DOS (DDOS): multiple coordinated sources swamp receiver. E.g., C and remote host SYN-attack A.
[Figure: hosts A, B, C; streams of SYN segments converging on A]
Countermeasures?
Internet security threats: Denial of service (DOS) countermeasures
Filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad.
Traceback to source of floods (most likely an innocent, compromised machine).
[Figure: hosts A, B, C; streams of SYN segments converging on A]
Review (1): Network Layer
Virtual Circuits and Datagram Networks
Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation
Review (2): Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): What is network security? Principles of cryptography
• Symmetric Key
• Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and countermeasures
• Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms.
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms.
Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update, in response to link cost changes.
Dijkstra's Algorithm
Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N'
Dijkstra's algorithm example
Step  N'        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
[Figure: example network with nodes u, v, w, x, y, z and link costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5]
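The algorithm above run on the example network, added here as an example (not code from the slides). The link costs in EXAMPLE_GRAPH are an assumption: they are the textbook topology consistent with the table's D and p values, so the final row can be checked against it.

```python
"""Dijkstra's link-state algorithm on the lecture's six-node example.

Added example (not code from the slides): an implementation of the
pseudocode above that records N', D(v) and p(v) after every step so the
run can be compared with the table. EXAMPLE_GRAPH is assumed to be the
textbook topology the table was produced from; its link costs agree with
the tabulated D and p values.
"""
from math import inf
from typing import Dict, List, Tuple

# Assumed example topology: undirected links with costs c(a, b).
EXAMPLE_GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}


def adjacency(links: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    """Build the c(a, b) lookup in both directions from the undirected links."""
    adj: Dict[str, Dict[str, int]] = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def dijkstra(links, source: str):
    """Run the slide's algorithm from `source`.

    Returns (D, p, steps): least costs D[v], predecessors p[v], and one
    (N', D snapshot, p snapshot) per step, step 0 being the initialization.
    """
    c = adjacency(links)
    nodes = sorted(c)
    # Initialization: N' = {u}; D(v) = c(u,v) if v adjacent to u, else infinity.
    N = [source]
    D = {v: c[source].get(v, inf) for v in nodes}
    D[source] = 0
    p = {v: source for v in c[source]}
    steps = [(list(N), dict(D), dict(p))]
    # Loop until all nodes are in N'.
    while len(N) < len(nodes):
        # Find w not in N' with minimum D(w); ties broken by node name.
        w = min((v for v in nodes if v not in N), key=lambda v: (D[v], v))
        N.append(w)
        # Update D(v) for all v adjacent to w and not in N'.
        for v, cost in c[w].items():
            if v not in N and D[w] + cost < D[v]:
                D[v] = D[w] + cost      # shorter path via w
                p[v] = w
        steps.append((list(N), dict(D), dict(p)))
    return D, p, steps


def shortest_path(p: Dict[str, str], source: str, dest: str) -> List[str]:
    """Walk predecessors back from dest to source; the second hop is the
    forwarding-table entry for dest."""
    path = [dest]
    while path[-1] != source:
        path.append(p[path[-1]])
    return path[::-1]


if __name__ == "__main__":
    D, p, steps = dijkstra(EXAMPLE_GRAPH, "u")
    for i, (N, d_snap, p_snap) in enumerate(steps):
        cells = "  ".join(f"D({v})={d_snap[v]},p={p_snap.get(v, '-')}"
                          for v in sorted(d_snap) if v != "u")
        print(f"step {i}: N'={''.join(N):<7} {cells}")
    print("least-cost path u -> z:", shortest_path(p, "u", "z"))
```

At step 2 the code breaks the D(v) = D(y) = 2 tie by name and adds v before y, whereas the table adds y first; the final costs and predecessors are identical either way.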
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F (Bellman-Ford) equation:
$D_x(y) \leftarrow \min_v \{\, c(x,v) + D_v(y) \,\}$ for each node $y \in N$
Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by local link cost change or DV update message from neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path; it only knows the next hop.
Each node: wait for (change in local link cost or msg from neighbor)
Why different Intra- and Inter-AS routing?
... update traffic
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.
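The Bellman-Ford update iterated to convergence, added here as an example (not code from the slides). COSTS is an assumed topology (the same six-node textbook network as the Dijkstra example) written as each node's neighbor cost table; nodes see only their neighbors' vectors and end up with next hops, not full paths.

```python
"""Distance-vector routing: every node iterates the Bellman-Ford update.

Added example (not code from the slides): a synchronous simulation of
D_x(y) <- min_v { c(x,v) + D_v(y) } on an assumed six-node topology.
Each node knows only its link costs and its neighbors' latest vectors.
"""
from math import inf
from typing import Dict, Tuple

# Assumed topology as neighbor cost tables c(x, v), one row per node x.
COSTS = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}

Vector = Dict[str, float]


def initial_vectors(costs) -> Dict[str, Vector]:
    """Each node starts knowing only its direct link costs; all else is infinity."""
    nodes = sorted(costs)
    return {x: {y: (0 if y == x else costs[x].get(y, inf)) for y in nodes}
            for x in nodes}


def bellman_ford_update(x: str, vectors: Dict[str, Vector], costs) -> Tuple[Vector, Dict[str, str]]:
    """Recompute x's vector and next hops from its neighbors' latest vectors."""
    new_vec: Vector = {}
    next_hop: Dict[str, str] = {}
    for y in vectors[x]:
        if y == x:
            new_vec[y] = 0
            continue
        # D_x(y) <- min over neighbors v of c(x,v) + D_v(y)
        best_v = min(costs[x], key=lambda v: costs[x][v] + vectors[v][y])
        new_vec[y] = costs[x][best_v] + vectors[best_v][y]
        next_hop[y] = best_v
    return new_vec, next_hop


def run_distance_vector(costs, max_rounds: int = 20):
    """Exchange vectors in synchronous rounds until nothing changes.

    Returns (vectors, next_hops, rounds), rounds counting the final
    round in which no vector changed.
    """
    vectors = initial_vectors(costs)
    next_hops: Dict[str, Dict[str, str]] = {}
    for rounds in range(1, max_rounds + 1):
        updated = {}
        for x in costs:
            updated[x], next_hops[x] = bellman_ford_update(x, vectors, costs)
        changed = updated != vectors
        vectors = updated
        if not changed:
            return vectors, next_hops, rounds
    raise RuntimeError("distance vectors did not converge")


if __name__ == "__main__":
    vectors, hops, rounds = run_distance_vector(COSTS)
    print(f"converged after {rounds} rounds")
    for x in sorted(vectors):
        table = {y: (d, hops[x][y]) for y, d in vectors[x].items() if y != x}
        print(f"{x}: dest -> (cost, next hop) {table}")
```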
Data Link Layer: Some terminology
Hosts and routers are nodes.
Communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs.
Layer-2 packet is a frame; encapsulates datagram.
[Figure: path of nodes connected by "links"]
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest
• different from IP address
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates.
• Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access. Access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkt; slots 2, 5, 6 idle.
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p.
Prob that node 1 has success in a slot = $p(1-p)^{N-1}$
Prob that there is a success = $Np(1-p)^{N-1}$
For max efficiency with N nodes, find p that maximizes $Np(1-p)^{N-1}$.
For many nodes, take limit of $Np(1-p)^{N-1}$ as N goes to infinity: gives $1/e = .37$.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time.
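The maximization and the limit carried out with the slide's symbols N and p, as an added worked derivation (not part of the original slides):

$$\frac{d}{dp}\Bigl[Np(1-p)^{N-1}\Bigr] = N(1-p)^{N-1} - N(N-1)\,p\,(1-p)^{N-2} = N(1-p)^{N-2}\,(1 - Np) = 0 \quad\Rightarrow\quad p^{*} = \frac{1}{N}$$

$$Np^{*}(1-p^{*})^{N-1} = \Bigl(1-\frac{1}{N}\Bigr)^{N-1} \;\xrightarrow{\;N\to\infty\;}\; \frac{1}{e} \approx 0.37$$

The efficiency at the optimum falls monotonically in N (for N = 2 it is 1/2, for N = 10 about 0.39), so 1/e is the floor reached with many contending nodes.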
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy: defer transmission.
Human analogy: don't interrupt others.
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.
[Figure: spatial layout of nodes; space-time diagram of two overlapping transmissions]
Note: role of distance & propagation delay in determining collision probability.
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting.
CSMA/CD collision detection
[Figure: space-time diagram showing both transmitters detecting the collision and aborting]
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table.
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator.
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In routing table at source Host, find router 111.111.111.110. In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
A creates datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram. A's adapter sends frame. R's adapter receives frame. R removes IP datagram from Ethernet frame, sees it's destined to B. R uses ARP to get B's MAC address. R creates frame containing A-to-B IP datagram, sends to B.
[Figure: A and B on two LANs interconnected by router R]
Ethernet uses CSMA/CD
No slots.
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
Before attempting a retransmission, adapter waits a random time, that is, random access.
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame.
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.
Exponential Backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer.
First collision: choose K from {0, 1}; delay is K · 512 bit transmission times.
After second collision: choose K from {0, 1, 2, 3}, …
After ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}.
CSMA/CD efficiency
$t_{prop}$ = max prop delay between 2 nodes in LAN
$t_{trans}$ = time to transmit max-size frame
$$\text{efficiency} = \frac{1}{1 + 5\, t_{prop} / t_{trans}}$$
Efficiency goes to 1 as $t_{prop}$ goes to 0.
Goes to 1 as $t_{trans}$ goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality
• can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
[Figure: backbone hub interconnecting three departmental hubs]
Switch
Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment.
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each connected to a hub]
Self learning
A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp). Stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.
Switch: traffic isolation
Switch installation breaks subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
[Figure: switch connecting three hubs, each hub's segment a separate collision domain]
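The self-learning and traffic-isolation behaviour of the two slides above in one small simulation, added here as an example (not code from the slides): a switch table of (MAC address, interface, time stamp) entries with a 60-minute TTL, learning from received frames and filtering same-segment traffic. The hosts, their MAC addresses and the segment layout are constructed.

```python
"""Self-learning switch with a timestamped switch table.

Added example (not code from the slides): the switch learns
(MAC address, interface, time stamp) from every frame it receives,
forwards only onto the interface where the destination was learned,
filters frames whose destination is on the incoming segment, floods
unknown or broadcast destinations, and drops entries older than the TTL.
Hosts, MAC addresses and the segment layout below are constructed.
"""
from typing import Dict, List, Optional, Tuple

TTL_SECONDS = 60 * 60          # stale entries dropped after 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces: List[int]):
        self.interfaces = interfaces
        # switch table: MAC address -> (interface, time stamp of last frame seen)
        self.table: Dict[str, Tuple[int, float]] = {}

    def expire(self, now: float) -> None:
        """Drop entries whose time stamp is older than the TTL."""
        self.table = {mac: (ifc, ts) for mac, (ifc, ts) in self.table.items()
                      if now - ts <= TTL_SECONDS}

    def receive(self, src: str, dst: str, in_ifc: int, now: float) -> List[int]:
        """Process one frame; return the interfaces it is sent out on."""
        self.expire(now)
        # Self-learning: the sender is reachable through the incoming interface.
        self.table[src] = (in_ifc, now)
        entry: Optional[Tuple[int, float]] = (None if dst == BROADCAST
                                               else self.table.get(dst))
        if entry is None:
            # Unknown or broadcast destination: flood all other interfaces.
            return [i for i in self.interfaces if i != in_ifc]
        out_ifc, _ = entry
        if out_ifc == in_ifc:
            # Destination is on the same LAN segment: filter, do not forward.
            return []
        return [out_ifc]       # selective forwarding on the learned interface


if __name__ == "__main__":
    sw = LearningSwitch([1, 2, 3])
    # Constructed hosts: A and B share the segment on interface 1, C is on interface 2.
    A, B, C = "1A-2F-BB-76-09-AD", "58-23-D7-FA-20-B0", "0C-C4-11-6F-E3-98"
    print(sw.receive(A, C, 1, 0.0))    # C unknown: flood -> [2, 3]
    print(sw.receive(C, A, 2, 1.0))    # A learned on 1 -> [1]
    print(sw.receive(A, B, 1, 2.0))    # B unknown: flood -> [2, 3]
    print(sw.receive(B, A, 1, 3.0))    # A on same segment: filtered -> []
    print(sw.receive(A, C, 1, 3.0 + 2 * TTL_SECONDS))  # C's entry expired: flood
```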
Switches vs Routers
Both are store-and-forward devices. Routers: network layer devices (examine network layer headers). Switches are link layer devices.
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
[Figure: A, B, C with B in range of both A and C]
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other; means A, C unaware of their interference at B.
[Figure: A's signal strength and C's signal strength versus space, both reaching B]
Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B.
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer
• all hosts use same chipping code
widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
Wireless host communicates with base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station. Ad hoc mode: hosts only.
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If sense channel idle for DIFS, then transmit entire frame (no CD).
2. If sense channel busy, then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2.
802.11 receiver: if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).
[Figure: sender waits DIFS and sends data; receiver waits SIFS and returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: A and B send RTS(A) and RTS(B) to the AP at the same time (reservation collision); the AP returns CTS(A); A sends DATA(A); the AP returns ACK(A); B defers]
802.11 frame format (field lengths in bytes):
frame control 2 | duration 2 | address 1: 6 | address 2: 6 | address 3: 6 | seq control 2 | address 4: 6 | payload 0 - 2312 | CRC 4
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.
[Figure: H1 sends through the AP to router R1 on the Internet]
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
802.11 frame addressing (continued)
Network Security
What is network security? Principles of cryptography
• Symmetric Key
• Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and countermeasures
• Packet sniffing, IP spoofing, DoS attacks
Authentication yet another try
Goal avoid playback attack
Failures drawbacks
Nonce number (R) used only once ndashin-a-lifetime
ap40 to prove Alice ldquoliverdquo Bob sends Alice nonce R Alice
must return R encrypted with shared secret keyldquoI am Alicerdquo
R
K (R)A-B
Alice is live and only Alice knows key to encrypt
nonce so it must be Alice
Authentication ap50
ap40 requires shared symmetric key can we authenticate using public key techniquesap50 use nonce public key cryptography
ldquoI am Alicerdquo
RBob computes
K (R)A-
ldquosend me your public keyrdquo
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the
private key that encrypted R such that
(K (R)) = RA-
K A+
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alicersquos public key
AK (m)+
Am = K (K (m))+
A-
R
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame.
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.
Exponential Backoff:
Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer.
First collision: choose K from {0, 1}; delay is K · 512 bit transmission times.
After second collision: choose K from {0, 1, 2, 3} …
After ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}.
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$
Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple and cheap.
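The CSMA/CD steps, the backoff ranges and the efficiency formula above, carried out in code. This is an added example, not the slides' own code; the assumption that the K range stops growing after the tenth collision (truncated binary exponential backoff) and the constructed collision schedule passed to send_frame are mine.

```python
"""Ethernet CSMA/CD backoff and efficiency (added example; constants are the
slides': 10 Mbps bit time 0.1 us, K * 512 bit-time backoff, K drawn from
{0, ..., 2^m - 1} after the m-th collision)."""
import random
from typing import Callable, List, Optional, Tuple

BIT_TIME_US = 0.1          # bit time for 10 Mbps Ethernet, in microseconds
SLOT_BITS = 512            # one backoff unit is 512 bit times
MAX_EXPONENT = 10          # assumption: K stays in {0, ..., 1023} after 10 collisions


def backoff_range(m: int) -> range:
    """Values K may take after the m-th collision: {0, 1, ..., 2^m - 1},
    capped at 2^10 - 1 = 1023 (assumption, see MAX_EXPONENT)."""
    if m < 1:
        raise ValueError("m counts collisions, so m >= 1")
    return range(2 ** min(m, MAX_EXPONENT))


def backoff_wait_us(k: int) -> float:
    """Wait time for a chosen K: K * 512 bit times, in microseconds."""
    return k * SLOT_BITS * BIT_TIME_US


def csmacd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 * t_prop / t_trans), both in the same units."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def _random_k(m: int) -> int:
    return random.choice(backoff_range(m))


def send_frame(collision_on_attempt: List[bool],
               pick_k: Optional[Callable[[int], int]] = None) -> Tuple[int, List[int], float]:
    """Run steps 2-5 of the slides' algorithm for one frame.

    collision_on_attempt[i] is a constructed stand-in for the channel: True
    means attempt i (0-based) detects another transmission (step 4); a missing
    entry means the attempt completes (step 3). pick_k(m) chooses K after the
    m-th collision; by default K is drawn uniformly at random.
    Returns (attempts, chosen Ks, total backoff wait in microseconds)."""
    pick = pick_k or _random_k
    attempts, ks, total_wait = 0, [], 0.0
    while True:
        attempts += 1                                   # step 2: channel idle, transmit
        collided = (attempts - 1 < len(collision_on_attempt)
                    and collision_on_attempt[attempts - 1])
        if not collided:
            return attempts, ks, total_wait             # step 3: done with frame
        m = len(ks) + 1                                 # step 4: abort, send jam signal
        k = pick(m)                                     # step 5: exponential backoff
        if k not in backoff_range(m):
            raise ValueError(f"K={k} outside {backoff_range(m)} after collision {m}")
        ks.append(k)
        total_wait += backoff_wait_us(k)                # wait K * 512 bit times, then step 2


if __name__ == "__main__":
    print("K range after 10th collision:", backoff_range(10))
    print("worst-case wait for K=1023: %.1f us" % backoff_wait_us(1023))
    print("efficiency at t_prop/t_trans = 0.01: %.3f" % csmacd_efficiency(0.01, 1.0))
    # worst-case K on each of two collisions, success on the third attempt
    print(send_frame([True, True, False], pick_k=lambda m: 2 ** m - 1))
```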
Hubs
Hubs are essentially physical-layer repeaters:
bits coming from one link go out all other links at the same rate
no frame buffering
no CSMA/CD at hub: adapters detect collisions
provides net management functionality
• can disconnect a malfunctioning adapter
(figure: hub with twisted-pair links)
Interconnecting with hubs
Pros:
Enables interdepartmental communication
Extends max distance between nodes
If a hub malfunctions, the backbone hub can disconnect it
Cons:
Collision domains are transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
(figure: backbone hub interconnecting hubs)
Switch
Link layer device
stores and forwards Ethernet frames
examines frame header and selectively forwards frame based on MAC dest address
when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem
(figure: switch with interfaces 1, 2, 3, each connected to a hub)
Self learning
A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
when frame received, switch "learns" location of sender: incoming LAN segment
records sender/location pair in switch table
Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
(figure: switch connected to three hubs, each hub a separate collision domain)
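The self-learning table, TTL-based aging and filtering described in the two slides above, as an added example (not the slides' own code). The 60-minute TTL is the slides' figure; the MAC addresses, interface numbers and timestamps are constructed.

```python
"""Self-learning switch with TTL aging, filtering and flooding (added example)."""
from dataclasses import dataclass
from typing import Dict, List

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class TableEntry:
    interface: int      # interface the sender was last seen on
    timestamp: float    # time the entry was recorded or refreshed


class LearningSwitch:
    def __init__(self, interfaces: List[int], ttl_seconds: float = 60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        # switch table: MAC address -> (interface, time stamp)
        self.table: Dict[str, TableEntry] = {}

    def _drop_stale(self, now: float) -> None:
        """Entries older than the TTL are dropped from the table."""
        for mac in [m for m, e in self.table.items() if now - e.timestamp > self.ttl]:
            del self.table[mac]

    def receive(self, src: str, dst: str, in_if: int, now: float) -> List[int]:
        """Handle a frame arriving on interface in_if; return the interfaces
        the frame goes out on (an empty list means the frame is filtered)."""
        src, dst = src.upper(), dst.upper()
        self._drop_stale(now)
        # self-learning: the sender is reachable through the incoming segment
        self.table[src] = TableEntry(in_if, now)
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # unknown destination: flood to every other segment
            return [i for i in self.interfaces if i != in_if]
        if entry.interface == in_if:
            # destination is on the incoming segment: filter the frame, so a
            # host on another segment never sees it (traffic isolation)
            return []
        return [entry.interface]                  # selective forwarding


if __name__ == "__main__":
    # constructed hosts: A and C share the hub on interface 1, B is on interface 2
    A, B, C = "aa-aa-aa-aa-aa-01", "bb-bb-bb-bb-bb-02", "cc-cc-cc-cc-cc-03"
    sw = LearningSwitch([1, 2, 3])
    print("A->B, B unknown, flooded to:", sw.receive(A, B, 1, now=0))
    print("B->A, A known, sent to:", sw.receive(B, A, 2, now=1))
    print("C->A, same segment, sent to:", sw.receive(C, A, 1, now=3))
    print("B->A after TTL expiry, flooded to:", sw.receive(B, A, 2, now=3700))
```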
Switches vs Routers
both store-and-forward devices
routers: network layer devices (examine network layer headers)
switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access)
(figure: A, B, C)
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other, which means A, C are unaware of their interference at B
(figure: A's signal strength and C's signal strength over space, with A, B, C)
Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer
• all hosts use same chipping code
widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and access point (AP): base station
ad hoc mode: hosts only
(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
(figure: sender waits DIFS then sends data; receiver waits SIFS then sends ACK)
Collision Avoidance: RTS-CTS exchange
(figure: A, AP and B over time: RTS(A) and RTS(B) collide at the AP; RTS(A) is sent again; AP sends CTS(A), heard by both A and B (reservation); B defers; A sends DATA(A); AP sends ACK(A), heard by both A and B)
802.11 frame (field lengths in bytes):
frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
(figure: H1 sends to router R1 via the AP; R1 is the Internet router)
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr
Network Security
What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijkstra's Algorithm
Dijkstra's algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP (Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF "advanced" features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes & BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMA/CD (Collision Detection)
CSMA/CD collision detection
"Taking Turns" MAC protocols
ARP: Address Resolution Protocol
ARP protocol: Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMA/CD
Ethernet CSMA/CD algorithm
Ethernet's CSMA/CD (more)
CSMA/CD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 802.11 Wireless LAN
802.11 LAN architecture
IEEE 802.11 MAC Protocol: CSMA/CA
Collision Avoidance: RTS-CTS exchange
802.11 frame addressing
Slide 105
Network Security
Authentication: ap5.0
ap4.0 requires shared symmetric key; can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
"I am Alice"
R
$K_A^-(R)$
"send me your public key"
$K_A^+$
Bob computes $K_A^+(K_A^-(R)) = R$ and knows only Alice could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
(figure: Alice, Trudy and Bob exchange the following messages)
"I am Alice" (Alice to Trudy; Trudy to Bob)
R (Bob to Trudy); $K_T^-(R)$ (Trudy to Bob)
"Send me your public key" (Bob to Trudy); $K_T^+$ (Trudy to Bob)
R (Trudy to Alice); $K_A^-(R)$ (Alice to Trudy)
"Send me your public key" (Trudy to Alice); $K_A^+$ (Alice to Trudy)
$K_T^+(m)$ (Bob to Trudy); Trudy computes $m = K_T^-(K_T^+(m))$
Trudy gets m, sends m to Alice encrypted with Alice's public key: $K_A^+(m)$; Alice computes $m = K_A^-(K_A^+(m))$
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation). Problem is that Trudy receives all messages as well.
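The ap5.0 exchange from the two slides above, run on both sides in code, as an added example that is not part of the original slides. A toy RSA with small fixed primes stands in for the public-key system (constructed, not secure), and the trusted directory that binds "Alice" to her $K_A^+$, which lets Bob reject a substituted key, is my assumption rather than something the slides state.

```python
"""ap5.0 nonce + public-key authentication and its man-in-the-middle hole
(added example; toy RSA, constructed principals, assumed trusted directory)."""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public K+, private K-) for small primes p, q (toy RSA)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def apply_key(key: Key, x: int) -> int:
    """K(x): raise x to the key's exponent modulo n."""
    n, exp = key
    return pow(x, exp, n)


@dataclass
class Principal:
    name: str          # identity this principal claims
    public: Key
    private: Key

    def respond(self, r: int) -> Tuple[int, Key]:
        """ap5.0 responder: return K^-(R) and, when asked, the public key K^+."""
        return apply_key(self.private, r), self.public


def bob_verifies(claimed: str, responder: Principal,
                 trusted_keys: Optional[Dict[str, Key]] = None,
                 r: Optional[int] = None) -> bool:
    """Bob's side of ap5.0: send nonce R, receive K^-(R) and K^+, check
    K^+(K^-(R)) == R. With trusted_keys (assumption) Bob additionally checks
    that the key he was handed is the one bound to the claimed identity."""
    if r is None:
        r = random.randrange(2, 2000)          # nonce, below both toy moduli
    signed_r, pub = responder.respond(r)       # "I am <claimed>" ... K^-(R), K^+
    if trusted_keys is not None and trusted_keys.get(claimed) != pub:
        return False                           # handed key is not <claimed>'s key
    return apply_key(pub, signed_r) == r


# constructed principals: honest Alice and Trudy posing as Alice
alice_pub, alice_priv = make_keypair(61, 53)   # n = 3233
trudy_pub, trudy_priv = make_keypair(47, 59)   # n = 2773
alice = Principal("Alice", alice_pub, alice_priv)
trudy_as_alice = Principal("Alice", trudy_pub, trudy_priv)
DIRECTORY = {"Alice": alice_pub}               # assumed trusted binding: name -> K+


if __name__ == "__main__":
    print("honest Alice, no directory:      ", bob_verifies("Alice", alice))
    print("Trudy as Alice, no directory:    ", bob_verifies("Alice", trudy_as_alice))
    print("Trudy as Alice, with directory:  ", bob_verifies("Alice", trudy_as_alice, DIRECTORY))
```

Without a trusted binding between the name and the key, Bob's arithmetic check succeeds for whoever supplied the key, which is exactly the hole the slide describes.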
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Firewalls
isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
(figure: administered network, firewall, public Internet)
Firewalls: Why
prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls: application-level, packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
Should arriving packet be allowed in? Departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside
(figure: host-to-gateway telnet session; gateway-to-remote host telnet session; application gateway; router and filter)
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
3. Router filter blocks all telnet connections not originating from gateway.
Limitations of firewalls and gateways
IP spoofing: router can't know if data "really" comes from claimed source
if multiple app's need special treatment, each has own app gateway
client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on network
Use ping to determine what hosts have addresses on network
Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures
record traffic entering network
look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats
Packet sniffing: broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g., passwords); e.g., C sniffs B's packets
(figure: A, B, C on a shared medium; frame src:B dest:A payload)
Countermeasures?
Internet security threats
Packet sniffing: countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
(figure: A, B, C; frame src:B dest:A payload)
Internet security threats
IP Spoofing: can generate "raw" IP packets directly from application, putting any value into IP source address field; receiver can't tell if source is spoofed; e.g., C pretends to be B
(figure: A, B, C; frame src:B dest:A payload)
Countermeasures?
Internet security threats
IP Spoofing: ingress filtering
routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
great, but ingress filtering can not be mandated for all networks
(figure: A, B, C; frame src:B dest:A payload)
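The two packet-filtering examples from the firewall slides and the ingress-filtering rule just described, implemented as one router filter. This is an added example, not the slides' own code; the 10.0.0.0/8 internal network, the addresses, ports and sample traffic are constructed.

```python
"""Packet-filtering rules: the slides' Example 1 (UDP and telnet), Example 2
(inbound TCP SYN) and ingress filtering of spoofed sources (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP = 6, 17
SYN, ACK = 0x02, 0x10          # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: int = 0             # TCP flags; 0 for non-TCP


class RouterFilter:
    """Packet-by-packet forward/drop decision at the border router."""

    def __init__(self, internal_net: str):
        self.internal = ip_network(internal_net)   # constructed: 10.0.0.0/8 below

    def rule_udp_and_telnet(self, pkt: Packet, inbound: bool) -> Optional[str]:
        # Example 1: IP protocol 17 (UDP) and port 23 (telnet), both directions
        if pkt.proto == UDP:
            return "example 1: UDP flow"
        if 23 in (pkt.sport, pkt.dport):
            return "example 1: telnet (port 23)"
        return None

    def rule_inbound_syn(self, pkt: Packet, inbound: bool) -> Optional[str]:
        # Example 2: block inbound TCP SYN. A SYN without ACK opens a new
        # connection from outside; SYN+ACK is the reply to an internal client.
        if inbound and pkt.proto == TCP and pkt.flags & SYN and not pkt.flags & ACK:
            return "example 2: inbound TCP SYN"
        return None

    def rule_ingress(self, pkt: Packet, inbound: bool) -> Optional[str]:
        # Ingress filtering: an outgoing packet must carry a source address
        # from this router's own network.
        if not inbound and ip_address(pkt.src) not in self.internal:
            return "ingress filtering: source not in router's network"
        return None

    def decide(self, pkt: Packet, inbound: bool) -> Tuple[str, str]:
        """Return ("drop", reason) for the first matching rule, else ("forward", "")."""
        for rule in (self.rule_udp_and_telnet, self.rule_inbound_syn, self.rule_ingress):
            reason = rule(pkt, inbound)
            if reason:
                return "drop", reason
        return "forward", ""


def run_filter(router: RouterFilter, traffic: List[Tuple[Packet, bool]]) -> List[str]:
    """Verdicts for a list of (packet, inbound?) pairs."""
    return [router.decide(pkt, inbound)[0] for pkt, inbound in traffic]


if __name__ == "__main__":
    fw = RouterFilter("10.0.0.0/8")
    sample = [  # constructed traffic: (packet, inbound?)
        (Packet("10.0.0.5", "203.0.113.9", TCP, 40000, 80, SYN), False),        # internal client opens web connection
        (Packet("203.0.113.9", "10.0.0.5", TCP, 80, 40000, SYN | ACK), True),   # server's reply
        (Packet("203.0.113.9", "10.0.0.5", TCP, 50000, 22, SYN), True),         # outside host opens connection
        (Packet("10.0.0.5", "203.0.113.53", UDP, 40001, 53), False),            # UDP flow
        (Packet("10.0.0.5", "203.0.113.9", TCP, 40002, 23, SYN), False),        # telnet
        (Packet("192.0.2.7", "203.0.113.9", TCP, 40003, 80, SYN), False),       # spoofed source leaving
    ]
    for (pkt, inbound), verdict in zip(sample, run_filter(fw, sample)):
        print("in " if inbound else "out", pkt, "->", verdict, fw.decide(pkt, inbound)[1])
```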
Internet security threats
Denial of service (DOS): flood of maliciously generated packets "swamp" receiver
Distributed DOS (DDOS): multiple coordinated sources swamp receiver
e.g., C and remote host SYN-attack A
(figure: A, B, C; streams of SYN packets arriving at A)
Countermeasures?
Internet security threats
Denial of service (DOS): countermeasures
filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
traceback to source of floods (most likely an innocent, compromised machine)
(figure: A, B, C; streams of SYN packets arriving at A)
Review (1): Network Layer
Virtual Circuits and Datagram Networks
Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation
Review (2): Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3)
What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
(figure: graph with nodes u, v, w, x, y, z and edge costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5)
Distance vector algorithm (1)
Basic idea: Each node periodically sends its own distance vector estimate to neighbors.
When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
$$D_x(y) \leftarrow \min_v \{\, c(x,v) + D_v(y) \,\} \quad \text{for each node } y \in N$$
Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only knows the next hop
(figure: each node waits for a change in local link cost or a msg from a neighbor, then updates)
… update traffic
Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance
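The link-state computation of the Dijkstra example and the Bellman-Ford update of the distance-vector slides, both run on the same six-node graph, as an added example that is not part of the slides. The edge list is my assumption, reconstructed from the figure's edge costs and the example table (it reproduces that table's final row); the synchronous round structure of distance_vector is a simplification of the asynchronous algorithm the slides describe.

```python
"""Link-state (Dijkstra) and distance-vector (Bellman-Ford) routing on the
slides' six-node example graph (added example; edge list is an assumption)."""
from math import inf
from typing import Dict, Tuple

Graph = Dict[str, Dict[str, float]]

# constructed edge list (node, node, cost); undirected, costs from the figure
EDGES = [("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2), ("v", "w", 3),
         ("x", "w", 3), ("x", "y", 1), ("w", "y", 1), ("w", "z", 5), ("y", "z", 2)]


def build_graph(edges=EDGES) -> Graph:
    g: Graph = {}
    for a, b, c in edges:
        g.setdefault(a, {})[b] = c
        g.setdefault(b, {})[a] = c
    return g


def dijkstra(g: Graph, u: str) -> Tuple[Dict[str, float], Dict[str, str]]:
    """The slides' algorithm: N grows by the closest node each loop; D(v) and
    predecessor p(v) are updated for neighbours of the node just added.
    Ties in D (the slide's table adds y before v at D = 2) are broken by name."""
    N = {u}
    D = {v: g[u].get(v, inf) for v in g}          # initialization
    D[u] = 0
    p = {v: u for v in g[u]}                         # p(v) = u for neighbours of u
    while len(N) < len(g):
        w = min((v for v in g if v not in N), key=lambda v: (D[v], v))
        N.add(w)
        for v, c in g[w].items():
            if v not in N and D[w] + c < D[v]:       # D(v) = min(D(v), D(w) + c(w,v))
                D[v], p[v] = D[w] + c, w
    return D, p


def distance_vector(g: Graph, max_rounds: int = 50) -> Tuple[Dict[str, Dict[str, float]], int]:
    """Synchronous distance-vector iteration: every node repeatedly applies
    D_x(y) <- min_v { c(x,v) + D_v(y) } over its neighbours v until no estimate
    changes. Returns (every node's DV, rounds until convergence)."""
    D = {x: {y: (0 if x == y else g[x].get(y, inf)) for y in g} for x in g}
    for rounds in range(1, max_rounds + 1):
        new = {x: {y: min([D[x][y]] + [c + D[v][y] for v, c in g[x].items()])
                   for y in g} for x in g}
        if new == D:
            return D, rounds - 1
        D = new
    raise RuntimeError("did not converge")   # unreachable for finite positive costs


if __name__ == "__main__":
    g = build_graph()
    D, p = dijkstra(g, "u")
    print("Dijkstra from u:", {v: (D[v], p[v]) for v in sorted(g) if v != "u"})
    dv, rounds = distance_vector(g)
    print("DV at u after", rounds, "rounds:", dv["u"])
```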
Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
layer-2 packet is a frame, encapsulates datagram
(figure: "link")
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest
• different from IP address
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates
• Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access: access to channel in rounds; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
single active node can continuously transmit at full rate of channel
highly decentralized: only slots in nodes need to be in sync
simple
Cons:
collisions, wasting slots
idle slots
clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = $p(1-p)^{N-1}$
prob that there is a success = $Np(1-p)^{N-1}$
For max efficiency with N nodes, find p that maximizes $Np(1-p)^{N-1}$
For many nodes, take limit of $Np(1-p)^{N-1}$ as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time
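The maximization and the limit stated on the slide, carried through (added derivation, not on the original slides):

$$\frac{d}{dp}\Big[Np(1-p)^{N-1}\Big] = N(1-p)^{N-2}\big[(1-p) - (N-1)p\big] = N(1-p)^{N-2}(1 - Np) = 0 \;\Rightarrow\; p^{*} = \frac{1}{N}$$

$$\text{efficiency}_{\max} = N \cdot \frac{1}{N}\Big(1 - \frac{1}{N}\Big)^{N-1} = \Big(1 - \frac{1}{N}\Big)^{N-1} \;\xrightarrow{\;N \to \infty\;}\; \frac{1}{e} \approx 0.37$$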
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
If channel sensed idle: transmit entire frame
If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
(figure: spatial layout of nodes)
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
(figure)
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn
concerns: polling overhead; latency; single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message
concerns: token overhead; latency; single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
(figure: LAN with MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53 and IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alicersquos public key
AK (m)+
Am = K (K (m))+
A-
R
ap50 security holeMan (woman) in the middle attack Trudy poses
as Alice (to Bob) and as Bob (to Alice)
Difficult to detect Bob receives everything that Alice sends and vice versa (eg so Bob Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping: before attacking, "case the joint" – find out what services are implemented on the network. Use ping to determine which hosts have addresses on the network. Port-scanning: try to establish a TCP connection to each port in sequence.
Countermeasures?
Internet security threats
Mapping countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats: Packet sniffing
broadcast media; promiscuous NIC reads all packets passing by; can read all unencrypted data (e.g. passwords). e.g.: C sniffs B's packets
[figure: A, B, C on a shared segment; frame src:B dest:A payload]
Countermeasures?
Internet security threats: Packet sniffing countermeasures
all hosts in organization run software that checks periodically if host interface is in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
[figure: A, B, C each on its own switched segment; frame src:B dest:A payload]
Internet security threats: IP Spoofing
can generate "raw" IP packets directly from application, putting any value into IP source address field
receiver can't tell if source is spoofed. e.g.: C pretends to be B
[figure: A, B, C; frame src:B dest:A payload sent by C]
Countermeasures?
Internet security threats: IP Spoofing: ingress filtering
routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network)
great, but ingress filtering can not be mandated for all networks
[figure: A, B, C; frame src:B dest:A payload]
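As an added example (not from the original slides), the ingress-filtering rule above expressed as a per-interface source-address check in Python. The router's address block (192.0.2.0/24), the interface names and the sample packets are constructed; the check on the "wan" side, which refuses packets that arrive from the Internet claiming an internal source, is the mirror image of the slide's rule and is an addition here.

```python
# Added example: ingress filtering at a border router. The prefix, the
# interface names and the sample packets are constructed for illustration.
import ipaddress

# Constructed: addresses that belong to the router's own (internal) network,
# reachable through the "lan" interface; "wan" faces the public Internet.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

def ingress_verdict(ingress_iface, src_ip):
    """Decide whether a packet that arrived on `ingress_iface` carries a
    plausible IP source address. Returns 'forward' or a drop reason."""
    src = ipaddress.ip_address(src_ip)
    is_internal = any(src in net for net in INTERNAL_PREFIXES)
    if ingress_iface == "lan":
        # The slide's rule: an outgoing packet whose source is not in the
        # router's network cannot be genuine, so it is not forwarded.
        return "forward" if is_internal else "drop: outbound source not in router's network"
    if ingress_iface == "wan":
        # Mirror-image check (added here): our own addresses cannot
        # legitimately arrive from the outside.
        return "drop: inbound packet claims internal source" if is_internal else "forward"
    return "drop: unknown interface"

def check_samples():
    """Run four constructed packets through the filter."""
    samples = [
        ("lan", "192.0.2.7"),      # internal host, genuine source
        ("lan", "198.51.100.9"),   # internal host forging an outside source
        ("wan", "203.0.113.4"),    # ordinary outside source
        ("wan", "192.0.2.7"),      # outside packet pretending to be internal
    ]
    return [ingress_verdict(iface, src) for iface, src in samples]

if __name__ == "__main__":
    for verdict in check_samples():
        print(verdict)
```

The check is only as good as the prefix list: a router can vouch for the addresses on the networks it serves, which is why the slide notes that the technique has to be deployed by every network to be effective.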
Internet security threats: Denial of service (DOS)
flood of maliciously generated packets "swamp" receiver
Distributed DOS (DDOS): multiple coordinated sources swamp receiver. e.g.: C and remote host SYN-attack A
[figure: A, B, C; many SYN segments from C and a remote host converging on A]
Countermeasures?
Internet security threats: Denial of service (DOS) countermeasures
filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad
traceback to source of floods (most likely an innocent, compromised machine)
[figure: A, B, C; SYN flood toward A]
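The two monitoring countermeasures above, mapping detection ("ports being scanned sequentially") and SYN-flood detection ("filter out flooded packets, e.g. SYN"), both start from the same traffic record, so here is one added Python example (not from the original slides) that serves both: it parses a constructed packet log and flags a source probing consecutive ports and a destination receiving a burst of bare SYNs. The log format, the thresholds and all addresses are assumptions made for the example.

```python
# Added example: two detectors over a constructed packet log.
# Log format, thresholds and addresses are assumptions, not from the slides.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float       # seconds
    src: str
    dst: str
    proto: str
    dport: int
    flags: str     # TCP flag letters: "S" = SYN only, "SA" = SYN+ACK, "A" = ACK

def parse_log(text):
    """Parse constructed lines of the form '<time> <src> <dst> <proto> <dport> <flags>'."""
    events = []
    for line in text.strip().splitlines():
        t, src, dst, proto, dport, flags = line.split()
        events.append(Event(float(t), src, dst, proto, int(dport), flags))
    return events

def detect_port_scans(events, min_run=5):
    """Mapping countermeasure: flag a source that sends connection attempts
    to a run of at least `min_run` consecutive ports on one destination."""
    probed = defaultdict(set)
    for e in events:
        if e.proto == "TCP" and "S" in e.flags and "A" not in e.flags:
            probed[(e.src, e.dst)].add(e.dport)
    alerts = []
    for (src, dst), ports in probed.items():
        seq, run = sorted(ports), 1
        for a, b in zip(seq, seq[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_run:
                alerts.append((src, dst))
                break
    return alerts

def detect_syn_floods(events, window=1.0, threshold=20):
    """DoS countermeasure: flag a destination that receives more than
    `threshold` bare SYNs inside any `window`-second interval."""
    syn_times = defaultdict(list)
    for e in events:
        if e.proto == "TCP" and e.flags == "S":
            syn_times[e.dst].append(e.t)
    alerts = []
    for dst, times in syn_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over SYN times
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append(dst)
                break
    return alerts

def _build_sample_log():
    """Constructed traffic: a sequential port probe, one normal handshake,
    and a burst of SYNs from many sources toward one server."""
    lines = []
    for i, port in enumerate(range(21, 27)):                      # ports 21..26 in sequence
        lines.append(f"{0.01 * i:.2f} 203.0.113.9 192.0.2.10 TCP {port} S")
    lines += ["0.10 198.51.100.3 192.0.2.10 TCP 80 S",               # ordinary 3-way handshake
              "0.11 192.0.2.10 198.51.100.3 TCP 44000 SA",
              "0.12 198.51.100.3 192.0.2.10 TCP 80 A"]
    for k in range(30):                                              # 30 bare SYNs in 0.3 s
        lines.append(f"{1.0 + 0.01 * k:.2f} 203.0.113.{100 + k} 192.0.2.10 TCP 80 S")
    return "\n".join(lines)

SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(ev))
    print("SYN floods:", detect_syn_floods(ev))
```

The flood detector keys on the destination rather than the source because, as the slide notes, a distributed flood comes from many (usually compromised) machines; blocking by destination port is what "throws out good with bad", since the legitimate handshake at t=0.10 goes to the same port.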
Review (1): Network Layer
Virtual Circuits and Datagram Networks
Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
The Internet (IP) Protocol
• IPv4 addressing
• Datagram format
• IP fragmentation
• ICMP: Internet Control Message Protocol
• IPv6
• NAT: Network Address Translation
Review (2): Data link layer
Introduction and services
Error detection and correction
Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• "Taking Turns" Protocols
Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network security
What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and countermeasures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology, link cost info; "link state" algorithms
Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
[figure: six-node graph u, v, w, x, y, z; link costs read from the figure labels: c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]
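An added Python implementation (not from the original slides) of the link-state computation, run on the six-node graph of the example. The link costs are taken from the slide's figure labels; with ties between equal-cost candidates broken differently from the slide, the order in which nodes join N can differ, but the final D(v), p(v) and the resulting forwarding table are the same.

```python
# Added example: Dijkstra's algorithm as on the slide, plus the forwarding
# table it yields. Link costs are those of the slide's six-node figure.
import math

# Undirected link costs c(a, b) read from the figure labels
LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}

def neighbors_of(links):
    """Adjacency map: node -> {neighbor: cost}."""
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj

def dijkstra(links, source):
    """Follow the slide's pseudocode. Returns (D, p, steps) where D[v] is the
    least known cost from source to v, p[v] the predecessor on that path, and
    steps a list of (node added to N, snapshot of D) for checking the table."""
    adj = neighbors_of(links)
    N = {source}
    D = {v: math.inf for v in adj}
    p = {v: None for v in adj}
    D[source] = 0
    for v, c in adj[source].items():          # initialization
        D[v], p[v] = c, source
    steps = [(source, dict(D))]
    while len(N) < len(adj):                  # loop until all nodes in N
        w = min((v for v in adj if v not in N), key=lambda v: D[v])
        N.add(w)
        for v, c in adj[w].items():           # update D(v) for v adjacent to w, not in N
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        steps.append((w, dict(D)))
    return D, p, steps

def forwarding_table(links, source):
    """Next hop from `source` to every other node, obtained by walking the
    predecessor chain back until it reaches a neighbor of the source."""
    _, p, _ = dijkstra(links, source)
    table = {}
    for dest in p:
        if dest == source:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table

if __name__ == "__main__":
    D, p, steps = dijkstra(LINKS, "u")
    for step, (added, snapshot) in enumerate(steps):
        print(step, added, {v: (snapshot[v], p[v]) for v in sorted(snapshot)})
    print("forwarding table at u:", forwarding_table(LINKS, "u"))
```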
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F (Bellman-Ford) equation:
  Dx(y) ← min over neighbors v of { c(x,v) + Dv(y) }   for each node y ∈ N
Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y).
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by: local link cost change, or DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path – only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor); recompute estimates; if DV to any destination has changed, notify neighbors
Why different Intra- and Inter-AS routing?
… update traffic
Performance: Intra-AS: can focus on performance. Inter-AS: policy may dominate over performance
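An added Python simulation (not from the original slides) of the distance-vector algorithm on a small constructed three-node graph. Each node keeps its own DV and the last DV heard from every neighbor and recomputes with the Bellman-Ford equation above; the simulation runs in synchronous rounds (everyone sends, then everyone recomputes) rather than asynchronously, so that the round in which the estimates stop changing can be checked.

```python
# Added example: distance-vector (Bellman-Ford) simulation on a constructed
# graph. Synchronous rounds are an assumption made for repeatability.
import math

class DVNode:
    def __init__(self, name, link_costs, all_nodes):
        self.name = name
        self.c = dict(link_costs)                    # c(x, v) for each neighbor v
        self.nodes = list(all_nodes)
        self.D = {y: math.inf for y in self.nodes}   # own estimates D_x(y)
        self.D[name] = 0
        for v, cost in self.c.items():
            self.D[v] = cost
        self.next_hop = {v: v for v in self.c}
        self.next_hop[name] = name
        self.neighbor_dv = {}                        # last DV received from each neighbor

    def receive(self, sender, dv):
        self.neighbor_dv[sender] = dict(dv)

    def recompute(self):
        """Apply D_x(y) = min_v { c(x,v) + D_v(y) }; return True if own DV changed."""
        changed = False
        for y in self.nodes:
            if y == self.name:
                continue
            best, hop = math.inf, None
            for v, cost in self.c.items():
                via = cost + self.neighbor_dv.get(v, {}).get(y, math.inf)
                if v == y:                           # the direct link is always an option
                    via = min(via, cost)
                if via < best:
                    best, hop = via, v
            if best != self.D[y]:
                changed = True
            self.D[y], self.next_hop[y] = best, hop
        return changed

def run_dv(links, max_rounds=50):
    """Round = every node sends its DV to its neighbors, then every node
    recomputes. Stops when no DV changes. Returns (nodes, rounds used)."""
    names = sorted({n for edge in links for n in edge})
    adj = {n: {} for n in names}
    for (a, b), cost in links.items():
        adj[a][b] = cost
        adj[b][a] = cost
    nodes = {n: DVNode(n, adj[n], names) for n in names}
    for r in range(1, max_rounds + 1):
        for n in nodes.values():
            for v in n.c:
                nodes[v].receive(n.name, n.D)
        changed = [n.recompute() for n in nodes.values()]   # recompute all, then test
        if not any(changed):
            return nodes, r
    return nodes, max_rounds

# Constructed graph: x-y cost 2, y-z cost 1, x-z cost 7
DV_LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}

if __name__ == "__main__":
    nodes, rounds = run_dv(DV_LINKS)
    print("converged after", rounds, "rounds")
    for n in nodes.values():
        print(n.name, n.D, "next hops:", n.next_hop)
```

Node x never learns the path x-y-z as a whole; it only learns that its best next hop toward z is y, which is the "only knows the next hop" property stated above.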
Data Link Layer: Some terminology
hosts and routers are nodes
communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
layer-2 packet is a frame, encapsulates datagram
[figure: "link" between adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest
• different from IP address!
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates
• Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access. Access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkt; slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
single active node can continuously transmit at full rate of channel
highly decentralized: only slots in nodes need to be in sync
simple
Cons:
collisions, wasting slots
idle slots
clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take limit of Np*(1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
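An added Python check (not from the original slides) of the slotted ALOHA efficiency derivation above: it evaluates Np(1-p)^(N-1), locates the maximizing p numerically (which lands on p* = 1/N), compares the large-N value with 1/e, and confirms the "long-run fraction of successful slots" reading by simulating slots with a seeded random generator. The grid resolution and the simulation length are choices made for the example.

```python
# Added example: numeric and Monte-Carlo check of the slotted ALOHA
# efficiency formula from the slide.
import math
import random

def success_prob(N, p):
    """P(exactly one of N nodes transmits in a slot) = N p (1-p)^(N-1)."""
    return N * p * (1 - p) ** (N - 1)

def best_p(N, resolution=10000):
    """Grid search for the p that maximizes N p (1-p)^(N-1).
    (Differentiating gives p* = 1/N; the grid search finds the same point.)"""
    grid = [k / resolution for k in range(1, resolution)]
    return max(grid, key=lambda p: success_prob(N, p))

def max_efficiency(N):
    """Efficiency at p* = 1/N, i.e. (1 - 1/N)^(N-1)."""
    return success_prob(N, 1.0 / N)

def limit_efficiency():
    """The N -> infinity limit of max_efficiency(N)."""
    return 1 / math.e

def simulate(N, p, slots, seed=0):
    """Long-run fraction of slots with exactly one transmitter, each of the
    N always-busy nodes transmitting independently with probability p."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(N) if rng.random() < p)
        if transmitters == 1:
            successes += 1
    return successes / slots

if __name__ == "__main__":
    for N in (2, 5, 10, 100, 1000):
        print(f"N={N:5d}  p*={best_p(N):.4f}  max efficiency={max_efficiency(N):.4f}")
    print(f"limit 1/e = {limit_efficiency():.4f}")
    print(f"simulated, N=10, p=0.1: {simulate(10, 0.1, 20000, seed=7):.4f}")
```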
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle: transmit entire frame. If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[figure: spatial layout of nodes; note: role of distance & propagation delay in determining collision probability]
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[figure: A – R – B, with A and R on one LAN and R and B on another]
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame
R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
[figure: A – R – B, with A and R on one LAN and R and B on another]
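An added Python simulation (not from the original slides) of the two ARP slides above: same-LAN resolution with a broadcast query and a unicast reply, soft-state caching with a TTL, and the walkthrough from A through router R to B. Only the router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B come from the slide; the two LAN prefixes, the other IP and MAC addresses, the 20-minute TTL value as seconds and the simulated clock are constructed for the example.

```python
# Added example: ARP resolution, soft-state cache and the A -> R -> B
# walkthrough. Addresses other than R's 111.111.111.110 / E6-E9-00-17-BB-4B
# are constructed placeholders.
import ipaddress

ARP_TTL = 20 * 60                  # seconds; slide: mapping forgotten after ~20 min
BROADCAST = "FF-FF-FF-FF-FF-FF"

class Node:
    """A host or router. ifaces maps LAN name -> (IP, MAC)."""
    def __init__(self, name, ifaces, default_gw=None):
        self.name = name
        self.ifaces = {lan: (ipaddress.ip_address(ip), mac) for lan, (ip, mac) in ifaces.items()}
        self.default_gw = ipaddress.ip_address(default_gw) if default_gw else None
        self.arp = {}              # IP -> (MAC, expiry time): soft state

class Network:
    def __init__(self, lans):
        self.lans = {name: ipaddress.ip_network(prefix) for name, prefix in lans.items()}
        self.nodes = {}
        self.clock = 0.0           # seconds; advanced by the caller
        self.trace = []            # human-readable record of what happened

    def add(self, *nodes):
        for n in nodes:
            self.nodes[n.name] = n

    def node_with_mac(self, lan, mac):
        return next(n for n in self.nodes.values() if lan in n.ifaces and n.ifaces[lan][1] == mac)

    def arp_resolve(self, node, lan, target_ip):
        """Use the cache if the entry is still fresh, else broadcast a query."""
        entry = node.arp.get(target_ip)
        if entry and entry[1] > self.clock:
            self.trace.append(f"{node.name}: ARP cache hit {target_ip} -> {entry[0]}")
            return entry[0]
        self.trace.append(f"{node.name}: ARP query for {target_ip}, dest MAC {BROADCAST}, on {lan}")
        for other in self.nodes.values():                 # every node on the LAN sees the query
            if other is node or lan not in other.ifaces:
                continue
            ip, mac = other.ifaces[lan]
            if ip == target_ip:                           # only the owner answers, unicast
                self.trace.append(f"{other.name}: ARP reply {target_ip} is-at {mac}, unicast to {node.ifaces[lan][1]}")
                node.arp[target_ip] = (mac, self.clock + ARP_TTL)
                return mac
        raise LookupError(f"no node with {target_ip} on {lan}")

    def send(self, src_name, dst_ip):
        """Carry one datagram hop by hop; returns the link-layer frames built."""
        dst = ipaddress.ip_address(dst_ip)
        node = self.nodes[src_name]
        src_ip = next(iter(node.ifaces.values()))[0]
        frames = []
        while True:
            # routing decision: directly connected LAN, else the default router
            lan = next((l for l in node.ifaces if dst in self.lans[l]), None)
            if lan is None:
                next_ip = node.default_gw
                lan = next(l for l in node.ifaces if next_ip in self.lans[l])
            else:
                next_ip = dst
            next_mac = self.arp_resolve(node, lan, next_ip)
            frames.append({"lan": lan, "src_mac": node.ifaces[lan][1], "dst_mac": next_mac,
                           "src_ip": str(src_ip), "dst_ip": str(dst)})
            node = self.node_with_mac(lan, next_mac)         # frame delivered on this LAN
            if any(ip == dst for ip, _ in node.ifaces.values()):
                self.trace.append(f"{node.name}: datagram from {src_ip} delivered")
                return frames
            self.trace.append(f"{node.name}: datagram for {dst} not for me, forwarding")

def build_example():
    net = Network({"left": "111.111.111.0/24", "right": "222.222.222.0/24"})
    net.add(
        Node("A", {"left": ("111.111.111.111", "74-29-9C-E8-FF-55")}, default_gw="111.111.111.110"),
        Node("R", {"left": ("111.111.111.110", "E6-E9-00-17-BB-4B"),
                   "right": ("222.222.222.220", "1A-23-F9-CD-06-9B")}),
        Node("B", {"right": ("222.222.222.222", "49-BD-D2-C7-56-2A")}, default_gw="222.222.222.220"),
    )
    return net

if __name__ == "__main__":
    net = build_example()
    for f in net.send("A", "222.222.222.222"):
        print(f)
    print("\n".join(net.trace))
```

The IP source and destination stay the same in both frames while the MAC addresses change at every hop, which is the point of the walkthrough; R keeps one ARP table per interface because each table is only meaningful on its own LAN.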
Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K·512 bit transmission times
after second collision: choose K from {0, 1, 2, 3} …
after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}
CSMA/CD efficiency
tprop = max prop delay between 2 nodes in LAN
ttrans = time to transmit max-size frame
efficiency = 1 / (1 + 5·tprop/ttrans)
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
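An added Python model (not from the original slides) of Ethernet's exponential backoff as stated above: the K range after the m-th collision, the K·512 bit-time delay, the bit time of 10 Mbps Ethernet and the jam signal length. The cap at ten collisions reflects the slide's "after ten collisions, choose K from 0..1023"; the seeded random generator and the collision-sequence simulation are choices made for the example.

```python
# Added example: truncated binary exponential backoff for 10 Mbps Ethernet,
# following the slide's parameters. The seeded RNG is for repeatability.
import random

BIT_TIME_S = 1e-7        # 10 Mbps Ethernet: one bit time is 0.1 microsecond
SLOT_BITS = 512          # backoff unit: K * 512 bit times
MAX_EXPONENT = 10        # the K range stops growing after the 10th collision
JAM_BITS = 48            # jam signal length

def backoff_range(m):
    """Number of possible K values after the m-th collision: 2^min(m,10)."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_EXPONENT)

def choose_k(m, rng):
    """Draw K uniformly from {0, 1, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_range(m))

def wait_time_s(k, bit_time=BIT_TIME_S):
    """Backoff delay for a chosen K: K * 512 bit times, in seconds."""
    return k * SLOT_BITS * bit_time

def max_wait_ms(m, bit_time=BIT_TIME_S):
    """Longest possible delay after the m-th collision, in milliseconds."""
    return wait_time_s(backoff_range(m) - 1, bit_time) * 1000.0

def jam_time_s(bit_time=BIT_TIME_S):
    """Duration of the 48-bit jam signal."""
    return JAM_BITS * bit_time

def simulate_collisions(n_collisions, seed=1):
    """One adapter suffering n successive collisions on the same frame:
    returns (m, K chosen, delay in seconds) for each collision."""
    rng = random.Random(seed)
    out = []
    for m in range(1, n_collisions + 1):
        k = choose_k(m, rng)
        out.append((m, k, wait_time_s(k)))
    return out

if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        print(f"collision {m:2d}: K in 0..{backoff_range(m) - 1:4d}, max wait {max_wait_ms(m):8.4f} ms")
    for m, k, delay in simulate_collisions(12, seed=3):
        print(f"collision {m:2d}: K={k:4d}, wait {delay * 1e6:9.1f} us")
```

The maximum wait after the tenth collision, 1023 × 512 × 0.1 µs, is 52.4 ms, the "about 50 msec" figure on the slide; that figure only follows with a 0.1 µs bit time, which is what 10 Mbps gives.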
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links; at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality
• can disconnect a malfunctioning adapter
[figure: hub with twisted-pair links]
Interconnecting with hubs
Pros:
Enables interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions, the backbone hub can disconnect it
Cons:
Collision domains are transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub connecting three hubs]
Switch
Link layer device
stores and forwards Ethernet frames
examines frame header and selectively forwards frame based on MAC dest address
when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured
Forwarding
• How to determine onto which LAN segment to forward frame?
• Looks like a routing problem...
[figure: switch with interfaces 1, 2, 3, each connected to a hub]
Self learning
A switch has a switch table
entry in switch table: (MAC Address, Interface, Time Stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table
Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains
[figure: switch connecting three hubs; each hub is its own collision domain]
Switches vs. Routers
both store-and-forward devices
routers: network layer devices (examine network layer headers)
switches are link layer devices
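An added Python model (not from the original slides) of the self-learning and traffic-isolation behaviour described in the two slides above: a switch table of (MAC address, interface, time stamp) entries that expire after a TTL, flooding for unknown or broadcast destinations, filtering of frames whose destination is on the incoming segment, and selective forwarding otherwise. The three-interface layout mirrors the figure; the MAC addresses, the clock values and the TTL expressed in seconds are constructed.

```python
# Added example: a self-learning switch with timestamped table entries.
# MAC addresses, clock values and the TTL in seconds are constructed.
BROADCAST = "FF-FF-FF-FF-FF-FF"

class LearningSwitch:
    def __init__(self, n_interfaces, ttl):
        self.interfaces = list(range(1, n_interfaces + 1))   # numbered 1..n as in the figure
        self.ttl = ttl
        self.table = {}                                       # MAC -> (interface, time stamp)

    def _drop_stale(self, now):
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ttl:
                del self.table[mac]

    def handle(self, src_mac, dst_mac, in_iface, now):
        """Learn the sender's location, then decide where the frame goes.
        Returns the list of interfaces the frame is sent out of."""
        self._drop_stale(now)
        self.table[src_mac] = (in_iface, now)                 # self-learning
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [i for i in self.interfaces if i != in_iface]   # unknown: flood
        out_iface, _ = self.table[dst_mac]
        if out_iface == in_iface:
            return []                                         # same segment: filter
        return [out_iface]                                    # known: selective forward

def scenario():
    """Hosts A and B share the hub on interface 1; host C is on interface 3."""
    sw = LearningSwitch(n_interfaces=3, ttl=60 * 60)          # slide: TTL can be 60 min
    A, B, C = "0A-00-00-00-00-0A", "0B-00-00-00-00-0B", "0C-00-00-00-00-0C"
    out = []
    out.append(sw.handle(A, C, in_iface=1, now=0))            # C unknown: flood to 2, 3
    out.append(sw.handle(C, A, in_iface=3, now=1))            # A learned on 1: forward to 1
    out.append(sw.handle(A, B, in_iface=1, now=2))            # B unknown: flood
    out.append(sw.handle(B, A, in_iface=1, now=3))            # A and B on same segment: filtered
    out.append(sw.handle(A, C, in_iface=1, now=3 + 60 * 60 + 1))  # C's entry stale: flood again
    return out

if __name__ == "__main__":
    for step, ports in enumerate(scenario(), 1):
        print(f"frame {step}: sent out of {ports}")
```

The fourth frame never leaves the switch: B and A sit behind the same hub, so the hub already delivered it and forwarding it elsewhere would only consume bandwidth on the other collision domains.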
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[figure: A, B, C]
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C can not hear each other; means A, C unaware of their interference at B
[figure: A's signal strength and C's signal strength versus space, with B between them]
Signal fading: B, A hear each other; B, C hear each other; A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer
• all hosts use same chipping code
widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
ad hoc mode: hosts only
[figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[figure: A and B both send RTS to the AP (RTS(A), RTS(B)) – reservation collision; AP broadcasts CTS(A); A sends DATA(A); AP returns ACK(A); B defers]
802.11 frame (field lengths in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[figure: H1 – AP – R1 (Internet router)]
802.11 frame (H1 to AP): address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr
802.3 frame (AP to R1): dest address = R1 MAC addr; source address = H1 MAC addr
802.11 frame: addressing
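An added Python example (not from the original slides) of the address translation the AP performs in the figure above: an 802.11 frame from H1 carrying the AP in address 1, H1 in address 2 and R1 in address 3 becomes an 802.3 frame with destination R1 and source H1. The reverse direction (router to host), which uses the same three fields with the From-DS bit set, is a generalization beyond the slide; the To-DS/From-DS flags and all MAC values are placeholders constructed for the example.

```python
# Added example: AP address translation between 802.11 and 802.3 frames.
# MAC addresses are placeholders; To-DS/From-DS flags are modelled as ints.
H1_MAC = "02-00-00-00-00-01"   # wireless host
AP_MAC = "02-00-00-00-00-02"   # access point
R1_MAC = "02-00-00-00-00-03"   # router interface the AP is attached to

# The slide's case: H1 sends to the AP, final destination is R1
H1_TO_AP = {"to_ds": 1, "from_ds": 0,
            "addr1": AP_MAC,        # receiver of this wireless frame
            "addr2": H1_MAC,        # transmitter of this wireless frame
            "addr3": R1_MAC,        # where the AP should send it on the wired side
            "payload": b"hello"}

def wifi_to_ethernet(frame, ap_mac):
    """AP relays a host-to-AP (To-DS) frame onto the wired LAN.
    Returns the 802.3 frame, or None if the frame is not addressed to this AP."""
    if not (frame["to_ds"] == 1 and frame["from_ds"] == 0):
        raise ValueError("expected a host-to-AP frame (To-DS=1, From-DS=0)")
    if frame["addr1"] != ap_mac:
        return None
    return {"dst": frame["addr3"], "src": frame["addr2"], "payload": frame["payload"]}

def ethernet_to_wifi(eth, ap_mac):
    """AP relays a wired frame to a wireless host (From-DS=1): address 1 is the
    receiving host, address 2 the AP, address 3 the original wired source."""
    return {"to_ds": 0, "from_ds": 1,
            "addr1": eth["dst"], "addr2": ap_mac, "addr3": eth["src"],
            "payload": eth["payload"]}

if __name__ == "__main__":
    eth = wifi_to_ethernet(H1_TO_AP, AP_MAC)
    print("802.3 frame:", eth)
    reply = ethernet_to_wifi({"dst": H1_MAC, "src": R1_MAC, "payload": b"reply"}, AP_MAC)
    print("802.11 frame back to host:", reply)
```

Address 3 is what lets the AP build a correct 802.3 header without looking inside the IP datagram: the wired destination is already in the wireless frame.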
Network Security
What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and countermeasures: Packet sniffing, IP spoofing, DoS attacks
ap5.0 security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
Difficult to detect: Bob receives everything that Alice sends, and vice versa (e.g., so Bob, Alice can meet one week later and recall conversation); problem is that Trudy receives all messages as well!
Overview
What is network security? Principles of cryptography; Authentication; Access control: firewalls; Attacks and countermeasures
Firewalls
isolates organization's internal net from larger Internet, allowing some packets to pass, blocking others
[figure: administered network – firewall – public Internet]
Firewalls: Why
prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections
prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls: application-level, packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides network management functionality, e.g. can disconnect a malfunctioning adapter
(figure: hub with twisted-pair links)
Interconnecting with hubs
Pros:
- enables interdepartmental communication
- extends max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it
Cons:
- the individual collision domains are merged into one large common collision domain
- cannot interconnect 10BaseT and 100BaseT hubs
(figure: backbone hub connecting three departmental hubs)
Switch
Link-layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC destination address
- when frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem.
(figure: switch with interfaces 1, 2, 3, each connected to a hub)
Self learning
A switch has a switch table. Entry in switch table: (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.
Switch: traffic isolation
Switch installation breaks the subnet into LAN segments.
Switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.
(figure: switch with three hubs, each hub a separate collision domain)
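The self-learning and traffic-isolation behaviour of the last two slides in one model, as an added example (not code from the slides or from any switch vendor). The table holds (MAC, interface, timestamp) entries that age out after a TTL, unknown destinations are flooded, a destination on the sender's own segment is filtered, and a known destination is forwarded on one port. Note that the table is populated from whatever source address arrives in a frame; nothing on the page authenticates it. The clock is injectable so aging can be exercised without waiting; port numbers and MAC addresses in the usage are constructed.

```python
import time
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class TableEntry:
    interface: int
    timestamp: float


class LearningSwitch:
    """Self-learning switch: (MAC, interface, timestamp) table with TTL aging, flooding and filtering."""

    def __init__(self, num_ports, ttl_seconds=60 * 60, clock=time.monotonic):
        self.ports = list(range(num_ports))
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so aging can be tested without sleeping
        self.table = {}             # MAC address -> TableEntry

    def _expire(self, now):
        stale = [mac for mac, e in self.table.items() if now - e.timestamp > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_port):
        """Handle one frame; return the list of ports it is sent out on."""
        if in_port not in self.ports:
            raise ValueError(f"no such port {in_port}")
        now = self.clock()
        self._expire(now)
        # Learn: the sender is reachable through the incoming interface (refreshes the timestamp).
        self.table[src_mac] = TableEntry(in_port, now)
        entry = None if dst_mac == BROADCAST else self.table.get(dst_mac)
        if entry is None:
            # Unknown destination (or broadcast): flood out every port except the incoming one.
            return [p for p in self.ports if p != in_port]
        if entry.interface == in_port:
            # Destination is on the same segment as the sender: filter (drop).
            return []
        return [entry.interface]      # selective forwarding

    def lookup(self, mac):
        e = self.table.get(mac)
        return None if e is None else e.interface
```

Usage: `sw = LearningSwitch(4)`; the first frame from A to an unknown B returns the three other ports (flooding), B's reply returns just A's port, and once B's entry has aged past the TTL the next frame to B is flooded again.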
Switches vs. Routers
Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other. This means A and C are unaware of their interference at B.
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other because their signals attenuate with distance, yet they still interfere at B.
(figure: A, B, C laid out in space, with A's and C's signal strength falling off with distance)
IEEE 802.11 Wireless LAN
802.11b: 2.4-2.5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code; widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-2.5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
Wireless host communicates with a base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, base station); in ad hoc mode, hosts only.
(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender:
1. If channel sensed idle for DIFS, then transmit entire frame (no collision detection).
2. If channel sensed busy, then start random backoff timer; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval and repeat step 2.
802.11 receiver: if frame received OK, return ACK after SIFS (ACK needed because of the hidden terminal problem).
(figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK)
Collision avoidance: RTS-CTS exchange
(figure: A and B both send RTS to the AP; RTS(A) and RTS(B) collide; A's retransmitted RTS gets through; the AP broadcasts CTS(A), which B also hears and defers; A sends DATA(A); the AP returns ACK(A); the RTS/CTS exchange reserves the channel)
802.11 frame
field:  frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload  | CRC
bytes:  2             | 2        | 6         | 6         | 6         | 2           | 6         | 0 - 2312 | 4
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.
Example: H1 sends through the AP to router interface R1.
802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.
802.3 frame (AP to R1): dest address = R1 MAC addr, source address = H1 MAC addr. The AP acts as a transparent link-layer bridge, so the Ethernet frame carries H1's MAC address as source, not the AP's.
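The frame layout and the AP's address translation above, as an added example (not code from the slides). It packs the fields at the fixed offsets the page draws (Address 4 always present; on the air that field is only present when both the To-DS and From-DS flags are set), verifies the CRC-32 trailer, and builds the 802.3 frame the AP puts on the wire with dest = address 3 and source = address 2. The frame-control value 0x0108 (a data frame with the To-DS flag set), the MAC addresses, the IPv4 EtherType and the payload are constructed for the demonstration; Ethernet minimum-length padding is omitted.

```python
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800          # assumption: the payload is an IPv4 datagram
FC_TO_DS = 0x0100                # To-DS flag, bit 0 of the second frame-control byte (little-endian u16)
MAX_PAYLOAD = 2312

# Fixed-offset layout exactly as drawn on the page:
# frame control 2 | duration 2 | addr1 6 | addr2 6 | addr3 6 | seq control 2 | addr4 6 | payload | CRC 4
HDR = struct.Struct("<HH6s6s6sH6s")   # 30 bytes


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_80211_frame(addr1, addr2, addr3, payload, addr4="00:00:00:00:00:00",
                      frame_control=0x0108, duration=0, seq=0):
    """Constructed host->AP data frame with a CRC-32 FCS over header and payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = HDR.pack(frame_control, duration, mac_bytes(addr1), mac_bytes(addr2),
                    mac_bytes(addr3), seq, mac_bytes(addr4)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_80211_frame(frame):
    if len(frame) < HDR.size + 4:
        raise ValueError("truncated frame")
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("bad CRC")
    fc, dur, a1, a2, a3, seq, a4 = HDR.unpack_from(body)
    return {"frame_control": fc, "duration": dur, "address1": mac_str(a1),
            "address2": mac_str(a2), "address3": mac_str(a3), "seq_control": seq,
            "address4": mac_str(a4), "payload": body[HDR.size:]}


def ap_to_ethernet(frame, ap_mac):
    """What the AP does with a host->AP frame: check it is for this AP and headed to the
    distribution system, then emit an 802.3 frame with dest = address 3, source = address 2."""
    f = parse_80211_frame(frame)
    if f["address1"] != ap_mac:
        raise ValueError("frame not addressed to this AP")
    if not f["frame_control"] & FC_TO_DS:
        raise ValueError("not a To-DS frame")
    eth = mac_bytes(f["address3"]) + mac_bytes(f["address2"]) + struct.pack("!H", ETHERTYPE_IPV4) + f["payload"]
    return eth + struct.pack("<I", zlib.crc32(eth))


def parse_ethernet(frame):
    body = frame[:-4]
    if struct.unpack("<I", frame[-4:])[0] != zlib.crc32(body):
        raise ValueError("bad FCS")
    return {"dest": mac_str(body[0:6]), "source": mac_str(body[6:12]),
            "type": struct.unpack("!H", body[12:14])[0], "payload": body[14:]}
```

A flipped bit anywhere in the header or payload fails the CRC check; a frame whose address 1 is not the AP's own address is rejected before anything is bridged.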
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Network Security
Overview
What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.
Firewalls
A firewall isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
(figure: administered network -- firewall -- public Internet)
Firewalls: Why
- Prevent denial of service attacks: SYN flooding, where an attacker establishes many bogus TCP connections so that no resources are left for "real" connections.
- Prevent illegal modification/access of internal data, e.g. attacker replaces CIA's homepage with something else.
- Allow only authorized access to the inside network (set of authenticated users/hosts).
Two types of firewalls: application-level, packet-filtering.
Packet Filtering
Internal network connected to the Internet via a router firewall. The router filters packet-by-packet; the decision to forward/drop a packet is based on: source IP address, destination IP address, TCP/UDP source and destination port numbers, ICMP message type, TCP SYN and ACK bits.
Should an arriving packet be allowed in? Should a departing packet be let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and block datagrams with either source or destination port = 23 (telnet). Result: all incoming and outgoing UDP flows and all telnet connections are blocked. These are two separate rules: telnet runs over TCP (protocol 6), so a single rule requiring both protocol 17 and port 23 would block neither telnet nor ordinary UDP.
Example 2: block inbound TCP SYN packets (SYN set, ACK clear). Prevents external clients from making TCP connections with internal hosts, but allows internal clients to connect to the outside, because the SYN-ACK replies they receive have the ACK bit set and are not blocked.
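A stateless packet filter that encodes the two examples above, added here as an illustration (not code from the slides or from any firewall product). Rules are matched first-match-wins on the header fields the slide lists; Example 2's rule matches only SYN=1, ACK=0, so inbound SYN-ACKs for connections opened from inside still pass. The IP addresses in the usage are constructed documentation addresses.

```python
from dataclasses import dataclass
from typing import List, Optional

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    direction: str                    # "in" (arriving from the Internet) or "out" (leaving)
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: Optional[int] = None    # TCP/UDP only
    dst_port: Optional[int] = None
    tcp_flags: int = 0
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is set agrees with the packet."""
    action: str                       # "drop" or "allow"
    direction: Optional[str] = None
    protocol: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    either_port: Optional[int] = None # matches source OR destination port
    syn_only: bool = False            # TCP with SYN=1 and ACK=0: a connection request
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.src_port is not None and p.src_port != self.src_port:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.either_port is not None and self.either_port not in (p.src_port, p.dst_port):
            return False
        if self.syn_only:
            if p.protocol != PROTO_TCP:
                return False
            if not (p.tcp_flags & TCP_SYN) or (p.tcp_flags & TCP_ACK):
                return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def decide(rules: List[Rule], p: Packet, default="allow") -> str:
    """First matching rule wins; a packet matching no rule gets the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# The page's two examples, written as separate rules.
EXAMPLE_RULES = [
    Rule("drop", protocol=PROTO_UDP),                                  # Example 1: all UDP, both directions
    Rule("drop", either_port=23),                                      # Example 1: telnet, both directions
    Rule("drop", direction="in", protocol=PROTO_TCP, syn_only=True),   # Example 2: no inbound connection requests
]
```

The default policy is a parameter on purpose: with `default="drop"` the same rule list becomes a deny-by-default filter, which is the setting a practitioner would normally want at a border.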
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host. The gateway relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.
(figure: host-to-gateway telnet session; gateway-to-remote-host telnet session; application gateway behind router and filter)
Limitations of firewalls and gateways
- IP spoofing: the router can't know if data "really" comes from the claimed source.
- If multiple applications need special treatment, each has its own application gateway.
- Client software must know how to contact the gateway, e.g. must set the IP address of the proxy in the Web browser.
- Filters often use an all-or-nothing policy for UDP.
- Tradeoff: degree of communication with the outside world vs. level of security.
- Many highly protected sites still suffer from attacks.
Overview
What is network security? Principles of cryptography. Authentication. Access control: firewalls. Attacks and countermeasures.
Internet security threats
Mapping: before attacking, "case the joint": find out what services are implemented on the network. Use ping to determine which hosts have addresses on the network. Port-scanning: try to establish a TCP connection to each port in sequence.
Countermeasures: record traffic entering the network; look for suspicious activity (IP addresses, ports being scanned sequentially).
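The countermeasure above, run over a log, as an added example (not code from the slides). The log format is an assumption made for the demonstration (one connection attempt or echo request per line); the detector flags a source that opens SYNs to many distinct ports on one host inside a time window, labels it "sequential" when the port numbers form a consecutive run, and separately flags a source that pings many distinct hosts. All log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption): one connection attempt or ping per line.
LINE_RE = re.compile(
    r"^(?P<t>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+)"
    r"(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\w+))?(?: type=(?P<itype>\d+))?$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"t": int(d["t"]), "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "flags": d["flags"] or "", "itype": int(d["itype"]) if d["itype"] else None}


def longest_run(ports):
    """Length of the longest run of consecutive port numbers (1,2,3 -> 3)."""
    best = run = 0
    prev = None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best = max(best, run)
        prev = p
    return best


def detect_mapping(lines, window=60, port_threshold=10, host_threshold=5):
    """Flag sources that probe many ports on one host (port scan) or ping many hosts (sweep)
    within `window` seconds. Returns {src: [(kind, target, count), ...]}."""
    syn_by_src_dst = defaultdict(list)      # (src, dst) -> [(t, port)]
    pings_by_src = defaultdict(list)        # src -> [(t, dst)]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "tcp" and "S" in ev["flags"] and "A" not in ev["flags"]:
            syn_by_src_dst[(ev["src"], ev["dst"])].append((ev["t"], ev["dport"]))
        elif ev["proto"] == "icmp" and ev["itype"] == 8:
            pings_by_src[ev["src"]].append((ev["t"], ev["dst"]))
    alerts = defaultdict(list)
    for (src, dst), evs in syn_by_src_dst.items():
        for t0, _ in evs:                   # slide the window from each event
            distinct = {p for t, p in evs if t0 <= t < t0 + window}
            if len(distinct) >= port_threshold:
                kind = "sequential port scan" if longest_run(distinct) >= port_threshold else "port scan"
                alerts[src].append((kind, dst, len(distinct)))
                break
    for src, evs in pings_by_src.items():
        for t0, _ in evs:
            hosts = {d for t, d in evs if t0 <= t < t0 + window}
            if len(hosts) >= host_threshold:
                alerts[src].append(("ping sweep", None, len(hosts)))
                break
    return dict(alerts)


SAMPLE_LOG = (
    # constructed: 10.0.0.5 walks ports 20..35 on 192.0.2.10, one per second
    [f"{1000 + i} src=10.0.0.5 dst=192.0.2.10 proto=tcp dport={20 + i} flags=S" for i in range(16)]
    # constructed: a normal client opening two services
    + ["1000 src=10.0.0.7 dst=192.0.2.10 proto=tcp dport=80 flags=S",
       "1003 src=10.0.0.7 dst=192.0.2.10 proto=tcp dport=443 flags=S"]
    # constructed: 198.51.100.9 pings 192.0.2.1 .. 192.0.2.8
    + [f"{2000 + i} src=198.51.100.9 dst=192.0.2.{i + 1} proto=icmp type=8" for i in range(8)]
)
```

The thresholds are the knobs a practitioner tunes: a scanner that spreads probes over hours or randomizes port order slips under a short window or the consecutive-run test, which is why the plain "port scan" label is kept alongside the "sequential" one.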
Internet security threats: packet sniffing
Broadcast media: a promiscuous NIC reads all packets passing by and can read all unencrypted data (e.g. passwords). E.g. C sniffs B's packets.
(figure: A, B, C on a shared segment; frame src:B dest:A payload)
Countermeasures
Internet security threats: packet sniffing countermeasures
- All hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
- One host per segment of broadcast media (switched Ethernet instead of a hub).
(figure: A, B, C each on their own switch port)
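The first countermeasure, a periodic host-side promiscuous-mode check, as an added example (not code from the slides). On Linux each interface exposes its flags word as a hex string in /sys/class/net/<if>/flags, and IFF_PROMISC is bit 0x100 of that word; the pure helpers are split out so the decision logic can be tested without a real sysfs. The caveat a practitioner should keep in mind: this checks the kernel's own view, so a host whose kernel or driver has been tampered with can report whatever it likes, and a switched network already keeps other hosts' unicast frames off the wire.

```python
import glob
import os

IFF_PROMISC = 0x100   # bit from Linux <linux/if.h>; /sys/class/net/<if>/flags shows the flags word in hex


def parse_flags(text):
    """Parse the hex string sysfs exposes (e.g. '0x1003\\n')."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def promiscuous_from_flags(flags_by_iface):
    """Pure helper: given {ifname: flags-int}, return the sorted names in promiscuous mode."""
    return sorted(name for name, f in flags_by_iface.items() if is_promiscuous(f))


def read_interface_flags(sysfs_root="/sys/class/net"):
    """Read every interface's flags from sysfs (Linux). Unreadable entries are skipped."""
    flags = {}
    for path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        try:
            with open(path) as fh:
                flags[os.path.basename(os.path.dirname(path))] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue
    return flags


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    return promiscuous_from_flags(read_interface_flags(sysfs_root))


if __name__ == "__main__":
    found = promiscuous_interfaces()
    print("promiscuous:", ", ".join(found) if found else "none")
```

Run it from cron or a periodic agent and alert when the returned list is non-empty; the constructed flags in the test mirror what a typical up, broadcast-capable interface (0x1003) and the same interface with promiscuous mode enabled (0x1103) report.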
Internet security threats: IP spoofing
An application can generate "raw" IP packets directly, putting any value into the IP source address field. The receiver can't tell if the source is spoofed. E.g. C pretends to be B.
(figure: C sends frame src:B dest:A payload)
Countermeasures
Internet security threats: IP spoofing: ingress filtering
Routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in the router's network).
Great, but ingress filtering cannot be mandated for all networks.
(figure: router drops C's packet with src:B)
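The source-address check above at a border router, as an added example (not code from the slides or from any router). It implements both directions of the rule: a packet leaving the network may only carry one of the network's own source addresses (the ingress filtering of the slide, commonly known as BCP 38 / RFC 2827), and a packet arriving from outside may not claim one of them either. Prefixes and addresses are constructed documentation ranges.

```python
import ipaddress


class SourceAddressFilter:
    """Ingress/egress source-address check at the border router of the given internal prefixes."""

    def __init__(self, internal_prefixes):
        self.internal = [ipaddress.ip_network(p, strict=True) for p in internal_prefixes]

    def is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr.version == net.version and addr in net for net in self.internal)

    def forward(self, src_ip, direction):
        """direction: 'out' = leaving toward the Internet, 'in' = arriving from outside.
        Returns True to forward, False to drop."""
        try:
            internal = self.is_internal(src_ip)
        except ValueError:
            return False                          # unparsable source address: drop
        if direction == "out":
            return internal                       # only our own addresses may leave
        if direction == "in":
            return not internal                   # nobody outside may claim one of ours
        raise ValueError(f"unknown direction {direction!r}")

    def apply(self, packets):
        """Run a list of (src_ip, direction) through the filter; return (forwarded, dropped)."""
        forwarded, dropped = [], []
        for src, direction in packets:
            (forwarded if self.forward(src, direction) else dropped).append((src, direction))
        return forwarded, dropped
```

The check stops the slide's C-pretends-to-be-B case only when C sits behind a router that runs it, which is exactly the "cannot be mandated for all networks" limitation.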
Internet security threats: denial of service (DoS)
A flood of maliciously generated packets "swamps" the receiver. Distributed DoS (DDoS): multiple coordinated sources swamp the receiver. E.g. C and a remote host SYN-attack A.
(figure: SYN packets from C and the remote host flooding A)
Countermeasures
Internet security threats: denial of service (DoS) countermeasures
- Filter out flooded packets (e.g. SYN) before they reach the host: throws out the good with the bad.
- Traceback to the source of the floods (most likely an innocent, compromised machine).
(figure: filter in front of A dropping the SYN flood)
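The first countermeasure, a SYN filter placed in front of the victim, as an added example (not code from the slides). A per-destination token bucket admits SYNs at a steady rate plus a burst and drops the rest; the replay of a constructed trace shows the "throw out the good with the bad" effect: while C floods A, legitimate host B's connection request is dropped too, and only its retry after the flood stops is admitted. Times are integer milliseconds so the result is exact.

```python
from collections import defaultdict


class SynFilter:
    """Per-destination token bucket on TCP SYNs, integer arithmetic in milliseconds.
    rate: SYNs per second allowed in steady state; burst: how many may arrive at once."""

    def __init__(self, rate, burst):
        self.rate = rate                       # milli-tokens per millisecond == tokens per second
        self.burst_m = burst * 1000
        self.tokens = defaultdict(lambda: self.burst_m)
        self.last_ms = {}

    def admit(self, dst_ip, now_ms):
        last = self.last_ms.get(dst_ip, now_ms)
        self.tokens[dst_ip] = min(self.burst_m, self.tokens[dst_ip] + (now_ms - last) * self.rate)
        self.last_ms[dst_ip] = now_ms
        if self.tokens[dst_ip] >= 1000:
            self.tokens[dst_ip] -= 1000
            return True
        return False


def replay(syn_filter, events):
    """events: (time_ms, src, dst) SYN arrivals in time order. Returns {src: (admitted, dropped)}."""
    counts = defaultdict(lambda: [0, 0])
    for t, src, dst in events:
        counts[src][0 if syn_filter.admit(dst, t) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed trace: C floods A with one SYN every 10 ms for a second;
# legitimate B tries once during the flood (505 ms) and again afterwards (2000 ms).
FLOOD = [(10 * i, "C", "A") for i in range(100)]
TRACE = sorted(FLOOD + [(505, "B", "A"), (2000, "B", "A")], key=lambda e: e[0])


def demo():
    return replay(SynFilter(rate=10, burst=20), TRACE)
```

With rate 10/s and burst 20 the filter admits the first 22 flood SYNs, then one per 100 ms; B's SYN at 505 ms finds an empty bucket and is dropped, which is the cost of filtering without being able to tell good SYNs from bad ones.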
Review (1): Network Layer
Virtual circuits and datagram networks. Routing principles: link state algorithm; distance vector algorithm.
The Internet (IP) protocol: IPv4 addressing; datagram format; IP fragmentation; ICMP (Internet Control Message Protocol); IPv6; NAT (Network Address Translation).
Review (2): Data Link Layer
Introduction and services. Error detection and correction. Multiple access protocols: TDMA/FDMA; random access protocols; "taking turns" protocols.
Link-layer addressing. Ethernet. Hubs and switches. Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs.
Review (3): Network Security
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.
Routing algorithm classification
Global or decentralized information?
Global: all routers have complete topology and link cost info; "link state" algorithms.
Decentralized: router knows physically-connected neighbors and link costs to neighbors; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms.
Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update, in response to link cost changes.
Dijkstra's Algorithm
Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N'
Dijkstra's algorithm example
Graph (link costs): u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2.
Step | N'     | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux     | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
$D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$
Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$.
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path; it only knows the next hop.
Each node: wait for (change in local link cost or msg from neighbor); recompute estimates; if the DV to any destination has changed, notify neighbors.
Why different intra- and inter-AS routing? Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.
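Both routing algorithms of the review, run on the graph of the Dijkstra example above, as an added example (not code from the slides). The link-state part computes D(v) and p(v) from u and derives u's forwarding table from the predecessor chain; the distance-vector part iterates the Bellman-Ford equation synchronously at every node until no vector changes, and the two agree on every least cost. The graph dictionary is transcribed from the page's figure; the heap-based implementation and the synchronous DV rounds are this example's choices.

```python
import heapq

INF = float("inf")

# Transcribed from the graph on the page: undirected links with their costs.
GRAPH = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph, source):
    """Link-state computation at `source`: least costs D and predecessors p; returns (D, p, order added to N')."""
    dist = {n: INF for n in graph}
    pred = {n: None for n in graph}
    dist[source] = 0
    in_n = set()                           # N' on the page
    order = []
    heap = [(0, source)]
    while heap:
        d, w = heapq.heappop(heap)
        if w in in_n:
            continue                       # stale heap entry
        in_n.add(w)
        order.append(w)
        for v, c in graph[w].items():
            if v not in in_n and d + c < dist[v]:
                dist[v] = d + c
                pred[v] = w
                heapq.heappush(heap, (dist[v], v))
    return dist, pred, order


def forwarding_table(pred, source):
    """Next hop from `source` to every destination, read off the predecessor chain."""
    table = {}
    for dest in pred:
        if dest == source or pred[dest] is None:
            continue
        hop = dest
        while pred[hop] != source:
            hop = pred[hop]
        table[dest] = hop
    return table


def distance_vector(graph, max_rounds=100):
    """Synchronous Bellman-Ford: every node recomputes D_x(y) = min_v { c(x,v) + D_v(y) }
    from its neighbours' last advertised vectors until nothing changes. Returns (vectors, rounds)."""
    nodes = list(graph)
    dv = {x: {y: (0 if x == y else graph[x].get(y, INF)) for y in nodes} for x in nodes}
    for rounds in range(1, max_rounds + 1):
        new = {}
        changed = False
        for x in nodes:
            new[x] = {}
            for y in nodes:
                best = 0 if x == y else min(c + dv[v][y] for v, c in graph[x].items())
                new[x][y] = best
                changed = changed or best != dv[x][y]
        dv = new
        if not changed:
            return dv, rounds
    raise RuntimeError("distance vectors did not converge")
```

Note what each node ends up holding: the link-state node has the whole predecessor tree, while a DV node only has costs per destination and learns its next hop from which neighbour supplied the minimum, which is the "only knows the next hop" point of the slide.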
Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links (wired links, wireless links, LANs); a layer-2 packet is a frame, which encapsulates a datagram.
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and destination (different from IP address).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links have high error rates. Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
- Random access: channel not divided; allow collisions; "recover" from collisions.
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns.
Channel partitioning MAC protocols: TDMA
TDMA (time division multiple access): access to channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have packets; slots 2, 5, 6 idle.
TDM (time division multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (frequency division multiplexing): frequency subdivided.
Slotted ALOHA
Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized: only the slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.
Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p.
Prob. that node 1 has success in a slot = $p(1-p)^{N-1}$
Prob. that there is a success = $Np(1-p)^{N-1}$
For max efficiency with N nodes, find the p that maximizes $Np(1-p)^{N-1}$ (it is p = 1/N).
For many nodes, take the limit of $Np(1-p)^{N-1}$ as N goes to infinity: gives $1/e \approx 0.37$.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send. At best, the channel is used for useful transmissions 37% of the time.
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission.
Human analogy: don't interrupt others.
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision, the entire packet transmission time is wasted.
Note the role of distance and propagation delay in determining collision probability.
(figure: spatial layout of nodes; space-time diagram of two overlapping transmissions)
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to the next sequentially. Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?
(figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53)
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from the network administrator.
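The query/reply exchange and the soft-state table of the two ARP slides, as an added example (not code from the slides). A broadcast segment delivers every frame to every adapter, adapters discard frames not addressed to them or to the broadcast address, the target answers unicast and also records the requester, and each entry expires after the page's 20-minute TTL. One choice the example makes beyond the slide: a host only caches a reply that answers a query it actually sent. The IP and MAC addresses are taken from the figure, but which MAC goes with which IP is this example's pairing.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60          # seconds; "typically 20 min"


class Lan:
    """One broadcast segment: every attached adapter sees every frame."""

    def __init__(self):
        self.hosts = []
        self.frames = []                      # (src MAC, dst MAC, op) for inspection

    def attach(self, host):
        self.hosts.append(host)

    def send(self, src_mac, dst_mac, arp, now):
        self.frames.append((src_mac, dst_mac, arp["op"]))
        for h in list(self.hosts):
            if h.mac != src_mac:
                h.receive(dst_mac, arp, now)


class Host:
    def __init__(self, ip, mac, lan):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.arp_table = {}                   # IP -> (MAC, expiry time): soft state
        self.pending = set()                  # IPs we have an outstanding query for
        lan.attach(self)

    def lookup(self, ip, now):
        entry = self.arp_table.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if now >= expires:                    # timed out: forget the mapping
            del self.arp_table[ip]
            return None
        return mac

    def resolve(self, ip, now):
        """Return the MAC for ip, broadcasting an ARP query if the table has no fresh entry."""
        mac = self.lookup(ip, now)
        if mac is not None:
            return mac
        self.pending.add(ip)
        self.lan.send(self.mac, BROADCAST,
                      {"op": "request", "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": ip}, now)
        return self.lookup(ip, now)           # filled in if the target replied

    def receive(self, dst_mac, arp, now):
        if dst_mac not in (self.mac, BROADCAST):
            return                            # adapter discards frames not addressed to it
        if arp["op"] == "request" and arp["target_ip"] == self.ip:
            # Remember the requester, then reply unicast to its MAC address.
            self.arp_table[arp["sender_ip"]] = (arp["sender_mac"], now + ARP_TTL)
            self.lan.send(self.mac, arp["sender_mac"],
                          {"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac,
                           "target_ip": arp["sender_ip"]}, now)
        elif arp["op"] == "reply" and arp["sender_ip"] in self.pending:
            # Example's choice: only cache a reply that answers a query we sent.
            self.pending.discard(arp["sender_ip"])
            self.arp_table[arp["sender_ip"]] = (arp["sender_mac"], now + ARP_TTL)
```

Usage: build a `Lan`, attach hosts, and call `a.resolve(b.ip, now=0)`; `lan.frames` then shows exactly two frames, the broadcast request and the unicast reply, and a second `resolve` before the TTL expires sends nothing.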
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at source host, find router 111.111.111.110. In the ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
A creates an IP datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram.
A's adapter sends the frame. R's adapter receives the frame. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.
(figure: A -- R -- B)
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Firewalls
isolates organizationrsquos internal net from larger Internet allowing some packets to pass blocking others
firewall
administerednetwork
publicInternet
firewall
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing algorithm classification
Global or decentralized information?
Global: all routers have complete topology and link cost information; "link state" algorithms.
Decentralized: a router knows only its physically connected neighbors and the link costs to those neighbors; an iterative process of computation and exchange of information with neighbors; "distance vector" algorithms.
Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic updates, or updates in response to link cost changes.
Dijkstra's algorithm
Initialization:
  N = {u}
  for all nodes v:
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop:
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  (the new cost to v is either the old cost to v, or the known shortest-path cost to w plus the cost from w to v)
until all nodes in N

Dijkstra's algorithm: example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
Figure: the six-node graph u, v, w, x, y, z with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2 (reconstructed from the table and the figure's cost labels).
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to its neighbors.
When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford (B-F) equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N
Under minor, natural conditions the estimate D_x(y) converges to the actual least cost d_x(y).

Distance vector algorithm (2)
Iterative, asynchronous: each local iteration is caused by a local link cost change or by a DV update message from a neighbor.
Distributed: each node notifies its neighbors only when its DV changes; the neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path, only the next hop.
Each node: wait for (a change in a local link cost or a message from a neighbor); recompute the estimates; if the DV to any destination has changed, notify the neighbors.

Why different intra- and inter-AS routing?
Scale: hierarchical routing reduces update traffic.
Performance: intra-AS routing can focus on performance; for inter-AS routing, policy may dominate over performance.
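To make the two algorithms concrete, here is an added Python example (not from the slides) that runs Dijkstra's algorithm and a synchronous distance-vector iteration on the six-node graph of the Dijkstra table above and checks that they agree. The link costs are reconstructed from that table and the figure residue; the three costs the table does not pin down, c(v,x) = 2, c(v,w) = 3 and c(w,z) = 5, follow the textbook figure and are an assumption. Ties in Dijkstra are broken by node name here, so v is added before y where the slide's table adds y first; the final costs and predecessors are identical.

```python
import math

# Undirected link costs (reconstructed from the table above; see lead-in).
LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def adjacency(links):
    adj = {}
    for (a, b), c in links.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(links, u):
    """Link-state computation at u: needs the whole topology. Returns the
    least costs D, the predecessors p and the per-step (N, D) table."""
    adj = adjacency(links)
    N = [u]
    D = {v: adj[u].get(v, math.inf) for v in adj}
    D[u] = 0
    p = {v: u for v in adj[u]}
    steps = [(tuple(N), dict(D))]
    while len(N) < len(adj):
        # find w not in N such that D(w) is a minimum (ties: alphabetical)
        w = min((v for v in sorted(adj) if v not in N), key=lambda v: D[v])
        N.append(w)
        for v, c in adj[w].items():          # update D(v) for v adjacent to w, v not in N
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        steps.append((tuple(N), dict(D)))
    return D, p, steps


def distance_vector(links):
    """Synchronous DV: every node knows only its own link costs and the vectors
    its neighbours sent last round. Returns each node's D_x(y), its next hops
    and the number of rounds until no vector changes."""
    adj = adjacency(links)
    nodes = sorted(adj)
    D = {x: {y: 0 if x == y else adj[x].get(y, math.inf) for y in nodes} for x in nodes}
    hop = {x: {y: (y if y in adj[x] else None) for y in nodes} for x in nodes}
    rounds = 0
    while True:
        rounds += 1
        new_D, changed = {x: dict(D[x]) for x in nodes}, False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                # Bellman-Ford: D_x(y) = min over neighbours v of c(x,v) + D_v(y)
                v_best, cost = min(((v, c + D[v][y]) for v, c in adj[x].items()),
                                   key=lambda t: t[1])
                if cost < D[x][y]:
                    new_D[x][y], hop[x][y], changed = cost, v_best, True
        D = new_D
        if not changed:
            return D, hop, rounds


if __name__ == "__main__":
    D, p, steps = dijkstra(LINKS, "u")
    for i, (N, d) in enumerate(steps):
        print(i, "".join(N), {v: (d[v], p.get(v)) for v in sorted(d) if v != "u"})
    dv, hop, rounds = distance_vector(LINKS)
    print("DV at u after", rounds, "rounds:", dv["u"], "next hops:", hop["u"])
```

Note what each node ends up holding: Dijkstra at u knows the whole tree (p gives every predecessor), whereas the DV node u only knows that w, y and z are all reached "via x", exactly the "only knows the next hop" point of the slide.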
Data link layer: some terminology
Hosts and routers are nodes.
Communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs.
A layer-2 packet is a frame; it encapsulates a datagram.
The data-link layer has responsibility for transferring a datagram from one node to an adjacent node over a link.

Link layer services
Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if the medium is shared; "MAC" addresses used in frame headers identify source and destination (different from IP addresses).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); used on wireless links, which have high error rates.
Q: why both link-level and end-to-end reliability?
MAC protocols: a taxonomy
Three broad classes:
Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use.
Random access: the channel is not divided; collisions are allowed, and nodes "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.

Channel partitioning MAC protocols: TDMA
TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle. Example: 6-station LAN; stations 1, 3 and 4 have packets, slots 2, 5 and 6 are idle.
TDM (time division multiplexing): the channel is divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (frequency division multiplexing): the frequency spectrum is subdivided into bands, one per user.
Slotted ALOHA
Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized, only the slots in the nodes need to be in sync; simple.
Cons: collisions waste slots; idle slots; clock synchronization is required.

Slotted ALOHA: efficiency
Suppose N nodes with many frames to send, each transmitting in a slot with probability p.
Probability that node 1 has a success in a slot = p(1-p)^(N-1)
Probability that there is a success (exactly one node transmits) = Np(1-p)^(N-1)
For max efficiency with N nodes, find the p* that maximizes Np(1-p)^(N-1).
For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: this gives 1/e = 0.37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best, the channel is used for useful transmissions 37% of the time.
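The two numbers on this slide, p* and 1/e, follow from the slide's own expression; the short derivation below is added here and is not on the original slides. Write S(p) for the probability of a success in a slot:

$$S(p) = N p (1-p)^{N-1}, \qquad \frac{dS}{dp} = N (1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr] = N (1-p)^{N-2}\,(1 - Np)$$

so S is maximized at p* = 1/N, where

$$S(p^*) = \Bigl(1 - \frac{1}{N}\Bigr)^{N-1} \;\longrightarrow\; \frac{1}{e} \approx 0.37 \quad (N \to \infty).$$

For a small number of nodes the optimum is noticeably better than 1/e (N = 2 gives 1/2, N = 5 gives (4/5)^4 ≈ 0.41); 37% is the many-node floor, not the value for every N.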
CSMA (carrier sense multiple access)
CSMA: listen before transmitting. If the channel is sensed idle, transmit the entire frame; if the channel is sensed busy, defer the transmission.
Human analogy: don't interrupt others.

CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision, the entire packet transmission time is wasted.
Note the role of distance and propagation delay in determining the collision probability (figure: space-time diagram of the nodes laid out along the bus).

CSMA/CD (collision detection)
CSMA/CD: carrier sensing and deferral as in CSMA; collisions are detected within a short time; colliding transmissions are aborted, reducing channel wastage.
Collision detection is easy in wired LANs: measure signal strengths, compare the transmitted and received signals. It is difficult in wireless LANs: the receiver is shut off while transmitting.
CSMA/CD collision detection (figure: space-time diagram in which both senders abort shortly after detecting the collision).
"Taking turns" MAC protocols
Polling: a master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (the master).
Token passing: a control token is passed from one node to the next sequentially. Concerns: token overhead, latency, single point of failure (the token).
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some of the LAN nodes: < IP address; MAC address; TTL >
TTL (time to live): the time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?
Figure: four nodes on a LAN with MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53 and IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88.

ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the reply frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, i.e., information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from a network administrator.
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find the router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
A creates a datagram with source A, destination B.
A uses ARP to get R's MAC address for 111.111.111.110.
A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram.
A's adapter sends the frame; R's adapter receives it.
R removes the IP datagram from the Ethernet frame and sees it is destined to B.
R uses ARP to get B's MAC address.
R creates a frame containing the A-to-B IP datagram and sends it to B.
Figure: A on one LAN, B on the other, router R attached to both.
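The walkthrough above is a procedure with two ARP resolutions and two different link-layer frames carrying one unchanged IP datagram. The Python below is an added example (not code from the slides) that simulates it: a broadcast LAN, nodes with one ARP table per attached LAN, soft-state entries that expire after the slide's 20-minute TTL, and a router with two interfaces. The router address 111.111.111.110 and its MAC address E6-E9-00-17-BB-4B are taken from the slide; the other addresses and the /24 prefixes are constructed for the example.

```python
import ipaddress

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60          # seconds; the "typically 20 min" soft-state timeout


class Lan:
    """A broadcast medium: every attached node sees every frame. ARP
    broadcasts are counted to show when the cache is (not) consulted."""

    def __init__(self, name):
        self.name, self.nodes, self.arp_queries = name, [], 0


class Node:
    def __init__(self, name, ifaces, default_router=None):
        """ifaces: list of (lan, 'ip/prefixlen', mac); a router simply has two."""
        self.name, self.ifaces, self.default_router = name, {}, default_router
        for lan, cidr, mac in ifaces:
            itf = ipaddress.ip_interface(cidr)
            self.ifaces[lan] = (str(itf.ip), mac, itf.network)
            lan.nodes.append(self)
        self.arp = {lan: {} for lan in self.ifaces}   # one ARP table per attached LAN

    def ip_on(self, lan):
        return self.ifaces[lan][0]

    def mac_on(self, lan):
        return self.ifaces[lan][1]

    def resolve(self, lan, ip, now):
        """ARP: use the cached (mac, expiry) while fresh, else broadcast a query."""
        mac, expiry = self.arp[lan].get(ip, (None, -1))
        if mac is not None and now < expiry:
            return mac
        lan.arp_queries += 1                         # query frame goes to FF-FF-FF-FF-FF-FF
        for node in lan.nodes:                       # every node on the LAN receives it
            if node.ip_on(lan) == ip:                # only the owner replies (unicast)
                self.arp[lan][ip] = (node.mac_on(lan), now + ARP_TTL)
                return node.mac_on(lan)
        raise LookupError(f"{ip} is not on {lan.name}")

    def route(self, dst_ip):
        """(lan, next-hop IP): direct if dst is on an attached subnet, else the default router."""
        for lan, (_, _, net) in self.ifaces.items():
            if ipaddress.ip_address(dst_ip) in net:
                return lan, dst_ip
        if self.default_router is None:
            raise LookupError(f"{self.name}: no route to {dst_ip}")
        return self.default_router

    def send(self, dst_ip, now, hops=None, src_ip=None):
        """Send an IP datagram; every link-layer frame it travels in is appended to hops."""
        hops = [] if hops is None else hops
        lan, next_hop = self.route(dst_ip)
        src_ip = src_ip or self.ip_on(lan)
        frame = {"dst_mac": self.resolve(lan, next_hop, now), "src_mac": self.mac_on(lan),
                 "ip_src": src_ip, "ip_dst": dst_ip}          # IP header is unchanged hop to hop
        hops.append(frame)
        receiver = next(n for n in lan.nodes if n.mac_on(lan) == frame["dst_mac"])
        if all(ip != dst_ip for ip, _, _ in receiver.ifaces.values()):
            receiver.send(dst_ip, now, hops, src_ip)      # router: strip frame, forward datagram
        return hops


def build_topology():
    """Constructed topology: A on LAN1, B on LAN2, router R on both (R's LAN1
    addresses are the slide's; everything else is made up)."""
    lan1, lan2 = Lan("LAN1"), Lan("LAN2")
    R = Node("R", [(lan1, "111.111.111.110/24", "E6-E9-00-17-BB-4B"),
                   (lan2, "222.222.222.220/24", "1A-23-F9-CD-06-9B")])
    A = Node("A", [(lan1, "111.111.111.111/24", "74-29-9C-E8-FF-55")], (lan1, "111.111.111.110"))
    B = Node("B", [(lan2, "222.222.222.222/24", "49-BD-D2-C7-56-2A")], (lan2, "222.222.222.220"))
    return lan1, lan2, A, R, B


def walkthrough():
    """A sends to B at t=0, again within the ARP TTL, and again after it has expired.
    Returns the frames of the first send and the ARP broadcast counts per LAN after each send."""
    lan1, lan2, A, R, B = build_topology()
    hops = A.send("222.222.222.222", now=0)
    log = [(lan1.arp_queries, lan2.arp_queries)]
    A.send("222.222.222.222", now=60)
    log.append((lan1.arp_queries, lan2.arp_queries))
    A.send("222.222.222.222", now=2 * ARP_TTL)
    log.append((lan1.arp_queries, lan2.arp_queries))
    return hops, log


if __name__ == "__main__":
    hops, log = walkthrough()
    for i, f in enumerate(hops, 1):
        print(f"hop {i}: {f}")
    print("ARP broadcasts (LAN1, LAN2) after each send:", log)
```

The first send costs one ARP broadcast on each LAN (A resolving R, then R resolving B); the second send costs none because both caches are still fresh; the third, after the TTL, triggers both queries again. Note also that `resolve` trusts whichever node answers for the queried IP address, which is exactly what "plug-and-play, no administrator" means.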
Ethernet uses CSMA/CD
No slots.
An adapter doesn't transmit if it senses that some other adapter is transmitting: carrier sense.
A transmitting adapter aborts when it senses that another adapter is transmitting: collision detection.
Before attempting a retransmission, the adapter waits a random time: random access.

Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}, waits K * 512 bit times, and returns to step 2.

Ethernet's CSMA/CD (more)
Jam signal: makes sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microseconds for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 msec (1023 * 512 = 523,776 bit times = 52.4 msec).
Exponential backoff: the goal is to adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer.
First collision: choose K from {0, 1}; the delay is K * 512 bit transmission times.
After the second collision: choose K from {0, 1, 2, 3}.
After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.

CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame
  efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0.
Efficiency goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple and cheap.
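The backoff rule and the efficiency formula above are easy to get wrong by a factor of ten (the bit time, the 512-bit unit, the cap at 2^10). The Python below is an added example, not code from the slides, that puts them into functions and works the slide's own numbers through: the K = 1023 wait on 10 Mbps Ethernet, and the efficiency of a 10 Mbps LAN for minimum-size versus maximum-size frames. The 2500 m LAN span and the 2 * 10^8 m/s propagation speed are assumptions for the illustration.

```python
SLOT_BITS = 512                 # backoff unit: K * 512 bit times
MAX_BACKOFF_EXPONENT = 10       # after ten collisions K stays in 0..1023


def backoff_choices(m):
    """Size of the set {0, 1, ..., 2**min(m,10) - 1} that K is drawn from after the m-th collision."""
    return 2 ** min(m, MAX_BACKOFF_EXPONENT)


def backoff_wait_seconds(K, rate_bps):
    """K * 512 bit times, with bit time = 1 / rate."""
    return K * SLOT_BITS / rate_bps


def frame_transmit_time(frame_bytes, rate_bps):
    return frame_bytes * 8 / rate_bps


def csma_cd_efficiency(t_prop, t_trans):
    """The slide's approximation: 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def efficiency_table(rate_bps, span_m, speed_mps=2e8, frame_sizes=(64, 1500)):
    """Efficiency for each frame size on a LAN of the given span (assumed numbers)."""
    t_prop = span_m / speed_mps
    return {f"{n} bytes": csma_cd_efficiency(t_prop, frame_transmit_time(n, rate_bps))
            for n in frame_sizes}


if __name__ == "__main__":
    for m in (1, 2, 10, 12):
        print(f"collision {m:2d}: K in 0..{backoff_choices(m) - 1}")
    print(f"K=1023 on 10 Mbps: {backoff_wait_seconds(1023, 10_000_000) * 1e3:.1f} ms")
    for size, eff in efficiency_table(10_000_000, 2500).items():
        print(f"10 Mbps, 2500 m, {size}: efficiency {eff:.2f}")
```

The two efficiency values make the slide's limits tangible: with 64-byte frames a 2.5 km 10 Mbps LAN spends more than half its time on collisions, with 1500-byte frames about 95% of it carries useful data.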
Hubs
Hubs are essentially physical-layer repeaters: bits coming in from one link go out on all other links at the same rate; no frame buffering; no CSMA/CD at the hub, the adapters detect collisions.
Provides network management functionality: can disconnect a malfunctioning adapter.
Figure: a hub with twisted-pair links to the hosts.

Interconnecting with hubs
Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: the individual collision domains are merged into one large common collision domain; cannot interconnect 10BaseT and 100BaseT hubs.
Figure: a backbone hub connecting three departmental hubs.
Switch
Link-layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC destination address; when a frame is to be forwarded on a segment, it uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.

Forwarding
How to determine onto which LAN segment to forward a frame? Looks like a routing problem.
Figure: a switch with interfaces 1, 2 and 3, each connected to a hub.

Self learning
A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp); stale entries in the table are dropped (the TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.

Switch: traffic isolation
Installing a switch breaks the subnet into LAN segments.
The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; the segments become separate collision domains.
Figure: a switch with three hubs, each hub forming its own collision domain.

Switches vs. routers
Both are store-and-forward devices: routers are network-layer devices (they examine network-layer headers); switches are link-layer devices.
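The self-learning and filtering rules above are short enough to simulate exactly. The Python below is an added example, not code from the slides: a learning switch with a (MAC address, interface, time stamp) table, flooding for unknown or broadcast destinations, filtering of same-segment frames, and ageing of stale entries after the slide's 60-minute TTL. The three interfaces, the three MAC addresses and the frame sequence are constructed for the example.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces, ttl_seconds=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.table = {}                       # MAC address -> (interface, time stamp)

    def frame_in(self, src_mac, dst_mac, in_iface, now):
        """Process one frame; return the interfaces it is sent out on."""
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ttl:        # drop stale entries
                del self.table[mac]
        self.table[src_mac] = (in_iface, now)  # learn: the sender is reachable via in_iface
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            return [i for i in self.interfaces if i != in_iface]   # unknown destination: flood
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                                               # same segment: filter
        return [out_iface]                                          # known: forward selectively


def scenario():
    """Constructed: A and C share the hub on interface 1, B is alone on interface 2,
    interface 3 has no hosts. Returns the switch's decision for each frame."""
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    sw = LearningSwitch([1, 2, 3])
    return {
        "A->B unknown, flooded":        sw.frame_in(A, B, 1, now=0),
        "B->A learned, forwarded":      sw.frame_in(B, A, 2, now=1),
        "A->B learned, forwarded":      sw.frame_in(A, B, 1, now=2),
        "C->A same segment, filtered":  sw.frame_in(C, A, 1, now=3),
        "table after 4 frames":         dict(sw.table),
        "A->B after TTL, flooded":      sw.frame_in(A, B, 1, now=3 + 60 * 60 + 1),
    }


if __name__ == "__main__":
    for label, result in scenario().items():
        print(f"{label:30s} {result}")
```

The table is built purely from source addresses the switch has seen, with no configuration and no check on who sent them, which is what "plug-and-play" buys and also why a learned table is only as trustworthy as the frames on the segment.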
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other (an obstacle is between them), which means A and C are unaware of their interference at B.
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other because their signals have attenuated, yet both still interfere at B (figure: A's and C's signal strength versus distance, overlapping only at B).
IEEE 802.11 wireless LAN
802.11b: 2.4 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code; widely deployed, using base stations.
802.11a: 5 GHz range; up to 54 Mbps.
802.11g: 2.4 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.

802.11 LAN architecture
A wireless host communicates with a base station; base station = access point (AP).
A Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, base station); in ad hoc mode it contains hosts only.
Figure: BSS 1 and BSS 2, each with its AP, connected through a hub, switch or router to the Internet.
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, transmit the entire frame (no CD).
2. If the channel is sensed busy, start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK arrives, increase the random backoff interval and repeat 2.
802.11 receiver: if the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem).
Figure: the sender waits DIFS and sends the data; the receiver waits SIFS and returns the ACK.
Collision avoidance: RTS-CTS exchange
Figure (time runs downward; stations A and B, one AP): A and B both send an RTS; the two RTS frames collide at the AP (reservation collision); A's retransmitted RTS(A) gets through; the AP broadcasts CTS(A), which both A and B hear; B defers; A sends DATA(A); the AP returns ACK(A).

802.11 frame
Fields, with lengths in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4).

802.11 frame: addressing
Address 1: MAC address of the wireless host or AP that is to receive this frame.
Address 2: MAC address of the wireless host or AP transmitting this frame.
Address 3: MAC address of the router interface to which the AP is attached.
Address 4: used only in ad hoc mode.
Figure: H1 sends through the AP to router R1. 802.11 frame from H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. The AP converts it to an 802.3 frame on the wired side: dest address = R1 MAC addr, source address = H1 MAC addr (the AP bridges transparently; its own address does not appear in the wired frame).
Network security
What is network security
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Network Security
Firewalls Why
prevent denial of service attacks SYN flooding attacker establishes many bogus
TCP connections no resources left for ldquorealrdquo connections
prevent illegal modificationaccess of internal data eg attacker replaces CIArsquos homepage with
something elseallow only authorized access to inside network (set of
authenticated usershosts)two types of firewalls
application-level packet-filtering
Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet decision to forwarddrop packet based on source IP address destination IP address TCPUDP source and destination port numbers ICMP message type TCP SYN and ACK bits
Should arriving packet be allowed
in Departing packet let out
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]
Collision Avoidance: RTS-CTS exchange
[figure: timeline for A, AP and B. A sends RTS(A) and B sends RTS(B) at the same time; they collide at the AP (reservation collision). A retransmits RTS(A); the AP answers with CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A), heard by both; B defers for the duration of A's reservation]
802.11 frame: addressing
[figure: frame format, field sizes in bytes: frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)]
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
802.11 frame: addressing (more)
[figure: H1 sends through the AP to router R1 on the Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]
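Added example (not from the slides): a serialiser and parser for the frame layout above, with the CRC checked on receipt, and the three-address assignment for the H1 -> AP -> R1 case. The MAC addresses and the data-frame value used for frame control are constructed assumptions; the slide does not define the frame control bits.

```python
import struct
import zlib

# Field layout from the slide (sizes in bytes):
# frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6)
# | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)
HEADER = struct.Struct("<HH6s6s6sH6s")
MAX_PAYLOAD = 2312
BROADCAST = "FF-FF-FF-FF-FF-FF"
DATA_FRAME = 0x0008   # assumed frame-control value for a data frame (not defined on the slide)

# Constructed MAC addresses for the slide's H1 -> AP -> R1 scenario (not from the page).
H1_MAC, AP_MAC, R1_MAC = "02-00-00-00-00-01", "02-00-00-00-00-02", "02-00-00-00-00-03"


def mac_to_bytes(mac: str) -> bytes:
    """'1A-2F-BB-76-09-AD' -> 6 raw bytes."""
    parts = mac.split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(addr1, addr2, addr3, payload, addr4=None, frame_control=DATA_FRAME, duration=0, seq=0):
    """Serialise a frame; the trailing CRC covers every byte before it."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    # address 4 is used only in ad hoc mode; in infrastructure mode the field is zero-filled here
    a4 = mac_to_bytes(addr4) if addr4 else bytes(6)
    body = HEADER.pack(frame_control, duration, mac_to_bytes(addr1), mac_to_bytes(addr2),
                       mac_to_bytes(addr3), seq, a4) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(raw: bytes) -> dict:
    """Verify the CRC, then split the frame into its fields.
    A CRC only detects accidental corruption; it gives no protection against deliberate modification."""
    if len(raw) < HEADER.size + 4:
        raise ValueError("frame too short")
    body, trailer = raw[:-4], raw[-4:]
    (crc,) = struct.unpack("<I", trailer)
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: frame corrupted")
    fc, dur, a1, a2, a3, seq, a4 = HEADER.unpack_from(body)
    return {"frame_control": fc, "duration": dur, "addr1": bytes_to_mac(a1), "addr2": bytes_to_mac(a2),
            "addr3": bytes_to_mac(a3), "seq": seq, "addr4": bytes_to_mac(a4), "payload": body[HEADER.size:]}


def frame_is_intact(raw: bytes) -> bool:
    try:
        parse_frame(raw)
        return True
    except ValueError:
        return False


def flip_bit(raw: bytes, index: int) -> bytes:
    """Simulate one bit corrupted in transit."""
    b = bytearray(raw)
    b[index] ^= 0x01
    return bytes(b)


def host_to_router_frame(host_mac, ap_mac, router_mac, datagram):
    """H1 -> AP -> R1 as on the slide: address 1 = receiver (AP), address 2 = transmitter (H1),
    address 3 = router interface the AP is attached to (R1)."""
    return build_frame(ap_mac, host_mac, router_mac, datagram)


def ap_should_accept(frame: dict, ap_mac: str) -> bool:
    """The AP processes a frame only if it is the addressed receiver (address 1) or the frame is broadcast."""
    return frame["addr1"] in (ap_mac, BROADCAST)


def sample_upload_frame() -> bytes:
    return host_to_router_frame(H1_MAC, AP_MAC, R1_MAC, b"ip datagram for R1")
```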
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks
Packet Filtering
- internal network connected to Internet via router firewall
- router filters packet-by-packet; decision to forward/drop packet based on: source IP address, destination IP address; TCP/UDP source and destination port numbers; ICMP message type; TCP SYN and ACK bits
[figure: Should arriving packet be allowed in? Departing packet let out?]
Packet Filtering (examples)
- Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked.
- Example 2: block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
Application gateways
- Filters packets on application data as well as on IP/TCP/UDP fields.
- Example: allow select internal users to telnet outside.
  1. Require all telnet users to telnet through gateway.
  2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections.
  3. Router filter blocks all telnet connections not originating from gateway.
[figure: host-to-gateway telnet session; application gateway; gateway-to-remote host telnet session; router and filter]
Limitations of firewalls and gateways
- IP spoofing: router can't know if data "really" comes from claimed source
- if multiple apps need special treatment, each has own app gateway
- client software must know how to contact gateway, e.g., must set IP address of proxy in Web browser
- filters often use all or nothing policy for UDP
- tradeoff: degree of communication with outside world vs. level of security
- many highly protected sites still suffer from attacks
Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
Internet security threats
Mapping:
- before attacking: "case the joint" - find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats: Packet sniffing
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g., passwords)
- e.g.: C sniffs B's packets
[figure: A, B and C on a shared broadcast medium; the frame src:B dest:A payload is seen by C]
Countermeasures?
Packet sniffing: countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
[figure: A, B and C each on their own switched segment; the frame src:B dest:A payload]
Internet security threats: IP Spoofing
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
[figure: A, B and C; C sends a frame src:B dest:A payload]
Countermeasures?
IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
[figure: A, B and C; frame src:B dest:A payload]
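Added example (not from the slides) that implements the two rules from the Packet Filtering examples above together with the ingress filtering rule of this slide, as a stateless border-router filter. Example 1 is read as two independent conditions (UDP, or telnet on either port) because that is what the slide's stated effect requires, and example 2 treats "inbound SYN" as SYN set with ACK clear, so the SYN+ACK reply to an internal client still passes; the prefixes and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17
TELNET = 23
INTERNAL_PREFIXES = ["192.0.2.0/24"]   # constructed: the router's own network


@dataclass
class Packet:
    direction: str          # "in" (arriving from the Internet) or "out" (departing)
    src_ip: str
    dst_ip: str
    proto: int              # IP protocol field: 6 = TCP, 17 = UDP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False       # TCP flag bits
    ack: bool = False


def rule_example1(pkt: Packet) -> bool:
    """Drop if protocol = 17 (UDP) or if either port = 23 (telnet):
    blocks all UDP flows and all telnet connections in both directions."""
    return pkt.proto == UDP or TELNET in (pkt.src_port, pkt.dst_port)


def rule_example2(pkt: Packet) -> bool:
    """Drop inbound TCP connection requests (SYN set, ACK clear).
    The SYN+ACK answering an internal client's request has ACK set and is not dropped."""
    return pkt.direction == "in" and pkt.proto == TCP and pkt.syn and not pkt.ack


def make_ingress_rule(internal_prefixes):
    """Ingress filtering: a departing packet whose source address is not in the router's network is dropped."""
    nets = [ipaddress.ip_network(p) for p in internal_prefixes]

    def ingress_rule(pkt: Packet) -> bool:
        if pkt.direction != "out":
            return False
        src = ipaddress.ip_address(pkt.src_ip)
        return not any(src in n for n in nets)

    return ingress_rule


def decide(pkt: Packet, rules) -> str:
    """First matching drop rule wins; otherwise forward (default allow, as in the slide's examples)."""
    for rule in rules:
        if rule(pkt):
            return f"drop:{rule.__name__}"
    return "forward"


RULES = [rule_example1, rule_example2, make_ingress_rule(INTERNAL_PREFIXES)]


def trace_internal_client_connection():
    """Constructed trace: internal client 192.0.2.10 opens TCP/80 to an outside server:
    SYN out, SYN+ACK in, ACK out. All three must be forwarded for the connection to work."""
    pkts = [
        Packet("out", "192.0.2.10", "198.51.100.7", TCP, 40000, 80, syn=True),
        Packet("in", "198.51.100.7", "192.0.2.10", TCP, 80, 40000, syn=True, ack=True),
        Packet("out", "192.0.2.10", "198.51.100.7", TCP, 40000, 80, ack=True),
    ]
    return [decide(p, RULES) for p in pkts]
```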
Internet security threats: Denial of service (DOS)
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
[figure: A, B, C; a stream of SYN packets from C and a remote host converges on A]
Countermeasures?
Denial of service (DOS): countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
[figure: A, B, C; the SYN flood toward A]
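Added example (not from the slides) of the monitoring side of the two countermeasure slides above: it records traffic entering the network and looks for ports being scanned sequentially (mapping countermeasure), and counts half-open SYNs per destination to spot a SYN flood before deciding to filter. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Record(NamedTuple):
    t: float      # seconds
    src: str
    dst: str
    dport: int
    flags: str    # "S" = SYN only, "SA" = SYN+ACK, "A" = ACK


# Constructed sample of a border router's traffic log (not from the page):
# "<time> <src> <dst> <dport> <flags>". One sequential scanner, one normal client,
# eight one-shot SYN sources against 192.0.2.5, and a normal client to 192.0.2.6.
SAMPLE_LOG = """\
0.00 203.0.113.9 192.0.2.5 21 S
0.05 203.0.113.9 192.0.2.5 22 S
0.10 203.0.113.9 192.0.2.5 23 S
0.15 203.0.113.9 192.0.2.5 24 S
0.20 203.0.113.9 192.0.2.5 25 S
0.25 203.0.113.9 192.0.2.5 26 S
1.00 198.51.100.7 192.0.2.5 80 S
1.02 198.51.100.7 192.0.2.5 80 A
2.00 10.0.0.1 192.0.2.5 80 S
2.01 10.0.0.2 192.0.2.5 80 S
2.02 10.0.0.3 192.0.2.5 80 S
2.03 10.0.0.4 192.0.2.5 80 S
2.04 10.0.0.5 192.0.2.5 80 S
2.05 10.0.0.6 192.0.2.5 80 S
2.06 10.0.0.7 192.0.2.5 80 S
2.07 10.0.0.8 192.0.2.5 80 S
3.00 198.51.100.8 192.0.2.6 443 S
3.02 198.51.100.8 192.0.2.6 443 A
"""


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, flags = line.split()
        records.append(Record(float(t), src, dst, int(dport), flags))
    return records


def detect_sequential_scans(records, min_run=4, window=5.0):
    """Flag (src, dst) pairs whose connection attempts walk consecutive ports within `window` seconds.
    Returns {(src, dst): [ports of the longest consecutive run]}."""
    by_pair: Dict[Tuple[str, str], List[Record]] = defaultdict(list)
    for r in records:
        if r.flags == "S":
            by_pair[(r.src, r.dst)].append(r)
    hits = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r.t)
        best: List[int] = []
        run: List[Record] = []
        for r in recs:
            if run and r.dport == run[-1].dport + 1 and r.t - run[0].t <= window:
                run.append(r)
            else:
                run = [r]
            if len(run) > len(best):
                best = [x.dport for x in run]
        if len(best) >= min_run:
            hits[pair] = best
    return hits


def detect_syn_floods(records, threshold=5, window=1.0):
    """Flag destinations that receive at least `threshold` half-open SYNs (no later ACK from the
    same source to the same port) within any `window` seconds. A scanner's probes are half-open
    too, so a scan can trip this on its own; here the flood burst is what sets the peak."""
    acked = {(r.src, r.dst, r.dport) for r in records if r.flags == "A"}
    half_open: Dict[str, List[float]] = defaultdict(list)
    for r in records:
        if r.flags == "S" and (r.src, r.dst, r.dport) not in acked:
            half_open[r.dst].append(r.t)
    floods = {}
    for dst, times in half_open.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # sliding window over SYN arrival times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[dst] = peak
    return floods
```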
Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles: Link State Algorithm; Distance Vector Algorithm
- The Internet (IP) Protocol: IPv4 addressing; Datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA; Random Access Protocols; "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs
Review (3): Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = infinity

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm example
[figure: graph with nodes u, v, w, x, y, z and link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2]
Step | N'     | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | inf       | inf
1    | ux     | 2,u       | 4,x       |           | 2,x       | inf
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
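Added example (not from the slides): the algorithm above run on the slide's graph, recording N' and the D values after each iteration so the table can be reproduced. Ties in D(w) are broken by node name here, so v enters N' before y (the slide picks y first); the final costs and predecessors are the same.

```python
import math
from typing import Dict, List, Tuple

# Link costs of the slide's example graph (undirected); c(a,b) is looked up in either direction.
COSTS = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def neighbors(graph: Dict[Tuple[str, str], int], node: str) -> Dict[str, int]:
    out = {}
    for (a, b), cost in graph.items():
        if a == node:
            out[b] = cost
        elif b == node:
            out[a] = cost
    return out


def dijkstra(graph, source):
    """Returns (D, p, steps): D[v] = least cost from source, p[v] = predecessor on that path,
    steps = [(N', snapshot of D)] for the initialization and each loop iteration."""
    nodes = {n for edge in graph for n in edge}
    N: List[str] = [source]
    D = {v: math.inf for v in nodes}
    p = {v: None for v in nodes}
    D[source] = 0
    for v, c in neighbors(graph, source).items():       # initialization: direct links from u
        D[v], p[v] = c, source
    steps = [(list(N), dict(D))]
    while len(N) < len(nodes):
        # find w not in N such that D(w) is a minimum (tie broken by name)
        w = min((v for v in nodes if v not in N), key=lambda v: (D[v], v))
        N.append(w)
        # update D(v) for all v adjacent to w and not in N
        for v, c in neighbors(graph, w).items():
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        steps.append((list(N), dict(D)))
    return D, p, steps


def path_to(p: Dict[str, str], dest: str) -> List[str]:
    """Walk the predecessors back to the source: the forwarding path the p(v) column encodes."""
    path = [dest]
    while p[path[-1]] is not None:
        path.append(p[path[-1]])
    return path[::-1]


def print_table(steps):
    """Render the per-step table in the slide's layout (inf for unreachable)."""
    order = ["v", "w", "x", "y", "z"]
    print("Step | N'      | " + " | ".join(f"D({n})" for n in order))
    for i, (N, D) in enumerate(steps):
        cells = [("inf" if D[n] == math.inf else str(D[n])) for n in order]
        print(f"{i:<4} | {''.join(N):<7} | " + " | ".join(f"{c:<4}" for c in cells))
```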
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  $D_x(y) \leftarrow \min_v \{ c(x,v) + D_v(y) \}$ for each node $y \in N$
- Under minor, natural conditions, the estimate $D_x(y)$ converges to the actual least cost $d_x(y)$
Distance Vector Algorithm (2)
- Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
- Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
- The algorithm doesn't know the entire path - only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor), then update
Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance
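Added example (not from the slides) of the distance vector behaviour described in the two slides above: each node applies the B-F equation to the vectors received from its neighbors, and only a node whose DV changed sends a new message. The three-node topology is constructed for the example.

```python
import math
from typing import Dict, List

# Constructed three-node example (not from the page): c(x,y)=2, c(y,z)=1, c(x,z)=7.
LINKS = {("x", "y"): 2, ("y", "z"): 1, ("x", "z"): 7}
NODES = ["x", "y", "z"]


def link_cost(a: str, b: str) -> float:
    return LINKS.get((a, b), LINKS.get((b, a), math.inf))


def neighbors_of(node: str) -> List[str]:
    return [b if a == node else a for (a, b) in LINKS if node in (a, b)]


def run_distance_vector(nodes: List[str]):
    """Synchronous rounds of the B-F update D_x(y) <- min_v { c(x,v) + D_v(y) }, v over x's neighbors.
    Returns (D, next_hop, rounds, messages): D[x][y] is x's estimate of the least cost to y,
    next_hop[x][y] the neighbor that estimate goes through (all x knows about the path)."""
    # each node starts from its direct link costs only
    D: Dict[str, Dict[str, float]] = {x: {y: 0 if x == y else link_cost(x, y) for y in nodes} for x in nodes}
    next_hop = {x: {y: (y if link_cost(x, y) < math.inf else None) for y in nodes if y != x} for x in nodes}
    # every node sends its initial DV to each neighbor; inbox[x][v] is the latest DV x received from v
    inbox = {x: {v: dict(D[v]) for v in neighbors_of(x)} for x in nodes}
    messages = sum(len(neighbors_of(x)) for x in nodes)
    rounds = 0
    while True:
        rounds += 1
        changed = []
        for x in nodes:
            for y in nodes:
                if y == x:
                    continue
                # B-F equation over the DVs most recently received from each neighbor
                best_v, best = min(((v, link_cost(x, v) + dv[y]) for v, dv in inbox[x].items()),
                                   key=lambda t: t[1])
                if best != D[x][y]:
                    D[x][y], next_hop[x][y] = best, best_v
                    if x not in changed:
                        changed.append(x)
        if not changed:
            return D, next_hop, rounds, messages
        # distributed: only a node whose DV changed notifies its neighbors
        for x in changed:
            for v in neighbors_of(x):
                inbox[v][x] = dict(D[x])
                messages += 1
```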
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
[figure: a "link" between two adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
- Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates (Q: why both link-level and end-end reliability?)
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
- TDMA: time division multiple access; access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle; example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
- TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
- FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
- Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot $= p(1-p)^{N-1}$
- prob that there is a success $= Np(1-p)^{N-1}$
- For max efficiency with N nodes, find p that maximizes $Np(1-p)^{N-1}$
- For many nodes, take limit of $Np(1-p)^{N-1}$ as N goes to infinity, gives $1/e = .37$
At best: channel used for useful transmissions 37% of time!
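Added derivation (not on the slide) of the maximizing p and the limit, in the slide's symbols:

\[
\frac{d}{dp}\Big[Np(1-p)^{N-1}\Big]
= N(1-p)^{N-2}\big[(1-p) - (N-1)p\big]
= N(1-p)^{N-2}\,(1 - Np) = 0
\quad\Rightarrow\quad p^{*} = \frac{1}{N}
\]

\[
\max_p Np(1-p)^{N-1}
= N\cdot\frac{1}{N}\Big(1-\frac{1}{N}\Big)^{N-1}
= \Big(1-\frac{1}{N}\Big)^{N-1}
\;\xrightarrow{\;N\to\infty\;}\; \frac{1}{e} \approx 0.37
\]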
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy: defer transmission
Human analogy: don't interrupt others!
CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability
[figure: spatial layout of nodes vs. time, showing two transmissions overlapping]
CSMA/CD (Collision Detection)
- CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
- collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals; difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[figure: spatial layout of nodes vs. time; both colliding transmissions are aborted shortly after the collision is detected]
"Taking Turns" MAC protocols
- Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
- Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL>
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
[figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table.
- A broadcasts ARP query packet, containing B's IP address; Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[figure: A and R on one LAN, R and B on another]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[figure: A, R, B]
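Added example (not from the slides) covering the two ARP slides above: a soft-state ARP table with the 20-minute TTL, the routing-table decision between "ARP for the destination" and "ARP for the router", and the A -> R -> B walkthrough with the router holding one ARP table per interface. Only the router address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B come from the slide; the other addresses and the dict standing in for the broadcast medium are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60.0   # seconds: the slide's "typically 20 min"


@dataclass
class ArpEntry:
    mac: str
    expires_at: float


@dataclass
class Interface:
    ip: str
    mac: str
    prefix: str
    lan: Dict[str, str]      # ip -> mac of every node on this LAN; stands in for the broadcast medium
    arp: Dict[str, ArpEntry] = field(default_factory=dict)
    queries_sent: int = 0

    def on_link(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.prefix, strict=False)

    def resolve(self, ip: str, now: float) -> str:
        """MAC for `ip` from the ARP table; on a miss or an expired (soft-state) entry,
        broadcast a query (dest MAC FF-FF-FF-FF-FF-FF) and cache the unicast reply."""
        entry = self.arp.get(ip)
        if entry is not None and entry.expires_at > now:
            return entry.mac
        self.arp.pop(ip, None)                       # timed-out entry goes away
        self.queries_sent += 1
        if ip not in self.lan:
            raise LookupError(f"no ARP reply for {ip}")
        self.arp[ip] = ArpEntry(self.lan[ip], now + ARP_TTL)
        return self.arp[ip].mac


@dataclass
class Host:
    iface: Interface
    default_router: str

    def send(self, dst_ip: str, payload: bytes, now: float) -> dict:
        """Routing table: on-link destination -> ARP for it; otherwise ARP for the default router."""
        hop = dst_ip if self.iface.on_link(dst_ip) else self.default_router
        return {"dst_mac": self.iface.resolve(hop, now), "src_mac": self.iface.mac,
                "datagram": {"src_ip": self.iface.ip, "dst_ip": dst_ip, "payload": payload}}


@dataclass
class Router:
    ifaces: List[Interface]

    def forward(self, frame: dict, now: float) -> dict:
        """Remove the datagram from the arriving frame and re-frame it on the interface whose LAN holds the destination."""
        datagram = frame["datagram"]
        for out in self.ifaces:
            if out.on_link(datagram["dst_ip"]):
                return {"dst_mac": out.resolve(datagram["dst_ip"], now), "src_mac": out.mac, "datagram": datagram}
        raise LookupError("no route for " + datagram["dst_ip"])


# Constructed topology (only 111.111.111.110 / E6-E9-00-17-BB-4B are from the slide).
LAN1 = {"111.111.111.111": "02-00-00-00-01-0A", "111.111.111.110": "E6-E9-00-17-BB-4B"}
LAN2 = {"222.222.222.220": "02-00-00-00-02-0C", "222.222.222.222": "02-00-00-00-02-0B"}
A = Host(Interface("111.111.111.111", LAN1["111.111.111.111"], "111.111.111.0/24", LAN1), "111.111.111.110")
R = Router([Interface("111.111.111.110", LAN1["111.111.111.110"], "111.111.111.0/24", LAN1),
            Interface("222.222.222.220", LAN2["222.222.222.220"], "222.222.222.0/24", LAN2)])


def walkthrough(now: float = 0.0):
    """A -> R -> B as on the slide: returns the frame A sends and the frame R sends on."""
    first = A.send("222.222.222.222", b"hello", now)
    second = R.forward(first, now)
    return first, second
```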
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
- Jam Signal: make sure all other transmitters are aware of collision; 48 bits
- Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
- Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
  - first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
  - after second collision: choose K from {0, 1, 2, 3} ...
  - after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
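Added example (not from the slides) of the exponential backoff rule above: the range K is drawn from after the m-th collision, the resulting wait at a given bit rate, and a seeded simulation of two adapters that collided repeatedly until their draws differ. The retry limit in the simulation is an assumption of the example, not taken from the slide.

```python
import random

SLOT_BITS = 512           # backoff unit from the slide: wait is K * 512 bit times
JAM_BITS = 48
MAX_EXPONENT = 10         # after ten collisions the range stays {0, ..., 1023}


def backoff_range(m: int) -> int:
    """Number of values K can take after the m-th collision: 2^m, capped at 2^10 = 1024."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_EXPONENT)


def choose_k(m: int, rng: random.Random) -> int:
    """Pick K uniformly from {0, 1, ..., 2^min(m,10) - 1}."""
    return rng.randrange(backoff_range(m))


def wait_seconds(k: int, bit_rate_bps: float) -> float:
    """K * 512 bit times in seconds; bit time = 1 / bit rate (0.1 microsec at 10 Mbps)."""
    return k * SLOT_BITS / bit_rate_bps


def resolve_contention(seed: int, max_attempts: int = 16):
    """Two adapters that just collided each draw K after every collision and collide again whenever
    the draws are equal. Returns (collisions, index of the adapter that transmits first, wait in bits
    for each). max_attempts is an assumption of this simulation, not a value from the slide."""
    rng = random.Random(seed)           # seeded so a run is reproducible
    for m in range(1, max_attempts + 1):
        k = [choose_k(m, rng), choose_k(m, rng)]
        if k[0] != k[1]:
            return m, k.index(min(k)), [x * SLOT_BITS for x in k]
    return max_attempts, None, None     # gave up: every draw collided
```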
CSMA/CD efficiency
- $t_{prop}$ = max propagation delay between 2 nodes in LAN
- $t_{trans}$ = time to transmit max-size frame
  $\text{efficiency} = \dfrac{1}{1 + 5\, t_{prop}/t_{trans}}$
- Efficiency goes to 1 as $t_{prop}$ goes to 0
- Goes to 1 as $t_{trans}$ goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
[figure: hub with twisted pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are merged into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub interconnecting three departmental hubs]
Switch
Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
- transparent: hosts are unaware of presence of switches
- plug-and-play, self-learning: switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[figure: switch with interfaces 1, 2 and 3, each attached to a hub]
Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table
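Added example (not from the slides) of the switch table in the Self learning slide and the filtering described under traffic isolation: the switch learns the sender's interface on every frame, ages entries out after the TTL, and forwards, floods or filters based on what it knows about the destination. The MAC addresses and interface layout are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TTL = 60 * 60.0           # seconds: the slide's "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Entry:
    interface: int
    timestamp: float      # time the sender was last seen on this interface


class LearningSwitch:
    def __init__(self, interfaces: List[int], ttl: float = TTL):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table: Dict[str, Entry] = {}

    def expire(self, now: float) -> None:
        """Drop stale entries: a host not heard from for more than TTL may have moved."""
        for mac in [m for m, e in self.table.items() if now - e.timestamp > self.ttl]:
            del self.table[mac]

    def receive(self, src_mac: str, dst_mac: str, in_iface: int, now: float) -> Tuple[str, List[int]]:
        """Handle one frame: learn the sender's location, then decide forward / flood / filter.
        Returns (action, interfaces the frame is sent out on)."""
        self.expire(now)
        self.table[src_mac] = Entry(in_iface, now)          # self-learning: (MAC, interface, time stamp)
        entry = self.table.get(dst_mac)                      # broadcast is never in the table, so it floods
        if entry is None:
            others = [i for i in self.interfaces if i != in_iface]
            return "flood", others                           # unknown destination: send on all other segments
        if entry.interface == in_iface:
            return "filter", []                              # same-LAN-segment frame: not forwarded elsewhere
        return "forward", [entry.interface]


# Constructed hosts: A and C share the hub on interface 1, B is on interface 2, interface 3 is empty.
A_MAC, B_MAC, C_MAC = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"


def scenario() -> List[Tuple[str, List[int]]]:
    """Frame sequence illustrating learning, forwarding, filtering and ageing; returns the decisions."""
    sw = LearningSwitch([1, 2, 3])
    return [
        sw.receive(A_MAC, B_MAC, 1, 0.0),          # B unknown: flood
        sw.receive(B_MAC, A_MAC, 2, 1.0),          # A known on 1: forward
        sw.receive(A_MAC, C_MAC, 1, 2.0),          # C unknown: flood
        sw.receive(C_MAC, A_MAC, 1, 3.0),          # A on the same segment: filter
        sw.receive(A_MAC, BROADCAST, 1, 4.0),      # broadcast: flood
        sw.receive(A_MAC, B_MAC, 1, TTL + 11.0),   # B's entry aged out: flood again
    ]
```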
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Packet Filtering
Example 1 block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 All incoming and outgoing UDP flows and
telnet connections are blocked
Example 2 Block inbound TCP SYN packets Prevents external clients from making TCP
connections with internal clients but allows internal clients to connect to outside
Application gateways
Filters packets on application data as well as on IPTCPUDP fields
Example allow select internal users to telnet outside
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1 Require all telnet users to telnet through gateway2 For authorized users gateway sets up telnet
connection to dest host Gateway relays data between 2 connections
3 Router filter blocks all telnet connections not originating from gateway
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMA/CD (collision detection)
CSMA/CD: carrier sensing and deferral as in CSMA; in addition, collisions are detected within a short time and colliding transmissions are aborted, reducing channel wastage.
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted and received signals
- difficult in wireless LANs: the receiver is shut off while transmitting
(The deck illustrates CSMA/CD collision detection with a space-time diagram, not reproduced here.)
"Taking turns" MAC protocols
Polling:
- a master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (the master)
Token passing:
- a control token is passed from one node to the next sequentially
- concerns: token overhead, latency, single point of failure (the token)
ARP: address resolution protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes:
    < IP address; MAC address; TTL >
TTL (time to live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B knowing B's IP address?
(Figure: an example LAN whose hosts have IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53.)
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF, so all machines on the LAN receive the ARP query
- B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast)
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft-state information that times out (goes away) unless refreshed
ARP is "plug-and-play":
- nodes create their ARP tables without intervention from the network administrator
- nothing in the exchange authenticates the reply: A caches whatever answer it receives for B's IP address
Routing to another LAN
Walkthrough: send a datagram from A to B via router R; assume A knows B's IP address.
- there are two ARP tables in router R, one for each IP network (LAN)
- in the routing table at the source host, find the router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
Steps:
1. A creates a datagram with source A, destination B.
2. A uses ARP to get R's MAC address for 111.111.111.110.
3. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram.
4. A's adapter sends the frame; R's adapter receives it.
5. R removes the IP datagram from the Ethernet frame and sees that it is destined to B.
6. R uses ARP to get B's MAC address.
7. R creates a frame containing the A-to-B IP datagram and sends it to B.
(Figure: A, R and B, with R's two interfaces on the two LANs.)
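The two ARP slides and the inter-LAN walkthrough above describe one mechanism: resolve the next hop's MAC address by broadcast, cache it as soft state, and rewrite only the frame's MAC addresses at each hop while the datagram's IP addresses stay fixed. The block below is an added simulation of exactly that, written for this page and not taken from the slides. Only R's LAN-1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slide; the other hosts, addresses, MACs and prefixes are constructed, and the `Lan`, `Iface`, `Node` and `deliver` names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ARP_TTL = 20 * 60          # seconds: the slides' "typically 20 min"


class Lan:
    """A broadcast domain: every attached adapter sees an ARP query
    (destination MAC FF-FF-FF-FF-FF-FF); only the owner of the IP answers."""

    def __init__(self) -> None:
        self.adapters: List[Tuple["Node", "Iface"]] = []

    def attach(self, node: "Node", iface: "Iface") -> None:
        self.adapters.append((node, iface))
        iface.lan = self

    def arp_query(self, target_ip: str) -> Optional[str]:
        for _node, iface in self.adapters:
            if iface.ip == target_ip:
                return iface.mac          # unicast reply to the asker
        return None

    def adapter_with_mac(self, mac: str) -> Tuple["Node", "Iface"]:
        for node, iface in self.adapters:
            if iface.mac == mac:
                return node, iface
        raise LookupError(f"no adapter {mac} on this LAN")


@dataclass
class Iface:
    ip: str
    mac: str
    prefix: str                          # IP network this interface sits on
    lan: Optional[Lan] = None
    # ARP table, one per interface (so a router has one per LAN):
    # ip -> (mac, expiry).  Soft state: dropped once older than ARP_TTL.
    arp: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def on_link(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.prefix)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.arp.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]
        self.arp.pop(ip, None)          # expired (or absent): forget it
        return None

    def resolve(self, ip: str, now: float) -> str:
        mac = self.lookup(ip, now)
        if mac is None:
            assert self.lan is not None
            mac = self.lan.arp_query(ip)
            if mac is None:
                raise LookupError(f"no ARP reply for {ip}")
            self.arp[ip] = (mac, now + ARP_TTL)   # cached unverified: ARP has no authentication
        return mac


@dataclass
class Node:
    name: str
    ifaces: List[Iface]
    gateway: Optional[str] = None       # default router (hosts only)

    def next_hop(self, dst_ip: str) -> Tuple[Iface, str]:
        """Routing-table step: direct delivery if dst is on-link, else the gateway."""
        for iface in self.ifaces:
            if iface.on_link(dst_ip):
                return iface, dst_ip
        if self.gateway is not None:
            for iface in self.ifaces:
                if iface.on_link(self.gateway):
                    return iface, self.gateway
        raise LookupError(f"{self.name}: no route to {dst_ip}")


def deliver(src: Node, dst_ip: str, now: float, max_hops: int = 8) -> List[dict]:
    """Carry one datagram hop by hop, resolving the next hop's MAC with ARP on
    each link.  The datagram's IP addresses never change; the frame's MAC
    addresses are rewritten at every hop.  Returns the frames created."""
    frames: List[dict] = []
    node = src
    for _ in range(max_hops):
        iface, hop_ip = node.next_hop(dst_ip)
        dst_mac = iface.resolve(hop_ip, now)
        frames.append({"src_mac": iface.mac, "dst_mac": dst_mac,
                       "src_ip": src.ifaces[0].ip, "dst_ip": dst_ip})
        assert iface.lan is not None
        node, rx_iface = iface.lan.adapter_with_mac(dst_mac)
        if rx_iface.ip == dst_ip:
            return frames
    raise RuntimeError("too many hops")


def build_example() -> Tuple[Node, Node, Node]:
    """Slide topology: A and R on 111.111.111.0/24, R and B on 222.222.222.0/24.
    R's LAN-1 address and MAC come from the slide; the rest is constructed."""
    lan1, lan2 = Lan(), Lan()
    a = Node("A", [Iface("111.111.111.111", "74-29-9C-E8-FF-55", "111.111.111.0/24")],
             gateway="111.111.111.110")
    r = Node("R", [Iface("111.111.111.110", "E6-E9-00-17-BB-4B", "111.111.111.0/24"),
                   Iface("222.222.222.220", "1A-23-F9-CD-06-9B", "222.222.222.0/24")])
    b = Node("B", [Iface("222.222.222.222", "49-BD-D2-C7-56-2A", "222.222.222.0/24")],
             gateway="222.222.222.220")
    for lan, node, idx in ((lan1, a, 0), (lan1, r, 0), (lan2, r, 1), (lan2, b, 0)):
        lan.attach(node, node.ifaces[idx])
    return a, r, b


if __name__ == "__main__":
    a, r, b = build_example()
    for frame in deliver(a, b.ifaces[0].ip, now=0.0):
        print(frame)
```

Running it prints two frames: the first carries A's MAC to R's LAN-1 MAC, the second R's LAN-2 MAC to B's MAC, both with source IP A and destination IP B. The ARP tables live on the interfaces, so R ends up with one table per LAN as the slide says, and a lookup after ARP_TTL seconds returns nothing.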
Ethernet uses CSMA/CD
- no slots
- an adapter doesn't transmit if it senses that some other adapter is transmitting: carrier sense
- a transmitting adapter aborts when it senses that another adapter is transmitting: collision detection
- before attempting a retransmission, the adapter waits a random time: random access
Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision it chooses K at random from {0, 1, 2, ..., 2^m - 1}, waits K * 512 bit times, and returns to step 2.
Ethernet's CSMA/CD (more)
Jam signal: makes sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsecond for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 ms (1023 * 512 * 0.1 µs ≈ 52 ms).
Exponential backoff:
- goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer
- first collision: choose K from {0, 1}; the delay is K * 512 bit transmission times
- after the second collision: choose K from {0, 1, 2, 3}
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}; the range stops growing at this point
CSMA/CD efficiency
- t_prop = maximum propagation delay between two nodes in the LAN
- t_trans = time to transmit a maximum-size frame
    efficiency = 1 / (1 + 5 t_prop / t_trans)
- efficiency goes to 1 as t_prop goes to 0
- efficiency goes to 1 as t_trans goes to infinity
- much better than ALOHA, but still decentralized, simple and cheap
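The backoff rule and the efficiency approximation from the last three slides are small enough to turn into a calculator. The block below is an added example, not from the deck: it computes the K range after the m-th collision (capped at 2^10 - 1 as the slide's "after ten collisions" row says), the wait in microseconds at a given bit rate, and the slides' efficiency formula for a few frame sizes. The 2.5 km LAN length, the 2e8 m/s propagation speed and the 64/1518-byte frame sizes are assumptions chosen for the illustration.

```python
import random

JAM_BITS = 48            # jam signal length
SLOT_BITS = 512          # backoff unit: K * 512 bit times
MAX_BACKOFF_EXP = 10     # after the 10th collision the range stays 0..1023


def backoff_max(m: int) -> int:
    """Largest K allowed after the m-th consecutive collision: K is drawn
    uniformly from {0, 1, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_BACKOFF_EXP) - 1


def choose_k(m: int, rng: random.Random) -> int:
    return rng.randint(0, backoff_max(m))


def bit_time_us(rate_mbps: float) -> float:
    """One bit time in microseconds: 0.1 us at 10 Mbps, 0.01 us at 100 Mbps."""
    return 1.0 / rate_mbps


def backoff_wait_us(k: int, rate_mbps: float = 10.0) -> float:
    return k * SLOT_BITS * bit_time_us(rate_mbps)


def frame_time_us(frame_bytes: int, rate_mbps: float) -> float:
    return frame_bytes * 8 * bit_time_us(rate_mbps)


def prop_delay_us(distance_m: float, speed_m_per_s: float = 2.0e8) -> float:
    """Propagation delay over copper at roughly 2/3 c (assumed value)."""
    return distance_m / speed_m_per_s * 1e6


def efficiency(t_prop_us: float, t_trans_us: float) -> float:
    """Slides' approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop_us / t_trans_us)


def simulate_retransmission(collisions: int, seed: int = 7, rate_mbps: float = 10.0) -> float:
    """Total backoff wait (us) for a frame that collides `collisions` times
    before getting through, drawing a fresh K after each collision."""
    rng = random.Random(seed)
    return sum(backoff_wait_us(choose_k(m, rng), rate_mbps) for m in range(1, collisions + 1))


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 15):
        print(f"collision {m:2d}: K in 0..{backoff_max(m)}, worst wait "
              f"{backoff_wait_us(backoff_max(m)) / 1000:.1f} ms at 10 Mbps")
    t_prop = prop_delay_us(2500)                       # 2.5 km LAN (assumption)
    for rate in (10.0, 100.0):
        for size in (64, 1518):                        # min and max Ethernet frame
            t_trans = frame_time_us(size, rate)
            print(f"{rate:5.0f} Mbps, {size:4d}-byte frame: "
                  f"efficiency {efficiency(t_prop, t_trans):.2f}")
```

Two things the table makes visible that the formula alone does not: the worst-case wait of 1023 slots at 10 Mbps is 52.4 ms, matching the slide's "about 50 ms", and efficiency collapses for minimum-size frames or higher bit rates because t_trans shrinks while t_prop does not.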
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming in on one link go out on all other links at the same rate
- no frame buffering
- no CSMA/CD at the hub: the adapters detect collisions
- provides network management functionality, e.g. it can disconnect a malfunctioning adapter
(Figure: hosts on twisted pair connected to a hub.)
Interconnecting with hubs
Pros:
- enables interdepartmental communication
- extends the maximum distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it
Cons:
- the individual collision domains are merged into one large common collision domain
- cannot interconnect 10BaseT and 100BaseT hubs
(Figure: departmental hubs connected through a backbone hub.)
Switch
Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- how to determine onto which LAN segment to forward a frame?
- looks like a routing problem
(Figure: a switch with interfaces 1, 2 and 3, each attached to a hub.)
Self learning
- a switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp)
- stale entries in the table are dropped (TTL can be 60 min)
- the switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table
Switch: traffic isolation
- switch installation breaks the subnet into LAN segments
- the switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
- segments become separate collision domains
(Figure: three hubs attached to one switch, each hub forming its own collision domain.)
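The three switch slides above (forwarding, self-learning, traffic isolation) describe one table and three outcomes per frame: flood when the destination is unknown or broadcast, filter when it sits on the incoming segment, forward otherwise. The block below is an added example, not code from the slides; the 3-port switch, host MACs and time stamps are constructed. Note that the table is updated from the source address of every frame received, with nothing verifying that address, which is exactly the plug-and-play property the slide describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"
TABLE_TTL = 60 * 60          # seconds: the slides say the TTL can be 60 min


@dataclass
class Switch:
    ports: int
    # switch table: MAC address -> (interface, time stamp of the last frame seen)
    table: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def expire(self, now: float) -> None:
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > TABLE_TTL]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac: str, dst_mac: str, in_port: int, now: float) -> Tuple[str, List[int]]:
        """Process one incoming frame; returns (action, list of output ports)."""
        self.expire(now)
        # Self-learning: the sender is reachable via in_port.  The source
        # address is taken at face value; a later frame carrying the same MAC
        # on another port simply overwrites the entry.
        self.table[src_mac] = (in_port, now)
        if dst_mac == BROADCAST or dst_mac not in self.table:
            # unknown destination: flood to every other port (as a hub would)
            return "flood", [p for p in range(1, self.ports + 1) if p != in_port]
        out_port, _ = self.table[dst_mac]
        if out_port == in_port:
            # destination is on the same segment as the sender: filter (drop)
            return "filter", []
        return "forward", [out_port]


def walkthrough() -> Tuple[List[Tuple[str, List[int]]], Dict[str, Tuple[int, float]]]:
    """Constructed scenario: 3-port switch with a hub on each port;
    hosts A and B share port 1, C is on port 2."""
    sw = Switch(ports=3)
    a, b, c = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    actions = [
        sw.receive(a, c, in_port=1, now=0.0),                  # C unknown: flood [2, 3]; learn A@1
        sw.receive(c, a, in_port=2, now=1.0),                  # A known: forward [1]; learn C@2
        sw.receive(b, a, in_port=1, now=2.0),                  # A on the same segment: filter
        sw.receive(a, c, in_port=1, now=3.0),                  # C known: forward [2]
        sw.receive(a, c, in_port=1, now=3.0 + TABLE_TTL + 1),  # C entry stale: flood again
        sw.receive(a, c, in_port=3, now=3.0 + TABLE_TTL + 2),  # A now heard on port 3: entry moves
    ]
    return actions, sw.table


if __name__ == "__main__":
    for action in walkthrough()[0]:
        print(action)
```

The last two steps show the two ways an entry changes: by timing out (the stale entry for C is removed and the frame floods again) and by being overwritten when the same source MAC appears on a different port.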
Switches vs. routers
- both are store-and-forward devices
- routers are network-layer devices (they examine network-layer headers); switches are link-layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
Hidden terminal problem:
- B and A hear each other; B and C hear each other
- A and C cannot hear each other, which means A and C are unaware of their interference at B
Signal fading:
- B and A hear each other; B and C hear each other
- A and C cannot hear each other (their signals have faded over the distance), yet they interfere at B
(Figures: A, B and C with an obstruction between A and C; A's and C's signal strength plotted against space.)
IEEE 802.11 wireless LAN
802.11b:
- 2.4 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in the physical layer; all hosts use the same chipping code
- widely deployed, using base stations
802.11a: 5 GHz range, up to 54 Mbps.
802.11g: 2.4 GHz range, up to 54 Mbps.
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
- a wireless host communicates with a base station; base station = access point (AP)
- a Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP, the base station)
- ad hoc mode: hosts only
(Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.)
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender:
1. if the channel is sensed idle for DIFS, transmit the entire frame (no collision detection)
2. if the channel is sensed busy:
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK arrives, increase the random backoff interval and repeat step 2
802.11 receiver:
- if the frame is received OK, return an ACK after SIFS (the ACK is needed because of the hidden terminal problem)
(Timing figure: the sender waits DIFS and sends data; the receiver waits SIFS and sends the ACK.)
Collision avoidance: RTS-CTS exchange
(Figure: A and B both send RTS to the AP and the two RTS frames collide at the AP, a "reservation collision"; A's retried RTS(A) gets through, the AP broadcasts CTS(A), B defers, A sends DATA(A), and the AP returns ACK(A).)
802.11 frame (field lengths in bytes):
    frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame addressing
- Address 1: MAC address of the wireless host or AP that is to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode
Example (figure): host H1 sends through the AP to router interface R1.
    802.11 frame:  address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
    802.3 frame built by the AP:  dest address = R1 MAC addr, source address = H1 MAC addr
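The frame layout and the addressing slide above fit together as a small codec: pack the header with the field widths listed (2, 2, 6, 6, 6, 2 bytes, an optional 6-byte address 4, a 4-byte CRC), then let the AP turn the three wireless addresses into an 802.3 destination/source pair. The block below is an added example, not code from the slides. It assumes the standard little-endian frame-control layout with the To DS and From DS bits, uses zlib's CRC-32 for the 4-byte check field (on-air bit ordering is not modelled), and the H1, AP and R1 MAC addresses are constructed.

```python
import struct
import zlib
from typing import Dict, Optional

# Frame control bits (little-endian 16-bit field): type = data, To DS, From DS
FC_TYPE_DATA = 0x0008
FC_TO_DS = 0x0100
FC_FROM_DS = 0x0200
HDR = struct.Struct("<HH6s6s6sH")   # frame control, duration, addr1, addr2, addr3, seq control
ADDR = struct.Struct("<6s")          # optional addr4 (only when To DS and From DS are both set)
FCS = struct.Struct("<I")            # 4-byte CRC
ETH = struct.Struct("!6s6sH")        # 802.3: dest, source, type
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split("-"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_80211(addr1: str, addr2: str, addr3: str, payload: bytes, *,
                to_ds: bool = False, from_ds: bool = False, seq: int = 0,
                addr4: Optional[str] = None) -> bytes:
    """Assemble a data frame: header, payload, then CRC-32 over both."""
    fc = FC_TYPE_DATA | (FC_TO_DS if to_ds else 0) | (FC_FROM_DS if from_ds else 0)
    hdr = HDR.pack(fc, 0, mac_bytes(addr1), mac_bytes(addr2), mac_bytes(addr3), seq << 4)
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("addr4 required when To DS and From DS are both set")
        hdr += ADDR.pack(mac_bytes(addr4))
    body = hdr + payload
    return body + FCS.pack(zlib.crc32(body))


def parse_80211(frame: bytes) -> Dict[str, object]:
    body, (fcs,) = frame[:-4], FCS.unpack(frame[-4:])
    fc, _duration, a1, a2, a3, seq_ctrl = HDR.unpack_from(body)
    offset = HDR.size
    addr4 = None
    if fc & FC_TO_DS and fc & FC_FROM_DS:
        addr4 = mac_str(ADDR.unpack_from(body, offset)[0])
        offset += ADDR.size
    return {"to_ds": bool(fc & FC_TO_DS), "from_ds": bool(fc & FC_FROM_DS),
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "addr4": addr4, "seq": seq_ctrl >> 4, "payload": body[offset:],
            "fcs_ok": fcs == zlib.crc32(body)}


def ap_to_ethernet(frame: bytes) -> Dict[str, object]:
    """AP side, wireless -> wired.  A host's frame has To DS = 1 with
    addr1 = AP (receiver), addr2 = host (transmitter), addr3 = the wired
    destination (router interface R1).  The 802.3 frame therefore gets
    dest = addr3 and source = addr2."""
    f = parse_80211(frame)
    if not f["fcs_ok"]:
        raise ValueError("bad FCS")
    if not f["to_ds"] or f["from_ds"]:
        raise ValueError("not a host-to-AP data frame")
    dst, src = str(f["addr3"]), str(f["addr2"])
    payload = bytes(f["payload"])
    return {"dst": dst, "src": src,
            "frame": ETH.pack(mac_bytes(dst), mac_bytes(src), ETHERTYPE_IPV4) + payload}


def ethernet_to_ap(eth_frame: bytes, ap_mac: str, seq: int = 0) -> bytes:
    """AP side, wired -> wireless.  With From DS = 1: addr1 = wireless host,
    addr2 = AP (transmitter), addr3 = the original wired source (R1)."""
    dst, src, _ethertype = ETH.unpack_from(eth_frame)
    return build_80211(mac_str(dst), ap_mac, mac_str(src), eth_frame[ETH.size:],
                       from_ds=True, seq=seq)
```

Round-tripping a frame through `build_80211` and `parse_80211` recovers the three addresses and the sequence number; flipping one payload byte makes `fcs_ok` false, which is all the CRC gives you (error detection, not integrity against a deliberate change, since anyone can recompute it).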
Network security
- what is network security?
- principles of cryptography: symmetric key, public key
- authentication: protocol evolution
- access control: firewalls
- attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Network security

Application gateways
Filter packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
(Figure: a host-to-gateway telnet session and a gateway-to-remote-host telnet session; the application gateway sits behind the router and its filter.)
1. Require all telnet users to telnet through the gateway.
2. For authorized users, the gateway sets up a telnet connection to the destination host; the gateway relays data between the two connections.
3. The router filter blocks all telnet connections not originating from the gateway.
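The three-step telnet policy above is a stateless rule set at the router plus an authorization check at the gateway. The block below is an added example of that policy, not code from the slides or from any real firewall product: a first-match rule evaluator, the three router rules from step 3, and a gateway that only opens the second connection for authorized users (step 2). The internal prefix 10.0.0.0/8, the gateway address 10.0.0.5, the remote host and the user names are constructed. The last line of the demo shows the limitation the deck lists next: the router decides on the source address alone, so a host that forges the gateway's address passes the same rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TELNET = 23


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def decide(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; fall through to the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule
    return default, None


# Constructed site: internal network, the application gateway's address, and
# the router filter of step 3.
INTERNAL = "10.0.0.0/8"
GATEWAY = "10.0.0.5"
ROUTER_RULES = [
    Rule("allow", src=f"{GATEWAY}/32", proto="tcp", dport=TELNET),  # only the gateway may telnet out
    Rule("deny", src=INTERNAL, proto="tcp", dport=TELNET),           # everyone else's telnet is dropped
    Rule("allow", src=INTERNAL),                                     # other outbound traffic passes
]

AUTHORIZED_TELNET_USERS = {"alice"}   # constructed gateway policy (step 2)


def telnet_via_gateway(user: str, remote: str) -> Tuple[str, Optional[Packet]]:
    """Steps 1-2: the user telnets to the gateway; if authorized, the gateway
    opens the second connection itself, so the router sees GATEWAY as source."""
    if user not in AUTHORIZED_TELNET_USERS:
        return "gateway refused", None
    outbound = Packet(GATEWAY, remote, "tcp", TELNET)
    verdict, _ = decide(ROUTER_RULES, outbound)
    return verdict, outbound


def direct_telnet(host: str, remote: str) -> str:
    """A host bypassing the gateway is stopped by the router filter (step 3)."""
    verdict, _ = decide(ROUTER_RULES, Packet(host, remote, "tcp", TELNET))
    return verdict


if __name__ == "__main__":
    print("alice via gateway:   ", telnet_via_gateway("alice", "198.51.100.9")[0])
    print("bob via gateway:     ", telnet_via_gateway("bob", "198.51.100.9")[0])
    print("direct from 10.0.0.7:", direct_telnet("10.0.0.7", "198.51.100.9"))
    # Limitation: the router trusts the source address, so a host that puts
    # GATEWAY into the source field passes rule 1.
    forged = Packet(GATEWAY, "198.51.100.9", "tcp", TELNET)
    print("forged gateway source:", decide(ROUTER_RULES, forged)[0])
```

Rule order matters: the gateway's allow must precede the blanket telnet deny, otherwise the gateway's own relayed sessions are dropped too.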
Limitations of firewalls and gateways
- IP spoofing: the router can't know whether data "really" comes from the claimed source
- if multiple applications need special treatment, each has its own application gateway
- client software must know how to contact the gateway, e.g. it must set the IP address of the proxy in the Web browser
- filters often use an all-or-nothing policy for UDP
- tradeoff: degree of communication with the outside world vs. level of security
- many highly protected sites still suffer from attacks
Overview
- what is network security
- principles of cryptography
- authentication
- access control: firewalls
- attacks and countermeasures
Internet security threats: mapping
Mapping: before attacking, "case the joint", i.e. find out what services are implemented on the network.
- use ping to determine which hosts have addresses on the network
- port scanning: try to establish a TCP connection to each port in sequence
Countermeasures:
- record traffic entering the network
- look for suspicious activity (IP addresses and ports being scanned sequentially)
Internet security threats: packet sniffing
- broadcast media: a promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g. C sniffs B's packets (figure: A, B and C on one segment; the frame src:B dest:A payload is also seen by C)
Countermeasures:
- all hosts in the organization run software that periodically checks whether the host's interface is in promiscuous mode (a compromised host can misreport its own interface state, so this is a weak check)
- one host per segment of broadcast media (switched Ethernet in place of the hub)
Internet security threats: IP spoofing
- an application can generate "raw" IP packets directly, putting any value into the IP source address field
- the receiver can't tell whether the source is spoofed
- e.g. C pretends to be B (figure: C sends a frame with src:B dest:A payload to A)
Countermeasures: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g. a datagram whose source address is not in the router's network)
- great, but ingress filtering cannot be mandated for all networks
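The ingress-filtering countermeasure above is a per-interface check on the source address, independent of any port or protocol rule. The block below is an added example, not from the slides: an edge router that forwards a datagram only if its source address belongs to the prefixes expected on the interface it arrived on. The interface names, the prefix 203.0.113.0/24 and the sample datagrams are constructed. One check goes beyond the slide's sentence and is marked as such in the code: datagrams arriving from the uplink that claim one of our own addresses are dropped as well.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed edge router: each interface and the source prefixes that may
# legitimately appear on datagrams arriving through it.
IFACE_PREFIXES: Dict[str, List[str]] = {
    "lan": ["203.0.113.0/24"],      # our network (documentation prefix, constructed)
    "uplink": ["0.0.0.0/0"],        # the rest of the Internet
}
OUR_PREFIXES = IFACE_PREFIXES["lan"]


def source_valid(in_iface: str, src_ip: str,
                 prefixes: Dict[str, List[str]] = IFACE_PREFIXES) -> bool:
    """Ingress filtering: forward a datagram only if its source address
    belongs to the prefixes expected on the interface it arrived on."""
    addr = ipaddress.ip_address(src_ip)
    allowed = any(addr in ipaddress.ip_network(p) for p in prefixes[in_iface])
    if in_iface != "lan":
        # Addition beyond the slide's sentence: a datagram from outside that
        # claims one of *our* addresses is spoofed too, so drop it as well.
        allowed = allowed and not any(addr in ipaddress.ip_network(p) for p in OUR_PREFIXES)
    return allowed


Datagram = Tuple[str, str, str]   # (arrival interface, source IP, destination IP)


def filter_datagrams(datagrams: Iterable[Datagram]) -> Tuple[List[Datagram], List[Datagram]]:
    """Split datagrams into (forwarded, dropped)."""
    forwarded: List[Datagram] = []
    dropped: List[Datagram] = []
    for d in datagrams:
        (forwarded if source_valid(d[0], d[1]) else dropped).append(d)
    return forwarded, dropped


def sample_traffic() -> List[Datagram]:
    """Constructed mix: legitimate outbound, outbound with a spoofed source
    (C pretending to be B), legitimate inbound, inbound claiming our prefix."""
    return [
        ("lan", "203.0.113.10", "198.51.100.1"),     # ours, going out: forward
        ("lan", "192.0.2.44", "198.51.100.1"),       # spoofed source from inside: drop
        ("uplink", "198.51.100.1", "203.0.113.10"),  # genuine inbound: forward
        ("uplink", "203.0.113.99", "203.0.113.10"),  # outsider claiming our address: drop
    ]


if __name__ == "__main__":
    forwarded, dropped = filter_datagrams(sample_traffic())
    print("forwarded:", forwarded)
    print("dropped:  ", dropped)
```

The check only protects other networks from spoofed traffic leaving this one; the slide's caveat stands, since a router cannot validate sources it does not own, which is why the filter has to run at every edge to be effective.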
Internet security threats: denial of service (DoS)
- a flood of maliciously generated packets "swamps" the receiver
- distributed DoS (DDoS): multiple coordinated sources swamp the receiver
- e.g. C and a remote host SYN-attack A (figure: streams of SYN segments converging on A)
Countermeasures:
- filter out flooded packets (e.g. SYN) before they reach the host: throws out the good with the bad
- traceback to the source of the floods (most likely an innocent, compromised machine)
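Two of the countermeasures above come down to the same thing: record the connection attempts entering the network and look for a pattern. The mapping slide names one pattern (ports scanned sequentially from one address) and the DoS slide another (a flood of SYNs at one host). The block below is an added example that runs both detectors over a constructed trace of connection records; it is not code from the slides, and the thresholds, window and address ranges are assumptions. The flood detector is keyed on the victim rather than on sources, since the slides themselves note that flood sources are typically spoofed or compromised.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Conn:
    """One recorded TCP connection attempt at the network entry point."""
    t: float       # seconds
    src: str
    dst: str
    dport: int
    flags: str     # "S" = SYN only (new attempt), "SA" = SYN+ACK, "A" = ACK


def longest_consecutive_run(sorted_ports: List[int]) -> int:
    if not sorted_ports:
        return 0
    best = cur = 1
    for a, b in zip(sorted_ports, sorted_ports[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def detect_port_scans(records: List[Conn], min_ports: int = 10, window: float = 60.0,
                      min_run: int = 8) -> List[Tuple[str, str]]:
    """Mapping countermeasure: flag a (src, dst) pair that opens connections to
    many distinct ports within `window` seconds, at least `min_run` of them
    consecutive (the 'try each port in sequence' pattern)."""
    attempts: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for r in records:
        if r.flags == "S":
            attempts[(r.src, r.dst)].append((r.t, r.dport))
    alerts = []
    for pair, hits in attempts.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            ports = sorted({p for _, p in hits[lo:hi + 1]})
            if len(ports) >= min_ports and longest_consecutive_run(ports) >= min_run:
                alerts.append(pair)
                break
    return alerts


def detect_syn_floods(records: List[Conn], max_syn_per_sec: int = 100) -> List[Dict[str, object]]:
    """DoS countermeasure: count new SYNs per destination per second.  The alert
    is keyed on the victim, not the sources: flood sources are usually spoofed
    or compromised machines, so per-source counting says little."""
    syns: Dict[Tuple[str, int], int] = defaultdict(int)
    sources: Dict[Tuple[str, int], set] = defaultdict(set)
    for r in records:
        if r.flags == "S":
            key = (r.dst, int(r.t))
            syns[key] += 1
            sources[key].add(r.src)
    return [{"dst": dst, "second": sec, "syns": n, "distinct_srcs": len(sources[(dst, sec)])}
            for (dst, sec), n in sorted(syns.items()) if n > max_syn_per_sec]


def constructed_trace() -> List[Conn]:
    """Made-up records (documentation address ranges): normal browsing,
    one sequential scan of ports 20-60, and a 400-SYN burst from 250 sources."""
    trace = [Conn(0.5, "198.51.100.7", "203.0.113.10", 80, "S"),
             Conn(0.6, "198.51.100.7", "203.0.113.10", 25, "S")]
    trace += [Conn(10.0 + i, "198.51.100.9", "203.0.113.10", 20 + i, "S") for i in range(41)]
    trace += [Conn(100.0 + i / 400, f"192.0.2.{i % 250}", "203.0.113.20", 80, "S")
              for i in range(400)]
    return trace


if __name__ == "__main__":
    trace = constructed_trace()
    print("port scans:", detect_port_scans(trace))
    print("SYN floods:", detect_syn_floods(trace))
```

The scan detector only counts SYN-only records, so the two legitimate connections from the browsing host never approach the threshold, while the scanner trips it after ten consecutive ports; the flood detector reports the one second in which the victim saw 400 SYNs from 250 distinct addresses.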
Review (1): network layer
- virtual circuits and datagram networks
- routing principles: link-state algorithm, distance-vector algorithm
- the Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (network address translation)

Review (2): data link layer
- introduction and services
- error detection and correction
- multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
- link-layer addressing
- Ethernet
- hubs and switches
- mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): network security
- what is network security
- principles of cryptography: symmetric key, public key
- authentication: protocol evolution
- access control: firewalls
- attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing algorithm classification
Global or decentralized information?
- global: all routers have complete topology and link cost information; "link state" algorithms
- decentralized: a router knows its physically connected neighbors and the link costs to them; an iterative process of computation and exchange of information with neighbors; "distance vector" algorithms
Static or dynamic?
- static: routes change slowly over time
- dynamic: routes change more quickly; periodic updates, in response to link cost changes
Dijkstra's algorithm
    Initialization:
      N = {u}
      for all nodes v
        if v adjacent to u
          then D(v) = c(u,v)
          else D(v) = infinity

    Loop
      find w not in N such that D(w) is a minimum
      add w to N
      update D(v) for all v adjacent to w and not in N:
        D(v) = min( D(v), D(w) + c(w,v) )
      /* the new cost to v is either the old cost to v, or the known
         shortest path cost to w plus the cost from w to v */
    until all nodes in N
Dijkstra's algorithm: example
(Graph from the figure: nodes u, v, w, x, y, z with link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2.)

    Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
    0     u        2,u        5,u        1,u        inf        inf
    1     ux       2,u        4,x                   2,x        inf
    2     uxy      2,u        3,y                              4,y
    3     uxyv                3,y                              4,y
    4     uxyvw                                                4,y
    5     uxyvwz
Distance vector algorithm (1)
Basic idea:
- each node periodically sends its own distance vector estimate to its neighbors
- when a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
      D_x(y) <- min_v { c(x,v) + D_v(y) }   for each node y in N
- under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance vector algorithm (2)
Iterative, asynchronous: each local iteration is caused by
- a local link cost change, or
- a DV update message from a neighbor
Distributed: each node notifies its neighbors only when its DV changes; the neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path; it only knows the next hop.
Each node: wait for (a change in local link cost or a message from a neighbor), then recompute its estimates.

Why different intra- and inter-AS routing? (fragment of the slide)
- ... reduced update traffic
- performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance
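The Dijkstra pseudocode, its worked table, and the two distance-vector slides above can be checked against each other on the same graph. The block below is an added example, not code from the slides: `dijkstra` follows the pseudocode step by step and records the order in which nodes join N, `distance_vector` runs the Bellman-Ford update D_x(y) = min_v { c(x,v) + D_v(y) } synchronously in rounds until nothing changes, and `next_hops` extracts what a DV node actually keeps (the next hop, not the whole path). The link costs are the ones read off the example figure. One difference from the slide's table: after step 1 both v and y have D = 2, and the slide adds y first while this code breaks the tie alphabetically and adds v first; the final costs and predecessors are the same either way.

```python
import math
from typing import Dict, List, Tuple

# Link costs read off the slide's example graph (the textbook figure).
COSTS: Dict[Tuple[str, str], int] = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def adjacency(costs: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    adj: Dict[str, Dict[str, int]] = {}
    for (a, b), c in costs.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(adj: Dict[str, Dict[str, int]], u: str):
    """Link-state computation following the slide's pseudocode.  Returns the
    least costs D, the predecessors p, and the order in which nodes joined N.
    Ties for the minimum D(w) are broken alphabetically."""
    n_set = {u}
    dist = {v: adj[u].get(v, math.inf) for v in adj}
    dist[u] = 0
    pred = {v: u for v in adj[u]}
    order = [u]
    while len(n_set) < len(adj):
        w = min((v for v in adj if v not in n_set), key=lambda v: (dist[v], v))
        n_set.add(w)
        order.append(w)
        for v, c in adj[w].items():
            if v not in n_set and dist[w] + c < dist[v]:
                dist[v] = dist[w] + c       # shorter path found via w
                pred[v] = w
    return dist, pred, order


def distance_vector(adj: Dict[str, Dict[str, int]], max_rounds: int = 20):
    """Synchronous distance-vector iteration: in every round each node x
    recomputes D_x(y) = min over neighbours v of c(x,v) + D_v(y) from the
    vectors its neighbours sent in the previous round.  Stops when no
    vector changes; returns the vectors and the number of rounds taken."""
    nodes = list(adj)
    vec = {x: {y: (0 if x == y else adj[x].get(y, math.inf)) for y in nodes} for x in nodes}
    for rnd in range(1, max_rounds + 1):
        new = {x: {y: (0 if x == y else min(c + vec[v][y] for v, c in adj[x].items()))
                   for y in nodes} for x in nodes}
        if new == vec:
            return vec, rnd
        vec = new
    return vec, max_rounds


def next_hops(adj: Dict[str, Dict[str, int]], x: str) -> Dict[str, str]:
    """What a DV node keeps for forwarding: for each destination y, the
    neighbour v that minimises c(x,v) + D_v(y).  It never learns the full path."""
    vec, _ = distance_vector(adj)
    return {y: min(adj[x], key=lambda v: adj[x][v] + vec[v][y]) for y in adj if y != x}


if __name__ == "__main__":
    adj = adjacency(COSTS)
    dist, pred, order = dijkstra(adj, "u")
    print("order added to N:", order)
    print("D:", dist)
    print("p:", pred)
    vec, rounds = distance_vector(adj)
    print(f"DV converged after {rounds} rounds; u's vector: {vec['u']}")
    print("u's next hops:", next_hops(adj, "u"))
```

Both methods agree on u's costs (v:2, w:3, x:1, y:2, z:4), and the predecessor table matches the slide (p(w)=y, p(z)=y, p(y)=x); DV needs three synchronous rounds here because the longest shortest path, u-x-y-z, is three hops.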
Data link layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along a communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.
Link layer services
Framing, link access:
- encapsulate the datagram into a frame, adding a header and trailer
- channel access if the medium is shared
- "MAC" addresses used in frame headers to identify source and destination (different from IP addresses)
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit-error links (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-to-end reliability?
MAC protocols: a taxonomy
Three broad classes:
- channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
- random access: channel not divided, allow collisions; "recover" from collisions
- "taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Limitations of firewalls and gateways
IP spoofing router canrsquot know if data ldquoreallyrdquo comes from claimed source
if multiple apprsquos need special treatment each has own app gateway
client software must know how to contact gateway eg must set IP address
of proxy in Web browser
filters often use all or nothing policy for UDP
tradeoff degree of communication with outside world level of security
many highly protected sites still suffer from attacks
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1): Network layer
Virtual circuits and datagram networks
Routing principles: link state algorithm, distance vector algorithm
The Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)
Review (2): Data link layer
Introduction and services
Error detection and correction
Multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
Link-layer addressing
Ethernet
Hubs and switches
Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network security
What is network security
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing algorithm classification
Global or decentralized information?
Global: all routers have complete topology and link cost info: "link state" algorithms
Decentralized: a router knows its physically-connected neighbors and the link costs to those neighbors; iterative process of computation and exchange of info with neighbors: "distance vector" algorithms
Static or dynamic?
Static: routes change slowly over time
Dynamic: routes change more quickly; periodic update, or update in response to link cost changes
Dijkstra's algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm example
(figure: graph with nodes u, v, w, x, y, z and link costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2)
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
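The same computation carried out in code, as an added example (not the lecture's): the link costs are those of the figure above, the loop is the slide's (pick the not-yet-finalized node with minimum D, add it to N, relax its neighbors), and a heap stands in for the "find w with minimum D(w)" scan. The forwarding-table function goes one step past the slide and extracts the next hop a router would install.

```python
"""Link-state (Dijkstra) computation on the lecture graph (added example)."""
import heapq

# Undirected link costs from the slide's figure.
LINKS = [("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2), ("v", "w", 3),
         ("x", "w", 3), ("x", "y", 1), ("w", "y", 1), ("w", "z", 5), ("y", "z", 2)]


def adjacency(links):
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(links, source):
    """Return (D, p): least cost D[v] and predecessor p[v] on the least-cost path from source."""
    adj = adjacency(links)
    D = {v: float("inf") for v in adj}
    p = {v: None for v in adj}
    D[source] = 0
    N = set()                                  # finalized nodes, as in the slide
    heap = [(0, source)]
    while heap:
        dw, w = heapq.heappop(heap)            # w not in N with minimum D(w)
        if w in N:
            continue                           # stale heap entry
        N.add(w)
        for v, c in adj[w].items():            # D(v) = min(D(v), D(w) + c(w,v))
            if v not in N and dw + c < D[v]:
                D[v], p[v] = dw + c, w
                heapq.heappush(heap, (D[v], v))
    return D, p


def path(p, source, dest):
    """Walk the predecessors back from dest to source."""
    hops = [dest]
    while hops[-1] != source:
        hops.append(p[hops[-1]])
    return list(reversed(hops))


def forwarding_table(links, source):
    """Next hop from source to every other node: what the router actually installs."""
    D, p = dijkstra(links, source)
    return {d: path(p, source, d)[1] for d in D if d != source}


if __name__ == "__main__":
    D, p = dijkstra(LINKS, "u")
    for v in sorted(D):
        print(f"D({v}) = {D[v]}, p({v}) = {p[v]}")   # matches the last row of the table
    print(forwarding_table(LINKS, "u"))
```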
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to its neighbors
When a node x receives a new DV estimate from a neighbor, it updates its own DV using the Bellman-Ford equation:
D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y in N
Under minor, natural conditions the estimate D_x(y) converges to the actual least cost d_x(y)
Distance vector algorithm (2)
Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor
Distributed: each node notifies its neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only the next hop
Each node: wait for (change in local link cost or message from neighbor); recompute estimates; if the DV to any destination has changed, notify neighbors
Why different intra- and inter-AS routing? Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance
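The distance-vector computation on the same graph as the Dijkstra example, as an added example that is not the lecture's code. Every node keeps only D_x(y) and a next hop per destination, and each round applies the Bellman-Ford equation to the vectors its neighbors sent. Rounds are run synchronously here so that convergence is easy to observe; the real protocol is asynchronous, as the slide says.

```python
"""Distance-vector (Bellman-Ford) routing on the lecture graph (added example)."""
INF = float("inf")

# Undirected link costs from the Dijkstra example figure.
LINKS = [("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2), ("v", "w", 3),
         ("x", "w", 3), ("x", "y", 1), ("w", "y", 1), ("w", "z", 5), ("y", "z", 2)]


def link_costs(links):
    """cost[x][v] = c(x,v) for each neighbour v of x."""
    cost = {}
    for a, b, c in links:
        cost.setdefault(a, {})[b] = c
        cost.setdefault(b, {})[a] = c
    return cost


def initial_vectors(cost):
    """D_x(y) = c(x,y) for neighbours, 0 for x itself, infinity otherwise."""
    dv = {}
    for x in cost:
        dv[x] = {}
        for y in cost:
            if y == x:
                dv[x][y] = (0, None)
            elif y in cost[x]:
                dv[x][y] = (cost[x][y], y)
            else:
                dv[x][y] = (INF, None)
    return dv


def dv_round(dv, cost):
    """One exchange: every node applies D_x(y) = min_v { c(x,v) + D_v(y) }
    over its neighbours' vectors; the value stored is (cost, next hop)."""
    new = {}
    for x in cost:
        new[x] = {}
        for y in cost:
            if y == x:
                new[x][y] = (0, None)
                continue
            best = (INF, None)
            for v, c in cost[x].items():         # x only knows its neighbours' vectors
                if c + dv[v][y][0] < best[0]:
                    best = (c + dv[v][y][0], v)  # next hop only, never the whole path
            new[x][y] = best
    return new


def run_dv(links, max_rounds=50):
    """Iterate until no vector changes; return (vectors, rounds run)."""
    cost = link_costs(links)
    dv = initial_vectors(cost)
    for rounds in range(1, max_rounds + 1):
        new = dv_round(dv, cost)
        if new == dv:
            return dv, rounds
        dv = new
    raise RuntimeError("did not converge")


if __name__ == "__main__":
    vectors, rounds = run_dv(LINKS)
    print("converged after", rounds, "rounds")
    for y in sorted(vectors["u"]):
        print(f"D_u({y}) = {vectors['u'][y][0]}, next hop {vectors['u'][y][1]}")
```

The converged costs from u agree with the Dijkstra table (D(z) = 4, D(w) = 3), but u's entries only say "via x"; the full path u-x-y-z exists nowhere in u's state.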
Data link layer: some terminology
hosts and routers are nodes
communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
a layer-2 packet is a frame; it encapsulates a datagram
the data-link layer has responsibility for transferring a datagram from one node to an adjacent node over a link
Link layer services
Framing, link access: encapsulate the datagram into a frame, adding header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and destination (different from IP address)
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates
Q: why both link-level and end-to-end reliability?
MAC protocols: a taxonomy
Three broad classes:
Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
Random access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel partitioning MAC protocols: TDMA
TDMA (time division multiple access): access to channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle; example: 6-station LAN, stations 1, 3, 4 have packets, slots 2, 5, 6 idle
TDM (time division multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load
FDM (frequency division multiplexing): frequency subdivided
Slotted ALOHA
Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized: only the slots in nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization
Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e ≈ 0.37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of the time
CSMA (carrier sense multiple access)
CSMA: listen before transmit; if channel sensed idle, transmit entire frame; if channel sensed busy, defer transmission
Human analogy: don't interrupt others
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
(figure: space-time diagram of two nodes' transmissions overlapping because of propagation delay; spatial layout of nodes)
note: role of distance and propagation delay in determining collision probability
CSMA/CD (collision detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage
collision detection: easy in wired LANs: measure signal strengths, compare transmitted and received signals; difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
(figure: space-time diagram; colliding transmissions are aborted shortly after detection)
"Taking turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to the next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table
ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (time to live): time after which the address mapping will be forgotten (typically 20 min)
Question: how to determine the MAC address of B, knowing B's IP address?
(figure: a LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table
A broadcasts an ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query
B receives the ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out)
soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator
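The query/reply exchange and the soft-state table, as an added example that is not the lecture's code. It builds and parses the 28-byte Ethernet/IPv4 ARP body (RFC 826: hardware type 1, protocol type 0x0800, hardware length 6, protocol length 4, opcode 1 = request, 2 = reply) and ages cache entries with the 20-minute TTL. The hosts are the slide's four LAN nodes; which MAC goes with which IP is a constructed pairing, taken in the order the figure lists them.

```python
"""ARP request/reply and soft-state cache on one LAN (added example)."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"
ARP_TTL = 20 * 60           # seconds: "typically 20 min"
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split("-"))

def mac_str(raw):
    return "-".join(f"{x:02X}" for x in raw)

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def ip_str(raw):
    return ".".join(str(x) for x in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(body):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.arp_table = {}             # ip -> (mac, expiry time)

    def lookup(self, ip, now):
        """Cached MAC for ip, or None; an expired entry is soft state and is dropped."""
        entry = self.arp_table.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        self.arp_table.pop(ip, None)
        return None

    def learn(self, ip, mac, now):
        self.arp_table[ip] = (mac, now + ARP_TTL)

    def handle(self, dst_mac, body, now):
        """Deliver an ARP body carried in a frame addressed to dst_mac.
        Returns (dst_mac, body) of a reply to send, or None."""
        if dst_mac not in (self.mac, BROADCAST):
            return None                 # not for this NIC (it is not promiscuous)
        pkt = parse_arp(body)
        if pkt["target_ip"] != self.ip:
            return None
        self.learn(pkt["sender_ip"], pkt["sender_mac"], now)   # target records the sender (RFC 826)
        if pkt["op"] == ARP_REQUEST:
            return pkt["sender_mac"], build_arp(ARP_REPLY, self.mac, self.ip,
                                                pkt["sender_mac"], pkt["sender_ip"])
        return None


def resolve(lan, a, target_ip, now):
    """A resolves target_ip: cache hit, else broadcast a query on lan and take the unicast reply."""
    cached = a.lookup(target_ip, now)
    if cached:
        return cached
    query = build_arp(ARP_REQUEST, a.mac, a.ip, ZERO_MAC, target_ip)
    for host in lan:                    # broadcast: every NIC on the LAN receives it
        if host is a:
            continue
        reply = host.handle(BROADCAST, query, now)
        if reply:
            a.handle(reply[0], reply[1], now)   # unicast reply addressed to A's MAC
    return a.lookup(target_ip, now)


# Constructed LAN: the slide's MAC addresses paired with its IP addresses in order.
LAN = [Host("1A-2F-BB-76-09-AD", "237.196.7.23"), Host("58-23-D7-FA-20-B0", "237.196.7.78"),
       Host("0C-C4-11-6F-E3-98", "237.196.7.14"), Host("71-65-F7-2B-08-53", "237.196.7.88")]

if __name__ == "__main__":
    a = LAN[0]
    print(resolve(LAN, a, "237.196.7.88", now=0))             # learned from B's reply
    print(resolve(LAN, a, "237.196.7.88", now=60))            # served from the cache
    print(resolve(LAN, a, "237.196.7.88", now=ARP_TTL + 1))   # entry timed out: new query
```

Nothing in the exchange authenticates the answer: the cache stores whatever reply arrives for the queried IP, which is the flip side of ARP being plug-and-play and the reason a sniffing host on the same LAN (see packet sniffing above) can also answer on another host's behalf.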
Routing to another LAN
walkthrough: send a datagram from A to B via R; assume A knows B's IP address
two ARP tables in router R, one for each IP network (LAN)
in the routing table at the source host, find router 111.111.111.110; in the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
(figure: A, router R, B; R has one interface on each LAN)
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates a link-layer frame with R's MAC address as dest; frame contains the A-to-B IP datagram
A's adapter sends the frame; R's adapter receives the frame
R removes the IP datagram from the Ethernet frame, sees it is destined to B
R uses ARP to get B's MAC address
R creates a frame containing the A-to-B IP datagram, sends it to B
Ethernet uses CSMA/CD
no slots
an adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
a transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
before attempting a retransmission, the adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives a datagram from the network layer and creates a frame
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits)
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K x 512 bit times and returns to step 2
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec (1023 x 512 x 0.1 microsec ≈ 52 msec)
Exponential backoff
goal: adapt retransmission attempts to the estimated current load; heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K x 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3}
after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
efficiency goes to 1 as t_prop goes to 0
goes to 1 as t_trans goes to infinity
much better than ALOHA, but still decentralized, simple, and cheap
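The numbers behind three of the slides above (slotted ALOHA efficiency, Ethernet exponential backoff, CSMA/CD efficiency), carried through in one added example that is not the lecture's code. The link rate, frame size and propagation delay used in the demo at the end are assumed values.

```python
"""Random-access MAC calculations: slotted ALOHA, Ethernet backoff, CSMA/CD (added example)."""
import math
import random


def aloha_success_prob(n, p):
    """P(exactly one of n nodes transmits in a slot) = N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def aloha_best_p(n, steps=10000):
    """Scan p in (0,1) for the maximum of aloha_success_prob; analytically p* = 1/N."""
    best_p, best = 0.0, 0.0
    for i in range(1, steps):
        p = i / steps
        val = aloha_success_prob(n, p)
        if val > best:
            best_p, best = p, val
    return best_p, best


def aloha_limit():
    """Max efficiency as N -> infinity: N p* (1-p*)^(N-1) with p* = 1/N tends to 1/e."""
    return 1 / math.e


def backoff_k_range(m):
    """After the m-th collision K is drawn from {0, ..., 2^min(m,10) - 1}."""
    return 2 ** min(m, 10)


def backoff_wait_seconds(k, rate_bps=10_000_000):
    """K x 512 bit times; one bit time is 1/rate (0.1 microsec at 10 Mbps)."""
    return k * 512 / rate_bps


def choose_backoff(m, rng=random):
    """Draw K for the m-th collision; return (K, wait in seconds at 10 Mbps)."""
    k = rng.randrange(backoff_k_range(m))
    return k, backoff_wait_seconds(k)


def csmacd_efficiency(t_prop, t_trans):
    """Long-run fraction of time the channel carries useful data."""
    return 1 / (1 + 5 * t_prop / t_trans)


if __name__ == "__main__":
    for n in (2, 5, 10, 100):
        p, eff = aloha_best_p(n)
        print(f"N={n:3d}: best p={p:.3f} (1/N={1 / n:.3f}), efficiency={eff:.3f}")
    print("limit 1/e =", round(aloha_limit(), 3))
    print("K range after 10 collisions:", backoff_k_range(10),
          "max wait:", round(backoff_wait_seconds(1023) * 1e3, 1), "ms")
    # assumed: 10 Mbps, 1500-byte frame (1.2 ms), 25 microsec max propagation delay
    print("CSMA/CD efficiency:", round(csmacd_efficiency(25e-6, 1500 * 8 / 10e6), 3))
```

The backoff range is capped at 2^10 after the tenth collision, which is where the slide's "about 50 msec" for K = 1023 comes from: 1023 x 512 bit times at 0.1 microsec per bit is 52.4 ms.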
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter)
(figure: twisted-pair links into a hub)
Interconnecting with hubs
Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it
Cons: collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs
(figure: a backbone hub connecting three department hubs)
Switch
link-layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC dest address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment
transparent: hosts are unaware of the presence of switches
plug-and-play, self-learning: switches do not need to be configured
Forwarding
how to determine onto which LAN segment to forward a frame? looks like a routing problem
(figure: a switch with interfaces 1, 2, 3, each connected to a hub)
Self learning
a switch has a switch table; entry in the switch table: (MAC address, interface, time stamp); stale entries in the table are dropped (TTL can be 60 min)
the switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment; records the sender/location pair in the switch table
Switch: traffic isolation
switch installation breaks the subnet into LAN segments
the switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
segments become separate collision domains
(figure: a switch with three hubs; each hub's segment is a separate collision domain)
Switches vs routers
both are store-and-forward devices
routers are network-layer devices (examine network-layer headers); switches are link-layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access)
(figure: A, B, C in a line with A and C out of each other's range; signal-strength curves of A and of C over space, overlapping only at B)
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other; means A and C are unaware of their interference at B
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B
IEEE 802.11 wireless LAN
802.11b: 2.4-2.5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer: all hosts use the same chipping code; widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-2.5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
a wireless host communicates with a base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
ad hoc mode: hosts only
(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender
1. if the channel is sensed idle for DIFS, then transmit the entire frame (no CD)
2. if the channel is sensed busy, then start a random backoff timer; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2
802.11 receiver
if the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem)
(figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK)
Collision avoidance: RTS-CTS exchange
(figure: A and B both send RTS to the AP and the reservations collide; A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A) and the AP returns ACK(A); B defers for the reserved period)
802.11 frame
frame control (2 bytes), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4)
802.11 frame: addressing
Address 1: MAC address of the wireless host or AP that is to receive this frame
Address 2: MAC address of the wireless host or AP transmitting this frame
Address 3: MAC address of the router interface to which the AP is attached
Address 4: used only in ad hoc mode
(figure: H1 sends to router R1 through the AP; 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr; the AP re-encapsulates into an 802.3 frame with dest address = R1 MAC addr and source address = H1 MAC addr, since the AP bridges the frame rather than substituting its own address)
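The frame layout and the H1-to-R1 addressing above, as an added example that is not the lecture's code: it packs an 802.11 data frame with the slide's field order, verifies the CRC on the way back, and performs the AP's re-encapsulation into an 802.3 frame whose destination is address 3 and whose source is address 2. Facts taken from the standard rather than the slide: 802.11 header fields are little-endian, the "To DS" flag is bit 8 of the frame-control word and the data type puts 0x08 in its low byte. The MAC addresses and payload are constructed.

```python
"""802.11 data-frame layout and the AP's re-encapsulation into 802.3 (added example)."""
import struct
import zlib

HDR_FMT = "<HH6s6s6sH6s"            # fc, duration, addr1, addr2, addr3, seq control, addr4
HDR_LEN = struct.calcsize(HDR_FMT)  # 30 bytes, the slide's fixed header
MAX_PAYLOAD = 2312
FC_DATA, FC_TO_DS, FC_FROM_DS = 0x0008, 0x0100, 0x0200
ETH_IP = 0x0800


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split("-"))

def mac_str(raw):
    return "-".join(f"{x:02X}" for x in raw)


def build_80211_data(addr1, addr2, addr3, payload, seq=0, to_ds=True, addr4=None):
    """Host -> AP data frame: addr1 = receiver (AP), addr2 = transmitter (host),
    addr3 = router interface; addr4 is left zero unless given (ad hoc use)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    fc = FC_DATA | (FC_TO_DS if to_ds else 0)
    a4 = mac_bytes(addr4) if addr4 else bytes(6)
    body = struct.pack(HDR_FMT, fc, 0, mac_bytes(addr1), mac_bytes(addr2),
                       mac_bytes(addr3), (seq & 0xFFF) << 4, a4) + payload
    return body + struct.pack("<I", zlib.crc32(body))      # 4-byte CRC-32 check sequence


def parse_80211(frame):
    body, crc = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != crc:
        raise ValueError("CRC mismatch: frame corrupted")
    fc, duration, a1, a2, a3, seq, a4 = struct.unpack(HDR_FMT, body[:HDR_LEN])
    return {"to_ds": bool(fc & FC_TO_DS), "from_ds": bool(fc & FC_FROM_DS),
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "addr4": mac_str(a4), "seq": seq >> 4, "payload": body[HDR_LEN:]}


def ap_to_ethernet(frame, ap_mac):
    """What the AP does for H1 -> R1: strip the 802.11 header and build an 802.3
    frame with destination = address 3 (R1) and source = address 2 (H1)."""
    f = parse_80211(frame)
    if f["addr1"] != ap_mac or not f["to_ds"]:
        raise ValueError("frame is not addressed to this AP for bridging")
    return struct.pack("!6s6sH", mac_bytes(f["addr3"]), mac_bytes(f["addr2"]), ETH_IP) + f["payload"]


def parse_ethernet(frame):
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dest": mac_str(dst), "source": mac_str(src), "type": etype, "payload": frame[14:]}


# Constructed addresses for H1, the AP and router interface R1.
H1, AP, R1 = "02-00-00-00-00-01", "02-00-00-00-00-AA", "02-00-00-00-00-FF"

if __name__ == "__main__":
    datagram = b"IP datagram from H1 toward R1"   # constructed payload
    wifi = build_80211_data(AP, H1, R1, datagram, seq=7)
    print(parse_80211(wifi))
    print(parse_ethernet(ap_to_ethernet(wifi, AP)))
```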
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Overview
What is network securityPrinciples of cryptographyAuthenticationAccess control firewallsAttacks and counter measures
Internet security threats
Mapping before attacking ldquocase the jointrdquo ndash find out
what services are implemented on network Use ping to determine what hosts have
addresses on network Port-scanning try to establish TCP
connection to each port in sequence
Countermeasures
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Network Security
Internet security threats
Mapping:
- before attacking: "case the joint" - find out what services are implemented on network
- Use ping to determine what hosts have addresses on network
- Port-scanning: try to establish TCP connection to each port in sequence
Countermeasures?
Internet security threats
Mapping: countermeasures
- record traffic entering network
- look for suspicious activity (IP addresses, ports being scanned sequentially)
Internet security threats: Packet sniffing
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets
[Figure: A, B and C on a shared medium; C reads the frame src:B dest:A payload]
Countermeasures?
Internet security threats: Packet sniffing countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
[Figure: A, B and C each on their own switch port; frame src:B dest:A payload]
Internet security threats: IP Spoofing
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
[Figure: A, B and C; C sends a frame src:B dest:A payload]
Countermeasures?
Internet security threats: IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g. datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
[Figure: A, B and C; frame src:B dest:A payload]
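The ingress-filter rule on this slide, together with its caveat that a router cannot vouch for traffic arriving from other networks, as an added Python example (not from the original slides). The EdgeRouter class, the 192.0.2.0/24 organization prefix and the packets are constructed for illustration.

```python
"""Ingress filtering at an organization's edge router, as described on the
slide. Added example, not from the original slides; the prefixes and packets
below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # IP source address as written in the header
    dst: str
    in_iface: str  # "inside" = arrived from the organization's own LAN


class EdgeRouter:
    """Router between the organization's network(s) and the upstream provider."""

    def __init__(self, inside_prefixes):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]

    def source_is_inside(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.inside)

    def forward(self, pkt):
        """Return (forwarded, reason).

        Slide rule: do not forward outgoing packets whose source address is
        not in the router's own network. Traffic arriving from upstream is
        forwarded unchanged: this router cannot know whether another
        network has applied the same filter (the slide's caveat).
        """
        if pkt.in_iface != "inside":
            return True, "from upstream, not checked here"
        if self.source_is_inside(pkt.src):
            return True, "outgoing, valid source"
        return False, "outgoing, spoofed source %s dropped" % pkt.src


def run_filter(router, packets):
    """Partition packets into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for p in packets:
        ok, _ = router.forward(p)
        (forwarded if ok else dropped).append(p)
    return forwarded, dropped


# constructed scenario: the organization owns 192.0.2.0/24; host C inside
# it spoofs the source address of B (198.51.100.7, some other network)
ROUTER = EdgeRouter(["192.0.2.0/24"])
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5", "inside"),     # honest host A
    Packet("198.51.100.7", "203.0.113.5", "inside"),   # C pretending to be B
    Packet("0.0.0.0", "203.0.113.5", "inside"),        # bogus source
    Packet("198.51.100.7", "192.0.2.10", "upstream"),  # may itself be spoofed
]

if __name__ == "__main__":
    fwd, drp = run_filter(ROUTER, SAMPLE)
    for p in drp:
        print("dropped", p)
```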
Internet security threats: Denial of service (DOS)
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g.: C and remote host SYN-attack A
[Figure: A, B and C; streams of SYN segments from C and from a remote host converge on A]
Countermeasures?
Internet security threats: Denial of service (DOS) countermeasures
- filter out flooded packets (e.g. SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
[Figure: A, B and C; streams of SYN segments converging on A]
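The two countermeasures the slides describe, looking for ports being scanned sequentially (mapping) and filtering flooded SYNs before they reach the host (DoS), as one added Python example that is not part of the original slides. The Flow record, thresholds and the traffic in build_sample() are constructed; the SYN filter returns what it dropped so the slide's "throw out good with bad" cost is visible.

```python
"""Detection logic for two threats on the slides: sequential port scans
(mapping) and SYN floods (DoS), with the slide's SYN-filter countermeasure.
Added example, not from the original slides; the flow records in
build_sample() are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    t: float      # arrival time in seconds
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags as letters: "S" = SYN only, "SA" = SYN-ACK


def detect_sequential_scans(flows, min_ports=10):
    """Flag (src, dst) pairs whose SYNs hit many distinct ports in rising order,
    the 'ports being scanned sequentially' pattern from the slide."""
    ports = defaultdict(list)
    for f in flows:
        if f.flags == "S":
            ports[(f.src, f.dst)].append(f.dport)
    alerts = []
    for (src, dst), seq in ports.items():
        distinct = len(set(seq))
        if distinct < min_ports:
            continue
        rising = sum(1 for a, b in zip(seq, seq[1:]) if b > a)
        if rising >= 0.9 * (len(seq) - 1):
            alerts.append(("portscan", src, dst, distinct))
    return alerts


def detect_syn_flood(flows, window=1.0, threshold=50):
    """Flag destinations that receive more than `threshold` SYN-only segments
    within any `window` seconds; also report how many distinct sources took
    part (many sources = DDoS-like, as on the slide)."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.flags == "S":
            by_dst[f.dst].append(f)
    alerts = []
    for dst, syns in by_dst.items():
        syns.sort(key=lambda f: f.t)
        start = 0
        for end in range(len(syns)):
            while syns[end].t - syns[start].t > window:
                start += 1
            if end - start + 1 > threshold:
                srcs = {f.src for f in syns[start:end + 1]}
                alerts.append(("synflood", dst, end - start + 1, len(srcs)))
                break
    return alerts


def syn_rate_filter(flows, dst, window=1.0, budget=50):
    """The slide's countermeasure: drop SYNs to `dst` beyond a per-window
    budget before they reach the host. Returns (kept, dropped) so the
    collateral damage ('throw out good with bad') can be measured."""
    syns = sorted((f for f in flows if f.dst == dst and f.flags == "S"),
                  key=lambda f: f.t)
    kept, dropped = [], []
    window_start, count = None, 0
    for f in syns:
        if window_start is None or f.t - window_start >= window:
            window_start, count = f.t, 0
        count += 1
        (kept if count <= budget else dropped).append(f)
    return kept, dropped


def build_sample():
    """Constructed traffic: C (10.0.0.3) maps B (10.0.0.2) by probing ports
    1..40 in order, then 60 coordinated remote hosts SYN-flood A (10.0.0.1)
    while B opens one legitimate connection to A."""
    flows = [Flow(10.0 + i * 0.01, "10.0.0.3", "10.0.0.2", port, "S")
             for i, port in enumerate(range(1, 41))]
    flows += [Flow(20.0 + k * 0.004, "203.0.113.%d" % (k % 60 + 1), "10.0.0.1", 80, "S")
              for k in range(120)]
    flows.append(Flow(20.3, "10.0.0.2", "10.0.0.1", 80, "S"))   # legitimate SYN
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print(detect_sequential_scans(sample))
    print(detect_syn_flood(sample))
    kept, dropped = syn_rate_filter(sample, "10.0.0.1")
    print(len(kept), "SYNs let through,", len(dropped), "dropped,",
          sum(f.src == "10.0.0.2" for f in dropped), "of them legitimate")
```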
Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  - Link State Algorithm
  - Distance Vector Algorithm
- The Internet (IP) Protocol
  - IPv4 addressing
  - Datagram format
  - IP fragmentation
  - ICMP: Internet Control Message Protocol
  - IPv6
  - NAT: Network Address Translation
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  - TDMA/FDMA
  - Random Access Protocols
  - "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3)
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Step | N       | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u       | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux      | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy     | 2,u       | 3,y       |           |           | 4,y
3    | uxyv    |           | 3,y       |           |           | 4,y
4    | uxyvw   |           |           |           |           | 4,y
5    | uxyvwz  |           |           |           |           |
[Figure: graph with nodes u, v, w, x, y, z and link costs u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) }   for each node y ∈ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor
Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path - only knows the next hop
[Figure: each node loops: wait for (change in local link cost or msg from neighbor)]
Why different Intra- and Inter-AS routing?
... update traffic
Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
[Figure: a path of nodes with each hop labelled "link"]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access:
- encapsulate datagram into frame, adding header, trailer
- channel access if shared medium
- "MAC" addresses used in frame headers to identify source, dest
  - different from IP address
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit error link (fiber, some twisted pair)
- wireless links: high error rates
  - Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time
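The maximization and limit that the slide states but does not carry out, written out as an added derivation (not part of the original slides), with f(p) denoting the slide's success probability Np(1-p)^(N-1):

```latex
\begin{aligned}
f(p) &= N p (1-p)^{N-1} \\
f'(p) &= N(1-p)^{N-1} - N(N-1)\,p\,(1-p)^{N-2} = N(1-p)^{N-2}\,(1 - Np) \\
f'(p^{*}) = 0 &\;\Rightarrow\; p^{*} = \tfrac{1}{N} \\
f(p^{*}) &= N \cdot \tfrac{1}{N}\Bigl(1-\tfrac{1}{N}\Bigr)^{N-1} = \Bigl(1-\tfrac{1}{N}\Bigr)^{N-1} \;\longrightarrow\; \tfrac{1}{e} \approx 0.37 \quad (N \to \infty)
\end{aligned}
```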
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others
CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
[Figure: spatial layout of nodes versus time, showing two transmissions overlapping]
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: spatial layout of nodes versus time; colliding transmissions are aborted shortly after detection]
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: A -- R -- B, with R joining the two LANs]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[Figure: A -- R -- B]
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adaptor receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: .1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
- heavy load: random wait will be longer
- first collision: choose K from {0,1}; delay is K · 512 bit transmission times
- after second collision: choose K from {0,1,2,3}
- after ten collisions, choose K from {0,1,2,3,4,…,1023}
CSMA/CD efficiency
- t_prop = max prop delay between 2 nodes in LAN
- t_trans = time to transmit max-size frame
  efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  - can disconnect a malfunctioning adapter
[Figure: hub with twisted pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: three department hubs connected to a backbone hub]
Switch
Link layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent:
- hosts are unaware of presence of switches
plug-and-play, self-learning:
- switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem
[Figure: switch with interfaces 1, 2, 3, each connected to a hub]
Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains
[Figure: switch connecting three hubs, each hub forming its own collision domain]
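The self-learning table with time stamps and the same-segment filtering from the two slides above, as an added Python example (not from the original slides); the LearningSwitch class, the MAC addresses and the frame sequence in demo() are constructed. Once A and B on segment 1 have been learned, their frames no longer reach segment 2, which is the isolation the packet-sniffing countermeasure ("one host per segment") relies on.

```python
"""Self-learning switch with switch-table time stamps and traffic isolation,
as on the slides. Added example, not from the original slides; the hosts,
MAC addresses and frames below are constructed.
"""
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass(frozen=True)
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address
    t: float   # arrival time at the switch, seconds


class LearningSwitch:
    """Switch table entries are (MAC address, interface, time stamp); stale
    entries are dropped after `ttl` seconds (the slide mentions 60 min)."""

    def __init__(self, interfaces, ttl=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}   # MAC -> (interface, time stamp)

    def _drop_stale(self, now):
        for mac, (_, stamp) in list(self.table.items()):
            if now - stamp > self.ttl:
                del self.table[mac]

    def receive(self, frame, in_iface):
        """Process one frame arriving on `in_iface`; return the interfaces
        it is forwarded out on ([] means filtered)."""
        self._drop_stale(frame.t)
        # self-learning: the sender is reachable via the incoming segment
        self.table[frame.src] = (in_iface, frame.t)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # unknown destination: flood to every segment except the source's
            return [i for i in self.interfaces if i != in_iface]
        out_iface = entry[0]
        if out_iface == in_iface:
            return []          # same-LAN-segment frame: filtered, not forwarded
        return [out_iface]     # selective forwarding by MAC dest address


# constructed MAC addresses: A and B share segment 1, C sits on segment 2
A, B, C = "02-00-00-00-00-0A", "02-00-00-00-00-0B", "02-00-00-00-00-0C"


def demo():
    """Walk the slide's scenario and return the forwarding decisions."""
    sw = LearningSwitch([1, 2, 3], ttl=3600)
    return [
        sw.receive(Frame(A, C, 0.0), 1),     # A unknown dest C: flooded
        sw.receive(Frame(C, A, 1.0), 2),     # C replies: A already learned on 1
        sw.receive(Frame(A, B, 2.0), 1),     # B not yet learned: flooded
        sw.receive(Frame(B, A, 3.0), 1),     # A and B on same segment: filtered
        sw.receive(Frame(C, A, 4000.0), 2),  # A's entry timed out: flooded again
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```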
Switches vs Routers
- both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: A, B, C with A and C in range of B but not of each other]
Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
  means A, C unaware of their interference at B
[Figure: A's signal strength and C's signal strength plotted against space, overlapping only at B]
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other interfering at B
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer
  - all hosts use same chipping code
- widely deployed, using base stations
802.11a
- 5-6 GHz range
- up to 54 Mbps
802.11g
- 2.4-5 GHz range
- up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with base station
  - base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
- ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with its own AP, attached through a hub, switch or router to the Internet]
Network Security
Internet security threats
Mapping countermeasures record traffic entering network look for suspicious activity (IP addresses
pots being scanned sequentially)
Internet security threatsPacket sniffing
broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (eg passwords) eg C sniffs Brsquos packets
A
B
C
srcB destA payload
Countermeasures
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch: link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
- transparent: hosts are unaware of presence of switches
- plug-and-play, self-learning: switches do not need to be configured

Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: switch with interfaces 1, 2, 3, each attached to a hub]

Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table

Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
[Figure: switch connecting three hubs; each hub's segment is its own collision domain]

Switches vs. Routers
- both store-and-forward devices: routers are network layer devices (examine network layer headers), switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: three wireless nodes A, B, C]
Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other: means A, C unaware of their interference at B
[Figure: A's and C's signal strength versus space, overlapping only at B]
Signal fading
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
- 802.11b
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code
  - widely deployed, using base stations
- 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
- 802.11g
  - 2.4-5 GHz range
  - up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions

802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
- ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender senses idle for DIFS, sends data; receiver waits SIFS, returns ACK]

Collision Avoidance: RTS-CTS exchange
[Figure: A and B both send RTS to the AP and the reservations collide; A's retransmitted RTS(A) is answered by CTS(A) to both stations; A sends DATA(A) and receives ACK(A) while B defers]
802.11 frame format (field lengths in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)

802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
[Figure: H1, AP, R1 and the Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]
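A parser for the frame layout in the slide, as an added Python example that is not from the lecture. `build_frame`, `parse_frame`, the frame-control bit positions (from the 802.11 standard, beyond what the slide shows) and the H1/AP/R1 MAC addresses are assumptions or constructed values; the CRC is computed with CRC-32 over header and payload and does not reproduce the exact bit ordering of the real FCS.

```python
import struct
import zlib

# Field lengths from the slide (bytes): frame control 2, duration 2, address 1/2/3 6 each,
# seq control 2, address 4 6, payload 0-2312, CRC 4. 802.11 header fields are little-endian.
FIXED_HEADER = struct.Struct("<HH6s6s6sH")
ADDR4_LEN, CRC_LEN, MAX_PAYLOAD = 6, 4, 2312


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def crc_ok(frame):
    """True if the trailing CRC-32 matches the header and payload."""
    body, (crc,) = frame[:-CRC_LEN], struct.unpack("<I", frame[-CRC_LEN:])
    return zlib.crc32(body) & 0xFFFFFFFF == crc


def build_frame(addr1, addr2, addr3, payload, frame_control=0x0108, addr4=None, seq=0):
    """Assemble a frame in the slide's layout. 0x0108 = data frame with To DS set (assumed)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    header = FIXED_HEADER.pack(frame_control, 0, mac_to_bytes(addr1), mac_to_bytes(addr2),
                               mac_to_bytes(addr3), seq)
    if addr4 is not None:
        header += mac_to_bytes(addr4)
    body = header + payload
    # CRC-32 over header and payload; the real FCS bit ordering is not reproduced here.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame, has_addr4=False):
    """Split a frame into fields; raises ValueError if truncated or if the CRC fails."""
    header_len = FIXED_HEADER.size + (ADDR4_LEN if has_addr4 else 0)
    if len(frame) < header_len + CRC_LEN:
        raise ValueError("frame shorter than header plus CRC")
    if not crc_ok(frame):
        raise ValueError("CRC mismatch: frame corrupted in transit")
    fc, duration, a1, a2, a3, seq = FIXED_HEADER.unpack_from(frame, 0)
    a4 = frame[FIXED_HEADER.size:header_len] if has_addr4 else None
    return {
        # Frame-control bits per the 802.11 standard (beyond the slide): type in bits 2-3,
        # To DS is bit 8, From DS is bit 9.
        "type": (fc >> 2) & 0x3,  # 0 management, 1 control, 2 data
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "duration": duration,
        "seq_control": seq,
        # Roles as the slide labels them for a host-to-AP frame in infrastructure mode:
        "receiver": bytes_to_mac(a1),      # address 1: host or AP that receives this frame
        "transmitter": bytes_to_mac(a2),   # address 2: host or AP transmitting this frame
        "router_iface": bytes_to_mac(a3),  # address 3: router interface the AP is attached to
        "address4": bytes_to_mac(a4) if a4 else None,  # used only in ad hoc mode
        "payload": frame[header_len:-CRC_LEN],
    }


# Constructed MAC addresses standing in for H1, AP and R1 in the slide's figure.
H1_MAC, AP_MAC, R1_MAC = "02-00-00-00-00-01", "02-00-00-00-00-AA", "02-00-00-00-00-11"
SAMPLE = build_frame(AP_MAC, H1_MAC, R1_MAC, b"IP datagram bytes (constructed)")
ADHOC_SAMPLE = build_frame(H1_MAC, R1_MAC, H1_MAC, b"x", frame_control=0x0008,
                           addr4="02-00-00-00-00-44")
```

Rejecting a frame whose CRC does not verify, before any field is interpreted, is the habit a parser of link-layer input should have; the corrupted-frame check in the test shows a single flipped bit being caught.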
Network Security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Internet security threats: Packet sniffing
- broadcast media
- promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets
[Figure: A, B, C on a shared medium; frame src:B dest:A payload]
Countermeasures?

Internet security threats: Packet sniffing countermeasures
- all hosts in organization run software that checks periodically if host interface in promiscuous mode
- one host per segment of broadcast media (switched Ethernet at hub)
[Figure: A, B, C each on their own switch port; frame src:B dest:A payload]
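The first countermeasure, checking whether an interface is in promiscuous mode, as an added Python example that is not from the lecture. It assumes a Linux host, where `/sys/class/net/<iface>/flags` exposes the interface flags as a hexadecimal number and `IFF_PROMISC` is bit `0x100` (values from `<linux/if.h>`); the `SAMPLE_FLAGS` dictionary is constructed so the check runs offline.

```python
import os

# Interface flag bits from <linux/if.h> (assumed Linux host).
IFF_UP = 0x1
IFF_PROMISC = 0x100

# Constructed sysfs contents: {interface: text of /sys/class/net/<iface>/flags}.
# 0x1003 = UP|BROADCAST|MULTICAST; 0x1103 additionally has PROMISC set.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}


def parse_flags(text):
    """The flags file holds one hexadecimal number, e.g. '0x1003'."""
    return int(text.strip(), 16)


def is_promiscuous(flags):
    return bool(flags & IFF_PROMISC)


def scan_flags(flags_by_iface):
    """Names of interfaces whose flags have IFF_PROMISC set, sorted for stable reporting."""
    return sorted(name for name, text in flags_by_iface.items()
                  if is_promiscuous(parse_flags(text)))


def read_sysfs(root="/sys/class/net"):
    """Collect the flags files of a live Linux host; returns {} where sysfs is absent."""
    found = {}
    if not os.path.isdir(root):
        return found
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                found[name] = fh.read()
        except OSError:
            continue  # e.g. a device that vanished between listdir and open
    return found


def report(flags_by_iface=None):
    """The periodic check the slide suggests: promiscuous interfaces of this host."""
    return scan_flags(flags_by_iface if flags_by_iface is not None else read_sysfs())
```

Run `report()` from a scheduled job and alert on a non-empty result; the check only sees the host it runs on, which is why the slide pairs it with the second countermeasure, switched Ethernet.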
Internet security threats: IP Spoofing
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed
- e.g.: C pretends to be B
[Figure: A, B, C; C sends frame src:B dest:A payload]
Countermeasures?

Internet security threats: IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
[Figure: A, B, C; frame src:B dest:A payload]
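Ingress filtering as the slide describes it (the practice standardized as BCP 38 / RFC 2827), as an added Python example that is not from the lecture. The per-interface policy, interface names and packets are constructed; `237.196.7.0/24` is the network the ARP slides' figure uses.

```python
import ipaddress

# Constructed policy: for each customer-facing interface, the prefixes legitimately
# sourced behind it. Interfaces without an entry (e.g. transit links) are not filtered.
INGRESS_POLICY = {
    "cust0": ["237.196.7.0/24"],
    "cust1": ["198.51.100.0/24", "2001:db8::/32"],
}


def compile_policy(policy):
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in policy.items()}


def source_valid(src, in_iface, compiled):
    """A packet entering from a stub network must carry a source address in that network."""
    allowed = compiled.get(in_iface)
    if allowed is None:
        return True  # unfiltered interface
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source field is never forwarded
    # ip_network.__contains__ returns False across IPv4/IPv6, so mixed lists are safe.
    return any(addr in net for net in allowed)


def apply_ingress_filter(packets, policy=INGRESS_POLICY):
    """Split packets into (forwarded, dropped) according to the policy."""
    compiled = compile_policy(policy)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_valid(pkt["src"], pkt["in_iface"], compiled) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets: only src and the arrival interface matter to the filter.
SAMPLE_PACKETS = [
    {"id": 1, "src": "237.196.7.23", "dst": "203.0.113.9", "in_iface": "cust0"},   # legitimate
    {"id": 2, "src": "10.0.0.5", "dst": "203.0.113.9", "in_iface": "cust0"},       # spoofed source
    {"id": 3, "src": "237.196.7.23", "dst": "203.0.113.9", "in_iface": "cust1"},   # wrong customer
    {"id": 4, "src": "2001:db8::1", "dst": "2001:db8:1::9", "in_iface": "cust1"},  # legitimate v6
    {"id": 5, "src": "203.0.113.9", "dst": "237.196.7.23", "in_iface": "transit0"},  # unfiltered
    {"id": 6, "src": "not-an-ip", "dst": "203.0.113.9", "in_iface": "cust0"},      # malformed
]


def forwarded_ids(packets=SAMPLE_PACKETS):
    fwd, drop = apply_ingress_filter(packets)
    return [p["id"] for p in fwd], [p["id"] for p in drop]
```

The filter is applied where the packet enters the network, on the customer-facing interface, which is the one place the router actually knows which source addresses are legitimate; this is also why, as the slide says, it cannot be enforced by anyone other than each edge network itself.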
Internet security threats: Denial of service (DOS)
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver
- e.g., C and remote host SYN-attack A
[Figure: A, B, C; streams of SYN packets from C and a remote host converge on A]
Countermeasures?

Internet security threats: Denial of service (DOS) countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
[Figure: A, B, C; SYN flood toward A]
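A detector for the SYN flood the slides describe, run over constructed flow-log lines; added example, not from the lecture. The log format, the host addresses (10.0.0.1 plays A, 10.0.0.2 is B, 10.0.0.3 is C, 198.51.100.7 is the remote host) and the `detect_syn_floods` thresholds are assumptions made here.

```python
import re
from collections import defaultdict, deque

# Constructed, tcpdump-like lines: "<seconds> <src>:<port> > <dst>:<port> <TCP flags>"
# "S" = SYN only, "S." = SYN-ACK, "." = ACK. B completes a normal handshake with A
# while C and the remote host send SYNs to A in a burst.
SAMPLE_LOG = """\
0.00 10.0.0.2:40000 > 10.0.0.1:80 S
0.01 10.0.0.1:80 > 10.0.0.2:40000 S.
0.02 10.0.0.2:40000 > 10.0.0.1:80 .
0.10 10.0.0.3:1001 > 10.0.0.1:80 S
0.12 198.51.100.7:2001 > 10.0.0.1:80 S
0.14 10.0.0.3:1002 > 10.0.0.1:80 S
0.16 198.51.100.7:2002 > 10.0.0.1:80 S
0.18 10.0.0.3:1003 > 10.0.0.1:80 S
0.20 198.51.100.7:2003 > 10.0.0.1:80 S
0.22 10.0.0.3:1004 > 10.0.0.1:80 S
0.24 198.51.100.7:2004 > 10.0.0.1:80 S
2.00 10.0.0.2:40001 > 10.0.0.4:22 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):\d+ > (?P<dst>[\d.]+):\d+ (?P<flags>[A-Z.]+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparsable lines are skipped, not trusted
    return {"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"], "flags": m["flags"]}


def detect_syn_floods(lines, window=1.0, threshold=5):
    """Per destination, count SYN-only segments in a sliding window of `window` seconds.

    Returns {dst: {"peak": most SYNs seen in any window, "sources": distinct senders}}
    for destinations whose peak reaches `threshold`. Many sources for one destination
    is the DDOS signature; a single source points at one flooding host."""
    recent = defaultdict(deque)   # dst -> timestamps of SYNs inside the current window
    sources = defaultdict(set)    # dst -> every address that sent it a SYN
    peak = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        if rec["flags"] != "S":
            continue  # only SYN-only segments count; SYN-ACKs and ACKs are not the flood
        q = recent[rec["dst"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        sources[rec["dst"]].add(rec["src"])
        peak[rec["dst"]] = max(peak[rec["dst"]], len(q))
    return {dst: {"peak": peak[dst], "sources": len(sources[dst])}
            for dst in peak if peak[dst] >= threshold}
```

Note that B's legitimate SYN is counted among the nine: a filter that drops SYNs to A during the burst throws out B's connection attempt with the attack traffic, which is exactly the "throw out good with bad" cost the slide names.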
Review (1): Network Layer
- Virtual Circuits and Datagram Networks
- Routing Principles
  - Link State Algorithm
  - Distance Vector Algorithm
- The Internet (IP) Protocol
  - IPv4 addressing
  - Datagram format
  - IP fragmentation
  - ICMP: Internet Control Message Protocol
  - IPv6
  - NAT: Network Address Translation

Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols
  - TDMA/FDMA
  - Random Access Protocols
  - "Taking Turns" Protocols
- Link-Layer Addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs

Review (3): Network Security
- What is network security?
- Principles of cryptography: Symmetric Key, Public Key
- Authentication: Protocol evolution
- Access control: firewalls
- Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
  Initialization:
    N = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = ∞

  Loop
    find w not in N such that D(w) is a minimum
    add w to N
    update D(v) for all v adjacent to w and not in N:
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N

Dijkstra's algorithm example
Step  N         D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u         2,u        5,u        1,u        ∞          ∞
1     ux        2,u        4,x                   2,x        ∞
2     uxy       2,u        3,y                              4,y
3     uxyv                 3,y                              4,y
4     uxyvw                                                 4,y
5     uxyvwz
[Figure: network with nodes u, v, w, x, y, z; the link costs shown are 2, 2, 1, 3, 1, 1, 2, 5, 3, 5]
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors
- When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N
- Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)

Distance Vector Algorithm (2)
- Iterative, asynchronous: each local iteration caused by: local link cost change; DV update message from neighbor
- Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
- The algorithm doesn't know the entire path, only knows the next hop
Each node: wait for (change in local link cost or msg from neighbor), then update

Why different Intra- and Inter-AS routing?
- … update traffic
- Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance
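Both routing computations from the slides, as one added Python example (not lecture code) placed here because it serves the Dijkstra example and the distance vector slides: `dijkstra` follows the slide's pseudocode and `distance_vector` iterates the Bellman-Ford equation until no vector changes. The link costs in `LINKS` are an assumption reconstructed from the figure so that they reproduce the slide's table (u-x 1, u-v 2, u-w 5, x-y 1, x-w 3, y-w 1, y-z 2, v-x 2, v-w 3, w-z 5).

```python
INF = float("inf")

# Assumed link costs for the slide's six-node example (reconstructed, see lead-in).
LINKS = {("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
         ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2}


def adjacency(links):
    """Undirected link list -> {node: {neighbour: cost}}."""
    adj = {}
    for (a, b), c in links.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(adj, u):
    """Link-state computation from the slide: returns (D, p), least cost and predecessor."""
    D = {v: adj[u].get(v, INF) for v in adj}  # initialization: D(v) = c(u,v) or infinity
    D[u] = 0
    p = {v: (u if v in adj[u] else None) for v in adj}
    p[u] = None
    N = {u}
    while len(N) < len(adj):
        # find w not in N such that D(w) is a minimum (ties broken by node order)
        w = min((n for n in adj if n not in N), key=lambda n: D[n])
        N.add(w)
        for v, c in adj[w].items():  # update D(v) for v adjacent to w and not in N
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p


def distance_vector(adj, max_rounds=50):
    """Synchronous DV: each node repeats D_x(y) <- min_v { c(x,v) + D_v(y) } using the
    vectors its neighbours last sent, until no vector changes.
    Returns (D, next_hop, rounds) with D[x][y] the cost node x believes it has to y."""
    nodes = list(adj)
    D = {x: {y: (0 if x == y else adj[x].get(y, INF)) for y in nodes} for x in nodes}
    hop = {x: {y: (y if y in adj[x] else None) for y in nodes} for x in nodes}
    for rounds in range(1, max_rounds + 1):
        received = {x: dict(D[x]) for x in nodes}  # the DV update messages of this round
        changed = False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                best, via = D[x][y], hop[x][y]
                for v, c in adj[x].items():
                    if c + received[v][y] < best:
                        best, via = c + received[v][y], v
                if best != D[x][y]:
                    D[x][y], hop[x][y], changed = best, via, True
        if not changed:
            return D, hop, rounds  # converged: nobody would notify a neighbour
    raise RuntimeError("distance vector did not converge")


ADJ = adjacency(LINKS)
```

With these costs the DV iteration settles in three rounds, and every node's converged vector equals what Dijkstra computes from that node, which is the convergence claim on the slide made concrete. Dijkstra's visit order differs from the table at the v/y tie in step 2, but the final D and p columns are identical.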
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
[Figure: a "link" between two adjacent nodes]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link

Link Layer Services
- Framing, link access:
  - encapsulate datagram into frame, adding header, trailer
  - channel access if shared medium
  - "MAC" addresses used in frame headers to identify source, dest (different from IP address)
- Reliable delivery between adjacent nodes
  - we learned how to do this already (chapter 3)
  - seldom used on low bit error link (fiber, some twisted pair)
  - wireless links: high error rates
  - Q: why both link-level and end-end reliability?

MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning
  - divide channel into smaller "pieces" (time slots, frequency, code)
  - allocate piece to node for exclusive use
- Random Access
  - channel not divided, allow collisions
  - "recover" from collisions
- "Taking turns"
  - Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided

Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization

Slotted Aloha efficiency
- Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
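The maximization the slide states, carried through as an added derivation (not from the lecture); p, N and e are the slide's own symbols.

$$E(p) = N p (1-p)^{N-1}$$

$$\frac{dE}{dp} = N(1-p)^{N-1} - N(N-1)\,p\,(1-p)^{N-2} = N(1-p)^{N-2}\bigl(1 - Np\bigr)$$

Setting $dE/dp = 0$ for $0 < p < 1$ gives $p^{*} = 1/N$, and

$$E(p^{*}) = \Bigl(1-\frac{1}{N}\Bigr)^{N-1} \longrightarrow \frac{1}{e} \approx 0.37 \quad (N \to \infty),$$

since $(N-1)\ln\bigl(1-\tfrac{1}{N}\bigr) \to -1$. For $N = 2$ the optimum is $0.5$ and for $N = 10$ it is $0.9^{9} \approx 0.387$, so the 37% figure is a limit approached from above as the number of contending nodes grows.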
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others!

CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- note: role of distance & propagation delay in determining collision probability
[Figure: spatial layout of nodes; space-time diagram of two overlapping transmissions]

CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting

CSMA/CD collision detection
[Figure: space-time diagram of collision detection]

"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine MAC address of B knowing B's IP address?
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL>
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]

ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address
  - Dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator

Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[Figure: A on one LAN, router R, B on the other LAN]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[Figure: A, R, B]
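The ARP cache with soft-state aging and the A-to-B-via-R walkthrough from the last two slides, as one added Python example that is not lecture code. Router R's LAN-1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's values; the other addresses, interface names and class names are constructed here.

```python
import ipaddress

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60  # slide: a mapping is forgotten after typically 20 min


class ArpTable:
    """Per-interface IP -> MAC cache; soft state that is forgotten unless refreshed."""

    def __init__(self, ttl=ARP_TTL):
        self.ttl, self.entries = ttl, {}  # ip -> (mac, expiry time)

    def lookup(self, ip, now):
        mac, expiry = self.entries.get(ip, (None, 0))
        if mac is not None and now < expiry:
            return mac
        self.entries.pop(ip, None)  # timed out (or absent): nothing cached
        return None

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)


class Lan:
    """A broadcast segment: an ARP query reaches every (node, interface) attached to it."""

    def __init__(self):
        self.ports = []


class Node:
    def __init__(self, name):
        self.name, self.ifaces, self.arp, self.default_route = name, {}, {}, None

    def add_iface(self, iface, ip, mac, prefix, lan):
        self.ifaces[iface] = {"ip": ip, "mac": mac, "net": ipaddress.ip_network(prefix), "lan": lan}
        self.arp[iface] = ArpTable()  # router R ends up with one table per attached LAN
        lan.ports.append((self, iface))

    def route(self, dst_ip):
        """(outgoing interface, next-hop IP): direct delivery if dst is on an attached LAN."""
        addr = ipaddress.ip_address(dst_ip)
        for iface, cfg in self.ifaces.items():
            if addr in cfg["net"]:
                return iface, dst_ip
        return self.default_route  # routing table entry: (iface, router IP)

    def resolve(self, iface, ip, now, log):
        """ARP: answer from the cache, else broadcast a query and cache the unicast reply."""
        cfg = self.ifaces[iface]
        mac = self.arp[iface].lookup(ip, now)
        if mac is None:
            log.append(f"{self.name} query: who has {ip}? -> {BROADCAST}")
            for node, port in cfg["lan"].ports:
                if node.ifaces[port]["ip"] == ip:
                    mac = node.ifaces[port]["mac"]
                    log.append(f"{node.name} reply: {ip} is at {mac} -> {cfg['mac']}")
            if mac is None:
                raise LookupError(f"{ip} is not on this LAN")
            self.arp[iface].learn(ip, mac, now)
        return mac


def forward(node, datagram, now, log):
    """Carry datagram {src, dst} hop by hop; returns the link-layer frames built on the way."""
    frames = []
    while not any(datagram["dst"] == cfg["ip"] for cfg in node.ifaces.values()):
        iface, next_hop = node.route(datagram["dst"])
        cfg = node.ifaces[iface]
        dst_mac = node.resolve(iface, next_hop, now, log)
        # The IP datagram is unchanged; only the frame's MAC addresses change per hop.
        frames.append({"src_mac": cfg["mac"], "dst_mac": dst_mac, "datagram": dict(datagram)})
        node = next(n for n, p in cfg["lan"].ports if n.ifaces[p]["mac"] == dst_mac)
    return frames


def build_topology():
    """A on LAN 1, router R between LAN 1 and LAN 2, B on LAN 2. R's LAN-1 address and MAC
    are the slide's values; every other address is constructed."""
    lan1, lan2 = Lan(), Lan()
    a, r, b = Node("A"), Node("R"), Node("B")
    a.add_iface("eth0", "111.111.111.111", "02-00-00-00-00-0A", "111.111.111.0/24", lan1)
    r.add_iface("if1", "111.111.111.110", "E6-E9-00-17-BB-4B", "111.111.111.0/24", lan1)
    r.add_iface("if2", "222.222.222.220", "02-00-00-00-00-02", "222.222.222.0/24", lan2)
    b.add_iface("eth0", "222.222.222.222", "02-00-00-00-00-0B", "222.222.222.0/24", lan2)
    a.default_route = ("eth0", "111.111.111.110")
    b.default_route = ("eth0", "222.222.222.220")
    return a, r, b


def walkthrough():
    """Send A -> B at t=0 (ARP on both LANs), t=60 (cache hits) and after the TTL expired.
    Returns [(frames, number of ARP queries)] per send."""
    a, _, _ = build_topology()
    datagram = {"src": "111.111.111.111", "dst": "222.222.222.222"}
    results = []
    for t in (0, 60, ARP_TTL + 1):
        log = []
        frames = forward(a, datagram, t, log)
        results.append((frames, sum(1 for line in log if "query" in line)))
    return results
```

The first send produces two ARP exchanges, one on each LAN, and two frames whose IP datagram is identical while the MAC addresses are rewritten at R; the second send needs no ARP at all, and the third, after the 20-minute TTL, resolves both addresses again.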
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access

Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K · 512 bit times and returns to Step 2
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Internet security threatsPacket sniffing countermeasures
all hosts in organization run software that checks periodically if host interface in promiscuous mode
one host per segment of broadcast media (switched Ethernet at hub)
A
B
C
srcB destA payload
Internet security threatsIP Spoofing
can generate ldquorawrdquo IP packets directly from application putting any value into IP source address field
receiver canrsquot tell if source is spoofed eg C pretends to be B
A
B
C
srcB destA payload
Countermeasures
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMA/CD
- no slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame.
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.
Exponential backoff
- goal: adapt retransmission attempts to estimated current load: heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K·512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}…
- after ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
- efficiency goes to 1 as t_prop goes to 0
- goes to 1 as t_trans goes to infinity
- much better than ALOHA, but still decentralized, simple, and cheap
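The backoff rule from steps 5 of the algorithm, the K ranges on the "more" slide and the efficiency formula above, as an added example (not the lecture's code). The 512-bit backoff unit, the 48-bit jam signal and the 1023 ceiling are the slide's values; capping the exponent at 10 collisions is the usual Ethernet rule and an assumption here.

```python
"""Ethernet CSMA/CD: exponential backoff and the efficiency approximation
from the lecture slides.

Added example, not from the lecture. 512 bit times per backoff unit, the
48-bit jam signal and K <= 1023 are the slide's numbers; capping the exponent
at the 10th collision is the usual Ethernet rule and an assumption here.
"""
import random
from typing import Optional

BACKOFF_UNIT_BITS = 512     # slide: adapter waits K * 512 bit times
MAX_EXPONENT = 10           # K range stops growing after the 10th collision (0..1023)
JAM_SIGNAL_BITS = 48


def bit_time_seconds(rate_bps: float) -> float:
    """Duration of one bit on the wire: 0.1 microsecond at 10 Mbps."""
    return 1.0 / rate_bps


def backoff_range(collision_count: int) -> range:
    """K is drawn uniformly from {0, 1, ..., 2^m - 1} after the m-th collision,
    with m capped so that the largest possible K is 1023."""
    if collision_count < 1:
        raise ValueError("backoff happens only after at least one collision")
    m = min(collision_count, MAX_EXPONENT)
    return range(0, 2 ** m)


def choose_backoff(collision_count: int, rng: Optional[random.Random] = None) -> int:
    """Step 5 of the algorithm: pick K at random for this collision count."""
    if rng is None:
        rng = random.Random()
    return rng.choice(backoff_range(collision_count))


def backoff_wait_seconds(k: int, rate_bps: float) -> float:
    """Wait time for a chosen K: K * 512 bit times at the link rate."""
    return k * BACKOFF_UNIT_BITS * bit_time_seconds(rate_bps)


def max_frame_transmit_time(frame_bits: int, rate_bps: float) -> float:
    """t_trans for a frame of the given size."""
    return frame_bits * bit_time_seconds(rate_bps)


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slide's approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    # Worst case after 10 collisions at 10 Mbps: 1023 * 512 * 0.1 us, about 52 ms
    print(backoff_wait_seconds(1023, 10e6))
    # 1500-byte frame on 10 Mbps Ethernet with 25 us end-to-end propagation delay
    print(csma_cd_efficiency(25e-6, max_frame_transmit_time(1500 * 8, 10e6)))
```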
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros:
- enables interdepartmental communication
- extends max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it
Cons:
- collision domains are transferred into one large common domain
- cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub interconnecting three departmental hubs]
Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent
- hosts are unaware of presence of switches
Plug-and-play, self-learning
- switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: switch with interfaces 1, 2 and 3, each leading to a hub and its LAN segment]
Self learning
A switch has a switch table.
Entry in switch table: (MAC address, interface, time stamp); stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces:
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
[Figure: switch connecting three hubs; each hub's segment is its own collision domain]
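The self-learning and filtering behaviour of the two slides above, as an added example (not the lecture's code): a switch table of (MAC address, interface, time stamp) entries that expire after the slide's 60-minute TTL, with flooding for unknown destinations, selective forwarding for known ones, and filtering of same-segment frames. Interface numbers, MAC addresses and the frame sequence are constructed.

```python
"""Self-learning switch table with soft-state entries, following the
'Self learning' and 'Switch: traffic isolation' slides.

Added example, not from the lecture. The 60-minute TTL is the slide's value;
interface numbers, MAC addresses and the frame sequence are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

BROADCAST = "FF-FF-FF-FF-FF-FF"
TTL_SECONDS = 60 * 60                # slide: "TTL can be 60 min"


@dataclass
class TableEntry:
    interface: int
    timestamp: float                 # last time this MAC was seen as a sender


class LearningSwitch:
    def __init__(self, interfaces: List[int], ttl: float = TTL_SECONDS) -> None:
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table: Dict[str, TableEntry] = {}   # MAC address -> (interface, time stamp)

    def expire(self, now: float) -> None:
        """Drop stale entries: soft state goes away unless refreshed by a new frame."""
        stale = [mac for mac, e in self.table.items() if now - e.timestamp > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src: str, dst: str, in_iface: int, now: float) -> List[int]:
        """Handle one incoming frame; return the interfaces it is forwarded onto."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown interface {in_iface}")
        self.expire(now)
        # Learn: the sender is reachable through the segment the frame came in on.
        self.table[src] = TableEntry(in_iface, now)
        entry = self.table.get(dst)
        if dst != BROADCAST and entry is not None:
            if entry.interface == in_iface:
                return []                    # same-segment frame: filtered, not forwarded
            return [entry.interface]         # selective forwarding by MAC destination
        # Unknown destination or broadcast: flood to every other segment.
        return [i for i in self.interfaces if i != in_iface]


def demo() -> List[List[int]]:
    """Constructed trace: A on interface 1, B on interface 2, C on A's hub (interface 1)."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    return [
        sw.receive(a, b, 1, now=0.0),                 # B unknown: flood to 2 and 3
        sw.receive(b, a, 2, now=1.0),                 # A learned on 1: forward to 1 only
        sw.receive(c, a, 1, now=2.0),                 # C and A share interface 1: filtered
        sw.receive(a, b, 1, now=TTL_SECONDS + 5.0),   # B's entry expired: flood again
    ]
```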
Switches vs. routers
- both store-and-forward devices
- routers: network layer devices (examine network layer headers); switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
[Figure: A, B, C; A and C each in range of B but not of each other]
Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other; means A, C unaware of their interference at B
[Figure: A's and C's signal strength versus position in space, both reaching B]
Signal fading
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer: all hosts use same chipping code
- widely deployed, using base stations
802.11a
- 5-6 GHz range
- up to 54 Mbps
802.11g
- 2.4-5 GHz range
- up to 54 Mbps
All use CSMA/CA for multiple access. All have base-station and ad-hoc network versions.
802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
- ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with its own AP, joined by a hub, switch or router to the Internet]
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: timing diagram: sender waits DIFS then sends data; receiver waits SIFS then sends ACK]
Collision avoidance: RTS-CTS exchange
[Figure: A and B each send an RTS to the AP; RTS(A) and RTS(B) collide; A resends RTS(A) (reservation); AP answers with CTS(A), heard by both A and B; B defers; A sends DATA(A); AP returns ACK(A), heard by both]
[Figure: 802.11 frame format with field lengths in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4)]
802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
[Figure: H1 sends through the AP to router R1 and on to the Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Internet security threats: IP spoofing
- can generate "raw" IP packets directly from application, putting any value into IP source address field
- receiver can't tell if source is spoofed, e.g., C pretends to be B
[Figure: A, B and C on a network; C sends a packet with src:B, dest:A, payload to A]
Countermeasures?
Internet security threats: IP spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router's network)
- great, but ingress filtering can not be mandated for all networks
[Figure: same scenario, with the packet (src:B, dest:A, payload) sent by C]
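The ingress-filtering rule above as an added example (not the lecture's code): a border router forwards an outgoing datagram only if its source address belongs to a prefix assigned to the interface it arrived on, so C cannot leave its own network with src = B. Prefixes, interface names and packets are constructed.

```python
"""Ingress filtering check for a border router: an outgoing datagram is
forwarded only if its source address belongs to the network behind the
interface it arrived on, so C cannot leave its own network claiming to be B.

Added example, not from the lecture. Prefixes, interface names and packets
are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Packet = Tuple[str, str, str]            # (src ip, dst ip, ingress interface)


class IngressFilter:
    def __init__(self, interface_prefixes: Dict[str, List[str]]) -> None:
        # interface -> prefixes that may legitimately source traffic through it
        self.allowed = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in interface_prefixes.items()
        }

    def permits(self, src: str, ingress_iface: str) -> bool:
        """True only if src lies inside a prefix assigned to the arrival interface."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False                    # malformed source address: never forwarded
        prefixes = self.allowed.get(ingress_iface)
        if prefixes is None:
            return False                    # interface with no registered prefix: fail closed
        return any(addr in p for p in prefixes)

    def filter(self, packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in packets:
            src, _dst, iface = pkt
            (forwarded if self.permits(src, iface) else dropped).append(pkt)
        return forwarded, dropped


def demo() -> Tuple[List[Packet], List[Packet]]:
    # Constructed: C's stub network 203.0.113.0/24 is behind interface lan0;
    # B's address 198.51.100.7 lives elsewhere, so "src B" leaving lan0 is a spoof.
    router = IngressFilter({"lan0": ["203.0.113.0/24"]})
    packets: List[Packet] = [
        ("203.0.113.10", "192.0.2.1", "lan0"),    # C's own address: forwarded
        ("198.51.100.7", "192.0.2.1", "lan0"),    # C pretending to be B: dropped
        ("203.0.113.300", "192.0.2.1", "lan0"),   # not a valid address: dropped
    ]
    return router.filter(packets)
```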
Internet security threats: denial of service (DOS)
- flood of maliciously generated packets "swamp" receiver
- Distributed DOS (DDOS): multiple coordinated sources swamp receiver, e.g., C and remote host SYN-attack A
[Figure: A, B and C; C and a remote host send streams of SYN packets to A]
Countermeasures?
Internet security threats: denial of service (DOS) countermeasures
- filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
- traceback to source of floods (most likely an innocent, compromised machine)
[Figure: same SYN-flood scenario as above]
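The first countermeasure above, as an added example (not the lecture's code): a per-destination SYN rate filter run over a constructed packet trace. It shows both the filtering and the cost the slide names, since a legitimate client's SYN arriving mid-flood is thrown out with the bad ones. Threshold, window, addresses and the trace are constructed.

```python
"""SYN-flood filter over a constructed packet trace, showing the countermeasure
'filter out flooded packets (e.g., SYN) before reaching host' and its cost:
once the gate closes, good SYNs are thrown out with the bad.

Added example, not from the lecture. Threshold, window, addresses and the
trace are constructed; the victim A is 192.0.2.10.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple

Packet = Tuple[float, str, str, str]     # (time in s, src ip, dst ip, tcp flags)


class SynRateFilter:
    """Admit at most `limit` SYNs per destination within any window of `window_s` seconds."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window = window_s
        self.recent: Dict[str, Deque[float]] = {}   # dst ip -> times of admitted SYNs

    def admit(self, pkt: Packet) -> bool:
        t, _src, dst, flags = pkt
        if flags != "S":
            return True                           # only pure SYNs are rate-limited
        q = self.recent.setdefault(dst, deque())
        while q and t - q[0] > self.window:
            q.popleft()                           # slide the window forward
        if len(q) >= self.limit:
            return False                          # gate closed: dropped, good or bad
        q.append(t)
        return True


def run(trace: List[Packet], limit: int, window_s: float) -> Tuple[List[Packet], List[Packet]]:
    f = SynRateFilter(limit, window_s)
    passed: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in trace:
        (passed if f.admit(pkt) else dropped).append(pkt)
    return passed, dropped


def constructed_trace() -> List[Packet]:
    victim = "192.0.2.10"
    trace: List[Packet] = [(0.0, "198.51.100.7", victim, "S")]   # legitimate client B
    # C sends eight SYNs in 0.4 s (the flood)
    trace += [(0.5 + 0.05 * i, "203.0.113.9", victim, "S") for i in range(8)]
    trace.append((0.95, "198.51.100.8", victim, "S"))   # another legitimate client, mid-flood
    trace.append((1.0, "198.51.100.7", victim, "A"))    # B's data/ACK segment, not a SYN
    trace.append((3.0, "198.51.100.8", victim, "S"))    # same client retries after the window
    return trace
```

With a limit of 5 SYNs per 1-second window, the mid-flood SYN from 198.51.100.8 is dropped along with four of C's, and its retry at t=3.0 is admitted once the window has moved on.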
Review (1): Network Layer
- Virtual circuits and datagram networks
- Routing principles: link state algorithm; distance vector algorithm
- The Internet (IP) protocol: IPv4 addressing; datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation
Review (2): Data Link Layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA; random access protocols; "taking turns" protocols
- Link-layer addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs
Review (3)
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing algorithm classification
Global or decentralized information?
- Global: all routers have complete topology, link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors, link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update; in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N' = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞
Loop
  find w not in N' such that D(w) is a minimum
  add w to N'
  update D(v) for all v adjacent to w and not in N':
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N'
Dijkstra's algorithm: example
[Figure: example graph with nodes u, v, w, x, y, z and link costs 1, 1, 1, 2, 2, 2, 3, 3, 5, 5]

Step | N'     | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | ∞         | ∞
1    | ux     | 2,u       | 4,x       |           | 2,x       | ∞
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
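The pseudocode above run on the example graph, as an added example (not the lecture's code). The costs c(u,v)=2, c(u,x)=1, c(u,w)=5, c(x,y)=1, c(x,w)=3, c(y,w)=1 and c(y,z)=2 can be read off the table; c(v,x)=2, c(v,w)=3 and c(w,z)=5 cannot and are assumed here (they are consistent with the table). Where two nodes tie for the minimum D (v and y at step 2) the code takes the first it meets, so its N' order can differ from the slide's while the final costs and predecessors are the same.

```python
"""Dijkstra's link-state algorithm as given in the lecture pseudocode, run on
the six-node example graph from the slides.

Added example, not from the lecture. c(u,v)=2, c(u,x)=1, c(u,w)=5, c(x,y)=1,
c(x,w)=3, c(y,w)=1 and c(y,z)=2 follow from the slide's table; c(v,x)=2,
c(v,w)=3 and c(w,z)=5 are assumed here and are consistent with that table.
"""
import math
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, float]]


def make_graph(edges: List[Tuple[str, str, float]]) -> Graph:
    g: Graph = {}
    for a, b, cost in edges:
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost          # links are bidirectional
    return g


def dijkstra(g: Graph, u: str):
    """Return (D, p, steps): least costs, predecessors, and N' after each step."""
    # Initialization: N' = {u}; D(v) = c(u,v) for neighbours of u, infinity otherwise.
    n_prime = [u]
    D: Dict[str, float] = {v: g[u].get(v, math.inf) for v in g}
    D[u] = 0.0
    p: Dict[str, Optional[str]] = {v: (u if v in g[u] else None) for v in g}
    steps = [list(n_prime)]
    # Loop until all nodes are in N'.
    while len(n_prime) < len(g):
        # find w not in N' such that D(w) is a minimum (ties: first encountered)
        w = min((v for v in g if v not in n_prime), key=lambda v: D[v])
        n_prime.append(w)
        # update D(v) for all v adjacent to w and not in N'
        for v, c_wv in g[w].items():
            if v not in n_prime and D[w] + c_wv < D[v]:
                D[v] = D[w] + c_wv
                p[v] = w
        steps.append(list(n_prime))
    return D, p, steps


def forwarding_table(p: Dict[str, Optional[str]], u: str) -> Dict[str, str]:
    """Next hop from u toward each destination, by walking predecessors back to u."""
    table: Dict[str, str] = {}
    for dest in p:
        if dest == u or p[dest] is None:
            continue                             # source itself, or unreachable
        hop = dest
        while p[hop] != u:
            hop = p[hop]
        table[dest] = hop
    return table


EXAMPLE_EDGES: List[Tuple[str, str, float]] = [
    ("u", "v", 2), ("u", "x", 1), ("u", "w", 5), ("v", "x", 2), ("v", "w", 3),
    ("x", "w", 3), ("x", "y", 1), ("w", "y", 1), ("w", "z", 5), ("y", "z", 2),
]

if __name__ == "__main__":
    D, p, steps = dijkstra(make_graph(EXAMPLE_EDGES), "u")
    for i, n_prime in enumerate(steps):
        print(i, "".join(n_prime))
    print(D, p, forwarding_table(p, "u"))
```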
Distance vector algorithm (1)
Basic idea:
- each node periodically sends its own distance vector estimate to neighbors
- when a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation:
  D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N
- under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance vector algorithm (2)
Iterative, asynchronous: each local iteration caused by:
- local link cost change
- DV update message from neighbor
Distributed:
- each node notifies neighbors only when its DV changes
- neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path; it only knows the next hop.
Each node: wait for (change in local link cost or msg from neighbor); update.
Why different intra- and inter-AS routing? Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.
Data link layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links; wireless links; LANs
- layer-2 packet is a frame, encapsulates datagram
[Figure: "link" between two adjacent nodes]
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.
Link layer services
Framing, link access:
- encapsulate datagram into frame, adding header, trailer
- channel access if shared medium
- "MAC" addresses used in frame headers to identify source, dest (different from IP address)
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit error link (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-end reliability?
MAC protocols: a taxonomy
Three broad classes:
- Channel partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in rounds
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN; 1, 3, 4 have pkt; slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p.
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- for max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
- for many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity: gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time.
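The maximisation and limit the slide leaves implicit, worked through here as an added derivation (not part of the slides) in the slide's own symbols:

$$
\text{Eff}(N,p) = N p (1-p)^{N-1}
$$
$$
\frac{\partial}{\partial p}\,N p (1-p)^{N-1} = N (1-p)^{N-2}\big[(1-p) - (N-1)p\big] = N (1-p)^{N-2}\,(1 - Np)
$$
$$
\frac{\partial \text{Eff}}{\partial p} = 0 \;\Rightarrow\; p^{*} = \frac{1}{N}, \qquad \text{Eff}(N,p^{*}) = \Big(1-\frac{1}{N}\Big)^{N-1}
$$
$$
\lim_{N\to\infty}\Big(1-\frac{1}{N}\Big)^{N-1} = \lim_{N\to\infty}\frac{(1-1/N)^{N}}{1-1/N} = \frac{e^{-1}}{1} = \frac{1}{e} \approx 0.37
$$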
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
- if channel sensed idle: transmit entire frame
- if channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
[Figure: spatial layout of nodes; note role of distance & propagation delay in determining collision probability]
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
"Taking turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Internet security threatsIP Spoofing ingress filtering
routers should not forward outgoing packets with invalid source addresses (eg datagram source address not in routerrsquos network)
great but ingress filtering can not be mandated for all networks
A
B
C
srcB destA payload
Internet security threatsDenial of service (DOS)
flood of maliciously generated packets ldquoswamprdquo receiver Distributed DOS (DDOS) multiple coordinated sources swamp
receiver eg C and remote host SYN-attack A
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Countermeasures
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?
(Figure: a LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14 and 237.196.7.88, and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53.)
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query
- B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast)
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from a net administrator
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
- two ARP tables in router R, one for each IP network (LAN)
- in the routing table at the source host, find router 111.111.111.110; in the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
(Figure: A on one LAN, B on the other, router R attached to both.)
- A creates a datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram
- A's adapter sends the frame; R's adapter receives the frame
- R removes the IP datagram from the Ethernet frame, sees it is destined to B
- R uses ARP to get B's MAC address
- R creates a frame containing the A-to-B IP datagram and sends it to B
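The two slides above (ARP on one LAN, then the A-to-R-to-B walkthrough) as an added Python model; this is example code written for this page, not the course's own material. The only addresses taken from the slides are the router's LAN-1 address 111.111.111.110 and its MAC E6-E9-00-17-BB-4B; the addresses of A, B and R's second interface are constructed sample values. The model keeps the ARP table as soft state with the slide's 20-minute TTL, broadcasts a query only on a cache miss, and picks the router as next hop when the destination is off the sender's subnet.

```python
import ipaddress

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_TTL_S = 20 * 60          # slide: a mapping is typically forgotten after 20 min


class ArpTable:
    """Soft-state IP -> MAC cache: an entry goes away unless refreshed before its TTL."""
    def __init__(self, ttl=ARP_TTL_S):
        self.ttl = ttl
        self.entries = {}    # ip -> (mac, expiry time)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)   # (re)learning refreshes the TTL

    def lookup(self, ip, now):
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, expiry = hit
        if now >= expiry:    # timed out: forget it, the caller must query again
            del self.entries[ip]
            return None
        return mac


class Interface:
    def __init__(self, ip, mac, network):
        self.ip = ipaddress.ip_address(ip)
        self.mac = mac
        self.net = ipaddress.ip_network(network)
        self.arp = ArpTable()

    def cached_mac(self, ip, now):
        return self.arp.lookup(ipaddress.ip_address(ip), now)


class Lan:
    """One broadcast segment: a query sent to FF-FF-FF-FF-FF-FF reaches every member."""
    def __init__(self, *members):
        self.members = list(members)
        self.queries = 0                 # counts broadcasts, to show cache hits avoid them

    def arp_query(self, target_ip):
        self.queries += 1
        for iface in self.members:
            if iface.ip == target_ip:    # only the owner of the IP answers, unicast
                return iface.mac
        return None


def resolve(iface, lan, target_ip, now):
    """MAC for target_ip: ARP cache first, broadcast query on a miss, then cache the answer."""
    mac = iface.arp.lookup(target_ip, now)
    if mac is None:
        mac = lan.arp_query(target_ip)
        if mac is not None:
            iface.arp.learn(target_ip, mac, now)
    return mac


def next_hop_ip(iface, dst_ip, router_ip):
    """Same subnet: deliver directly; otherwise the routing table points at the router."""
    return dst_ip if dst_ip in iface.net else router_ip


def build_topology():
    """Constructed topology: A and R on 111.111.111.0/24, R and B on 222.222.222.0/24.
    Only R's first address and MAC come from the slide; the rest are sample values."""
    a = Interface("111.111.111.111", "74-29-9C-E8-FF-55", "111.111.111.0/24")
    r1 = Interface("111.111.111.110", "E6-E9-00-17-BB-4B", "111.111.111.0/24")
    r2 = Interface("222.222.222.220", "1A-23-F9-CD-06-9B", "222.222.222.0/24")
    b = Interface("222.222.222.222", "49-BD-D2-C7-56-2A", "222.222.222.0/24")
    return Lan(a, r1), Lan(r2, b), a, r1, r2, b


def send_a_to_b(a, r1, r2, b, lan1, lan2, now):
    """Walk the two hops; returns (destination MAC, source MAC) of each frame sent."""
    frames = []
    hop = next_hop_ip(a, b.ip, r1.ip)                     # B is off-LAN: use R
    frames.append((resolve(a, lan1, hop, now), a.mac))    # A -> R, carrying the A-to-B datagram
    # R strips the Ethernet frame, sees the datagram is for B, and resolves B on LAN 2
    frames.append((resolve(r2, lan2, b.ip, now), r2.mac))  # R -> B
    return frames


if __name__ == "__main__":
    lan1, lan2, a, r1, r2, b = build_topology()
    print(send_a_to_b(a, r1, r2, b, lan1, lan2, now=0))
    print("ARP queries on LAN 1 / LAN 2:", lan1.queries, lan2.queries)
```

Sending a second datagram a minute later produces the same frames without any new broadcast, and sending one after the TTL has elapsed triggers a fresh query: that is the soft-state behaviour the slide describes.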
Ethernet uses CSMA/CD
- no slots
- an adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- a transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- before attempting a retransmission, the adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.
Exponential backoff:
- goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer
- first collision: choose K from {0, 1}; the delay is K * 512 bit transmission times
- after the second collision: choose K from {0, 1, 2, 3}
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame
  efficiency = 1 / (1 + 5 t_prop / t_trans)
- efficiency goes to 1 as t_prop goes to 0
- goes to 1 as t_trans goes to infinity
- much better than ALOHA, but still decentralized, simple and cheap
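An added Python example (not from the slides) for the two previous slides: it computes the backoff set {0, ..., 2^m - 1} and the K * 512 bit-time wait of the Ethernet algorithm, checks the slide's "K = 1023 waits about 50 msec" figure at the 0.1 microsecond bit time, and evaluates the CSMA/CD efficiency formula 1 / (1 + 5 t_prop / t_trans). Capping the exponent at 10, so that K never exceeds 1023, is what the slide's "after ten collisions" line implies and is also how the standard behaves; the specific propagation and transmission times in the usage are constructed.

```python
import random

BIT_TIME_S = 0.1e-6       # 10 Mbps Ethernet: one bit time is 0.1 microsecond
BACKOFF_UNIT_BITS = 512   # the adapter waits K * 512 bit times
MAX_EXPONENT = 10         # from the tenth collision on, K is drawn from {0, ..., 1023}


def k_range(m):
    """Size of the set {0, 1, ..., 2^min(m, 10) - 1} used after the m-th collision."""
    if m < 1:
        raise ValueError("m counts collisions, so it starts at 1")
    return 2 ** min(m, MAX_EXPONENT)


def choose_k(m, rng):
    """Draw K uniformly from {0, ..., 2^min(m, 10) - 1}."""
    return rng.randrange(k_range(m))


def wait_seconds(k, bit_time=BIT_TIME_S):
    """Backoff delay for a given K: K * 512 bit times."""
    return k * BACKOFF_UNIT_BITS * bit_time


def expected_wait_seconds(m, bit_time=BIT_TIME_S):
    """Mean backoff after the m-th collision: K is uniform, so E[K] = (2^min(m,10) - 1) / 2."""
    return wait_seconds((k_range(m) - 1) / 2, bit_time)


def csma_cd_efficiency(t_prop, t_trans):
    """Slide formula: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def backoff_schedule(collisions, seed=7):
    """Constructed run of one adapter: (m, K, wait in seconds) for each successive collision."""
    rng = random.Random(seed)
    schedule = []
    for m in range(1, collisions + 1):
        k = choose_k(m, rng)
        schedule.append((m, k, wait_seconds(k)))
    return schedule


if __name__ == "__main__":
    for m, k, wait in backoff_schedule(12):
        print(f"collision {m:2d}: K in [0, {k_range(m) - 1:4d}], chose K={k:4d}, wait {wait * 1e6:8.1f} us")
    print(f"K=1023 waits {wait_seconds(1023) * 1e3:.1f} ms")
    # constructed numbers: 2.5 km at 2e8 m/s, 1500-byte frame at 10 Mbps
    t_prop, t_trans = 2500 / 2e8, 1500 * 8 / 10e6
    print(f"efficiency with t_prop={t_prop * 1e6:.1f} us, t_trans={t_trans * 1e6:.0f} us: "
          f"{csma_cd_efficiency(t_prop, t_trans):.3f}")
```

The schedule shows why the slide says the random wait grows under heavy load: each further collision doubles the range K is drawn from until it saturates at 1023, and the expected wait doubles with it.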
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides net management functionality, e.g. can disconnect a malfunctioning adapter
(Figure: a hub with twisted-pair links to hosts.)
Interconnecting with hubs
Pros:
- enables interdepartmental communication
- extends the max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it
Cons:
- the separate collision domains are merged into one large common domain
- cannot interconnect 10BaseT and 100BaseT hubs
(Figure: a backbone hub connecting three departmental hubs.)
Switch
Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem.
(Figure: a switch with interfaces 1, 2 and 3, each connected to a hub.)
Self learning
A switch has a switch table.
- entry in the switch table: (MAC address, interface, time stamp)
- stale entries in the table are dropped (TTL can be 60 min)
The switch learns which hosts can be reached through which interfaces:
- when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment
- it records the sender/location pair in the switch table
Switch: traffic isolation
- switch installation breaks the subnet into LAN segments
- the switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
- segments become separate collision domains
(Figure: a switch connecting three hubs; each hub's segment is its own collision domain.)
Switches vs. routers
- both are store-and-forward devices
- routers: network-layer devices (examine network-layer headers)
- switches are link-layer devices
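The self-learning and traffic-isolation slides above, as an added Python model of a learning switch (example code for this page, not the course's own). The table holds (MAC address, interface, time stamp) entries with the slide's 60-minute TTL; an unknown or broadcast destination is flooded to every other interface, a destination behind the incoming interface is filtered, and a known destination is forwarded on its one interface. The MAC addresses in the usage are constructed sample values.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
SWITCH_TTL_S = 60 * 60      # slide: stale entries are dropped, TTL can be 60 min


class LearningSwitch:
    """Self-learning switch: learns senders, floods unknown destinations, filters same-segment traffic."""
    def __init__(self, interfaces, ttl=SWITCH_TTL_S):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}      # mac -> (interface, time the host was last seen as a sender)

    def expire(self, now):
        """Drop entries whose time stamp is older than the TTL; returns the MACs dropped."""
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen >= self.ttl]
        for mac in stale:
            del self.table[mac]
        return stale

    def receive(self, src, dst, in_if, now):
        """A frame from src to dst arrives on in_if; returns the interfaces it is sent out on."""
        self.expire(now)
        self.table[src] = (in_if, now)          # learn: src is reachable through in_if
        if dst == BROADCAST or dst not in self.table:
            return [i for i in self.interfaces if i != in_if]   # unknown: flood all others
        out_if, _ = self.table[dst]
        if out_if == in_if:
            return []                           # same segment: filter, do not forward
        return [out_if]                         # known: forward on that one interface


def run_trace(frames, interfaces=(1, 2, 3)):
    """Constructed trace helper: feed (time, src, dst, in_if) tuples, collect the outputs."""
    sw = LearningSwitch(interfaces)
    return [(t, src, dst, in_if, sw.receive(src, dst, in_if, t)) for t, src, dst, in_if in frames]


if __name__ == "__main__":
    H1, H2, H3 = "02-00-00-00-00-01", "02-00-00-00-00-02", "02-00-00-00-00-03"  # constructed
    trace = [
        (0, H1, H3, 1),         # H3 unknown: flooded on 2 and 3
        (1, H3, H1, 2),         # H1 now known behind 1: forwarded on 1 only
        (2, H2, H1, 1),         # H1 and H2 share interface 1: filtered
        (3, H2, BROADCAST, 1),  # broadcast: always flooded
        (SWITCH_TTL_S + 1, H3, H1, 2),   # H1's entry has aged out: flooded again
    ]
    for row in run_trace(trace):
        print(row)
```

The filtered frame at step three is the traffic-isolation point: because both hosts hang off the same hub, the switch never copies their frames onto the other segments, so those segments remain separate collision domains.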
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
(Figure: nodes A, B and C, with B in range of both A and C, and an obstacle between A and C.)
Hidden terminal problem:
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other, which means A, C are unaware of their interference at B
(Figure: A's signal strength and C's signal strength plotted against space; each fades out before it reaches the other.)
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in the physical layer: all hosts use the same chipping code
- widely deployed, using base stations
802.11a
- 5-6 GHz range
- up to 54 Mbps
802.11g
- 2.4-5 GHz range
- up to 54 Mbps
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
- a wireless host communicates with a base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP): the base station
- ad hoc mode: hosts only
(Figure: BSS 1 and BSS 2, each with its own AP, joined through a hub, switch or router to the Internet.)
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender:
1. if the channel is sensed idle for DIFS, then transmit the entire frame (no CD)
2. if the channel is sensed busy, then
   - start a random backoff timer
   - the timer counts down while the channel is idle
   - transmit when the timer expires
   - if no ACK, increase the random backoff interval and repeat 2
802.11 receiver:
- if the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem)
(Figure: the sender waits DIFS and sends data; the receiver waits SIFS and sends the ACK.)
Collision avoidance: RTS-CTS exchange
(Figure: timeline of A, the AP and B. RTS(A) and RTS(B) are sent at the same time and collide at the AP; A then sends RTS(A) again, the AP answers with CTS(A), which both A and B hear; A sends DATA(A) while B defers for the reserved duration; the AP returns ACK(A), also heard by both.)
802.11 frame (field lengths in bytes):
  frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame: addressing
- Address 1: MAC address of the wireless host or AP to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode
(Figure: H1 sends to router R1 through the AP. 802.11 frame from H1 to the AP: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame from the AP to R1: dest address = R1 MAC addr, source address = AP MAC addr.)
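An added Python example (not part of the slides) that builds and parses the 802.11 data-frame header with the field lengths shown above: frame control (2), duration (2), three 6-byte addresses, sequence control (2), the optional fourth address, the payload of at most 2312 bytes, and a 4-byte CRC. Two facts about the frame are taken from the standard rather than the slide: the To DS and From DS bits in the frame control field decide whether the fourth address is present, and the trailer is a CRC-32 (the code uses `zlib.crc32` for it). The MAC addresses and payload in the usage are constructed placeholders, and the duration field is left at zero.

```python
import struct
import zlib

MAX_PAYLOAD = 2312           # slide: payload is 0 - 2312 bytes
FC_TO_DS, FC_FROM_DS = 0x0100, 0x0200   # bits 8 and 9 of the little-endian frame control word


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split("-"))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_data_frame(addr1, addr2, addr3, payload, to_ds=True, from_ds=False, addr4=None, seq=0):
    """Constructed data frame: header, payload, CRC-32 trailer over header + payload."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    fc = 2 << 2                                  # type = 2 (data), subtype 0, version 0
    if to_ds:
        fc |= FC_TO_DS
    if from_ds:
        fc |= FC_FROM_DS
    header = struct.pack("<HH", fc, 0)           # duration left at 0 in this example
    header += mac_to_bytes(addr1) + mac_to_bytes(addr2) + mac_to_bytes(addr3)
    header += struct.pack("<H", (seq & 0x0FFF) << 4)   # sequence number in the high 12 bits
    if to_ds and from_ds:                        # four-address form
        if addr4 is None:
            raise ValueError("To DS and From DS both set requires address 4")
        header += mac_to_bytes(addr4)
    body = header + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_data_frame(frame):
    """Split a frame into its fields and verify the CRC; raises ValueError on a truncated frame."""
    if len(frame) < 24 + 4:
        raise ValueError("too short: need a 24-byte header plus a 4-byte CRC")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    fields = {
        "type": (fc >> 2) & 0x3,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "duration": duration,
        "address1": bytes_to_mac(frame[4:10]),    # host or AP that receives this transmission
        "address2": bytes_to_mac(frame[10:16]),   # host or AP transmitting this frame
        "address3": bytes_to_mac(frame[16:22]),   # e.g. the router interface behind the AP
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "address4": None,
    }
    offset = 24
    if to_ds and from_ds:
        if len(frame) < 30 + 4:
            raise ValueError("four-address header needs 30 bytes")
        fields["address4"] = bytes_to_mac(frame[24:30])
        offset = 30
    fields["payload"] = frame[offset:-4]
    fields["crc_ok"] = struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])
    return fields


if __name__ == "__main__":
    AP, H1, R1 = "00-AA-00-00-00-01", "00-AA-00-00-00-02", "00-AA-00-00-00-03"  # constructed
    frame = build_data_frame(AP, H1, R1, b"datagram bytes")   # H1 -> AP, destined for R1
    print(len(frame), "bytes")
    for key, value in parse_data_frame(frame).items():
        print(f"{key:9s} {value!r}")
```

For the host-to-AP frame in the slide's figure the parsed fields read address 1 = AP, address 2 = H1, address 3 = R1, exactly the assignment listed above; flipping any byte of the payload makes `crc_ok` false, which is the receiver's cue to drop the frame instead of returning an ACK.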
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Internet security threats
Denial of service (DoS):
- a flood of maliciously generated packets "swamps" the receiver
- Distributed DoS (DDoS): multiple coordinated sources swamp the receiver
- e.g., C and a remote host SYN-attack A
(Figure: A, B and C on a LAN; streams of SYN packets from C and from a remote host converge on A.)
Countermeasures?
Internet security threats
Denial of service (DoS): countermeasures
- filter out flooded packets (e.g., SYN) before they reach the host: throws out good with bad
- traceback to the source of the floods (most likely an innocent, compromised machine)
(Figure: the same SYN flood toward A.)
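An added Python example for the two DoS slides above, written from the defender's side (it is example code for this page, not course material). Over a constructed packet log it does three things: raises an alarm when the SYN rate toward one host crosses a threshold inside a sliding window, counts half-open handshakes (SYN seen, no ACK back from that source), and applies the slide's blunt countermeasure of dropping every SYN addressed to the flooded host, counting how many legitimate connection attempts go with it. Addresses, timings, the one-second window and the threshold of five are all constructed sample values.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0        # sliding window for the SYN-rate check (constructed)
SYN_THRESHOLD = 5     # more SYNs than this inside one window raises an alarm (constructed)

# Constructed log: (time, src, dst, flags). A = 10.0.0.1 is flooded by C = 10.0.0.3 and by
# the remote host 198.51.100.7; B = 10.0.0.2 completes one legitimate handshake with A.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.3", "10.0.0.1", "SYN"), (0.05, "10.0.0.3", "10.0.0.1", "SYN"),
    (0.10, "10.0.0.3", "10.0.0.1", "SYN"), (0.15, "10.0.0.3", "10.0.0.1", "SYN"),
    (0.20, "10.0.0.3", "10.0.0.1", "SYN"), (0.25, "10.0.0.3", "10.0.0.1", "SYN"),
    (0.30, "10.0.0.3", "10.0.0.1", "SYN"), (0.35, "10.0.0.3", "10.0.0.1", "SYN"),
    (0.02, "198.51.100.7", "10.0.0.1", "SYN"), (0.07, "198.51.100.7", "10.0.0.1", "SYN"),
    (0.12, "198.51.100.7", "10.0.0.1", "SYN"), (0.17, "198.51.100.7", "10.0.0.1", "SYN"),
    (0.03, "10.0.0.2", "10.0.0.1", "SYN"),        # B's handshake ...
    (0.06, "10.0.0.1", "10.0.0.2", "SYN-ACK"),
    (0.09, "10.0.0.2", "10.0.0.1", "ACK"),        # ... completes, so it is not half-open
]


def detect_syn_floods(packets, window=WINDOW_S, threshold=SYN_THRESHOLD):
    """Per destination, the time at which more than `threshold` SYNs fell inside `window`."""
    recent = defaultdict(deque)       # dst -> times of SYNs still inside the window
    alarms = {}
    for t, _src, dst, flags in sorted(packets):
        if flags != "SYN":
            continue
        q = recent[dst]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > threshold and dst not in alarms:
            alarms[dst] = t
    return alarms


def half_open_counts(packets):
    """Per destination, the number of sources that sent a SYN but never followed with an ACK."""
    syn_pairs = {(s, d) for _, s, d, f in packets if f == "SYN"}
    ack_pairs = {(s, d) for _, s, d, f in packets if f == "ACK"}
    counts = defaultdict(int)
    for src, dst in syn_pairs - ack_pairs:
        counts[dst] += 1
    return dict(counts)


def drop_syns_to(packets, victim):
    """The slide's countermeasure: drop every SYN addressed to the victim.
    Returns the surviving packets and the number of dropped SYNs that belonged to
    handshakes which did complete, i.e. the 'good' thrown out with the 'bad'."""
    kept = [p for p in packets if not (p[3] == "SYN" and p[2] == victim)]
    dropped = [p for p in packets if p[3] == "SYN" and p[2] == victim]
    completing = {(s, d) for _, s, d, f in packets if f == "ACK"}
    collateral = sum(1 for _, s, d, _ in dropped if (s, d) in completing)
    return kept, collateral


if __name__ == "__main__":
    print("alarms:", detect_syn_floods(SAMPLE_PACKETS))
    print("half-open per destination:", half_open_counts(SAMPLE_PACKETS))
    kept, collateral = drop_syns_to(SAMPLE_PACKETS, "10.0.0.1")
    print(f"after filtering: {len(kept)} packets kept, {collateral} legitimate SYN dropped")
```

The alarm fires at the sixth SYN toward A (0.10 s into the log), the half-open count shows two sources that never complete their handshakes, and the filter confirms the slide's caveat: it removes all thirteen SYNs to A, including B's legitimate one.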
Review (1): Network Layer
- Virtual circuits and datagram networks
- Routing principles: link state algorithm, distance vector algorithm
- The Internet (IP) protocol: IPv4 addressing, datagram format, IP fragmentation, ICMP (Internet Control Message Protocol), IPv6, NAT (Network Address Translation)
Review (2): Data link layer
- Introduction and services
- Error detection and correction
- Multiple access protocols: TDMA/FDMA, random access protocols, "taking turns" protocols
- Link-layer addressing
- Ethernet
- Hubs and switches
- Mobile and wireless networks: CDMA, IEEE 802.11 wireless LANs
Review (3): Network security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing algorithm classification
Global or decentralized information?
- Global: all routers have complete topology and link cost info; "link state" algorithms
- Decentralized: a router knows its physically connected neighbors and the link costs to those neighbors; iterative process of computation and exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
  Initialization:
    N = {u}
    for all nodes v
      if v adjacent to u
        then D(v) = c(u,v)
        else D(v) = infinity
  Loop
    find w not in N such that D(w) is a minimum
    add w to N
    update D(v) for all v adjacent to w and not in N:
      D(v) = min( D(v), D(w) + c(w,v) )
    /* new cost to v is either old cost to v or known
       shortest path cost to w plus cost from w to v */
  until all nodes in N
Dijkstra's algorithm example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        inf        inf
1     ux       2,u        4,x                   2,x        inf
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
(Figure: the six-node graph u, v, w, x, y, z. The link costs that produce this table are c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2.)
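The pseudocode and the worked table above, as an added Python implementation (example code for this page, not the course's own). It runs the link-state computation from u on the slide's six-node graph, records the (N, D, p) snapshot after every step so the table can be reprinted, and then derives what a router actually installs: the next hop toward each destination, obtained by walking the predecessor pointers back to u. One caveat: at step 2, v and y both have estimate 2; the slide settles y first, while this code breaks ties by adjacency order and may settle v first. The final costs and predecessors are the same either way.

```python
INF = float("inf")

# Undirected link costs that reproduce the slide's table (the graph is the page's example).
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def adjacency(graph):
    """adj[a][b] = c(a, b) for every link, stored in both directions."""
    adj = {}
    for (a, b), c in graph.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(graph, u):
    """Link-state computation from u. Returns one (N, D, p) snapshot per step, the same
    columns as the slide's table: N = settled nodes, D = cost estimate, p = predecessor."""
    adj = adjacency(graph)
    N = [u]
    D = {v: INF for v in adj}
    p = {v: None for v in adj}
    D[u] = 0
    for v, c in adj[u].items():           # initialization: u's direct neighbours
        D[v], p[v] = c, u
    steps = [(list(N), dict(D), dict(p))]
    while len(N) < len(adj):
        # the unsettled node with the smallest estimate (ties: first in adjacency order)
        w = min((v for v in adj if v not in N), key=lambda v: D[v])
        N.append(w)
        for v, c in adj[w].items():        # relax the links out of w
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        steps.append((list(N), dict(D), dict(p)))
    return steps


def forwarding_table(p, u):
    """Next hop from u for every destination: follow predecessors back until u is reached."""
    table = {}
    for dst in p:
        if dst == u or p[dst] is None:
            continue
        hop = dst
        while p[hop] != u:
            hop = p[hop]
        table[dst] = hop
    return table


def print_table(steps):
    """Reprint the snapshots in the layout of the slide's table."""
    nodes = sorted(steps[-1][1])
    print("step  N        " + "  ".join(f"D({v}),p({v})" for v in nod
                                         ) if False else "step  N        " + "  ".join(f"D({v}),p({v})" for v in nodes))
    for i, (N, D, p) in enumerate(steps):
        cells = ["inf" if D[v] == INF else f"{D[v]},{p[v]}" for v in nodes]
        print(f"{i:<5} {''.join(N):<8} " + "  ".join(f"{c:<9}" for c in cells))


if __name__ == "__main__":
    steps = dijkstra(GRAPH, "u")
    print_table(steps)
    print("forwarding table at u:", forwarding_table(steps[-1][2], "u"))
```

The forwarding table is the part the slides only hint at: u reaches v directly, but every other destination (w, y, z, and x itself) goes out over the link to x, because the cheapest paths to w and z both run through x and y.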
Distance vector algorithm (1)
Basic idea:
- each node periodically sends its own distance vector estimate to its neighbors
- when a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F (Bellman-Ford) equation:
    D_x(y) <- min_v { c(x,v) + D_v(y) }   for each node y in N
- under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration is caused by
- a local link cost change
- a DV update message from a neighbor
Distributed:
- each node notifies its neighbors only when its DV changes
- neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path; it only knows the next hop.
Each node: wait for (a change in a local link cost or a msg from a neighbor)
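An added Python example (not from the slides) of the distance vector algorithm on the same six-node graph as the Dijkstra example, so the two can be compared. Nodes start from their direct link costs, apply the Bellman-Ford equation D_x(y) = min_v { c(x,v) + D_v(y) } to the vectors their neighbours sent them, and, as the slide says, send their own vector only when it changed. Rounds here are synchronous for simplicity; the real protocol runs each node's update asynchronously. The final `next_hops` table shows the other point the slide makes: a node ends up knowing only the neighbour to hand each datagram to, never the whole path.

```python
INF = float("inf")

# Same link costs as the slide's Dijkstra example, so the two results can be compared.
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5, ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1, ("w", "y"): 1, ("w", "z"): 5, ("y", "z"): 2,
}


def adjacency(graph):
    adj = {}
    for (a, b), c in graph.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def distance_vector(graph):
    """Synchronous rounds of the DV algorithm. Every node keeps only the vectors its
    neighbours sent it and sends its own vector only in the rounds where it changed.
    Returns (final vectors, rounds taken, messages sent)."""
    adj = adjacency(graph)
    nodes = sorted(adj)
    # initial estimate: direct link cost to each neighbour, INF to everyone else
    dv = {x: {y: (0 if x == y else adj[x].get(y, INF)) for y in nodes} for x in nodes}
    received = {x: {} for x in nodes}     # last DV heard from each neighbour
    pending = set(nodes)                  # nodes whose DV changed and must notify neighbours
    rounds = messages = 0
    while pending:
        rounds += 1
        for v in sorted(pending):         # v sends its current vector to each neighbour
            for x in adj[v]:
                received[x][v] = dict(dv[v])
                messages += 1
        pending = set()
        for x in nodes:
            new = {}
            for y in nodes:
                if y == x:
                    new[y] = 0
                    continue
                # Bellman-Ford: D_x(y) = min over neighbours v of c(x,v) + D_v(y)
                best = adj[x].get(y, INF)            # the direct link, if there is one
                for v, c in adj[x].items():
                    if v in received[x]:
                        best = min(best, c + received[x][v][y])
                new[y] = best
            if new != dv[x]:                         # notify neighbours only on a change
                dv[x] = new
                pending.add(x)
    return dv, rounds, messages


def next_hops(graph, dv):
    """What a node really learns: for each destination y, the neighbour v minimising c(x,v) + D_v(y)."""
    adj = adjacency(graph)
    hops = {}
    for x in adj:
        hops[x] = {}
        for y in dv[x]:
            if y != x:
                hops[x][y] = min(sorted(adj[x]), key=lambda v: adj[x][v] + dv[v][y])
    return hops


if __name__ == "__main__":
    dv, rounds, messages = distance_vector(GRAPH)
    print(f"converged after {rounds} rounds and {messages} DV messages")
    print("D_u:", dv["u"])
    print("next hops at u:", next_hops(GRAPH, dv)["u"])
```

After convergence u's vector is {u: 0, v: 2, w: 3, x: 1, y: 2, z: 4}, identical to the last row of the Dijkstra table, and u's next hops are v for v and x for everything else, the same forwarding decision the link-state computation produced; the difference is that u arrived there without ever seeing the full topology.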
Why different intra- and inter-AS routing?
... reduced update traffic
Performance:
- intra-AS: can focus on performance
- inter-AS: policy may dominate over performance
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram
(Figure: a path of nodes joined by "links".)
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
Framing, link access:
- encapsulate the datagram into a frame, adding a header and trailer
- channel access if the medium is shared
- "MAC" addresses used in frame headers to identify source and destination; different from IP addresses
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit-error links (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
- Random access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to the channel in "rounds"
- each station gets a fixed-length slot (length = packet transmission time) in each round
- unused slots go idle
- example: 6-station LAN; stations 1, 3 and 4 have packets; slots 2, 5 and 6 are idle
TDM (Time Division Multiplexing): the channel is divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (Frequency Division Multiplexing): the frequency band is subdivided.
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Internet security threatsDenial of service (DOS) countermeasures
filter out flooded packets (eg SYN) before reaching host throw out good with bad
traceback to source of floods (most likely an innocent compromised machine)
A
B
C
SYN
SYNSYNSYN
SYN
SYN
SYN
Review (1) Network Layer
Virtual Circuits and Datagram Networks Routing Principles
bull Link State Algorithmbull Distance Vector Algorithm
The Internet (IP) Protocolbull IPv4 addressingbull Datagram formatbull IP fragmentationbull ICMP Internet Control Message Protocolbull IPv6bull NAT Network Address Translation
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).
CSMA/CD collision detection (figure)
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B knowing B's IP address?
(Figure: LAN with four nodes. IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.)
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out). Soft state: information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from a network administrator.
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
(Figure: A, router R, B; A and B are on different LANs joined by R.)
A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame. R's adapter receives the frame. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.
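Worked example (added here; not the lecture's own code): a small Python model of both the same-LAN ARP exchange and the two-hop walkthrough above. It broadcasts the query to every node on the segment, unicasts the reply, caches the mapping as soft state with the 20-minute TTL, and then carries one datagram A to R to B, re-framing at the router while leaving the IP datagram untouched. The router address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slide's values; the other IP and MAC addresses, the node names and the /24 subnet assumption are constructed for this example.

```python
BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60  # soft-state lifetime in seconds ("typically 20 min")


def same_subnet(ip_a, ip_b):
    """/24 subnets, matching the 111.111.111.x style of the slide (assumption)."""
    return ip_a.rsplit(".", 1)[0] == ip_b.rsplit(".", 1)[0]


class Lan:
    """A broadcast segment: every attached adapter sees every frame."""
    def __init__(self, name):
        self.name, self.nodes = name, []


class Node:
    """Host or router. `ifaces` maps LAN name -> (ip, mac); `routes` maps a
    destination /24 prefix -> next-hop IP; `arp_table` maps ip -> (mac, expiry)."""
    def __init__(self, name, ifaces, routes=None):
        self.name, self.ifaces, self.routes = name, ifaces, routes or {}
        self.arp_table, self.sent_arp = {}, []   # sent_arp: ARP packets this node emitted

    def lan_for_ip(self, ip):
        for lan, (my_ip, _) in self.ifaces.items():
            if same_subnet(ip, my_ip):
                return lan
        return None


def arp_resolve(lan, requester, target_ip, now):
    """Return target_ip's MAC on `lan`: from the requester's cache while the entry is
    fresh, otherwise via the broadcast query / unicast reply exchange of the slide."""
    cached = requester.arp_table.get(target_ip)
    if cached and cached[1] > now:
        return cached[0]
    req_ip, req_mac = requester.ifaces[lan.name]
    query = {"dst": BROADCAST, "src": req_mac, "op": "request",
             "sender": (req_ip, req_mac), "target_ip": target_ip}
    requester.sent_arp.append(query)          # dest FF-FF-FF-FF-FF-FF: every node on the LAN receives it
    for node in lan.nodes:
        if node is requester:
            continue
        ip, mac = node.ifaces[lan.name]
        if ip == target_ip:                   # only the owner of target_ip answers
            reply = {"dst": req_mac, "src": mac, "op": "reply",
                     "sender": (ip, mac), "target_ip": req_ip}
            node.sent_arp.append(reply)       # unicast back to the requester's MAC
            requester.arp_table[target_ip] = (mac, now + ARP_TTL)   # cache as soft state
            return mac
    raise LookupError(f"{target_ip} is not on {lan.name}")


def deliver(src_node, datagram, lans, now):
    """Carry an IP datagram hop by hop (host -> router -> host) and return the
    link-layer frames put on the wire. The datagram itself never changes; each
    hop builds a new frame around it."""
    frames, current = [], src_node
    while True:
        dst_ip = datagram["dst"]
        lan_name = current.lan_for_ip(dst_ip)
        if lan_name is None:                  # not directly attached: consult the routing table
            next_hop = current.routes[dst_ip.rsplit(".", 1)[0]]
            lan_name = current.lan_for_ip(next_hop)
        else:
            next_hop = dst_ip
        lan = lans[lan_name]
        next_mac = arp_resolve(lan, current, next_hop, now)
        frames.append({"lan": lan_name, "src_mac": current.ifaces[lan_name][1],
                       "dst_mac": next_mac, "datagram": dict(datagram)})
        receiver = next(n for n in lan.nodes if n.ifaces[lan_name][1] == next_mac)
        if receiver.ifaces[lan_name][0] == dst_ip:
            return frames
        current = receiver                    # router: strip the frame, forward the datagram


def build_example():
    """A on LAN1, B on LAN2, router R on both. 111.111.111.110 / E6-E9-00-17-BB-4B
    are the slide's values; every other address here is constructed."""
    lan1, lan2 = Lan("LAN1"), Lan("LAN2")
    a = Node("A", {"LAN1": ("111.111.111.111", "74-29-9C-E8-FF-55")},
             routes={"222.222.222": "111.111.111.110"})
    r = Node("R", {"LAN1": ("111.111.111.110", "E6-E9-00-17-BB-4B"),
                   "LAN2": ("222.222.222.220", "1A-23-F9-CD-06-9B")})
    b = Node("B", {"LAN2": ("222.222.222.222", "49-BD-D2-C7-56-2A")},
             routes={"111.111.111": "222.222.222.220"})
    lan1.nodes += [a, r]
    lan2.nodes += [r, b]
    return a, r, b, {"LAN1": lan1, "LAN2": lan2}


if __name__ == "__main__":
    a, r, b, lans = build_example()
    for f in deliver(a, {"src": "111.111.111.111", "dst": "222.222.222.222"}, lans, now=0):
        print(f["lan"], f["src_mac"], "->", f["dst_mac"], f["datagram"])
```

Running it prints two frames: the first addressed to R's LAN1 MAC, the second from R's LAN2 MAC to B, both wrapping the same A-to-B datagram. A second delivery before the TTL runs out sends no ARP query at all; one after 20 minutes queries again, which is the soft-state behaviour the slide describes.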
Ethernet uses CSMA/CD
No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting: that is, carrier sense.
A transmitting adapter aborts when it senses that another adapter is transmitting: that is, collision detection.
Before attempting a retransmission, the adapter waits a random time: that is, random access.
Ethernet CSMA/CD algorithm
1. Adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: .1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.
Exponential backoff: goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer.
First collision: choose K from {0, 1}; delay is K * 512 bit transmission times.
After the second collision: choose K from {0, 1, 2, 3}...
After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
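Worked example (added here; not from the lecture): the backoff window and wait time of the algorithm above, the 1023 * 512 bit-time case that gives the slide's "about 50 msec" at 10 Mbps, and the efficiency formula evaluated for a few t_prop/t_trans ratios. The toy model of several adapters re-drawing K until one draws a unique smallest value is a simplification for the example, as is the 16-attempt give-up limit; neither comes from the slide.

```python
import random

SLOT_BITS = 512          # backoff unit: K * 512 bit times
JAM_BITS = 48            # jam signal length from the slide
MAX_EXPONENT = 10        # window stops growing after the 10th collision (0..1023)
MAX_ATTEMPTS = 16        # assumption for the toy simulation: give up after 16 collisions


def backoff_range(m):
    """Largest K the adapter may draw after its m-th collision: 2^min(m,10) - 1."""
    if m < 1:
        raise ValueError("m counts collisions, so m >= 1")
    return 2 ** min(m, MAX_EXPONENT) - 1


def bit_time(rate_bps):
    """Seconds per bit: 0.1 microseconds at 10 Mbps."""
    return 1.0 / rate_bps


def wait_time_seconds(k, rate_bps):
    """Backoff delay of K * 512 bit times at the given rate."""
    return k * SLOT_BITS * bit_time(rate_bps)


def efficiency(t_prop, t_trans):
    """Slide's approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def backoff_sequence(collisions, seed=1):
    """K values one adapter would draw over a run of consecutive collisions."""
    rng = random.Random(seed)
    return [rng.randint(0, backoff_range(m)) for m in range(1, collisions + 1)]


def collisions_until_winner(n_adapters, seed=1):
    """Toy model of the backoff step alone: n adapters that just collided all draw K;
    the smallest K transmits first and wins if no other adapter drew the same K,
    otherwise they collide again with a doubled window. Returns the collision count."""
    rng = random.Random(seed)
    for m in range(1, MAX_ATTEMPTS + 1):
        draws = [rng.randint(0, backoff_range(m)) for _ in range(n_adapters)]
        if draws.count(min(draws)) == 1:
            return m
    return MAX_ATTEMPTS


if __name__ == "__main__":
    print("window after collisions 1..12:", [backoff_range(m) for m in range(1, 13)])
    print(f"K=1023 at 10 Mbps waits {wait_time_seconds(1023, 10_000_000) * 1e3:.1f} ms")
    for ratio in (0.0, 0.01, 0.1, 1.0):
        print(f"t_prop/t_trans={ratio}: efficiency={efficiency(ratio, 1.0):.3f}")
    print("collisions before a winner among 4 adapters:", collisions_until_winner(4))
```

The window doubles with each collision up to 1023 and then stays there, so the delay grows with the number of contenders: that is the load adaptation the slide describes.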
Hubs
Hubs are essentially physical-layer repeaters: bits coming in on one link go out on all other links at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions. Provides network management functionality, e.g. can disconnect a malfunctioning adapter.
(Figure: hub with twisted-pair links.)
Interconnecting with hubs
Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
(Figure: a backbone hub interconnecting departmental hubs.)
Switch
Link-layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC destination address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
How to determine onto which LAN segment to forward a frame? Looks like a routing problem...
(Figure: switch with interfaces 1, 2, 3, each attached to a hub.)
Self learning
A switch has a switch table. Entry in the switch table: (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment; it records the sender/location pair in the switch table.
Switch: traffic isolation
Switch installation breaks the subnet into LAN segments. The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.
(Figure: switch with three hubs, each forming a separate collision domain.)
Switches vs. Routers
Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
(Figure: nodes A, B, C in a line.)
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other. This means A and C are unaware of their interference at B.
(Figure: A's and C's signal strength plotted against space.)
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, yet are interfering at B.
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer: all hosts use the same chipping code; widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
A wireless host communicates with a base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station. Ad hoc mode: hosts only.
(Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.)
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then: start a random backoff time; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval and repeat 2.
802.11 receiver: if the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem).
(Figure: sender waits DIFS, sends data; receiver waits SIFS, sends ACK.)
Collision Avoidance: RTS-CTS exchange
(Figure, timeline between A, the AP and B: A and B send RTS(A) and RTS(B) at the same time and they collide at the AP (reservation collision); A sends RTS(A) again; the AP answers CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A); B defers for the reserved period.)
802.11 frame format (field lengths in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0-2312) | CRC (4)
802.11 frame: addressing
Address 1: MAC address of the wireless host or AP to receive this frame.
Address 2: MAC address of the wireless host or AP transmitting this frame.
Address 3: MAC address of the router interface to which the AP is attached.
Address 4: used only in ad hoc mode.
(Figure: H1 sends to router R1 through the AP. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr.)
802.11 frame addressing
Network Security
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.
Review (1): Network Layer
Virtual circuits and datagram networks. Routing principles: link state algorithm; distance vector algorithm. The Internet (IP) protocol: IPv4 addressing; datagram format; IP fragmentation; ICMP: Internet Control Message Protocol; IPv6; NAT: Network Address Translation.
Review (2): Data Link Layer
Introduction and services. Error detection and correction. Multiple access protocols: TDMA/FDMA; random access protocols; "taking turns" protocols. Link-layer addressing. Ethernet. Hubs and switches. Mobile and wireless networks: CDMA; IEEE 802.11 wireless LANs.
Review (3): Network Security
What is network security? Principles of cryptography: symmetric key, public key. Authentication: protocol evolution. Access control: firewalls. Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.
Routing Algorithm classification
Global or decentralized information?
Global: all routers have complete topology and link cost info; "link state" algorithms.
Decentralized: a router knows its physically-connected neighbors and the link costs to them; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms.
Static or dynamic?
Static: routes change slowly over time.
Dynamic: routes change more quickly; periodic update; in response to link cost changes.
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N
Dijkstra's algorithm: example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
(Figure: graph with link costs, as implied by the table: c(u,v)=2, c(u,x)=1, c(u,w)=5, c(v,x)=2, c(v,w)=3, c(x,w)=3, c(x,y)=1, c(w,y)=1, c(w,z)=5, c(y,z)=2.)
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to its neighbors. When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F equation:
D_x(y) ← min_v { c(x,v) + D_v(y) } for each node y ∈ N
Under minor, natural conditions, the estimate D_x(y) converges to the actual least cost d_x(y).
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration is caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies its neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path; it only knows the next hop.
Each node: wait for (change in local link cost or msg from neighbor) ...
Why different intra- and inter-AS routing? ... update traffic. Performance: intra-AS can focus on performance; inter-AS: policy may dominate over performance.
Data Link Layer: some terminology
Hosts and routers are nodes. Communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs.
A layer-2 packet is a frame; it encapsulates a datagram.
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
Framing, link access: encapsulate the datagram into a frame, adding header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and destination (different from IP addresses).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3)! Seldom used on low bit-error links (fiber, some twisted pair); wireless links: high error rates. Q: why both link-level and end-to-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use.
Random Access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Data link layer Introduction and services Error detection and correction Multiple access protocols
bull TDMAFDMAbull Random Access Protocolsbull ldquoTaking Turnsrdquo Protocols
Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks CDMA IEEE 80211 wireless LANs
Review (3) What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch
Link-layer device:
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC destination address
- when frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem.
(figure: a switch with interfaces 1, 2, 3, each leading to a hub with attached hosts)
Self learning
A switch has a switch table; entry in switch table: (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
(figure: one switch with three hubs, each hub's segment a separate collision domain)
Switches vs. Routers
- both store-and-forward devices
- routers: network-layer devices (examine network-layer headers); switches are link-layer devices
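The self-learning, aging and filtering rules from the three switch slides above, as an added example that is not code from the lecture. The (MAC, interface, time stamp) table and the 60-minute TTL are the slides'; the host names AA/BB/CC and interface numbers are constructed for the demo. The last test shows the point a practitioner should keep in mind: the table is learned from the source address of whatever frame arrives, so a host that forges another host's source address moves that host's entry to its own port.

```python
"""Self-learning switch with table aging and segment filtering, as described
in the 'Self learning' and 'traffic isolation' slides.  Added example; the
table layout and the 60-minute TTL are the slides', the host names and
interface numbers are made up for the demo."""
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"
TABLE_TTL = 60 * 60          # seconds; slide: "TTL can be 60 min"


@dataclass(frozen=True)
class Frame:
    src: str     # source MAC address
    dst: str     # destination MAC address


class LearningSwitch:
    def __init__(self, interfaces, ttl=TABLE_TTL):
        self.interfaces = set(interfaces)
        self.ttl = ttl
        self.table = {}     # MAC address -> (interface, time stamp)

    def _expire(self, now):
        """Drop stale entries: the slide's time stamp / TTL rule."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.ttl]:
            del self.table[mac]

    def receive(self, frame: Frame, in_if: int, now: float):
        """Learn the sender's location, then decide where the frame goes.
        Returns the set of interfaces the frame is forwarded on."""
        if in_if not in self.interfaces:
            raise ValueError(f"unknown interface {in_if}")
        self._expire(now)
        # Self-learning: whatever the source field says, on whichever segment
        # it arrived.  This is the property a MAC-spoofing host abuses.
        self.table[frame.src] = (in_if, now)
        if frame.dst == BROADCAST or frame.dst not in self.table:
            # unknown destination: flood out every other interface
            return self.interfaces - {in_if}
        out_if, _ = self.table[frame.dst]
        if out_if == in_if:
            # same-LAN-segment frame: filter, do not forward
            return set()
        return {out_if}


def demo():
    """Replay a small exchange and return the forwarding decisions."""
    sw = LearningSwitch(interfaces=[1, 2, 3])
    decisions = []
    decisions.append(sw.receive(Frame("AA", "BB"), in_if=1, now=0))     # BB unknown: flood
    decisions.append(sw.receive(Frame("BB", "AA"), in_if=2, now=1))     # AA known on 1
    decisions.append(sw.receive(Frame("CC", "AA"), in_if=1, now=2))     # same segment: filtered
    decisions.append(sw.receive(Frame("AA", "BB"), in_if=1, now=TABLE_TTL + 5))  # BB aged out: flood
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(sorted(d))
```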
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.
(figure: A and C on opposite sides of B, with B inside both ranges)
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other (their signals have faded too much over the distance) but are still interfering at B.
(figure: A's and C's signal strength falling off with distance, overlapping only at B)
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code
- widely deployed, using base stations
802.11a: 5-6 GHz range, up to 54 Mbps
802.11g: 2.4-5 GHz range, up to 54 Mbps
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and an access point (AP), the base station
- ad hoc mode: hosts only
(figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet)
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if channel sensed idle for DIFS, then transmit entire frame (no CD)
2. if channel sensed busy, then
   - start random backoff timer
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
(figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK)
Collision Avoidance: RTS-CTS exchange
(figure: A and B both send RTS to the AP; RTS(A) and RTS(B) collide; A retries RTS(A); AP broadcasts CTS(A); A sends DATA(A) while B defers for the reserved duration; AP broadcasts ACK(A))
The short RTS/CTS frames may collide, but they are cheap; once the AP's CTS(A) has been heard by every station in range, the long data frame is sent without collision.
802.11 frame: addressing
Frame format (field: bytes): frame control: 2 | duration: 2 | address 1: 6 | address 2: 6 | address 3: 6 | seq control: 2 | address 4: 6 | payload: 0-2312 | CRC: 4
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
Example: H1 sends through the AP to the Internet router R1.
802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (AP to R1): dest address = R1 MAC addr, source address = H1 MAC addr (the AP bridges transparently; its own MAC address does not appear on the wired frame)
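The addressing rules on the slide above, as an added example that is not code from the lecture: build an 802.11 data frame in the slide's field order, read its three (or four) addresses back, and derive the 802.3 frame the AP puts on the wire for the H1 to AP to R1 case and the reverse. The field widths are the slide's; the To-DS / From-DS flag bits of the frame-control field, which the slide does not show, are taken from the 802.11 standard; the MAC addresses are constructed for the demo.

```python
"""802.11 data-frame addressing and the AP's translation to an 802.3 frame,
following the 'H1 -> AP -> R1' example on the slide.  Added example, not code
from the lecture.  Field widths are the slide's (2,2,6,6,6,2,6).  The To-DS /
From-DS flag bits in the frame-control field, which the slide does not show,
are taken from the 802.11 standard."""
import struct

TO_DS = 0x01      # bit 0 of the frame-control flags byte
FROM_DS = 0x02    # bit 1 of the frame-control flags byte


def mac_bytes(mac: str) -> bytes:
    return bytes(int(b, 16) for b in mac.split("-"))


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def build_80211_data(fc_flags: int, addr1: str, addr2: str, addr3: str,
                     payload: bytes, seq: int = 0, addr4: str = "") -> bytes:
    """Assemble the header in slide order: frame control, duration, addr1,
    addr2, addr3, seq control, [addr4], payload.  CRC omitted here."""
    fc = bytes([0x08, fc_flags])          # type=data, subtype=0, then flags
    hdr = (fc + struct.pack("<H", 0) + mac_bytes(addr1) + mac_bytes(addr2)
           + mac_bytes(addr3) + struct.pack("<H", seq << 4))
    if fc_flags & TO_DS and fc_flags & FROM_DS:
        hdr += mac_bytes(addr4)             # four-address form only (slide: address 4)
    return hdr + payload


def parse_80211(frame: bytes) -> dict:
    flags = frame[1]
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    off = 24
    out = {"to_ds": bool(flags & TO_DS), "from_ds": bool(flags & FROM_DS),
           "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3)}
    if out["to_ds"] and out["from_ds"]:
        out["addr4"] = mac_str(frame[24:30])
        off = 30
    out["payload"] = frame[off:]
    return out


def ap_to_ethernet(frame: bytes) -> dict:
    """What the AP puts on the wire for a host -> AP (To-DS) frame: the final
    destination is address 3 and the original sender is address 2.  The AP's
    own MAC does not appear."""
    f = parse_80211(frame)
    if not f["to_ds"] or f["from_ds"]:
        raise ValueError("not a host-to-AP data frame")
    return {"dst": f["addr3"], "src": f["addr2"], "payload": f["payload"]}


def ethernet_to_ap(dst: str, src: str, ap_mac: str, payload: bytes) -> bytes:
    """Reverse direction (R1 -> AP -> H1): receiver is the station, the
    transmitter is the AP, address 3 carries the wired-side source."""
    return build_80211_data(FROM_DS, addr1=dst, addr2=ap_mac, addr3=src, payload=payload)


H1 = "00-11-22-33-44-55"   # constructed addresses for the demo
AP = "66-77-88-99-AA-BB"
R1 = "CC-DD-EE-FF-00-11"

if __name__ == "__main__":
    up = build_80211_data(TO_DS, addr1=AP, addr2=H1, addr3=R1, payload=b"datagram")
    print(ap_to_ethernet(up))
    down = ethernet_to_ap(dst=H1, src=R1, ap_mac=AP, payload=b"reply")
    print(parse_80211(down))
```

Nothing in this header binds address 2 to the radio that actually transmitted the frame; the AP forwards whatever addresses it is given, which is why the wired switch behind it can be fed a forged source address from the wireless side.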
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA: Choosing keys
RSA: Encryption, decryption
RSA example
RSA: Why is that
RSA: another important property
Overview
Authentication
Authentication: another try
Authentication: yet another try
Authentication: ap5.0
ap5.0: security hole
Firewalls
Firewalls: Why
Packet Filtering
Application gateways
Limitations of firewalls and gateways
Internet security threats
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijkstra's Algorithm
Dijkstra's algorithm: example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
The Internet Network layer
IP datagram format
IP Addressing: introduction
Subnets
IP addressing: CIDR
NAT: Network Address Translation
Hierarchical Routing
Interconnected ASes
Routing in the Internet
RIP (Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF "advanced" features (not in RIP)
Hierarchical OSPF
Internet inter-AS routing: BGP
BGP basics
Path attributes & BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols: a taxonomy
Channel Partitioning MAC protocols: TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMA/CD (Collision Detection)
CSMA/CD collision detection
"Taking Turns" MAC protocols
ARP: Address Resolution Protocol
ARP protocol: Same LAN (network)
Routing to another LAN
Ethernet uses CSMA/CD
Ethernet CSMA/CD algorithm
Ethernet's CSMA/CD (more)
CSMA/CD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch: traffic isolation
Switches vs. Routers
Summary comparison
Wireless network characteristics
IEEE 802.11 Wireless LAN
802.11 LAN architecture
IEEE 802.11 MAC Protocol: CSMA/CA
Collision Avoidance: RTS-CTS exchange
802.11 frame: addressing
Network Security
Review (3)
Network security:
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Routing Algorithm classification
Global or decentralized information?
- Global: all routers have complete topology and link cost info; "link state" algorithms
- Decentralized: router knows physically-connected neighbors and link costs to neighbors; iterative process of computation, exchange of info with neighbors; "distance vector" algorithms
Static or dynamic?
- Static: routes change slowly over time
- Dynamic: routes change more quickly; periodic update, in response to link cost changes
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = infinity

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm: example
Edge costs of the example graph (recovered from the figure labels and the table below): c(u,v) = 2, c(u,x) = 1, c(u,w) = 5, c(v,x) = 2, c(v,w) = 3, c(x,w) = 3, c(x,y) = 1, c(w,y) = 1, c(w,z) = 5, c(y,z) = 2.
Step | N      | D(v),p(v) | D(w),p(w) | D(x),p(x) | D(y),p(y) | D(z),p(z)
0    | u      | 2,u       | 5,u       | 1,u       | inf       | inf
1    | ux     | 2,u       | 4,x       |           | 2,x       | inf
2    | uxy    | 2,u       | 3,y       |           |           | 4,y
3    | uxyv   |           | 3,y       |           |           | 4,y
4    | uxyvw  |           |           |           |           | 4,y
5    | uxyvwz |           |           |           |           |
Distance vector algorithm (1)
Basic idea:
- Each node periodically sends its own distance vector estimate to neighbors.
- When a node x receives a new DV estimate from a neighbor, it updates its own DV using the B-F (Bellman-Ford) equation:
  Dx(y) ← min over v { c(x,v) + Dv(y) } for each node y in N
- Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y).
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by a local link cost change or a DV update message from a neighbor.
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary.
The algorithm doesn't know the entire path; it only knows the next hop.
Each node: wait for (change in local link cost or message from neighbor); update its DV; notify neighbors if it changed.
Why different Intra- and Inter-AS routing?
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.
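The two routing algorithms reviewed above, run on the graph of the Dijkstra example, as an added example that is not code from the lecture. The link-state function follows the slide's pseudocode (N grows by the cheapest unsettled node, D and p updated for its neighbours); the distance-vector function applies the Bellman-Ford equation synchronously at every node until no vector changes, and the two are checked against each other. Only the edge costs and the update rules come from the slides; ties between equally cheap nodes are broken by dictionary order here, so this code settles v before y at step 2 where the slide's table picks y (the resulting costs and predecessors are identical).

```python
"""Link-state (Dijkstra, as on the slide) and distance-vector (Bellman-Ford)
routing computed on the graph of the Dijkstra example above, to check that
both arrive at the same least costs.  Added example; only the graph and the
update rules come from the slides."""
import math

# Edge costs of the slide's example graph (undirected).
GRAPH = {
    ("u", "v"): 2, ("u", "x"): 1, ("u", "w"): 5,
    ("v", "x"): 2, ("v", "w"): 3,
    ("x", "w"): 3, ("x", "y"): 1,
    ("w", "y"): 1, ("w", "z"): 5,
    ("y", "z"): 2,
}


def neighbors(graph):
    adj = {}
    for (a, b), c in graph.items():
        adj.setdefault(a, {})[b] = c
        adj.setdefault(b, {})[a] = c
    return adj


def dijkstra(graph, u):
    """Slide pseudocode: N grows by the cheapest unsettled node; D(v) and
    p(v) are updated for its neighbours.  Returns (D, p, trace) where trace
    lists N after each step, like the table's N column (ties broken by
    dictionary order, so it may differ from the slide mid-way)."""
    adj = neighbors(graph)
    n_set = [u]
    D = {v: math.inf for v in adj}
    p = {v: None for v in adj}
    D[u] = 0
    for v, c in adj[u].items():          # initialization
        D[v], p[v] = c, u
    trace = ["".join(n_set)]
    while len(n_set) < len(adj):          # loop until all nodes in N
        w = min((v for v in adj if v not in n_set), key=lambda v: D[v])
        n_set.append(w)
        for v, c in adj[w].items():
            if v not in n_set and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
        trace.append("".join(n_set))
    return D, p, trace


def distance_vector(graph, max_rounds=100):
    """Synchronous Bellman-Ford: every node repeatedly applies
    Dx(y) = min over neighbours v of c(x,v) + Dv(y) until nothing changes.
    Returns (D, rounds) with D[x][y] the converged estimate."""
    adj = neighbors(graph)
    nodes = sorted(adj)
    D = {x: {y: (0 if x == y else adj[x].get(y, math.inf)) for y in nodes} for x in nodes}
    for rounds in range(1, max_rounds + 1):
        new = {x: dict(D[x]) for x in nodes}
        for x in nodes:
            for y in nodes:
                if x != y:
                    new[x][y] = min(c + D[v][y] for v, c in adj[x].items())
        if new == D:
            return D, rounds
        D = new
    raise RuntimeError("did not converge")


if __name__ == "__main__":
    D, p, trace = dijkstra(GRAPH, "u")
    print("N per step:", trace)
    print("D:", D, "p:", p)
    dv, rounds = distance_vector(GRAPH)
    print("DV from u:", dv["u"], "after", rounds, "rounds")
```

The distance-vector run converges in a handful of synchronous rounds on this graph; the point the slide makes, that a node only ever learns next hops and costs and never the full path, is visible in the fact that `D[x][y]` carries no predecessor information at all.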
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along a communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame; it encapsulates a datagram
The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
- Framing, link access: encapsulate datagram into frame, adding header and trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source and dest (different from IP address)
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); used on wireless links, which have high error rates
  - Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
- Random Access: channel not divided, allow collisions; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in rounds
- each station gets a fixed-length slot (length = packet transmission time) in each round
- unused slots go idle
- example: 6-station LAN; stations 1, 3, 4 have packets; slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p.
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p* that maximizes Np(1-p)^(N-1)
- For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = 0.37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of the time.
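The slotted ALOHA efficiency argument above, carried through numerically and checked by simulation, as an added example that is not code from the lecture. The success probability Np(1-p)^(N-1) is the slide's; finding p* by brute force, the closed form (1-1/N)^(N-1) at p* = 1/N, and the Monte Carlo run with a fixed seed and constructed parameters (N = 20, 20 000 slots) are additions made here.

```python
"""Slotted ALOHA: the analytic success probability N p (1-p)^(N-1) from the
slide, its maximiser p* = 1/N, and a Monte Carlo run to confirm the formula.
Added example with constructed parameters; not code from the lecture."""
import math
import random


def p_success(n: int, p: float) -> float:
    """Probability that exactly one of n nodes transmits in a slot (slide formula)."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n: int, steps: int = 10_000) -> float:
    """Brute-force the p that maximises p_success; it lands at 1/n."""
    return max((i / steps for i in range(1, steps)), key=lambda p: p_success(n, p))


def max_efficiency(n: int) -> float:
    """Efficiency at p* = 1/n: (1 - 1/n)^(n-1), which tends to 1/e."""
    return p_success(n, 1 / n)


def simulate(n: int, p: float, slots: int, seed: int = 0) -> float:
    """Fraction of slots with exactly one transmitter (a success); slots with
    two or more transmitters are collisions, slots with none are idle."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            successes += 1
    return successes / slots


if __name__ == "__main__":
    for n in (2, 5, 20, 100):
        print(n, round(best_p(n), 4), round(max_efficiency(n), 3))
    print("limit 1/e =", round(1 / math.e, 3))
    print("simulated, n=20, p=1/20:", simulate(20, 1 / 20, 20_000))
```

With two nodes the best case is 0.5; by N = 20 the optimum is already within a few percent of 1/e, which is the "37% of the time" figure on the slide.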
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission.
Human analogy: don't interrupt others!
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. On a collision, the entire packet transmission time is wasted.
(figure: spatial layout of nodes; note the role of distance and propagation delay in determining collision probability)
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted and received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
(figure only: collision detection timeline)
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B knowing B's IP address?
(figure: a LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)
ARP protocol: Same LAN (network)
- A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
- B receives the ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
- ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.
Note that nothing in this exchange authenticates the reply: A caches whatever MAC address the first reply carries.
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN).
- In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
- A creates datagram with source A, destination B.
- A uses ARP to get R's MAC address for 111.111.111.110.
- A creates link-layer frame with R's MAC address as dest; frame contains the A-to-B IP datagram.
- A's adapter sends the frame; R's adapter receives the frame.
- R removes the IP datagram from the Ethernet frame, sees it's destined to B.
- R uses ARP to get B's MAC address.
- R creates a frame containing the A-to-B IP datagram, sends it to B.
(figure: A and B on different LANs joined by router R)
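The two ARP slides above in code, as an added example that is not the lecture's: the request/reply packet format (RFC 826 layout, Ethernet/IPv4), the next-hop choice from the "Routing to another LAN" walkthrough (resolve B directly if it is on A's LAN, otherwise resolve the router), and a soft-state cache with the slide's 20-minute TTL. One check is a hardening choice made here, not part of the protocol the slide describes: the cache only accepts a reply that answers a request this node sent, which rejects unsolicited replies but, as the last test shows, still lets a forged reply win if it arrives while a request is pending. R's addresses are the slide's; A's MAC, A's IP (111.111.111.111), the /24 prefix and B's IP (222.222.222.222) are constructed for the demo.

```python
"""ARP over Ethernet: packet encode/decode, next-hop selection (same LAN
versus via router R) and a cache that ages entries out, following the two ARP
slides above.  Added example, not the lecture's code.  The ARP packet layout is
the one from RFC 826; R's addresses and the 20-minute TTL are the slides'."""
import ipaddress
import struct

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_TTL = 20 * 60            # seconds; slide: "typically 20 min"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split("-"))


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op, sha, spa, tha, tpa."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < 28:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(pkt[8:14]), "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
            "target_mac": mac_str(pkt[18:24]), "target_ip": str(ipaddress.IPv4Address(pkt[24:28]))}


def next_hop(src_ip: str, prefixlen: int, dst_ip: str, router_ip: str) -> str:
    """The address A must resolve with ARP: B itself if B is on A's LAN, else
    the router (the 'Routing to another LAN' walkthrough)."""
    lan = ipaddress.ip_interface(f"{src_ip}/{prefixlen}").network
    return dst_ip if ipaddress.IPv4Address(dst_ip) in lan else router_ip


class ArpCache:
    """Soft-state table < IP, MAC, TTL >.  Only replies that answer a request
    this node actually sent are accepted: a hardening choice made here, the
    slide's protocol accepts any reply."""
    def __init__(self, my_mac: str, my_ip: str, ttl: int = ARP_TTL):
        self.my_mac, self.my_ip, self.ttl = my_mac, my_ip, ttl
        self.table = {}        # ip -> (mac, expiry time)
        self.pending = set()   # ips we have asked about and not yet heard back

    def lookup(self, ip: str, now: float):
        entry = self.table.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        self.table.pop(ip, None)        # timed out: forget it
        return None

    def request(self, ip: str) -> bytes:
        """Build the broadcast query (sent to BROADCAST_MAC at the link layer)."""
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.my_mac, self.my_ip, "00-00-00-00-00-00", ip)

    def handle(self, pkt: bytes, now: float):
        """Process a received ARP packet; returns a reply to send, or None."""
        a = parse_arp(pkt)
        if a["op"] == ARP_REQUEST and a["target_ip"] == self.my_ip:
            return build_arp(ARP_REPLY, self.my_mac, self.my_ip, a["sender_mac"], a["sender_ip"])
        if a["op"] == ARP_REPLY and a["sender_ip"] in self.pending:
            self.pending.discard(a["sender_ip"])
            self.table[a["sender_ip"]] = (a["sender_mac"], now + self.ttl)
        return None


def walkthrough(now=0.0):
    """A resolves R (its router) the way the slide describes; returns the MAC
    A ends up with for R.  A's addresses and B's IP are constructed."""
    a = ArpCache("74-29-9C-E8-FF-55", "111.111.111.111")
    r = ArpCache("E6-E9-00-17-BB-4B", "111.111.111.110")
    hop = next_hop("111.111.111.111", 24, "222.222.222.222", "111.111.111.110")
    reply = r.handle(a.request(hop), now)        # broadcast query reaches R ...
    a.handle(reply, now)                         # ... R answers A by unicast
    return a.lookup(hop, now)
```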
Ethernet uses CSMA/CD
- No slots.
- Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
- Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
- Before attempting a retransmission, adapter waits a random time, that is, random access.
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer and creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses K at random from {0, 1, 2, …, 2^m - 1}, waits K × 512 bit times, and returns to Step 2.
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Routing Algorithm classification
Global or decentralized information
Global all routers have complete
topology link cost info ldquolink staterdquo algorithmsDecentralized router knows physically-
connected neighbors link costs to neighbors
iterative process of computation exchange of info with neighbors
ldquodistance vectorrdquo algorithms
Static or dynamicStatic routes change slowly
over timeDynamic routes change more
quickly periodic update in response to link
cost changes
Dijsktrarsquos Algorithm
1 Initialization 2 N = u 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(uv) 6 else D(v) = infin 7 8 Loop 9 find w not in N such that D(w) is a minimum 10 add w to N 11 update D(v) for all v adjacent to w and not in N 12 D(v) = min( D(v) D(w) + c(wv) ) 13 new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v 15 until all nodes in N
Dijkstrarsquos algorithm example
Step012345
Nu
uxuxy
uxyvuxyvw
uxyvwz
D(v)p(v)2u2u2u
D(w)p(w)5u4x3y3y
D(x)p(x)1u
D(y)p(y)infin
2x
D(z)p(z)infin infin
4y4y4y
u
yx
wv
z2
2
13
1
1
2
53
5
Distance vector algorithm (1)
Basic idea Each node periodically sends its own distance
vector estimate to neighbors When a node x receives new DV estimate from
neighbor it updates its own DV using B-F equation
Dx(y) larr minvc(xv) + Dv(y) for each node y ∊ N
Under minor natural conditions the estimate Dx(y) converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative asynchronous each local iteration caused by
local link cost change DV update message from
neighborDistributed each node notifies
neighbors only when its DV changes neighbors then notify
their neighbors if necessary
The algorithm doesnrsquot know the entire path ndash only knows the next hop
wait for (change in local link cost of msg from neighbor)
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 802.11 Wireless LAN
802.11b: 2.4 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations
802.11a: 5 GHz range; up to 54 Mbps
802.11g: 2.4 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and the access point (AP), i.e. the base station
ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with its own AP, joined by a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS, then transmit entire frame (no CD)
2. if sense channel busy, then
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure: timeline with A, the AP and B. RTS(A) and RTS(B) collide at the AP; A sends RTS(A) again; the AP answers CTS(A), heard by both A and B, which reserves the channel; A sends DATA(A); the AP returns ACK(A); B defers for the duration of the reservation]
802.11 frame layout (field lengths in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: present only when both the To DS and From DS bits of the frame control field are set, i.e. when a frame is relayed between two APs over a wireless distribution system; ordinary infrastructure and ad hoc frames carry three addresses
[Figure: H1 sends to router R1 through the AP. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame the AP puts on the wired LAN: dest address = R1 MAC addr, source address = AP MAC addr as drawn; a bridging AP in practice keeps H1's MAC address as the 802.3 source]
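A parser for the header layout and address rules given above, added here as an example (not code from the lecture). The frame bytes are constructed in the block itself, the CRC is left as zeros rather than computed, and the H1/AP/R1 MAC values are made up for the roles on the slide. The mapping from the four DS-bit cases to the Ethernet destination and source is the standard one, and for the slide's host-to-AP case it yields H1 rather than the AP as the 802.3 source.

```python
"""Parse the 802.11 MAC header laid out above and map its addresses to an 802.3 frame.

Added example, not from the lecture. Frame bytes are constructed here (CRC left as
zeros, not computed); the host/AP/router MAC values are made up for the slide's roles.
"""
import struct
from typing import Dict, Optional, Tuple

TO_DS, FROM_DS = 0x0100, 0x0200   # bits 8 and 9 of the little-endian frame control field


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split("-"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def build_data_frame(to_ds: bool, from_ds: bool, addr1: str, addr2: str, addr3: str,
                     payload: bytes, addr4: Optional[str] = None) -> bytes:
    """Constructed sample frame in the slide's layout; Address 4 only when both DS bits are set."""
    fc = 2 << 2                                   # type 2 = data, subtype 0
    fc |= TO_DS if to_ds else 0
    fc |= FROM_DS if from_ds else 0
    hdr = struct.pack("<HH", fc, 44)              # frame control, duration (NAV in microseconds)
    hdr += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    hdr += struct.pack("<H", 1 << 4)              # sequence control: sequence 1, fragment 0
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("four-address frame needs addr4")
        hdr += mac_bytes(addr4)
    return hdr + payload + b"\x00\x00\x00\x00"    # CRC placeholder


def parse_80211_header(frame: bytes) -> Dict[str, object]:
    """Split a frame into the fields of the figure. Raises on truncated input."""
    if len(frame) < 24 + 4:
        raise ValueError("shorter than the minimum 24-byte header plus 4-byte CRC")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    to_ds, from_ds = bool(fc & TO_DS), bool(fc & FROM_DS)
    hdr: Dict[str, object] = {
        "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
        "to_ds": to_ds, "from_ds": from_ds, "duration": duration,
        "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "seq_ctl": struct.unpack_from("<H", frame, 22)[0], "addr4": None,
    }
    body = 24
    if to_ds and from_ds:                         # four-address (AP-to-AP) frame
        if len(frame) < 30 + 4:
            raise ValueError("four-address frame shorter than 30-byte header plus CRC")
        hdr["addr4"] = mac_str(frame[24:30])
        body = 30
    hdr["payload"], hdr["crc"] = frame[body:-4], frame[-4:]
    return hdr


def ethernet_addresses(hdr: Dict[str, object]) -> Tuple[str, str]:
    """(destination, source) an AP bridging to 802.3 uses, chosen by the DS bits.
    For the slide's host-to-AP case (To DS set) Address 3 is the final destination
    and Address 2 the transmitting host."""
    to_ds, from_ds = hdr["to_ds"], hdr["from_ds"]
    if to_ds and from_ds:
        return hdr["addr3"], hdr["addr4"]
    if to_ds:
        return hdr["addr3"], hdr["addr2"]
    if from_ds:
        return hdr["addr1"], hdr["addr3"]
    return hdr["addr1"], hdr["addr2"]             # ad hoc: Address 3 is the BSSID


H1, AP, R1 = "00-16-6F-11-22-33", "00-0C-41-AA-BB-CC", "00-1B-21-DD-EE-FF"  # constructed


def slide_example() -> Dict[str, object]:
    """H1 sends to R1 through the AP: address 1 = AP, address 2 = H1, address 3 = R1."""
    frame = build_data_frame(True, False, AP, H1, R1, b"IP datagram")
    hdr = parse_80211_header(frame)
    hdr["ethernet"] = ethernet_addresses(hdr)
    return hdr


if __name__ == "__main__":
    h = slide_example()
    print(h["addr1"], h["addr2"], h["addr3"], "->", h["ethernet"])
```

The length checks matter in practice: a header parser that indexes Address 4 or the CRC without first checking the DS bits and the frame length reads past the end of short or deliberately truncated frames.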
Network Security
What is network security? Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks
Dijkstra's Algorithm
Initialization:
  N = {u}
  for all nodes v
    if v adjacent to u
      then D(v) = c(u,v)
      else D(v) = ∞

Loop
  find w not in N such that D(w) is a minimum
  add w to N
  update D(v) for all v adjacent to w and not in N:
    D(v) = min( D(v), D(w) + c(w,v) )
  /* new cost to v is either old cost to v or known
     shortest path cost to w plus cost from w to v */
until all nodes in N

Dijkstra's algorithm example
Step  N        D(v),p(v)  D(w),p(w)  D(x),p(x)  D(y),p(y)  D(z),p(z)
0     u        2,u        5,u        1,u        ∞          ∞
1     ux       2,u        4,x                   2,x        ∞
2     uxy      2,u        3,y                              4,y
3     uxyv                3,y                              4,y
4     uxyvw                                                4,y
5     uxyvwz
[Figure: example network; link costs read from the figure and consistent with the table: u-v 2, u-x 1, u-w 5, v-x 2, v-w 3, x-w 3, x-y 1, w-y 1, w-z 5, y-z 2]
Distance vector algorithm (1)
Basic idea: each node periodically sends its own distance vector estimate to neighbors
When a node x receives new DV estimate from neighbor, it updates its own DV using the Bellman-Ford (B-F) equation:
  Dx(y) <- min_v { c(x,v) + Dv(y) }   for each node y in N, v ranging over x's neighbors
Under minor, natural conditions, the estimate Dx(y) converges to the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative, asynchronous: each local iteration caused by local link cost change or DV update message from neighbor
Distributed: each node notifies neighbors only when its DV changes; neighbors then notify their neighbors if necessary
The algorithm doesn't know the entire path, only the next hop
Each node: wait for (change in local link cost or msg from neighbor)
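Both routing algorithms of this review, run on the same example network, as an added example (illustration code, not the lecture's). It serves the Dijkstra step table above and the distance vector slides: the link costs are the ones read from the figure (an assumption, but they reproduce every entry of the step table), Dijkstra returns the D(v),p(v) columns, and a synchronous round-based distance vector iteration of the Bellman-Ford equation converges to the same costs while, as the slide says, knowing only the next hop.

```python
"""Dijkstra (link state) and distance vector (Bellman-Ford) on the slide's example graph.

Added example; not code from the lecture. The link costs are read from the figure
(an assumption, but they reproduce every entry of the step table above).
"""
from typing import Dict, Optional, Tuple

INF = float("inf")
Graph = Dict[str, Dict[str, int]]

GRAPH: Graph = {
    "u": {"v": 2, "x": 1, "w": 5},
    "v": {"u": 2, "x": 2, "w": 3},
    "x": {"u": 1, "v": 2, "w": 3, "y": 1},
    "w": {"u": 5, "v": 3, "x": 3, "y": 1, "z": 5},
    "y": {"x": 1, "w": 1, "z": 2},
    "z": {"w": 5, "y": 2},
}


def dijkstra(graph: Graph, source: str) -> Tuple[Dict[str, float], Dict[str, Optional[str]]]:
    """Returns D (least cost from source) and p (predecessor on that path), as tabulated above."""
    D = {v: INF for v in graph}
    p: Dict[str, Optional[str]] = {v: None for v in graph}
    D[source] = 0
    N = set()                                        # nodes whose least cost is final
    while len(N) < len(graph):
        w = min((v for v in graph if v not in N), key=lambda v: D[v])  # D(w) minimum, w not in N
        N.add(w)
        for v, c in graph[w].items():                # D(v) = min(D(v), D(w) + c(w,v))
            if v not in N and D[w] + c < D[v]:
                D[v], p[v] = D[w] + c, w
    return D, p


def distance_vector(graph: Graph, max_rounds: int = 100):
    """Synchronous DV: each round every node x recomputes Dx(y) = min_v { c(x,v) + Dv(y) }
    from the vectors its neighbours v advertised last round. Returns (D, next_hop, rounds)."""
    nodes = list(graph)
    D = {x: {y: (0 if x == y else graph[x].get(y, INF)) for y in nodes} for x in nodes}
    next_hop = {x: {y: (y if y in graph[x] else None) for y in nodes} for x in nodes}
    for rounds in range(1, max_rounds + 1):
        received = {x: dict(D[x]) for x in nodes}    # vectors as advertised this round
        changed = False
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                best, via = INF, None
                for v, c in graph[x].items():        # v ranges over x's neighbours only
                    if c + received[v][y] < best:
                        best, via = c + received[v][y], v
                if best < D[x][y]:                   # x records only the next hop, not the path
                    D[x][y], next_hop[x][y], changed = best, via, True
        if not changed:                              # no DV changed anywhere: converged
            return D, next_hop, rounds
    raise RuntimeError("distance vector did not converge")


if __name__ == "__main__":
    D, p = dijkstra(GRAPH, "u")
    dv, nh, rounds = distance_vector(GRAPH)
    for y in GRAPH:
        print(y, "Dijkstra:", D[y], "via", p[y], "| DV:", dv["u"][y], "next hop", nh["u"][y])
    print("DV converged after", rounds, "rounds")
```

Note how u's next hop for w is x under DV while Dijkstra's predecessor of w is y: the two describe the same path u-x-y-w from opposite ends, which is all a distance vector node ever learns about it.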
Why different Intra- and Inter-AS routing? (cont.)
... update traffic
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance
Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links (wired links, wireless links, LANs)
layer-2 packet is a frame, encapsulates datagram
[Figure: nodes connected by links]
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address)
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error links (fiber, some twisted pair); wireless links: high error rates
Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access; access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN, stations 1, 3, 4 have pkt, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
prob that node 1 has success in a slot = p (1-p)^(N-1)
prob that there is a success = N p (1-p)^(N-1)
For max efficiency with N nodes, find p* that maximizes N p (1-p)^(N-1)
For many nodes, take limit of N p* (1-p*)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[Figure: spatial layout of nodes against time; note the role of distance and propagation delay in determining collision probability]
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage
collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting)
CSMA/CD collision detection
[Figure]
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (host, router) on LAN has ARP table
ARP table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out); soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Caveat: nothing in the exchange proves that the replying node owns the IP address it claims; a receiver caches whatever binding arrives. That is the basis of ARP spoofing, one way the packet sniffing and IP spoofing attacks listed under network security are carried out on a switched LAN.
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source host, find router 111.111.111.110; in ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A -- R -- B, with R connecting A's LAN and B's LAN]
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame; R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
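The ARP exchange and the A-via-R walkthrough above, as one added example (illustration code, not the lecture's). It encodes and decodes ARP requests and replies in the RFC 826 wire format, keeps a cache with the 20-minute soft-state timeout from the slide, and builds A's outgoing frame: the frame's destination MAC is the router's, while the IP destination stays B. The router address 111.111.111.110 / E6-E9-00-17-BB-4B is the slide's; A's and B's addresses, the extra host, and the LAN membership table are constructed.

```python
"""ARP on the wire, a soft-state ARP cache, and the A -> R -> B frame walkthrough.

Added example, not code from the lecture. Packet layout follows RFC 826. The router
address 111.111.111.110 / E6-E9-00-17-BB-4B comes from the slide; A's and B's
addresses and the extra host are constructed, and the cache TTL is the slide's 20 min.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(m: str) -> bytes: return bytes(int(x, 16) for x in m.split("-"))
def mac_str(b: bytes) -> str: return "-".join(f"{x:02X}" for x in b)
def ip_bytes(ip: str) -> bytes: return ipaddress.IPv4Address(ip).packed
def ip_str(b: bytes) -> str: return str(ipaddress.IPv4Address(b))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, op, then sha/spa/tha/tpa."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sender_mac)
            + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 28:
        raise ValueError("ARP packet truncated")
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", pkt, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(pkt[8:14]), "sender_ip": ip_str(pkt[14:18]),
            "target_mac": mac_str(pkt[18:24]), "target_ip": ip_str(pkt[24:28])}


class ArpCache:
    """Soft state: an entry vanishes TTL seconds after it was learned unless refreshed."""
    def __init__(self, ttl: float = 20 * 60) -> None:
        self.ttl, self.entries = ttl, {}   # ip -> (mac, expiry time)

    def learn(self, ip: str, mac: str, now: float) -> None:
        # ARP carries no authentication: the cache takes any reply that arrives,
        # which is exactly what ARP spoofing relies on.
        self.entries[ip] = (mac, now + self.ttl)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, expires = entry
        if now >= expires:
            del self.entries[ip]
            return None
        return mac


def resolve(cache: ArpCache, lan: Dict[str, str], my_ip: str, my_mac: str,
            ip: str, now: float) -> Tuple[str, bool]:
    """MAC for ip: cache hit, else broadcast an ARP query on lan (ip -> mac of every node)
    and learn from the unicast reply. Returns (mac, whether a query was sent)."""
    mac = cache.lookup(ip, now)
    if mac is not None:
        return mac, False
    query = parse_arp(build_arp(ARP_REQUEST, my_mac, my_ip, "00-00-00-00-00-00", ip))
    # dest MAC FF-FF-FF-FF-FF-FF: every node sees the query; only the target answers
    owner = lan.get(query["target_ip"])
    if owner is None:
        raise LookupError(f"no node on this LAN owns {ip}")
    reply = parse_arp(build_arp(ARP_REPLY, owner, query["target_ip"],
                                query["sender_mac"], query["sender_ip"]))
    cache.learn(reply["sender_ip"], reply["sender_mac"], now)
    return reply["sender_mac"], True


def next_hop(dst_ip: str, my_ip: str, prefix_len: int, router_ip: str) -> str:
    """Same IP network: deliver directly; otherwise the datagram goes to the router."""
    net = ipaddress.IPv4Network(f"{my_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.IPv4Address(dst_ip) in net else router_ip


def frame_for(dst_ip: str, my_ip: str, my_mac: str, prefix_len: int, router_ip: str,
              cache: ArpCache, lan: Dict[str, str], now: float) -> Dict[str, object]:
    """Link-layer frame A builds: dest MAC is the next hop's, IP dest is still B's."""
    hop = next_hop(dst_ip, my_ip, prefix_len, router_ip)
    hop_mac, queried = resolve(cache, lan, my_ip, my_mac, hop, now)
    return {"dst_mac": hop_mac, "src_mac": my_mac, "ip_src": my_ip, "ip_dst": dst_ip,
            "arp_query_sent": queried}


LAN_A = {  # IP -> MAC of the nodes on A's LAN
    "111.111.111.111": "74-29-9C-E8-FF-55",   # A (constructed)
    "111.111.111.110": "E6-E9-00-17-BB-4B",   # R, interface on A's LAN (slide)
    "111.111.111.112": "CC-49-DE-D0-AB-7D",   # another host on A's LAN (constructed)
}
A_IP, A_MAC, R_IP, B_IP = "111.111.111.111", "74-29-9C-E8-FF-55", "111.111.111.110", "222.222.222.222"

if __name__ == "__main__":
    cache = ArpCache()
    print(frame_for(B_IP, A_IP, A_MAC, 24, R_IP, cache, LAN_A, now=0))
```

Calling frame_for a second time within the TTL returns the same frame without a query; after 20 minutes the entry has expired and the broadcast is repeated, which is the soft-state behaviour the slide describes.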
Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1} (the range stops growing after ten collisions). Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec
Exponential Backoff: goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3} ...
after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
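The backoff rule and the two efficiency formulas, carried through numerically in an added example (illustration code, not the lecture's). It serves the slotted ALOHA efficiency passage above as well as the CSMA/CD slides: the K range after the m-th collision, the wait for K = 1023 at 10 Mbps, the probability that two colliding adapters pick the same K again, N p (1-p)^(N-1) at its maximum p = 1/N approaching 1/e, and 1 / (1 + 5 t_prop / t_trans). The bit rate, frame size and propagation delay at the bottom are constructed inputs.

```python
"""Ethernet exponential backoff and the efficiency formulas from the slotted ALOHA and
CSMA/CD slides, carried through numerically.

Added example, not code from the lecture. The bit rate, frame size and propagation
delay in worked_numbers() are constructed inputs.
"""
import random
from typing import Dict, List, Optional

SLOT_BITS = 512        # backoff unit on the slides: K * 512 bit times
JAM_BITS = 48
MAX_EXPONENT = 10      # after ten collisions K stays in {0, ..., 1023}


def backoff_max_k(m: int) -> int:
    """Largest K after the m-th collision: 2^min(m,10) - 1."""
    if m < 1:
        raise ValueError("m counts collisions and starts at 1")
    return 2 ** min(m, MAX_EXPONENT) - 1


def sample_backoffs(m: int, count: int, seed: int) -> List[int]:
    """count draws of K, each uniform over {0, 1, ..., 2^min(m,10) - 1}."""
    rng = random.Random(seed)
    return [rng.randint(0, backoff_max_k(m)) for _ in range(count)]


def backoff_seconds(k: int, bit_rate: float) -> float:
    """K * 512 bit times; the bit time is 1 / bit_rate (0.1 us at 10 Mbps)."""
    return k * SLOT_BITS / bit_rate


def repeat_collision_probability(m: int) -> float:
    """Two adapters that just collided for the m-th time pick the same K with this
    probability; doubling the range each time is how the wait adapts to the load."""
    return 1 / (backoff_max_k(m) + 1)


def slotted_aloha_efficiency(n: int, p: Optional[float] = None) -> float:
    """N p (1-p)^(N-1); p = 1/N maximises it for fixed N, and the limit for large N is 1/e."""
    if p is None:
        p = 1 / n
    return n * p * (1 - p) ** (n - 1)


def csmacd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1 / (1 + 5 * t_prop / t_trans)


def worked_numbers() -> Dict[str, float]:
    """Constructed inputs: 10 Mbps Ethernet, 1500-byte frame, 25 us max propagation delay."""
    bit_rate = 10e6
    t_trans = 1500 * 8 / bit_rate
    return {
        "k1023_wait_s": backoff_seconds(1023, bit_rate),      # the slide's ~50 ms
        "aloha_limit": slotted_aloha_efficiency(100_000),    # tends to 1/e
        "csmacd_10mbps": csmacd_efficiency(25e-6, t_trans),
        "csmacd_zero_prop": csmacd_efficiency(0.0, t_trans),
    }


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        print(f"collision {m}: K in 0..{backoff_max_k(m)}, sample draws {sample_backoffs(m, 3, m)}")
    for name, value in worked_numbers().items():
        print(f"{name}: {value:.4f}")
```

With a 0.1 microsecond bit time the K = 1023 wait comes out at 1023 * 512 * 0.1 us = 52.4 ms, which is the "about 50 msec" on the slide; with a 1 microsecond bit time it would be ten times that, so the bit time is the figure to get right.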
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links, at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter)
[Figure: hub with twisted-pair links to the attached hosts]
Interconnecting with hubs
Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link Layer: some terminology
hosts and routers are nodes
communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
a layer-2 packet is a frame; it encapsulates a datagram
the data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link
Link Layer Services
Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if the medium is shared; "MAC" addresses used in frame headers to identify source and destination (different from IP addresses)
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links have high error rates
Q: why both link-level and end-to-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
Random Access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle; example: 6-station LAN, stations 1, 3 and 4 have packets, slots 2, 5 and 6 are idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized: only the slots in the nodes need to be in sync; simple
Cons: collisions, wasting slots; idle slots; clock synchronization
Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p
prob that node 1 has success in a slot = p(1-p)^(N-1)
prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find the p that maximizes Np(1-p)^(N-1) (the maximum is at p = 1/N)
For many nodes, take the limit of Np(1-p)^(N-1) at that p as N goes to infinity: gives 1/e = 0.37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of the time
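The efficiency derivation above, carried out numerically as an added example (not code from the lecture): the per-slot success probability Np(1-p)^(N-1), a grid search confirming the maximizing p is 1/N, the value at that p approaching 1/e for large N, and a small Monte Carlo run that reproduces the formula. Function names and the simulation parameters are my own choices.

```python
"""Slotted ALOHA efficiency: N nodes, each sending in a slot with probability p.
Added example, not from the lecture slides."""
import random


def p_node_success(n, p):
    """Probability that a given node succeeds in a slot: it sends and the
    other N-1 nodes stay silent: p (1-p)^(N-1)."""
    return p * (1.0 - p) ** (n - 1)


def p_slot_success(n, p):
    """Probability that the slot carries exactly one frame: N p (1-p)^(N-1)."""
    return n * p_node_success(n, p)


def best_p(n, grid=10_000):
    """Grid search for the p maximizing N p (1-p)^(N-1).
    Setting the derivative to zero gives p = 1/N; the search confirms it."""
    candidates = (i / grid for i in range(1, grid))
    return max(candidates, key=lambda p: p_slot_success(n, p))


def max_efficiency(n):
    """Efficiency at p = 1/N, i.e. (1 - 1/N)^(N-1), which tends to 1/e (about 0.37)."""
    return p_slot_success(n, 1.0 / n)


def simulate(n, p, slots, seed=0):
    """Monte Carlo check: fraction of slots in which exactly one node transmits.
    Deterministic for a given seed."""
    rng = random.Random(seed)
    successful = 0
    for _ in range(slots):
        senders = sum(1 for _ in range(n) if rng.random() < p)
        successful += senders == 1
    return successful / slots
```

`max_efficiency(1000)` already sits within 0.0002 of 1/e, which is the "many nodes" limit the slide quotes as 37%.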
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If the channel is sensed idle, transmit the entire frame; if the channel is sensed busy, defer transmission
Human analogy: don't interrupt others
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission; collision: the entire packet transmission time is wasted
note the role of distance and propagation delay in determining the collision probability
[Figure: spatial layout of nodes; space-time diagram of two overlapping transmissions]
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage
collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting)
[Figure: CSMA/CD collision detection, space-time diagram]
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master)
Token passing: control token passed from one node to the next sequentially; token message; concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min)
Question: how to determine the MAC address of B knowing B's IP address?
[Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table
A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast)
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out); soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from a network administrator
Routing to another LAN
walkthrough: send a datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In the routing table at the source host, find the router 111.111.111.110; in the ARP table at the source, find its MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A on one LAN, router R, B on the other LAN]
A creates a datagram with source A, destination B; A uses ARP to get R's MAC address for 111.111.111.110; A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram
A's adapter sends the frame; R's adapter receives the frame; R removes the IP datagram from the Ethernet frame and sees it is destined to B; R uses ARP to get B's MAC address; R creates a frame containing the A-to-B IP datagram and sends it to B
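The same-LAN ARP exchange and the A-to-B-via-R walkthrough above, as one added example that is not part of the lecture slides: each interface keeps its own soft-state ARP table (the router therefore has one per LAN), a miss triggers a broadcast query answered by a unicast reply, and entries expire after the TTL unless refreshed. The router's address 111.111.111.110 / E6-E9-00-17-BB-4B is the one the slide names; every other IP and MAC address, the /24 prefix length and the class and function names are constructed for this example.

```python
"""ARP soft-state cache, broadcast query / unicast reply, and the A -> R -> B
walkthrough. Added example, not from the lecture slides. Only the router's
111.111.111.110 / E6-E9-00-17-BB-4B comes from the slide; the other addresses
and the /24 prefix length are constructed placeholders."""
import ipaddress

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60   # seconds; slide: mapping typically forgotten after 20 min


class Interface:
    """One IP/MAC pair attached to one LAN, with its own ARP table (soft state)."""
    def __init__(self, ip, mac, lan, prefix_len=24):
        self.ip, self.mac, self.lan = ip, mac, lan
        self.network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        self.arp_table = {}   # ip -> (mac, expiry time)
        lan.attach(self)

    def on_subnet(self, ip):
        return ipaddress.ip_address(ip) in self.network

    def resolve(self, target_ip, now, trace):
        """Return the target's MAC: from the cache while the entry is fresh,
        otherwise by broadcasting an ARP query on this interface's LAN."""
        entry = self.arp_table.get(target_ip)
        if entry and entry[1] > now:
            trace.append(f"{self.ip}: ARP cache hit {target_ip} -> {entry[0]}")
            return entry[0]
        mac = self.lan.arp_query(self, target_ip, trace)
        if mac is None:
            raise LookupError(f"no node with {target_ip} on {self.lan.name}")
        self.arp_table[target_ip] = (mac, now + ARP_TTL)   # cached; expires unless refreshed
        return mac


class Lan:
    """Constructed broadcast domain: every attached interface sees a broadcast."""
    def __init__(self, name):
        self.name, self.ifaces = name, []

    def attach(self, iface):
        self.ifaces.append(iface)

    def arp_query(self, requester, target_ip, trace):
        trace.append(f"{self.name}: {requester.mac} -> {BROADCAST_MAC} who-has {target_ip}")
        for iface in self.ifaces:              # all machines on the LAN receive the query
            if iface.ip == target_ip:          # only the target replies, unicast to the requester
                trace.append(f"{self.name}: {iface.mac} -> {requester.mac} {target_ip} is-at {iface.mac}")
                return iface.mac
        return None


def send_datagram(src, dst_ip, gateway_ip, router_ifaces, now):
    """The slide's walkthrough. Returns the link-layer frames produced, as
    (src MAC, dst MAC, IP src, IP dst) tuples, plus the ARP trace."""
    trace, frames = [], []
    next_hop = dst_ip if src.on_subnet(dst_ip) else gateway_ip   # host routing table lookup
    frames.append((src.mac, src.resolve(next_hop, now, trace), src.ip, dst_ip))
    if next_hop == dst_ip:
        return frames, trace
    # R strips the frame, sees the datagram is for B, and uses the ARP table of the
    # interface facing B's LAN (one ARP table per IP network) to re-frame it
    out = next(i for i in router_ifaces if i.on_subnet(dst_ip))
    frames.append((out.mac, out.resolve(dst_ip, now, trace), src.ip, dst_ip))
    return frames, trace


def demo(now=0):
    lan1, lan2 = Lan("LAN1"), Lan("LAN2")
    a = Interface("111.111.111.111", "AA-AA-AA-00-00-01", lan1)   # constructed host A
    r1 = Interface("111.111.111.110", "E6-E9-00-17-BB-4B", lan1)  # R's LAN1 side, from the slide
    r2 = Interface("222.222.222.220", "AA-AA-AA-00-00-02", lan2)  # constructed R LAN2 side
    b = Interface("222.222.222.222", "AA-AA-AA-00-00-03", lan2)   # constructed host B
    frames, trace = send_datagram(a, b.ip, r1.ip, [r1, r2], now)
    _, trace_soon = send_datagram(a, b.ip, r1.ip, [r1, r2], now + 60)            # cache hits
    _, trace_late = send_datagram(a, b.ip, r1.ip, [r1, r2], now + ARP_TTL + 1)   # both entries expired
    return frames, trace, trace_soon, trace_late
```

The first datagram costs two broadcasts (A resolving R, then R resolving B); the second costs none; after the TTL has elapsed without a refresh both mappings are gone and the broadcasts recur, which is the soft-state behaviour the slide describes.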
Ethernet uses CSMA/CD
No slots
adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, the adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives a datagram from the network layer and creates a frame
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits)
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of the collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec
Exponential Backoff: Goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer
first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3}, ...
after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple and cheap
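The five-step algorithm, the exponential backoff window and the efficiency formula above, as one added example (not code from the lecture). The collision outcomes fed to `send_frame` are a constructed script standing in for the medium; the window is capped at ten collisions as the slide states, and no give-up limit is modelled because the slide names none. Function and constant names are my own.

```python
"""Ethernet CSMA/CD: the 5-step algorithm with exponential backoff, and the
efficiency formula 1 / (1 + 5 t_prop / t_trans). Added example, not from the
lecture slides; the scripted collision outcomes are constructed."""
import random

SLOT_BIT_TIMES = 512        # slide: adapter waits K * 512 bit times
JAM_SIGNAL_BITS = 48        # slide: jam signal is 48 bits
MAX_EXPONENT = 10           # slide: after ten collisions K is drawn from {0, ..., 1023}


def backoff_window(m):
    """Largest K allowed after the m-th collision: 2^min(m, 10) - 1."""
    if m < 1:
        raise ValueError("m counts collisions, starting at 1")
    return 2 ** min(m, MAX_EXPONENT) - 1


def backoff_wait_seconds(k, bit_rate_bps):
    """K * 512 bit times, with bit time = 1 / bit rate (0.1 microsecond at 10 Mbps)."""
    return k * SLOT_BIT_TIMES / bit_rate_bps


def csmacd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans); -> 1 as t_prop -> 0 or t_trans -> inf."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def send_frame(collision_script, seed=0):
    """Run steps 1-5 for one frame. collision_script[i] is True if the i-th
    transmission attempt collides (constructed stand-in for the shared medium).
    Returns (attempts, list of K chosen after each collision, jam bits sent)."""
    rng = random.Random(seed)
    ks, jam_bits, collisions = [], 0, 0
    for attempt, collided in enumerate(collision_script, start=1):
        # step 2: channel sensed idle (assumed by the script), start transmitting
        if not collided:
            return attempt, ks, jam_bits         # step 3: whole frame sent, done
        jam_bits += JAM_SIGNAL_BITS              # step 4: abort and send the jam signal
        collisions += 1
        # step 5: choose K from {0, ..., 2^m - 1}, wait K * 512 bit times, back to step 2
        ks.append(rng.randint(0, backoff_window(collisions)))
    raise RuntimeError("script ended without a successful attempt")


def total_backoff_bit_times(ks):
    """Total time spent in backoff for a frame, in bit times."""
    return sum(k * SLOT_BIT_TIMES for k in ks)
```

With `bit_rate_bps=10_000_000` the maximum backoff `backoff_wait_seconds(1023, ...)` comes out at 52.4 ms, the "about 50 msec" on the slide; `csmacd_efficiency` reproduces the two limits stated there.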
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub, adapters detect collisions; provides network management functionality: can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMA/CD
No slots.
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
Before attempting a retransmission, adapter waits a random time, that is, random access.
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.
Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; under heavy load the random wait will be longer.
First collision: choose K from {0, 1}; delay is K * 512 bit transmission times.
After second collision: choose K from {0, 1, 2, 3}, ...
After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.
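Steps 1 to 5 and the backoff arithmetic, as an added example (not code from the slides). The 512-bit-time unit, the 48-bit jam, the cap at ten collisions and the 0.1 microsecond bit time at 10 Mbps are the slides' figures; the 16-attempt give-up limit is standard Ethernet behaviour assumed here, not stated on the slides, and the slot-level simulation with its seeded random generator is constructed.

```python
import random

SLOT_BIT_TIMES = 512   # slides: adapter waits K * 512 bit times
JAM_BITS = 48          # slides: jam signal is 48 bits
MAX_EXPONENT = 10      # slides: after ten collisions K is drawn from 0..1023
ATTEMPT_LIMIT = 16     # assumed: classic Ethernet gives up after 16 collisions


def backoff_choices(m):
    """Size of {0, 1, ..., 2^min(m,10) - 1}, the set K is drawn from after collision m."""
    if m < 1:
        raise ValueError("m counts this frame's collisions, starting at 1")
    return 2 ** min(m, MAX_EXPONENT)


def choose_k(m, rng=None):
    return (rng or random).randrange(backoff_choices(m))


def wait_bit_times(k):
    return k * SLOT_BIT_TIMES


def bit_time_seconds(rate_bps):
    """One bit time: 0.1 microsecond at 10 Mbps."""
    return 1.0 / rate_bps


def wait_seconds(k, rate_bps=10_000_000):
    return wait_bit_times(k) * bit_time_seconds(rate_bps)


def simulate(n_adapters, frame_slots, seed=0):
    """Slot-level CSMA/CD model of steps 1-5; time is counted in 512-bit slots.

    Every adapter has one frame ready at slot 0. An adapter whose backoff has
    run out while the channel is busy waits for it to go idle (step 2). All
    adapters that start in the same slot collide, abort, jam and back off
    (steps 4-5). Returns (collisions per adapter, event list)."""
    rng = random.Random(seed)
    ready = [0] * n_adapters        # slot at which each adapter next tries
    collisions = [0] * n_adapters
    done = [False] * n_adapters
    channel_free_at = 0
    events = []
    while not all(done):
        pending = [i for i in range(n_adapters) if not done[i]]
        t = max(min(ready[i] for i in pending), channel_free_at)
        starters = [i for i in pending if ready[i] <= t]  # all sense idle, all start
        if len(starters) == 1:
            i = starters[0]
            done[i] = True
            channel_free_at = t + frame_slots
            events.append(("sent", i, t))
            continue
        for i in starters:
            collisions[i] += 1
            if collisions[i] > ATTEMPT_LIMIT:
                raise RuntimeError(f"adapter {i} gave up after {ATTEMPT_LIMIT} collisions")
            k = choose_k(collisions[i], rng)
            ready[i] = t + 1 + k    # abort and jam use this slot, then wait K slots
            events.append(("collision", i, t, collisions[i], k))
        channel_free_at = t + 1     # the collided slot is wasted
    return collisions, events


if __name__ == "__main__":
    print(f"K=1023 at 10 Mbps waits {wait_seconds(1023) * 1e3:.1f} ms")
    cols, evs = simulate(3, frame_slots=3, seed=7)
    for e in evs:
        print(e)
    print("collisions per adapter:", cols)
```

With two adapters both ready at slot 0 the first event is always a collision; `wait_seconds(1023)` comes out at 52.4 ms, which is the "about 50 msec" on the slide.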
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub, adapters detect collisions; provides net management functionality (e.g., can disconnect a malfunctioning adapter).
(figure: hosts on twisted pair connected to a hub)
Interconnecting with hubs
Pros:
Enables interdepartmental communication.
Extends max distance between nodes.
If a hub malfunctions, the backbone hub can disconnect it.
Cons:
Collision domains are merged into one large common domain.
Cannot interconnect 10BaseT and 100BaseT hubs.
(figure: three hubs connected through a backbone hub)
Switch
Link layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC dest address; when frame is to be forwarded on segment, uses CSMA/CD to access segment.
Transparent: hosts are unaware of presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
How to determine onto which LAN segment to forward frame? Looks like a routing problem.
(figure: three hubs on switch interfaces 1, 2 and 3)
Self learning
A switch has a switch table; entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when frame received, switch "learns" location of sender: incoming LAN segment; records sender/location pair in switch table.
Switch: traffic isolation
Switch installation breaks subnet into LAN segments.
Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
(figure: three hubs on a switch, each hub's segment its own collision domain)
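Self-learning, filtering and flooding in one place, as an added example (not code from the slides). The (MAC, interface, time stamp) table and the 60 minute TTL are from the slides; interface ids 1, 2 and 3 follow the figure, and the frame sequence is constructed. The `moves` list is an added operational check: a MAC that shows up on a different interface is re-learned there, and that is something a network operator usually wants logged.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

TABLE_TTL_SECONDS = 60 * 60  # slides: stale entries dropped, TTL can be 60 min
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"


@dataclass(frozen=True)
class Frame:
    src: str      # sender MAC
    dst: str      # destination MAC
    iface: int    # interface (LAN segment) the frame arrived on
    time: float   # arrival time in seconds


class LearningSwitch:
    """Self-learning switch: table of (MAC address, interface, time stamp)."""

    def __init__(self, interfaces):
        self.interfaces = tuple(interfaces)
        self.table: Dict[str, Tuple[int, float]] = {}  # mac -> (iface, last seen)
        self.moves: List[Tuple[str, int, int]] = []    # mac seen on a new interface

    def expire(self, now):
        """Drop stale entries; a host silent that long is re-learned by flooding."""
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > TABLE_TTL_SECONDS:
                del self.table[mac]

    def learn(self, frame):
        """The sender is reachable through the interface the frame came in on."""
        old = self.table.get(frame.src)
        if old is not None and old[0] != frame.iface:
            self.moves.append((frame.src, old[0], frame.iface))
        self.table[frame.src] = (frame.iface, frame.time)

    def handle(self, frame):
        """Return the list of interfaces the frame is sent out on."""
        self.expire(frame.time)
        self.learn(frame)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST_MAC or entry is None:
            return [i for i in self.interfaces if i != frame.iface]  # flood
        out_iface = entry[0]
        if out_iface == frame.iface:
            return []  # same-LAN-segment frame: filtered, not forwarded
        return [out_iface]  # forwarded selectively; other segments never see it
```

Run the constructed sequence in order: A on segment 1 talks to an unknown B (flooded), B answers from segment 2 (forwarded to 1 only), C on segment 1 talks to A (filtered), and a frame from A to B after more than an hour of silence from B is flooded again because B's entry aged out.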
Switches vs Routers
Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
update traffic
Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.
Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs.
Layer-2 packet is a frame, encapsulates datagram.
(figure: "link" between adjacent nodes)
Data-link layer has responsibility of transferring datagram from one node to adjacent node over a link.
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header, trailer; channel access if shared medium; "MAC" addresses used in frame headers to identify source, dest (different from IP address!).
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit error link (fiber, some twisted pair); wireless links: high error rates.
Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use.
Random Access: channel not divided, allow collisions; "recover" from collisions.
"Taking turns": nodes take turns, but nodes with more to send can take longer turns.
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access; access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle. Example: 6-station LAN; 1, 3, 4 have pkt; slots 2, 5, 6 idle.
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros: single active node can continuously transmit at full rate of channel; highly decentralized: only slots in nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p.
Prob that node 1 has success in a slot = p(1-p)^(N-1)
Prob that there is a success = Np(1-p)^(N-1)
For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1).
For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity: gives 1/e = .37.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of time!
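The slotted ALOHA optimisation just described and the CSMA/CD efficiency formula from the earlier slide (efficiency = 1 / (1 + 5 t_prop / t_trans)), carried through numerically as an added example (not code from the slides). The closed-form maximiser p = 1/N is derived in the docstring and cross-checked by a grid search; the 1518-byte frame, 2.5 km span and 2e8 m/s signal speed used for the CSMA/CD rows are assumptions of this example, not figures from the slides.

```python
def slotted_aloha_success(n, p):
    """P(exactly one of N nodes transmits in a slot) = N p (1-p)^(N-1)."""
    return n * p * (1 - p) ** (n - 1)


def slotted_aloha_best_p(n):
    """Closed-form maximiser of N p (1-p)^(N-1).

    d/dp [N p (1-p)^(N-1)] = N (1-p)^(N-2) [(1-p) - (N-1) p], which is zero
    for 0 < p < 1 exactly when p = 1/N."""
    return 1.0 / n


def slotted_aloha_best_p_numeric(n, steps=1000):
    """Grid search over p in (0, 1), as a check on the closed form."""
    grid = [i / steps for i in range(1, steps)]
    return max(grid, key=lambda p: slotted_aloha_success(n, p))


def slotted_aloha_max_efficiency(n):
    """(1 - 1/N)^(N-1) at p = 1/N; tends to 1/e, about 0.37, as N grows."""
    return slotted_aloha_success(n, slotted_aloha_best_p(n))


def csma_cd_efficiency(t_prop, t_trans):
    """Slides' approximation: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    if t_prop < 0 or t_trans <= 0:
        raise ValueError("t_prop must be >= 0 and t_trans > 0")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def ethernet_timings(rate_bps, span_m, frame_bits=12144, speed_mps=2e8):
    """(t_prop, t_trans) for a LAN of the given span.

    Assumed, not from the slides: a 1518-byte max frame (12144 bits) and a
    signal speed of 2e8 m/s."""
    return span_m / speed_mps, frame_bits / rate_bps


def efficiency_report():
    """Rows of (label, efficiency) from which the slides' conclusions can be read."""
    rows = [(f"slotted ALOHA, N={n}", slotted_aloha_max_efficiency(n))
            for n in (2, 10, 100, 1000)]
    for rate in (10_000_000, 100_000_000, 1_000_000_000):
        t_prop, t_trans = ethernet_timings(rate, span_m=2500)
        rows.append((f"CSMA/CD, {rate // 1_000_000} Mbps over 2.5 km",
                     csma_cd_efficiency(t_prop, t_trans)))
    return rows


if __name__ == "__main__":
    for label, eff in efficiency_report():
        print(f"{label:36s} {eff:.3f}")
```

The report shows both limits from the slides at once: slotted ALOHA's best case falls from 0.5 at N=2 towards 0.37 as N grows, and CSMA/CD's efficiency drops as the bit rate rises because t_trans shrinks while t_prop, set by the cable, stays the same.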
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission.
Human analogy: don't interrupt others!
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.
(figure: spatial layout of nodes; note the role of distance & propagation delay in determining collision probability)
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).
(figure: CSMA/CD collision detection)
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to next sequentially; token message; concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table.
ARP Table: IP/MAC address mappings for some LAN nodes: < IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min).
Question: how to determine MAC address of B knowing B's IP address?
(figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88)
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address; Dest MAC address = FF-FF-FF-FF-FF-FF; all machines on LAN receive ARP query.
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted and received signals
- difficult in wireless LANs: receiver shut off while transmitting
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to the next sequentially. Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B, knowing B's IP address?
[figure: LAN with four nodes; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
- A broadcasts an ARP query packet containing B's IP address; destination MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query
- B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast)
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): "soft state", information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find router 111.111.111.110; in the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
- A creates a datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram
- A's adapter sends the frame; R's adapter receives the frame
- R removes the IP datagram from the Ethernet frame, sees it is destined to B
- R uses ARP to get B's MAC address
- R creates a frame containing the A-to-B IP datagram, sends it to B
[figure: A and B on two LANs joined by router R]
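An ARP table with soft-state entries and the "which address do I resolve?" step of the walkthrough above, as an added example that is not part of the lecture slides. The 20 min TTL, R's address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slides; the subnet mask, A's and B's addresses, B's MAC and the clock values are assumed.

```python
"""Added example (not from the lecture slides): an ARP table with soft-state
entries that expire after the TTL unless refreshed, and the first decision of
the A-to-B-via-R walkthrough (which IP the sender must resolve). The 20 min
TTL, R's address 111.111.111.110 and MAC E6-E9-00-17-BB-4B are the slides';
the subnet mask, A's and B's addresses and the clock values are assumed."""
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional, Tuple

ARP_TTL_SECONDS = 20 * 60   # "typically 20 min"


class ArpTable:
    """Entries <IP address; MAC address; TTL>, kept only until they time out."""

    def __init__(self, ttl: float = ARP_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._entries: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, expires_at)
        self.changed: List[Tuple[str, str, str]] = []      # (ip, old_mac, new_mac)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if now >= expires_at:          # soft state: forgotten once the TTL lapses
            del self._entries[ip]
            return None
        return mac

    def learn(self, ip: str, mac: str, now: float) -> None:
        """Cache the IP-to-MAC pair from an ARP reply, refreshing its TTL.
        ARP replies are not authenticated, so a reply that changes a still-live
        mapping is recorded for the operator to review instead of being
        accepted silently (a defender's check, not part of ARP itself)."""
        mac = mac.upper()
        old = self.lookup(ip, now)
        if old is not None and old != mac:
            self.changed.append((ip, old, mac))
        self._entries[ip] = (mac, now + self.ttl)


def next_hop_ip(src_ip: str, netmask: str, dst_ip: str, router_ip: str) -> str:
    """IP whose MAC the sender asks ARP for: the destination itself when it is
    on the same LAN, otherwise the first-hop router (slide walkthrough)."""
    lan = IPv4Network(f"{src_ip}/{netmask}", strict=False)
    return dst_ip if IPv4Address(dst_ip) in lan else router_ip


def resolve(table: ArpTable, ip: str, now: float,
            answer_from_lan: Callable[[str], str]) -> str:
    """Table hit, or else 'broadcast' an ARP query; answer_from_lan stands in
    for the LAN and returns the MAC carried in the target's unicast reply."""
    mac = table.lookup(ip, now)
    if mac is None:
        mac = answer_from_lan(ip)
        table.learn(ip, mac, now)
    return mac


def walkthrough(now: float = 0.0) -> dict:
    """The slide's A-to-B-via-R sequence: A resolves R (not B) and frames the
    datagram to R's MAC; R sees the datagram is for B and resolves B itself."""
    a_ip, a_mask = "111.111.111.111", "255.255.255.0"      # assumed
    b_ip, b_mac = "222.222.222.222", "AA-BB-CC-DD-EE-01"   # assumed / constructed
    r_ip, r_mac = "111.111.111.110", "E6-E9-00-17-BB-4B"   # from the slide
    a_table, r_table_b_side = ArpTable(), ArpTable()        # R keeps one table per LAN
    a_lan = {r_ip: r_mac}.__getitem__                       # constructed LAN replies
    b_lan = {b_ip: b_mac}.__getitem__
    target = next_hop_ip(a_ip, a_mask, b_ip, r_ip)
    frame1_dst = resolve(a_table, target, now, a_lan)
    frame2_dst = resolve(r_table_b_side, b_ip, now, b_lan)
    return {"a_resolves": target, "frame1_dst_mac": frame1_dst,
            "frame2_dst_mac": frame2_dst,
            "a_cached_r": a_table.lookup(r_ip, now + 60)}


if __name__ == "__main__":
    print(walkthrough())
```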
Ethernet uses CSMA/CD
- No slots
- an adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- a transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- before attempting a retransmission, the adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the m-th collision, the adapter chooses K at random from {0, 1, 2, ..., 2^m - 1}. The adapter waits K * 512 bit times and returns to step 2.
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, the wait time is about 50 msec.
Exponential backoff
- Goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer
- first collision: choose K from {0, 1}; the delay is K * 512 bit transmission times
- after the second collision: choose K from {0, 1, 2, 3} ...
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in the LAN
t_trans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
- efficiency goes to 1 as t_prop goes to 0
- goes to 1 as t_trans goes to infinity
- much better than ALOHA, but still decentralized, simple, and cheap
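The backoff part of the CSMA/CD algorithm (steps 2 to 5 above) together with the efficiency formula, as an added example that is not part of the lecture slides. The 512 bit times, the cap at K = 1023, the 48-bit jam and the 10 Mbps bit time are the slides' own numbers; the collision schedule fed to the simulation is constructed.

```python
"""Added example (not from the lecture slides): exponential backoff in Ethernet
CSMA/CD (steps 2-5 of the slide algorithm) and the CSMA/CD efficiency formula.
512 bit times, the 0..1023 cap, the 48-bit jam and the 10 Mbps bit time are the
slides' numbers; the collision schedule given to send_frame is constructed."""
import random
from typing import Iterable, Tuple

SLOT_BIT_TIMES = 512        # one backoff unit is 512 bit times
MAX_BACKOFF_EXPONENT = 10   # after ten or more collisions K is drawn from 0..1023
JAM_BITS = 48


def backoff_range(m: int) -> Tuple[int, int]:
    """Inclusive range of K after the m-th collision: {0, ..., 2^min(m,10) - 1}."""
    if m < 1:
        raise ValueError("backoff only happens after at least one collision")
    return 0, 2 ** min(m, MAX_BACKOFF_EXPONENT) - 1


def bit_time_seconds(rate_bps: float) -> float:
    """10 Mbps gives 0.1 microsecond per bit."""
    return 1.0 / rate_bps


def wait_seconds(k: int, rate_bps: float) -> float:
    """Step 5: wait K * 512 bit times; K = 1023 at 10 Mbps is about 52 ms."""
    return k * SLOT_BIT_TIMES * bit_time_seconds(rate_bps)


def send_frame(collides_on_attempt: Iterable[bool], seed: int = 0) -> dict:
    """Run steps 2-5 for one frame.  collides_on_attempt[i] says whether the
    i-th transmission attempt collides (a constructed schedule standing in for
    what the adapter would detect on the wire); the seeded RNG draws K."""
    rng = random.Random(seed)
    collisions = 0
    wait_bit_times = 0
    jam_bits_sent = 0
    for collided in collides_on_attempt:
        if not collided:                           # step 3: whole frame went out
            return {"attempts": collisions + 1, "collisions": collisions,
                    "wait_bit_times": wait_bit_times, "jam_bits": jam_bits_sent}
        collisions += 1                            # step 4: abort and jam
        jam_bits_sent += JAM_BITS
        lo, hi = backoff_range(collisions)         # step 5: exponential backoff
        wait_bit_times += rng.randint(lo, hi) * SLOT_BIT_TIMES
    raise RuntimeError("constructed schedule ended without a successful attempt")


def csmacd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slide formula: efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    print(send_frame([True, True, False], seed=7))
    print(f"{wait_seconds(1023, 10_000_000) * 1e3:.1f} ms max wait at 10 Mbps")
```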
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides net management functionality: can disconnect a malfunctioning adapter
[figure: hub with twisted-pair links]
Interconnecting with hubs
Pros:
- enables interdepartmental communication
- extends the max distance between nodes
- if a hub malfunctions, the backbone hub can disconnect it
Cons:
- collision domains are combined into one large common domain
- cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub interconnecting three departmental hubs]
Switch
Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem...
[figure: switch with interfaces 1, 2, 3, each connected to a hub]
Self learning
A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp). Stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table.
Switch: traffic isolation
Switch installation breaks the subnet into LAN segments; the switch filters packets:
- same-LAN-segment frames are not usually forwarded onto other LAN segments
- segments become separate collision domains
[figure: switch with three hubs, each hub's segment a separate collision domain]
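A self-learning switch table with the filter/forward decision that produces the traffic isolation described above, as an added example that is not part of the lecture slides. The (MAC address, interface, time stamp) entries, the 60 min TTL and the three interfaces follow the slides; the hosts, MAC addresses and frame sequence are constructed.

```python
"""Added example (not from the lecture slides): a self-learning switch table
with (MAC address, interface, time stamp) entries, 60 min aging, and the
filter/forward decision that gives traffic isolation.  Hosts, MACs and the
frame sequence are constructed; the three interfaces mirror the slide figure."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TABLE_TTL_SECONDS = 60 * 60          # "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str


class LearningSwitch:
    def __init__(self, interfaces: Iterable[int], ttl: float = TABLE_TTL_SECONDS) -> None:
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table: Dict[str, Tuple[int, float]] = {}   # mac -> (interface, time stamp)

    def _drop_stale(self, now: float) -> None:
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen >= self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, frame: Frame, in_iface: int, now: float) -> List[int]:
        """Return the interfaces the frame is sent out on ([] means filtered)."""
        self._drop_stale(now)
        # Self-learning: the sender is reachable via the segment the frame came
        # in on.  This is taken from the source address alone; the switch has
        # no way to verify it, which is why the table is soft state with a TTL.
        self.table[frame.src_mac] = (in_iface, now)
        others = [i for i in self.interfaces if i != in_iface]
        if frame.dst_mac == BROADCAST:
            return others                      # broadcast: every other segment
        entry = self.table.get(frame.dst_mac)
        if entry is None:
            return others                      # unknown destination: flood
        out_iface, _ = entry
        if out_iface == in_iface:
            return []                          # same-LAN-segment frame: filter
        return [out_iface]                     # selectively forward


def run_demo() -> List[List[int]]:
    """Constructed scenario: hosts A and B hang off the hub on interface 1,
    host C off the hub on interface 2; interface 3 has no talking hosts."""
    sw = LearningSwitch([1, 2, 3])
    a, b, c = "AA-AA-AA-00-00-01", "AA-AA-AA-00-00-02", "AA-AA-AA-00-00-03"
    steps = [   # (frame, incoming interface, time in seconds)
        (Frame(a, c), 1, 0),       # C unknown -> flood to 2 and 3; learn A@1
        (Frame(c, a), 2, 1),       # learn C@2; A known @1 -> forward to 1 only
        (Frame(a, b), 1, 2),       # B unknown -> flood
        (Frame(b, a), 1, 3),       # learn B@1; A on the same segment -> filtered
        (Frame(a, b), 1, 4),       # both on segment 1 -> filtered (isolation)
        (Frame(a, c), 1, 3700),    # C's entry aged out (60 min) -> flood again
    ]
    return [sw.receive(frame, iface, t) for frame, iface, t in steps]


if __name__ == "__main__":
    for out in run_demo():
        print(out)
```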
Switches vs Routers
Both are store-and-forward devices: routers are network-layer devices (they examine network-layer headers); switches are link-layer devices.
... update traffic. Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
Framing, link access:
- encapsulate the datagram into a frame, adding header and trailer
- channel access if the medium is shared
- "MAC" addresses used in frame headers to identify source and destination (different from IP addresses!)
Reliable delivery between adjacent nodes:
- we learned how to do this already (chapter 3)
- seldom used on low bit-error links (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
...update traffic
Performance:
- Intra-AS: can focus on performance
- Inter-AS: policy may dominate over performance
Data Link Layer
Some terminology:
- hosts and routers are nodes
- communication channels that connect adjacent nodes along communication path are links: wired links, wireless links, LANs
- layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
Framing, link access:
- encapsulate datagram into frame, adding header, trailer
- channel access if shared medium
- "MAC" addresses used in frame headers to identify source, dest (different from IP address!)
Reliable delivery between adjacent nodes
- we learned how to do this already (chapter 3)!
- seldom used on low bit-error link (fiber, some twisted pair)
- wireless links: high error rates
- Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
Channel Partitioning
- divide channel into smaller "pieces" (time slots, frequency, code)
- allocate piece to node for exclusive use
Random Access
- channel not divided, allow collisions
- "recover" from collisions
"Taking turns"
- Nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to channel in "rounds"
- each station gets fixed length slot (length = pkt trans time) in each round
- unused slots go idle
- example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success = Np(1-p)^(N-1)
- For max efficiency with N nodes, find p that maximizes Np(1-p)^(N-1)
- For many nodes, take limit of Np(1-p)^(N-1) as N goes to infinity, gives 1/e = .37
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit
- If channel sensed idle: transmit entire frame
- If channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[figure: spatial layout of nodes; space-time diagram of two overlapping transmissions]
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
[figure: CSMA/CD collision detection, space-time diagram]
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL >
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[figure: LAN with four nodes; IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88; MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table
A broadcasts ARP query packet, containing B's IP address
- Dest MAC address = FF-FF-FF-FF-FF-FF
- all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
- frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
- soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc
[figure: A --- R --- B, two LANs joined by router R]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
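The ARP exchange above, as an added example that is not part of the slides: Python code that encodes and decodes the 28-byte Ethernet/IPv4 ARP packet (RFC 826 field layout), models the < IP; MAC; TTL > cache with the slides' 20-minute TTL, and runs A's query against a simulated LAN so that both sides' messages are visible (broadcast request, unicast reply, cache miss, cache hit, expiry). The IP and MAC addresses are those on the slide's LAN figure, but the pairing of IPs to MACs is constructed for the example; the names Host, ArpCache and resolve are the example's own. The same resolve step is what router R performs on its second interface in the walkthrough. One caveat the code makes visible: the cache records whichever reply answers the query, because nothing in ARP authenticates the responder; that is the cost of being plug-and-play.

```python
"""ARP request/reply and a soft-state ARP cache (added example, not from the slides)."""
import struct

BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
UNKNOWN_MAC = "00-00-00-00-00-00"
OP_REQUEST, OP_REPLY = 1, 2
# RFC 826 layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split("-"))


def bytes_to_mac(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet (htype 1) / IPv4 (ptype 0x0800) ARP packet, 28 bytes."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


class ArpCache:
    """< IP address; MAC address; TTL > entries: soft state, forgotten after the TTL."""

    def __init__(self, ttl_seconds: float = 20 * 60):
        self.ttl = ttl_seconds
        self.entries: dict[str, tuple[str, float]] = {}   # ip -> (mac, expiry time)

    def lookup(self, ip: str, now: float):
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, expiry = hit
        if now >= expiry:
            del self.entries[ip]      # timed out: entry goes away unless refreshed
            return None
        return mac

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now + self.ttl)


class Host:
    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.cache = ArpCache()

    def handle_arp(self, pkt: bytes):
        """Responder side: answer a request for our own IP with a unicast reply to the asker."""
        q = parse_arp(pkt)
        if q["op"] == OP_REQUEST and q["target_ip"] == self.ip:
            reply = build_arp(OP_REPLY, self.mac, self.ip, q["sender_mac"], q["sender_ip"])
            return q["sender_mac"], reply       # frame destination is A's MAC (unicast)
        return None


def resolve(a: Host, target_ip: str, lan: list, now: float) -> tuple[str, list[str]]:
    """Requester side: return the target's MAC plus the frame destinations used to get it."""
    trace: list[str] = []
    mac = a.cache.lookup(target_ip, now)
    if mac is not None:
        return mac, trace                       # cache hit: no ARP traffic at all
    query = build_arp(OP_REQUEST, a.mac, a.ip, UNKNOWN_MAC, target_ip)
    trace.append(BROADCAST_MAC)                 # every machine on the LAN receives the query
    for host in lan:
        if host is a:
            continue
        answer = host.handle_arp(query)
        if answer is not None:
            dst_mac, reply = answer
            trace.append(dst_mac)
            r = parse_arp(reply)
            a.cache.learn(r["sender_ip"], r["sender_mac"], now)   # accepted without verification
            return r["sender_mac"], trace
    raise LookupError(f"no host on the LAN answered for {target_ip}")


def demo() -> dict:
    # Addresses from the slide's LAN figure; the IP/MAC pairing is constructed for this example.
    a = Host("237.196.7.23", "71-65-F7-2B-08-53")
    b = Host("237.196.7.78", "1A-2F-BB-76-09-AD")
    c = Host("237.196.7.14", "58-23-D7-FA-20-B0")
    lan = [a, b, c]
    mac1, first = resolve(a, b.ip, lan, now=0)          # miss: broadcast query, unicast reply
    mac2, cached = resolve(a, b.ip, lan, now=60)        # hit: nothing sent
    mac3, after_ttl = resolve(a, b.ip, lan, now=21 * 60)  # 20-min TTL elapsed: query again
    return {"mac": mac1, "first": first, "cached": cached, "after_ttl": after_ttl,
            "consistent": mac1 == mac2 == mac3}


if __name__ == "__main__":
    print(demo())
```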
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame!
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0,1,2,…,2^m-1}. Adapter waits K·512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
- heavy load: random wait will be longer
- first collision: choose K from {0,1}; delay is K·512 bit transmission times
- after second collision: choose K from {0,1,2,3}…
- after ten collisions, choose K from {0,1,2,3,4,…,1023}
CSMA/CD efficiency
t_prop = max prop delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
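The slotted ALOHA efficiency derivation and the Ethernet CSMA/CD efficiency and backoff figures above, as one added worked example in Python (not code from the slides): it evaluates Np(1-p)^(N-1), finds the maximising p and checks the 1/e limit, computes 1/(1 + 5 t_prop/t_trans), and builds the backoff range {0,…,2^m-1} with the K·512 bit-time wait, reproducing the "about 50 msec" figure for K=1023 at 10 Mbps. The function names are the example's own; capping the backoff exponent at 10, so the range stays 0..1023 beyond the tenth collision, is standard Ethernet behaviour that the slides do not state.

```python
"""Slotted ALOHA and CSMA/CD efficiency plus Ethernet exponential backoff
(added example, not from the slides)."""
import math
import random


def aloha_success_prob(n: int, p: float) -> float:
    """P(exactly one of n nodes transmits in a slot) = n p (1-p)^(n-1)."""
    return n * p * (1 - p) ** (n - 1)


def aloha_optimal_p(n: int) -> float:
    """Setting d/dp [n p (1-p)^(n-1)] = 0 gives p* = 1/n."""
    return 1.0 / n


def aloha_max_efficiency(n: int) -> float:
    """Efficiency at p* = 1/n is (1 - 1/n)^(n-1), which tends to 1/e ~ 0.37 as n grows."""
    return aloha_success_prob(n, aloha_optimal_p(n))


def csmacd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slide formula: efficiency = 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def backoff_range(m: int) -> range:
    """After the m-th collision K is drawn from {0, 1, ..., 2^m - 1}. The exponent is
    capped at 10 (standard Ethernet, not stated on the slides), so the range never
    grows past 0..1023."""
    if m < 1:
        raise ValueError("backoff starts after the first collision (m >= 1)")
    return range(0, 2 ** min(m, 10))


def backoff_wait_seconds(k: int, bit_rate_bps: float) -> float:
    """Wait K * 512 bit times; one bit time is 1 / bit_rate seconds (0.1 us at 10 Mbps)."""
    return k * 512 / bit_rate_bps


def simulate_backoff(collisions: int, rng: random.Random) -> list[int]:
    """Draw one K per successive collision, widening the range each time as the adapter does."""
    return [rng.choice(backoff_range(m)) for m in range(1, collisions + 1)]


if __name__ == "__main__":
    for n in (2, 10, 100, 1000):
        print(f"slotted ALOHA, N={n}: p*={aloha_optimal_p(n):.4f}, "
              f"efficiency={aloha_max_efficiency(n):.4f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
    # 10 Mbps Ethernet, t_trans for a 1500-byte frame = 1.2 ms; t_prop of 25.6 us (2.56 km) as a sample
    print(f"CSMA/CD efficiency = {csmacd_efficiency(25.6e-6, 1.2e-3):.4f}")
    print(f"K=1023 at 10 Mbps waits {backoff_wait_seconds(1023, 10e6) * 1e3:.1f} ms")
    print("sample backoff draws:", simulate_backoff(12, random.Random(7)))
```

The worked numbers make the trade-off in the slides concrete: ALOHA tops out near 37% however many nodes contend, whereas CSMA/CD approaches 100% as frames get long relative to the propagation delay, and the backoff schedule is what spreads retransmissions out under heavy load.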
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMA/CD
No slots
An adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
A transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, the adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives a datagram from the network layer and creates a frame
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits)
5. After aborting, the adapter enters exponential backoff: after the m-th collision the adapter chooses K at random from {0, 1, 2, …, 2^m − 1}. The adapter waits K·512 bit times and returns to step 2
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits
Bit time: 0.1 microseconds for 10 Mbps Ethernet; for K = 1023 the wait time is about 50 msec (1023 × 512 × 0.1 µs ≈ 52 ms)
Exponential backoff
Goal: adapt retransmission attempts to the estimated current load; under heavy load the random wait will be longer
First collision: choose K from {0, 1}; the delay is K·512 bit transmission times
After the second collision: choose K from {0, 1, 2, 3}
After ten collisions: choose K from {0, 1, 2, 3, 4, …, 1023}
CSMA/CD efficiency
t_prop = max propagation delay between two nodes in the LAN
t_trans = time to transmit a max-size frame
$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple and cheap
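The backoff rule, the bit-time arithmetic and the efficiency formula above, in code, together with a small contention simulation. This is an added example, not lecture code: the slot and jam sizes and the 10 Mbps bit time are those on the slides; the simulation (slot-synchronous, one frame per adapter, 12,000-bit frames, seeded random choices) is a simplification constructed here to show the retry loop of steps 2 to 5 rather than an accurate Ethernet model.

```python
"""Ethernet CSMA/CD: binary exponential backoff and channel efficiency.

Added example (not lecture code). Time is counted in bit times; 10 Mbps gives
0.1 us per bit. The contention simulation is a constructed simplification.
"""
import random

SLOT_BITS = 512          # backoff unit: the adapter waits K * 512 bit times
JAM_BITS = 48            # jam signal sent on collision
MAX_EXPONENT = 10        # K drawn from {0 .. 2^min(m, 10) - 1}: range caps at 1023


def backoff_range(m):
    """Candidate K values after the m-th collision."""
    return range(2 ** min(m, MAX_EXPONENT))


def backoff_seconds(k, rate_bps=10_000_000):
    """Wall-clock wait for a chosen K at the given link rate."""
    return k * SLOT_BITS / rate_bps


def efficiency(t_prop, t_trans):
    """Long-run fraction of useful time: 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def simulate(n_adapters, frame_bits=12_000, seed=0):
    """Run n_adapters, each with one frame, until every frame has been sent.

    Returns a list of (collisions_suffered, finish_time_in_bit_times) per adapter.
    All adapters start ready at time 0, so with n_adapters > 1 they collide first.
    """
    rng = random.Random(seed)
    ready = [0] * n_adapters          # earliest bit time each adapter may try again
    collisions = [0] * n_adapters
    done = [None] * n_adapters
    while any(d is None for d in done):
        pending = [i for i in range(n_adapters) if done[i] is None]
        t = min(ready[i] for i in pending)
        contenders = [i for i in pending if ready[i] == t]
        if len(contenders) == 1:
            # step 3: the lone transmitter completes its frame
            i = contenders[0]
            done[i] = (collisions[i], t + frame_bits)
            for j in pending:             # step 2: others sense carrier and defer
                if j != i and ready[j] < t + frame_bits:
                    ready[j] = t + frame_bits
        else:
            # steps 4-5: abort, jam, then back off by a fresh random K each
            for i in contenders:
                collisions[i] += 1
                k = rng.choice(backoff_range(collisions[i]))
                ready[i] = t + JAM_BITS + k * SLOT_BITS
    return done


if __name__ == "__main__":
    print(f"K range after 3 collisions: 0..{len(backoff_range(3)) - 1}")
    print(f"K=1023 at 10 Mbps waits {backoff_seconds(1023) * 1e3:.1f} ms")
    print(f"efficiency(t_prop=1, t_trans=20) = {efficiency(1, 20):.3f}")
    for i, (c, t) in enumerate(simulate(4, seed=1)):
        print(f"adapter {i}: {c} collision(s), finished at bit time {t}")
```

Each successful transmission occupies the channel exclusively, so finish times are distinct; under the simulation's assumptions every adapter that starts alongside others records at least one collision before it gets through.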
Hubs
Hubs are essentially physical-layer repeaters
Bits coming from one link go out on all other links at the same rate
No frame buffering
No CSMA/CD at the hub: adapters detect collisions
Provides network management functionality, e.g. can disconnect a malfunctioning adapter
Note that because every bit is repeated to every port, each host on a hub sees every frame on the segment, not only the frames addressed to it
[Figure: hosts attached to a hub over twisted pair]
Interconnecting with hubs
Pros
Enables interdepartmental communication
Extends the max distance between nodes
If a hub malfunctions, the backbone hub can disconnect it
Cons
Individual collision domains are merged into one large common collision domain
Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: a backbone hub interconnecting department hubs]
Switch: link-layer device
Stores and forwards Ethernet frames
Examines the frame header and selectively forwards the frame based on the MAC destination address
When a frame is to be forwarded on a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches
Plug-and-play, self-learning: switches do not need to be configured
Forwarding
How to determine onto which LAN segment to forward a frame? Looks like a routing problem
[Figure: a switch with interfaces 1, 2 and 3, each attached to a hub]
Self-learning
A switch has a switch table; an entry in the switch table is (MAC address, interface, time stamp)
Stale entries in the table are dropped (TTL can be 60 min)
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in its switch table
The table is built from the source addresses of whatever frames arrive; the switch has no way to verify that a source MAC really belongs on the interface it was seen on
Switch: traffic isolation
Switch installation breaks the subnet into LAN segments
The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
Segments become separate collision domains
[Figure: a switch connecting three hubs, each hub forming its own collision domain]
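The self-learning and filtering behaviour above as a small switch model. This is an added example, not lecture code: the 60-minute aging TTL is the value on the slides; the frame type, the interface numbers and the traffic in `scenario()` are constructed here. Standard switch behaviour not spelled out on the slides, and assumed here, is that a frame whose destination is not yet in the table is flooded out of every interface except the one it arrived on.

```python
"""Self-learning switch: table of (MAC, interface, time stamp) with aging.

Added example (not lecture code). Frames, interface numbers and traffic
below are constructed for the demonstration.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
FLOOD, FORWARD, FILTER = "flood", "forward", "filter"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class LearningSwitch:
    def __init__(self, interfaces, ttl=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl                  # seconds before an unrefreshed entry is dropped
        self.table = {}                 # mac -> (interface, last_seen)

    def _age_out(self, now):
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.ttl]
        for mac in stale:
            del self.table[mac]

    def handle(self, frame, in_iface, now):
        """Learn from the source, then decide what to do with the frame.

        Returns (action, out_interfaces).
        """
        self._age_out(now)
        # Learning: the source MAC is recorded against the incoming interface
        # exactly as received; nothing checks that the claim is genuine.
        self.table[frame.src] = (in_iface, now)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # unknown or broadcast destination: flood everywhere but the ingress
            return FLOOD, [i for i in self.interfaces if i != in_iface]
        out_iface = entry[0]
        if out_iface == in_iface:
            # same LAN segment: the hub already delivered it, so filter (drop)
            return FILTER, []
        return FORWARD, [out_iface]


def scenario():
    """Constructed traffic on a 3-port switch; times are seconds."""
    sw = LearningSwitch([1, 2, 3])
    results = [
        sw.handle(Frame("aa", "bb"), 1, now=0),     # bb unknown: flood to 2 and 3
        sw.handle(Frame("bb", "aa"), 2, now=1),     # aa learned on 1: forward to 1
        sw.handle(Frame("cc", "aa"), 1, now=2),     # aa is on the same segment: filter
        sw.handle(Frame("aa", "bb"), 1, now=3602),  # bb's entry aged out: flood again
    ]
    return results, dict(sw.table)


if __name__ == "__main__":
    actions, table = scenario()
    for a in actions:
        print(a)
    print(table)
```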
Switches vs. routers
Both are store-and-forward devices
Routers are network-layer devices (they examine network-layer headers); switches are link-layer devices
(Fragment from the routing review, intra- vs. inter-AS routing:) … update traffic. Performance: intra-AS routing can focus on performance; in inter-AS routing, policy may dominate over performance
Data Link Layer
Some terminology
Hosts and routers are nodes
Communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
A layer-2 packet is a frame; it encapsulates a datagram
[Figure: nodes joined by "links"]
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link
Link layer services
Framing, link access: encapsulate the datagram into a frame, adding header and trailer; channel access if the medium is shared; "MAC" addresses are used in frame headers to identify source and destination, and are different from IP addresses
Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); wireless links have high error rates
Q: why both link-level and end-to-end reliability?
MAC protocols: a taxonomy
Three broad classes
Channel partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
Random access: the channel is not divided, collisions are allowed; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel partitioning MAC protocols: TDMA
TDMA (time division multiple access): access to the channel in "rounds"; each station gets a fixed-length slot (length = packet transmission time) in each round; unused slots go idle
Example: 6-station LAN; stations 1, 3 and 4 have packets, slots 2, 5 and 6 are idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros
A single active node can continuously transmit at the full rate of the channel
Highly decentralized: only the slots in the nodes need to be in sync
Simple
Cons
Collisions, wasting slots
Idle slots
Clock synchronization
Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p
Probability that node 1 has success in a slot $= p(1-p)^{N-1}$
Probability that there is a success $= Np(1-p)^{N-1}$
For max efficiency with N nodes, find the p* that maximizes $Np(1-p)^{N-1}$
For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity: gives $1/e \approx 0.37$
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best, the channel is used for useful transmissions 37% of the time
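The efficiency derivation above carried through numerically: the per-slot success probability $Np(1-p)^{N-1}$, its maximizer (the calculus answer is $p^* = 1/N$, found here by a grid search), the value at the maximizer approaching $1/e$, and a seeded Monte-Carlo run of the slotted model for comparison. This is an added example, not lecture code; the node counts, slot counts and seed are constructed here.

```python
"""Slotted ALOHA efficiency: N p (1-p)^(N-1), its maximizer, and a simulation.

Added example (not lecture code). Parameters below are constructed.
"""
import math
import random


def success_prob(n, p):
    """P(exactly one of n nodes transmits in a slot) = n p (1-p)^(n-1)."""
    return n * p * (1 - p) ** (n - 1)


def best_p(n, grid=10_000):
    """Grid-search maximizer of success_prob over p in (0, 1); equals 1/n."""
    return max((i / grid for i in range(1, grid)), key=lambda p: success_prob(n, p))


def max_efficiency(n):
    """Efficiency at p = 1/n, i.e. (1 - 1/n)^(n-1), which tends to 1/e."""
    return success_prob(n, 1 / n)


def simulate(n, p, slots=20_000, seed=0):
    """Fraction of slots with exactly one transmitter, each node sending w.p. p."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        if transmitters == 1:
            successes += 1
    return successes / slots


if __name__ == "__main__":
    for n in (2, 5, 10, 100, 1000):
        print(f"N={n:5d}: p*={best_p(n):.4f}  max efficiency={max_efficiency(n):.4f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
    print(f"simulated, N=10, p=0.1: {simulate(10, 0.1):.4f}")
```

The simulated fraction sits within sampling error of $(1 - 1/N)^{N-1}$, and the grid search lands on $1/N$ for every N, which is what differentiating $Np(1-p)^{N-1}$ and setting the derivative to zero gives.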
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit
If the channel is sensed idle, transmit the entire frame
If the channel is sensed busy, defer transmission
Human analogy: don't interrupt others
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission
Collision: the entire packet transmission time is wasted
[Figure: space-time diagram of two nodes colliding; the spatial layout of the nodes matters]
Note the role of distance and propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA
Collisions are detected within a short time
Colliding transmissions are aborted, reducing channel wastage
Collision detection: easy in wired LANs, measure signal strengths, compare transmitted and received signals; difficult in wireless LANs, where the receiver is shut off while transmitting
[Figure: CSMA/CD collision detection]
"Taking turns" MAC protocols
Polling: a master node "invites" slave nodes to transmit in turn; concerns: polling overhead, latency, single point of failure (the master)
Token passing: a control token is passed from one node to the next sequentially; token message; concerns: token overhead, latency, single point of failure (the token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If channel sensed idle, transmit entire frame. If channel sensed busy, defer transmission.
Human analogy: don't interrupt others.
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission. Collision: entire packet transmission time wasted.
(Figure: spatial layout of nodes.)
Note: role of distance & propagation delay in determining collision probability.
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).
CSMA/CD collision detection (figure)
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (host, router) on a LAN has an ARP table.
ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B knowing B's IP address?
(Figure: LAN with four nodes, IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.)
ARP protocol: same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet and replies to A with its (B's) MAC address; the frame is sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state, information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
(Figure: hosts A and B connected through router R.)
A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as destination; the frame contains the A-to-B IP datagram. A's adapter sends the frame. R's adapter receives the frame. R removes the IP datagram from the Ethernet frame and sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram and sends it to B.
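The same-LAN exchange and the A-to-R-to-B walkthrough, as an added simulation that is not part of the lecture: 111.111.111.110 and E6-E9-00-17-BB-4B are taken from the slide, all other IP and MAC addresses are constructed placeholders, and the clock is injected so the 20-minute soft-state timeout can be exercised.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_interface, ip_network

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60  # seconds; the slide says a mapping is forgotten after ~20 min
# kind: "ARP-query" | "ARP-reply" | "IP"; payload: (sender_ip, target_ip) for ARP,
# (src_ip, dst_ip) for IP, so the datagram keeps its IP addresses hop after hop.
Frame = namedtuple("Frame", "src_mac dst_mac kind payload")


class ArpTable:
    """Soft state <IP, MAC, expiry>: an entry is forgotten once its TTL runs out."""
    def __init__(self, clock):
        self.clock, self.entries = clock, {}

    def lookup(self, ip):
        mac, expiry = self.entries.get(ip, (None, 0))
        if mac and expiry > self.clock():
            return mac
        self.entries.pop(ip, None)  # expired or absent: the node must re-ARP
        return None

    def learn(self, ip, mac):
        self.entries[ip] = (mac, self.clock() + ARP_TTL)


class Lan:
    """Broadcast medium: every attached adapter sees every frame; log is the wire trace."""
    def __init__(self, name):
        self.name, self.ifaces, self.log = name, [], []

    def send(self, frame):
        self.log.append((self.name, frame))
        for iface in list(self.ifaces):
            if frame.dst_mac in (BROADCAST, iface.mac):
                iface.receive(frame)


class Interface:
    def __init__(self, node, cidr, mac, lan, clock):
        self.node, self.mac, self.lan, self.addr = node, mac, lan, ip_interface(cidr)
        self.arp = ArpTable(clock)
        lan.ifaces.append(self)
        node.ifaces.append(self)

    def resolve(self, ip):
        """ARP: cache hit, else broadcast a query and let the owner reply unicast."""
        mac = self.arp.lookup(ip)
        if mac is None:
            self.lan.send(Frame(self.mac, BROADCAST, "ARP-query", (str(self.addr.ip), ip)))
            mac = self.arp.lookup(ip)  # the reply, if the target exists, arrived synchronously
        return mac

    def receive(self, frame):
        sender_ip, target_ip = frame.payload
        if frame.kind == "ARP-query" and target_ip == str(self.addr.ip):
            self.lan.send(Frame(self.mac, frame.src_mac, "ARP-reply", (target_ip, sender_ip)))
        elif frame.kind == "ARP-reply":
            self.arp.learn(sender_ip, frame.src_mac)
        elif frame.kind == "IP":
            self.node.deliver(frame.payload, self)


class Node:
    """Host or router; routes are (network, next_hop, iface), next_hop None = on-link."""
    def __init__(self, name):
        self.name, self.ifaces, self.routes, self.received = name, [], [], []

    def forward(self, datagram):
        dst = ip_address(datagram[1])
        for net, next_hop, iface in self.routes:
            if dst in ip_network(net):
                break
        else:
            raise LookupError(f"{self.name}: no route to {dst}")
        mac = iface.resolve(next_hop or str(dst))
        if mac is None:
            raise LookupError(f"{self.name}: no ARP reply for {next_hop or dst}")
        iface.lan.send(Frame(iface.mac, mac, "IP", datagram))

    def deliver(self, datagram, iface):
        if datagram[1] == str(iface.addr.ip):
            self.received.append(datagram)
        elif len(self.ifaces) > 1:  # a router: the datagram is in transit, forward it
            self.forward(datagram)


def build_and_send(clock):
    """A --LAN1-- R --LAN2-- B. 111.111.111.110 and E6-E9-00-17-BB-4B come from the slide;
    every other address is a constructed placeholder. Sends one A-to-B datagram."""
    lan1, lan2 = Lan("LAN1"), Lan("LAN2")
    a, r, b = Node("A"), Node("R"), Node("B")
    ia = Interface(a, "111.111.111.111/24", "74-29-9C-E8-FF-55", lan1, clock)
    ir1 = Interface(r, "111.111.111.110/24", "E6-E9-00-17-BB-4B", lan1, clock)
    ir2 = Interface(r, "222.222.222.220/24", "1A-23-F9-CD-06-9B", lan2, clock)
    Interface(b, "222.222.222.222/24", "49-BD-D2-C7-56-2A", lan2, clock)
    a.routes = [("111.111.111.0/24", None, ia), ("0.0.0.0/0", "111.111.111.110", ia)]
    r.routes = [("111.111.111.0/24", None, ir1), ("222.222.222.0/24", None, ir2)]
    a.forward(("111.111.111.111", "222.222.222.222"))
    return lan1, lan2, a, b
```

Calling build_and_send(lambda: 0) and printing lan1.log + lan2.log shows three frames per LAN (broadcast query, unicast reply, IP frame) with the MAC addresses changing at R while the datagram's IP addresses stay the same; advancing the clock past ARP_TTL makes A's lookup for R return None, so the next datagram triggers a fresh query.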
Ethernet uses CSMA/CD
No slots. An adapter doesn't transmit if it senses that some other adapter is transmitting: that is carrier sense. A transmitting adapter aborts when it senses that another adapter is transmitting: that is collision detection. Before attempting a retransmission, the adapter waits a random time: that is random access.
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame.
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. Adapter waits K·512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec.
Exponential Backoff: Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer. First collision: choose K from {0, 1}; delay is K·512 bit transmission times. After second collision: choose K from {0, 1, 2, 3}. After ten collisions: choose K from {0, 1, 2, 3, 4, …, 1023}.
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple and cheap.
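An added Python example (not from the slides) that implements steps 2 to 5 of the algorithm as a slotted toy model, the capped backoff range, the K·512 bit-time wait at 10 Mbps (K=1023 gives roughly 52 ms) and the efficiency formula 1/(1 + 5 t_prop/t_trans); the slot model is a simplification assumed here, not the 802.3 timing.

```python
import random

SLOT_BITS = 512            # backoff unit from the slide: K * 512 bit times
MAX_EXPONENT = 10          # after ten collisions K stays in {0..1023}
BIT_TIME_US_10MBPS = 0.1   # one bit at 10 Mb/s lasts 0.1 microseconds


def backoff_max(m):
    """Largest K allowed after the m-th consecutive collision: 2^min(m,10) - 1."""
    if m < 1:
        raise ValueError("m counts collisions of this frame, starting at 1")
    return 2 ** min(m, MAX_EXPONENT) - 1


def choose_k(m, rng):
    """Step 5: K drawn uniformly from {0, 1, ..., 2^m - 1}, capped at 1023."""
    return rng.randint(0, backoff_max(m))


def wait_time_us(k, bit_time_us=BIT_TIME_US_10MBPS):
    """K * 512 bit times expressed in microseconds."""
    return k * SLOT_BITS * bit_time_us


def csma_cd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans); any consistent time unit."""
    if t_trans <= 0:
        raise ValueError("t_trans must be positive")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def resolve_contention(n_stations, seed=7, max_slots=1_000_000):
    """Toy slotted model of steps 2-5: every station has a frame ready at slot 0.
    One transmitter in a slot is a success (that station is done); several is a
    collision, and each participant bumps its collision count and redraws K.
    Returns ({station: slot in which it succeeded}, max collisions any station saw)."""
    rng = random.Random(seed)
    collisions = dict.fromkeys(range(n_stations), 0)
    timer = dict.fromkeys(range(n_stations), 0)  # backoff slots left before retrying
    success_slot = {}
    for slot in range(max_slots):
        ready = [s for s, left in timer.items() if left == 0]
        if len(ready) == 1:
            success_slot[ready[0]] = slot
            del timer[ready[0]]
        else:
            for s in ready:  # collision: abort, jam, back off over a larger range
                collisions[s] += 1
                timer[s] = choose_k(collisions[s], rng)
        for s in timer:
            if timer[s] > 0:
                timer[s] -= 1
        if not timer:
            break
    return success_slot, max(collisions.values(), default=0)


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 16):
        print(f"after collision {m:2d}: K in 0..{backoff_max(m)}")
    print(f"K=1023 at 10 Mb/s waits {wait_time_us(1023) / 1000:.1f} ms")
    for ratio in (0.0, 0.01, 0.1, 1.0):
        print(f"t_prop/t_trans={ratio:<4} efficiency={csma_cd_efficiency(ratio, 1.0):.3f}")
    done, worst = resolve_contention(8)
    print(f"8 stations all sent by slot {max(done.values())}, worst station saw {worst} collisions")
```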
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub, adapters detect collisions; provides net management functionality (can disconnect a malfunctioning adapter).
(Figure: hub with twisted-pair links.)
Interconnecting with hubs
Pros: enables interdepartmental communication; extends max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: collision domains are merged into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
(Figure: three hubs connected to a backbone hub.)
Switch: link layer device
Stores and forwards Ethernet frames: examines frame header and selectively forwards frame based on MAC dest address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
How to determine onto which LAN segment to forward the frame? Looks like a routing problem.
(Figure: switch with interfaces 1, 2, 3, each attached to a hub.)
Self learning
A switch has a switch table. Entry in switch table: (MAC Address, Interface, Time Stamp); stale entries in table dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when a frame is received, switch "learns" the location of the sender (incoming LAN segment) and records the sender/location pair in the switch table.
Switch: traffic isolation
Switch installation breaks subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
(Figure: switch connecting three hubs, each hub forming its own collision domain.)
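The switch table logic above, as an added Python example not taken from the lecture: a three-interface switch that learns from source MACs, forwards selectively, floods unknown destinations, filters same-segment traffic and ages entries out after the 60-minute TTL; the MAC addresses in the demo are constructed.

```python
from dataclasses import dataclass

SWITCH_TTL = 60 * 60  # seconds; slide: stale entries dropped, TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str


class LearningSwitch:
    """Switch table: MAC -> (interface, time stamp). Learns from source MACs,
    forwards selectively, floods unknown destinations, filters same-segment frames."""

    def __init__(self, interfaces, clock, ttl=SWITCH_TTL):
        self.interfaces = list(interfaces)
        self.clock, self.ttl, self.table = clock, ttl, {}

    def _expire(self):
        """Drop stale entries: a host may have moved, so old locations must not stick."""
        now = self.clock()
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.ttl]:
            del self.table[mac]

    def handle(self, frame, in_iface):
        """Returns the interfaces the frame goes out on; [] means it was filtered."""
        self._expire()
        # self-learning: the sender is reachable via the segment the frame came in on
        self.table[frame.src_mac] = (in_iface, self.clock())
        if frame.dst_mac == BROADCAST:
            return [i for i in self.interfaces if i != in_iface]
        known = self.table.get(frame.dst_mac)
        if known is None:                 # unknown destination: flood all other segments
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = known
        if out_iface == in_iface:         # same segment: the hub already delivered it
            return []
        return [out_iface]                # selective forwarding to one segment


def demo(clock):
    """Three constructed hosts on a 3-port switch (A and C share the hub on port 1)."""
    sw = LearningSwitch([1, 2, 3], clock)
    a, b, c = "AA-AA-AA-00-00-01", "BB-BB-BB-00-00-02", "CC-CC-CC-00-00-03"
    trace = [
        sw.handle(Frame(a, b), 1),  # B unknown: flood to ports 2 and 3, learn A on 1
        sw.handle(Frame(b, a), 2),  # A known on port 1: forward there only, learn B on 2
        sw.handle(Frame(c, a), 1),  # C and A share port 1: filter
    ]
    return sw, trace


if __name__ == "__main__":
    now = [0]
    sw, trace = demo(lambda: now[0])
    print("forwarding decisions:", trace)          # [[2, 3], [1], []]
    now[0] = SWITCH_TTL + 1                          # every entry is now stale
    print("after TTL, frame to B:", sw.handle(Frame("AA-AA-AA-00-00-01", "BB-BB-BB-00-00-02"), 1))
```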
Switches vs Routers
Both store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
update traffic. Performance: Intra-AS can focus on performance; Inter-AS: policy may dominate over performance.
Data Link Layer
Some terminology: hosts and routers are nodes; communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs.
A layer-2 packet is a frame; it encapsulates a datagram.
(Figure: two nodes joined by a "link".)
The data-link layer has responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
Framing, link access: encapsulate datagram into frame, adding header and trailer.
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
update trafficPerformance Intra-AS can focus on performance Inter-AS policy may dominate over performance
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
[...] update traffic
Performance: Intra-AS: can focus on performance; Inter-AS: policy may dominate over performance
Data Link Layer: some terminology
- hosts and routers are nodes
- communication channels that connect adjacent nodes along the communication path are links: wired links, wireless links, LANs
- a layer-2 packet is a frame; it encapsulates a datagram
The data-link layer has the responsibility of transferring a datagram from one node to an adjacent node over a link.
Link Layer Services
- Framing, link access: encapsulate the datagram into a frame, adding a header and trailer; channel access if the medium is shared; "MAC" addresses used in frame headers to identify source and destination (different from IP addresses)
- Reliable delivery between adjacent nodes: we learned how to do this already (chapter 3); seldom used on low bit-error links (fiber, some twisted pair); used on wireless links, which have high error rates
- Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
- Channel Partitioning: divide the channel into smaller "pieces" (time slots, frequency, code); allocate a piece to a node for exclusive use
- Random Access: channel not divided, collisions allowed; "recover" from collisions
- "Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
- access to the channel in "rounds"
- each station gets a fixed-length slot (length = packet transmission time) in each round
- unused slots go idle
- example: 6-station LAN, stations 1, 3, 4 have packets, slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low-duty-cycle users and at light load.
FDM (Frequency Division Multiplexing): frequency subdivided.
Slotted ALOHA
Pros:
- a single active node can continuously transmit at the full rate of the channel
- highly decentralized: only the slots in the nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted ALOHA efficiency
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
- Suppose N nodes with many frames to send, each transmitting in a slot with probability p
- prob that node 1 has success in a slot = p(1-p)^(N-1)
- prob that there is a success (exactly one node transmits) = Np(1-p)^(N-1)
- For max efficiency with N nodes, find the p* that maximizes Np(1-p)^(N-1)
- For many nodes, take the limit of Np*(1-p*)^(N-1) as N goes to infinity: gives 1/e = 0.37
At best: the channel is used for useful transmissions 37% of the time!
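The maximization and the 1/e limit above, carried out numerically. This is an added example, not code from the original slides; it uses only the slide's formula Np(1-p)^(N-1), and the function names are this example's own:

```python
import math


def p_success(n: int, p: float) -> float:
    """Probability that a slot is a success: exactly one of n saturated nodes transmits, n*p*(1-p)^(n-1)."""
    return n * p * (1.0 - p) ** (n - 1)


def best_p(n: int, grid: int = 10_000) -> float:
    """Grid search for the p in (0, 1) maximising p_success(n, p); calculus says the answer is 1/n."""
    return max((k / grid for k in range(1, grid)), key=lambda p: p_success(n, p))


def max_efficiency(n: int) -> float:
    """Long-run fraction of useful slots with n nodes at p = 1/n; tends to 1/e as n grows."""
    return p_success(n, 1.0 / n)


def efficiency_curve(ns):
    """(n, max efficiency) pairs, rounded for display."""
    return [(n, round(max_efficiency(n), 4)) for n in ns]


if __name__ == "__main__":
    for n, eff in efficiency_curve([2, 3, 10, 100, 10_000]):
        print(f"N={n:6d}  p*=1/N={1/n:.5f}  efficiency={eff:.4f}")
    print(f"limit as N -> infinity: 1/e = {1/math.e:.4f}")
```

With two nodes the best you can do is half the slots; the curve falls quickly toward 0.368 and is already within 0.002 of it at N = 100.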
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit.
- If the channel is sensed idle: transmit the entire frame
- If the channel is sensed busy: defer transmission
Human analogy: don't interrupt others!
CSMA collisions
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: the entire packet transmission time is wasted
- note: role of distance and propagation delay in determining collision probability
[Figure: spatial layout of nodes, with a space-time diagram of two transmissions overlapping]
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing and deferral as in CSMA
- collisions detected within a short time
- colliding transmissions aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted and received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: space-time diagram showing the collision being detected and both transmissions aborted]
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to the next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine the MAC address of B knowing B's IP address?
- Each IP node (host, router) on a LAN has an ARP table
- ARP table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
- TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min)
[Figure: a LAN of four nodes with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53]
ARP protocol: same LAN (network)
- A wants to send a datagram to B, and B's MAC address is not in A's ARP table
- A broadcasts an ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query
- B receives the ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast)
- A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out): soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
- Two ARP tables in router R, one for each IP network (LAN)
- In the routing table at the source host, find router 111.111.111.110
- In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
- A creates a datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates a link-layer frame with R's MAC address as dest; the frame contains the A-to-B IP datagram
- A's adapter sends the frame
- R's adapter receives the frame
- R removes the IP datagram from the Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates a frame containing the A-to-B IP datagram, sends to B
[Figure: A on one LAN, B on another, connected through router R]
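The two ARP slides above (same-LAN resolution, then the A-to-B walkthrough through router R) as one runnable simulation. It is an added example, not code from the original page. It assumes a simplified Ethernet-style LAN with no frame types, keeps one soft-state ARP table per interface (so R has two), and uses the slide's 111.111.111.110 / E6-E9-00-17-BB-4B for R; the other IP and MAC addresses, the fake clock, and the class and function names are constructed for the example:

```python
from collections import namedtuple
from types import SimpleNamespace

ARP_TTL_S = 20 * 60               # slide: a cached mapping is forgotten after about 20 minutes
BROADCAST = "FF-FF-FF-FF-FF-FF"

# Message and interface records (constructed for this example).
ArpPacket = namedtuple("ArpPacket", "op sender_ip sender_mac target_ip")   # op: "request" or "reply"
IpDatagram = namedtuple("IpDatagram", "src_ip dst_ip data")
Frame = namedtuple("Frame", "dst_mac src_mac payload")                      # payload: ArpPacket or IpDatagram
Iface = namedtuple("Iface", "node lan ip mac arp")


class ArpTable:
    """Soft state <IP, MAC, expiry>: an entry goes away after TTL unless refreshed."""
    def __init__(self, clock, ttl=ARP_TTL_S):
        self.clock, self.ttl, self.entries = clock, ttl, {}

    def lookup(self, ip):
        mac, expires = self.entries.get(ip, (None, 0.0))
        if expires > self.clock.now:
            return mac
        self.entries.pop(ip, None)                         # timed out, or never learned
        return None

    def learn(self, ip, mac):
        self.entries[ip] = (mac, self.clock.now + self.ttl)


class Lan:
    """Broadcast segment: every adapter sees every frame and keeps those for its MAC or FF-FF-FF-FF-FF-FF."""
    def __init__(self):
        self.ifaces, self.frames = [], []

    def send(self, frame):
        self.frames.append(frame)
        for iface in list(self.ifaces):
            if frame.dst_mac in (iface.mac, BROADCAST):
                iface.node.receive(iface, frame)


def network(ip):
    return ip.rsplit(".", 1)[0]                            # /24 prefix; enough for this topology


class Node:
    def __init__(self, clock, forwards=False):
        self.clock, self.forwards, self.routes, self.delivered = clock, forwards, {}, []

    def add_iface(self, lan, ip, mac):
        iface = Iface(self, lan, ip, mac, ArpTable(self.clock))   # one ARP table per attached IP network
        lan.ifaces.append(iface)
        self.routes[network(ip)] = (iface, None)           # directly attached: next hop is the host itself
        return iface

    def set_default_route(self, iface, next_hop_ip):
        self.routes["default"] = (iface, next_hop_ip)

    def resolve(self, iface, ip):
        if iface.arp.lookup(ip) is None:                   # not cached: broadcast a query; the reply fills the cache
            query = ArpPacket("request", iface.ip, iface.mac, ip)
            iface.lan.send(Frame(BROADCAST, iface.mac, query))
        return iface.arp.lookup(ip)

    def send_ip(self, dgram):
        iface, next_hop = self.routes.get(network(dgram.dst_ip)) or self.routes["default"]
        dst_mac = self.resolve(iface, next_hop or dgram.dst_ip)   # frame is addressed to the next hop's MAC
        iface.lan.send(Frame(dst_mac, iface.mac, dgram))

    def receive(self, iface, frame):
        p = frame.payload
        if isinstance(p, ArpPacket) and p.target_ip == iface.ip:
            iface.arp.learn(p.sender_ip, p.sender_mac)     # believed as-is: nothing in ARP authenticates it
            if p.op == "request":
                reply = ArpPacket("reply", iface.ip, iface.mac, p.sender_ip)
                iface.lan.send(Frame(p.sender_mac, iface.mac, reply))   # unicast back to the asker
        elif isinstance(p, IpDatagram):
            if p.dst_ip == iface.ip:
                self.delivered.append(p)
            elif self.forwards:
                self.send_ip(p)                            # router: route on IP, then ARP again on the other LAN


def walkthrough():
    """The slide's A -> R -> B scenario. R's 111.111.111.110 / E6-E9-00-17-BB-4B come from the slide;
    every other address is constructed for this example."""
    clock, lan1, lan2 = SimpleNamespace(now=0.0), Lan(), Lan()
    a, r, b = Node(clock), Node(clock, forwards=True), Node(clock)
    a_if = a.add_iface(lan1, "111.111.111.111", "74-29-9C-E8-FF-55")
    r.add_iface(lan1, "111.111.111.110", "E6-E9-00-17-BB-4B")
    r.add_iface(lan2, "222.222.222.220", "1A-23-F9-CD-06-9B")
    b.add_iface(lan2, "222.222.222.222", "49-BD-D2-C7-56-2A")
    a.set_default_route(a_if, "111.111.111.110")
    a.send_ip(IpDatagram("111.111.111.111", "222.222.222.222", b"hello"))
    trace = [(f.dst_mac, type(f.payload).__name__) for f in lan1.frames + lan2.frames]
    clock.now += ARP_TTL_S + 1                             # every cached mapping has now timed out
    a.send_ip(IpDatagram("111.111.111.111", "222.222.222.222", b"again"))
    return trace, len(lan1.frames), [(d.src_ip, d.dst_ip, d.data) for d in b.delivered]
```

The trace shows the destination MAC address changing hop by hop (broadcast query, unicast reply, then R's MAC on the first LAN; the same pattern with B's MAC on the second) while the IP addresses inside the datagram never change. After the clock is advanced past the TTL, the second datagram triggers a fresh query on each LAN. Note what the receive path does with a reply: it writes the sender's pair straight into the cache, because ARP as described above carries nothing that would let the receiver check it.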
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from the network layer and creates a frame
2. If adapter senses channel idle, it starts to transmit the frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If adapter detects another transmission while transmitting, aborts and sends a jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the mth collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
- Jam signal: make sure all other transmitters are aware of the collision; 48 bits
- Bit time: 0.1 microsec for 10 Mbps Ethernet (one bit at 10 Mbps); for K = 1023 the wait of K * 512 bit times is about 50 msec
Exponential backoff:
- Goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3} ...
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
- t_prop = max propagation delay between 2 nodes in the LAN
- t_trans = time to transmit a max-size frame
efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
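An added example (not code from the original slides) that implements steps 2-5 of the algorithm above, the exponential backoff ranges, the slide's efficiency approximation, and checks the "about 50 msec" figure for K = 1023 at 10 Mbps. The 16-attempt limit is IEEE 802.3's rule and is not stated on the slide; the collision oracle, the 2.5 km / 1500-byte numbers in the demo, and all function names are constructed for this example:

```python
import random

BIT_RATE = 10_000_000          # 10 Mbps Ethernet, the slide's parameters
BIT_TIME = 1.0 / BIT_RATE      # 0.1 microsecond per bit
SLOT_BITS = 512                # backoff unit: K * 512 bit times
JAM_BITS = 48
BACKOFF_LIMIT = 10             # K's range stops growing after the 10th collision (K in 0..1023)
ATTEMPT_LIMIT = 16             # IEEE 802.3's attempt limit; not on the slide, taken from the standard


def k_range(m):
    """Number of values K can take after the m-th collision: 2^min(m, 10), i.e. the set {0, ..., 2^m - 1}."""
    if m < 1:
        raise ValueError("m is the collision count, starting at 1")
    return 2 ** min(m, BACKOFF_LIMIT)


def backoff_time(k, bit_time=BIT_TIME):
    """Seconds an adapter waits for backoff value K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time


def worst_case_backoff(bit_time=BIT_TIME):
    """K = 1023 at 10 Mbps: 1023 * 512 * 0.1 us = 52.4 ms, the slide's 'about 50 msec'."""
    return backoff_time(k_range(BACKOFF_LIMIT) - 1, bit_time)


def csma_cd_efficiency(t_prop, t_trans):
    """The slide's approximation: efficiency = 1 / (1 + 5 * t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def transmit(frame_bits, collides, rng=None):
    """Run steps 2-5 of the slide's algorithm for one frame.

    collides(attempt) -> True means another transmission was detected during that attempt.
    Returns (delivered, collisions, total_backoff_seconds, bits_put_on_wire); the partial
    frame sent before each abort is not modelled, only the 48-bit jam.
    """
    rng = rng or random.Random(0)
    collisions, waited, wire_bits = 0, 0.0, 0
    for attempt in range(1, ATTEMPT_LIMIT + 1):
        if not collides(attempt):                  # step 3: whole frame went out undisturbed
            return True, collisions, waited, wire_bits + frame_bits
        collisions += 1                            # step 4: abort and jam
        wire_bits += JAM_BITS
        k = rng.randrange(k_range(collisions))     # step 5: draw K, wait, back to step 2
        waited += backoff_time(k)
    return False, collisions, waited, wire_bits    # too many collisions: frame is discarded


if __name__ == "__main__":
    print(f"worst-case single backoff: {worst_case_backoff() * 1e3:.1f} ms")
    # constructed numbers: 1500-byte frame, 2.5 km LAN, 2e8 m/s propagation speed
    t_trans, t_prop = 1500 * 8 / BIT_RATE, 2500 / 2e8
    print(f"efficiency at 10 Mbps: {csma_cd_efficiency(t_prop, t_trans):.3f}")
    print(transmit(12_000, collides=lambda attempt: attempt <= 3))
```

With the constructed numbers t_prop / t_trans is about 0.01, so the approximation gives roughly 95% efficiency; the same LAN at 100 Mbps with the same cable length would have a ten times larger ratio, which is why faster Ethernet shrinks the allowed segment length or the efficiency suffers.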
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming in from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at the hub: adapters detect collisions
- provides net management functionality (e.g., can disconnect a malfunctioning adapter)
[Figure: a hub with twisted-pair links to several hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends the max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- The individual collision domains are merged into one large common collision domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: three departmental hubs connected through a backbone hub]
Switch
Link-layer device:
- stores and forwards Ethernet frames
- examines the frame header and selectively forwards the frame based on the MAC destination address
- when a frame is to be forwarded onto a segment, uses CSMA/CD to access the segment
Transparent: hosts are unaware of the presence of switches
Plug-and-play, self-learning: switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem...
[Figure: a switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in the table are dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender (the incoming LAN segment) and records the sender/location pair in the switch table
Switch: traffic isolation
- switch installation breaks the subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
[Figure: three hubs attached to one switch; each hub's segment is its own collision domain]
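The self-learning, filtering and flooding behaviour of the last three slides, as an added example (not code from the original page): a switch table keyed by MAC address with an interface and time stamp, 60-minute ageing, and the flood / forward / filter decision. The topology, MAC addresses and function names in scenario() are constructed:

```python
from dataclasses import dataclass

SWITCH_TABLE_TTL_S = 60 * 60     # slide: stale entries dropped, TTL can be 60 min
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Frame:
    dst: str
    src: str
    data: bytes = b""


class LearningSwitch:
    """Transparent, self-learning switch: a table of (MAC, interface, time stamp); filter, forward or flood."""

    def __init__(self, interfaces, ttl=SWITCH_TABLE_TTL_S):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table = {}          # MAC -> (interface, time stamp of the last frame seen from that MAC)

    def age_out(self, now):
        self.table = {mac: (iface, t) for mac, (iface, t) in self.table.items() if now - t < self.ttl}

    def handle(self, frame, in_iface, now):
        """Return the interfaces the frame goes out on (CSMA/CD on each segment happens below this)."""
        self.age_out(now)
        self.table[frame.src] = (in_iface, now)          # learn: the sender lives on the incoming segment
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return [i for i in self.interfaces if i != in_iface]   # unknown or broadcast: flood
        out_iface, _ = self.table[frame.dst]
        return [] if out_iface == in_iface else [out_iface]        # filter same-segment, else forward


def scenario():
    """Constructed walk-through: hosts A and B hang off the hub on interface 1, C off interface 2."""
    sw = LearningSwitch([1, 2, 3])
    A, B, C = "0A-00-00-00-00-0A", "0B-00-00-00-00-0B", "0C-00-00-00-00-0C"
    events = [
        (Frame(dst=C, src=A), 1, 0),                       # A -> C: C unknown, flooded to 2 and 3
        (Frame(dst=A, src=C), 2, 1),                       # C -> A: A already learned on 1, forwarded there only
        (Frame(dst=B, src=A), 1, 2),                       # A -> B: B unknown, flooded
        (Frame(dst=A, src=B), 1, 3),                       # B -> A: same segment, filtered (not forwarded)
        (Frame(dst=C, src=A), 1, 3 + SWITCH_TABLE_TTL_S),  # C's entry has aged out: flooded again
    ]
    return [sw.handle(f, i, t) for f, i, t in events]
```

scenario() returns the egress interfaces for each frame: flooded while the destination is unknown, forwarded to a single interface once it has been learned, dropped when source and destination sit on the same segment, and flooded again once the entry has aged out. The table is filled from the source address of whatever frame arrives on an interface; nothing in the algorithm checks it.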
Switches vs Routers
- both are store-and-forward devices
- routers: network-layer devices (examine network-layer headers)
- switches: link-layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem:
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other: means A, C unaware of their interference at B
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C cannot hear each other, interfering at B
[Figures: A, B, C in a line; A's and C's signal strength falling off with distance, overlapping only at B]
IEEE 802.11 Wireless LAN
802.11b
- 2.4 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in the physical layer: all hosts use the same chipping code
- widely deployed, using base stations
802.11a
- 5 GHz range
- up to 54 Mbps
802.11g
- 2.4 GHz range
- up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with a base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP) = base station
- ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1. if the channel is sensed idle for DIFS, then transmit the entire frame (no CD)
2. if the channel is sensed busy, then:
- start a random backoff timer
- timer counts down while the channel is idle
- transmit when the timer expires
- if no ACK, increase the random backoff interval, repeat 2
802.11 receiver
- if the frame is received OK, return ACK after SIFS (ACK needed due to the hidden terminal problem)
[Figure: sender waits DIFS, sends data; receiver waits SIFS, returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure, time running downward: A and B both send RTS to the AP and the two RTS frames collide (reservation collision); A resends RTS(A); the AP broadcasts CTS(A), which both A and B hear; B defers; A sends DATA(A); the AP returns ACK(A)]
802.11 frame format
field: frame control | duration | address 1 | address 2 | address 3 | seq control | address 4 | payload | CRC
bytes:       2       |    2     |     6     |     6     |     6     |      2      |     6     | 0-2312  |  4
802.11 frame: addressing
- Address 1: MAC address of the wireless host or AP to receive this frame
- Address 2: MAC address of the wireless host or AP transmitting this frame
- Address 3: MAC address of the router interface to which the AP is attached
- Address 4: used only in ad hoc mode
Example: host H1 sends through the AP to router R1 on the wired LAN
802.11 frame (H1 to AP): address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame (AP to R1): dest address = R1 MAC addr, source address = H1 MAC addr (the AP re-frames the datagram for the wired LAN; it does not put its own address in as source)
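The frame layout and the three-address example above, encoded and decoded as bytes. This is an added example, not code from the original page. It packs the fields in the order and sizes of the layout above (plus the To DS / From DS flags of the frame control field, which tell the AP which direction a frame is travelling), and shows the AP re-framing a host-to-router frame as 802.3 and, generalising the slide's single direction, a router-to-host 802.3 frame as 802.11. The MAC addresses and function names are constructed, and the trailer is a plain CRC-32 over header and payload:

```python
import struct
import zlib

# Constructed MAC addresses for the slide's H1 -> AP -> R1 picture (not from the original page).
H1_MAC = "02-11-22-33-44-55"
AP_MAC = "02-AA-BB-CC-DD-EE"
R1_MAC = "02-66-77-88-99-00"
ETHERTYPE_IPV4 = 0x0800
MAX_PAYLOAD = 2312                 # the slide's payload field is 0-2312 bytes
FC_DATA = 0x0008                   # frame control (little-endian 16 bits): version 0, type 2 = data
FC_TO_DS = 0x0100                  # flag: from a wireless host into the wired side (to the AP)
FC_FROM_DS = 0x0200                # flag: from the wired side out to a wireless host (from the AP)


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))


def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)


def fcs(body):
    """4-byte CRC-32 trailer (the polynomial 802.3 and 802.11 use), least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body))


def build_80211_data(addr1, addr2, addr3, payload, flags=FC_TO_DS, seq=0, addr4=None):
    """fc(2) duration(2) addr1(6) addr2(6) addr3(6) seq control(2) [addr4(6)] payload CRC(4)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload longer than 2312 bytes")
    header = struct.pack("<HH6s6s6sH", FC_DATA | flags, 0,
                         mac_bytes(addr1), mac_bytes(addr2), mac_bytes(addr3), seq << 4)
    if addr4 is not None:                                  # fourth address only in the ad hoc case
        header += mac_bytes(addr4)
    return header + payload + fcs(header + payload)


def parse_80211_data(frame, has_addr4=False):
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("802.11 CRC mismatch")
    fc, _duration, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", body[:24])
    end = 30 if has_addr4 else 24
    return {"to_ds": bool(fc & FC_TO_DS), "from_ds": bool(fc & FC_FROM_DS),
            "address1": mac_str(a1), "address2": mac_str(a2), "address3": mac_str(a3),
            "address4": mac_str(body[24:30]) if has_addr4 else None, "payload": body[end:]}


def build_8023(dst, src, payload):
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_IPV4) + payload
    return body + fcs(body)


def parse_8023(frame):
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("802.3 CRC mismatch")
    return {"dest": mac_str(body[:6]), "source": mac_str(body[6:12]),
            "ethertype": struct.unpack("!H", body[12:14])[0], "payload": body[14:]}


def ap_to_wired(frame_80211, ap_mac=AP_MAC):
    """Host -> AP frame re-framed for the wired LAN: address 3 (the router interface) becomes the
    802.3 destination and address 2 (the transmitting host) becomes the 802.3 source."""
    f = parse_80211_data(frame_80211)
    if not f["to_ds"] or f["address1"] != ap_mac:
        raise ValueError("not a frame addressed to this AP for the wired side")
    return build_8023(f["address3"], f["address2"], f["payload"])


def ap_to_wireless(frame_8023, ap_mac=AP_MAC):
    """Wired -> wireless direction (generalising the slide): address 1 = the receiving host,
    address 2 = the AP as transmitter, address 3 = the original wired source."""
    e = parse_8023(frame_8023)
    return build_80211_data(e["dest"], ap_mac, e["source"], e["payload"], flags=FC_FROM_DS)
```

The 24-byte header is exactly the 2 + 2 + 6 + 6 + 6 + 2 of the layout above; the fourth address is only appended when asked for. Corrupting any byte makes parse_80211_data reject the frame on the CRC, which is the detection the ACK-after-SIFS exchange relies on.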
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Slide outline (untitled slides omitted)
Announcement
Last class
What is network security?
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA: Choosing keys
RSA: Encryption, decryption
RSA example
RSA: Why is that
RSA: another important property
Overview
Authentication
Authentication: another try
Authentication: yet another try
Authentication: ap5.0
ap5.0: security hole
Firewalls
Firewalls: Why
Packet Filtering
Application gateways
Limitations of firewalls and gateways
Internet security threats
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijkstra's Algorithm
Dijkstra's algorithm: example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
The Internet Network layer
IP datagram format
IP Addressing: introduction
Subnets
IP addressing: CIDR
NAT: Network Address Translation
Hierarchical Routing
Interconnected ASes
Routing in the Internet
RIP (Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF "advanced" features (not in RIP)
Hierarchical OSPF
Internet inter-AS routing: BGP
BGP basics
Path attributes & BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols: a taxonomy
Channel Partitioning MAC protocols: TDMA
Slotted ALOHA
Slotted ALOHA efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMA/CD (Collision Detection)
CSMA/CD collision detection
"Taking Turns" MAC protocols
ARP: Address Resolution Protocol
ARP protocol: Same LAN (network)
Routing to another LAN
Ethernet uses CSMA/CD
Ethernet CSMA/CD algorithm
Ethernet's CSMA/CD (more)
CSMA/CD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch: traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 802.11 Wireless LAN
802.11 LAN architecture
IEEE 802.11 MAC Protocol: CSMA/CA
Collision Avoidance: RTS-CTS exchange
802.11 frame: addressing
Network Security
Data Link LayerSome terminology hosts and routers are nodes communication channels
that connect adjacent nodes along communication path are links wired links wireless links LANs
layer-2 packet is a frame encapsulates datagram
ldquolinkrdquo
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Link Layer Services Framing link access
encapsulate datagram into frame adding header trailer
channel access if shared medium ldquoMACrdquo addresses used in frame headers to identify
source dest bull different from IP address
Reliable delivery between adjacent nodes we learned how to do this already (chapter 3) seldom used on low bit error link (fiber some twisted
pair) wireless links high error rates
bull Q why both link-level and end-end reliability
MAC Protocols a taxonomy
Three broad classes Channel Partitioning
divide channel into smaller ldquopiecesrdquo (time slots frequency code)
allocate piece to node for exclusive use
Random Access channel not divided allow collisions ldquorecoverrdquo from collisions
ldquoTaking turnsrdquo Nodes take turns but nodes with more to send can
take longer turns
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In the routing table at the source host, find router 111.111.111.110; in the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A and B on two LANs joined by router R]
A creates datagram with source A, destination B
A uses ARP to get R's MAC address for 111.111.111.110
A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
A's adapter sends frame; R's adapter receives frame
R removes IP datagram from Ethernet frame, sees it's destined to B
R uses ARP to get B's MAC address
R creates frame containing A-to-B IP datagram, sends to B
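Both the same-LAN exchange and the A-to-B-via-R walkthrough above, as an added simulation that is not the lecture's own code: each node keeps one soft-state ARP table per LAN, a miss broadcasts a query to FF-FF-FF-FF-FF-FF, the target answers by unicast, and the router re-encapsulates the datagram after resolving the next hop on its second LAN. Only R's LAN1 address 111.111.111.110 and MAC E6-E9-00-17-BB-4B come from the slides; the other addresses are constructed sample values, and the prefix-string routing table is a simplification.

```python
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60                   # seconds: the lecture's "typically 20 min"


@dataclass
class ArpEntry:
    mac: str
    expires: float                  # soft state: forgotten at this time unless refreshed


class Lan:
    """A broadcast segment: every adapter sees each frame; only the addressed one keeps it."""
    def __init__(self, name):
        self.name, self.nodes = name, []

    def attach(self, node):
        self.nodes.append(node)
        node.lans[self.name] = self

    def send(self, sender, frame, now):
        for node in self.nodes:
            if node is not sender and frame["dst_mac"] in (BROADCAST, node.mac_on(self.name)):
                node.on_frame(self.name, frame, now)


class Node:
    """An IP node (host or router): one interface, and one ARP table, per attached LAN."""
    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = interfaces                  # lan name -> (ip, mac)
        self.arp = {lan: {} for lan in interfaces}    # lan name -> {ip: ArpEntry}
        self.routes = []                              # (dst prefix, next-hop ip or None, lan)
        self.lans, self.received = {}, []

    def ip_on(self, lan): return self.interfaces[lan][0]
    def mac_on(self, lan): return self.interfaces[lan][1]

    def lookup_arp(self, lan, ip, now):
        entry = self.arp[lan].get(ip)
        if entry is None:
            return None
        if now >= entry.expires:                      # TTL elapsed: the mapping is forgotten
            del self.arp[lan][ip]
            return None
        return entry.mac

    def learn(self, lan, ip, mac, now):
        # Taken at face value: ARP carries no authentication, so the cache trusts whatever answers.
        self.arp[lan][ip] = ArpEntry(mac, now + ARP_TTL)   # a refresh restarts the TTL

    def resolve(self, lan, ip, now):
        """MAC address for ip on lan; broadcasts an ARP query when it is not cached."""
        if self.lookup_arp(lan, ip, now) is None:
            self.lans[lan].send(self, {"type": "ARP-query", "dst_mac": BROADCAST,
                                       "src_mac": self.mac_on(lan), "sender_ip": self.ip_on(lan),
                                       "target_ip": ip}, now)
        return self.lookup_arp(lan, ip, now)          # still None if nobody answered

    def on_frame(self, lan, frame, now):
        if frame["type"] == "ARP-query" and frame["target_ip"] == self.ip_on(lan):
            self.learn(lan, frame["sender_ip"], frame["src_mac"], now)   # target caches the asker too
            self.lans[lan].send(self, {"type": "ARP-reply", "dst_mac": frame["src_mac"],   # unicast
                                       "src_mac": self.mac_on(lan), "sender_ip": self.ip_on(lan)}, now)
        elif frame["type"] == "ARP-reply":
            self.learn(lan, frame["sender_ip"], frame["src_mac"], now)
        elif frame["type"] == "IP":
            dgram = frame["datagram"]
            if dgram["dst"] in {ip for ip, _ in self.interfaces.values()}:
                self.received.append(dgram)
            else:
                self.send_ip(dgram, now)              # router: strip frame, re-encapsulate, send on

    def send_ip(self, dgram, now):
        """Pick outgoing LAN and next hop from the routing table, resolve its MAC, send the frame."""
        for prefix, next_hop, lan in self.routes:     # simplified prefix match on dotted text
            if dgram["dst"].startswith(prefix):
                hop_ip = next_hop or dgram["dst"]     # None: destination is on this LAN
                self.lans[lan].send(self, {"type": "IP", "dst_mac": self.resolve(lan, hop_ip, now),
                                           "src_mac": self.mac_on(lan), "datagram": dgram}, now)
                return
        raise LookupError(f"{self.name}: no route to {dgram['dst']}")


def build_topology():
    """A and R on LAN1, R and B on LAN2. R's LAN1 address/MAC are the lecture's; the rest are sample values."""
    lan1, lan2 = Lan("LAN1"), Lan("LAN2")
    a = Node("A", {"LAN1": ("111.111.111.111", "74-29-9C-E8-FF-55")})
    r = Node("R", {"LAN1": ("111.111.111.110", "E6-E9-00-17-BB-4B"),
                   "LAN2": ("222.222.222.220", "1A-23-F9-CD-06-9B")})
    b = Node("B", {"LAN2": ("222.222.222.222", "49-BD-D2-C7-56-2A")})
    a.routes = [("111.111.111.", None, "LAN1"), ("", "111.111.111.110", "LAN1")]   # default via R
    r.routes = [("111.111.111.", None, "LAN1"), ("222.222.222.", None, "LAN2")]
    b.routes = [("222.222.222.", None, "LAN2"), ("", "222.222.222.220", "LAN2")]
    lan1.attach(a); lan1.attach(r); lan2.attach(r); lan2.attach(b)
    return a, r, b
```

After `a.send_ip(...)`, A's LAN1 table holds only R's mapping (never B's), R's LAN2 table holds B's, and B has the datagram; at `now = 20 * 60` A's entry has timed out and the next `resolve` re-queries.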
Ethernet uses CSMA/CD
No slots
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec
Exponential backoff
Goal: adapt retransmission attempts to estimated current load; heavy load: random wait will be longer
first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
after second collision: choose K from {0, 1, 2, 3}...
after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
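The backoff arithmetic of steps 4 and 5 above, as an added example that is not from the lecture: the range K is drawn from after the m-th collision, the wait in bit times and in seconds at 10 Mbps, and one run of the retransmission loop against a constructed collision oracle. The 16-attempt limit is an assumption taken from 802.3, not from the slides.

```python
import random

SLOT_BITS = 512              # one backoff unit: the adapter waits K * 512 bit times
JAM_BITS = 48                # jam signal sent when a collision is detected
BIT_TIME_10MBPS = 0.1e-6     # seconds per bit on 10 Mbps Ethernet
MAX_BACKOFF_EXP = 10         # the range of K stops growing after the tenth collision


def backoff_range(m):
    """Number of choices for K after the m-th collision: K is drawn from {0, ..., 2^m - 1}, capped at 2^10."""
    return 2 ** min(m, MAX_BACKOFF_EXP)


def backoff_bit_times(k):
    return k * SLOT_BITS


def backoff_seconds(k, bit_time=BIT_TIME_10MBPS):
    return k * SLOT_BITS * bit_time       # K = 1023 on 10 Mbps: about 52 ms, the slide's "about 50 msec"


def expected_backoff_bit_times(m):
    """Mean wait after the m-th collision; K is uniform on 0..2^m - 1, so E[K] = (2^m - 1) / 2."""
    return (backoff_range(m) - 1) / 2 * SLOT_BITS


def send_frame(collides_on, rng, max_attempts=16):
    """Steps 2-5 of the algorithm for one frame.

    collides_on(attempt) plays the channel: True if the (1-based) attempt collides.
    max_attempts is an assumption from 802.3 (attempt limit 16), not from the slides.
    Returns (delivered, collisions, wasted_bit_times, chosen_ks).
    """
    collisions, wasted, ks = 0, 0, []
    for attempt in range(1, max_attempts + 1):
        if not collides_on(attempt):                  # step 3: whole frame sent, done
            return True, collisions, wasted, ks
        collisions += 1                               # step 4: abort and send the jam signal
        wasted += JAM_BITS
        k = rng.randrange(backoff_range(collisions))  # step 5: pick K, wait, back to step 2
        ks.append(k)
        wasted += backoff_bit_times(k)
    return False, collisions, wasted, ks              # gave up after max_attempts


def simulate(collisions_before_success, seed=7):
    """Deterministic run: the first collisions_before_success attempts collide, the next one succeeds."""
    return send_frame(lambda attempt: attempt <= collisions_before_success, random.Random(seed))
```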
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at hub: adapters detect collisions
Provides net management functionality
- can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: a backbone hub interconnecting three department hubs]
Switch: link layer device
stores and forwards Ethernet frames
examines frame header and selectively forwards frame based on MAC dest address
when frame is to be forwarded on a segment, uses CSMA/CD to access the segment
transparent: hosts are unaware of presence of switches
plug-and-play, self-learning: switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward a frame?
- Looks like a routing problem...
[Figure: a switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
A switch has a switch table
entry in switch table: (MAC address, interface, time stamp)
stale entries in table dropped (TTL can be 60 min)
switch learns which hosts can be reached through which interfaces
when frame received, switch "learns" location of sender: incoming LAN segment
records sender/location pair in switch table
Switch: traffic isolation
switch installation breaks subnet into LAN segments
switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
[Figure: a switch joining three hubs, each hub forming its own collision domain]
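The self-learning table, flooding of unknown destinations, same-segment filtering and the 60-minute expiry described above, as an added example that is not from the lecture, with a hub alongside for contrast. `forward` returns the list of interfaces a frame leaves on; the MAC strings used in testing are constructed.

```python
from dataclasses import dataclass

TABLE_TTL = 60 * 60                 # seconds: the lecture's "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class TableEntry:
    interface: int                  # interface (LAN segment) the sender was last seen on
    timestamp: float                # time stamp of that frame; stale entries are dropped


class Hub:
    """Physical-layer repeater: no table, every frame goes out on every other port."""
    def __init__(self, ports):
        self.ports = ports

    def forward(self, src_mac, dst_mac, in_port, now):
        return [p for p in range(self.ports) if p != in_port]


class Switch:
    """Self-learning link-layer switch holding (MAC address, interface, time stamp) entries."""
    def __init__(self, interfaces):
        self.interfaces = interfaces
        self.table = {}                             # MAC address -> TableEntry

    def expire(self, now):
        stale = [mac for mac, e in self.table.items() if now - e.timestamp >= TABLE_TTL]
        for mac in stale:
            del self.table[mac]

    def forward(self, src_mac, dst_mac, in_if, now):
        """Learn the sender's segment, then return the interfaces the frame goes out on."""
        self.expire(now)
        self.table[src_mac] = TableEntry(in_if, now)   # learn, or refresh, the sender's location
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [i for i in range(self.interfaces) if i != in_if]   # unknown: flood like a hub
        out = self.table[dst_mac].interface
        return [] if out == in_if else [out]           # same segment: filter; else forward selectively

    def known_hosts(self):
        return {mac: e.interface for mac, e in self.table.items()}
```

A frame between two hosts on the same hub (interface 0) returns `[]`, which is the traffic isolation the slide describes; once an entry is older than an hour the next frame to that address is flooded again.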
Switches vs. routers
both store-and-forward devices
routers: network layer devices (examine network layer headers); switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access)
[Figure: A, B and C with overlapping radio ranges; B is in range of both A and C]
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other; means A, C unaware of their interference at B
[Figure: A's and C's signal strength versus space, each fading out before reaching the other]
Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer
- all hosts use same chipping code
widely deployed, using base stations
802.11a: 5-6 GHz range; up to 54 Mbps
802.11g: 2.4-5 GHz range; up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
wireless host communicates with base station; base station = access point (AP)
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station
ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, joined through a hub, switch or router to the Internet]
IEEE 802.11 MAC protocol: CSMA/CA
802.11 sender
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]
Collision avoidance: RTS-CTS exchange
[Figure: time diagram of A, AP and B: RTS(A) and RTS(B) collide; A sends RTS(A) again; the AP answers CTS(A), heard by both A and B (reservation); B defers; A sends DATA(A); the AP returns ACK(A)]
802.11 frame format (field lengths in bytes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
802.11 frame addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[Figure: H1 sends through the AP to Internet router R1]
802.11 frame: address 1 = AP MAC addr; address 2 = H1 MAC addr; address 3 = R1 MAC addr
802.3 frame: dest address = R1 MAC addr; source address = AP MAC addr
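The frame layout and the three addresses above, as an added example that is not from the lecture: it packs the slide's field lengths, appends a CRC-32 over header and payload as the 4-byte CRC field, and refuses to parse a frame whose CRC no longer matches. Byte order and the control-field bits are assumptions (the slide does not cover them), and the MAC values used in testing are constructed.

```python
import struct
import zlib

# 802.11 data-frame layout from the slide (lengths in bytes): frame control 2, duration 2,
# address 1 (receiver) 6, address 2 (transmitter) 6, address 3 (router interface) 6,
# seq control 2, address 4 (ad hoc mode only) 6, then payload 0-2312 and CRC 4.
# Byte order and the meaning of the control bits are not on the slide: this example packs
# the 16-bit fields little-endian and carries them as opaque values (an assumption).
HEADER = struct.Struct("<HH6s6s6sH6s")
MAX_PAYLOAD = 2312
UNUSED_ADDR4 = "00-00-00-00-00-00"    # placeholder for the unused address 4 in infrastructure mode


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split("-"))


def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)


def build_frame(receiver, transmitter, router, payload, frame_control=0, duration=0,
                seq_control=0, addr4=UNUSED_ADDR4):
    """Header + payload, followed by a CRC-32 over both as the 4-byte CRC field."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {MAX_PAYLOAD}")
    body = HEADER.pack(frame_control, duration, mac_to_bytes(receiver), mac_to_bytes(transmitter),
                       mac_to_bytes(router), seq_control, mac_to_bytes(addr4)) + payload
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Addresses and payload of a frame, or None if it is truncated or its CRC does not match."""
    if len(frame) < HEADER.size + 4:
        return None
    body, crc = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != crc:
        return None                                 # corrupted in the air: the receiver sends no ACK
    fc, duration, a1, a2, a3, seq, a4 = HEADER.unpack_from(body)
    return {"receiver": bytes_to_mac(a1), "transmitter": bytes_to_mac(a2),
            "router": bytes_to_mac(a3), "addr4": bytes_to_mac(a4), "frame_control": fc,
            "duration": duration, "seq_control": seq, "payload": body[HEADER.size:]}


def host_to_ap_frame(h1_mac, ap_mac, r1_mac, payload):
    """H1 -> AP as on the slide: address 1 = AP (receiver), address 2 = H1, address 3 = R1."""
    return build_frame(receiver=ap_mac, transmitter=h1_mac, router=r1_mac, payload=payload)


def ap_to_host_frame(ap_mac, h1_mac, r1_mac, payload):
    """AP -> H1: address 1 = H1 (receiver), address 2 = AP (transmitter), address 3 = R1."""
    return build_frame(receiver=h1_mac, transmitter=ap_mac, router=r1_mac, payload=payload)
```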
Network Security
What is network security?
Principles of cryptography: symmetric key, public key
Authentication: protocol evolution
Access control: firewalls
Attacks and counter measures: packet sniffing, IP spoofing, DoS attacks
Announcement
Last class
What is network security?
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA: Choosing keys
RSA: Encryption, decryption
RSA example
RSA: Why is that?
RSA: another important property
Overview
Authentication
Slide 15
Authentication: another try
Slide 17
Slide 18
Slide 19
Authentication: yet another try
Slide 21
Slide 22
Authentication: ap5.0
ap5.0: security hole
Slide 25
Slide 26
Firewalls
Firewalls: Why?
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijkstra's Algorithm
Dijkstra's algorithm: example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing: introduction
Subnets
IP addressing: CIDR
NAT: Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP (Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF "advanced" features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing: BGP
BGP basics
Path attributes & BGP routes
Why different Intra- and Inter-AS routing?
Data Link Layer
Link Layer Services
MAC Protocols: a taxonomy
Channel Partitioning MAC protocols: TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMA/CD (Collision Detection)
CSMA/CD collision detection
"Taking Turns" MAC protocols
ARP: Address Resolution Protocol
ARP protocol: Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMA/CD
Ethernet CSMA/CD algorithm
Ethernet's CSMA/CD (more)
CSMA/CD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch: traffic isolation
Switches vs. Routers
Summary comparison
Wireless network characteristics
IEEE 802.11 Wireless LAN
802.11 LAN architecture
IEEE 802.11 MAC Protocol: CSMA/CA
Collision Avoidance: RTS-CTS exchange
802.11 frame addressing
Slide 105
Network Security
MAC protocols: a taxonomy
Three broad classes:
Channel partitioning: divide channel into smaller "pieces" (time slots, frequency, code); allocate piece to node for exclusive use
Random access: channel not divided, allow collisions; "recover" from collisions
"Taking turns": nodes take turns, but nodes with more to send can take longer turns
Channel partitioning MAC protocols: TDMA
TDMA: time division multiple access
access to channel in "rounds"; each station gets fixed length slot (length = pkt trans time) in each round; unused slots go idle
example: 6-station LAN, stations 1, 3, 4 have packets; slots 2, 5, 6 idle
TDM (Time Division Multiplexing): channel divided into N time slots, one per user; inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing): frequency subdivided
Slotted ALOHA
Pros:
- single active node can continuously transmit at full rate of channel
- highly decentralized: only slots in nodes need to be in sync
- simple
Cons:
- collisions, wasting slots
- idle slots
- clock synchronization
Slotted ALOHA efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p
prob that node 1 has success in a slot $= p(1-p)^{N-1}$
prob that there is a success $= Np(1-p)^{N-1}$
For max efficiency with N nodes, find p* that maximizes $Np(1-p)^{N-1}$
For many nodes, take limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity, gives $1/e \approx 0.37$
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send
At best: channel used for useful transmissions 37% of time!
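The maximisation stated above carried through, as an added derivation that is not on the slide, in the slide's own symbols N and p:

$$S(p) = Np(1-p)^{N-1}$$

$$S'(p) = N(1-p)^{N-2}\bigl[(1-p) - (N-1)p\bigr] = N(1-p)^{N-2}\,(1 - Np)$$

$$S'(p^*) = 0 \;\Rightarrow\; p^* = \frac{1}{N}$$

$$S(p^*) = \Bigl(1 - \frac{1}{N}\Bigr)^{N-1} \xrightarrow[N \to \infty]{} \frac{1}{e} \approx 0.37$$

For N = 2 the optimum gives S = 1/2, for N = 10 it gives 0.9^9 ≈ 0.39, and for N = 100 it gives 0.99^99 ≈ 0.37, so the 1/e bound is already close at moderate N.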
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit: if channel sensed idle, transmit entire frame; if channel sensed busy, defer transmission
Human analogy: don't interrupt others!
CSMA collisions
collisions can still occur: propagation delay means two nodes may not hear each other's transmission
collision: entire packet transmission time wasted
[Figure: spatial layout of nodes versus time, with two transmissions overlapping]
note: role of distance & propagation delay in determining collision probability
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Channel Partitioning MAC protocols TDMA
TDMA time division multiple access access to channel in rounds each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example 6-station LAN 134 have pkt slots 256 idle
TDM (Time Division Multiplexing) channel divided into N time slots one per user inefficient with low duty cycle users and at light load
FDM (Frequency Division Multiplexing) frequency subdivided
Slotted ALOHA
Pros single active node can
continuously transmit at full rate of channel
highly decentralized only slots in nodes need to be in sync
simple
Cons
collisions wasting slots
idle slots clock
synchronization
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security
What is network security?
Principles of cryptography: Symmetric Key, Public Key
Authentication: Protocol evolution
Access control: firewalls
Attacks and counter measures: Packet sniffing, IP spoofing, DoS attacks
Announcement
Last class
What is network security?
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA: Choosing keys
RSA: Encryption, decryption
RSA example
RSA: Why is that
RSA: another important property
Overview
Authentication
Slide 15
Authentication: another try
Slide 17
Slide 18
Slide 19
Authentication: yet another try
Slide 21
Slide 22
Authentication: ap5.0
ap5.0: security hole
Slide 25
Slide 26
Firewalls
Firewalls: Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijkstra's Algorithm
Dijkstra's algorithm: example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing: introduction
Subnets
IP addressing: CIDR
NAT: Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP (Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF "advanced" features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing: BGP
BGP basics
Path attributes & BGP routes
Why different Intra- and Inter-AS routing?
Data Link Layer
Link Layer Services
MAC Protocols: a taxonomy
Channel Partitioning MAC protocols: TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMA/CD (Collision Detection)
CSMA/CD collision detection
"Taking Turns" MAC protocols
ARP: Address Resolution Protocol
ARP protocol: Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMA/CD
Ethernet CSMA/CD algorithm
Ethernet's CSMA/CD (more)
CSMA/CD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch: traffic isolation
Switches vs. Routers
Summary comparison
Wireless network characteristics
IEEE 802.11 Wireless LAN
802.11 LAN architecture
IEEE 802.11 MAC Protocol: CSMA/CA
Collision Avoidance: RTS-CTS exchange
802.11 frame: addressing
Slide 105
Network Security
Slotted ALOHA
Pros: a single active node can continuously transmit at the full rate of the channel; highly decentralized: only the slots in the nodes need to be in sync; simple.
Cons: collisions, wasting slots; idle slots; clock synchronization.
Slotted Aloha efficiency
Suppose N nodes with many frames to send, each transmits in a slot with probability p.
Prob that node 1 has success in a slot = $p(1-p)^{N-1}$
Prob that there is a success = $Np(1-p)^{N-1}$
For max efficiency with N nodes, find $p^*$ that maximizes $Np(1-p)^{N-1}$.
For many nodes, take the limit of $Np^*(1-p^*)^{N-1}$ as N goes to infinity: gives $1/e = .37$.
Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send.
At best: channel used for useful transmissions 37% of the time!
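The efficiency argument above, carried through numerically as an added example (not part of the lecture slides): it searches for the p that maximizes $Np(1-p)^{N-1}$, checks it against the closed form $p^* = 1/N$, and shows the approach to $1/e$; the Monte Carlo cross-check is a constructed simulation.

```python
import math
import random


def success_probability(n: int, p: float) -> float:
    """P(exactly one of n nodes transmits in a slot) = n p (1-p)^(n-1)."""
    return n * p * (1.0 - p) ** (n - 1)


def best_p(n: int, steps: int = 100_000) -> float:
    """Grid search over p in (0, 1) for the p that maximizes success_probability."""
    best_p_so_far, best_val = 0.0, -1.0
    for i in range(1, steps):
        p = i / steps
        val = success_probability(n, p)
        if val > best_val:
            best_p_so_far, best_val = p, val
    return best_p_so_far


def max_efficiency(n: int) -> float:
    """Efficiency at the optimum.  Setting d/dp [n p (1-p)^(n-1)] = 0 gives
    n (1-p)^(n-2) (1 - n p) = 0, i.e. p* = 1/n, so the long-run fraction of
    successful slots is (1 - 1/n)^(n-1), which tends to 1/e as n grows."""
    return (1.0 - 1.0 / n) ** (n - 1)


def simulate(n: int, p: float, slots: int, seed: int = 1) -> float:
    """Monte Carlo cross-check (constructed, seeded for repeatability):
    fraction of slots in which exactly one node transmits."""
    rng = random.Random(seed)
    successes = 0
    for _ in range(slots):
        transmitters = sum(1 for _ in range(n) if rng.random() < p)
        successes += transmitters == 1
    return successes / slots


if __name__ == "__main__":
    for n in (2, 5, 10, 100, 1000):
        print(f"N={n:5d}  p*={best_p(n):.4f}  efficiency={max_efficiency(n):.4f}")
    print(f"N=10, p=0.1 simulated: {simulate(10, 0.1, 20_000):.3f}")
    print(f"limit 1/e = {1 / math.e:.4f}")
```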
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit. If the channel is sensed idle, transmit the entire frame. If the channel is sensed busy, defer transmission.
Human analogy: don't interrupt others!
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
Collision: the entire packet transmission time is wasted.
(Figure: spatial layout of nodes.)
Note: role of distance & propagation delay in determining collision probability.
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA; collisions detected within a short time; colliding transmissions aborted, reducing channel wastage.
Collision detection: easy in wired LANs (measure signal strengths, compare transmitted and received signals); difficult in wireless LANs (receiver shut off while transmitting).
CSMA/CD collision detection
"Taking Turns" MAC protocols
Polling: master node "invites" slave nodes to transmit in turn. Concerns: polling overhead, latency, single point of failure (master).
Token passing: control token passed from one node to the next sequentially; token message. Concerns: token overhead, latency, single point of failure (token).
ARP: Address Resolution Protocol
Each IP node (Host, Router) on a LAN has an ARP table.
ARP Table: IP/MAC address mappings for some LAN nodes: <IP address; MAC address; TTL>
TTL (Time To Live): time after which the address mapping will be forgotten (typically 20 min).
Question: how to determine the MAC address of B knowing B's IP address?
(Figure: LAN of four nodes with IP addresses 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88 and MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53.)
ARP protocol: Same LAN (network)
A wants to send a datagram to B, and B's MAC address is not in A's ARP table.
A broadcasts an ARP query packet containing B's IP address; dest MAC address = FF-FF-FF-FF-FF-FF; all machines on the LAN receive the ARP query.
B receives the ARP packet, replies to A with its (B's) MAC address; frame sent to A's MAC address (unicast).
A caches (saves) the IP-to-MAC address pair in its ARP table until the information becomes old (times out); soft state: information that times out (goes away) unless refreshed.
ARP is "plug-and-play": nodes create their ARP tables without intervention from the net administrator.
Routing to another LAN
Walkthrough: send a datagram from A to B via R; assume A knows B's IP address.
Two ARP tables in router R, one for each IP network (LAN).
In the routing table at the source host, find router 111.111.111.110. In the ARP table at the source, find MAC address E6-E9-00-17-BB-4B, etc.
(Figure: A, R, B.)
A creates a datagram with source A, destination B. A uses ARP to get R's MAC address for 111.111.111.110. A creates a link-layer frame with R's MAC address as dest; the frame contains the A-to-B IP datagram. A's adapter sends the frame. R's adapter receives the frame. R removes the IP datagram from the Ethernet frame, sees it is destined to B. R uses ARP to get B's MAC address. R creates a frame containing the A-to-B IP datagram, sends it to B.
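The ARP exchange and the A to R to B walkthrough above, as an added Python model (not the lecture's code). Only the router interface 111.111.111.110 and its MAC E6-E9-00-17-BB-4B come from the slides; the other addresses, the 222.222.222.0/24 network and the default-route routing table are constructed, and the 20-minute TTL is applied as seconds on a simulated clock.

```python
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "FF-FF-FF-FF-FF-FF"
ARP_TTL = 20 * 60   # seconds: slide says a mapping is forgotten after ~20 min


@dataclass
class Interface:
    ip: str
    mac: str
    net: ipaddress.IPv4Network
    lan: "Lan"


@dataclass
class Lan:
    # every (node, interface) attached to this broadcast medium
    members: list = field(default_factory=list)


@dataclass
class Node:
    name: str
    ifaces: list
    arp: dict = field(default_factory=dict)   # ip -> (mac, expires_at): soft state

    def iface_for(self, ip: str):
        """Interface on a directly attached LAN whose network contains ip, or None."""
        for i in self.ifaces:
            if ipaddress.ip_address(ip) in i.net:
                return i
        return None

    def resolve(self, iface: Interface, target_ip: str, now: float, trace: list) -> str:
        """ARP: reuse an unexpired cached mapping, else broadcast a query;
        every node on the LAN hears it, only the owner of target_ip answers."""
        cached = self.arp.get(target_ip)
        if cached and cached[1] > now:
            return cached[0]
        trace.append(f"{self.name}: ARP query who-has {target_ip} -> {BROADCAST}")
        for other, oiface in iface.lan.members:
            if other is self or oiface.ip != target_ip:
                continue                      # hears the query, does not answer
            trace.append(f"{other.name}: ARP reply {target_ip} is-at {oiface.mac} -> {iface.mac}")
            self.arp[target_ip] = (oiface.mac, now + ARP_TTL)   # cache until it times out
            return oiface.mac
        raise LookupError(f"no node owns {target_ip} on this LAN")


class Router(Node):
    """A node with one interface (and hence one ARP table) per attached LAN."""


def send(src: Node, dst_ip: str, router: Router, now: float, trace: list):
    """Carry one datagram from src to dst_ip, through router if off-subnet.
    Returns the (dest MAC, src MAC) pair of every link-layer frame sent."""
    frames, hop = [], src
    while True:
        out = hop.iface_for(dst_ip)
        if out is not None:                    # destination on an attached LAN
            next_ip = dst_ip
        else:                                  # constructed routing table: default route via router
            out = hop.ifaces[0]
            next_ip = next(i.ip for i in router.ifaces if i.lan is out.lan)
        mac = hop.resolve(out, next_ip, now, trace)
        frames.append((mac, out.mac))
        trace.append(f"{hop.name}: frame dest={mac} src={out.mac}, datagram for {dst_ip}")
        if next_ip == dst_ip:
            return frames
        hop = router       # R strips the frame, reads the IP header, repeats on the other LAN


def build_topology():
    """A on LAN1, R on LAN1 and LAN2, B on LAN2.  Only R's LAN1 address and MAC are from the slide."""
    lan1, lan2 = Lan(), Lan()
    net1 = ipaddress.ip_network("111.111.111.0/24")
    net2 = ipaddress.ip_network("222.222.222.0/24")   # constructed
    a, b, r = Node("A", []), Node("B", []), Router("R", [])
    a.ifaces = [Interface("111.111.111.111", "AA-AA-AA-00-00-0A", net1, lan1)]      # constructed
    r.ifaces = [Interface("111.111.111.110", "E6-E9-00-17-BB-4B", net1, lan1),      # from slide
                Interface("222.222.222.220", "AA-AA-AA-00-00-0B", net2, lan2)]      # constructed
    b.ifaces = [Interface("222.222.222.222", "AA-AA-AA-00-00-0C", net2, lan2)]      # constructed
    lan1.members += [(a, a.ifaces[0]), (r, r.ifaces[0])]
    lan2.members += [(r, r.ifaces[1]), (b, b.ifaces[0])]
    return a, r, b


if __name__ == "__main__":
    a, r, b = build_topology()
    trace = []
    send(a, "222.222.222.222", r, now=0.0, trace=trace)
    print("\n".join(trace))
```

A second send within the TTL produces no ARP traffic at all, and one after the TTL repeats both queries, which is the soft-state behaviour the slide describes.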
Ethernet uses CSMA/CD
No slots.
An adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense.
A transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection.
Before attempting a retransmission, the adapter waits a random time, that is, random access.
Ethernet CSMA/CD algorithm
1. Adapter receives a datagram from the net layer & creates a frame.
2. If the adapter senses the channel idle, it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle and then transmits.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame!
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, the adapter enters exponential backoff: after the mth collision, the adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}. The adapter waits K·512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, the wait time is about 50 msec.
Exponential Backoff: Goal: adapt retransmission attempts to the estimated current load; under heavy load, the random wait will be longer.
First collision: choose K from {0, 1}; delay is K·512 bit transmission times.
After the second collision: choose K from {0, 1, 2, 3}…
After ten collisions, choose K from {0, 1, 2, 3, 4, …, 1023}.
CSMA/CD efficiency
$t_{prop}$ = max propagation delay between 2 nodes in the LAN
$t_{trans}$ = time to transmit a max-size frame
$$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$$
Efficiency goes to 1 as $t_{prop}$ goes to 0.
Goes to 1 as $t_{trans}$ goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
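The exponential backoff of step 5 and the efficiency formula above, as an added Python example (not from the slides): it reproduces the K ranges after each collision, the 1023 cap after ten collisions, the roughly 50 ms worst-case wait at 10 Mbps, and evaluates $1/(1 + 5\,t_{prop}/t_{trans})$; the collision sequence and the LAN parameters in the demo are constructed.

```python
import random

BIT_TIME_10MBPS_US = 0.1      # slide: 0.1 microsecond per bit at 10 Mbps
SLOT_BITS = 512               # backoff unit: 512 bit times
MAX_BACKOFF_EXPONENT = 10     # range stops growing after ten collisions (K <= 1023)
JAM_BITS = 48


def backoff_range(collisions: int) -> int:
    """Inclusive upper bound of K after `collisions` consecutive collisions:
    2^m - 1, capped at 2^10 - 1 = 1023."""
    if collisions < 1:
        raise ValueError("backoff only follows a collision")
    return 2 ** min(collisions, MAX_BACKOFF_EXPONENT) - 1


def wait_time_us(k: int, bit_time_us: float = BIT_TIME_10MBPS_US) -> float:
    """Backoff delay for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time_us


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """Slide formula: 1 / (1 + 5 t_prop / t_trans)."""
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def transmit_with_backoff(collision_outcomes, seed: int = 0):
    """Replay one adapter's attempts.  collision_outcomes is a constructed
    list of booleans (True = that attempt collides); after the m-th collision
    the adapter draws K from {0, ..., backoff_range(m)} and waits.
    Returns (list of K values drawn, total backoff wait in microseconds)."""
    rng = random.Random(seed)
    ks, total = [], 0.0
    for m, collided in enumerate(collision_outcomes, start=1):
        if not collided:
            break                               # step 3: frame sent, adapter done
        k = rng.randint(0, backoff_range(m))    # step 5: exponential backoff
        ks.append(k)
        total += wait_time_us(k)
    return ks, total


if __name__ == "__main__":
    for m in (1, 2, 3, 10, 12):
        print(f"after collision {m}: K in 0..{backoff_range(m)}, "
              f"max wait {wait_time_us(backoff_range(m)) / 1000:.1f} ms")
    # constructed LAN: 25 us max propagation delay, 12144-bit max-size frame at 10 Mbps
    t_prop, t_trans = 25.0, 12144 * BIT_TIME_10MBPS_US
    print(f"efficiency = {csma_cd_efficiency(t_prop, t_trans):.3f}")
    print(transmit_with_backoff([True, True, True, False]))
```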
Hubs
Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate; no frame buffering; no CSMA/CD at the hub: adapters detect collisions; provides net management functionality (e.g. can disconnect a malfunctioning adapter).
(Figure: twisted-pair links into a hub.)
Interconnecting with hubs
Pros: enables interdepartmental communication; extends the max distance between nodes; if a hub malfunctions, the backbone hub can disconnect it.
Cons: collision domains are transferred into one large common domain; cannot interconnect 10BaseT and 100BaseT hubs.
(Figure: a backbone hub interconnecting three hubs.)
Switch
Link layer device: stores and forwards Ethernet frames; examines the frame header and selectively forwards the frame based on the MAC dest address; when a frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
How to determine onto which LAN segment to forward a frame? Looks like a routing problem...
(Figure: switch with interfaces 1, 2, 3, each attached to a hub.)
Self learning
A switch has a switch table. Entry in the switch table: (MAC Address, Interface, Time Stamp); stale entries in the table are dropped (TTL can be 60 min).
The switch learns which hosts can be reached through which interfaces: when a frame is received, the switch "learns" the location of the sender: the incoming LAN segment; it records the sender/location pair in the switch table.
Switch: traffic isolation
Switch installation breaks the subnet into LAN segments.
The switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments; segments become separate collision domains.
(Figure: switch connected to three hubs, each hub forming its own collision domain.)
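The forwarding, self-learning and traffic-isolation behaviour above, as an added Python model (not the lecture's code) of a three-interface switch: each frame teaches the switch where its sender is, known destinations are forwarded to one interface or filtered when they sit on the incoming segment, unknown and broadcast destinations are flooded, and entries older than the 60-minute TTL are dropped. The host names, interface numbers and frame sequence are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

BROADCAST = "FF-FF-FF-FF-FF-FF"
TABLE_TTL_S = 60 * 60      # slide: stale entries dropped, TTL can be 60 min


@dataclass
class Entry:
    interface: int
    stamp: float


class LearningSwitch:
    def __init__(self, interfaces: List[int], ttl: float = TABLE_TTL_S):
        self.interfaces = list(interfaces)
        self.ttl = ttl
        self.table: Dict[str, Entry] = {}   # MAC -> (interface, time stamp)

    def purge(self, now: float) -> None:
        """Drop entries whose time stamp is older than the TTL."""
        stale = [mac for mac, e in self.table.items() if now - e.stamp > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src: str, dst: str, in_port: int, now: float) -> List[int]:
        """Handle one frame arriving on in_port; return the interfaces it is
        forwarded onto (an empty list means the frame was filtered)."""
        self.purge(now)
        # self-learning: the sender is reachable through the incoming interface
        self.table[src] = Entry(in_port, now)
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.interfaces if p != in_port]   # flood
        out = self.table[dst].interface
        if out == in_port:
            return []            # same LAN segment: filter (traffic isolation)
        return [out]             # selective forwarding on the MAC dest address


def replay(frames, ttl: float = TABLE_TTL_S):
    """Run a constructed sequence of (src, dst, in_port, time) frames through a
    three-interface switch; return (src, dst, port, out_ports, table snapshot)."""
    sw = LearningSwitch([1, 2, 3], ttl)
    decisions = []
    for src, dst, port, t in frames:
        out = sw.receive(src, dst, port, t)
        snapshot = {m: e.interface for m, e in sw.table.items()}
        decisions.append((src, dst, port, out, snapshot))
    return decisions


SAMPLE = [   # constructed: A and C hang off interface 1, B off interface 2, D off 3
    ("A", "B", 1, 0.0),          # B unknown: flood to 2 and 3
    ("B", "A", 2, 1.0),          # A known on 1: forward to 1 only
    ("C", "A", 1, 2.0),          # A is on the incoming segment: filtered
    ("A", BROADCAST, 1, 3.0),    # broadcast: flood
    ("D", "A", 3, 3700.0),       # A's entry aged out (> 60 min): flood again
]

if __name__ == "__main__":
    for src, dst, port, out, table in replay(SAMPLE):
        print(f"{src}->{dst} on {port}: out {out or 'filtered'}; table {table}")
```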
Switches vs. Routers
Both are store-and-forward devices: routers are network layer devices (examine network layer headers); switches are link layer devices.
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other; means A, C are unaware of their interference at B.
(Figure: A, B, C laid out in space, with A's and C's signal strength falling off with distance.)
Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other interfering at B.
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in the physical layer (all hosts use the same chipping code); widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
A wireless host communicates with a base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts; access point (AP): base station.
Ad hoc mode: hosts only.
(Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet.)
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If the channel is sensed idle for DIFS, then transmit the entire frame (no CD).
2. If the channel is sensed busy, then: start a random backoff time; the timer counts down while the channel is idle; transmit when the timer expires; if no ACK, increase the random backoff interval, repeat 2.
802.11 receiver: if the frame is received OK, return an ACK after SIFS (ACK needed due to the hidden terminal problem).
(Figure: sender transmits data after DIFS; receiver returns ACK after SIFS.)
Collision Avoidance: RTS-CTS exchange
(Figure: timeline of A, the AP and B. RTS(A) and RTS(B) collide at the AP; A's RTS is retried; the AP sends CTS(A), heard by both; A sends DATA(A); the AP returns ACK(A); B defers for the duration of the reservation.)
802.11 frame
(Figure: frame format with field sizes in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4).)
802.11 frame: addressing
Address 1: MAC address of the wireless host or AP to receive this frame.
Address 2: MAC address of the wireless host or AP transmitting this frame.
Address 3: MAC address of the router interface to which the AP is attached.
Address 4: used only in ad hoc mode.
(Figure: wireless host H1, AP, router R1, Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr.)
802.11 frame: addressing
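The three-address frame layout and the AP's rewrite into an 802.3 frame above, as an added Python example (not from the slides): it packs and parses the header fields in the order and sizes the frame-format figure gives, verifies the trailing CRC so a corrupted frame is rejected, enforces the 2312-byte payload limit, and emits the wired frame with dest = address 3 and source = the AP's MAC, as in the addressing figure. The MAC addresses and payload are constructed; the CRC is computed with CRC-32, which is an assumption of this example, and the 802.3 type/length field and wired FCS are left out because the slide does not show them.

```python
import struct
import zlib
from dataclasses import dataclass

MAX_PAYLOAD = 2312                        # slide: payload is 0-2312 bytes
HEADER = struct.Struct("<HH6s6s6sH")      # frame control, duration, addr1-3, seq control (24 bytes)
FC_DATA = 0x0008                          # frame control: type = 2 (data), subtype 0


def mac_str(b: bytes) -> str:
    return "-".join(f"{x:02X}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split("-"))


@dataclass
class Dot11Frame:
    frame_control: int
    duration: int
    addr1: str        # receiver: wireless host or AP
    addr2: str        # transmitter: wireless host or AP
    addr3: str        # router interface the AP is attached to
    seq_control: int
    payload: bytes


def build_dot11(addr1: str, addr2: str, addr3: str, payload: bytes,
                seq: int = 0, duration: int = 0, fc: int = FC_DATA) -> bytes:
    """Constructed three-address data frame with the CRC appended."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    body = HEADER.pack(fc, duration, mac_bytes(addr1), mac_bytes(addr2),
                       mac_bytes(addr3), seq) + payload
    return body + struct.pack("<I", zlib.crc32(body))   # assumption: CRC-32 FCS


def parse_dot11(frame: bytes) -> Dot11Frame:
    """Split a frame into its fields, rejecting short, corrupted or non-data frames."""
    if len(frame) < HEADER.size + 4:
        raise ValueError("frame shorter than header + CRC")
    body, (fcs,) = frame[:-4], struct.unpack("<I", frame[-4:])
    if zlib.crc32(body) != fcs:
        raise ValueError("CRC mismatch: frame corrupted in transit")
    fc, dur, a1, a2, a3, seq = HEADER.unpack_from(body)
    if (fc >> 2) & 0x3 != 2:                 # type field is bits 2-3 of frame control
        raise ValueError("not a data frame")
    payload = body[HEADER.size:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    return Dot11Frame(fc, dur, mac_str(a1), mac_str(a2), mac_str(a3), seq, payload)


def to_dot3(f: Dot11Frame, ap_mac: str) -> bytes:
    """AP-side rewrite as on the slide: dest = address 3 (R1), source = the AP's
    own MAC, payload carried unchanged.  Frames not addressed to this AP are refused."""
    if f.addr1 != ap_mac:
        raise ValueError("frame was not addressed to this AP")
    return mac_bytes(f.addr3) + mac_bytes(ap_mac) + f.payload


if __name__ == "__main__":
    # constructed addresses for H1, the AP and router interface R1
    AP, H1, R1 = "AA-AA-AA-00-00-01", "AA-AA-AA-00-00-02", "AA-AA-AA-00-00-03"
    raw = build_dot11(AP, H1, R1, b"constructed IP datagram", seq=7)
    f = parse_dot11(raw)
    print(f"802.11: addr1={f.addr1} addr2={f.addr2} addr3={f.addr3} seq={f.seq_control}")
    wire = to_dot3(f, AP)
    print(f"802.3:  dest={mac_str(wire[:6])} src={mac_str(wire[6:12])} payload={wire[12:]!r}")
```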
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Slotted Aloha efficiency
Suppose N nodes with many frames to send each transmits in slot with probability p
prob that node 1 has success in a slot = p(1-p)N-1
prob that there is a success = Np(1-p)N-1
For max efficiency with N nodes find p that maximizes Np(1-p)N-1
For many nodes take limit of Np(1-p)N-1
as N goes to infinity gives 1e = 37
Efficiency is the long-run fraction of successful slots when there are many nodes each with many frames to send
At best channelused for useful transmissions 37of time
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
CSMA (Carrier Sense Multiple Access)
CSMA listen before transmit If channel sensed idle transmit entire frame If channel sensed busy defer transmission
Human analogy donrsquot interrupt others
CSMA collisions
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmissioncollisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame
Address 2: MAC address of wireless host or AP transmitting this frame
Address 3: MAC address of router interface to which AP is attached
Address 4: used only in ad hoc mode
[Figure: H1 sends through the AP to router R1, which connects to the Internet.
802.11 frame from H1: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr.
802.3 frame from the AP: dest address = R1 MAC addr, source address = AP MAC addr]
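The frame layout and addressing rules above, as an added example that is not part of the slides: it builds an 802.11 data-frame header for a host sending through its AP (address 1 = AP, address 2 = host, address 3 = router) with the slide's field widths, then parses it back while enforcing the 0-2312 byte payload bound and checking the CRC. The frame-control value, the use of zlib's CRC-32 for the 4-byte CRC field and every MAC address are assumptions of this example.

```python
"""Build and parse an 802.11 data-frame header using the slide's layout:
frame control 2, duration 2, address 1/2/3 6 bytes each, seq control 2,
(address 4 only in ad hoc mode), payload 0-2312, CRC 4.
Added example, not from the slides; all MAC addresses are constructed.
"""
import struct
import zlib

MAX_PAYLOAD = 2312            # payload bound from the slide's frame layout
ADDR_LEN = 6
CRC_LEN = 4
HEADER_FMT = "<HH6s6s6sH"     # frame control, duration, addr1, addr2, addr3, seq control
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes in infrastructure mode


def mac_to_bytes(mac: str) -> bytes:
    """'1A-2F-BB-76-09-AD' -> 6 raw bytes (':' separators accepted too)."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != ADDR_LEN:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def infrastructure_addresses(host_mac: str, ap_mac: str, router_mac: str) -> dict:
    """Slide rule for a frame from a wireless host towards the wired side:
    address 1 = receiver of this frame (the AP), address 2 = transmitter (the host),
    address 3 = router interface the AP is attached to."""
    return {"addr1": ap_mac, "addr2": host_mac, "addr3": router_mac}


def build_frame(addr1: str, addr2: str, addr3: str, payload: bytes,
                seq: int = 0, duration: int = 0) -> bytes:
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {MAX_PAYLOAD}")
    frame_control = 0x0008     # assumption: type = data, subtype 0, flags clear
    header = struct.pack(HEADER_FMT, frame_control, duration,
                         mac_to_bytes(addr1), mac_to_bytes(addr2), mac_to_bytes(addr3),
                         (seq & 0x0FFF) << 4)   # sequence number in the upper 12 bits
    body = header + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF        # IEEE CRC-32 for the 4-byte CRC field
    return body + struct.pack("<I", fcs)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields, rejecting truncated or corrupted input."""
    if len(frame) < HEADER_LEN + CRC_LEN:
        raise ValueError("frame shorter than header + CRC")
    body, fcs_bytes = frame[:-CRC_LEN], frame[-CRC_LEN:]
    if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack("<I", fcs_bytes)[0]:
        raise ValueError("CRC mismatch: frame corrupted")
    fc, duration, a1, a2, a3, seq_ctrl = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    payload = body[HEADER_LEN:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    return {"frame_control": fc, "duration": duration,
            "addr1": bytes_to_mac(a1), "addr2": bytes_to_mac(a2), "addr3": bytes_to_mac(a3),
            "seq": seq_ctrl >> 4, "payload": payload}


# Constructed addresses for the H1 -> AP -> R1 picture (not from the slides).
H1_MAC = "00-11-22-33-44-55"
AP_MAC = "AA-BB-CC-DD-EE-01"
R1_MAC = "C0-FF-EE-00-00-01"

if __name__ == "__main__":
    addrs = infrastructure_addresses(H1_MAC, AP_MAC, R1_MAC)
    frame = build_frame(addrs["addr1"], addrs["addr2"], addrs["addr3"], b"datagram", seq=7)
    print(parse_frame(frame))
```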
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijkstra's Algorithm
Dijkstra's algorithm: example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP (Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF "advanced" features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes & BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMA/CD (Collision Detection)
CSMA/CD collision detection
"Taking Turns" MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMA/CD
Ethernet CSMA/CD algorithm
Ethernet's CSMA/CD (more)
CSMA/CD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 802.11 Wireless LAN
802.11 LAN architecture
IEEE 802.11 MAC Protocol: CSMA/CA
Collision Avoidance: RTS-CTS exchange
802.11 frame addressing
Slide 105
Network Security
CSMA collisions
Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
Collision: entire packet transmission time wasted.
[Figure: spatial layout of nodes vs. time, with two transmissions overlapping]
Note: role of distance and propagation delay in determining collision probability.
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
- collisions detected within short time
- colliding transmissions aborted, reducing channel wastage
Collision detection:
- easy in wired LANs: measure signal strengths, compare transmitted, received signals
- difficult in wireless LANs: receiver shut off while transmitting
CSMA/CD collision detection
[Figure: spatial layout of nodes vs. time; both colliding transmissions are aborted shortly after the collision is detected]
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
Each IP node (Host, Router) on LAN has ARP table
ARP Table: IP/MAC address mappings for some LAN nodes
< IP address; MAC address; TTL>
TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: LAN with four nodes. MAC addresses: 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98, 71-65-F7-2B-08-53. IP addresses: 237.196.7.23, 237.196.7.78, 237.196.7.14, 237.196.7.88]
ARP protocol: Same LAN (network)
A wants to send datagram to B, and B's MAC address not in A's ARP table.
A broadcasts ARP query packet, containing B's IP address
- Dest MAC address = FF-FF-FF-FF-FF-FF
- all machines on LAN receive ARP query
B receives ARP packet, replies to A with its (B's) MAC address
- frame sent to A's MAC address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
- soft state: information that times out (goes away) unless refreshed
ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
Walkthrough: send datagram from A to B via R; assume A knows B's IP address
Two ARP tables in router R, one for each IP network (LAN)
In routing table at source Host, find router 111.111.111.110
In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: A - R - B, with R's two interfaces on the two LANs]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
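The same-LAN ARP exchange and the A-to-B-via-R walkthrough above, as an added simulation that is not part of the slides: soft-state ARP tables with the 20 min TTL, a broadcast query answered by a unicast reply, and a router with one ARP table per attached LAN. The router's 111.111.111.110 / E6-E9-00-17-BB-4B come from the slide; every other address, and the Lan/Interface classes themselves, are constructed for this example.

```python
"""ARP resolution and the A -> R -> B walkthrough from the slides: every node
keeps a soft-state ARP table <IP address, MAC address, TTL> (20 min TTL), a
query goes out as a broadcast to FF-FF-FF-FF-FF-FF, the reply comes back
unicast, and the router, with one ARP table per attached LAN, resolves B on
the far LAN.  Added example, not from the slides; apart from the router's
111.111.111.110 / E6-E9-00-17-BB-4B every address below is constructed.
"""
from dataclasses import dataclass, field

ARP_TTL_SECONDS = 20 * 60          # "typically 20 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


class ArpTable:
    """Soft state: an entry goes away after its TTL unless refreshed."""

    def __init__(self):
        self._entries = {}          # ip -> (mac, expiry time)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if now >= expires_at:       # timed out: forget the mapping
            del self._entries[ip]
            return None
        return mac

    def learn(self, ip, mac, now):
        self._entries[ip] = (mac, now + ARP_TTL_SECONDS)


@dataclass
class Lan:
    """One broadcast domain: a frame reaches the interface whose MAC matches
    the destination, or every interface when the destination is broadcast."""
    name: str
    interfaces: list = field(default_factory=list)

    def deliver(self, frame):
        for iface in self.interfaces:
            if frame["dst"] in (BROADCAST, iface.mac):
                iface.receive(frame)


@dataclass
class Interface:
    ip: str
    mac: str
    lan: Lan
    arp: ArpTable = field(default_factory=ArpTable)
    inbox: list = field(default_factory=list)
    sent: list = field(default_factory=list)

    def send(self, frame):
        self.sent.append(frame)
        self.lan.deliver(frame)

    def receive(self, frame):
        self.inbox.append(frame)
        if frame["type"] == "arp-query" and frame["target_ip"] == self.ip:
            # the queried node answers with its own MAC, unicast to the asker
            self.send({"type": "arp-reply", "dst": frame["src"], "src": self.mac,
                       "sender_ip": self.ip})

    def resolve(self, ip, now):
        """Return the MAC for `ip`, from the cache or via a broadcast ARP query."""
        mac = self.arp.lookup(ip, now)
        if mac is not None:
            return mac
        self.send({"type": "arp-query", "dst": BROADCAST, "src": self.mac, "target_ip": ip})
        for i, frame in enumerate(self.inbox):
            if frame["type"] == "arp-reply" and frame["sender_ip"] == ip:
                self.inbox.pop(i)
                self.arp.learn(ip, frame["src"], now)   # cache the IP-to-MAC pair
                return frame["src"]
        raise LookupError(f"no ARP reply for {ip}")


def build_topology():
    """A and R's first interface on LAN 1; R's second interface and B on LAN 2."""
    lan1, lan2 = Lan("LAN 1"), Lan("LAN 2")
    a = Interface("111.111.111.111", "74-29-9C-E8-FF-55", lan1)      # constructed
    r_in = Interface("111.111.111.110", "E6-E9-00-17-BB-4B", lan1)   # from the slide
    r_out = Interface("222.222.222.220", "1A-23-F9-CD-06-9B", lan2)  # constructed
    b = Interface("222.222.222.222", "49-BD-D2-C7-56-2A", lan2)      # constructed
    lan1.interfaces += [a, r_in]
    lan2.interfaces += [r_out, b]
    return a, r_in, r_out, b


def send_datagram(a, r_in, r_out, b, now):
    """The slide's walkthrough; returns the two link-layer frames that were built."""
    datagram = {"src_ip": a.ip, "dst_ip": b.ip, "data": b"A-to-B"}
    # A: routing table says next hop 111.111.111.110; ARP gives R's MAC on LAN 1
    frame1 = {"type": "data", "dst": a.resolve(r_in.ip, now), "src": a.mac,
              "datagram": datagram}
    a.send(frame1)
    # R: takes the datagram out of the frame, sees it is for B, and resolves B
    # with the ARP table of its LAN 2 interface
    received = next(f for f in reversed(r_in.inbox) if f["type"] == "data")["datagram"]
    frame2 = {"type": "data", "dst": r_out.resolve(received["dst_ip"], now),
              "src": r_out.mac, "datagram": received}
    r_out.send(frame2)
    return [frame1, frame2]


if __name__ == "__main__":
    nodes = build_topology()
    for f in send_datagram(*nodes, now=0.0):
        print(f["src"], "->", f["dst"], "carrying datagram for", f["datagram"]["dst_ip"])
```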
Ethernet uses CSMA/CD
No slots
Adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
Transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load (heavy load: random wait will be longer)
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3}...
- after ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$
Efficiency goes to 1 as t_prop goes to 0
Goes to 1 as t_trans goes to infinity
Much better than ALOHA, but still decentralized, simple, and cheap
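The backoff rule from the algorithm slide and the efficiency formula above, as added code that is not from the slides: K is drawn from {0, ..., 2^m - 1}, capped at 1023 from the tenth collision on, each unit is 512 bit times, and the K = 1023 wait on 10 Mbps Ethernet comes out at about 50 ms. The 16-attempt give-up limit and the stand-in for the shared medium are assumptions of this example.

```python
"""Ethernet CSMA/CD exponential backoff and efficiency, as on the slides:
after the m-th collision pick K from {0, ..., 2^m - 1} (capped at 1023 from
the tenth collision on), wait K * 512 bit times, and
efficiency = 1 / (1 + 5 t_prop / t_trans).
Added example, not from the slides; the 16-attempt limit is an assumption and
the cable length and frame size at the bottom are constructed.
"""
import random

SLOT_BITS = 512            # backoff unit: 512 bit times
JAM_BITS = 48              # jam signal length from the slide
MAX_BACKOFF_EXPONENT = 10  # after ten collisions K is drawn from {0, ..., 1023}
MAX_ATTEMPTS = 16          # assumption: give up after 16 collisions


def backoff_range(collisions: int) -> int:
    """Largest K (inclusive) after `collisions` consecutive collisions."""
    if collisions < 1:
        raise ValueError("backoff applies only after at least one collision")
    return 2 ** min(collisions, MAX_BACKOFF_EXPONENT) - 1


def backoff_wait_seconds(collisions: int, bit_rate_bps: float, rng=random) -> float:
    """Draw K uniformly and convert K * 512 bit times into seconds."""
    k = rng.randint(0, backoff_range(collisions))
    return k * SLOT_BITS / bit_rate_bps


def worst_case_wait_seconds(bit_rate_bps: float) -> float:
    """K = 1023 on 10 Mbps Ethernet gives about 50 ms, as on the slide."""
    return 1023 * SLOT_BITS / bit_rate_bps


def efficiency(t_prop: float, t_trans: float) -> float:
    """Long-run fraction of time the channel carries useful frames."""
    if t_prop < 0 or t_trans <= 0:
        raise ValueError("t_prop must be >= 0 and t_trans > 0")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


def transmit(collides_on_attempt, bit_rate_bps: float, rng=random) -> dict:
    """Run steps 2-5 of the slide's algorithm for one frame.
    `collides_on_attempt(n)` is a constructed stand-in for the medium: it
    returns True when transmission attempt number n collides."""
    collisions = 0
    waited = 0.0
    while True:
        if not collides_on_attempt(collisions + 1):
            return {"sent": True, "collisions": collisions, "waited": waited}
        collisions += 1                      # abort and send the 48-bit jam signal
        waited += JAM_BITS / bit_rate_bps
        if collisions >= MAX_ATTEMPTS:
            return {"sent": False, "collisions": collisions, "waited": waited}
        waited += backoff_wait_seconds(collisions, bit_rate_bps, rng)


if __name__ == "__main__":
    rate = 10e6   # 10 Mbps Ethernet
    print(f"K=1023 wait: {worst_case_wait_seconds(rate) * 1e3:.1f} ms")
    # Constructed LAN: 2.5 km span at 2e8 m/s, 1500-byte frames at 10 Mbps
    print(f"efficiency: {efficiency(2500 / 2e8, 1500 * 8 / rate):.3f}")
    # Constructed medium: the first two attempts collide, the third succeeds
    print(transmit(lambda n: n < 3, rate))
```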
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
[Figure: hub with twisted-pair links to the hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are merged into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: backbone hub connecting three departmental hubs]
Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
Transparent
- hosts are unaware of presence of switches
Plug-and-play, self-learning
- switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem
[Figure: switch with interfaces 1, 2, 3, each attached to a hub]
Self learning
A switch has a switch table
Entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
Switch learns which hosts can be reached through which interfaces
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table
Switch: traffic isolation
Switch installation breaks subnet into LAN segments
Switch filters packets:
- same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
[Figure: switch with three hubs, each hub forming its own collision domain]
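The self-learning and filtering behaviour of the three slides above, as an added simulation that is not from the slides: a switch table of (MAC address, interface, time stamp) entries aged out after 60 min, learned from the source address of each arriving frame, used to forward selectively and to filter same-segment frames. Flooding a frame whose destination is not yet in the table is standard switch behaviour the slides do not spell out; interface numbers, MAC addresses and the frame sequence are constructed.

```python
"""Self-learning switch from the slides: a switch table of
(MAC address, interface, time stamp) entries, learned from the source address
of each frame that arrives, aged out after 60 min, and used to forward a frame
only onto the segment where its destination was last seen; frames whose
destination sits on the incoming segment are filtered.  Added example, not
from the slides; interface numbers, MAC addresses and frames are constructed.
"""

SWITCH_TTL_SECONDS = 60 * 60        # "TTL can be 60 min"
BROADCAST = "FF-FF-FF-FF-FF-FF"


class LearningSwitch:
    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.table = {}       # MAC address -> (interface, time stamp)

    def _drop_stale(self, now):
        """Stale entries in the table are dropped once older than the TTL."""
        stale = [mac for mac, (_, stamp) in self.table.items()
                 if now - stamp >= SWITCH_TTL_SECONDS]
        for mac in stale:
            del self.table[mac]

    def receive(self, src, dst, in_iface, now):
        """Handle one frame; return the list of interfaces it is forwarded on."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown interface {in_iface}")
        self._drop_stale(now)
        # self-learning: the sender is reachable through the incoming segment
        self.table[src] = (in_iface, now)
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            # broadcast, or destination not yet learned: flood to every other segment
            return [i for i in self.interfaces if i != in_iface]
        out_iface, _ = entry
        if out_iface == in_iface:
            return []            # same-LAN-segment frame: filtered, not forwarded
        return [out_iface]       # selective forwarding on the MAC dest address


def replay(switch, frames):
    """Feed (src, dst, in_iface, now) tuples through the switch and return
    one (frame, out_interfaces) pair per frame."""
    return [(f, switch.receive(*f)) for f in frames]


if __name__ == "__main__":
    A, B, C = "00-00-00-00-00-0A", "00-00-00-00-00-0B", "00-00-00-00-00-0C"
    sw = LearningSwitch([1, 2, 3])
    # Constructed sequence: B unknown (flood), reply to A (learned), C to A on
    # the same segment (filtered), broadcast, then B's entry has aged out.
    for frame, out in replay(sw, [(A, B, 1, 0), (B, A, 2, 1), (C, A, 1, 2),
                                  (A, BROADCAST, 1, 3), (C, B, 3, 3601)]):
        print(frame, "->", out)
```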
Switches vs. Routers
Both store-and-forward devices
- routers: network layer devices (examine network layer headers)
- switches: link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
CSMACD (Collision Detection)CSMACD carrier sensing deferral as in
CSMA collisions detected within short time colliding transmissions aborted reducing
channel wastage collision detection
easy in wired LANs measure signal strengths compare transmitted received signals
difficult in wireless LANs receiver shut off while transmitting
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocolsPolling master node
ldquoinvitesrdquo slave nodes to transmit in turn
concerns polling overhead latency single point of
failure (master)
Token passing control token passed
from one node to next sequentially
token message concerns
token overhead latency single point of failure
(token)
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
"Taking Turns" MAC protocols
Polling:
- master node "invites" slave nodes to transmit in turn
- concerns: polling overhead, latency, single point of failure (master)
Token passing:
- control token passed from one node to next sequentially
- token message
- concerns: token overhead, latency, single point of failure (token)
ARP: Address Resolution Protocol
- Each IP node (Host, Router) on LAN has ARP table
- ARP Table: IP/MAC address mappings for some LAN nodes
  < IP address; MAC address; TTL >
- TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min)
Question: how to determine MAC address of B knowing B's IP address?
[Figure: four hosts on one LAN, each with an IP address and a MAC address]
  IP address     MAC address
  237.196.7.23   1A-2F-BB-76-09-AD
  237.196.7.78   58-23-D7-FA-20-B0
  237.196.7.14   0C-C4-11-6F-E3-98
  237.196.7.88   71-65-F7-2B-08-53
ARP protocol: Same LAN (network)
- A wants to send datagram to B, and B's MAC address not in A's ARP table
- A broadcasts ARP query packet, containing B's IP address
  - dest MAC address = FF-FF-FF-FF-FF-FF
  - all machines on LAN receive ARP query
- B receives ARP packet, replies to A with its (B's) MAC address
  - frame sent to A's MAC address (unicast)
- A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out)
  - soft state: information that times out (goes away) unless refreshed
- ARP is "plug-and-play": nodes create their ARP tables without intervention from net administrator
Routing to another LAN
walkthrough: send datagram from A to B via R; assume A knows B's IP address
- Two ARP tables in router R, one for each IP network (LAN)
- In routing table at source Host, find router 111.111.111.110
- In ARP table at source, find MAC address E6-E9-00-17-BB-4B, etc.
[Figure: host A and router R on one LAN; R and host B on another LAN]
- A creates datagram with source A, destination B
- A uses ARP to get R's MAC address for 111.111.111.110
- A creates link-layer frame with R's MAC address as dest; frame contains A-to-B IP datagram
- A's adapter sends frame
- R's adapter receives frame
- R removes IP datagram from Ethernet frame, sees it's destined to B
- R uses ARP to get B's MAC address
- R creates frame containing A-to-B IP datagram, sends to B
[Figure: same A -- R -- B topology, with the frame re-addressed by R on the second LAN]
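The ARP table, the same-LAN query/reply exchange and the two-LAN walkthrough above, as one added example that is not part of the slides. The table is soft state with the slide's 20-minute TTL, the query goes to FF-FF-FF-FF-FF-FF and the reply comes back unicast, and the walkthrough uses one ARP table per router interface. Apart from the slide's 111.111.111.110 / E6-E9-00-17-BB-4B, every address here is constructed.

```python
"""ARP table as soft state with a TTL, the same-LAN query/reply exchange, and the
next-hop choice from the "Routing to another LAN" walkthrough (A -> R -> B).
Added example, not from the slides.  Every address except the slide's
111.111.111.110 / E6-E9-00-17-BB-4B is constructed."""
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "FF-FF-FF-FF-FF-FF"   # destination MAC of an ARP query
ARP_TTL = 20 * 60                 # mapping forgotten after 20 min (seconds)


@dataclass
class ArpTable:
    """Entries <IP address; MAC address; TTL>: soft state that goes away unless refreshed."""
    entries: dict = field(default_factory=dict)   # ip -> (mac, expiry time)
    rewrites: list = field(default_factory=list)  # (ip, old_mac, new_mac) when a live entry changes

    def lookup(self, ip, now):
        hit = self.entries.get(ip)
        if hit is None:
            return None
        mac, expiry = hit
        if now >= expiry:            # timed out: forget the mapping
            del self.entries[ip]
            return None
        return mac

    def learn(self, ip, mac, now):
        old = self.lookup(ip, now)
        if old is not None and old != mac:
            # ARP is plug-and-play: a reply is accepted without any administrator-set
            # binding, so a live mapping changing to another MAC is worth recording.
            self.rewrites.append((ip, old, mac))
        self.entries[ip] = (mac, now + ARP_TTL)


@dataclass
class Node:
    """A host, or one interface of a router (a router has one Node per LAN)."""
    name: str
    ip: str
    mac: str
    subnet: str                 # the LAN's IP network, e.g. "111.111.111.0/24"
    gateway: str = None         # router interface on this LAN, if the node is a host
    arp: ArpTable = field(default_factory=ArpTable)


class Lan:
    """One LAN (broadcast domain); records every frame as (dst_mac, src_mac, kind, ip)."""
    def __init__(self, nodes):
        self.nodes = nodes
        self.frames = []

    def resolve(self, asker, target_ip, now):
        """MAC for target_ip: from asker's ARP table if cached, else by ARP query/reply."""
        mac = asker.arp.lookup(target_ip, now)
        if mac is not None:
            return mac
        self.frames.append((BROADCAST, asker.mac, "ARP-query", target_ip))
        for n in self.nodes:                        # all machines on the LAN receive it
            if n is not asker and n.ip == target_ip:
                self.frames.append((asker.mac, n.mac, "ARP-reply", n.ip))   # unicast to asker
                asker.arp.learn(n.ip, n.mac, now)
                return n.mac
        return None                                 # nobody answered


def next_hop_ip(src, dst_ip):
    """Routing-table step of the walkthrough: deliver on the same LAN, else via the router."""
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(src.subnet):
        return dst_ip
    return src.gateway


def send_datagram(lan, src, dst_ip, now):
    """Link-layer step: ARP for the next hop's MAC, then send the frame carrying the datagram."""
    hop_ip = next_hop_ip(src, dst_ip)
    hop_mac = lan.resolve(src, hop_ip, now)
    if hop_mac is None:
        raise RuntimeError(f"{src.name}: no ARP reply for {hop_ip}")
    lan.frames.append((hop_mac, src.mac, "IP", dst_ip))    # frame contains the A-to-B datagram
    return hop_mac


def walkthrough(now=0):
    """A -> R -> B across two LANs; R keeps one ARP table per LAN (two Nodes)."""
    a = Node("A", "111.111.111.111", "02-A0-00-00-00-01", "111.111.111.0/24", gateway="111.111.111.110")
    r1 = Node("R/lan1", "111.111.111.110", "E6-E9-00-17-BB-4B", "111.111.111.0/24")
    r2 = Node("R/lan2", "222.222.222.220", "02-A0-00-00-00-02", "222.222.222.0/24")
    b = Node("B", "222.222.222.222", "02-A0-00-00-00-03", "222.222.222.0/24", gateway="222.222.222.220")
    lan1, lan2 = Lan([a, r1]), Lan([r2, b])
    first_hop = send_datagram(lan1, a, b.ip, now)     # A ARPs for R's MAC, frames the datagram to R
    second_hop = send_datagram(lan2, r2, b.ip, now)   # R strips the frame, ARPs for B, re-frames
    return {"first_hop": first_hop, "second_hop": second_hop,
            "lan1": lan1.frames, "lan2": lan2.frames, "a": a, "r2": r2}
```

`walkthrough()` returns the frame traces of both LANs: on the first LAN a broadcast ARP query for 111.111.111.110, the unicast reply, then the IP frame addressed to E6-E9-00-17-BB-4B; on the second LAN the same three-frame pattern from R's other interface to B. `ArpTable.rewrites` is the one thing the slides do not show: because any host on the LAN may answer a query and no administrator ever vouches for a binding, a mapping that changes while its TTL is still running is the event a defender wants in a log.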
Ethernet uses CSMA/CD
- No slots
- adapter doesn't transmit if it senses that some other adapter is transmitting, that is, carrier sense
- transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection
- Before attempting a retransmission, adapter waits a random time, that is, random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from net layer & creates frame
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, waits until channel idle and then transmits
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, aborts and sends jam signal (48 bits)
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load
  - heavy load: random wait will be longer
- first collision: choose K from {0, 1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0, 1, 2, 3} ...
- after ten collisions, choose K from {0, 1, 2, 3, 4, ..., 1023}
CSMA/CD efficiency
- t_prop = max prop between 2 nodes in LAN
- t_trans = time to transmit max-size frame
  efficiency = 1 / (1 + 5 t_prop / t_trans)
- Efficiency goes to 1 as t_prop goes to 0
- Goes to 1 as t_trans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
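The backoff step of the algorithm, the bit-time arithmetic and the efficiency formula from the three slides above, as one added example that is not part of the slides. It draws K from {0, ..., 2^m - 1} with the window capped at 1023 after the tenth collision, converts K * 512 bit times to microseconds at 10 Mbps, and runs the algorithm against a constructed schedule of which attempts collide; `WorstCaseRng` always picks the largest K so the delay bound can be checked.

```python
"""Ethernet CSMA/CD: the exponential-backoff step of the algorithm and the
efficiency bound from the slides, run on a constructed collision schedule.
Added example, not from the slides."""
import random

BIT_TIME_US = 0.1      # 10 Mbps Ethernet: one bit time = 0.1 microsecond
SLOT_BITS = 512        # a backoff unit is K * 512 bit times
MAX_EXPONENT = 10      # window stops growing after the 10th collision (K <= 1023)
JAM_BITS = 48


def backoff_window(m):
    """K is drawn from {0, 1, ..., 2^m - 1} after the m-th collision, capped at 1023."""
    if m < 1:
        raise ValueError("m is the collision count, starting at 1")
    return range(2 ** min(m, MAX_EXPONENT))


def backoff_delay_us(k):
    """K * 512 bit times, in microseconds."""
    return k * SLOT_BITS * BIT_TIME_US


def csma_cd_efficiency(t_prop, t_trans):
    """efficiency = 1 / (1 + 5 t_prop / t_trans)"""
    if t_trans <= 0 or t_prop < 0:
        raise ValueError("t_trans must be positive and t_prop non-negative")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


class WorstCaseRng:
    """Stand-in for random: always picks the largest K, to bound the delay."""
    def choice(self, seq):
        return seq[-1]


def transmit(frame_bits, colliding_attempts, rng=random):
    """Steps 2-5 of the algorithm.  colliding_attempts: the attempt numbers
    (1-based) that hit a collision, a constructed schedule.
    Returns (attempts, bits_put_on_wire, total_backoff_us)."""
    attempt, bits, waited = 0, 0, 0.0
    while True:
        attempt += 1
        if attempt not in colliding_attempts:
            return attempt, bits + frame_bits, waited     # step 3: whole frame sent, done
        bits += JAM_BITS                                  # step 4: abort, 48-bit jam signal
        k = rng.choice(backoff_window(attempt))           # step 5: attempt == collisions so far
        waited += backoff_delay_us(k)                     # wait K * 512 bit times, back to step 2
```

`backoff_delay_us(1023)` gives 52,377.6 microseconds, which is the slide's "about 50 msec"; `csma_cd_efficiency` reproduces the two limits on the slide (1 as t_prop goes to 0, and approaching 1 as t_trans grows). Passing `random` as `rng` gives the real randomized behaviour; `WorstCaseRng` exists only to make the bound checkable.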
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality
  - can disconnect a malfunctioning adapter
[Figure: a hub with twisted-pair links to its hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance btw nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: a backbone hub connecting three departmental hubs]
Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
transparent
- hosts are unaware of presence of switches
plug-and-play, self-learning
- switches do not need to be configured
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: a switch with interfaces 1, 2, 3, each attached to a hub and its LAN segment]
Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
  - when frame received, switch "learns" location of sender: incoming LAN segment
  - records sender/location pair in switch table
Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains
[Figure: a switch connecting three hubs; each hub's segment is its own collision domain]
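Self-learning, forwarding and filtering from the three switch slides above, as one added example that is not part of the slides: a switch table of (MAC address, interface, timestamp) entries with the slide's 60-minute TTL, where each received frame teaches the switch the sender's segment, a known destination is forwarded on one interface (or filtered when it sits on the incoming segment), and an unknown or broadcast destination is flooded to every other interface. The frame sequence in the test is constructed.

```python
"""Self-learning switch: (MAC, interface, timestamp) table, 60-min TTL, filtering of
same-segment frames, flooding for unknown or broadcast destinations.
Added example, not from the slides.  Interface numbers and MACs are constructed."""
from dataclasses import dataclass, field

SWITCH_TTL = 60 * 60                 # "TTL can be 60 min", in seconds
BROADCAST = "FF-FF-FF-FF-FF-FF"


@dataclass
class Switch:
    interfaces: tuple                              # e.g. (1, 2, 3), one per LAN segment
    table: dict = field(default_factory=dict)      # mac -> (interface, timestamp)

    def _drop_stale(self, now):
        """Stale entries are dropped so a host that moved is eventually re-learned."""
        stale = [mac for mac, (_, ts) in self.table.items() if now - ts >= SWITCH_TTL]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_iface, now):
        """Handle one frame arriving on in_iface at time now.
        Returns the list of interfaces the frame is sent out on:
        [] when filtered, one interface when known, all others when flooded."""
        if in_iface not in self.interfaces:
            raise ValueError(f"unknown interface {in_iface}")
        self._drop_stale(now)
        self.table[src_mac] = (in_iface, now)       # learn: sender lives on the incoming segment
        others = [i for i in self.interfaces if i != in_iface]
        if dst_mac == BROADCAST:
            return others                           # broadcast reaches every other segment
        hit = self.table.get(dst_mac)
        if hit is None:
            return others                           # unknown destination: flood
        out_iface, _ = hit
        if out_iface == in_iface:
            return []                               # same LAN segment: filter, do not forward
        return [out_iface]                          # selective forwarding on the learned interface

    def lookup(self, mac):
        """Interface the switch currently believes mac is on, or None."""
        hit = self.table.get(mac)
        return None if hit is None else hit[0]


def trace(switch, frames):
    """Run a constructed list of (src, dst, in_iface, now) frames; return each frame's output list."""
    return [switch.receive(src, dst, iface, now) for src, dst, iface, now in frames]
```

`trace` shows the table filling up as traffic flows: the first frame from A is flooded because B is unknown, B's reply already goes out on A's interface only, and a frame from a third host on A's own segment addressed to A is filtered. Traffic isolation is thus a side effect of learning, which is also why a flooded frame still reaches every segment until the destination has spoken once.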
Switches vs Routers
- both store-and-forward devices
  - routers: network layer devices (examine network layer headers)
  - switches are link layer devices
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem
- B, A hear each other
- B, C hear each other
- A, C can not hear each other
  means A, C unaware of their interference at B
[Figure: A and C on either side of B, each outside the other's range]
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
[Figure: A's signal strength and C's signal strength plotted against space, each fading out before reaching the other]
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer
  - all hosts use same chipping code
- widely deployed, using base stations
802.11a
- 5-6 GHz range
- up to 54 Mbps
802.11g
- 2.4-5 GHz range
- up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
ARP Address Resolution Protocol
Each IP node (Host Router) on LAN has ARP table
ARP Table IPMAC address mappings for some LAN nodes
lt IP address MAC address TTLgt
TTL (Time To Live) time after which address mapping will be forgotten (typically 20 min)
Question how to determineMAC address of Bknowing Brsquos IP address
1A-2F-BB-76-09-AD
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
71-65-F7-2B-08-53
LAN
237196723
237196778
237196714
237196788
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
ARP protocol Same LAN (network) A wants to send datagram
to B and Brsquos MAC address not in Arsquos ARP table
A broadcasts ARP query packet containing Bs IP address Dest MAC address = FF-
FF-FF-FF-FF-FF all machines on LAN
receive ARP query B receives ARP packet
replies to A with its (Bs) MAC address frame sent to Arsquos MAC
address (unicast)
A caches (saves) IP-to-MAC address pair in its ARP table until information becomes old (times out) soft state information
that times out (goes away) unless refreshed
ARP is ldquoplug-and-playrdquo nodes create their ARP
tables without intervention from net administrator
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Routing to another LANwalkthrough send datagram from A to B via R assume A knows Brsquos IP address
Two ARP tables in router R one for each IP network (LAN)
In routing table at source Host find router 111111111110 In ARP table at source find MAC address E6-E9-00-17-BB-4B etc
A
RB
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMA/CD algorithm
1. Adapter receives datagram from network layer and creates frame.
2. If adapter senses channel idle, it starts to transmit frame. If it senses channel busy, it waits until channel is idle and then transmits.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with the frame.
4. If adapter detects another transmission while transmitting, it aborts and sends a jam signal (48 bits).
5. After aborting, adapter enters exponential backoff: after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}. Adapter waits K * 512 bit times and returns to Step 2.
Ethernet's CSMA/CD (more)
Jam signal: make sure all other transmitters are aware of the collision; 48 bits.
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K = 1023, wait time is about 50 msec.
Exponential backoff. Goal: adapt retransmission attempts to estimated current load; under heavy load, the random wait will be longer.
First collision: choose K from {0, 1}; delay is K * 512 bit transmission times.
After second collision: choose K from {0, 1, 2, 3}...
After ten collisions: choose K from {0, 1, 2, 3, 4, ..., 1023}.
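As an added example (not from the slides), the backoff rule above in Python: the K range after the m-th collision, the wait time at 10 Mbps, and a round-based contention model in which the adapter drawing the smallest K transmits first. The 16-attempt give-up limit is an assumption beyond the slides (standard Ethernet behaviour); the constructed model treats a tie at the minimum K as another collision and a larger K as simply deferring.

```python
import random

# From the slides: 10 Mbps Ethernet, one bit time is 0.1 microseconds,
# and the backoff unit is 512 bit times (51.2 microseconds).
BIT_TIME_US_10MBPS = 0.1
SLOT_BITS = 512
MAX_BACKOFF_EXPONENT = 10   # K range stops growing after the 10th collision (0..1023)
MAX_ATTEMPTS = 16           # assumption beyond the slides: Ethernet gives up after 16 collisions


def backoff_upper_bound(m):
    """Largest K an adapter may choose after its m-th consecutive collision.

    Slide rule: K is drawn from {0, 1, ..., 2^m - 1}; after ten collisions
    the range stays at {0, ..., 1023}.
    """
    if m < 1:
        raise ValueError("m counts collisions and starts at 1")
    return 2 ** min(m, MAX_BACKOFF_EXPONENT) - 1


def backoff_wait_us(k, bit_time_us=BIT_TIME_US_10MBPS):
    """Wait time in microseconds for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time_us


def simulate_contention(n_adapters, seed=0, max_attempts=MAX_ATTEMPTS):
    """Constructed round-based model of n adapters with a frame ready at t = 0.

    Every adapter senses idle at t = 0 and transmits, so with n > 1 they all
    collide once.  Each round, every pending adapter draws K for its own
    collision count; the adapter(s) with the smallest K transmit first.  A unique
    minimum is a successful transmission.  A tie means those adapters collide
    again (counter incremented), while adapters that drew a larger K just sensed
    the channel busy and defer (Step 2) without incrementing their counter.

    Returns (order, collisions, gave_up): finishing order, collisions suffered
    per adapter, and the adapters that exceeded max_attempts.
    """
    rng = random.Random(seed)
    collisions = {a: 0 for a in range(n_adapters)}
    pending = set(collisions)
    order, gave_up = [], set()

    if n_adapters > 1:
        for a in pending:
            collisions[a] = 1

    while pending:
        if len(pending) == 1:
            order.append(pending.pop())
            break
        draws = {a: rng.randint(0, backoff_upper_bound(collisions[a])) for a in pending}
        k_min = min(draws.values())
        winners = [a for a, k in draws.items() if k == k_min]
        if len(winners) == 1:
            order.append(winners[0])
            pending.remove(winners[0])
        else:
            for a in winners:
                collisions[a] += 1
                if collisions[a] > max_attempts:
                    pending.remove(a)
                    gave_up.add(a)
    return order, collisions, gave_up


if __name__ == "__main__":
    print("after 10 collisions K <=", backoff_upper_bound(10))
    print("K = 1023 waits about %.1f ms" % (backoff_wait_us(1023) / 1000))
    print(simulate_contention(4, seed=1))
```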
CSMA/CD efficiency
t_prop = max propagation delay between 2 nodes in LAN
t_trans = time to transmit max-size frame
$\text{efficiency} = \frac{1}{1 + 5\,t_{prop}/t_{trans}}$
Efficiency goes to 1 as t_prop goes to 0.
Goes to 1 as t_trans goes to infinity.
Much better than ALOHA, but still decentralized, simple, and cheap.
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links, at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality: can disconnect a malfunctioning adapter
[Figure: hub with twisted-pair links to hosts]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[Figure: three hubs interconnected through a backbone hub]
Switch
Link-layer device: stores and forwards Ethernet frames; examines frame header and selectively forwards frame based on MAC destination address; when frame is to be forwarded on a segment, uses CSMA/CD to access the segment.
Transparent: hosts are unaware of the presence of switches.
Plug-and-play, self-learning: switches do not need to be configured.
Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem...
[Figure: switch with interfaces 1, 2 and 3, each attached to a hub]
Self learning
A switch has a switch table. Entry in switch table: (MAC Address, Interface, Time Stamp). Stale entries in table are dropped (TTL can be 60 min).
Switch learns which hosts can be reached through which interfaces: when a frame is received, switch "learns" location of sender (incoming LAN segment) and records the sender/location pair in switch table.
Switch: traffic isolation
Switch installation breaks subnet into LAN segments. Switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments; segments become separate collision domains.
[Figure: switch connecting three hubs, each hub's segment a separate collision domain]
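The forwarding, self-learning and filtering behaviour of the last three slides, as an added Python example (not from the slides): a switch table of (MAC address, interface, time stamp) entries that learns from source addresses, floods unknown or broadcast destinations, filters same-segment frames and ages out stale entries after a TTL. Interface numbers, MAC addresses and the TTL value used in the sample run are constructed.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class TableEntry:
    interface: int
    timestamp: float   # seconds; the slide's "Time Stamp" column


class LearningSwitch:
    """Self-learning switch table: (MAC Address, Interface, Time Stamp) per entry."""

    def __init__(self, interfaces, ttl_seconds=60 * 60):
        self.interfaces = list(interfaces)
        self.ttl = ttl_seconds
        self.table = {}   # MAC address -> TableEntry

    def _expire(self, now):
        """Drop stale entries: anything not refreshed within the TTL."""
        stale = [mac for mac, e in self.table.items() if now - e.timestamp > self.ttl]
        for mac in stale:
            del self.table[mac]

    def receive(self, src_mac, dst_mac, in_interface, now):
        """Handle one frame arriving on in_interface at time `now`.

        Returns the list of interfaces the frame is forwarded on (empty if filtered).
        """
        if in_interface not in self.interfaces:
            raise ValueError(f"unknown interface {in_interface}")
        self._expire(now)
        # Learning: the sender is reachable through the incoming segment.
        self.table[src_mac] = TableEntry(in_interface, now)
        entry = self.table.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            # Unknown destination: flood onto every other segment.
            return [i for i in self.interfaces if i != in_interface]
        if entry.interface == in_interface:
            # Filtering: destination lives on the incoming segment already.
            return []
        # Selective forwarding onto the learned segment only.
        return [entry.interface]

    def snapshot(self):
        """Current table as {MAC address: interface}, handy for inspection."""
        return {mac: e.interface for mac, e in self.table.items()}


if __name__ == "__main__":
    sw = LearningSwitch(interfaces=[1, 2, 3], ttl_seconds=3600)
    A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MAC addresses
    print(sw.receive(A, B, 1, now=0))    # B unknown: flooded to [2, 3]
    print(sw.receive(B, A, 2, now=10))   # A learned on 1: forwarded to [1]
    print(sw.snapshot())
```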
Switches vs. Routers
Both are store-and-forward devices: routers are network-layer devices (examine network-layer headers); switches are link-layer devices.
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access).
Hidden terminal problem: B and A hear each other; B and C hear each other; A and C cannot hear each other, which means A and C are unaware of their interference at B.
[Figure: A's and C's signal strength plotted over space, overlapping only at B]
Signal fading: B and A hear each other; B and C hear each other; A and C cannot hear each other, interfering at B.
IEEE 802.11 Wireless LAN
802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer; all hosts use same chipping code; widely deployed, using base stations.
802.11a: 5-6 GHz range; up to 54 Mbps.
802.11g: 2.4-5 GHz range; up to 54 Mbps.
All use CSMA/CA for multiple access.
All have base-station and ad-hoc network versions.
802.11 LAN architecture
Wireless host communicates with base station; base station = access point (AP).
Basic Service Set (BSS) (aka "cell") in infrastructure mode contains wireless hosts and access point (AP) = base station.
Ad hoc mode: hosts only.
[Figure: BSS 1 and BSS 2, each with its own AP, connected through a hub, switch or router to the Internet]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. If channel sensed idle for DIFS, then transmit entire frame (no CD).
2. If channel sensed busy, then:
   - start random backoff time
   - timer counts down while channel idle
   - transmit when timer expires
   - if no ACK, increase random backoff interval, repeat 2
802.11 receiver:
- If frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem).
[Figure: sender waits DIFS then sends data; receiver waits SIFS then returns ACK]
Collision Avoidance: RTS-CTS exchange
[Figure, time running downward: A and B send RTS(A) and RTS(B) to the AP at the same time and the reservations collide; A resends RTS(A); the AP answers with CTS(A), heard by both A and B; A sends DATA(A); the AP returns ACK(A); B defers for the reserved duration]
802.11 frame
Fields, with lengths in bytes: frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0-2312), CRC (4).
802.11 frame: addressing
Address 1: MAC address of wireless host or AP to receive this frame.
Address 2: MAC address of wireless host or AP transmitting this frame.
Address 3: MAC address of router interface to which AP is attached.
Address 4: used only in ad hoc mode.
[Figure: host H1 sends through the AP to router R1 on the Internet. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr.]
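An added Python example (not from the slides) of the frame layout and addressing on the two slides above: a builder and parser for 802.11 data frames that reads the To DS / From DS bits of the frame control field, labels the three addresses by role for the slide's host-to-AP case, and checks the trailing CRC. It goes slightly beyond the slide by applying the standard's rule that address 4 is present only when both DS bits are set; the CRC-32 check (little-endian on the wire) and all MAC addresses are constructed sample values/assumptions.

```python
import zlib

MAX_PAYLOAD = 2312   # payload length range on the slide: 0 - 2312 bytes

# Address roles keyed by (To DS, From DS) bits. (1, 0) is the slide's case:
# host H1 transmits to the AP, which relays toward router interface R1.
ADDRESS_ROLES = {
    (0, 0): ("destination", "source", "BSSID", None),             # ad hoc: host to host
    (1, 0): ("AP/BSSID", "source host", "destination", None),     # host -> AP
    (0, 1): ("destination host", "AP/BSSID", "source", None),     # AP -> host
    (1, 1): ("receiver", "transmitter", "destination", "source"), # AP -> AP, 4 addresses
}


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(addr1, addr2, addr3, payload, to_ds=1, from_ds=0, addr4=None, seq=0):
    """Assemble a data frame in the slide's layout and append a CRC-32 FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    fc0 = 0x08                                   # protocol version 0, type 2 (data), subtype 0
    fc1 = (to_ds & 1) | ((from_ds & 1) << 1)     # To DS is bit 0, From DS is bit 1
    header = bytes([fc0, fc1]) + (0).to_bytes(2, "little")           # duration = 0 (constructed)
    header += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    header += (seq << 4).to_bytes(2, "little")                       # seq control: seq<<4 | fragment
    if to_ds and from_ds:
        header += mac_bytes(addr4)                                   # address 4 only in this case
    body = header + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def parse_data_frame(frame):
    """Split a frame into its fields and name each address by its role."""
    if len(frame) < 28:
        raise ValueError("too short: need frame control, duration, 3 addresses, seq control, CRC")
    frame_type = (frame[0] >> 2) & 0x3
    to_ds, from_ds = frame[1] & 1, (frame[1] >> 1) & 1
    duration = int.from_bytes(frame[2:4], "little")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl = int.from_bytes(frame[22:24], "little")
    offset, a4 = 24, None
    if to_ds and from_ds:
        if len(frame) < 34:
            raise ValueError("too short for a four-address frame")
        a4, offset = frame[24:30], 30
    payload, fcs = frame[offset:-4], frame[-4:]
    roles = ADDRESS_ROLES[(to_ds, from_ds)]
    by_role = {roles[0]: mac_str(a1), roles[1]: mac_str(a2), roles[2]: mac_str(a3)}
    if a4 is not None:
        by_role[roles[3]] = mac_str(a4)
    return {
        "type": frame_type, "to_ds": to_ds, "from_ds": from_ds, "duration": duration,
        "address1": mac_str(a1), "address2": mac_str(a2), "address3": mac_str(a3),
        "address4": mac_str(a4) if a4 is not None else None,
        "roles": by_role,
        "sequence": seq_ctrl >> 4, "fragment": seq_ctrl & 0xF,
        "payload": payload,
        # A corrupted header or payload fails this check, so the receiver drops the frame.
        "fcs_ok": int.from_bytes(fcs, "little") == zlib.crc32(frame[:-4]),
    }


if __name__ == "__main__":
    AP, H1, R1 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"   # constructed
    frame = build_data_frame(AP, H1, R1, b"hello", to_ds=1, from_ds=0)
    print(parse_data_frame(frame)["roles"])
```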
Network Security
What is network security?
Principles of cryptography: symmetric key, public key.
Authentication: protocol evolution.
Access control: firewalls.
Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks.
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
A creates datagram with source A destination B A uses ARP to get Rrsquos MAC address for 111111111110 A creates link-layer frame with Rs MAC address as dest
frame contains A-to-B IP datagram Arsquos adapter sends frame Rrsquos adapter receives frame R removes IP datagram from Ethernet frame sees its
destined to B R uses ARP to get Brsquos MAC address R creates frame containing A-to-B IP datagram sends to B
A
RB
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Ethernet uses CSMACD
No slots adapter doesnrsquot
transmit if it senses that some other adapter is transmitting that is carrier sense
transmitting adapter aborts when it senses that another adapter is transmitting that is collision detection
Before attempting a retransmission adapter waits a random time that is random access
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Ethernet CSMACD algorithm
1 Adaptor receives datagram from net layer amp creates frame
2 If adapter senses channel idle it starts to transmit frame If it senses channel busy waits until channel idle and then transmits
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting aborts and sends jam signal (48 bits)
5 After aborting adapter enters exponential backoff after the mth collision adapter chooses a K at random from 012hellip2m-1 Adapter waits K512 bit times and returns to Step 2
Ethernetrsquos CSMACD (more)
Jam Signal make sure all other transmitters are aware of collision 48 bits
Bit time 1 microsec for 10 Mbps Ethernet for K=1023 wait time is about 50 msec
Exponential Backoff Goal adapt retransmission
attempts to estimated current load heavy load random wait
will be longer first collision choose K
from 01 delay is K 512 bit transmission times
after second collision choose K from 0123hellip
after ten collisions choose K from 01234hellip1023
CSMACD efficiency Tprop = max prop between 2 nodes in LAN
ttrans = time to transmit max-size frame
Efficiency goes to 1 as tprop goes to 0
Goes to 1 as ttrans goes to infinity Much better than ALOHA but still decentralized simple and cheap
transprop tt 51
1efficiency
HubsHubs are essentially physical-layer repeaters
bits coming from one link go out all other links at the same rate no frame buffering no CSMACD at hub adapters detect collisions provides net management functionality
bull can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros Enables
interdepartmental communication
Extends max distance btw nodes
If a hub malfunctions the backbone hub can disconnect it
Cons Collision domains are
transferred into one large common domain
Cannot interconnect 10BaseT and 100BaseT hubs
hub
hubhub
hub
Switch Link layer device
stores and forwards Ethernet frames examines frame header and selectively forwards
frame based on MAC dest address when frame is to be forwarded on segment uses
CSMACD to access segment transparent
hosts are unaware of presence of switches plug-and-play self-learning
switches do not need to be configured
Forwarding
bull How to determine onto which LAN segment to forward framebull Looks like a routing problem
hub
hubhub
switch1
2 3
Self learning
A switch has a switch table entry in switch table
(MAC Address Interface Time Stamp) stale entries in table dropped (TTL can be 60
min) switch learns which hosts can be reached through
which interfaces when frame received switch ldquolearnsrdquo location
of sender incoming LAN segment records senderlocation pair in switch table
Switch traffic isolation switch installation breaks subnet into LAN
segments switch filters packets
same-LAN-segment frames not usually forwarded onto other LAN segments
segments become separate collision domains
hub hub hub
switch
collision domain collision domain
collision domain
Switches vs Routers both store-and-forward devices
routers network layer devices (examine network layer headers) switches are link layer devices
Wireless network characteristicsMultiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem B A hear each other B C hear each other A C can not hear each
othermeans A C unaware of their
interference at B
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading B A hear each other B C hear each other A C can not hear each other
interferring at B
IEEE 80211 Wireless LAN
80211b 24-5 GHz unlicensed
radio spectrum up to 11 Mbps direct sequence
spread spectrum (DSSS) in physical layer
bull all hosts use same chipping code
widely deployed using base stations
80211a 5-6 GHz range up to 54 Mbps
80211g 24-5 GHz range up to 54 Mbps
All use CSMACA for multiple access
All have base-station and ad-hoc network versions
80211 LAN architecture
wireless host communicates with base station base station = access
point (AP) Basic Service Set (BSS)
(aka ldquocellrdquo) in infrastructure mode contains wireless hosts access point (AP) base
station ad hoc mode hosts
only
BSS 1
BSS 2
Internet
hub switchor routerAP
AP
IEEE 80211 MAC Protocol CSMACA
80211 sender1 if sense channel idle for DIFS then
transmit entire frame (no CD)2 if sense channel busy then
- start random backoff time- timer counts down while channel idle- transmit when timer expires- if no ACK increase random backoff
interval repeat 2
80211 receiver- if frame received OK
return ACK after SIFS (ACK needed due to hidden terminal problem)
sender receiver
DIFS
data
SIFS
ACK
Collision Avoidance RTS-CTS exchange
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
framecontrol
durationaddress
1address
2address
4address
3payload CRC
2 2 6 6 6 2 6 0 - 2312 4
seqcontrol
80211 frame addressing
Address 2 MAC addressof wireless host or AP transmitting this frame
Address 1 MAC addressof wireless host or AP to receive this frame
Address 3 MAC addressof router interface to which AP is attached
Address 4 used only in ad hoc mode
Internetrouter
AP
H1 R1
AP MAC addr H1 MAC addr R1 MAC addr
address 1 address 2 address 3
80211 frame
R1 MAC addr AP MAC addr
dest address source address
8023 frame
80211 frame addressing
Network Security What is network security Principles of cryptography
Symmetric Key Public Key
Authentication Protocol evolution
Access control firewalls Attacks and counter measures
Packet sniffing IP spoofing DoS attacks
Announcement
Last class
What is network security
The language of cryptography
Public Key Cryptography
Public key cryptography
Public key encryption algorithms
RSA Choosing keys
RSA Encryption decryption
RSA example
RSA Why is that
RSA another important property
Overview
Authentication
Slide 15
Authentication another try
Slide 17
Slide 18
Slide 19
Authentication yet another try
Slide 21
Slide 22
Authentication ap50
ap50 security hole
Slide 25
Slide 26
Firewalls
Firewalls Why
Packet Filtering
Slide 30
Application gateways
Limitations of firewalls and gateways
Slide 33
Internet security threats
Slide 35
Slide 36
Slide 37
Slide 38
Slide 39
Slide 40
Slide 41
Review (1)
Review (2)
Review (3)
Routing Algorithm classification
Dijsktrarsquos Algorithm
Dijkstrarsquos algorithm example
Distance vector algorithm (1)
Distance Vector Algorithm (2)
Slide 50
The Internet Network layer
IP datagram format
IP Addressing introduction
Subnets
IP addressing CIDR
NAT Network Address Translation
Slide 57
Hierarchical Routing
Slide 59
Interconnected ASes
Routing in the Internet
RIP ( Routing Information Protocol)
RIP advertisements
OSPF (Open Shortest Path First)
OSPF ldquoadvancedrdquo features (not in RIP)
Hierarchical OSPF
Slide 67
Internet inter-AS routing BGP
BGP basics
Path attributes amp BGP routes
Why different Intra- and Inter-AS routing
Data Link Layer
Link Layer Services
MAC Protocols a taxonomy
Channel Partitioning MAC protocols TDMA
Slotted ALOHA
Slotted Aloha efficiency
CSMA (Carrier Sense Multiple Access)
CSMA collisions
CSMACD (Collision Detection)
CSMACD collision detection
ldquoTaking Turnsrdquo MAC protocols
ARP Address Resolution Protocol
ARP protocol Same LAN (network)
Routing to another LAN
Slide 86
Ethernet uses CSMACD
Ethernet CSMACD algorithm
Ethernetrsquos CSMACD (more)
CSMACD efficiency
Hubs
Interconnecting with hubs
Switch
Forwarding
Self learning
Switch traffic isolation
Switches vs Routers
Summary comparison
Wireless network characteristics
IEEE 80211 Wireless LAN
80211 LAN architecture
IEEE 80211 MAC Protocol CSMACA
Collision Avoidance RTS-CTS exchange
80211 frame addressing
Slide 105
Network Security
Ethernet's CSMA/CD (more)
Jam Signal: make sure all other transmitters are aware of collision; 48 bits
Bit time: 0.1 microsec for 10 Mbps Ethernet; for K=1023, wait time is about 50 msec
Exponential Backoff:
- Goal: adapt retransmission attempts to estimated current load; under heavy load the random wait will be longer
- first collision: choose K from {0,1}; delay is K * 512 bit transmission times
- after second collision: choose K from {0,1,2,3}...
- after ten collisions: choose K from {0,1,2,3,4,...,1023}

CSMA/CD efficiency
- tprop = max propagation delay between 2 nodes in LAN
- ttrans = time to transmit max-size frame
- efficiency = 1 / (1 + 5 tprop / ttrans)
- Efficiency goes to 1 as tprop goes to 0
- Goes to 1 as ttrans goes to infinity
- Much better than ALOHA, but still decentralized, simple, and cheap
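The backoff rule and the efficiency formula above, worked through as an added Python example (not code from the slides); the 0.1 microsecond bit time and the 512-bit slot are the slide's values, while the frame size and propagation delay used in the demo are assumed.

```python
import random

BIT_TIME_US = 0.1   # bit time for 10 Mbps Ethernet, in microseconds (slide value)
SLOT_BITS = 512     # backoff unit: K * 512 bit transmission times (slide value)
MAX_EXPONENT = 10   # K's range stops growing after ten collisions: {0, ..., 1023}


def backoff_range(collisions: int) -> range:
    """K values an adapter draws from after its n-th consecutive collision.

    1st collision: {0,1}; 2nd: {0,1,2,3}; ...; 10th and later: {0,...,1023}.
    """
    if collisions < 1:
        raise ValueError("backoff only follows a collision")
    return range(2 ** min(collisions, MAX_EXPONENT))


def backoff_delay_us(k: int, bit_time_us: float = BIT_TIME_US) -> float:
    """Wait time in microseconds for a chosen K: K * 512 bit times."""
    return k * SLOT_BITS * bit_time_us


def max_backoff_ms(collisions: int) -> float:
    """Worst-case wait after n collisions, in milliseconds (about 50 ms for K=1023)."""
    return backoff_delay_us(backoff_range(collisions)[-1]) / 1000.0


def choose_backoff_us(collisions: int, rng: random.Random = random) -> float:
    """Draw K uniformly from the current range; heavier load means longer expected waits."""
    return backoff_delay_us(rng.choice(backoff_range(collisions)))


def csma_cd_efficiency(t_prop: float, t_trans: float) -> float:
    """efficiency = 1 / (1 + 5 * t_prop / t_trans); -> 1 as t_prop -> 0 or t_trans -> infinity."""
    if t_prop < 0 or t_trans <= 0:
        raise ValueError("need t_prop >= 0 and t_trans > 0")
    return 1.0 / (1.0 + 5.0 * t_prop / t_trans)


if __name__ == "__main__":
    for n in (1, 2, 10, 16):
        print(f"after {n:2d} collision(s): K in 0..{backoff_range(n)[-1]:4d}, "
              f"worst-case wait {max_backoff_ms(n):.2f} ms")
    # assumed figures: 1500-byte frame at 10 Mbps (1.2 ms) and ~12.5 us propagation
    print(f"efficiency for the assumed LAN: {csma_cd_efficiency(12.5e-6, 1.2e-3):.3f}")
```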
Hubs
Hubs are essentially physical-layer repeaters:
- bits coming from one link go out all other links
- at the same rate
- no frame buffering
- no CSMA/CD at hub: adapters detect collisions
- provides net management functionality (can disconnect a malfunctioning adapter)
[figure: hosts attached to a hub over twisted pair]

Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large common domain
- Cannot interconnect 10BaseT and 100BaseT hubs
[figure: backbone hub interconnecting three department hubs]

Switch
Link layer device
- stores and forwards Ethernet frames
- examines frame header and selectively forwards frame based on MAC dest address
- when frame is to be forwarded on segment, uses CSMA/CD to access segment
- transparent: hosts are unaware of presence of switches
- plug-and-play, self-learning: switches do not need to be configured

Forwarding
- How to determine onto which LAN segment to forward frame?
- Looks like a routing problem
[figure: switch with interfaces 1, 2, 3, each leading to a hub]

Self learning
- A switch has a switch table
- entry in switch table: (MAC Address, Interface, Time Stamp)
- stale entries in table dropped (TTL can be 60 min)
- switch learns which hosts can be reached through which interfaces
- when frame received, switch "learns" location of sender: incoming LAN segment
- records sender/location pair in switch table

Switch: traffic isolation
- switch installation breaks subnet into LAN segments
- switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments
- segments become separate collision domains
[figure: switch connecting three hubs, each hub a separate collision domain]

Switches vs. Routers
- both store-and-forward devices
- routers: network layer devices (examine network layer headers)
- switches are link layer devices
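The self-learning, forwarding and traffic-isolation behaviour of the slides above, as an added Python model (not course code): the table holds (MAC address, interface, timestamp) entries aged out by a TTL, unknown destinations are flooded, and frames whose destination sits on the incoming segment are filtered. The MAC addresses are constructed; the 60-minute TTL is the slide's figure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # MAC address of the sender
    dst: str   # MAC address of the destination


@dataclass
class LearningSwitch:
    """Self-learning switch: a (MAC address -> interface, timestamp) table with a TTL."""
    interfaces: int
    ttl_seconds: float = 60 * 60                                   # slide: TTL can be 60 min
    table: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def _age_out(self, now: float) -> None:
        """Drop stale entries whose timestamp is older than the TTL."""
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > self.ttl_seconds]:
            del self.table[mac]

    def receive(self, frame: Frame, in_if: int, now: float) -> List[int]:
        """Learn the sender's location, then return the interfaces the frame goes out on."""
        if not 1 <= in_if <= self.interfaces:
            raise ValueError(f"no such interface: {in_if}")
        self._age_out(now)
        # self-learning: the sender is reachable through the interface the frame arrived on
        self.table[frame.src] = (in_if, now)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            # unknown destination (or broadcast): flood to every other segment
            return [i for i in range(1, self.interfaces + 1) if i != in_if]
        out_if, _ = entry
        if out_if == in_if:
            # traffic isolation: same-segment frames are filtered, not forwarded
            return []
        return [out_if]


def demo() -> Dict[str, Tuple[int, float]]:
    """Walk a three-segment switch through learning, filtering and aging; return its table."""
    sw = LearningSwitch(interfaces=3)
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"   # constructed MACs
    assert sw.receive(Frame(a, b), in_if=1, now=0) == [2, 3]        # B unknown: flood
    assert sw.receive(Frame(b, a), in_if=2, now=1) == [1]           # A was learned on interface 1
    assert sw.receive(Frame(c, a), in_if=1, now=2) == []            # C and A share segment 1
    assert sw.receive(Frame(a, b), in_if=1, now=3601.5) == [2, 3]   # B's entry aged out: flood again
    return dict(sw.table)
```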
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
- Hidden terminal problem: B, A hear each other; B, C hear each other; A, C cannot hear each other, which means A, C are unaware of their interference at B
- Signal fading: B, A hear each other; B, C hear each other; A, C cannot hear each other, interfering at B
[figure: A, B, C in a line; A's and C's signal strength plotted over space, each fading before it reaches the other]

IEEE 802.11 Wireless LAN
- 802.11b: 2.4-5 GHz unlicensed radio spectrum; up to 11 Mbps; direct sequence spread spectrum (DSSS) in physical layer (all hosts use same chipping code); widely deployed, using base stations
- 802.11a: 5-6 GHz range; up to 54 Mbps
- 802.11g: 2.4-5 GHz range; up to 54 Mbps
- All use CSMA/CA for multiple access
- All have base-station and ad-hoc network versions

802.11 LAN architecture
- wireless host communicates with base station; base station = access point (AP)
- Basic Service Set (BSS) (aka "cell") in infrastructure mode contains: wireless hosts, access point (AP) = base station
- ad hoc mode: hosts only
[figure: BSS 1 and BSS 2, each with an AP, joined by a hub, switch or router to the Internet]

IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender:
1. if sense channel idle for DIFS then transmit entire frame (no CD)
2. if sense channel busy then: start random backoff time; timer counts down while channel idle; transmit when timer expires; if no ACK, increase random backoff interval, repeat 2
802.11 receiver:
- if frame received OK, return ACK after SIFS (ACK needed due to hidden terminal problem)
[figure: sender waits DIFS, then sends data; receiver waits SIFS, then returns ACK]

Collision Avoidance: RTS-CTS exchange
[figure: A and B both send RTS to the AP and the reservations collide; the AP answers CTS(A), heard by both A and B; A sends DATA(A) and receives ACK(A) while B defers]

802.11 frame
fields (size in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)

802.11 frame: addressing
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
[figure: H1 sends to Internet router R1 via the AP. 802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr. 802.3 frame: dest address = R1 MAC addr, source address = AP MAC addr]
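An added parser (not from the slides) for the 802.11 data-frame layout just given: the field order and byte sizes are the slide's, while the little-endian field encoding, the Ethernet-style CRC-32 check on the trailing FCS and the sample MAC addresses for H1, the AP and R1 are assumptions of this example.

```python
import struct
import zlib

# Layout from the slide (bytes): frame control 2 | duration 2 | address 1 6 | address 2 6 |
# address 3 6 | seq control 2 | [address 4 6, ad hoc only] | payload 0-2312 | CRC 4
HDR3 = struct.Struct("<HH6s6s6sH")   # three-address header; little-endian is an assumption
MAX_PAYLOAD = 2312
FCS_LEN = 4


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes, has_addr4: bool = False) -> dict:
    """Split an 802.11 data frame into its fields and verify the trailing CRC.

    Address 4 is present only in ad hoc frames, so the caller says whether to expect it.
    """
    hdr_len = HDR3.size + (6 if has_addr4 else 0)
    if len(frame) < hdr_len + FCS_LEN:
        raise ValueError("frame too short for header and CRC")
    fc, duration, a1, a2, a3, seq = HDR3.unpack_from(frame, 0)
    a4 = frame[HDR3.size:HDR3.size + 6] if has_addr4 else None
    payload = frame[hdr_len:-FCS_LEN]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 2312 bytes")
    expected = zlib.crc32(frame[:-FCS_LEN]) & 0xFFFFFFFF   # assumed Ethernet-style CRC-32
    (got,) = struct.unpack("<I", frame[-FCS_LEN:])
    return {
        "frame_control": fc,
        "duration": duration,
        "address1": mac_str(a1),   # receiver of this frame (the AP for host -> AP)
        "address2": mac_str(a2),   # transmitter of this frame
        "address3": mac_str(a3),   # router interface the AP is attached to
        "address4": mac_str(a4) if a4 else None,
        "seq_control": seq,
        "payload": payload,
        "crc_ok": got == expected,
    }


def build_80211(fc: int, duration: int, a1: bytes, a2: bytes, a3: bytes, seq: int, payload: bytes) -> bytes:
    """Assemble a three-address frame and append its CRC (used to construct test input)."""
    body = HDR3.pack(fc, duration, a1, a2, a3, seq) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


# constructed sample matching the slide's figure: H1 sends to router R1 through the AP
AP, H1, R1 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes.fromhex("020000000003")
SAMPLE = build_80211(0x0008, 0, AP, H1, R1, 0x0010, b"hello from H1")
```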
Network Security
- What is network security?
- Principles of cryptography: symmetric key, public key
- Authentication: protocol evolution
- Access control: firewalls
- Attacks and countermeasures: packet sniffing, IP spoofing, DoS attacks