Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher August, 2014

Dec 27, 2015


Joanna Booker


Outline

• Basics of Internet architecture

• Routing for the Internet and other networks

• Naming issues in networks


Internet Architecture

• The Internet is a network of networks

• It connects together different networks

– Controlled by different parties

– In different geographical locations

– Under different legal and political control

– Using different underlying technologies


So the Internet Isn’t Really This


It’s More Like This

Except much, much bigger

And much, much more complicated


High Level Internet Organization

• Subnetworks are considered to be:

– Tier 1 networks

– Tier 2 networks

– Or tier 3 networks

• Definitions of tiers slightly imprecise

• But commonly understood


Tier 1 Networks

• All tier 1 networks interconnect directly

• In essence, the Internet backbone

• Tier 1 networks mostly move data between each other

– Without paying each other per packet or for amount of bandwidth used

• Until it is moved down to lower tier networks for delivery

• Examples: AT&T, Sprint, NTT


Tier 2 Networks

• ISPs that do some peering, but also pay some other networks for data transit

• Essentially, large ISPs

• They connect to some tier 1 networks

– And to some tier 3 networks

– Perhaps even directly to customers

• Examples: British Telecom, Comcast


Tier 3 Networks

• ISPs that primarily provide direct service to customers

• They typically connect to one or more tier 2 networks

• Tend to be highly regional

• Usually lower bandwidth networks

• Example: Thang Long Data Center


How They Fit Together


Some Basic Internet Policies

• Valley-free

– Once traffic goes up in tiers, it doesn’t go down until you get close to delivery

• I.e., customer->tier-3->tier-2->tier-1->tier-2->tier-3->receiver

• Not customer->tier-3->tier-2->tier-1->tier-2->tier-1->tier-2->tier-3->customer (That’s a valley!)

• Prefer customer route, then peer, then provider

– Go down before sideways

– Go sideways before up

• Typical policy, not ironclad rule
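The two policies on this slide can be written down as a small path check. The following is an added example, not part of the original lecture: the AS names (T1a, T2a, ...) and their business relationships are a constructed toy topology, and the model ignores everything real BGP policy does beyond these two rules.

```python
# Added example: constructed topology, not real routing data.
CUSTOMER, PEER, PROVIDER = "customer", "peer", "provider"

# (provider, customer) pairs: two tier-1s, two tier-2s, two tier-3s.
# T2a buys transit from both tier-1s, which makes a valley possible.
LINKS = [("T1a", "T2a"), ("T1b", "T2a"), ("T1b", "T2b"),
         ("T2a", "T3a"), ("T2b", "T3b")]
PEERS = [("T1a", "T1b")]          # settlement-free peering between tier-1s
PREF = {CUSTOMER: 0, PEER: 1, PROVIDER: 2}   # lower is more preferred

def build_relationships(links=LINKS, peers=PEERS):
    """rel[(a, b)] says what b is to a: a's customer, peer or provider."""
    rel = {}
    for prov, cust in links:
        rel[(prov, cust)] = CUSTOMER   # hop prov -> cust goes "down"
        rel[(cust, prov)] = PROVIDER   # hop cust -> prov goes "up"
    for a, b in peers:
        rel[(a, b)] = rel[(b, a)] = PEER   # "sideways"
    return rel

def is_valley_free(path, rel):
    """Up hops first, at most one sideways hop, then only down hops."""
    descending = False                 # True after a sideways or down hop
    for a, b in zip(path, path[1:]):
        step = rel.get((a, b))
        if step is None:
            return False               # no link between these two ASes
        if descending and step in (PROVIDER, PEER):
            return False               # went up or sideways after coming down
        if step != PROVIDER:
            descending = True
    return True

def best_route(candidates, rel):
    """Among paths from one AS, prefer customer, then peer, then provider;
    a shorter path breaks ties. Preference is judged on the first hop."""
    return min(candidates, key=lambda p: (PREF[rel[(p[0], p[1])]], len(p)))

if __name__ == "__main__":
    rel = build_relationships()
    ok = ["T3a", "T2a", "T1a", "T1b", "T2b", "T3b"]
    valley = ["T3a", "T2a", "T1a", "T2a", "T1b", "T2b", "T3b"]
    print(is_valley_free(ok, rel), is_valley_free(valley, rel))
    print(best_route([["T1b", "T1a", "T2a", "T3a"], ["T1b", "T2a", "T3a"]], rel))
```

A route that fails this check is not necessarily malicious, since the slide calls this typical policy rather than an ironclad rule, but it is the kind of path an operator would want to look at.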


Why Should We Care?

• Security solutions at Internet level must match Internet realities

• Some parties won’t do certain things

– Tier 1 won’t filter packets

• Others might

– Tier 3 might filter packets

• Don’t design solutions based on unrealistic assumptions


Autonomous Systems

• A key organizational concept for the Internet

• Abbreviated “AS”

• A subnetwork run by a single organization

– Whose machines are tightly connected together

• Identified by a unique number

• Often, Internet is viewed as a set of connected ASes


Internet Routing

• IP assumes the sites it visits know where to send a packet next

• Based on forwarding tables

– Except for the final destination

• How do we build and maintain these tables?

• Routing protocols


Routing Protocols

• Internet nodes exchange information about how to reach destinations

– Specified by ranges of IP addresses

• Different routing protocols used in different parts of the Internet

• Used to create forwarding tables


Styles of Routing Protocols

• Link state protocols

– Pass around information about state of links

• Distance vector protocols

– Pass around information about how far away things are

• Path vector protocols

– Pass around paths that can reach various places

• Ad hoc protocols

– Search for paths as necessary (typically for mobile scenarios)


BGP

• A path vector protocol

• The core protocol for routing in the Internet backbone

• Autonomous systems exchange path information

• Can also be used within an AS


OSPF and RIP

• Protocols used within a single network

• Such as a large company’s network

• OSPF is a link state protocol

• RIP is a distance vector protocol

• Generally only suitable for networks of limited size


Security Issues for Routing Protocols

• Largely integrity and availability

• Generally, routing info is not regarded as secret

– Though perhaps some of it should be

• None of the original protocols include any integrity mechanisms

• We’ll discuss routing security in detail


Internet Naming

• At the low level, IP addresses are the names understood by the Internet

• But IP addresses are not convenient names for users

– No semantic meaning

• Tying a high level entity to an IP address is limiting

• So we need other names, as well


Goals of Standard Internet Naming

• To tie some high level name to an IP address

• Generally a name indicating some machine

– Or collection of machines working together

• Not to tie name to a particular data item or user


Internet Domain Names

• A string defining a resource on the Internet

– Like a web site, mail server, etc.

• Typically readable by humans

• Often 1-to-1 connection between domain name and a machine

– But not always

– Several machines can share domain name

– One machine can host several domain names


A Typical Domain Name

• lever.cs.ucla.edu

• My research group’s server at UCLA

• Its IP address is 131.179.192.136

• When a person or program wants to send data there, they use the name

• When the Internet delivers packets there, it uses the IP address

• Clearly, we need to translate


Format of Internet Domain Names

• The domain name is a string divided into components by dots

– lever.cs.ucla.edu

• A hierarchical organization

– Read right to left

– So “edu” is the “highest” level in the example

• Ultimately, translates down to one IP address

– Which might be different each time you ask . . .


Name Translation in the Internet

• Can be done many ways

• But almost always, we use DNS

• DNS = Domain Name Service

• A special service to do these translations


Basics of DNS

• A hierarchical name resolution system

• With lots of caching

• Integrity and availability are big concerns

– Secrecy isn’t

– Name translations are public info

• Basic version does not perform any integrity checking

• We’ll talk about security issues later