5/3/18, slide 1
SOME TOPICS FOR COURSE REVIEW
CSC 249, MAY 3, 2018
- Layer 1, application: web browsing, email
- Layer 2, transport: data transfer
- Layer 3, network: routing from source to destination
- Layer 4, link: single-hop data transfer
- Layer 5, physical: electrical signals
[Figure: the protocol stack, top to bottom: application, transport, network, link, physical]
[Figure: the components of nodal delay on the path from A to B: nodal processing, queueing, transmission, propagation]
We will return to these concepts throughout the semester.
Comparison of basic protocols
- Push vs. pull protocol
- ASCII vs. binary data
- Multiple objects in one message, or one object per message
- One vs. two connections
- Other comparisons
- A process sends/receives messages to/from its socket.
- A socket is analogous to a door: the sending process shoves the message out the door, and relies on the transport infrastructure on the other side of the door to deliver the message to the socket at the receiving process.
[Figure: two hosts connected through the Internet; on each, a process and its socket sit above the application, transport, network and physical/link layers; the socket is controlled by the app developer, the layers below it by the OS]
[Figure: cumulative ACK scenario. Host A sends Seq=92 (8 bytes of data) and then Seq=100 (20 bytes of data); Host B's ACK=100 is lost (X), but its cumulative ACK=120 arrives; A's timeout interval for the first segment is shown; SendBase = 120]
What does 'A' do next?
The transport layer services are:
- ___
- ___
- ___
The transport layer does not provide:
- ___
- ___
- ___
TCP reliability includes:
- ___
- ___
- ___

Interplay between routing and forwarding
- The routing algorithm determines the end-to-end path through the network.
- The forwarding table determines local forwarding at this router.
[Figure: a router whose local forwarding table maps header values (0100, 0101, 0111, 1001) to output links (3, 2, 2, 1); the routing algorithm fills in the table, and the value in an arriving packet's header is looked up in it]
Network Layer
- IP address: 32-bit identifier for a host or router interface
- interface: connection between host/router and physical link
  - routers typically have multiple interfaces
  - a host typically has one or two interfaces (e.g. wired Ethernet, wireless 802.11)
- IP addresses are associated with each interface
[Figure: three subnets with interfaces 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.9, 223.1.2.1, 223.1.2.2, 223.1.3.1, 223.1.3.2, 223.1.3.27]
223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1

DHCP client-server scenario (DHCP server 223.1.2.5, arriving client), in time order:
1. DHCP discover: src 0.0.0.0:68, dest 255.255.255.255:67, yiaddr 0.0.0.0, transaction ID 654
2. DHCP offer: src 223.1.2.5:67, dest 255.255.255.255:68, yiaddr 223.1.2.4, transaction ID 654, lifetime 3600 secs
3. DHCP request: src 0.0.0.0:68, dest 255.255.255.255:67, yiaddr 223.1.2.4, transaction ID 655, lifetime 3600 secs
4. DHCP ACK: src 223.1.2.5:67, dest 255.255.255.255:68, yiaddr 223.1.2.4, transaction ID 655, lifetime 3600 secs
yiaddr = 'your internet address'; broadcast address 255.255.255.255 → sent to every host in the subnet
Create versus use the forwarding table
[Figure: the routing algorithm (control plane) computes the local forwarding table (header value → output link: 0100 → 3, 0101 → 2, 0111 → 2, 1001 → 1); the data plane looks up the address value in an arriving packet's header]
- An individual routing algorithm is run in each and every router.
- Routers interact with each other in the "control plane" to compute forwarding tables.
- Traditional approach.
Textbook excerpt (Kurose & Ross, 7th ed., Section 4.1, Overview of Network Layer, p. 309):
"... tables. In this example, a routing algorithm runs in each and every router and both forwarding and routing functions are contained within a router. As we'll see in Sections 5.3 and 5.4, the routing algorithm function in one router communicates with the routing algorithm function in other routers to compute the values for its forwarding table. How is this communication performed? By exchanging routing messages containing routing information according to a routing protocol. We'll cover routing algorithms and protocols in Sections 5.2 through 5.4.

The distinct and different purposes of the forwarding and routing functions can be further illustrated by considering the hypothetical (and unrealistic, but technically feasible) case of a network in which all forwarding tables are configured directly by human network operators physically present at the routers. In this case, no routing protocols would be required. Of course, the human operators would need to interact with each other to ensure that the forwarding tables were configured in such a way that packets reached their intended destinations. It's also likely that human configuration would be more error-prone and much slower to respond to changes in the network topology than a routing protocol. We're thus fortunate that all networks have both a forwarding and a routing function."
[Figure 4.2 ♦ Routing algorithms determine values in forward tables: the control plane (routing algorithm) fills the local forwarding table (header values 0100, 0110, 0111, 1001 → output 3, 2, 2, 1) that the data plane applies to the values in an arriving packet's header]
[Figure: SDN approach: a logically-centralized routing controller in the control plane computes and distributes a flow table to each router in the data plane; the values in an arriving packet's header (0100, 0110, 0111, 1001) are matched against the local flow table]
Each router contains a flow table that is computed and distributed by a centralized routing controller.
local flow table: headers, counters, actions
- Collisions can still occur: propagation delay means two nodes may not hear each other's transmission.
- Collision: the entire packet transmission time is wasted.
[Figure: spatial layout of nodes over time, with two transmissions overlapping]
- Note the role of distance and propagation delay in determining collision probability.
Compare the devices (fill in):
- Hub: ___
- Switch: ___
- Router: ___
- SDN Packet Switch: ___
Link: differences from a wired link ...
- decreasing signal strength: the EM signal attenuates as it propagates through matter (path loss)
- interference from other sources: wireless network frequencies (e.g. 2.4 GHz) are shared by other devices (e.g. phone, microwave)
- multipath propagation: the EM signal reflects off objects, arriving at the destination at slightly different times (like echoing)
... make communication across (even a point-to-point) wireless link much more error-prone
Network: multiple wireless senders and receivers create additional problems (beyond multiple access)
[Figure: hidden terminal problem, nodes A, B, C]
[Figure: signal fading, A's and C's signal strength versus space]
[Figure: RTS/CTS exchange between the AP and stations A, B over time: RTS(A) and RTS(B) collide (reservation collision); A sends RTS(A) again; the AP broadcasts CTS(A); A sends DATA(A); the AP broadcasts ACK(A); B defers]
Routing to a mobile node via home agent and foreign agent (permanent address 128.119.40.186, care-of address 79.129.13.2):
- packet sent by correspondent: dest 128.119.40.186
- packet sent by home agent to foreign agent, a packet within a packet: outer dest 79.129.13.2, inner dest 128.119.40.186
- foreign-agent-to-mobile packet: dest 128.119.40.186
Review prompt (blank on the slide):
1) ___  2) ___  3) ___  4) ___
Provided via:
1) ___  2) ___  3) ___  4) ___  5) ___  6) ___
Symmetric key crypto: Bob and Alice share the same (symmetric) key K_S
- e.g. the key is knowing the substitution pattern in a monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on the key value?
[Figure: plaintext message m → encryption algorithm with K_S → ciphertext K_S(m) → decryption algorithm with K_S → plaintext m; that is, m = K_S(K_S(m))]

Network Security
Public key crypto:
[Figure: plaintext message m → encryption algorithm with Bob's public key K_B^+ → ciphertext K_B^+(m) → decryption algorithm with Bob's private key K_B^- → plaintext m; that is, m = K_B^-(K_B^+(m))]
Digital signature = signed message digest
- Bob sends a digitally signed message: large message m → hash function H → H(m) → digital signature (encrypt) with Bob's private key K_B^- → K_B^-(H(m)), the encrypted message digest, sent together with m.
- Alice verifies the signature and integrity of the digitally signed message: she applies the hash function H to the received large message m to get H(m); she applies Bob's public key K_B^+ to the encrypted message digest K_B^-(H(m)) (digital signature, decrypt) to get H(m); she checks that the two are equal.

Key distribution center (KDC)
- Alice and Bob need a shared symmetric key.
- The KDC server shares/knows a different secret key for each registered user (many users).
- Alice and Bob know their own symmetric keys, K_A-KDC and K_B-KDC, for communicating with the KDC.
- Permanent, static existence of these 'identity' keys.
- The KDC creates a unique, single-use "session key" for each new communication between Alice and Bob.
[Figure: the KDC holds K_A-KDC, K_B-KDC, K_P-KDC, K_X-KDC, K_Y-KDC, K_Z-KDC; each user holds only its own key]
- A certification authority (CA) binds a public key to a particular entity E.
- E (person, router) registers its public key with the CA.
  - E provides proof of identity to the CA.
  - The CA creates a certificate binding E to its public key.
  - The certificate containing E's public key is digitally signed by the CA: the CA says "this is E's public key".
[Figure: Bob's public key K_B^+ and Bob's identifying information → digital signature (encrypt) with the CA's private key K_CA^- → certificate for Bob's public key, signed by the CA]

- Multimedia applications can be classified into three categories. Name and describe each category.
- Streaming video systems can be classified into three categories (three stages in protocol evolution). Name and briefly describe each of these categories.
- Client buffering
  - Streaming: (i) the client begins viewing a few seconds after receiving the first video chunk at one location in the video, while... (ii) the client is also receiving later portions of the video, while... (iii) the server continues to send the video.
  - Avoids the need to download and store the entire video, and so to incur a delay in playback if one waited to download the whole video.
- Pre-fetching data
  - Download/receive the video frames at a rate higher than the consumption rate (frames to be viewed in the future).
  - Prefetched video is stored in the client application buffer.
  - Occurs naturally with TCP streaming and the congestion-avoidance mechanism.
[Figure: SDN: a remote controller in the control plane; a control agent (CA) in each data-plane switch]
1. generalized "flow-based" forwarding (e.g. OpenFlow)
2. control, data plane separation
3. control plane functions external to data-plane switches
4. ... programmable control applications: routing, access control, load balance
[Figure: OpenFlow example. Hosts h1 10.1.0.1, h2 10.1.0.2, h3 10.2.0.3, h4 10.2.0.4, h5 10.3.0.5, h6 10.3.0.6; switches s1, s2, s3, each with ports 1-4, all under one controller. Flow tables (match → action):
- IP Src = 10.3.*.*, IP Dst = 10.2.*.* → forward(3)
- ingress port = 1, IP Src = 10.3.*.*, IP Dst = 10.2.*.* → forward(4)
- ingress port = 2, IP Dst = 10.2.0.3 → forward(3); ingress port = 2, IP Dst = 10.2.0.4 → forward(4)]
Example: datagrams from hosts h5 and h6 should be sent to h3 or h4 via s1 and from there to s2; avoid the direct link from s3 to s2.
Link-state (Dijkstra) algorithm, worked from source A:
Step  N'       D(B),p(B)  D(C),p(C)  D(D),p(D)  D(E),p(E)  D(F),p(F)
0     A        2,A        5,A        1,A        inf        inf
1     AD       2,A        4,D                   2,D        inf
2     ADE      2,A        3,E                              4,E
3     ADEB                3,E                              4,E
4     ADEBC                                                4,E
5     ADEBCF
[Figure: the six-node graph A-F with the link costs used to fill in the table]
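Added example (my code, not from the slides): Dijkstra's algorithm written so that it fills in exactly the step table above and then derives A's forwarding table from the predecessors. The link costs are reconstructed from the table (A-B 2, A-C 5, A-D 1, B-C 3, B-D 2, C-D 3, C-E 1, C-F 5, D-E 1, E-F 2); the tie-break rule that picks E before B at step 2 is my choice, made explicit in the code.

```python
from math import inf

# Constructed link costs for the six-node topology behind the review table
# (reconstructed from the table: A-B 2, A-C 5, A-D 1, B-C 3, B-D 2,
# C-D 3, C-E 1, C-F 5, D-E 1, E-F 2).  Links are symmetric.
LINKS = {
    ("A", "B"): 2, ("A", "C"): 5, ("A", "D"): 1,
    ("B", "C"): 3, ("B", "D"): 2,
    ("C", "D"): 3, ("C", "E"): 1, ("C", "F"): 5,
    ("D", "E"): 1, ("E", "F"): 2,
}


def adjacency(links):
    """Undirected graph: each link is usable in both directions at the same cost."""
    adj = {}
    for (u, v), c in links.items():
        adj.setdefault(u, {})[v] = c
        adj.setdefault(v, {})[u] = c
    return adj


def link_state(links, source):
    """Dijkstra's algorithm, filled in the way the review table is.

    Returns (steps, D, p): steps[i] is the snapshot (N', D, p) after step i,
    D[v] the least cost from source to v, p[v] the predecessor of v on that path.
    """
    adj = adjacency(links)
    D = {v: inf for v in adj}          # current cost estimate to each node
    p = {v: None for v in adj}         # predecessor on the least-cost path
    last = {v: -1 for v in adj}        # step at which D[v] last changed
    # Initialisation (step 0): N' = {source}, D(v) = c(source, v) for neighbours.
    D[source] = 0
    for v, c in adj[source].items():
        D[v], p[v], last[v] = c, source, 0
    N = [source]
    steps = [(tuple(N), dict(D), dict(p))]
    step = 0
    while len(N) < len(adj):
        step += 1
        # Add the node w not in N' with the smallest D(w).  On a tie the table
        # takes the node whose estimate changed most recently (E before B at
        # step 2), so ties are broken on (-last[v], name) after the cost.
        w = min((v for v in adj if v not in N), key=lambda v: (D[v], -last[v], v))
        N.append(w)
        # Relax: D(v) = min(D(v), D(w) + c(w, v)) for neighbours v not yet in N'.
        for v, c in adj[w].items():
            if v not in N and D[w] + c < D[v]:
                D[v], p[v], last[v] = D[w] + c, w, step
        steps.append((tuple(N), dict(D), dict(p)))
    return steps, D, p


def forwarding_table(p, source):
    """Next hop from source to every destination, read off the predecessor tree."""
    table = {}
    for dest in p:
        if dest == source:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


def print_table(steps, source):
    """Render the step table in the same layout as the review slide."""
    nodes = sorted(v for v in steps[0][1] if v != source)
    print("step  N'      " + "  ".join(f"D({v}),p({v})" for v in nodes))
    for i, (N, D, p) in enumerate(steps):
        cells = []
        for v in nodes:
            if v in N:
                cells.append("".ljust(9))            # already in N': column goes blank
            elif D[v] == inf:
                cells.append("inf".ljust(9))
            else:
                cells.append(f"{D[v]},{p[v]}".ljust(9))
        print(f"{i:<5} {''.join(N):<7} " + "  ".join(cells))


if __name__ == "__main__":
    steps, D, p = link_state(LINKS, "A")
    print_table(steps, "A")
    print("forwarding table at A:", forwarding_table(p, "A"))
```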
Distance-vector example (figure: nodes X, Y, Z with link costs c(X,Y) = 2, c(X,Z) = 7, c(Y,Z) = 1):
D_X(Y,Z) = c(X,Z) + min_w D_Z(Y,w) = 7 + 1 = 8
D_X(Z,Y) = c(X,Y) + min_w D_Y(Z,w) = 2 + 1 = 3
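Added example (my code, not from the slides): the distance-vector iteration on the X, Y, Z triangle above, run to convergence, with the two slide quantities D_X(Y,Z) = 8 and D_X(Z,Y) = 3 computed from the neighbours' converged vectors. Function names are mine.

```python
from math import inf

# Constructed link costs for the three-node example on the slide:
# c(X,Y) = 2, c(X,Z) = 7, c(Y,Z) = 1 (links are symmetric).
COSTS = {"X": {"Y": 2, "Z": 7}, "Y": {"X": 2, "Z": 1}, "Z": {"X": 7, "Y": 1}}


def run_distance_vector(costs):
    """Synchronous distance-vector (Bellman-Ford) iteration.

    Each node starts with only its direct link costs, then in every round
    recomputes D_x(y) = min over neighbours v of c(x,v) + D_v(y) from the
    vectors its neighbours advertised in the previous round, until no vector
    changes.  Returns (vectors, number of rounds that changed something).
    """
    nodes = sorted(costs)
    vectors = {x: {y: 0 if x == y else costs[x].get(y, inf) for y in nodes}
               for x in nodes}
    changed_rounds = 0
    while True:
        new = {x: {y: 0 if x == y else
                   min(costs[x][v] + vectors[v][y] for v in costs[x])
                   for y in nodes} for x in nodes}
        if new == vectors:
            return vectors, changed_rounds
        vectors, changed_rounds = new, changed_rounds + 1


def cost_via(costs, vectors, x, y, v):
    """D_x(y, v) as written on the slide: cost from x to y when x forwards
    through its neighbour v, i.e. c(x, v) + min_w D_v(y, w)."""
    return costs[x][v] + vectors[v][y]


def next_hop(costs, vectors, x, y):
    """Neighbour minimising cost_via: what x puts in its forwarding table for y."""
    return min(costs[x], key=lambda v: cost_via(costs, vectors, x, y, v))


if __name__ == "__main__":
    vectors, rounds = run_distance_vector(COSTS)
    for x in sorted(vectors):
        print(f"D_{x} = {vectors[x]}")
    print("D_X(Y,Z) =", cost_via(COSTS, vectors, "X", "Y", "Z"))   # 7 + 1 = 8
    print("D_X(Z,Y) =", cost_via(COSTS, vectors, "X", "Z", "Y"))   # 2 + 1 = 3
    print("X forwards to Z via", next_hop(COSTS, vectors, "X", "Z"))
```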
[Figure: routing example with nodes A, B, C and links a, b, c, d]
What is the difference between a forwarding table for destination-based forwarding and OpenFlow's flow table?
- Each entry in the forwarding table for destination-based forwarding contains:
  1. only an IP header field value, and
  2. the outgoing link interface to which a packet (that matches the IP header field value) is to be forwarded.
- Each entry of the flow table in OpenFlow includes:
  1. a set of header field values to which an incoming packet will be matched;
  2. a set of counters that are updated as packets are matched to flow table entries (number of packets matched, time since last update, ...);
  3. a set of actions to be taken when a packet matches a flow table entry, such as forward, duplicate, drop, rewrite header field, ...
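Added example (my code, not from the slides or the textbook): a small OpenFlow-style flow table in Python with the three match/action tables from the figure above, counters updated on each match, and a walk of a datagram from h5 to h3 through s3, s1, s2. Which table belongs to which switch and the port wiring between switches are my assumptions from the figure; a table miss is dropped, which is also what keeps h5's traffic off the direct s3-s2 link and away from 10.1.*.*.

```python
import ipaddress


class FlowEntry:
    """One flow-table entry: match fields (None = wildcard), counters, action."""

    def __init__(self, action, in_port=None, ip_src=None, ip_dst=None):
        self.in_port = in_port
        self.ip_src = ipaddress.ip_network(ip_src) if ip_src else None
        self.ip_dst = ipaddress.ip_network(ip_dst) if ip_dst else None
        self.action = action            # e.g. ("forward", 3) or ("drop",)
        self.packets = 0                # counters: updated on each match
        self.bytes = 0

    def matches(self, pkt):
        if self.in_port is not None and pkt["in_port"] != self.in_port:
            return False
        if self.ip_src is not None and ipaddress.ip_address(pkt["src"]) not in self.ip_src:
            return False
        if self.ip_dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.ip_dst:
            return False
        return True


class Switch:
    def __init__(self, name, entries):
        self.name, self.table = name, entries

    def process(self, pkt):
        """Return the action of the first matching entry; a table miss drops."""
        for entry in self.table:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes += pkt["len"]
                return entry.action
        return ("drop",)


# Tables as written on the slide (10.3.*.* and 10.2.*.* read as /16 prefixes);
# the assignment of tables to s3, s1, s2 is my reading of the figure.
S3 = Switch("s3", [FlowEntry(("forward", 3), ip_src="10.3.0.0/16", ip_dst="10.2.0.0/16")])
S1 = Switch("s1", [FlowEntry(("forward", 4), in_port=1, ip_src="10.3.0.0/16", ip_dst="10.2.0.0/16")])
S2 = Switch("s2", [FlowEntry(("forward", 3), in_port=2, ip_dst="10.2.0.3/32"),
                   FlowEntry(("forward", 4), in_port=2, ip_dst="10.2.0.4/32")])
SWITCHES = {"s3": S3, "s1": S1, "s2": S2}

# Assumed wiring (port numbers are not given on the slide): s3 port 3 -> s1 port 1,
# s1 port 4 -> s2 port 2, s2 ports 3 and 4 -> hosts h3 and h4.
LINKS = {("s3", 3): ("s1", 1), ("s1", 4): ("s2", 2),
         ("s2", 3): ("h3", 0), ("s2", 4): ("h4", 0)}


def route(first_switch, in_port, src, dst, length=100):
    """Walk a datagram through the switches until it reaches a host or is dropped.
    Returns the hops visited, ending with the host name or 'drop'."""
    pkt = {"in_port": in_port, "src": src, "dst": dst, "len": length}
    here, hops = first_switch, [first_switch]
    while here in SWITCHES:
        action = SWITCHES[here].process(pkt)
        if action[0] != "forward":
            hops.append("drop")
            return hops
        here, pkt["in_port"] = LINKS[(here, action[1])]
        hops.append(here)
    return hops


if __name__ == "__main__":
    print(route("s3", 2, "10.3.0.5", "10.2.0.3"))   # h5 -> h3 via s1, s2
    print(route("s3", 2, "10.3.0.5", "10.1.0.2"))   # no entry at s3: dropped
    print("s2 counters:", [(e.packets, e.bytes) for e in S2.table])
```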
1. The adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle (senses for 96 bit times), it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal.
5. After aborting, the adapter enters exponential backoff:
   1. After the m-th collision, the adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}.
   2. The adapter waits K · 512 bit times and returns to Step 2.
- Alice wants to provide secrecy, sender authentication and message integrity ... How?
- Alice uses three keys: her private key, Bob's public key, and a newly created symmetric key.
- What does Bob do to retrieve the message and be sure it came from Alice?
[Figure: Alice computes H(m), signs it with her private key K_A^- to get K_A^-(H(m)), appends it to m, encrypts m || K_A^-(H(m)) with the session key K_S, encrypts K_S with Bob's public key K_B^+ to get K_B^+(K_S), and sends both over the Internet]
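Added example (my code, not from the slides): the signed-message-digest construction from the digital signature slide and Alice's three-key message above, in Python. It uses textbook RSA with known small Mersenne primes (a toy modulus, labelled as such) and a SHA-256 keystream standing in for the symmetric cipher K_S; the function names are mine. Bob's side reverses the steps and the signature check fails if any byte is altered in transit.

```python
import hashlib
import os


# Toy RSA for this walkthrough only: the caller supplies two known primes
# (Mersenne primes below), giving a modulus far too small for real use.
# As on the slides, K^+ = (e, n) is the public key and K^- = (d, n) the private key.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # ValueError if e is not invertible
    return (e, n), (d, n)


def apply_key(key, x):
    """K(x) = x^k mod n.  Applying K^- then K^+, or K^+ then K^-, returns x."""
    k, n = key
    return pow(x, k, n)


def H(m, n):
    """Message digest as an integer below n (toy: real schemes pad the digest)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def sign(priv, m):
    """Digital signature = signed message digest: K^-(H(m))."""
    return apply_key(priv, H(m, priv[1]))


def verify(pub, m, sig):
    """Recompute H(m) over the received m and compare with K^+(sig)."""
    return apply_key(pub, sig) == H(m, pub[1])


def stream_xor(ks, data):
    """Stand-in for the symmetric cipher K_S: XOR with a SHA-256(K_S || counter)
    keystream.  The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ks + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


KS_BYTES = 11    # session key as an integer must stay below Bob's modulus


def alice_sends(m, alice_priv, bob_pub):
    """Secrecy, sender authentication and integrity with Alice's three keys."""
    sig_len = (alice_priv[1].bit_length() + 7) // 8         # bytes for a value < n
    signed = m + sign(alice_priv, m).to_bytes(sig_len, "big")   # m || K_A^-(H(m))
    ks = os.urandom(KS_BYTES)                                   # fresh symmetric key K_S
    body = stream_xor(ks, signed)                               # K_S(m || K_A^-(H(m)))
    wrapped_ks = apply_key(bob_pub, int.from_bytes(ks, "big"))  # K_B^+(K_S)
    return body, wrapped_ks


def bob_receives(pkg, bob_priv, alice_pub):
    """Bob undoes Alice's steps in reverse; returns (m, signature_ok)."""
    body, wrapped_ks = pkg
    ks = apply_key(bob_priv, wrapped_ks).to_bytes(KS_BYTES, "big")  # K_B^-(K_B^+(K_S)) = K_S
    signed = stream_xor(ks, body)                                   # K_S(K_S(...)) = m || sig
    sig_len = (alice_pub[1].bit_length() + 7) // 8
    m, sig = signed[:-sig_len], int.from_bytes(signed[-sig_len:], "big")
    return m, verify(alice_pub, m, sig)                             # K_A^+(sig) == H(m)?


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(2**61 - 1, 2**31 - 1)
    bob_pub, bob_priv = make_keypair(2**89 - 1, 2**61 - 1)
    pkg = alice_sends(b"hello Bob", alice_priv, bob_pub)
    print(bob_receives(pkg, bob_priv, alice_pub))                      # (b'hello Bob', True)
    body, wrapped = pkg
    tampered = bytes([body[0] ^ 1]) + body[1:]                         # one ciphertext byte flipped
    print(bob_receives((tampered, wrapped), bob_priv, alice_pub)[1])   # False
```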
5318
2
3
A
B
propagation
transmission
nodalprocessing queueing
We will return to these concepts throughout the semester
4-4
Comparison of basic protocols
sect Push v pull protocol
sect ASCII v binary data
sect Multiple objects in one message or one object per message
sect One v two connections
sect Other comparisons
5318
3
sect process sendsreceives messages tofrom its socket
sect socket analogous to doorsect sending process shoves message out doorsect sending process relies on transport infrastructure on other side of door to
deliver message to socket at receiving process
Internet
controlledby OS
controlled byapp developer
transport
application
physicallink
network
process
transport
application
physicallink
network
processsocket
6
Host A
Seq=92 8 bytes data
ACK=100
loss
tim
eout
Cumulative ACK scenario
Host B
XSeq=100 20 bytes data
ACK=120
time
SendBase= 120
What does lsquoArsquo do next
5318
4
8
sectThe transport layer services aresect
sect
sect
sect
sectThe transport layer does not providesect
sect
sect
sect
5318
5
9
sectTCP Reliability includessect
sect
sect
sect
1
23
0111
value in arrivingpackets header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Interplay between routing and forwarding
routing algorithm determinesend-end-path through network
forwarding table determineslocal forwarding at this router
5318
6
Network Layer
sect IP address 32-bit identifier for host router interface
sect interface connection between hostrouter and physical linksect routers typically have
multiple interfacessect host typically has one or two
interfaces (eg wired Ethernet wireless 80211)
sect IP addresses associated with each interface
223111
223112
223113
223114 223129
223122
223121
223132223131
2231327
223111 = 11011111 00000001 00000001 00000001
223 1 11
DHCP server 223125 arrivingclient
time
DHCP discover
src 0000 68 dest 25525525525567yiaddr 0000transaction ID 654
DHCP offersrc 223125 67dest 255255255255 68yiaddr 223124transaction ID 654Lifetime 3600 secs
DHCP requestsrc 0000 68dest 255255255255 67yiaddr 223124transaction ID 655Lifetime 3600 secs
DHCP ACKsrc 223125 67 dest 255255255255 68yiaddr 223124transaction ID 655Lifetime 3600 secs
yiaddr = lsquoyour internet addressrsquobroadcast address 255255255255 agrave sent to every host in the subnet
5318
7
13
1
23
0111
Address value in arrivingpackets header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Oslash Create versus use the forwarding table
RoutingAlgorithm
bull Individual routing algorithm is run in each and every router bull Routers interact with each other in ldquocontrol planerdquo to compute forwarding
tablesbull Traditional approach
dataplane
controlplane
41 bull OVERVIEW OF NETWORK LAYER 309
tables In this example a routing algorithm runs in each and every router and both forwarding and routing functions are contained within a router As wersquoll see in Sec-tions 53 and 54 the routing algorithm function in one router communicates with the routing algorithm function in other routers to compute the values for its forward-ing table How is this communication performed By exchanging routing messages containing routing information according to a routing protocol Wersquoll cover routing algorithms and protocols in Sections 52 through 54
The distinct and different purposes of the forwarding and routing functions can be further illustrated by considering the hypothetical (and unrealistic but technically feasible) case of a network in which all forwarding tables are configured directly by human network operators physically present at the routers In this case no routing protocols would be required Of course the human operators would need to interact with each other to ensure that the forwarding tables were configured in such a way that packets reached their intended destinations Itrsquos also likely that human configu-ration would be more error-prone and much slower to respond to changes in the net-work topology than a routing protocol Wersquore thus fortunate that all networks have both a forwarding and a routing function
Values in arrivingpacketrsquos header
1
23
Local forwardingtable
header
0100011001111001
1101
3221
output
Control plane
Data plane
Routing algorithm
Figure 42 diams Routing algorithms determine values in forward tables
M04_KURO4140_07_SE_C04indd 309 110216 314 PM
1
2
0111
values in arriving packet header
3
5318
8
230100 1101
values in arrivingpackets header
logically-centralized routing controller
1
control plane
data plane
Each router contains a flow table that is computed and distributed by a centralized routing controller
local flow tableheaders counters actions
16
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmission
collisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
5318
9
17
18
q Hubv
v
q Switchv
v
q Router v
v
q SDN Packet Switchv
v
5318
10
20
Link Differences from wired link hellip
sect decreasing signal strength EM signal attenuates as it propagates through matter (path loss)
sect interference from other sources wireless network frequencies (eg 24 GHz) shared by other devices (eg phone microwave)
sect multipath propagation EM signal reflects off objects arriving at destination at slightly different times (like echoing)
hellip make communication across (even a point to point) wireless link much more error-prone
5318
11
network Multiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading
22
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
5318
12
23
Permanent address 12811940186
Care-of address 79129132
dest 12811940186
packet sent by correspondent
dest 79129132 dest 12811940186
packet sent by home agent to foreign agent a packet within a packet
dest 12811940186
foreign-agent-to-mobile packet
1)
2)
3)
4)
Provided via
1)
2)
3)
4)
5)
6)
5318
13
symmetric key crypto Bob and Alice share same (symmetric) key K
sect eg key is knowing substitution pattern in mono alphabetic substitution cipher
Q how do Bob and Alice agree on key value
plaintextciphertext
K S
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage m
K (m)S
m = KS(KS(m))
Network Security
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobs public key
plaintextmessageK (m)B
+
K B+
Bobs privatekey
K B-
m = K (K (m))B+
B-
5318
14
large message
mH Hashfunction H(m)
digitalsignature(encrypt)
Bobs private
key K B-
+
Bob sends digitally signed message
Alice verifies signature integrity of digitally signed message
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobs public
key K B+
equal
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
3
sect process sendsreceives messages tofrom its socket
sect socket analogous to doorsect sending process shoves message out doorsect sending process relies on transport infrastructure on other side of door to
deliver message to socket at receiving process
Internet
controlledby OS
controlled byapp developer
transport
application
physicallink
network
process
transport
application
physicallink
network
processsocket
6
Host A
Seq=92 8 bytes data
ACK=100
loss
tim
eout
Cumulative ACK scenario
Host B
XSeq=100 20 bytes data
ACK=120
time
SendBase= 120
What does lsquoArsquo do next
5318
4
8
sectThe transport layer services aresect
sect
sect
sect
sectThe transport layer does not providesect
sect
sect
sect
5318
5
9
sectTCP Reliability includessect
sect
sect
sect
1
23
0111
value in arrivingpackets header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Interplay between routing and forwarding
routing algorithm determinesend-end-path through network
forwarding table determineslocal forwarding at this router
5318
6
Network Layer
sect IP address 32-bit identifier for host router interface
sect interface connection between hostrouter and physical linksect routers typically have
multiple interfacessect host typically has one or two
interfaces (eg wired Ethernet wireless 80211)
sect IP addresses associated with each interface
223111
223112
223113
223114 223129
223122
223121
223132223131
2231327
223111 = 11011111 00000001 00000001 00000001
223 1 11
DHCP server 223125 arrivingclient
time
DHCP discover
src 0000 68 dest 25525525525567yiaddr 0000transaction ID 654
DHCP offersrc 223125 67dest 255255255255 68yiaddr 223124transaction ID 654Lifetime 3600 secs
DHCP requestsrc 0000 68dest 255255255255 67yiaddr 223124transaction ID 655Lifetime 3600 secs
DHCP ACKsrc 223125 67 dest 255255255255 68yiaddr 223124transaction ID 655Lifetime 3600 secs
yiaddr = lsquoyour internet addressrsquobroadcast address 255255255255 agrave sent to every host in the subnet
5318
7
13
1
23
0111
Address value in arrivingpackets header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Oslash Create versus use the forwarding table
RoutingAlgorithm
bull Individual routing algorithm is run in each and every router bull Routers interact with each other in ldquocontrol planerdquo to compute forwarding
tablesbull Traditional approach
dataplane
controlplane
41 bull OVERVIEW OF NETWORK LAYER 309
tables In this example a routing algorithm runs in each and every router and both forwarding and routing functions are contained within a router As wersquoll see in Sec-tions 53 and 54 the routing algorithm function in one router communicates with the routing algorithm function in other routers to compute the values for its forward-ing table How is this communication performed By exchanging routing messages containing routing information according to a routing protocol Wersquoll cover routing algorithms and protocols in Sections 52 through 54
The distinct and different purposes of the forwarding and routing functions can be further illustrated by considering the hypothetical (and unrealistic but technically feasible) case of a network in which all forwarding tables are configured directly by human network operators physically present at the routers In this case no routing protocols would be required Of course the human operators would need to interact with each other to ensure that the forwarding tables were configured in such a way that packets reached their intended destinations Itrsquos also likely that human configu-ration would be more error-prone and much slower to respond to changes in the net-work topology than a routing protocol Wersquore thus fortunate that all networks have both a forwarding and a routing function
Values in arrivingpacketrsquos header
1
23
Local forwardingtable
header
0100011001111001
1101
3221
output
Control plane
Data plane
Routing algorithm
Figure 42 diams Routing algorithms determine values in forward tables
M04_KURO4140_07_SE_C04indd 309 110216 314 PM
1
2
0111
values in arriving packet header
3
5318
8
230100 1101
values in arrivingpackets header
logically-centralized routing controller
1
control plane
data plane
Each router contains a flow table that is computed and distributed by a centralized routing controller
local flow tableheaders counters actions
16
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmission
collisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
5318
9
17
18
q Hubv
v
q Switchv
v
q Router v
v
q SDN Packet Switchv
v
5318
10
20
Link Differences from wired link hellip
sect decreasing signal strength EM signal attenuates as it propagates through matter (path loss)
sect interference from other sources wireless network frequencies (eg 24 GHz) shared by other devices (eg phone microwave)
sect multipath propagation EM signal reflects off objects arriving at destination at slightly different times (like echoing)
hellip make communication across (even a point to point) wireless link much more error-prone
5318
11
network Multiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading
22
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
5318
12
23
Permanent address 12811940186
Care-of address 79129132
dest 12811940186
packet sent by correspondent
dest 79129132 dest 12811940186
packet sent by home agent to foreign agent a packet within a packet
dest 12811940186
foreign-agent-to-mobile packet
1)
2)
3)
4)
Provided via
1)
2)
3)
4)
5)
6)
5318
13
symmetric key crypto Bob and Alice share same (symmetric) key K
sect eg key is knowing substitution pattern in mono alphabetic substitution cipher
Q how do Bob and Alice agree on key value
plaintextciphertext
K S
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage m
K (m)S
m = KS(KS(m))
Network Security
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobs public key
plaintextmessageK (m)B
+
K B+
Bobs privatekey
K B-
m = K (K (m))B+
B-
5318
14
large message
mH Hashfunction H(m)
digitalsignature(encrypt)
Bobs private
key K B-
+
Bob sends digitally signed message
Alice verifies signature integrity of digitally signed message
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobs public
key K B+
equal
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
§ Client buffering
§ Streaming: (i) the client begins viewing a few seconds after receiving the first video chunk at one location in the video, while… (ii) the client is also receiving later portions of the video, while… (iii) the server continues to send the video.
§ Avoids the need to download and store the entire video, and so avoids the playback delay that would be incurred by waiting to download the whole video.
§ Pre-fetching data
§ Download/receive the video frames at a rate higher than the consumption rate (frames to be viewed in the future).
§ Prefetched video is stored in the client application buffer.
§ Occurs naturally with TCP streaming and the congestion avoidance mechanism.
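The trade-off the two bullets describe (a small initial playout delay lets prefetched frames absorb a slow or bursty delivery rate) can be checked with a small simulation. The following is an added example, not code from the slides: the arrival pattern, frame counts and tick model are constructed, with one tick standing for one playback interval.

```python
from dataclasses import dataclass


@dataclass
class PlayoutStats:
    freezes: int        # ticks on which the client wanted frames the buffer did not have
    max_buffered: int   # peak number of prefetched frames held in the client buffer
    finished_at: int    # tick on which the last frame was played


def simulate_playout(arrivals, total_frames, consume_per_tick, initial_delay):
    """Constructed model of client buffering.

    arrivals[t] = frames the server delivers in tick t (0 once the list runs out);
    the client starts playing `initial_delay` ticks after the first frame arrives and
    then consumes `consume_per_tick` frames per tick; if the buffer is short, playback
    freezes for that tick."""
    buffered = delivered = consumed = freezes = max_buffered = 0
    first_arrival, t = None, 0
    while consumed < total_frames:
        got = min(arrivals[t] if t < len(arrivals) else 0, total_frames - delivered)
        if got and first_arrival is None:
            first_arrival = t
        delivered += got
        buffered += got                        # prefetched frames wait in the application buffer
        max_buffered = max(max_buffered, buffered)
        playing = first_arrival is not None and t >= first_arrival + initial_delay
        if playing:
            if buffered >= consume_per_tick or (buffered and delivered == total_frames):
                take = min(consume_per_tick, buffered)
                buffered -= take
                consumed += take
            else:
                freezes += 1                   # buffer ran dry: playback stalls this tick
        t += 1
        if t > len(arrivals) + total_frames + initial_delay + 10:
            raise RuntimeError("server never delivered the whole video")
    return PlayoutStats(freezes, max_buffered, t - 1)


if __name__ == "__main__":
    # Constructed delivery pattern: 1 frame/tick for 4 ticks, then 4 frames/tick
    pattern = [1, 1, 1, 1] + [4] * 5
    print("no initial delay:", simulate_playout(pattern, 24, 2, 0))
    print("3-tick delay:    ", simulate_playout(pattern, 24, 2, 3))
```

With no initial delay the player stalls twice while the server is still ramping up; starting three ticks later costs one extra tick at the end but removes every freeze, because the buffer then always holds frames that were prefetched ahead of the playout point.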
[Figure: SDN architecture: data-plane switches below; a remote controller running control applications (CA) above, in the control plane.]
1. generalized "flow-based" forwarding (e.g. OpenFlow)
2. control, data plane separation
3. control plane functions external to data-plane switches
4. programmable control applications: routing, access control, load balance
[Figure: OpenFlow example with three switches s1, s2, s3 and a controller. Hosts h1 10.1.0.1 and h2 10.1.0.2 attach to s1; h3 10.2.0.3 and h4 10.2.0.4 attach to s2; h5 10.3.0.5 and h6 10.3.0.6 attach to s3.]
s3 flow table:  match IP Src = 10.3.*.*, IP Dst = 10.2.*.*  →  action forward(3)
s1 flow table:  match ingress port = 1, IP Src = 10.3.*.*, IP Dst = 10.2.*.*  →  action forward(4)
s2 flow table:  match ingress port = 2, IP Dst = 10.2.0.3  →  action forward(3)
                match ingress port = 2, IP Dst = 10.2.0.4  →  action forward(4)
Example:
• datagrams from hosts h5 and h6 should be sent to h3 or h4
• via s1 and from there to s2
• avoid the direct link from s3 to s2
Link-state (Dijkstra) example, source node A:
Step | N'     | D(B),p(B) | D(C),p(C) | D(D),p(D) | D(E),p(E) | D(F),p(F)
0    | A      | 2,A       | 5,A       | 1,A       | ∞         | ∞
1    | AD     | 2,A       | 4,D       |           | 2,D       | ∞
2    | ADE    | 2,A       | 3,E       |           |           | 4,E
3    | ADEB   |           | 3,E       |           |           | 4,E
4    | ADEBC  |           |           |           |           | 4,E
5    | ADEBCF |           |           |           |           |
[Figure: graph with nodes A, B, C, D, E, F; the ten link costs 1, 1, 1, 2, 2, 2, 3, 3, 5, 5 survive extraction but not their assignment to links.]
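The table above can be regenerated by running Dijkstra's algorithm. The following is an added example, not code from the slides: the link costs are constructed to be consistent with the table (they are the textbook's u–z graph relabelled A–F), and the tie between B and E at step 2 is broken toward the most recently relaxed node, which reproduces the slide's choice of E. The final `forwarding_table` step is the "interplay between routing and forwarding" from the earlier slide: the first hop toward every destination is read off the predecessor tree.

```python
import heapq
from math import inf

# Constructed link costs consistent with the slide's table (assumed, not taken from the page)
EDGES = [("A", "B", 2), ("A", "C", 5), ("A", "D", 1), ("B", "C", 3), ("B", "D", 2),
         ("C", "D", 3), ("C", "E", 1), ("C", "F", 5), ("D", "E", 1), ("E", "F", 2)]


def build_graph(edges):
    g = {}
    for u, v, c in edges:
        g.setdefault(u, {})[v] = c
        g.setdefault(v, {})[u] = c
    return g


def dijkstra(graph, source):
    """Link-state shortest paths. Returns (D, p, N', trace) in the slide's notation:
    D[v] = least cost to v, p[v] = predecessor, N' = nodes in the order they were added,
    trace = one (step, N', D, p) snapshot per step."""
    D = {v: inf for v in graph}
    D[source] = 0
    p = {v: None for v in graph}
    visited = []
    seq = 0
    heap = [(0, -seq, source)]        # (cost, -seq, node): ties go to the latest relaxed node
    trace = []
    while heap:
        d, _, u = heapq.heappop(heap)
        if u in visited or d > D[u]:
            continue                  # stale heap entry, already improved or finalized
        visited.append(u)
        for v, c in graph[u].items():
            if v not in visited and d + c < D[v]:
                D[v], p[v] = d + c, u
                seq += 1
                heapq.heappush(heap, (D[v], -seq, v))
        trace.append((len(visited) - 1, "".join(visited), dict(D), dict(p)))
    return D, p, visited, trace


def forwarding_table(p, source):
    """First hop from `source` to every destination, read off the predecessor tree."""
    table = {}
    for dest in p:
        if dest == source or p[dest] is None:
            continue
        hop = dest
        while p[hop] != source:
            hop = p[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    D, p, order, trace = dijkstra(build_graph(EDGES), "A")
    for step, nprime, dist, pred in trace:
        cells = "  ".join(f"{v}:{dist[v]},{pred[v]}" for v in "BCDEF" if v not in nprime)
        print(f"step {step}  N'={nprime:<7} {cells}")
    print("forwarding table at A:", forwarding_table(p, "A"))
```

Every destination other than B is reached through D, even though A has direct links to B and C: the routing algorithm decides the end-to-end path, and only the resulting first hop is installed in A's forwarding table.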
Distance-vector (Bellman-Ford) example: three nodes X, Y, Z with link costs c(X,Y) = 2, c(Y,Z) = 1, c(X,Z) = 7.
D_X(Y,Z) = c(X,Z) + min_w D_Z(Y,w) = 7 + 1 = 8      (cost from X to Y when the first hop is Z)
D_X(Z,Y) = c(X,Y) + min_w D_Y(Z,w) = 2 + 1 = 3      (cost from X to Z when the first hop is Y)
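The two values on the slide are single Bellman-Ford terms; iterating that update at every node until nothing changes is the distance-vector algorithm itself. The following is an added example, not code from the slides; the three link costs are the slide's, and the synchronous round structure is an assumption (real routers exchange vectors asynchronously).

```python
from math import inf

# Link costs from the slide
LINKS = {("X", "Y"): 2, ("Y", "Z"): 1, ("X", "Z"): 7}
NODES = ["X", "Y", "Z"]


def c(u, v):
    """Direct link cost: 0 to self, infinity when there is no direct link."""
    if u == v:
        return 0
    return LINKS.get((u, v), LINKS.get((v, u), inf))


def initial_tables(nodes):
    """Step 0: each node knows only the costs of its own links."""
    return {x: {y: c(x, y) for y in nodes} for x in nodes}


def via(x, dest, first_hop, tables):
    """The slide's D_x(dest, first_hop) = c(x, first_hop) + min_w D_first_hop(dest, w):
    the cost x would see to dest if it forwarded through neighbour first_hop,
    given the vector first_hop most recently advertised."""
    return c(x, first_hop) + tables[first_hop][dest]


def distance_vector(nodes, max_rounds=20):
    """Synchronous distance-vector iteration. Every node recomputes its vector from the
    vectors its neighbours advertised in the previous round, until no entry changes.
    Returns (distance tables, next-hop tables, rounds until convergence)."""
    tables = initial_tables(nodes)
    hops = {x: {y: (y if c(x, y) < inf else None) for y in nodes} for x in nodes}
    for r in range(1, max_rounds + 1):
        new_tables = {x: dict(tables[x]) for x in nodes}
        new_hops = {x: dict(hops[x]) for x in nodes}
        for x in nodes:
            for y in nodes:
                for v in nodes:
                    if v == x or c(x, v) == inf:
                        continue                  # only direct neighbours can be first hops
                    d = via(x, y, v, tables)      # Bellman-Ford candidate through v
                    if d < new_tables[x][y]:
                        new_tables[x][y], new_hops[x][y] = d, v
        if new_tables == tables:
            return tables, hops, r - 1            # nothing changed: converged
        tables, hops = new_tables, new_hops
    return tables, hops, max_rounds


if __name__ == "__main__":
    init = initial_tables(NODES)
    print("D_X(Y,Z) =", via("X", "Y", "Z", init), " D_X(Z,Y) =", via("X", "Z", "Y", init))
    tables, hops, rounds = distance_vector(NODES)
    print("converged after", rounds, "round(s):", tables, hops)
```

X keeps its direct link for Y (cost 2) but learns that Z is cheaper through Y (cost 3) than over the direct link (cost 7), and Z makes the symmetric discovery about X; with only three nodes one round of exchange is enough.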
[Figure residue: network diagram with nodes A, B, C, a, b, c, d; no caption survived extraction.]
§ What is the difference between a forwarding table for destination-based forwarding and OpenFlow's flow table?
§ Each entry in the forwarding table for destination-based forwarding contains:
  1. only an IP header field value, and
  2. the outgoing link interface to which a packet (that matches the IP header field value) is to be forwarded.
§ Each entry of the flow table in OpenFlow includes:
  1. a set of header field values to which an incoming packet will be matched;
  2. a set of counters that are updated as packets are matched to flow table entries (number of packets matched, time since last update, …);
  3. a set of actions to be taken when a packet matches a flow table entry, such as forward, duplicate, drop, rewrite header field, …
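The comparison just made, and the three-switch OpenFlow example earlier in the review, can both be exercised with a small flow-table interpreter. The following is an added example, not code from the slides or from any OpenFlow implementation: the flow entries are the ones on the example figure, while the switch-to-switch port numbering, the attachment of hosts to ports, and the policy that a table miss drops the packet are assumptions. A destination-based longest-prefix-match lookup is included for contrast.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class FlowEntry:
    match: dict                 # header field -> exact value or IP prefix; absent field = wildcard
    actions: list               # e.g. ["forward:3"] or ["drop"]
    packets: int = 0            # counters: updated on every match
    octets: int = 0


@dataclass
class Switch:
    name: str
    table: list                                   # FlowEntry list; first match wins here
    links: dict = field(default_factory=dict)     # out port -> (next switch, its ingress port)
    hosts: dict = field(default_factory=dict)     # out port -> directly attached host


def entry_matches(entry, pkt):
    for name, want in entry.match.items():
        have = pkt.get(name)
        if have is None:
            return False
        if name in ("ip_src", "ip_dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True


def process(switch, pkt):
    """Generalized forwarding: match on several header fields, update counters, act."""
    for entry in switch.table:
        if entry_matches(entry, pkt):
            entry.packets += 1
            entry.octets += pkt["length"]
            return entry.actions
    return ["drop"]             # table miss; assumed policy for this example


def deliver(network, first_switch, ingress_port, pkt):
    """Walk the packet switch by switch and return the path it takes."""
    path = []
    sw, port = network[first_switch], ingress_port
    while True:
        pkt = dict(pkt, ingress_port=port)
        path.append(sw.name)
        actions = process(sw, pkt)
        if actions == ["drop"]:
            return path + ["dropped"]
        out = int(actions[0].split(":")[1])
        if out in sw.hosts:
            return path + [sw.hosts[out]]
        nxt, port = sw.links[out]
        sw = network[nxt]


def longest_prefix_match(table, ip_dst):
    """Destination-based forwarding for contrast: one header field, one output interface."""
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(ip_dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def build_network():
    """Flow entries from the example figure; port wiring is assumed: s3 port 3 -> s1 port 1,
    s3 port 4 -> s2 port 1 (the direct link to avoid), s1 port 4 -> s2 port 2."""
    s1 = Switch("s1", [FlowEntry({"ingress_port": 1, "ip_src": "10.3.0.0/16", "ip_dst": "10.2.0.0/16"}, ["forward:4"])],
                links={4: ("s2", 2)}, hosts={2: "h1", 3: "h2"})
    s2 = Switch("s2", [FlowEntry({"ingress_port": 2, "ip_dst": "10.2.0.3/32"}, ["forward:3"]),
                       FlowEntry({"ingress_port": 2, "ip_dst": "10.2.0.4/32"}, ["forward:4"])],
                hosts={3: "h3", 4: "h4"})
    s3 = Switch("s3", [FlowEntry({"ip_src": "10.3.0.0/16", "ip_dst": "10.2.0.0/16"}, ["forward:3"])],
                links={3: ("s1", 1), 4: ("s2", 1)}, hosts={1: "h5", 2: "h6"})
    return {"s1": s1, "s2": s2, "s3": s3}


if __name__ == "__main__":
    net = build_network()
    pkt = {"ip_src": "10.3.0.5", "ip_dst": "10.2.0.3", "length": 1500}     # h5 -> h3
    print(deliver(net, "s3", 1, pkt))
    print(deliver(net, "s2", 1, pkt), "(same packet arriving over the direct s3-s2 link)")
```

Because s2 only accepts traffic for h3 and h4 on its port 2, a datagram that arrives over the direct s3–s2 link has no matching entry and is discarded, which is exactly how the controller enforces the "via s1" policy; the counters on each entry show how much traffic every rule has admitted.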
1. Adapter receives a datagram from the network layer and creates a frame.
2. If the adapter senses the channel idle (senses for 96 bit-times), it starts to transmit the frame. If it senses the channel busy, it waits until the channel is idle.
3. If the adapter transmits the entire frame without detecting another transmission, the adapter is done with the frame.
4. If the adapter detects another transmission while transmitting, it aborts and sends a jam signal.
5. After aborting, the adapter enters exponential backoff:
   1. after the m-th collision the adapter chooses a K at random from {0, 1, 2, …, 2^m - 1};
   2. the adapter waits K · 512 bit times and returns to Step 2.
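The five steps form a loop that is easiest to check in code. The following is an added example, not code from the slides: the shared medium is replaced by a constructed test double that reports "busy" and "collision" a chosen number of times, and the time accounting (96 bit-times per carrier sense, K · 512 bit-times per backoff) is the slide's. It goes slightly beyond the slide in applying the IEEE 802.3 limits: the backoff exponent is capped at 10 and the adapter gives up after 16 collisions.

```python
import random

SLOT = 512            # bit times per backoff slot (slide: wait K * 512 bit times)
IFG = 96              # bit times the adapter senses the channel before transmitting
MAX_EXPONENT = 10     # 802.3: exponent capped at 10, so K <= 1023 (beyond the slide)
MAX_ATTEMPTS = 16     # 802.3: give up after 16 collisions (beyond the slide)


def backoff_slots(m, rng):
    """After the m-th collision choose K uniformly from {0, 1, ..., 2^m - 1}."""
    return rng.randrange(2 ** min(m, MAX_EXPONENT))


class Channel:
    """Constructed stand-in for the shared medium: reports busy for the first
    `busy_senses` carrier senses and a collision on the first `collisions` attempts."""

    def __init__(self, busy_senses=0, collisions=0):
        self.busy_senses, self.collisions = busy_senses, collisions
        self.senses = self.attempts = 0

    def is_idle(self):
        self.senses += 1
        return self.senses > self.busy_senses

    def transmit(self):
        self.attempts += 1
        return self.attempts > self.collisions     # True: whole frame went out undisturbed


def send_frame(channel, rng):
    """Steps 1-5 of the slide for a single frame; returns a summary of what happened."""
    m = 0                       # collisions seen so far for this frame
    waited = 0                  # bit times spent sensing and backing off
    backoffs = []               # (m, K) pairs chosen in step 5
    while True:
        while True:             # step 2: sense for 96 bit-times, repeat until idle
            waited += IFG
            if channel.is_idle():
                break
        if channel.transmit():  # step 3: frame completed without another transmission
            return {"delivered": True, "collisions": m, "backoffs": backoffs, "waited": waited}
        m += 1                  # step 4: collision detected, frame aborted, jam signal sent
        if m >= MAX_ATTEMPTS:
            return {"delivered": False, "collisions": m, "backoffs": backoffs, "waited": waited}
        k = backoff_slots(m, rng)            # step 5.1: K from {0, ..., 2^m - 1}
        backoffs.append((m, k))
        waited += k * SLOT                   # step 5.2: wait K * 512 bit times, back to step 2


if __name__ == "__main__":
    rng = random.Random(7)                   # seeded so the run is reproducible
    print(send_frame(Channel(busy_senses=2, collisions=2), rng))
    print(send_frame(Channel(collisions=100), rng)["delivered"])
```

A station that keeps colliding is throttled exponentially and eventually drops the frame rather than monopolising the medium; watching `collisions` and `waited` grow is the simplest way to see why a saturated Ethernet segment degrades gracefully instead of collapsing.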
§ Alice wants to provide secrecy, sender authentication and message integrity … How?
§ Alice uses three keys: her private key, Bob's public key, and a newly created symmetric key.
§ What does Bob do to retrieve the message and be sure it came from Alice?
[Figure: Alice hashes m with H(·) and signs the digest with her private key K_A^- to obtain K_A^-(H(m)); she encrypts m together with K_A^-(H(m)) under the fresh symmetric key K_S, and encrypts K_S with Bob's public key K_B^+ to obtain K_B^+(K_S); both ciphertexts are sent to Bob over the Internet.]
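One program can tie together the three cryptographic slides of this review: the signed message digest (digital signature = signed message digest), the CA certificate that binds Bob's identity to K_B^+, and the three-key construction just described. The following is an added example, not code from the slides: it uses textbook RSA with fixed Mersenne-prime moduli and a truncated SHA-256 digest as a stand-in for a real signature scheme, and an HMAC-SHA256 keystream with an HMAC tag as a stand-in for K_S(·); every key, identity and message value is constructed. The variable names follow the slides' notation.

```python
import hashlib
import hmac
import secrets

# ---- Toy RSA with fixed Mersenne-prime keys (constructed; public constants, not for real use)
E = 65537


def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))            # (K^+, K^-)


ALICE_PUB, ALICE_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)
BOB_PUB, BOB_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)
CA_PUB, CA_PRIV = make_keypair((1 << 31) - 1, (1 << 521) - 1)


def H(m: bytes) -> int:
    """Message digest as an integer; truncated to 128 bits so it fits under every toy modulus."""
    return int.from_bytes(hashlib.sha256(m).digest()[:16], "big")


def sign(priv, m):                 # K^-(H(m)): the signed message digest
    n, d = priv
    return pow(H(m), d, n)


def verify(pub, m, sig):           # does K^+(K^-(H(m))) equal H(m)?
    n, e = pub
    return pow(sig, e, n) == H(m)


def pk_encrypt(pub, x: int):       # K^+(x): used only to wrap the short symmetric key K_S
    n, e = pub
    return pow(x, e, n)


def pk_decrypt(priv, c: int):
    n, d = priv
    return pow(c, d, n)


# ---- Toy symmetric authenticated encryption standing in for K_S(.)
def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def sym_encrypt(key: bytes, pt: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext modified in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# ---- Certificate: the CA binds an identity to a public key by signing both together
def cert_body(identity: bytes, pub) -> bytes:
    return identity + b"|" + str(pub[0]).encode()  # e is fixed, so the modulus identifies K^+


def issue_certificate(ca_priv, identity: bytes, pub) -> dict:
    return {"identity": identity, "pub": pub, "ca_sig": sign(ca_priv, cert_body(identity, pub))}


def certificate_valid(ca_pub, cert, expected_identity: bytes) -> bool:
    return cert["identity"] == expected_identity and \
        verify(ca_pub, cert_body(cert["identity"], cert["pub"]), cert["ca_sig"])


# ---- Alice -> Bob: secrecy, sender authentication and message integrity with three keys
def alice_send(m: bytes, bob_cert: dict) -> dict:
    if not certificate_valid(CA_PUB, bob_cert, b"Bob"):
        raise ValueError("refusing to encrypt to a public key the CA did not vouch for")
    sig = sign(ALICE_PRIV, m)                                      # K_A^-(H(m))
    ks = secrets.token_bytes(16)                                   # fresh one-time K_S
    return {"body": sym_encrypt(ks, m + b"|" + str(sig).encode()),  # K_S(m, K_A^-(H(m)))
            "wrapped_key": pk_encrypt(bob_cert["pub"], int.from_bytes(ks, "big"))}  # K_B^+(K_S)


def bob_receive(pkt: dict) -> bytes:
    ks = pk_decrypt(BOB_PRIV, pkt["wrapped_key"]).to_bytes(16, "big")   # K_B^-(K_B^+(K_S))
    m, sig = sym_decrypt(ks, pkt["body"]).rsplit(b"|", 1)               # K_S(K_S(...)), tag checked
    if not verify(ALICE_PUB, m, int(sig)):                              # K_A^+(K_A^-(H(m))) == H(m)?
        raise ValueError("signature does not verify: not from Alice, or altered")
    return m


if __name__ == "__main__":
    bob_cert = issue_certificate(CA_PRIV, b"Bob", BOB_PUB)
    print(bob_receive(alice_send(b"constructed message", bob_cert)))
```

Bob's side answers the review question in order: his private key recovers K_S, K_S recovers m and the signed digest (and the tag rejects any tampering with the ciphertext), and Alice's public key confirms the digest, so only a message both unmodified and signed by Alice is accepted. Alice, for her part, refuses to use a K_B^+ that is not certified by the CA under the name "Bob", which is what stops a substituted public key from ever receiving K_S.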
[Figure: IP addressing example with three subnets. Interfaces: 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4 (subnet 223.1.1.x); 223.1.2.1, 223.1.2.2, 223.1.2.9 (subnet 223.1.2.x); 223.1.3.1, 223.1.3.2, 223.1.3.27 (subnet 223.1.3.x).]
223.1.1.1 = 11011111 00000001 00000001 00000001
            223      1        1        1
DHCP client-server scenario: DHCP server 223.1.2.5, arriving client.
DHCP discover:  src 0.0.0.0:68,    dest 255.255.255.255:67, yiaddr 0.0.0.0,   transaction ID 654
DHCP offer:     src 223.1.2.5:67,  dest 255.255.255.255:68, yiaddr 223.1.2.4, transaction ID 654, lifetime 3600 secs
DHCP request:   src 0.0.0.0:68,    dest 255.255.255.255:67, yiaddr 223.1.2.4, transaction ID 655, lifetime 3600 secs
DHCP ACK:       src 223.1.2.5:67,  dest 255.255.255.255:68, yiaddr 223.1.2.4, transaction ID 655, lifetime 3600 secs
yiaddr = 'your internet address'; broadcast address 255.255.255.255 → sent to every host in the subnet
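The four-message exchange above can be played through with a small model of both sides. The following is an added example, not code from the slides or from any DHCP implementation: the addresses, ports, transaction IDs and lifetime are the slide's, while the client hardware address, the address pool and the handling of competing servers are constructed assumptions (the `chaddr` field is real DHCP, the values are made up). Because every message is broadcast, the example also shows what happens when two servers answer the same discover.

```python
from dataclasses import dataclass

BROADCAST, UNSPECIFIED = "255.255.255.255", "0.0.0.0"
SERVER_PORT, CLIENT_PORT = 67, 68        # DHCP runs over UDP ports 67 (server) and 68 (client)


@dataclass
class DhcpMsg:
    kind: str            # discover | offer | request | ack | nak
    src: tuple           # (ip, udp port)
    dst: tuple
    yiaddr: str          # 'your internet address'
    xid: int             # transaction ID, echoed so a client can match replies to its message
    chaddr: str          # client hardware (MAC) address; constructed values in this example
    lifetime: int = 0    # lease lifetime in seconds
    server_id: str = ""  # on a request: the server whose offer the client is accepting


class DhcpServer:
    def __init__(self, ip, pool, lifetime=3600):
        self.ip, self.pool, self.lifetime = ip, list(pool), lifetime
        self.offers, self.leases = {}, {}       # chaddr -> offered ip, ip -> (chaddr, lifetime)

    def _reply(self, kind, yiaddr, msg):
        return DhcpMsg(kind, (self.ip, SERVER_PORT), (BROADCAST, CLIENT_PORT),
                       yiaddr, msg.xid, msg.chaddr, self.lifetime, self.ip)

    def handle(self, msg):
        if msg.kind == "discover" and self.pool:
            self.offers[msg.chaddr] = self.pool.pop(0)
            return self._reply("offer", self.offers[msg.chaddr], msg)
        if msg.kind == "request":
            offered = self.offers.pop(msg.chaddr, None)
            if msg.server_id != self.ip:        # client accepted another server: reclaim our offer
                if offered:
                    self.pool.append(offered)
                return None
            if offered != msg.yiaddr:           # client asks for an address we never offered it
                return self._reply("nak", UNSPECIFIED, msg)
            self.leases[msg.yiaddr] = (msg.chaddr, self.lifetime)
            return self._reply("ack", msg.yiaddr, msg)
        return None


class DhcpClient:
    def __init__(self, chaddr, xids):
        self.chaddr, self.xids = chaddr, iter(xids)
        self.ip, self.lifetime, self.xid = UNSPECIFIED, 0, None

    def _send(self, kind, yiaddr, lifetime=0, server_id=""):
        self.xid = next(self.xids)              # the slide uses a fresh ID for the request
        return DhcpMsg(kind, (UNSPECIFIED, CLIENT_PORT), (BROADCAST, SERVER_PORT),
                       yiaddr, self.xid, self.chaddr, lifetime, server_id)

    def discover(self):
        return self._send("discover", UNSPECIFIED)

    def request(self, offers):
        """Accept the first offer that echoes our transaction ID and MAC; ignore the rest."""
        for o in offers:
            if o.kind == "offer" and o.xid == self.xid and o.chaddr == self.chaddr:
                return self._send("request", o.yiaddr, o.lifetime, o.server_id)
        return None

    def complete(self, replies):
        for r in replies:
            if r.kind == "ack" and r.xid == self.xid and r.chaddr == self.chaddr:
                self.ip, self.lifetime = r.yiaddr, r.lifetime
        return self.ip


def run_dhcp(client, servers):
    """Broadcast each client message to every server on the subnet; return the transcript."""
    transcript = [client.discover()]
    offers = [m for s in servers if (m := s.handle(transcript[0]))]
    transcript += offers
    req = client.request(offers)
    if req is None:
        return transcript                       # no usable offer: client stays at 0.0.0.0
    transcript.append(req)
    replies = [m for s in servers if (m := s.handle(req))]
    transcript += replies
    client.complete(replies)
    return transcript


if __name__ == "__main__":
    server = DhcpServer("223.1.2.5", ["223.1.2.4"])
    client = DhcpClient("00:11:22:33:44:55", [654, 655])          # constructed MAC and xids
    for msg in run_dhcp(client, [server]):
        print(f"{msg.kind:<8} src {msg.src} dest {msg.dst} yiaddr {msg.yiaddr} xid {msg.xid}")
```

The transaction ID and hardware address are the only things that tie a broadcast reply to the client that asked for it, which is why the client checks both before acting on an offer or an ACK; the server, for its part, only acknowledges an address it actually offered to that client and reclaims an offer the client declined.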
[Figure: a router with output links 1, 2, 3. The routing algorithm fills the local forwarding table (header value → output link): 0100 → 3, 0101 → 2, 0111 → 2, 1001 → 1. A packet arriving with address value 0111 in its header is sent on output link 2.]
Ø Create versus use the forwarding table
Routing algorithm (control plane) versus forwarding (data plane):
• An individual routing algorithm is run in each and every router.
• Routers interact with each other in the "control plane" to compute forwarding tables.
• Traditional approach.
Textbook excerpt (Section 4.1, Overview of Network Layer, p. 309):
(…) tables. In this example, a routing algorithm runs in each and every router, and both forwarding and routing functions are contained within a router. As we'll see in Sections 5.3 and 5.4, the routing algorithm function in one router communicates with the routing algorithm function in other routers to compute the values for its forwarding table. How is this communication performed? By exchanging routing messages containing routing information according to a routing protocol. We'll cover routing algorithms and protocols in Sections 5.2 through 5.4.
The distinct and different purposes of the forwarding and routing functions can be further illustrated by considering the hypothetical (and unrealistic, but technically feasible) case of a network in which all forwarding tables are configured directly by human network operators physically present at the routers. In this case, no routing protocols would be required. Of course, the human operators would need to interact with each other to ensure that the forwarding tables were configured in such a way that packets reached their intended destinations. It's also likely that human configuration would be more error-prone and much slower to respond to changes in the network topology than a routing protocol. We're thus fortunate that all networks have both a forwarding and a routing function.
[Figure 4.2 ♦ Routing algorithms determine values in forwarding tables. Control plane: routing algorithm. Data plane: local forwarding table (header → output): 0100 → 3, 0110 → 2, 0111 → 2, 1001 → 1; the values in an arriving packet's header are looked up in this table and the packet leaves on output 1, 2 or 3.]
[Figure: SDN approach: a logically-centralized routing controller in the control plane computes and distributes the local flow table (headers, counters, actions) of each router in the data plane; the values in an arriving packet's header are matched against that table.]
Each router contains a flow table that is computed and distributed by a centralized routing controller.
• collisions can still occur: propagation delay means two nodes may not hear each other's transmission
• collision: entire packet transmission time wasted
[Figure: spatial layout of nodes versus time.]
• note: role of distance and propagation delay in determining collision probability
§ Hub
  –
  –
§ Switch
  –
  –
§ Router
  –
  –
§ SDN packet switch
  –
  –
Link: differences from a wired link …
§ decreasing signal strength: the EM signal attenuates as it propagates through matter (path loss)
§ interference from other sources: wireless network frequencies (e.g. 2.4 GHz) are shared by other devices (e.g. phone, microwave)
§ multipath propagation: the EM signal reflects off objects, arriving at the destination at slightly different times (like echoing)
… make communication across (even a point-to-point) wireless link much more error-prone
Network: multiple wireless senders and receivers create additional problems (beyond multiple access).
[Figure: hidden terminal problem, with nodes A, B, C.]
[Figure: signal fading: A's signal strength and C's signal strength plotted over space.]
[Figure: collision avoidance with RTS/CTS between stations A, B and the AP, over time: RTS(A) and RTS(B) collide at the AP (reservation collision); A resends RTS(A); the AP answers CTS(A), which both stations hear, so B defers; A sends DATA(A); the AP replies ACK(A).]
Permanent address: 128.119.40.186
Care-of address: 79.129.13.2
packet sent by correspondent: dest 128.119.40.186
packet sent by home agent to foreign agent, a packet within a packet: outer dest 79.129.13.2, inner dest 128.119.40.186
foreign-agent-to-mobile packet: dest 128.119.40.186
1)  2)  3)  4)
Provided via:
1)  2)  3)  4)  5)  6)
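The "packet within a packet" on the mobile-IP figure is IP-in-IP encapsulation, which can be built and taken apart byte for byte. The following is an added example, not code from the slides: the permanent and care-of addresses are the slide's, the home agent, correspondent and payload are constructed, and the IPv4 header is packed with the standard 20-byte layout and Internet checksum (IP protocol number 4 is the IANA value for IP-in-IP).

```python
import struct

IPPROTO_IPIP, IPPROTO_UDP = 4, 17      # IANA protocol numbers: IP-in-IP encapsulation, UDP

PERMANENT_ADDR = "128.119.40.186"      # mobile's permanent (home) address, from the slide
CARE_OF_ADDR = "79.129.13.2"           # care-of address at the foreign agent, from the slide
HOME_AGENT_ADDR = "128.119.40.7"       # constructed: the home agent's own address
CORRESPONDENT_ADDR = "203.0.113.9"     # constructed: the correspondent host

HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def internet_checksum(data):
    """One's-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_datagram(src, dst, proto, payload, ttl=64, ident=0):
    hdr = struct.pack(HDR, 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]   # fill checksum
    return hdr + payload


def parse_ipv4(datagram):
    f = struct.unpack(HDR, datagram[:20])
    ihl = (f[0] & 0x0F) * 4
    if f[0] >> 4 != 4 or internet_checksum(datagram[:ihl]) != 0:   # valid header sums to zero
        raise ValueError("not a valid IPv4 header (version or checksum)")
    return {"src": ip_str(f[8]), "dst": ip_str(f[9]), "proto": f[6], "ttl": f[5],
            "payload": datagram[ihl:f[2]]}


def correspondent_send(payload=b"hello mobile"):
    """The correspondent knows only the permanent address."""
    return ipv4_datagram(CORRESPONDENT_ADDR, PERMANENT_ADDR, IPPROTO_UDP, payload)


def home_agent_forward(datagram):
    """Home agent: a datagram addressed to the permanent address is wrapped, unchanged,
    inside a new IP header addressed to the care-of address: a packet within a packet."""
    inner = parse_ipv4(datagram)
    if inner["dst"] != PERMANENT_ADDR:
        raise ValueError("home agent only tunnels traffic for the mobile it serves")
    return ipv4_datagram(HOME_AGENT_ADDR, CARE_OF_ADDR, IPPROTO_IPIP, datagram)


def foreign_agent_deliver(tunnelled):
    """Foreign agent: strip the outer header and hand the original datagram to the mobile."""
    outer = parse_ipv4(tunnelled)
    if outer["dst"] != CARE_OF_ADDR or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP datagram for this care-of address")
    inner = parse_ipv4(outer["payload"])          # validates the inner header as well
    return outer["payload"], inner                # forwarded as-is, dst still 128.119.40.186


if __name__ == "__main__":
    d = correspondent_send()
    t = home_agent_forward(d)
    print("outer:", {k: v for k, v in parse_ipv4(t).items() if k != "payload"})
    print("inner:", foreign_agent_deliver(t)[1])
```

The inner datagram survives the tunnel bit for bit, so the mobile sees exactly what the correspondent sent; only the 20-byte outer header, addressed to the care-of address, is added and later removed. Validating the checksum on both headers is what lets each agent reject a datagram that was damaged or mangled on the way.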
Symmetric key crypto: Bob and Alice share the same (symmetric) key K_S.
§ e.g. the key is knowing the substitution pattern in a monoalphabetic substitution cipher
Q: how do Bob and Alice agree on the key value?
[Figure: plaintext message m → encryption algorithm with K_S → ciphertext K_S(m) → decryption algorithm with K_S → plaintext message m; m = K_S(K_S(m)).]
Network Security
[Figure: public key cryptography: plaintext message m → encryption algorithm with Bob's public key K_B^+ → ciphertext K_B^+(m) → decryption algorithm with Bob's private key K_B^- → plaintext message m = K_B^-(K_B^+(m)).]
Bob sends a digitally signed message:
[Figure: large message m → hash function H → H(m) → digital signature (encrypt) with Bob's private key K_B^- → K_B^-(H(m)), the encrypted message digest, sent along with m.]
Alice verifies the signature and integrity of the digitally signed message:
[Figure: the received large message m → hash function H → H(m); the received encrypted message digest K_B^-(H(m)) → digital signature (decrypt) with Bob's public key K_B^+ → H(m); check that the two values are equal.]
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
5
9
sectTCP Reliability includessect
sect
sect
sect
1
23
0111
value in arrivingpackets header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Interplay between routing and forwarding
routing algorithm determinesend-end-path through network
forwarding table determineslocal forwarding at this router
5318
6
Network Layer
sect IP address 32-bit identifier for host router interface
sect interface connection between hostrouter and physical linksect routers typically have
multiple interfacessect host typically has one or two
interfaces (eg wired Ethernet wireless 80211)
sect IP addresses associated with each interface
223111
223112
223113
223114 223129
223122
223121
223132223131
2231327
223111 = 11011111 00000001 00000001 00000001
223 1 11
DHCP server 223125 arrivingclient
time
DHCP discover
src 0000 68 dest 25525525525567yiaddr 0000transaction ID 654
DHCP offersrc 223125 67dest 255255255255 68yiaddr 223124transaction ID 654Lifetime 3600 secs
DHCP requestsrc 0000 68dest 255255255255 67yiaddr 223124transaction ID 655Lifetime 3600 secs
DHCP ACKsrc 223125 67 dest 255255255255 68yiaddr 223124transaction ID 655Lifetime 3600 secs
yiaddr = lsquoyour internet addressrsquobroadcast address 255255255255 agrave sent to every host in the subnet
5318
7
13
1
23
0111
Address value in arrivingpackets header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Oslash Create versus use the forwarding table
RoutingAlgorithm
bull Individual routing algorithm is run in each and every router bull Routers interact with each other in ldquocontrol planerdquo to compute forwarding
tablesbull Traditional approach
dataplane
controlplane
41 bull OVERVIEW OF NETWORK LAYER 309
tables In this example a routing algorithm runs in each and every router and both forwarding and routing functions are contained within a router As wersquoll see in Sec-tions 53 and 54 the routing algorithm function in one router communicates with the routing algorithm function in other routers to compute the values for its forward-ing table How is this communication performed By exchanging routing messages containing routing information according to a routing protocol Wersquoll cover routing algorithms and protocols in Sections 52 through 54
The distinct and different purposes of the forwarding and routing functions can be further illustrated by considering the hypothetical (and unrealistic but technically feasible) case of a network in which all forwarding tables are configured directly by human network operators physically present at the routers In this case no routing protocols would be required Of course the human operators would need to interact with each other to ensure that the forwarding tables were configured in such a way that packets reached their intended destinations Itrsquos also likely that human configu-ration would be more error-prone and much slower to respond to changes in the net-work topology than a routing protocol Wersquore thus fortunate that all networks have both a forwarding and a routing function
Values in arrivingpacketrsquos header
1
23
Local forwardingtable
header
0100011001111001
1101
3221
output
Control plane
Data plane
Routing algorithm
Figure 42 diams Routing algorithms determine values in forward tables
M04_KURO4140_07_SE_C04indd 309 110216 314 PM
1
2
0111
values in arriving packet header
3
5318
8
230100 1101
values in arrivingpackets header
logically-centralized routing controller
1
control plane
data plane
Each router contains a flow table that is computed and distributed by a centralized routing controller
local flow tableheaders counters actions
16
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmission
collisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
5318
9
17
18
q Hubv
v
q Switchv
v
q Router v
v
q SDN Packet Switchv
v
5318
10
20
Link Differences from wired link hellip
sect decreasing signal strength EM signal attenuates as it propagates through matter (path loss)
sect interference from other sources wireless network frequencies (eg 24 GHz) shared by other devices (eg phone microwave)
sect multipath propagation EM signal reflects off objects arriving at destination at slightly different times (like echoing)
hellip make communication across (even a point to point) wireless link much more error-prone
5318
11
network Multiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading
22
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
5318
12
23
Permanent address 12811940186
Care-of address 79129132
dest 12811940186
packet sent by correspondent
dest 79129132 dest 12811940186
packet sent by home agent to foreign agent a packet within a packet
dest 12811940186
foreign-agent-to-mobile packet
1)
2)
3)
4)
Provided via
1)
2)
3)
4)
5)
6)
5318
13
symmetric key crypto Bob and Alice share same (symmetric) key K
sect eg key is knowing substitution pattern in mono alphabetic substitution cipher
Q how do Bob and Alice agree on key value
plaintextciphertext
K S
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage m
K (m)S
m = KS(KS(m))
Network Security
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobs public key
plaintextmessageK (m)B
+
K B+
Bobs privatekey
K B-
m = K (K (m))B+
B-
5318
14
large message
mH Hashfunction H(m)
digitalsignature(encrypt)
Bobs private
key K B-
+
Bob sends digitally signed message
Alice verifies signature integrity of digitally signed message
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobs public
key K B+
equal
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
6
Network Layer
sect IP address 32-bit identifier for host router interface
sect interface connection between hostrouter and physical linksect routers typically have
multiple interfacessect host typically has one or two
interfaces (eg wired Ethernet wireless 80211)
sect IP addresses associated with each interface
223111
223112
223113
223114 223129
223122
223121
223132223131
2231327
223111 = 11011111 00000001 00000001 00000001
223 1 11
DHCP server 223125 arrivingclient
time
DHCP discover
src 0000 68 dest 25525525525567yiaddr 0000transaction ID 654
DHCP offersrc 223125 67dest 255255255255 68yiaddr 223124transaction ID 654Lifetime 3600 secs
DHCP requestsrc 0000 68dest 255255255255 67yiaddr 223124transaction ID 655Lifetime 3600 secs
DHCP ACKsrc 223125 67 dest 255255255255 68yiaddr 223124transaction ID 655Lifetime 3600 secs
yiaddr = lsquoyour internet addressrsquobroadcast address 255255255255 agrave sent to every host in the subnet
5318
7
13
1
23
0111
Address value in arrivingpackets header
routing algorithm
local forwarding tableheader value output link
0100010101111001
3221
Oslash Create versus use the forwarding table
RoutingAlgorithm
bull Individual routing algorithm is run in each and every router bull Routers interact with each other in ldquocontrol planerdquo to compute forwarding
tablesbull Traditional approach
dataplane
controlplane
41 bull OVERVIEW OF NETWORK LAYER 309
tables In this example a routing algorithm runs in each and every router and both forwarding and routing functions are contained within a router As wersquoll see in Sec-tions 53 and 54 the routing algorithm function in one router communicates with the routing algorithm function in other routers to compute the values for its forward-ing table How is this communication performed By exchanging routing messages containing routing information according to a routing protocol Wersquoll cover routing algorithms and protocols in Sections 52 through 54
The distinct and different purposes of the forwarding and routing functions can be further illustrated by considering the hypothetical (and unrealistic but technically feasible) case of a network in which all forwarding tables are configured directly by human network operators physically present at the routers In this case no routing protocols would be required Of course the human operators would need to interact with each other to ensure that the forwarding tables were configured in such a way that packets reached their intended destinations Itrsquos also likely that human configu-ration would be more error-prone and much slower to respond to changes in the net-work topology than a routing protocol Wersquore thus fortunate that all networks have both a forwarding and a routing function
Values in arrivingpacketrsquos header
1
23
Local forwardingtable
header
0100011001111001
1101
3221
output
Control plane
Data plane
Routing algorithm
Figure 42 diams Routing algorithms determine values in forward tables
M04_KURO4140_07_SE_C04indd 309 110216 314 PM
1
2
0111
values in arriving packet header
3
5318
8
230100 1101
values in arrivingpackets header
logically-centralized routing controller
1
control plane
data plane
Each router contains a flow table that is computed and distributed by a centralized routing controller
local flow tableheaders counters actions
16
collisions can still occurpropagation delay means two nodes may not heareach otherrsquos transmission
collisionentire packet transmission time wasted
spatial layout of nodes
noterole of distance amp propagation delay in determining collision probability
5318
9
17
18
q Hubv
v
q Switchv
v
q Router v
v
q SDN Packet Switchv
v
5318
10
20
Link Differences from wired link hellip
sect decreasing signal strength EM signal attenuates as it propagates through matter (path loss)
sect interference from other sources wireless network frequencies (eg 24 GHz) shared by other devices (eg phone microwave)
sect multipath propagation EM signal reflects off objects arriving at destination at slightly different times (like echoing)
hellip make communication across (even a point to point) wireless link much more error-prone
5318
11
network Multiple wireless senders and receivers create
additional problems (beyond multiple access)
AB
C
Hidden terminal problem
A B C
Arsquos signalstrength
space
Crsquos signalstrength
Signal fading
22
APA B
time
RTS(A)RTS(B)
RTS(A)
CTS(A) CTS(A)
DATA (A)
ACK(A) ACK(A)
reservation collision
defer
5318
12
23
Permanent address 12811940186
Care-of address 79129132
dest 12811940186
packet sent by correspondent
dest 79129132 dest 12811940186
packet sent by home agent to foreign agent a packet within a packet
dest 12811940186
foreign-agent-to-mobile packet
1)
2)
3)
4)
Provided via
1)
2)
3)
4)
5)
6)
5318
13
symmetric key crypto Bob and Alice share same (symmetric) key K
sect eg key is knowing substitution pattern in mono alphabetic substitution cipher
Q how do Bob and Alice agree on key value
plaintextciphertext
K S
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage m
K (m)S
m = KS(KS(m))
Network Security
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobs public key
plaintextmessageK (m)B
+
K B+
Bobs privatekey
K B-
m = K (K (m))B+
B-
5318
14
large message
mH Hashfunction H(m)
digitalsignature(encrypt)
Bobs private
key K B-
+
Bob sends digitally signed message
Alice verifies signature integrity of digitally signed message
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobs public
key K B+
equal
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
Example: datagrams from hosts h5 and h6 should be sent to h3 or h4 via s1 and from there to s2; avoid the direct link from s3 to s2.

[Figure: controller above switches s1, s2, s3, each with ports 1-4; hosts h1 (10.1.0.1) and h2 (10.1.0.2) attach to s1, h3 (10.2.0.3) and h4 (10.2.0.4) to s2, h5 (10.3.0.5) and h6 (10.3.0.6) to s3]

s3 flow table
  match: IP Src = 10.3.*.*, IP Dst = 10.2.*.*                      action: forward(3)

s1 flow table
  match: ingress port = 1, IP Src = 10.3.*.*, IP Dst = 10.2.*.*    action: forward(4)

s2 flow table
  match: ingress port = 2, IP Dst = 10.2.0.3                        action: forward(3)
  match: ingress port = 2, IP Dst = 10.2.0.4                        action: forward(4)
Dijkstra's algorithm example (slide 44), source A

Step  N'       D(B),p(B)  D(C),p(C)  D(D),p(D)  D(E),p(E)  D(F),p(F)
0     A        2,A        5,A        1,A        ∞          ∞
1     AD       2,A        4,D                   2,D        ∞
2     ADE      2,A        3,E                              4,E
3     ADEB                3,E                              4,E
4     ADEBC                                                4,E
5     ADEBCF

[Figure: graph with nodes A, B, C, D, E, F; the ten link costs shown are 2, 2, 1, 3, 1, 1, 2, 5, 3, 5]
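The table above is the trace of a link-state computation. The following is an added example (not code from the slides) that runs Dijkstra's algorithm on the slide's six-node graph, records the table row after every step, and then turns the predecessor pointers p(v) into A's forwarding table, which is the "routing algorithm determines forwarding table" point made on the network-layer slides. The link-cost assignment is an assumption: the slide's figure residue shows the ten costs 2, 2, 1, 3, 1, 1, 2, 5, 3, 5 on nodes A-F, and the assignment used here is the standard textbook one, which reproduces every D(v),p(v) entry of the table.

```python
"""Link-state routing: Dijkstra's algorithm on the slide-44 graph, with the
table row recorded after each step and A's forwarding table derived from
the predecessor pointers.  Added example, not from the slides.  LINKS is an
assumption (see the lead-in): it reproduces every entry of the table."""
from math import inf

LINKS = {  # assumption: textbook link costs; the slide shows these ten values
    ("A", "B"): 2, ("A", "C"): 5, ("A", "D"): 1,
    ("B", "C"): 3, ("B", "D"): 2,
    ("C", "D"): 3, ("C", "E"): 1, ("C", "F"): 5,
    ("D", "E"): 1, ("E", "F"): 2,
}


def build_graph(links):
    """Undirected adjacency map {node: {neighbour: cost}}."""
    graph = {}
    for (u, v), cost in links.items():
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph


def dijkstra(graph, source):
    """Return (dist, prev, trace).  trace[k] is the table row after step k:
    (N' as a string, {v: (D(v), p(v))} for every v not yet in N').
    Ties on D(v) are broken alphabetically; the slide breaks the B/E tie at
    step 2 the other way, which swaps two rows but leaves the final
    distances and predecessors unchanged."""
    dist = {v: inf for v in graph}
    prev = {v: None for v in graph}
    dist[source] = 0
    n_prime, trace = [], []
    remaining = set(graph)
    while remaining:
        u = min(remaining, key=lambda v: (dist[v], v))  # smallest D(v) not yet in N'
        remaining.remove(u)
        n_prime.append(u)
        for v, cost in graph[u].items():                # relax u's neighbours
            if v in remaining and dist[u] + cost < dist[v]:
                dist[v], prev[v] = dist[u] + cost, u
        trace.append(("".join(n_prime),
                      {v: (dist[v], prev[v]) for v in sorted(remaining)}))
    return dist, prev, trace


def forwarding_table(prev, source):
    """Next hop from source to each destination: walk p(v) back to the source."""
    table = {}
    for dest in prev:
        if dest == source or prev[dest] is None:
            continue
        hop = dest
        while prev[hop] != source:
            hop = prev[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    d, p, rows = dijkstra(build_graph(LINKS), "A")
    for step, (n_prime, row) in enumerate(rows):
        cells = ", ".join(f"{v}:{'inf' if c == inf else c},{pv or '-'}"
                          for v, (c, pv) in row.items())
        print(f"step {step}: N'={n_prime:<6} {cells}")
    print("A's forwarding table:", forwarding_table(p, "A"))
```

Rows 0 and 1 of the trace match the slide exactly; from step 2 on the alphabetical tie-break admits B before E, so the intermediate rows differ from the slide while the converged result (D(C) = 3 via E, D(F) = 4 via E, and A forwarding everything except B through D) is identical.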
Distance-vector example (slide 45): nodes X, Y, Z with link costs c(X,Y) = 2, c(X,Z) = 7, c(Y,Z) = 1

D_X(Y,Z) = c(X,Z) + min_w D_Z(Y,w) = 7 + 1 = 8
D_X(Z,Y) = c(X,Y) + min_w D_Y(Z,w) = 2 + 1 = 3
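The two equations above are single terms of the Bellman-Ford update D_x(y) = min over neighbours v of c(x,v) + D_v(y). As an added example (not from the slides), the code below iterates that update on the slide's triangle until the distance vectors stop changing, computes the per-neighbour terms D_X(Y,Z) = 8 and D_X(Z,Y) = 3 exactly as written on the slide, and reads off X's next hop for each destination. The link costs are the slide's own.

```python
"""Distance-vector (Bellman-Ford) routing on the slide-45 triangle.
Added example, not from the slides.  Link costs are the slide's:
c(X,Y) = 2, c(X,Z) = 7, c(Y,Z) = 1."""
from math import inf

COSTS = {("X", "Y"): 2, ("X", "Z"): 7, ("Y", "Z"): 1}


def neighbors(costs):
    """Undirected adjacency map {node: {neighbour: cost}}."""
    nbrs = {}
    for (u, v), c in costs.items():
        nbrs.setdefault(u, {})[v] = c
        nbrs.setdefault(v, {})[u] = c
    return nbrs


def run_dv(costs):
    """Synchronous DV iteration until no vector changes.
    Returns ({node: {dest: least cost}}, number of rounds run)."""
    nbrs = neighbors(costs)
    nodes = sorted(nbrs)
    # initial vector: direct link cost to each neighbour, inf elsewhere
    dv = {u: {v: 0 if u == v else nbrs[u].get(v, inf) for v in nodes} for u in nodes}
    rounds, changed = 0, True
    while changed:
        rounds, changed = rounds + 1, False
        advertised = {u: dict(vec) for u, vec in dv.items()}   # vectors sent last round
        for x in nodes:
            for y in nodes:
                if x == y:
                    continue
                best = min(nbrs[x][v] + advertised[v][y] for v in nbrs[x])
                if best != dv[x][y]:
                    dv[x][y], changed = best, True
    return dv, rounds


def cost_via(costs, x, y, v):
    """D_X(Y,V) on the slide: cost from x to y when the first hop is
    neighbour v, i.e. c(x,v) + min_w D_V(y,w)."""
    nbrs = neighbors(costs)
    dv, _ = run_dv(costs)
    return nbrs[x][v] + dv[v][y]


def best_next_hop(costs, x, y):
    """Neighbour minimising c(x,v) + D_v(y): x's forwarding-table entry for y."""
    nbrs = neighbors(costs)
    dv, _ = run_dv(costs)
    return min(nbrs[x], key=lambda v: (nbrs[x][v] + dv[v][y], v))


if __name__ == "__main__":
    print("D_X(Y,Z) =", cost_via(COSTS, "X", "Y", "Z"))   # 7 + 1 = 8
    print("D_X(Z,Y) =", cost_via(COSTS, "X", "Z", "Y"))   # 2 + 1 = 3
    vectors, n = run_dv(COSTS)
    print(f"converged after {n} rounds; X's vector: {vectors['X']}; "
          f"X reaches Z via {best_next_hop(COSTS, 'X', 'Z')}")
```

The contrast with the Dijkstra example is the point: here no node ever sees the whole graph, each only combines its link costs with what its neighbours advertise, so X learns that the 7-cost direct link to Z loses to the 2 + 1 path through Y.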
[Figure (slide 46): graph with nodes A, B, C and links labelled a, b, c, d]
- What is the difference between a forwarding table for destination-based forwarding and OpenFlow's flow table?
- Each entry in the forwarding table of destination-based forwarding contains:
  1. only an IP header field value, and
  2. the outgoing link interface to which a packet (that matches the IP header field value) is to be forwarded
- Each entry of the flow table in OpenFlow includes:
  1. a set of header field values to which an incoming packet will be matched
  2. a set of counters that are updated as packets are matched to flow table entries (number of packets matched, time since last update, ...)
  3. a set of actions to be taken when a packet matches a flow table entry, such as forward, duplicate, drop, rewrite header field, ...
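The three-part flow entry just listed (match fields, counters, actions) and the h5/h6-to-h3/h4 example earlier are implemented together in the following added example (not code from the slides or from any OpenFlow implementation). Each switch holds the rules printed on the example slide, with 10.3.*.* written as the prefix 10.3.0.0/16; which port joins which switch is an assumption consistent with those rules. A datagram from h5 to h3 is carried s3 -> s1 -> s2 without touching the direct s3-s2 link, counters advance on the matched entries, and a datagram from h1, for which the controller installed no rule, hits a table miss and is dropped, which is how the same table doubles as access control.

```python
"""Generalized match-plus-action forwarding: a minimal OpenFlow-style flow
table (match fields, counters, actions) loaded with the slide's per-switch
rules.  Added example, not from the slides or any OpenFlow code.  The
wiring (HOST_PORT, LINKS) is an assumption consistent with the rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time


@dataclass
class FlowEntry:
    match: dict            # subset of {"in_port": int, "ip_src": prefix, "ip_dst": prefix}
    actions: list          # e.g. [("forward", 4)] or [("drop",)]
    packets: int = 0       # counters: packets matched ...
    last_match: float = 0  # ... and time of the last match

    def matches(self, pkt):
        for key, want in self.match.items():
            if key == "in_port" and pkt["in_port"] != want:
                return False
            if key != "in_port" and ip_address(pkt[key]) not in ip_network(want):
                return False
        return True


class FlowTable:
    def __init__(self, entries):
        self.entries = entries

    def lookup(self, pkt):
        """First matching entry wins; update its counters and return its actions.
        A table miss is treated as drop here (a controller could be asked instead)."""
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packets += 1
                entry.last_match = time.time()
                return entry.actions
        return [("drop",)]


TABLES = {  # the slide's rules; 10.3.*.* -> 10.3.0.0/16, 10.2.*.* -> 10.2.0.0/16
    "s3": FlowTable([FlowEntry({"ip_src": "10.3.0.0/16", "ip_dst": "10.2.0.0/16"}, [("forward", 3)])]),
    "s1": FlowTable([FlowEntry({"in_port": 1, "ip_src": "10.3.0.0/16", "ip_dst": "10.2.0.0/16"}, [("forward", 4)])]),
    "s2": FlowTable([FlowEntry({"in_port": 2, "ip_dst": "10.2.0.3/32"}, [("forward", 3)]),
                     FlowEntry({"in_port": 2, "ip_dst": "10.2.0.4/32"}, [("forward", 4)])]),
}
HOSTS = {"h1": "10.1.0.1", "h2": "10.1.0.2", "h3": "10.2.0.3",
         "h4": "10.2.0.4", "h5": "10.3.0.5", "h6": "10.3.0.6"}
# assumed wiring: host -> (switch, ingress port); (switch, out port) -> (next switch, its port) or host
HOST_PORT = {"h5": ("s3", 1), "h6": ("s3", 2), "h1": ("s1", 2), "h2": ("s1", 3)}
LINKS = {("s3", 3): ("s1", 1), ("s1", 4): ("s2", 2),
         ("s3", 4): ("s2", 1),                 # the direct s3-s2 link the policy avoids
         ("s2", 3): ("h3", None), ("s2", 4): ("h4", None)}


def route(src_host, dst_host):
    """Carry one datagram switch by switch; return [(switch, action), ...]."""
    switch, in_port = HOST_PORT[src_host]
    pkt = {"in_port": in_port, "ip_src": HOSTS[src_host], "ip_dst": HOSTS[dst_host]}
    path = []
    while True:
        action = TABLES[switch].lookup(pkt)[0]
        path.append((switch, action))
        if action[0] != "forward":
            return path                       # table miss: flow not authorised by the controller
        nxt, nxt_port = LINKS[(switch, action[1])]
        if nxt.startswith("h"):
            path.append((nxt, ("deliver",)))
            return path
        switch, pkt["in_port"] = nxt, nxt_port


if __name__ == "__main__":
    print("h5 -> h3:", route("h5", "h3"))    # s3 -> s1 -> s2 -> h3, direct s3-s2 link unused
    print("h1 -> h3:", route("h1", "h3"))    # no rule for 10.1.x.x at s1: dropped
    print("s3 rule matched", TABLES["s3"].entries[0].packets, "packets")
```

Note how the s1 rule keys on ingress port 1 as well as on addresses: a datagram with a spoofed 10.3.x.x source arriving from h1's port does not match it, which is a property a destination-only forwarding table cannot express.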
Slide 48: Ethernet CSMA/CD
1. Adapter receives datagram from network layer & creates frame
2. If adapter senses channel idle (senses for 96 bit-times), it starts to transmit frame. If it senses channel busy, it waits until channel is idle
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame
4. If adapter detects another transmission while transmitting, it aborts and sends jam signal
5. After aborting, adapter enters exponential backoff:
   1. after the m-th collision, adapter chooses a K at random from {0, 1, 2, ..., 2^m - 1}
   2. adapter waits K · 512 bit times and returns to Step 2
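Step 5 is the part of the algorithm worth running rather than reading. The following added example (not code from the slides) implements the backoff rule, converts the wait into microseconds at 10 Mbps, gives the probability that two adapters which collided together draw the same K and collide again, and simulates two adapters contending until one wins. The cap of m at 10 and the give-up limit of 16 attempts are the standard Ethernet values, not something the slide states.

```python
"""Exponential backoff (step 5 of the CSMA/CD algorithm above) plus a small
two-adapter contention simulation.  Added example, not from the slides.
MAX_BACKOFF_EXPONENT and MAX_ATTEMPTS are the standard Ethernet values."""
import random

SLOT_BIT_TIMES = 512
MAX_BACKOFF_EXPONENT = 10     # Ethernet caps m at 10, so K <= 1023
MAX_ATTEMPTS = 16             # Ethernet gives up after 16 collisions


def _draw(m, rng):
    """K * 512 bit times with K uniform on {0, ..., 2^min(m,10) - 1}."""
    return rng.randrange(2 ** min(m, MAX_BACKOFF_EXPONENT)) * SLOT_BIT_TIMES


def backoff_bit_times(m, seed=None):
    """Wait after the m-th collision, in bit times.  A seed makes the draw repeatable."""
    if m < 1:
        raise ValueError("m counts collisions, so m must be >= 1")
    rng = random.Random(seed) if seed is not None else random
    return _draw(m, rng)


def bit_times_to_us(bit_times, rate_mbps=10):
    """One bit time at 10 Mbps is 0.1 us, so a 512-bit slot is 51.2 us."""
    return bit_times / rate_mbps


def repeat_collision_probability(m):
    """Two adapters that just shared their m-th collision draw K independently
    and collide again only if they draw the same K: probability 1 / 2^m."""
    return 1 / 2 ** min(m, MAX_BACKOFF_EXPONENT)


def contend(seed=1):
    """Adapters A and B collide on their first attempt and then follow the
    backoff rule; whoever draws the smaller K transmits first, equal draws
    collide again.  Returns (collisions_until_separated, winner); winner is
    None if both reach the 16-attempt limit."""
    rng = random.Random(seed)
    for m in range(1, MAX_ATTEMPTS + 1):
        wait_a, wait_b = _draw(m, rng), _draw(m, rng)
        if wait_a != wait_b:
            return m, "A" if wait_a < wait_b else "B"
    return MAX_ATTEMPTS, None


if __name__ == "__main__":
    for m in (1, 2, 3, 10):
        wait = backoff_bit_times(m, seed=m)
        print(f"after collision {m}: wait {wait} bit times = {bit_times_to_us(wait)} us, "
              f"P(repeat collision) = {repeat_collision_probability(m):.4f}")
    print("two-adapter contention resolved after (collisions, winner):", contend())
```

The doubling of the range is what makes the scheme self-adjusting: after the first collision two adapters still have a 1-in-2 chance of colliding again, after the fourth only 1-in-16, so persistent contenders spread out quickly while a lone retransmission rarely waits long.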
- Alice wants to provide secrecy, sender authentication & message integrity ... How?
- Alice uses three keys: her private key, Bob's public key, the newly created symmetric key
- What does Bob do to retrieve the msg & be sure it came from Alice?
[Figure: Alice computes H(m), applies her private key K_A- to obtain K_A-(H(m)), appends it to m, encrypts the pair with the symmetric key K_S, encrypts K_S with Bob's public key K_B+ to get K_B+(K_S), and sends both across the Internet]
[Figure: interplay between routing and forwarding: the routing algorithm (control plane) fills the local forwarding table (data plane), which maps header values 0100, 0101, 0111, 1001 to output links 3, 2, 2, 1; the address value 0111 in an arriving packet's header selects output link 2]
- Create versus use the forwarding table
- Routing algorithm: an individual routing algorithm is run in each and every router
- Routers interact with each other in the "control plane" to compute forwarding tables
- Traditional approach
Textbook excerpt, Section 4.1 Overview of Network Layer, p. 309:

... tables. In this example, a routing algorithm runs in each and every router and both forwarding and routing functions are contained within a router. As we'll see in Sections 5.3 and 5.4, the routing algorithm function in one router communicates with the routing algorithm function in other routers to compute the values for its forwarding table. How is this communication performed? By exchanging routing messages containing routing information according to a routing protocol. We'll cover routing algorithms and protocols in Sections 5.2 through 5.4.

The distinct and different purposes of the forwarding and routing functions can be further illustrated by considering the hypothetical (and unrealistic, but technically feasible) case of a network in which all forwarding tables are configured directly by human network operators physically present at the routers. In this case, no routing protocols would be required. Of course, the human operators would need to interact with each other to ensure that the forwarding tables were configured in such a way that packets reached their intended destinations. It's also likely that human configuration would be more error-prone and much slower to respond to changes in the network topology than a routing protocol. We're thus fortunate that all networks have both a forwarding and a routing function.

[Figure 4.2 ◆ Routing algorithms determine values in forwarding tables: the control plane runs the routing algorithm; the data plane's local forwarding table maps header values 0100, 0110, 0111, 1001 to output ports 3, 2, 2, 1; the values in an arriving packet's header (1101) are looked up to choose among output ports 1, 2, 3]
[Figure: SDN, logically-centralized control plane: a logically-centralized routing controller (control plane) computes a flow table and distributes it to each router (data plane); the local flow table holds headers, counters and actions, and the values in an arriving packet's header (e.g., 0100, 1101) are matched to choose the output port]
Each router contains a flow table that is computed and distributed by a centralized routing controller
Slide 16:
- collisions can still occur: propagation delay means two nodes may not hear each other's transmission
- collision: entire packet transmission time wasted
- [Figure: spatial layout of nodes]
- note: role of distance & propagation delay in determining collision probability
Slide 18 (review prompts, blank on the slide):
- Hub
- Switch
- Router
- SDN packet switch
Slide 20: Link differences from a wired link ...
- decreasing signal strength: EM signal attenuates as it propagates through matter (path loss)
- interference from other sources: wireless network frequencies (e.g., 2.4 GHz) shared by other devices (e.g., phone, microwave)
- multipath propagation: EM signal reflects off objects, arriving at the destination at slightly different times (like echoing)
... make communication across (even a point-to-point) wireless link much more error-prone
Network: multiple wireless senders and receivers create additional problems (beyond multiple access)
[Figure: hidden terminal problem: A and C can each reach B but cannot hear each other]
[Figure: signal fading: A's signal strength and C's signal strength fall off with distance in space, so A and C cannot sense each other's transmission at B]
[Figure (slide 22): RTS/CTS exchange between stations A, B and the AP over time: RTS(A) and RTS(B) collide at the AP (reservation collision); A retries RTS(A); the AP sends CTS(A); A transmits DATA(A) while B defers; the AP returns ACK(A)]
[Figure (slide 23): mobile IP indirect routing. Permanent address 128.119.40.186, care-of address 79.129.13.2. Packet sent by correspondent: dest 128.119.40.186. Packet sent by home agent to foreign agent: outer dest 79.129.13.2 wrapping inner dest 128.119.40.186 (a packet within a packet). Foreign-agent-to-mobile packet: dest 128.119.40.186]
Review prompts (blank on the slide): 1) 2) 3) 4); Provided via: 1) 2) 3) 4) 5) 6)
Symmetric key crypto: Bob and Alice share the same (symmetric) key K_S
- e.g., the key is knowing the substitution pattern in a mono-alphabetic substitution cipher
- Q: how do Bob and Alice agree on the key value?
[Figure: plaintext message m → encryption algorithm with K_S → ciphertext K_S(m) → decryption algorithm with K_S → plaintext m = K_S(K_S(m))]

Network Security: public key crypto
[Figure: plaintext message m → encryption algorithm with Bob's public key K_B+ → ciphertext K_B+(m) → decryption algorithm with Bob's private key K_B- → plaintext m = K_B-(K_B+(m))]
[Figure: Bob sends digitally signed message: large message m → hash function H → H(m) → digital signature (encrypt) with Bob's private key K_B- → K_B-(H(m)), the encrypted msg digest, sent along with m]
[Figure: Alice verifies signature and integrity of digitally signed message: she computes H(m) from the received m, applies Bob's public key K_B+ to the encrypted msg digest K_B-(H(m)) (digital signature, decrypt) to recover H(m), and checks that the two are equal]
Digital signature = signed message digest
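The signed-message-digest construction just shown is the building block of the earlier slide in which Alice provides secrecy, sender authentication and message integrity with three keys (her private key K_A-, Bob's public key K_B+, a fresh symmetric key K_S). The following is an added example, not code from the slides, that carries out both Alice's and Bob's sides of that construction. Textbook RSA on fixed Mersenne primes stands in for the K+/K- operations and a SHA-256 XOR keystream stands in for K_S(.); both are toys chosen so the example runs with the standard library alone, and they illustrate the roles of the three keys rather than serve as usable cryptography (no padding, no randomised signatures, fixed primes).

```python
"""Secrecy + sender authentication + message integrity with Alice's three
keys, as drawn on the 'Alice wants to provide secrecy...' slide; the
signature is the signed message digest K_A-(H(m)) of the digital-signature
slide.  Added example, not from the slides.  Toy RSA on fixed Mersenne
primes and a SHA-256 XOR keystream are stand-ins, not usable primitives."""
import hashlib
import hmac
import secrets

SIG_LEN = 32  # every toy modulus below is < 2**256, so a signature fits 32 bytes


# --- toy RSA: K+ = (e, n) public, K- = (d, n) private ----------------------
def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)


def rsa(key, x):
    """Apply K+ or K- to an integer x < n; K+(K-(x)) == K-(K+(x)) == x."""
    exp, n = key
    return pow(x, exp, n)


# fixed, publicly known primes: toy only, a real system generates fresh ones
ALICE_KEYS = rsa_keygen(2**61 - 1, 2**89 - 1)
BOB_KEYS = rsa_keygen(2**89 - 1, 2**107 - 1)


# --- toy symmetric cipher K_S(.) : XOR with a SHA-256 counter keystream -----
def sym(ks, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ks + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)                             # one call encrypts and decrypts


def digest_int(m, n):
    """H(m) as an integer below the toy modulus (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def alice_send(m, alice_priv, bob_pub):
    """Return (K_B+(K_S), K_S(m || K_A-(H(m))))."""
    ks = secrets.token_bytes(16)                               # fresh session key
    sig = rsa(alice_priv, digest_int(m, alice_priv[1]))       # K_A-(H(m))
    body = sym(ks, m + sig.to_bytes(SIG_LEN, "big"))           # K_S(m || sig)
    wrapped_ks = rsa(bob_pub, int.from_bytes(ks, "big"))       # K_B+(K_S)
    return wrapped_ks, body


def bob_receive(wrapped_ks, body, bob_priv, alice_pub):
    """Bob's side: K_B-(.) recovers K_S, K_S(.) recovers m || sig, and
    K_A+(sig) must equal H(m).  Raises ValueError if anything was altered
    or the signer was not Alice."""
    try:
        ks = rsa(bob_priv, wrapped_ks).to_bytes(16, "big")
    except OverflowError:
        raise ValueError("wrapped session key is corrupt") from None
    plain = sym(ks, body)
    m, sig = plain[:-SIG_LEN], int.from_bytes(plain[-SIG_LEN:], "big")
    recovered = rsa(alice_pub, sig).to_bytes(SIG_LEN, "big")
    expected = digest_int(m, alice_pub[1]).to_bytes(SIG_LEN, "big")
    if not hmac.compare_digest(recovered, expected):
        raise ValueError("signature check failed: not from Alice, or modified")
    return m


def demo():
    """Round trip succeeds; flipping one ciphertext bit is detected."""
    a_pub, a_priv = ALICE_KEYS
    b_pub, b_priv = BOB_KEYS
    m = b"constructed sample: pay 10 units to account 42"
    wrapped, body = alice_send(m, a_priv, b_pub)
    if bob_receive(wrapped, body, b_priv, a_pub) != m:
        return False
    tampered = bytearray(body)
    tampered[0] ^= 1
    try:
        bob_receive(wrapped, bytes(tampered), b_priv, a_pub)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip ok and tampering detected:", demo())
```

Reading bob_receive top to bottom answers the slide's question "what does Bob do": only his private key opens K_S, only K_S opens the body, and only Alice's public key turns the appended digest back into something that matches H(m); a message signed by anyone else, or altered in transit, fails the final comparison.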
- Alice, Bob need a shared symmetric key
- KDC server shares/knows a different secret key for each registered user (many users)
- Alice, Bob know their own symmetric keys KA-KDC, KB-KDC for communicating with the KDC
- Permanent, static existence of these 'identity' keys
11
Multiple wireless senders and receivers create additional problems (beyond multiple access):

[Figure: hidden terminal problem, nodes A, B, C]
[Figure: signal fading, A's and C's signal strength falling off across space]

[Figure: collision avoidance with RTS/CTS between stations A, B and the AP: RTS(A) and RTS(B) collide (reservation collision); A's retransmitted RTS(A) is answered by the AP's CTS(A), B defers, then DATA(A) is sent and ACK(A) returned]
Permanent address: 128.119.40.186
Care-of address: 79.129.13.2
packet sent by correspondent: dest 128.119.40.186
packet sent by home agent to foreign agent, a packet within a packet: outer dest 79.129.13.2, inner dest 128.119.40.186
foreign-agent-to-mobile packet: dest 128.119.40.186
1)
2)
3)
4)
Provided via
1)
2)
3)
4)
5)
6)
Symmetric key crypto: Bob and Alice share the same (symmetric) key K_S
• e.g., the key is knowing the substitution pattern in a mono-alphabetic substitution cipher
• Q: how do Bob and Alice agree on the key value?

[Figure: plaintext message m -> encryption algorithm with K_S -> ciphertext K_S(m) -> decryption algorithm with K_S -> plaintext m = K_S(K_S(m))]

[Figure: plaintext message m -> encryption algorithm with Bob's public key K_B^+ -> ciphertext K_B^+(m) -> decryption algorithm with Bob's private key K_B^- -> plaintext m = K_B^-(K_B^+(m))]
Digital signature = signed message digest

Bob sends digitally signed message:
[Figure: large message m -> hash function H -> H(m) -> digital signature (encrypt) with Bob's private key K_B^- -> encrypted message digest K_B^-(H(m))]

Alice verifies signature and integrity of digitally signed message:
[Figure: encrypted message digest K_B^-(H(m)) -> digital signature (decrypt) with Bob's public key K_B^+ -> H(m); large message m -> hash function H -> H(m); check that the two digests are equal]

KDC:
• Alice and Bob need a shared symmetric key.
• The KDC server shares (knows) a different secret key for each registered user (many users).
• Alice and Bob know their own symmetric keys, K_A-KDC and K_B-KDC, for communicating with the KDC.
• These 'identity' keys are permanent and static.
• The KDC creates a unique, single-use "session key" for each new communication between Alice and Bob.

[Figure: KDC holding one key per registered user: K_A-KDC, K_B-KDC, K_P-KDC, K_X-KDC, K_Y-KDC, K_Z-KDC]
• Certification authority (CA) binds a public key to a particular entity E.
• E (person, router) registers its public key with the CA:
  • E provides proof of identity to the CA;
  • the CA creates a certificate binding E to its public key;
  • the certificate containing E's public key is digitally signed by the CA: the CA says "this is E's public key".

[Figure: Bob's public key K_B^+ and Bob's identifying information -> digital signature (encrypt) with the CA's private key K_CA^- -> certificate for Bob's public key, signed by the CA]
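An added example, not from the slides, that ties the symmetric-key, public-key, digital-signature, certificate and "Alice's three keys" slides together in one piece of code. Toy textbook RSA (no padding, Mersenne primes, so trivially breakable) stands in for the K^+/K^- operations, SHA-256 for H( ) and an XOR keystream for K_S( ); a real deployment would use a vetted library with RSA-OAEP/PSS and an AEAD cipher. The key sizes, the certificate format (name|n|e) and the m||signature framing are assumptions made for this example.

```python
import hashlib
import os

E = 65537  # public exponent shared by all toy keys


def mersenne(k):
    """2^k - 1. The exponents used below are Mersenne-prime exponents, so these
    are primes; such keys are trivially factorable, which is fine for a toy."""
    return (1 << k) - 1


def make_keypair(p, q):
    """Textbook RSA without padding. Returns (K+ = (n, e), K- = (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def rsa_apply(key, value):
    """K+(x) or K-(x) from the slides: modular exponentiation with that key."""
    n, exp = key
    return pow(value, exp, n)


def digest(data):
    """H(m): SHA-256, as an integer so it can go through rsa_apply."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, m):
    return rsa_apply(priv, digest(m))             # K-(H(m)): the signed digest


def verify(pub, m, sig):
    return rsa_apply(pub, sig) == digest(m)       # K+(K-(H(m))) must equal H(m)


def stream_xor(ks, data):
    """Toy symmetric cipher K_S( ): XOR with a SHA-256 keystream, self-inverse.
    Stand-in for a real cipher; it gives secrecy but no integrity by itself."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ks + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def issue_certificate(ca_priv, name, pub):
    """The CA binds `name` to a public key by signing (name, n, e) with K_CA-."""
    body = b"|".join([name, str(pub[0]).encode(), str(pub[1]).encode()])
    return body, sign(ca_priv, body)


def check_certificate(ca_pub, cert):
    """Returns (name, public key) if the CA's signature verifies, else None."""
    body, sig = cert
    if not verify(ca_pub, body, sig):
        return None
    name, n, e = body.split(b"|")
    return name, (int(n), int(e))


def alice_send(alice_priv, bob_pub, m):
    """Alice's three keys: sign with K_A-, encrypt with a fresh K_S, wrap K_S with K_B+."""
    ks = os.urandom(16)
    signed = m + b"||" + str(sign(alice_priv, m)).encode()    # m, K_A-(H(m))
    return stream_xor(ks, signed), rsa_apply(bob_pub, int.from_bytes(ks, "big"))


def bob_receive(bob_priv, ca_pub, sender_cert, ciphertext, wrapped_key):
    """Bob's steps: take K_A+ from the CA-signed certificate, unwrap K_S with K_B-,
    decrypt, recompute H(m) and compare it with K_A+(signature)."""
    checked = check_certificate(ca_pub, sender_cert)
    if checked is None:
        return None
    _, sender_pub = checked
    try:
        ks = rsa_apply(bob_priv, wrapped_key).to_bytes(16, "big")
        m, sig = stream_xor(ks, ciphertext).rsplit(b"||", 1)
        return m if verify(sender_pub, m, int(sig)) else None
    except (ValueError, OverflowError):      # garbled framing or key: reject
        return None


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(mersenne(521), mersenne(607))
    bob_pub, bob_priv = make_keypair(mersenne(127), mersenne(1279))
    ca_pub, ca_priv = make_keypair(mersenne(2203), mersenne(2281))
    alice_cert = issue_certificate(ca_priv, b"alice", alice_pub)
    ct, wk = alice_send(alice_priv, bob_pub, b"meet at noon")
    print(bob_receive(bob_priv, ca_pub, alice_cert, ct, wk))
```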
• Multimedia applications can be classified into three categories. Name and describe each category.
• Streaming video systems can be classified into three categories (three stages in protocol evolution). Name and briefly describe each of these categories.
• Client buffering
  • Streaming: (i) the client begins viewing a few seconds after receiving the first video chunk at one location in the video, while ... (ii) the client is also receiving later portions of the video, while ... (iii) the server continues to send the video.
  • Avoids the need to download and store the entire video, and so to incur a delay in playback, as would happen if the client waited to download the whole video.
• Pre-fetching data
  • Download/receive the video frames at a rate higher than the consumption rate (frames to be viewed in the future).
  • Prefetched video is stored in the client application buffer.
  • Occurs naturally with TCP streaming and its congestion avoidance mechanism.
[Figure: software-defined network: a data plane of switches, each labelled CA (control agent), under a control plane with a Remote Controller running control applications such as routing, access control and load balance]

1. generalized "flow-based" forwarding (e.g., OpenFlow)
2. control / data plane separation
3. control plane functions external to data-plane switches
4. programmable control applications
Example: datagrams from hosts h5 and h6 should be sent to h3 or h4 via s1 and from there to s2; avoid the direct link from s3 to s2.

[Figure: switches s1, s2, s3 (ports 1 to 4 each) managed by the controller; hosts h1 10.1.0.1, h2 10.1.0.2, h3 10.2.0.3, h4 10.2.0.4, h5 10.3.0.5, h6 10.3.0.6]

s3 flow table
  match: IP Src = 10.3.*.*, IP Dst = 10.2.*.*                     action: forward(3)

s1 flow table
  match: ingress port = 1, IP Src = 10.3.*.*, IP Dst = 10.2.*.*   action: forward(4)

s2 flow table
  match: ingress port = 2, IP Dst = 10.2.0.3                      action: forward(3)
  match: ingress port = 2, IP Dst = 10.2.0.4                      action: forward(4)
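The three flow tables above as a small match-action simulator, added here as an example; it is not the slides' code nor any OpenFlow implementation. It shows the three parts of a flow-table entry from the comparison slide (header-field match with wildcards, per-entry counters, first-match action) and walks packets from h5/h6 to h3/h4 along s3, s1, s2. The wiring in LINKS (s3 port 3 to s1 port 1, s1 port 4 to s2 port 2, s2 ports 3 and 4 to h3 and h4) and a drop-on-table-miss policy are assumptions consistent with the rules.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


def ip_matches(pattern, addr):
    """Match a dotted-quad address against a pattern such as '10.2.*.*'."""
    if addr is None:
        return False
    return all(p in ("*", a) for p, a in zip(pattern.split("."), addr.split(".")))


@dataclass
class FlowEntry:
    match: Dict[str, object]      # header fields to match; an absent field is a wildcard
    action: Tuple[str, int]       # ("forward", port) or ("drop", 0)
    packets: int = 0              # counters updated as packets match this entry
    bytes_: int = 0

    def matches(self, pkt):
        for fld, want in self.match.items():
            if fld in ("ip_src", "ip_dst"):
                if not ip_matches(want, pkt.get(fld)):
                    return False
            elif pkt.get(fld) != want:
                return False
        return True


class Switch:
    def __init__(self, name, entries):
        self.name, self.table = name, entries

    def process(self, pkt):
        """First matching entry wins; returns its action, or None on a table miss."""
        for entry in self.table:
            if entry.matches(pkt):
                entry.packets += 1
                entry.bytes_ += pkt["len"]
                return entry.action
        return None   # table miss: dropped here (assumed; a controller could also be asked)


# The three flow tables from the slide: 10.3.*.* -> 10.2.*.* must go s3 -> s1 -> s2.
SWITCHES = {
    "s3": Switch("s3", [FlowEntry({"ip_src": "10.3.*.*", "ip_dst": "10.2.*.*"}, ("forward", 3))]),
    "s1": Switch("s1", [FlowEntry({"in_port": 1, "ip_src": "10.3.*.*", "ip_dst": "10.2.*.*"},
                                  ("forward", 4))]),
    "s2": Switch("s2", [FlowEntry({"in_port": 2, "ip_dst": "10.2.0.3"}, ("forward", 3)),
                        FlowEntry({"in_port": 2, "ip_dst": "10.2.0.4"}, ("forward", 4))]),
}

# Assumed wiring consistent with those rules: (switch, out port) -> (switch, in port) or host.
LINKS = {
    ("s3", 3): ("s1", 1),
    ("s1", 4): ("s2", 2),
    ("s2", 3): "h3",
    ("s2", 4): "h4",
}


def route(pkt, switch, in_port):
    """Walk a packet through the switches; returns (hops taken, outcome)."""
    hops = []
    for _ in range(len(SWITCHES) + 1):          # bound the walk in case of a loop
        pkt["in_port"] = in_port
        action = SWITCHES[switch].process(pkt)
        if action is None or action[0] == "drop":
            return hops, f"dropped at {switch}"
        hops.append((switch, action[1]))
        nxt = LINKS.get((switch, action[1]))
        if nxt is None:
            return hops, f"no link on {switch} port {action[1]}"
        if isinstance(nxt, str):
            return hops, f"delivered to {nxt}"
        switch, in_port = nxt
    return hops, "loop"


def packet(src, dst, length=100):
    return {"ip_src": src, "ip_dst": dst, "len": length}


if __name__ == "__main__":
    print(route(packet("10.3.0.5", "10.2.0.3"), "s3", 1))   # h5 -> h3 via s1, s2
    print(route(packet("10.3.0.5", "10.1.0.1"), "s3", 1))   # no rule for 10.1.*.*: dropped
    print(SWITCHES["s3"].table[0].packets, "packet(s) matched on s3")
```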
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
12
23
Permanent address 12811940186
Care-of address 79129132
dest 12811940186
packet sent by correspondent
dest 79129132 dest 12811940186
packet sent by home agent to foreign agent a packet within a packet
dest 12811940186
foreign-agent-to-mobile packet
1)
2)
3)
4)
Provided via
1)
2)
3)
4)
5)
6)
5318
13
symmetric key crypto Bob and Alice share same (symmetric) key K
sect eg key is knowing substitution pattern in mono alphabetic substitution cipher
Q how do Bob and Alice agree on key value
plaintextciphertext
K S
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage m
K (m)S
m = KS(KS(m))
Network Security
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobs public key
plaintextmessageK (m)B
+
K B+
Bobs privatekey
K B-
m = K (K (m))B+
B-
5318
14
large message
mH Hashfunction H(m)
digitalsignature(encrypt)
Bobs private
key K B-
+
Bob sends digitally signed message
Alice verifies signature integrity of digitally signed message
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobs public
key K B+
equal
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
13
symmetric key crypto Bob and Alice share same (symmetric) key K
sect eg key is knowing substitution pattern in mono alphabetic substitution cipher
Q how do Bob and Alice agree on key value
plaintextciphertext
K S
encryptionalgorithm
decryption algorithm
S
K S
plaintextmessage m
K (m)S
m = KS(KS(m))
Network Security
plaintextmessage m
ciphertextencryptionalgorithm
decryption algorithm
Bobs public key
plaintextmessageK (m)B
+
K B+
Bobs privatekey
K B-
m = K (K (m))B+
B-
5318
14
large message
mH Hashfunction H(m)
digitalsignature(encrypt)
Bobs private
key K B-
+
Bob sends digitally signed message
Alice verifies signature integrity of digitally signed message
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobs public
key K B+
equal
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
14
large message
mH Hashfunction H(m)
digitalsignature(encrypt)
Bobs private
key K B-
+
Bob sends digitally signed message
Alice verifies signature integrity of digitally signed message
KB(H(m))-
encrypted msg digest
KB(H(m))-
encrypted msg digest
large message
m
H Hashfunction
H(m)
digitalsignature(decrypt)
H(m)
Bobs public
key K B+
equal
Digital signature = signed message digest
sect Alice Bob need shared symmetric key
sect KDC server sharesknows different secret key for each registered user (many users)sect Alice Bob know own symmetric keys KA-KDC KB-KDC for communicating with KDC
sect Permanent static existence of these lsquoidentityrsquo keys
q KDC creates a unique single use ldquosession keyrdquo for each new communication between Alice and Bob
KB-KDC
KX-KDC
KY-KDC
KZ-KDC
KP-KDCKB-KDC
KA-KDC
KA-KDCKP-KDC
KDC
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
15
sect certification authority (CA) binds public key to particular entity E
sect E (person router) registers its public key with CAsect E provides proof of identity to CA sect CA creates certificate binding E to its public keysect certificate containing Es public key digitally signed by CA ndash CA says this is Es public key
Bobs public
key K B+
Bobs identifying
information
digitalsignature(encrypt)
CA private
key K CA-
K B+
certificate for Bobs public key
signed by CA
sect Multimedia applications can be classified into three categories Name and describe each category
sect Streaming video systems can be classified into three categories (three stages in protocol evolution) Name and briefly describe each of these categories
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
16
sect Client Bufferingsect Streaming (iii) client begins viewing a few seconds after receiving the
first video chunk at one location in the video whilehellip (ii) the client also is receiving later portions of the video whilehellip (iii) the server continues to send the videosect Avoids the need to download and store the entire video and so incur a delay in
playback if waited to download whole video
sect Pre-fetching Datasect Downloadreceive the video frames at a rate higher than the
consumption rate (frames to be viewed in the future)sect Prefetched video is stored in the client application buffersect Occurs naturally with TCP streaming and congestion avoidance
mechanism
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
48
1 Adaptor receives datagram from network layer amp creates frame
2 If adapter senses channel idle (senses for 96 bit-times) it starts to transmit frame If it senses channel busy it waits until channel is idle
3 If adapter transmits entire frame without detecting another transmission the adapter is done with frame
4 If adapter detects another transmission while transmitting it aborts and sends jam signal
5 After aborting adapter enters exponential backoff 1 After the mth collision adapter chooses a K at random from
012hellip2m-1 2 Adapter waits K512 bit times and returns to Step 2
5318
21
q Alice wants to provide secrecy sender authentication amp message integrity hellipHow
q Alice uses three keys her private key Bobrsquos public key the newly created symmetric key
q What does Bob do to retrieve the msg amp be sure it came from Alice
H( ) KA( )-
+
KA(H(m))-
m
KA
-
m
KS( )
KB( )++
KB(KS )+
KS
KB+
Internet
KS
5318
17
dataplane
controlplane
Remote Controller
CA
CA CA CA CA
1 generalizedldquo flow-basedrdquo forwarding (eg OpenFlow)
2 control data plane separation
3 control plane functions external to data-plane switches
hellip4 programmable
control applications
routing access control
loadbalance
5318
18
IP Src = 103IP Dst = 102 forward(3)
match action
ingress port = 2IP Dst = 10203ingress port = 2IP Dst = 10204
forward(3)
match action
forward(4)ingress port = 1IP Src = 103IP Dst = 102
forward(4)
match action
Host h110101
Host h210102
Host h410204
Host h310203
Host h510305
s1 s2
s312
3 4
1
2
34
1
23
4
Host h610306
controller
Examplebull datagrams from hosts
h5 and h6bull should be sent to h3
or h4bull via s1 and from there
to s2bull Avoid direct link from
s3 to s2
44
Step012345
start NrsquoA
ADADE
ADEBADEBC
ADEBCF
D(B)p(B)2A2A2A
D(C)p(C)5A4D3E3E
D(D)p(D)1A
D(E)p(E)infinity
2D
D(F)p(F)infinityinfinity
4E4E4E
A
ED
CB
F2
21
3
1
1
2
53
5
5318
19
45
X Z12
7
Y
D (YZ)X c(XZ) + min D (Yw)w== 7+1 = 8
Z
D (ZY)X c(XY) + min D (Zw)w=
= 2+1 = 3
Y
46
a
b
b
a
aC
A
B
d
Aa
Ac
CbBa
c
b
c
5318
20
sect What is the difference between a forwarding table for destination-based forwarding and OpenFlowrsquos flow table
sect Each entry in the forwarding table of a destination-based forwarding contains
1 Only an IP header field value and 2 The outgoing link interface to which a packet (that matches the IP
header field value) is to be forwarded
sect Each entry of the flow table in OpenFlow includes 1 A set of header field values to which an incoming packet will be
matched2 A set of counters that are updated as packets are matched to flow table
entries (number of packets matched time since last updatehellip)3 A set of actions to be taken when a packet matches a flow table entry
such as forward duplicate drop rewrite header fieldhellip
1. Adapter receives datagram from network layer & creates frame.
2. If adapter senses channel idle (senses for 96 bit-times), it starts to transmit frame. If it senses channel busy, it waits until channel is idle.
3. If adapter transmits entire frame without detecting another transmission, the adapter is done with frame.
4. If adapter detects another transmission while transmitting, it aborts and sends jam signal.
5. After aborting, adapter enters exponential backoff:
   1. After the mth collision, adapter chooses a K at random from {0, 1, 2, …, 2^m - 1}.
   2. Adapter waits K·512 bit times and returns to Step 2.
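Added example (not part of the slides): a slot-level simulation of steps 2 to 5 above for several adapters that all have a frame ready in the same instant. Assumptions of this example: one slot is 512 bit times, a frame occupies one slot, the 96-bit-time sensing period is not modelled, and the backoff rule is exactly the slide's (no cap on m, no give-up).

```python
import random

def backoff_slots(m, rng):
    """Step 5.1: after the m-th collision choose K uniformly from {0, 1, ..., 2^m - 1}."""
    return rng.randrange(2 ** m)

def wait_bit_times(k):
    """Step 5.2: the adapter stays quiet for K * 512 bit times."""
    return k * 512

def simulate(n_adapters, seed=1):
    """Assumed slot model: one slot = 512 bit times and one frame = one slot.
    Returns (slot in which each adapter's frame went through, collisions per adapter)."""
    rng = random.Random(seed)
    collisions = {a: 0 for a in range(n_adapters)}   # the m of step 5 for each adapter
    ready_at = {a: 0 for a in range(n_adapters)}     # first slot the adapter may transmit in
    finished = {}
    slot = 0
    while len(finished) < n_adapters:
        contenders = [a for a in ready_at if a not in finished and ready_at[a] <= slot]
        if len(contenders) == 1:                     # step 3: nobody else, frame goes through
            finished[contenders[0]] = slot
        elif contenders:                             # step 4: collision, jam, then step 5
            for a in contenders:
                collisions[a] += 1
                k = backoff_slots(collisions[a], rng)
                ready_at[a] = slot + 1 + k           # back to step 2 after K slots
        slot += 1
    return finished, collisions
```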
• Alice wants to provide secrecy, sender authentication & message integrity … How?
• Alice uses three keys: her private key, Bob's public key, the newly created symmetric key
• What does Bob do to retrieve the msg & be sure it came from Alice?

[Figure: Alice computes H(m) and signs it with her private key, giving K_A^-(H(m)); she concatenates m with K_A^-(H(m)) and encrypts the pair with the symmetric key K_S; she encrypts K_S with Bob's public key, giving K_B^+(K_S); K_S(m, K_A^-(H(m))) and K_B^+(K_S) are sent to Bob over the Internet]
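Added example (not from the slides) of the three-key construction in the figure, written with the third-party Python cryptography package. RSA-PSS for the signature, AES-GCM under K_S and RSA-OAEP to wrap K_S are this example's choices (the slide names only the keys); is_authentic is Bob's check that the bundle decrypts and the signature verifies under Alice's public key.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidSignature, InvalidTag

# Algorithm parameters are this example's assumptions, not something the slide specifies.
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)

def new_keypair():
    """Fresh RSA key pair (K^-, K^+) for one party."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def alice_send(m: bytes, ka_priv, kb_pub) -> dict:
    # 1. K_A^-(H(m)): sign the SHA-256 hash of m with Alice's private key.
    sig = ka_priv.sign(m, PSS, hashes.SHA256())
    # 2. Concatenate m with the signed hash (length-prefixed so Bob can split them again).
    bundle = len(sig).to_bytes(2, "big") + sig + m
    # 3. K_S(m, K_A^-(H(m))): encrypt the bundle with a freshly generated symmetric key.
    ks, nonce = AESGCM.generate_key(bit_length=256), os.urandom(12)
    ct = AESGCM(ks).encrypt(nonce, bundle, None)
    # 4. K_B^+(K_S): wrap K_S with Bob's public key; both parts travel over the Internet.
    return {"wrapped_key": kb_pub.encrypt(ks, OAEP), "nonce": nonce, "ciphertext": ct}

def bob_receive(pkt: dict, kb_priv, ka_pub) -> bytes:
    """Bob's steps in reverse order; raises if the key, ciphertext or signature is bad."""
    ks = kb_priv.decrypt(pkt["wrapped_key"], OAEP)                      # K_B^-(K_B^+(K_S)) = K_S
    bundle = AESGCM(ks).decrypt(pkt["nonce"], pkt["ciphertext"], None)  # undo K_S(...)
    n = int.from_bytes(bundle[:2], "big")
    sig, m = bundle[2:2 + n], bundle[2 + n:]
    ka_pub.verify(sig, m, PSS, hashes.SHA256())                         # K_A^+(sig) == H(m)?
    return m

def is_authentic(pkt: dict, kb_priv, ka_pub) -> bool:
    """True only when decryption succeeds and the signature checks out under ka_pub."""
    try:
        bob_receive(pkt, kb_priv, ka_pub)
        return True
    except (InvalidSignature, InvalidTag, ValueError):
        return False
```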