2. Routing
Except for LANs like Ethernet that provide direct
connections between all hosts, networks require a
process called routing to identify a path for
communications to travel between nodes. In large
networks, adaptive routing is used, analyzing the
best path between nodes periodically to avoid
congestion and faults such as broken connections.
Routing on a network is the collective
responsibility of the routers located at connection
points between networks or subnets.
3. A Small Personal Router
The Linksys EtherFast® Cable/DSL Router connects the Internet to a home or small office Ethernet LAN of up to 4 computers or other devices. It is combined with an Ethernet connection switch to link the devices.
List Price: about $80 in 2006
4. A Large CISCO Router
The Cisco uBR10012 Universal Broadband Router shown here supports 64,000 subscribers. It is a powerful commercial router that cost about $20,000 in 2006.
5. Routing Algorithms
Determining the best path between network nodes is done by routing algorithms. A routing algorithm has two parts:
Determine the path taken by each packet in an efficient manner to avoid degrading network performance
Monitor traffic and changes to the network to maintain information on the best paths through the network
6. Localized Routing
Routing algorithms are distributed through the
network. Each router reads the address of each
packet and decides where to send that packet next.
Locally held information at each router includes the
status of its direct links including information on
congestion and link failures.
Link tables include various routings and their current
known cost in terms of the number of hops to get to
a particular destination. An algorithm seeking a path
to a new destination can request information from
other routers.
7. Timeouts
The Internet uses a timeout mechanism to
identify a message connection failure. It uses a
default timing such as 256 seconds. The same
number may be used as a hop counter. A router
decrements a counter by 1 each time a packet
passes through a router. If the counter reaches
zero the packet is discarded. If the originating
system does not receive a response within the
designated time, a 404 error is displayed.
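The hop counter described on this slide, as an added example in Python that is not part of the slides or the Coulouris text. Each router the packet passes through decrements the counter and discards the packet when it reaches zero. The next-hop tables are constructed for the example: the first follows the A to B to E route that the Figure 3.8 tables later on these slides give for A, the second is a deliberately inconsistent pair of tables of the kind that can exist briefly after a link failure, before the routing algorithm has reconverged; the function and table names are this example's own.

```python
# Added example (not from the slides or the Coulouris text): hop-by-hop
# forwarding with a hop counter, showing how the counter bounds the damage
# done by a routing loop. All tables below are constructed for the example.

# Per-router next-hop tables: destination -> next router ("local" = deliver here).
CONSISTENT = {                 # follows the A -> B -> E route of Figure 3.8
    "A": {"E": "B"},
    "B": {"E": "E"},
    "E": {"E": "local"},
}
LOOPED = {                     # A believes E lies beyond B, B believes it lies beyond A
    "A": {"E": "B"},
    "B": {"E": "A"},
}


def forward(tables, src, dst, hop_limit):
    """Forward a packet from router src towards dst.

    Returns (delivered, path). Every router that must forward the packet
    decrements hop_limit first; when it reaches zero the packet is discarded
    (slide 7), so a loop can cost at most hop_limit forwarding steps.
    """
    path = [src]
    node = src
    while True:
        next_hop = tables[node].get(dst)
        if next_hop is None:            # no route known: drop
            return False, path
        if next_hop == "local":         # reached the destination
            return True, path
        hop_limit -= 1
        if hop_limit == 0:              # counter exhausted: discard
            return False, path
        node = next_hop
        path.append(node)


if __name__ == "__main__":
    print(forward(CONSISTENT, "A", "E", 64))   # delivered along A, B, E
    print(forward(LOOPED, "A", "E", 5))        # bounces A, B, A, B, A then discarded
```

With consistent tables the packet is delivered in two hops; with the looped tables it would circulate forever, and only the hop counter ends the exchange.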
8. Routing on a local subnet
Packets addressed to hosts on the same
network are transmitted to the destination
in a single hop. Otherwise the packets
must be sent to a router for transmission.
9. Routing Algorithm Example
The Coulouris text shows a sample network (figure
3.7) and routing table (figure 3.8) and discusses a
simple routing algorithm in section 3.3. Those
slides are shown following this one, but are difficult
to use in class because they require frequent
switching back and forth between slides to
understand the process. Students are expected to
understand that example well enough to explain
routing algorithms on a test.
10. Figure 3.7 Network Diagram
[Diagram from Coulouris et al, not reproduced in this text: routers A, B, C, D and E, each with hosts or local networks attached, joined by links numbered 1 to 6.]
11. Figure 3.8 Link Table
Routings from A
To   Link   Cost
A    local  0
B    1      1
C    1      2
D    3      1
E    1      2

Routings from B
To   Link   Cost
A    1      1
B    local  0
C    2      1
D    1      2
E    4      1

Routings from C
To   Link   Cost
A    2      2
B    2      1
C    local  0
D    5      2
E    5      1

Routings from D
To   Link   Cost
A    3      1
B    3      2
C    6      2
D    local  0
E    6      1

Routings from E
To   Link   Cost
A    4      2
B    4      1
C    5      1
D    6      1
E    local  0
Coulouris et al
12. Figure 3.9 Routing Algorithm (parts 1 and 2, slides 12 and 13)
Tl is the router's own (local) routing table; Tr is a table received from a neighbour.
Send: Each t seconds or when Tl changes, send Tl on each non-faulty outgoing link.
Receive: Whenever a routing table Tr is received on link n:
    for all rows Rr in Tr {
        if (Rr.link ≠ n) {
            Rr.cost = Rr.cost + 1;
            Rr.link = n;
            if (Rr.destination is not in Tl) add Rr to Tl;
                // add new destination to Tl
            else for all rows Rl in Tl {
                if (Rr.destination = Rl.destination and
                    (Rr.cost < Rl.cost or Rl.link = n)) Rl = Rr;
                // Rr.cost < Rl.cost : remote node has better route
                // Rl.link = n : remote node is more authoritative
            }
        }
    }
Coulouris et al
15. Fault Handling
When a router detects a broken link or similar
failure, it reacts by setting the cost to reach that
link to infinity. This cost will propagate to
neighboring nodes until a node is reached where
a link is active and therefore has a smaller cost.
This will propagate back through neighboring
router tables to create a new shortest path to the
nodes that were connected through the broken
link.
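The algorithm of Figure 3.9 and the fault handling just described, run on the network of Figure 3.7, as an added example in Python that is not part of the slides or the Coulouris text. Link endpoints are read off the cost-1 rows of Figure 3.8 (link 1 joins A and B, 2 joins B and C, 3 joins A and D, 4 joins B and E, 5 joins C and E, 6 joins D and E); the synchronous rounds, the processing of received tables in link-number order, and all names are this example's own assumptions. Under those assumptions the simulation reproduces every row of Figure 3.8, including the routes where two paths tie; it then breaks link 4, sets the affected costs to infinity as slide 15 describes, and shows the tables reconverging.

```python
# Added example (not from the slides or the Coulouris text): a simulation of the
# distance-vector algorithm of Figure 3.9 plus the fault handling of slide 15.
# Link endpoints below are derived from the cost-1 rows of Figure 3.8; the
# round structure and processing order are assumptions of this example.
from dataclasses import dataclass
from math import inf

LINKS = {1: ("A", "B"), 2: ("B", "C"), 3: ("A", "D"),
         4: ("B", "E"), 5: ("C", "E"), 6: ("D", "E")}


@dataclass
class Row:
    destination: str
    link: object        # link number, or "local" for the router itself
    cost: float         # hop count; inf marks a destination behind a failed link


class Router:
    def __init__(self, name):
        self.name = name
        self.links = {}                               # link number -> neighbour name
        self.faulty = set()                           # links known to be broken
        self.table = {name: Row(name, "local", 0)}    # Tl in Figure 3.9

    def receive(self, tr, n):
        """Figure 3.9 'Receive': merge table Tr arriving on link n into Tl."""
        changed = False
        for incoming in tr.values():
            if incoming.link == n:
                # The sender reaches this destination through us; ignoring the
                # row stops a two-router loop (a split-horizon style check).
                continue
            rr = Row(incoming.destination, n, incoming.cost + 1)   # one more hop, via n
            rl = self.table.get(rr.destination)
            if rl is None:                                          # new destination
                self.table[rr.destination] = rr
                changed = True
            elif rr.cost < rl.cost or rl.link == n:
                # better route, or the neighbour on our current link is authoritative
                changed |= (rr.link, rr.cost) != (rl.link, rl.cost)
                self.table[rr.destination] = rr
        return changed

    def fail_link(self, link):
        """Slide 15: a broken link makes every route through it cost infinity."""
        self.faulty.add(link)
        for row in self.table.values():
            if row.link == link:
                row.cost = inf


def build_network(links):
    routers = {}
    for link, (x, y) in links.items():
        for me, other in ((x, y), (y, x)):
            routers.setdefault(me, Router(me)).links[link] = other
    return routers


def run_until_stable(routers, max_rounds=50):
    """Synchronous 'Send' rounds: every router sends a snapshot of Tl on each
    non-faulty link and receivers process tables in link-number order.
    Returns the number of rounds in which some table changed."""
    for rnd in range(1, max_rounds + 1):
        snapshots = {name: {d: Row(r.destination, r.link, r.cost) for d, r in rt.table.items()}
                     for name, rt in routers.items()}
        changed = False
        for rt in routers.values():
            for n in sorted(rt.links):
                sender = rt.links[n]
                if n in rt.faulty or n in routers[sender].faulty:
                    continue                          # nothing is sent on a failed link
                changed |= rt.receive(snapshots[sender], n)
        if not changed:
            return rnd - 1
    raise RuntimeError("routing tables did not converge")


def fail_link(routers, link):
    for rt in routers.values():
        if link in rt.links:
            rt.fail_link(link)


def tables(routers):
    """Tl of every router as {destination: (link, cost)} for easy comparison."""
    return {name: {d: (r.link, r.cost) for d, r in sorted(rt.table.items())}
            for name, rt in sorted(routers.items())}


def simulate(failed_link=4):
    routers = build_network(LINKS)
    rounds = run_until_stable(routers)
    before = tables(routers)
    fail_link(routers, failed_link)                   # link 4 (B to E) breaks
    rounds_after = run_until_stable(routers)
    return rounds, before, rounds_after, tables(routers)


if __name__ == "__main__":
    rounds, before, rounds_after, after = simulate()
    print(f"converged after {rounds} rounds of change:", before)
    print(f"link 4 failed, reconverged after {rounds_after} round(s):", after)
```

After the failure, A reaches E over link 3 (through D) and B reaches E over link 2 (through C), both still at cost 2, and no table refers to link 4 any more. The `Rr.link ≠ n` test is what keeps B from adopting A's stale route back to E through B itself while the tables are inconsistent.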
16. Network Congestion
When the load at any particular link reaches
capacity, nodes trying to send traffic through that
link will find their traffic blocked. This results in
available buffer space filling up until nodes must
refuse traffic and discard incoming packets. If
this condition is temporary, it is self-correcting as
dropped packets are retransmitted. However, if
congestion is substantial or prolonged, the effect
on network performance is catastrophic.
17. Congestion Control
In general, the approach to controlling congestion is
to inform nodes along the route that congestion is
occurring and to request that those nodes reduce
their rate of packet transmission.
On the Internet, a large portion of packets are
derived from human interaction, and people
become frustrated and cease making requests to
overly busy nodes, which reduces congestion. In
some cases, denial of service attacks have
deliberately congested prominent Internet sites.
18. Firewalls
With the Internet consisting of many nodes
operated by many people, security problems are
inevitable. Commercial enterprises would not wish
employees to have access to gambling and pornography
during working hours. Many trade secrets are in
company files, and industrial espionage must be
discouraged. Viruses, denial of service attacks and
other threats must be contained. One approach to
these problems is to isolate a more trusted domain
from the rest of the Internet. This is done with
hardware and software “firewalls.”
19. Firewall Security Policies
Service Control: Permit some Internet services
to be accessed and deny others.
Behavior Control: Deny activities that violate
the organization’s policies or which open the
organization to attack or compromise.
User Control: Allow only properly identified
persons access to the network, ensure that any
identified users can only access resources that
are permitted to perform their jobs, and keep
audit records to identify improper activities.
20. Implementing a Firewall
Firewalls use different ways to identify
threats:
IP Packet Filtering
TCP Gateways
Application Level Gateways
Gateways are often implemented on
separate computers referred to as
bastions.
21. IP Packet Filters
Packet filters look at address and service
fields in packet headers and block packets
that are addressed to blocked addresses or
are otherwise likely to be problems. They
may block particular ports known to be used
by problematic services. For example, a
firewall may prevent use of NFS servers by
external clients by blocking port 2049.
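A minimal stateless packet filter of the kind this slide describes, as an added example in Python that is not part of the slides or the Coulouris text. The rule table, the address ranges, the interface names and the sample packet headers are all constructed for the example; only the NFS port number 2049 comes from the slide. Rules are checked in order, the first match decides, and anything not matched is denied.

```python
# Added example (not from the slides or the Coulouris text): a stateless packet
# filter that applies address and service rules to packet headers. Rules,
# addresses and sample packets are constructed for the example.
from ipaddress import ip_address, ip_network

PROTECTED = ip_network("10.0.0.0/8")    # constructed: the protected internal network

# Checked in order; the first matching rule decides. None matches any value.
# Fields: (action, direction, protocol, destination port, reason)
RULES = [
    ("deny",  "inbound",  "tcp", 2049, "NFS must not be reachable by external clients"),
    ("deny",  "inbound",  "udp", 2049, "NFS over UDP, same policy"),
    ("allow", "inbound",  "tcp", 80,   "public web server"),
    ("allow", "outbound", None,  None, "internal hosts may initiate connections"),
]
DEFAULT_ACTION = ("deny", "no rule matched: default deny")


def decide(pkt):
    """Return (action, reason) for one packet header.

    pkt has iface ("external" or "internal"), src, dst, proto and dst_port.
    """
    src_internal = ip_address(pkt["src"]) in PROTECTED
    # Address check: a packet arriving on the external interface must never
    # carry an internal source address, so it is dropped before the rules run.
    if pkt["iface"] == "external" and src_internal:
        return "deny", "internal source address arriving from outside (spoofed)"
    direction = "inbound" if pkt["iface"] == "external" else "outbound"
    for action, rdir, proto, port, reason in RULES:
        if rdir is not None and rdir != direction:
            continue
        if proto is not None and proto != pkt["proto"]:
            continue
        if port is not None and port != pkt["dst_port"]:
            continue
        return action, reason
    return DEFAULT_ACTION


def filter_packets(packets):
    """Actions for a list of packet headers, in order."""
    return [decide(p)[0] for p in packets]


# Constructed sample headers; 203.0.113.0/24 is a documentation range standing in for "the Internet".
SAMPLE_PACKETS = [
    {"iface": "external", "src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dst_port": 2049},
    {"iface": "external", "src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dst_port": 80},
    {"iface": "external", "src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dst_port": 22},
    {"iface": "internal", "src": "10.0.0.7",    "dst": "203.0.113.9", "proto": "tcp", "dst_port": 443},
    {"iface": "external", "src": "10.0.0.7",    "dst": "10.0.0.5", "proto": "udp", "dst_port": 53},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["iface"], pkt["src"], "->", pkt["dst"], pkt["proto"], pkt["dst_port"], decide(pkt))
```

A filter like this sees each packet on its own: it cannot tell a reply to a connection an internal host opened from a fresh connection attempt from outside, which is why the outbound rule here is so broad. Tracking connections is the job of the TCP gateway on the following slides.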
23. TCP Gateway
A TCP Gateway process checks all
requests to connect or transmit data. It
ensures that TCP segments are formatted
correctly and that the connections can be
controlled. If desired, the connection
requests are then passed to an
application-level gateway for content
checking.
24. Application Level Gateway
An Application Level Gateway acts as a
proxy for an application process. For
example, if an application wants to perform
an action like making a connection, it can
request the Gateway to do that instead. By
denying direct access to the activity, the
Gateway can verify addresses and data
and perform security checks.
25. Bastions
When gateway processes are required, they are
often run on a separate computer called a bastion
(i.e. fortress). Where security needs are strict, the
bastion can be located in a subnet that controls all
access to the protected network, with a router on
the protected network and another on the network it
is being protected from. This can hide all the
addresses and even the existence of the hosts on
the protected network from the rest of the world,
and also provides a second router if the security on
the first fails.
26. Figure 3.21 Firewalls
[Diagram from Coulouris et al, not reproduced in this text. Three arrangements are shown, each with the Internet on one side and a protected intranet with a web/ftp server on the other:
a) Filtering router: a single router/filter between the Internet and the protected intranet.
b) Filtering router and bastion: a router/filter (R/filter) together with a bastion.
c) Screened subnet for bastion: the bastion on its own subnet between two R/filters.]
27. Virtual Private Networks (VPN)
The protection of a firewall boundary can be
extended beyond the protected network by use
of a Virtual Private Network. This combines
encryption, tunneling, and secure authentication
to create a protected link between secure
systems across a public network.
A VPN connection increases system overhead
and reduces throughput, so it may not be
practical if high performance is required.
31. Bibliography
George Coulouris, Jean Dollimore and Tim
Kindberg, Distributed Systems, Concepts and
Design, Addison Wesley, Fourth Edition, 2005
Figures from the Coulouris text are from the
instructor’s guide and are copyrighted by
Pearson Education 2005
Router illustrations and product information from
CISCO and Linksys Web sites