2. What are we selling?
Customer satisfaction! It's all about customer satisfaction.
3. Agenda
Introduction
What is a network
OSI 7 layer model
The physical layer and the data link layer
The network layer – IP
The transport layer
The application (and session and presentation) layers
End to end – full stack
Advanced issues
Security
MPLS
Signaling
4. Networking
Communication between two or more devices.
Parts required for networking:
Host
Computer, networked printer, etc.
Sends data to, and receives data from, the network card
Card (network interface)
Every card on a network has to have a unique address
The card breaks outgoing data into packets and addresses them
The card receives packets addressed to it and re-assembles the packets into data
Wire
Transmits packets across the network
For this discussion this includes all wires, radios and devices between network cards (including hubs, switches, access points, etc.)
5. 5 Basic Components
Every communication system has 5 basic requirements
•Data Source (where the data originates)
•Transmitter (device used to transmit data)
•Transmission Medium (cable, or non-cable such as radio)
•Receiver (device used to receive data)
•Destination (where the data will be placed)
6. NETWORKS: categorized by size
•LAN – a network that connects computers in a limited geographical area (a room, a building or a campus).
•MAN – a backbone that connects LANs in a metropolitan area such as a city and handles the bulk of communications activity across that region.
•WAN – covers a large geographical area such as a country or a continent. Communication channels include leased telephone lines, microwave links, satellites, etc.
•PAN – a personal area network: the few devices within reach of one person (e.g. a phone and its Bluetooth accessories).
7. What is a standard ?
A standard specification is an explicit set of
requirements for an item, material, component, system or
service. It is often used to formalize the technical aspects
of a procurement agreement or contract.
A technical standard is an
established norm or requirement about
technical systems. It is usually a formal document that
establishes uniform engineering or technical criteria,
methods, processes and practices. In contrast, a
custom, convention, company product, corporate standard,
etc. which becomes generally accepted and dominant is
often called a de facto standard.
10. OSI 7 Layer Model
OSI - Open Systems Interconnection (Basic Reference Model)
Each layer is an independent set of protocols
Each layer can be changed independently of the others
Layers, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical
11. 5 Layer model
OSI layer → 5-layer (TCP/IP) model:
Application, Presentation, Session → Application
Transport → Transport
Network → Network
Data Link → Data Link
Physical → Physical
12. OSI Layers
OSI Model
Data unit | Layer | Function
Data | 7. Application | Network process to application
Data | 6. Presentation | Data representation, encryption and decryption
Data | 5. Session | Interhost communication
Segments | 4. Transport | End-to-end connections and reliability, flow control
Packet | 3. Network | Path determination and logical addressing
Frame | 2. Data Link | Physical addressing
Bit | 1. Physical | Media, signal and binary transmission
Going from layer 7 to 1: All People Seem To Need Data Processing
13. The flow
Diagram: a browser on a host (labelled Samuel) calls read(s1, dataBlock) while the web site on the web server calls send(s2, dataBlock). The data block is carried as pieces 1 2 3 4 5 down through Transport (TCP), Network (IP), Link (WLAN) and Physical on each end host; the router in between implements only Physical, Link and Network (IP) and forwards the pieces without a transport layer.
14. 5 Layer model (TCP/IP)
Application – represents the end user and the application in use (mail, browsing, FTP, etc.)
Transport (TCP) – end-to-end message transfer, along with error control, fragmentation and flow control.
Network (AKA Internet; IP) – responsible for getting packets of data from source to destination.
Link – the processes of transmitting and receiving packets on a given link layer
16. Layer1: Physical Layer
The Physical Layer defines the electrical and
physical specifications for devices. In particular,
it defines the relationship between a device
and a physical medium.
This includes pin layouts, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters, and more.
18. Wire Types (cont.)
Fiber
10/100/1000/10,000 Mb/s
Single-mode – long haul (20 km and more)
Multi-mode – short haul (up to about 3 km); what we use
Carries light, not electricity
Wireless
Nominal speeds 11 Mb/s (802.11b) and 54 Mb/s (802.11a/g); usable rates about 7 and 27 Mb/s
Because of medium-access overhead, acknowledgements, encryption and connection upkeep, available bandwidth is about half of the stated speed
Common "mediums"
Infrared (IR)
Microwave (long distances)
Radio
Licensed/private
Unlicensed (802.11b/g/a)
19. Twisted Pair Cables
• Unshielded Twisted Pair Cable (UTP)
• most popular
• maximum length 100 m
• more susceptible to noise
• EIA/TIA 568 Commercial Building Wire Standard
Category 1 | Voice transmission of traditional telephone
Category 2 | For data up to 4 Mbps, 4 pairs full-duplex
Category 3 | For data up to 10 Mbps, 4 pairs full-duplex
Category 4 | For data up to 16 Mbps, 4 pairs full-duplex
Category 5 | For data up to 100 Mbps, 4 pairs full-duplex
Category 6 | For data up to 1000 Mbps, 4 pairs full-duplex
20. Shielded Twisted Pair Cable (STP)
• Shielding to reduce crosstalk
• Crosstalk: signal from one line getting mixed with signals from another line
• Connector
• RJ-45 computer connector (8 wires)
Pin | T568A | T568B
1 | Rx+ | Tx+
2 | Rx- | Tx-
3 | Tx+ | Rx+
4 | Unused | Unused
5 | Unused | Unused
6 | Tx- | Rx-
7 | Unused | Unused
8 | Unused | Unused
21. Straight and Cross connections
Diagram (three cases):
Case 1: computer to computer, one end wired T568A and the other T568B: cross-over cable
Case 2: computer to wall plate, both ends T568B: straight-through cable
Case 3: computer to hub, both ends T568B: straight-through cable (the diagram also marks a cross-over cable on the link between the two other devices)
24. Layer 2: Data Link Layer
The Data Link Layer provides the functional
and procedural means to transfer data
between network entities and to detect and
possibly correct errors that may occur in the
Physical Layer.
Originally, this layer was intended for
point-to-point and point-to-multipoint media,
characteristic of wide area media in the
telephone system.
The data link layer is divided into two
sub-layers by IEEE.
25. Layer 2: MAC & LLC
Layer 2 sub-layers:
Media Access Control (MAC)
Logical Link Control (LLC)
MAC is the lower sub-layer; it defines how the shared medium is accessed, e.g. CSMA/CD and CSMA/CA (Carrier Sense Multiple Access with Collision Detection / Collision Avoidance).
LLC provides a uniform data transmission service over different network types: it re-packages the data and adds a new header.
26. The Channel Access Problem
Multiple nodes share a channel (diagram: nodes A, B and C on one medium)
Pairwise communication desired
Simultaneous communication not possible
MAC protocols
Suggest a scheme to schedule communication
Maximize number of communications
Ensure fairness among all transmitters
27. The Trivial Solution
(diagram: A, B and C; two transmissions overlap on the channel: collision)
Transmit and pray
Plenty of collisions --> poor throughput at high load
28. The Simple Fix
(diagram: A, B and C; a node that senses a signal on the channel does not transmit)
Listen before you talk
Carrier sense multiple access (CSMA)
Defer transmission when a signal is sensed on the channel
Can collisions still occur?
29. CSMA collisions
(diagram: spatial layout of nodes along the cable)
Collisions can still occur:
the propagation delay between transmitters is non-zero, so a node may sense an idle channel while another node's signal is still on its way
When a collision happens:
the entire packet transmission time is wasted
note:
the distance between nodes, and hence the propagation delay, determines the collision probability
30. CSMA/CD (Collision Detection)
Keep listening to the channel while transmitting
If (Transmitted_Signal != Sensed_Signal)
the sender knows it is a collision
ABORT
31. 2 Observations on CSMA/CD
The transmitter can send and listen concurrently
If (Transmitted - Sensed) is null, then success
The signal is identical at Tx and Rx
Non-dispersive
The TRANSMITTER can detect if and when a collision occurs
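As an added example (not from the slides; the signal speed, window and distances are assumptions chosen for illustration), a small Python model of slides 29 to 31: two stations that both sensed an idle channel collide if their start times differ by less than the propagation delay, so the collision probability grows with distance, and CSMA/CD only works if a frame lasts longer than the round-trip delay.

```python
import math
import random

# Assumption for the model: signal speed in copper about two thirds of c.
SIGNAL_SPEED_M_PER_S = 2.0e8


def propagation_delay(distance_m, speed=SIGNAL_SPEED_M_PER_S):
    """Seconds a signal needs to travel distance_m between two stations."""
    return distance_m / speed


def csma_collision(start_a, start_b, tau):
    """Both stations sensed an idle channel and started sending. They collide
    if the second start happens before the first station's signal has reached
    the second one, i.e. the start times differ by less than tau."""
    return abs(start_a - start_b) < tau


def collision_probability_exact(tau, window):
    """Probability that two start times drawn uniformly from [0, window]
    fall within tau of each other: P = 1 - (1 - tau/window)^2 for tau < window."""
    if tau >= window:
        return 1.0
    return 1.0 - (1.0 - tau / window) ** 2


def simulate_collision_rate(tau, window, trials=100_000, seed=1):
    """Monte Carlo estimate of the same probability (fixed seed, repeatable)."""
    rng = random.Random(seed)
    hits = sum(csma_collision(rng.uniform(0, window), rng.uniform(0, window), tau)
               for _ in range(trials))
    return hits / trials


def min_frame_bytes_for_detection(distance_m, bitrate_bps):
    """CSMA/CD needs the sender to still be transmitting when the collision
    signal comes back, so a frame must last at least 2*tau.
    Simplified model: cable delay only, no repeater delays."""
    bits = 2 * propagation_delay(distance_m) * bitrate_bps
    return math.ceil(bits / 8)


def compare_distances(distances_m, window=1e-4):
    """Collision probability per station distance when both stations become
    ready within the same 100 microsecond window."""
    return {d: collision_probability_exact(propagation_delay(d), window)
            for d in distances_m}
```

For a 10 Mb/s segment of 2500 m the model gives a 32-byte minimum frame; real Ethernet uses 64 bytes because repeaters and interface delays add to the pure cable delay.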
32. Unfortunately …
Neither observation holds for wireless
Because …
38. Ethernet II (DIX) Framing
A frame is the unit of transmission in a link layer protocol, and consists of
a link-layer header followed by a packet.
MAC Addresses are 48-bit (6 byte) identifiers unique to each NIC.
EtherType (2 byte/16-bit) describes which protocol is encapsulated in the
frame data – IPv4, IPv6, IBoE, FCoE, etc.
(http://standards.ieee.org/regauth/ethertype/eth.txt)
39. There is a "small problem"
IEEE 802.3 Frame Format
Field: Preamble | Start frame delimiter | Dest. Addr | Source Addr | Length | Data | FCS
Size: 7 bytes | 1 byte | 2/6 bytes | 2/6 bytes | 2 bytes | 46 - 1500 bytes | 4 bytes
The problem: IEEE 802.3 puts a Length field where Ethernet II puts the EtherType. Receivers tell the two apart by value: 1500 or less is a length, 1536 (0x0600) or more is a type.
40. MAC Header, Source/Destination addresses
MAC Addresses are 48-bit (6 byte) identifiers unique to each Network Interface.
• Individual/Group Address Bit
• Universally/Locally administered address bit
• Organizationally unique identifier (OUI, a 22-bit field assigned by the IEEE)
(bits 3-24)
• NIC-specific unique address (OUA, a 24-bit number assigned by the
manufacturer)
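As an added example (not from the slides), a Python parser for the 14-byte header of slides 38 to 40: it resolves the Length-versus-EtherType ambiguity by value and decodes the I/G bit, U/L bit, OUI and NIC-specific part of each MAC address. The two sample frames are constructed inline, not captured traffic.

```python
import struct

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN tag"}
MIN_PAYLOAD = 46  # minimum Ethernet payload; shorter data is padded to this


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def decode_mac(mac: bytes) -> dict:
    """Split a 48-bit MAC into the fields the slide lists: I/G and U/L bits
    in the first octet, OUI in the first three octets, NIC part in the last three."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    first = mac[0]
    return {
        "address": mac_to_str(mac),
        "group": bool(first & 0x01),                 # 1 = multicast/broadcast
        "locally_administered": bool(first & 0x02),  # 1 = not from the IEEE OUI space
        "oui": mac[:3].hex(),
        "nic_specific": mac[3:].hex(),
    }


def parse_ethernet(frame: bytes) -> dict:
    """Parse the header and resolve the Ethernet II / 802.3 ambiguity:
    bytes 12-13 are an 802.3 length if <= 1500 and an Ethernet II type if >= 1536."""
    if len(frame) < 14 + MIN_PAYLOAD:
        raise ValueError("frame shorter than the 60-byte minimum (without FCS)")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if type_or_len <= 1500:
        if type_or_len > len(payload):
            raise ValueError("802.3 length field exceeds frame size")
        kind, payload = "802.3 length", payload[:type_or_len]
    elif type_or_len >= 1536:
        kind = "Ethernet II type"
    else:
        kind = "undefined (1501-1535)"
    return {
        "dst": decode_mac(dst),
        "src": decode_mac(src),
        "kind": kind,
        "type_or_length": type_or_len,
        "protocol": ETHERTYPE_NAMES.get(type_or_len, "unknown") if kind == "Ethernet II type" else None,
        "payload": payload,
    }


# Constructed sample frames (not captures): a broadcast Ethernet II frame
# carrying IPv4, and an 802.3 frame whose length field says 46 bytes and
# whose source address is locally administered.
ETHERNET_II_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001a2b3c4d5e")
                     + bytes.fromhex("0800") + bytes([0x45, 0x00]) + b"\x00" * 44)
DOT3_FRAME = (bytes.fromhex("001a2b3c4d5e") + bytes.fromhex("021a2b3c4d5f")
              + (46).to_bytes(2, "big") + b"\xaa" * 46)
```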
42. Bridge
Large networks can be separated into two or more smaller networks using a bridge.
This is done to increase speed and efficiency. This type of network is called a segmented LAN. Bridges have largely been superseded by switches, which forward data straight to the port of the destination computer and thus avoid the bottlenecks that bridges were designed to fix.
(diagram: Bridge)
43. Gateway
Often used to connect a LAN with a WAN.
Gateways join two or more different networks together.
Gateway
44. Repeater
Signal attenuation is corrected by repeaters that
amplify signals in physical cabling.
Repeaters are part of the network medium (Layer 1).
In theory, they are dumb devices functioning entirely
without human intervention. However, some
repeaters now offer higher-level services to assist
with network management and troubleshooting.
46. Layer 3: Network Layer
The Network Layer provides the functional
and procedural means of transferring variable
length data sequences from a source to a
destination via one or more networks, while
maintaining the quality of service requested
by the Transport Layer.
47. Layer 3: Network Layer
The Network Layer
performs network routing functions,
performs fragmentation and reassembly,
reports delivery errors.
Routers operate at this layer, sending data throughout the extended network and making the Internet possible.
49. IP v.4 header
Version (4 bits) – 4 for IPv4 (an IPv6 packet carries 6 here)
Hlen (4 bits) - header length in 32 bit words; without options (the usual case) = 5, i.e. 20 bytes
Type of Service (TOS 8 bits): now used for QoS (DSCP/ECN)
Total length (16 bits) - length of datagram in bytes, includes header and data
Identification (16 bits), Flags (3 bits: DF, MF) and Fragment offset (13 bits) - used to fragment and reassemble datagrams (see Fragmentation below)
Time to live (TTL 8 bits) - specifies how long the datagram is allowed to remain in the internet (a hop count, decremented by every router; the datagram is discarded when it reaches 0)
Protocol (8 bits) - specifies the format of the data area
Protocol numbers administered by a central authority (IANA) to guarantee agreement, e.g. ICMP=1, TCP=6, UDP=17 …
Header checksum (16 bits) - covers the header only; then source and destination address (32 bits each)
50. IP Address
Unique addresses in the world
An IP address is 32 bits, noted in dotted decimal notation: 192.78.32.2
Host and Prefix Part
An IP address has a prefix and a host part:
prefix:host
The prefix identifies a subnetwork
used for locating a subnetwork – routing
The prefix is usually identified in a host using a "subnet mask"
51. Using a mask: address + mask
the mask is the dotted decimal representation of
the string made of : 1 in the prefix, 0 elsewhere
bit wise address & mask gives the prefix
example 1: 128.178.156.13 mask 255.255.255.0
here: prefix is 128.178.156.0
example 2: 129.132.119.77 mask 255.255.255.192
Q1: what is the prefix ?
Q2: how many host ids can be allocated ?
52. Address + Mask (example 2)
129.132.119.77 mask 255.255.255.192
▪ Q1: what is the prefix? A: 129.132.119.64
address 129.132.119.77 = 1000 0001 1000 0100 0111 0111 0100 1101
mask 255.255.255.192 = 1111 1111 1111 1111 1111 1111 1100 0000 (26 one-bits, 6 zero-bits: 2^6 = 64 addresses)
address & mask = 1000 0001 1000 0100 0111 0111 0100 0000 = 129.132.119.64
▪ Q2: how many host ids can be allocated?
▪ A: 64 (minus the 2 reserved addresses, network and broadcast: 62)
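As an added example (not from the slides), Python that performs the address & mask computation of slides 51 and 52 for any dotted-quad address and mask, and also checks that the mask is contiguous, which the slides assume but a parser must verify.

```python
def ip_to_int(dotted: str) -> int:
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {dotted}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask: str) -> int:
    """Number of leading 1 bits; rejects masks whose 1s are not contiguous
    (e.g. 255.255.0.255), which would make the prefix meaningless."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF
    if inverted & (inverted + 1):          # contiguous iff the inverted mask is 2^k - 1
        raise ValueError(f"non-contiguous mask: {mask}")
    return 32 - inverted.bit_length()


def prefix_of(address: str, mask: str) -> str:
    """Bitwise address & mask, exactly as on the slide."""
    prefix_length(mask)                    # validates the mask
    return int_to_ip(ip_to_int(address) & ip_to_int(mask))


def broadcast_of(address: str, mask: str) -> str:
    return int_to_ip(ip_to_int(address) | (~ip_to_int(mask) & 0xFFFFFFFF))


def usable_hosts(mask: str) -> int:
    host_bits = 32 - prefix_length(mask)
    if host_bits == 0:
        return 1
    if host_bits == 1:
        return 2                           # RFC 3021 point-to-point /31
    return 2 ** host_bits - 2              # minus network and broadcast addresses


def same_subnet(a: str, b: str, mask: str) -> bool:
    return prefix_of(a, mask) == prefix_of(b, mask)


def to_binary(dotted: str) -> str:
    """Render the way the slide does: four groups of eight bits."""
    value = ip_to_int(dotted)
    return " ".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))
```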
57. Major Changes and Additions in IPv6
● Larger Address Space: addresses are 128 bits long instead of 32 bits.
● Hierarchical Assignment of Addresses: allows multiple levels of network and subnetwork hierarchy, both at the ISP and at the organizational level.
● Better Support for Non-Unicast Addressing: support for multicasting is improved, and a new type of addressing is added: anycast addressing.
● Auto-configuration and Renumbering: auto-configuration of hosts, and renumbering of the IP addresses in networks and subnetworks as needed.
● New Datagram Format: the main header of each IP datagram has been streamlined, and support added for easily extending the header for datagrams requiring more control information.
● Improved Support for Quality of Service and Security
● Updated Fragmentation and Reassembly Procedures: fragmentation is now done only by the sending host, never by routers, which improves the efficiency of routing.
● Modernized Routing Support: the IPv6 protocol supports modern routing systems and allows expansion as the Internet grows.
60. IP v.6 header
Version (4 bits) – 6
Traffic Class (8 bits) - traffic priority/delivery value (the IPv6 counterpart of TOS).
Flow Label (20 bits) - used for specifying special router handling from source to destination(s) for a sequence of packets.
Payload Length (16 bits) - specifies the length of the data following the fixed 40-byte header (extension headers included).
Next Header (8 bits) - identifies what follows the fixed header: an extension header or the transport protocol, using the same numbers as the IPv4 Protocol field.
Hop Limit (8 bits) - the same as TTL in IPv4.
Source address: 16 bytes.
Destination address: 16 bytes.
There is no header checksum and there are no fragmentation fields in the fixed header; both were dropped to keep forwarding simple.
61. IPv6 address – 128 bit
An IPv6 address is made of two parts: a 64-bit prefix and a 64-bit suffix (the interface ID).
The prefix has a hierarchical structure that depends on the format prefix (FP):
FP | TLA | NLA | SLA
FP – Format Prefix
TLA – Top-Level Aggregator
NLA – Next-Level Aggregator
SLA – Site-Level Aggregator
suffix: Interface ID
Link-local address (mandatory) is unique within a "link":
1111111010 (10 bits) | 54 '0' bits | 64-bit suffix
62. IPv6 Autoconfiguration and Renumbering
RFC 2462, IPv6 Stateless Address Autoconfiguration.
IPv6 includes a stateless address autoconfiguration feature, which allows a host to determine its own IPv6 address from its Layer 2 address.
The concept: a device generates a temporary (link-local) address until it can determine the characteristics of the network it is on, then creates a permanent address it can use based on that information.
In the case of multi-homed devices: autoconfiguration is performed for each interface separately.
Stateless address autoconfiguration:
No central server needed to aid in address configuration
The node forms its own suffix and checks that it is unique on the link (duplicate address detection)
The node obtains prefix(es) from the nearest router
Stateful address autoconfiguration:
A central server allocates full addresses to nodes on request
DHCPv6 is the current protocol for stateful address autoconfiguration
63. IPv6 Extended Unique Identifier (EUI-64)
RFC 2464
IPv6 link-local addresses and statelessly autoconfigured addresses on Ethernet networks derive their interface ID from the MAC address
The link-layer address is also carried in Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement and Redirect messages
48-bit MAC address → 64-bit IPv6 EUI: the three OUI octets and the three NIC-specific octets are separated by the inserted bytes FF FE, and the universal/local bit (0x02 of the first octet) is inverted
64. IPv6 address Types
Unicast (1:1)
communicates with one specified computer
Anycast addresses:
delivered to the nearest node of a set of nodes
RFC 4291 currently specifies the following restrictions on anycast addresses:
An anycast address must not be used as the source address of a packet.
An anycast address may only be assigned to a router, so anycast is currently only used to address routers.
Multicast (1:n)
communicates with a group of computers
No more broadcast in use (replaced by multicast, e.g. the all-nodes group ff02::1)
65. Representation of IPv6 addresses
Colon hexadecimal notation -
805B:2D9D:DC28:0000:0000:FC57:D4C8:1FFF
Leading zeroes can be suppressed in the notation
805B:2D9D:DC28:0:0:FC57:D4C8:1FFF
Zero Compression in IPv6 Addresses
805B:2D9D:DC28::FC57:D4C8:1FFF
The double-colon can appear only once in any IPv6 address (otherwise the number of suppressed zero groups would be ambiguous).
IPv6 addresses can embed IPv4. The notation has the first 96 bits in
colon hex notation, and the last 32 bits in dotted decimal. eg
::212.200.31.255
Prefix notation can be used as with classless IPv4 addressing with
CIDR.
Example: 805B:2D9D:DC28::FC57:D4C8:1FFF/48
66. So why isn't it here yet?
No clear move to IPv6
Lack of smooth migration plans
Investments in IPv4
Software availability - available from Microsoft Windows XP SP2 onwards
Developments in IPv4 that relieved the address shortage:
Use of NAT
CIDR
Planning of hierarchies and use of Autonomous Systems
IPsec implemented in IPv4
Other points
Router upgrades to handle IPv6 – OSPFv3
67. IPv6/IPv4 Servers
Dual Server
The most important issue will be to create servers that handle both IPv4 and IPv6
The server operating system will contain protocol stacks for both IPv4 and IPv6
Diagram: an IPv4 client (TCP / IPv4 / Datalink) and an IPv6 client (TCP / IPv6 / Datalink) both talk to one dual-stack server whose stack is TCP over both IPv4 and IPv6 on a single Datalink layer.
68. Tunneling IPv6 over IPv4
Native IPv6 packet: IPv6 Header | Transport Header | Data
Diagram: IPv6 Host – IPv6 Network – Dual-Stack Router – IPv4 Network – Dual-Stack Router – IPv6 Network – IPv6 Host
Tunnel: IPv6 in IPv4 packet, between the two dual-stack routers
Tunneled packet: IPv4 Header | IPv6 Header | Transport Header | Data
IPv6 can operate within a closed or private network environment
Currently, traffic across public networks such as the Internet has to cross an IPv4 domain
IPv6 packets can be encapsulated within IPv4 (the outer IPv4 header carries Protocol = 41)
Encapsulated packets can then travel transparently across an IPv4 routing domain
Tunneling can be used by routers and hosts
69. Network Address Translation (NAT)
Possible solution to address space exhaustion
Kludge (but useful)
Sits between your network and the Internet
Translates local network layer addresses to global IP addresses
Has a pool of global IP addresses (fewer than the number of hosts on your network)
Uses reserved private addresses (RFC 1597, now RFC 1918) locally:
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
70. NAT Illustration
Diagram: the NAT sits between the private network and the Internet and holds a pool of global IP addresses. A packet leaving the private network carries Source = Sp (private), Destination = Dg; after translation it carries Source = Sg (global), Destination = Dg.
• Operation: Source (S) wants to talk to Destination (D):
• Create an Sg–Sp mapping
• Replace Sp with Sg in outgoing packets
• Replace Sg with Sp in incoming packets
• How many hosts can have active transfers at one time? (At most as many as there are addresses in the pool.)
71. Problems with NAT
What if we only have a few (or just one) IP address?
Use a Network Address & Port Translator (NAPT)
NAPT translates:
addr_private + flow info (port) to addr_global + new flow info (a new port)
Uses TCP/UDP port numbers to tell the flows apart
Potentially thousands of simultaneous connections with one global IP address
72. Problems with NAT
Hides the internal network structure
Some consider this an advantage
Some protocols carry addresses in their payload
E.g., FTP carries addresses in text (the PORT command)
What is the problem? The NAT must rewrite the payload too, which changes its length and therefore the transport protocol headers (sequence numbers, port number & checksum)
Encryption: the NAT cannot read or rewrite addresses inside an encrypted payload, and integrity-protected headers (IPsec AH) fail verification after translation
No inbound connections: a packet arriving from outside is dropped unless an inside host created the mapping first
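As an added example (not from the slides), a Python model of the NAPT of slides 70 to 72: outbound flows get a fresh port on the single global address, replies are mapped back, and an unsolicited inbound packet with no mapping is dropped. Packets are plain dictionaries and the addresses are constructed samples from the documentation ranges.

```python
class Napt:
    """Network Address and Port Translator with one global address.

    Outbound flows are keyed on (private IP, private port, protocol) and mapped
    to a fresh port on the global address; inbound packets are accepted only if
    they match an existing mapping, which is why no inbound connection can be
    opened through a NAPT without prior outbound traffic (or a static mapping)."""

    def __init__(self, global_ip, first_port=40000, last_port=60000):
        self.global_ip = global_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound_map = {}   # (priv_ip, priv_port, proto) -> global port
        self.inbound_map = {}    # (global port, proto) -> (priv_ip, priv_port)

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("NAPT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, pkt):
        """Replace the private source address and port; create the mapping on first use."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.outbound_map:
            gport = self._allocate_port()
            self.outbound_map[key] = gport
            self.inbound_map[(gport, pkt["proto"])] = (pkt["src"], pkt["sport"])
        # A real NAPT now recomputes the IP header checksum and the TCP/UDP
        # checksum, since both cover the fields rewritten here.
        return dict(pkt, src=self.global_ip, sport=self.outbound_map[key])

    def translate_inbound(self, pkt):
        """Map a packet for the global address back to the inside host, or drop it."""
        key = (pkt["dport"], pkt["proto"])
        if pkt["dst"] != self.global_ip or key not in self.inbound_map:
            return None              # unsolicited: no mapping, packet dropped
        priv_ip, priv_port = self.inbound_map[key]
        return dict(pkt, dst=priv_ip, dport=priv_port)


def packet(proto, src, sport, dst, dport):
    """Constructed packet: only the five fields a NAPT looks at."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
```

Two inside hosts using the same private port get different global ports, and a reply to a port that was never mapped, or for the wrong protocol, is dropped.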
74. Fragmentation
IP packets can be up to 65,535 bytes (64 KB)
Different link layers have different MTUs (Maximum Transmission Unit; Ethernet = 1500 bytes)
Split an IP packet into multiple fragments
IP header on each fragment (same Identification; Fragment offset counted in 8-byte units; the MF flag set on all fragments but the last)
An intermediate router may fragment as needed (unless the DF flag is set)
76. Reassembly
Where to do reassembly?
End nodes
Avoids unnecessary work where large packets are fragmented multiple times
Dangerous to do at intermediate nodes
How much buffer space is required at routers?
What if routes in the network change?
Multiple paths through the network
All fragments are only guaranteed to pass through the destination
77. IP Fragmentation and Reassembly
One large datagram becomes several smaller datagrams (example: a 4000-byte datagram with a 20-byte header, i.e. 3980 bytes of data, over a 1500-byte MTU; offsets are in 8-byte units):
length=4000 ID=x fragflag=0 offset=0
becomes
length=1500 ID=x fragflag=1 offset=0 (1480 data bytes)
length=1500 ID=x fragflag=1 offset=185 (1480 data bytes; 185*8 = 1480)
length=1040 ID=x fragflag=0 offset=370 (the remaining 1020 data bytes; 370*8 = 2960)
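As an added example (not from the slides), Python that builds IPv4 headers with the fields of slide 49 and performs the fragmentation of slide 77 and the end-host reassembly of slide 76: fragments may themselves be fragmented again by a later router, and reassembly rejects gaps and overlapping fragments (the pattern the old teardrop attack used) instead of guessing. The addresses and payload are constructed samples.

```python
import struct
from ipaddress import IPv4Address

HEADER_LEN = 20  # fixed IPv4 header without options


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, payload, ident, proto=17, ttl=64, df=False, mf=False, offset_units=0):
    """Header + payload; flags DF/MF and the 13-bit offset (8-byte units) share one 16-bit field."""
    flags_offset = (df << 14) | (mf << 13) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, HEADER_LEN + len(payload), ident,
                         flags_offset, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:HEADER_LEN])
    vihl, _, total_len, ident, flags_offset, ttl, proto, _, src, dst = fields
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < HEADER_LEN or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if checksum(pkt[:ihl]) != 0:          # a valid header sums to zero with its checksum
        raise ValueError("bad header checksum")
    return {"ident": ident, "df": bool(flags_offset & 0x4000), "mf": bool(flags_offset & 0x2000),
            "offset_units": flags_offset & 0x1FFF, "ttl": ttl, "proto": proto,
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "total_len": total_len, "payload": pkt[ihl:total_len]}


def fragment(pkt: bytes, mtu: int) -> list:
    """Split a datagram (or an existing fragment) into fragments that fit the MTU."""
    h = parse_ipv4(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if h["df"]:
        raise ValueError("DF set: a router must drop this and send ICMP 'fragmentation needed'")
    step = (mtu - HEADER_LEN) // 8 * 8   # every fragment but the last carries a multiple of 8 bytes
    if step <= 0:
        raise ValueError("MTU too small for any payload")
    data, frags = h["payload"], []
    for pos in range(0, len(data), step):
        chunk = data[pos:pos + step]
        last = pos + len(chunk) == len(data)
        frags.append(build_ipv4(h["src"], h["dst"], chunk, h["ident"], h["proto"], h["ttl"],
                                mf=h["mf"] or not last, offset_units=h["offset_units"] + pos // 8))
    return frags


def reassemble(frags: list) -> bytes:
    """End-host reassembly. Fragments must tile the payload exactly: a gap, an
    overlap or a missing last fragment is rejected rather than patched over."""
    if not frags:
        raise ValueError("no fragments")
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda h: h["offset_units"])
    if len({(h["src"], h["dst"], h["ident"], h["proto"]) for h in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data, expected = b"", 0
    for h in parsed:
        if h["offset_units"] != expected:
            raise ValueError("gap or overlap between fragments")
        data += h["payload"]
        expected = h["offset_units"] + len(h["payload"]) // 8
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing")
    first = parsed[0]
    return build_ipv4(first["src"], first["dst"], data, first["ident"], first["proto"], first["ttl"])
```

With a 3980-byte payload and a 1500-byte MTU the fragments come out exactly as on slide 77 (1500, 1500 and 1040 bytes at offsets 0, 185 and 370), and fragmenting the first of them again over a 1000-byte link still reassembles to the original datagram.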
78. Fragmentation is Harmful
Uses resources poorly
Forwarding costs per packet
Best if we can send large chunks of data
Worst case: packet just bigger than MTU
Poor end-to-end performance
Loss of a fragment
Reassembly is hard
Buffering constraints
79. Path MTU Discovery
Hosts dynamically discover the minimum MTU of a path
Algorithm:
Initialize the MTU to the MTU of the first hop
Send datagrams with the Don't Fragment bit set
If an ICMP "packet too big" (fragmentation needed) message arrives, decrease the MTU
What happens if the path changes?
Periodically (>5 mins, or >1 min after a previous increase), try a larger MTU again
Some routers return the proper next-hop MTU in the ICMP message (RFC 1191); with older routers that do not, the host steps down through a table of common MTU values
MTU values are cached in the routing table, per destination
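As an added example (not from the slides), a Python simulation of the algorithm on slide 79: the path is a constructed list of link MTUs, each router either reports its next-hop MTU or (older router) only says "too big", and the host then falls back to the RFC 1191 plateau table. A small cache models the per-destination entry and the periodic retry with a larger size.

```python
# RFC 1191 section 7.1 plateau table, used when the ICMP message carries no next-hop MTU.
PLATEAUS = [65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68]
MIN_IPV4_MTU = 68
RETRY_INCREASE_AFTER_S = 600   # the slide's ">5 min" before probing a larger MTU again


def next_lower_plateau(mtu: int) -> int:
    candidates = [p for p in PLATEAUS if p < mtu]   # PLATEAUS is descending
    if not candidates:
        raise ValueError("no smaller plateau")
    return candidates[0]


def send_with_df(path, size):
    """Model of a path: a list of (link_mtu, router_reports_mtu) pairs. A datagram
    with DF set is dropped at the first link it does not fit; the router returns
    ICMP 'fragmentation needed' with the next-hop MTU only if it implements RFC 1191."""
    for link_mtu, reports_mtu in path:
        if size > link_mtu:
            return "too_big", (link_mtu if reports_mtu else None)
    return "delivered", None


def discover_path_mtu(path, first_hop_mtu):
    """Returns the discovered MTU and the list of (size sent, result, hint) steps."""
    mtu, steps = first_hop_mtu, []
    while True:
        result, hint = send_with_df(path, mtu)
        steps.append((mtu, result, hint))
        if result == "delivered":
            return mtu, steps
        # Use the hint only if it is actually smaller; otherwise step down the table.
        mtu = hint if hint is not None and hint < mtu else next_lower_plateau(mtu)
        if mtu < MIN_IPV4_MTU:
            raise ValueError("path MTU below the IPv4 minimum")


class PmtuCache:
    """Per-destination MTU cache with the periodic re-probe the slide describes."""

    def __init__(self, first_hop_mtu):
        self.first_hop_mtu = first_hop_mtu
        self.entries = {}   # destination -> (mtu, time learned)

    def mtu_for(self, dst, now):
        entry = self.entries.get(dst)
        if entry is None or now - entry[1] >= RETRY_INCREASE_AFTER_S:
            return self.first_hop_mtu   # unknown or stale: probe with the full size again
        return entry[0]

    def learn(self, dst, mtu, now):
        self.entries[dst] = (mtu, now)
```

On a path 1500/1400/1280 where only the last router is old, the host ends at 1006 rather than 1280: the plateau fallback keeps connectivity but wastes part of the link.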
81. Layer 4: Transport Layer
The Transport Layer provides transparent transfer of data
between end users, providing reliable data transfer services
to the upper layers.
The Transport Layer controls the reliability of a given link
through flow control, segmentation/desegmentation, and
error control.
82. Layer 4: Transport Layer
OSI transport protocol classes TP0 to TP4:
Feature Name | TP0 | TP1 | TP2 | TP3 | TP4
Connection oriented network | Yes | Yes | Yes | Yes | Yes
Connectionless network | No | No | No | No | Yes
Concatenation and separation | No | Yes | Yes | Yes | Yes
Segmentation and reassembly | Yes | Yes | Yes | Yes | Yes
Error recovery | No | Yes | No | Yes | Yes
Reinitiate connection (if an excessive number of PDUs are unacknowledged) | No | Yes | No | Yes | No
Multiplexing and demultiplexing over a single virtual circuit | No | No | Yes | Yes | Yes
Explicit flow control | No | No | Yes | Yes | Yes
Retransmission on timeout | No | No | No | No | Yes
Reliable transport service | No | Yes | No | Yes | Yes
83. TCP - Transmission Control Protocol
Connection oriented - Reliable stream transport
Conceptually, two ends communicate to agree on
details
After agreeing application notified of connection
During transfer, ends communicate continuously to
verify data received correctly
When done, ends tear down the connection
Provides buffering and flow control
Takes care of lost packets, out of order,
duplicates, long delays
Usually used for browsing, FTP, Mail, etc.
84. UDP- User Datagram Protocol
Connectionless Datagram- Not Reliable transport
Minimal overhead, high performance
No setup/teardown, 1 datagram at a time
Application responsible for reliability
Includes datagram loss, duplication, delay, out-of-sequence,
multiplexing, loss of connectivity
Usually used for Voice & Video streaming,
broadcasting, etc.
85. TCP vs. UDP data format
UDP header (8 bytes):
bit 0 | 16 | 31
Source port | Destination port
UDP message length | Checksum (optional in IPv4)
Data
TCP header (20 bytes without options):
bit 0 | 4 | 8 | 16 | 24 | 31
Source port | Destination port
Sequence number
Acknowledgement number
Hlen | Res | Code (flags) | Window
Checksum | Urgent ptr
Options (if any) | Padding
Data (if any)
…
86. TCP data format
Port - TCP port numbers to ID applications at both ends
of connection
Sequence number - ID position in sender’s byte stream
Acknowledgement - identifies the number of the byte
the sender of this segment expects to receive next
Hlen - specifies the length of the segment header in 32 bit
multiples. If there are no options, the Hlen = 5 (20 bytes)
Code - used to determine segment purpose, e.g. SYN,
ACK, FIN, URG
87. TCP data format (cont.)
Window - advertises how much data this station is willing to accept. Can depend on buffer space remaining.
Checksum - verifies the integrity of the TCP header and data; it is computed over a pseudo-header that also includes the IP source and destination addresses. It is mandatory.
Urgent pointer - used with the URG flag to indicate how far the urgent data extends in the data stream. Typically used with a file transfer abort during FTP or when pressing an interrupt key in telnet.
Options - used for window scaling, SACK, timestamps, maximum segment size etc.
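As an added example (not from the slides), Python that builds and parses the TCP and UDP headers of slides 85 to 87, including the pseudo-header checksum both protocols use and the decoding of the Code flags and common options (MSS, window scale, SACK-permitted, timestamps). Addresses and the SYN segment are constructed samples.

```python
import struct
from ipaddress import IPv4Address

PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header covered by both TCP and UDP checksums, so a segment
    delivered to the wrong IP address fails verification."""
    return struct.pack("!4s4sBBH", IPv4Address(src).packed, IPv4Address(dst).packed, 0, proto, length)


def build_tcp(src, dst, sport, dport, seq, ack, flags, window, payload=b"", options=b"", urgent=0):
    options += b"\x00" * (-len(options) % 4)     # options are padded to 32-bit words
    hlen_words = (20 + len(options)) // 4        # Hlen = 5 without options
    code = sum(TCP_FLAGS[f] for f in flags)
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, hlen_words << 4, code,
                         window, 0, urgent) + options
    csum = checksum(pseudo_header(src, dst, PROTO_TCP, len(header) + len(payload)) + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_tcp_options(raw: bytes) -> dict:
    opts, i = {}, 0
    while i < len(raw) and raw[i] != 0:          # kind 0 = end of option list
        kind = raw[i]
        if kind == 1:                            # kind 1 = no-operation (alignment)
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            opts["MSS"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["WScale"] = body[0]
        elif kind == 4:
            opts["SACK-permitted"] = True
        elif kind == 8:
            opts["Timestamps"] = struct.unpack("!II", body)
        else:
            opts[f"kind{kind}"] = body
        i += length
    return opts


def parse_tcp(src, dst, segment: bytes) -> dict:
    sport, dport, seq, ack, hl, code, window, _, urgent = struct.unpack("!HHIIBBHHH", segment[:20])
    hlen = (hl >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad TCP header length")
    ok = checksum(pseudo_header(src, dst, PROTO_TCP, len(segment)) + segment) == 0
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hlen": hlen,
            "flags": [name for name, bit in TCP_FLAGS.items() if code & bit],
            "window": window, "urgent": urgent, "checksum_ok": ok,
            "options": parse_tcp_options(segment[20:hlen]), "payload": segment[hlen:]}


def build_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    # A computed checksum of 0 is sent as 0xFFFF, because 0 means "no checksum" over IPv4.
    csum = checksum(pseudo_header(src, dst, PROTO_UDP, length) + header + payload) or 0xFFFF
    return header[:6] + struct.pack("!H", csum) + payload


def parse_udp(src, dst, datagram: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length")
    ok = csum == 0 or checksum(pseudo_header(src, dst, PROTO_UDP, length) + datagram[:length]) == 0
    return {"sport": sport, "dport": dport, "length": length, "checksum_present": csum != 0,
            "checksum_ok": ok, "payload": datagram[8:length]}
```

A SYN carrying an MSS option has Hlen = 6 (24 bytes); flipping one option byte, or checking the same segment against a different source address, makes the checksum fail, which is the pseudo-header doing its job.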
89. Layer 5: Session Layer
The Session Layer controls the dialogues (connections)
between computers.
It establishes, manages and terminates the connections
between the local and remote application.
It provides for full-duplex, half-duplex, or simplex operation,
and establishes checkpointing, adjournment, termination,
and restart procedures.
90. Layer 6: Presentation Layer
The Presentation Layer establishes a context
between Application Layer entities, in which the
higher-layer entities can use different syntax and
semantics, as long as the presentation service
understands both and the mapping between them.
This layer provides independence from differences in
data representation (e.g., encryption) by translating
from application to network format, and vice versa.
This layer formats and encrypts data to be sent
across a network, providing freedom from
compatibility problems.
It is sometimes called the syntax layer.
91. Layer 7: Application Layer
The application layer is the OSI layer
closest to the end user, which means that
both the OSI application layer and the user
interact directly with the software
application.
Application layer functions typically include:
identifying communication partners,
determining resource availability,
synchronizing communication.
92. URL
A standard scheme for compactly identifying any document on any Web server
Components:
A scheme (service type): http, rtp, rtsp, telnet, ftp, gopher, …
://
A server domain name or server IP address (the system name), optionally preceded by user info and followed by a port number (specified only if a non-default port is used)
A path to a resource (an HTML file or a CGI script)
Example: http://today@poly.edu:999/ee-dept/event.html
service type: http; user: today; system name: poly.edu; port number: 999; path (file name): /ee-dept/event.html
93. HyperText Transfer Protocol (HTTP)
Application layer protocol
Distributes information in the WWW
Based on the client/server architecture
HTTP client (web browser): sends a request to a server for a file
HTTP server (web server): well-known port number 80, responds with the requested file if it is available
A single TCP connection is used for a request/response exchange
Diagram: web browser (HTTP / TCP / IP / Network) sends a request to, and receives a response from, the web server (HTTP / TCP / IP / Network)
94. HTTP Messages
Text-based (English keywords) and flexible, not binary-coded like the lower layer protocols
Components of an HTTP message:
A start-line
Optional headers, each with a header name and a value
A blank line (a CRLF, "\r\n", on its own)
The requested file or other data in an HTTP response (the body).
95. HTTP Request Message
Request Line:
Request Type (method)
URL
HTTP version
Optional Headers
Header name
Value
A blank line
Body (optional, e.g. the document sent with PUT)
The Request Type defines the method of the message:
GET, HEAD – retrieve a full document, or only information about a document, from the server
PUT, PATCH – provide a new/replacement document, or a list of differences to apply to an existing document, to the server
COPY, MOVE, DELETE – copy, move, or delete a document (COPY and MOVE are WebDAV extensions, not part of core HTTP)
……
96. HTTP Response Message
Status Line:
HTTP version
Status Code
Status phrase
Optional Headers
Header name
Value
A blank line
Data Body
The Status Code is a 3-digit number similar to those in the FTP and SMTP protocols (1xx informational, 2xx success, 3xx redirection, 4xx client error, 5xx server error)
The Status Phrase explains the status code, such as Continue, Switching Protocols, OK, Accepted, No Content, Multiple Choices, Bad Request, Unauthorized, Forbidden, Not Found, Internal Server Error, Service Unavailable, … …
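As an added example (not from the slides) covering slides 92 to 96: Python that splits a URL into the components the slides name, builds a request from it, and parses either a request or a response into start-line, headers and body. The parser takes the body length from Content-Length and refuses a duplicate or non-numeric Content-Length instead of guessing, since that ambiguity is what request-smuggling attacks exploit. The response used in the test is a constructed sample.

```python
from urllib.parse import urlsplit

CRLF = b"\r\n"
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "telnet": 23, "gopher": 70}


def parse_url(url: str) -> dict:
    """Split a URL into scheme (service type), optional user info, system name,
    port (the scheme's default unless given) and path."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"URL needs a scheme and a host: {url}")
    return {"scheme": p.scheme, "user": p.username, "host": p.hostname,
            "port": p.port or DEFAULT_PORTS.get(p.scheme), "path": p.path or "/", "query": p.query}


def build_request(method: str, url: str, headers=None, body: bytes = b"") -> bytes:
    """Request line, Host header (mandatory in HTTP/1.1), optional headers, blank line, body."""
    u = parse_url(url)
    target = u["path"] + (f"?{u['query']}" if u["query"] else "")
    host = u["host"] if u["port"] == DEFAULT_PORTS.get(u["scheme"]) else f"{u['host']}:{u['port']}"
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return CRLF.join(line.encode("ascii") for line in lines) + CRLF + CRLF + body


def parse_message(raw: bytes) -> dict:
    """Parse a request or a response: start-line, header lines, blank line, body."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line terminating the headers")
    start, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():   # reject "Name :" and leading whitespace
            raise ValueError(f"malformed header line: {line!r}")
        key, val = name.decode("ascii").lower(), value.strip().decode("ascii")
        if key == "content-length" and key in headers:
            raise ValueError("duplicate Content-Length")
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    words = start.decode("ascii").split(" ", 2)
    msg = {"headers": headers}
    if words[0].startswith("HTTP/"):
        if len(words) < 2 or not (words[1].isdigit() and len(words[1]) == 3):
            raise ValueError(f"bad status line: {start!r}")
        msg.update(kind="response", version=words[0], status=int(words[1]),
                   phrase=words[2] if len(words) == 3 else "")
    elif len(words) == 3 and words[2].startswith("HTTP/"):
        msg.update(kind="request", method=words[0], target=words[1], version=words[2])
    else:
        raise ValueError(f"bad start-line: {start!r}")
    length = headers.get("content-length")
    if length is not None:
        if not length.isdigit():
            raise ValueError("non-numeric Content-Length")
        if len(body) < int(length):
            raise ValueError("body shorter than Content-Length")
        body = body[:int(length)]
    msg["body"] = body
    return msg
```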
97. HTTP TCP Connections
The client first establishes a TCP connection to the
server before an HTTP request
The server may terminate the TCP connection after the
HTTP response is sent
For embedded objects in an HTML file
The client sends a request for each embedded object
In HTTP/1.0, the client establishes a TCP connection for each request, not efficient for a file with many embedded objects
In HTTP/1.1, persistent connections are supported
All embedded objects are sent through the TCP connection established for the first request
Both the client and server have to enable the persistent connection feature
98. HTTP Requests & Responses
Diagram: web browser (HTTP / TCP / IP / Network) and web server (HTTP / TCP / IP / Network); the TCP connection is opened ("open" / "opened"), the HTTP request and response are exchanged, then the connection is closed ("close" / "closed")
HTTP has four stages: Open, Request, Response, Close
A TCP session for HTTP/1.0 does not stay open and wait for multiple requests/responses – not efficient when an HTML file has many embedded objects like pictures
HTTP/1.1 supports persistent connections that allow all the embedded objects to be sent through the same TCP connection
99. HTTP Proxies
Diagram: web browser (HTTP / TCP / IP / Network) – request – proxy (HTTP / TCP / IP / Network, with a Cache) – request – web server (HTTP / TCP / IP / Network); responses flow back along the same path
A proxy server acts as both a client and a server
receiving the client's initial requests, translating the requests, passing the requests to other servers
Proxies can be used with firewalls to block undesired traffic
The cache feature of a Web proxy server reduces network traffic by saving recently viewed pages on the disk drive
100. DHCP
Dynamic Host Configuration Protocol (DHCP) is designed to dynamically configure TCP/IP hosts in a centralized manner from a DHCP server.
The DHCP server maintains a collection of configuration parameters, such as IP addresses, subnet mask and default gateway IP address, to make a configured host work in the network.
A DHCP client queries the server for the configuration parameters.
The DHCP server returns the configuration parameters to the client.
101. DHCP
DHCP can provide persistent storage of network
parameters for the clients
A client can be assigned with same set of parameters whenever
it bootstraps, or is moved to another subnet
The DHCP server keeps a key-value entry for each client and
uses the entries to match queries from the clients
The entry could be a combination of a subnet address and the
MAC address (or domain name) of a client
DHCP can also assign configuration parameters
dynamically
The DHCP server maintains a pool of parameters and assigns an
unused set of parameters to a querying client
A DHCP client leases an IP address for a period of time. When
the lease expires, the client may renew the lease, or the IP
address is put back to the pool for future assignments
102. DHCP Operations
When two DHCP servers are used
1) A client first broadcasts a DHCPDISCOVER message on its local physical network during bootstrapping.
The message may be forwarded by relay agents to servers in other physical networks.
2) Each server may respond with a DHCPOFFER message with an available network address in the Your IP Address field.
103. DHCP Operations
When two DHCP servers are used
3) The client may receive more than one DHCPOFFER message. It chooses one server from all responding servers based on the configuration parameters offered.
The client then broadcasts a DHCPREQUEST message with the Server Identifier option to indicate the selected server.
104. DHCP Operations
When two DHCP servers are used
4) When the DHCPREQUEST message is received, only the chosen server responds with a DHCPACK message carrying a full set of configuration parameters to the client. (The other servers see that they were not selected and return their offered address to the pool.)
When the client receives the DHCPACK, it checks the parameters and configures its TCP/IP modules using them.
The message specifies the duration of the lease. When the lease expires, the client may ask the server to renew it. Otherwise, the address will be put back in the pool or assigned to other hosts.
105. DHCP Operations
When two DHCP servers are used
5) The client may send a DHCPRELEASE message to the server to relinquish the lease on the network address.
107. DHCP Message Fields
Opcode
1 means a boot request from the client (BOOTREQUEST)
2 means a boot reply from the server (BOOTREPLY)
Hardware Address Type
The values are defined in the "Assigned Numbers" RFC
The value is 1 for an Ethernet MAC address
HW address length
The length of the hardware address (6 for Ethernet)
Hop count
Optionally used by relay agents
A relay agent is a host or router that forwards DHCP messages between DHCP clients and servers
108. DHCP Message Fields
Transaction ID
Randomly assigned to link requests and replies between a client
and a server
Number of seconds
Elapsed time in seconds since the client began an address
acquisition or renewal process
Flags
Broadcast flag, the leftmost bit. Used when a client cannot
receive a unicast IP datagram before its interface is configured
Remaining 15 bits must be 0 (reserved for future use)
109. DHCP Message Fields
Client IP address
Filled in only when the client is in BOUND, RENEWING or REBINDING state and can respond to ARP requests
Your IP address
the client's IP address, assigned by the DHCP server
Server IP address
the IP address of the next server to use in bootstrap
Relay agent IP address
used when booting via a relay agent
110. DHCP Message Fields
Client HW address
The hardware address of the client (16 bytes)
For an Ethernet address, the first 6 bytes are filled and the remaining bytes are set to 0
Server hostname
Hostname of the DHCP server (64 bytes)
Boot filename
Used in a DHCPOFFER message to specify the fully qualified, null-terminated path name of a file to bootstrap from (128 bytes)
Options
Optional, variable-length field: it starts with the magic cookie 99.130.83.99, followed by (code, length, value) items such as message type (53) and server identifier (54), and ends with code 255
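As an added example (not from the slides) covering slides 102 to 110: Python that serializes and parses DHCP messages with the fields listed above and runs the two-server exchange of slides 102 to 104 (DISCOVER, two OFFERs, REQUEST naming one server, a single ACK). The server addresses, pools and client MAC are constructed samples, and the client's choice rule (longest lease wins) is an assumption; the slides only say it picks on the parameters offered.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = bytes([99, 130, 83, 99])
BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET = 1
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # values of option 53 (RFC 2132)
OPT_SUBNET, OPT_ROUTER, OPT_REQUESTED_IP, OPT_LEASE = 1, 3, 50, 51
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"           # op .. file: the 236 fixed bytes


def ip(text: str) -> bytes:
    return IPv4Address(text).packed


def build(op, xid, mac, options, yiaddr="0.0.0.0", siaddr="0.0.0.0", broadcast=False, secs=0):
    """Serialize one message: fixed fields, magic cookie, (code, len, value) options, end."""
    header = struct.pack(HEADER_FMT, op, HTYPE_ETHERNET, len(mac), 0, xid, secs,
                         0x8000 if broadcast else 0, ip("0.0.0.0"), ip(yiaddr), ip(siaddr),
                         ip("0.0.0.0"), mac.ljust(16, b"\x00"), b"", b"")
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(msg: bytes) -> dict:
    f = struct.unpack(HEADER_FMT, msg[:236])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                                # pad option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        if len(options[code]) != length:
            raise ValueError("truncated option")
        i += 2 + length
    return {"op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3], "xid": f[4], "secs": f[5],
            "broadcast": bool(f[6] & 0x8000), "ciaddr": str(IPv4Address(f[7])),
            "yiaddr": str(IPv4Address(f[8])), "siaddr": str(IPv4Address(f[9])),
            "giaddr": str(IPv4Address(f[10])), "chaddr": f[11][:f[2]],
            "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0], "options": options}


class DhcpServer:
    """A server with an address pool; two instances model the slides' scenario."""

    def __init__(self, server_ip, pool, lease_seconds, router, mask="255.255.255.0"):
        self.ip, self.pool, self.lease = server_ip, list(pool), lease_seconds
        self.router, self.mask = router, mask
        self.offered = {}                              # chaddr -> offered address

    def _reply(self, msg, msg_type, address):
        opts = [(OPT_MSG_TYPE, bytes([msg_type])), (OPT_SERVER_ID, ip(self.ip)),
                (OPT_SUBNET, ip(self.mask)), (OPT_ROUTER, ip(self.router)),
                (OPT_LEASE, struct.pack("!I", self.lease))]
        return build(BOOTREPLY, msg["xid"], msg["chaddr"], opts, yiaddr=address, siaddr=self.ip)

    def on_discover(self, msg):
        if msg["msg_type"] != DISCOVER or (msg["chaddr"] not in self.offered and not self.pool):
            return None
        if msg["chaddr"] not in self.offered:
            self.offered[msg["chaddr"]] = self.pool.pop(0)
        return self._reply(msg, OFFER, self.offered[msg["chaddr"]])

    def on_request(self, msg):
        if msg["msg_type"] != REQUEST:
            return None
        if msg["options"].get(OPT_SERVER_ID) != ip(self.ip):   # another server was chosen
            address = self.offered.pop(msg["chaddr"], None)
            if address:
                self.pool.append(address)                       # offer withdrawn, address reusable
            return None
        return self._reply(msg, ACK, self.offered[msg["chaddr"]])


def run_exchange(mac: bytes, servers, xid=0x3903F326):
    """Steps 1-4: broadcast DISCOVER, collect OFFERs, pick the longest lease
    (assumed choice rule), broadcast REQUEST naming that server, receive one ACK."""
    discover = build(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([DISCOVER]))], broadcast=True)
    offers = [parse(o) for s in servers if (o := s.on_discover(parse(discover)))]
    best = max(offers, key=lambda o: struct.unpack("!I", o["options"][OPT_LEASE])[0])
    request = build(BOOTREQUEST, xid, mac, [(OPT_MSG_TYPE, bytes([REQUEST])),
                    (OPT_SERVER_ID, best["options"][OPT_SERVER_ID]),
                    (OPT_REQUESTED_IP, ip(best["yiaddr"]))], broadcast=True)
    acks = [parse(a) for s in servers if (a := s.on_request(parse(request)))]
    return best, acks
```

Nothing in the exchange authenticates the server: any host on the broadcast domain can answer a DISCOVER with its own OFFER, which is why switches offer DHCP snooping to restrict which ports may send replies.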
113. Motivation
• IP
o The first defined and used protocol
o De facto the only protocol for global internetworking
… but there are disadvantages
114. Motivation (cont.)
• IP Routing disadvantages
o Connectionless
- e.g. no QoS
o Large IP Header
- At least 20 bytes
o Routing in Network Layer
- Slower than Switching
o Usually designed to obtain shortest path
- Do not take into account additional metrics
115. Motivation (cont.)
• ATM
o connection oriented
- Supports QoS
o fast packet switching with fixed length
packets (cells)
o integration of different traffic types (voice,
data, video)
… but there are also disadvantages
116. Motivation (cont.)
• ATM disadvantages
o Complex
o Expensive
o Not widely adopted
118. MPLS Basics
• Multi Protocol Label Switching sits
between Layer 2 and Layer 3
119. MPLS Basics (cont.)
• MPLS Characteristics
o Mechanisms to manage traffic flows of
various granularities (Flow Management)
o Is independent of Layer-2 and Layer-3
protocols
o Maps IP-addresses to fixed length labels
o Supports ATM, Frame-Relay and Ethernet
121. Label Edge Router - LER
• Resides at the edge of an MPLS
network and assigns and removes
the labels from the packets.
• Supports multiple ports connected to
dissimilar networks (such as frame
relay, ATM, and Ethernet).
122. Label Switching Router - LSR
• Is a high speed router in the core on
an MPLS network.
• ATM switches can be used as LSRs
without changing their hardware.
Label switching is equivalent to
VP/VC switching.
124. Label Distribution Protocol - LDP
• An application layer protocol for the
distribution of label binding
information to LSRs.
o It is used to map FECs to labels, which, in
turn, create LSPs.
o LDP sessions are established between LDP
peers in the MPLS network (not
necessarily adjacent).
o Label bindings follow the routes learned from
the IGP (e.g. OSPF) or from BGP.
125. Traffic Engineering
• In MPLS, traffic engineering is inherently
provided using explicitly routed paths.
• The LSPs are created independently,
specifying different paths that are based
on user-defined policies. However, this
may require extensive operator
intervention.
• RSVP-TE and CR-LDP are two possible
approaches to supply dynamic traffic
engineering and QoS in MPLS.
126. MPLS Operation
• The following steps must be taken
for a data packet to travel through
an MPLS domain.
o label creation and distribution
o table creation at each router
o label-switched path creation
o label insertion/table lookup
o packet forwarding
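The steps above as a small simulation, added here as an example and not taken from the slides: the 32-bit shim header is packed and unpacked, an ingress LER classifies a packet into a FEC and pushes a label, LSRs swap or pop by looking only at the top label, and the TTL is carried through. The four-router domain (PE1, P1, P2, PE2), its tables and the label values are constructed assumptions. The check that a labelled packet only arrives from a known MPLS neighbour is the caveat an operator wants: an LSR forwards on the label alone, so a label injected on an untrusted interface would otherwise be switched into any LSP.

```python
import struct
import ipaddress
from dataclasses import dataclass, field


def encode_shim(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """Pack one 32-bit MPLS shim header: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("label must fit in 20 bits")
    word = (label << 12) | ((tc & 0x7) << 9) | (int(bottom) << 8) | (ttl & 0xFF)
    return struct.pack("!I", word)


def decode_shim(shim: bytes):
    (word,) = struct.unpack("!I", shim[:4])
    return word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 1), word & 0xFF


@dataclass
class Packet:
    dst: str
    ip_ttl: int
    stack: list = field(default_factory=list)   # shim headers, top of stack first


# Constructed tables for a hypothetical domain PE1 - P1 - P2 - PE2.
FTN = {"10.1.0.0/16": (100, "P1")}             # ingress LER: FEC -> (label to push, next hop)
ILM = {                                         # LSRs: (router, in label) -> (action, out label, next hop)
    ("P1", 100): ("swap", 200, "P2"),
    ("P2", 200): ("pop", None, "PE2"),          # penultimate hop popping: PE2 receives plain IP
}
MPLS_NEIGHBOURS = {"P1": {"PE1"}, "P2": {"P1"}}   # neighbours whose labelled packets are accepted


def ingress(pkt: Packet):
    """LER: classify by FEC (longest match) and push the label; None = no LSP for this FEC."""
    dst = ipaddress.ip_address(pkt.dst)
    matches = [fec for fec in FTN if dst in ipaddress.ip_network(fec)]
    if not matches:
        return None
    fec = max(matches, key=lambda f: ipaddress.ip_network(f).prefixlen)
    label, next_hop = FTN[fec]
    pkt.stack.insert(0, encode_shim(label, 0, True, pkt.ip_ttl))   # uniform model: copy the IP TTL in
    return next_hop


def lsr_forward(router: str, pkt: Packet, came_from: str):
    """LSR: look at the top label only, swap or pop, decrement TTL, return the next hop."""
    if came_from not in MPLS_NEIGHBOURS.get(router, set()):
        # a labelled packet from an untrusted interface could steer traffic into any LSP
        raise PermissionError(f"{router}: labelled packet from non-MPLS neighbour {came_from}")
    label, tc, bottom, ttl = decode_shim(pkt.stack[0])
    if ttl <= 1:
        raise TimeoutError(f"{router}: label TTL expired")
    action, out_label, next_hop = ILM[(router, label)]
    if action == "swap":
        pkt.stack[0] = encode_shim(out_label, tc, bottom, ttl - 1)
    else:  # pop
        pkt.stack.pop(0)
        if not pkt.stack:
            pkt.ip_ttl = ttl - 1   # single-label LSP: hand the remaining TTL back to the IP header
    return next_hop


def run_lsp(pkt: Packet):
    """Carry one packet PE1 -> PE2, recording (router, label stack) at each hop."""
    trace = []
    node = "PE1"
    next_hop = ingress(pkt)
    if next_hop is None:
        return [("PE1", None)]
    trace.append((node, [decode_shim(s)[0] for s in pkt.stack]))
    prev, node = node, next_hop
    while pkt.stack:
        next_hop = lsr_forward(node, pkt, prev)
        trace.append((node, [decode_shim(s)[0] for s in pkt.stack]))
        prev, node = node, next_hop
    trace.append((node, []))    # egress LER forwards the bare IP packet by its own IP lookup
    return trace
```

Running run_lsp on a packet for 10.1.2.3 with TTL 64 yields PE1 [100], P1 [200], P2 [] (popped at the penultimate hop), PE2 [], and the IP TTL comes out as 62 because both P1 and P2 decremented the label TTL.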
128. Tunneling in MPLS
• Control the entire path of a packet
without explicitly specifying the
intermediate routers.
o Creating tunnels through the intermediary
routers that can span multiple segments.
• MPLS based VPNs.
130. MPLS Advantages
• Improves packet-forwarding
performance in the network
• Supports QoS and CoS for service
differentiation
• Supports network scalability
• Integrates IP and ATM in the
network
• Builds interoperable networks
133. IP is not Secure!
IP protocol was designed in the late 70s to early 80s
Part of DARPA Internet Project
Very small network
All hosts are known!
So are the users!
Therefore, security was not an issue
134. Security Issues in IP
Weaknesses of plain IP:
source spoofing
replay of packets
no data integrity or confidentiality
Resulting attacks:
• DoS attacks
• Replay attacks
• Spying (eavesdropping)
• and more…
Fundamental Issue:
Networks are not (and will never be)
fully secure
135. Goals of IPSec
to verify sources of IP packets: authentication
to prevent replaying of old packets: anti-replay
to protect integrity and/or confidentiality of packets:
data integrity / data encryption
136. IPSec Architecture
AH: Authentication Header
ESP: Encapsulating Security Payload
IPSec Security Policy
IKE: The Internet Key Exchange
137. IPSec Architecture
IPSec provides security in three situations:
Host-to-host, host-to-gateway and gateway-to-gateway
IPSec operates in two modes:
Transport mode (for end-to-end)
Tunnel mode (for VPN)
139. Various Packets
Original: IP header | TCP header | data
Transport mode: IP header | IPSec header | TCP header | data
Tunnel mode: new IP header | IPSec header | original IP header | TCP header | data
140. Authentication Header (AH)
Provides source authentication
Protects against source spoofing
Provides data integrity
Protects against replay attacks
Uses monotonically increasing sequence numbers
Limits some denial of service attacks: replayed packets are
rejected by the sequence-number window before any further processing
NO protection for confidentiality!
Uses keyed hashes (HMACs), truncated to 96 bits, to protect
data integrity
Uses symmetric keys
HMAC-SHA1-96, HMAC-MD5-96
141. AH Packet Details
New IP header (tunnel mode) or the original IP header (transport mode)
AH header:
Next header
Payload (header) length
Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data: hash of everything else
Encapsulated TCP or IP packet:
Old IP header (only in Tunnel mode)
TCP header
Data
Authenticated: the whole packet, with the mutable fields of the
outer IP header (TTL, checksum, ...) treated as zero
142. Encapsulating Security Payload (ESP)
Provides all that AH offers, and
in addition provides data confidentiality
Uses symmetric key encryption
143. ESP Details
Same as AH:
Use 32-bit sequence number to counter replaying attacks
Use integrity check algorithms
Only in ESP:
Data confidentiality:
Uses symmetric key encryption algorithms to encrypt packets
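The AH packet layout (slide 141) and the 32-bit sequence number that AH and ESP share (slide 143), implemented end to end as an added example; this is not code from the slides. A transport-mode AH packet is built with HMAC-SHA1-96 over the immutable IP fields, the AH header with a zeroed ICV, and the payload; the receiver recomputes the ICV in constant time and then runs the sequence number through a 64-packet sliding anti-replay window. Addresses, SPI, key and payload are constructed; ESP's encryption is not shown because the standard library has no block cipher, the sequence-number and ICV handling is the same for both.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51
ICV_LEN = 12   # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits
AH_FIXED = 12  # next header, payload length, reserved, SPI, sequence number


def _checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def _immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the fields routers may change in flight: TOS, flags/offset, TTL, checksum."""
    v = bytearray(ip_hdr)
    v[1] = 0
    v[6:8] = b"\x00\x00"
    v[8] = 0
    v[10:12] = b"\x00\x00"
    return bytes(v)


def _icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    covered = _immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, spi, seq, src, dst, payload, next_header=6) -> bytes:
    """Transport-mode AH: IP header | AH | payload (next_header 6 = TCP)."""
    payload_len_field = (AH_FIXED + ICV_LEN) // 4 - 2       # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip_hdr = _ipv4_header(src, dst, 20 + AH_FIXED + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, payload) + payload


class ReplayWindow:
    """Sliding anti-replay window over the 32-bit sequence number."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0     # bit i of bitmap: seq top-i was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                       # the first packet on an SA carries 1
            return False
        if seq > self.top:                 # new highest value: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                   # too old, or already seen
        self.bitmap |= 1 << diff
        return True


def verify_ah(key: bytes, packet: bytes, window: ReplayWindow):
    ip_hdr, rest = packet[:20], packet[20:]
    next_header, payload_len_field, _, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED])
    ah_total = (payload_len_field + 2) * 4
    icv_received, payload = rest[AH_FIXED:ah_total], rest[ah_total:]
    if not hmac.compare_digest(_icv(key, ip_hdr, rest[:AH_FIXED], payload), icv_received):
        return False, "bad ICV"
    if not window.check_and_update(seq):   # only after the ICV check, so forged seqs cannot move the window
        return False, "replay"
    return True, f"ok spi={spi} seq={seq} next_header={next_header}"
```

The window is updated only after the ICV verifies; otherwise an attacker could send packets with huge forged sequence numbers and push the window past the sender's genuine traffic. Out-of-order delivery within the window (3 then 2) is accepted, a second copy of either is not.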
144. ESP Packet Details
IP header
ESP header:
Security Parameters Index (SPI)
Sequence Number
Initialization vector
Encrypted: the encapsulated TCP packet (TCP header, data),
padding, pad length, next header
Authentication Data (ICV)
Authenticated: everything from the SPI through the next header
field; the outer IP header is not covered
145. Question?
1. Why have both AH and ESP?
2. Both AH and ESP use symmetric key based algorithms
Why not public-key cryptography?
How are the keys being exchanged?
What algorithms should we use?
Similar to deciding on the ciphersuite in SSL
146. Internet Key Exchange (IKE)
Exchange and negotiate security policies
Establish security sessions
Identified as Security Associations
Key exchange
Key management
Can be used outside IPsec as well
147. IPsec/IKE Acronyms
Security Association (SA)
Collection of attributes associated with a connection
Is unidirectional!
One SA for inbound traffic, another SA for outbound traffic
Similar to ciphersuites in SSL
Security Association Database (SADB)
A database of SAs
148. IPsec/IKE Acronyms
Security Parameter Index (SPI)
A unique index for each entry in the SADB
Identifies the SA associated with a packet
Security Policy Database (SPD)
Store policies used to establish SAs
149. How They Fit Together
A packet is matched against the SPD; the matching policy points to
one or more SAs (SA-1, SA-2) held in the SADB; each SA is identified
by its SPI.
150. SPD and SADB Example
Figure: hosts A and B, gateways C and D (C in front of A's subnet
Asub, D in front of B's subnet Bsub)
Transport Mode, A's SPD:
From  To  Protocol  Port  Policy
A     B   Any       Any   AH[HMAC-MD5]
A's SADB:
From  To  Protocol  SPI  SA Record
A     B   AH        12   HMAC-MD5 key
Tunnel Mode, C's SPD:
From  To    Protocol  Port  Policy     Tunnel Dest
Asub  Bsub  Any       Any   ESP[3DES]  D
C's SADB:
From  To    Protocol  SPI  SA Record
Asub  Bsub  ESP       14   3DES key
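The SPD and SADB of slides 147 to 150 as lookup code, added here as an example and not code from the slides. The slide's hosts get constructed addresses (A=192.0.2.1, B=198.51.100.1, Asub=192.0.2.0/24, Bsub=198.51.100.0/24, D=203.0.113.2); the SPD is an ordered list where the first match wins, a packet with no matching policy is discarded rather than sent in the clear, and an inbound packet is checked against the selectors of the SA its SPI names. The BYPASS entry for IKE on UDP/500 and the key bytes are assumptions added for the example.

```python
import ipaddress
from dataclasses import dataclass


def _matches(selector: str, address: str) -> bool:
    """Selector is 'any', a host address or a prefix; address is a single IP."""
    if selector == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)


@dataclass
class SpdEntry:
    src: str
    dst: str
    proto: str            # "any", "tcp", "udp", ...
    port: str             # "any" or a port number as text
    action: str           # PROTECT, BYPASS or DISCARD
    policy: str = ""      # e.g. "AH[HMAC-MD5]" or "ESP[3DES]" when action == PROTECT
    tunnel_dst: str = ""  # tunnel-mode entries name the far gateway


@dataclass
class SaRecord:
    spi: int
    proto: str            # "AH" or "ESP"
    src: str
    dst: str
    alg: str
    key: bytes
    tunnel_dst: str = ""


DISCARD = SpdEntry("any", "any", "any", "any", "DISCARD")

SPD_A = [   # ordered: first match wins
    SpdEntry("192.0.2.1", "any", "udp", "500", "BYPASS"),   # let IKE itself through (assumed entry)
    SpdEntry("192.0.2.1", "198.51.100.1", "any", "any", "PROTECT", "AH[HMAC-MD5]"),
]
SADB_A = {(12, "AH", "198.51.100.1"):
          SaRecord(12, "AH", "192.0.2.1", "198.51.100.1", "HMAC-MD5", b"\x11" * 16)}
SPD_C = [SpdEntry("192.0.2.0/24", "198.51.100.0/24", "any", "any", "PROTECT", "ESP[3DES]", "203.0.113.2")]
# The same record exists at D, the receiving gateway, keyed by D's own address.
SADB_C = {(14, "ESP", "203.0.113.2"):
          SaRecord(14, "ESP", "192.0.2.0/24", "198.51.100.0/24", "3DES", b"\x22" * 24, "203.0.113.2")}


def spd_lookup(spd, src, dst, proto, port) -> SpdEntry:
    for e in spd:
        if (_matches(e.src, src) and _matches(e.dst, dst)
                and e.proto in ("any", proto) and e.port in ("any", str(port))):
            return e
    return DISCARD      # no matching policy: drop, never fall through to clear text


def outbound(spd, sadb, src, dst, proto, port):
    """Return (action, SA). ('PROTECT', None) means IKE must negotiate an SA first."""
    entry = spd_lookup(spd, src, dst, proto, port)
    if entry.action != "PROTECT":
        return entry.action, None
    wanted_proto = entry.policy.split("[")[0]
    for sa in sadb.values():
        if (sa.proto == wanted_proto and sa.tunnel_dst == entry.tunnel_dst
                and _matches(sa.src, src) and _matches(sa.dst, dst)):
            return "PROTECT", sa
    return "PROTECT", None


def inbound(sadb, spi, proto, outer_dst, inner_src, inner_dst):
    """Receiver side: find the SA by (SPI, protocol, destination), then check that the
    packet falls inside that SA's selectors, so a peer holding one SA cannot inject
    traffic for addresses the SA was never negotiated for."""
    sa = sadb.get((spi, proto, outer_dst))
    if sa is None:
        return None, "no SA for SPI"
    if not (_matches(sa.src, inner_src) and _matches(sa.dst, inner_dst)):
        return None, "selectors do not match SA"
    return sa, "ok"
```

The ordering matters: with the IKE BYPASS entry listed after the PROTECT entry, A's own IKE packets to B would be caught by the AH policy and could never establish the SA they are meant to set up.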
151. How It Works
IKE operates in two phases
Phase 1: negotiate and establish an auxiliary end-to-end
secure channel
Used by subsequent phase 2 negotiations
Only established once between two end points!
Phase 2: negotiate and establish custom secure
channels
Occurs multiple times
Both phases use Diffie-Hellman key exchange to
establish a shared key
152. IKE Phase 1
Goal: to establish a secure channel between two end points
This channel provides basic security features:
Source authentication
Data integrity and data confidentiality
Protection against replay attacks
153. IKE Phase 1
Rationale: each application has different security
requirements
But they all need to negotiate policies and exchange keys!
So, provide the basic security features and allow
application to establish custom sessions
154. Examples
All packets sent to address mybank.com must be encrypted
using 3DES with HMAC-MD5 integrity check
All packets sent to address www.forum.com must use
integrity check with HMAC-SHA1 (no encryption is required)
155. Phase 1 Exchange
Can operate in two modes:
Main mode
Six messages in three round trips
More options
Aggressive mode
Three messages (the exchange shown on slide 163)
Fewer options
(Quick mode is the Phase 2 exchange, not a Phase 1 mode)
163. Phase 1 (Aggressive Mode)
Initiator -> Responder: [Header, SA1, KE, Ni, IDi]
Responder -> Initiator: [Header, SA2, KE, Nr, IDr, [Cert]sig]
Initiator -> Responder: [Header, [Cert]sig]
First two messages of main mode are combined into one
(Hello and DH key exchange are sent together)
Because no key exists yet when IDi and IDr are sent, the identities
travel in the clear and are visible to anyone on the path
164. IPSec (Phase 1)
Four different ways to authenticate (in either mode)
Digital signature
Two forms of authentication with public key encryption
Pre-shared key
NOTE: IKE does use public-key cryptography (for the signature and
public-key encryption authentication methods), even though the
resulting SAs use symmetric keys
165. IPSec (Phase 2)
Goal: to establish custom secure channels between two end
points
End points are identified by <IP, port>:
e.g. <www.mybank.com, 8000>
Or by packet:
e.g. All packets going to 128.124.100.0/24
Use the secure channel established in Phase 1 for communication
166. IPSec (Phase 2)
Only one mode: Quick Mode
Multiple quick mode exchanges can be multiplexed
Generate SAs for two end points
Can use secure channel established in phase 1
167. IP Payload Compression
Used for compression
Can be specified as part of the IPSec policy
Will not cover!
169. IPsec Policy
Phase 1 policies are defined in terms of protection
suites
Each protection suite
Must contain the following:
Encryption algorithm
Hash algorithm
Authentication method
Diffie-Hellman Group
May optionally contain the following:
Lifetime
…
170. IPSec Policy
Phase 2 policies are defined in terms of proposals
Each proposal:
May contain one or more of the following
AH sub-proposals
ESP sub-proposals
IPComp sub-proposals
Along with necessary attributes such as
Key length, life time, etc
171. IPSec Policy Example
In English:
All traffic to 128.104.120.0/24 must:
Use pre-shared key authentication
DH group is MODP with 1024-bit modulus
Hash algorithm is HMAC-SHA (128 bit key)
Encryption using 3DES
In IPSec:
[Auth=Pre-Shared;
DH=MODP(1024-bit);
HASH=HMAC-SHA;
ENC=3DES]
172. IPsec Policy Example
In English:
All traffic to 128.104.120.0/24 must use one of the
following:
AH with HMAC-SHA or,
ESP with 3DES as encryption algorithm and
(HMAC-MD5 or HMAC-SHA as hashing algorithm)
In IPsec:
[AH: HMAC-SHA] or,
[ESP: (3DES and HMAC-MD5) or
(3DES and HMAC-SHA)]
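How a responder applies a Phase 2 policy like the one on slide 172 to an initiator's proposal list (slides 170 to 172), written here as an added example rather than code from the slides. Proposals are dicts mapping a protocol (AH, ESP) to its offered transforms; the responder takes the initiator's proposals in order, accepts a proposal only if every protocol in it has a transform that appears in the responder's own policy, and clamps the lifetime to the smaller of the two sides' values. The initiator offers, the default lifetime of 28800 seconds and the function names are assumptions for the example.

```python
DEFAULT_LIFETIME = 28800      # seconds; assumed default when a side states no lifetime
ALG_KEYS = ("enc", "auth", "keylen")


def _algs(transform: dict) -> dict:
    """The part of a transform that must match exactly: algorithms and key length."""
    return {k: v for k, v in transform.items() if k in ALG_KEYS}


def select_transform(offered: list, allowed: list):
    """First transform the initiator offered that the responder's policy also lists.
    The lifetime becomes the smaller of the two, so neither side keeps a key
    longer than its own policy allows."""
    for t in offered:
        for a in allowed:
            if _algs(t) == _algs(a):
                lifetime = min(t.get("lifetime", DEFAULT_LIFETIME), a.get("lifetime", DEFAULT_LIFETIME))
                return {**_algs(t), "lifetime": lifetime}
    return None


def negotiate(initiator_proposals: list, responder_policy: list):
    """Pick one proposal and one transform per protocol in it, or None if nothing is
    mutually acceptable. The responder never selects a transform outside its own
    policy, so an attacker who rewrites the offer cannot force a suite weaker than
    the responder's policy."""
    for proposal in initiator_proposals:
        for allowed in responder_policy:
            if set(proposal) != set(allowed):          # an AH+ESP bundle must match as a whole
                continue
            chosen = {}
            for proto, offered in proposal.items():
                t = select_transform(offered, allowed[proto])
                if t is None:
                    break
                chosen[proto] = t
            else:
                return chosen
    return None


# Responder policy from slide 172: AH with HMAC-SHA, or ESP with 3DES and HMAC-MD5 or HMAC-SHA.
RESPONDER_POLICY = [
    {"AH": [{"auth": "HMAC-SHA"}]},
    {"ESP": [{"enc": "3DES", "auth": "HMAC-MD5"}, {"enc": "3DES", "auth": "HMAC-SHA"}]},
]

# Constructed initiator offers.
OFFER_OK = [
    {"ESP": [{"enc": "DES", "auth": "HMAC-MD5"},              # not in the responder's policy
             {"enc": "3DES", "auth": "HMAC-SHA", "lifetime": 600}]},
    {"AH": [{"auth": "HMAC-SHA"}]},
]
OFFER_WEAK_ONLY = [{"ESP": [{"enc": "DES", "auth": "HMAC-MD5"}]}]
OFFER_BUNDLE = [{"AH": [{"auth": "HMAC-SHA"}], "ESP": [{"enc": "3DES", "auth": "HMAC-SHA"}]}]
```

With OFFER_OK the responder settles on ESP with 3DES and HMAC-SHA at the initiator's shorter 600-second lifetime; an offer containing only DES is refused outright, and an AH+ESP bundle is refused because the responder's policy lists no such combination, even though it would accept each protocol alone.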
173. IP protocol suite
Application: SMTP, POP, IMAP, FTP, HTTP (HTML), DNS, RTP (real-time
data), signalling protocols (e.g. ISUP)
Transport: TCP, UDP, SCTP
Network: IP, ICMP, and the routing protocols RIP, OSPF, BGP
Link: SLIP, PPP, ARP
Bearer networks: LAN protocols, ATM, PSTN/ISDN, PLMN …
174. SCTP is used for signalling transport
SS7 network stack: signalling protocol (e.g. ISUP) / SCCP / MTP
IP network stack: signalling protocol (e.g. ISUP) / Sigtran
adaptation protocol / SCTP / IP / Phys.
Transport of SS7-type application protocols (e.g. ISUP) in the SS7
network uses MTP (+ SCCP); over an IP network it uses the Sigtran
protocols on top of SCTP. Protocol conversion between the two
stacks takes place in the signalling gateway (SGW).
175. Example: downloading HTML page (1)
Protocol stacks in the figure:
User terminal (Client): HTTP / TCP / IP / PPP
Internet service provider's PoP: PPP towards the user, ATM towards
the backbone, IP routed between them
HTML page source (Server): HTTP / TCP / IP / ATM
Modem connection and PPP link between user terminal and
ISP's Point of Presence (PoP) is established. User terminal is
given IP address (dynamic allocation).
176. Example: downloading HTML page (2)
In the figure the user terminal sends "Contact DNS" over UDP / IP /
PPP and the DNS server replies over UDP / IP.
DNS performs translation between the host name in the URL and the IP
address of the server (only the latter is used for routing IP
packets to the server).
177. Example: downloading HTML page (3)
In the figure client and server run HTTP / TCP / IP and perform the
TCP three-way handshake.
TCP connection is set up. Note that IP packets can be routed
over different bearer networks (like ATM as above) and do not
necessarily follow the same path.
178. Example: downloading HTML page (4)
In the figure the HTTP request goes from client to server and the
HTTP reply comes back over the TCP connection.
HTTP request (GET HTML page) is sent to server. HTTP reply
(including HTML page) is returned in a "200 OK" message.
179. Example: downloading HTML page (5)
The figure shows the TCP close ("two-way handshaking"): a FIN/ACK
exchange in each direction.
If the client has no more requests, the TCP connection is
cleared.
180. Example: downloading HTML page (6)
Protocol stacks as in (1), now being torn down.
When requested by the client, the PPP and modem
connections are cleared. (Bearer connections within the
Internet backbone are naturally not cleared.)
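Steps (2) to (5) of the download, run for real against a local server, as an added example that is not part of the original slides. A throwaway HTTP server on the loopback interface plays the "HTML page source"; the client resolves the name, lets connect() do the three-way handshake, sends a GET, parses the "200 OK" reply and closes the connection. The page content, the use of HTTP/1.0 (so the server closes after one reply) and the function names are this example's own choices; the PPP and modem steps of slides 175 and 180 have no counterpart here.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PAGE = b"<html><body><h1>hello</h1></body></html>"   # constructed HTML page


class _PageHandler(BaseHTTPRequestHandler):
    """The 'HTML page source' side: answers every GET with PAGE in a 200 reply."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), _PageHandler)   # port 0: the OS picks a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(host: str, port: int, path: str = "/"):
    """Client side of slides 176-179: resolve, connect, request, read the reply, close."""
    # (2) name resolution: only the resulting address is used to route the packets
    addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    # (3) connect() performs the TCP three-way handshake in the kernel
    with socket.create_connection(addr, timeout=5) as sock:
        # (4) HTTP/1.0 request; the server closes the connection after its reply
        sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    # (5) leaving the with block closes our side of the connection
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = dict(line.split(": ", 1) for line in header_lines)
    return int(code), headers, body


def demo():
    """Bring the server up, download the page once, tear the server down."""
    server = start_server()
    try:
        return fetch("localhost", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```

Everything the slides draw as separate protocol boxes is visible in the call sequence: getaddrinfo is the DNS step, create_connection the handshake, sendall and recv the HTTP exchange, and the end of the with block the teardown.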