Introduction to NetWare
Presented By
Louella R. Phillips
© Copyright 1997, The University of New Mexico
F-1
Introduction to NetWare
• History of NetWare
– The first version of NetWare, called ShareNet, was in 1983.
– Developed by IBM shortly after the IBM personal computer was
introduced.
– Developed so that microcomputers could share access to files stored on
central file servers.
– NetWare is the most widely used network operating system because of its
stability and speed.
– Novell has continued to improve NetWare by releasing many versions
such as 4.11, 3.x and 2.x.
F-2
How does NetWare Connect
your PC to the Network?
• NetWare uses special software called NetWare
requester.
• NetWare requester resides on the PC rather than on a
file server.
• The connection is established from the PC to the
network. This process involves two steps: attaching,
and logging in.
– Attaching establishes a link between the PC and the file server.
– Logging in allows the user to access file servers and other network
resources, such as shared printers.
F-3
How does NetWare Connect your
PC to the Network (cont.) ?
• PC network adapter cards broadcast a request over
the network cable system asking a file server to
respond.
• Your PC is linked or attached to the first file server
that answers.
• The NetWare requester stays in the memory of your
PC and serves as the software link between the PC’s
operating system and NetWare.
• NetWare requester next provides you with a way to
log in to the network.
F-4
How can NetWare provide
you with security ?
• Controlling Logins and Passwords
– The administrator creates a login name for each user which permits them
to login to the server.
– The user will be required to use a password each time they login.
– Login is the first step to using network resources: without a login name your access to the network is denied; the second step is your password.
• Controlling Trustee Security and Rights
– NetWare has features called trustee security which grants various levels
of control to access a directory.
– As trustee, the user can have access to files in a particular directory.
– Rights such as read, write, create, erase, etc.
F-5
NetWare makes the network
easy to use
– NetWare makes file server disks look like local disks to your PC.
– NetWare MAP command lets you assign the drive letter of your choice to
any disk, directory, or subdirectory on any file server that you are logged
in to.
– NetWare allows you to create a login script that automatically sets up
your drive.
– NetWare allows you to use all standard DOS and OS/2 commands on the
file server disks for file manipulation and movement among directories.
– NetWare includes a powerful menu-building utility for DOS users; menus are an excellent way to make programs and printers easy to use.
– The NetWare requester plays an important role in printing a document on the network: it sends the print job to the file server as a print-job file instead of sending it to the workstation’s printer port.
F-6
Novell’s Windows NT
Integration strategy
• Internetware Client for Windows NT.
– Internetware allows the client with Windows NT 4.1, Windows NT
workstation 3.51 and 4.0, access to NetWare services such as printing,
security, management, and messaging services through Novell’s Directory
Service (NDS).
• Novell Workstation Manager.
– Novell workstation manager allows you to manage Windows NT
workstation 3.51 and 4.0 user accounts through NDS. You do not have to
maintain these user accounts in the Windows NT workstation Security
Access Manager (SAM) database or the Windows NT server domain
database. You can now create an NT workstation object in NDS and
associate User, Group, or Organization objects with that object.
F-7
Novell’s Windows NT
Integration strategy
• Novell Application Launcher.
– Novell Application Launcher(NAL) has been enhanced for use with
Windows NT workstation 3.51 and 4.0. Using the NetWare Administrator
utility, you can create objects in the NDS tree to represent applications
that are located on Internetware, NetWare 4, or Windows NT servers.
• Managewise Agents for Windows NT.
– Managewise agents for Windows NT work with Managewise 2.1 to
integrate Windows NT servers and workstations with your overall
network management system. These agents can collect real-time and longterm performance and alarm information about your Windows NT
servers.
F-8
Novell’s Windows NT
Integration strategy
• GroupWise 5 for Windows NT.
– GroupWise 5 has been enhanced to integrate with Windows NT server
3.51 and 4, including running on IntranetWare and Unix platforms.
– GroupWise 5 also provides integration with Microsoft Exchange clients; you can use GroupWise Message Server at the back end.
– GroupWise WebAccess allows you to access the GroupWise 5 services
from a World-Wide-Web (WWW) browser, as well as allowing you to run
IntranetWare WWW server and Windows NT WWW server.
• NDS for Windows NT.
– Novell is implementing NDS natively on Windows NT server and plans to
release this product later this year, NDS is also being made available on
various UNIX platforms.
F-9
Novell vs. NT
• NetWare Pros:
– Centralized Management (one single graphical point of administration for the entire network, NDS).
– Lower Administration Costs (an IDC study found NetWare 22% less expensive to administer than NT).
– File and Print Services (PC Week published that NetWare outperforms NT by 59% with loads above 30 clients; automatic file-by-file data compression, data migration, disk space quotas for individual users, block suballocation, and high-capacity storage systems support, as well as NDS print services. NT is missing all of these).
F-10
Novell vs. NT
• NT Pros:
– Cost of OS and Client connections (NT is considerably less expensive not
only for the OS but also per user).
– Hardware Compatibility (NT has more drivers)
– Futuristic Issues (NT has more tools and applications being developed)
• Issues of stability, installation and upgrades become
cloudy and involve many variables such as:
– level of hardware
– knowledge of Administrators
F-11
Factors Convincing
Customers to buy NetWare.
• Novell’s Overall performance
– Novell’s customers gave high marks for product effectiveness,
product price, and ease of doing business.
• Novell’s Sales and Marketing Strategy.
– Novell’s sales and marketing strategy focused on the following:
1 Sales and marketing information made available on the Internet, through NetWare user groups, and at trade shows.
2 Educational training courses about their products, offered at a low price.
3 Advertising in trade publications, web publications, and web advertising.
F-12
Factors Convincing
Customers to buy NetWare.
• Your Product Selection Process.
– NetWare performance.
– Its Flexibility and Stability.
– Novell’s reputation as a market leader, technology innovator, and
developer of quality products.
– NetWare meets the needs of future computing.
• Your Purchasing Plans
– 95% of the customers said they will purchase NetWare because of its reliability, security, and ease of use.
– 83% of the customers plan to purchase or upgrade to IntranetWare or another version of NetWare within the next 12 months for the above reasons.
F-13
What makes Novell an
Industry Leader?
• Novell has $1 billion in cash, $ 1 billion a year in
revenue, almost 5,000 employees worldwide,
and a very strong brand.
• NetWare has a user base of 65 million plus.
GroupWise has shot up to more than 8 million
users.
• Novell is a viable company and knows
networking.
• Novell’s reputation as a market leader,
technology innovator, and developer of quality
products.
F-14
What are Novell’s
advertising plans for the
next six months
• Novell is focusing on advertising.
• The new marketing manager tends to be
focused on publications that make a difference
to their customers such as trades publications,
various web publications, and web advertising.
• Novell’s new marketing managers are to be more engaged with industry analysts, consultants, and trade press editors, who make up a lot of the opinion leaders about Novell in general.
F-15
What are Novell’s advertising plans
for the next six months (cont.)
• New management stated that the most important thing about advertising is consistency in targeting their customers.
• New management believes that Novell understands networking very well; therefore releasing new products on time, such as Border-Manager and GroupWise (5.2), makes them very competitive in the market.
• Talking to the developers and customers about their products can shape their marketing plan.
F-16
IPX Protocol
• Netware uses the IPX protocol to send and
receive information on the network.
• IPX is provided by the IPXODI.COM driver.
• IPX is a protocol similar to IP from the TCP/IP world.
• It is a datagram protocol, meaning that it does not provide for much error checking.
• It sends a packet and assumes that it was received.
F-17
IPX Protocol and Routing
• Network addresses are assigned to a network
by a router or similar device.
• A network address in the IPX world is 8
hexadecimal digits.
• Hexadecimal is denoted by a leading 0x
• In a single network with no routers your network
address would be 0x00000000 by default.
F-18
IPX/ODI Stack
• Older versions of NetWare used the IPX
protocol in a single driver which had the
network interface card driver linked into it.
• To provide greater functionality, Novell
developed the ODI stack which is divided into
layers.
• The lower layer is the ODI LAN driver, also known as the MLID (e.g. NE2000.com).
F-19
IPX/ODI Stack (cont.)
• This driver is responsible for providing access to the hardware itself.
• Depending on your network, you may want to select from four different frame types:
– Ethernet_802.3 (old default)
– Ethernet_802.2 (new default)
– Ethernet_II
– Ethernet_SNAP
F-20
IPX/ODI Stack (cont.)
• The next layer up is the ODI Link Support Layer
(LSL).
• Though it is the second layer up, it is loaded
first in the STARTNET.BAT to give the LAN
driver a place to link.
• The LSL enables the workstation to load several
different communication protocols and use
them simultaneously.
F-21
IPX/ODI Stack (cont.)
• On top of LSL is the protocol stack used by
Netware, IPX.
• It is loaded as part of the IPXODI.COM driver.
• It provides IPX/SPX services to applications that reside above it and hooks into the LSL to obtain access to the hardware.
• On top of IPX are the applications that use it. They include SERVER.EXE, CLIENT.EXE, NET.EXE, etc.
F-22
• IPX: Addresses, data packets
• RIP, SAP, NLSP
• NCP, Packet burst
• TCP over IPX
• NDS
• IP/IPX Gateway/Firewall
• Mobile IPX
• NetWare Network Security
F-23
What is IPX?
• “Internetworking Packet Exchange”
• Derived from Xerox’s SPX
• Data packet format and addressing
• Performs the same function as IP (connectionless, best-effort, routable protocol)
F-24
The story begins with the Data Link Layer
• LANs (e.g., Ethernet) are multiaccess links
• To transmit on a LAN, you need a header which contains a source and destination address
• A “routable” packet on Ethernet has two headers: Ethernet and IPX (or IP, or Appletalk, or CLNP, etc.)
• The LAN source and destination are ultimate source and destination
[Figure: a packet travelling from S to D through routers; frame layout: Ethernet hdr | IPX hdr | data]
F-25
802 Addresses
[Figure: 802 address layout: OUI, group/individual bit, globally/locally assigned bit]
• Assigned in blocks of 2^24
• Given 23 byte constant (Organizationally Unique Identifier), plus group/individual bit
• Address all 1’s intended to mean “broadcast”, i.e., “everyone”, which is nonsense. Really each protocol should use its own multicast address to mean all nodes that speak that protocol
F-26
Multi-Lingual Environments
• You can speak lots of things (IP, CLNP, IPX, Appletalk, etc.)
• Someone hands you a pile of bits. What is it?
– Maybe we were careful -- yeah, right
– Maybe we were lucky -- yeah, right
• Conclusion: not enough information in the packet header to differentiate -- need an extra field in the data link header to say what it is
– protocol type: well-known (globally administered) values, one field in header
– SAP (service access point) or socket: locally administered, one for dest, one for source
– Don’t confuse “SAP” with IPX’s Service Advertisement Protocol!
F-27
Packet HDRs on CSMA/CD
Ethernet frame (field: bytes):
pream 8 | dest 6 | src 6 | pt 2 | data 46-1500 | fcs 4
802.3 frame (field: bytes):
pream 8 | dest 6 | src 6 | ln 2 | dsap 1 | ssap 1 | ctl 1 | data 43-1497 | fcs 4
Format of SAP: G/I bit, G/L bit, then the SAP value
F-28
How the SAPs work
• Notice the “global/local” bit -- those SAPs are globally assigned! If you are a very privileged protocol, and obtain one of these, you’d set DSAP=SSAP= your assigned SAP value
• How does it work if you’re not a privileged protocol? Uh…
• World class kludge -- get a SAP value assigned to mean “underprivileged protocol”. Called SNAP SAP (SubNetwork Access Protocol), and it = aa hex.
• If DSAP=SSAP=aa hex, then after CTL is a protocol type field
• The protocol type is 5 bytes long
• Convention: 0.0.0.protocol-type allows 2 octet Ethertypes to fit into 5 octets
• Confused? You’re in good company
F-29
IPX
IPX header (field: bytes):
checksum 2 | pkt length 2 | transport ctl (hop ct) 1 | pkt type 1 | dest net 4 | dest node 6 | dest socket 2 | src net 4 | src node 6 | src socket 2
• Note: checksum isn’t implemented and is set to FFFF hex. Good thing. Why? See next slide.
F-30
IPX on CSMA/CD
• Ethernet format. Protocol type=8137 hex
• Raw 802.3 --- leave out all multiplexing! Start IPX packet where DSAP should be, so checksum covers DSAP and SSAP
• SNAP --- DSAP=SSAP=SNAP (aa hex), protocol type=0.0.0.81.37
• 802.2 --- DSAP=SSAP=E0 hex
• Cope with multiple formats by treating LAN as multiple logical LANs, and routers translate formats
[Figure: one physical LAN carrying two logical LANs (stations A and b on each); routers R translate between the frame formats]
F-31
Frame layouts for the four IPX encapsulations (field: bytes):
Ethernet: dst 6 | src 6 | 8137 2 | IPX packet
“Raw 802.3”: dst 6 | src 6 | lnth 2 | IPX packet
802.2 format: dest 6 | src 6 | ln 2 | E0 1 | E0 1 | 3 1 | IPX packet 43-1497
SNAP format: dest 6 | src 6 | ln 2 | AA 1 | AA 1 | 3 1 | 0.0.0.81.37 5 | IPX packet 43-1497
F-32
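As an added illustration (not from the slides): the following Python builds an IPX packet with the 30-byte header described above, wraps it in each of the four framings, and recognises the framing on receipt. It applies the rules the slides give: Ethernet II is identified by protocol type 8137 hex; “raw” 802.3 by the FFFF checksum sitting where DSAP/SSAP would be; 802.2 by DSAP=SSAP=E0; SNAP by DSAP=SSAP=AA followed by protocol type 0.0.0.81.37. The node addresses, sockets and payload are constructed sample values; preamble and FCS are left out.

```python
import struct

IPX_ETHERTYPE = 0x8137                              # Ethernet II protocol type for IPX
IPX_LSAP = 0xE0                                     # 802.2: DSAP = SSAP = E0 hex
SNAP_SAP = 0xAA                                     # SNAP: DSAP = SSAP = AA hex
SNAP_IPX_PROTOCOL = bytes.fromhex("0000008137")     # 5-byte SNAP protocol type 0.0.0.81.37
IPX_HEADER_LEN = 30
LLC_UI = 0x03                                       # control byte used in both LLC framings

def build_ipx(pkt_type, dst, src, payload):
    """dst/src are (net, 6-byte node, socket). Checksum is not implemented: always FFFF."""
    hdr = struct.pack(">HHBB", 0xFFFF, IPX_HEADER_LEN + len(payload), 0, pkt_type)
    hdr += struct.pack(">I6sH", *dst) + struct.pack(">I6sH", *src)
    return hdr + payload

def parse_ipx(buf):
    if len(buf) < IPX_HEADER_LEN:
        raise ValueError("short IPX packet")
    checksum, length, hops, pkt_type = struct.unpack_from(">HHBB", buf, 0)
    if checksum != 0xFFFF:
        raise ValueError("IPX checksum field must be FFFF (not implemented)")
    if not IPX_HEADER_LEN <= length <= len(buf):
        raise ValueError("IPX length field inconsistent with frame")
    dnet, dnode, dsock = struct.unpack_from(">I6sH", buf, 6)
    snet, snode, ssock = struct.unpack_from(">I6sH", buf, 18)
    return {"hops": hops, "type": pkt_type, "dst": (dnet, dnode.hex(), dsock),
            "src": (snet, snode.hex(), ssock), "payload": buf[IPX_HEADER_LEN:length]}

def frame(encap, dst_mac, src_mac, ipx):
    """Wrap an IPX packet in one of the four framings (preamble and FCS omitted)."""
    if encap == "Ethernet_II":
        return dst_mac + src_mac + struct.pack(">H", IPX_ETHERTYPE) + ipx
    if encap == "Ethernet_802.3":          # raw: IPX starts where DSAP should be
        llc = b""
    elif encap == "Ethernet_802.2":
        llc = bytes([IPX_LSAP, IPX_LSAP, LLC_UI])
    elif encap == "Ethernet_SNAP":
        llc = bytes([SNAP_SAP, SNAP_SAP, LLC_UI]) + SNAP_IPX_PROTOCOL
    else:
        raise ValueError(f"unknown framing {encap}")
    return dst_mac + src_mac + struct.pack(">H", len(llc) + len(ipx)) + llc + ipx

def parse_frame(buf):
    """Return (framing name, parsed IPX) or raise if the frame does not carry IPX."""
    type_or_len = struct.unpack_from(">H", buf, 12)[0]
    if type_or_len >= 0x0600:                                   # Ethernet II: protocol type
        if type_or_len != IPX_ETHERTYPE:
            raise ValueError("Ethernet II frame is not IPX")
        return "Ethernet_II", parse_ipx(buf[14:])
    body = buf[14:14 + type_or_len]                             # 802.3: length field
    if body[:2] == b"\xff\xff":                                 # checksum where DSAP/SSAP would be
        return "Ethernet_802.3", parse_ipx(body)
    if len(body) >= 3 and body[0] == body[1] == IPX_LSAP and body[2] == LLC_UI:
        return "Ethernet_802.2", parse_ipx(body[3:])
    if len(body) >= 8 and body[0] == body[1] == SNAP_SAP and body[2] == LLC_UI \
            and body[3:8] == SNAP_IPX_PROTOCOL:
        return "Ethernet_SNAP", parse_ipx(body[8:])
    raise ValueError("802.3 frame does not carry IPX in a known framing")

# Constructed sample: an NCP request (pkt type 17, socket 451 hex) between two nodes on net 57
DST = (0x00000057, bytes.fromhex("00001b2c3d4e"), 0x0451)
SRC = (0x00000057, bytes.fromhex("0000c0aabbcc"), 0x4003)
SAMPLE_IPX = build_ipx(17, DST, SRC, b"\x22\x22\x00\x00")
FRAMINGS = ("Ethernet_II", "Ethernet_802.3", "Ethernet_802.2", "Ethernet_SNAP")

def demo():
    """Wrap the sample in every framing and check each is recognised and decoded."""
    return {f: parse_frame(frame(f, DST[1], SRC[1], SAMPLE_IPX)) for f in FRAMINGS}
```

The FFFF test is why the slide calls the unimplemented checksum a “good thing”: a receiver can tell raw 802.3 apart from the LLC framings by looking at the two bytes where DSAP and SSAP would be, and a frame whose IPX header does not start with FFFF is rejected rather than guessed at.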
Defined Packet Types
0 -- unknown packet type
1 -- RIP
2 -- reserved (was Echo protocol)
3 -- reserved (was Error handler)
4 -- “packet exchange packet” used by most things (like SAP, TCP over IPX)
5 -- SPX
17 -- NCP
20 -- Flooded (used for Netbios)
F-33
Assigned Sockets
451 (hex) NCP
452 SAP
453 RIP
455 Netbios
456 Diagnostics
4000-7FFF Dynamically assigned
8000-FFFF Novell assigned
9001 NLSP
9004 IPX Wan version 2
F-34
Addresses
• 802 addresses have no geographic hints -- like routing to social security number -- known as “flat address”
• Generic hierarchical address: locator.node
• IP, IPX, Appletalk: locator is specific to a LAN
• CLNP, DECnet Ph4, (maybe IPv6): locator is an entire region called an “area” -- could be a single LAN but can be bigger
F-35
Comparative Addresses (locator bytes, node bytes)
IP: 4 bytes total; boundary between locator and node depends on mask
IPX: 4, 6
DECnet Ph IV: 2 bytes total; 6 bits area, 10 bits node
Appletalk: 2, 1
CLNP: up to 14, 6
IPv6: 8, 8 (?)
F-36
IP
• Each node configured with (address, mask)
• Can tell if someone is on same LAN if: (your addr. AND mask) = (dst. addr AND mask)
• If on same LAN, still need LAN address
• Use ARP protocol -- broadcast “who has IP address…”, target replies (everyone else ignores)
F-37
IPX
• Endnodes autoconfigure based on IEEE address
• Ask router for 4 byte network number
• Fill in IEEE address in bottom 6 bytes
• Someone is on your LAN if net # matches
• No ARP! Use bottom 6 bytes as IEEE address
• Better than IP:
– more net #s
– autoconfigures
– No ARP overhead
• So why these misconceptions that IPX is “LAN-only”, “doesn’t scale”, etc.?
F-38
Endnode Operation
• Ask routers (via broadcast DL address) to get LAN # in the beginning
• To talk to N.x, if N is your net #, talk directly (using DL address x).
• To talk to N.x where N is not your net, ask routers “who can get me to net N?”
• Routers that have a path to N (other than on the link from which the query arrived) respond
• Use that router to get to N
F-39
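An added example (not from the slides) that puts the IP and IPX rules from the last three slides side by side in Python: the IP same-LAN test with (address, mask), the IPX endnode address built from a router-supplied net number and the node’s own IEEE address, and the next-hop decision that needs no ARP on the same net and a router query otherwise. The router model, the LAN names “lan57”/“lan29”/“lan91” and all addresses are constructed.

```python
import ipaddress

def ip_same_lan(my_addr, mask, dst_addr):
    """IP rule from the slides: (your addr AND mask) == (dst addr AND mask)."""
    m = int(ipaddress.IPv4Address(mask))
    mine = int(ipaddress.IPv4Address(my_addr)) & m
    theirs = int(ipaddress.IPv4Address(dst_addr)) & m
    return mine == theirs

def ipx_autoconfigure(net_from_router, ieee_addr):
    """IPX endnode address: 4-byte net # learned from a router + own 6-byte IEEE address."""
    node = bytes.fromhex(ieee_addr.replace(":", "").replace("-", ""))
    if len(node) != 6:
        raise ValueError("IEEE 802 address must be 6 bytes")
    if not 0 <= net_from_router <= 0xFFFFFFFF:
        raise ValueError("network number must fit in 4 bytes")
    return (net_from_router, node)

def ipx_to_str(addr):
    net, node = addr
    return f"{net:08X}.{node.hex().upper()}"

def ipx_same_lan(my_addr, dst_addr):
    """IPX rule: same LAN iff the network numbers match. No mask, no ARP."""
    return my_addr[0] == dst_addr[0]

class Router:
    """Constructed model of a router answering 'who can get me to net N?'."""
    def __init__(self, name, dl_addr, links):
        self.name = name
        self.dl_addr = dl_addr      # its IEEE address on the querying endnode's LAN
        self.links = links          # {link name: set of nets reachable over that link}

    def answers(self, net, query_link):
        # Respond only with a path other than on the link the query arrived from
        return any(net in nets for link, nets in self.links.items() if link != query_link)

def next_hop_dl(my_addr, dst_addr, routers, my_link):
    """Data-link destination to put in the LAN header when sending to dst_addr."""
    if ipx_same_lan(my_addr, dst_addr):
        return dst_addr[1]           # the bottom 6 bytes already are the IEEE address
    responders = [r for r in routers if r.answers(dst_addr[0], my_link)]
    if not responders:
        raise LookupError(f"no router on {my_link} can reach net {dst_addr[0]:08X}")
    return responders[0].dl_addr     # any responder will do; first reply wins

# Constructed sample LAN: net #57 with two routers and one peer endnode
ME = ipx_autoconfigure(0x57, "00:00:c0:aa:bb:cc")
PEER = ipx_autoconfigure(0x57, "00:00:c0:11:22:33")
FAR = (0x29, bytes.fromhex("00001b2c3d4e"))         # endnode y on net #29
ROUTERS = [
    Router("R1", bytes.fromhex("0000c0000001"), {"lan57": {0x57}, "lan29": {0x29}}),
    Router("R2", bytes.fromhex("0000c0000002"), {"lan57": {0x57}, "lan91": {0x91}}),
]

def demo():
    return {
        "addr": ipx_to_str(ME),
        "peer_dl": next_hop_dl(ME, PEER, ROUTERS, "lan57").hex(),
        "far_dl": next_hop_dl(ME, FAR, ROUTERS, "lan57").hex(),
    }
```

Only R1 answers the query for net #29, because R2 has no path to it except back over the LAN the query came from; that is the “other than on the link from which the query arrived” rule on the slide.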
Internal Network Number
[Figure: server S attached to net #57 (node x) and net #29 (node y); router R also joins the two nets; client C on net #29]
• S has two possible addresses: 57.x and 29.y
• If S chooses 57.x, C will ask routers for “57”; both R and S respond
• If C chooses R, packets go an extra hop
• Solution: Internal network number
F-40
Internal Network Number
[Figure: same topology, with S now also on internal “net” 91 in addition to net #57 (node x) and net #29 (node y)]
• S chooses address 91.1
• S will respond to RIP query
F-41
New Topic: Routing Algorithms
• Want to build “forwarding database”: table of (dest, nbr)
• Two types of routing algorithm: distance vector (e.g., RIP), link state (e.g., NLSP)
F-42
Distance Vector Routing
• You know the following:
– your own ID
– how many cables are hanging off your box
– the cost of going through each cable to whatever is at the end
[Figure: your router with four cables j, k, m and n (costs 3, 2, 2 and 7)]
• Purpose of routing algorithm: come up with forwarding database, telling you which neighbor to send to for each possible destination
• Do this by exchanging distance vectors, which tell transmitters the distance to each destination
F-43
[Figure: worked distance vector example. You are destination #4, with cables j, k, m and n (costs 3, 2, 2 and 7). For destinations #1 through #11 the table shows the distance vector received from cable j, from cable k, from cable m and from cable n, your own calculated distance vector, and your forwarding table (which of j, k, m, n to use for each destination)]
F-44
Looping Problem
[Figure: a network of routers A, B, C, D, J, K, S, V, W, X, Z, with a slow link to D]
F-45
Split Horizon
• Alleviates (does not solve!) looping problem
• Many variants
• Don’t announce path to D on link L if some other router on L is announcing a better path on L
• If you only keep a single “best path”, then the link L on which you forward to D is the only one split horizon applies to
[Figure: a 2-router loop (A, B) toward D, which split horizon solves, and a 3-router loop (A, B, C) toward D, which split horizon does not solve]
F-46
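Added example (not from the slides) covering the distance vector computation of slide F-43/F-44 and the split horizon rule above, in Python. The four-cable topology and the received vectors are constructed (the slide’s own table values are not used), with the cable costs j=3, k=2, m=2, n=7 assumed. The second function replays the two-router looping case: a destination D behind B disappears, and the exchange rounds are counted until both routers have forgotten it, with and without split horizon.

```python
INFINITY = 16   # count-to-infinity bound used by IPX-RIP (hops)

def compute_distance_vector(self_id, link_costs, received):
    """
    link_costs: {cable: cost of that cable}
    received:   {cable: {dest: distance reported by the neighbor on that cable}}
    Returns (own distance vector {dest: distance}, forwarding table {dest: cable}).
    """
    own, fwd = {self_id: 0}, {self_id: None}
    for cable, vector in received.items():
        for dest, reported in vector.items():
            total = link_costs[cable] + reported
            if total >= INFINITY:
                continue                          # "infinity": unreachable via this cable
            if dest not in own or total < own[dest]:
                own[dest], fwd[dest] = total, cable
    return own, fwd

def announcement(own, fwd, cable):
    """Split horizon: do not announce dest D on the cable you forward D over."""
    return {dest: dist for dest, dist in own.items() if fwd[dest] != cable}

# Constructed four-cable example: you are #4 with cables j, k, m, n
LINK_COSTS = {"j": 3, "k": 2, "m": 2, "n": 7}
RECEIVED = {
    "j": {1: 0, 2: 5, 3: 3},
    "k": {1: 4, 2: 2, 5: 6},
    "m": {2: 3, 3: 1, 6: 2},
    "n": {5: 1, 6: 2, 7: 4},
}

def count_to_infinity_rounds(split_horizon):
    """
    Two routers A and B joined by cable L (cost 1). D hung off B (cost 1) and has just
    died: B no longer lists D, while A still believes D is 2 away through B.
    Returns how many exchange rounds pass before both have forgotten D.
    """
    a_vec, a_fwd = {"A": 0, "B": 1, "D": 2}, {"A": None, "B": "L", "D": "L"}
    b_vec, b_fwd = {"B": 0, "A": 1}, {"B": None, "A": "L"}
    for rounds in range(1, 1000):
        a_to_b = announcement(a_vec, a_fwd, "L") if split_horizon else dict(a_vec)
        b_to_a = announcement(b_vec, b_fwd, "L") if split_horizon else dict(b_vec)
        a_vec, a_fwd = compute_distance_vector("A", {"L": 1}, {"L": b_to_a})
        b_vec, b_fwd = compute_distance_vector("B", {"L": 1}, {"L": a_to_b})
        if "D" not in a_vec and "D" not in b_vec:
            return rounds
    return None
```

Without split horizon the two routers hand D back and forth, each round adding one hop, until the distance reaches the “infinity” of 16; with split horizon A never tells B about a destination it reaches through B, and the stale route dies in one round.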
IPX-RIP
• Not the best possible distance vector protocol
• IPX’s RIP is similar to IP’s RIP
• Send distance vector periodically (60 sec)
• Only remember best path. Forget it if not reminded (180 sec)
• IPX-RIP has two metrics: hops, and ticks (supposedly delay, units of 1/18ths of sec):
dest | hops | (ticks) | port | DL add | age
A | 5 | 7 | 1 | a | 2
B | 12 | 17 | 2 | c | 37
X | 3 | 3 | 1 | a | 15
G | 6 | 7 | 1 | d | 1
• Best path uses ticks. Hops for count-to-infinity (infinity=16)
• events: time, route reported (> = or <)
F-47
IPX RIP
• First comes LAN header (p-type or SAP=IPX)
• Then IPX hdr, pkt type=1, socket=453 hex
• Then RIP info. Up to 50 nets per packet
RIP packet layout (field: bytes):
operation 2 | net # 4 | hops 2 | ticks 2 | net # 4 | hops 2 | ticks 2 | … | final net # announcement
• operation: 1=req, 2=resp
• the three fields net #, hops, ticks repeat up to 50 times
• In query: net=FFFFFFFF means “all”
F-48
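An added Python example (not from the slides) for the two RIP slides: it packs and unpacks the RIP payload carried on socket 453 hex (operation, then up to 50 entries of net #, hops, ticks), and keeps a route table in the shape of slide F-47, choosing the best path on ticks first and hops second, treating 16 hops as infinity, and forgetting routes not reminded within 180 seconds. The neighbors “a” and “c”, their port tick costs and the announced nets are constructed.

```python
import struct

RIP_SOCKET = 0x0453
OP_REQUEST, OP_RESPONSE = 1, 2
RIP_ENTRY = struct.Struct(">IHH")      # net #, hops, ticks (each entry 8 bytes)
MAX_ENTRIES = 50                       # up to 50 nets per packet
ALL_NETS = 0xFFFFFFFF                  # in a query: "all"
INFINITY = 16                          # hops; used for count-to-infinity
ROUTE_LIFETIME = 180                   # seconds; forget a route if not reminded

def build_rip(operation, entries):
    """entries: list of (net, hops, ticks); returns the IPX payload for socket 453 hex."""
    if operation not in (OP_REQUEST, OP_RESPONSE):
        raise ValueError("operation must be 1 (request) or 2 (response)")
    if len(entries) > MAX_ENTRIES:
        raise ValueError("up to 50 nets per packet")
    return struct.pack(">H", operation) + b"".join(RIP_ENTRY.pack(*e) for e in entries)

def parse_rip(payload):
    if len(payload) < 2 or (len(payload) - 2) % RIP_ENTRY.size:
        raise ValueError("malformed RIP payload")
    count = (len(payload) - 2) // RIP_ENTRY.size
    if count > MAX_ENTRIES:
        raise ValueError("more than 50 entries")
    operation = struct.unpack_from(">H", payload, 0)[0]
    entries = [RIP_ENTRY.unpack_from(payload, 2 + i * RIP_ENTRY.size) for i in range(count)]
    return operation, entries

class RipTable:
    """Best path per net, selected on ticks first and hops second, like the slide's table."""
    def __init__(self):
        self.routes = {}    # net -> {hops, ticks, port, dl_addr, heard}

    def receive(self, port, dl_addr, port_ticks, entries, now):
        """Process a RIP response heard on `port` from neighbor `dl_addr`."""
        for net, hops, ticks in entries:
            hops, ticks = hops + 1, ticks + port_ticks      # add this link's cost
            cur = self.routes.get(net)
            same_nbr = cur is not None and cur["port"] == port and cur["dl_addr"] == dl_addr
            if hops >= INFINITY:
                if same_nbr:
                    del self.routes[net]                    # our next hop says it is gone
                continue
            if cur is None or same_nbr or (ticks, hops) < (cur["ticks"], cur["hops"]):
                self.routes[net] = dict(hops=hops, ticks=ticks, port=port,
                                        dl_addr=dl_addr, heard=now)

    def expire(self, now):
        for net in [n for n, r in self.routes.items() if now - r["heard"] > ROUTE_LIFETIME]:
            del self.routes[net]

    def best(self, net):
        r = self.routes.get(net)
        return (r["port"], r["dl_addr"]) if r else None

# Constructed sample: nets A, B, X; neighbor "a" (port 1, 1 tick), neighbor "c" (port 2, 5 ticks)
NET_A, NET_B, NET_X = 0x0000000A, 0x0000000B, 0x0000001A

def demo():
    table = RipTable()
    _, from_a = parse_rip(build_rip(OP_RESPONSE, [(NET_A, 4, 6), (NET_X, 2, 2)]))
    _, from_c = parse_rip(build_rip(OP_RESPONSE, [(NET_B, 11, 12), (NET_A, 1, 1)]))
    table.receive(1, "a", 1, from_a, now=0)
    table.receive(2, "c", 5, from_c, now=0)
    after_updates = {n: table.best(n) for n in (NET_A, NET_B, NET_X)}
    table.receive(1, "a", 1, from_a, now=60)          # "a" reminds us; "c" stays silent
    table.expire(now=200)
    after_expiry = {n: table.best(n) for n in (NET_A, NET_B, NET_X)}
    return after_updates, after_expiry
```

Net A is first learned through “a” at 5 hops / 7 ticks and then replaced by the path through “c” at 2 hops / 6 ticks, because ticks decide; the later reminder from “a” does not win it back. When “c” stops announcing, its routes age out at 180 seconds while the refreshed route through “a” survives.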
“Default Route”
• Original version of IPX: if path to D not known, drop packet
• Then “default route” got added
• Net # -2 (FF FF FF FE) means “default”
• If you don’t have a path to D, but have a path to -2, then route towards -2
[Figure: R1 connected to R2, which is connected to the backbone]
• R2 announces to R1 that it can reach “-2”
• Can configure filtering rules per link, and where to advertise -2
F-49
IPX Packet Type 20
[Figure: router R attached to LANs 97, 8, 22 and 15]
• Receive, on LAN 97: packet type 20 with path: 6,71,8,11,97
• Forward onto LAN 22: 6,71,8,11,97,22
• Forward onto LAN 15: 6,71,8,11,97,15
• Don’t forward onto LAN 8
• Exponential # of pkts
F-50
Compatible Fix
• Called “reverse path forwarding”
• Only accept packet type 20 from source S from
neighbor N if N is best path towards S
• Changes exponential into n squared
• Each router only floods packet once
F-51
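Added simulation (not from the slides) in Python of the two slides above: one router’s forwarding rule for a type 20 packet carrying the list of LANs it has crossed, then a flood through a small constructed mesh of LANs and routers, counted once with the plain rule and once with reverse path forwarding (accept the packet only on the LAN that is the router’s best path toward the source, and flood once). The mesh of four LANs and five routers, and the limit of 8 LAN numbers per packet, are assumptions for the example.

```python
from collections import deque

MAX_PATH_LANS = 8     # assumed: a type 20 packet records up to 8 LAN numbers it has crossed

def forward_type20(received_on, path, attached_lans):
    """One router's rule from the slide: copy onto each attached LAN not already in the path."""
    return [(lan, path + (lan,)) for lan in attached_lans
            if lan != received_on and lan not in path]

def best_lan_toward(routers, source_lan):
    """For each router, the attached LAN on its shortest path (in router hops) to source_lan."""
    dist, queue = {source_lan: 0}, deque([source_lan])
    while queue:
        lan = queue.popleft()
        for lans in routers.values():
            if lan in lans:
                for other in lans:
                    if other not in dist:
                        dist[other] = dist[lan] + 1
                        queue.append(other)
    return {r: min(lans, key=lambda l: dist.get(l, float("inf"))) for r, lans in routers.items()}

def flood(routers, source_lan, reverse_path_forwarding):
    """
    Simulate one type 20 packet originating on source_lan; return the number of LAN
    transmissions. Without RPF every router copies the packet onto each attached LAN not
    already in the path. With RPF a router accepts the packet only on the LAN that is its
    best path toward the source, and floods it once.
    """
    best = best_lan_toward(routers, source_lan) if reverse_path_forwarding else None
    transmissions, flooded = 0, set()
    queue = deque([(source_lan, (source_lan,))])
    while queue:
        lan, path = queue.popleft()
        for router, lans in routers.items():
            if lan not in lans:
                continue
            if reverse_path_forwarding:
                if best[router] != lan or router in flooded:
                    continue
                flooded.add(router)
            if len(path) >= MAX_PATH_LANS:
                continue
            for out, new_path in forward_type20(lan, path, lans):
                transmissions += 1
                queue.append((out, new_path))
    return transmissions

# Constructed mesh: four LANs joined by five routers, with redundant paths
ROUTERS = {"R1": (1, 2), "R2": (1, 3), "R3": (2, 3), "R4": (2, 4), "R5": (3, 4)}

def demo():
    """(transmissions without RPF, transmissions with RPF) for a packet born on LAN 1."""
    return flood(ROUTERS, 1, False), flood(ROUTERS, 1, True)
```

With RPF the count equals the number of routers, each flooding exactly once; without it every distinct loop-free path through the mesh produces its own copy, which is the growth the slide calls exponential.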
SAP (Service Advertisement Protocol)
• Nothing to do with Data Link SAP for multiplexing!!!
• Similar to RIP, but advertises service names rather than net #s
• Up to 7 services per SAP packet
SAP packet layout (field: bytes):
operation 2 | Service type 2 | Service name 48 | IPX full address 12 | hops 2 | Service type 2 | Service name 48 | IPX full address 12 | hops 2 | …
F-52
Fascinating SAP Facts
• Operations:
1 = query for all of a certain type (or type FFFF)
2 = response to 1 or periodic broadcast
3 = get nearest server request
4 = get nearest server reply
• “Nearest server” wasn’t well specified -- now specified that it is based on RIP ticks
• Split horizon wasn’t well specified -- now based on SAP hops
• Service types: 3=print queue, 4=file server, 5=job server, 7=print server, 9=archive server, 24=remote bridge server, 47=advertising print server
F-53
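Added Python example (not from the slides) for the SAP format and operations above: it packs and unpacks the 64-byte service entries (type, 48-byte name, 12-byte IPX full address, hops), at most 7 per packet, filters a response by requested type (FFFF meaning all types), and picks the “nearest server” by RIP ticks to the server’s net with SAP hops as the tiebreak, as the slide says is now specified. The servers, their addresses and the tick distances are constructed; the service type codes 24 and 47 from the slide are read as hex, which is an assumption.

```python
import struct

SAP_SOCKET = 0x0452
# operation 2 | type 2 | name 48 | net 4 | node 6 | socket 2 | hops 2 : 64 bytes per service
SAP_ENTRY = struct.Struct(">H48sI6sHH")
MAX_SERVICES = 7
ALL_TYPES = 0xFFFF
OPERATIONS = {1: "query for all of a type", 2: "response / periodic broadcast",
              3: "get nearest server request", 4: "get nearest server reply"}
# Service type codes as listed on the slide; 24 and 47 taken as hex (assumption)
SERVICE_TYPES = {0x3: "print queue", 0x4: "file server", 0x5: "job server",
                 0x7: "print server", 0x9: "archive server",
                 0x24: "remote bridge server", 0x47: "advertising print server"}

def build_sap(operation, services):
    """services: list of dicts with type, name, net, node (6 bytes), socket, hops."""
    if operation not in OPERATIONS:
        raise ValueError("unknown SAP operation")
    if len(services) > MAX_SERVICES:
        raise ValueError("up to 7 services per SAP packet")
    out = struct.pack(">H", operation)
    for s in services:
        name = s["name"].encode("ascii")
        if len(name) > 47:
            raise ValueError("service name must leave room for a NUL in 48 bytes")
        out += SAP_ENTRY.pack(s["type"], name, s["net"], s["node"], s["socket"], s["hops"])
    return out

def parse_sap(payload):
    if len(payload) < 2 or (len(payload) - 2) % SAP_ENTRY.size:
        raise ValueError("malformed SAP payload")
    operation = struct.unpack_from(">H", payload, 0)[0]
    services = []
    for off in range(2, len(payload), SAP_ENTRY.size):
        t, name, net, node, sock, hops = SAP_ENTRY.unpack_from(payload, off)
        services.append(dict(type=t, name=name.split(b"\0", 1)[0].decode("ascii"),
                             net=net, node=node, socket=sock, hops=hops))
    if len(services) > MAX_SERVICES:
        raise ValueError("more than 7 services")
    return operation, services

def matches_query(service, wanted_type):
    return wanted_type == ALL_TYPES or service["type"] == wanted_type

def nearest_server(replies, ticks_to_net):
    """Nearest = fewest RIP ticks to the server's net (now the specified rule); SAP hops break ties."""
    return min(replies, key=lambda s: (ticks_to_net.get(s["net"], float("inf")), s["hops"]))

# Constructed sample: two file servers and one print queue
FS1 = dict(type=4, name="FS1", net=0x57, node=bytes.fromhex("000000000001"), socket=0x0451, hops=3)
FS2 = dict(type=4, name="FS2", net=0x29, node=bytes.fromhex("000000000001"), socket=0x0451, hops=5)
PQ = dict(type=3, name="LASER_Q", net=0x57, node=bytes.fromhex("000000000001"), socket=0x4006, hops=3)
TICKS_TO_NET = {0x57: 2, 0x29: 1}    # constructed RIP tick distances to each net

def demo():
    """Round-trip a periodic broadcast, keep the file servers, and choose the nearest one."""
    op, services = parse_sap(build_sap(2, [FS1, FS2, PQ]))
    file_servers = [s for s in services if matches_query(s, 4)]
    return op, [s["name"] for s in file_servers], nearest_server(file_servers, TICKS_TO_NET)["name"]
```

FS2 wins despite its higher SAP hop count because ticks, not hops, decide nearness; the hop count only breaks a tie.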
Filtering SAP
• Suppose you want to filter, but still give authorized users access to everything
[Figure: server S1 behind router R1; user X on the far side of R1]
• R1 filters all but S1
• X can log into S1 to find other services
F-54
Bindery
• Database on Server in NetWare 2 and 3.x
• Contains all services learned from SAP (and aged if not refreshed)
• Contains configured entries
• Scanned by client using NCP “scan bindery object”
• Specify service type (or FFFF) and name (which can contain wildcard * and/or ?)
• Another problem: Not all servers the same. Sometimes “preferred server” not reachable from “nearest”. Also, pretty silly to get “nearest” and then query bindery for preferred.
• Result: more specific SAP query was added recently
F-55
More Specific SAP Query
• Two queries: 12 (decimal) for “all”, and 14 for “nearest”
• Response to 12 is 13. Response to 14 is 15
• Responses have the same format as today’s. Requests (12 and 14) have the following format (field: bytes):
operation 2 | Service type 2 | Service name 48 | Net # 4 | Net mask 4 | Service type 2 | Service name 48 | Net # 4 | Net mask 4 | …
• All fields can be specific, partially, or fully wildcarded
F-56
NLSP
• Link State routing protocol
• Almost the same as IS-IS. Similar to OSPF.
• Replaces RIP and SAP, but is compatible with
RIP/SAP routers
• Endnodes can’t tell the difference (NLSP still
answers RIP and SAP queries)
F-57
Link State Routing
• Meet your neighbors
• Construct Link State Packet (LSP)
– who you are
– list of (neighbor, cost) pairs
• Broadcast the LSP to all routers
• Store latest LSP from every other node
• Compute routes
– Edsger Dijkstra’s algorithm
1 Put (SELF,0) on tree as Root
2 Look at LSP of node just placed on tree. If for any node N the cost c is the best path found so far, add (N,c) to the tree with a dotted line
3 Make shortest dotted line solid. Go to 2.
F-58
Example Dijkstra Calculation
[Figure: seven routers A through G. Link costs, reconstructed from the LSP table below: A-B 6, A-D 2, B-C 2, B-E 1, C-F 2, C-G 5, D-E 2, E-F 4, F-G 1]
LSP database (node: neighbor/cost):
A: B/6, D/2
B: A/6, C/2, E/1
C: B/2, F/2, G/5
D: A/2, E/2
E: B/1, D/2, F/4
F: C/2, E/4, G/1
G: C/5, F/1
F-59
Tree built from root C, in the order the dotted lines were made solid: C(0); B(2), F(2), G(5) dotted; B(2) solid, adds E(3), A(8); F(2) solid, improves G to G(3); E(3) solid, adds D(5); G(3) solid; D(5) solid, improves A to A(7); A(7) solid.
Final tree: C(0), B(2), F(2), E(3), G(3), D(5), A(7)
F-60
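Added Python example (not from the slides) implementing the three steps of slide F-58 and running them on the example graph, with the LSP database reconstructed from the slide’s table (the edge list is the reconstruction, not a figure from the original). The tentative entries are the slide’s “dotted lines” and the confirmed ones the “solid” tree; each entry also remembers which neighbor of the root it goes through, which yields the (dest, nbr) forwarding database of slide F-42. A two-way check on the LSP database is included because a router should only use links both ends report.

```python
# LSP database reconstructed from the slide's table: node -> {neighbor: cost}
LSPS = {
    "A": {"B": 6, "D": 2},
    "B": {"A": 6, "C": 2, "E": 1},
    "C": {"B": 2, "F": 2, "G": 5},
    "D": {"A": 2, "E": 2},
    "E": {"B": 1, "D": 2, "F": 4},
    "F": {"C": 2, "E": 4, "G": 1},
    "G": {"C": 5, "F": 1},
}

def check_two_way(lsps):
    """Links reported by only one side; a router should not route over these."""
    return sorted((a, b) for a, nbrs in lsps.items() for b in nbrs if a not in lsps.get(b, {}))

def dijkstra(lsps, root):
    """
    Slide F-58: the root goes on the tree (solid); the LSP of the node just made solid
    offers dotted (tentative) entries; the shortest dotted line becomes solid; repeat.
    Returns {node: (cost, first_hop)} where first_hop is the root's neighbor on the path.
    """
    solid = {}
    dotted = {root: (0, None)}
    while dotted:
        node = min(dotted, key=lambda n: dotted[n][0])      # step 3: shortest dotted line
        cost, first_hop = dotted.pop(node)
        solid[node] = (cost, first_hop)
        for nbr, link_cost in lsps[node].items():           # step 2: this node's LSP
            if nbr in solid:
                continue
            total = cost + link_cost
            hop = nbr if first_hop is None else first_hop   # neighbor of the root used
            if nbr not in dotted or total < dotted[nbr][0]:
                dotted[nbr] = (total, hop)
    return solid

def distances(tree):
    return {dest: cost for dest, (cost, _) in tree.items()}

def forwarding_database(tree):
    """The (dest, nbr) table of slide F-42, derived from the solid tree."""
    return {dest: hop for dest, (cost, hop) in tree.items() if hop is not None}

def demo():
    tree = dijkstra(LSPS, "C")
    return distances(tree), forwarding_database(tree)
```

Running from root C reproduces the slide’s final tree, including A improving from 8 (via B) to 7 once D is solid: the first hop for A is still B, since the cheaper path runs C-B-E-D-A.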
Meeting your Neighbors
• Pt-pt link: Say who you are. Negotiate protocol (NLSP or RIP), measure delay/throughput and calculate costs, client can be assigned address
• LAN
– multicast Hello
– List other routers you’ve heard (check 2-way connectivity)
– Elect “Designated Router”
F-61
Designated Router
• Wasteful if every router on LAN has big LSP
describing LAN (router nbrs, services, etc.)
• DR names the LAN (its 6 byte ID plus 1 byte),
say FOO.25
• Routers on LAN simply claim to be connected to
FOO.25
• DR sends an additional LSP from FOO.25,
giving all the info for the LAN
F-62
LAN LSPs
[Figure: routers R1 through R5 on one LAN; R1 is the DR and names the LAN R1.25. Each of R1, R2, R3, R4, R5 reports a single neighbor, R1.25; the pseudonode LSP issued for R1.25 lists R1, R2, R3, R4, R5 plus other LAN info, e.g. SAP]
F-63
Details of NLSP
• Three types of packets
– LSP
– Hello
– Sequence Numbers Packet (SNP)
• LSP lists neighbors. DR generates on behalf of LAN (pseudonode)
• Hello coordinates with neighbors
• SNP summarizes LSP database. Partial SNP (PSNP) acks LSP(s). Complete SNP (CSNP) gives all LSPs within a specified range.
– PSNP used on pt-pt links as LSP ack
– CSNP used on LAN by DR to summarize LSP database. No explicit acks to specific LSPs. If CSNP indicates discrepancy, ask for missing info, or transmit DR’s missing info
F-64
Summarizing addresses
• How can you specify a bunch of network numbers compactly?
– “all net numbers with 1st byte=5”
– “all net numbers between 31b82cf1 and 378291fc”
– “all net numbers that when masked with ff000000=5000000”
• IP uses (address, mask) pairs
• I prefer prefixes. More compact, no temptation or opportunity
to do noncontiguous masks
• First version of NLSP didn’t do summarizing, so every net
number had to be independently advertised
• Now NLSP has summarization capability
F-65
Areas
• LSPs are only sent within an area
• An area has a name consisting of up to 3 (net, mask) pairs
• It is best if all addresses in the area match one of the area addresses, and no addresses outside the area match
• Purpose of area addresses:
– To assure neighbors agree on area, so that areas don’t accidentally merge
– Used as default summary for area
• Filtering of SAP and routes, and summarization of network numbers, can be done at area boundaries
F-66
Info Leaking Between Areas
• Original NLSP document said connect areas via RIP or static configuration!
[Figure: areas R1 and R2 joined by a RIP link]
• The right way: run multiple instances of NLSP on a router
[Figure: router R on the boundary runs one NLSP instance in area R1 and one in area R2]
• Only boundary routers need to be able to run multiple instances of NLSP
F-67
Route Aggregation
• We’ve added the ability to summarize addresses into
NLSP
• A summary looks like (1 byte length, 4 byte address)
• Length is number of 1’s that would be in the mask if it
were a mask
• A router on the boundary introduces a summary
• A summary can be passed from area to area
• The summary includes an “area-count” to limit how far it
spreads
• Summaries work with filtering: “don’t advertise anything
of the form 5.*. Advertise the summary 5.*”
F-68
Default Route
• Special case summary that matches everything
• We’ve added default route to RIP
– network number -2
– RIP router: if dest not reachable, but -2 is reachable, route towards -2
[Figure: routers R1, R2, R3 and R4 attached to a backbone]
• NLSP has several ways of doing default:
– LSP says “I am a level 2 router”
– destination -2
– zero length prefix
F-69
SAP Info
• LSP contains SAP information
• Only one router (the one closest to service) puts
SAP info into LSP
• The SAP info does not need to be periodically
broadcast, and only one router transmits it, so it
saves bandwidth and memory
• Of course we still support endnodes that do
SAP queries, and we generate SAP to RIP router
neighbors
F-70
Coexistence with RIP/SAP
[Figure: RIP router R2 attached to NLSP router R1]
• R1 takes all dests and services learned through LSPs in NLSP and reports each in a RIP update to R2. R1 takes all RIP/SAP info learned from R2 and reports those as “external destinations” in its LSP within NLSP.
• R1 can be configured to report default route to RIP, and will be configurable to report ranges instead of individual network numbers, into NLSP (but not into RIP)
F-71
Large Nets with NLSP
[Figure: router R between areas R1 and R2]
• LSP can report “I can reach this range of addresses”
• Implementation can run two instances of NLSP, so that areas can be linked through NLSP rather than through RIP.
F-72
Basic topology:
[Figure: routers R1 through R6, a RIP cloud, and a backbone]
• R1 tells backbone a range. Backbone just tells * to R1 (when in doubt send to me). R6 reports default route (-2) to RIP. R6 configured with a summary to report from RIP into NLSP cloud.
• Backbone has less info --- one range from each cloud
F-73
When will we have “level 2” NLSP?
• Never. It’s not needed
• The ability to do route summarization and leak info between areas gives a very flexible and scalable topology
• More flexible and scalable than OSPF topology. OSPF limited to areas connected by a single backbone
• We can connect little circles, have more levels of hierarchy, multiple backbones, etc.
F-74
Example
[Figure: hierarchy of summarized address ranges: * at the top, with 72*, 6*, 617*, 52* and 527* below]
F-75
Additional Flexibility
• Range option (length of prefix in bits, 4 byte address) contains field “area-count”
• Each time a range is learned and passed on to another area, area-count is decremented
• If it reaches 0, it is not passed further
• This allows connecting areas without using them as through-paths
[Figure: areas holding the ranges *, 5*, 52*, 7*, 51*, 72*, 527* and 784*]
F-76
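Added Python example (not from the slides) covering the summarization slides (F-65, F-68, F-69 and the one above): a summary as (length in bits, 4-byte address), the mask form from slide F-65 expressed as the same thing, longest match, the filtering rule “don’t advertise anything of the form 5.*, advertise the summary 5.*”, the zero-length prefix as default, and the area-count that is decremented each time a range is leaked into another area. Reading the slides’ notation such as “527*” as fixed leading hex digits of the net number (4 bits each) is an assumption; the net numbers are constructed.

```python
def mask_for(length):
    """Mask equivalent to a prefix length in bits (0..32); length 0 matches everything."""
    if not 0 <= length <= 32:
        raise ValueError("prefix length must be 0..32")
    return 0 if length == 0 else (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF

def summary(length, address):
    """(1 byte length, 4 byte address); bits past the length are cleared."""
    return (length, address & mask_for(length))

def hex_prefix(digits):
    """Slide notation like '527*': each fixed hex digit of the net number is 4 prefix bits (assumed)."""
    return summary(4 * len(digits), int(digits.ljust(8, "0"), 16))

def covers(summ, net):
    length, address = summ
    return (net & mask_for(length)) == address

def longest_match(summaries, net):
    hits = [s for s in summaries if covers(s, net)]
    return max(hits, key=lambda s: s[0]) if hits else None

def advertise(nets, summaries):
    """Filtering with summaries: drop the individual nets a summary covers, send the summaries."""
    individual = [n for n in nets if not any(covers(s, n) for s in summaries)]
    return individual, list(summaries)

def leak(ranges):
    """Pass ranges to the next area: only those whose area-count is still > 0, each decremented."""
    return [(s, count - 1) for s, count in ranges if count > 0]

def areas_reached(summ, area_count, chain_length):
    """How many areas beyond the origin receive the range along a chain of areas."""
    ranges, reached = [(summ, area_count)], 0
    for _ in range(chain_length):
        ranges = leak(ranges)
        if not ranges:
            break
        reached += 1
    return reached

DEFAULT = summary(0, 0)   # zero length prefix: the default route, matches everything
```

The area-count gives exactly the effect the slide describes: a range injected with area-count 2 is known in the two neighbouring areas along a chain and goes no further, so those areas are connected without becoming through-paths for everyone else.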
Summary of NLSP
• NLSP is a more efficient routing protocol than RIP
• It allows more hops
• It coexists with RIP/SAP
• It alleviates SAP overhead
• The more routers converted to NLSP, the lower the overhead
• With route aggregation and area info leaking, arbitrary number of levels of hierarchy
F-77
Address Assignment
• Global
– you get an address from one organization and then you “own” it
– this way you can hook Intranets together and addresses won’t collide
– But addresses should be summarizable (not just unique)
– IP now realizes addresses should be “rented”, not “owned”
– People HATE renumbering (even though IPX is a lot easier to renumber than IP)
• Local
– you assign addresses within your own net as you please. Renumbering is necessary whenever merging with another net.
IPX Address Registry
• Only recently has there been a registry of IPX addresses so you can get unique addresses
• So there’s zillions of little IPX intranets, with overlapping address space
• Easier to renumber than IP, but people still hate it
• Mapping from IP to globally unique IPX (figure: the IP address bytes a, b, c, d shown above an IPX network number with bytes 0, a, b, c; the diagram is not reproduced)
SPX
• “Sequenced Packet Exchange”, derived from XNS SPP
• End-to-end reliable (Transport layer) protocol.
• Functionally similar to TCP
• But not as good! Window size of 1, no pkt size negotiation (586 byte packets)
• SPX-2 an improvement, but not trivial to replace SPX, because API changed
• SPX-2 is compatible on the wire -- two nodes communicate and if they can both speak SPX-2 they speak SPX-2, otherwise SPX
• SPX header after IPX header
• Each msg is numbered, and if not ack’d it is retransmitted
SPX Packet Format (field: size in bytes)
IPX header (pkt type=5): 30
Connection ctl: 1
data stream type: 1
source conn. ID: 2
dest conn. ID: 2
sequence #: 2
ack #: 2
allocation number: 2
data
SPX Fields
• Connection control: flags
– bit #0: SPX-2 extended header (ignored by SPX)
– 1: reserved (Xmit as 0, ignore on receipt)
– 2: ignored by SPX, means “negotiate size” for SPX-2
– 3: ignored by SPX, indicates this is SPX-2
– 4: end of msg (user bit)
– 5: ignored by SPX, “attention” in SPX-2
– 6: send ack after this pkt (always 1 for SPX)
– 7: System packet (does not consume seq #)
More SPX Fields
• Data stream type
– FE: end of connection. For graceful disconnect
– FF: acks end of connection
– 00-7F: user-defined values. Can be used internally by the application for submultiplexing, transaction code, etc.
• Connection IDs: each side assigns its own.
– Dest conn. ID set to FFFF on conn. req
• Sequence number: independently assigned in each direction. Wraps to 0000 after FFFF
• Ack #: next pkt expected from other side
More SPX Fields
• Allocation #:
– highest seq # this side is able to accept.
– Most implementations announce the # of buffers for the IPX socket, which is wrong (if multiple SPX connections share the IPX socket).
– That’s why Novell’s SPX transmitter doesn’t take advantage of window size>1
• Negotiation Size
– Only present in SPX-2
– But even SPX-2 leaves it out of the connection request (for SPX compatibility)
– After negotiation, still send a test pkt
– Routers will truncate or drop
– Size is min (yours, other side’s, network’s)
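An added example (not code from the slides or from Novell) that decodes the SPX header laid out above, names the connection-control bits and the data stream type, flags a connection request (dest conn. ID FFFF), and applies the allocation-number window rule with 16-bit wrap. Byte order, the bit numbering from the least significant bit, and the `build_ipx` sample-header helper are assumptions.

```python
import struct
from dataclasses import dataclass

# Assumptions not stated on the slides: multi-byte fields are big-endian, and the
# connection-control bit numbers count from the least significant bit.
SPX_HEADER = struct.Struct(">BBHHHHH")          # 12 bytes after the 30-byte IPX header
CONN_CTL_BITS = {0: "SPX-2 extended header", 1: "reserved", 2: "negotiate size (SPX-2)",
                 3: "SPX-2", 4: "end of message", 5: "attention (SPX-2)",
                 6: "send ack", 7: "system packet"}

def stream_type_name(t: int) -> str:
    if t == 0xFE: return "end of connection"
    if t == 0xFF: return "ack of end of connection"
    if t <= 0x7F: return f"user-defined 0x{t:02X}"
    return f"unlisted 0x{t:02X}"                # 80-FD are not described on the slide

@dataclass
class SpxHeader:
    flags: list
    stream_type: str
    src_conn: int
    dst_conn: int
    seq: int
    ack: int
    alloc: int
    payload: bytes
    @property
    def is_connection_request(self) -> bool:
        return self.dst_conn == 0xFFFF          # dest conn. ID is FFFF on a conn. request

def parse_spx(packet: bytes) -> SpxHeader:
    """Decode the SPX header that follows the IPX header; rejects non-SPX packets."""
    if len(packet) < 30 + SPX_HEADER.size:
        raise ValueError("too short for IPX + SPX headers")
    if packet[5] != 5:                          # IPX packet type byte
        raise ValueError("IPX packet type is not 5 (SPX)")
    ctl, dst, src_conn, dst_conn, seq, ack, alloc = SPX_HEADER.unpack_from(packet, 30)
    flags = [name for bit, name in CONN_CTL_BITS.items() if ctl & (1 << bit)]
    return SpxHeader(flags, stream_type_name(dst), src_conn, dst_conn,
                     seq, ack, alloc, packet[30 + SPX_HEADER.size:])

def may_send(next_seq: int, peer_ack: int, peer_alloc: int) -> bool:
    """Sender-side window check (16-bit wrap): next_seq lies in [peer ack #, peer allocation #]."""
    in_window = ((peer_alloc - next_seq) & 0xFFFF) < 0x8000
    return in_window and ((next_seq - peer_ack) & 0xFFFF) < 0x8000

def build_ipx(ptype: int, dst_sock: int, src_sock: int, length: int) -> bytes:
    # Constructed 30-byte IPX header for sample input (checksum FFFF, zero nets/nodes).
    return struct.pack(">HHBB4s6sH4s6sH", 0xFFFF, length, 0, ptype,
                       bytes(4), bytes(6), dst_sock, bytes(4), bytes(6), src_sock)
```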
Window Size
• In SPX-2 can have window sizes bigger than 1
• server starts at 8
• client starts at 3
• based on internal heuristics, size changes
NCP
• Special purpose reliable Transport protocol
• Client requests. Server responds
• Originally one pkt request, one pkt response
• If response too big for a packet, client had to break it into multiple requests:
– req first hunk of data: get back data+pointer
– req data starting from pointer: returned more data plus next pointer, etc.
• Then “packet burst” was added, wherein a long (up to 64K) multi-packet response is sent “all at once”
• It is rate based (different from standard window with acks every few packets)
• Missing fragments are explicitly requested (rather than ack’ing received ones)
NCP Packet Format (though it varies for some calls; field: size in bytes)
IPX header (pkt type=17, socket=451): 30
function code: 2
sequence #: 1
conn # low: 1
task #: 1
conn # hi: 1
completion code: 1
status flags: 1
Description of NCP Fields
• Function code one of: (1111=create service connection),
(2222=service request), (3333=service response),
(5555=destroy a service connection), (7777=packet burst),
(9999=previous request still being processed)
• connection # should have been 2 bytes. They realized that
too late. Set to 0 by client and assigned by server.
• Task # allows up to 255 tasks to share a single connection
• completion code nonzero indicates error
• status flags: (bit 0=bad service), (2=no conn available),
(4=server down), (6=server has a broadcast msg pending
for the client)
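An added example (not from the slides or Novell) that decodes the basic NCP header described above, rejoins the split connection number, and pairs 3333 responses with outstanding 2222 requests by (connection, sequence) so that a response nobody asked for is reported. It assumes big-endian fields, that the slide's 451 and 1111-style values are hexadecimal, and uses a constructed `build_ipx` helper for sample input.

```python
import struct

# Assumptions (not stated on the slides): big-endian fields, and the slide's
# "451"/"2222" style values are hexadecimal (socket 0x0451, function code 0x2222).
NCP_HEADER = struct.Struct(">HBBBBBB")          # 8 bytes after the 30-byte IPX header
FUNCTION_CODES = {0x1111: "create service connection", 0x2222: "service request",
                  0x3333: "service response", 0x5555: "destroy service connection",
                  0x7777: "packet burst", 0x9999: "request still being processed"}
STATUS_BITS = {0: "bad service", 2: "no connection available",
               4: "server down", 6: "broadcast message pending"}

def parse_ncp(packet: bytes) -> dict:
    """Decode the basic (non-burst) NCP header; the two 1-byte halves of the
    connection number are rejoined here."""
    if len(packet) < 30 + NCP_HEADER.size:
        raise ValueError("too short for IPX + NCP headers")
    if packet[5] != 17:
        raise ValueError("IPX packet type is not 17 (NCP)")
    dst_sock = struct.unpack_from(">H", packet, 16)[0]
    src_sock = struct.unpack_from(">H", packet, 28)[0]
    if 0x0451 not in (dst_sock, src_sock):      # requests go to 451, responses come from it
        raise ValueError("neither socket is the NCP socket 0x0451")
    code, seq, conn_lo, task, conn_hi, completion, status = NCP_HEADER.unpack_from(packet, 30)
    return {"function": FUNCTION_CODES.get(code, f"unknown 0x{code:04X}"),
            "seq": seq, "conn": (conn_hi << 8) | conn_lo, "task": task,
            "completion": completion,
            "status": [n for bit, n in STATUS_BITS.items() if status & (1 << bit)],
            "payload": packet[30 + NCP_HEADER.size:]}

class RequestTracker:
    """Pairs 3333 responses with outstanding 2222 requests on (connection, sequence)."""
    def __init__(self):
        self.pending = {}
    def observe(self, packet: bytes) -> str:
        ncp = parse_ncp(packet)
        key = (ncp["conn"], ncp["seq"])
        if ncp["function"] == "service request":
            self.pending[key] = ncp["task"]
            return "request"
        if ncp["function"] == "service response":
            if key not in self.pending:
                return "unsolicited response"   # nothing outstanding matches it
            del self.pending[key]
            return "error" if ncp["completion"] else "ok"
        return ncp["function"]

def build_ipx(ptype: int, dst_sock: int, src_sock: int, length: int) -> bytes:
    # Constructed 30-byte IPX header for sample input (checksum FFFF, zero nets/nodes).
    return struct.pack(">HHBB4s6sH4s6sH", 0xFFFF, length, 0, ptype,
                       bytes(4), bytes(6), dst_sock, bytes(4), bytes(6), src_sock)
```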
NCP with Burst (field: size in bytes)
IPX header (pkt type=17, socket=451): 30
function code=7777: 2
flags: 2
source conn id: 4
dest conn #: 4
send delay: 4
burst seq #: 2
ACK seq #: 2
total burst: 4
offset into burst of this data: 4
packet size: 2
# of fragment entries: 2
missing fragment list (4 byte file offset, 2 byte length): 6n
TCP/UDP over IPX
• Documented in RFC 1791
• IPX pkt type 4, socket 9091 = TCP, socket 9092 = UDP
• An additional header (called IPXF) is added to allow IPX fragmentation. Using IPXF allows packets up to 64K
• Anything requiring fragmentation can run over IPXF
• IPXF uses socket 9093. The real socket is contained in the additional header
IPXF (field: size in bytes)
IPX header (socket=9093): 30
fragment offset: 2
packet ID: 4
destination socket: 2
datagram length (in 8 octet units): 2
IP/IPX Gateway (figure: host A on IPX, gateway G, host X on the Internet using IP; the diagram is not reproduced)
• A talks only IPX. Sees all Internet hosts as appearing on G’s IPX address. A establishes a TCP connection to G. G figures out the actual IP address of the destination, and opens a TCP connection to X. If the TCP port to X is n, G remembers that n goes with its IPX-TCP connection to A.
Mobile IPX
• Mobile host: has software in it to make applications think its address is always a constant
– finds MR
– Asks for address from MR. Keeps MR informed when it moves
• Mobile router
– advertises itself through SAP
– assigns MH a permanent address
– keeps track of MH’s current physical address
– receives packets destined to MH
– Redirects them to MH’s current physical address
• Correspondent Host: unaware that it’s talking to a MH rather than an ordinary IPX node
Mobile IPX (figure: MR, CH and MH; the diagram is not reproduced)
• Let’s say MR’s internal net # is 6
• MH has physical address, say, net.ID
• Will be assigned a permanent address like 6.31
• CH receives packets from source address 6.31.
• CH sends to 6.31. MR receives and forwards to “net.ID”
• If MH moves to (net2.ID2), it informs MR
• Mobility simpler with IPX than IP, since no need for foreign agent (since in IPX MH can always easily get an address)
NDS
• Similar to telephone directory
• Partitioning (not all numbers in one book)
• Hierarchical names (like file system)
• Replication (same directory can be stored in multiple locations)
• Based on X.500
• A partition is a set of directories in a connected portion of the tree which must be replicated as a unit
• One master replica
• Multiple writable and read-only replicas
• Replicas have to periodically synchronize
Security
• Three types of crypto algorithms
– secret key (one shared key)
– public key (two keys per user, one public, one kept private)
– message digest (irreversible hash)
NetWare 3X Authentication
• A secret key scheme (figure: the server holds, for User1 “Alice”, h(pwd1)=x1 and for User2, h(pwd2)=x2; the server sends the client a random # R, and the client answers h(R, x_Alice))
• It’s slightly more complicated than that since “x” is really h(pwd, userID), and the server needs to first tell the client machine the userID so that the client machine can calculate x
• Have to configure user and “x” at every server the user has rights to log into
Packet Signatures
• Someone demo’d “session hijacking”
• Somewhat unfairly, NetWare got lots of bad press for that
• Solution was “packet signature”
• Client and server compute h(R, x, constant), and use that as a “session key”
• The “signature” is like a checksum, but it depends on the beginning of the packet and the session key, so without knowing the session key you can’t hijack the session
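An added example (not from the slides or NetWare) modelling the 3.x challenge-response above together with packet signatures: the server keeps only x = h(pwd, userID), the client proves the password with h(R, x), both sides derive the session key h(R, x, constant), and each packet carries h(session key, start of packet), which a third party who saw R and h(R, x) cannot reproduce. SHA-256 stands in for the slides' unnamed h(), and the constant and the 64-byte signed prefix are constructed values.

```python
import hashlib, hmac, os

def h(*parts: bytes) -> bytes:
    """Stand-in for the slides' unnamed hash h(): SHA-256 over length-prefixed parts (assumption)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

SIGNATURE_CONSTANT = b"constructed-constant"    # the slide's unnamed constant
SIGNED_PREFIX = 64                                # bytes of packet start covered (constructed)

class Server:
    """Keeps x = h(pwd, userID) for each user, never the password."""
    def __init__(self):
        self.users = {}                           # name -> (userID, x)
        self.challenges = {}                      # name -> outstanding R
    def add_user(self, name: str, user_id: bytes, pwd: bytes):
        self.users[name] = (user_id, h(pwd, user_id))
    def challenge(self, name: str):
        """Server first tells the client the userID, then sends a fresh random R."""
        user_id, _ = self.users[name]
        R = self.challenges[name] = os.urandom(8)
        return user_id, R
    def verify(self, name: str, response: bytes):
        """Returns the session key h(R, x, constant) on success, else None."""
        _, x = self.users[name]
        R = self.challenges.pop(name, None)       # a challenge is usable once
        if R is None or not hmac.compare_digest(response, h(R, x)):
            return None
        return h(R, x, SIGNATURE_CONSTANT)

def client_login(user_id: bytes, pwd: bytes, R: bytes):
    """Client side: derive x from the typed password, then the response and session key."""
    x = h(pwd, user_id)
    return h(R, x), h(R, x, SIGNATURE_CONSTANT)

def sign_packet(session_key: bytes, packet: bytes) -> bytes:
    """Signature over the session key and the beginning of the packet only,
    as on the slide; bytes past SIGNED_PREFIX are not covered."""
    return h(session_key, packet[:SIGNED_PREFIX])

def verify_packet(session_key: bytes, packet: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(signature, sign_packet(session_key, packet))
```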
Public Key Authentication (figure: Bob sends Alice a random R; Alice returns R “signed” with Alice’s private key; Bob verifies using Alice’s public key)
• How does Alice know her private key?
• How does Bob know Alice’s public key?
Getting Alice’s Private Key
• Alice can’t simply remember a 500 bit number
• A secret key can be directly derived from the password, but a private key has to be a very special number
• Could carry it around on a floppy or smart card (encrypted with password)
• Could store it (encrypted) in a file on Alice’s workstation
• Could store it in a convenient place on the network (like NDS) encrypted with Alice’s password
• NetWare v4 stores it encrypted in NDS
• To prevent off-line password guessing, WS has to prove to NDS that the WS knows the user’s password before NDS will send the encrypted private key
Initial Login to NDS (somewhat simplified)
(figure: Alice gives WS her name and pwd; WS calculates S = MD(pwd); NDS holds for Alice her public key, {prv key}pwd, i.e. the private key encrypted with pwd, and S; NDS sends a random R; WS answers MD(S, R); NDS returns the encrypted private key)
Less Simplified
(figure: NDS sends WS R and salt; WS computes X = MD(pwd, salt) and Y = MD(X, R) and sends {Y, R2} encrypted with NDS’s public key; NDS verifies Y and returns {encrypted priv key XOR Y}R2)
Login Steps
• Alice types her name and password to WS
• WS proves to NDS that it knows Alice’s password
• NDS gives WS Alice’s encrypted private key
• WS decrypts private key with Alice’s password
• WS turns Alice’s private RSA key into a signature-only key K
• WS forgets Alice’s password and RSA key
• To log into server Bob, WS uses K, Bob verifies using Alice’s public key
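An added example (not from the slides or NetWare) modelling the NDS login above: NDS stores a salt, the verifier X = MD(pwd, salt) and the password-encrypted private key; WS proves the password with Y = MD(X, R) before any key material leaves NDS, and each R is usable once. SHA-256 stands in for MD, the {Y, R2} public-key envelope is sent as plain values, the "private key" is a 32-byte constructed blob, and "encrypted with the password" is modelled as XOR with a password-derived pad; all of these are assumptions.

```python
import hashlib, hmac, os

def MD(*parts: bytes) -> bytes:
    """Stand-in for the slides' MD(): SHA-256 over length-prefixed parts (assumption)."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class NDS:
    """Holds per user: salt, verifier X = MD(pwd, salt), and the private key
    encrypted under the password. The {Y, R2} public-key envelope of the slide is
    modelled as plain values here (constructed simplification)."""
    def __init__(self):
        self.users, self.pending = {}, {}
    def enroll(self, name: str, pwd: bytes, private_key: bytes):
        salt = os.urandom(8)
        # "encrypted with Alice's password": XOR with a pad derived from pwd only
        # (constructed), so NDS, which keeps only X and the blob, cannot unwrap it.
        blob = xor(private_key, MD(pwd, b"key-wrap"))
        self.users[name] = (salt, MD(pwd, salt), blob)
    def start_login(self, name: str):
        R = self.pending[name] = os.urandom(16)
        return R, self.users[name][0]
    def prove(self, name: str, Y: bytes, R2: bytes):
        """Release the wrapped key only if Y proves knowledge of the password for this R."""
        salt, X, blob = self.users[name]
        R = self.pending.pop(name, None)            # each challenge is usable once
        if R is None or not hmac.compare_digest(Y, MD(X, R)):
            return None
        return xor(blob, MD(Y, R2))                 # models {encrypted priv key XOR Y}R2

def ws_login(nds: NDS, name: str, pwd: bytes):
    """Workstation side: prove the password, then unwrap the private key locally."""
    R, salt = nds.start_login(name)
    X = MD(pwd, salt)
    Y = MD(X, R)
    R2 = os.urandom(16)
    reply = nds.prove(name, Y, R2)
    if reply is None:
        return None                                  # wrong password: nothing to guess at offline
    return xor(xor(reply, MD(Y, R2)), MD(pwd, b"key-wrap"))
```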