ON DEMAND LECTURE (PART I)
Dr. Nawaporn Wisitpongphan
ON-DEMAND OUTLINE
- Transition from IPv4 to IPv6
- NAT & IP Tunnel
- VPN
- Overlay Networks
- VoIP
- Network Management
4TO6
IPV4 TO IPV6 MIGRATION
- Interoperability is necessary for gradual deployment
- Solution #1: Dual Stack Operation
  - IPv6 nodes also support IPv4 (IPv6/IPv4 nodes)
  - Use IPv4 datagrams with IPv4 nodes
  - If any node along the path is IPv4-only, the packet has to travel as IPv4 there, and IPv6-only header fields (e.g. the flow label) are lost

IPV4 TO IPV6 MIGRATION: TUNNELING
- Solution #2: Tunneling

TUNNELING
HOW DOES TUNNELING WORK?
- What is a tunnel?
  - A virtual link between two network nodes
- How does it work?
  - Encapsulate the IPv6 datagram in an IPv4 datagram
  - The whole IPv6 packet goes into the payload of the IPv4 packet
  - Create the IPv4 header from the information in the IPv6 header
  - IPv4 nodes along the path are not aware of the encapsulated IPv6 packet
  - The IPv6 receiver has to determine whether the IPv4 packet it received carries an IPv6 datagram; the outer IPv4 protocol field is set to 41 for this purpose

NATS AND TUNNELS
- NATs were originally proposed as a short-term fix for IPv4 address depletion while the move to a larger address space (IPv6) was worked out
- Took on a life of their own
  - May have substantially delayed IPv6 deployment by reducing address pressure!
  - You probably encounter them every day
- Tunnels: coming up after NATs.
NETWORK ADDRESS TRANSLATION
- NAT maps (private source IP, source port) onto (public source IP, unique source port)
  - reverse mapping on the way back
  - the destination host does not know that this process is happening
- Very simple working solution.
- NAT functionality fits well with firewalls: the translation table only holds entries for connections opened from the inside, so an unsolicited inbound packet matches nothing and is dropped
[Figure: host A (Priv A IP, A Port) sends to B (B IP, B Port). The NAT rewrites the source to (Publ A IP, A Port') and forwards to B; B's reply to (Publ A IP, A Port') is mapped back to (Priv A IP, A Port).]
TYPES OF NATS
- Bi-directional NAT: 1-to-1 mapping between internal and external addresses.
  - E.g., 128.237.0.0/16 <-> 10.12.0.0/16
  - External hosts can directly contact internal hosts
  - Why use it? Flexibility: change providers, don't change internal addresses.
  - Need as many external addresses as the number of hosts
- "Traditional" NAT: unidirectional
  - Basic NAT: pool of external addresses
    - Translate the source IP address only (plus the IP header checksum and the TCP/UDP checksum, whose pseudo-header covers the addresses)
  - Network Address Port Translation (NAPT): what most of us use
    - Also translate ports.
    - E.g., internal host 10.0.0.5 port 5555 talking to 18.31.0.114 port 22 appears on the outside as 128.237.233.137 port 5931 talking to 18.31.0.114 port 22; the NAT remembers the binding (10.0.0.5, 5555) <-> (128.237.233.137, 5931)
    - Lets you share a single IP address among multiple computers
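The NAPT table described above, as an added example (not code from the lecture): outbound packets get a binding and a fresh public port, inbound packets are mapped back through that binding, and inbound packets with no binding are dropped, which is the firewall-like property of NAT. The public address 128.237.233.137 and the 18.31.0.114:22 destination are the slide's values; the other addresses, ports and the `Packet` record are constructed for the example.

```python
"""NAPT (port-translating NAT) as a translation table.
Added example, not code from the lecture; addresses/ports are sample values."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Maps (private src IP, src port) <-> (public IP, unique port')."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table: dict[tuple[str, int], int] = {}   # (priv ip, port) -> port'
        self.in_table: dict[int, tuple[str, int]] = {}    # port' -> (priv ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source, creating a binding on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            port = self.next_port            # allocate a unique public port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        # The destination host only ever sees the public address and port'.
        return Packet(self.public_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Outside -> inside: reverse the mapping. A packet with no binding is
        dropped: nothing outside can reach an internal host that did not speak first."""
        binding = self.in_table.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or binding is None:
            return None
        priv_ip, priv_port = binding
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> tuple[Packet, Packet | None, Packet | None]:
    nat = Napt("128.237.233.137", first_port=5931)
    out = nat.outbound(Packet("10.0.0.5", 5555, "18.31.0.114", 22))
    reply = nat.inbound(Packet("18.31.0.114", 22, "128.237.233.137", out.src_port))
    # Unsolicited probe from outside (constructed attacker address) at an unmapped port:
    unsolicited = nat.inbound(Packet("203.0.113.9", 4444, "128.237.233.137", 8080))
    return out, reply, unsolicited


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A real NAPT also keys bindings on protocol and ages them out (which is why long-idle connections through NAT die), and the TCP/UDP checksums must be recomputed along with the IP header checksum because the pseudo-header covers the rewritten address.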
TUNNELING
- Force a packet to go to a specific point in the network.
  - Path taken is different from the regular routing
  - Achieved by adding an extra IP header to the packet with a new destination address.
  - Similar to putting a letter in another envelope
  - Preferable to using the IP source routing option
- Used increasingly to deal with special routing requirements or new features.
  - Mobile IP, ..
  - Multicast, IPv6, research, ..
[Figure: the original packet (IP1 header + Data) is placed behind a new outer header IP2, giving IP2 | IP1 | Data.]
IP-IN-IP TUNNELING
- Described in RFC 2003 (IP Encapsulation within IP).
- Outer IP source and destination addresses identify the tunnel endpoints (tunnel entry, tunnel exit).
- Outer protocol id = 4.
- Several outer fields are copies of the inner IP header.
  - TOS, some flags (e.g. DF), ..
- Inner header is not modified, except for decrementing the TTL; the outer header gets its own TTL.
[Figure: outer IPv4 header (V/HL, TOS, Length, ID, Flags/Offset, TTL, Prot. = 4, H. Checksum, Tunnel Entry IP, Tunnel Exit IP) followed by the inner IPv4 header (V/HL, TOS, Length, ID, Flags/Offset, TTL, Prot., H. Checksum, Source IP address, Destination IP address) and the payload.]
TUNNELING EXAMPLE
[Figure: a packet from A to K crosses routers A, B, C, D, E, F, G, H, I, J, K. A tunnel runs from C to F: the original packet (A->K | Payload) enters the tunnel at C, which prepends an outer header (C->F | A->K | Payload); D and E forward on the outer header only; F strips it and forwards A->K | Payload toward K.]
TUNNELING CONSIDERATIONS
- Performance.
  - Tunneling adds (of course) processing overhead
  - Tunneling increases the packet length, which may cause fragmentation
    - BIG hit in performance in most systems
  - Tunneling in effect reduces the MTU of the path, but end-points often do not know this (path MTU discovery only works through a tunnel if the tunnel entry relays ICMP "fragmentation needed" back to the original sender)
- Security issues.
  - Should verify both the inner and the outer header
  - E.g., one-time flaw: send an IP-in-IP packet to a host. The host decapsulates it and processes the inner packet, which claims to come from a "trusted" host. Bypass firewalls: the packet filter only saw the outer header, from an untrusted source to the tunnel endpoint.
  - Mitigation: accept encapsulated packets only from configured tunnel peers, check that the inner source is one that peer may legitimately send, and filter the decapsulated packet as if it had arrived from outside
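Encapsulation and the inner/outer checks from the last two slides (and the IPv6-in-IPv4 case from the migration slides), as an added example that is not code from the lecture. The tunnel entry copies TOS and DF from the inner IPv4 header and decrements the inner TTL (RFC 2003), or copies the traffic class for an IPv6 payload and uses protocol 41 (RFC 4213); the tunnel exit refuses packets that are not from a configured peer or whose inner source the peer is not allowed to originate. All addresses, the `PEERS` table and the site prefix are constructed sample values, and inner IPv4 headers are assumed to carry no options (IHL = 5).

```python
"""IP-in-IP (proto 4) and IPv6-in-IPv4 (proto 41) tunnelling with exit-side checks.
Added example, not code from the lecture; addresses and peer table are constructed."""
from __future__ import annotations
import ipaddress
import struct

IPPROTO_IPIP, IPPROTO_IPV6 = 4, 41
# Constructed config of the tunnel exit 198.51.100.9: each peer may only originate
# inner packets from its own site prefix.
PEERS = {"192.0.2.1": ipaddress.ip_network("10.2.0.0/16")}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 when run over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(hdr: bytes) -> bytes:
    """Return the 20-byte header with its checksum field recomputed."""
    zeroed = hdr[:10] + b"\0\0" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def build_ipv4(src, dst, proto, payload, tos=0, ttl=64, df=False, ident=0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return with_checksum(hdr) + payload


def build_ipv6(src, dst, next_header, payload, tclass=0, hlim=64) -> bytes:
    hdr = struct.pack("!IHBB16s16s", (6 << 28) | (tclass << 20), len(payload), next_header,
                      hlim, ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0xF) * 4
    return {"version": f[0] >> 4, "tos": f[1], "df": bool(f[4] & 0x4000), "ttl": f[5],
            "proto": f[6], "src": str(ipaddress.IPv4Address(f[8])),
            "dst": str(ipaddress.IPv4Address(f[9])),
            "csum_ok": ipv4_checksum(pkt[:ihl]) == 0, "payload": pkt[ihl:f[2]]}


def encapsulate(inner: bytes, entry: str, exit_: str) -> bytes:
    """Tunnel entry: derive the outer header from the inner one (IHL=5 assumed)."""
    if inner[0] >> 4 == 4:
        h = parse_ipv4(inner)
        # RFC 2003: copy TOS and DF; the inner TTL is decremented as for any forwarding hop.
        inner = with_checksum(inner[:8] + bytes([h["ttl"] - 1]) + inner[9:20]) + inner[20:]
        return build_ipv4(entry, exit_, IPPROTO_IPIP, inner, tos=h["tos"], df=h["df"])
    tclass = ((inner[0] & 0xF) << 4) | (inner[1] >> 4)       # IPv6 traffic class -> outer TOS
    return build_ipv4(entry, exit_, IPPROTO_IPV6, inner, tos=tclass)


def decapsulate(pkt: bytes) -> bytes:
    """Tunnel exit. Verify the OUTER header (valid, tunnel protocol, configured peer)
    and then the INNER header (version matches the outer protocol, source allowed for
    this peer). Skipping the inner check is the slide's flaw: anyone who can reach the
    endpoint could inject a packet claiming a trusted inside source."""
    outer = parse_ipv4(pkt)
    if not outer["csum_ok"] or outer["proto"] not in (IPPROTO_IPIP, IPPROTO_IPV6):
        raise ValueError("not a tunnel packet")
    allowed = PEERS.get(outer["src"])
    if allowed is None:
        raise ValueError("outer source %s is not a configured tunnel peer" % outer["src"])
    inner = outer["payload"]
    version = inner[0] >> 4
    if (version, outer["proto"]) not in ((4, IPPROTO_IPIP), (6, IPPROTO_IPV6)):
        raise ValueError("inner version does not match outer protocol")
    src = ipaddress.ip_address(parse_ipv4(inner)["src"] if version == 4 else inner[8:24])
    if src.version != allowed.version or src not in allowed:
        raise ValueError("inner source %s is not allowed from this peer" % src)
    return inner


def demo() -> dict:
    v4 = build_ipv4("10.2.0.7", "10.1.0.20", 17, b"hello", tos=0x10, df=True)
    v4_tun = encapsulate(v4, "192.0.2.1", "198.51.100.9")
    v6_tun = encapsulate(build_ipv6("2001:db8::1", "2001:db8::2", 17, b"hi"), "192.0.2.1", "198.51.100.9")
    # The slide's attack: an outsider (203.0.113.5) sends IP-in-IP whose inner packet
    # claims a trusted inside source. Second variant: a real peer sends a source it does not own.
    forged = build_ipv4("203.0.113.5", "198.51.100.9", IPPROTO_IPIP,
                        build_ipv4("10.1.0.1", "10.1.0.20", 6, b"evil"))
    forged_peer = build_ipv4("192.0.2.1", "198.51.100.9", IPPROTO_IPIP,
                             build_ipv4("10.1.0.1", "10.1.0.20", 6, b"evil"))

    def attempt(p: bytes) -> str:
        try:
            return "ACCEPT " + parse_ipv4(decapsulate(p))["src"]
        except ValueError as e:
            return "DROP: " + str(e)

    return {"outer_v4": parse_ipv4(v4_tun), "outer_v6": parse_ipv4(v6_tun),
            "inner_v4": parse_ipv4(decapsulate(v4_tun)),
            "forged": attempt(forged), "forged_peer": attempt(forged_peer)}
```

Note what the outer-header check alone does not give you: the outer source address is trivially spoofable, so "from a configured peer" is only meaningful when the tunnel is also authenticated (IPsec, or at least a filter upstream that drops packets arriving on the wrong interface with the peer's address).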

TUNNELING APPLICATIONS
- Virtual private networks.
  - Connect subnets of a corporation using IP tunnels
  - Often combined with IPsec
    - The entire IP packet is encrypted and/or authenticated before being encapsulated (IPsec tunnel mode)
- Support for new or unusual protocols.
  - Routers that support the protocol use tunnels to "bypass" routers that do not support it
  - E.g. multicast
- Force packets to follow non-standard routes.
  - Routing is based on the outer header
  - E.g. mobile IP
VPN
WHAT IS VPN?
- A Virtual Private Network is a type of private network that uses a public telecommunication infrastructure, such as the Internet, instead of leased lines to communicate.
- Became popular as more employees worked in remote locations.
- Terminology needed to understand how VPNs work follows.
TRADITIONAL CONNECTIVITY
[From Gartner Consulting]
PRIVATE NETWORKS VS. VIRTUAL PRIVATE NETWORKS
- Employees can access the network (Intranet) from remote locations.
- Secured networks.
- The Internet is used as the backbone for VPNs
- Saves cost tremendously from reduction of equipment and maintenance costs.
- Scalability
REMOTE ACCESS VIRTUAL
PRIVATE NETWORK
(From Gartner Consulting)
BRIEF OVERVIEW OF HOW IT WORKS
- Two connections: one is made to the Internet and the second is made to the VPN.
- Datagrams: contain data, destination and source information.
- Firewalls: VPNs allow authorized users to pass through the firewalls.
- Protocols: protocols create the VPN tunnels.
FOUR CRITICAL FUNCTIONS
- Authentication: validates that the data was sent by the claimed sender.
- Access control: limiting unauthorized users from accessing the network.
- Confidentiality: preventing the data from being read or copied as it is being transported.
- Data integrity: ensuring that the data has not been altered
ENCRYPTION
- Encryption is a method of "scrambling" data before transmitting it onto the Internet.
- Public key encryption technique
- Digital signature: for authentication
TUNNELING
- A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
[Figure, Data Encapsulation (from Comer): the original datagram is encrypted and becomes the data area of an outer datagram: Datagram Header | Encrypted Inner Datagram.]
- Two types of end points:
  - Remote Access
  - Site-to-Site
FOUR PROTOCOLS USED IN VPN
- PPTP: Point-to-Point Tunneling Protocol (its MS-CHAPv2 authentication and RC4-based MPPE encryption are cryptographically broken; do not use it for new deployments)
- L2TP: Layer 2 Tunneling Protocol (provides no confidentiality on its own; normally run over IPsec as "L2TP/IPsec")
- IPsec: Internet Protocol Security
- SOCKS: a proxy protocol rather than a tunneling protocol; not used as much as the ones above
VPN ENCAPSULATION OF PACKETS
TYPES OF IMPLEMENTATIONS
- What does "implementation" mean in VPNs?
- 3 types:
  - Intranet: within an organization
  - Extranet: outside an organization (partners, suppliers)
  - Remote Access: employee to business
VIRTUAL PRIVATE NETWORKS (VPN)
BASIC ARCHITECTURE
DEVICE TYPES: HARDWARE
- Usually a VPN type of router
- Pros: highest network throughput; plug and play; dual-purpose
- Cons: cost; lack of flexibility
DEVICE TYPES: FIREWALL
- More security?
- Pros: "hardened" operating system; tri-purpose; cost-effective
- Cons: still relatively costly
DEVICE TYPES: SOFTWARE
- Ideal for 2 end points not in the same organization.
- Great when different firewalls are implemented
- Pros: flexible; low relative cost
- Cons: lack of efficiency; more labor training required; lower productivity and higher labor costs
ADVANTAGES VS. DISADVANTAGES
ADVANTAGES: COST SAVINGS
- Cost saving
  - Eliminating the need for expensive long-distance leased lines
  - Reducing the long-distance telephone charges for remote access.
  - Transferring the support burden to the service providers
  - Operational costs
- Scalability
  - Flexibility of growth
CISCO VPN SAVINGS CALCULATOR
DISADVANTAGES
- VPNs require an in-depth understanding of public network security issues and proper deployment of precautions
- Availability and performance depend on factors largely outside of the organization's control
- Immature standards
- VPNs need to accommodate protocols other than IP and existing internal network technology
APPLICATIONS: SITE-TO-SITE VPNS
- Large-scale encryption between multiple fixed sites such as remote offices and central offices
- Network traffic is sent over the branch office Internet connection
- This saves the company hardware and management expenses
SITE-TO-SITE VPNS
APPLICATIONS: REMOTE ACCESS
- Encrypted connections between mobile or remote users and their corporate networks
- Remote user can make a local call to an ISP, as opposed to a long-distance call to the corporate remote access server.
- Ideal for a telecommuter or mobile sales people.
- VPN allows mobile workers & telecommuters to take advantage of broadband connectivity, i.e. DSL, cable
INDUSTRIES THAT MAY USE A VPN
- Healthcare: enables the transfer of confidential patient information within the medical facilities & health care provider
- Manufacturing: allows suppliers to view inventory & allows clients to purchase online safely
- Retail: able to securely transfer sales data or customer info between stores & the headquarters
- Banking/Financial: enables account information to be transferred safely within departments & branches
- General Business: communication between remote employees can be securely exchanged
STATISTICS FROM GARTNER CONSULTING*
[Bar chart, % of respondents: remote access for employees working out of homes 90%; remote access for employees while traveling 79%; site-to-site connectivity between offices 63%; access to network for business partners/customers 50%.]
*Source: www.cisco.com
WHERE DO WE SEE VPNS GOING IN THE FUTURE?
- VPNs are continually being enhanced. Example: Equant NV
- As the VPN market becomes larger, more applications will be created along with more VPN providers and new VPN types.
- Networks are expected to converge to create an integrated VPN
- Improved protocols are expected, which will also improve VPNs.
OVERLAY NETWORKS
OVERLAY NETWORKS
- A network "on top of the network".
  - E.g., initial Internet deployment
- Tunnels between nodes on a current network
- Examples:
  - Internet routers connected via phone lines: an overlay on the phone network
  - The IPv6 "6bone", the multicast "Mbone" ("multicast backbone").
- But not limited to IP-layer protocols...
- Can do some pretty cool stuff:
OVERLAY NETWORKS: APPLICATIONS
- Application-layer multicast: transmit a data stream to multiple recipients
- Peer-to-peer networks
- Anonymizing overlays
  - Route data through lots of peers to hide the source
  - The Onion Router (Tor): users can communicate anonymously
    - Messages are repeatedly encrypted and sent through several onion routers
    - Each onion router removes a layer of encryption to uncover the routing instructions, and sends the message to the next router, where this is repeated
    - No single router learns both the source and the final destination: the entry router sees the source, the exit router sees the destination
- Design question: when are overlays good?
  - Functionality between a small(er) group of people without requiring global state/changes/etc.
ONION ROUTER
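The layered encryption from the slide above, as an added example (not code from the lecture or from the Tor project): the client wraps the message once per hop, innermost layer for the exit, and each router peels exactly one layer to learn only the next hop. The stream cipher is a toy (HMAC-SHA256 in counter mode) standing in for the AES-CTR layers real onion routers use, the client here knows all three keys up front instead of negotiating them hop by hop, and the router names and the destination are constructed.

```python
"""Onion routing over three hops with layered encryption.
Added example, not the lecture's or Tor's code; cipher is a toy, keys are constructed."""
from __future__ import annotations
import hashlib
import hmac
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, counter) blocks.
    Symmetric, so the same call adds and removes one layer."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class OnionRouter:
    def __init__(self, name: str):
        self.name = name
        self.key = os.urandom(32)      # in Tor: negotiated per circuit, never shared like this
        self.seen: list[str] = []      # what this router learned from the cell

    def peel(self, cell: bytes) -> tuple[str, bytes]:
        """Remove one layer; the plaintext starts with the next hop's name."""
        plain = keystream_xor(self.key, cell)
        next_hop, _, rest = plain.partition(b"|")
        self.seen.append(next_hop.decode())
        return next_hop.decode(), rest


def wrap(message: bytes, path: list[OnionRouter], destination: str) -> bytes:
    """Client side: encrypt for the exit first, then for each earlier hop, so the
    outermost layer belongs to the entry node. Each layer names only the NEXT hop."""
    hops = [r.name for r in path[1:]] + [destination]
    cell = message
    for router, next_hop in reversed(list(zip(path, hops))):
        cell = keystream_xor(router.key, next_hop.encode() + b"|" + cell)
    return cell


def route(cell: bytes, path: list[OnionRouter]) -> tuple[str, bytes, list[list[str]]]:
    """Network side: each router peels a layer and forwards. Returns the final
    destination, the plaintext handed to it, and what each router saw."""
    for router in path:
        next_hop, cell = router.peel(cell)
    return next_hop, cell, [r.seen for r in path]


def demo() -> tuple[str, bytes, list[list[str]]]:
    path = [OnionRouter("guard"), OnionRouter("middle"), OnionRouter("exit")]
    cell = wrap(b"GET / HTTP/1.0", path, "example.com")
    return route(cell, path)
```

The `seen` lists are the point: the guard learns only "middle" (plus, in reality, the client's address as the previous hop), the exit learns only the destination and the plaintext. That last fact is why anything leaving a Tor exit must itself be encrypted end to end; the overlay hides who is talking to whom, not what is said to the exit.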
MULTIPROTOCOL LABEL SWITCHING
WHAT IS MPLS?
- Protocol that directs/carries data from one network node to the next
- Creates "virtual links" between distant nodes
  - End-to-end circuit across any type of transport medium, using any protocol
  - Eliminates dependency on link-layer technology, e.g., ATM, Frame Relay, SONET, or Ethernet
  - Provides connection-oriented service for variable-length frames
  - Encapsulates packets of various network protocols
- Routing?
  - Data packets are assigned labels
  - Forwarding is based on the contents of the label (no need to examine the packet itself)
- Application:
  - Can be used to create VPNs (MPLS VPN)
BASIC MODEL FOR MPLS NETWORK
[Figure: IP traffic from the Internet enters at an LER, crosses a core of LSRs as MPLS-labelled packets, and leaves through another LER as plain IP.]
LSR = Label Switched Router
LER = Label Edge Router
MPLS VS VPN
- Note: an MPLS VPN separates customers' traffic by label, it does not encrypt it; confidentiality across a provider's MPLS network still requires IPsec (or similar) on top
NEED FOR MULTIPROTOCOL LABEL SWITCHING (MPLS)
- Forwarding function of a conventional router
  - a capacity-demanding procedure (longest-prefix match on the destination address at every hop)
  - constitutes a bottleneck as line speeds increase
- MPLS simplifies the forwarding function
  - a connection-oriented mechanism inside connectionless IP networks
LABEL SWITCHING
- Decomposition of network-layer routing into control and forwarding components is applicable
- The label-switching forwarding component algorithm uses
  - a forwarding table
  - the label carried in the packet
- What is a label? A short, fixed-length entity (a 32-bit label stack entry):
  - A 20-bit label value.
  - A 3-bit Traffic Class field for QoS (Quality of Service) priority (formerly the "experimental" EXP bits) and ECN (Explicit Congestion Notification).
  - A 1-bit bottom-of-stack flag. If this is set, it signifies that the current label is the last in the stack.
  - An 8-bit TTL (Time to Live) field
MPLS BASICS
- A Label Switched Path (LSP) is set up for each route
- An LSP for a particular packet P is a sequence of routers <R1, R2, ..., Rn>
  - for all i, 1 <= i < n: Ri transmits P to R(i+1) by means of a label
- Edge routers
  - Analyze the IP header to decide which LSP to use
  - Add a corresponding local Label Switched Path identifier, in the form of a label
  - Forward the packet to the next hop
MPLS BASICS CONTD..
- Subsequent nodes
  - just forward the packet along the LSP: look up the incoming label, swap it for the outgoing label, send to the next hop
  - simplify the forwarding function greatly
  - increase performance and scalability dramatically
- New advanced functionality for QoS and differentiated services can be introduced in the edge routers
  - Backbone can focus on capacity and performance
  - Routing information obtained using a common intra-domain routing protocol such as OSPF
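The label format and the push/swap/pop behaviour from the last three slides, as an added example (not code from the lecture): `pack_label`/`unpack_label` implement the 32-bit label stack entry, the ingress LER does the only IP header lookup (longest-prefix match of the destination) and pushes a label, each LSR switches on the top label alone, and the egress LER pops. Router names, label values, the FEC table and the LFIB contents are constructed, and the 0x8847/0x0800 ethertype prefix stands in for the link-layer framing.

```python
"""MPLS label stack entries and label-switched forwarding along one LSP.
Added example, not code from the lecture; tables and labels are constructed."""
from __future__ import annotations
import ipaddress
import struct

ETH_IP, ETH_MPLS = b"\x08\x00", b"\x88\x47"


def pack_label(label: int, tc: int = 0, bos: bool = False, ttl: int = 64) -> bytes:
    """32-bit entry: 20-bit label | 3-bit TC | 1-bit bottom-of-stack | 8-bit TTL."""
    assert 0 <= label < (1 << 20) and 0 <= tc < 8 and 0 <= ttl < 256
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bos) << 8) | ttl)


def unpack_label(entry: bytes) -> dict:
    v = struct.unpack("!I", entry[:4])[0]
    return {"label": v >> 12, "tc": (v >> 9) & 0x7, "bos": bool(v & 0x100), "ttl": v & 0xFF}


def parse_stack(pkt: bytes) -> tuple[list[dict], bytes]:
    """Read entries until the bottom-of-stack bit; whatever follows is the IP packet."""
    stack, off = [], 0
    while True:
        entry = unpack_label(pkt[off:off + 4])
        off += 4
        stack.append(entry)
        if entry["bos"]:
            return stack, pkt[off:]


class Router:
    def __init__(self, name: str, fec: dict | None = None, lfib: dict | None = None):
        self.name = name
        self.fec = fec or {}      # ingress LER: IPv4 network -> (next hop, label to push)
        self.lfib = lfib or {}    # LSR: incoming label -> (next hop, outgoing label; None = pop)

    def forward(self, frame: bytes) -> tuple[str, bytes]:
        """Return (next hop, frame as transmitted)."""
        etype, body = frame[:2], frame[2:]
        if etype == ETH_IP:
            # Ingress LER: the only place the IP header is examined. Longest-prefix
            # match of the destination selects the FEC/LSP and hence the label.
            dst = ipaddress.IPv4Address(body[16:20])
            net = max((n for n in self.fec if dst in n), key=lambda n: n.prefixlen)
            next_hop, label = self.fec[net]
            return next_hop, ETH_MPLS + pack_label(label, bos=True, ttl=body[8] - 1) + body
        # LSR: switch on the top label alone; the IP packet is opaque here.
        stack, ip = parse_stack(body)
        top, rest = stack[0], b"".join(pack_label(**e) for e in stack[1:])
        next_hop, out_label = self.lfib[top["label"]]
        if out_label is None:                      # egress: pop and deliver as IP
            return next_hop, (ETH_MPLS + rest if rest else ETH_IP) + ip
        swapped = pack_label(out_label, top["tc"], top["bos"], top["ttl"] - 1)
        return next_hop, ETH_MPLS + swapped + rest + ip


def demo() -> list[tuple[str, str, int | None]]:
    """Walk one packet LER1 -> LSR1 -> LSR2 -> LER2 and record the label at each hop."""
    src, dst = ipaddress.IPv4Address("10.2.0.7"), ipaddress.IPv4Address("10.1.0.20")
    ip = bytes.fromhex("450000140000000040110000") + src.packed + dst.packed  # constructed header, TTL 64
    routers = {
        "LER1": Router("LER1", fec={ipaddress.ip_network("10.1.0.0/16"): ("LSR1", 100)}),
        "LSR1": Router("LSR1", lfib={100: ("LSR2", 200)}),
        "LSR2": Router("LSR2", lfib={200: ("LER2", 300)}),
        "LER2": Router("LER2", lfib={300: (str(dst), None)}),
    }
    frame, hop, trace = ETH_IP + ip, "LER1", []
    while hop in routers:
        next_hop, frame = routers[hop].forward(frame)
        top = unpack_label(frame[2:])["label"] if frame[:2] == ETH_MPLS else None
        trace.append((hop, next_hop, top))
        hop = next_hop
    return trace
```

Because the core never looks past the top label, an MPLS VPN's isolation is exactly as good as the provider's label tables: a misconfigured LFIB entry joins two customers' traffic silently, and nothing in the packet is encrypted.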
MPLS BENEFITS
- Comparing MPLS with existing IP core and IP/ATM technologies, MPLS has many advantages and benefits:
  - The performance characteristics of layer 2 networks
  - The connectivity and network services of layer 3 networks
  - Improves the price/performance of network-layer routing
  - Improved scalability
MPLS BENEFITS CONTD..
- Improves the possibilities for traffic engineering
- Supports the delivery of services with QoS guarantees
- Avoids the need for coordination of IP and ATM address allocation and routing information
NETWORK MANAGEMENT
NETWORK MANAGEMENT
- Configuration management
  - How do I deal with all of these hosts?!
- Network monitoring
  - What the heck is going on on those links?
AUTOCONFIGURATION
- Address space problem: it's a pain to re-address
  - IP address, netmask, gateway, hostname, etc., etc.
  - Affects allocation size, ease of switching ISPs, etc.
- Manual input: typing by hand: ugh!
- IPv4 option 1: RARP (Reverse ARP)
  - Data-link protocol
  - Uses the ARP format. New opcodes: "request reverse", "reply reverse"
  - Send query: request-reverse [ether addr]; server responds with the IP
- IPv4 option 2: DHCP
  - Dynamic Host Configuration Protocol
  - RARP is fine for assigning an IP, but is very limited
  - DHCP can provide the kitchen sink
DHCP
- Exchange:
  - DHCPDISCOVER (client, broadcast)
  - DHCPOFFER (server)
  - DHCPREQUEST (client, broadcast, naming the server whose offer it accepts)
  - DHCPACK (server)
- DHCPOFFER carries:
  - IP addressing information
  - Boot file/server information (for network booting)
  - DNS name servers
  - Lots of other stuff: the protocol is extensible; a range of option codes is reserved for local site definition and use.
- Security note: DHCP as deployed has no authentication. Any host on the link can answer a DHCPDISCOVER, so a rogue server that replies first can hand out its own default gateway or DNS server; DHCP snooping on the switch is the usual defence.
DHCP FEATURES
- Lease-based assignment
  - Clients can renew. Servers really should preserve this information across client & server reboots.
- Provides host configuration information
  - Not just IP address stuff.
  - NTP servers, IP config, link-layer config,
  - X window font server (wow)
- Use:
  - Generic config for desktops/dialin/etc.
  - Assign IP address/etc. from a pool
  - Specific config for particular machines
  - Central configuration management
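The DISCOVER/OFFER/REQUEST/ACK exchange from the slides, built and parsed in the real wire format (RFC 2131 fixed header and RFC 2132 option TLVs), as an added example that is not code from the lecture. The server address, pool, router, DNS server and client MAC are constructed; the transport (UDP 67/68 broadcast) is left out so the exchange runs as plain function calls.

```python
"""DHCP DORA exchange on the RFC 2131/2132 wire format.
Added example, not code from the lecture; pool, server and client MAC are constructed."""
from __future__ import annotations
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_REQ_IP, OPT_LEASE = 1, 3, 6, 50, 51
OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255


def build(op: int, xid: int, mac: bytes, yiaddr: str, options: list[tuple[int, bytes]]) -> bytes:
    """op=1 BOOTREQUEST (client) / 2 BOOTREPLY (server); 236-byte fixed header,
    magic cookie, then code/len/value options ending with 255."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC + body + bytes([OPT_END])


def parse(msg: bytes) -> dict:
    op, _htype, hlen, _hops, xid, _secs, _flags, _ci, yi, _si, _gi, chaddr = \
        struct.unpack("!BBBBIHH4s4s4s4s16s", msg[:44])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                      # pad option
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "mac": chaddr[:hlen],
            "yiaddr": str(ipaddress.IPv4Address(yi)), "options": opts}


class Server:
    def __init__(self, ip: str, pool: list[str], router: str, dns: str, lease: int = 3600):
        self.ip, self.pool, self.leases = ip, list(pool), {}
        self.common = [(OPT_SUBNET, ipaddress.IPv4Address("255.255.255.0").packed),
                       (OPT_ROUTER, ipaddress.IPv4Address(router).packed),
                       (OPT_DNS, ipaddress.IPv4Address(dns).packed),
                       (OPT_LEASE, struct.pack("!I", lease)),
                       (OPT_SERVER_ID, ipaddress.IPv4Address(ip).packed)]

    def handle(self, msg: bytes) -> bytes | None:
        req = parse(msg)
        mtype = req["options"][OPT_MSGTYPE][0]
        if mtype == DISCOVER:
            addr = self.leases.get(req["mac"]) or self.pool.pop(0)   # reuse old lease, else allocate
            self.leases[req["mac"]] = addr
            return build(2, req["xid"], req["mac"], addr, [(OPT_MSGTYPE, bytes([OFFER]))] + self.common)
        if mtype == REQUEST:
            # Answer only if the client picked THIS server and asks for what we offered.
            if req["options"].get(OPT_SERVER_ID) != ipaddress.IPv4Address(self.ip).packed:
                return None
            wanted = str(ipaddress.IPv4Address(req["options"][OPT_REQ_IP]))
            if self.leases.get(req["mac"]) != wanted:
                return None
            return build(2, req["xid"], req["mac"], wanted, [(OPT_MSGTYPE, bytes([ACK]))] + self.common)
        return None


def client_exchange(server: Server, mac: bytes, xid: int = 0x3903F326) -> dict:
    discover = build(1, xid, mac, "0.0.0.0", [(OPT_MSGTYPE, bytes([DISCOVER]))])
    offer = parse(server.handle(discover))
    request = build(1, xid, mac, "0.0.0.0", [(OPT_MSGTYPE, bytes([REQUEST])),
                                            (OPT_REQ_IP, ipaddress.IPv4Address(offer["yiaddr"]).packed),
                                            (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])])
    ack = parse(server.handle(request))
    return {"offer": offer["yiaddr"], "ack": ack["yiaddr"], "ack_type": ack["options"][OPT_MSGTYPE][0],
            "router": str(ipaddress.IPv4Address(ack["options"][OPT_ROUTER])),
            "dns": str(ipaddress.IPv4Address(ack["options"][OPT_DNS])),
            "lease": struct.unpack("!I", ack["options"][OPT_LEASE])[0]}


def demo() -> dict:
    server = Server("192.168.1.1", ["192.168.1.100", "192.168.1.101"],
                    router="192.168.1.1", dns="192.168.1.53")
    return client_exchange(server, bytes.fromhex("001122334455"))
```

The server-identifier option in DHCPREQUEST is the only thing that lets several servers on one link sort out whose offer was taken; the client picks among offers by whatever policy it likes, usually the first one in, which is exactly what a rogue server exploits by answering before the legitimate one.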

IPV6 AUTOCONFIGURATION
- Serverless ("stateless"). No manual config at all.
  - Only configures addressing items, NOT other host things
  - If you want that, use DHCPv6.
- Link-local address
  - 1111 1110 10 (fe80::/10), zero-padded to a 64-bit prefix, followed by a 64-bit interface ID; originally derived from the Ethernet address (modified EUI-64), but most OSes now use random or stable-privacy IDs instead, since a MAC-derived ID makes the host trackable across networks
  - Uniqueness test ("anyone using this address?"): Duplicate Address Detection, done with a Neighbor Solicitation for the tentative address
  - Router contact (solicit, or wait for announcement): Router Solicitation / Router Advertisement
  - The advertisement contains the globally unique prefix
  - Usually: concatenate this prefix with the local ID -> globally unique IPv6 address
- DHCP took some of the wind out of this, but nice for "zeroconf" (many OSes now do this for both v4 and v6)
SLIDES FOR FURTHER INTEREST
- Management is still not too well defined
  - Understanding network status, responding intelligently, etc.
  - Managing configurations
- How do you "program" the network?
MANAGEMENT: MONITORING
- What to do when there is a problem?
- How do you know how busy your network is?
  - Where are the bottlenecks, is it time for an upgrade, redirect traffic, ..
- How can you spot unusual activity?
  - Loss of connectivity, complaints of slow throughput, ..
  - Somebody attacking a subnet, ..
- These are all hard problems that are typically addressed using multiple tools, but the ability to monitor network status is a common requirement.
  - "Static" information: what is connected to what?
  - Dynamic information: what is the throughput on that link?
COMMON MONITORING TOOLS
- SNMP
  - Simple Network Management Protocol
  - Device status
    - 5-minute traffic average on outbound links
    - Amount of disk space used on a server
    - Number of users logged in to a modem bank
    - Etc.
  - Device alerts
    - Line 5 just went down!
- NetFlow
  - Detailed traffic monitoring
  - Break down by protocol/source/etc.
  - ("Who's serving 5 terabytes of Britney Spears photos??")
SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)
- Protocol that allows clients (managers) to read and write management information on network elements.
  - Routers, switches, ...
  - A network element is represented by an SNMP agent
  - Information is stored in a management information base (MIB).
  - Have to standardize the naming, format, and interpretation of each item of information
  - Ongoing activity: MIB entries have to be defined as new technologies are introduced
- Different methods of interaction supported.
  - Query/response interaction: the SNMP agent answers questions
  - Traps: the agent notifies registered clients of events
- Need security: authentication and encryption.
  - SNMPv1 and v2c have only a cleartext "community string" that any packet sniffer can read, and the defaults "public"/"private" are still common; use SNMPv3 with authentication and privacy, and never expose write access on an untrusted network
MANAGEMENT INFORMATION BASE - MIB
- Information is represented in an object tree.
  - To identify information you specify a path to a leaf (an object identifier, OID)
  - Can extend the MIB by adding subtrees
  - Different standards bodies can expand different subtrees
  - E.g. Ethernet and ATM groups are independent
- Existing standard
  - How is information stored?
  - How is information encoded on the wire (transfer syntax)?
  - Uses the ASN.1 standard for data representation (BER encoding on the wire).
[Figure: object tree with Root at the top and subtrees ITU-T, ISO, Other, ...; under ISO the MIB-2 subtree holds the groups System, Interface, IP, ICMP, ARP, TCP, UDP, EGP, SNMP, other.]
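Naming a leaf by its path through the tree and encoding that path in the ASN.1 BER transfer syntax, as an added example (not code from the lecture). The `TREE` table is a constructed fragment covering only the MIB-2 path used here (iso.org.dod.internet.mgmt.mib-2.system.sysName); the rest of an SNMP PDU is also BER but is not shown.

```python
"""OID paths in the MIB tree and their ASN.1 BER encoding.
Added example, not code from the lecture; the name table is a small constructed fragment."""
from __future__ import annotations

TREE = {   # name -> OID prefix (fragment of the standard tree)
    "iso": (1,), "org": (1, 3), "dod": (1, 3, 6), "internet": (1, 3, 6, 1),
    "mgmt": (1, 3, 6, 1, 2), "mib-2": (1, 3, 6, 1, 2, 1),
    "system": (1, 3, 6, 1, 2, 1, 1), "sysName": (1, 3, 6, 1, 2, 1, 1, 5),
    "interfaces": (1, 3, 6, 1, 2, 1, 2), "ifNumber": (1, 3, 6, 1, 2, 1, 2, 1),
}


def oid_for(name: str, instance: int = 0) -> tuple[int, ...]:
    """A leaf is addressed by its path plus an instance suffix (.0 for scalars)."""
    return TREE[name] + (instance,)


def encode_oid(oid: tuple[int, ...]) -> bytes:
    """BER OBJECT IDENTIFIER: tag 0x06, short-form length, first two arcs packed as
    40*a+b, every further arc in base-128 with the high bit set on all but its last byte."""
    body = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    assert len(body) < 128, "long-form length not handled in this example"
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(ber: bytes) -> tuple[int, ...]:
    assert ber[0] == 0x06, "not an OBJECT IDENTIFIER"
    length = ber[1]
    body = ber[2:2 + length]
    assert len(body) == length, "truncated OID"
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of this arc
            arcs.append(value)
            value = 0
    assert value == 0, "dangling continuation byte"
    return tuple(arcs)


def name_for(oid: tuple[int, ...]) -> str:
    """Longest known prefix back into the tree, the way a manager prints an OID."""
    best = max((n for n, p in TREE.items() if oid[:len(p)] == p), key=lambda n: len(TREE[n]))
    rest = ".".join(str(a) for a in oid[len(TREE[best]):])
    return best + ("." + rest if rest else "")
```

Because the agent answers any syntactically valid OID under its subtree, the MIB is also a reconnaissance surface: a read community string gives an attacker the routing table, interface list and ARP cache of the device, which is why the v1/v2c community string should be treated as a password even though the protocol does not.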
WHAT CAN WE MONITOR?
- System:
  - Where is the node located?
  - How long has it been up?
  - The system's name?
- Interfaces:
  - Physical address of each interface
  - How many packets have been sent/received?
- IP:
  - Routing table
  - How many datagrams has it successfully forwarded?
  - Statistics about datagram reassembly
  - How many datagrams got dropped? For what reason?
- TCP:
  - The number of passive/active opens?
  - The number of resets?
  - The number of timeouts?
  - Default timeout settings?
- UDP:
  - Total number of UDP datagrams sent/received
WIRESHARK DEMO
PRESENTATION/REPORT GRADING SCHEME
- Presentation [30 pts]
  - DO NOT just read from the slides
  - What is it?
  - Where do we see this technology?
  - How does it work?
  - Challenges/Future
- Final Report [30 pts]
- Q/A [40 pts]
  - Questioning your classmates [20 pts]
  - Answering Questions [20 pts]
*** What you/your friends present WILL BE in the final!!!!