* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Review for final - Computer Science Division
Survey
Document related concepts
Point-to-Point Protocol over Ethernet wikipedia , lookup
Network tap wikipedia , lookup
Multiprotocol Label Switching wikipedia , lookup
Distributed firewall wikipedia , lookup
Deep packet inspection wikipedia , lookup
Airborne Networking wikipedia , lookup
IEEE 802.1aq wikipedia , lookup
Computer network wikipedia , lookup
Wireless security wikipedia , lookup
Internet protocol suite wikipedia , lookup
Zero-configuration networking wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Wake-on-LAN wikipedia , lookup
Recursive InterNetwork Architecture (RINA) wikipedia , lookup
Transcript
Announcement Take-home final Final can be picked up in my office (Room 356) starting Monday, 3/14, 10am-11:59am Final should be returned by Thursday 3/17, 11:59am Closed Book One 8.5” by 11” sheet of paper permitted (single side) Cover network layer, data link layer and network security Last class CDMA and IEEE 802.11 wireless LANs Network security Today Network security (cont.) Review for final What is network security? Confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message content not altered (in transit, or afterwards) without detection Access and Availability: services must be accessible and available to users The language of cryptography Alice’s K encryption A key plaintext encryption algorithm ciphertext Bob’s K decryption B key decryption plaintext algorithm symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) Public Key Cryptography symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if never “met”)? public key cryptography radically different approach [DiffieHellman76, RSA78] sender, receiver do not share secret key public encryption key known to all private decryption key known only to receiver Public key cryptography + Bob’s public B key K K plaintext message, m encryption ciphertext algorithm + K (m) B - Bob’s private B key decryption plaintext algorithm message + m = K B(K (m)) B Public key encryption algorithms Requirements: 1 2 + need K ( ) and K - ( ) such that B B - + K (K (m)) = m B B . . + given public key KB , it should be impossible to compute private key KB + Also, given K (m) and B + B K (.) it should be impossible to determine m RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). + KB - KB RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 1. To encrypt bit pattern, m, compute e e c = m mod n (i.e., remainder when m is divided by n) 2. To decrypt received bit pattern, c, compute d m = c d mod n (i.e., remainder when c is divided by n) Magic d m = (m e mod n) mod n happens! c RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z. encrypt: decrypt: letter m me l 12 1524832 c 17 d c 481968572106750915091411825223071697 c = me mod n 17 m = cd mod n letter 12 l RSA: Why is that m = (m e mod n) d mod n Useful number theory result: If p,q prime and n = pq, then: y y mod (p-1)(q-1) x mod n = x mod n e (m mod n) d mod n = medmod n = m ed mod (p-1)(q-1) mod n (using number theory result above) 1 = m mod n (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 ) = m RSA: another important property The following property will be very useful later: - + B B K (K (m)) + = m = K (K (m)) B B use public key first, followed by private key use private key first, followed by public key Result is the same! Overview What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” “I am Alice” Failure scenario?? Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” “I am Alice” in a network, Bob can not “see” Alice, so Trudy simply declares herself to be Alice Authentication: another try Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address Alice’s “I am Alice” IP address Failure scenario?? Authentication: another try Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address Alice’s IP address Trudy can create a packet “spoofing” “I am Alice” Alice’s address Authentication: another try Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s Alice’s “I’m Alice” IP addr password Alice’s IP addr OK Failure scenario?? Authentication: another try Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s Alice’s “I’m Alice” IP addr password Alice’s IP addr OK playback attack: Trudy records Alice’s packet and later plays it back to Bob Alice’s Alice’s “I’m Alice” IP addr password Authentication: yet another try Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. Alice’s encrypted “I’m Alice” IP addr password Alice’s IP addr OK Failure scenario?? Authentication: another try Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. Alice’s encrypted “I’m Alice” IP addr password Alice’s IP addr OK Alice’s encrypted “I’m Alice” IP addr password record and playback still works! Authentication: yet another try Goal: avoid playback attack Nonce: number (R) used only once –in-a-lifetime ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R KA-B(R) Failures, drawbacks? Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! Authentication: ap5.0 ap4.0 requires shared symmetric key can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography “I am Alice” R Bob computes + - - K A (R) “send me your public key” + KA KA(KA (R)) = R and knows only Alice could have the private key, that encrypted R such that + K (K (R)) = R A A ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) I am Alice R I am Alice R K (R) T K (R) A Send me your public key + K T Send me your public key + K A - + m = K (K (m)) A A + K (m) A Trudy gets - + m = K (K (m)) T Alice sends T m to encrypted with Alice’s public key + K (m) T ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) Difficult to detect: Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well! Overview What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures Firewalls firewall isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. public Internet administered network firewall Firewalls: Why prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections. prevent illegal modification/access of internal data. e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts) two types of firewalls: application-level packet-filtering Packet Filtering Should arriving packet be allowed in? Departing packet let out? internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: source IP address, destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits Packet Filtering Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. Example 2: Block inbound TCP SYN packets. Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Application gateways Filters packets on application data as well as on IP/TCP/UDP fields. Example: allow select internal users to telnet outside. host-to-gateway telnet session application gateway gateway-to-remote host telnet session router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. Limitations of firewalls and gateways IP spoofing: router can’t know if data “really” comes from claimed source if multiple app’s. need special treatment, each has own app. gateway. client software must know how to contact gateway. e.g., must set IP address of proxy in Web browser filters often use all or nothing policy for UDP. tradeoff: degree of communication with outside world, level of security many highly protected sites still suffer from attacks. Overview What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures Internet security threats Mapping: before attacking: “case the joint” – find out what services are implemented on network Use ping to determine what hosts have addresses on network Port-scanning: try to establish TCP connection to each port in sequence Countermeasures? Internet security threats Mapping: countermeasures record traffic entering network look for suspicious activity (IP addresses, pots being scanned sequentially) Internet security threats Packet sniffing: broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets C A src:B dest:A Countermeasures? payload B Internet security threats Packet sniffing: countermeasures all hosts in organization run software that checks periodically if host interface in promiscuous mode. one host per segment of broadcast media (switched Ethernet at hub) C A src:B dest:A payload B Internet security threats IP Spoofing: can generate “raw” IP packets directly from application, putting any value into IP source address field receiver can’t tell if source is spoofed e.g.: C pretends to be B C A src:B dest:A Countermeasures? payload B Internet security threats IP Spoofing: ingress filtering routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network) great, but ingress filtering can not be mandated for all networks C A src:B dest:A payload B Internet security threats Denial of service (DOS): flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp receiver e.g., C and remote host SYN-attack A C A SYN SYN SYN SYN SYN B Countermeasures? SYN SYN Internet security threats Denial of service (DOS): countermeasures filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad traceback to source of floods (most likely an innocent, compromised machine) C A SYN SYN SYN SYN SYN B SYN SYN Review (1) Network Layer Virtual Circuits and Datagram Networks Routing Principles • Link State Algorithm • Distance Vector Algorithm The • • • • • • Internet (IP) Protocol IPv4 addressing Datagram format IP fragmentation ICMP: Internet Control Message Protocol IPv6 NAT: Network Address Translation Review (2) Routing in the Internet • • • • Hierarchical routing RIP OSPF BGP Data link layer Introduction and services Error detection and correction Multiple access protocols • TDMA/FDMA • Random Access Protocols • “Taking Turns” Protocols Link-Layer Addressing Ethernet Hubs and switches Mobile and wireless networks, CDMA IEEE 802.11 wireless LANs Review (3) What is network security? Principles of cryptography Symmetric Key Public Key Authentication Protocol evolution Access control: firewalls Attacks and counter measures Packet sniffing IP spoofing DoS attacks Routing Algorithm classification Global or decentralized information? Global: all routers have complete topology, link cost info “link state” algorithms Decentralized: router knows physicallyconnected neighbors, link costs to neighbors iterative process of computation, exchange of info with neighbors “distance vector” algorithms Static or dynamic? Static: routes change slowly over time Dynamic: routes change more quickly periodic update in response to link cost changes Dijsktra’s Algorithm 1 Initialization: 2 N' = {u} 3 for all nodes v 4 if v adjacent to u 5 then D(v) = c(u,v) 6 else D(v) = ∞ 7 8 Loop 9 find w not in N' such that D(w) is a minimum 10 add w to N' 11 update D(v) for all v adjacent to w and not in N' : 12 D(v) = min( D(v), D(w) + c(w,v) ) 13 /* new cost to v is either old cost to v or known 14 shortest path cost to w plus cost from w to v */ 15 until all nodes in N' Dijkstra’s algorithm: example Step 0 1 2 3 4 5 N' u ux uxy uxyv uxyvw uxyvwz D(v),p(v) D(w),p(w) 2,u 5,u 2,u 4,x 2,u 3,y 3,y D(x),p(x) 1,u 2 u 2 1 x 3 w 3 1 5 1 y D(z),p(z) ∞ ∞ 4,y 4,y 4,y 5 v D(y),p(y) ∞ 2,x 2 z Distance vector algorithm (1) Basic idea: Each node periodically sends its own distance vector estimate to neighbors When a node x receives new DV estimate from neighbor, it updates its own DV using B-F equation: Dx(y) ← minv{c(x,v) + Dv(y)} for each node y ∊ N Under minor, natural conditions, the estimate Dx(y) converge the actual least cost dx(y) Distance Vector Algorithm (2) Iterative, asynchronous: each local iteration caused by: local link cost change DV update message from neighbor Distributed: Each node: wait for (change in local link cost of msg from neighbor) each node notifies neighbors only when its DV changes neighbors then notify their neighbors if necessary The algorithm doesn’t know the entire path – only knows the next hop recompute estimates if DV to any dest has changed, notify neighbors Dx(y) = min{c(x,y) + Dy(y), c(x,z) + Dz(y)} = min{2+0 , 7+1} = 2 node x table cost to x y z x ∞∞ ∞ y ∞∞ ∞ z 71 0 from from from from x 0 2 7 y 2 0 1 z 7 1 0 cost to x y z x 0 2 7 y 2 0 1 z 3 1 0 x 0 2 3 y 2 0 1 z 3 1 0 cost to x y z x 0 2 3 y 2 0 1 z 3 1 0 cost to x y z from from from x ∞ ∞ ∞ y 2 0 1 z ∞∞ ∞ node z table cost to x y z x 0 2 3 y 2 0 1 z 7 1 0 cost to x y z cost to x y z from from x 0 2 7 y ∞∞ ∞ z ∞∞ ∞ node y table cost to x y z cost to x y z Dx(z) = min{c(x,y) + Dy(z), c(x,z) + Dz(z)} = min{2+1 , 7+0} = 3 x 0 2 3 y 2 0 1 z 3 1 0 time x 2 y 7 1 z The Internet Network layer Host, router network layer functions: Transport layer: TCP, UDP Network layer IP protocol •addressing conventions •datagram format •packet handling conventions Routing protocols •path selection •RIP, OSPF, BGP forwarding table ICMP protocol •error reporting •router “signaling” Link layer physical layer IP datagram format IP protocol version number header length (bytes) “type” of data max number remaining hops (decremented at each router) upper layer protocol to deliver payload to how much overhead with TCP? 20 bytes of TCP 20 bytes of IP = 40 bytes + app layer overhead 32 bits head. type of length ver len service fragment 16-bit identifier flgs offset upper time to Internet layer live checksum total datagram length (bytes) for fragmentation/ reassembly 32 bit source IP address 32 bit destination IP address Options (if any) data (variable length, typically a TCP or UDP segment) E.g. timestamp, record route taken, specify list of routers to visit. IP Addressing: introduction IP address: 32-bit identifier for host, router interface interface: connection between host/router and physical link router’s typically have multiple interfaces host may have multiple interfaces IP addresses associated with each interface 223.1.1.1 223.1.2.1 223.1.1.2 223.1.1.4 223.1.1.3 223.1.2.9 223.1.3.27 223.1.2.2 223.1.3.2 223.1.3.1 223.1.1.1 = 11011111 00000001 00000001 00000001 223 1 1 1 Subnets IP address: subnet part (high order bits) host part (low order bits) What’s a subnet ? device interfaces with same subnet part of IP address can physically reach each other without intervening router 223.1.1.1 223.1.2.1 223.1.1.2 223.1.1.4 223.1.1.3 223.1.2.9 223.1.3.27 223.1.2.2 LAN 223.1.3.1 223.1.3.2 network consisting of 3 subnets IP addressing: CIDR Before CIDR: only 8-, 16-, and 24- bit masks were available (A, B, and C class networks) CIDR: Classless InterDomain Routing subnet portion of address of arbitrary length address format: a.b.c.d/x, where x is # bits in subnet portion of address subnet part host part 11001000 00010111 00010000 00000000 200.23.16.0/23 NAT: Network Address Translation rest of Internet local network (e.g., home network) 10.0.0/24 10.0.0.4 10.0.0.1 10.0.0.2 138.76.29.7 10.0.0.3 All datagrams leaving local network have same single source NAT IP address: 138.76.29.7, different source port numbers Datagrams with source or destination in this network have 10.0.0/24 address for source, destination (as usual) NAT: Network Address Translation 2: NAT router changes datagram source addr from 10.0.0.1, 3345 to 138.76.29.7, 5001, updates table 2 NAT translation table WAN side addr LAN side addr 1: host 10.0.0.1 sends datagram to 128.119.40, 80 138.76.29.7, 5001 10.0.0.1, 3345 …… …… S: 10.0.0.1, 3345 D: 128.119.40.186, 80 S: 138.76.29.7, 5001 D: 128.119.40.186, 80 138.76.29.7 S: 128.119.40.186, 80 D: 138.76.29.7, 5001 3: Reply arrives dest. address: 138.76.29.7, 5001 3 1 10.0.0.4 S: 128.119.40.186, 80 D: 10.0.0.1, 3345 10.0.0.1 10.0.0.2 4 10.0.0.3 4: NAT router changes datagram dest addr from 138.76.29.7, 5001 to 10.0.0.1, 3345 Hierarchical Routing Our routing study thus far - idealization all routers identical network “flat” … not true in practice scale: with 200 million destinations: can’t store all dest’s in routing tables! routing table exchange would swamp links! administrative autonomy internet = network of networks each network admin may want to control routing in its own network Hierarchical Routing aggregate routers into regions, “autonomous systems” (AS) routers in same AS run same routing protocol “intra-AS” routing protocol routers in different AS can run different intraAS routing protocol Gateway router Direct link to router in another AS Interconnected ASes 3c 3a 3b AS3 1a 2a 1c 1d 1b Intra-AS Routing algorithm 2c AS2 AS1 Inter-AS Routing algorithm Forwarding table 2b Forwarding table is configured by both intra- and inter-AS routing algorithm Intra-AS sets entries for internal dests Inter-AS & Intra-As sets entries for external dests Routing in the Internet Routing in the Internet Intra-AS routing: RIP and OSPF Inter-AS routing: BGP RIP ( Routing Information Protocol) Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric: # of hops (max = 15 hops) # of hops: # of subnets traversed along the shortest path from src. router to dst. subnet (e.g., src. = A) u v A z C B D w x y destination hops u 1 v 2 w 2 x 3 y 3 z 2 RIP advertisements Distance vectors: exchanged among neighbors every 30 sec via Response Message (also called advertisement) Each advertisement: list of up to 25 destination nets within AS OSPF (Open Shortest Path First) “open”: publicly available Uses Link State algorithm LS packet dissemination Topology map at each node Route computation using Dijkstra’s algorithm Link costs configured by the network administrator OSPF advertisement carries one entry per neighbor router Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than TCP or UDP OSPF “advanced” features (not in RIP) Security: all OSPF messages authenticated (to prevent malicious intrusion) Multiple same-cost paths allowed (only one path in RIP) For each link, multiple cost metrics for different TOS (e.g., satellite link cost set “low” for best effort; high for real time) Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF Hierarchical OSPF in large domains. Hierarchical OSPF Hierarchical OSPF Two-level hierarchy: local area, backbone. Link-state advertisements only in area each node has detailed area topology; Area border routers: “summarize” distances to nets in own area, advertise to other Area Border routers. Backbone routers: run OSPF routing limited to backbone. Boundary routers: connect to other AS’s. Internet inter-AS routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means to: 1. 2. 3. Obtain subnet reachability information from neighboring ASs. Propagate the reachability information to all routers internal to the AS. Determine “good” routes to subnets based on reachability information and policy. Allows a subnet to advertise its existence to rest of the Internet: “I am here” BGP basics Pairs of routers (BGP peers) exchange routing info over TCP conections: BGP sessions Note that BGP sessions do not correspond to physical links. When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix. AS2 can aggregate prefixes in its advertisement 3c 3a 3b AS3 1a AS1 2a 1c 1d 1b 2c AS2 2b eBGP session iBGP session Path attributes & BGP routes When advertising a prefix, advert includes BGP attributes. prefix + attributes = “route” Two important attributes: AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67 AS 17 NEXT-HOP: Indicates the specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop-AS.) When gateway router receives route advert, uses import policy to accept/decline. Why different Intra- and Inter-AS routing ? Policy: Inter-AS: admin wants control over how its traffic routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed Scale: hierarchical routing saves table size, reduced update traffic Performance: Intra-AS: can focus on performance Inter-AS: policy may dominate over performance Data Link Layer Some terminology: hosts and routers are nodes communication channels that connect adjacent nodes along communication path are links wired links wireless links LANs layer-2 packet is a frame, encapsulates datagram data-link layer has responsibility of transferring datagram from one node to adjacent node over a link “link” Link Layer Services Framing, link access: encapsulate datagram into frame, adding header, trailer channel access if shared medium “MAC” addresses used in frame headers to identify source, dest • different from IP address! Reliable delivery between adjacent nodes we learned how to do this already (chapter 3)! seldom used on low bit error link (fiber, some twisted pair) wireless links: high error rates • Q: why both link-level and end-end reliability? MAC Protocols: a taxonomy Three broad classes: Channel Partitioning divide channel into smaller “pieces” (time slots, frequency, code) allocate piece to node for exclusive use Random Access channel not divided, allow collisions “recover” from collisions “Taking turns” Nodes take turns, but nodes with more to send can take longer turns Channel Partitioning MAC protocols: TDMA TDMA: time division multiple access access to channel in "rounds" each station gets fixed length slot (length = pkt trans time) in each round unused slots go idle example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6 idle Slotted ALOHA Pros single active node can continuously transmit at full rate of channel highly decentralized: only slots in nodes need to be in sync simple Cons collisions, wasting slots idle slots clock synchronization Slotted Aloha efficiency Efficiency is the long-run fraction of successful slots when there are many nodes, each with many frames to send Suppose N nodes with many frames to send, each transmits in slot with probability p prob that node 1 has success in a slot = p(1-p)N-1 prob that there is a success = Np(1-p)N-1 For max efficiency with N nodes, find p* that maximizes Np(1-p)N-1 For many nodes, take limit of Np*(1-p*)N-1 as N goes to infinity, gives 1/e = .37 At best: channel used for useful transmissions 37% of time! CSMA (Carrier Sense Multiple Access) CSMA: listen before transmit: If channel sensed idle: transmit entire frame If channel sensed busy, defer transmission Human analogy: don’t interrupt others! CSMA collisions collisions can still occur: propagation delay means two nodes may not hear each other’s transmission collision: entire packet transmission time wasted note: role of distance & propagation delay in determining collision probability spatial layout of nodes CSMA/CD (Collision Detection) CSMA/CD: carrier sensing, deferral as in CSMA collisions detected within short time colliding transmissions aborted, reducing channel wastage collision detection: easy in wired LANs: measure signal strengths, compare transmitted, received signals difficult in wireless LANs: receiver shut off while transmitting CSMA/CD collision detection “Taking Turns” MAC protocols Token passing: Polling: control token passed from master node one node to next “invites” slave nodes sequentially. to transmit in turn token message concerns: concerns: polling overhead latency single point of failure (master) token overhead latency single point of failure (token) ARP: Address Resolution Protocol Question: how to determine MAC address of B knowing B’s IP address? 237.196.7.78 1A-2F-BB-76-09-AD 237.196.7.23 Each IP node (Host, Router) on LAN has ARP table ARP Table: IP/MAC address mappings for some LAN nodes 237.196.7.14 LAN 71-65-F7-2B-08-53 237.196.7.88 < IP address; MAC address; TTL> 58-23-D7-FA-20-B0 0C-C4-11-6F-E3-98 TTL (Time To Live): time after which address mapping will be forgotten (typically 20 min) ARP protocol: Same LAN (network) A wants to send datagram to B, and B’s MAC address not in A’s ARP table. A broadcasts ARP query packet, containing B's IP address Dest MAC address = FF-FF-FF-FF-FF-FF all machines on LAN receive ARP query B receives ARP packet, replies to A with its (B's) MAC address frame sent to A’s MAC address (unicast) A caches (saves) IP-to- MAC address pair in its ARP table until information becomes old (times out) soft state: information that times out (goes away) unless refreshed ARP is “plug-and-play”: nodes create their ARP tables without intervention from net administrator Routing to another LAN walkthrough: send datagram from A to B via R assume A knows B’s IP address A R Two ARP tables in router R, one for each IP network (LAN) B A creates datagram with source A, destination B A uses ARP to get R’s MAC address for 111.111.111.110 A creates link-layer frame with R's MAC address as dest, frame contains A-to-B IP datagram A’s adapter sends frame R’s adapter receives frame R removes IP datagram from Ethernet frame, sees its destined to B R uses ARP to get B’s MAC address R creates frame containing A-to-B IP datagram sends to B A R B Ethernet uses CSMA/CD No slots adapter doesn’t transmit if it senses that some other adapter is transmitting, that is, carrier sense transmitting adapter aborts when it senses that another adapter is transmitting, that is, collision detection Before attempting a retransmission, adapter waits a random time, that is, random access Ethernet CSMA/CD algorithm 1. Adaptor receives 4. If adapter detects datagram from net layer & another transmission while creates frame transmitting, aborts and sends jam signal (48 bits) 2. If adapter senses channel idle, it starts to transmit 5. After aborting, adapter frame. If it senses enters exponential channel busy, waits until backoff: after the mth channel idle and then collision, adapter chooses transmits a K at random from {0,1,2,…,2m-1}. 3. If adapter transmits entire frame without Adapter waits K·512 bit detecting another times and returns to Step transmission, the adapter 2 is done with frame ! Ethernet’s CSMA/CD (more) Jam Signal: make sure all other transmitters are aware of collision; 48 bits Bit time: .1 microsec for 10 Mbps Ethernet ; for K=1023, wait time is about 50 msec Exponential Backoff: Goal: adapt retransmission attempts to estimated current load heavy load: random wait will be longer first collision: choose K from {0,1}; delay is K· 512 bit transmission times after second collision: choose K from {0,1,2,3}… after ten collisions, choose K from {0,1,2,3,4,…,1023} CSMA/CD efficiency Tprop = max prop between 2 nodes in LAN ttrans = time to transmit max-size frame efficiency 1 1 5t prop / ttrans Efficiency goes to 1 as tprop goes to 0 Goes to 1 as ttrans goes to infinity Much better than ALOHA, but still decentralized, simple, and cheap Hubs Hubs are essentially physical-layer repeaters: bits coming from one link go out all other links at the same rate no frame buffering no CSMA/CD at hub: adapters detect collisions provides net management functionality • can disconnect a malfunctioning adapter twisted pair hub Interconnecting with hubs Pros: Cons: Enables interdepartmental Collision domains are communication Extends max distance btw. nodes If a hub malfunctions, the backbone hub can disconnect it hub transferred into one large, common domain Cannot interconnect 10BaseT and 100BaseT hub hubs hub hub Switch Link layer device stores and forwards Ethernet frames examines frame header and selectively forwards frame based on MAC dest address when frame is to be forwarded on segment, uses CSMA/CD to access segment transparent hosts are unaware of presence of switches plug-and-play, self-learning switches do not need to be configured Forwarding switch 1 2 hub 3 hub hub • How to determine onto which LAN segment to forward frame? • Looks like a routing problem... Self learning A switch has a switch table entry in switch table: (MAC Address, Interface, Time Stamp) stale entries in table dropped (TTL can be 60 min) switch learns which hosts can be reached through which interfaces when frame received, switch “learns” location of sender: incoming LAN segment records sender/location pair in switch table Switch: traffic isolation switch installation breaks subnet into LAN segments switch filters packets: same-LAN-segment frames not usually forwarded onto other LAN segments segments become separate collision domains switch collision domain hub collision domain hub collision domain hub Switches vs. Routers both store-and-forward devices routers: network layer devices (examine network layer headers) switches are link layer devices routers maintain routing tables, implement routing algorithms switches maintain switch tables, implement filtering, learning algorithms Summary comparison hubs switches routers traffic isolation no yes yes plug & play yes yes no optimal routing no no yes Wireless network characteristics Multiple wireless senders and receivers create additional problems (beyond multiple access): C A B A B Hidden terminal problem C C’s signal strength A’s signal strength space B, A hear each other Signal fading: A, C can not hear each other B, C hear each other B, C hear each other B, A hear each other means A, C unaware of their interference at B A, C can not hear each other interferring at B IEEE 802.11 Wireless LAN 802.11b 2.4-5 GHz unlicensed radio spectrum up to 11 Mbps direct sequence spread spectrum (DSSS) in physical layer • all hosts use same chipping code widely deployed, using base stations 802.11a 5-6 GHz range up to 54 Mbps 802.11g 2.4-5 GHz range up to 54 Mbps All use CSMA/CA for multiple access All have base-station and ad-hoc network versions 802.11 LAN architecture wireless host communicates Internet AP hub, switch or router BSS 1 AP BSS 2 with base station base station = access point (AP) Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains: wireless hosts access point (AP): base station ad hoc mode: hosts only IEEE 802.11 MAC Protocol: CSMA/CA 802.11 sender 1 if sense channel idle for DIFS then transmit entire frame (no CD) 2 if sense channel busy then - start random backoff time - timer counts down while channel idle - transmit when timer expires - if no ACK, increase random backoff interval, repeat 2 802.11 receiver - if frame received OK return ACK after SIFS (ACK needed due to hidden terminal problem) sender receiver DIFS data SIFS ACK Collision Avoidance: RTS-CTS exchange A AP B reservation collision DATA (A) time defer 802.11 frame: addressing 2 2 6 6 6 frame address address address duration control 1 2 3 Address 1: MAC address of wireless host or AP to receive this frame Address 2: MAC address of wireless host or AP transmitting this frame 2 6 seq address 4 control 0 - 2312 4 payload CRC Address 4: used only in ad hoc mode Address 3: MAC address of router interface to which AP is attached 802.11 frame: addressing R1 router H1 Internet AP R1 MAC addr AP MAC addr dest. address source address 802.3 frame AP MAC addr H1 MAC addr R1 MAC addr address 1 address 2 address 3 802.11 frame Network Security What is network security? Principles of cryptography Symmetric Key Public Key Authentication Protocol evolution Access control: firewalls Attacks and counter measures Packet sniffing IP spoofing DoS attacks