Networking Operating Systems (CO32010)
http://www.soc.napier.ac.uk/~bill/nos.html, bill@napier, 2002

Module units: 1. Operating Systems; 2. Processes and scheduling; 3. Distributed processing; 4. Distributed file systems; 5. Routing protocols; 6. Routers (router programming and security); 7. Encryption; 8. NT, UNIX and NetWare.

1. Operating Systems
1.1 NOS definition and units
1.2 Computer Systems
1.3 Multitasking and Threading
1.4 Exercises

Objectives:
• To outline the main areas covered in the module.
• To define some of the basic terminology of operating systems.
• To define the main components of a network operating system.
• To define the differences in operating systems.

Definition of an NOS
The infrastructure that allows the reliable distribution of processes, file systems, networking components, networking protocols, and other associated components in order to produce a system which is reliable and secure, and which operates within a required specification.

[Figure: the module's areas (processes and scheduling, distributed processing, distributed file systems, routing protocols, router programming and security, encryption, NOSs) drawn around a server and a set of routers.]

Areas covered
• Introduction. This unit provides a basic introduction to some of the concepts involved with operating systems, such as the basic definitions involved in computer systems.
• Processes and Scheduling. This unit outlines some of the key concepts in the operation of an operating system, especially those related to processes and scheduling.
• Distributed Processing. This unit outlines some of the standard methods which are used to control the distribution of processes over a network. A key focus is on the RPC protocol, which is a standard method for distributing processes.
• Distributed File Systems. This unit outlines some of the methods which can be used to distribute file systems over a network. A key focus of this unit is the NFS standard, which can be used to distribute a file system over a network.
• Routing Protocols. This unit outlines some of the key methods, and problems, that occur with standard routing protocols.
• Routers and ACLs. This unit outlines how routers are programmed, and how ACLs can be applied to facilitate network security.
• Encryption. This unit outlines the principles of methods which allow data to be encrypted.
• Networking Operating Systems. This unit outlines the three main networking operating systems: UNIX, Novell NetWare and Microsoft Windows.

Hardware, Operating Systems and User Interfaces
User interface:
• Microsoft Windows (Windows 95/NT/2000/XP).
• Microsoft Windows 3.1.
• X-Windows.
Operating system:
• Microsoft Windows (Windows 95/NT/2000/XP).
• DOS.
• UNIX/Linux.
• VMS.
• Novell NetWare.
Hardware:
• x86 architecture.
• SPARC architecture.
• Apple architecture.
Hardware, Operating Systems and User Interfaces
[Figure: the operating system (kernel, user account database of users and groups, volumes and file system, resources such as memory, print queues and printers) sitting between the users and a server.]

Operating system characteristics
• Single-user v. multi-user.
• Stand-alone v. networked.
• Single-tasking v. multitasking.
• Single processor v. multi-processor.
• Local processing v. distributed processing.
• Embedded v. non-embedded.

Operating Systems (functions, with UNIX, Linux, Microsoft Windows 95/98, Microsoft Windows NT, Mac OS and DOS as examples)
Memory:
- Creating virtual memory systems.
- Disk swapping for memory.
Device interfacing:
- Access to connected devices.
- Multi-user access.
- Device drivers.
Networking:
- Remote login/file transfer.
- Creating global file systems.
File system:
- Creating a file system.
- Copying/deleting/moving files.
Multi-user:
- Allowing users to log in to the system.
- Allowing users permissions to certain resources.
- Managing queues for resources.
Multiprocessing:
- Allowing several processes to run at a time.
- Scheduling of processing to allow priority.

Operating System Components
[Figure: application programs communicate with the operating system; the kernel sits above the device drivers (network, mouse, video, keyboard and soundcard drivers).]

Information passed between processes
[Figure: processes on the same computer or across a network exchange data and messages or signals; interrupts and low-level interrupts reach the processes from the hardware below.]

Preemptive Multitasking
[Figure: processes 1 to 5 in a process queue; the processor tells process 1 "Okay No.1, you've had your turn, get to the back of the queue. Next!" while the others wait ("Come on. My turn soon").]
Pre-emptive multitasking: processes are given some time on the processor. This allows all the processes to have some time on the processor, and makes for smoother and more reliable operation.

Co-operative Multitasking
[Figure: process 1 stays on the processor ("Hurray. I could stay here forever. Anyway, I'm not going back to the end of the queue.") while processes 2 to 6 wait in the process queue ("Hurry up. I'm waiting. You've been on that processor for ages. This isn't very fair!") and the processor replies "Sorry. You'll have to wait until he's finished".]
Co-operative multitasking: processes must yield the processor before other processes can run on it.

Splitting a process into threads
[Figure: process approach v. threads approach; a process splits into threads, which may be independent or interlinked, with common sharing of data between threads.]

Networking Operating Systems (CO32010)
2. Processes and scheduling
2.1 Introduction
2.2 Scheduling
2.3 Higher-level primitives
2.4 Signals, pipes and task switching
2.5 Messages
2.6 Microsoft Windows scheduling
2.7 UNIX process control

Objectives:
• To define the main parameters used in scheduling.
• To define some of the main scheduling techniques and be able to contrast them.
• To briefly define the usage of parallel processing.
• To outline the usage of high-level primitives, such as signals, pipes and task-switching.
• To give examples of practical process control.
Networking Operating Systems (CO32010)
3. Distributed processing
3.1 Introduction
3.2 Interprocess communication
3.3 Flags and semaphores
3.4 RPC
3.5 Multi-processor systems
3.6 Exercises

Objectives:
• To define the concept of distributed processing, and contrast centralized systems against distributed ones.
• To define mechanisms of interprocess control, such as pipes, semaphores, flags and message queues.
• To define, in detail, how semaphores are used, and how they can prevent deadlock.
• To define the conditions for deadlock.
• To outline algorithms to prevent deadlock, such as the Banker's Algorithm.
• To outline practical interprocess control protocols, especially RPC.

3.1 Centralised v. Distributed
[Figure: a centralised organisation (decision making, account management and logistics all at Head Office) against a distributed one (customers, staff and logistics spread over Head Office, Regional Office, Local Office and ATM).]

3.6 Deadlock
• Resource locking. This is where a process is waiting for a resource which will never become available. Some resources are pre-emptive, where processes can release their access on them, and give other processes a chance to access them. Others, though, are non-preemptive, and processes are given full rights to them. No other process can then get access to them until the currently assigned process is finished with them. An example of this is with the transmission and reception of data on a communication system. It would not be a good idea for a process which sends some data, and requires data to be received in return, to yield to another process which also wanted to send and receive data.
• Starvation. This is where other processes are run, and the deadlocked process is not given enough time to catch the required event. This can occur when processes have a low priority compared with other ones, as higher priority tasks tend to have a better chance to access the required resources.

3.7 Analogy to deadlock
[Figure: cars A to F blocked at a junction.]

3.8 Four conditions for deadlock
• Mutual exclusion condition. This is where processes get exclusive control of required resources, and will not yield the resource to any other process.
• Wait for condition. This is where processes keep exclusive control of acquired resources while waiting for additional resources.
• No pre-emption condition. This is where resources cannot be removed from the processes which have gained them, until they have completed their access on them.
• Circular wait condition. This is a circular chain of processes in which each process holds one or more resources that are requested by the next process in the chain.

3.7 Analogy to deadlock
[Figure: the same junction with cars A to F. The cars waiting on each other form the circular wait condition; mutual exclusion and no pre-emption hold because none of the cars will give up its exclusive access to the junction.]

3.9 Banker's Algorithm (Safe condition)
Process A requires a maximum of 50MB. Process B requires a maximum of 40MB. Process C requires a maximum of 60MB. Process D requires a maximum of 40MB.
The current state would be safe, as Process A can complete, which releases 50MB (which allows the other processes to complete):

Process   Current allocation   Maximum allocation required
A         40                   50
B         20                   40
C         20                   60
D         10                   40
Resource unallocated: 10

3.10 Banker's Algorithm (Unsafe condition)
Process A requires a maximum of 50MB. Process B requires a maximum of 40MB. Process C requires a maximum of 60MB. Process D requires a maximum of 40MB.
The current state would be unsafe, as no process can complete:

Process   Current allocation   Maximum allocation required
A         15                   50
B         30                   40
C         45                   60
D         0                    40
Resource unallocated: 5

3.11 Banker's Algorithm
Each process has exclusive access to the resources that have been granted to it. An allocation is only granted if there is enough allocation left for at least one process to complete and release its allocated resources. Processes whose request for a resource is rejected must wait until some resources have been released, and the allocated resources must stay in the safe region.
Problems:
• Requires processes to define their maximum resource requirement.
• Requires the system to define the maximum amount of a resource.
• Requires a maximum number of processes.
• Requires that processes return their resources in a finite time.
• Processes must wait for allocations to become available.
• A slow process may stop many other processes from running as it hogs the allocation.
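The safety check behind slides 3.9 to 3.11, as an added example (not code from the lecture slides): a process can be driven to completion when the unallocated resource covers the gap between what it holds and its declared maximum; once it finishes, everything it held becomes available to the next one. A request is granted only if the state after granting it would still pass this test. A single resource type (memory in MB) is assumed, as in the slides; the two tables below are the slides' own figures.

```python
# Added example (not from the lecture slides): Banker's Algorithm safety test
# for a single resource type, run over the allocation tables of slides 3.9 and 3.10.

def is_safe(allocation, maximum, available):
    """Return (safe, order).

    allocation: {process: amount currently allocated}
    maximum:    {process: maximum it may ever request}
    available:  amount currently unallocated
    safe is True when every process can be run to completion in some order;
    order lists the completion sequence the check found.
    """
    need = {p: maximum[p] - allocation[p] for p in allocation}
    free = available
    finished = set()
    order = []
    progress = True
    while progress:
        progress = False
        for p in sorted(allocation):
            if p in finished:
                continue
            if need[p] <= free:        # enough left for this process to finish now
                free += allocation[p]  # ...after which it releases all it held
                finished.add(p)
                order.append(p)
                progress = True
    return len(finished) == len(allocation), order


def request_granted(allocation, maximum, available, process, amount):
    """Banker's rule: grant a request only if the resulting state is still safe."""
    if amount > maximum[process] - allocation[process]:
        return False               # process exceeded its declared maximum
    if amount > available:
        return False               # nothing to give yet; the process must wait
    trial = dict(allocation)
    trial[process] += amount
    safe, _ = is_safe(trial, maximum, available - amount)
    return safe


# Constructed from slide 3.9 (safe state) and slide 3.10 (unsafe state).
MAXIMUM = {"A": 50, "B": 40, "C": 60, "D": 40}
SAFE_STATE = ({"A": 40, "B": 20, "C": 20, "D": 10}, 10)
UNSAFE_STATE = ({"A": 15, "B": 30, "C": 45, "D": 0}, 5)

if __name__ == "__main__":
    for slide, (alloc, avail) in (("3.9", SAFE_STATE), ("3.10", UNSAFE_STATE)):
        safe, order = is_safe(alloc, MAXIMUM, avail)
        print(f"slide {slide}: safe={safe}, completion order={order}")
    alloc, avail = SAFE_STATE
    print("grant B another 10 from the safe state?",
          request_granted(alloc, MAXIMUM, avail, "B", 10))
```

From the safe state, granting Process B a further 10MB would leave nothing unallocated and no process able to finish, so the algorithm refuses it even though the memory is physically free; granting Process A its last 10MB is accepted because A then completes and returns 50MB.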
3.12 RPC
[Figure: the RPC protocol stack. Application programs call remote processes through the Presentation layer; the Session layer (RPC) supports the running of remote processes and passes run parameters and results; the Transport layer (TCP/IP or UDP/IP) sets up a virtual connection and streams data; the Network layer is responsible for routing data over the network and delivering it at the destination; the Data link/Physical layers are Ethernet/ISDN/FDDI/ATM, etc.]

3.13 RPC operation
1. The server process waits for a call.
2. The caller process sends a call message, with all the procedure's parameters (process and parameters).
3. The caller process waits for a response.
4. The server reads the parameters and runs the process.
5. The server sends the results to the client.
6. The server process waits for the next call.

RPC
RPC provides:
• A unique specification of the called procedure.
• A mechanism for matching response parameters with request messages.
• Authentication of both callers and servers. The call message has two authentication fields (the credentials and verifier), and the reply message has one authentication field (the response verifier).
• Protocol errors/messages (such as incorrect versions, errors in procedure parameters, an indication of why a process failed and reasons for incorrect authentication).

RPC
RPC provides three fields which define the called procedure:
• Remote program number. These are numbers which are defined by a central authority (like Sun Microsystems).
• Remote program version number. This defines the version number, and allows for migration of the protocol, where older versions are still supported. Different versions can possibly support different message calls. The server must be able to cope with this.
• Remote procedure number. This identifies the called procedure, and is defined in the specification of the specific program's protocol. For example, a file service may define that an 8 defines a read operation and a 10 defines a write operation.

RPC
RPC call message format:
• Message type. This is either CALL (0) or REPLY (1).
• Message status. There are two different message status fields, depending on whether it is a CALL or a REPLY.
• Rpcvers. RPC version number (unsigned integer).
• Prog, vers and proc. Specify the remote program, its version number and the procedure within the remote program (all unsigned integers).
• Cred. Authentication credentials.
• Verf. Authentication verifier.
• Procedure-specific parameters.

RPC authentication
• No authentication (AUTH_NULL). No authentication is made when callers do not know who they are or when the server does not care who the caller is. This type of method would be used on a system that did not have external connections to networks, and assumes that all the callers are valid.
• Unix authentication (AUTH_UNIX). Unix authentication uses the Unix authentication system, which generates a data structure with a stamp (an arbitrary ID which the caller machine may generate), machine name (such as 'Apollo'), UID (caller's effective user ID), GID (the caller's effective group ID) and GIDS (an array of groups which contain the caller as a member).
• Short authentication (AUTH_SHORT).
• DES authentication (AUTH_DES). Unix authentication suffers from two problems: the naming is too Unix oriented and there is no verifier (so credentials can easily be faked). DES overcomes this by addressing the caller using its network name (such as '[email protected]') instead of by an operating system specific integer. These network names are unique on the Internet. For example [email protected] identifies user ID number 111 on the mycomputer.net system.

RPC programming
RPC programming levels:
• Highest layer. At this level the calls are totally transparent to the operating system, the computer type and the network. With this the programmer simply calls the required library routine, and does not have to worry about any of the underlying computer type, operating system or networking. For example, the rnusers routine returns the number of users on a remote computer (as given in Program 3.2).
• Middle layer. At this level the programmer does not have to worry about the network connection (such as the TCP sockets), the Unix system, or other low-level implementation mechanisms. It just makes a remote procedure call to routines on other computers, and is the most common implementation as it gives an increased amount of control over the RPC call. These calls are made with: registerrpc (which obtains a unique system-wide procedure identification number); callrpc (which executes a remote procedure call); and svc_run. The middle layer, in some more complex applications, does not allow for timeout specifications, choice of transport, Unix process control, or flexibility in the case of errors. If these are required, the lower layer is used.
• Lowest layer. At this level there is full control over the RPC call, and this can be used to create robust and efficient connections.
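An added example (not code from the lecture slides, and not Sun's library) that builds and decodes the RPC call message described above, laid out as in the Sun RPC specification (RFC 1057): transaction id, message type, RPC version, program, version and procedure numbers, then the credentials and verifier fields. It encodes the AUTH_NULL and AUTH_UNIX flavours. The program/version/procedure numbers are the rusers values used on the slides; the transaction id, stamp, machine name, uid and group list are constructed. Decoding an AUTH_UNIX message makes the slide's point concrete: the uid is simply an integer the caller wrote into the message, and the verifier field that would let a server check it is AUTH_NULL (empty), which is why such credentials can be faked and why a server should not treat them as proof of identity.

```python
# Added example (not from the lecture slides): encode/decode a Sun RPC CALL message
# header (RFC 1057 layout) with AUTH_NULL and AUTH_UNIX credentials.
import struct

CALL, REPLY = 0, 1
AUTH_NULL, AUTH_UNIX, AUTH_SHORT, AUTH_DES = 0, 1, 2, 3
RPC_VERSION = 2
RUSERSPROG, RUSERSVERS, RUSERSPROC = 100002, 2, 1   # rusers numbers from the slides


def xdr_u32(value):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", value)


def xdr_string(text):
    """XDR string: length, bytes, zero padding to a 4-byte boundary."""
    data = text.encode()
    return xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


def auth_unix_body(stamp, machine, uid, gid, gids):
    """Body of an AUTH_UNIX credential: stamp, machine name, uid, gid, gids[]."""
    body = xdr_u32(stamp) + xdr_string(machine) + xdr_u32(uid) + xdr_u32(gid)
    return body + xdr_u32(len(gids)) + b"".join(xdr_u32(g) for g in gids)


def opaque_auth(flavor, body=b""):
    """An opaque_auth field: flavor, body length, body."""
    return xdr_u32(flavor) + xdr_u32(len(body)) + body


def build_call(xid, prog, vers, proc, cred, params=b""):
    """CALL message: header, credentials, verifier, procedure parameters.
    AUTH_NULL and AUTH_UNIX callers send an empty (AUTH_NULL) verifier."""
    header = struct.pack(">IIIIII", xid, CALL, RPC_VERSION, prog, vers, proc)
    return header + cred + opaque_auth(AUTH_NULL) + params


def parse_call(msg):
    """Decode a CALL message into a dict; AUTH_UNIX credentials are expanded."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", msg, 0)
    off = 24
    cred_flavor, cred_len = struct.unpack_from(">II", msg, off)
    off += 8
    cred = {"flavor": cred_flavor}
    if cred_flavor == AUTH_UNIX:
        stamp, name_len = struct.unpack_from(">II", msg, off)
        pos = off + 8
        machine = msg[pos:pos + name_len].decode()
        pos += name_len + (-name_len) % 4
        uid, gid, ngids = struct.unpack_from(">III", msg, pos)
        pos += 12
        gids = [struct.unpack_from(">I", msg, pos + 4 * i)[0] for i in range(ngids)]
        cred.update(stamp=stamp, machine=machine, uid=uid, gid=gid, gids=gids)
    off += cred_len
    verf_flavor, verf_len = struct.unpack_from(">II", msg, off)
    off += 8 + verf_len
    return {"xid": xid, "type": mtype, "rpcvers": rpcvers, "prog": prog,
            "vers": vers, "proc": proc, "cred": cred,
            "verf_flavor": verf_flavor, "params": msg[off:]}


if __name__ == "__main__":
    # Constructed values: xid 8, stamp 1, machine "apollo", uid 111, gid 10, gids [10, 20]
    cred = opaque_auth(AUTH_UNIX, auth_unix_body(1, "apollo", 111, 10, [10, 20]))
    msg = build_call(8, RUSERSPROG, RUSERSVERS, RUSERSPROC, cred)
    print(parse_call(msg))
```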
RPC highest level programming

    #include <stdio.h>
    #include <stdlib.h>
    #include <rpcsvc/rusers.h>   /* declares rnusers() */

    int main(int argc, char *argv[])
    {
      int users;

      if (argc != 2) {
        fprintf(stderr, "Use: rnusers hostname\n");
        return 1;
      }
      /* rnusers() hides the whole RPC exchange; it returns -1 on failure */
      if ((users = rnusers(argv[1])) < 0) {
        fprintf(stderr, "Error: rnusers\n");
        exit(-1);
      }
      printf("There are %d users on %s\n", users, argv[1]);
      return 0;
    }

RPC middle level programming

    #include <stdio.h>
    #include <stdlib.h>
    #include <rpc/rpc.h>

    #define RUSERSPROG    100002 /* Program number (rusersd in /etc/rpc) */
    #define RUSERSVERSION 2      /* Version number */
    #define RUSERSPROCVAL 1      /* Procedure number */

    int main(int argc, char *argv[])
    {
      unsigned long users;
      enum clnt_stat rtn;

      if (argc != 2) {
        fprintf(stderr, "Use: nusers hostname\n");
        exit(-1);
      }
      /* callrpc() sends the call and waits for the reply; it returns
         RPC_SUCCESS (0) or a clnt_stat error code */
      rtn = callrpc(argv[1], RUSERSPROG, RUSERSVERSION, RUSERSPROCVAL,
                    (xdrproc_t) xdr_void, NULL,          /* no input parameters */
                    (xdrproc_t) xdr_u_long, (char *) &users); /* result */
      if (rtn != RPC_SUCCESS) {
        clnt_perrno(rtn);          /* print the error code as text */
        return 1;
      }
      printf("There are %lu users on %s\n", users, argv[1]);
      return 0;
    }

RPC lowest level programming

    #include <stdio.h>
    #include <rpc/rpc.h>

    #define RUSERSPROG    100002 /* Program number */
    #define RUSERSVERSION 2      /* Version number */
    #define RUSERSPROCVAL 1      /* Procedure number */

    /* Service routine run for each request; the slide gives only its
       declaration (it takes the decoded input and returns a pointer to
       the result, which is encoded with xdr_u_long) */
    char *nuser(char *);

    int main(void)
    {
      /* Register the procedure with the local portmapper, then serve requests */
      registerrpc(RUSERSPROG, RUSERSVERSION, RUSERSPROCVAL, nuser,
                  (xdrproc_t) xdr_void, (xdrproc_t) xdr_u_long);
      svc_run();                   /* only returns if the service fails */
      fprintf(stderr, "Error: server terminated\n");
      return 1;
    }

RPC lowest level programming
Sample contents of the /etc/rpc file:

    portmapper  100000  portmap sunrpc
    rstatd      100001  rstat rstat_svc rup perfmeter
    rusersd     100002  rusers
    nfs         100003  nfsprog
    ypserv      100004  ypprog

This shows the RPC process name, its RPC procedure number and its aliases.

Networking Operating Systems (CO32010)
4. Distributed file systems

Objectives:
• To discuss the advantages of a distributed file system.
• To outline the different methods of mounting remote file systems onto a file system structure.
• To outline practical implementations of a distributed file system, especially NFS.
• To show how domains can be created and managed, especially using standard protocols, such as NIS.
Unit contents: 4.1 Distributed File Systems; 4.2 Active Directories; 4.3 Exercises; 4.4 Sample exam question.

4.1 Distributed file system
[Figure: a networked file system (NFS) provides administration services, remote storage mounted as a local drive, localized file storage (rather than accessing a remote file), distributed databases and centralized configuration (passwords, user IDs, and so on).]

4.2 Advantages of distributed file systems
• File system mirrors the corporate structure. File systems can be distributed over a corporate network, which might span cities, countries or even continents. The setup of a complete network file system over a corporation can allow the network to mirror the logical setup of the organization, rather than its physical and geographical organization. For example, the Sales Department might be distributed around the world, but the network which they connect to is organized identically to the Sales Department itself.
• Easier to protect the access rights on file systems. In a distributed file system it is typical to have a strong security policy on the file system, and each file will have an owner who can define the privileges on this file. File systems on user computers tend to have limited user security.
• Increased access to single sources of information. Many users can have access to a single source of information. Having multiple versions of a file can cause a great deal of problems, especially if it is not known which one is the most up-to-date.
• Automated updates. Several copies of the same information can be stored, and when any one of them is updated they are synchronized to keep each of them up-to-date. Users can thus have access to a local copy of data, rather than accessing a remote copy of it. This is called mirroring files.

4.3 Advantages of distributed file systems
• Improved backup facilities. A user's computer can be switched off, but their files can still be backed up from the distributed file system.
• Increased reliability. The distributed file system can have a backbone which is constructed from reliable and robust hardware, which is virtually 100% reliable, even when there is a power failure or a hardware fault.
• Larger file systems. In some types of distributed file systems it is possible to build up large file systems from a network of connected disk drives.
• Easier to administer. Administrators can easily view the complete file system.
• Interlinking of databases. Small databases can be linked together to create large databases, which can be configured for a given application. The future may also bring the concept of data mining, where agent programs will search for information with a given profile by interrogating databases on the Internet.
• Limiting file access. Organizations can set up an organizational file structure, in which users have a limited view of the complete file system.

4.4 Traditional file structure v. corporate structure
[Figure: a UNIX tree structure (users: fred, bert; config; sales; progs) against an NDS/Active Directory tree (orgname: production, research, sales; UK Office; US Office).]

4.5 Flat structures
Windows NT uses a flat structure, where nodes join into a domain.
[Figure: nodes \\bert, \\fred and \\freddy, each with a local disk, joined into a domain over the network.]

4.6 Forest of drives v. single tree
[Figure: single tree: drives mounted over the network to create a single global file system (/etc, /progs, /user, /sys); forest of drives: drives mounted over the network as separate drives C:, D:, E:, F:.]

4.7 NFS services protocol stack
Application   NFS, NIS
Presentation  XDR
Session       RPC
Transport     TCP
Network       IP
Data link     Ethernet/Token Ring
Physical
XDR defines a common data format for the conversion of data values. RPC defines a number of procedures which can be executed on the server, such as WRITE, CREATE, and so on. RPC is stateless: an NFS server waits for a client to contact it, it then gets a request for a service, and sends back the results.

4.8 Some RPC procedures used by NFS
No.  Procedure                     Name
0    void NULL(void)               No operation
1    attrstat GETATTR(fhandle)     Get file attributes
2    attrstat SETATTR(sattrargs)   Set file attributes
6    readres READ(readargs)        Read from file
8    attrstat WRITE(writeargs)     Write to file
9    diropres CREATE(createargs)   Create file
10   stat REMOVE(diropargs)        Remove file
11   stat RENAME(renameargs)       Rename file
13   stat LINK(linkargs)           Create link to file
14   diropres MKDIR(createargs)    Create directory
15   stat RMDIR(diropargs)         Remove directory

4.9 RPC procedures and responses
[Figure: the NFS client sends RPC procedures (getattr, setattr, read, write, create, remove, rename, link, symlink, mkdir, rmdir, readdir) over the network to the NFS server, which holds the remotely accessed file system; the RPC response carries the requested data, parameters or a status flag (such as NFS_OK and NFSERR_PERM). On the client the file system is either mounted onto a single tree or as a forest of drives.]

4.10 NIS domain
The master NIS server maintains:
/etc/passwd     Domain passwords
/etc/groups     Domain groups
/etc/hosts      IP addresses and host names
/etc/rpc        RPC processes
/etc/network    Used to map IP addresses to networks
/etc/protocols  Known network layer protocols
/etc/services   Known transport layer protocols
These are served to the clients in the NIS domain. Sample contents:

    #/etc/protocols
    ip    0  IP
    icmp  1  ICMP
    ggp   3  GGP
    tcp   6  TCP

    #/etc/groups
    root::0:root
    other::1:root,hpdb
    bin::2:root,bin
    sys::3:root,uucp
    freds_grp::4:fred,fred2,fred3

    #/etc/rpc
    portmapper  100000  portmap sunrpc
    rstatd      100001  rstat rstat_svc
    rusersd     100002  rusers
    nfs         100003  nfsprog
    ypserv      100004  ypprog

    #/etc/hosts
    138.38.32.45  bath
    198.4.6.3     compuserve
    193.63.76.2   niss
    148.88.8.84   hensa
    146.176.2.3   janet

    #/etc/passwd
    root:FDEc6.32:1:0:Super user:/user:/bin/csh
    fred:jt.06hLdiSDaA:2:4:Fred Blogs:/user/fred:/bin/csh
    fred2:jtY067SdiSFaA:3:4:Fred Smith:/user/fred2:/bin/csh

    #/etc/services
    ftp     21/tcp
    telnet  23/tcp
    smtp    25/tcp
    pop3    110/tcp

    #/etc/networks
    loopback    127.0.0.0
    localnet    146.176.151.0
    Production  146.176.142.0

4.11 NIS master and slave(s)
The master NIS server maintains /etc/passwd, /etc/groups, /etc/hosts, /etc/rpc, /etc/network, /etc/protocols, /etc/services and so on, and sends updates to the slave NIS servers in the NIS domain.
1. The client is started.
2. The client broadcasts an NIS request to the domain.
3. The client then binds to the first server which responds.

4.12 inetd.conf – defines the network services that are started

    # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
    # Echo, discard and daytime are used primarily for testing.
    echo    stream  tcp     nowait  root    internal
    echo    dgram   udp     wait    root    internal
    discard stream  tcp     nowait  root    internal
    discard dgram   udp     wait    root    internal
    daytime stream  tcp     nowait  root    internal
    daytime dgram   udp     wait    root    internal
    time    dgram   udp     wait    root    internal
    #
    # These are standard services.
    ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/wu.ftpd
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
    #
    # Shell, login, exec and talk are BSD protocols.
    shell   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
    login   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
    talk    dgram   udp     wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
    ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
    #
    # Pop mail servers
    pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.pop3d
    #
    bootps  dgram   udp     wait    root    /usr/sbin/tcpd  /usr/sbin/in.bootpd
    #
    finger  stream  tcp     nowait  daemon  /usr/sbin/tcpd  /usr/sbin/in.fingerd
    systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /usr/bin/ps -auwwx
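An added example (not from the lecture slides) that parses the inetd.conf format just shown and summarises what an administrator reviewing it would want to know: how many services inetd will start, which of them run an external program as root, which are not routed through the /usr/sbin/tcpd wrapper (and so get no host-based access control from it), and which program each one actually executes. The sample is the slide's own excerpt, embedded as a constructed string; the column meanings follow the header comment on the slide.

```python
# Added example (not from the lecture slides): a parser and review summary for
# the inetd.conf format of slide 4.12. The sample text is the slide's excerpt.

SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
# Echo, discard and daytime are used primarily for testing.
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard stream  tcp     nowait  root    internal
discard dgram   udp     wait    root    internal
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
time    dgram   udp     wait    root    internal
#
# These are standard services.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/wu.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
#
# Shell, login, exec and talk are BSD protocols.
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.rlogind
talk    dgram   udp     wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd  /usr/sbin/in.ntalkd
#
# Pop mail servers
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.pop3d
#
bootps  dgram   udp     wait    root    /usr/sbin/tcpd  /usr/sbin/in.bootpd
#
finger  stream  tcp     nowait  daemon  /usr/sbin/tcpd  /usr/sbin/in.fingerd
systat  stream  tcp     nowait  guest   /usr/sbin/tcpd  /usr/bin/ps -auwwx
"""

TCPD = "/usr/sbin/tcpd"   # the TCP wrapper path used on the slide


def parse_inetd(text):
    """Return one dict per active (non-comment) inetd.conf line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError("malformed inetd.conf line: %r" % raw)
        service, sock_type, proto, flags, user, server_path = fields[:6]
        entries.append({"service": service, "sock_type": sock_type, "proto": proto,
                        "flags": flags, "user": user, "server_path": server_path,
                        "args": fields[6:]})
    return entries


def real_program(entry):
    """The program that actually serves the request (behind tcpd if wrapped)."""
    if entry["server_path"] == TCPD and entry["args"]:
        return entry["args"][0]
    return entry["server_path"]


def review(entries):
    """Summarise the exposure an administrator would check before enabling inetd."""
    external = [e for e in entries if e["server_path"] != "internal"]
    return {
        "total": len(entries),
        "internal": len(entries) - len(external),
        "root_external": sorted(e["service"] for e in external if e["user"] == "root"),
        "unwrapped": sorted(e["service"] for e in external if e["server_path"] != TCPD),
        "programs": {e["service"]: real_program(e) for e in external},
    }


if __name__ == "__main__":
    summary = review(parse_inetd(SAMPLE_INETD_CONF))
    for key, value in summary.items():
        print(key, "=", value)
```

On the slide's sample every external service is wrapped by tcpd, so "unwrapped" comes back empty; eight of the ten external services run as root, and only finger (daemon) and systat (guest, which runs /usr/bin/ps) are dropped to an unprivileged user.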
Networking Operating Systems (CO32010)
5. Routing protocols
5.1 Introduction
5.2 Routing fundamentals
5.3 Routing protocol techniques
5.4 RIP
5.5 OSPF
5.6 IGRP
5.7 EGP/BGP

Objectives:
• To outline the fundamental techniques used in routing protocols.
• To define the main problems in routing protocol techniques, such as routing loops and count-to-infinity, and how they may be overcome.
• To outline practical protocols, especially RIP and IGRP, and reflect on their strengths and weaknesses.

5.1 Alternative Routes
[Figure: networks Net1 to Net8 joined by routers 1 to 6, with several alternative routes between A and B.]

5.2 Best route?
Routing based on hops:
Route (1,3,5,6) = 4 hops [BEST]
Route (1,3,5,2,4,6) = 6 hops
Routing based on delay (latency):
Route (2,4,6) = 1.5 + 1.25 = 2.75
Route (2,5,6) = 1.1 + 1.3 = 2.4 [BEST]
Routing based on error probability:
Pe(2–5) = 0.01, Pe(5–6) = 0.15, Pe(2–4) = 0.05, Pe(4–6) = 0.1
Pnoerror(2,5,6) = (1 – 0.01)(1 – 0.15) = 0.8415
Pnoerror(2,4,6) = (1 – 0.05)(1 – 0.1) = 0.855 [BEST]

5.2 Best route? Error probability
[Figure: routers A, B, C and D with a link error probability on each link; Challenge 1 and Challenge 2.] Lowest error probability wins!
Route ABCD: P(no error) = (1 – 0.2) × (1 – 0.05) × (1 – 0.3) = 0.532

5.2 Best route? Delay (ms)
[Figure: routers A, B, C and D with a delay on each link; Challenge 1 and Challenge 2.] Lowest delay wins!
Route ABCD: delay = 2 + 0.5 + 3 ms = 5.5 ms

5.3 Layer 3 protocols
Routing protocols. A routing protocol provides a mechanism for routers to share routing information. These protocols allow routers to pass information between themselves, and update their routing tables.
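The three route-selection rules of slide 5.2, as an added example (not code from the lecture slides): hop count follows the slides' convention of counting the routers on the path, delay adds up along the path, and the probability of an error-free delivery is the product of the per-link (1 – Pe) terms, so it is the one metric where the larger value wins. The link values are the slides' own figures, keyed by the unordered pair of routers a link joins; the route tuples and the generic best_route selector are constructed for the example.

```python
# Added example (not from the lecture slides): the best-route rules of slide 5.2
# (fewest routers, lowest total delay, highest probability of no error).
from functools import partial


def link(a, b):
    """Links are undirected, so key them by the unordered pair of end points."""
    return frozenset((a, b))


def hop_count(route):
    """The slides count the routers on the path: route (1,3,5,6) is 4 hops."""
    return len(route)


def total_delay(route, delay):
    """Delay adds up link by link along the path."""
    return sum(delay[link(a, b)] for a, b in zip(route, route[1:]))


def p_no_error(route, pe):
    """The path is error-free only if every link is: multiply the (1 - Pe) terms."""
    p = 1.0
    for a, b in zip(route, route[1:]):
        p *= 1.0 - pe[link(a, b)]
    return p


def best_route(routes, metric, lower_is_better=True):
    """Score every candidate route and return (route, score) for the winner."""
    scored = {route: metric(route) for route in routes}
    pick = min if lower_is_better else max
    best = pick(scored, key=scored.get)
    return best, scored[best]


# Constructed from the figures on slide 5.2 (delay in the slide's units, Pe per link):
DELAY = {link(2, 4): 1.5, link(4, 6): 1.25, link(2, 5): 1.1, link(5, 6): 1.3}
PE = {link(2, 5): 0.01, link(5, 6): 0.15, link(2, 4): 0.05, link(4, 6): 0.1}
# Constructed from the "Challenge" slides (route ABCD only; delay in ms):
CHALLENGE_PE = {link("A", "B"): 0.2, link("B", "C"): 0.05, link("C", "D"): 0.3}
CHALLENGE_DELAY = {link("A", "B"): 2.0, link("B", "C"): 0.5, link("C", "D"): 3.0}

if __name__ == "__main__":
    print("hops:", best_route([(1, 3, 5, 6), (1, 3, 5, 2, 4, 6)], hop_count))
    print("delay:", best_route([(2, 4, 6), (2, 5, 6)], partial(total_delay, delay=DELAY)))
    print("no error:", best_route([(2, 4, 6), (2, 5, 6)],
                                  partial(p_no_error, pe=PE), lower_is_better=False))
    abcd = ("A", "B", "C", "D")
    print("ABCD:", p_no_error(abcd, CHALLENGE_PE), total_delay(abcd, CHALLENGE_DELAY))
```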
Examples of routing protocols are the Routing Information Protocol (RIP), Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
Routed protocols. These are any network-layer protocols that allow a host and a destination on a network to be addressed, such as IP and IPX. Routers are responsible for passing a data packet on to the next router in, if possible, an optimal way, based on the destination network address. What counts as optimal depends on many things, especially reachability. With IP, the routers on the path between a source and a destination examine the network part of the IP address in order to route the packet. Only the last router, which is connected to the destination node's network, examines the host part of the IP address.

5.4 Types of Routing
Dynamic routing. In dynamic routing, the routers monitor the network and can change their routing tables based on the current network conditions. The network thus adapts to changing conditions. Unfortunately, this method tends to reveal everything known about an internetwork to the rest of the network, which may be inappropriate for security reasons.
Static routing. In static routing, a system administrator sets up a manual route when there is only one route to a network (a stub network). This type of configuration reduces the overhead of dynamic routing. Static routing also allows the internetwork administrator to specify the information that is advertised about restricted parts of a network.
Default routing. Default routes are manually defined by the system administrator and define the path that is taken if there is no known route for the destination.

5.5 Best Route Parameters?
Bandwidth. The data capacity of a link, typically defined in bps.
Delay. The amount of time required to send a packet from the source to a destination.
Load. A measure of the amount of activity on a route.
Reliability. Relates to the error rate of the link.
Hop count. The number of routers between the current router and the destination.
Ticks. Defines the delay of a link as a number of ticks of a clock.
Cost. An arbitrary value which defines the cost of a link, such as financial expense, bandwidth, and so on.

5.6 Type of Update?
Broadcast. In broadcast updating, routers transmit their information to other routers at regular intervals. A typical broadcast routing protocol is RIP, in which routers send their complete routing table to all of their neighbors once every few minutes. This technique tends to be wasteful of bandwidth, as routes do not change much over short periods of time.
Event-driven. In event-driven routing protocols, routing information is only sent when there is a change in the topology or state of the network. This technique tends to be more efficient than broadcast, as it does not use as much bandwidth.

5.7 Routing protocol types
Layer 3 protocols: Routed (IP, IPX, NetBEUI) and Routing (RIP, OSPF).
[Figure: the OSI layers (Session, Transport, Network, Data link, Physical) against an example stack: HTTP, TCP, IP and RIP, Ethernet/FDDI.]
Types:
• Distance-vector. Each router periodically sends information to each of its neighbors (RIP). Problems: bandwidth; step-by-step updates.
• Link-state. Each router transmits routing information to all other routers only when there are changes (OSPF/BGP/EGP). Problems: initial flooding; processing/memory.
• Hybrid (IS-IS).
Updates: event-driven v. broadcast; static v. dynamic.
Distance metrics: hop count, delay, tick, bandwidth, cost, reliability.

5.8 Example routing
[Figure: routers W, X, Y and Z joining Network A, Network B and Network C, with each router's routing table (Dest, Hops, Next) listing networks A, B and C.]

5.9 Routing loops
Timing of events:
A. Network A unreachable.
B. I can reach Network A in 3 hops.
C. Network A reachable via Router W.
D. Network A reachable.
E. Network A reachable.
Router Z thinks it can reach Network A in 4 hops, as Router W says it can reach it in 3 hops; this overrules the information from Router Y, which says it cannot reach Network A.

5.10 Overcoming Distance Vector Problems
Setting infinity values. The count-to-infinity problem will eventually resolve itself when the routers have counted to infinity (as infinity is constrained to the maximum definable value), but while the network is counting to this value the routing information will be incorrect. To reduce the time that it takes to get to this maximum, a maximum value is normally defined. In RIP this value is set at 16 hops for hop-count distance vectors, thus the maximum number of hops that can occur is 15. This leads to a problem in that a destination which is more than 15 hops away is unreachable, as a value of 16 or more defines that the network is unreachable.
Split horizon. This method tries to overcome routing loops.
With this, routers do not update their routing table with information on a destination if they know that the network is already connected to the router (that is, the router knows more about the state of the network than any other router, as it connects to it). Thus in Figure X, Router Z and Router X will not send routing information on Network B to Router Y, as they know that Network B is connected to Router Y.

5.11 Overcoming Distance Vector Problems
Hold-down timers. This method overcomes the count-to-infinity problem. With a hold-down timer, a router starts the timer when it receives an update from a neighbor indicating that a previously accessible network is now inaccessible. It also marks the route as inaccessible. There are then three possible situations:
o If, at any time before the hold-down timer expires, an update arrives from the same neighbor which reported the initial problem saying that the network is now accessible, the router marks the network as accessible and removes the hold-down timer.
o If an update arrives from a different neighboring router with a better metric than the original metric, the router marks the network as accessible and removes the hold-down timer.
o If, at any time before the hold-down timer expires, an update arrives from a different neighbor saying that the network is accessible, but with a poorer metric than the previously recorded metric, the update is ignored.
Obviously after the timer has expired the network will still be prone to looping routes, but the timer allows a longer time for the network to settle down and recover the correct information.
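The count-to-infinity problem of slides 5.9 to 5.11, and the effect of the RIP infinity value of 16 together with split horizon, can be watched in a small simulation. This is an added example, not code from the slides: the chain A-B-C with Net1 attached to router A is a constructed topology, routers exchange their single Net1 entry in synchronous rounds, and the update rule follows the slides (an update from the current next hop is always accepted, a strictly better metric from another neighbor replaces the route).

```python
# Added example (not from the slides): synchronous distance-vector simulation
# on a constructed chain A - B - C with Net1 attached to router A. It shows
# count-to-infinity after Net1 fails, bounded by the RIP infinity of 16, and
# how split horizon stops the loop within a couple of rounds.

INFINITY = 16  # RIP convention: a metric of 16 means "unreachable"

# Constructed topology: the neighbours of each router.
NEIGHBOURS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}

def initial_tables():
    """Converged Net1 entries before the failure: {router: (metric, next_hop)}."""
    return {"A": (0, None), "B": (1, "A"), "C": (2, "B")}

def advertise(tables, sender, receiver, split_horizon):
    """Metric that `sender` announces for Net1 to `receiver` (None = not sent).
    With split horizon a route is never advertised back to the neighbour it
    was learned from; without it, every neighbour hears every entry."""
    metric, next_hop = tables[sender]
    if split_horizon and next_hop == receiver:
        return None
    return metric

def one_round(tables, split_horizon):
    """All routers advertise at once, then all apply the updates.
    Returns (new_tables, changed)."""
    new_tables = {}
    for router, (metric, next_hop) in tables.items():
        candidates = {}  # neighbour -> metric we would have via that neighbour
        for n in NEIGHBOURS[router]:
            adv = advertise(tables, n, router, split_horizon)
            if adv is not None:
                candidates[n] = min(adv + 1, INFINITY)
        # whatever the current next hop now says is accepted, even if worse
        if next_hop in candidates:
            metric = candidates[next_hop]
        # a strictly better metric from another neighbour takes over the route
        if candidates:
            best_n = min(candidates, key=candidates.get)
            if candidates[best_n] < metric:
                metric, next_hop = candidates[best_n], best_n
        new_tables[router] = (metric, next_hop)
    return new_tables, new_tables != tables

def simulate_failure(split_horizon, max_rounds=100):
    """Net1 goes down at A; run update rounds until no table changes.
    Returns (number_of_rounds_that_changed_something, final_tables)."""
    tables = initial_tables()
    tables["A"] = (INFINITY, None)  # A poisons the route for its lost network
    for rnd in range(1, max_rounds + 1):
        tables, changed = one_round(tables, split_horizon)
        if not changed:
            return rnd - 1, tables
    return max_rounds, tables

def metrics(tables):
    """Just the metrics, for a compact view of convergence."""
    return {r: m for r, (m, _) in tables.items()}

if __name__ == "__main__":
    for sh in (False, True):
        rounds, final = simulate_failure(split_horizon=sh)
        print(f"split horizon={sh}: stable after {rounds} rounds, {metrics(final)}")
```

Without split horizon, A immediately believes B's stale "Net1 in 1 hop" and the metrics climb two hops at a time until every router reaches 16; with split horizon, B and C never advertise Net1 back towards A, so the unreachable state propagates down the chain in one round per router.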
5.12 Link-state overview
Problem: Network 1 becomes unreachable for a short time. Link-state packets (LSPs) saying "Network reachable" and "Network unreachable" are flooded between routers W, X, Y and Z, and an LSP saying the network is unreachable can arrive after the LSP saying it is reachable again.
Methods: LSPs (link-state packets); a topological database (for SPF).
Link-state operation: a change in topology causes updates to all other routers. Each router builds up a tree topology of the subnetworks and finds the shortest path.
Concerns:
• Processing. Increased processing power is required to build the trees.
• Memory. An increased amount of storage memory is needed for the tree.
• Authentication.
OSPF header (RFC 1583): Version, Type, Message Length, Router ID, Area ID, Checksum, Authentication Type, Authentication.

5.13 OSPF overview
OSPF header (RFC 1583): Version; Type; Message Length; Router ID (unique in the AS); Area ID (similar to subnetting); Checksum; Authentication Type.
Packet types:
+ Hello [1]. Used to establish and maintain a connection. Routers agree the HelloInterval and RouterDeadInterval.
  • HelloInterval. Number of seconds between Hello packets. The smaller the value, the faster the detection of topological changes. X.25 uses 30 s, LANs use 10 s.
  • RouterDeadInterval. Number of seconds before a router assumes that a route is down. It should be a multiple of HelloInterval (such as four times).
+ Database Description [2]. Used to send the database between routers.
+ Link-state Request [3]. Requests parts of a neighbor's database, which may be more up-to-date.
+ Link-state Update [4]. Used to flood link-state advertisements.
+ Link-state Acknowledgement [5]. Used to acknowledge flooded advertisements.
The header is completed by the Authentication field and by Additional Information, which depends on the packet type; each row of the header is 32 bits wide.
Gateways. OSPF is an IGP (Interior Gateway Protocol), which distributes routing information between routers in a single autonomous system. All routers have the same database. Separate domains (autonomous systems) connect to the Internet, and an EGP is used between ASs.

5.14 Tree-like topology v. Internet-like topology
[Figure: a single-backbone tree topology (Org1, Org2 and Org3, each with Site1 to Site3 and LAN1 to LAN3) contrasted with an Internet-like topology in which the same organizations, sites and LANs are interconnected by multiple paths.]

5.15 Autonomously attached networks
[Figure: autonomously attached networks (AANs), each connected through its own gateway (G/W).]

Networking Operating Systems (CO32010)
6. Routers
Objectives:
• To outline the main elements of a router.
• To be able to understand the main elements in the programming of a router.
• To be able to program a router for a given specification.
• To understand the operation of firewalls, and how these are implemented on a router.
Unit outline: 6.1 Introduction; 6.2 Router configuration and startup; 6.3 Router commands; 6.4 Cisco router commands; 6.5 Access Control Lists (ACLs); 6.6 Exercises.

6.1 Routers
[Figure: a router and its external connections: console port (RJ-45) to a console terminal, auxiliary port (RJ-45) to a modem, Serial0 and Serial1 (DB-60) and Ether0 and Ether1 (DB-15) interfaces. It can also be reached from a virtual terminal (through telnet) and from a TFTP server (to download configuration files over the network).]

6.2 Router modes
• User EXEC. View configuration parameters.
• Privileged EXEC. Edit configuration parameters, debug and testing.
• Setup mode. Used to configure the router when first started.
• RXBOOT. Maintenance mode, such as recovering lost passwords.
• Global Config. Performs simple configuration tasks (global, process and interface information).
Boot sequence: the bootstrap program in ROM performs the hardware tests, loads the operating system, loads the configuration file from NVRAM and runs the EXEC, which executes user commands.

6.2 Example topology
[Figure: lab topology of routers LAB-A to LAB-E. LAB-A (Ether0 on 192.5.5.0, Ether1 on 205.7.5.0 via a switch) connects over serial link 201.100.11.0 (LAB-A Serial0 201.100.11.1, LAB-B Serial1 201.100.11.2) to LAB-B (Ether0 on 219.17.100.0 via a hub); LAB-B connects over serial link 199.6.13.0 (199.6.13.1 and 199.6.13.2) to LAB-C; LAB-C (Ethernet on 223.8.151.0) connects over a serial link to LAB-D, and LAB-D connects by Ethernet 210.93.105.0 to LAB-E.]

6.3 Router startup
• The bootstrap loader is loaded from ROM and run on the processor.
• The operating system (Cisco IOS, the Internetwork Operating System) is then loaded according to the boot field of a configuration register (which specifies either boot from flash memory, boot from the network or manual boot). The lower four bits of the configuration register define the boot field.
• The operating system is then booted; it determines the hardware and the software on the system, and displays these to the console terminal.
• The operating system then loads the configuration file from NVRAM and executes it one line at a time. These lines start different processes, and define addresses and protocol types.
• If there is no configuration file in NVRAM, the router automatically goes into user setup mode, where it asks the user questions about the router configuration. Once these have been specified the router saves them to NVRAM, so that the settings are kept. Once saved, the router should boot automatically, without going into user setup mode. As far as possible the router tries to discover its environment and to minimize the settings that the user has to add. Typically default values are given in square brackets, which the user can accept by pressing the return key at the option.

6.4 Router memory
• NVRAM. This type of memory does not lose its contents when the power is withdrawn, but can be written to. It is used to store the router's backup/startup configuration file. One of the options in the configuration is where the operating system image is loaded from, typically either from flash memory or from a TFTP server.
• Flash. This is erasable, reprogrammable ROM, which keeps its contents when the power is taken away. It is used in the router to hold one or more copies of the operating system image and microcode. Flash memory allows for easy updates to the operating system software, without having to replace any parts of the hardware.
• ROM. This is a permanent type of memory, which cannot be changed, and does not lose its contents when the power is withdrawn. On the router it contains the power-on diagnostics, a bootstrap program, and operating system software. Upgrades to ROM require a change of a ROM integrated circuit.
• RAM. This is the main memory of the router and stores running programs and the current running configuration file.
Along with this, the RAM stores the routing tables, the ARP cache, packet buffers and packet hold queues. The contents of RAM are lost when the power is withdrawn.

6.5 Router commands (enable)
  LAB-A con0 is now available
  Press RETURN to get started.
  User Access Verification
  Password: *******
  LAB-A> ?
  Exec commands:
    access-enable    Create a temporary Access-List entry
    access-profile   Apply user-profile to interface
    clear            Reset functions
    connect          Open a terminal connection
    ::::::::
  LAB-A> enable
  Password: **********
  LAB-A# ?
  Exec commands:
    access-enable    Create a temporary Access-List entry
    access-profile   Apply user-profile to interface
    access-template  Create a temporary Access-List entry
    cd               Change current directory
    ::::::::

6.6 Router commands (enable)
show arp. Displays the current status of the router's ARP table, which maps IP addresses to MAC addresses. Session run 6.6 gives an example of this command.
show buffers. This command shows detailed statistics on the buffers within the router. Session run 6.2 gives an example of this command. In this case, the memory buffers are split into small buffers (104 bytes), middle buffers (600 bytes), big buffers (1524 bytes), very big buffers (4520 bytes), large buffers (5024 bytes) and huge buffers (18024 bytes).
show flash. This command displays information on the data stored in the flash memory. An example is given in Session run 6.8.
show hosts. This command displays a list of connected hosts and their IP addresses.
show interfaces. This command displays statistics for all interfaces configured on the router. Session run 6.10 shows an example.
show mem. This command displays the usage of the router's memory. Session run 6.3 shows an example.
show processes. This command shows the active processes.
show protocols. This command displays the status of the currently running protocols (such as IP, IPX, AppleTalk and DECnet).
It can be seen from Session run 6.9 that there are three active interfaces (Ethernet0, Serial0 and Serial1), and that each of the interfaces is operating ('they are up'). For example, the IP address of the Ethernet0 interface is 219.17.100.1/24, which specifies that it has an IP address of 219.17.100.1 and that 24 bits are used to define the network part of the address (as expected, as it is a Class C address).
show running-config. This command displays the active configuration file.
show startup. Displays the startup configuration file.
show version. This command displays information on the hardware, software version, configuration file name, and the boot image.

6.7 Router commands (show buffers)
  LAB-A# show buffers
  Buffer elements:
       500 in free list (500 max allowed)
       2026 hits, 0 misses, 0 created
  Public buffer pools:
  Small buffers, 104 bytes (total 50, permanent 50):
       49 in free list (20 min, 150 max allowed)
       669 hits, 0 misses, 0 trims, 0 created
  ::::::::
  Huge buffers, 18024 bytes (total 0, permanent 0):
       0 in free list (0 min, 4 max allowed)
       0 hits, 0 misses, 0 trims, 0 created
       0 failures (0 no memory)
  Interface buffer pools:
  Ethernet0 buffers, 1524 bytes (total 32, permanent 32):
       8 in free list (0 min, 32 max allowed)
       24 hits, 0 fallbacks
       8 max cache size, 8 in cache
  ::::::::
  Serial0 buffers, 1524 bytes (total 32, permanent 32):
       7 in free list (0 min, 32 max allowed)
       102 hits, 0 fallbacks
       8 max cache size, 8 in cache

6.8 Router commands (show hosts)
  LAB-A> show hosts
  Default domain is not set
  Name/address lookup uses domain service
  Name servers are 255.255.255.255
  Host     Flags       Age  Type  Address(es)
  LAB-B    (perm, OK)  17   IP    201.100.11.2  219.17.100.1  199.6.13.1
  LAB-C    (perm, OK)  18   IP    199.6.13.2    223.8.151.1   204.204.7.1
  LAB-D    (perm, OK)  19   IP    204.204.7.2   210.93.105.1
  LAB-E    (perm, OK)  18   IP    210.93.105.2
  LAB-A    (perm, OK)  19   IP    192.5.5.1     205.7.5.1     201.100.11.1
[Figure: LAB-A, LAB-B and LAB-C joined by the serial links 201.100.11.0 (LAB-A Serial0, LAB-B Serial1 201.100.11.2) and 199.6.13.0 (LAB-B Serial0 199.6.13.1, LAB-C 199.6.13.2), with LAB-B's Ether0 on 219.17.100.0 via a hub.]

6.9 Router commands (show protocols)
  Lab-B> show protocols
  Internet Protocol routing is enabled
  Ethernet0 is up, line protocol is up
    Internet address is 219.17.100.1/24
  Serial0 is up, line protocol is up
    Internet address is 199.6.13.1/24
  Serial1 is up, line protocol is up
    Internet address is 201.100.11.2/24

6.10 Router commands (show running-config)
  Lab-B# show running-config
  Building configuration...
  Current configuration:
  !
  version 12.0
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  !
  hostname Lab-B
  !
  enable password class
  !
  ip subnet-zero
  !
  interface Ethernet0
   ip address 219.17.100.1 255.255.255.0
   no ip directed-broadcast
  !
  interface Serial0
   ip address 199.6.13.1 255.255.255.0
   ip directed-broadcast
   no ip mroute-cache
   no fair-queue
   clockrate 56000
  !

6.11 Router commands (show running-config, cont.)
  interface Serial1
   ip address 201.100.11.2 255.255.255.0
   no ip directed-broadcast
  !
  router rip
   network 199.6.13.0
   network 201.100.11.0
   network 219.17.100.0
  !
  no ip classless
  !
  line con 0
   password cisco
   login
   transport input none
  line aux 0
  line vty 0 4
   password cisco
   login
  !
  end
6.12 MAC and IP address
ARP table (in LAB-A):
  Protocol  Address      Age (min)  Hardware Addr   Type  Interface
  Internet  205.7.5.254  108        0030.8071.9f40  ARPA  Ethernet1
  Internet  192.5.5.1    -          0010.7b81.1d72  ARPA  Ethernet0
  Internet  192.5.5.12   1          0000.b430.b332  ARPA  Ethernet0
  Internet  205.7.5.1    -          0010.7b81.1d73  ARPA  Ethernet1
[Figure: LAB-A with Ethernet1 (MAC 0010.7b81.1d73, IP 205.7.5.1) on network 205.7.5.0, reaching a host with MAC 0030.8071.9f40 and IP 205.7.5.254 through a switch, and Ethernet0 (MAC 0010.7b81.1d72, IP 192.5.5.1) on network 192.5.5.0, reaching a host with MAC 0000.b430.b332 and IP 192.5.5.12 through a hub.]

6.13 Router programming
  Router> enable
  Router#
  Router# config t
  Enter configuration commands, one per line.  End with END.
  Router (config)# hostname LAB_A
  LAB_A (config)#
  LAB_A (config)# enable secret class
  LAB_A (config)# exit
  LAB_A# exit
  LAB_A> enable
  Password: ccc
  Password: class
  LAB_A#

6.14 Router programming
  LAB_A# config t
  LAB_A (config)# int e0
  LAB_A (config-if)# ip address 192.5.5.1 255.255.255.0
  LAB_A (config-if)# no shutdown
  LAB_A (config-if)# exit
  LAB_A (config)# int e1
  LAB_A (config-if)# ip address 205.7.5.1 255.255.255.0
  LAB_A (config-if)# no shutdown
  LAB_A (config-if)# exit
  LAB_A (config)# int s0
  LAB_A (config-if)# ip address 201.100.11.1 255.255.255.0
  LAB_A (config-if)# clock rate 56000
  LAB_A (config-if)# no shutdown
  LAB_A (config-if)# exit
  LAB_A (config)# router rip
  LAB_A (config-router)# network 192.5.5.0
  LAB_A (config-router)# network 205.7.5.0
  LAB_A (config-router)# network 201.100.11.0
  LAB_A (config-router)# exit
  LAB_A (config)#

6.15 ACLs
For example, the firewall may block FTP traffic going out of the network.
[Figure: a router between an internal network and the outside world.] A port on a router can be set up with ACLs to filter traffic based on the network address or the source or destination port number.

6.16 ACLs
• Source IP address. The address that the data packet was sent from.
• Destination IP address. The address that the data packet is destined for.
• Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23) and WWW (port 80).
• Destination TCP port. The port that the data segment is destined for.
• Protocol type. This filters for UDP or TCP traffic.

6.17 Standard ACLs
  Router(config)# access-list access-list-value {permit | deny} source source-mask
  Router(config)# access-list 1 deny 156.1.1.10 0.0.0.0
  Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
  Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
  Router(config)# access-list 1 permit any
  Router(config)# interface Ethernet0
  Router(config-if)# ip address 156.1.1.130 255.255.255.0
  Router(config-if)# ip access-group 1 in

6.18 Extended ACLs
  Router(config)# access-list access-list-value {permit | deny} {test-conditions}
  Router(config)# access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
  Router(config)# access-list 100 permit ip any any
  Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
  Router(config)# access-list 100 permit ip any any
  Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
  Router(config)# access-list 100 permit ip any any
  Router(config)# interface Ethernet0
  Router(config-if)# ip address 156.1.1.130 255.255.255.192
  Router(config-if)# ip access-group 100 in

Networking Operating Systems (CO32010)
8. NT, UNIX and NetWare
Objectives:
• To outline the usage of the three main NOSs: NT/2000, UNIX and NetWare.
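Returning to the ACL slides 6.17 and 6.18 above: the rules that decide whether a packet is dropped (wildcard masks, top-to-bottom first-match evaluation, and the implicit deny at the end of every list) can be checked offline before a list is applied to an interface. This is an added example, not the slides' code or Cisco's; it parses the slides' own access-list lines (a standard list takes `permit any`, without the `ip` keyword) and evaluates constructed source/destination pairs against them, ignoring port numbers since the slides' lists filter on addresses only.

```python
# Added example (not from the slides): offline evaluation of Cisco-style
# numbered ACLs (standard 1-99: source only; extended 100-199: protocol,
# source, destination) with wildcard-mask matching, first-match-wins order
# and the implicit deny. ACL lines are the ones on slides 6.17 and 6.18.
import ipaddress
from typing import NamedTuple

ANY = ("0.0.0.0", "255.255.255.255")  # "any": base 0.0.0.0, wildcard all ones

class Ace(NamedTuple):
    number: int
    action: str       # "permit" or "deny"
    proto: str        # "ip" for standard lists
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must equal the base, a 1 bit is
    don't-care (the inverse of a subnet mask). Example: 0.0.0.254 on
    156.1.1.0 matches every even host in 156.1.1.x."""
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return (_as_int(addr) & care) == (_as_int(base) & care)

def _parse_address(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ANY[0], ANY[1], i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N {permit|deny} ...' line into an Ace."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action = int(tok[1]), tok[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    if 1 <= number <= 99:                       # standard list: source only
        src, src_wc, _ = _parse_address(tok, 3)
        return Ace(number, action, "ip", src, src_wc, *ANY)
    proto = tok[3]                              # extended: proto, source, destination
    src, src_wc, i = _parse_address(tok, 4)
    dst, dst_wc, _ = _parse_address(tok, i)
    return Ace(number, action, proto, src, src_wc, dst, dst_wc)

def evaluate(acl, src, dst, proto="ip"):
    """Return (action, index of the matching entry). Entries are tested in
    order and the first match wins; a packet matching no entry falls through
    to the implicit deny, reported with index None."""
    for idx, ace in enumerate(acl):
        proto_ok = ace.proto == "ip" or ace.proto == proto
        if (proto_ok and wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            return ace.action, idx
    return "deny", None

STANDARD_1 = [parse_ace(l) for l in [
    "access-list 1 deny 156.1.1.10 0.0.0.0",
    "access-list 1 deny 156.1.1.0 0.0.0.255",
    "access-list 1 permit any",
]]
EXTENDED_100 = [parse_ace(l) for l in [
    "access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0",
    "access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1",
    "access-list 100 permit ip any any",
]]

if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    for src, dst in [("156.1.1.10", "10.0.0.1"), ("156.1.2.5", "10.0.0.1")]:
        print("ACL 1  ", src, "->", dst, evaluate(STANDARD_1, src, dst))
    for src, dst in [("156.1.1.134", "156.70.1.1"), ("156.1.1.133", "156.70.1.1")]:
        print("ACL 100", src, "->", dst, evaluate(EXTENDED_100, src, dst))
```

Note that the slide's third extended entry, `deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1`, blocks only even-numbered hosts in 156.1.1.x: the wildcard leaves just the last bit of the host address as a "must match" bit.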
• To define the usage of object properties in each of the NOSs.
• To define how distributed file systems are created in the three main NOSs (UNIX: NFS; NT/2000: Active Directory; NetWare: NDS).
Unit outline: 8.1 Introduction; 8.2 Microsoft Windows; 8.3 UNIX; 8.4 Novell NetWare; 8.5 NDS.

Local audit policy (each event can be audited on Success and/or Failure):
• User login/logout
• File and object access
• Use of user rights
• User and group management
• Security policy changes
• Restart/shutdown
• Process tracking
Domain audit policy (for the domain my_d, containing \\freds_pc, \\bills_pc and \\server1), again by Success/Failure:
• User login/logout
• File and object access
• etc.

UNIX file attributes
  -rwxr-xr-x  1  bill_b  staff  28  May 12 1993  gopc
The fields are the file attributes, the file owner name (bill_b), the group's name (staff), the date/time last modified and the filename (gopc). The first character of the attributes is the directory attribute (d for a directory); the remaining nine characters are three rwx groups giving the rights of the user (owner), the group and the world.

UNIX uses:
• TCP/IP for its communications.
• NFS for mounting files over a network.
• ICMP (for ping, traceroute, and so on).
• RIP (for routing).
• ARP (for determination of MAC addresses).
• DNS (for determining domain names).
• BOOTP (for IP address allocation).
• FTP (for file transfer).
• TELNET (for remote login).
• NIS (for creating domains).
• RPC (for remote process execution).
• SMTP (for e-mail).
• SNMP (for network management).

[Figure: the NOS protocol stacks against the OSI layers. Application programs sit above the NetWare (SPX/IPX), UNIX/Internet (TCP/IP) and Windows (NetBEUI) session/transport/network stacks, which bind through the Transport Driver Interface (TDI); below them the Network Device Interface Specification (NDIS) wrapper and the NDIS NIC driver provide media access control to the NIC over Ethernet/ATM/ISDN/etc.]

[Figure: NetWare client stack: application programs, the NetWare shell (NETx) software, NCP (network core protocol), SPX/IPX, ODI (open data-link interface) and the NIC (network interface card) hardware. The NetWare client may be Windows NT, Windows 3.1, Unix, OS/2, Mac or DOS, communicating with a server.]

[Figure: NetWare against the OSI model: application program; presentation: NetWare shell; session: NCP redirector/NETBIOS emulator; transport: SPX; network: IPX; data link: open-device interface (ODI); physical: Ethernet, Token Ring, etc.]

Problems with Novell NetWare 3
• It uses SPX/IPX, which is incompatible with TCP/IP traffic.
• It is difficult to synchronize servers with user information.
• The file structure is local to individual servers.
• The server architecture is flat and cannot be organized into a hierarchical structure (Bindery services).

NDS
• Hierarchical server structure.
• Network-wide users and groups.
• Global objects. NDS integrates users, groups, printers, servers, volumes and other physical resources into a hierarchical tree structure.
• System-wide login with a single password. This allows users to access resources which are connected to remote servers.
• NDS processes logins between NetWare 3.1 and NetWare 4/5 servers, if the login names and passwords are the same.
• Supports a distributed file system.

NDS (cont.)
• Synchronization services. NDS allows for directory synchronization, which allows directories to be mirrored on different partitions or different servers. This provides increased reliability, in that if a server develops a fault then the files on that server can be replicated by another server.
• Standardized organizational structure for applications, printers, servers and services. This provides a common structure across different organizations.
• It integrates most of the administrative tasks in the Windows-based NWADMIN.EXE program.
• It is a truly distributed system, where the directory information can be distributed around the tree.
• Support for an NFS server for UNIX resources.
• Multiple login scripts, as op­posed to the system and user login scripts in NetWare 3.1.
• Windows NT support.

[Figure: an example NDS tree. Root object: Organization. Container objects: Electrical, Mechanical, Production, Administration. Leaf objects: BINS/VOL1, Q_LASER, CD_DISK, SYS/VOL2.]

[ROOT]. This is the top level of the inverted tree and contains all the objects within the organizational structure.
Organization. This object class defines the organizational name (such as FRED_AND_CO). It is normally the next level after [ROOT] (or below the C=Country object).
User. This object defines an individual user. The first user created in a NetWare 4 system is the ADMIN user, which is typically the only user with rights to add and delete objects on the whole of the NDS structure.
NCP (NetWare Control Protocol) Server. This appears for all NetWare 4 servers.
Volume. This identifies the mounted volume for file services. A network file system links to the Directory tree through Volume objects.
The most commonly used objects are:
Bindery. These allow compatibility with existing Bindery-based NetWare 3 servers, NetWare 3 clients and NetWare 4 servers which do not completely implement NDS. They display any object that isn't a user, group, queue, profile or print server, which was created using the bindery services.
Organizational unit. This object represents the OU part of the NDS tree. OUs divide the NDS tree into subdivisions, which can represent different geographical sites, different divisions or workgroups. Different divisions might be PRODUCTION, ACCOUNT, RESEARCH, and so on. Each Organizational Unit has its own login script.
Organizational role. This object represents a defined role within an organization object. It thus makes it easy to identify users who have an administrative role within the organization.
Group. This object represents a grouping of users. All users within a group inherit the same access rights.
Directory map. This object points to a file system directory on a mounted volume. It is typically used to create a global file system which has physically separate parts.
Alias. This identifies an object by another name. For example, a print queue called NET_PRINT1 might have an alias name of HP_LASER_JET_6.
Printer. This can either be connected to the printer port of a PC, or connected to a NetWare server.
Print queue. This object represents the queue of print jobs.
Profile. This object defines a special scripting file. This can be a global login script, a location login script or a special login script.
Print server. This object allows print jobs to be queued, waiting to be serviced by the associated printer.

• [ROOT]. This is the top level of the tree. The top of the NDS tree is the [ROOT] object.
• C=Country. This object can be used, or not, to represent different countries, typically where an organization is distributed over two or more countries. If it is used then it must be placed below the [ROOT] object. NDS normally does not use the Country object, and uses the Organizational Unit to define the geographically located sites, such as SALES_UK.[ROOT], SALES_USA.[ROOT], and so on.
• L=Locality. This object defines locations within other objects, and identifies network portions. The Country and Locality objects are included in the X.500 specification, but they are not normally used, because many NetWare 4 utilities do not recognize them. When used, it must be placed below the [Root] object, Country object, Organization object, or Organizational Unit object.

Leaf Objects (CN - Common Name)
Apart from the container objects (C, O, OU, and so on) there are leaf objects. These are assigned a CN (for Common Name). They include: CN=AFP Server, CN=Bindery, CN=Bindery Queue, CN=Computer, CN=Directory Map, CN=Group, CN=Organizational Role, CN=Print Queue, CN=Print Server, CN=Printer, CN=Profile, CN=Server, CN=User and CN=Volume.

[Figure: an example tree: [ROOT]; O=Organization (such as O=FRED_ANDCO); OU=Organizational Unit (such as OU=TEST); OU=Organizational Unit (such as OU=SALES), containing User1, User2, Groups, Print Queues, Printer, Printer Server and Volumes.]

• LP=Licensed Product. This object is automatically created when a license certificate is installed. When used, it must be placed below the [Root] object, Country object, Organization object, or Organizational Unit object.
• O=Organization. This object represents the name of the organization, a company division or a department. Each NDS Directory tree has at least one Organization object, and it must be placed below the [Root] object (unless the tree uses the Country or Locality object).
• OU=Organizational Unit. This object normally represents the name of an organizational unit within the organization, such as Production or Accounts. At this level User objects can be added and a system-level login script is created. It is normally placed below the Organization object.

Server duplexing (diagram): a primary server and a secondary server, each with a NIC to the network connections and an MSL adapter; the duplexed traffic flows between the two MSL adapters.

Remote access to the network (diagram): a remote client reaches a remote access server over a PPP/SLIP remote access connection.

Virtual Private Network (diagram): a PPTP virtual flow between the remote client and the remote access server; PPTP encapsulates the required protocol (TCP/IP, IPX, AppleTalk, NetBEUI).

PPP protocol stack (diagram): at the network layer, IP and IPX packets are carried by PPP once their Network Control Protocols have configured the link (IPCP for IP, IPXCP for IPX, ACP for AppleTalk); below the NCPs sit authentication and LCP, and at the data link layer the PPP header and trailer frame each packet for transmission over asynchronous or synchronous media.

PPP frame format (data link layer):

  Field      Size          Value
  Flag       1 byte        01111110 (7Eh)
  Address    1 byte        11111111 (FFh)
  Control    1 byte        00000011 (03h)
  Protocol   2 bytes       see below
  Data       variable
  FCS        2 or 4 bytes
  Flag       1 byte        01111110 (7Eh)

Protocol field values:

  Network protocols:          0021h – IP, 0029h – AppleTalk, 002Bh – Novell IPX
  Network Control Protocols:  8021h – IP Control Protocol, 8029h – AppleTalk Control Protocol, 802Bh – Novell IPX Control Protocol
  Link Control Protocols:     C021h – Link Control Protocol, C023h – PAP, C025h – Link Quality Report, C223h – CHAP

LCP packet format: an LCP packet is carried in the Data field of a PPP frame whose Protocol field is C021h. After the Flag, Address, Control and Protocol fields, the packet consists of a Code (1 byte), an Identifier (1 byte), a Length (2 bytes) and Data, followed by the FCS and closing Flag as before. The LCP codes are:

  1   Configure-Request
  2   Configure-Ack
  3   Configure-Nak
  4   Configure-Reject
  5   Terminate-Request
  6   Terminate-Ack
  7   Code-Reject
  8   Protocol-Reject
  9   Echo-Request
  10  Echo-Reply

Link negotiation (diagram): the client and server exchange LCP and NCP packets over the network connection. The link passes through the following phases:

• Link establishment phase
• Link quality phase
• Network-layer protocol phase
• Link termination phase

PAP (diagram): the client sends its hostname (remotenode) and password (pass1) in a single message, "remotenode pass1", and the server replies accept/reject. The password is sent as clear text.

CHAP (diagram): the client and server both hold the hostname (remotenode) and password (pass1). The server sends a challenge; the client returns a response computed from the password and the challenge; the server replies accept/reject. The password itself never crosses the link.

LCP option-negotiation automaton (diagram): the states are Closed, Closing, Req-Sent, Ack-Rcvd, Ack-Sent and Opened. The events are Open, Close, TO+ (timeout with retries remaining), RCR+ and RCR- (Configure-Request received with acceptable or unacceptable options), RCA (Configure-Ack received) and RCN (Configure-Nak or Configure-Reject received). The actions are scr (send Configure-Request), sca (send Configure-Ack), scn (send Configure-Nak or -Reject), str (send Terminate-Request) and sta (send Terminate-Ack).

PPP phases (diagram): the link starts in the Link Dead phase. An Up event moves it to the Link Establishment phase, where LCP configuration packets are exchanged; once LCP reaches Opened, the Authentication phase runs. On success (or where no authentication is required) the Network-Layer Protocol phase starts and NCP packets are exchanged. A failure in establishment or authentication, or a Down event, leads to the Link Termination phase; the link is then Closing and returns to Link Dead.
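The container placement rules listed under the NDS container and leaf objects above are easiest to see as a small model that refuses mis-placed objects and builds the typeful distinguished name of a leaf. The following is an added example, not code from the lecture notes: the placement table is the set of rules the notes state, the tree built in build_example_tree() follows the notes' diagram ([ROOT] > O=FRED_ANDCO > OU=TEST > OU=SALES), and the leaf names and the Print Queue are illustrative.

```python
"""NDS tree model: container placement rules, typeful distinguished names and
lookup by name.

Added example (not code from the lecture notes). The placement table is the
set of rules stated in the notes; the tree in build_example_tree() follows the
notes' diagram. The leaf names and the Print Queue are illustrative.
"""
from dataclasses import dataclass, field
from typing import Optional

ROOT = "[ROOT]"

# Object classes that each class may be placed directly below.
ALLOWED_PARENTS = {
    "C":  {ROOT},                   # Country: only directly below [ROOT]
    "L":  {ROOT, "C", "O", "OU"},   # Locality
    "LP": {ROOT, "C", "O", "OU"},   # Licensed Product
    "O":  {ROOT, "C", "L"},         # Organization: below [ROOT] unless C or L is used
    "OU": {"O", "OU"},              # Organizational Unit: below O, or nested as in the diagram
    "CN": {"O", "OU"},              # leaf objects (CN=...) live in O or OU containers
}
CONTAINERS = {ROOT, "C", "L", "O", "OU"}


def placement_allowed(parent_type: str, otype: str) -> bool:
    """True if an object of class otype may be created directly below parent_type."""
    return parent_type in CONTAINERS and parent_type in ALLOWED_PARENTS.get(otype, set())


class PlacementError(ValueError):
    pass


@dataclass
class NDSObject:
    otype: str                      # [ROOT], C, L, O, OU, LP, or CN for leaf objects
    name: str
    parent: Optional["NDSObject"] = None
    leaf_class: str = ""            # e.g. "User" or "Print Queue" for CN objects
    children: list = field(default_factory=list)

    def distinguished_name(self) -> str:
        """Typeful DN, leaf first, e.g. CN=User1.OU=SALES.OU=TEST.O=FRED_ANDCO ([ROOT] implicit)."""
        parts, node = [], self
        while node is not None and node.otype != ROOT:
            parts.append(f"{node.otype}={node.name}")
            node = node.parent
        return ".".join(parts)


class NDSTree:
    def __init__(self):
        self.root = NDSObject(ROOT, ROOT)

    def add(self, parent: NDSObject, otype: str, name: str, leaf_class: str = "") -> NDSObject:
        """Create an object below parent, enforcing the placement rules."""
        if not placement_allowed(parent.otype, otype):
            raise PlacementError(f"{otype}={name} may not be placed below a {parent.otype} object")
        obj = NDSObject(otype, name, parent, leaf_class)
        parent.children.append(obj)
        return obj

    def find(self, dn: str) -> Optional[NDSObject]:
        """Resolve a typeful DN from [ROOT] downwards; NDS names compare case-insensitively."""
        node = self.root
        for part in reversed(dn.split(".")):
            otype, _, name = part.partition("=")
            node = next((c for c in node.children
                         if c.otype.upper() == otype.upper() and c.name.upper() == name.upper()),
                        None)
            if node is None:
                return None
        return node


def build_example_tree() -> NDSTree:
    """[ROOT] > O=FRED_ANDCO > OU=TEST > OU=SALES > leaf objects, as in the notes' diagram."""
    tree = NDSTree()
    org = tree.add(tree.root, "O", "FRED_ANDCO")
    test = tree.add(org, "OU", "TEST")
    sales = tree.add(test, "OU", "SALES")
    tree.add(sales, "CN", "User1", "User")
    tree.add(sales, "CN", "User2", "User")
    tree.add(sales, "CN", "NET_PRINT1", "Print Queue")   # illustrative; name from the Alias slide
    return tree


if __name__ == "__main__":
    t = build_example_tree()
    for leaf in t.find("OU=SALES.OU=TEST.O=FRED_ANDCO").children:
        print(leaf.leaf_class, leaf.distinguished_name())
```

placement_allowed() is the part worth keeping when scripting directory changes: the same check that stops a Country object being created under an Organization also stops a leaf object being dropped directly under [ROOT], where no container login script or rights inheritance would apply to it.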
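The PPP frame format, the Protocol field values and the LCP packet layout above can be exercised directly with a small framer and parser. This is an added example, not code from the lecture notes: the byte stuffing and 16-bit FCS follow RFC 1662 (the notes give the field layout but not the FCS algorithm), the Echo-Request frame in demo() is constructed here, and Address/Control and Protocol field compression and the 32-bit FCS option are not handled.

```python
"""PPP frame build/parse with RFC 1662 FCS-16, byte stuffing and LCP header
decoding, using the Protocol and Code values tabulated in the notes.

Added example, not code from the lecture notes. The Echo-Request frame in
demo() is constructed here. Address/Control and Protocol field compression
and the 32-bit FCS option are not handled."""
import struct

FLAG, ADDRESS, CONTROL, ESCAPE = 0x7E, 0xFF, 0x03, 0x7D
GOOD_FCS16 = 0xF0B8     # register value after running the FCS over data + FCS bytes

PROTOCOLS = {
    0x0021: "IP", 0x0029: "AppleTalk", 0x002B: "Novell IPX",
    0x8021: "IP Control Protocol", 0x8029: "AppleTalk Control Protocol",
    0x802B: "Novell IPX Control Protocol",
    0xC021: "LCP", 0xC023: "PAP", 0xC025: "Link Quality Report", 0xC223: "CHAP",
}
LCP_CODES = {
    1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject",
    5: "Terminate-Request", 6: "Terminate-Ack", 7: "Code-Reject", 8: "Protocol-Reject",
    9: "Echo-Request", 10: "Echo-Reply",
}


def _crc16(data: bytes, fcs: int = 0xFFFF) -> int:
    """FCS-16 register update: reflected CRC-16-CCITT (polynomial 0x8408), init 0xFFFF."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs


def fcs16(data: bytes) -> int:
    """Transmitted FCS value: the final register complemented."""
    return _crc16(data) ^ 0xFFFF


def _stuff(data: bytes) -> bytes:
    """Async escaping: Flag, Escape and (default ACCM) control bytes become 7D, byte^20."""
    out = bytearray()
    for b in data:
        if b in (FLAG, ESCAPE) or b < 0x20:
            out += bytes((ESCAPE, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def _unstuff(data: bytes) -> bytes:
    out, esc = bytearray(), False
    for b in data:
        if esc:
            out.append(b ^ 0x20)
            esc = False
        elif b == ESCAPE:
            esc = True
        else:
            out.append(b)
    return bytes(out)


def lcp_packet(code: int, ident: int, data: bytes = b"") -> bytes:
    """LCP packet: Code (1), Identifier (1), Length (2, covering the whole packet), Data."""
    return struct.pack(">BBH", code, ident, 4 + len(data)) + data


def build_frame(protocol: int, payload: bytes) -> bytes:
    body = bytes((ADDRESS, CONTROL)) + struct.pack(">H", protocol) + payload
    body += struct.pack("<H", fcs16(body))          # FCS is sent low-order byte first
    return bytes((FLAG,)) + _stuff(body) + bytes((FLAG,))


def parse_frame(frame: bytes) -> dict:
    """Check flags, FCS and Address/Control; decode the Protocol field and, for LCP, the header."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag or short frame")
    body = _unstuff(frame[1:-1])
    if len(body) < 6:
        raise ValueError("short frame")
    if _crc16(body) != GOOD_FCS16:                   # FCS run over data + FCS must give F0B8h
        raise ValueError("FCS check failed")
    if body[0] != ADDRESS or body[1] != CONTROL:
        raise ValueError("unexpected Address/Control field")
    proto = struct.unpack(">H", body[2:4])[0]
    info = body[4:-2]
    result = {"protocol": proto, "protocol_name": PROTOCOLS.get(proto, "unknown"), "info": info}
    if proto == 0xC021:
        if len(info) < 4:
            raise ValueError("truncated LCP header")
        code, ident, length = struct.unpack(">BBH", info[:4])
        if length < 4 or length > len(info):
            raise ValueError("LCP Length field inconsistent with frame")
        result["lcp"] = {"code": code, "code_name": LCP_CODES.get(code, "unknown"),
                         "id": ident, "length": length, "data": info[4:length]}
    return result


def frame_is_valid(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def demo() -> dict:
    # Constructed sample: LCP Echo-Request, id 1, magic number 7E123456h (exercises stuffing).
    frame = build_frame(0xC021, lcp_packet(9, 1, bytes.fromhex("7e123456")))
    return parse_frame(frame)
```

Two checks in parse_frame() matter for anything that consumes frames from an untrusted peer: the FCS is verified before any field is interpreted, and the LCP Length field is bounded by what actually arrived rather than trusted as a slice length.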
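The PAP and CHAP diagrams above differ in exactly what an eavesdropper on the link sees, and the following added example builds both exchanges to show it. It is not code from the lecture notes: the peer name "remotenode" and password "pass1" are the values in the diagrams, the packet layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP with MD5), and the server name, challenge value and account table are constructed here.

```python
"""PAP (RFC 1334) and CHAP-MD5 (RFC 1994) exchanges, showing what crosses the link.

Added example, not code from the lecture notes. Peer name "remotenode" and
password "pass1" are from the notes' diagrams; the server name, the challenge
values and the account table are constructed here."""
import hashlib
import hmac
import struct

PAP_AUTH_REQ, PAP_AUTH_ACK, PAP_AUTH_NAK = 1, 2, 3
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """Authenticate-Request: Code, Id, Length, Peer-ID-Length, Peer-ID, Passwd-Length, Password."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack(">BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body


def pap_server(packet: bytes, accounts: dict) -> bytes:
    """Server side: the password arrives in clear and is simply compared."""
    code, ident, _ = struct.unpack(">BBH", packet[:4])
    pl = packet[4]
    peer = packet[5:5 + pl]
    pw = packet[6 + pl:6 + pl + packet[5 + pl]]
    ok = code == PAP_AUTH_REQ and accounts.get(peer) == pw
    msg = b"ok" if ok else b"bad"
    code = PAP_AUTH_ACK if ok else PAP_AUTH_NAK
    return struct.pack(">BBHB", code, ident, 5 + len(msg), len(msg)) + msg


def chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response: Code, Id, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack(">BBH", code, ident, 4 + len(body)) + body


def parse_chap(packet: bytes):
    code, ident, length = struct.unpack(">BBH", packet[:4])
    vsize = packet[4]
    return code, ident, packet[5:5 + vsize], packet[5 + vsize:length]


def chap_md5(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_client(challenge_packet: bytes, secret: bytes, name: bytes) -> bytes:
    """Client side: hash the secret with the challenge; the secret itself is never sent."""
    _, ident, value, _ = parse_chap(challenge_packet)
    return chap_packet(CHAP_RESPONSE, ident, chap_md5(ident, secret, value), name)


def chap_server_verify(response: bytes, sent_ident: int, sent_value: bytes, accounts: dict) -> bool:
    """Server side: recompute from the stored secret and the challenge we actually issued."""
    code, ident, value, name = parse_chap(response)
    if code != CHAP_RESPONSE or ident != sent_ident or name not in accounts:
        return False
    return hmac.compare_digest(chap_md5(ident, accounts[name], sent_value), value)


def demo() -> dict:
    accounts = {b"remotenode": b"pass1"}                 # server's secret store (constructed)
    pap = pap_request(1, b"remotenode", b"pass1")
    # Constructed, fixed challenge so the run is repeatable; a real server must
    # use a fresh unpredictable value for every challenge.
    challenge = bytes(range(16))
    chal_pkt = chap_packet(CHAP_CHALLENGE, 7, challenge, b"server")
    resp = chap_client(chal_pkt, b"pass1", b"remotenode")
    return {
        "pap_password_on_wire": b"pass1" in pap,
        "pap_accepted": pap_server(pap, accounts)[0] == PAP_AUTH_ACK,
        "chap_password_on_wire": b"pass1" in chal_pkt + resp,
        "chap_accepted": chap_server_verify(resp, 7, challenge, accounts),
        # a captured response replayed against a new challenge/identifier is rejected
        "chap_replay_accepted": chap_server_verify(resp, 8, bytes(range(16, 32)), accounts),
    }
```

Two caveats a practitioner would add to the diagrams: CHAP still requires the server to hold the secret in clear (or an equivalent) so it can recompute the hash, and a captured challenge/response pair lets an attacker test password guesses offline against chap_md5(), so the secret must be strong even though it never crosses the link.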
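The option-negotiation automaton shown in the diagram above is a transition table, and the added example below runs it for the states and events the diagram names. It is not code from the lecture notes: the entries are the rows of the RFC 1661 automaton for those six states (Closed, Closing, Req-Sent, Ack-Rcvd, Ack-Sent, Opened) and seven events (Open, Close, TO+, RCR+, RCR-, RCA, RCN); the Initial, Starting, Stopped and Stopping states and the TO-, RTR, RTA, RUC and RXJ events are deliberately left out, so those transitions raise.

```python
"""LCP option-negotiation automaton (RFC 1661 section 4.1), restricted to the
states and events on the slide.

Added example, not code from the lecture notes. Entries are the RFC 1661 table
rows for Closed, Closing, Req-Sent, Ack-Rcvd, Ack-Sent and Opened; the other
states and the TO-, RTR, RTA, RUC and RXJ events are left out."""

# (actions, next state). Actions: irc = initialise restart counter,
# scr/sca/scn = send Configure-Request/-Ack/-Nak(or -Reject), str/sta = send
# Terminate-Request/-Ack, tlu/tld = this-layer-up/down (NCPs may start/must stop).
TABLE = {
    ("Closed",   "Open"):  (("irc", "scr"), "Req-Sent"),
    ("Closed",   "Close"): ((), "Closed"),
    ("Closed",   "RCR+"):  (("sta",), "Closed"),
    ("Closed",   "RCR-"):  (("sta",), "Closed"),
    ("Closed",   "RCA"):   (("sta",), "Closed"),
    ("Closed",   "RCN"):   (("sta",), "Closed"),

    ("Closing",  "Close"): ((), "Closing"),
    ("Closing",  "TO+"):   (("str",), "Closing"),
    ("Closing",  "RCR+"):  ((), "Closing"),
    ("Closing",  "RCR-"):  ((), "Closing"),
    ("Closing",  "RCA"):   ((), "Closing"),
    ("Closing",  "RCN"):   ((), "Closing"),

    ("Req-Sent", "Open"):  ((), "Req-Sent"),
    ("Req-Sent", "Close"): (("irc", "str"), "Closing"),
    ("Req-Sent", "TO+"):   (("scr",), "Req-Sent"),
    ("Req-Sent", "RCR+"):  (("sca",), "Ack-Sent"),
    ("Req-Sent", "RCR-"):  (("scn",), "Req-Sent"),
    ("Req-Sent", "RCA"):   (("irc",), "Ack-Rcvd"),
    ("Req-Sent", "RCN"):   (("irc", "scr"), "Req-Sent"),

    ("Ack-Rcvd", "Open"):  ((), "Ack-Rcvd"),
    ("Ack-Rcvd", "Close"): (("irc", "str"), "Closing"),
    ("Ack-Rcvd", "TO+"):   (("scr",), "Req-Sent"),
    ("Ack-Rcvd", "RCR+"):  (("sca", "tlu"), "Opened"),
    ("Ack-Rcvd", "RCR-"):  (("scn",), "Ack-Rcvd"),
    ("Ack-Rcvd", "RCA"):   (("scr",), "Req-Sent"),
    ("Ack-Rcvd", "RCN"):   (("scr",), "Req-Sent"),

    ("Ack-Sent", "Open"):  ((), "Ack-Sent"),
    ("Ack-Sent", "Close"): (("irc", "str"), "Closing"),
    ("Ack-Sent", "TO+"):   (("scr",), "Ack-Sent"),
    ("Ack-Sent", "RCR+"):  (("sca",), "Ack-Sent"),
    ("Ack-Sent", "RCR-"):  (("scn",), "Ack-Sent"),
    ("Ack-Sent", "RCA"):   (("irc", "tlu"), "Opened"),
    ("Ack-Sent", "RCN"):   (("irc", "scr"), "Ack-Sent"),

    ("Opened",   "Open"):  ((), "Opened"),
    ("Opened",   "Close"): (("tld", "irc", "str"), "Closing"),
    ("Opened",   "RCR+"):  (("tld", "scr", "sca"), "Ack-Sent"),
    ("Opened",   "RCR-"):  (("tld", "scr", "scn"), "Ack-Sent"),
    ("Opened",   "RCA"):   (("tld", "scr"), "Req-Sent"),
    ("Opened",   "RCN"):   (("tld", "scr"), "Req-Sent"),
}


class LCPAutomaton:
    def __init__(self, state: str = "Closed"):
        self.state = state
        self.trace = []                      # (state, event, actions, next state)

    def event(self, ev: str):
        """Apply one event; returns (actions to perform, new state)."""
        key = (self.state, ev)
        if key not in TABLE:
            raise ValueError(f"{ev} in state {self.state}: not modelled in this subset")
        actions, nxt = TABLE[key]
        self.trace.append((self.state, ev, actions, nxt))
        self.state = nxt
        return actions, nxt


def run(events, start: str = "Closed"):
    """Feed events in order from a start state; return the sequence of resulting states."""
    a = LCPAutomaton(start)
    return [a.event(e)[1] for e in events]


def actions_for(state: str, ev: str):
    return TABLE[(state, ev)][0]


if __name__ == "__main__":
    a = LCPAutomaton()
    for ev in ("Open", "RCR+", "RCA"):       # normal establishment from the Closed state
        print(ev, "->", a.event(ev))
```

The Opened rows are the ones to read from a security standpoint: a Configure-Ack, -Nak or -Request arriving while the link is up runs tld, which stops the network-layer protocols, and drops the automaton back to Req-Sent or Ack-Sent. LCP packets carry no integrity protection, so on a link where an attacker can inject frames this is enough to force repeated renegotiation.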
