fall 2002cs 395: computer security1 networking tutorial ip routing tcp dns
DESCRIPTION
Fall 2002CS 395: Computer Security3 IP Internet Protocol Stack R1 ETH FDDI IP ETH TCP R2 FDDI PPP IP R3 PPP ETH IP H1 IP ETH TCP H8TRANSCRIPT
Fall 2002 CS 395: Computer Security 1
Networking Tutorial
IPRouting
TCPDNS
Fall 2002 CS 395: Computer Security 2
IP Internet
• Concatenation of NetworksNote Hn denotes host,Rn denotes router.
Fall 2002 CS 395: Computer Security 3
IP Internet
• Protocol Stack
R1
ETH FDDI
IPIP
ETH
TCP R2
FDDI PPP
IP
R3
PPP ETH
IP
H1
IP
ETH
TCP
H8
Fall 2002 CS 395: Computer Security 4
Service Model
• Connectionless (datagram-based)– So each packet must be “self-contained”
• Best-effort delivery (unreliable service)– packets are lost– packets are delivered out of order– duplicate copies of a packet are delivered (?!)– packets can be delayed for a long time
Fall 2002 CS 395: Computer Security 5
Why?!• Best Effort service model is as simple a model as
you could want, and this is a strong point!– If you provide best effort service over a network
technology that provides reliable delivery, you’re fine– If you provide reliable delivery over a network
technology that is unreliable, then you’ve got a problem: you need lots of extra functionality in the routers to handle the network deficiencies, and keeping the routers as simple as possible was an IP design goal. (Why?)
• Note: IP today runs over many technologies that were not in existence when IP was invented!
Fall 2002 CS 395: Computer Security 6
IP Datagram Format
V ersion HLen TOS Length
Ident Flags Offset
TTL Protocol Checksum
SourceAddr
DestinationAddr
Options (variable) Pad(variable)
0 4 8 16 19 31
Data
In 32 bit wordsIn bytes
Note: fieldsaligned on32 bit boundaries
Fall 2002 CS 395: Computer Security 7
Fields
• Version: note placement at front of packet (why?)• Header Length: in 32 bit words (20 bytes when no
options)• Type of service: later• Length: of entire packet in bytes (note max of
65,535 bytes because of 16 bit length field)• Ident, flags, offset all deal with fragmentation• Time to live: first seconds, but evolved to be hop
count
Fall 2002 CS 395: Computer Security 8
Fields• Protocol: demux key specifying higher level
protocol that gets datagram• Checksum: • Src, dest address: pretty clear (and these are
unique!)• Options: rare, but complete IP implementation
must handle them all! Presence determined by header length field
Fall 2002 CS 395: Computer Security 9
Fragmentation and Reassembly
• Each network has some MTU (why?)• Ident field: chosen by sending host, intended to be
unique among all datagrams that might be received at this dest from this source over reasonable time period.– All fragments keep this same ident value
• Offset: specifies 8 bytes chunk of data (why?)• Flags: M is “more” flag
Fall 2002 CS 395: Computer Security 10
Example
H1 R1 R2 R3 H8
ETH IP (1400) FDDI IP (1400) PPP IP (512)
PPP IP (376)
PPP IP (512)
ETH IP (512)
ETH IP (376)
ETH IP (512)
Ident = x Offset = 0
Start of header
0
Rest of header
1400 data bytes
Ident = x Offset = 0
Start of header
1
Rest of header
512 data bytes
Ident = x Offset = 512
Start of header
1
Rest of header
512 data bytes
Ident = x Offset = 1024
Start of header
0
Rest of header
376 data bytes
MTU 532 bytes
Note: fragmentation can occurat multiple hops!
Fall 2002 CS 395: Computer Security 11
Global Addresses• Properties
– globally unique (don’t want anyone with my phone #)– hierarchical: network + host (really interface)
• Dot Notation– 10.3.2.4– 128.96.33.81– 192.12.69.77
Network Host
7 24
0A:
Network Host
14 16
1 0B:
Network Host
21 8
1 1 0C:
Fall 2002 CS 395: Computer Security 12
IP Internet Note Hn denotes host,Rn denotes router.
Routers need twoIP addresses.All hosts on same
network have samenetwork part ofIP address
Fall 2002 CS 395: Computer Security 13
Terminology
• Routing Mechanism: How a router selects the link over which to forward a packet
• Routing Protocol: Policies that determine what is placed in the routing tables.
These are not the same thing!
Fall 2002 CS 395: Computer Security 14
Datagram Forwarding • Strategy
– every datagram contains destination’s address– if directly connected to destination network, then forward to host– if not directly connected to destination network, then forward to
some router– forwarding table maps network number into next hop– each host has a default router– each router maintains a forwarding table
• Example (R2) Network Number Next Hop 1 R3 2 R1 3 interface 1 4 interface 0
Fall 2002 CS 395: Computer Security 15
Recall:
R2
R1
H4
H5
H3H2H1
Network 2 (Ethernet)
Network 1 (Ethernet)
H6
Network 3 (FDDI)
Network 4(point-to-point)
H7 R3 H8
Fall 2002 CS 395: Computer Security 16
Address Translation
• Map IP addresses into physical addresses• ARP
– table of IP to physical address bindings– broadcast request if IP address not in table– target machine responds with its physical address
Fall 2002 CS 395: Computer Security 17
Internet Control Message Protocol (ICMP)
• Communicates error messages and other conditions that require attention
• ICMP messages are acted on by either the IP layer or higher layers (TCP or UDP).
• Transmitted within IP datagrams
type checksumcode
Contents depends on type and code
0 1587 16 31
Fall 2002 CS 395: Computer Security 18
ICMP (cont.)
• 15 different values for the type field, then several codes for each of the types
• Checksum computed same as for IP packet• Complete specification of protocol is RFC 792
(Postel)• Another good source is TCP/IP Illustrated, Vol. 1,
Ch. 6
Fall 2002 CS 395: Computer Security 19
Types of ICMP Messages
• Echo (ping)• Redirect (from router to source host)• Destination unreachable (protocol, port, or host)• TTL exceeded (so datagrams don’t cycle forever)• Checksum failed • Reassembly failed• Cannot fragment
Fall 2002 CS 395: Computer Security 20
Routing
Fall 2002 CS 395: Computer Security 21
Give Credit:
• Many of the figures I’ve used in this set of slides here are from the Prentice-Hall text “Computer Networks” (3rd Edition), by Andrew Tanenbaum.
Fall 2002 CS 395: Computer Security 22
Overview
• Forwarding vs Routing– forwarding: to select an output port based on
destination address and routing table– routing: process by which routing table is built– Routing table optimized for tracking changes in
topology and calculating “best” routes.• Problem: Find lowest cost path between two nodes• Key question (as always): Will our solution scale?
– Answer: No! (At least not the first things we examine)
Fall 2002 CS 395: Computer Security 23
Overview• Network as a Graph
• Nodes represent networks• Edges represent costs
• Factors– static: topology– dynamic: load
4
36
21
9
1
1D
A
FE
B
C
Fall 2002 CS 395: Computer Security 24
Terminology
• Routing domain: internetwork in which all routers under same administrative control– Small to midsized networks, e.g. university campus– Use intradomain routing protocols (interior gateway
protocols (IGP))– Convergence: process of getting consistent routing
information to all nodes
Internet uses interdomain routing protocols
Fall 2002 CS 395: Computer Security 25
Distance Vector (RIP, Bellman-Ford)• Each node maintains a set of triples
– (Destination, Cost, NextHop)
• Exchange updates directly connected neighbors– periodically ( on the order of several seconds)– whenever its table changes (triggered update)(?!)
• Each update is a list of pairs:– (Destination, Cost)
• Update local table if receive a “better” route– smaller cost
• Refresh existing routes; delete if they time out
Fall 2002 CS 395: Computer Security 26
Link-State (OSPF)• Strategy
– send to all nodes (not just neighbors) information about directly connected links (not entire routing table)
• Link State Packet (LSP)– id of the node that created the LSP– cost of the link to each directly connected neighbor– sequence number (SEQNO)– time-to-live (TTL) for this packet
• Uses reliable flooding• Dijkstra’s shortest path algorithm
Fall 2002 CS 395: Computer Security 27
Open Shortest Path First (OSPF)
• Typical link-state but with enhancements– Authentication of routing messages– Additional hierarchy (to help with scalability)– Load balancing
Fall 2002 CS 395: Computer Security 28
Internet Structure
• Autonomous system (AS)– Administered Independently of other ASs– Want to be able to control various ways in which
network is configured, used, etc.• Select their own intranetwork routing protocol• Perhaps select own link metrics, etc.
• Advantageous because it provides finer hierarchy– Good for scalability
Fall 2002 CS 395: Computer Security 29
Interdomain Routing• Much more difficult than intradomain routing
– Scale: Internet backbone router has 50,000+ prefixes– Impossible to calculate path costs: Different ASs mean
different link-state metrics which may not be comparable.
• Focus is on reachability, not optimality, and this is plenty difficult all by itself
– Trust: If you trust another AS, you trust their routing advertisements and their network system configuration info.
Fall 2002 CS 395: Computer Security 30
Route Propagation• Know a smarter router
– hosts know local router (on same physical network)
– local routers know how to get to border router (and to each other)
– Regional ISP routers know how to get to its customers, and also to a border (gateway) router to a backbone provider
– Backbone (core) routers know everything (or at least how to get what they need)
Fall 2002 CS 395: Computer Security 31
BGP-4: Border Gateway Protocol
• Much more complicated than anything we want to deal with here (though I’m happy to provide details if you’d like to know them).
Fall 2002 32
BGP-4: Border Gateway Protocol
Border routers
Fall 2002 CS 395: Computer Security 33
BGP Example• Speaker for AS2 advertises reachability to P and Q
– network 128.96, 192.4.153, 192.4.32, and 192.4.3, can be reached directly from AS2
• Speaker for backbone advertises– networks 128.96, 192.4.153, 192.4.32, and 192.4.3 can be reached along
the path (AS1, AS2).• Speaker can cancel previously advertised paths
Backbone network(AS 1)
Regional provider A(AS 2)
Regional provider B(AS 3)
Customer P(AS 4)
Customer Q(AS 5)
Customer R(AS 6)
Customer S(AS 7)
128.96192.4.153
192.4.32192.4.3
192.12.69
192.4.54192.4.23
Transit networks
stubs
Fall 2002 CS 395: Computer Security 34
Integrating Intra and Inter
• Stub AS (very common): border router “injects” default route into intradomain protocol
• Non-stub, but non backbone: Border routers inject learned (either through BGP or static config) info into intradomain protocol
• Backbone: IBGP (interior BGP): Too much info to inject into traditional intradomain protocol (10,000 prefixes = > big LSP + complex shortest path info). Traditional intradomain + protocols for querying border routers.
Fall 2002 CS 395: Computer Security 35
Reliable Byte-Stream (TCP)
Fall 2002 CS 395: Computer Security 36
End-to-End Protocols• Underlying best-effort network
– drops messages– re-orders messages– delivers duplicate copies of a given message– limits messages to some finite size– delivers messages after an arbitrarily long delay
• Common end-to-end services– guarantee message delivery– deliver messages in the same order they are sent– deliver at most one copy of each message– support arbitrarily large messages– support synchronization (between sender and receiver)– allow the receiver to flow control the sender– support multiple application processes on each host
Fall 2002 CS 395: Computer Security 37
TCP Overview
• Connection-oriented• Byte-stream
– app writes bytes– TCP sends segments– app reads bytes
Application process
Writebytes
TCPSend buffer
Segment Segment Segment
Transmit segments
Application process
Readbytes
TCPReceive buffer
…
… …
• Full duplex• Flow control: keep sender from
overrunning receiver• Congestion control: keep sender
from overrunning network
Fall 2002 CS 395: Computer Security 38
Acks and Timeouts• Acknowledgement (ACK)
– Small frame sent to peer indicating receipt of frame– No data– Piggybacking
• Timeout– If ACK not received within reasonable time, original
frame is retransmitted• Automatic Repeat Request (ARQ)
– General strategy of using ACKS and timeouts to implement reliable delivery
Fall 2002 CS 395: Computer Security 39
Segment Format
Options (variable)
Data
Checksum
SrcPort DstPort
HdrLen 0 Flags
UrgPtr
AdvertisedWindow
SequenceNum
Acknowledgment
0 4 10 16 31
Fall 2002 CS 395: Computer Security 40
Segment Format (cont)• Each connection identified with 4-tuple:
– (SrcPort, SrcIPAddr, DsrPort, DstIPAddr)• Sliding window + flow control
– acknowledgment, SequenceNum, AdvertisedWinow
• Flags– SYN, FIN, RESET, PUSH, URG, ACK
• Checksum– pseudo header + TCP header + data
Sender
Data (SequenceNum)
Acknowledgment +AdvertisedWindow
Receiver
Fall 2002 CS 395: Computer Security 41
Connection Establishment and Termination
Active participant(client)
Passive participant(server)
SYN, SequenceNum = x
SYN + ACK, SequenceNum = y,
ACK, Acknowledgment = y + 1
Acknowledgment = x + 1
Note: SequenceNumcontains the sequencenumber of the first data byte containedin the segment. ACKfield always gives thesequence number ofthe next data byte expected. (Except forthe SYN segments)
Fall 2002 CS 395: Computer Security 42
State Transition DiagramCLOSED
LISTEN
SYN_RCVD SYN_SENT
ESTABLISHED
CLOSE_WAIT
LAST_ACKCLOSING
TIME_WAIT
FIN_WAIT_2
FIN_WAIT_1
Passive open Close
Send/SYNSYN/SYN + ACK
SYN + ACK/ACK
SYN/SYN + ACK
ACK
Close/FIN
FIN/ACKClose/FIN
FIN/ACKACK + FIN/ACK Timeout after two segment lifetimes
FIN/ACKACK
ACK
ACK
Close/FIN
Close
CLOSED
Active open/SYN
Openingconnection
Closingconnection
event/action
Fall 2002 CS 395: Computer Security 43
Name Service (DNS)
Fall 2002 CS 395: Computer Security 44
In The Beginning…
• Network Information Center (NIC) maintained a flat table of name-to-address bindings (called hosts.txt)
• To add host to Internet, email NIC with new name/address pair, which NIC manually added to table
• Modified table was mailed to every site every few days; sysadmins installed hosts.txt on every host
Fall 2002 CS 395: Computer Security 45
Domain Name System (DNS)• Went online in mid 1980s• Hierarchical name space
– Names processes from right to left (though humans read them from left to right) with periods as field separators
– Ex. cleopatra.richmond.edu
edu com
princeton … mit
cs ee
ux01 ux04
physics
cisco … yahoo nasa … nsf arpa … navy acm … ieee
gov mil org net uk fr
Fall 2002 CS 395: Computer Security 46
Domain Name System (DNS)• Distributed database of domain name bindings
– Each site (university department, campus, company, etc.) maintains its own part of database, along with a server
– Mapping is not necessarily host name to address• Apps presented with host names query DNS to find
address– Accessed through a resolver, which in Unix is primarily
reached via gethostbyname() and gethostbyaddress()– resolver opens UDP connection to pass name service
packets (IP address of server(s) in /etc/resolve.conf)– resolver is not part of TCP implementation (or kernel)
Fall 2002 CS 395: Computer Security 47
Example
Nameserver
Mailprogram
User
TCP
IP
2cs.princeton.edu
192.12.69.53
user @ cs.princeton.edu1
192.12.69.5 4
192.12.69.5 5
Fall 2002 CS 395: Computer Security 48
DNS Implementation• Partition hierarchy into zones
edu com
princeton … mit
cs ee
ux01 ux04
physics
cisco … yahoo nasa … nsf arpa … navy acm … ieee
gov mil org net uk fr
• Zones correspond to administrative authority (NIC gets top)– Each zone implemented by two or more name servers
• Primary: get its info from disk files• Secondary: get their info from the primary (called a zone-transfer)
Fall 2002 CS 395: Computer Security 49
DNS Implementation (cont.)
• DNS is really a hierarchy of name servers, rather than hierarchy of domains
• Servers respond either with info requested or with IP address of another name server• All primary servers must know IP addresses of all root servers
Rootname server
Princetonname server
Cisconame server
CSname server
EEname server
…
…
Fall 2002 CS 395: Computer Security 50
Name Resolution• Client sends request to a root server for cleopatra.mathcs.richmond.edu
• Root server returns the best info it has, which includes all information relating to richmond.edu (which should contain the name and address of a richmond.edu name server)
• Client queries richmond.edu name server, which returns name and address of mathcs.richmond.edu name server
• Client queries mathcs.richmond.edu name server and gets IP address of cleopatra.mathcs.richmond.edu
Fall 2002 CS 395: Computer Security 51
How It Really Works• Client queries local name server, and name server
goes through resolution process on client’s behalf– Hosts must be configured with address of local name
server– Only local name server needs to know addresses of root
server(s)– Local server sees all DNS responses, and can thus
cache these (removing record when TTL expires)• Partial names (e.g. cleopatra): client program
is configured with local domain and appends this to incomplete names before query
Fall 2002 CS 395: Computer Security 52
ExampleRootnameserver
Princetonnameserver
CSnameserver
Localnameserver
Client
1cicada.cs.princeton.edu
192.12.69.608
cicada.cs.princeton.edu
princeton.edu, 128.196.128.233
cicada.cs.princeton.edu
cicada.cs.princeton.edu,
192.12.69.60
cicada.cs.princeton.edu
cs.princeton.edu, 192.12.69.5
2
3
4
5
6
7