fall 2002cs 395: computer security1 networking tutorial ip routing tcp dns

Fall 2002 CS 395: Computer Security 1

Networking Tutorial

IPRouting

TCPDNS


IP Internet

• Concatenation of NetworksNote Hn denotes host,Rn denotes router.


IP Internet

• Protocol Stack

R1

ETH FDDI

IPIP

ETH

TCP R2

FDDI PPP

IP

R3

PPP ETH

IP

H1

IP

ETH

TCP

H8


Service Model

• Connectionless (datagram-based)– So each packet must be “self-contained”

• Best-effort delivery (unreliable service)– packets are lost– packets are delivered out of order– duplicate copies of a packet are delivered (?!)– packets can be delayed for a long time


Why?!• Best Effort service model is as simple a model as

you could want, and this is a strong point!– If you provide best effort service over a network

technology that provides reliable delivery, you’re fine– If you provide reliable delivery over a network

technology that is unreliable, then you’ve got a problem: you need lots of extra functionality in the routers to handle the network deficiencies, and keeping the routers as simple as possible was an IP design goal. (Why?)

• Note: IP today runs over many technologies that were not in existence when IP was invented!


IP Datagram Format

V ersion HLen TOS Length

Ident Flags Offset

TTL Protocol Checksum

SourceAddr

DestinationAddr

Options (variable) Pad(variable)

0 4 8 16 19 31

Data

In 32 bit wordsIn bytes

Note: fieldsaligned on32 bit boundaries


Fields

• Version: note placement at front of packet (why?)• Header Length: in 32 bit words (20 bytes when no

options)• Type of service: later• Length: of entire packet in bytes (note max of

65,535 bytes because of 16 bit length field)• Ident, flags, offset all deal with fragmentation• Time to live: first seconds, but evolved to be hop

count


Fields• Protocol: demux key specifying higher level

protocol that gets datagram• Checksum: • Src, dest address: pretty clear (and these are

unique!)• Options: rare, but complete IP implementation

must handle them all! Presence determined by header length field


Fragmentation and Reassembly

• Each network has some MTU (why?)• Ident field: chosen by sending host, intended to be

unique among all datagrams that might be received at this dest from this source over reasonable time period.– All fragments keep this same ident value

• Offset: specifies 8 bytes chunk of data (why?)• Flags: M is “more” flag


Example

H1 R1 R2 R3 H8

ETH IP (1400) FDDI IP (1400) PPP IP (512)

PPP IP (376)

PPP IP (512)

ETH IP (512)

ETH IP (376)

ETH IP (512)

Ident = x Offset = 0

Start of header

0

Rest of header

1400 data bytes


Start of header

1

Rest of header

512 data bytes


Start of header

1

Rest of header

512 data bytes


Start of header

0

Rest of header

376 data bytes

MTU 532 bytes

Note: fragmentation can occurat multiple hops!


Global Addresses• Properties

– globally unique (don’t want anyone with my phone #)– hierarchical: network + host (really interface)

• Dot Notation– 10.3.2.4– 128.96.33.81– 192.12.69.77

Network Host

7 24

0A:

Network Host

14 16

1 0B:

Network Host

21 8

1 1 0C:


IP Internet Note Hn denotes host,Rn denotes router.

Routers need twoIP addresses.All hosts on same

network have samenetwork part ofIP address


Terminology

• Routing Mechanism: How a router selects the link over which to forward a packet

• Routing Protocol: Policies that determine what is placed in the routing tables.

These are not the same thing!


Datagram Forwarding • Strategy

– every datagram contains destination’s address– if directly connected to destination network, then forward to host– if not directly connected to destination network, then forward to

some router– forwarding table maps network number into next hop– each host has a default router– each router maintains a forwarding table

• Example (R2) Network Number Next Hop 1 R3 2 R1 3 interface 1 4 interface 0


Recall:

R2

R1

H4

H5

H3H2H1

Network 2 (Ethernet)

Network 1 (Ethernet)

H6

Network 3 (FDDI)

Network 4(point-to-point)

H7 R3 H8


Address Translation

• Map IP addresses into physical addresses• ARP

– table of IP to physical address bindings– broadcast request if IP address not in table– target machine responds with its physical address


Internet Control Message Protocol (ICMP)

• Communicates error messages and other conditions that require attention

• ICMP messages are acted on by either the IP layer or higher layers (TCP or UDP).

• Transmitted within IP datagrams

type checksumcode

Contents depends on type and code

0 1587 16 31


ICMP (cont.)

• 15 different values for the type field, then several codes for each of the types

• Checksum computed same as for IP packet• Complete specification of protocol is RFC 792

(Postel)• Another good source is TCP/IP Illustrated, Vol. 1,

Ch. 6


Types of ICMP Messages

• Echo (ping)• Redirect (from router to source host)• Destination unreachable (protocol, port, or host)• TTL exceeded (so datagrams don’t cycle forever)• Checksum failed • Reassembly failed• Cannot fragment


Routing


Give Credit:

• Many of the figures I’ve used in this set of slides here are from the Prentice-Hall text “Computer Networks” (3rd Edition), by Andrew Tanenbaum.


Overview

• Forwarding vs Routing– forwarding: to select an output port based on

destination address and routing table– routing: process by which routing table is built– Routing table optimized for tracking changes in

topology and calculating “best” routes.• Problem: Find lowest cost path between two nodes• Key question (as always): Will our solution scale?

– Answer: No! (At least not the first things we examine)


Overview• Network as a Graph

• Nodes represent networks• Edges represent costs

• Factors– static: topology– dynamic: load

4

36

21

9

1

1D

A

FE

B

C


Terminology

• Routing domain: internetwork in which all routers under same administrative control– Small to midsized networks, e.g. university campus– Use intradomain routing protocols (interior gateway

protocols (IGP))– Convergence: process of getting consistent routing

information to all nodes

Internet uses interdomain routing protocols


Distance Vector (RIP, Bellman-Ford)• Each node maintains a set of triples

– (Destination, Cost, NextHop)

• Exchange updates directly connected neighbors– periodically ( on the order of several seconds)– whenever its table changes (triggered update)(?!)

• Each update is a list of pairs:– (Destination, Cost)

• Update local table if receive a “better” route– smaller cost

• Refresh existing routes; delete if they time out


Link-State (OSPF)• Strategy

– send to all nodes (not just neighbors) information about directly connected links (not entire routing table)

• Link State Packet (LSP)– id of the node that created the LSP– cost of the link to each directly connected neighbor– sequence number (SEQNO)– time-to-live (TTL) for this packet

• Uses reliable flooding• Dijkstra’s shortest path algorithm


Open Shortest Path First (OSPF)

• Typical link-state but with enhancements– Authentication of routing messages– Additional hierarchy (to help with scalability)– Load balancing


Internet Structure

• Autonomous system (AS)– Administered Independently of other ASs– Want to be able to control various ways in which

network is configured, used, etc.• Select their own intranetwork routing protocol• Perhaps select own link metrics, etc.

• Advantageous because it provides finer hierarchy– Good for scalability


Interdomain Routing• Much more difficult than intradomain routing

– Scale: Internet backbone router has 50,000+ prefixes– Impossible to calculate path costs: Different ASs mean

different link-state metrics which may not be comparable.

• Focus is on reachability, not optimality, and this is plenty difficult all by itself

– Trust: If you trust another AS, you trust their routing advertisements and their network system configuration info.


Route Propagation• Know a smarter router

– hosts know local router (on same physical network)

– local routers know how to get to border router (and to each other)

– Regional ISP routers know how to get to its customers, and also to a border (gateway) router to a backbone provider

– Backbone (core) routers know everything (or at least how to get what they need)


BGP-4: Border Gateway Protocol

• Much more complicated than anything we want to deal with here (though I’m happy to provide details if you’d like to know them).

Fall 2002 32

BGP-4: Border Gateway Protocol

Border routers


BGP Example• Speaker for AS2 advertises reachability to P and Q

– network 128.96, 192.4.153, 192.4.32, and 192.4.3, can be reached directly from AS2

• Speaker for backbone advertises– networks 128.96, 192.4.153, 192.4.32, and 192.4.3 can be reached along

the path (AS1, AS2).• Speaker can cancel previously advertised paths

Backbone network(AS 1)

Regional provider A(AS 2)

Regional provider B(AS 3)

Customer P(AS 4)

Customer Q(AS 5)

Customer R(AS 6)

Customer S(AS 7)

128.96192.4.153

192.4.32192.4.3

192.12.69

192.4.54192.4.23

Transit networks

stubs


Integrating Intra and Inter

• Stub AS (very common): border router “injects” default route into intradomain protocol

• Non-stub, but non backbone: Border routers inject learned (either through BGP or static config) info into intradomain protocol

• Backbone: IBGP (interior BGP): Too much info to inject into traditional intradomain protocol (10,000 prefixes = > big LSP + complex shortest path info). Traditional intradomain + protocols for querying border routers.


Reliable Byte-Stream (TCP)


End-to-End Protocols• Underlying best-effort network

– drops messages– re-orders messages– delivers duplicate copies of a given message– limits messages to some finite size– delivers messages after an arbitrarily long delay

• Common end-to-end services– guarantee message delivery– deliver messages in the same order they are sent– deliver at most one copy of each message– support arbitrarily large messages– support synchronization (between sender and receiver)– allow the receiver to flow control the sender– support multiple application processes on each host


TCP Overview

• Connection-oriented• Byte-stream

– app writes bytes– TCP sends segments– app reads bytes

Application process

Writebytes

TCPSend buffer

Segment Segment Segment

Transmit segments

Application process

Readbytes

TCPReceive buffer

…

… …

• Full duplex• Flow control: keep sender from

overrunning receiver• Congestion control: keep sender

from overrunning network


Acks and Timeouts• Acknowledgement (ACK)

– Small frame sent to peer indicating receipt of frame– No data– Piggybacking

• Timeout– If ACK not received within reasonable time, original

frame is retransmitted• Automatic Repeat Request (ARQ)

– General strategy of using ACKS and timeouts to implement reliable delivery


Segment Format

Options (variable)

Data

Checksum

SrcPort DstPort

HdrLen 0 Flags

UrgPtr

AdvertisedWindow

SequenceNum

Acknowledgment

0 4 10 16 31


Segment Format (cont)• Each connection identified with 4-tuple:

– (SrcPort, SrcIPAddr, DsrPort, DstIPAddr)• Sliding window + flow control

– acknowledgment, SequenceNum, AdvertisedWinow

• Flags– SYN, FIN, RESET, PUSH, URG, ACK

• Checksum– pseudo header + TCP header + data

Sender

Data (SequenceNum)

Acknowledgment +AdvertisedWindow

Receiver


Connection Establishment and Termination

Active participant(client)

Passive participant(server)

SYN, SequenceNum = x

SYN + ACK, SequenceNum = y,

ACK, Acknowledgment = y + 1

Acknowledgment = x + 1

Note: SequenceNumcontains the sequencenumber of the first data byte containedin the segment. ACKfield always gives thesequence number ofthe next data byte expected. (Except forthe SYN segments)


State Transition DiagramCLOSED

LISTEN

SYN_RCVD SYN_SENT

ESTABLISHED

CLOSE_WAIT

LAST_ACKCLOSING

TIME_WAIT

FIN_WAIT_2

FIN_WAIT_1

Passive open Close

Send/SYNSYN/SYN + ACK

SYN + ACK/ACK

SYN/SYN + ACK

ACK

Close/FIN

FIN/ACKClose/FIN

FIN/ACKACK + FIN/ACK Timeout after two segment lifetimes

FIN/ACKACK

ACK

ACK

Close/FIN

Close

CLOSED

Active open/SYN

Openingconnection

Closingconnection

event/action


Name Service (DNS)


In The Beginning…

• Network Information Center (NIC) maintained a flat table of name-to-address bindings (called hosts.txt)

• To add host to Internet, email NIC with new name/address pair, which NIC manually added to table

• Modified table was mailed to every site every few days; sysadmins installed hosts.txt on every host


Domain Name System (DNS)• Went online in mid 1980s• Hierarchical name space

– Names processes from right to left (though humans read them from left to right) with periods as field separators

– Ex. cleopatra.richmond.edu

edu com

princeton … mit

cs ee

ux01 ux04

physics

cisco … yahoo nasa … nsf arpa … navy acm … ieee

gov mil org net uk fr


Domain Name System (DNS)• Distributed database of domain name bindings

– Each site (university department, campus, company, etc.) maintains its own part of database, along with a server

– Mapping is not necessarily host name to address• Apps presented with host names query DNS to find

address– Accessed through a resolver, which in Unix is primarily

reached via gethostbyname() and gethostbyaddress()– resolver opens UDP connection to pass name service

packets (IP address of server(s) in /etc/resolve.conf)– resolver is not part of TCP implementation (or kernel)


Example

Nameserver

Mailprogram

User

TCP

IP

2cs.princeton.edu

192.12.69.53

user @ cs.princeton.edu1

192.12.69.5 4

192.12.69.5 5


DNS Implementation• Partition hierarchy into zones

edu com

princeton … mit

cs ee

ux01 ux04

physics

cisco … yahoo nasa … nsf arpa … navy acm … ieee

gov mil org net uk fr

• Zones correspond to administrative authority (NIC gets top)– Each zone implemented by two or more name servers

• Primary: get its info from disk files• Secondary: get their info from the primary (called a zone-transfer)


DNS Implementation (cont.)

• DNS is really a hierarchy of name servers, rather than hierarchy of domains

• Servers respond either with info requested or with IP address of another name server• All primary servers must know IP addresses of all root servers

Rootname server

Princetonname server

Cisconame server

CSname server

EEname server

…

…


Name Resolution• Client sends request to a root server for cleopatra.mathcs.richmond.edu

• Root server returns the best info it has, which includes all information relating to richmond.edu (which should contain the name and address of a richmond.edu name server)

• Client queries richmond.edu name server, which returns name and address of mathcs.richmond.edu name server

• Client queries mathcs.richmond.edu name server and gets IP address of cleopatra.mathcs.richmond.edu


How It Really Works• Client queries local name server, and name server

goes through resolution process on client’s behalf– Hosts must be configured with address of local name

server– Only local name server needs to know addresses of root

server(s)– Local server sees all DNS responses, and can thus

cache these (removing record when TTL expires)• Partial names (e.g. cleopatra): client program

is configured with local domain and appends this to incomplete names before query


ExampleRootnameserver

Princetonnameserver

CSnameserver

Localnameserver

Client

1cicada.cs.princeton.edu

192.12.69.608

cicada.cs.princeton.edu

princeton.edu, 128.196.128.233


cicada.cs.princeton.edu,

192.12.69.60


cs.princeton.edu, 192.12.69.5

2

3

4

5

6

7

fall 2002cs 395: computer security1 networking tutorial ip routing tcp dns

Documents