Transcript presentation

Networking 101
OSI Reference Model
Data
Header
Header
Header
OSI Reference Model
●
●
We're only going to look at the Transport Set
Transport - various protocols; most common are
TCP, UDP, and ICMP
●
Network - for us, this is IP (Internet Protocol)
●
Data - for us, this is ethernet
●
Physical - this is the actual hardware (cables,
hubs, switches, routers)
Ethernet
●
●
●
Each unit is called an ethernet frame
Each computer has a Medium Access Code, or
MAC address
3 parts of an ethernet frame that are important
to us:
–
Source and Destination addresses
●
●
–
Each are 6 bytes; usually represented in hex
example: 00:B0:D0:D8:98:FD
Data payload
●
Each frame can carry 46-1500 bytes of data
Internet Protocol (IP)
●
Each unit is called a packet
●
Source and Destination address
●
–
4 byte number, typically represented like 172.1.68.59
–
Could be represented like ethernet addresses as well
(172.1.68.59 would be AC:01:44:3B)
Protocol
–
A number representing the protocol used by the
transport layer (ex. 1=ICMP, 6=TCP, 17=UDP)
Internet Protocol (IP)
●
TTL (Time To Live)
–
This is the number of routers a packet can pass
through before being dropped
–
Each time a packet passes through a router, the router
decrements the TTL by 1
●
●
●
Prevents router loops
By setting it to 1, you can keep anything from leaving your
local network
Identification number
–
2 byte number used to identify the packet
Internet Protocol (IP)
●
Packet length
–
●
Can be from 20 to 65,535 bytes (this includes the
header length as well)
Fragmentation information
–
Remember, an ethernet frame can only carry 1500
bytes of data
–
If the IP packet is more than 1500 bytes long, the data
layer must chop the packet up in to fragments
●
Each fragment has the same identification number
Counting
(If you were asleep, you need to wake up now!)
Counting
●
●
●
●
●
When we use numbers, we use them in a certain
base
Typically, we use base-10 without even
specifying that is the base. It is just assumed.
Easiest for us because we have 10 fingers
However, computers only have 2 "fingers", so
they count much better in base-2 or binary
Binary numbers get really long really fast, so we
use base-16 or hexadecimal to simplify things
Counting
●
●
●
Remember back to when you were a little kid.
When someone asked you your age, you held up
your hand with a few fingers up and said "I'm this
many" – we're going to forget the names of
numbers for a few minutes
If you are counting with your fingers and you
need to count to 11, what do you do?
You count to 10, then start over, remembering
that you have already counted to 10 once.
Counting
●
Count to 21 in base-10
●
Count to 21 in base-8
●
Count to 21 in base-16
●
Count to 1111 in base-2
Counting
●
0000 - 0
●
1000 - 8
●
0001 - 1
●
1001 - 9
●
0010 - 2
●
1010 - A
●
0011 - 3
●
1011 - B
●
0100 - 4
●
1100 - C
●
0101 - 5
●
1101 - D
●
0110 - 6
●
1110 - E
●
0111 - 7
●
1111 – F
Logic
●
●
Used when you want to make a decision based on
some conditions
You might go buy lunch if you [are hungry] AND
[you have enough money to buy lunch]
●
[not hungry] AND [no money] -> don't get lunch
●
[not hungry] AND [money] -> don't get lunch
●
[hungry] AND [no money] -> don't get lunch
●
[hungry] AND [money] -> get lunch
Logic
●
You might take vacation time if you [need a break
from work] OR [for a special event] OR both
●
[no break] OR [no event] -> no vacation
●
[no break] OR [event] -> vacation
●
[break] OR [no event] -> vacation
●
[break] OR [event] -> vacation
●
Now, let's change the red items to 0's and the
green items to 1's...
Logic
Logical AND and OR
0 AND 0 = 0
0 OR 0 = 0
0 AND 1 = 0
0 OR 1 = 1
1 AND 0 = 0
1 OR 0 = 1
1 AND 1 = 1
1 OR 1 = 1
Logic
●
●
●
We just applied the AND and OR operators to a
single bit, but they can also be applied to a whole
byte, or even multiple bytes. This is called a
bitwise AND or bitwise OR
[1101 1001] AND [1111 1100] = ???? ????
You simply apply the operator to each column
seperately...
Logic
[ 1 1 0 1 1 0 0 1 ] AND
● [ 1 1 1 1 1 1 0 0 ] =
● [ 1 1 0 1 1 0 0 0 ]
●
0 AND 0 = 0
0 AND 1 = 0
1 AND 0 = 0
Counting and Logic
Any questions on counting or logic?
Addressing
●
What is an IP address?
●
Let's look at 172.1.68.107 as an example
●
●
Part of this is the network address and part of it
is the host address
First, we'll say
–
The network address is "172.1.68.0"
–
The host address is "107"
Masking
●
Have you ever used masking tape while painting?
●
Used as a cover to keep from seeing something
●
There is such a thing as masking with bits as well
●
●
In some situations, you may need to look at
certain bits in a binary number
To look at only those bits, you create another
binary number, called a mask and you perform a
bitwise AND of the number and the mask
Masking
●
●
●
●
Think back to our previous example of the bitwise
AND
Our first binary number was 1101 1001
Let's say that the first 6 digits are important to
us and we don't care about the last 2
If a digit is important, it means we want to know
if that digit is a 1 or 0. If we don't care about it,
it means it doesn't matter whether it is a 1 or 0
(we end up using a 0 as a placeholder for these
digits)
Masking
●
●
●
I realize it may seem silly to say we have to use a
mask to determine if a digit is a 1 or 0 since we
can simply tell by looking at it. But remember,
computers don't have eyes.
To create a mask, use a 1 for the digits that are
important, and use a 0 for the digits that are not
So, since we consider the first 6 digits to be
important and don't care about the last 2, we
would use 1111 1100
Masking
●
Reviewing our example of the bitwise AND, we
have
●
Our binary number: [1101 1001] AND
●
Our bitwise mask
[1111 1100] =
●
The answer!
[1101 1000]
●
This leads us to the subnet mask or netmask
●
A subnet mask is used to separate the network
address from the host address
Some Review
●
●
●
●
●
An IP address can also be represented like a
MAC address -- 172.1.68.107 would be
AC:01:44:6B
172.1.68.0 (or AC:01:44:00) is the network
address
107 (or 6B) is the host address
We use hexadecimal numbers to represent
binary numbers
Let's review that representation
Counting
●
0 - 0000
●
8 - 1000
●
1 - 0001
●
9 - 1001
●
2 - 0010
●
A - 1010
●
3 - 0011
●
B - 1011
●
4 - 0100
●
C - 1100
●
5 - 0101
●
D - 1101
●
6 - 0110
●
E - 1110
●
7 - 0111
●
F - 1111
Addressing
●
●
●
So, translating our hexadecimal IP address,
AC:01:44:6B, to binary form, we get
[0111 1111]:[0000 0001]:[0100 0100]:[0110 1011]
So, if we are only interested in the network
address, what would our subnet mask be?
●
[1111 1111]:[1111 1111]:[1111 1111]:[0000 0000]
●
Performing a bitwise AND, we get
●
[0111 1111]:[0000 0001]:[0100 0100]:[0000 0000]
Addressing
●
[0111 1111]:[0000 0001]:[0100 0100]:[0000 0000]
●
Translating this to hexadecimal, we get
●
AC:01:44:00 or in dotted decimal, 172.1.68.0
●
If our subnet mask was
[1111 1111]:[1111 1111]:[1111 1111]:[0000 0000]
in binary, what would it be in hexadecimal?
●
FF:FF:FF:00 or, in dotted decimal,
255.255.255.0
Addressing
●
However, what if we use 255.255.255.192 as the
subnet mask. What does that mean?
●
First, convert it to hexadecimal: FF:FF:FF:C0
●
Then, to binary:
[1111 1111]:[1111 1111]:[1111 1111]:[1100 0000]
●
If we use this as a subnet mask for our example IP
address, 172.1.68.107 (or AC:01:44:6B), we have
Addressing
●
AC:01:44:6B =
[0111 1111]:[0000 0001]:[0100 0100]:[0110 1011]
●
Subnet mask: FF:FF:FF:C0 =
[1111 1111]:[1111 1111]:[1111 1111]:[1100 0000]
●
Performing a bitwise AND gives us
[0111 1111]:[0000 0001]:[0100 0100]:[0100 0000]
●
Converting this to hexadecimal: AC:01:44:40
●
Now, in dotted decimal: 172.1.68.64
Addressing
●
●
●
●
Now, we have the network address for
172.1.68.107 when the subnet mask is
255.255.255.192 -> 172.1.68.64
So, what is a network address anyway?
All computers that have the same network
address are considered local to each other
Computers that are local to each other can send
data to each other directly. If they are not local,
they must "talk" through a router
Addressing
Any questions on addressing?
Hubs, Switches, and Routers
●
●
●
●
These are the main devices we hear about that
connect computers together
Each uses one more layer from the OSI reference
model than the previous one
Hubs and switches perform a similar function;
switches are just more intelligent
Routers perform a different function than hubs
and switches
Hubs
●
Function at the physical layer (layer 1) of the OSI
model
●
No intelligence - doesn't look at any data
●
All traffic is sent to every port
Hubs
●
●
The medium is shared by all the connected
computers
Kind of like an intercom system
–
Only one person can talk at a time
–
Everyone else hears what the person said
–
If the person speaking is not talking to you, you just
ignore them (unless you want to eavesdrop on what is
said)
–
When two people talk at the same time, the message
is garbled and each of you has to try again
●
This is called a collision
Hubs - Pros
●
Good for troubleshooting
–
Remember the part about eavesdropping with an
intercom system?
–
You can use a network traffic "sniffer" to "hear" what
the other computers on the hub are saying even if they
are not talking specifically to you
●
tcpdump, ethereal
Hubs - Cons
●
Don't scale well
–
Remember only 1 computer can talk at a time
●
●
●
If 100 computers are connected together, each one will
have to wait a lot longer to talk than if only 10 computers
were connected together
Therefore, more computers mean more collisions
No computer can talk and listen at the same time
–
This is called half duplex
–
Duplex - the ability to communicate simultaneously
in 2 directions
Switches
●
●
●
Function at the data layer (layer 2) of the OSI
model
More like a telephone system than an intercom
system
–
Telephones allow you to talk directly to another
person without anyone else listening
–
Allows you to talk and listen at the same time
Full Duplex
Switches
●
More secure
–
●
Scale better
–
●
Only sends data to desired recipient
Because the medium is not shared by all computers,
more than one can talk at a time
Intelligent
–
Keeps a table of which MAC addresses are connected
to which ports (lookup table)
Switches
●
How do they keep track of who is on which port?
–
Each ethernet frame has a source and destination
address
–
When a computer sends some data, the switch looks
at the source address and adds it to its list of
computers on that port
–
If it doesn't have the destination port in its table
anywhere, it sends the packet to all ports (except the
one the packet come in on)
–
Entries in the table expire (are erased) after some
amount of time (5 to 30 minutes)
Routers
●
●
●
A router is simply a computer (or network
device) that is part of multiple subnets that
knows how to relay data between the different
subnets
Normally, the router has a separate network
interface to each of the networks
It uses a routing table to keep track of which
subnet each interface is connected to
Routing
●
Here is a sample routing table
Destination
172.1.68.0
172.1.68.64
172.1.68.128
172.1.68.192
172.1.15.39
0.0.0.0
Gateway
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
172.1.15.1
Mask
255.255.255.192
255.255.255.192
255.255.255.192
255.255.255.192
255.255.255.0
0.0.0.0
Interface
Eth1
Eth2
Eth3
Eth4
Eth0
Eth0
0.0.0.0 is the default route. Any traffic with a destination
address not in the routing table gets sent out this interface.
Hubs, Switches, and Routers
Any questions on hubs, switches or
routers?
Where IP and Ethernet Meet
●
●
●
Remember that IP and ethernet are on different
layers of the OSI Reference Model
Once a computer knows the IP address of another
computer with which it wants to communicate, it
needs to figure out the other computer's ethernet
(or MAC) address (if it is local)
It uses the address resolution protocol to do this
Address Resolution Protocol (ARP)
●
●
●
Computers use ARP to map MAC addresses to IP
addresses
If 172.1.68.107 wants to talk to 172.1.68.108, it
knows the source and destination IP addresses,
but it only knows its own MAC address
An ARP Request is sent to MAC address
FF:FF:FF:FF:FF:FF, which is known as the
broadcast address, asking for the computer
having 172.1.68.108 to respond with an ARP
reply telling what its MAC address is
Address Resolution Protocol (ARP)
●
●
It then adds the other computer's MAC address to
its ARP table, which is just a mapping of IP
addresses and MAC addresses
Each entry in the table expires after some
amount of time (4.5 min. on linux, 20.5 min. on
solaris)
Where IP and Ethernet Meet
●
What happens if the other computer is not local?
●
We know it must communicate through a router
●
●
●
At the IP layer, we send data to the intended IP
address (172.1.68.108 from our example)
However, at the ethernet layer, we send data to
the router
The router then sends it to the right network or to
another router and, eventually, it will be sent to
the other computer
The Transport Layer
Data
Header
Header
Header
The Transport Layer
●
●
There are many protocols at the transport layer
Some of the more common ones you may have
heard are
–
TCP - transmission control protocol
–
UDP - user datagram protocol
–
ICMP - internet control message protocol
The Transport Layer
●
●
●
●
●
●
TCP and UDP have what are called ports
To understand ports, lets look at how apartment
complexes generally numbered
Each building has an address
Within the building, each apartment has an
address as well
My old address was 2921-33
2921 was the building number, 33 was the
apartment number
The Transport Layer
●
●
●
Think of the network as an apartment complex
Each computer has an address like each building
has an address
Each program has an address like each apartment
has an address
The Transport Layer
●
●
Some of the programs have standard addresses so
they can be found more easily
–
Web server programs use port 80
–
FTP server programs use port 21
–
SSH server programs use port 22
–
Windows networking primarily uses ports 135-139
and 445
As with IP addresses, there are both a source and
destination port used when communicating
The Transport Layer
●
●
The source and destination ports do not have to
be equal
For example, if I am using a web browser, the
destination port is going to be 80, but the port my
computer uses doesn't have to be 80 (and in fact
probably won't be)
The Transport Layer
Any questions on the transport layer?
Domain Name Servers
●
●
●
●
Computers only know how to communicate using
IP addresses
So, when you type www.ncsu.edu, your computer
needs to figure out what IP address is associated
with www.ncsu.edu
To get this information, it asks a domain name
server
A domain name server is a program that knows
what IP addresses belong to which names and
vice versa
Unicast and Broadcast
●
●
●
Computers can communicate in different ways
–
Unicast - 1 computer to other 1 computer
–
Broadcast - 1 computer to everyone else (that is local)
Unicast is how we typically think of computers
communicating - it is similar to 2 people having a
conversation
Broadcast is more like giving a presentation - one
person talking to everyone else in the room
Unicast and Broadcast
●
●
●
●
For unicast, the other computer's IP address is
used as the destination address
For broadcast, there are specific IP addresses
used that all computers know to be broadcast
addresses
Each subnet has its own broadcast address -- it is
the highest address in that subnet
Additionally, there is a broadcast address that is
not specific to any subnet - 255.255.255.255
Firewalls
●
●
●
In construction, a firewall is a structure built to
protect against a fire spreading from one location
to another
A network firewall is a device that keeps network
traffic that we consider to be harmful (or that
even might be harmful) from coming into our
network
There are 2 types of network firewalls
–
Packet level
–
Application level
Firewalls
●
●
●
Packet level firewalls filter data based on the
information in each packet.
–
Source and/or destination IP address
–
Transport layer protocols
–
Source and/or destination port (for TCP and UDP)
Packet level firewalls can be on a computer or a
router
It is generally recommended to filter packets with
a source or destination port of 135-139 or 445 to
block attacks against Windows
Firewalls
●
●
●
●
An application level firewall runs on a computer
and is more intelligent than a packet level firewall
It can tell which packets are related to which
programs running on the computer
These firewalls block traffic based on which
programs the traffic is related to
Example: ZoneAlarm
Questions?