The Transport Layer: TCP and UDP


ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
Leftovers: MPLS, Multicast, Gateways and Firewalls, VPNs
Jean-Yves Le Boudec
Fall 2009
Part 1: Firewalls
TCP/IP architecture separates hosts and routers
network = packet transportation only
private networks may want more protection
“access control”
one component is a firewall
definition: a firewall is a system that
separates Internet from intranet: all traffic must go through firewall
only authorized traffic may go through
firewall itself cannot be penetrated
Components of a firewall
filtering router
application or transport gateway
Filtering Routers
A router sees all packets and may do more than packet forwarding as
defined by IP
filtering rules based on :
port numbers, protocol type, control bits in TCP header (SYN packets)
Example
Figure: the Internet is connected to the intranet through a filtering router that applies the rules below.

rule  prot  srce addr      dest addr   srce port  dest port  action
1     tcp   *              198.87.9.2  >1023      23         permit
2     tcp   *              198.87.9.3  >1023      25         permit
3     tcp   129.132.100.7  198.87.9.2  >1023      119        permit
4     *     *              *           *          *          deny
The example shows 4 rules applied to the ports shown
- rule 1 allows telnet connections from the outside to the machine 198.87.9.2
- rule 2 allows email to be sent to machine 198.87.9.3
- rule 3 allows news to be sent to machine 198.87.9.2, but only from machine 129.132.100.7
- rule 4 forbids all other packets.
Designing the set of rules employed in a firewall is a complex task; the set shown on the picture is much
simpler than a real configuration.
Packet filtering alone offers little protection because it is difficult to design a safe set of rules and at the
same time offer full service to the intranet users.
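As an added illustration (not part of the lecture), the four rules of the table evaluated first-match over constructed sample packets; the Packet and Rule types and the 10/8 outside addresses are assumptions of this example:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str      # "*" matches any protocol
    src: str        # "*" or an exact IPv4 address
    dst: str
    sport: str      # "*", ">1023" or a port number written as text
    dport: str
    action: str     # "permit" or "deny"

def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if pattern.startswith(">"):
        return port > int(pattern[1:])
    return port == int(pattern)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("*", pkt.proto)
            and rule.src in ("*", pkt.src)
            and rule.dst in ("*", pkt.dst)
            and _port_matches(rule.sport, pkt.sport)
            and _port_matches(rule.dport, pkt.dport))

def decide(rules: list, pkt: Packet) -> str:
    """Action of the first matching rule. Rule 4 of the slide is a catch-all
    deny, so with that rule set every packet gets a decision."""
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt):
            return f"rule {number}: {rule.action}"
    return "no rule matched: deny"   # default for rule sets without a catch-all

# The four rules of the slide, in the order the router tries them.
RULES = [
    Rule("tcp", "*", "198.87.9.2", ">1023", "23", "permit"),                # telnet
    Rule("tcp", "*", "198.87.9.3", ">1023", "25", "permit"),                # email
    Rule("tcp", "129.132.100.7", "198.87.9.2", ">1023", "119", "permit"),   # news
    Rule("*", "*", "*", "*", "*", "deny"),                                  # all else
]

# Constructed sample packets (outside hosts taken from the 10/8 range).
SAMPLE = {
    "telnet_in":      Packet("tcp", "10.1.1.1", "198.87.9.2", 40000, 23),
    "news_other_src": Packet("tcp", "10.1.1.1", "198.87.9.2", 40000, 119),
    "news_ok":        Packet("tcp", "129.132.100.7", "198.87.9.2", 40000, 119),
    "low_srce_port":  Packet("tcp", "10.1.1.1", "198.87.9.2", 80, 23),
    "udp_dns":        Packet("udp", "10.1.1.1", "198.87.9.2", 40000, 53),
    # the telnet server's reply packets match no permit rule: the table has
    # no entry for that direction, so a "full service" rule set needs more rules
    "telnet_reply":   Packet("tcp", "198.87.9.2", "10.1.1.1", 23, 40000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:15s} -> {decide(RULES, pkt)}")
```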
Application Layer Gateways
Application layer gateway is a layer 7 intermediate system
normally not used according to the TCP/IP architecture
but mainly used for access control
also used for interworking issues
Principle:
proxy principle: viewed by client as a server and by server as a client
supports access control restrictions, authentication, encryption, etc
Figure: HTTP client at host A on the intranet, HTTP gateway (server logic towards A, client logic towards B, both over TCP/IP), HTTP server at host B on the Internet.
1: GET xxx.. from A to the gateway
2: GET xxx.. from the gateway to B
3: data from B to the gateway
4: data from the gateway to A
1. User at A sends an HTTP request. It is not sent to the final destination but to the application
layer gateway. This results from the configuration at the client.
2. The gateway checks whether the transaction is authorized. Encryption may be performed.
Then the HTTP request is issued again from the gateway to B as though it originated
from A.
3. A response comes from B, probably in the form of a MIME header and data. The gateway
may also check the data, possibly decrypt, or reject the data.
4. If it accepts to pass it further, it is sent to A as though it were coming from B.
Application layer gateways can be made for all application level protocols. They can be used for
access control, but also for interworking, for example between IPv4 and IPv6.
Transport Gateway
Similar to application gateways but at the level of TCP connections
independent of application code
requires client software to be aware of the gateway
Figure: A, Transport Gateway (SOCKS Server), B.
1: A to gateway port 1080: SYN, SYN ACK, ACK
2: A to gateway: connection relay request to B :80
3: gateway to B port 80: SYN, SYN ACK, ACK; gateway to A: OK
4: data relay: 1 GET xxx.. from A, data back from B
The transport gateway is a layer 4 intermediate system. The example shows the SOCKS gateways.
SOCKS is a standard being defined by the IETF.
1. A opens a TCP connection to the gateway. The destination port is the well known SOCKS server port
1080.
2. A requests from the SOCKS server the opening of a TCP connection to B. A indicates the destination
port number (here, 80). The SOCKS server does various checks and accepts or rejects the connection
request.
3. The SOCKS server opens a new TCP connection to B, port 80. A is informed that the connection is
opened with success.
4. Data between A and B is relayed at the SOCKS server transparently. However, there are two distinct
TCP connections with their own, distinct ack and sequence numbers.
Compared to an application layer gateway, the SOCKS server is simpler because it is not involved in
application layer data units; after the connection setup phase, it acts on a packet by packet level. Its
performance is thus higher.
However, it requires the client side to be aware of the gateway: it is not transparent. Netscape and
Microsoft browsers support SOCKS gateways.
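Added example, not from the lecture: the SOCKS exchange of steps 1 to 3 modelled on the SOCKS version 5 wire format of RFC 1928, with the server's check in step 2 done against a constructed access list; the addresses 192.0.2.80 (B) and 198.51.100.1 (gateway side) and the relay port 40001 are assumed values.

```python
import ipaddress
import struct

# SOCKS version 5 wire format (RFC 1928); port 1080 is the well known SOCKS port.
SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
REP_SUCCEEDED = 0x00
REP_NOT_ALLOWED = 0x02   # "connection not allowed by ruleset"

def client_greeting() -> bytes:
    # VER, NMETHODS, METHODS: the client offers "no authentication" only
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def client_connect_request(dst_ip: str, dst_port: int) -> bytes:
    # VER, CMD, RSV, ATYP, DST.ADDR (4 bytes), DST.PORT (2 bytes, network order)
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port))

def parse_connect_request(msg: bytes) -> tuple:
    if len(msg) != 10 or msg[0] != SOCKS_VERSION or msg[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    if msg[1] != CMD_CONNECT or msg[3] != ATYP_IPV4:
        raise ValueError("only CONNECT to an IPv4 address is handled here")
    return str(ipaddress.IPv4Address(msg[4:8])), struct.unpack("!H", msg[8:10])[0]

def server_reply(rep: int, bnd_ip: str, bnd_port: int) -> bytes:
    # VER, REP, RSV, ATYP, BND.ADDR, BND.PORT: the socket the server bound for the relay
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bnd_ip).packed + struct.pack("!H", bnd_port))

def parse_reply(msg: bytes) -> tuple:
    if len(msg) != 10 or msg[0] != SOCKS_VERSION or msg[3] != ATYP_IPV4:
        raise ValueError("malformed SOCKS5 reply")
    return msg[1], str(ipaddress.IPv4Address(msg[4:8])), struct.unpack("!H", msg[8:10])[0]

def socks_exchange(dst_ip: str, dst_port: int, allowed: set, relay_ip: str) -> dict:
    """Steps 1 to 3 of the slide without real sockets. Step 1 (TCP to port
    1080) is assumed done. `allowed` is a constructed access list of
    (ip, port) pairs the SOCKS server consults in step 2; on success the
    server would open TCP to B (step 3) and report the address it bound."""
    greeting = client_greeting()
    offered = greeting[2:2 + greeting[1]]
    if greeting[0] != SOCKS_VERSION or NO_AUTH not in offered:
        raise ValueError("no acceptable authentication method")
    method_choice = bytes([SOCKS_VERSION, NO_AUTH])      # server -> client
    ip, port = parse_connect_request(client_connect_request(dst_ip, dst_port))
    if (ip, port) in allowed:
        reply = server_reply(REP_SUCCEEDED, relay_ip, 40001)   # constructed port
    else:
        reply = server_reply(REP_NOT_ALLOWED, "0.0.0.0", 0)
    rep, bnd_ip, bnd_port = parse_reply(reply)
    return {"method": method_choice[1], "rep": rep,
            "bound": (bnd_ip, bnd_port), "relay": rep == REP_SUCCEEDED}

# Constructed addresses: B is 192.0.2.80, the gateway's outside address is 198.51.100.1.
ALLOWED = {("192.0.2.80", 80)}
```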
Typical Firewall Designs
An application / transport gateway alone can be used as
firewall if it is the only border between two networks
Figure: intranet, one dual homed gateway, Internet (Firewall = one dual homed gateway)
A more general design is one or more gateways isolated by
filtering routers
Figure: intranet, filtering router R1, gateways, filtering router R2, Internet (Firewall = gateways + sacrificial subnet)
Part 2: Connection Oriented Networking
MPLS and ATM
Contents
1. Connection Oriented network layer. ATM
2. MPLS (Multi Protocol Label Switching)
1. Frame Relay, ATM
There exists a family of data networks which is very different from IP :
carrier data networks
Frame Relay, ATM, X.25
They use the Connection Oriented Network Layer
They were designed to be an alternative to IP
Failed in this goal
Used today as “super Ethernet” in IP backbones or at interconnection points
Being replaced by MPLS
Connection Oriented Network Layer :
Frame Relay, ATM, X.25
Figure: hosts A, B and C interconnected by switches S1, S2, S3 and S4; each switch holds a table mapping (input port, input conn Id) to (output port, output conn Id).
Connection oriented = similar to telephone. Connections are also called virtual circuits.
The connection oriented network layer uses connections that are known and controlled
in all intermediate systems. Every packet carries a connection identifier which is either
global (SNA) or local to a link (X.25, Frame Relay, ATM).
The packet forwarding function is simple, based on table lookup.
The control method involves
connection setup and release (building tables)
connection routing
Connection oriented networks usually implement some mechanisms to control the
amount of data sent on one connection, thus limiting losses due to statistical
multiplexing. Methods for that are: sliding window protocol, similar to that of TCP (X.25,
SNA), and rate control (Frame Relay, ATM).
Connection oriented networks give better control over individual traffic flows and are
thus used in public networks where tariffing is a key issue (X.25, Frame Relay). IBM
network architectures are also connection oriented (SNA, APPN). ATM is a connection
oriented network where emphasis is put on supporting both statistical multiplexing and
non-statistical multiplexing. ATM packets have a small, fixed size and are called cells.
ATM
ATM is a connection oriented network architecture
ATM packets (called cells) are small and fixed size (48 bytes of data + 5
bytes of header)
high performance at low cost
designed for very low delay
and for hardware implementation of switching functions
The ATM connection identifier is called VPI/VCI (Virtual Path
Identifier/Virtual Channel Identifier)
Frame relay is the same but with packets of variable size (up to 1500 B
payload)
ATM VPI/VCI switching

in port  VPI/VCI in  out port  VPI/VCI out
1        27          2         44
1        19          16        38

ATM cells: the header contains the VPI/VCI. In the figure, cells with VPI/VCI 27 and 19 arrive on port 1 and leave with VPI/VCI 44 on port 2 and VPI/VCI 38 on port 16 respectively.
ATM Adaptation Layer
Figure: a variable length packet is segmented into cells by AAL5 in the ATM adapter of the sender, carried as cells through the ATM switches, and re-assembled by AAL5 in the ATM adapter of the receiver.
ATM can transport packets of size up to 64 KB
ATM Adaptation Layer segments and re-assembles
in ATM end points only
IP over ATM: Classical IP
Figure: hosts H1 and H2, two routers and the ATMARP server S (Address Resolution) are attached to the ATM network. 1. Address Resolution: H1 queries S. 2. VCC: H1 calls H2.
classical IP uses ATM as a fast Ethernet
ATMARP finds the ATM address (like a telephone number, similar to an IPv6 address, not a VPI/VCI)
InARP finds the VPI/VCI
An ATMARP server is used:
- H1 connects to S at boot time, by calling the ATM address of the ATMARP server
- with InARP, S and H1 identify their IP addresses
- when H1 has to send an IP packet to H2, it must find the ATM address of H2. H1 sends an
ATMARP request to S. S responds with the ATM address of H2. H1 calls H2. When an ATM
connection is established, InARP is used to confirm the IP addresses.
Why ATM ?
Simplifies routing in large networks
IP needs very large routing tables in the core network
for every packet look up more than 100 000 entries
forwarding from the ISP point of view - just find the egress router
IP routing may ignore the real physical topology
ISP can put a router on the edge and use ATM/Frame Relay Virtual Path switches
in the middle
edge router selects the path based on the destination address
route look up done only once in the ISP network
but still scalability problems
Quality of Service
ATM can natively provide guaranteed service (allocate different rates to
different ATM connections)
Used to share infrastructure (several operators or one network – virtual
providers)
Also used to multiplex many users on an access network (cable, wireless)
2. MPLS
IP over MPLS
Figure: an MPLS node is at the same time a CO switch and an IP router.
“Multi-Protocol Label Swapping”
Goal: integrate IP and CO layer in the same concept
“peer model” of integration
Unlike ATM or FR (used as layer 2 by IP)
Save one network
MPLS packets have a label added before IP header
An MPLS node acts as a combined router / CO intermediate system
MPLS table combines routing and label swapping
MPLS example
FEC skipped in LIB
Figure: MPLS nodes A, B, C, D, E and F with ports a, b, c, d; two packets enter at B and leave at F. Tables read from the figure:
Node A (src, dst; out):
  *     128.178/15  b/70
  *     129.88/16   b/70
Node B (src, dst; out):
  *     129.88/16   b/28
  *     128.178/15  b/28
  18/8  129.88/16   b/30
Node C (in; out):
  a/70  b/25
  d/28  b/25
  d/30  c/33
A further LSR on the path of the second packet (in; out):
  a/25  b/77
Node E (in; out):
  a/33  b/37
Node F (in; out), egress towards 128.178/15 and 129.88/16:
  a/77  b/pop
  c/37  b/pop
Packet with src= 18.1.2.3, dst 129.88.3.3: label 30 after B, 33 after C, 37 after E, no label after F.
Packet with src= 122.1.2.3, dst 129.88.38.1: label 28 after B, 25 after C, 77 after the next LSR, no label after F.
1. An IP packet arrives, at MPLS node B, with source IP address 18.1.2.3 and destination IP
address 129.88.3.3. It arrives from outside the MPLS cloud, as an ordinary IP packet. The
combined routing/MPLS table at B says that, for this combination of source and destination
address, B should push the label 30 in front of the IP packet and forward the packet to port
b.
2. The packet arrives at node C. Since the packet has a label, the node looks for it in the
table and finds that the label should be swapped to 33 and the packet forwarded to port c.
3. Similar (the label is swapped again at the next node).
4. The packet arrives at node F. The table says that a packet arriving on port c with label 37
should be sent to port b and the label should be popped (removed).
5. The packet exits as an ordinary IP packet, without MPLS label.
6. An IP packet arrives, at MPLS node B, with source IP address 122.1.2.3 and destination IP
address 129.88.38.1. It arrives from outside the MPLS cloud, as an ordinary IP packet. The
combined routing/MPLS table at B says that, for this combination of source and destination
address, B should push the label 28 in front of the IP packet and forward the packet to port
b.
7. The packet arrives at node C. Since the packet has a label, the node looks for it in the
table and finds that the label should be swapped to 77 and the packet forwarded to port b.
8. The packet’s label was removed by node F.
9. Observe how after node C this packet’s path follows the same as the previous packet’s.
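Added example, not from the lecture: the two packets of the slide carried through the tables recovered from the figure (push at the ingress LER B, swap at C and at the following LSR, pop at the egress LER F); the link topology and the assignment of the a/25 -> b/77 table to a node named D are assumptions of this example.

```python
import ipaddress

# Ingress table at B (FEC = source prefix, destination prefix) -> (port, label);
# entries are tried most specific first. Prefixes are written as on the slide.
INGRESS = {
    "B": [
        ("18/8", "129.88/16", "b", 30),
        (None, "129.88/16", "b", 28),
        (None, "128.178/15", "b", 28),
    ],
}
# LIBs: (in port, in label) -> (out port, out label or "pop").
LIB = {
    "C": {("a", 70): ("b", 25), ("d", 28): ("b", 25), ("d", 30): ("c", 33)},
    "D": {("a", 25): ("b", 77)},   # assumption: this table belongs to a node D
    "E": {("a", 33): ("b", 37)},
    "F": {("a", 77): ("b", "pop"), ("c", 37): ("b", "pop")},
}
# Assumed links: leaving node X on port p arrives at (node, port).
LINKS = {("B", "b"): ("C", "d"), ("C", "b"): ("D", "a"), ("C", "c"): ("E", "a"),
         ("D", "b"): ("F", "a"), ("E", "b"): ("F", "c"), ("F", "b"): ("exit", None)}

def _in_prefix(addr: str, prefix: str) -> bool:
    """Match against a prefix in the slide's short notation (18/8, 129.88/16)."""
    net, length = prefix.split("/")
    octets = net.split(".") + ["0"] * (4 - len(net.split(".")))
    network = ipaddress.ip_network(f"{'.'.join(octets)}/{length}", strict=False)
    return ipaddress.ip_address(addr) in network

def classify(node: str, src: str, dst: str) -> tuple:
    """Ingress LER: find the FEC of a plain IP packet and the label to push."""
    for src_pfx, dst_pfx, port, label in INGRESS[node]:
        if (src_pfx is None or _in_prefix(src, src_pfx)) and _in_prefix(dst, dst_pfx):
            return port, label
    raise LookupError("no FEC matches: forward as ordinary IP")

def forward(ingress: str, src: str, dst: str) -> list:
    """Carry one packet through the cloud. Returns (node, label carried after
    the node) for every node, None meaning the label has been popped."""
    node = ingress
    port, label = classify(node, src, dst)          # push
    trace = [(node, label)]
    while True:
        node, in_port = LINKS[(node, port)]
        if node == "exit":
            return trace
        port, label = LIB[node][(in_port, label)]   # swap, or pop at the egress LER
        trace.append((node, None if label == "pop" else label))
        if label == "pop":
            label = None

if __name__ == "__main__":
    print(forward("B", "18.1.2.3", "129.88.3.3"))
    print(forward("B", "122.1.2.3", "129.88.38.1"))
```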
MPLS Terminology
Figure: an ingress LER (Label Edge Router), an LSR (Label Switch Router) and an egress LER (Label Edge Router) along an LSP (Label Switched Path), ports a, b, c, d.
Table at the ingress LER (FEC: src, dst; out):
  *     128.178/15  b/70
  18/8  129.88/16   b/28
FEC - Label Mapping: 128.178/15, 129.88/16
LIB at the LSR (in; out):
  xxx  a/70  b/25
  yyy  c/28  d/33
LSR (Label Switch Router)
Ingress LER (Label Edge Router)
Egress LER (Label Edge Router)
LSP (Label Switched Path)
FEC (Forward Equivalence Class)
LIB (Label Information Base)
Operation of MPLS
ingress LER classifies packets to identify FEC that determines a label; inserts
the label (32 bits)
Labels may be stacked on top of labels
LSR switches based on the label if present, else uses IP routing
Forwarding Equivalence Classes (FEC)
group of IP packets, forwarded in the same manner, over the same path, and with the
same forwarding treatment (priority)
FEC may correspond to
destination IP subnet
source and destination IP subnet
traffic class that LER considers significant
Label Switching tables can be built using a Label Distribution Protocol, which
can be implemented as an addition to the routing protocol (e.g. OSPF, IGMP,
BGP)
Avoid Redistribution with MPLS
Figure: AS x, AS y (routers R1, R2, R4, R5, R6 running IGP and MPLS, I-BGP between the border routers; addresses 2.2.2.2 and 2.2.20.1; prefix 18.1/16 learned by E-BGP) and AS z, connected by E-BGP.
Alternative to redistribution or running I-BGP in all
backbone routers:
Associate MPLS labels to exit points
Example:
R2 creates a label switched path to 2.2.2.2
At R2: Packets to 18.1/16 are associated with this label
R1 runs only IGP and MPLS – no BGP – only very small
routing tables
Can be used to provide quality of service
RIB and LIB at R2: To 18.1/16, NEXT-HOP 2.2.2.2, layer-2 addr, MPLS label 23
Facts to remember
There are other, non IP network layers that are connection oriented
With a CO network, there are connections and labels
Labels have only local significance, may be changed at every hop
They are used to carry IP traffic or telephony or to separate services
ATM is used as “super layer 2”
MPLS is similar but is combined at the networking layer
Part 3: IP Multicast
Contents
1. Multicast IP
2. Multicast routing protocols
3. Deployment
1. Internet (initial) group model
Multicast/group communication: 1 → n as well as n → m
Multicast addresses, IPv4: 224.0.0.0 to 239.255.255.255 (224/4); 232/8 reserved for SSM (see later)
Multicast address, IPv6: FF00::/8
A multicast address is the logical identifier of a group
No topological information, does not give any information about where the destinations (listeners) are
Routers have to keep state information for each multicast address
Figure: source host 1 (194.199.25.100) sends to the multicast group 225.1.2.3; host 2 (133.121.11.22) and host 3 (194.199.25.101) are receivers.
Internet (initial) group model
Open model
any host may belong to a multicast group
no authorization required
host may belong to many different groups
no restriction
source may send a packet to a group no matter if it belongs to the group or
not
membership not required
group is dynamic
a host may subscribe or leave at any time
host (source/receiver) does not know the identity of group members
Groups may have different scope
use TTL: LAN (local scope), Campus/admin scoping
IP Multicast Principles
Figure: source S attached to router R5; routers R1, R2, R4 and R5 run multicast routing; host A at R1 and host B at R4 send IGMP: join m.
hosts subscribe via IGMP join messages sent to router
routers build distribution tree via multicast routing
sources do not know who destinations are
packet multiplication is done by routers
1 S sends packets to multicast address m; there is no member, the data is simply lost at router R5.
2 A joins the multicast address m.
3 R1 informs the rest of the network that m has a member at R1; the multicast routing protocol builds a tree. Data sent by S now reach A.
4 B joins the multicast address m.
5 R4 informs the rest of the network that m has a member at R4; the multicast routing protocol adds branches to the tree. Data sent by S now reach both A and B.
Using Multicast with IPv4 Sockets
Can only use UDP, does not work with TCP
Set TTL carefully
Sending to a multicast address: nothing special to do
Same as sending a packet to unicast address
Destination has to join explicitly
supported by socket option
in in.h:
    struct ip_mreq
    {
        struct in_addr imr_multiaddr;   /* IP multicast address of group */
        struct in_addr imr_interface;   /* local IP address of interface */
    };
to join a group (here the group 225.1.2.3 of the earlier figure, on the interface chosen by the system):
    struct ip_mreq mreq;
    mreq.imr_multiaddr.s_addr = inet_addr("225.1.2.3");
    mreq.imr_interface.s_addr = htonl(INADDR_ANY);
    rc = setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP,
                    (void *) &mreq, sizeof(mreq));
IN_MULTICAST(a)
tests whether a (an IPv4 address in host byte order) is a multicast address
Source Specific Multicast (SSM)
The IP multicast model supports many to many
network (multicast routing) must find all sources and route from them
A proposed alternative called SSM (Source Specific Multicast)
multicast group - a channel identified by: {@source, @multicast}
single-source model
{S, M} and {S’, M} are disjoint
only S can send some traffic to {S, M}
destinations have to find who the sources are, not the network
host must learn source address out of band (Web page)
n → m still possible with many 1 → n channels; requires source selection (host-to-router source and group request)
Include-Source list of IGMPv3
MLD (Multicast Listener Discovery for IPv6), replacement of IGMP for IPv6
IANA assigned 232/8 and FF3X::/96
2. Multicast Routing
There are many multicast routing protocols to choose from
What is the job ? For every multicast address, build a shared distribution tree
This is (too) complex
A much simpler situation arises if we support only SSM
PIM-SSM
Figure: routers A, B, C, D, E and F; a channel (A, G) is built between the source at A and the receiver; the receiver announces JOIN (A, G) with IGMP, and PIM JOIN (A, G) messages go router by router towards A.
PIM-SSM
= « Protocol Independent Multicast - Source Specific Multicast »
The « routing protocol » proposed for SSM
Router keeps (S, G) state for each source S and each multicast group address G
Tree is built by using unicast routing tables towards the source
PIM-JOIN messages sent from one router to upstream neighbour
There is no Path Computation algorithm, relies on routing tables built by unicast routing protocols
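Added example (not the lecturer's code) covering the tree building of the IP Multicast Principles slide in its SSM form and the PIM-SSM behaviour above: routers keep (S, G) state, each join is sent to the unicast next hop towards the source, and routers replicate packets along the resulting tree; the six-router topology and its routing table are constructed for this illustration.

```python
from collections import defaultdict

# Constructed topology of routers A..F. This is the unicast routing table
# entry "next hop towards router A" at every router; the source sits at A.
NEXT_HOP_TO_A = {"B": "A", "C": "B", "D": "C", "E": "B", "F": "C"}

class Router:
    def __init__(self, name: str):
        self.name = name
        self.sg_state = defaultdict(set)   # (S, G) -> downstream interfaces

class SsmDomain:
    def __init__(self, routers: str, next_hop: dict):
        self.routers = {r: Router(r) for r in routers}
        self.next_hop = next_hop
        self.joins_sent = []               # (from router, to router, S, G)

    def igmp_join(self, router: str, source: str, group: str):
        """A host attached to `router` asks for channel (S, G) with IGMPv3."""
        self._pim_join(router, source, group, downstream="host")

    def _pim_join(self, router, source, group, downstream):
        """PIM JOIN (S, G) received on this router from `downstream`."""
        r, key = self.routers[router], (source, group)
        already_on_tree = key in r.sg_state
        r.sg_state[key].add(downstream)
        if already_on_tree or router == source:
            return      # the tree already reaches this router: add a branch only
        upstream = self.next_hop[router]       # unicast routing table, no path computation
        self.joins_sent.append((router, upstream, source, group))
        self._pim_join(upstream, source, group, downstream=router)

    def deliver(self, source: str, group: str) -> tuple:
        """Forward one packet from the source down the (S, G) tree. Returns the
        routers whose hosts received it and how many copies routers made."""
        reached, copies, stack = [], 0, [source]
        while stack:
            node = stack.pop()
            oifs = self.routers[node].sg_state.get((source, group), set())
            copies += max(len(oifs) - 1, 0)    # one packet in, len(oifs) packets out
            for oif in oifs:
                if oif == "host":
                    reached.append(node)
                else:
                    stack.append(oif)
        return sorted(reached), copies

if __name__ == "__main__":
    domain = SsmDomain("ABCDEF", NEXT_HOP_TO_A)
    print(domain.deliver("A", "G"))        # no member yet: the packet is lost at A
    domain.igmp_join("D", "A", "G")
    domain.igmp_join("F", "A", "G")
    print(domain.joins_sent)
    print(domain.deliver("A", "G"))
```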
3. Deployment
IP multicast is implemented on research networks (Switch, Geant, etc)
Also used by specific environments (e.g. financial)
Not generally available (yet) to the general public in its general form
SSM multicast deployments are starting
Tunneling can be used to connect a non multicast capable network to a multicast capable one (MBONE)
within a multicast area: native multicast
in a tunnel: multicast packets are encapsulated in unicast IP packets
Figure: source, multicast routers, R1 (encapsulation, dst = unicast @R2), unicast only routers, R2 (decapsulation), multicast routers, receiver. Inside the tunnel a packet reads: IP dest=adr_R2 | IP dest=mcast | payload, where the last two fields are the original packet.
There is not only IP Multicast …
Multicast can be performed at application layer
On a network offering no IP multicast support (today’s internet)
Examples: content distribution networks
Figure: a source and CDN nodes 1 to 4 replicating the content at application layer.
Facts to remember
IP multicast makes it possible to reduce traffic by controlled packet replication
Multicast routers are “stateful”
Initial multicast allows any source to send to a multicast address
Routing is complex
Source specific multicast is simpler to deploy
Application layer multicast can be used even without IP multicast
Multicast IP does not work with TCP
Ad-hoc “reliable multicast” protocols were developed
Part 4: Protocol Aspects of Security
Protocol Aspects of Security
Security is a global issue, not covered in this lecture
We discuss here how security impacts the architecture, and the relation
between layers
We review two examples
ssh
IPSEC and VPNs
Anatomy of an SSH example
Figure: at host A the email user agent uses TCP port 9876; at host S the POP server listens on TCP port 110; both run over IP across the IP network, with observation point 1 on the network.
First look at the configuration without SSH
Email user agent connects to POP server
110 is the TCP port reserved for POP
9876 is an ephemeral port allocated to the email user agent by the operating system
Anatomy of an SSH example (2)
Figure: at host A, the email user agent (port 9876) connects to the local port 1234 opened by the ssh client; the ssh client (port 3456) has a TCP connection across the IP network (observation point 1) to sshd at host S (port 22); sshd connects locally to the POP server at port 110.
Assume A wants to use SSH to connect to the mail server S, using POP
Q1: Why would A want this ?
A1: to make sure that email between A and S is encrypted. Or because S is behind a firewall that does not
accept TCP connections to ports other than ssh.
Q2: describe the content of a packet from A to B visible at point 1.
A2: contains an encrypted block of data inside a TCP packet with srce port=22, dest port=3456, IP
srce=A, IP dest=S
Assume A wants to use SSH to connect to the mail server S, using POP
Q1: Why would A want this ?
sshd is the ssh “daemon”, i.e. the ssh server. It runs on S in this example. sshd listens to the
well known port 22, reserved for ssh.
The user at A starts an ssh connection to S by launching the ssh client. The ssh client
obtains a port number from the operating system (here: 3456). A opens a TCP connection
from port 3456 to S, destination port 22. A can talk to S over this TCP connection (for
example, the user at A can issue commands on S).
(port redirection) ssh at A opens a server port 1234. All packets received by ssh at A on
port 1234 from localhost (green line) are sent to S, received by sshd at S, and sent again to
S locally, to port 22. The user must decide which port on A is redirected to which port on S.
The mapping so constructed is called an “SSH tunnel”
The email user agent at A must be instructed to connect to a POP server at IP address =
localhost and server port number = 1234
The traffic on the red TCP connection between A and S is encrypted.
Different connections (called “channels”) can be multiplexed on one single TCP connection
between A and S. ssh implements a sliding window protocol on top of TCP, with fixed
window size, one window per channel
Q2: describe the content of a packet from A to B visible at point 1.
This is only one specific example, there are many other possibilities. This example is
redirection of a local port (ssh on A redirects the port 1234 on A to 110 on S). It is possible to
redirect a remote port as well, and UDP traffic can be redirected as well.
ssh-connect
Figure: exchange between ssh and sshd:
  CHANNEL_OPEN (id, w)
  CHANNEL_CONFIRM (id, w)
  CHANNEL_DATA (id)
  CHANNEL_WINDOW (id, w1)
Multiple channels multiplexed into a single connection at the ssh-trans level
Channels identified by numbers on each end
Channels are flow-controlled
window size - amount of data to send
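Added example, not from the lecture: two channels multiplexed on one connection, each with its own window, driven by the four messages above; the window sizes and the simplified message contents (no maximum packet size, no channel types) are assumptions of this model, not the ssh specification.

```python
from collections import deque

class Endpoint:
    """One side of ssh-connect. Each channel has its own window, so a channel
    whose reader is slow does not block the other channels sharing the same
    TCP connection (the ssh-trans layer underneath is not modelled)."""
    def __init__(self, name, initial_window):
        self.name, self.initial_window = name, initial_window
        self.send_window = {}   # channel id -> bytes the peer will still accept
        self.pending = {}       # channel id -> deque of data not yet sent
        self.received = {}      # channel id -> bytearray handed to the reader
        self.outbox = []        # messages for the peer: (type, channel id, argument)
    def _new_channel(self, cid):
        self.pending[cid], self.received[cid] = deque(), bytearray()
    def open_channel(self, cid):                 # CHANNEL_OPEN (id, w)
        self._new_channel(cid)
        self.outbox.append(("CHANNEL_OPEN", cid, self.initial_window))
    def on_open(self, cid, peer_window):         # answered by CHANNEL_CONFIRM (id, w)
        self._new_channel(cid)
        self.send_window[cid] = peer_window
        self.outbox.append(("CHANNEL_CONFIRM", cid, self.initial_window))
    def on_confirm(self, cid, peer_window):
        self.send_window[cid] = peer_window
        self._flush(cid)
    def send(self, cid, data):
        self.pending[cid].append(data)
        if cid in self.send_window:              # else wait for CHANNEL_CONFIRM
            self._flush(cid)
    def _flush(self, cid):                       # CHANNEL_DATA (id), window permitting
        q = self.pending[cid]
        while q and self.send_window[cid] > 0:
            chunk, room = q.popleft(), self.send_window[cid]
            if len(chunk) > room:                # send what fits, keep the rest
                q.appendleft(chunk[room:])
                chunk = chunk[:room]
            self.send_window[cid] -= len(chunk)
            self.outbox.append(("CHANNEL_DATA", cid, chunk))
    def on_data(self, cid, chunk):
        self.received[cid] += chunk
    def consume(self, cid, n):                   # CHANNEL_WINDOW (id, w1)
        """The reader took n bytes: hand that much window back to the peer."""
        self.outbox.append(("CHANNEL_WINDOW", cid, n))
    def on_window(self, cid, n):
        self.send_window[cid] += n
        self._flush(cid)

HANDLERS = {"CHANNEL_OPEN": "on_open", "CHANNEL_CONFIRM": "on_confirm",
            "CHANNEL_DATA": "on_data", "CHANNEL_WINDOW": "on_window"}

def run(a, b):
    """Deliver queued messages both ways until idle; log data as its length."""
    log = []
    while a.outbox or b.outbox:
        for src, dst in ((a, b), (b, a)):
            while src.outbox:
                kind, cid, arg = src.outbox.pop(0)
                log.append((src.name, kind, cid, len(arg) if kind == "CHANNEL_DATA" else arg))
                getattr(dst, HANDLERS[kind])(cid, arg)
    return log

def demo():
    """Two channels; the windows 8 (ssh side) and 4 (sshd side) are constructed."""
    ssh, sshd = Endpoint("ssh", 8), Endpoint("sshd", 4)
    for cid, data in ((0, b"0123456789"), (1, b"ab")):
        ssh.open_channel(cid)
        ssh.send(cid, data)
    run(ssh, sshd)          # channel 0 stalls after 4 bytes, channel 1 is complete
    first = (bytes(sshd.received[0]), bytes(sshd.received[1]))
    for _ in range(2):      # the reader takes 4 bytes twice: the rest of channel 0 flows
        sshd.consume(0, 4)
        run(ssh, sshd)
    return first, bytes(sshd.received[0])
```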
IPSEC and VPNs
Offers protection transparent to applications
Used to run applications designed for a secure environment over an insecure
one
example: WLAN access to EPFL network
example: video player to screen
Provides
authentication (AH header)
or authentication and confidentiality (ESP header)
used primarily today in tunnel mode
host to host mode also exists
basic building block for VPN
IPSEC Tunnel Mode: Find Out how it works
Figure: host A on the EPFL wireless LAN, the VPN Router (IPSec server), host B. The packet leaving A is IP hdr | ESP hdr | IP hdr | IP data, with the inner IP hdr and IP data encrypted; after the VPN router it is IP hdr | IP data.
Configuration displayed at A:
Ethernet adapter Wireless Network Connection:
        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 192.168.1.33
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix . : epfl.ch
        IP Address. . . . . . . . . . . . : 128.178.83.22
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 128.178.83.22
IPSEC Tunnel Mode: Find Out how it works - Hints
What subnet does the secondary IP address 128.178.83.22 belong to ?
Host A has now two IP addresses. Why ? How are they used ?
What IP source address does an application on A use ?
Explain how packets from host B to host A find their way.
IPSEC Tunnel Mode: Find Out how it works - Solutions
What subnet does the secondary IP address 128.178.83.22 belong to ?
it is an EPFL subnet. The VPN router belongs to it.
Host A has now two IP addresses. Why ? How are they used ?
IP packets are generated by applications at A with source address
128.178.83.22, encrypted and encapsulated in IP packets with source address
192.168.1.33. This is a tunnel (= there is encapsulation). At the end of the
tunnel, the VPN router decrypts the packets, and places them on the EPFL
network
What IP source address does an application on A use ?
the EPFL address 128.178.83.22
Explain how packets from host B to host A find their way.
The VPN router must perform proxy ARP – otherwise, same as access over a
modem (see slide « Proxy ARP »).
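Added example, not from the lecture, for the tunnel of the last three slides: A's packet with source 128.178.83.22 is wrapped in an outer packet from 192.168.1.33 to the VPN router, checked and unwrapped at the router, and the return path relies on proxy ARP; only the authentication service (what AH provides) is modelled, with an HMAC, and the router address 128.178.83.254, host B 128.178.50.1 and the key are placeholders.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Addresses from the slide; the VPN router's address and host B are placeholders.
A_WLAN_ADDR = "192.168.1.33"        # A on the wireless LAN (outer packet)
A_EPFL_ADDR = "128.178.83.22"       # A's secondary, EPFL address (inner packet)
VPN_ROUTER_ADDR = "128.178.83.254"  # placeholder, not given on the slide
B_ADDR = "128.178.50.1"             # placeholder host on the EPFL network

def ip_packet(src: str, dst: str, data: bytes) -> bytes:
    """Minimal 'IP hdr | IP data': 4-byte source, 4-byte destination, payload."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + data

def split_ip(pkt: bytes) -> tuple:
    return str(IPv4Address(pkt[:4])), str(IPv4Address(pkt[4:8])), pkt[8:]

class TunnelSA:
    """One direction of the tunnel between A and the VPN router. The header
    carries an SPI and a sequence number and is followed by an HMAC over
    header and inner packet; ESP's encryption is not implemented here."""
    def __init__(self, key: bytes, spi: int, inner_addr: str, outer_src: str, outer_dst: str):
        self.key, self.spi, self.inner_addr = key, spi, inner_addr
        self.outer_src, self.outer_dst = outer_src, outer_dst
        self.seq = 0          # last sequence number sent
        self.last_seen = 0    # highest sequence number accepted (anti-replay)

    def _tag(self, hdr: bytes, inner: bytes) -> bytes:
        return hmac.new(self.key, hdr + inner, hashlib.sha256).digest()

    def encapsulate(self, inner: bytes) -> bytes:
        """Wrap a packet of the inner network into an outer packet."""
        self.seq += 1
        hdr = struct.pack("!II", self.spi, self.seq)
        return ip_packet(self.outer_src, self.outer_dst, hdr + self._tag(hdr, inner) + inner)

    def decapsulate(self, outer: bytes) -> tuple:
        """At the VPN router: verify, then hand the inner packet to the EPFL
        network. Returns (inner packet or None, reason)."""
        _, _, body = split_ip(outer)
        hdr, tag, inner = body[:8], body[8:40], body[40:]
        spi, seq = struct.unpack("!II", hdr)
        if spi != self.spi or not hmac.compare_digest(tag, self._tag(hdr, inner)):
            return None, "integrity check failed"
        if seq <= self.last_seen:
            return None, "replayed sequence number"
        self.last_seen = seq
        if split_ip(inner)[0] != self.inner_addr:   # A may only speak as 128.178.83.22
            return None, "inner source is not the tunnel's address"
        return inner, "forwarded on the EPFL subnet"

def router_answers_arp(addr: str, tunnels: list) -> bool:
    """Proxy ARP: the router answers ARP requests for the inner addresses of
    the tunnels it terminates, so B's packets for A arrive at the router."""
    return any(t.inner_addr == addr for t in tunnels)

def return_packet(pkt_from_b: bytes, tunnels: list):
    """Router side: send a packet from B into the tunnel whose inner address
    is the destination; None when no tunnel claims that address."""
    dst = split_ip(pkt_from_b)[1]
    for t in tunnels:
        if t.inner_addr == dst:
            return t.encapsulate(pkt_from_b)
    return None
```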