CS 291 Special Topics on Network Security

Download Report

Transcript CS 291 Special Topics on Network Security

CS 283 Computer Networks
Spring 2013
Instructor: Yuan Xue
A special acknowledge goes to J.F Kurose
and K.W. Ross
Some of the slides used in this lecture are
adapted from their original slides that
accompany the book “Computer Networking,
A Top-Down Approach”
All material copyright 1996-2009
J.F Kurose and K.W. Ross, All Rights Reserved
@Yuan Xue ([email protected])
Chapter 4: Network Layer Outline
Overview and Service Model

4. 1 Introduction

4.2 Virtual circuit and datagram networks
Principle

4.5 Routing algorithms
 Link state
 Distance Vector
Practice (in the context of Internet)

4.4 IP: Internet Protocol
 IP packet format/Fragmentation
 IP address/DHCP/NAT

Routing Protocol
 4.5.3 Hierarchical Routing / Addressing
 4.6 Routing protocols in Internet
 4.6.1 Intra-AS Routing: RIP/OSPF
 4.6.3 Inter-AS Routing: BGP
@Yuan Xue ([email protected])
Forwarding and Implementation

4.3 What’s inside a router
Broadcast and multicast routing
ICMP
Special IP addresses
IPv6
Broadcast and Multicast
Broadcast

Deliver packets from
source to all other nodes
in the network
@Yuan Xue ([email protected])
Multicast

Deliver packets from
source to only a subset
of network nodes
Broadcast Routing
Deliver packets from source to all other nodes
source duplication is inefficient:
duplicate
R1
duplicate
creation/transmission
R1
duplicate
R2
R2
R3

R4
R3
R4
in-network
source
duplication
duplication
source duplication how does source determine recipient
addresses?
@Yuan Xue ([email protected])
In-network duplication
flooding: when node receives broadcast packet, sends copy
to all neighbors
 problems: cycles & broadcast storm
controlled flooding: node only broqdcqsts pkt if it hasn’t
broadcst same packet before
 Sequence-number-controlled flooding: node keeps track
of packet ids [src_node, sequence_num] already
broadacsted. If the packet was received and forwarded
before, it will get dropped.
 Reverse path forwarding (RPF): node only forwards a
packet if it arrived on the shortest path between the
node and the source
spanning tree broadcast
 No redundant packets received by any node
@Yuan Xue ([email protected])
Reverse Path Forwarding: example
S: source
R1
LEGEND
R4
R2
R5
R3
R6
datagram will be
forwarded
datagram will not be
forwarded beyond
receiving router
R7
Different from sequence-number-controlled flooding:
• In sequence-number-controlled flooding, the packet forwarding does not follow a specific
path. It rather depends on the timing of p. In this example, if the packet from R5 is
received at R6 earlier than the packet from R2, R6 will forward the packet to R2.
Similar to sequence-number-controlled flooding
• For each packet, each node in the network will only perform one forwarding operation to all
its neighbors (other than the one from which the packet is received.).
@Yuan Xue ([email protected])
Spanning Tree
Construct a spanning tree
 Spanning tree: a tree that contains every node in
the graph
Nodes forward copies only along spanning tree
A
A
B
c
B
c
D
F
D
E
F
G
E
G
(a) Broadcast initiated at A (b) Broadcast initiated at D
@Yuan Xue ([email protected])
IP multicast
Multicast at network layer is called IP multicast
It has two components

Group management
 IGMP

Multicast routing
 DVMRP, PIM, MSDP
IP multicast vs. Application layer multicast
@Yuan Xue ([email protected])
Multicast Address and Group Management
Deliver packets from source to only a subset of network nodes  how to
address them?
 List of IP addresses of all receivers
 too much overhead in the packet header
 The sender also needs to maintain this list (node join/leave)
 Internet solution
 Multicast address  a class D IP address
 The group of receivers associated with a class D address is referred to
as a multicast group
How to manage this group?
 Internet Group Management Protocol
 A host informs its attached router to join a specific multicast group
 Three message types: membership_query, membership_report,
leave_group
 Using soft state
@Yuan Xue ([email protected])
Multicast Routing: Problem Statement
Goal: find a tree (or trees) connecting routers having
local mcast group members



tree: not all paths between routers are used
source-based: different tree from each sender to rcvrs
shared-tree: same tree used by all group members
Shared tree
@Yuan Xue ([email protected])
Source-based trees
Approaches for building mcast trees
Approaches:
source-based tree: one tree per source
 shortest path trees
 reverse path forwarding
 Pruning
group-shared tree: group uses one tree
 minimal spanning (all nodes on the tree are part of the
multicast group) or Steiner (there are nodes on the tree
which are not part of the multicast group) tree
 center-based trees
we first look at basic approaches, then specific protocols
adopting these approaches
@Yuan Xue ([email protected])
Shortest Path Tree
mcast forwarding tree: tree of shortest path
routes from source to all receivers

Dijkstra’s algorithm
S: source
LEGEND
R1
1
2
R4
R2
3
router with attached
group member
5
4
R3
R6
@Yuan Xue ([email protected])
router with no attached
group member
R5
6
R7
i
link used for forwarding,
i indicates order link
added by algorithm
Reverse Path Forwarding
rely on router’s knowledge of unicast shortest
path from it to sender
 each router has simple forwarding behavior:

if (mcast datagram received on incoming link
on shortest path back to center)
then flood datagram onto all outgoing links
else ignore datagram
@Yuan Xue ([email protected])
Reverse Path Forwarding: example
S: source
LEGEND
R1
R4
router with attached
group member
R2
R5
R3

R6
R7
router with no attached
group member
datagram will be
forwarded
datagram will not be
Forwarded beyond
receiving router
result is a source-specific reverse SPT
 may be a bad choice with asymmetric links
@Yuan Xue ([email protected])
Reverse Path Forwarding: pruning
forwarding tree contains subtrees with no mcast group
members
 no need to forward datagrams down subtree
 “prune” msgs sent upstream by router with no
downstream group members
LEGEND
S: source
R1
router with attached
group member
R4
R2
P
R5
R3
R6
@Yuan Xue ([email protected])
P
R7
P
router with no attached
group member
prune message
links with multicast
forwarding
Shared-Tree: Steiner Tree
Steiner Tree: minimum cost tree connecting all
routers with attached group members
problem is NP-complete
excellent heuristics exists
not used in practice:



computational complexity
information about entire network needed
monolithic: rerun whenever a router needs to join/leave
@Yuan Xue ([email protected])
Center-based trees
single delivery tree shared by all
one router identified as “center” of tree
to join:




edge router sends unicast join-msg addressed to center
router
join-msg “processed” by intermediate routers and
forwarded towards center
join-msg either hits existing tree branch for this center,
or arrives at center
path taken by join-msg becomes new branch of tree for
this router
@Yuan Xue ([email protected])
Center-based trees: an example
Suppose R6 chosen as center:
LEGEND
R1
3
R2
router with attached
group member
R4
2
R5
R3
1
R6
@Yuan Xue ([email protected])
R7
1
router with no attached
group member
path order in which join
messages generated
Internet Multicasting Routing
DVMRP: distance vector multicast routing protocol, RFC1075

Source-based tree with reverse path forwarding and pruning
PIM: Protocol-Independent Multicast routing protocol,
RFC3973


Dense mode: flood-and-prune reverse path forwarding techniques
(similar to DVMRP)
Sparse mode: rendezvous point
MSDP: Multicast Source Discovery Protocol
Reality: IP multicast has yet to take off in a big way


Application-level multicast
In UK, BBC Multicast
@Yuan Xue ([email protected])
Internet Multicasting Routing: DVMRP
DVMRP: distance vector multicast routing protocol,
RFC1075
flood and prune: reverse path forwarding, sourcebased tree




RPF tree based on DVMRP’s own routing tables
constructed by communicating DVMRP routers
no assumptions about underlying unicast
initial datagram to mcast group flooded everywhere via
RPF
routers not part of the group: send upstream prune msgs
@Yuan Xue ([email protected])
DVMRP: continued…
soft state: DVMRP router periodically (1 min.)
“forgets” branches are pruned:


mcast data again flows down unpruned branch
downstream router: reprune or else continue to
receive data
routers can quickly regraft to tree

following IGMP join at leaf
odds and ends


commonly implemented in commercial routers
Mbone routing done using DVMRP
@Yuan Xue ([email protected])
PIM: Protocol Independent Multicast
not dependent on any specific underlying unicast
routing algorithm (works with all)
two different multicast distribution scenarios :
Dense:


group members
densely packed, in
“close” proximity.
bandwidth more
plentiful
Sparse:



@Yuan Xue ([email protected])
# networks with group
members small wrt #
interconnected networks
group members “widely
dispersed”
bandwidth not plentiful
Consequences of Sparse-Dense Dichotomy:
Dense
group membership by
routers assumed until
routers explicitly prune
data-driven construction
on mcast tree (e.g., RPF)
bandwidth and nongroup-router processing
profligate
@Yuan Xue ([email protected])
Sparse:
no membership until
routers explicitly join
receiver- driven
construction of mcast tree
(e.g., center-based)
bandwidth and non-grouprouter processing
conservative
PIM- Dense Mode
flood-and-prune RPF, similar to DVMRP but



underlying unicast protocol provides RPF info for
incoming datagram
less complicated (less efficient) downstream flood
than DVMRP reduces reliance on underlying
routing algorithm
has protocol mechanism for router to detect it is a
leaf-node router
@Yuan Xue ([email protected])
PIM - Sparse Mode
center-based approach
router sends join msg
to rendezvous point
(RP)

R1
intermediate routers
update state and forward
R2
join
after joining via RP,
router can switch to
source-specific tree

increased performance:
less concentration,
shorter paths
@Yuan Xue ([email protected])
join
R3
R4
join
join
R6
R5
R7
all data multicast rendezvous
from rendezvous
point
point
PIM - Sparse Mode
sender(s):
unicast data to RP,
which distributes down
RP-rooted tree
RP can extend mcast
tree upstream to source
RP can send stop msg if
no attached receivers

“no one is listening!”
@Yuan Xue ([email protected])
R1
join
R2
R3
R4
join
join
R6
R5
R7
all data multicast rendezvous
from rendezvous
point
point
ICMP: Internet Control Message Protocol
used by hosts & routers to
communicate network-level
information
 error reporting: unreachable
host, network, port, protocol
 echo request/reply (used by
ping)
network-layer “above” IP:
 ICMP msgs carried in IP
datagrams
ICMP message: type, code plus first
8 bytes of IP datagram causing error
@Yuan Xue ([email protected])
Type
0
3
3
3
3
3
3
4
Code
0
0
1
2
3
6
7
0
8
9
10
11
12
0
0
0
0
0
description
echo reply (ping)
dest. network unreachable
dest host unreachable
dest protocol unreachable
dest port unreachable
dest network unknown
dest host unknown
source quench (congestion
control - not used)
echo request (ping)
route advertisement
router discovery
TTL expired
bad IP header
Traceroute and ICMP
Source sends series of UDP
segments to dest


first has TTL =1
second has TTL=2, etc.
When nth datagram arrives to
nth router:



router discards datagram
and sends to source an ICMP
message (type 11, code 0)
ICMP message includes name of
router & IP address
when ICMP message arrives,
source calculates RTT
traceroute does this 3 times
Stopping criterion
UDP segment eventually arrives
at destination host
destination returns ICMP “port
unreachable” packet (type 3,
code 3)
when source gets this ICMP,
stops.
Refer to http://en.wikipedia.org/wiki/Traceroute
@Yuan Xue ([email protected])
Ping
Ping operates by sending Internet Control Message
Protocol (ICMP) echo request packets to the target host
and waiting for an ICMP response.
In the process it measures the time from transmission to
reception (round-trip time) and records any packet loss.
The results of the test are printed in form of a statistical
summary of the response packets received, including the
minimum, maximum, and the mean round-trip times, and
sometimes the standard deviation of the mean.
http://en.wikipedia.org/wiki/Ping
@Yuan Xue ([email protected])
Special IP addresses
Local broadcast address


255.255.255.255  all nodes within the local area
network
For more information:
http://en.wikipedia.org/wiki/Broadcast_address
The node itself
127.0.0.1  Local host (loopback network interface)
 For more information
http://en.wikipedia.org/wiki/Localhost

@Yuan Xue ([email protected])
IPv6
Initial motivation: 32-bit address space soon to
be completely allocated.
Additional motivation:
header format helps speed processing/forwarding
 header changes to facilitate QoS
IPv6 datagram format:
 fixed-length 40 byte header
 no fragmentation allowed

IPv6 addresses consist of eight groups of
four hexadecimal digits separated by colons,
for example 2001:0db8:85a3:0042:1000:8a2e:0370:7334.
@Yuan Xue ([email protected])
IPv6 Header (Cont)
Priority: identify priority among datagrams in flow
Flow Label: identify datagrams in same “flow.”
(concept of“flow” not well defined).
Next header: identify upper layer protocol for data
ver
pri
flow label
payload len
next hdr hop limit
source address
(128 bits)
destination address
(128 bits)
data
32 bits
@Yuan Xue ([email protected])
Other Changes from IPv4
Checksum: removed entirely to reduce processing
time at each hop
Options: allowed, but outside of header, indicated
by “Next Header” field
ICMPv6: new version of ICMP


additional message types, e.g. “Packet Too Big”
multicast group management functions
@Yuan Xue ([email protected])
Transition From IPv4 To IPv6
Not all routers can be upgraded simultaneous


no “flag days”
How will the network operate with mixed IPv4 and
IPv6 routers?
Dual-stack : side-by-side implementation of IPv4
and IPv6- both protocols run on the same
network infrastructure.
Tunneling: IPv6 carried as payload in IPv4
datagram among IPv4 routers
@Yuan Xue ([email protected])
Tunneling
Logical view:
Physical view:
E
F
IPv6
IPv6
IPv6
A
B
E
F
IPv6
IPv6
IPv6
IPv6
A
B
IPv6
@Yuan Xue ([email protected])
tunnel
IPv4
IPv4
Tunneling
Logical view:
Physical view:
A
B
IPv6
IPv6
A
B
C
IPv6
IPv6
IPv4
Flow: X
Src: A
Dest: F
data
A-to-B:
IPv6
@Yuan Xue ([email protected])
E
F
IPv6
IPv6
D
E
F
IPv4
IPv6
IPv6
tunnel
Src:B
Dest: E
Src:B
Dest: E
Flow: X
Src: A
Dest: F
Flow: X
Src: A
Dest: F
data
data
B-to-C:
IPv6 inside
IPv4
B-to-C:
IPv6 inside
IPv4
Flow: X
Src: A
Dest: F
data
E-to-F:
IPv6