TCP/IP Overview
CSCE 813
Internet Security
TCP/IP
Internet Security - Farkas
1
Reading Assignment
Reading:
R. Oppliger, Internet and Intranet Security, Artech House, Chapter 2
Google Book: http://books.google.com/books/about/Internet_and_Intranet_Security.html?id=vtyowiyW9BkC
Recommended Reading:
CISCO: TCP/IP Technology,
http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a008014f8a9.shtml
Before the Internet
Isolated, local packet-switching networks
– only nodes on the same network could
communicate
Each network was autonomous
– different services
– different interfaces
– different protocols
Before the Internet (cont.)
ARPANET: sponsored by the Defense Advanced Research Projects Agency (DARPA):
• 1969: interconnected 4 hosts: Stanford Research Institute (SRI), Univ. of California at Santa Barbara (UCSB), Univ. of California at LA (UCLA), Univ. of Utah
• 1970: host-to-host protocol: Network Control Protocol (NCP)
• 1972: first application: e-mail
Internet
Connect Existing Networks:
ARPANET, Packet Radio, and Packet Satellite
NCP not sufficient --> develop a new protocol
1970s: Transmission Control Protocol (Kahn and Cerf)
– Based on packet switching technology
– Good for file transfer and remote terminal access
Divide TCP into 2 protocols
– Internet Protocol (IP): addressing and forwarding of packets
– Transmission Control Protocol (TCP): sophisticated services, e.g., flow control, recovery
1980: TCP/IP adopted as a DoD standard
1983: ARPANET protocol officially changed from NCP to TCP/IP
1985: Internet technology already in place
1995: U.S. Federal Networking Council (FNC) defines the term Internet
Goals (Clark’88)
Connect existing networks
1. Survivability
2. Support multiple types of services
3. Must accommodate a variety of networks
4. Allow distributed management
5. Allow host attachment with a low level of
effort
6. Be cost effective
7. Allow resource accountability
Internet Challenge
Interconnected networks differ (protocols, interfaces, services, etc.)
Possibilities:
1. Reengineer and develop one global packet switching network standard: not economically feasible
2. Have every host implement the protocols of every network it wants to communicate with: too complex, very high engineering cost
3. Add an extra layer: internetworking layer
– Hosts implement one higher-level protocol
– All the networks being connected carry that same protocol
– Each network needs only an interface between the new protocol and its own technology
Layering
Organize a network system into logically
distinct entities
– the service provided by one entity is based only
on the service provided by the lower level
entity
Without Layering
Applications (SMTP, FTP, HTTP) are tied directly to the transmission media (coaxial cable, fiber optic)
Each application has to be implemented for every network technology!
With Layering
Intermediate layer provides a unique abstraction for various network technologies
Applications (SMTP, FTP, HTTP) --> Intermediate layer --> Transmission media (coaxial cable, fiber optic)
Layering
Advantages
– Modularity – protocols easier to manage and maintain
– Abstract functionality – lower layers can be changed without affecting the upper layers
– Reuse – upper layers can reuse the functionality provided by lower layers
Disadvantages
– Information hiding – a layer cannot exploit details of the layers below it, which can lead to inefficient implementations
ISO OSI Reference Model
ISO – International Organization for Standardization
OSI – Open Systems Interconnection
Goal: a general open standard
– allow vendors to enter the market by using their own implementation and protocols
OSI Model Concepts
Service – says what a layer does
Interface – says how to access the service
Protocol – says how the service is implemented
– a set of rules and formats that govern the communication between two peers
TCP/IP Protocol Stack
Application Layer
Transport Layer
Internetwork Layer
Network Access Layer
• Each layer interacts with
neighboring layers above
and below
• Each layer can be defined
independently
• Complexity of the
networking is hidden from
the application
OSI vs. TCP/IP
OSI: conceptually defines service, interface, protocol
Internet: provides a successful implementation
OSI layer(s)                          TCP/IP layer       Example protocols
Application, Presentation, Session    Application        Telnet, FTP, DNS
Transport                             Transport          TCP, UDP
Network                               Internet           IP
Data link, Physical                   Host-to-network    LAN, packet radio
Network Access Layer
Responsible for packet transmission on the physical media
Transmission between two devices that are physically connected
The goal of this layer is to move information across one “hop”
For example: Ethernet, Token Ring, Asynchronous Transfer Mode (ATM)
Internetwork Layer
Provides connectionless and unreliable (best-effort) service
Routing (routers): determine the path a packet has to traverse to reach its destination
Defines the addressing mechanism
– Hosts must conform to the addressing mechanism
IP Addresses
IP provides a logical address space and a corresponding addressing scheme
An IP address is a globally unique or private number associated with a host's network interface
Every system that sends packets directly across the Internet must have a unique (public) IP address
IP addresses are assigned based on where the hosts are connected, not on who owns them
Address allocation is coordinated by a single authority: address ranges are assigned to organizations
They are running out of (IPv4) address space!
Routing Protocols
• Enable routing decisions to be made
• Manage and periodically update routing tables, stored at each router
• Router: decides “which way” to send the packet
• Protocol types:
– Reachability
– Distance vector
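The two jobs on this slide, the per-packet “which way” lookup and the building of the table that lookup consults, as an added example that is not part of the slides. The forwarding table uses longest-prefix matching, and the table-building routine is the Bellman-Ford neighbour exchange behind distance-vector protocols. All prefixes, next hops, interface names and link costs are constructed for the demonstration.

```python
"""Added example (not part of the slides): a toy router with a
longest-prefix-match forwarding table and a distance-vector route
computation.  All addresses, interfaces and link costs are constructed."""
import ipaddress


class ForwardingTable:
    """The router's 'which way' decision: pick the most specific matching prefix."""

    def __init__(self):
        self.routes = []  # (network, next_hop, interface)

    def add(self, prefix, next_hop, iface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, iface))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, next_hop, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        # No match and no default route: the packet is undeliverable and is dropped
        return None if best is None else (best[1], best[2])


def distance_vector(links):
    """Compute every node's routing table by repeated neighbour exchange
    (the Bellman-Ford iteration behind distance-vector protocols).

    links: iterable of (a, b, cost) undirected links.
    Returns {node: {destination: (cost, next_hop)}}.

    Caveat: nothing here authenticates an advertised vector.  A neighbour
    that advertises a false low cost pulls traffic towards itself, which
    is why routing protocols are deployed with peer authentication and
    prefix filters."""
    cost = {}
    for a, b, c in links:
        cost.setdefault(a, {})[b] = c
        cost.setdefault(b, {})[a] = c
    # Initial vectors: self at cost 0, direct neighbours at link cost
    dist = {n: {n: (0, n)} for n in cost}
    for a in cost:
        for b, c in cost[a].items():
            dist[a][b] = (c, b)
    changed = True
    while changed:  # iterate to convergence
        changed = False
        for a in cost:
            for b, c_ab in cost[a].items():  # a receives b's current vector
                for d, (c_bd, _) in list(dist[b].items()):
                    if d not in dist[a] or c_ab + c_bd < dist[a][d][0]:
                        dist[a][d] = (c_ab + c_bd, b)
                        changed = True
    return dist


def build_demo_table():
    """Constructed table: two internal prefixes, one more specific, plus a default."""
    table = ForwardingTable()
    table.add("10.0.0.0/8", "192.0.2.1", "eth1")
    table.add("10.1.0.0/16", "192.0.2.2", "eth2")   # more specific, wins for 10.1.x.x
    table.add("0.0.0.0/0", "198.51.100.1", "eth0")  # default route
    return table


if __name__ == "__main__":
    table = build_demo_table()
    for dst in ("10.1.2.3", "10.2.0.1", "203.0.113.7"):
        print(dst, "->", table.lookup(dst))
    for node, vector in distance_vector([("A", "B", 1), ("B", "C", 2), ("A", "C", 5)]).items():
        print(node, vector)
```

The lookup shows why a more specific prefix injected into a table silently captures traffic: 10.1.2.3 goes to eth2 even though the /8 also matches. The distance-vector routine converges for the three-node example in one round, with both A and C learning that the cheapest path to each other runs via B.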
The Domain Name System
Each system connected to the Internet also has one or more logical (domain) names.
Unlike IP addresses, domain names carry no routing information - they are organized based on administrative units
There are no limitations on the mapping from domain names to IP addresses (one name may map to several addresses, and several names to one address)
Domain Name Resolution
Domain Name Resolution: looking up a logical name and finding the corresponding IP address
There is a hierarchy of domain name servers
Each client system uses one domain name server, which in turn queries up and down the hierarchy to find the address
If your server does not know the address, it goes up the hierarchy, possibly to the top, and works its way back down
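The walk down the hierarchy described above, as an added example that is not part of the slides: a resolver starts at the root, follows each referral to the next server, caches the final answer, and gives up on a bounded number of hops. The server addresses, zone contents, server names and the queried domain are all constructed; real servers are not contacted.

```python
"""Added example (not part of the slides): iterative name resolution over a
constructed, in-memory server hierarchy.  Server addresses, zone contents
and the domain name are all made up for the demonstration."""

ROOT_HINT = "198.41.0.4"  # constructed address of the root server

# Constructed zone data.  Each server knows the records of the zone it is
# authoritative for: A records for names, NS records for delegated child
# zones, and 'glue' A records giving the child name servers' addresses.
SERVERS = {
    "198.41.0.4": {  # root server: delegates "com."
        "com.": ("NS", "a.com-servers.test."),
        "a.com-servers.test.": ("A", "192.0.2.1"),
    },
    "192.0.2.1": {  # "com." server: delegates "example.com."
        "example.com.": ("NS", "ns1.example.com."),
        "ns1.example.com.": ("A", "192.0.2.2"),
    },
    "192.0.2.2": {  # "example.com." authoritative server
        "www.example.com.": ("A", "203.0.113.10"),
        "ns1.example.com.": ("A", "192.0.2.2"),
    },
}


def query(server, name):
    """One question to one server.  Returns ('answer', ip),
    ('referral', next_server_ip) or ('nxdomain', None)."""
    records = SERVERS[server]
    rec = records.get(name)
    if rec and rec[0] == "A":
        return "answer", rec[1]
    # Otherwise refer the client to the closest enclosing delegation we know
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        zone = ".".join(labels[i:])
        deleg = records.get(zone)
        if deleg and deleg[0] == "NS":
            glue = records.get(deleg[1])
            if glue and glue[0] == "A":
                return "referral", glue[1]
    return "nxdomain", None


class Resolver:
    """The client's name server: starts at the root, follows referrals
    down the hierarchy, and caches answers so later queries skip the walk."""

    def __init__(self, max_hops=8):
        self.cache = {}
        self.max_hops = max_hops

    def resolve(self, name):
        """Returns (ip_or_None, path) where path lists (server, reply_kind)."""
        if not name.endswith("."):
            name += "."
        if name in self.cache:
            return self.cache[name], [("cache", "answer")]
        server, path = ROOT_HINT, []
        for _ in range(self.max_hops):  # bound the walk so a referral loop cannot hang us
            kind, value = query(server, name)
            path.append((server, kind))
            if kind == "answer":
                # Plain DNS gives the client no way to verify that this value came
                # from the legitimate server; DNSSEC adds signatures for that.
                self.cache[name] = value
                return value, path
            if kind == "nxdomain":
                return None, path
            server = value
        raise RuntimeError("too many referrals resolving " + name)


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com"))   # walks root -> com -> example.com
    print(r.resolve("www.example.com"))   # served from cache
    print(r.resolve("nope.example.com"))  # walks down, ends in nxdomain
```

The path returned with each answer makes the "up to the top and back down" behaviour visible: three servers for the first lookup, none for the second. The resolver accepts whatever the referred-to server returns, which is the property DNSSEC was added to address.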
Transport Layer
Provides services to the application layer
Services:
– Connection-oriented or connectionless transport
– Reliable or unreliable transport
– Security (authenticity, confidentiality, integrity)
Application has to choose the services it requires from the transport layer
Not every combination is offered, e.g., TCP/IP has no connectionless reliable transport: UDP is connectionless and unreliable, TCP is connection-oriented and reliable
Application Layer
Provides services for an application to send and receive data over the network, e.g., telnet (port 23), mail/SMTP (port 25), finger (port 79)
Interface to the transport layer
– Operating system dependent
– Socket interface
Communication Between Layers
Host A                         Router              Router              Host B
Application layer ......................................................... Application layer
Transport layer ........................................................... Transport layer
Network layer     <-->  Network layer   <-->  Network layer   <-->  Network layer
Data Link layer   <-->  Data Link layer <-->  Data Link layer <-->  Data Link layer
Application data is handed down the stack on Host A: it becomes the transport payload (transport header added), then the network payload (IP header added), then the data link payload (frame header added)
Routers only process the data link and network layers: they forward on the IP header and never look at the transport header or the application data
On Host B each layer strips its own header and hands the payload up to the layer above
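The encapsulation pictured above, as an added example that is not part of the slides: application data is wrapped in a UDP header and then an IPv4 header, a router touches only the IP header (TTL and checksum), and the receiving host peels the headers off again while checking the fields each header lets it check. Addresses, ports and the payload are constructed; the data link frame around the packet is omitted.

```python
"""Added example (not part of the slides): encapsulation of application data
into a UDP segment and an IPv4 packet, the per-hop work a router does on the
IP header, and decapsulation on the receiving host.  Addresses, ports and the
payload are constructed; the Ethernet frame around the packet is omitted."""
import struct

# version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
IP_HDR = "!BBHHHBBH4s4s"
PROTO_UDP = 17


def checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def udp_segment(sport, dport, payload):
    """Transport layer: 8-byte UDP header + application data.
    The UDP checksum is optional over IPv4; 0 means 'not computed'."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_packet(src, dst, segment, ttl=64, ident=0x1234):
    """Network layer: 20-byte IPv4 header (no options) + transport segment."""
    hdr = struct.pack(IP_HDR, (4 << 4) | 5, 0, 20 + len(segment), ident, 0,
                      ttl, PROTO_UDP, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + segment


def encapsulate(src, dst, sport, dport, app_data):
    return ipv4_packet(src, dst, udp_segment(sport, dport, app_data))


def router_hop(packet):
    """What a router does: checks and rewrites only the IP header (TTL, checksum)
    and never looks inside the transport segment."""
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum: drop")
    ttl = packet[8]
    if ttl <= 1:
        raise ValueError("TTL exceeded: drop and send ICMP Time Exceeded")
    hdr = bytearray(packet[:ihl])
    hdr[8] = ttl - 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def decapsulate(packet):
    """Receiving host: strip headers layer by layer, checking what each header allows."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("inconsistent IP lengths")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    packet = packet[:total_len]  # ignore link-layer padding beyond the declared length
    if proto != PROTO_UDP:
        raise ValueError("unexpected protocol %d" % proto)
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if ulen < 8 or ulen != total_len - ihl:
        raise ValueError("inconsistent UDP length")
    # The checksum only detects accidental corruption: anyone on the path can
    # rewrite any field and recompute it.  Integrity against tampering needs
    # protection at some layer (IPsec, TLS, or the application), as discussed next.
    return {"src": ip_str(src), "dst": ip_str(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "data": packet[ihl + 8:ihl + ulen]}


if __name__ == "__main__":
    pkt = encapsulate("192.0.2.10", "198.51.100.5", 40000, 53, b"hello")
    print(pkt.hex())
    print(decapsulate(router_hop(pkt)))
```

Running the packet through `router_hop` and then `decapsulate` shows the division of labour on the slide: the TTL drops to 63 and the checksum is recomputed, while the UDP header and payload come out byte-for-byte unchanged. Flipping a header byte without recomputing the checksum makes the receiver drop the packet, and a TTL of 1 makes the router drop it.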
Security -- At What Level?
Secure traffic at various levels in the network
Where to implement security? -- Depends on the
security requirements of the application and the
user
Basic services that need to be implemented:
Key management
Confidentiality
Nonrepudiation
Integrity/authentication
Authorization
Network Access Layer Security
Dedicated link between hosts/routers: hardware devices encrypt the link
Advantages:
– Speed
Disadvantages:
– Not scalable
– Works well only on dedicated links
– The two hardware devices need to be physically connected
Internetwork Layer Security
IP Security (IPsec)
Advantages:
– Overhead involved with key negotiation decreases <-- multiple protocols can share the same key management infrastructure
– Ability to build VPNs and intranets
Disadvantages:
– Difficult to handle fine-grained security, e.g., nonrepudiation, user-based security (security associations are between hosts or gateways, not users)
Transport Layer Security
Advantages:
– Does not require enhancement to each application
Disadvantages:
– Implemented on end systems
– Obtaining user context gets complicated
– Protocol specific --> needs to be duplicated for each transport protocol
– Needs to maintain context for the connection (at the time of these slides not implemented for UDP; DTLS later filled that gap)
Application Layer Security
Advantages:
– Executes in the context of the user --> easy access to the user’s credentials
– Complete access to data --> easier to ensure nonrepudiation
– Application can be extended to provide security (does not depend on the operating system)
– Application understands the data --> security can be fine-tuned
Disadvantages:
– Implemented in end hosts
– Security mechanisms have to be implemented for each application -->
– expensive
– greater probability of making a mistake
Application Example
E-mail client using PGP
Extended capabilities
– Ability to look up public keys of the users
– Ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages