The Application Layers: On Demand Lecture (Part I)
ON DEMAND LECTURE (PART I)
Dr. Nawaporn Wisitpongphan
ON-DEMAND OUTLINE
Transition
from IPv4 to IPv6
NAT & IP Tunnel
VPN
Overlay Networks
VoIP
Network Management
4TO6
IPV4 TO IPV6 MIGRATION
Interoperability is necessary for gradual deployment
Solution #1: Dual Stack Operation
IPv6 nodes also support IPv4 (IPv6/IPv4 nodes)
Use IPv4 datagrams with IPv4 nodes
If any node along the path is an IPv4-only node, the IPv6-specific header information is lost there.
IPV4 TO IPV6 MIGRATION: TUNNELING
Solution #2: Tunneling
TUNNELING
HOW DOES TUNNELING WORK?
What is a tunnel?
A virtual link between two network nodes
How does it work?
Encapsulate the IPv6 datagram in an IPv4 datagram
The whole IPv6 packet goes into the payload of the IPv4 packet
Create the IPv4 header from the info in the IPv6 header
IPv4 nodes along the path will not be aware of the encapsulated IPv6 packet
The IPv6 receiver has to determine whether there is an IPv6 datagram inside the IPv4 packet it received (the IPv4 protocol field, 41 for IPv6, tells it)
NATS AND TUNNELS
NATs originally invented as a way to help
migrate to a hybrid IPv4 IPv6 world
Took on a life of their own
May have substantially delayed IPv6 deployment by
reducing address pressure!
You probably encounter them every day
Tunnels: Coming up after NATs.
NETWORK ADDRESS TRANSLATION
NAT maps (private source IP, source port) onto
(public source IP, unique source port)
reverse mapping on the way back
destination host does not know that this process is happening
Very simple working solution.
NAT functionality fits well with firewalls
[Figure: NAT translation. Outbound from A: src (Priv A IP, A Port), dst (B IP, B Port) is rewritten to src (Publ A IP, A Port'), dst (B IP, B Port). Reply from B: dst (Publ A IP, A Port') is mapped back to (Priv A IP, A Port).]
TYPES OF NATS
Bi-directional NAT: 1 to 1 mapping between internal and external addresses.
E.g., 128.237.0.0/16 -> 10.12.0.0/16
External hosts can directly contact internal hosts
Why we use it?
Flexibility. Change providers, don't change internal addrs.
Need as many external addresses as the number of hosts
"Traditional" NAT: Unidirectional
Basic NAT: Pool of external addresses
Translate source IP address (+checksum, etc.) only
Network Address Port Translation (NAPT): What most of us use
Also translate ports.
E.g., flows from 10.0.0.5 port 5555 and from 128.237.233.137 port 5931 that both go to 18.31.0.114 port 22 are told apart by the distinct external source ports the NAT assigns to them
Lets you share a single IP address among multiple computers
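The NAPT mapping described on this slide, as an added example (not code from the lecture): a translation table that rewrites (private IP, port) to (public IP, port') on the way out and reverses it on the way back, including the case of two inside hosts talking to the same server. The internal and server addresses are the ones on the slide; the public address 198.51.100.1, the port pool and the class names are assumptions.

```python
"""Toy NAPT (port-translating NAT).  Added example, not code from the slides.
Addresses 10.0.0.5, 128.237.233.137 and 18.31.0.114 come from the slide; the
public address 198.51.100.1 and the port pool starting at 40000 are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    """The 4-tuple a NAPT looks at (checksums omitted; a real NAT fixes them too)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Tuple[str, int], int] = {}   # (priv ip, priv port) -> port'
        self.back: Dict[int, Tuple[str, int]] = {}  # port' -> (priv ip, priv port)

    def outbound(self, p: Pkt) -> Pkt:
        """Inside -> outside: rewrite the source to (public ip, unique port')."""
        key = (p.src_ip, p.src_port)
        if key not in self.out:
            # Allocate a fresh external port so two inside hosts talking to the
            # same server (even from the same source port) stay distinguishable.
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[port] = key
        return Pkt(self.public_ip, self.out[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        """Outside -> inside: reverse the mapping, or drop when there is none.
        Dropping unsolicited packets is the 'firewall' side effect of NAPT."""
        if p.dst_ip != self.public_ip:
            return None
        key = self.back.get(p.dst_port)
        if key is None:
            return None
        priv_ip, priv_port = key
        return Pkt(p.src_ip, p.src_port, priv_ip, priv_port)


def demo() -> dict:
    """Two inside hosts open SSH sessions to the same server, as on the slide."""
    nat = Napt("198.51.100.1")
    a = nat.outbound(Pkt("10.0.0.5", 5555, "18.31.0.114", 22))
    b = nat.outbound(Pkt("128.237.233.137", 5931, "18.31.0.114", 22))
    # The server replies to the translated tuple; the NAT maps it back.
    reply_to_b = nat.inbound(Pkt("18.31.0.114", 22, "198.51.100.1", b.src_port))
    # An unsolicited inbound packet hits no mapping and is dropped.
    unsolicited = nat.inbound(Pkt("203.0.113.9", 1234, "198.51.100.1", 40099))
    return {"a": a, "b": b, "reply_to_b": reply_to_b, "unsolicited": unsolicited}
```

Note what the table does not do: it keeps no timers, so mappings never expire, and it does not rewrite the TCP/UDP checksum or the IP header checksum, both of which a real NAPT must recompute after changing the source tuple.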
TUNNELING
Force a packet to go to a specific point in the network.
Path taken is different from the regular routing
Achieved by adding an extra IP header to the packet with a new destination address.
Similar to putting a letter in another envelope
Preferable to using the IP source routing option
Used increasingly to deal with special routing requirements or new features.
Mobile IP, ..
Multicast, IPv6, research, ..
[Figure: the original packet (header IP1, Data) is prepended with a second header IP2, giving IP2 | IP1 | Data.]
IP-IN-IP TUNNELING
Described in RFC 2003 (IP Encapsulation within IP).
IP source and destination address of the outer header identify the tunnel endpoints (Tunnel Entry IP, Tunnel Exit IP).
Protocol id = 4.
Several outer-header fields are copies of the inner IP header: TOS, some flags (DF), ..
Inner header is not modified, except for decrementing TTL.
[Figure: outer IPv4 header (V/HL, TOS, Length, ID, Flags/Offset, TTL, Prot. = 4, H. Checksum, Tunnel Entry IP, Tunnel Exit IP) in front of the unchanged inner IPv4 header (V/HL, TOS, Length, ID, Flags/Offset, TTL, Prot., H. Checksum, Source IP address, Destination IP address) and the Payload.]
TUNNELING EXAMPLE
[Figure: hosts A through K in a row, with a tunnel between C and F. A sends "A->K | Payload". At the tunnel entry C the packet becomes "C->F | A->K | Payload"; the routers between C and F forward on the C->F header only. At the tunnel exit F the outer header is removed and "A->K | Payload" continues toward K by normal routing.]
TUNNELING CONSIDERATIONS
Performance.
Tunneling adds (of course) processing overhead
Tunneling increases the packet length, which may cause fragmentation
BIG hit in performance in most systems
Tunneling in effect reduces the MTU of the path, but end-points often do not know this
Security issues.
Should verify both inner and outer header
E.g., a classic flaw: send an IP-in-IP packet to a host whose inner packet claims to come from a "trusted" host; if only the inner header is checked, the firewall's source-address rules are bypassed.
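Added example (not the lecture's code) covering the IP-in-IP format above and the "verify both headers" point: a tunnel entry that builds the RFC 2003 outer header (protocol 4, TOS and DF copied, inner TTL decremented) and a tunnel exit that accepts a packet only if the outer source is a configured peer and the inner source lies in the prefix that peer is allowed to originate. The addresses, the peer table and the function names are assumptions; the IPv6-in-IPv4 case from the start of the lecture differs only in the outer protocol number (41) and in parsing the inner packet as IPv6.

```python
"""IP-in-IP (RFC 2003, protocol 4) encapsulation plus a decapsulator that checks
both headers.  Added example, not the lecture's code; addresses, the peer
table and the 'allowed inner prefix' policy are assumptions."""
import ipaddress
import struct
from typing import Dict

IPPROTO_IPIP = 4             # outer protocol field for IPv4-in-IPv4
IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte header without options


def checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum; yields 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               tos: int = 0, ttl: int = 64, df: bool = False) -> bytes:
    flags_frag = 0x4000 if df else 0
    hdr = struct.pack(IPV4_HDR, 0x45, tos, 20 + len(payload), 0, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 packet")
    (ver_ihl, tos, total, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total > len(pkt) or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"tos": tos, "df": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total]}


def encapsulate(inner: bytes, entry: str, exit_: str, outer_ttl: int = 64) -> bytes:
    """Tunnel entry.  Inner header untouched except TTL-1 (and its checksum);
    the outer header copies TOS and DF from the inner one, protocol 4."""
    h = parse_ipv4(inner)
    if h["ttl"] <= 1:
        raise ValueError("inner TTL expired")
    pkt = bytearray(inner)          # assumes a 20-byte inner header (no options)
    pkt[8] -= 1
    pkt[10:12] = b"\0\0"
    pkt[10:12] = struct.pack("!H", checksum(bytes(pkt[:20])))
    return build_ipv4(entry, exit_, IPPROTO_IPIP, bytes(pkt),
                      tos=h["tos"], ttl=outer_ttl, df=h["df"])


def decapsulate(pkt: bytes, my_ip: str, peers: Dict[str, str]) -> bytes:
    """Tunnel exit.  `peers` maps each configured tunnel-entry address to the
    prefix that peer may originate from.  Checking BOTH headers is what the
    'bypass firewalls' flaw lacked: an outsider who sends an IP-in-IP packet
    whose inner source claims a trusted address is refused here."""
    outer = parse_ipv4(pkt)
    if outer["dst"] != my_ip or outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this endpoint")
    if outer["src"] not in peers:
        raise ValueError("outer source %s is not a configured tunnel endpoint" % outer["src"])
    inner_pkt = outer["payload"]
    inner = parse_ipv4(inner_pkt)
    if ipaddress.IPv4Address(inner["src"]) not in ipaddress.IPv4Network(peers[outer["src"]]):
        raise ValueError("inner source %s not allowed from %s" % (inner["src"], outer["src"]))
    return inner_pkt


def demo() -> dict:
    """Branch 10.1.0.0/16 behind entry 192.0.2.1 talks to hub host 10.2.0.7 at
    exit 198.51.100.2; then two spoofing attempts are run against the exit."""
    peers = {"192.0.2.1": "10.1.0.0/16"}
    inner = build_ipv4("10.1.0.5", "10.2.0.7", 17, b"hello", ttl=64)
    tunneled = encapsulate(inner, "192.0.2.1", "198.51.100.2")
    delivered = parse_ipv4(decapsulate(tunneled, "198.51.100.2", peers))
    spoof = build_ipv4("10.2.0.1", "10.2.0.7", 17, b"evil")   # claims a hub address
    results = {}
    for name, p in [("unknown_peer", encapsulate(spoof, "203.0.113.9", "198.51.100.2")),
                    ("spoofed_inner", encapsulate(spoof, "192.0.2.1", "198.51.100.2"))]:
        try:
            decapsulate(p, "198.51.100.2", peers)
            results[name] = "accepted"
        except ValueError:
            results[name] = "dropped"
    results.update(outer_len=len(tunneled), inner_ttl=delivered["ttl"],
                   inner_src=delivered["src"], payload=delivered["payload"])
    return results
```

The peer table is doing the work of an IPsec selector or a strict uRPF check on the tunnel interface; without it the outer header proves nothing, because anyone on the Internet can address a protocol-4 packet to the tunnel exit. Note also that the outer header adds 20 bytes, which is the MTU reduction the performance bullet warns about.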
TUNNELING APPLICATIONS
Virtual private networks.
Connect subnets of a corporation using IP tunnels
Often combined with IPsec
Entire IP packet is encrypted and/or authenticated before being encapsulated
Support for new or unusual protocols.
Routers that support the protocols use tunnels to "bypass" routers that do not support it
E.g. multicast
Force packets to follow non-standard routes.
Routing is based on the outer header
E.g. mobile IP
VPN
WHAT IS VPN?
Virtual Private Network is a type of
private network that uses public
telecommunication, such as the Internet,
instead of leased lines to communicate.
Became popular as more employees
worked in remote locations.
Terminologies to understand how VPNs
work.
TRADITIONAL CONNECTIVITY
[From Gartner Consulting]
PRIVATE NETWORKS VS. VIRTUAL PRIVATE NETWORKS
Employees can access the network (Intranet) from remote locations.
Secured networks.
The Internet is used as the backbone for VPNs.
Saves cost tremendously from reduction of equipment and maintenance costs.
Scalability
REMOTE ACCESS VIRTUAL
PRIVATE NETWORK
(From Gartner Consulting)
BRIEF OVERVIEW OF HOW IT
WORKS
Two connections – one is made to the Internet
and the second is made to the VPN.
Datagrams – contains data, destination and
source information.
Firewalls – VPNs allow authorized users to pass
through the firewalls.
Protocols – protocols create the VPN tunnels.
FOUR CRITICAL FUNCTIONS
Authentication – validates that the data was sent from the claimed sender.
Access control – keeps unauthorized users from accessing the network.
Confidentiality – prevents the data from being read or copied while it is being transported.
Data Integrity – ensures that the data has not been altered.
ENCRYPTION
Encryption -- is a method of “scrambling” data
before transmitting it onto the Internet.
Public Key Encryption Technique
Digital signature – for authentication
TUNNELING
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
[Figure: Data Encapsulation, from Comer. The Original Datagram is encrypted to form the Encrypted Inner Datagram, which is carried as the Data Area of an outer datagram behind a new Datagram Header.]
Two types of end points:
Remote Access
Site-to-Site
FOUR PROTOCOLS USED IN VPN
PPTP -- Point-to-Point Tunneling Protocol
L2TP -- Layer 2 Tunneling Protocol
IPsec -- Internet Protocol Security
SOCKS – is not used as much as the ones above
VPN ENCAPSULATION OF PACKETS
TYPES OF IMPLEMENTATIONS
What does “implementation” mean in VPNs?
3 types
Intranet – Within an organization
Extranet – Outside an organization
Remote Access – Employee to Business
VIRTUAL PRIVATE NETWORKS (VPN)
BASIC ARCHITECTURE
DEVICE TYPES: HARDWARE
Usually a VPN type of router
Pros
• Highest network throughput
• Plug and Play
• Dual-purpose
Cons
• Cost
• Lack of flexibility
DEVICE TYPES: FIREWALL
More security?
Pros
• "Hardened" Operating System
• Tri-purpose
• Cost-effective
Cons
• Still relatively costly
DEVICE TYPES: SOFTWARE
Ideal for 2 end points not in same org.
Great when different firewalls implemented
Pros
• Flexible
• Low relative cost
Cons
• Lack of efficiency
• More labor training required
• Lower productivity; higher labor costs
ADVANTAGES VS. DISADVANTAGES
ADVANTAGES: COST SAVINGS
Cost Saving
Eliminating the need for expensive long-distance leased lines
Reducing the long-distance telephone charges for remote access.
Transferring the support burden to the service providers
Operational costs
Scalability
Flexibility of growth
CISCO VPN SAVINGS CALCULATOR
DISADVANTAGES
VPNs require an in-depth understanding of
public network security issues and proper
deployment of precautions
Availability and performance depends on
factors largely outside of their control
Immature standards
VPNs need to accommodate protocols other
than IP and existing internal network
technology
APPLICATIONS: SITE-TO-SITE
VPNS
Large-scale encryption between multiple fixed
sites such as remote offices and central offices
Network traffic is sent over the branch office
Internet connection
This saves the company hardware and
management expenses
SITE-TO-SITE VPNS
APPLICATIONS: REMOTE ACCESS
Encrypted
connections between mobile or
remote users and their corporate networks
Remote user can make a local call to an ISP, as
opposed to a long distance call to the corporate
remote access server.
Ideal for a telecommuter or mobile sales
people.
VPN allows mobile workers & telecommuters
to take advantage of broadband connectivity.
i.e. DSL, Cable
INDUSTRIES THAT MAY USE A VPN
Healthcare: enables the transferring of confidential patient
information within the medical facilities & health care provider
Manufacturing: allow suppliers to view inventory & allow clients
to purchase online safely
Retail: able to securely transfer sales data or customer info
between stores & the headquarters
Banking/Financial: enables account information to be
transferred safely within departments & branches
General Business: communication between remote employees
can be securely exchanged
STATISTICS FROM GARTNER-CONSULTING*
[Chart: % of respondents using a VPN for each purpose. Remote access for employees working out of homes: 90%. Remote access for employees while traveling: 79%. Site-to-site connectivity between offices: 63%. Access to network for business partners/customers: 50%.]
*Source: www.cisco.com
WHERE DO WE SEE VPNS GOING IN
THE FUTURE?
VPNs are continually being enhanced.
Example: Equant NV
As the VPN market becomes larger, more applications
will be created along with more VPN providers and
new VPN types.
Networks are expected to converge to create an
integrated VPN
Improved protocols are expected, which will also
improve VPNs.
OVERLAY
NETWORKS
OVERLAY NETWORKS
A network “on top of the network”.
E.g., initial Internet deployment
Tunnels between nodes on a current network
Examples:
Internet routers connected via phone lines
An overlay on the phone network
The IPv6 “6bone”, the multicast “Mbone” (“multicast
backbone”).
But not limited to IP-layer protocols…
Can do some pretty cool stuff:
OVERLAY NETWORKS: APPLICATIONS
Application Layer multicast : Transmit data
stream to multiple recipients
Peer-to-Peer networks
Anonymizing overlays
Route data through lots of peers to hide source
The Onion Router (users can communicate anonymously)
Messages are repeatedly encrypted and sent through several
onion routers
Each onion router removes a layer of encryption to uncover
routing instructions, and sends the message to the next router
where this is repeated
Design Question: When are overlays good?
Functionality between small(er) group of people w/out requiring global
state/changes/etc.
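The onion-router layering described above, as an added example (not the lecture's code): the sender wraps the message in one layer per router, and each router strips exactly one layer, learning only the next hop. The per-layer cipher here is a stdlib-only stand-in (an HMAC-SHA256 keystream with an HMAC tag) so the block runs without third-party packages; Tor uses real AEAD over TLS and fixed-size cells. Router names and keys are constructed.

```python
"""Onion layering: one encryption layer per router, peeled one hop at a time.
Added example, not the lecture's code.  seal()/open_layer() are a TOY cipher
(HMAC-SHA256 keystream + HMAC tag) standing in for a real AEAD."""
import hashlib
import hmac
import os
from typing import List, Tuple

NONCE, TAG, HOP = 16, 32, 16   # byte sizes; the next-hop field is padded to HOP bytes


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer (toy construction, see module docstring)."""
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_layer(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not my layer (bad tag)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(route: List[Tuple[str, bytes]], message: bytes) -> bytes:
    """Wrap from the exit inward: layer_i = seal(key_i, next_hop_i || layer_{i+1})."""
    blob, next_hop = message, b"EXIT"
    for name, key in reversed(route):
        blob = seal(key, next_hop.ljust(HOP, b"\0") + blob)
        next_hop = name.encode()
    return blob


def peel(key: bytes, onion: bytes) -> Tuple[str, bytes]:
    """What one router does: remove its layer, read the next hop, pass the rest on."""
    inner = open_layer(key, onion)
    return inner[:HOP].rstrip(b"\0").decode(), inner[HOP:]


def demo() -> dict:
    route = [("R1", os.urandom(32)), ("R2", os.urandom(32)), ("R3", os.urandom(32))]
    onion = build_onion(route, b"hello")
    hops, blob = [], onion
    for _name, key in route:          # each router holds only its own key
        nxt, blob = peel(key, blob)
        hops.append(nxt)
    # R2 cannot open the layer addressed to R1: the tag check fails.
    try:
        peel(route[1][1], onion)
        r2_peels_r1 = True
    except ValueError:
        r2_peels_r1 = False
    return {"hops": hops, "message": blob, "r2_peels_r1_layer": r2_peels_r1,
            "bytes_per_layer": NONCE + HOP + TAG}
```

Each layer adds a fixed 64 bytes here, so an observer watching the blob shrink hop by hop could tell how deep in the route a router sits; that is one reason Tor carries traffic in fixed-size cells rather than nested blobs of decreasing length.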
ONION ROUTER
MULTIPROTOCOL LABEL SWITCHING
WHAT IS MPLS?
Protocol that directs/carries data from one network
node to the next
Create “virtual links” between distant nodes
End-to-End circuit across any type of transport medium,
using any protocol
Eliminate dependency on link layer technology, e.g., ATM,
Frame Relay, SONET, or Ethernet, etc.
Provide connection-oriented services for variable-length
frames
Encapsulate packets of various network protocols
Routing?
Data packets are assigned labels
Based on the contents in the label (no need to examine the
packet itself)
Application:
Can be used to create VPN (MPLS VPN)
BASIC MODEL FOR MPLS NETWORK
[Figure: IP traffic from the Internet enters at an LER, crosses a core of LSRs that switch on MPLS labels, and leaves as IP through another LER.]
LSR = Label Switched Router
LER = Label Edge Router
MPLS VS VPN
NEED FOR MULTIPROTOCOL LABEL SWITCHING (MPLS)
Forwarding function of a conventional router
a capacity-demanding procedure (longest-prefix lookup on every packet)
constitutes a bottleneck as line speed increases
MPLS simplifies the forwarding function
a connection-oriented mechanism inside connectionless IP networks
LABEL SWITCHING
Decomposition of network layer routing into control and forwarding components
Label switching forwarding component algorithm uses
Forwarding table
Label carried in the packet
What is a label? A short, fixed-length entity (32 bits per stack entry):
A 20-bit label value.
A 3-bit Traffic Class field for QoS (Quality of Service) priority (formerly the experimental field) and ECN (Explicit Congestion Notification).
A 1-bit bottom-of-stack flag. If this is set, it signifies that the current label is the last in the stack.
An 8-bit TTL (Time to Live) field
MPLS BASICS
A Label Switched Path (LSP) is set up for each route
An LSP for a particular packet P is a sequence of routers,
<R1, R2, ..., Rn>
such that for all i, 1 <= i < n: Ri transmits P to R[i+1] by means of a label
Edge routers
Analyze the IP header to decide which LSP to use
Add the corresponding local Label Switched Path identifier, in the form of a label
Forward the packet to the next hop
MPLS BASICS CONTD..
Subsequent nodes
just forward the packet along the LSP
simplify the forwarding function greatly
increase performance and scalability dramatically
New advanced functionality for QoS, differentiated services can be introduced in the edge routers
Backbone can focus on capacity and performance
Routing information obtained using a common intra-domain routing protocol such as OSPF
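Added example (not the lecture's code) for the label format and the LSP forwarding described above: packing and parsing the 32-bit label stack entry, a label edge router that classifies on the IP destination once and pushes a label, and label switched routers that swap or pop on the top label alone. The prefixes, label numbers and next-hop names are assumptions.

```python
"""MPLS label stack entries (20-bit label, 3-bit TC, 1-bit S, 8-bit TTL), a
pushing LER and swapping/popping LSRs.  Added example, not the lecture's code;
prefixes, labels and next-hop names are assumed."""
import ipaddress
import struct
from typing import Dict, List, Tuple


def pack_entry(label: int, tc: int, s: int, ttl: int) -> bytes:
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_stack(frame: bytes) -> Tuple[List[dict], bytes]:
    """Walk entries until the bottom-of-stack bit; return them and the payload."""
    entries, off = [], 0
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated label stack")
        (w,) = struct.unpack("!I", frame[off:off + 4])
        e = {"label": w >> 12, "tc": (w >> 9) & 7, "s": (w >> 8) & 1, "ttl": w & 0xFF}
        entries.append(e)
        off += 4
        if e["s"]:
            return entries, frame[off:]


class Ler:
    """Edge router: looks at the IP destination once, picks the LSP, pushes a label."""
    def __init__(self, fec_table: Dict[str, Tuple[int, str]]) -> None:
        # prefix -> (label, next hop); longest prefix wins
        self.fecs = sorted(((ipaddress.IPv4Network(p), v) for p, v in fec_table.items()),
                           key=lambda kv: kv[0].prefixlen, reverse=True)

    def push(self, ip_packet: bytes, dst_ip: str, ip_ttl: int) -> Tuple[str, bytes]:
        dst = ipaddress.IPv4Address(dst_ip)
        for net, (label, nh) in self.fecs:
            if dst in net:
                # TTL copied from the IP header so a forwarding loop still dies.
                return nh, pack_entry(label, 0, 1, ip_ttl) + ip_packet
        raise LookupError("no LSP for %s" % dst_ip)


class Lsr:
    """Core router: forwards on the top label only; never looks at the IP header.
    Labels 0-15 are reserved in real MPLS; this toy table does not use them."""
    def __init__(self, ilm: Dict[int, Tuple[str, int, str]]) -> None:
        self.ilm = ilm   # in label -> ("swap" | "pop", out label, next hop)

    def forward(self, frame: bytes) -> Tuple[str, bytes]:
        entries, payload = parse_stack(frame)
        top, rest = entries[0], entries[1:]
        if top["ttl"] <= 1:
            return "drop", b""
        action, out_label, nh = self.ilm[top["label"]]
        ttl = top["ttl"] - 1
        if action == "swap":
            rest = [dict(top, label=out_label, ttl=ttl)] + rest
        elif action == "pop":
            if not rest:                       # bottom of stack: plain IP goes on
                return nh, payload
            rest[0] = dict(rest[0], ttl=ttl)   # carry TTL into the exposed entry
        else:
            raise ValueError(action)
        return nh, b"".join(pack_entry(**e) for e in rest) + payload


def demo() -> dict:
    ler = Ler({"10.0.0.0/8": (100, "lsr1"), "10.20.0.0/16": (110, "lsr1")})
    lsr1 = Lsr({100: ("swap", 200, "lsr2"), 110: ("swap", 210, "lsr2")})
    lsr2 = Lsr({200: ("pop", 0, "egress-ler"), 210: ("pop", 0, "egress-ler")})
    nh1, f1 = ler.push(b"ip-packet-bytes", "10.20.1.1", 64)
    nh2, f2 = lsr1.forward(f1)
    nh3, f3 = lsr2.forward(f2)
    return {"pushed": parse_stack(f1)[0][0], "after_swap": parse_stack(f2)[0][0],
            "hops": [nh1, nh2, nh3], "egress_payload": f3}
```

The second LSR pops the only label before the egress LER (penultimate-hop popping), which is why the egress receives a bare IP packet; the "MPLS VPN" use mentioned earlier relies on a second, inner label that survives this pop and identifies the customer.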
MPLS BENEFITS
Comparing MPLS with existing IP core and IP/ATM technologies, MPLS has many advantages and benefits:
The performance characteristics of layer 2 networks
The connectivity and network services of layer 3 networks
Improves the price/performance of network layer routing
Improved scalability
MPLS BENEFITS CONTD..
Improves the possibilities for traffic engineering
Supports the delivery of services with QoS guarantees
Avoids need for coordination of IP and ATM address allocation and routing information
NETWORK
MANAGEMENT
NETWORK MANAGEMENT
Configuration management
How do I deal with all of these hosts?!
Network monitoring
What the heck is going on on those links?
AUTOCONFIGURATION
Address Space Problem: It's a pain to re-address
IP address, netmask, gateway, hostname, etc., etc.
Affects allocation size, ease of switching ISPs, etc.
Manual Input: Typing by hand: Ugh!
IPv4 option 1: RARP (Reverse ARP)
Data-link protocol
Uses ARP format. New opcodes: "Request reverse", "reply reverse"
Send query: Request-reverse [ether addr], server responds with IP
IPv4 option 2: DHCP
Dynamic Host Configuration Protocol
RARP is fine for assigning an IP, but is very limited
DHCP can provide the kitchen sink
DHCP
DHCPDISCOVER - broadcast
DHCPOFFER
DHCPREQUEST
DHCPACK
DHCPOFFER contains:
IP addressing information
Boot file/server information (for network booting)
DNS name servers
Lots of other stuff - protocol is extensible; half of the options reserved for local site definition and use.
DHCP FEATURES
Lease-based assignment
Clients can renew. Servers really should preserve this information
across client & server reboots.
Provide host configuration information
Not just IP address stuff.
NTP servers, IP config, link layer config,
X window font server (wow)
Use:
Generic config for desktops/dialin/etc.
Assign IP address/etc., from pool
Specific config for particular machines
Central configuration management
IPV6 AUTOCONFIGURATION
Serverless ("Stateless"). No manual config at all.
Only configures addressing items, NOT other host things
If you want that, use DHCP.
Link-local address
1111 1110 10 (the fe80::/10 prefix), 54 zero bits, then a 64-bit interface ID (usually derived from the Ethernet addr): fe80::/64 + interface ID
Uniqueness test ("anyone using this address?")
Router contact (solicit, or wait for announcement)
Contains globally unique prefix
Usually: Concatenate this prefix with local ID -> globally unique IPv6 address
DHCP took some of the wind out of this, but nice for "zeroconf" (many OSes now do this for both v4 and v6)
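The stateless autoconfiguration steps above, as an added example (not the lecture's code): derive the 64-bit interface ID from the Ethernet address (modified EUI-64), form the fe80::/64 link-local address, run a stand-in for the uniqueness test, then concatenate the router-advertised prefix with the same interface ID. The MAC address, the prefix and the "already in use" set are constructed inputs.

```python
"""IPv6 stateless address autoconfiguration steps.  Added example, not the
lecture's code; the MAC, the advertised prefix and the in-use set are
constructed inputs, and dad_ok() stands in for the real Neighbor Solicitation."""
import ipaddress
from typing import Set


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: split in half, insert ff:fe, flip U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02            # universal/local bit is inverted in the interface ID
    return bytes(iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/10 prefix, 54 zero bits, then the 64-bit interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\0" * 6 + modified_eui64(mac))


def from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Concatenate the router-advertised /64 with the local interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with a 64-bit interface ID needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address)
                                 | int.from_bytes(modified_eui64(mac), "big"))


def dad_ok(candidate: ipaddress.IPv6Address, in_use: Set[ipaddress.IPv6Address]) -> bool:
    """Stand-in for Duplicate Address Detection: on a real link the host sends a
    Neighbor Solicitation for the candidate and gives up if anyone answers."""
    return candidate not in in_use


def autoconfigure(mac: str, advertised_prefix: str,
                  in_use: Set[ipaddress.IPv6Address]) -> dict:
    ll = link_local(mac)
    if not dad_ok(ll, in_use):
        raise RuntimeError("link-local address already in use; manual config needed")
    ga = from_prefix(advertised_prefix, mac)
    return {"link_local": str(ll), "global": str(ga), "global_dad_ok": dad_ok(ga, in_use)}
```

Caveat for anyone deploying this: an EUI-64 interface ID embeds the hardware address, so the same host is recognisable on every network it joins. Current stacks default to randomised or stable-but-opaque interface IDs (RFC 4941 temporary addresses, RFC 7217) for that reason; the derivation above is the one the slide describes, not the one you want on a laptop.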
SLIDES FOR FURTHER INTEREST
Management is still not too well defined
Understanding network status, responding
intelligently, etc
Managing configurations
How do you “program” the network?
MANAGEMENT: MONITORING
What to do when there is a problem?
How do you know how busy your network is?
Where are the bottlenecks, is it time for an upgrade, redirect traffic,
..
How can you spot unusual activity?
Loss of connectivity, complaints of slow throughput, ..
Somebody attacking a subnet, ..
These are all hard problems that are typically addressed
using multiple tools, but the ability to monitor network
status is a common requirement.
“Static” information: what is connected to what?
Dynamic information: what is the throughput on that link?
COMMON MONITORING TOOLS
SNMP
Simple Network Management Protocol
Device status
5 minute traffic average on outbound links
Amount of disk space used on server
Number of users logged in to modem bank
Etc.
Device alerts
Line 5 just went down!
Netflow
Detailed traffic monitoring
Break down by protocol/source/etc.
("Who's serving 5 terabytes of Britney Spears photos??")
SIMPLE NETWORK MANAGEMENT
PROTOCOL (SNMP)
Protocol that allows clients to read and write management
information on network elements.
Routers, switches, …
Network element is represented by an SNMP agent
Information is stored in a management information base
(MIB).
Have to standardize the naming, format, and interpretation of each
item of information
Ongoing activity: MIB entries have to be defined as new technologies
are introduced
Different methods of interaction supported.
Query response interaction: SNMP agent answers questions
traps: agent notifies registered clients of events
Need security: authentication and encryption.
MANAGEMENT INFORMATION BASE - MIB
Information is represented in an object tree.
To identify information you specify a path to a leaf
Can extend MIB by adding subtrees
Different standard bodies can expand different subtrees
E.g. Ethernet and ATM groups are independent
Existing standard
How is information stored?
How is information encoded on the wire (transfer syntax)
Uses ASN.1 standard for data representation.
[Figure: MIB object tree. Root branches to ITU-T, ISO and Other (...). Under ISO, the MIB-2 subtree holds the System, Interface, IP, ICMP, TCP, UDP, EGP, ARP, SNMP and other groups.]
WHAT CAN BE MONITORED?
System:
Where the node is located?
How long it has been up?
The system's name?
Interfaces:
Physical Address of each Interface
How many packets have been sent/received?
IP:
Routing table
How many datagrams it has successfully forwarded?
Statistics about datagram reassembly
How many datagrams got dropped? For what reason?
TCP:
The number of passive/active opens?
The number of resets?
The number of timeouts?
Default Timeout settings?
UDP:
Total number of UDP datagrams sent/received
WIRESHARK DEMO
PRESENTATION/REPORT GRADING
SCHEME
Presentation [30 pts]
DO NOT just read from the slides
What it is?
Where do we see this technology?
How does it work?
Challenges/Future
Final Report [30 pts]
Q/A [40 pts]
Questioning your classmates [20 pts]
Answering Questions [20 pts]
*** What you/your friends present WILL BE
in the final!!!!