Transcript Review for final - Computer Science Division

Announcement
 Take-home final
 Final can be picked up in my office (Room
356) starting Monday, 3/14, 10am-11:59am
 Final should be returned by Thursday
3/17, 11:59am
 Closed Book
 One 8.5” by 11” sheet of paper permitted
(single side)
 Cover network layer, data link layer and
network security
Last class
 CDMA and IEEE 802.11 wireless LANs
 Network security
Today
 Network security (cont.)
 Review for final
What is network security?
Confidentiality: only sender, intended receiver
should “understand” message contents
 sender encrypts message
 receiver decrypts message
Authentication: sender, receiver want to confirm
identity of each other
Message Integrity: sender, receiver want to ensure
message content not altered (in transit, or
afterwards) without detection
Access and Availability: services must be accessible
and available to users
The language of cryptography
Alice’s
K encryption
A
key
plaintext
encryption
algorithm
ciphertext
Bob’s
K decryption
B key
decryption plaintext
algorithm
symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key
secret (private)
Public Key Cryptography
symmetric key crypto
 requires sender,
receiver know shared
secret key
 Q: how to agree on key
in first place
(particularly if never
“met”)?
public key cryptography
 radically different
approach [DiffieHellman76, RSA78]
 sender, receiver do
not share secret key
 public encryption key
known to all
 private decryption
key known only to
receiver
Public key cryptography
+ Bob’s public
B key
K
K
plaintext
message, m
encryption ciphertext
algorithm
+
K (m)
B
- Bob’s private
B key
decryption plaintext
algorithm message
+
m = K B(K (m))
B
Public key encryption algorithms
Requirements:
1
2
+
need K ( ) and K - ( ) such that
B
B
- +
K (K (m)) = m
B B
.
.
+
given public key KB , it should be
impossible to compute
private key KB
+
Also, given K (m) and
B
+
B
K (.) it should be impossible to determine m
RSA: Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors
with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z.
(in other words: ed mod z = 1 ).
5. Public key is (n,e). Private key is (n,d).
+
KB
-
KB
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute
e
e
c = m mod n (i.e., remainder when m is divided by n)
2. To decrypt received bit pattern, c, compute
d
m = c d mod n (i.e., remainder when c is divided by n)
Magic
d
m = (m e mod n) mod n
happens!
c
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z.
encrypt:
decrypt:
letter
m
me
l
12
1524832
c
17
d
c
481968572106750915091411825223071697
c = me mod n
17
m = cd mod n letter
12
l
RSA: Why is that
m = (m e mod n)
d
mod n
Useful number theory result: If p,q prime and
n = pq, then:
y
y mod (p-1)(q-1)
x mod n = x
mod n
e
(m mod n) d mod n = medmod n
= m
ed mod (p-1)(q-1)
mod n
(using number theory result above)
1
= m mod n
(since we chose ed to be divisible by
(p-1)(q-1) with remainder 1 )
= m
RSA: another important property
The following property will be very useful later:
-
+
B
B
K (K (m))
+ = m = K (K (m))
B B
use public key
first, followed
by private key
use private key
first, followed
by public key
Result is the same!
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Authentication
Goal: Bob wants Alice to “prove” her identity
to him
Protocol ap1.0: Alice says “I am Alice”
“I am Alice”
Failure scenario??
Authentication
Goal: Bob wants Alice to “prove” her identity
to him
Protocol ap1.0: Alice says “I am Alice”
“I am Alice”
in a network,
Bob can not “see”
Alice, so Trudy simply
declares
herself to be Alice
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet
containing her source IP address
Alice’s
“I am Alice”
IP address
Failure scenario??
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet
containing her source IP address
Alice’s
IP address
Trudy can create
a packet
“spoofing”
“I am Alice”
Alice’s address
Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her
secret password to “prove” it.
Alice’s
Alice’s
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
Failure scenario??
Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her
secret password to “prove” it.
Alice’s
Alice’s
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
playback attack: Trudy
records Alice’s packet
and later
plays it back to Bob
Alice’s
Alice’s
“I’m Alice”
IP addr password
Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her
encrypted secret password to “prove” it.
Alice’s encrypted
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
Failure scenario??
Authentication: another try
Protocol ap3.1: Alice says “I am Alice” and sends her
encrypted secret password to “prove” it.
Alice’s encrypted
“I’m Alice”
IP addr password
Alice’s
IP addr
OK
Alice’s encrypted
“I’m Alice”
IP addr password
record
and
playback
still works!
Authentication: yet another try
Goal: avoid playback attack
Nonce: number (R) used only once –in-a-lifetime
ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice
must return R, encrypted with shared secret key
“I am Alice”
R
KA-B(R)
Failures, drawbacks?
Alice is live, and
only Alice knows
key to encrypt
nonce, so it must
be Alice!
Authentication: ap5.0
ap4.0 requires shared symmetric key
 can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
“I am Alice”
R
Bob computes
+ -
-
K A (R)
“send me your public key”
+
KA
KA(KA (R)) = R
and knows only Alice
could have the private
key, that encrypted R
such that
+ K (K (R)) = R
A A
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
I am Alice
R
I am Alice
R
K (R)
T
K (R)
A
Send me your public key
+
K
T
Send me your public key
+
K
A
- +
m = K (K (m))
A A
+
K (m)
A
Trudy gets
- +
m = K (K (m))
T Alice
sends T
m to
encrypted with
Alice’s public key
+
K (m)
T
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect:
 Bob receives everything that Alice sends, and vice
versa. (e.g., so Bob, Alice can meet one week later and
recall conversation)
 problem is that Trudy receives all messages as well!
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Firewalls
firewall
isolates organization’s internal net from larger
Internet, allowing some packets to pass,
blocking others.
public
Internet
administered
network
firewall
Firewalls: Why
prevent denial of service attacks:
 SYN flooding: attacker establishes many bogus
TCP connections, no resources left for “real”
connections.
prevent illegal modification/access of internal data.
 e.g., attacker replaces CIA’s homepage with
something else
allow only authorized access to inside network (set of
authenticated users/hosts)
two types of firewalls:
 application-level
 packet-filtering
Packet Filtering
Should arriving
packet be allowed
in? Departing packet
let out?
 internal network connected to Internet via
router firewall
 router filters packet-by-packet, decision to
forward/drop packet based on:




source IP address, destination IP address
TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits
Packet Filtering
 Example 1: block incoming and outgoing
datagrams with IP protocol field = 17 and with
either source or dest port = 23.
 All incoming and outgoing UDP flows and telnet
connections are blocked.
 Example 2: Block inbound TCP SYN packets.
 Prevents
external clients from making TCP
connections with internal clients, but allows
internal clients to connect to outside.
Application gateways
 Filters packets on
application data as well
as on IP/TCP/UDP fields.
 Example: allow select
internal users to telnet
outside.
host-to-gateway
telnet session
application
gateway
gateway-to-remote
host telnet session
router and filter
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to
dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating
from gateway.
Limitations of firewalls and gateways
 IP spoofing: router
can’t know if data
“really” comes from
claimed source
 if multiple app’s. need
special treatment, each
has own app. gateway.
 client software must
know how to contact
gateway.

e.g., must set IP address
of proxy in Web
browser
 filters often use all or
nothing policy for UDP.
 tradeoff: degree of
communication with
outside world, level of
security
 many highly protected
sites still suffer from
attacks.
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
Internet security threats
Mapping:
before attacking: “case the joint” – find out
what services are implemented on network
 Use ping to determine what hosts have
addresses on network
 Port-scanning: try to establish TCP connection
to each port in sequence

Countermeasures?
Internet security threats
Mapping: countermeasures
record traffic entering network
 look for suspicious activity (IP addresses, pots
being scanned sequentially)

Internet security threats
Packet sniffing:
broadcast media
 promiscuous NIC reads all packets passing by
 can read all unencrypted data (e.g. passwords)
 e.g.: C sniffs B’s packets

C
A
src:B dest:A
Countermeasures?
payload
B
Internet security threats
Packet sniffing: countermeasures
all hosts in organization run software that
checks periodically if host interface in
promiscuous mode.
 one host per segment of broadcast media
(switched Ethernet at hub)

C
A
src:B dest:A
payload
B
Internet security threats
IP Spoofing:
can generate “raw” IP packets directly from
application, putting any value into IP source
address field
 receiver can’t tell if source is spoofed
 e.g.: C pretends to be B

C
A
src:B dest:A
Countermeasures?
payload
B
Internet security threats
IP Spoofing: ingress filtering
routers should not forward outgoing packets
with invalid source addresses (e.g., datagram
source address not in router’s network)
 great, but ingress filtering can not be mandated
for all networks

C
A
src:B dest:A
payload
B
Internet security threats
Denial of service (DOS):
flood of maliciously generated packets “swamp”
receiver
 Distributed DOS (DDOS): multiple coordinated
sources swamp receiver
 e.g., C and remote host SYN-attack A

C
A
SYN
SYN
SYN
SYN
SYN
B
Countermeasures?
SYN
SYN
Internet security threats
Denial of service (DOS): countermeasures
filter out flooded packets (e.g., SYN) before
reaching host: throw out good with bad
 traceback to source of floods (most likely an
innocent, compromised machine)

C
A
SYN
SYN
SYN
SYN
SYN
B
SYN
SYN
Review (1)
 Network Layer
 Virtual Circuits and Datagram Networks
 Routing Principles
• Link State Algorithm
• Distance Vector Algorithm
 The
•
•
•
•
•
•
Internet (IP) Protocol
IPv4 addressing
Datagram format
IP fragmentation
ICMP: Internet Control Message Protocol
IPv6
NAT: Network Address Translation
Review (2)

Routing in the Internet
•
•
•
•
Hierarchical routing
RIP
OSPF
BGP
 Data link layer
 Introduction and services
 Error detection and correction
 Multiple access protocols
• TDMA/FDMA
• Random Access Protocols
• “Taking Turns” Protocols





Link-Layer Addressing
Ethernet
Hubs and switches
Mobile and wireless networks, CDMA
IEEE 802.11 wireless LANs
Review (3)
 What is network security?
 Principles of cryptography
Symmetric Key
 Public Key

 Authentication
 Protocol evolution
 Access control: firewalls
 Attacks and counter measures
 Packet
sniffing
 IP spoofing
 DoS attacks
Routing Algorithm classification
Global or decentralized
information?
Global:
 all routers have complete
topology, link cost info
 “link state” algorithms
Decentralized:
 router knows physicallyconnected neighbors, link
costs to neighbors
 iterative process of
computation, exchange of
info with neighbors
 “distance vector” algorithms
Static or dynamic?
Static:
 routes change slowly
over time
Dynamic:
 routes change more
quickly
 periodic update
 in response to link
cost changes
Dijsktra’s Algorithm
1 Initialization:
2 N' = {u}
3 for all nodes v
4
if v adjacent to u
5
then D(v) = c(u,v)
6
else D(v) = ∞
7
8 Loop
9 find w not in N' such that D(w) is a minimum
10 add w to N'
11 update D(v) for all v adjacent to w and not in N' :
12
D(v) = min( D(v), D(w) + c(w,v) )
13 /* new cost to v is either old cost to v or known
14 shortest path cost to w plus cost from w to v */
15 until all nodes in N'
Dijkstra’s algorithm: example
Step
0
1
2
3
4
5
N'
u
ux
uxy
uxyv
uxyvw
uxyvwz
D(v),p(v) D(w),p(w)
2,u
5,u
2,u
4,x
2,u
3,y
3,y
D(x),p(x)
1,u
2
u
2
1
x
3
w
3
1
5
1
y
D(z),p(z)
∞
∞
4,y
4,y
4,y
5
v
D(y),p(y)
∞
2,x
2
z
Distance vector algorithm (1)
Basic idea:
 Each node periodically sends its own distance
vector estimate to neighbors
 When a node x receives new DV estimate from
neighbor, it updates its own DV using B-F equation:
Dx(y) ← minv{c(x,v) + Dv(y)}
for each node y ∊ N
 Under minor, natural conditions, the estimate Dx(y)
converge the actual least cost dx(y)
Distance Vector Algorithm (2)
Iterative, asynchronous:
each local iteration caused
by:
 local link cost change
 DV update message from
neighbor
Distributed:
Each node:
wait for (change in local link
cost of msg from neighbor)
 each node notifies
neighbors only when its DV
changes


neighbors then notify
their neighbors if
necessary
The algorithm doesn’t
know the entire path –
only knows the next hop
recompute estimates
if DV to any dest has
changed, notify neighbors
Dx(y) = min{c(x,y) + Dy(y), c(x,z) + Dz(y)}
= min{2+0 , 7+1} = 2
node x table
cost to
x y z
x ∞∞ ∞
y ∞∞ ∞
z 71 0
from
from
from
from
x 0 2 7
y 2 0 1
z 7 1 0
cost to
x y z
x 0 2 7
y 2 0 1
z 3 1 0
x 0 2 3
y 2 0 1
z 3 1 0
cost to
x y z
x 0 2 3
y 2 0 1
z 3 1 0
cost to
x y z
from
from
from
x ∞ ∞ ∞
y 2 0 1
z ∞∞ ∞
node z table
cost to
x y z
x 0 2 3
y 2 0 1
z 7 1 0
cost to
x y z
cost to
x y z
from
from
x 0 2 7
y ∞∞ ∞
z ∞∞ ∞
node y table
cost to
x y z
cost to
x y z
Dx(z) = min{c(x,y) +
Dy(z), c(x,z) + Dz(z)}
= min{2+1 , 7+0} = 3
x 0 2 3
y 2 0 1
z 3 1 0
time
x
2
y
7
1
z
The Internet Network layer
Host, router network layer functions:
Transport layer: TCP, UDP
Network
layer
IP protocol
•addressing conventions
•datagram format
•packet handling conventions
Routing protocols
•path selection
•RIP, OSPF, BGP
forwarding
table
ICMP protocol
•error reporting
•router “signaling”
Link layer
physical layer
IP datagram format
IP protocol version
number
header length
(bytes)
“type” of data
max number
remaining hops
(decremented at
each router)
upper layer protocol
to deliver payload to
how much overhead
with TCP?
 20 bytes of TCP
 20 bytes of IP
 = 40 bytes + app
layer overhead
32 bits
head. type of
length
ver
len service
fragment
16-bit identifier flgs
offset
upper
time to
Internet
layer
live
checksum
total datagram
length (bytes)
for
fragmentation/
reassembly
32 bit source IP address
32 bit destination IP address
Options (if any)
data
(variable length,
typically a TCP
or UDP segment)
E.g. timestamp,
record route
taken, specify
list of routers
to visit.
IP Addressing: introduction
 IP address: 32-bit
identifier for host,
router interface
 interface: connection
between host/router
and physical link



router’s typically have
multiple interfaces
host may have multiple
interfaces
IP addresses
associated with each
interface
223.1.1.1
223.1.2.1
223.1.1.2
223.1.1.4
223.1.1.3
223.1.2.9
223.1.3.27
223.1.2.2
223.1.3.2
223.1.3.1
223.1.1.1 = 11011111 00000001 00000001 00000001
223
1
1
1
Subnets
 IP address:
 subnet part (high
order bits)
 host part (low order
bits)
 What’s a subnet ?
 device interfaces with
same subnet part of IP
address
 can physically reach
each other without
intervening router
223.1.1.1
223.1.2.1
223.1.1.2
223.1.1.4
223.1.1.3
223.1.2.9
223.1.3.27
223.1.2.2
LAN
223.1.3.1
223.1.3.2
network consisting of 3 subnets
IP addressing: CIDR
Before CIDR: only 8-, 16-, and 24- bit masks were
available (A, B, and C class networks)
CIDR: Classless InterDomain Routing
subnet portion of address of arbitrary length
 address format: a.b.c.d/x, where x is # bits in
subnet portion of address

subnet
part
host
part
11001000 00010111 00010000 00000000
200.23.16.0/23
NAT: Network Address Translation
rest of
Internet
local network
(e.g., home network)
10.0.0/24
10.0.0.4
10.0.0.1
10.0.0.2
138.76.29.7
10.0.0.3
All datagrams leaving local
network have same single source
NAT IP address: 138.76.29.7,
different source port numbers
Datagrams with source or
destination in this network
have 10.0.0/24 address for
source, destination (as usual)
NAT: Network Address Translation
2: NAT router
changes datagram
source addr from
10.0.0.1, 3345 to
138.76.29.7, 5001,
updates table
2
NAT translation table
WAN side addr
LAN side addr
1: host 10.0.0.1
sends datagram to
128.119.40, 80
138.76.29.7, 5001 10.0.0.1, 3345
……
……
S: 10.0.0.1, 3345
D: 128.119.40.186, 80
S: 138.76.29.7, 5001
D: 128.119.40.186, 80
138.76.29.7
S: 128.119.40.186, 80
D: 138.76.29.7, 5001
3: Reply arrives
dest. address:
138.76.29.7, 5001
3
1
10.0.0.4
S: 128.119.40.186, 80
D: 10.0.0.1, 3345
10.0.0.1
10.0.0.2
4
10.0.0.3
4: NAT router
changes datagram
dest addr from
138.76.29.7, 5001 to 10.0.0.1, 3345
Hierarchical Routing
Our routing study thus far - idealization
 all routers identical
 network “flat”
… not true in practice
scale: with 200 million
destinations:
 can’t store all dest’s in
routing tables!
 routing table exchange
would swamp links!
administrative autonomy
 internet = network of
networks
 each network admin may
want to control routing in its
own network
Hierarchical Routing
 aggregate routers into
regions, “autonomous
systems” (AS)
 routers in same AS run
same routing protocol


“intra-AS” routing
protocol
routers in different AS
can run different intraAS routing protocol
Gateway router
 Direct link to router in
another AS
Interconnected ASes
3c
3a
3b
AS3
1a
2a
1c
1d
1b
Intra-AS
Routing
algorithm
2c
AS2
AS1
Inter-AS
Routing
algorithm
Forwarding
table
2b
 Forwarding table is
configured by both
intra- and inter-AS
routing algorithm


Intra-AS sets entries
for internal dests
Inter-AS & Intra-As
sets entries for
external dests
Routing in the Internet
 Routing in the Internet


Intra-AS routing: RIP and OSPF
Inter-AS routing: BGP
RIP ( Routing Information Protocol)
 Distance vector algorithm
 Included in BSD-UNIX Distribution in 1982
 Distance metric: # of hops (max = 15 hops)
 # of hops: # of subnets traversed along the shortest path
from src. router to dst. subnet (e.g., src. = A)
u
v
A
z
C
B
D
w
x
y
destination hops
u
1
v
2
w
2
x
3
y
3
z
2
RIP advertisements
 Distance vectors: exchanged among
neighbors every 30 sec via Response
Message (also called advertisement)
 Each advertisement: list of up to 25
destination nets within AS
OSPF (Open Shortest Path First)
 “open”: publicly available
 Uses Link State algorithm
 LS packet dissemination
 Topology map at each node
 Route computation using Dijkstra’s algorithm
 Link costs configured by the network administrator
 OSPF advertisement carries one entry per neighbor
router
 Advertisements disseminated to entire AS (via
flooding)

Carried in OSPF messages directly over IP (rather than TCP
or UDP
OSPF “advanced” features (not in RIP)
 Security: all OSPF messages authenticated (to




prevent malicious intrusion)
Multiple same-cost paths allowed (only one path in
RIP)
For each link, multiple cost metrics for different
TOS (e.g., satellite link cost set “low” for best effort;
high for real time)
Integrated uni- and multicast support:
 Multicast OSPF (MOSPF) uses same topology data
base as OSPF
Hierarchical OSPF in large domains.
Hierarchical OSPF
Hierarchical OSPF
 Two-level hierarchy: local area, backbone.
 Link-state
advertisements only in area
 each node has detailed area topology;
 Area border routers: “summarize” distances
to nets in own area, advertise to other Area
Border routers.
 Backbone routers: run OSPF routing limited
to backbone.
 Boundary routers: connect to other AS’s.
Internet inter-AS routing: BGP
 BGP (Border Gateway Protocol): the de
facto standard
 BGP provides each AS a means to:
1.
2.
3.
Obtain subnet reachability information from
neighboring ASs.
Propagate the reachability information to all
routers internal to the AS.
Determine “good” routes to subnets based on
reachability information and policy.
 Allows a subnet to advertise its existence
to rest of the Internet: “I am here”
BGP basics
 Pairs of routers (BGP peers) exchange routing info over TCP
conections: BGP sessions
 Note that BGP sessions do not correspond to physical links.
 When AS2 advertises a prefix to AS1, AS2 is promising it will
forward any datagrams destined to that prefix towards the
prefix.

AS2 can aggregate prefixes in its advertisement
3c
3a
3b
AS3
1a
AS1
2a
1c
1d
1b
2c
AS2
2b
eBGP session
iBGP session
Path attributes & BGP routes
 When advertising a prefix, advert includes BGP
attributes.

prefix + attributes = “route”
 Two important attributes:
 AS-PATH: contains the ASs through which the advert
for the prefix passed: AS 67 AS 17
 NEXT-HOP: Indicates the specific internal-AS router to
next-hop AS. (There may be multiple links from current
AS to next-hop-AS.)
 When gateway router receives route advert, uses
import policy to accept/decline.
Why different Intra- and Inter-AS routing ?
Policy:
 Inter-AS: admin wants control over how its traffic
routed, who routes through its net.
 Intra-AS: single admin, so no policy decisions needed
Scale:
 hierarchical routing saves table size, reduced update
traffic
Performance:
 Intra-AS: can focus on performance
 Inter-AS: policy may dominate over performance
Data Link Layer
Some terminology:
 hosts and routers are nodes
 communication channels that
connect adjacent nodes along
communication path are links



wired links
wireless links
LANs
 layer-2 packet is a frame,
encapsulates datagram
data-link layer has responsibility of
transferring datagram from one node
to adjacent node over a link
“link”
Link Layer Services
 Framing, link access:



encapsulate datagram into frame, adding header, trailer
channel access if shared medium
“MAC” addresses used in frame headers to identify
source, dest
• different from IP address!
 Reliable delivery between adjacent nodes
 we learned how to do this already (chapter 3)!
 seldom used on low bit error link (fiber, some twisted
pair)
 wireless links: high error rates
• Q: why both link-level and end-end reliability?
MAC Protocols: a taxonomy
Three broad classes:
 Channel Partitioning


divide channel into smaller “pieces” (time slots,
frequency, code)
allocate piece to node for exclusive use
 Random Access
 channel not divided, allow collisions
 “recover” from collisions
 “Taking turns”
 Nodes take turns, but nodes with more to send can take
longer turns
Channel Partitioning MAC protocols: TDMA
TDMA: time division multiple access
 access to channel in "rounds"
 each station gets fixed length slot (length = pkt
trans time) in each round
 unused slots go idle
 example: 6-station LAN, 1,3,4 have pkt, slots 2,5,6
idle
Slotted ALOHA
Pros
 single active node can
continuously transmit
at full rate of channel
 highly decentralized:
only slots in nodes
need to be in sync
 simple
Cons
 collisions, wasting slots
 idle slots
 clock synchronization
Slotted Aloha efficiency
Efficiency is the long-run
fraction of successful slots
when there are many nodes,
each with many frames to send
 Suppose N nodes with
many frames to send,
each transmits in slot
with probability p
 prob that node 1 has
success in a slot
= p(1-p)N-1
 prob that there is a
success = Np(1-p)N-1
 For max efficiency
with N nodes, find p*
that maximizes
Np(1-p)N-1
 For many nodes, take
limit of Np*(1-p*)N-1
as N goes to infinity,
gives 1/e = .37
At best: channel
used for useful
transmissions 37%
of time!
CSMA (Carrier Sense Multiple Access)
CSMA: listen before transmit:
 If channel sensed idle: transmit entire frame
 If channel sensed busy, defer transmission
 Human analogy: don’t interrupt others!
CSMA collisions
collisions can still occur:
propagation delay means
two nodes may not hear
each other’s transmission
collision:
entire packet transmission
time wasted
note:
role of distance & propagation
delay in determining collision
probability
spatial layout of nodes
CSMA/CD (Collision Detection)
CSMA/CD: carrier sensing, deferral as in CSMA
collisions detected within short time
 colliding transmissions aborted, reducing channel
wastage

 collision detection:
 easy in wired LANs: measure signal strengths,
compare transmitted, received signals
 difficult in wireless LANs: receiver shut off while
transmitting
CSMA/CD collision detection
“Taking Turns” MAC protocols
Token passing:
Polling:
 control token passed from
 master node
one node to next
“invites” slave nodes
sequentially.
to transmit in turn
 token message
 concerns:
 concerns:
 polling overhead


latency
single point of
failure (master)



token overhead
latency
single point of failure (token)
ARP: Address Resolution Protocol
Question: how to determine
MAC address of B
knowing B’s IP address?
237.196.7.78
1A-2F-BB-76-09-AD
237.196.7.23
 Each IP node (Host,
Router) on LAN has
ARP table
 ARP Table: IP/MAC
address mappings for
some LAN nodes
237.196.7.14

LAN
71-65-F7-2B-08-53
237.196.7.88
< IP address; MAC address; TTL>
58-23-D7-FA-20-B0
0C-C4-11-6F-E3-98
TTL (Time To Live): time
after which address
mapping will be forgotten
(typically 20 min)
ARP protocol: Same LAN (network)
 A wants to send datagram
to B, and B’s MAC address
not in A’s ARP table.
 A broadcasts ARP query
packet, containing B's IP
address
 Dest MAC address =
FF-FF-FF-FF-FF-FF
 all machines on LAN
receive ARP query
 B receives ARP packet,
replies to A with its (B's)
MAC address

frame sent to A’s MAC
address (unicast)
 A caches (saves) IP-to-
MAC address pair in its
ARP table until information
becomes old (times out)
 soft state: information
that times out (goes
away) unless refreshed
 ARP is “plug-and-play”:
 nodes create their ARP
tables without
intervention from net
administrator
Routing to another LAN
walkthrough: send datagram from A to B via R
assume A knows B’s IP address
A
R
 Two ARP tables in router R, one for each IP
network (LAN)
B
 A creates datagram with source A, destination B
 A uses ARP to get R’s MAC address for 111.111.111.110
 A creates link-layer frame with R's MAC address as dest,





frame contains A-to-B IP datagram
A’s adapter sends frame
R’s adapter receives frame
R removes IP datagram from Ethernet frame, sees its
destined to B
R uses ARP to get B’s MAC address
R creates frame containing A-to-B IP datagram sends to B
A
R
B
Ethernet uses CSMA/CD
 No slots
 adapter doesn’t transmit
if it senses that some
other adapter is
transmitting, that is,
carrier sense
 transmitting adapter
aborts when it senses
that another adapter is
transmitting, that is,
collision detection
 Before attempting a
retransmission,
adapter waits a
random time, that is,
random access
Ethernet CSMA/CD algorithm
1. Adaptor receives
4. If adapter detects
datagram from net layer &
another transmission while
creates frame
transmitting, aborts and
sends jam signal (48 bits)
2. If adapter senses channel
idle, it starts to transmit 5. After aborting, adapter
frame. If it senses
enters exponential
channel busy, waits until
backoff: after the mth
channel idle and then
collision, adapter chooses
transmits
a K at random from
{0,1,2,…,2m-1}.
3. If adapter transmits
entire frame without
Adapter waits K·512 bit
detecting another
times and returns to Step
transmission, the adapter
2
is done with frame !
Ethernet’s CSMA/CD (more)
Jam Signal: make sure all
other transmitters are
aware of collision; 48 bits
Bit time: .1 microsec for 10
Mbps Ethernet ;
for K=1023, wait time is
about 50 msec
Exponential Backoff:
 Goal: adapt retransmission
attempts to estimated
current load

heavy load: random wait
will be longer
 first collision: choose K
from {0,1}; delay is K· 512
bit transmission times
 after second collision:
choose K from {0,1,2,3}…
 after ten collisions, choose
K from {0,1,2,3,4,…,1023}
CSMA/CD efficiency
 Tprop = max prop between 2 nodes in LAN
 ttrans = time to transmit max-size frame
efficiency 
1
1  5t prop / ttrans
 Efficiency goes to 1 as tprop goes to 0
 Goes to 1 as ttrans goes to infinity
 Much better than ALOHA, but still decentralized,
simple, and cheap
Hubs
Hubs are essentially physical-layer repeaters:
 bits coming from one link go out all other links
 at the same rate
 no frame buffering
 no CSMA/CD at hub: adapters detect collisions
 provides net management functionality
• can disconnect a malfunctioning adapter
twisted pair
hub
Interconnecting with hubs
Pros:
Cons:
 Enables interdepartmental
 Collision domains are
communication
 Extends max distance btw.
nodes
 If a hub malfunctions, the
backbone hub can
disconnect it
hub
transferred into one large,
common domain
 Cannot interconnect
10BaseT and 100BaseT
hub hubs
hub
hub
Switch
 Link layer device
stores and forwards Ethernet frames
 examines frame header and selectively
forwards frame based on MAC dest address
 when frame is to be forwarded on segment,
uses CSMA/CD to access segment
 transparent
 hosts are unaware of presence of switches
 plug-and-play, self-learning
 switches do not need to be configured

Forwarding
switch
1
2
hub
3
hub
hub
• How to determine onto which LAN segment to
forward frame?
• Looks like a routing problem...
Self learning
 A switch has a switch table
 entry in switch table:
(MAC Address, Interface, Time Stamp)
 stale entries in table dropped (TTL can be 60 min)
 switch learns which hosts can be reached through
which interfaces
 when frame received, switch “learns” location of
sender: incoming LAN segment
 records sender/location pair in switch table

Switch: traffic isolation
 switch installation breaks subnet into LAN
segments
 switch filters packets:
 same-LAN-segment frames not usually
forwarded onto other LAN segments
 segments become separate collision domains
switch
collision
domain
hub
collision domain
hub
collision domain
hub
Switches vs. Routers
 both store-and-forward devices
 routers: network layer devices (examine network layer
headers)
 switches are link layer devices
 routers maintain routing tables, implement routing
algorithms
 switches maintain switch tables, implement
filtering, learning algorithms
Summary comparison
hubs
switches routers
traffic
isolation
no
yes
yes
plug & play
yes
yes
no
optimal
routing
no
no
yes
Wireless network characteristics
Multiple wireless senders and receivers create
additional problems (beyond multiple access):
C
A
B
A
B
Hidden terminal problem
C
C’s signal
strength
A’s signal
strength
space
 B, A hear each other
Signal fading:
 A, C can not hear each other
 B, C hear each other
 B, C hear each other
 B, A hear each other
means A, C unaware of their
interference at B
 A, C can not hear each other
interferring at B
IEEE 802.11 Wireless LAN
 802.11b
 2.4-5 GHz unlicensed
radio spectrum
 up to 11 Mbps
 direct sequence spread
spectrum (DSSS) in
physical layer
• all hosts use same
chipping code
 widely deployed, using
base stations
 802.11a
 5-6 GHz range
 up to 54 Mbps
 802.11g
 2.4-5 GHz range
 up to 54 Mbps
 All use CSMA/CA for
multiple access
 All have base-station
and ad-hoc network
versions
802.11 LAN architecture
 wireless host communicates
Internet
AP
hub, switch
or router
BSS 1
AP
BSS 2
with base station
 base station = access
point (AP)
 Basic Service Set (BSS)
(aka “cell”) in infrastructure
mode contains:
 wireless hosts
 access point (AP): base
station
 ad hoc mode: hosts only
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then
transmit entire frame (no CD)
2 if sense channel busy then
- start random backoff time
- timer counts down while channel idle
- transmit when timer expires
- if no ACK, increase random backoff
interval, repeat 2
802.11 receiver
- if frame received OK
return ACK after SIFS (ACK needed due
to hidden terminal problem)
sender
receiver
DIFS
data
SIFS
ACK
Collision Avoidance: RTS-CTS exchange
A
AP
B
reservation collision
DATA (A)
time
defer
802.11 frame: addressing
2
2
6
6
6
frame
address address address
duration
control
1
2
3
Address 1: MAC address
of wireless host or AP
to receive this frame
Address 2: MAC address
of wireless host or AP
transmitting this frame
2
6
seq address
4
control
0 - 2312
4
payload
CRC
Address 4: used only
in ad hoc mode
Address 3: MAC address
of router interface to
which AP is attached
802.11 frame: addressing
R1 router
H1
Internet
AP
R1 MAC addr AP MAC addr
dest. address
source address
802.3 frame
AP MAC addr H1 MAC addr R1 MAC addr
address 1
address 2
address 3
802.11 frame
Network Security
 What is network security?
 Principles of cryptography
Symmetric Key
 Public Key

 Authentication
 Protocol evolution
 Access control: firewalls
 Attacks and counter measures
 Packet
sniffing
 IP spoofing
 DoS attacks