Discovery service
Networking Technologies
Yelena Yesha
Olga Streltchenko
WAP slides by Anupam Joshi
1
Presentation Overview
Internet Protocols
WAP
Caching and Proxies
DNS
Firewalls
Directory and Discovery Services
2
Internet Protocols
Originally developed to support simple wide-area applications (ftp, e-mail).
Scaled up very well to support more
sophisticated distributed applications.
Standardization of TCP/IP.
Exceptions:
WAP for wireless applications on portable devices;
Special protocols to support multimedia (MM) streaming
applications.
3
IP Addressing
Scheme for addressing and routing IP packets.
1978-82 TCP/IP standardization provided for 2^32
or approximately 4 billion hosts.
The Internet growth outstripped the predictions.
The address space allocation has been
inefficient.
IP address = network identifier + host identifier
Written as
Classes: A, B, C, D and E.
D is reserved for multicast communication, E for
future uses.
4
IP Addressing (cont’d)
Address formats (leading bits | network ID | host ID):
Class A: 0 | Network ID, 7 bits | Host ID, 24 bits
Class B: 10 | Network ID, 14 bits | Host ID, 16 bits
Class C: 110 | Network ID, 21 bits | Host ID, 8 bits
Class D: 1110 | Multicast address
Class E: 11110 | unused
A: 2^24 hosts on each subnet, national wide area networks
B: more than 255 computers on a subnet, big companies.
C: other network operators
5
IP Addressing Drawbacks and Solutions
Drawbacks:
If a computer is connected to more than one
network it needs more than one IP address.
Organizations cannot reliably predict their growth
and tend to over-budget;
Outcome: exhaustion of class B addresses.
IP address is susceptible to IP spoofing, or
counterfeiting of the source address in the IP header.
Denial-of-service attacks by placing the destination IP
address in the target address field (remember Feb 2000?).
Solutions:
Aggressive: IPv6 with its 128-bit address fields;
Use of mask fields and CIDR (classless inter-domain
routing).
6
IP Protocol
Provides an unreliable or best-effort delivery service
Only checksum is the header checksum.
IP layer
Puts IP datagrams into network packets suitable for
transmission in the underlying network;
E.g., Ethernet.
When the datagram is longer than the MTU of the underlying
network, it is broken into smaller segments and
reassembled at the destination.
Must insert “physical” network address of the message
destination if necessary;
Depends on the underlying network technology, i.e.,
Ethernet requires an Ethernet address for the host on the
local Ethernet.
7
Network Topology Revisited
The Internet Backbone
Super-high-bandwidth link between smaller networks
like intranets;
consists of multiple networks operated by multiple
companies, like UUnet, AT&T, SprintLink, Qwest, etc.;
These networks come together at various peering
points.
Autonomous system (AS): conceptual partition
of the topological map of the internet.
Subdivide into areas;
Example: intranets of big organizations.
8
Routing protocols
RIP1: distance-vector algorithm.
Convergence problems.
RIP2: amendment of RIP1 to accommodate CIDR
and authentication of IP packets, improve multicast
routing.
OSPF: open-shortest-path-first.
Better convergence than the one exhibited by RIP.
Incremental adoption of better routing algorithms.
For routers to cooperate they need to run the same
routing algorithm.
For this purpose topological areas have been
defined: the same protocol is used within an area.
9
Overcoming the Problem of the Internet Growth
Default router
To prevent routing table size explosion only partial
information is kept.
Routers closer to backbones have more complete tables.
The default entry specifies a route to be used for all IP
packets whose destination is not included in the routing
table.
CIDR
Allocates a batch of contiguous class C IP addresses to a
subnet requiring more than 255 addresses;
Allows subdivision of the class B address space for allocation of
multiple subnets;
This is achieved through the use of a mask field in routing tables:
a bit pattern that selects the portion of the IP address to be
compared with the routing table entry.
10
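As an added example (not part of the slides), the following Python decodes the leading-bit address classes, aggregates contiguous class C blocks into one CIDR prefix, subdivides a class B block, and routes with a mask field plus a default entry; all addresses and routes are constructed.

```python
# Added example (not from the lecture slides): classful decoding, CIDR
# aggregation of class C blocks, and mask-based longest-prefix routing with
# a default route. All addresses and routes below are constructed.
import ipaddress


def address_class(addr: str) -> str:
    """Classify an IPv4 address by its leading bits, as in the slides:
    0 -> A, 10 -> B, 110 -> C, 1110 -> D (multicast), 11110 -> E (unused)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet & 0x80 == 0x00:
        return "A"
    if first_octet & 0xC0 == 0x80:
        return "B"
    if first_octet & 0xE0 == 0xC0:
        return "C"
    if first_octet & 0xF0 == 0xE0:
        return "D"
    return "E"


def aggregate(blocks):
    """CIDR supernetting: merge contiguous class C blocks (/24) into the
    smallest set of prefixes covering exactly the same addresses."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def subdivide(block: str, new_prefix: int):
    """Split one block (e.g. a class B /16) into equal-sized subnets."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


def build_table(routes):
    """routes: list of (prefix, next_hop). The table is kept most-specific
    first so that a linear scan implements longest-prefix match; the
    0.0.0.0/0 entry is the default router used when nothing else matches."""
    table = [(ipaddress.ip_network(p, strict=False), nh) for p, nh in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, addr: str):
    """Apply each entry's mask field to the destination and compare the
    selected bits with the entry's network number."""
    dest = int(ipaddress.IPv4Address(addr))
    for net, next_hop in table:
        if dest & int(net.netmask) == int(net.network_address):
            return next_hop
    return None  # only reachable if the table has no default entry


if __name__ == "__main__":
    table = build_table([
        ("0.0.0.0/0", "backbone"),          # default router
        ("192.168.8.0/21", "router-b"),     # eight aggregated class C blocks
        ("192.168.10.0/24", "subnet-10"),   # more specific: wins over the /21
    ])
    print(address_class("172.16.0.1"), aggregate([f"192.168.{i}.0/24" for i in range(8, 16)]))
    print(lookup(table, "192.168.10.5"), lookup(table, "192.168.12.1"), lookup(table, "8.8.8.8"))
```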
IP version 6
A more permanent solution to the problem of the
Internet growth.
Address space: 2^128
Factor in inefficiencies of address allocation and still
get about 1000 IP addresses per m^2.
Routing speed: the complexity of the header is
reduced.
Real-time and other special services: the header
includes the priority and flow control fields.
The use of these fields will depend on major
improvements in the infrastructure (hardware) and
suitable method of allocating and arbitrating
resources.
11
IP version 6 (cont’d)
Future evolution: next header field, which
defines the type of an extension header that is
included in the packet.
Multicast and anycast: IPv6 supports anycast, or
delivery to at least one of the hosts among
the relevant addresses.
Security: IPv6 implements authentication and
encrypted security payload extension header
types.
Equivalent to providing a secure channel;
Means that the payload is encrypted and/or digitally
signed.
12
Mobility and IP
Dynamic Host Configuration Protocol (DHCP)
Designed to support the ability of a mobile device to
maintain simple access to services;
Assigns a temporary IP address to the device.
To provide permanent access by clients to a
mobile computer it must maintain a permanent
IP address.
Problem: IP routing is subnet-based.
Subnets are at fixed locations.
13
MobileIP
A transparent solution based on tunnelling.
When a mobile computer is connected to the
Internet elsewhere, two agents take
responsibility for routing.
Home agent (HA):
holds up-to-date knowledge of the mobile host’s
current location;
The IP address at which it can be reached.
The mobile host informs HA upon leaving home
HA acts as a proxy to the clients communicating to the
mobile host during this time.
14
MobileIP (cont’d)
Foreign agent (FA):
Allocates a temporary IP address to a mobile host upon its
arrival to a new site;
Contact HA and supplies it with the contact address for the
mobile host (FA’s address).
HA encapsulates original IP packets and sends them
to FA.
FA unpacks the packets and delivers them to the
mobile host.
HA sends the contact address for the mobile host to
the original sender.
If the sender is Mobile-enabled it communicates to the FA
directly from now on;
If not, the HA continues to act as a proxy for it.
15
TCP and UDP
Provide communication capabilities to the
application programs.
IPv6 will support TCP/UDP as well as other
connection protocols (remember the Internet
Model).
Enable interprocess communication through the
use of ports attached to applications.
Port number is included in the header.
16
UDP
Almost a transport-level replica of IP.
Offers no guarantee of delivery.
The header is short, but includes an
optional checksum for the payload;
The packets that fail the check are dropped.
17
TCP
Provides reliable delivery of arbitrarily long
sequences of bytes via stream-based
programming abstraction.
Connection-oriented;
The sending and the receiving processes
establish a communication channel;
Use of ACK (acknowledgement) messages.
18
TCP Reliability Mechanisms
Sequencing: a sequence number is attached to every
TCP segment;
Used for message re-assembly at the destination.
Flow control: overflow prevention;
The receiver sends an ACK with the highest sequence
number in its input stream (no segments before that
one have been omitted) and a window size.
Window size specifies the amount of data the sender is
permitted to send.
ACKs are attached to the backward flow if there is any.
Burstiness of network traffic is smoothed through the
use of local buffering and a configurable time-out on it:
Nagle’s algorithm.
19
TCP (cont’d)
Due to the unreliability of wireless networks
these mechanisms are not efficient.
Solutions: WAP and modified TCP.
Modified TCP for wireless networks.
Implement a TCP support component at the base
station (gateway between wired and wireless
networks).
The support component snoops on TCP packets to
and from the wireless network
re-transmitting segments that are not promptly
acknowledged.
Requesting re-transmission of inbound segments when gaps
in sequence numbers are noticed.
20
WAP
Wireless Application Protocol
“An open, global specification that empowers
mobile users with wireless devices to easily access
and interact with information and services
instantly.”
- WAP Forum
“The de facto worldwide standard for providing
Internet communications and advanced telephony
services on digital mobile phones, pagers,
personal digital assistants and other wireless
terminals.”
- WAP Forum (www.wapforum.org)
21
Why is WAP needed?
Traditional internet protocols (HTML, HTTP, TCP,
etc.) and their security mechanisms (TLS) are
inefficient over mobile networks.
Handheld devices tend to have less powerful
CPUs, less memory and more restrictions on
power consumption than desktops, so require
special considerations.
Handheld devices tend to use input devices
other than keyboards (e.g. voice, keypad).
22
Bearer Limitations
Power consumption
increased bandwidth requires increased power.
Cellular network economics
Fixed bandwidth shared among many users, so
efficient bandwidth use required.
Latency
wide range of network latencies common (< 1
second to 10s of seconds).
Bandwidth
Less bandwidth than found in wired environments.
23
WAP Forum: www.wapforum.org
WAP Forum founded in December 1997 by Nokia,
Ericsson, Motorola and Phone.com (formerly
Unwired Planet)
Currently contains over 200 members;
Carriers with more than 100 million subscribers;
Infrastructure providers;
Software developers, and others.
Represent over 95% of the global handset market.
WAP Protocol development
Current WAP Version: 1.2
24
How does WAP work?
Uses client-server model.
Phone incorporates a microbrowser, while
the intelligence is in the WAP gateways.
Services and applications reside on
servers.
Similar to Java – applications written for
WAP, which then run on multiple bearers
(e.g. GSM, SMS, USSD, etc.)
25
What works with WAP?
Designed for use with:
All mobile phones;
Any service, e.g. SMS (Short Message Service), CSD
(Circuit Switched Data), USSD (Unstructured
Supplementary Services Data), GPRS (General Packet
Radio Service);
Any network, e.g. CDMA (Code Division Multiple
Access), GSM (Global System for Mobiles), UMTS
(Universal Mobile Telephone System);
Any input device, e.g. keyboard, stylus, touch screen,
keypad.
26
WAP Protocol Model (Stack)
Layer | WAP protocol
Application Layer | Wireless Application Environment (WAE); other services and applications
Session Layer | Wireless Session Protocol (WSP)
Transaction Layer | Wireless Transaction Protocol (WTP)
Security Layer | Wireless Transport Layer Security (WTLS)
Transport Layer | Datagrams (WDP) or Datagrams (UDP/IP)
Network Layer | Wireless bearers: SMS, USSD, CSD, IS-136, CDMA, CDPD, etc.
* Source: the WAP White Paper, October 1999.
27
WAP Architecture
WAP Phone (client) <-> WAP Gateway <-> Web Server (on the Internet)
Client to gateway: encoded request; gateway to client: encoded response.
Gateway to web server: request; web server to gateway: response.
28
WDP Layer
Wireless Datagram Protocol.
Provides consistent service and common
interface to upper layers of the protocol.
Supports: SMS, USSD, CSD, CDPD,
IS-136 packet data, and GPRS.
29
WTLS Layer
Wireless Transport Layer Security (WTLS).
Implements options for authentication and
encryption.
Optimized for mobile environment.
Based on Transport Layer Security (TLS), which was
formerly Secure Sockets Layer (SSL).
Optimized for use over narrow-band communication
channels.
Ensures data integrity, privacy, authentication and
denial-of-service protection.
30
WTP Layer
Wireless Transaction Protocol
Runs on top of datagram service.
Works over both secure and non-secure wireless services.
Features:
Three classes of transaction service
Class 0: for applications requiring an “unreliable push” service
Class 1: for applications requiring a “reliable push” service
Class 2: to provide the basic invoke/response transaction
service
Optional user-to-user reliability.
Asynchronous transactions.
PDU (protocol data unit) concatenation and delayed
acknowledgements to reduce number of messages sent.
31
WSP Layer
Wireless Session Protocol
Provides consistent interface for both connection-oriented and connectionless services.
Provides the following functionality:
HTTP 1.1 compliance;
Long-lived session state;
Session suspend and resume;
Facility for data “push”.
32
WAE
Wireless Application Environment
Interoperable environment for multiple
wireless platforms.
Consists of:
Wireless Markup Language (WML);
WMLScript;
Wireless Telephony Application (WTA);
Content Formats.
33
WML
WAP Mark-up Language
WML is an XML application.
Also uses WMLScript, which is similar to
JavaScript.
Optimized for use with handheld devices.
Minimal use of CPU and memory.
34
Benefits of WAP
Reduces amount of data to be transmitted (by
translating HTTP headers from text into binary).
Allows sessions to be suspended and resumed.
Provides reliable datagram service without the
unnecessary overhead of TCP.
TCP stack is not required on handheld device.
WAP protocol stack requires fewer packets for interaction
than HTTP/TCP/IP.
Support for “push” functionality built into protocol.
WML developers can use standard web tools
(e.g. CGI, Perl, ASP, etc.).
35
Drawbacks to WAP
Difficult to configure WAP phones for new WAP
services.
Not yet widely supported.
Current services (e.g. SMS, USSD) not optimized
for WAP.
Expected to be expensive.
WAP does not support cookies.
Premature encryption endpoint (gateway
decrypts data, then forwards via https – see
www.gsmworld.com/technology/wap_06.html).
36
Caches and proxy servers
Cache: a store of recently used data objects that is
closer than the objects themselves.
When a new object is received it is placed in the cache
possibly evicting another object.
When an object is requested, the cache is checked first
for an up-to-date copy;
If it’s not available, a fresh copy is fetched.
A cache can be collocated with each client or located on
a proxy server.
Proxy server: a machine/process performing tasks on
behalf of its clients.
A web proxy server maintains a cache of web resources for its
clients; all the requests go through it.
The actual client is transparent for outside servers.
37
DNS
A name service design whose principal database
is used across the Internet to perform name
resolution for web resources.
A name is resolved when it is translated into
data about the named resource or object in
order to invoke an action upon it.
38
The Internet Naming Scheme
The Internet supports a scheme for the use of
symbolic names for hosts and networks.
The named entities are organized into a hierarchy.
The named entities are called domains and the
symbolic names are called domain names.
Domains are organized into a hierarchy that intends
to reflect organizational structure.
Naming is entirely independent from the network
physical layout.
Domain names must be translated into IP addresses;
this is the responsibility of DNS.
39
DNS Operation
Implemented as a server process that can run on
host computers anywhere on the Internet.
There are at least 2 DNS servers in each domain.
Servers in each domain hold a partial map of the
domain name tree below their domain.
Requests for the translation of domain names outside
their portion of the domain tree are handled by
issuing requests to DNS servers in the relevant
domains;
Recursive procedure that follows from right to left
resolving the name in segments.
The resulting translation is then cached at the server
handling the original request.
40
DNS and caching
Caching is key to name service performance;
Assists in maintaining availability and masking server
crashes.
Caching is successful because naming data are
changed relatively rarely.
The possibility exists of a name service returning
out-of-date attributes during resolution.
DNS allows naming data to become inconsistent;
Stale data might be provided for periods in order of
days.
41
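An added example, not from the slides: a toy resolver in Python that resolves a name from right to left through constructed zones and caches the answer with a TTL, showing the window in which a cache keeps returning stale data after the authoritative record has changed. Zone names and addresses are constructed.

```python
# Added example (not from the lecture slides): a toy resolver that walks the
# domain-name tree from right to left and caches answers with a TTL, which
# shows how a cache hands out stale data after the authoritative record
# changes. Zone contents and addresses are constructed.
import time

# Each zone maps one label to either a delegation to a child zone or an
# address record with its time-to-live in seconds.
ZONES = {
    ".": {"edu": {"delegate": "edu."}},
    "edu.": {"umbc": {"delegate": "umbc.edu."}},
    "umbc.edu.": {
        "cs": {"delegate": "cs.umbc.edu."},
        "www": {"a": "198.51.100.10", "ttl": 86400},
    },
    "cs.umbc.edu.": {"gl": {"a": "198.51.100.2", "ttl": 3600}},
}


class Resolver:
    def __init__(self, zones=ZONES, clock=time.time):
        self.zones = zones
        self.clock = clock          # injectable so the TTL can be driven in tests
        self.cache = {}             # fqdn -> (address, expiry time)

    def resolve(self, name: str):
        """Return (address, source) where source is 'cache' or 'authoritative'."""
        fqdn = name if name.endswith(".") else name + "."
        cached = self.cache.get(fqdn)
        if cached and cached[1] > self.clock():
            return cached[0], "cache"
        # Right to left: root decides 'edu', the edu server decides 'umbc', ...
        labels = fqdn.rstrip(".").split(".")[::-1]
        zone = "."
        for depth, label in enumerate(labels):
            record = self.zones[zone].get(label)
            if record is None:
                raise LookupError(f"{fqdn}: no entry for {label!r} in zone {zone!r}")
            if "delegate" in record:
                zone = record["delegate"]
                continue
            if depth != len(labels) - 1:
                raise LookupError(f"{fqdn}: {label!r} is a host, not a zone")
            self.cache[fqdn] = (record["a"], self.clock() + record["ttl"])
            return record["a"], "authoritative"
        raise LookupError(f"{fqdn}: name is a zone, not a host")


def update_address(zones, fqdn: str, address: str):
    """Authoritative change made at the zone server. Caches elsewhere are
    not notified, so they keep answering with the old value until TTL expiry."""
    host, zone = fqdn.rstrip(".").split(".", 1)
    zones[zone + "."][host]["a"] = address


if __name__ == "__main__":
    now = [0.0]
    r = Resolver(clock=lambda: now[0])
    print(r.resolve("gl.cs.umbc.edu"))          # authoritative
    update_address(ZONES, "gl.cs.umbc.edu", "198.51.100.3")
    print(r.resolve("gl.cs.umbc.edu"))          # stale answer from the cache
    now[0] += 3601
    print(r.resolve("gl.cs.umbc.edu"))          # fresh answer after TTL expiry
```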
Internet and Network Security
Types of Attacks on Internet
Break-ins: Unauthorized attempts to gain access to a
secure system
Denial of service: A legitimate user is denied access
to a service (e.g. Flooding a WWW server with
requests)
Bombs: Large email messages or other large data
intended to overwhelm and possibly weaken a
system.
Eavesdropping - Listening in on an electronic
conversation. Perhaps with intent to gather
information for a future break-in.
Viruses.
42
Internet and Network Security (cont’d)
Who is perpetrating these attacks?
People with lots of free time
Former/disgruntled employees
Current/disgruntled employees
Current/former/disgruntled customers
Governments
43
How to Defend?
Some quick (although not foolproof) suggestions:
Frequent password changes and the use of difficult-to-guess passwords.
Removal of abused services.
Filters that detect and delete large messages.
Cryptography.
Note that many attacks go undetected, even by
professionals.
44
Example Scenario
A private company would like the following:
Make some services available within the company such
as Secure Shell (SSH) and FTP between the company's
hosts.
Disallow outside users from gaining access to the
company's internal hosts via Telnet, FTP, etc.
Allow users within the company to access other services
on the Internet such as WWW and FTP.
Allow users from the Internet to visit the company's
WWW home pages.
Allow the exchange of e-mail with others on the
Internet.
45
But,
It is difficult to restrict traffic in only one
direction
Recall that the TCP/IP protocol sends
acknowledgements to make sure data arrives
whole.
What we need is a more sophisticated
gatekeeper that can distinguish what services to
allow and which to block.
The general term for this is a Firewall.
46
Firewall
Monitors and controls all the traffic into and out of an
intranet.
Firewall security policy
Service control: determine which services are available for
external access and reject all other requests;
Levels of filtering: IP, TCP.
Example: reject HTTP requests unless they are directed to the
official website.
Behavioral control: prevent behavior that infringes
organization policies;
Levels of filtering: IP, TCP, application;
Example: filtering of ‘spam’ e-mail.
User control: discriminate between users’ privileges;
Example: management of dial-up provided for off-site users.
47
Filtering levels
IP packet filtering
Decisions made based on the destination and the
source IP addresses, the service type field in the IP
header, port numbers in TCP/UDP headers.
Example: prohibition of external access to NFS
servers.
Performed by a process within the operating system
kernel of a router.
TCP Gateway
A TCP Gateway process checks TCP connection
requests and segment transmission for correctness.
Example: Denial-of-service attack prevention.
48
Filtering levels (cont’d)
Application-level gateway
An application-level gateway process acts as a proxy
for an application process.
Example: a Telnet proxy. All telnet requests are
routed through the proxy process for approval.
A firewall is a combination of several processes
working at different protocol levels running on
more than one machine (for fault-tolerance).
Two overall (mutually exclusive) policies:
Anything not explicitly denied is allowed.
Anything not explicitly allowed is denied.
49
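An added example, not from the slides: a Python packet filter for the company scenario above that compares the two overall policies and records admitted connections, so that the acknowledgement/return traffic of an allowed outbound connection passes while unsolicited inbound packets do not. Hosts, networks and packets are constructed.

```python
# Added example (not from the lecture slides): a packet filter for the
# scenario in the slides, comparing "anything not explicitly allowed is
# denied" with its opposite. It keeps a record of admitted connections so
# that reply traffic gets through without opening the inbound direction.
# Networks, hosts and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # the company intranet (constructed)
WEB_SERVER = "10.0.1.80"              # the company's public web server (constructed)
MAIL_SERVER = "10.0.1.25"             # the company's mail relay (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def inside(host: str) -> bool:
    return ip_address(host) in INTERNAL


# Service-control rules: each admits one class of new connection.
# Telnet, FTP or SSH from the Internet to an internal host matches none.
RULES = [
    ("internal ssh/ftp", lambda p: inside(p.src) and inside(p.dst) and p.dport in (22, 21)),
    ("users to www/ftp", lambda p: inside(p.src) and not inside(p.dst) and p.dport in (80, 443, 21)),
    ("public web pages", lambda p: not inside(p.src) and p.dst == WEB_SERVER and p.dport == 80),
    ("mail exchange", lambda p: p.dport == 25 and (p.dst == MAIL_SERVER or p.src == MAIL_SERVER)),
]


class Firewall:
    def __init__(self, default: str):
        assert default in ("allow", "deny")
        self.default = default          # "deny": anything not explicitly allowed is denied
        self.admitted = set()           # 5-tuples of connections already let through

    def filter(self, p: Packet) -> str:
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.admitted or forward in self.admitted:
            return "allow"              # reply to, or continuation of, an admitted connection
        for _name, matches in RULES:
            if matches(p):
                self.admitted.add(forward)
                return "allow"
        return self.default


if __name__ == "__main__":
    fw = Firewall("deny")
    print(fw.filter(Packet("10.0.3.7", 40001, "203.0.113.5", 80)))   # allow: user to WWW
    print(fw.filter(Packet("203.0.113.5", 80, "10.0.3.7", 40001)))   # allow: its reply
    print(fw.filter(Packet("203.0.113.9", 80, "10.0.3.7", 40002)))   # deny: no such connection
    print(fw.filter(Packet("203.0.113.9", 5555, "10.0.3.7", 23)))    # deny: inbound Telnet
```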
Basic Internet Firewalls
A basic firewall is a router (a host with at least 2 network
interfaces).
One interface is connected to the Internet - the Host side.
The other(s) is(are) connected to the company's internal network.
Performs IP packet filtering.
50
Advanced Internet Firewalls
When TCP and application-level gateway processes are
required, they usually run on another computer: Bastion.
A host located inside the intranet and protected by an IP
router/filter, to which it is attached by a Stub LAN.
Stub LAN only has 1 or 2 hosts on it. Not connected to any other
company LANs.
A bastion host is connected to both the stub LAN and to the
company network
51
Advanced Internet Firewalls (cont’d)
Further protection can be ensured by placing
another router/filter between the bastion and
the company intranet.
Note that for performance reasons company
web/ftp servers are placed on the Stub LAN.
52
Virtual Private Networks
Suppose a company wants to connect the
intranets of its 5 offices.
One option is to lease a private line.
Another is to connect through the internet.
But then everything is open.
The solution is to use encryption schemes to
establish secure tunnels through the internet.
Such a set-up is called a virtual private
network.
53
Directory and Discovery Services
Directory service: A service that stores collections of
bindings between names and attributes and that
looks up entries that match attribute-based
specifications.
Example: MS Active Directory Service, UNIX X.500, etc.
Discovery service: a directory service that registers
the services in a spontaneous networking
environment.
Provides an interface for automatically registering and deregistering services (fax machines, printers, etc.).
Provides a lookup interface for mobile devices
Example: Jini
54
Jini
A system designed for spontaneous networking.
Java-based: assumes that JVMs run on all of the
computers, allowing them to communicate
through RMI (remote method invocation, a
flavor of interprocess communication in an
object-oriented environment).
Provides facilities for service discovery,
transactions and shared data spaces called
JavaSpaces.
55
Jini Directory-Related Component
Lookup service, Jini services and Jini clients.
The lookup service implements what we have
termed a discovery service;
Jini uses discovery only for discovering the lookup
service itself.
Allows Jini services to register the services they offer and
Jini clients to request services that match their
requirements.
A Jini service provides an object that provides the
service as well as the attributes of the service.
May be registered with several lookup services that store
the objects.
Example: printing service.
56
Jini Directory-Related Component (cont’d)
Jini clients query lookup service to find Jini services
that match their requirements.
If a match is found they download an object that
provides the service from the lookup service.
Bootstrap connectivity: how to find the lookup
service upon entering a network.
Solutions:
A priori knowledge of lookup services’ IP addresses.
Doesn’t scale up.
Use a multicast IP address that is known to all
instances of Jini software.
57
Jini Directory-Related Component (cont’d)
When a Jini client or service starts up it sends a
request stamped with a time-to-live value to a well-known multicast address.
Lookup services listen on a socket bound to this
address and reply to the unicast address from which
they received the request.
The client can then perform RMI to query the
lookup service.
Lookup services sometimes broadcast datagrams
announcing their existence to the same multicast
address, and client and services listen on it.
58