Networking: Network layer

Transcription

1 control Networking: Network layer Comp Sci 3600 Security

2 Outline control 1 2 control 3 4 5

3 Network layer control

4 Outline control 1 2 control 3 4 5

5 Network layer purpose: control Role of the network layer is simple, to move packets from a sending host to a receiving host. Two important network-layer functions can be identified: Forwarding: When a packet arrives at a router s input link, the router must move the packet to the appropriate output link. For example, a packet arriving from Host H1 to R1 must be forwarded to the next router on a path to H2. : The network layer must determine the route or path taken by packets as they flow from a sender to a receiver. The algorithms that calculate these paths are referred to as algorithms. A algorithm would determine, for example, the path along which packets flow from H1 to H2.

6 v4 address control

7 algorithms build forwarding tables control

8 Every router has a forwarding table control A router forwards a packet by examining the value of a field in the arriving packet s header, and then using this header value to index into the router s forwarding table. The value stored in the forwarding table entry for that header indicates the router s outgoing link interface to which that packet is to be forwarded. The algorithm may be centralized (e.g., with an algorithm executing on a central site and downloading information to each of the routers) or decentralized (i.e., with a piece of the distributed algorithm running in each router). In either case, a router receives protocol messages, which are used to configure its forwarding table.

9 Outline control 1 2 control 3 4 5

10 control In a datagram network, each time an end system wants to send a packet, it stamps the packet with the address of the destination end system and then pops the packet into the network.

11 packet control As a packet is transmitted from source to destination, it passes through a series of routers. Each of these routers uses the packet s destination address to forward the packet. Specifically, each router has a forwarding table that maps destination addresses to link interfaces; when a packet arrives at the router, the router uses the packet s destination address to look up the appropriate output link interface in the forwarding table. The router then forwards the packet to that output link interface.

12 tables control Suppose that our router has four links, numbered 0 through 3, and that packets are to be forwarded to the link interfaces as follows:

13 Longest prefix match control When there are multiple matches, the router uses the longest prefix matching rule; that is, it finds the longest matching entry in the table and forwards the packet to the link interface associated with the longest prefix match.

14 Outline control 1 2 control 3 4 5

15 architecture control and management functions collectively referred to as the router control plane, usually implemented in software and execute on the processor (typically a traditional CPU) Forwarding functions collectively referred to as the router forwarding plane

16 Input ports: control Physical layer function of terminating an incoming physical link Link-layer functions needed to interoperate with the link layer at the other side of the incoming link Lookup function is also performed at the input port; this will occur in the rightmost box of the input port. It is here that the forwarding table is consulted to determine the router output port to which an arriving packet will be forwarded via the switching fabric. Control packets (for example, packets carrying protocol information) are forwarded from an input port to the processor. Term port here, referring to the physical input and output router interfaces, is different from the software ports associated with network applications and sockets

17 fabric: control The switching fabric connects the router s input ports to its output ports. This switching fabric is completely contained within the router, a network inside of a network router!

18 ports: control Stores packets received from the switching fabric and transmits these packets on the outgoing link by performing the necessary link-layer and physical-layer functions. When a link is bidirectional (that is, carries traffic in both directions), an output port will typically be paired with the input port for that link

19 processor: control The processor executes the protocols, maintains tables and attached link state information, and computes the forwarding table for the router. It also performs the network management functions

20 Outline control 1 2 control 3 4 5

21 control The lookup performed in the input port is central to the router s operation. It is here that the router uses the forwarding table to look up the output port to which an arriving packet will be forwarded via the switching fabric. The forwarding table is computed and updated by the processor, with a shadow copy typically stored at each input port. Search through the forwarding table looking for the longest prefix match Once a packet s output port has been determined via the lookup, the packet can be sent into the switching fabric.

22 Outline control 1 2 control 3 4 5

23 architecture variation control Which is fastest?

24 Outline control 1 2 control 3 4 5

25 control Takes packets that have been stored in the output port s memory and transmits them over the output link. This includes selecting and de-queueing packets for transmission, and performing the needed link-layer and physical-layer transmission functions.

26 Outline control 1 2 control 3 4 5

27 control As queues grow large, the router s memory can eventually be exhausted and packet loss will occur when no memory is available to store arriving packets.

28 port queuing control

29 Head of line (HOL) blocking in input queuing control

30 Outline control 1 2 control 3 4 5

31 control (more to come) control

32 Outline control 1 2 control 3 4 5

33 Network layer components control

34 Outline control 1 2 control 3 4 5

35 v4 address control

36 v4 header control

37 v4 header control Version number. 4 bits specify the protocol version of the datagram. can determine how to interpret the remainder of the datagram. Different versions of use different data-gram formats. Header length. Because an can contain a variable number of options (which are included in the header), these 4 bits are needed to determine where in the datagram the data actually begins. Most datagrams do not contain options, so the typical datagram has a 20-byte header. Type of service. included in the v4 header to allow different types of datagrams (for example, datagrams particularly requiring low delay, high throughput, or reliability) to be distinguished from each other. For example, it might be useful to distinguish real-time datagrams (such as those used by an telephony application) from non-real-time traffic (for example, FTP).

38 v4 header control length. total length of the datagram (header plus data), measured in bytes. s are rarely larger than 1,500 bytes. Identifier, flags, fragmentation offset. These three fields have to do with so-called fragmentation. Time-to-live. included to ensure that datagrams do not circulate forever (due to, for example, a long-lived loop) Decremented by one each time the datagram is processed by a router. If the TTL field reaches 0, the datagram must be dropped. Protocol. Used only when an datagram reaches its final destination. Value of this field indicates the specific transport-layer protocol to which the data portion of this datagram should be passed. For example, a value of 6 indicates that the data portion is passed to TCP, while a value of 17 indicates that the data is passed to UDP.

39 v4 header control Header checksum. aids a router in detecting bit errors in a received datagram. Source and destination addresses. When a source creates a datagram, it inserts its address into the source address field and inserts the address of the ultimate destination into the destination address field. Often the source host determines the destination address via a DNS lookup. Options. allow an header to be extended. Header options were meant to be used rarely. Data (payload). In most circumstances, the data field of the datagram contains the transport-layer segment to be delivered to the destination. Total of 20 bytes of header (assuming no options). If the datagram carries a TCP segment, then each (nonfragmented) datagram carries a total of 40 bytes of header (20 bytes of header plus 20 bytes of TCP header) along with message.

40 v4 header details control

41 v4 header details control Version The first header field in an packet is the four-bit version field. Header Length (IHL) The Header Length (IHL) field has 4 bits, which is the number of 32-bit words. Since an v4 header may contain a variable number of options, this field specifies the size of the header (this also coincides with the offset to the data). Differentiated Services Code Point (DSCP) Originally defined as the Type of service (ToS) field. An example is Voice over (Vo), which is used for interactive data voice exchange. Explicit Congestion Notification (ECN) This field is defined in RFC 3168 and allows end-to-end notification of network congestion without dropping packets. ECN is an optional feature that is only used when both endpoints support it and are willing to use it. It is only effective when supported by the underlying network.

42 v4 header details control Total Length This 16-bit field defines the entire packet size in bytes, including header and data. The minimum size is 20 bytes (header without data) and the maximum is 65,535 bytes. All hosts are required to be able to reassemble datagrams of size up to 576 bytes, but most modern hosts handle much larger packets. Sometimes links impose further restrictions on the packet size, in which case datagrams must be fragmented. Fragmentation in v4 is handled in either the host or in routers. Identification This field is an identification field and is primarily used for uniquely identifying the group of fragments of a single datagram. Flags A three-bit field follows and is used to control or identify fragments. They are (in order, from most significant to least significant):

43 v4 header details control Fragment Offset The fragment offset field is measured in units of eight-byte blocks. It is 13 bits long and specifies the offset of a particular fragment relative to the beginning of the original unfragmented datagram. Time To Live (TTL) An eight-bit time to live field helps prevent datagrams from persisting (e.g. going in circles) on an internet. It is specified in seconds, but time intervals less than 1 second are rounded up to 1. In practice, the field has become a hop countwhen the datagram arrives at a router, the router decrements the TTL field by one. When the TTL field hits zero, the router discards the packet and typically sends an Time Exceeded message to the sender. The program traceroute uses these Time Exceeded messages to print the routers used by packets to go from the source to the destination. Protocol This field defines the protocol used in the data portion of the datagram.

44 v4 header details control Header Checksum The 16-bit checksum field is used for error-checking of the header. When a packet arrives at a router, the router calculates the checksum of the header and compares it to the checksum field. If the values do not match, the router discards the packet. Errors in the data field must be handled by the encapsulated protocol. Source address This field is the v4 address of the sender of the packet. Note that this address may be changed in transit by a network address translation device. Destination address This field is the v4 address of the receiver of the packet. As with the source address, this may be changed in transit by a network address translation device. Options The options field is not often used. Data The data portion of the packet is not included in the packet checksum. Its contents are interpreted based on the value of the Protocol header field.

45 v4 fragmentation control

46 addresses in routers control The boundary between the host and the physical link is called an interface. The boundary between the router and any one of its links is also called an interface. A router thus has multiple interfaces, one for each of its links. Because every host and router is capable of sending and receiving datagrams, requires each host and router interface to have its own address. Thus, an address is technically associated with an interface, rather than with the host or router containing that interface.

47 v4 address control about 4 billion addresses

48 Interface addresses and subnets control

49 Subnet addressing control

50 Subnet addressing control To determine the subnets, detach each interface from its host or router, creating islands of isolated, with interfaces terminating the end points of the isolated. Each of these isolated is called a subnet.

51 Three routers interconnecting six subnets control

52 Obtaining address blocks control ISP provides addresses from a larger block of addresses that had already been allocated to the ISP. For example, the ISP may itself have been allocated the address block /20. The ISP, in turn, could divide its address block into eight equal-sized contiguous address blocks and give one of these address blocks out to each of up to eight organizations that are supported by this ISP, as shown below. (underlined the subnet part of these addresses for your convenience.)

53 control Dynamic Host Configuration Protocol (DHCP) client-server

54 DHCP process control DHCP discover message, which a client sends within a UDP packet to port 67, broadcast A DHCP server receiving a DHCP discover message responds to the client with a DHCP offer message that is broadcast to all nodes on the subnet, again using the broadcast address of DHCP request. The newly arriving client will choose from among one or more server offers and respond to its selected offer with a DHCP request message, echoing back the configuration parameters. DHCP ACK. The server responds to the DHCP request message with a DHCP ACK message, confirming the requested parameters.

55 DHCP query response control

56 Network address translation (NAT) control NAT router behaves to the outside world as a single device with a single address, matching external ports to internal network /port combinations What are problems with NAT?

57 Outline control 1 2 control 3 4 5

58 Control Message Protocol () control is often considered part of but architecturally it lies just above, as messages are carried inside datagrams. That is, messages are carried as payload, just as TCP or UDP segments are carried as payload. Similarly, when a host receives an datagram with specified as the upper-layer protocol, it demultiplexes the datagram s contents to, just as it would demultiplex a datagram s content to TCP or UDP. The well-known ping program sends an type 8 code 0 message to the specified host. The destination host, seeing the echo request, sends back a type 0 code 0 echo reply. Most TCP/ implementations support the ping server directly in the operating system; that is, the server is not a process Traceroute uses

59 Control Message Protocol () control

60 Outline control 1 2 control 3 4 5

61 v6 address format control

62 v6 header control

63 The most important changes introduced in v6: control Expanded addressing capabilities. v6 increases the size of the address from 32 to 128 bits. This ensures that the world won t run out of addresses. Now, every grain of sand on the planet can be -addressable. In addition to unicast and multicast addresses, v6 has introduced a new type of address, called an address, which allows a datagram to be delivered to any one of a group of hosts. This feature could be used, for example, to send an HTTP GET to the nearest of a number of mirror sites that contain a given document.

64 The most important changes introduced in v6: control A streamlined 40-byte header. A number of v4 fields have been dropped or made optional. The resulting 40-byte fixed-length header allows for faster of the datagram. A new encoding of options allows for more flexible options.

65 The most important changes introduced in v6: control Flow labeling and priority. v6 has an elusive definition of a flow. RFC 1752 and RFC 2460 state that this allows labeling of packets belonging to particular flows for which the sender requests special handling, such as a nondefault quality of service or real-time service. For example, audio and video transmission might likely be treated as a flow. On the other hand, the more traditional applications, such as file transfer and , might not be treated as flows. It is possible that the traffic carried by a high-priority user (for example, someone paying for better service for their traffic) might also be treated as a flow.

66 The following fields are defined in v6: control Version. This 4-bit field identifies the version number. Not surprisingly, v6 carries a value of 6 in this field. Note that putting a 4 in this field does not create a valid. If it did, life would be a lot simpler, see the discussion below regarding the transition from v4 to v6. Traffic class. This 8-bit field is similar in spirit to the TOS field we saw in v4. Flow label. As discussed above, this 20-bit field is used to identify a flow of datagrams. Payload length. This 16-bit value is treated as an unsigned integer giving the number of bytes in the v6 datagram following the fixed-length, 40-byte data- gram header.

67 The following fields are defined in v6: control Next header. This field identifies the protocol to which the contents (data field) of this datagram will be delivered (for example, to TCP or UDP). The field uses the same values as the protocol field in the v4 header. Hop limit. The contents of this field are decremented by one by each router that forwards the datagram. If the hop limit count reaches zero, the datagram is discarded. Source and destination addresses. The various formats of the v6 128-bit address are described in RFC Data. This is the payload portion of the. When the datagram reaches its destination, the payload will be removed from the datagram and passed on to the protocol specified in the next header field.

68 v6 header details control

69 v6 header details control Traffic class. 8-bit field is similar in spirit to the TOS field we saw in v4. Flow label. datagrams. 20-bit field is used to identify a flow of Payload length. This 16-bit value is treated as an unsigned integer giving the number of bytes in the v6 datagram following the fixed-length, 40-byte datagram header. Next header. This field identifies the protocol to which the contents (data field) of this datagram will be delivered (for example, to TCP or UDP). The field uses the same values as the protocol field in the v4 header. Hop limit. The contents of this field are decremented by one by each router that forwards the datagram. If the hop limit count reaches zero, the datagram is discarded.

70 v6 header details control Source and destination addresses. The various formats of the v6 128-bit address are described in RFC Data. This is the payload portion of the. When the datagram reaches its destination, the payload will be removed from the datagram and passed on to the protocol specified in the next header field.

71 Backwards compatibility via dual-stack control

72 Backwards compatibility via tunneling control

73 Outline control 1 2 control 3 4 5

74 control While TLS or SSH secure application layer, end-to-end encrypts the network layer. Cryptographic agreement. two communicating hosts to agree on cryptographic algorithms and keys. Encryption of datagram payloads. When the sending host receives a segment from the transport layer, encrypts the payload. The payload can only be decrypted by in the receiving host. Data integrity. allows the receiving host to verify that the datagram s header fields and encrypted payload were not modified while the datagram was en route from source to destination. Origin authentication. When a host receives an datagram from a trusted source (with a trusted key see), the host is assured that the source address in the datagram is the actual source of the datagram.

75 control When two hosts have an session established between them, all TCP and UDP segments sent between them will be encrypted and authenticated. therefore provides blanket coverage, securing all communication between the two hosts for all network applications.

76 Outline control 1 2 control 3 4 5

77 Abstract graph model of a computer network control Given any two nodes x and y, there are typically many paths between the two nodes, with each path having a cost. One or more of these paths is a least-cost path.

78 Outline control 1 2 control 3 4 5

79 table building algorithm control A global algorithm computes the least-cost path between a source and destination using complete, global knowledge about the network. That is, the algorithm takes the connectivity between all nodes and all link costs as inputs. broadcast to all nodes in the network, and then centrally perform Dijkstra s algorithm to find the shortest path on a graph

80 Least cost path and forwarding table for nodule u control

81 Outline control 1 2 control 3 4 5

82 table building algorithm control In a decentralized algorithm, the calculation of the least-cost path is carried out in an iterative, distributed manner. No node has complete information about the costs of all network links. Instead, each node begins with only the knowledge of the costs of its own directly attached links. Then, through an iterative process of calculation and exchange of information with its neighboring nodes (that is, nodes that are at the other end of links to which it itself is attached), a node gradually calculates the least-cost path to a destination or set of destinations.

83 Distance-vector (DV) algorithm control

84 Outline control 1 2 control 3 4 5

85 control : interconnected autonomous systems (AS)

86 Autonomous systems control Autonomous systems (ASs) consist of a group of router typically under the same administrative control (e.g., operated by the same ISP or belonging to the same company network). s within the same AS all run the same algorithm and have information about each other. The algorithm running within an autonomous system is called an intra-autonomous system protocol. Obtaining reachability information from neighboring ASs and propagating the reachability information to all routers internal to the AS, are handled by the inter-as protocol. Since the inter-as protocol involves communication between two ASs, the two communicating ASs must run the same inter-as protocol. In the all ASs run the same inter-as protocol, called BGP4

87 Outline control 1 2 control 3 4 5

88 Outline control 1 2 control 3 4 5

89 Distributed: Information Protocol (R) control Each router maintains a R table known as a table. A router s table includes both the router s distance vector and the router s forwarding table.

90 Distributed: Information Protocol (R) control

91 Outline control 1 2 control 3 4 5

92 Central: Open Shortest Path First (OSPF) control Used by mega-isps OSPF was conceived as the successor to R and as such has a number of advanced features. At its heart, however, OSPF is a link-state protocol that uses flooding of link-state information and a Dijkstra least-cost path algorithm. With OSPF, a router constructs a complete topological map (that is, a graph) of the entire autonomous system. The router then locally runs Dijkstra s shortest-path algorithm to determine a shortest-path tree to all subnets, with itself as the root node. Individual link costs are configured by the network administrator

93 Outline control 1 2 control 3 4 5

94 Border Gateway Protocol version 4 (BGP4) control

95 BGP provides each A.S. a means to: control 1 Obtain subnet reachability information from neighboring ASs. 2 Propagate the reachability information to all routers internal to the AS. 3 Determine good routes to subnets based on the reachability information and on AS policy. Most importantly, BGP allows each subnet to advertise its existence to the rest of the. A subnet screams I exist and I am here, and BGP makes sure that all the ASs in the know about the subnet and how to get there. If it weren t for BGP, each subnet would be isolated, alone and unknown by the rest of the.

96 Border Gateway Protocol version 4 (BGP4) control BGP session that spans two ASs is called an external BGP (ebgp) session BGP session between routers in the same AS is called an internal BGP (ibgp) session

97 Outline control 1 2 control 3 4 5

98 control In broadcast, the network layer provides a service of delivering a packet sent from a source node to all other nodes in the network; Multicast enables a single source node to send a copy of a packet to a subset of the other network nodes. v6 has introduced a new type of address, called an address, which allows a datagram to be delivered to any one of a group of hosts. This feature could be used, for example, to send an HTTP GET to the nearest of a number of mirror sites that contain a given document

99 Broadcast control When a host sends a datagram with destination address , the message is delivered to all hosts on the same subnet.

100 How to broadcast? control