Course Organization
  - The Internet as a Blackbox: Applications
    - Basic terminology & concepts (protocols, API, ...)
    - Dive into DNS, Email, HTTP, SNMP & their interface to the blackbox
  - Opening the Blackbox: The IP Protocol Stack
    - Basic terminology & concepts (layers, standard stack, ...)
    - Dive into each layer
  - New trends in the domain of computer networks
Telematics, Chapter 3: The Internet as a Blackbox: Applications
Dr. habil. Emmanuel Baccelli, INRIA / Freie Universität Berlin, Institute of Computer Science, Computer Systems and Telematics (CST)
Context
  - Processes running locally vs. applications that require interaction with remote machines, e.g. a browser
  - For now, we consider the Internet as a virtual pipe with a simple bit-delivery API based on IP addresses and port numbers.
  [Figure: the client process calls send(ip address, port, data); the request crosses the Internet to the server process, which calls rcv(port) and sends back a reply]
CONTENT of this CHAPTER
  - DNS
  - HTTP and WWW
  - EMAIL
  - SNMP
Access to Remote Resources
  [Figure: browser showing http://www.mi.fu-berlin.de/inf/groups/ag-tech/teaching/2013-14_ws/index.html]
Why Names?
  - Why a level of indirection from name to IP address?
    - easier to deal with for humans, compared to IP addresses
    - abstracts the application-layer identifier from the network-layer identifier
    - allows load balancing between servers
    - easy aliasing from one name to another name
  - Two fundamental aspects:
    - Unique names
    - Name resolution to IP address
Unique Names
  - How can you ensure names are unique? Recursive solution
  - Example
    - Give responsibility for all .de names to an organization (e.g. DENIC)
    - DENIC can delegate management of all fu-berlin.de names to the FU
    - FU can then delegate management of all mi.fu-berlin.de names to the Informatik Dep.
  - Concepts: dotted namespace notation, hierarchy, delegation
  - This solution ensures that
    - only one institution is named fu-berlin in the .de name space
    - only one department is named mi in the fu-berlin.de name space
From Content to IP Address
  - URL: http://www.mi.fu-berlin.de/inf/groups/ag-tech/teaching/2013-14_ws/index.html
  - IP address mapping: 160.45.117.199, port 80, path inf/groups/ag-tech/teaching/2013-14_ws/index.html
  - Resource ID = (IP address, port number, path)
  [Figure: the web server at that address serves index.html]
Domain Name System (DNS): Basic Idea
  - DNS: mapping of names to IP addresses
  - Hosts are configured with the IP address of a Name Server for name resolution
  [Figure: the host's resolver sends a request to the name server and receives a response]
  - Uses a distributed database: many name servers, each with local control
  - Data of each local area is accessed via a client/server architecture
  - Structured name space based on the Internet's administrative organization
About Domain Name System (DNS)
  - Hierarchical namespace
  - Name servers & zones
  - Name resolution & address resolution
  - DNS database entries
  - DNS protocol
  - Tools for DNS
The DNS Namespace: Tree
  - The DNS namespace is structured as a tree
  - Each node has a label, which identifies it relative to the parent node
  - Each node is the root of a sub-tree (if not a leaf)
  - Each sub-tree represents a domain
  - Each domain can be divided into sub-domains
  [Figure: tree with the root on top; generic top-level domains com, edu, gov, mil and country top-level domains se, de below it; sub-domains such as oxford and fu-berlin one level further down, with cs and inf as sub-domains of fu-berlin]
The DNS Namespace: Top-Level Domains
  - Originally the name space was divided into seven Top-Level Domains:
    - com: commercial organizations
    - edu: educational organizations
    - gov: government organizations
    - mil: military organizations
    - net: network organizations
    - org: non-commercial organizations
    - int: international organizations
  - Additionally, each country has its own top-level domain
  - The name space was extended in the meantime by further top-level domains: biz, info, museum, name, pro, tv, xxx (http://www.icann.org/tlds)
  - Within each top-level domain, different conventions for name structuring:
    - Australia: edu.au, com.au, etc.
    - UK: co.uk (for commercial organizations), ac.uk (for academic organizations), etc.
    - Other countries, e.g. Germany: no such conventions
The DNS Namespace: Leaf Nodes
  - The name of a domain consists of a sequence of labels, beginning with the root of the domain and going up to the root of the whole tree
  - Labels are separated by "."
  - In the leaf nodes the IP addresses associated with the names are stored
  - Example: foo.inf.fu-berlin.de
    [Figure: path foo -> inf -> fu-berlin -> de in the tree]
    - logical name: foo.inf.fu-berlin.de
    - associated IP address: 160.45.117.167
DNS Database
  - The names of the domains serve as index for the DNS database
  - The data associated with a domain name are stored in Resource Records (RR)
  [Figure: tree with the sub-domains ca, or, nv; below ca the sub-domains oakland, ba, la; below ba the leaf rinkon, whose record holds IP address 192.2.18.44]
Domain Name Aliasing
  - Computers can have one or more secondary names: Domain Name Aliases
  - Aliases are pointers from one domain name to another one, the Canonical Domain Name
  [Figure: tree under us with ca, or, nv; below ca the nodes oakland, ba, la; the leaf rinkon under ba holds IP address 192.2.18.44, while the alias node mailhub stores no IP address but the logical name rinkon.ba.ca.us.]
The DNS Database: Namespace Rules
  - The depth of the tree is limited to 127 levels
  - Each label can have up to 63 characters
  - The whole domain name can have up to 255 characters
  - A label of length 0 is reserved for the root node ("")
  - Fully Qualified Domain Name (FQDN) is the absolute domain name, with reference to the root of the tree. Example: inf.fu-berlin.de. or www.wikipedia.org.
  - Domain names which are declared with reference to another domain are called relative domain names
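The namespace rules above are easy to check mechanically. The following is an added example, not code from the lecture: it validates a name against the limits quoted on the slide (127 levels, 63-character labels, 255-character names, the empty root label), distinguishes FQDNs from relative names, and qualifies a relative name against an origin. The origin handling ("@" stands for the origin) follows the zone-file convention; the example names are the slide's own.

```python
# Added example (not from the lecture slides): checking the DNS namespace rules
# and turning relative names into fully qualified ones.
MAX_DEPTH = 127   # levels of the tree
MAX_LABEL = 63    # characters per label
MAX_NAME = 255    # characters of the whole domain name


def is_fqdn(name: str) -> bool:
    """A fully qualified name ends with '.', the explicit reference to the root."""
    return name.endswith(".")


def labels_of(name: str) -> list:
    """Split a name into its labels; the root's empty label is not listed."""
    if name in (".", ""):
        return []
    return name.rstrip(".").split(".")


def check_name(name: str) -> list:
    """Return the list of rule violations (an empty list means the name is valid)."""
    problems = []
    labels = labels_of(name)
    if len(labels) > MAX_DEPTH:
        problems.append(f"depth {len(labels)} exceeds {MAX_DEPTH} levels")
    for label in labels:
        if label == "":
            # only the root node may carry the empty label, e.g. "a..b" is invalid
            problems.append("empty label (only the root label may be empty)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label '{label[:12]}...' is longer than {MAX_LABEL} characters")
    if len(name.rstrip(".")) > MAX_NAME:
        problems.append(f"name is longer than {MAX_NAME} characters")
    return problems


def qualify(name: str, origin: str) -> str:
    """Make a relative name absolute by appending the origin (which must be an FQDN)."""
    if not is_fqdn(origin):
        raise ValueError("origin must be fully qualified")
    if is_fqdn(name):
        return name                 # already absolute, leave untouched
    if name == "@":
        return origin               # zone-file shorthand for the origin itself
    return f"{name}.{origin}"


if __name__ == "__main__":
    for n in ["inf.fu-berlin.de.", "www.wikipedia.org.", "a..b.de", "x" * 64 + ".de"]:
        print(n[:30], "->", check_name(n) or "ok")
    print(qualify("www", "fu-berlin.de."))
```

Note that `check_name` accepts both absolute and relative names; only `qualify` cares about the trailing dot. The 255-character limit is measured on the textual name, as the slide states it.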
About Domain Name System (DNS): Name servers & zones
DNS: Name Servers, Zones, and Domains
  - Domains: administrative concept
    - A domain is managed by a single organization
    - The name of a domain corresponds to the domain name of its root node
    - Can delegate the responsibility for subdomains to other organizations
    - Maintains pointers to the roots of the sub-domains to be able to forward requests
  - Name Servers and Zones: technical concepts
    - A name server is a process that maintains a database for the name space
    - The part of the name space a name server knows is called a zone
    - The name server has authority over the zone
    - May manage multiple zones; must store information about its zone(s)
    - No standard guidelines for how domains are divided into zones
DNS Domains: Examples
  [Figure: the top of the tree (edu, com, gov, mil) is the domain managed by ICANN; the sub-tree berkeley.edu with its sub-domain eecs is the domain managed by UC Berkeley]
DNS: Types of Name Servers
  - Primary Master of a zone
    - mandatory
    - reads the data from a local file (Zone Data Files)
    - has a database of RRs describing subdomains & computers in the zone
  - Secondary Master of a zone
    - optional
    - replication of the DNS database for reliability
    - receives the data from another name server which is authoritative for the zone
  - Primary master & secondary masters are both authoritative for the zone
    - The distinction is only for performance & fault tolerance
  - In most cases you get non-authoritative answers to DNS requests!
DNS: Root Name Server
  - Requests which a name server cannot answer are handed upward in the tree
  - Inquiries thus often run over the root name server
  - The root name server must always be available
    - Replication: 13 instances, distributed more or less worldwide (http://www.root-servers.org)
    - Problem: this is still not reliable enough! E.g. BSD bug
Root Name Server: Current Replications
  [Figure: world map of root name server instances]
About Domain Name System (DNS): Name resolution & address resolution
Name Resolution: Recursive and Iterative
  - Two types of name resolution
  1. Recursive resolution
    - The name server replies either with the searched information or with an error message
    - The name server is responsible for contacting as many other name servers as necessary
  2. Iterative resolution
    - A name server replies with the resolution or with the address of another name server
    - The resolver has to contact additional name servers if it does not get the answer
Name Resolution: Recursive and Iterative (example)
  [Figure: the resolver asks its name server "girigiri.gbrmpa.gov.au??" (one recursive request/response). The name server then works iteratively: it asks the root name server and is referred to the au name server; asks the au name server (which knows au, nz, sg, ...) and is referred to the gov.au name server; asks the gov.au name server (which knows sa, gov, edu, ...) and is referred to the gbrmpa.gov.au name server; asks the gbrmpa.gov.au name server (which knows ips, gbrmpa, ...) and finally receives the address of girigiri.gbrmpa.gov.au]
Scalability: Distribution via Delegation
  - From anywhere in the world: only 3 queries are needed to resolve www.name.com into an IP address
    - Access is then possible through the Internet's bit-delivery service API
  - Delegation
    - the root does not store the details of the names inside the .de space
    - the .de register does not store the details of the names inside the fu-berlin.de space
    - etc., it goes on recursively
  - Scalability via distribution
    - Each name server must only store a tiny part of the database
    - The system ensures each part is stored at least once, in a well-known location
    - Efficient spreading of the total load onto multiple machines
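The referral chain of the two preceding slides and the "3 queries for www.name.com" count can be reproduced with a simulated delegation tree. The following is an added example, not code from the lecture: the three simulated servers (hypothetical names ns.root, ns.com, ns.name.com) and the address 192.0.2.10 are constructed here, and no real server is contacted. The iterative resolver follows referrals itself; in the recursive case the same loop runs inside the local name server, so the resolver sees only one exchange.

```python
# Added example (not from the lecture slides): iterative vs. recursive
# resolution over a constructed delegation tree. Server names and the
# address are hypothetical.
ROOT = "ns.root"

# Each simulated server knows the delegations of its zone (child zone ->
# responsible name server) and the final answers it is authoritative for.
SERVERS = {
    "ns.root":     {"delegations": {"com.": "ns.com"}, "answers": {}},
    "ns.com":      {"delegations": {"name.com.": "ns.name.com"}, "answers": {}},
    "ns.name.com": {"delegations": {}, "answers": {"www.name.com.": "192.0.2.10"}},
}


def query(server: str, qname: str) -> tuple:
    """One request/response exchange with a server.

    Returns ("answer", address), ("referral", next_server) or ("error", reason),
    i.e. the three kinds of reply an iterative name server gives.
    """
    zone = SERVERS[server]
    if qname in zone["answers"]:
        return ("answer", zone["answers"][qname])
    # the referral goes to the longest (closest enclosing) delegated child zone
    best = None
    for child, ns in zone["delegations"].items():
        if qname == child or qname.endswith("." + child):
            if best is None or len(child) > len(best[0]):
                best = (child, ns)
    if best is not None:
        return ("referral", best[1])
    return ("error", "NXDOMAIN")


def resolve_iterative(qname: str) -> tuple:
    """The resolver follows referrals itself, starting at the root.

    Returns (address or None, list of servers asked in order).
    """
    server, asked = ROOT, []
    while True:
        asked.append(server)
        kind, value = query(server, qname)
        if kind == "answer":
            return value, asked
        if kind == "referral":
            server = value
            continue
        return None, asked


def resolve_recursive(qname: str, local_server: str = "ns.local") -> tuple:
    """The local name server does the iteration on the resolver's behalf.

    Returns (address or None, servers the resolver spoke to, servers the
    local name server spoke to); the resolver only ever sees its local server.
    """
    address, upstream = resolve_iterative(qname)
    return address, [local_server], upstream


if __name__ == "__main__":
    print(resolve_iterative("www.name.com."))
    print(resolve_recursive("www.name.com."))
    print(resolve_iterative("www.other.com."))
```

The referral selection picks the longest matching delegation, which is what lets one server hold delegations for both `com.` and, say, `example.com.` without ambiguity.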
Reverse Lookup: from Addresses to Names
  - The database is indexed by names
    - Mapping of a name to an address is simple
    - Mapping of an address to a name is more difficult to realize: complete search of the name space!
  - Solution: a special area in the database with addresses as index
    - The domain name for this area: in-addr.arpa
    - The in-addr.arpa domain has 256 sub-domains, each of which has 256 sub-domains, ...
    - On the 4th level, the appropriate resource record is assigned to the IP address
    - The IP address appears backwards because it is read beginning with the leaf node (IP address 15.16.192.152 -> sub-domain 152.192.16.15.in-addr.arpa)
DNS Reverse Lookup: Example
  [Figure: tree arpa -> in-addr -> 15 (of 0..255) -> 16 (of 0..255) -> 192 (of 0..255) -> 152 (of 0..255); the leaf 152 holds the hostname winnie.corp.hp.com]
  - Very useful against spoofing!
About Domain Name System (DNS): DNS database entries
Example: Resource Records in a Zone File
  [Figure: zone file listing with the columns Label, TTL, Class, Type, Value]
Resource Records (RR)
  - RR: entry in the zone data files
  - General structure: (label, ttl, class, type, value)

  Type   | Used in   | Description
  -------|-----------|------------------------------------------------------------
  A      | Host      | Address of a host; needed for name resolution
  CNAME  | Node      | Canonical name, i.e., reference (alias) to the true name
  HINFO  | Host      | Host information, additional information about the host (CPU, operating system)
  MINFO  | Domain    | Mailbox or mail list information, maps a mailbox or mail list name to a host
  MX     | Domain    | Mail exchange, refers to the mail server of the domain
  NS     | Zone      | Refers to the authoritative name server for the zone
  PTR    | Host      | Domain name pointer, used for the mapping of an address to a name
  SOA    | Zone      | Indicates the authority for the zone data
  SRV    | Domain    | Refers to a server which offers a certain service in the domain
  TXT    | Arbitrary | Other useful information
  WKS    | Host      | Well-known services, may list the available services at this host
Resource Records: NS Record
  - NS = Name Server
  - For each name server of a zone an NS record is created
  - Example of NS Resource Records:

      movie.edu.  IN  NS  terminator.movie.edu
      movie.edu.  IN  NS  wormhole.movie.edu

  - There are two name servers in the example, installed on the computers terminator and wormhole
Resource Records: Address Record
  - A = ADDRESS
  - At least one A record is needed for each host in the zone
  - Example of A Resource Records:

      ; Host addresses
      localhost.movie.edu.   IN  A  127.0.0.1
      robocop.movie.edu.     IN  A  192.249.249.2
      terminator.movie.edu.  IN  A  192.249.249.3
      diehard.movie.edu.     IN  A  192.249.249.4
      misery.movie.edu.      IN  A  192.253.253.2
      shining.movie.edu.     IN  A  192.253.253.3
      carrie.movie.edu.      IN  A  192.253.253.4
      ;
      ; Multihomed host
      ;
      wormhole.movie.edu     IN  A  192.249.249.1
      wormhole.movie.edu     IN  A  192.253.253.1
Aliasing with CNAME Records
  - CNAME = Canonical Name
  - Optional entry in the database
  - Examples of CNAME Records:

      bigt.movie.edu.        IN  CNAME  terminator.movie.edu.
      dh.movie.edu.          IN  CNAME  diehard.movie.edu.
      terminator.movie.edu.  IN  A      192.249.249.1
      diehard.movie.edu.     IN  A      192.253.253.1

  - A = ADDRESS; CNAME maps an alias to its canonical name
  - For multi-homed computers (connected to several networks), an A record is needed for every secondary name if different aliases are to be stored for the addresses
  - For a secondary name which applies to both addresses, a CNAME record is created
Resource Records: SOA Record
  - SOA = Start of Authority
  - Indicates the name of the primary master server, authoritative for the zone
  - There can be only one SOA record in a zone file
  - Example of an SOA Resource Record:

      movie.edu.  7200  IN  SOA  terminator.movie.edu  al.robocop.movie.edu (
                                    129846   ; Serial
                                    10800    ; Refresh after 3 hours
                                    3600     ; Retry after 1 hour
                                    604800   ; Expire after 1 week
                                    86400 )  ; Minimum TTL of 1 day

    - terminator.movie.edu: name of the master server
    - al.robocop.movie.edu: email address of the contact person; the first "." means "@"
    - Serial: version number of the zone
    - The values in parentheses are the timing data for the zone
  - See RFC 1035
Reverse Lookup: PTR Records
  - PTR = Pointer
  - Provides the information for the mapping of addresses to names
  - Example of PTR Resource Records:

      1.249.249.192.in-addr.arpa.  IN  PTR  wormhole.movie.edu.
      2.249.249.192.in-addr.arpa.  IN  PTR  robocop.movie.edu.
      3.249.249.192.in-addr.arpa.  IN  PTR  terminator.movie.edu.
      4.249.249.192.in-addr.arpa.  IN  PTR  diehard.movie.edu.

  - Addresses should refer to only one name (the canonical name)
Mail Exchanger: MX Record
  - MX = Mail Exchanger
  - The MX record serves for the control of email routing
  - Specifies an email server responsible for a domain name
  - Additionally, a preference can be indicated if several mail servers are present
  - Example:

      peets.mpk.ca.us.  IN  MX  10  relay.hp.com.

    indicates that relay.hp.com is the mail server for peets.mpk.ca.us with preference 10
  - Only the relative preference value is important: the email server with the smallest value is addressed first
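The record types of the preceding slides (A, NS, CNAME, MX, PTR) are easiest to understand by operating on them. The following is an added example, not code from the lecture: a minimal zone-file parser producing the (label, ttl, class, type, value) tuples described above, with relative-name handling via $ORIGIN, alias chasing for CNAME, MX ordering by preference, and derivation of the in-addr.arpa PTR names from the A records (the reverse-lookup mapping of the earlier slides). The zone text is constructed for the example, reusing the slides' movie.edu names, and is not the lecture's zone file.

```python
# Added example (not from the lecture slides): a small zone-file parser and the
# operations the records exist for. ZONE_TEXT is constructed for this example.
ZONE_TEXT = """\
$ORIGIN movie.edu.
@              IN NS    terminator.movie.edu.
@              IN MX    20 wormhole.movie.edu.
@              IN MX    10 terminator
terminator     IN A     192.249.249.3
wormhole       IN A     192.249.249.1   ; multihomed host
wormhole       IN A     192.253.253.1
bigt           IN CNAME terminator
dh             IN CNAME diehard
diehard  3600  IN A     192.249.249.4
"""


def qualify(name, origin):
    """Relative names get the origin appended; '@' is the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, default_ttl=86400):
    """Return a list of (label, ttl, class, type, value) tuples with absolute names."""
    origin, records = ".", []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # strip comments and blanks
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        label = qualify(fields.pop(0), origin)
        ttl = default_ttl
        if fields[0].isdigit():                     # the TTL column is optional
            ttl = int(fields.pop(0))
        rclass, rtype = fields.pop(0), fields.pop(0)
        value = " ".join(fields)
        if rtype in ("CNAME", "NS", "PTR"):         # value is a domain name
            value = qualify(value, origin)
        elif rtype == "MX":                         # value is (preference, host)
            pref, host = value.split()
            value = (int(pref), qualify(host, origin))
        records.append((label, ttl, rclass, rtype, value))
    return records


def lookup(records, name, rtype, max_aliases=8):
    """Follow CNAME aliases to the canonical name, then return its values of rtype.

    The alias limit guards against a CNAME loop in a broken zone.
    """
    for _ in range(max_aliases):
        cnames = [v for (l, _, _, t, v) in records if l == name and t == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    return name, [v for (l, _, _, t, v) in records if l == name and t == rtype]


def mail_servers(records, domain):
    """MX hosts in the order a sender tries them: smallest preference first."""
    _, mx = lookup(records, domain, "MX")
    return [host for _, host in sorted(mx)]


def reverse_name(ip):
    """IPv4 address -> in-addr.arpa name; the octets appear backwards."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_records(records):
    """Derive the PTR records of the reverse zone from the A records.

    Each address maps to one name only (the first, canonical one seen).
    """
    ptrs = {}
    for label, _, _, rtype, value in records:
        if rtype == "A":
            ptrs.setdefault(reverse_name(value), label)
    return sorted(ptrs.items())


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(lookup(recs, "bigt.movie.edu.", "A"))
    print(mail_servers(recs, "movie.edu."))
    for owner, target in ptr_records(recs):
        print(f"{owner}  IN  PTR  {target}")
```

Aliases are never stored in the reverse zone: `ptr_records` walks only A records, so `bigt` and `dh` produce no PTR, matching the rule that an address refers to a single canonical name.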
About Domain Name System (DNS): DNS protocol
DNS Protocol
  - DNS defines a single packet format, used both for inquiries and responses (see RFC 1035)

      <------------------ 32 bits ------------------>
      Identification (16 bits)  | Flags (16 bits)
      Number of Questions       | Number of Answer RRs
      Number of Authority RRs   | Number of Additional RRs
      Questions (variable number of RR)
      Answers (variable number of RR)
      Authority (variable number of RR)
      Additional information (variable number of RR)

  - Identification: 16 bits for the definite identification of an inquiry, to match requests and responses
  - Flags: various flags (16 bits), including the indication of
    1. request/response
    2. authoritative/not authoritative
    3. iterative/recursive
    4. recursion possible
  - Number of ...: indication of the contained number of inquiries resp. data records
  - Questions: names to be resolved
  - Answers: resource records for the previous inquiry
  - Authority: identification of the responsible name servers passed along
  - Additional information: further data for the inquiry. If the name searched is only an alias, the resource record belonging to the correct name is placed here.
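The packet layout above can be exercised without any network: the following is an added example, not code from the lecture, that builds a query message with the header fields of the slide (identification, flags, the four counts) and a question section, builds a matching answer, and parses both back, including the name-compression pointers that real responses use for the answer's owner name. It also shows the check a resolver makes with the identification field and the question: a response is only accepted if it echoes both. All bytes are constructed in memory; the names and values are taken from the dig output later in this chapter.

```python
# Added example (not from the lecture slides): encode and decode the DNS
# message format (RFC 1035, section 4.1). Nothing is sent on the network.
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # flag bits of the 16-bit flags word


def encode_name(name):
    """Text name -> sequence of (length, label) pairs, terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (top two bits 11).

    Returns (name, offset of the first octet after the name in the message).
    """
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # pointer to an earlier name
            if not jumped:
                end = offset + 2                    # the pointer occupies two octets
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def build_query(ident, qname, qtype=1, recursion_desired=True):
    """Header (ID, flags, 4 counts) followed by one question for qname, class IN."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "is_response": bool(flags & QR), "authoritative": bool(flags & AA),
            "recursion_desired": bool(flags & RD), "recursion_available": bool(flags & RA),
            "rcode": flags & 0x000F, "counts": (qd, an, ns, ar)}


def parse_message(msg):
    """Return (header, [(qname, qtype)], [(name, type, ttl, rdata)]) for the first two sections."""
    hdr, off = parse_header(msg), 12
    questions, answers = [], []
    for _ in range(hdr["counts"][0]):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(hdr["counts"][1]):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                              # A: four octets
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 5:                            # CNAME: a (possibly compressed) name
            rdata = decode_name(msg, off)[0]
        off += rdlen
        answers.append((name, rtype, ttl, rdata))
    return hdr, questions, answers


def build_response(query, a_records):
    """Authoritative answer to query with A records [(ttl, ip)], owner name compressed to offset 12."""
    hdr = parse_header(query)
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                   # name + type + class, echoed back
    flags = QR | AA | RA | (RD if hdr["recursion_desired"] else 0)
    out = struct.pack("!HHHHHH", hdr["id"], flags, 1, len(a_records), 0, 0) + question
    for ttl, ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        out += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return out


def matches(query, response):
    """A resolver accepts a response only if ID and question echo the outstanding query."""
    qh, qq, _ = parse_message(query)
    rh, rq, _ = parse_message(response)
    return rh["is_response"] and rh["id"] == qh["id"] and rq == qq
```

The `c0 0c` pointer in `build_response` is the usual way a server refers back to the question name at offset 12 rather than repeating it, which is why `decode_name` must follow pointers when parsing real responses.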
Scalability: DNS Cache
  - Local caching of recent resolutions
  - Cache: cheap, saves time and offloads traffic
  [Figure: the resolver asks the local name server "girigiri.gbrmpa.gov.au??"; the local name server requests the address from the remote gbrmpa.gov.au name server, stores the answer as a cached entry and returns the address of girigiri.gbrmpa.gov.au]
Scalability: DNS Cache (continued)
  - Local caching of recent resolutions
  - Cache: cheap, saves time and offloads traffic
  [Figure: the resolver asks "girigiri.gbrmpa.gov.au??" AGAIN; the local name server answers from its cached entry without contacting the remote gbrmpa.gov.au name server]
  - (and in fact, there is also a cache on the client)
  - Caching is great, but:
    - How long are entries stored?
    - When full, which entries to erase?
    - How to detect & flush stale entries?
    - Cache poisoning, security issues? A whole field of research
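The three operational questions on the slide (lifetime, eviction, stale entries) are the design decisions of a resolver cache. The following is an added example, not code from the lecture: a small cache keyed by (name, type) whose entries expire after the TTL the answer carried, capped by a local maximum; the least recently used entry is evicted when the cache is full; expired entries are dropped on access or flushed in bulk. A resolver wrapper counts how many upstream requests the cache saves. The clock is injected so the behaviour can be checked without waiting; the upstream answer below is constructed, not a real lookup.

```python
# Added example (not from the lecture slides): a TTL-bounded, LRU-evicting
# resolver cache with an injectable clock.
from collections import OrderedDict


class DnsCache:
    def __init__(self, capacity=100, max_ttl=86400, clock=None):
        self.capacity, self.max_ttl = capacity, max_ttl
        self.clock = clock or (lambda: 0)
        self._entries = OrderedDict()   # (name, type) -> (expires_at, values); order = recency
        self.hits = self.misses = 0

    def put(self, name, rtype, values, ttl):
        """Store an answer; the TTL is capped so a remote server cannot pin an entry for years."""
        ttl = max(0, min(ttl, self.max_ttl))
        key = (name.lower(), rtype)
        self._entries.pop(key, None)
        self._entries[key] = (self.clock() + ttl, list(values))
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)     # least recently used is at the front

    def get(self, name, rtype):
        """Return cached values, or None on a miss or when the entry has expired."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None or entry[0] <= self.clock():
            self._entries.pop(key, None)          # stale entries are dropped when touched
            self.misses += 1
            return None
        self._entries.move_to_end(key)            # mark as recently used
        self.hits += 1
        return entry[1]

    def remaining_ttl(self, name, rtype):
        """TTL a cached answer is handed out with: the original TTL minus the time in cache."""
        entry = self._entries.get((name.lower(), rtype))
        return max(0, entry[0] - self.clock()) if entry else 0

    def flush_stale(self):
        """Remove every expired entry; returns how many were removed."""
        now = self.clock()
        stale = [k for k, (exp, _) in self._entries.items() if exp <= now]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def __len__(self):
        return len(self._entries)


class CachingResolver:
    """Answers from the cache when possible, otherwise asks upstream and caches the result."""

    def __init__(self, upstream, cache):
        self.upstream, self.cache = upstream, cache   # upstream(name, rtype) -> (values, ttl)
        self.upstream_queries = 0

    def resolve(self, name, rtype="A"):
        values = self.cache.get(name, rtype)
        if values is None:
            self.upstream_queries += 1
            values, ttl = self.upstream(name, rtype)
            self.cache.put(name, rtype, values, ttl)
        return values


def demo():
    """Constructed scenario: one remote answer with TTL 251, asked twice, then after expiry."""
    now = [1000]                                      # controllable clock
    cache = DnsCache(capacity=2, clock=lambda: now[0])
    # hypothetical upstream: every name resolves to the same constructed address
    resolver = CachingResolver(lambda n, t: (["192.0.2.7"], 251), cache)
    resolver.resolve("girigiri.gbrmpa.gov.au.")       # miss -> upstream
    resolver.resolve("girigiri.gbrmpa.gov.au.")       # hit
    now[0] += 251                                     # TTL has run out
    resolver.resolve("girigiri.gbrmpa.gov.au.")       # expired -> upstream again
    return resolver.upstream_queries, cache.hits, cache.misses
```

Capping the TTL locally and re-checking expiry on every access are what keep an entry from outliving the data it was copied from; eviction order is separate from correctness and only affects the hit rate.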
DNS Extensions
  - Dynamic DNS (see RFC 2136)
    - Simple and easy addition of DNS data on the fly
    - Security issues? (see RFC 3833)
  - International character sets (allow characters like ä or ü)
    - Original DNS supports only ASCII
  - Security extensions with DNSSEC (see RFC 2535)
    - Who is who?
  - Spam defense
    - Accept only emails from hosts which can be successfully resolved
  - Extended DNS (large data transmission)
  - Phone number entries
  - RFID support
  - Geographic location
About Domain Name System (DNS): Tools for DNS
DNS Tools
  - dig: command line tool to look up DNS information

      x@y:~$ dig www.google.com

      ; <<>> DiG 9.2.4 <<>> www.google.com
      ;; global options:  printcmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27292
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 7, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;www.google.com.                IN      A

      ;; ANSWER SECTION:
      www.google.com.         9329    IN      CNAME   www.l.google.com.
      www.l.google.com.       251     IN      A       209.85.129.147
      www.l.google.com.       251     IN      A       209.85.129.99

      ;; AUTHORITY SECTION:
      l.google.com.           5117    IN      NS      a.l.google.com.
      l.google.com.           5117    IN      NS      b.l.google.com.
      l.google.com.           5117    IN      NS      c.l.google.com.

      ;; Query time: 1 msec
      ;; SERVER: 160.45.113.3#53(160.45.113.3)
      ;; WHEN: Thu Jan 31 09:03:59 2008
      ;; MSG SIZE  rcvd: 212
DNS Tools
  - nslookup (deprecated): look up DNS information

      x:\>nslookup www.google.com
      Server:  pyramid.mi.fu-berlin.de
      Address:  160.45.110.15

      Non-authoritative answer:
      Name:    www.l.google.com
      Addresses:  209.85.129.104, 209.85.129.147, 209.85.129.99
      Aliases:  www.google.com