chapter 4 network layer. chapter 4: network layer chapter goals: r understand principles behind...

Chapter 4Network Layer

Chapter 4: Network Layer

Chapter goals: understand principles behind network

layer services: network layer service models forwarding versus routing how a router works routing (path selection) dealing with scale IPv4 and IPv6


4. 1 Introduction 4.2 Virtual circuit

and datagram networks

4.3 What’s inside a router

4.4 IP: Internet Protocol Datagram format IPv4 addressing ICMP IPv6

4.5 Routing algorithms Link state Distance Vector Hierarchical routing

4.6 Routing in the Internet RIP OSPF BGP

Network layer transport segment from sending to receiving host

on sending side encapsulates segments into datagrams

on rcving side, delivers segments to transport layer

network layer protocols in every host and router

router examines header fields in all IP datagrams passing through it

application

transportnetworkdata linkphysical

application


networkdata linkphysical network

data linkphysical

networkdata linkphysical







networkdata linkphysicalnetwork

data linkphysical

Two Key Network-Layer Functions

forwarding: move packets from router’s input to appropriate router output

routing: determine route taken by packets from source to dest.

routing algorithms

analogy:

routing: process of planning trip from source to dest

forwarding: process of getting through single interchange

1

23

0111

value in arrivingpacket’s header

routing algorithm

local forwarding tableheader value output link

0100010101111001

3221

Interplay between routing and forwarding

Network service model

Q: What service model for “channel” transporting datagrams from sender to receiver?

Example services for individual datagrams:

guaranteed delivery guaranteed delivery

with less than 40 msec delay

Example services for a flow of datagrams:

in-order datagram delivery

guaranteed minimum bandwidth to flow

restrictions on changes in inter-packet spacing (jitter)

Why jitter is important, E.g., VoIP

VoIP requires that voice samples be played at a constant rate

5

6

7

•Moderate delay is not a problem

4 3 2 1

5 4 3 2 1 To hand set





5

6

4 3 2 1


7

•This buffer size just barely worked.

•If the delay had been bigger, then the voice would have dropped out, unless a larger buffer was used.

•Note that the problem was not the delay was large, but the change in delay


6 5 4 3 To hand set

6 5 4 To hand set

6 5 To hand set

6 To hand set

7 To hand set



5

6

7

•Jitter can cause the buffer to fill or empty.•In general, the larger the jitter, the larger the required buffer.•A large buffer adds delay so that the buffer delay is the same as the worst-case delay

•If average delay is small, but jitter is large, then a large buffer is needed, resulting in long delay

8

9

4 3 2 1


9 8 7 6 5 4 3 2 To hand set

Network layer service models:

NetworkArchitecture

Internet

ATM

ATM

ATM

ATM

ServiceModel

best effort

CBR

VBR

ABR

UBR

Bandwidth

none

constantrateguaranteedrateguaranteed minimumnone

Loss

no

yes

yes

no

no

Order

no

yes

yes

yes

yes

Timing

no

yes

yes

no

no

Congestionfeedback

no (inferredvia loss)nocongestionnocongestionyes

no

Guarantees ?

CBR = constant bit-rate (phone, not VoIP)VBR = variable bit-rate (e.g., variable bit-rate video, audio)ABR = available bit-rate. Like best effort but with guaranteed minimum bit-rate, but it gets feedback from the network to adjust the sending rateUBR = unspecified bit-rate. Like best effort

Why the different service models

Some application require bit-rate and delay guarantees. E.g., VoIP needs low delay (under 150 ms one-way is best,

over 400ms one-way is typically unacceptable) and 15kbps Thus, it would be nice if whenever the VoIP started, the

network would reserve enough bandwidth for the call otherwise, I will just use my landline i.e., I am willing to pay for this service (except that paying for

calls this against network neutrality) But this is wasteful

In VoIP, only one side talks at a time But the network can’t reserve half of the bit-rate.

The network can reserve the full bandwidth. And give the unused bandwidth as ABR (with the average bandwidth of ½ the VoIP bit-rate, since this is the average unused bit-rate)

However, if the VoIP traffic requires the bandwidth, the ABR must stop.

Network layer connection and connection-less service

datagram network provides network-layer connectionless service

VC network provides network-layer connection service

Virtual circuits

call setup, teardown for each call before data can flow each packet carries VC identifier (not destination host

address) every router on source-dest path maintains “state” for each

passing connection link, router resources (bandwidth, buffers) may be allocated

to VC (dedicated resources = predictable service)

“source-to-dest path behaves much like telephone circuit” performance-wise network actions along source-to-dest path

VC implementation

a VC consists of:1. path from source to destination2. VC numbers3. entries in forwarding tables in routers along path

A packet belonging to VC carries VC number (rather than dest address)

However, it is difficult to ensure that the VC number is unique across the network

Instead, the VC number is changed at each link

Packet Switching

Data is in packets, not streams. Must be digital Each packet has an address A switch/router reads the whole packet, then reads the address and

forwards the packet – store and forward

client

Server: address = 1

1dataA

B

C

D

FE

If destination is 1, then next

hop is B

If destination is 1, then

next hop is C

If destination is 1, then

next hop is

1data

1data

1data

Forwarding table

12 22 32

1 23

VC number

interfacenumber

Incoming interface Incoming VC # Outgoing interface Outgoing VC #

1 12 3 222 63 1 18 3 7 2 171 97 3 87… … … …

Forwarding table innorthwest router:

Routers maintain connection state information!

It is much easier to perform table lookup (to get the next hop information) on a 20-bit VC number than a 32 bit IP address (but this is not that important with high-speed ASICs)

Virtual circuits: signaling protocols

used to setup, maintain teardown VC used in ATM, frame-relay, X.25 not used in today’s Internet

application


application


1. Initiate call 2. incoming call

3. Accept call4. Call connected5. Data flow begins 6. Receive data

Datagram networks no call setup at network layer routers: no state about end-to-end connections

no network-level concept of “connection”

packets forwarded using destination host address packets between same source-dest pair may take

different paths

application


application


1. Send data 2. Receive data

MPLS (Multiprotocol Label Switching)

MPLS is widely used in large ISPs (e.g., AT&T) MPLS is a compromise between IP and VC. MPLS can run over an IP network. Today, most routers support MPLS and IP at the

same time MPLS uses label switching, which the the same

idea as VC number Packets have a 20-bit label When a packet arrives on an interface, the a table lookup

is performed, the output interface is found, next label is found, and the current label is changed to the next label

Label lookup is faster than IP address lookup. But speed isn’t really a concern

MPLS Architecture

Conceptually, there are three types of routers Ingress routers – where packets enter the network (e.g.,

move from UD to Cogent ) Egress routers – where packets exit the network (e.g.,

move from Cogent to AT&T) Internal routers – where packets remain inside the

network When an IP packet arrives at an ingress routers, a

lookup is performed based on the IP address If a match is found, then an MPLS header is put on the

packet along with the next hop label. That is, the packet is placed into an MPLS tunnel

From this point, the IP header is never examined. The forwarding is based on the MPLS label

When the packet arrives at an internal router, the label is switched, just like in a VC

When the packet reaches the egress router, the MPLS header is removed and the IP address is examined to determine the next hop (just like a regular IP router)

MPLS and Traffic Engineering

MPLS allows packets to follow tunnels These tunnels can be designed to

reduce the offered load on a link

NY

Saint LouisSF

Chicago

Dallas

DC

This link is congested with NY-SF, DC-SF, and Chicago-SF traffic

NY

Saint LouisSF

Chicago

Dallas

DC

•Packets arrive at Saint Louis with SF as destination, but they take different paths. •MPLS can do this•But IP forwarding cannot do this

•IP forwarding only examines the destination IP•Examining the 64 bit source and destination could accomplish this, but that would take a large table

MPLS and Traffic Engineering

Router Architecture Overview

Two key router functions: run routing algorithms/protocol (RIP, OSPF, BGP) forwarding datagrams from incoming to outgoing link

Input Port Functions

Decentralized switching: given datagram dest., lookup output

port using forwarding table in input port memory

goal: complete input port processing at ‘line speed’

queuing: if datagrams arrive faster than forwarding rate into switch fabric

Physical layer:bit-level reception

Data link layer:e.g., Ethernetsee chapter 5

Three types of switching fabrics

Switching Via MemoryFirst generation routers: traditional computers with switching under direct control of CPUpacket copied to system’s memory speed limited by memory bandwidth (2 bus crossings per datagram)

InputPort

OutputPort

Memory

System Bus

Switching Via a Bus

datagram from input port memory

to output port memory via a shared bus

bus contention: switching speed limited by bus bandwidth

32 Gbps bus, Cisco 5600: sufficient speed for access and enterprise routers

Switching Via An Interconnection Network

overcome bus bandwidth limitations Banyan networks, other interconnection nets

initially developed to connect processors in multiprocessor

advanced design: fragmenting datagram into fixed length cells, switch cells through the fabric.

Cisco 12000: switches 60 Gbps through the interconnection network

Output Ports

Buffering required when datagrams arrive from fabric faster than the transmission rate

Scheduling discipline chooses among queued datagrams for transmission

Output port queueing

buffering when arrival rate via switch exceeds output line speed

queueing (delay) and loss due to output port buffer overflow!

How much buffering?

RFC 3439 rule of thumb: average buffering equal to “typical” RTT (say 250 msec) times link capacity C e.g., C = 10 Gps link: 2.5 Gbit buffer

Recent recommendation: with N flows, buffering equal to RTT C.

N

Input Port Queuing

Fabric slower than input ports combined -> queueing may occur at input queues

Head-of-the-Line (HOL) blocking: queued datagram at front of queue prevents others in queue from moving forward

queueing delay and loss due to input buffer overflow!

The Internet Network layer

forwardingtable

Host, router network layer functions:

Routing protocols•path selection•RIP, OSPF, BGP

IP protocol•addressing conventions•datagram format•packet handling conventions

ICMP protocol•error reporting•router “signaling”

Transport layer: TCP, UDP

Link layer

physical layer

Networklayer

IPv4 datagram format

ver length

32 bits

data (variable length,typically a TCP

or UDP segment)

16-bit identifier

header checksum

time tolive

32 bit source IP address

IP protocol versionnumber

header length (bytes)

total datagramlength (bytes)

upper layer protocolto deliver payload to

head.len

type ofservice

“type” of data flgsfragment

offset

forfragmentation/reassembly

upper layer

max numberremaining hops

(decremented at each router)

32 bit destination IP address

Options (if any) E.g. timestamp,record routetaken, specifylist of routers to visit. Typically, these are ignored

how much overhead with TCP?

20 bytes of TCP 20 bytes of IP = 40 bytes + app

layer overhead

IPv4 Fragmentation & Reassembly

network links have MTU (max.transfer size) - largest possible link-level frame.

different link types, different MTUs

E.g., ethernet allows 1500B frames

802.11 allows 2346B frames It would be very difficult for the end

host to know the correct packet size Note that larger packets are more

efficient (less bandwidth is consumed by the header)

Large IP datagram divided (“fragmented”) within the network

one datagram becomes several datagrams

“reassembled” only at final destination

IP header bits used to identify, order related fragments

fragmentation: in: one large datagramout: 3 smaller datagrams

reassembly

IPv4 Fragmentation and Reassembly

ID=x

offset=0

fragflag=0

length=4000

ID=x

offset=0

fragflag=1

length=1500

ID=x

offset=185

fragflag=1

length=1500

ID=x

offset=370

fragflag=0

length=1040

One large datagram becomesseveral smaller datagrams

Example 4000 byte

datagram MTU = 1500

bytes

1480 bytes in data field

offset =1480/8

Stealthy Scanning

Before attacking a network, one must learn which hosts are present.

That is, which IP addresses have host that are running various services (e.g., listening on various TCP ports)

This is done by scanning. For example, sending an ICMP ping message to random IP address or sending TCP-SYN messages

What happens if a host receives an TCP-SYN on a port that is not listening

It depends on the OS, but the typically, a TCP-RST packet is generated

ISPs (e.g., UD) will look for scanners and take action (e.g., disconnect them)

So what is an attacker to do?

Stealthy Scanning

SomeMachine

attacker

victim

ICMP echo-request (ping)

ICMP echo reply with IP-ID = X

TCP-SYN: Dest=Victim, Source=SomeMachine

If victim exists and port is open: TCP-SYN-ACK

Some machine is confused (it didn’t send a TCP-SYN)TCP-RST with IP-ID = X + 1

ICMP echo reply with IP-ID = X+2

Since the IP-ID incremented by 2, the victim must have sent a SYN-ACK.If the IP-ID only incremented by 1, then the victim is not listening on the port, or does not exist

Attacker records IP-ID=X

IP Addressing: introduction IP address: 32-bit identifier

for host, router interface interface: connection

between host/router and physical link

router’s typically have multiple interfaces

host typically has a small number (ethernet and wifi)

IP addresses associated with each interface

• It is possible to have more than one

• Virtual machines could each have an IP address

223.1.1.1

223.1.1.2

223.1.1.3

223.1.1.4 223.1.2.9

223.1.2.2

223.1.2.1

223.1.3.2223.1.3.1

223.1.3.27

223.1.1.1 = 11011111 00000001 00000001 00000001

223 1 11

Ipv4 special addresses: http://tools.ietf.org/html/rfc5735

Subnets IP address:

subnet part (high order bits)

host part (low order bits)

What’s a subnet ? device interfaces with

same subnet part of IP address

can physically reach each other without intervening router (but perhaps a layer 2 switch)

223.1.1.1

223.1.1.2

223.1.1.3

223.1.1.4 223.1.2.9

223.1.2.2

223.1.2.1

223.1.3.2223.1.3.1

223.1.3.27

network consisting of 3 subnets

subnet

Subnets 223.1.1.0/24223.1.2.0/24

223.1.3.0/24

Recipe To determine the

subnets, detach each interface from its host or router, creating islands of isolated networks. Each isolated network is called a subnet.

Subnet mask: /24

SubnetsHow many? 223.1.1.1

223.1.1.3

223.1.1.4

223.1.2.2223.1.2.1

223.1.2.6

223.1.3.2223.1.3.1

223.1.3.27

223.1.1.2

223.1.7.0

223.1.7.1223.1.8.0223.1.8.1

223.1.9.1

223.1.9.2

IP addressing: CIDR

CIDR: Classless InterDomain Routing subnet portion of address of arbitrary length address format: a.b.c.d/x, where x is # bits in

subnet portion of address

11001000 00010111 00010000 00000000

Subnet part or CIDR-block

hostpart

200.23.16.0/23

IP addresses: how to get one?

Q: How does network get subnet part of IP addr?

A: gets allocated portion of its provider ISP’s address space

ISP's block 11001000 00010111 00010000 00000000 200.23.16.0/20

Organization 0 11001000 00010111 00010000 00000000 200.23.16.0/23 Organization 1 11001000 00010111 00010010 00000000 200.23.18.0/23 Organization 2 11001000 00010111 00010100 00000000 200.23.20.0/23 ... ….. …. ….

Organization 7 11001000 00010111 00011110 00000000 200.23.30.0/23

Hierarchical addressing: route aggregation

“Send me anythingwith addresses beginning 200.23.16.0/20”

200.23.16.0/23

200.23.18.0/23

200.23.30.0/23

ISP1

Organization 0

Organization 7 Internet

Organization 1

ISP2“Send me anythingwith addresses beginning 199.31.0.0/16”

200.23.20.0/23Organization 2

...

...

Hierarchical addressing allows efficient advertisement of routing information:

This way, the whole 32 bit address does not need to be examined

Border Router

Hierarchical addressing: more specific routes

ISP2 has a more specific route to Organization 1

“Send me anythingwith addresses Beginning with 200.23.16.0/20”

200.23.16.0/23

200.23.18.0/23

200.23.30.0/23

ISP1

Organization 0

Organization 7

Organization 1

ISP2“Send me anythingwith addresses beginning 199.31.0.0/16or 200.23.18.0/23”


...

...InternetBorder Router

Longest prefix matching

Prefix Match Link Interface200.23.16.0/20 0 200.23.18.0/23 1199.31.0.0/16 1 otherwise 2

Border Router Forwarding Table

If a packet with destination address 200.23.18.12 arrives at the boarder router, then is it forwarding to interface 0 or 1?Since interface 1 has a longer match, it goes to interface 1



“Send me anythingwith addresses Beginning with 200.23.16.0/20”

200.23.16.0/23

200.23.18.0/23

200.23.30.0/23

ISP1

Organization 0

Organization 7

Organization 1



...




“Send me anythingwith addresses Beginning with 200.23.16.0/20200.23.18.0/24200.23.19.0/24”

200.23.16.0/23

200.23.18.0/23

200.23.30.0/23

ISP1

Organization 0

Organization 7

Organization 1



...


IP addressing: the last word...

Q: How does an ISP get block of addresses?

A: ICANN: Internet Corporation for Assigned

Names and Numbers allocates addresses manages DNS assigns domain names, resolves disputes ICANN allocates chunks of addresses to Regional

Internet Registry (RIR), which allocate them to organizations in their region

NAT: Network Address Translation

10.0.0.1

10.0.0.2

10.0.0.3

10.0.0.4

138.76.29.7

local network(e.g., home network)

10.0.0/24

rest ofInternet

Datagrams with source or destination in this networkhave 10.0.0/24 address for

source, destination (as usual)

All datagrams leaving localnetwork have same single source

NAT IP address: 138.76.29.7,different source port numbers


Motivation: local network uses just one IP address as far as outside world is concerned: range of addresses not needed from ISP: just

one IP address for all devices can change addresses of devices in local network

without notifying outside world can change ISP without changing addresses of

devices in local network devices inside local net not explicitly

addressable, visible by outside world (a security plus).


Implementation: NAT router must:

outgoing datagrams: replace (source IP address, port #) of every outgoing datagram to (NAT IP address, new port #). . . remote clients/servers will respond using (NAT IP

address, new port #) as destination addr.

remember (in NAT translation table) every (source IP address, port #) to (NAT IP address, new port #) translation pair

incoming datagrams: replace (NAT IP address, new port #) in dest fields of every incoming datagram with corresponding (source IP address, port #) stored in NAT table


10.0.0.1

10.0.0.2

10.0.0.3

S: 10.0.0.1, 3345D: 128.119.40.186, 80

1

10.0.0.4

138.76.29.7

1: host 10.0.0.1 sends datagram to 128.119.40.186, 80

NAT translation tableWAN side addr LAN side addr

128.119.40.186, 80, 5001 10.0.0.1, 3345…… ……

S: 128.119.40.186, 80 D: 10.0.0.1, 3345

4

S: 138.76.29.7, 5001D: 128.119.40.186, 80

2

2: NAT routerchanges datagramsource addr from10.0.0.1, 3345 to138.76.29.7, 5001,updates table

S: 128.119.40.186, 80 D: 138.76.29.7, 5001

3

3: Reply arrives dest. address: 138.76.29.7, 5001

4: NAT routerchanges datagramdest addr from138.76.29.7, 5001 to 10.0.0.1, 3345

NAT: Network Address Translation(without port translation)

10.0.0.1

10.0.0.2

10.0.0.3

S: 10.0.0.1, 3345D: 128.119.40.186, 80

1

10.0.0.4

138.76.29.7



128.119.40.186, 80, 3345 10.0.0.1, 3345…… ……

S: 128.119.40.186, 80 D: 10.0.0.1, 3345

4

S: 138.76.29.7, 3345D: 128.119.40.186, 80

2


S: 128.119.40.186, 80 D: 138.76.29.7, 3345

3



NAT: Network Address Translation(without port translation)

10.0.0.1

10.0.0.2

10.0.0.3

S: 10.0.0.2, 3345D: 128.119.40.186, 8010.0.0.4

138.76.29.7



128.119.40.186, 80, 3345 10.0.0.1, 3345128.119.40.186, 80, 3345 10.0.0.2, 3345

S: 128.119.40.186, 80 D: 10.0.0.1, 3345

4

S: 138.76.29.7, 3345D: 128.119.40.186, 80

2

S: 128.119.40.186, 80 D: 138.76.29.7, 3345

3

3: Reply arrives dest. address: 138.76.29.7, 3345????


Source port conflict!


10.0.0.1

10.0.0.2

10.0.0.3

S: 10.0.0.1, 3345D: 128.119.40.186, 80

1

10.0.0.4

138.76.29.7



128.119.40.186, 80, 5001 10.0.0.1, 3345…… ……

S: 128.119.40.186, 80 D: 10.0.0.1, 3345

4

S: 138.76.29.7, 5001D: 128.119.40.186, 80

2


S: 128.119.40.186, 80 D: 138.76.29.7, 5002

3




10.0.0.1

10.0.0.2

10.0.0.3

S: 10.0.0.2, 3345D: 128.119.40.186, 8010.0.0.4

138.76.29.7



128.119.40.186, 80, 5001 10.0.0.1, 3345128.119.40.186, 80, 5002 10.0.0.2, 3345

S: 128.119.40.186, 80 D: 10.0.0.1, 3345

4

S: 138.76.29.7, 5002D: 128.119.40.186, 80

2

S: 128.119.40.186, 80 D: 138.76.29.7, 5002

3

3: Reply arrives dest. address: 138.76.29.7:5002



16-bit port-number field: 65,000 simultaneous connections with a

single LAN-side address! NAT is controversial:

routers should only process up to layer 3 violates end-to-end argument

• NAT possibility must be taken into account by app designers, eg, P2P applications

• The NAT must know about TCP and UDP. What about other transport protocols?

address shortage should instead be solved by IPv6

NAT traversal problem How can skype connect one client to another

when NATs are present?

138.76.29.7

Client

10.0.0.1

NAT router

NAT router


167.6.2.5


138.76.29.7, 2124 192.168.1.23, 3345…… ……



138.76.29.7

Client

10.0.0.1

NAT router

NAT router


167.6.2.5


138.76.29.7, 2124 192.168.1.23, 3345…… ……

*: 80*:? (DMZ)

10.0.0.1: 8010.0.0.2:?

NAT traversal problem

138.76.29.7

Client in the lab

10.0.0.1

NAT Router

192.168.1.1


138.76.29.7


138.76.29.7, 2124 192.168.1.23, 3345…… ……

*: 80*:? (DMZ)

10.0.0.1: 8010.0.0.1:?

VNC server at home



138.76.29.7

Client

10.0.0.1

NAT router

NAT router


167.6.2.5


138.76.29.7, 2124 192.168.1.23, 3345…… ……

voip

NAT traversal problem client wants to connect to

server with address 10.0.0.1 server address 10.0.0.1 local

to LAN (client can’t use it as destination addr)

only one externally visible NATted address: 138.76.29.7

solution 1: statically configure NAT to forward incoming connection requests at given port to server e.g., (123.76.29.7, port

2500) always forwarded to 10.0.0.1 port 25000

10.0.0.1

10.0.0.4

NAT router

138.76.29.7

Client?

NAT traversal problem solution 2: Universal Plug

and Play (UPnP) Internet Gateway Device (IGD) Protocol. Allows NATted host to: learn public IP address

(138.76.29.7) add/remove port

mappings (with lease times)

i.e., automate static NAT port map configuration

10.0.0.1

10.0.0.4

NAT router

138.76.29.7

IGD

NAT traversal problem solution 3: relaying (used in Skype)

NATed client establishes connection to relay

External client connects to relay relay bridges packets between to

connections

138.76.29.7

Client

10.0.0.1

NAT router

1. connection torelay initiatedby NATted host

2. connection torelay initiatedby client

3. relaying established

IP addresses: how to get one?

Q: How does a host get IP address?

hard-coded by system admin in a file Windows: control-panel->network->configuration-

>tcp/ip->properties UNIX: /etc/rc.config

DHCP: Dynamic Host Configuration Protocol: dynamically get address from as server “plug-and-play”

DHCP: Dynamic Host Configuration Protocol

Goal: allow host to dynamically obtain its IP address from network server when it joins networkCan renew its lease on address in useAllows reuse of addresses (only hold address while connected an “on”)Support for mobile users who want to join network (more shortly)

DHCP overview: host broadcasts “DHCP discover” msg DHCP server responds with “DHCP offer” msg host requests IP address: “DHCP request” msg DHCP server sends address: “DHCP ack” msg

DHCP client-server scenario

223.1.1.1

223.1.1.2

223.1.1.3

223.1.1.4 223.1.2.9

223.1.2.2

223.1.2.1

223.1.3.2223.1.3.1

223.1.3.27

A

BE

DHCP server

arriving DHCP client needsaddress in thisnetwork

DHCP client-server scenarioDHCP server: 223.1.2.5 arriving

client

time

DHCP discover

src : 0.0.0.0, port: 68 dest.: 255.255.255.255, port: 67yiaddr: 0.0.0.0transaction ID: 654

DHCP offer

src: 223.1.2.5, port: 67 dest: 255.255.255.255, port: 68yiaddrr: 223.1.2.4transaction ID: 654Lifetime: 3600 secs

DHCP request

src: 0.0.0.0, port: 68 dest:: 255.255.255.255, port: 67yiaddrr: 223.1.2.4transaction ID: 655Lifetime: 3600 secs

DHCP ACK

src: 223.1.2.5, port: 67 dest: 255.255.255.255, port: 68yiaddrr: 223.1.2.4transaction ID: 655Lifetime: 3600 secs

ICMP: Internet Control Message Protocol

used by hosts & routers to communicate network-level information error reporting:

unreachable host, network, port, protocol

echo request/reply (used by ping)

network-layer “above” IP: ICMP msgs carried in IP

datagrams ICMP message: type, code

plus first 8 bytes of IP datagram causing error

Type Code description0 0 echo reply (ping)3 0 dest. network unreachable3 1 dest host unreachable3 2 dest protocol unreachable3 3 dest port unreachable3 6 dest network unknown3 7 dest host unknown4 0 source quench (congestion control - not used)8 0 echo request (ping)9 0 route advertisement10 0 router discovery11 0 TTL expired12 0 bad IP header

Traceroute and ICMP

Source sends series of UDP or ICMP segments to dest First has TTL =1 Second has TTL=2, etc. Unlikely port number

When nth datagram arrives to nth router: Router discards

datagram And (might) send to

source an ICMP message (type 11, code 0)

Message includes name of router& IP address

When ICMP message arrives, source calculates RTT

Traceroute does this 3 times

Stopping criterion UDP or ICMP segment

eventually arrives at destination host

Destination (might) return ICMP “host unreachable” packet (type 3, code 3)

When source gets this ICMP, stops.

ICMP ping flood

Send many ICMP ping messages to a web server

The server will not be able to respond fast enough, and hence not be able to provide is primary service

Denial of service attack (DoS)

DDoS (distributed DoS). Many hosts send ICMP ping messages to a web server

One defense is to filter out messages from hosts that send too many ICMP messages

So, attackers send ICMP messages, but with a random source address.

Or attackers can send ICMP messages to random hosts but with the source address of the victim

One defense is to filter all ICMP messages

IPv6 Initial motivation: 32-bit address space soon to be

completely allocated.

Additional motivation: header format helps speed processing/forwarding “header changes to facilitate QoS and built-in security”IPv6 datagram format: fixed-length 40 byte header no fragmentation allowed

IPv6 Header (Cont)Priority: identify priority among datagrams in flow, like TOS in IPv4Flow Label: identify datagrams in same “flow.” (concept of“flow” not well defined).

•e.g., all pkts in a VoIP call would have the same flow. Allowing these pkts to be treated the same (e.g., flow the same path to avoid pkt reordering)

Next header: identify upper layer protocol for data (like protocol number in IPv4) Payload length is the length of the payload only (slightly different form IPv4 pkt length)

128 bit address permits 5×10^28 addressed for each person on the planet

Other Changes from IPv4 Checksum: removed entirely to reduce processing time at

each hop

Fragmentation: removed, but new ICMP messages to inform the source of the MTU. Also, the source network layer can fragment messages which are reassembled at the destination

Options: allowed, but outside of header, indicated by “Next Header” field Fragmentation is supported by a next header

ICMPv6: new version of ICMP additional message types, e.g. “Packet Too Big” multicast group management functions

Transition From IPv4 To IPv6

Not all routers can be upgraded simultaneous no “flag days” How will the network operate with mixed IPv4

and IPv6 routers? Tunneling: IPv6 carried as payload in IPv4

datagram among IPv4 routers

TunnelingA B E F

IPv6 IPv6 IPv6 IPv6

tunnelLogical view:

Physical view:A B E F

IPv6 IPv6 IPv6 IPv6IPv4 IPv4

TunnelingA B E F

IPv6 IPv6 IPv6 IPv6

tunnelLogical view:

Physical view:A B E F

IPv6 IPv6 IPv6 IPv6

C D

IPv4 IPv4

Flow: XSrc: ADest: F

data


data


data

Src:BDest: E


data

Src:BDest: E

A-to-B:IPv6

E-to-F:IPv6

B-to-C:IPv6 inside

IPv4

B-to-C:IPv6 inside

IPv4

IPv6 Addresses 128 bit addresses

The address space is broken into chunks (as will be explained) So each address is not really assignable

Sample address 2001:0410:0004:0000:0000:09C0:7341:A2DF

Often the address has a long string of zeros. These can be replaced with :: 2001:0410:0004::09C0:7341:A2DF But only one :: can be used in each address

If a field has leading zeros, it can be replaced with the non zero part 2001:0410:4::09C0:7341:A2DF

Loop back address ::1 or 0000:0000:0000:0000:0000:0000:0000:0001

http://[2001:0410:4::09C0:7341:A2DF]/index.html ugly! I guess we need DNS

::FFFF:128.4.2.10 can allow the IPv4 address to be embedded in a IPv6 address.

However, because of implementation and security issues, not all system support this

IPv6 broadcast

IPv4 allows broadcast – where all hosts on the subnet receive the message 255.255.255.255 is the broadcast address On the subnet 128.4.2/24, the broadcast address is

128.4.2.255 IPv6 does not really have broadcast. Instead, it has local multicast, where every host in a

subnet gets the message (well, this seems to be the same thing that IPv4 did. IPv4

does really let you broadcast over the entire internet) FF02::1 is the local broadcast address

IPv6 Address Scope

In IPv6, the address has scope, i.e., the address is valid in some region

FE80::/10 is a link local addresses. These addresses are only used inside a subnet

(customer network) Routers do not forward these

FF00::/8 are multicast address (global scope) Everything else are global unicast addresses

(global scope)

IPv6 Unicast Addressing

2001

112 bits16 bits

2001::/16 is initially assigned for unicast addresses

20017 bits

Each Regional Internet Registry (RIR) get 7 bit IDs from IANAThus, the RIR has a /23 and allocates address from this spaceThe RIR is responsible for allocating addressesRIRs: APNIC (asia/pac), ARIN (n. america), LACNIC (S. America), RIPE NCC (europe, middle east, central asia), AfriNIC (africa)

20017 bits

RIRs give /32 to ISPs (a /32 has 96 bits available to give to customers… sort of)With only 9 bits, the RIR will quickly run out of addresses and will ask IANA for another chunk. In total, 2^(7+9) = 65536 ISP chunks can be allocated(65536 does not seem like a huge number of ISPs

9 bits

2000::/3 are unicast addresses

IPv6 Unicast addresses continued

20017 bits 9 bits

96 bits of space available to ISP

ISP allocates chunks of this space to customers. The size of the space varies.Often a customers can get a /64 (giving the customers 64 bits of addresses) and allow an ISP to have 2^32 customers!Instead of a /64, a customers might get a /48 or /56 (at one time, ISPs were supposed to give /48, but this is not happening)

RIR ISP

20017 bits 9 bits

RIR ISP

This part of the address identifies the

customer

32 bits


ISP

The ISP address is embedded in the customer address.•What if the customer has two ISPs (multihomed)?!•What if the customer moves to another ISP?•E.g., Udel EECIS has a /16 IPv4 address block. We have had it for a long time even though we have changed ISP

IPv6 Unicast addresses continued

Three ways to assign 64 bit interface ID DHCP Manual Auto config

• Expand the 48 MAC address to 64 bit• Eg MAC = 00:90:27:17:FC:0F• 64 bit MAC = 00:90:27:FF:FE:17:FC:0F• MAC: organizational ID (3 bytes) : interface ID (3 bytes)• ~Future MAC: organizational ID (4 bytes) : interface ID (4 bytes), so 00:90:27:FF is like a organizational part and

FE:17:FC:0F is the interface part• Also, of the most significant 8 bits,

– the first bit = 0 => unicast and 1 => multicast

– The second bit = 0 => globally unique MAC address, 1 => locally administered MAC address

• Interface ID (aka EUI-64): 02:90:27:FF:FE:17:FC:0F– The locally administered MAC address bit is set

• Once the interface ID is determined, the router can be queried for the upper 64 bits of the address

Supposedly auto config is good enough. But what about when a host has many virtual machines (VMs) and each needs an address?

20017 bits 9 bits

RIR ISP

Interface ID

32 bits

customer


customer

IPv6 Interface ID

The interface ID is the same as the MAC Thus, a web site can examine the IPv6 address to

determine your MAC and hence identify the end-host This is a significant privacy problem Also, MAC addresses can be guessed (e.g., I know

Apple’s organizational part and can guess the lower 3 bytes. In this way I can find MACs)

Using random interface IDs solves these problems, but might also result in address collision

DHCP is another solution DHCP is needed anyway to set the DNS server








4.7 Broadcast and multicast routing

chapter 4 network layer. chapter 4: network layer chapter goals: r understand principles behind...

Documents

network layer slide

datagrams r

host r

network layer services

ipv6 r

dest r

r restrictions

introduction r